From rforno at infowarrior.org Thu Apr 1 12:48:07 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 1 Apr 2010 08:48:07 -0400
Subject: [Infowarrior] - Microsoft runs fuzzing botnet, finds 1,800 Office bugs
Message-ID:

(Talk about dual-use technologies, eh? This is a rather innovative idea, I think .... even if I'm not a software security guy. -rf)

Microsoft runs fuzzing botnet, finds 1,800 Office bugs
Finds, fixes huge number of Office 2010 bugs by tapping idle company PCs
Gregg Keizer
http://www.computerworld.com/s/article/9174539/Microsoft_runs_fuzzing_botnet_finds_1_800_Office_bugs

March 31, 2010 (Computerworld) Microsoft uncovered more than 1,800 bugs in Office 2010 by tapping into the unused computing horsepower of idling PCs, a company security engineer said today.

Office developers found the bugs by running millions of "fuzzing" tests, said Tom Gallagher, senior security test lead with Microsoft's Trustworthy Computing group.

Fuzzing, a practice employed by both software developers and security researchers, searches for flaws by inserting data into file format parsers to see where programs fail by crashing. Because some crash bugs can be further exploited to successfully hack software, allowing an attacker to insert malicious code, fuzzing is of great interest to both legitimate and criminal researchers looking for security vulnerabilities.

"We found and fixed about 1,800 bugs in Office 2010's code," said Gallagher, who last week co-hosted a presentation on Microsoft's fuzzing efforts at the CanSecWest security conference in Vancouver, British Columbia. "While a large number, it's important to note that that doesn't mean we found 1,800 security issues. We also want to fix things that are not security concerns."

Gallagher declined to quantify the number of flaws found via fuzzing that qualified as vulnerabilities, saying only that the Office 2010 team did uncover security bugs in the process and patched them during development.
Some of those vulnerabilities have already been addressed in older editions of Office, Gallagher added, because information obtained by fuzzing Office 2010 code was checked against the code in earlier versions -- such as Office 2007 and Office 2003 -- then patched during Office 2010's development. Non-security bugs discovered in Office 2010 that also exist in previous editions will be fixed in those versions' upcoming service packs, Gallagher said.

Microsoft was able to find such a large number of bugs in Office 2010 by using not only machines in the company's labs, but also underutilized or idle PCs throughout the company.

The concept isn't new: The Search for Extraterrestrial Intelligence (SETI@home) project may have been the first to popularize the practice, and remains the largest, but it's also been used to crunch numbers in medical research and to find the world's largest prime number.

"We call it a botnet for fuzzing," said Gallagher, referring to what Microsoft has formally dubbed Distributed Fuzzing Framework (DFF). The fuzzing network originated with work by David Conger, a software design engineer on the Access team.

Client software installed on systems throughout Microsoft's network automatically kicks in when the PCs are idle, such as on weekends, to run fuzzing tests. "We would do millions of [fuzzing] iterations each weekend," Gallagher said -- up to 12 million in some cases.

The difference between Microsoft's old way of fuzzing -- which involved a tester setting up a fuzzer on a single machine, then letting it run for as long as a week -- and DFF was dramatic, said Gallagher. "We can do 12 million iterations without a lot of effort," he said. "Set it up, go home, come in on Monday, and we have the results listing all the issues. What used to take days now just takes an hour."

While all the Office development teams use DFF, only some groups within the company have tried it.
Currently SharePoint, MSN client and Fast search teams are utilizing the fuzzing network, but Windows developers are not.

A prominent vulnerability researcher, however, has criticized the fuzzing efforts of Microsoft, Apple and Adobe. Last week, Charlie Miller, three-time winner at the Pwn2Own hacking contest, showed CanSecWest attendees how he used a simple "dumb" fuzzer -- one not built to understand a specific file format -- to root out 20 security vulnerabilities and hundreds of crash bugs using fewer than five computers.

Miller found vulnerabilities in PowerPoint, the presentation maker in Office, as well as in Mac OS X, Apple's Safari browser and Adobe's Reader. Miller refused to turn over details of the vulnerabilities to the vendors, Microsoft included, but instead showed the vendors how to replicate his work in his own presentation.

"What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing," Miller said last week in an interview with Computerworld.

Gallagher, who sat in on Miller's presentation, didn't commit Microsoft to doing what Miller wanted. "We're looking at his technique, how to duplicate it and how we might implement it," Gallagher said today.

Miller was unavailable today to comment on Microsoft's Office fuzzing work.

Microsoft's stepped-up fuzzing was part of a security push for Office 2010 that also added several new features, including a more flexible file blocker -- first introduced in Office 2007 -- and a new sandbox dubbed Protected View that isolates suspicious Word, Excel and PowerPoint files in a limited-rights environment, effectively quarantining them from the rest of the PC.

"We're not banking on finding and fixing every bug in Office 2010," Gallagher admitted.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed.
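A toy illustration of the "dumb" fuzzing loop the article describes, added here and not code from Microsoft's DFF or from Miller's talk: the seed file format, its naive parser and the bugs in it are all constructed for this example, and crashes are bucketed by exception type and faulting line so that a long run yields a short list of distinct issues rather than one entry per crashing input.

```python
"""Dumb mutation fuzzing with crash bucketing (added example).

Not Microsoft's Distributed Fuzzing Framework or Charlie Miller's code:
a toy record parser, constructed for this example, is fed randomly
mutated copies of a valid seed file. Each crash is bucketed by exception
type and faulting line, so a run of many iterations yields a short list
of distinct issues rather than one entry per crashing input.
"""
import random
import struct
import traceback
from collections import Counter
from typing import Optional

MAGIC = b"TOYF"  # constructed format, not a real file type


def build_seed() -> bytes:
    """Constructed valid input: magic, 2-byte record count, then records of
    (1-byte type, 2-byte little-endian length, payload)."""
    records = [(1, b"hello"), (2, b"\x10" * 16), (3, b"x")]
    body = b"".join(struct.pack("<BH", t, len(p)) + p for t, p in records)
    return MAGIC + struct.pack("<H", len(records)) + body


def parse(data: bytes) -> list:
    """Deliberately naive parser: it trusts every count and length it reads."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")  # graceful rejection, not a bug
    count = struct.unpack_from("<H", data, 4)[0]
    off, out = 6, []
    for _ in range(count):
        rtype, length = struct.unpack_from("<BH", data, off)  # struct.error if truncated
        off += 3
        payload = data[off:off + length]  # silently short if length overruns the data
        if rtype == 2:
            out.append(sum(payload) // len(payload))  # ZeroDivisionError on empty payload
        elif rtype == 3:
            out.append(payload.decode("ascii"))  # UnicodeDecodeError on bytes >= 0x80
        else:
            out.append(payload)
        off += length
    return out


def mutate(seed: bytes, rng: random.Random, max_changes: int = 4) -> bytes:
    """Format-agnostic mutation: overwrite a few random bytes with random values."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, max_changes)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def bucket(exc: BaseException) -> str:
    """Crash signature: qualified exception type plus the parser line that raised it."""
    frames = traceback.extract_tb(exc.__traceback__)
    frame = next((f for f in reversed(frames) if f.name == "parse"), frames[-1])
    return f"{type(exc).__module__}.{type(exc).__name__}@parse:{frame.lineno}"


def run_one(data: bytes) -> Optional[str]:
    """Parse one input; return a crash signature, or None if it parsed or was rejected cleanly."""
    try:
        parse(data)
    except ValueError as e:
        if str(e) == "bad magic":
            return None
        return bucket(e)  # UnicodeDecodeError is a ValueError, so it lands here
    except Exception as e:
        return bucket(e)
    return None


def fuzz(iterations: int, seed_value: int = 1) -> Counter:
    """Run the mutation loop and count crashes per bucket (fixed RNG seed for reproducibility)."""
    rng = random.Random(seed_value)
    seed = build_seed()
    crashes = Counter()
    for _ in range(iterations):
        sig = run_one(mutate(seed, rng))
        if sig is not None:
            crashes[sig] += 1
    return crashes


if __name__ == "__main__":
    for sig, n in fuzz(20000).most_common():
        print(f"{n:6d}  {sig}")
```

The over-long-length case in parse is the kind of defect this loop cannot see, since it never crashes: a real campaign pairs the mutator with a memory-error detector or other oracle, not just exception catching.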
His e-mail address is gkeizer at ix.netcom.com.

From rforno at infowarrior.org Fri Apr 2 13:29:07 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 2 Apr 2010 09:29:07 -0400
Subject: [Infowarrior] - U.S. changing the way air travelers are screened
Message-ID: <0DEA9B63-FD5C-41E4-BB30-4605A2B2560C@infowarrior.org>

(of course, we still have to take off our shoes.....grrr. -rick)

U.S. changing the way air travelers are screened
By Anne E. Kornblut and Spencer S. Hsu
Friday, April 2, 2010; 1:07 AM
http://www.washingtonpost.com/wp-dyn/content/article/2010/04/02/AR2010040204131_pf.html

The Obama administration is abandoning its policy of using nationality alone to determine which U.S.-bound international air travelers should be subject to additional screening and will instead select passengers based on possible matches to intelligence information, including physical descriptions or a particular travel pattern, senior officials said Thursday.

After the attempted bombing of an Amsterdam-to-Detroit flight on Christmas Day, U.S. officials hastily decided that passengers from or traveling through 14 specified countries would be subjected to secondary searches. Critics have since called the measures discriminatory and overly burdensome, and the administration has faced pressure to refine its approach.

Under the new system, screeners will stop passengers for additional security if they match certain pieces of known intelligence. The system will be "much more intel-based," a senior administration official said, "as opposed to blunt force."

"It's much more tailored to what the intelligence is telling us, what the threat is telling us, as opposed to stopping all individuals of a particular nationality or all individuals using a particular passport," the official said, speaking on condition of anonymity.
On Christmas Day, Nigerian student Umar Farouk Abdulmutallab allegedly tried to ignite explosives sewn into his underwear as Northwest Airlines Flight 253 prepared to land, but the device failed and he was subdued by fellow passengers. Abdulmutallab has allegedly said he was trained by an al-Qaeda affiliate in Yemen. The case exposed gaps in the government's ability to identify people who might pose a threat.

Days later, the administration ordered a significant increase in secondary searches, requiring all passengers from or traveling through Afghanistan, Algeria, Lebanon, Liberia, Iraq, Nigeria, Pakistan, Saudi Arabia, Somalia and Yemen to undergo extra security at the airport. Travelers from countries considered state sponsors of terrorism -- Cuba, Syria, Iran and Sudan -- were subjected to the same screening, including pat-downs and additional bag checks.

Airlines had warned that the measures instituted after the Christmas Day incident would need to be eased before the busy summer travel season. And critics objected that the added scrutiny amounted to a pretext for racial profiling that could potentially affect 675 million people, including American Muslims and religious pilgrims.

Administration officials briefed reporters about the revised policy Thursday. But they did so on the condition that reporters not publicize it or seek reaction to it until after midnight, saying they were still working to notify foreign partners and members of Congress.

The underlying airline security policy of checking passenger names against watch lists will continue, and certain passengers will still be banned from flying or required to submit to additional security based on names in intelligence databases. About 24,000 people around the world are currently on those "no-fly" and "selectee" lists.
Administration officials said the new system will "significantly" reduce the number of passengers chosen for mandatory extra screening, eliminating entire swaths of travelers who had been chosen based on their nationalities. But it will also broaden the universe of potential targets for secondary searches, expanding the focus from the 14 named countries to dubious passengers from anywhere in the world, a move also designed to outsmart terrorist plotters who knew which countries were affected.

The rules will take effect within the month, the senior administration official said, acknowledging that the system instituted in January presented a severe inconvenience to travelers from the listed countries.

The official offered a hypothetical case to illustrate how the new system will work. If U.S. intelligence authorities learned about a terrorism suspect from Asia who had recently traveled to the Middle East, and they knew the suspect's approximate age but not name or passport number, those fragments would be entered into a database and shared with commercial airline screeners abroad. The screeners would be instructed to look for people with those traits and to pull them aside for extra searches, the official said, acknowledging that in some cases, screeners will have to rely on their judgment as they consider the listed traits.

While intelligence officials had fragments of information about Abdulmutallab -- including warnings from his father that he was becoming radicalized, and warnings about a Nigerian plot against U.S. interests -- those pieces of information were not connected in time to keep him from flying. Administration officials have said that, in hindsight, the central failure involved inadequate sharing of information. It is not clear whether the new screening measures would have been sufficient to block him.
From rforno at infowarrior.org Fri Apr 2 13:39:51 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 2 Apr 2010 09:39:51 -0400
Subject: [Infowarrior] - Doctorow: Why I won't buy an iPad
Message-ID: <84F26F51-D94D-4F19-9B11-80D4F654263B@infowarrior.org>

(I agree 100% with his sentiment. -rick)

Why I won't buy an iPad (and think you shouldn't, either)
Cory Doctorow at 5:23 AM April 2, 2010
http://www.boingboing.net/2010/04/02/why-i-wont-buy-an-ipad-and-think-you-shouldnt-either.html#more

I've spent ten years now on Boing Boing, finding cool things that people have done and made and writing about them. Most of the really exciting stuff hasn't come from big corporations with enormous budgets, it's come from experimentalist amateurs. These people were able to make stuff and put it in the public's eye and even sell it without having to submit to the whims of a single company that had declared itself gatekeeper for your phone and other personal technology.

Danny O'Brien does a very good job of explaining why I'm completely uninterested in buying an iPad -- it really feels like the second coming of the CD-ROM "revolution" in which "content" people proclaimed that they were going to remake media by producing expensive (to make and to buy) products. I was a CD-ROM programmer at the start of my tech career, and I felt that excitement, too, and lived through it to see how wrong I was, how open platforms and experimental amateurs would eventually beat out the spendy, slick pros.

I remember the early days of the web -- and the last days of CD ROM -- when there was this mainstream consensus that the web and PCs were too durned geeky and difficult and unpredictable for "my mom" (it's amazing how many tech people have an incredibly low opinion of their mothers). If I had a share of AOL for every time someone told me that the web would die because AOL was so easy and the web was full of garbage, I'd have a lot of AOL shares. And they wouldn't be worth much.
Incumbents made bad revolutionaries

Relying on incumbents to produce your revolutions is not a good strategy. They're apt to take all the stuff that makes their products great and try to use technology to charge you extra for it, or prohibit it altogether.

I mean, look at that Marvel app (just look at it). I was a comic-book kid, and I'm a comic-book grownup, and the thing that made comics for me was sharing them. If there was ever a medium that relied on kids swapping their purchases around to build an audience, it was comics. And the used market for comics! It was -- and is -- huge, and vital. I can't even count how many times I've gone spelunking in the used comic-bins at a great and musty store to find back issues that I'd missed, or sample new titles on the cheap. (It's part of a multigenerational tradition in my family -- my mom's father used to take her and her sibs down to Dragon Lady Comics on Queen Street in Toronto every weekend to swap their old comics for credit and get new ones).

So what does Marvel do to "enhance" its comics? They take away the right to give, sell or loan your comics. What an improvement. Way to take the joyous, marvellous sharing and bonding experience of comic reading and turn it into a passive, lonely undertaking that isolates, rather than unites. Nice one, Misney.

Infantilizing hardware

Then there's the device itself: clearly there's a lot of thoughtfulness and smarts that went into the design. But there's also a palpable contempt for the owner. I believe -- really believe -- in the stirring words of the Maker Manifesto: if you can't open it, you don't own it. Screws not glue. The original Apple ][+ came with schematics for the circuit boards, and birthed a generation of hardware and software hackers who upended the world for the better.
If you wanted your kid to grow up to be confident, entrepreneurial, and firmly in the camp that believes that you should forever be rearranging the world to make it better, you bought her an Apple ][+.

But with the iPad, it seems like Apple's model customer is that same stupid stereotype of a technophobic, timid, scatterbrained mother as appears in a billion renditions of "that's too complicated for my mom" (listen to the pundits extol the virtues of the iPad and time how long it takes for them to explain that here, finally, is something that isn't too complicated for their poor old mothers).

The model of interaction with the iPad is to be a "consumer," what William Gibson memorably described as "something the size of a baby hippo, the color of a week-old boiled potato, that lives by itself, in the dark, in a double-wide on the outskirts of Topeka. It's covered with eyes and it sweats constantly. The sweat runs into those eyes and makes them sting. It has no mouth... no genitals, and can only express its mute extremes of murderous rage and infantile desire by changing the channels on a universal remote."

The way you improve your iPad isn't to figure out how it works and making it better. The way you improve the iPad is to buy iApps. Buying an iPad for your kids isn't a means of jump-starting the realization that the world is yours to take apart and reassemble; it's a way of telling your offspring that even changing the batteries is something you have to leave to the professionals.

Dale Dougherty's piece on Hypercard and its influence on a generation of young hackers is a must-read on this. I got my start as a Hypercard programmer, and it was Hypercard's gentle and intuitive introduction to the idea of remaking the world that made me consider a career in computers.

Wal-Martization of the software channel

And let's look at the iStore. For a company whose CEO professes a hatred of DRM, Apple sure has made DRM its alpha and omega.
Having gotten into business with the two industries that most believe that you shouldn't be able to modify your hardware, load your own software on it, write software for it, override instructions given to it by the mothership (the entertainment industry and the phone companies), Apple has defined its business around these principles. It uses DRM to control what can run on your devices, which means that Apple's customers can't take their "iContent" with them to competing devices, and Apple developers can't sell on their own terms.

The iStore lock-in doesn't make life better for Apple's customers or Apple's developers. As an adult, I want to be able to choose whose stuff I buy and whom I trust to evaluate that stuff. I don't want my universe of apps constrained to the stuff that the Cupertino Politburo decides to allow for its platform. And as a copyright holder and creator, I don't want a single, Wal-Mart-like channel that controls access to my audience and dictates what is and is not acceptable material for me to create.

The last time I posted about this, we got a string of apologies for Apple's abusive contractual terms for developers, but the best one was, "Did you think that access to a platform where you can make a fortune would come without strings attached?" I read it in Don Corleone's voice and it sounded just right. Of course I believe in a market where competition can take place without bending my knee to a company that has erected a drawbridge between me and my customers!

Journalism is looking for a daddy figure

I think that the press has been all over the iPad because Apple puts on a good show, and because everyone in journalism-land is looking for a daddy figure who'll promise them that their audience will go back to paying for their stuff. The reason people have stopped paying for a lot of "content" isn't just that they can get it for free, though: it's that they can get lots of competing stuff for free, too.
The open platform has allowed for an explosion of new material, some of it rough-hewn, some of it slick as the pros, most of it targeted more narrowly than the old media ever managed. Rupert Murdoch can rattle his saber all he likes about taking his content out of Google, but I say do it, Rupert. We'll miss your fraction of a fraction of a fraction of a percent of the Web so little that we'll hardly notice it, and we'll have no trouble finding material to fill the void.

Just like the gadget press is full of devices that gadget bloggers need (and that no one else cares about), the mainstream press is full of stories that affirm the internal media consensus. Yesterday's empires do something sacred and vital and most of all grown up, and that other adults will eventually come along to move us all away from the kids' playground that is the wild web, with its amateur content and lack of proprietary channels where exclusive deals can be made. We'll move back into the walled gardens that best return shareholder value to the investors who haven't updated their portfolios since before eTrade came online.

But the real economics of iPad publishing tell a different story: even a stellar iPad sales performance isn't going to do much to staunch the bleeding from traditional publishing. Wishful thinking and a nostalgia for the good old days of lockdown won't bring customers back through the door.

Gadgets come and gadgets go

Gadgets come and gadgets go. The iPad you buy today will be e-waste in a year or two (less, if you decide not to pay to have the battery changed for you). The real issue isn't the capabilities of the piece of plastic you unwrap today, but the technical and social infrastructure that accompanies it.

If you want to live in the creative universe where anyone with a cool idea can make it and give it to you to run on your hardware, the iPad isn't for you.
If you want to live in the fair world where you get to keep (or give away) the stuff you buy, the iPad isn't for you.

If you want to write code for a platform where the only thing that determines whether you're going to succeed with it is whether your audience loves it, the iPad isn't for you.

From rforno at infowarrior.org Fri Apr 2 13:41:59 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 2 Apr 2010 09:41:59 -0400
Subject: [Infowarrior] - The [Gadget] Maker's Bill of Rights
Message-ID:

The [Gadget] Maker's Bill of Rights
http://makezine.com/04/ownyourown/

Meaningful and specific parts lists shall be included.
Cases shall be easy to open.
Batteries should be replaceable.
Special tools are allowed only for darn good reasons.
Profiting by selling expensive special tools is wrong and not making special tools available is even worse.
Torx is OK; tamperproof is rarely OK.
Components, not entire sub-assemblies, shall be replaceable.
Consumables, like fuses and filters, shall be easy to access.
Circuit boards shall be commented.
Power from USB is good; power from proprietary power adapters is bad.
Standard connectors shall have pinouts defined.
If it snaps shut, it shall snap open.
Screws better than glues.
Docs and drivers shall have permalinks and shall reside for all perpetuity at archive.org.
Ease of repair shall be a design ideal, not an afterthought.
Metric or standard, not both.
Schematics shall be included.

From rforno at infowarrior.org Fri Apr 2 13:48:18 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 2 Apr 2010 09:48:18 -0400
Subject: [Infowarrior] - OT: Is there a Darwin Award for Pirates?
Message-ID: <29177502-872D-48FC-B8C6-51F14F932145@infowarrior.org>

Pirates Attack (Yes, Attack) U.S. Warship
http://burnafterreading.nationaljournal.com/2010/04/theyre-baaaack-somali-pirates.php

< - >

Somali pirates opened fire on the USS Nicholas early this morning as the American warship was patrolling west of the Seychelles in the Indian Ocean. American forces returned fire and pursued; they eventually captured three pirates on the attacking skiff and two more aboard a suspected mother ship.

< - >

From rforno at infowarrior.org Fri Apr 2 14:32:12 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 2 Apr 2010 10:32:12 -0400
Subject: [Infowarrior] - Anti-Piracy Lawyers Vandalize Wikipedia Page
Message-ID:

Anti-Piracy Lawyers Vandalize Wikipedia Page
Written by enigmax on April 02, 2010
http://torrentfreak.com/anti-piracy-lawyers-vandalize-wikipedia-page-100402/

As mass file-sharing litigation lawsuits go inter-continental, not everyone is proud to be associated with this type of work. Lawyers Tilly Bailey & Irvine in the UK have been hard at work this month, editing large chunks of their own Wikipedia page in an attempt to hide their involvement and also earning themselves a copyright infringement warning.

This week, Jeffrey Weaver, a lawyer for U.S. Copyright Group, proudly announced that the company would be bringing the mass-litigation model against alleged BitTorrent users to the United States. "We're creating a revenue stream and monetizing the equivalent of an alternative distribution channel," he unashamedly confirmed.

This business model has been running ahead at full-steam in Germany and the UK for some time now. As they do most of the work and are seen to do most of the perceived bullying of individuals ill-equipped to defend themselves, the lawyers operating these schemes have been singled out for most of the criticism.

Tilly Bailey & Irvine (TBI), the lawyers who have just made their first steps into this business model in the UK, had a very stormy entrance.
Within weeks their activities had been noted negatively by the Government and had their traditional 170-year-old company publicly connected with their porn-industry customers.

Of course, the antics of TBI haven't gone unnoticed by the tech-savvy, who have been adding details of their involvement in these schemes to the company's Wikipedia page, as detailed below:

Volume litigation

On 1 March 2010, Lord Clement-Jones criticised TBI Solicitors along with firm ACS:Law for tactics that they employed when accusing people of copyright infringement.[11] He called TBI Solicitors "new entrants to the hall of infamy"[11] and their activities "an embarrassment to the rest of the creative rights industry".[11]

On 3 March, UK consumer rights website Which? reported complaints by people who had received letters from TBI Solicitors accusing them of illegally sharing files of pornographic material that belongs to Golden Eye (International).[12] TBI Solicitors threatened legal action against the letters' recipients unless they paid £700 compensation within fourteen days of the date of the letter.[12]

On 9 March, Which? reported an undertaking by Lord Young that the government would keep watch on ACS:Law and TBI Solicitors.[13]

In an attempt to remove this embarrassing information, a staff member at Tilly Bailey & Irvine took direct action -- by deleting the entire section ten days after TorrentFreak broke the news of their entrance to this business.

So, how do we know it was TBI doing the editing? Because they were smart enough to edit it from 195.153.132.204, the IP address registered to their company.

"Please do not remove sourced content from Wikipedia, as you did with TBI Solicitors -- this is vandalism," wrote a Wikipedia admin to Tilly Bailey & Irvine. "Furthermore, your IP address geolocates to 'TILLY BAILEY & IRVINE' which suggests that you have a conflict of interest in removing criticism of the firm from Wikipedia.
I suggest that you familiarise yourself with that policy before editing this particular article any further," added the award-winning user, Rlandmann.

The final embarrassment on the TBI "talk" page prompted another comment by Rlandmann.

Copyright problem

I've also removed a large chunk of text from the TBI Solicitors article that was copied-and-pasted from the thisishartlepool website. This creates a potential copyright problem for Wikipedia.

TorrentFreak has learned that Tilly Bailey & Irvine has already dropped some cases against alleged infringers after they denied their accusations. We're not sure if the editing of their Wikipedia page means that they intend to move out of this business altogether, since thus far they have refused to answer any of our questions, but it would be a welcome move.

From rforno at infowarrior.org Fri Apr 2 14:36:38 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 2 Apr 2010 10:36:38 -0400
Subject: [Infowarrior] - Prozac Pilots May Fly as FAA Drops Ban on Medicines (Update1)
Message-ID: <3CDDD893-DD41-43E1-B68D-87CCD73E2374@infowarrior.org>

Prozac Pilots May Fly as FAA Drops Ban on Medicines (Update1)
By John Hughes
http://www.bloomberg.com/apps/news?pid=20601109

April 2 (Bloomberg) -- Pilots taking Prozac will be permitted to fly as U.S. regulators drop a decades-old ban on four antidepressants including the Eli Lilly and Co. drug.

Risks from side effects, such as drowsiness, associated with the medications used to treat depression don't pose a safety threat, the Federal Aviation Administration said today.

"We have a better understanding of the drugs," FAA Administrator Randy Babbitt said in an interview. "We know more about the illness, we know more about how to treat it."
The policy, which goes into effect on April 5, may cover as many as 10,000 pilots, such as aviators grounded because they suffer from depression or who take antidepressants in violation of rules, said Fred Tilton, the federal air surgeon.

Organizations led by the Aircraft Owners and Pilots Association, which represents 415,000 small-plane pilots, and the Air Line Pilots Association, the largest union for cockpit crews, had sought to lift the restriction. The FAA said its action is consistent with the views of the groups.

"We really need to remove the stigma, if you will, of being treated for an illness," Babbitt said.

The FAA decision reflects extensive study of the medication issue, said Bill Voss, president of the non-profit Flight Safety Foundation in Alexandria, Virginia.

"The FAA knows this is going to be a controversial ruling because of the stigma attached to depression," Voss said in an interview. "I'm sure they doubly did their homework."

Seek Permission

Under the policy, pilots can seek FAA permission to take one of four drugs -- Lilly's Prozac, Pfizer Inc.'s Zoloft or Forest Laboratories Inc.'s Celexa or Lexapro. Prozac, Zoloft and Celexa have lost patent protection and are available in generic form. Lexapro had $2.3 billion in revenue last year.

All four drugs are in a class of antidepressants called SSRIs, which help regulate mood by blocking reabsorption of the chemical serotonin, believed to play a role in behavior. The drugs give the brain access to more serotonin.

FAA policy bans pilots from flying if they have depression because the condition can be distracting in the cockpit and pose a safety risk, according to the agency. Under the new policy, pilots with depression can seek treatment with one of the four medications and keep flying.

Steven Chealander, a former American Airlines captain and National Transportation Safety Board member, called the policy a "big deal" for pilots who would face disqualification because they take antidepressants.
?Good Condition? ?A lot of guys I know for various reasons haven?t been able to get their medical? certificate due to health conditions or prescriptions, said Chealander, now a vice president of training for Airbus SAS in Miami. ?You?ve got to be in such good medical condition.? An estimated 20 million people in the U.S. have depression, which can cause thoughts of suicide, sadness and feelings of worthlessness, according to the National Institutes of Health. The U.S. had almost 614,000 active pilots in 2008, the most recent FAA statistics, with about 95,000 working for commercial airlines, Tilton said. U.S. airlines ?rely on the FAA? to decide which medications pilots can take, said David Castelveter, a spokesman for the Washington-based Air Transport Association that represents carriers such as Delta Air Lines Inc., UAL Corp.?s United Airlines and AMR Corp.?s American. FAA Monitoring Pilots who show success controlling their depression for 12 months using one of the medications will be able to seek permission to fly, according to the FAA. The pilots will be monitored by FAA health specialists as an additional safeguard, the agency said. Pilots who violate the rule by flying without disclosing their antidepressant use will have amnesty for six months to step forward, Tilton said. Those pilots will be grounded, and could be eligible to fly within a few months if they show a successful history of treatment, he said. As many as 10 percent of Americans were taking an antidepressant as of 2005, the most recent time period available in a Columbia University study released last year. To contact the reporters on this story: John Hughes in Washington at jhughes5 at bloomberg.net . Last Updated: April 2, 2010 08:00 EDT From rforno at infowarrior.org Sat Apr 3 04:26:20 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 3 Apr 2010 00:26:20 -0400 Subject: [Infowarrior] - Latest Facebook fracas: Your privacy vs. 
its profit
Message-ID:

The latest Facebook fracas: Your privacy vs. its profit
By Rob Pegoraro
Sunday, April 4, 2010; G04
http://www.washingtonpost.com/wp-dyn/content/article/2010/04/02/AR2010040200762_pf.html

The signs of a new season surround us: Flowers are blooming, trees are budding, and another Facebook privacy fracas is brewing. The last event kicked off a week ago, when the popular social network posted a note on its blog about "working with some partner Web sites that we pre-approve to offer a more personalized experience" at those sites. This possible change didn't exactly get a charitable read in reactions like "Facebook's Plan To Automatically Share Your Data With Sites You Never Signed Up For," and "Facebook Planning To Give Away Your Data To 'Partners.'" How bad could things get for the 400 million-plus Facebook users when this test begins a few months from now? The potential downside seems obvious. You'll see that some random site knows who your Facebook friends are and fret about other once-private information Facebook might be leaking. But what will you be able to do when so much of your life is tied up there? As Sherry Turkle, a sociologist at Massachusetts Institute of Technology, said in an e-mail Thursday: "There is a sense of the 'investment' in Facebook being so great that one is beholden to it. . . . This is not empowering." (Before I go further, a few disclaimers: Washington Post Co. chairman and chief executive Donald E. Graham sits on Facebook's board of directors; Facebook's chief privacy officer, Chris Kelly, who is on leave to run for political office, is a friend of mine from college; and many Post staffers, myself included, use public Facebook pages to connect with readers.) The upside isn't quite as clear. In a phone interview Wednesday, Facebook spokesman Barry Schnitt and product director Bret Taylor said the Palo Alto, Calif., company wanted to expand its utility.
In this experiment, Facebook would build on its Facebook Connect system (in which people can sign into sites such as The Post's with their Facebook accounts) to help other companies greet Facebook users with a taste of its social network. For example, Taylor suggested that if a Facebook friend posted a link to a song on his wall and you clicked over to the record label's site, the label could tell you which Facebook pals liked the song. This test would come with limits. You'd have to be logged into Facebook in the same browser to get any such personalized welcome elsewhere, fewer than 10 sites would be invited into the program at first, and each of them would have to let you easily opt out (after which each would have to delete any data Facebook had shared about you). Facebook would also provide a universal opt-out for the entire program. To its credit, Facebook hasn't tried to spring this change on people. Beyond that blog post, it has invited users to comment on proposed changes to its privacy policy and "statement of rights and responsibilities" -- then provided a marked-up version of each showing text that has been removed and added, a step few other sites bother to take. The reaction to that prior disclosure could indicate how worked up people really are about the changes. The relevant part of the new privacy policy, "Information You Share With Third Parties," had drawn only 211 comments early Thursday. More important, consider what's happened since Facebook made far more user data public by default in December. According to Schnitt, 33.9 percent of Facebook users had changed their privacy settings one way or another, even though the site required all of them to confirm, decline or edit its suggested options. Since then, 50 million more people have joined Facebook. You can't chalk all of that up to audience obliviousness.
Perhaps Facebook users have decided that with so many people on the site, their own data get lost in the collective noise -- sort of the way living in a big city affords some enforced anonymity. Some might have learned to think like publicists on Facebook. They dial back how much information they post, they only write status updates that beg for publicity (think of all the political manifestoes you've seen), or they create second accounts for their work identities (an action Facebook's user agreement prohibits). Or maybe Facebook's executives are correct in assuming that people don't want as much privacy online, as founder Mark Zuckerberg said in January. (He did not say that privacy was dead, nor does he seem to think that; his own Facebook profile informs strangers that "Mark only shares some of his profile information with everyone.") But even if all of those theories are true, changing the rules to share people's information without advance permission crosses a line. If the benefits of this openness are as obvious as Facebook suggests, this new option should sell itself to the same people who let Google's computers read their Gmail, then publicize their pastimes on Foursquare. And if this experiment is as limited as Facebook suggests, the company won't forgo much revenue if it eases off on its launch. In the meantime, I'll stay on the site -- as a journalist, it's implausible not to. But it would help to see some sign that this company will go to the mat to defend its users' rights, even if that means jeopardizing its profits. It's not too late for Facebook to pick a fight with China, is it?

From rforno at infowarrior.org Sat Apr 3 12:29:54 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 3 Apr 2010 08:29:54 -0400
Subject: [Infowarrior] - Is the cyber threat overblown?
Message-ID:

Is the cyber threat overblown?
Posted By Stephen M.
Walt
Tuesday, March 30, 2010 - 4:14 PM
http://walt.foreignpolicy.com/posts/2010/03/30/is_the_cyber_threat_overblown

Am I the only person -- well, besides Glenn Greenwald and Kevin Poulsen -- who thinks the "cyber-warfare" business may be overblown? It's clear the U.S. national security establishment is paying a lot more attention to the issue, and colleagues of mine -- including some pretty serious and level-headed people -- are increasingly worried by the danger of some sort of "cyber-Katrina." I don't dismiss it entirely, but this sure looks to me like a classic opportunity for threat-inflation. Mind you, I'm not saying that there aren't a lot of shenanigans going on in cyber-space, or that various forms of cyber-warfare don't have military potential. So I'm not arguing for complete head-in-the-sand complacency. But here's what makes me worry that the threat is being overstated. First, the whole issue is highly esoteric -- you really need to know a great deal about computer networks, software, encryption, etc., to know how serious the danger might be. Unfortunately, details about a number of the alleged incidents that are being invoked to demonstrate the risk of a "cyber-Katrina," or a cyber-9/11, remain classified, which makes it hard for us lay-persons to gauge just how serious the problem really was or is. Moreover, even when we hear about computers being penetrated by hackers, or parts of the internet crashing, etc., it's hard to know how much valuable information was stolen or how much actual damage was done. And as with other specialized areas of technology and/or military affairs, a lot of the experts have a clear vested interest in hyping the threat, so as to create greater demand for their services. Plus, we already seem to have politicians leaping on the issue as a way to grab some pork for their states. Second, there are lots of different problems being lumped under a single banner, whether the label is "cyber-terror" or "cyber-war."
One issue is the use of various computer tools to degrade an enemy's military capabilities (e.g., by disrupting communications nets, spoofing sensors, etc.). A second issue is the alleged threat that bad guys would penetrate computer networks and shut down power grids, air traffic control, traffic lights, and other important elements of infrastructure, the way that internet terrorists (led by a disgruntled computer expert) did in the movie Live Free and Die Hard. A third problem is web-based criminal activity, including identity theft or simple fraud (e.g., those emails we all get from someone in Nigeria announcing that they have millions to give us once we send them some account information). A fourth potential threat is "cyber-espionage"; i.e., clever foreign hackers penetrate Pentagon or defense contractors' computers and download valuable classified information. And then there are annoying activities like viruses, denial-of-service attacks, and other things that affect the stability of web-based activities and disrupt commerce (and my ability to send posts into FP). This sounds like a rich menu of potential trouble, and putting the phrase "cyber" in front of almost any noun makes it sound trendy and a bit more frightening. But notice too that these are all somewhat different problems of quite different importance, and the appropriate response to each is likely to be different too. Some issues -- such as the danger of cyber-espionage -- may not require elaborate technical fixes but simply more rigorous security procedures to isolate classified material from the web. Other problems may not require big federal programs to address, in part because both individuals and the private sector have incentives to protect themselves (e.g., via firewalls or by backing up critical data).
And as Greenwald warns, there may be real costs to civil liberties if concerns about vague cyber dangers lead us to grant the NSA or some other government agency greater control over the Internet. Third, this is another issue that cries out for some comparative cost-benefit analysis. Is the danger that some malign hacker crashes a power grid greater than the likelihood that a blizzard would do the same thing? Is the risk of cyber-espionage greater than the potential danger from more traditional forms of spying? Without a comparative assessment of different risks and the costs of mitigating each one, we will allocate resources on the basis of hype rather than analysis. In short, my fear is not that we won't take reasonable precautions against a potential set of dangers; my concern is that we will spend tens of billions of dollars protecting ourselves against a set of threats that are not as dangerous as we are currently being told they are. I hasten to add that this isn't my area of expertise and I may be completely wrong about it. What I would really like, therefore, is for an objective, blue-ribbon commission to look carefully at this question. Here's a possible example of what I have in mind, but I can't tell how reliable its conclusions are likely to be. Why? Because I can't tell how many of its members are people with a stake in the outcome. Makes me wish somebody like Richard Feynman was still around to chair it.

From rforno at infowarrior.org Sun Apr 4 14:54:05 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 4 Apr 2010 10:54:05 -0400
Subject: [Infowarrior] - iPad magazine pricing
Message-ID: <735D7D3A-280B-4027-B08A-2BB380AA6D60@infowarrior.org>

An interesting commentary about the way stuff is being priced/marketed on the iPad. The other day I looked around at Kindle pricing of some stuff and noticed a similar pattern....it's still cheaper to get the Economist in hardcopy than it is on the Kindle (and presumably iPad).
Based on the comments in this blog entry, the same seems to apply to other magazines/newspapers as well. ---rick

iPad app pricing: A last act of insanity by delusional content companies
http://charman-anderson.com/2010/04/02/ipad-app-pricing-a-last-act-of-insanity-by-delusional-content-companies/

(Yes, I *might* consider an iPad Mark 2 (second-gen) as a 'gadget' or 'curiosity purchase'....but I see no compelling need/reason to buy one now, nor do I see this as 'revolutionizing the computing industry'. Though perhaps if it was less-locked-down or an iPhone-on-Steroids I might feel otherwise.) -rick

From rforno at infowarrior.org Sun Apr 4 22:25:18 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 4 Apr 2010 18:25:18 -0400
Subject: [Infowarrior] - iBooks naughty word filter...
Message-ID:

So much for classic New England seafaring literature on iPads (screenshot)

iBooks naughty word filter doesn't let you say "sperm"
http://www.boingboing.net/2010/04/04/ibooks-censortron-do.html

From rforno at infowarrior.org Mon Apr 5 15:53:33 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 5 Apr 2010 11:53:33 -0400
Subject: [Infowarrior] - Wikileaks releases class'd Afghan video
Message-ID:

WikiLeaks has released a classified US military video depicting the indiscriminate slaying of over a dozen people in the Iraqi suburb of New Baghdad -- including two Reuters news staff. Reuters has been trying to obtain the video through the Freedom of Information Act, without success since the time of the attack. The video, shot from an Apache helicopter gun-sight, clearly shows the unprovoked slaying of a wounded Reuters employee and his rescuers. Two young children involved in the rescue were also seriously wounded.
http://collateralmurder.com/
http://www.youtube.com/watch?v=5rXPrfnU3G0

From rforno at infowarrior.org Mon Apr 5 23:26:07 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 5 Apr 2010 19:26:07 -0400
Subject: [Infowarrior] - Report: Infosec Compliance doesn't work much
Message-ID: <747FEDA7-23D7-4968-86AF-E3CB6767069F@infowarrior.org>

It's about time others began to agree with me on this!!!! -rick

Published on threatpost (http://threatpost.com)
Security Programs Focusing Too Much on Compliance, Study Finds
http://threatpost.com/en_us/print/4148
By Dennis Fisher
Created 04/05/2010 - 3:27pm

Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research [1], commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection. "Despite the increasing mandates enterprises face, custodial data assets aren't the most valuable assets in enterprise information portfolios. Proprietary knowledge and company secrets, by contrast, are twice as valuable as the custodial data. And as recent company attacks illustrate, secrets are targets for theft. Compliance, not security, drives security budgets. Enterprises devote 80% of their security budgets to two priorities: compliance and securing sensitive corporate information, with the same percentage (about 40%) devoted to each.
But secrets comprise 62% of the overall information portfolio's total value while compliance-related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighed toward compliance," the Forrester analysts found. The study surveyed 300 senior IT personnel. It found that about 41 percent of security budgets are directed toward non-compliance activities, and about 39 percent go directly to compliance initiatives. Forrester's research also found that although data breaches and accidental losses of sensitive information get most of the headlines, intentional theft of corporate data causes 10 times more financial loss. Interestingly, the study also found that regardless of the number and severity of these kinds of incidents that a company has endured, the IT staff is still likely to think that its security controls are working well. "Even enterprises with a high number of incidents are still likely to imagine that their programs are 'very effective.' We concluded that most enterprises do not actually know whether their data security programs work or not," the study found.

From rforno at infowarrior.org Tue Apr 6 00:43:01 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 5 Apr 2010 20:43:01 -0400
Subject: [Infowarrior] - Obama Limits When U.S. Would Use Nuclear Arms
Message-ID:

April 5, 2010
Obama Limits When U.S. Would Use Nuclear Arms
By DAVID E. SANGER and PETER BAKER
http://www.nytimes.com/2010/04/06/world/06arms.html?pagewanted=print

WASHINGTON -- President Obama said Monday that he was revamping American nuclear strategy to substantially narrow the conditions under which the United States would use nuclear weapons, even in self defense. But the president said in an interview that he was carving out an exception for "outliers like Iran and North Korea" that have violated or renounced the main treaty to halt nuclear proliferation.
Discussing his approach to nuclear security the day before formally releasing his new strategy, Mr. Obama described his policy as part of a broader effort to edge the world toward making nuclear weapons obsolete, and to create incentives for countries to give up any nuclear ambitions. To set an example, the new strategy renounces the development of any new nuclear weapons, overruling the initial position of his own defense secretary. Mr. Obama's strategy is a sharp shift from those adopted by his predecessors and seeks to revamp the nation's nuclear posture for a new age in which rogue states and terrorist organizations are greater threats than traditional powers like Russia and China. It eliminates much of the ambiguity that has deliberately existed in American nuclear policy since the opening days of the Cold War. For the first time, the United States is explicitly committing not to use nuclear weapons against non-nuclear states that are in compliance with the Nuclear Non-Proliferation Treaty, even if they attacked the United States with biological or chemical weapons, or launched a crippling cyberattack. Those threats, he argued, could be deterred with "a series of graded options" -- a combination of old and newly designed conventional weapons. "I'm going to preserve all the tools that are necessary in order to make sure that the American people are safe and secure," Mr. Obama said during the interview in the Oval Office. White House officials said that the new strategy will leave open the option of reconsidering the use of nuclear retaliation against a biological attack, if the development of such weapons reaches a level that makes the United States vulnerable to a devastating strike. Mr. Obama's new strategy is bound to be controversial, both among conservatives who have warned against diluting America's most potent deterrent, and among liberals who were hoping for a blanket statement that America would never be the first to use nuclear weapons. Mr.
Obama argued for a slower course, saying, "We are going to want to make sure that we can continue to move towards less emphasis on nuclear weapons," and, he added, to "make sure that our conventional weapons capability is an effective deterrent in all but the most extreme circumstances." The release of the new strategy, known as the "Nuclear Posture Review," opens an intensive nine days of nuclear diplomacy geared toward reducing weapons. Mr. Obama plans to fly to Prague to sign a new arms control agreement with Russia on Thursday and then next week will host 47 world leaders in Washington for a summit on nuclear security. The most immediate test of the new strategy is likely to be in dealing with Iran, which has defied the international community by developing a nuclear program that it insists is peaceful but that the United States and its allies say is a precursor to weapons. Asked about the escalating confrontation with Iran, Mr. Obama said he was now convinced that "the current course they're on would provide them with nuclear weapons capabilities," though he gave no timeline. He dodged when asked whether he shared Israel's view that a "nuclear capable" Iran was as dangerous as one that actually possessed weapons. "I'm not going to parse that right now," he said, sitting in his office as children played on the South Lawn of the White House during a day-long Easter Egg roll. However, he cited the example of North Korea, whose nuclear capabilities were unclear until it conducted a test in 2006, which it followed with a second shortly after Mr. Obama took office. "I think it's safe to say that there was a time when North Korea was said to be simply a nuclear-capable state until it kicked out the IAEA and become a self-professed nuclear state," he said.
"And so rather than splitting hairs on this, I think that the international community has a strong sense of what it means to pursue civilian nuclear energy for peaceful purposes versus a weaponizing capability."

From rforno at infowarrior.org Tue Apr 6 02:44:50 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 5 Apr 2010 22:44:50 -0400
Subject: [Infowarrior] - Infowarcon 2010
Message-ID: <78C01CB4-A6A9-4A94-B279-CA9B3534423A@infowarrior.org>

InfoWarCon - Washington, D.C.

The 2010 installment of InfoWarCon will be May 12-14 in Washington, D.C., at the Washington Convention Center. I will be joining Jake Schaffner, Alex Cochran, and Chris Rouland as a panelist for the 13 May "Commercial Cyber Intelligence" session -- and, of course, participating in deep philosophical discussions while standing vigilant watch over the nearest coffee urn. The current agenda is @ https://www.crows.org/the-io-institute/agenda-iwc2010.html Hope to see you there! -rick

From rforno at infowarrior.org Tue Apr 6 12:43:23 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 6 Apr 2010 08:43:23 -0400
Subject: [Infowarrior] - Does ACTA Kill Online Anonymity?
Message-ID:

Does ACTA Kill Online Anonymity?
from the it-might... dept
http://techdirt.com/articles/20100330/1847258797.shtml

With the full draft of ACTA leaked, lots of people have been highlighting the various lowlights found in the draft. Andrew Moshirnia, over at the Citizen Media Law Project, has picked up on another one. If you read the draft, it appears to remove due process in revealing anonymous users. While other countries have viewed anonymity differently, in the US, at least, the courts have been very strong defenders of the right to anonymous speech.
But the ACTA draft includes this fun tidbit:

    Each Party shall enable right holders, who have given effective notification to an online service provider of materials that they claim with valid reasons to be infringing their copyright or related rights, to expeditiously obtain from that provider information on the identity of the relevant subscriber.

In other words, as long as someone makes a copyright claim -- bogus or not -- ISPs should be required to give up who the user is. Once again, this appears to be contrary to US law. The RIAA made this argument in the US years ago, and Verizon fought back and (eventually) won, as judges noted that ISPs did not just have to hand over information without a lawsuit being filed and an official subpoena issued. So much for ACTA not changing US law, right? But, an even bigger concern may be how other countries implement this as well. We've already noted that China will likely use ACTA as justification for greater censorship, but Moshirnia points out that authoritarian regimes may start (ab)using it to unveil anonymous internet users as well:

    Let's say I am an oppressive regime. One of the very few ways my citizens can reach me is by videotaping and publicizing my brutal methods of silencing protesters (warning, disturbing link). Now, not only can I use bogus takedown requests to pull down those videos (think a global DMCA) but I can also get the private information of the poster.

So why is anyone supporting ACTA again?

From rforno at infowarrior.org Tue Apr 6 13:29:35 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 6 Apr 2010 09:29:35 -0400
Subject: [Infowarrior] - Uncle Sam Wants You (To Fight Hackers)
Message-ID: <6C76B996-3873-4E10-9AD8-BDCF7E8B144A@infowarrior.org>

April 6, 2010, 12:07AM EST
Uncle Sam Wants You (To Fight Hackers)
The U.S.
government is stepping up recruitment of engineers who can help wage cyberwar
By Rachael King
http://www.businessweek.com/print/technology/content/apr2010/tc2010041_502327.htm

Kyle Osborn does a good job impersonating a technical support rep. On a recent day in Southern California, the 19-year-old is working the phones, trying to persuade people on the other end to download malicious software. In cybercrime circles, this is called "social engineering," and criminals use the tactics to circumvent companies' Internet security software by tricking employees to download harmful software or cough up passwords. Osborn doesn't look the part of a hacker, with his short blond hair, baby face, and glasses. Yet he's persuasive -- after a few calls, he finds an employee who agrees to download malicious software that will open a door into the computer network and let Osborn break in. In real life, Osborn isn't a cybercriminal; he's a student participating in a cyberdefense competition at California State Polytechnic University in Pomona, Calif., that drew about 65 students from Western colleges. The campus is situated on a former ranch east of Los Angeles. Horses and sheep still graze in the pastures. Boeing (BA) and the Black Hat computer security conference sponsored the regional competition, held Mar. 26 to 28. Cisco Systems (CSCO) and Intel (INTC) donated computer equipment. The goal is to help companies recruit students who can assist in bolstering their defenses against cyberattacks. Last year Boeing hired seven students who competed in this event, and the company hopes to fill a few slots with talent discovered this year, too. "It's about [developing] the next generation of cyberwarriors to protect the nation," says Alan Greenberg, technical director of cyber and information solutions at Boeing. Boeing employs about 2,000 cybersecurity workers, up from roughly 100 in 2004. This year, the company may hire 15 to 30 cybersecurity workers, Greenberg says.
Not Enough Applicants

Demand for cybersecurity professionals is growing quickly. Government and industry executives say they need more cybersecurity employees but struggle to find qualified applicants. Just 40% of government hiring managers say they're satisfied with the quality of applicants for federal cybersecurity jobs, and only 30% are satisfied with the number, according to a July 2009 report by Booz Allen Hamilton. While the government's scholarship program can fill about 120 entry-level cybersecurity jobs, the feds need about 1,000 recent grads to fill those spots, according to the report. Together, the U.S. public and private sectors will need about 60,000 cybersecurity workers in the next three years, says Greenberg. "There will be a shortage." The number of cyberattacks from organized hackers against the computer networks of U.S. companies continues to escalate. "Two recent examples have highlighted why companies need to work together: the Conficker worm and the Google attack," says Melissa Hathaway, a former cybersecurity adviser in the Bush and Obama administrations.

Trouble in China

In one particularly high-profile case, the computer systems of Google (GOOG) and more than 30 other companies, including Adobe Systems (ADBE), were breached by hackers based in China. The incident ultimately led Google to redirect its Chinese users to company servers in Hong Kong. In February, security software vendor NetWitness said it had discovered that about 2,500 organizations had their PCs recruited into a network of spam-sending computers. At a computer security conference at Stanford University on Mar. 17, government and industry officials said theft of intellectual property from hacking endangers the U.S. economy. Richard Schaeffer, director of information assurance at the intelligence-gathering National Security Agency, said during a panel discussion that the U.S. isn't taking theft of intellectual property due to hacking "seriously enough."
Government and industry need to work together to stop it -- or risk losing economic leadership, Schaeffer said. "It's not something we as a nation can afford to lose." In 2008, chief information officers of 800 companies estimated that they had lost $4.6 billion worth of intellectual property due to cybercrime and employee theft, according to a January 2009 report from security software vendor McAfee (MFE).

Best Weapons: People

Cyberdefense competitions at Cal Poly Pomona and other universities are one example of increased public-private cooperation, as recruiters scour contestants for the next generation of cybersecurity talent. Because cyberattacks happen so quickly and attackers can change tactics rapidly, experts say the fight often boils down to people skills -- which side has the best-trained cyberwarriors. "The weapons of the next war will be people," says Alan Paller, director of research at SANS Institute, a research and educational organization for security professionals. About 85% of critical U.S. infrastructure, including electric utility grids, telecommunications networks, and banking systems, is owned by private industry, according to the U.S. Homeland Security Dept. That means national security is interwoven with private companies' ability to protect their digital networks. "We're all playing defense, and we're all doing it for shareholder value, for customer value, for economic purposes," says John Stewart, Cisco's chief security officer. The competition at Cal Poly Pomona is a grueling multiday affair. By 7 p.m. on Mar. 27, the 19th hour of the event, the cases of Red Bull are gone, but the teams are still working in an auditorium on campus, some operating mock corporate networks, and others trying to infiltrate them. The winners will go on to a national competition that begins Apr. 16 in San Antonio. That conference has drawn such corporate sponsors as Microsoft (MSFT), McAfee, and Accenture (ACN). A separate government talent search, the U.S.
Cyber Challenge, aims to find 10,000 young cybersecurity workers through a series of national competitions.

Alluring Pay Scales

Starting salaries in Internet security can reach $100,000, says Boeing's Greenberg. Alisha Kloc, 25, began working as a systems security engineer at Boeing last year after competing in the 2009 cyberdefense competition at Cal Poly and meeting technical director Greenberg. "The competition gave me a good feel for how things work in the real world," she says. Students said knowing that potential employers were watching the conference gave them extra incentive to perform. "We took this very seriously," says David Hunter, a member of the winning team from Cal Poly Pomona. Osborn says it's his dream to work in the cybersecurity field. He spends evenings and weekends learning what he can on his own. "I've been doing this since I was 14," he says. At the end of the conference, two people approached him about jobs. It's another small step in the hunt for fresh talent to bolster the nation's computer security defenses. King is a writer for Bloomberg BusinessWeek in San Francisco.

From rforno at infowarrior.org Tue Apr 6 14:14:24 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 6 Apr 2010 10:14:24 -0400
Subject: [Infowarrior] - Words as Weapons: Dropping the 'Terrorism' Bomb
Message-ID: <902670CB-B1E9-4467-BD1C-29D592E8949C@infowarrior.org>

April 2, 2010
Words as Weapons: Dropping the "Terrorism" Bomb
By SCOTT SHANE
http://www.nytimes.com/2010/04/04/weekinreview/04shane.html?hpw=&pagewanted=print

WASHINGTON -- Words can be weapons, too. So after nearly every new report of political violence, whether merely plotted or actually carried out, there is a vocabulary debate: Should it be labeled "terrorism"? When early reports of Maj.
Nidal Malik Hasan’s shooting spree at Fort Hood, Tex., in November mentioned his personal problems and failed to apply the T-word, activists on the right cried foul: He’s a radical Muslim terrorist, they said, and only political correctness run amok could argue otherwise.

When A. Joseph Stack III flew his Piper Dakota into an Internal Revenue Service office building in Austin, Tex., in February, killing himself and an I.R.S. manager, it was the left that blew the linguistic whistle: If such a public, politically motivated act of lethal violence is not terrorism, they asked, just what is?

Last week, the arrests of nine members of the Hutaree Christian sect in Michigan on charges that they plotted to kill police officers and then bomb their funerals stirred up the question again. Were they terrorists? Were they Christians? Were they just weirdos? Had they been Muslims, some commentators complained, there would have been not a moment’s hesitation at applying both names: Islamic terrorism.

“None dare call it terrorism,” wrote David Dayen at the liberal Firedoglake blog, noting that most of the major media outlets had not used the word “terrorism” in reporting the Hutaree arrests for plotting exactly that. “These are Christians, so they cannot be terrorists. Or something,” he added, with sarcasm.

At Lucianne Goldberg’s conservative Web site, Lucianne.com, a contributor calling himself kanphil rejected the labels: “Not Christians. Not terrorists. Just dimwits that couldn’t organize a decent deer hunt.”

The right-left squabbles are an attempt to spin violence for political advantage. If Major Hasan was a Muslim terrorist, the right’s logic goes, then oversensitivity to the rights of Muslims is unjustified and the tough security measures of the Dick Cheney school are validated.
If the Hutaree are government-fearing, right-wing Christians, the left suggests, then perhaps there is reason to be wary of the extremism of other anti-government, conservative Christians, whether of the Tea Party or plain Republican Party variety.

But more is at stake here than semantics or petty point-scoring in the blogosphere. Political violence has two elements: the act, and the meaning attached to it. Long after the smoke of an explosion has cleared, the battle over language goes on, as contending sides seek to aggrandize the act or dismiss it, portray it as noble or denounce it as vile.

“The use of the term terrorism delegitimizes the opponent,” said Martha Crenshaw, a scholar at Stanford who wrote her first essay wrestling with the definition of terrorism in 1972. “It’s not just the tactics that are discredited, it’s the cause, as well.”

In fact, accused terrorists often throw the label back at their accusers. In a recording played in court last week, David B. Stone Sr., leader of the Hutaree group, described the government as a “terrorist organization.” And Doku Umarov, the Chechen guerrilla leader who claimed responsibility for the suicide bombings in the Moscow subway, took the same line in a videotaped message, suggesting that the real terrorist was his nemesis, Vladimir V. Putin, the Russian prime minister. “Any politician or journalist or any person who will condemn me for those operations, or who will accuse me of terrorism, I am laughing at those people,” he said, “because I haven’t heard that Putin was accused of terrorism for the murder of civilians.”

The word originated in the context of large-scale violence by the state: the Jacobin Reign of Terror during the French Revolution, when 16,000 to 40,000 people were killed in 13 months. The Latin root “terrere” means “to cause to tremble,” and one essential notion in most definitions of terrorism is that it seeks to frighten the enemy, as well as to inspire allies.
Over time, terrorism has come to be applied more commonly to the violent tactics of nonstate groups, often in a campaign of repeated attacks. The targets are often chosen for symbolic reasons (the World Trade Center, the Pentagon), and the victims usually include civilians. The acts of terror seek to influence an audience, ostensibly in service of a political goal.

The anarchist movement before and after the turn of the 20th century spoke of the “Propaganda of the Deed,” a phrase that captures both the violence and its purported political purpose. Their deeds included the assassination of numerous politicians and world leaders, including President William McKinley in 1901, and they were the rare militants who did not shun the terrorism label.

“They called themselves terrorists and they were proud of it,” said David C. Rapoport, a historian of terrorism and editor of the journal Terrorism and Political Violence.

With time, however, the term terrorism took on connotations of cowardice, unfairness and special brutality, whatever the larger cause it claims to serve. Today even the most brazen of terrorists generally shun the label. In a recent audio message, Osama bin Laden described Khalid Shaikh Mohammed, chief planner of the Sept. 11 attacks, as a “holy warrior and hero.”

Major Hasan, by the standard definition, would qualify as a terrorist. Whatever his emotional troubles, he appears to have viewed his killings as part of the larger global campaign of Muslims fighting what they view as American aggression. Likewise, though Joe Stack certainly had his personal gripes against the I.R.S., the six-page manifesto he left behind suggested that he was dying for the cause of freedom in a blow against “Mr. Big Brother I.R.S. man.”

True, both men seem to have been eccentrics and sociopaths. But so are many who all agree are terrorists — remember Mohammed Atta, with his creepy list of instructions for how his body should be handled after death?
By choosing, in their despair, not just solo suicide but an attack against others, and by attaching their violence to a political point of view, they earned the label.

From the debate over word choice came the adage that “one man’s terrorist is another man’s freedom fighter,” a cliché already by the 1980s. “That’s a catchy phrase, but also misleading,” President Ronald Reagan said in a 1986 radio address. “Freedom fighters do not need to terrorize a population into submission. Freedom fighters target the military forces and the organized instruments of repression keeping dictatorial regimes in power. Freedom fighters struggle to liberate their citizens from oppression and to establish a form of government that reflects the will of the people.”

But distinguishing these points is not always easy: Major Hasan targeted military forces; Mr. Stack surely considered the I.R.S. an “organized instrument of repression.”

Thinking of ends and not means, Mr. Reagan praised the Nicaraguan contra rebels, who had a bloody record fighting the Communist Sandinistas, as “the moral equivalent of the Founding Fathers.” In the cold war contest with the Soviet Union, he armed and embraced the Afghan “freedom fighters” and their Arab allies, some of whom evolved into the terrorists of Al Qaeda and the Taliban.

That long-ago radio address sounds naïve in retrospect in another respect, too. “History is likely to record that 1986 was the year when the world, at long last, came to grips with the plague of terrorism,” President Reagan declared. President Obama is unlikely to venture a similar prediction anytime soon.
From rforno at infowarrior.org Tue Apr 6 16:31:46 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 6 Apr 2010 12:31:46 -0400
Subject: [Infowarrior] - Court: FCC has no power to regulate Net neutrality
Message-ID:

April 6, 2010 8:15 AM PDT

Court: FCC has no power to regulate Net neutrality
by Declan McCullagh
http://news.cnet.com/8301-13578_3-20001825-38.html

The Federal Communications Commission does not have the legal authority to slap Net neutrality regulations on Internet providers, a federal appeals court ruled Tuesday.

A three-judge panel in Washington, D.C. unanimously tossed out the FCC's August 2008 cease and desist order against Comcast, which had taken measures to slow BitTorrent transfers and had voluntarily ended them earlier that year.

Because the FCC "has failed to tie its assertion" of regulatory authority to any actual law enacted by Congress, the agency does not have the authority to regulate an Internet provider's network management practices, wrote Judge David Tatel of the U.S. Court of Appeals for the D.C. Circuit.

Tuesday's decision could doom one of the signature initiatives of current FCC Chairman Julius Genachowski, a Democrat. Last October, Genachowski announced plans to begin drafting a formal set of Net neutrality rules -- even though Congress has not given the agency permission to begin. (Verizon Communications CEO Ivan Seidenberg, for instance, has said that new regulations would stifle innovative technologies like telemedicine.)

Even though liberal advocacy groups had urged the FCC to take action against Comcast, the agency's vote to proceed was a narrow 3-2, with the dissenting commissioners predicting at the time that it would not hold up in court. FCC Commissioner Robert McDowell, a Republican, said at the time that the FCC's ruling was unlawful and the lack of legal authority "is sure to doom this order on appeal."
The ruling also is likely to shift the debate to whether Congress will choose to explicitly grant the FCC the authority to regulate companies' network management practices. It will also likely revive lobbying coalitions that have been defunct for the last few years.

In 2006, Congress rejected five bills, backed by groups including Google, Amazon.com, Free Press, and Public Knowledge, that would have handed the FCC the power to police Net neutrality violations. Even though the Democrats have enjoyed a majority on Capitol Hill since 2007, the political leadership has shown little interest in resuscitating those proposals.

"We must decide whether the Federal Communications Commission has authority to regulate an Internet service provider's network management practices," Tatel wrote in his 36-page opinion. "The Commission may exercise this 'ancillary' authority only if it demonstrates that its action--here barring Comcast from interfering with its customers' use of peer-to-peer networking applications--is 'reasonably ancillary to the...effective performance of its statutorily mandated responsibilities.'"

In August 2005, the FCC adopted a set of principles saying "consumers are entitled to run applications and use services of their choice." But the principles also permit providers' "reasonable network management" and, confusingly, the FCC admitted on the day of their adoption that the guidelines "are not enforceable."

The FCC's 2008 vote to punish Comcast stems from a request from Free Press and its political allies, including some Yale, Harvard, and Stanford law school faculty. They claim the FCC has the authority--under existing law--to "impose additional regulations" declaring Comcast's throttling to be illegal.

This is not the first time that the FCC has been rebuked for enacting regulations without any actual legal authority to do so. In 2005, the D.C. Circuit ruled the agency did not have the authority to draft its so-called broadcast flag rule.
And a federal appeals court in Pennsylvania ruled in the Janet Jackson nipple exposure incident that the FCC's sanctions against CBS--which publishes CNET News--amounted to an "arbitrary and capricious change of policy."

Update at 9:15 a.m. PDT: History and more details added.

From rforno at infowarrior.org Tue Apr 6 16:33:24 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 6 Apr 2010 12:33:24 -0400
Subject: [Infowarrior] - Nuclear Posture Review (PDF)
Message-ID: <09421F61-7546-442D-8785-2039999500FB@infowarrior.org>

http://www.defense.gov/npr/

The Nuclear Posture Review (NPR) is a legislatively-mandated review that establishes U.S. nuclear policy, strategy, capabilities and force posture for the next five to ten years.

PDF @ http://www.defense.gov/npr/docs/2010%20Nuclear%20Posture%20Review%20Report.pdf

From rforno at infowarrior.org Tue Apr 6 18:46:07 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 6 Apr 2010 14:46:07 -0400
Subject: [Infowarrior] - Comcast Can Block BitTorrent Again, Court Rules
Message-ID:

Comcast Can Block BitTorrent Again, Court Rules
Written by Ernesto on April 06, 2010
http://torrentfreak.com/comcast-can-block-bittorrent-again-court-rules-100406/

The US Court of Appeals for the District of Columbia has overruled the FCC’s decision to sanction Comcast for unfair treatment of BitTorrent users. The ruling, which may also affect the FCC’s Net Neutrality regulation, means that Comcast could go back to throttling BitTorrent users.

In 2008 Comcast was ordered to stop slowing down BitTorrent users by preventing them from sharing files with others. In addition, the company had to disclose all “network management” practices. The whole Comcast debacle ignited a discussion about Net Neutrality and eventually led to the FCC’s national broadband plan which was released last month.
Today, the Court of Appeals overruled the FCC’s decision in the Comcast case, with three judges stating that the commission doesn’t have the authority to require ISPs to keep their networks neutral.

After appealing the FCC’s decision in favor of BitTorrent users, Comcast has finally got the verdict (pdf) it wanted. Although it seems unlikely that the ISP will pick up its old habit of preventing BitTorrent users from seeding files, it could in theory do so.

The Court of Appeals ruling states that the FCC did not have the power to regulate ISPs’ network management practices, which leaves the commission with two options. It could appeal to the Supreme Court, or it could ask Congress to give it the powers it wants and/or needs.

The latter option will pose potential problems for the likes of Comcast, with the FCC potentially asking not only for powers to deal with this particular case, but for greatly increased powers to regulate the entire sector. For BitTorrent users on Comcast and other US Internet providers, uncertain times are ahead.

From rforno at infowarrior.org Wed Apr 7 20:52:27 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 7 Apr 2010 16:52:27 -0400
Subject: [Infowarrior] - Spirit airlines charging for carry-on bags
Message-ID:

Unbundled airline fees reach the overhead bin
Spirit Airlines the first U.S. carrier to introduce charge for carry-on bags
By Harriet Baskas
updated 11:30 a.m. ET April 7, 2010
http://www.msnbc.msn.com/id/36199332/ns/travel-news/

That lumpy person seated next to you on your next Spirit Airlines flight may not be so large in real life. The budget carrier announced Tuesday it will begin charging a fee of up to $45 for each piece of carry-on luggage placed in overhead bins. The fees will be assessed on travel August 1 and beyond. That means that come summer, you may notice some Spirit Airlines customers wearing multiple layers of clothing on flights in an effort to avoid the carry-on fee.
In the modern era of unbundled airline service fees, customers now pay for everything from sodas and snacks to extra leg room and seats on the aisle. On most airlines, passengers also pay hefty fees to check their bags.

George Hobica, president of travel Web site Airfarewatchdog.com, said Spirit is the first airline he's aware of that plans to charge for bags passengers bring on board. “Even Ryanair doesn’t charge,” Hobica said, referring to the low-cost Irish airline rumored to be mulling pay-to-pee lavatories on its planes. “The real question is: Will other airlines follow and will this actually be good for air travel?”

In the company’s press release announcing the policy change, Spirit Airlines Chief Operating Officer Ken McKenzie suggested the fee will be good for air travel, as it will “reduce the number of carry-on bags, which will improve in-flight safety and efficiency by speeding up the boarding and deplaning process, all of which ultimately improve the overall customer experience.” Further, by unbundling the fees even more, McKenzie said passengers might save money. “Bring less; pay less. It’s simple.”

But will travelers go along? Jami Counter, senior director of TripAdvisor Flights, doesn’t think so. “This move by Spirit may cross the line for U.S. travelers who are already near the breaking point due to rising checked baggage fees,” Counter said. “While there may be a big enough customer base out there willing to suffer a wide array of add-on fees in exchange for rock-bottom fares, it's likely that this move will alienate many fliers.”

Steven Frischling, an airline blogger and emerging media consultant, called Spirit’s carry-on fee part of “a deceptive pricing scheme ... that should come before the Federal Trade Commission for review.”

Boston-based writer and travel expert Melanie Nayer doesn’t think fees for carry-on bags will fly. “We’ll see a slight increase in the price of airline tickets before we see airlines come out with carry-on bag fees,”
she said. “Some things will just not go over well. This is one of them.”

Competitors keep watch

As they did when a few airlines first floated fees for checked bags, competing airlines are sitting back and watching how Spirit Airlines’ carry-on bag fees play out. At Alaska Airlines, charging for carry-on luggage “has never come up in any conversation,” spokesperson Bobbie Egan said. United Airlines is not considering adding the fee, according to spokesperson Robin Urbanski. And AirTran Airways spokesperson Christopher White said the carrier has “no immediate plans to change carry-on baggage policies.”

“We weren't anticipating an airline to come out with a policy for carry-on bags,” said Brandy King, spokesperson for Southwest Airlines, one of few U.S. carriers that does not charge for checked bags. “But it still doesn’t change the way we’re doing business. We don’t have plans to charge for carry-ons.”

No other domestic airlines currently charge for carry-on bags, although carriers will reclassify your carry-on as checked baggage if it is too large for the overhead bin.

Spirit won’t charge for carry-ons until August, and there will be exceptions for items that fit under a seat. Furthermore, charges will not apply to several objects, such as umbrellas, assistive devices, outer garments (coats, hats, wraps), cameras, car seats/strollers, infant diaper bags, medicine, pet containers, reading material or food for immediate consumption.

And we will undoubtedly see travelers getting creative with some of those exempt items, and could see others adopting pocket-rich clothing. SCOTTEVEST founder and CEO Scott Jordan called Spirit’s decision “ridiculous and insane,” but acknowledged business will be great “if other airlines are stupid enough to adopt the same program.” The company sells jackets, shirts, vests and other clothing with built-in pockets originally designed to help travelers maximize the one carry-on bag rule.
JetBlue, which doesn’t charge for a first checked bag, reacted to Spirit’s decision with pointed humor. On its Web site, the airline offered this advice: “For those times when customers can’t travel on JetBlue, we recommend purchasing our expertly-crafted Extrago Sherpa Shirt — special outerwear we designed to hold an entire trip’s worth of necessities, including the money you’ll save by not checking or carrying on your bag.”

The shirt — a suitcase that wraps around a traveler’s torso — doesn’t really exist. But if other airlines follow Spirit’s lead, it may be the next hot item to hit retail shelves.

Harriet Baskas is a frequent contributor to msnbc.com, authors the “Stuck at the Airport” blog and is a columnist for USATODAY.com. You can follow her on Twitter.

© 2010 msnbc.com.

URL: http://www.msnbc.msn.com/id/36199332/ns/travel-news/

From rforno at infowarrior.org Wed Apr 7 21:22:48 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 7 Apr 2010 17:22:48 -0400
Subject: [Infowarrior] - Cyberattack: Michele Bachmann's response
Message-ID: <9AF1B20C-7D8B-47E3-9939-BAD35539539E@infowarrior.org>

(While I'm loath to post much direct political stuff here, this one was too whacky to ignore: Michele Bachmann is a GOP Congresscritter well-known for her controversial views and whackjob soundbytes based on little real substance or fact. In a political speech today, she assailed the Obama NPR that came out yesterday. Contemplating a nuclear response to a cyberattack? She better get a new speechwriter. -rick)

"So if in fact there is a nation who is compliant with all the [new NPR] rules ahead of time...if they fire against the United States, a biological weapon, a chemical weapon, or maybe a cyber attack, then we aren't going to be firing back with nuclear weapons," said Bachmann.
"Doesn't that make us all feel safe?"

Source: http://www.cbsnews.com/8301-503544_162-20001959-503544.html

From rforno at infowarrior.org Thu Apr 8 00:48:55 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 7 Apr 2010 20:48:55 -0400
Subject: [Infowarrior] - How “Dirty” MP3 Files Are A Back Door Into Cloud DRM
Message-ID: <196D2E95-5BA8-47BD-9C4A-4157ECE5C9E8@infowarrior.org>

How “Dirty” MP3 Files Are A Back Door Into Cloud DRM
http://techcrunch.com/2010/04/06/how-dirty-mp3-files-are-a-back-door-into-cloud-drm/

All the big music sellers may have moved to non-DRM MP3 files long ago, but the watermarking of files with your personal information continues. Most users who buy music don’t know about the marking of files, or don’t care. Unless those files are uploaded to BitTorrent or other P2P networks, there isn’t much to worry about....

< - >

From rforno at infowarrior.org Thu Apr 8 11:57:29 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 8 Apr 2010 07:57:29 -0400
Subject: [Infowarrior] - UK's controversial net-blocking bill passed
Message-ID: <4CD97602-EE33-4435-86F9-58633215720D@infowarrior.org>

Original URL: http://www.theregister.co.uk/2010/04/08/mandybill_commons/

Mandybill: All the Commons drama
Web-blocking goes through, orphan works fails
By Andrew Orlowski (andrew.orlowski at theregister.co.uk)
Posted in Music and Media, 8th April 2010 00:03 GMT

Live TV and internet coverage allowed the nation to feel grubby as the Mandybill was shunted through the House of Commons late last night. The government’s replacement for Clause 18 — a catch-all illiberal web-blocking measure that few in the music business ever expected to survive — was approved, and the photographers cemented a spectacular victory by crushing the orphan works clause.

But not before a bit of spirited resistance — or token posturing —
take your pick, for in truth it was a bit of both, to the copyright infringement clauses by Tom Watson, Austin Mitchell, Bill Cash and other backbenchers.

Almost universally the MPs who spoke objected to the bill being rammed through in a sort of procedural speed-dating, at the very death of Parliament. Even stalwart copyright supporters such as John Hemming, a BPI member, and LibDem frontbencher Don Foster condemned the scheduling. Foster said the government’s whips could have timetabled a Commons debate three weeks earlier, but had left MPs kicking their heels.

Watson proposed a number of probing amendments - ie ones designed to be withdrawn - before duly withdrawing them all. The first of these, which would have decriminalised online file sharing except for commercial infringers, took almost an hour to debate. While it gave MPs a chance to vent before a sizeable crowd following on Twitter, it exhausted most of the time available.

[Image: On Twitter, the probing amendments caused some confusion]

Foster said that it “was disgraceful a bill of this complexity is given so little time” to be debated, explaining: “That’s why so many of us are in such a difficult position. [Watson] has raised important probing amendments.” He regretted the time didn’t allow orphan works to be discussed, but then nobody mentioned the ludicrous timetable for radio switchover. Or radio at all. Not once.

The government’s promise of a “superaffirmative” procedure in the next Parliament (commencing mid-May) may not have won over any rebels, but perhaps staunched any defections. The procedure means leftover legislation is subject to a further 60 days' scrutiny.

So the Digital Economy Bill was passed by 189 to 47 votes at 11:18pm. The web-blocking provision was the only clause to go to a division, where it was carried 197:40. Clause 43 fell on a voice vote.

Apart from blaming the Labour Party for rotten scheduling, the Conservatives were quiet.
Tory spokesman Ed Vaizey mocked the “extraordinary bleating” of the Labour worrywarts, and didn’t think much of Watson’s amendments, which he said were “scribbled on the back of an envelope at 100 mbits/second.” “It is pathetic for the Labour benches to say that the three hours is nothing to do with them. They are responsible for the lack of scrutiny.”

In turn, Watson wasn’t impressed with The Honourable Edward Vaizey, and said he could have done some scrutinising of his own.

'Likely to infringe'

[Image: On Twitter, the divisions caused some confusion]

Watson, who was in no way playing to his Twitter gallery, said he feared the tyranny of the “lickspittle media oligarch who gives instructions from his tax haven”. If Twitter was an electorate, Watson would have won by around 3,000 votes to one by this point. Those are the kind of numbers a dictator would be comfortable with.

Watson said he thought a statutory license would solve the problem — a confiscation of private property (from the lickspittle media oligarchs) to be handed over to the People of a Free Freetardia — and said that’s how a Labour government had solved the problem of Pirate Radio in the 1960s. The analogy doesn’t quite scale, obviously.

Unfortunately, with a few open goals to aim at, many of the backbench objections were about as coherent. One MP said the trawl would only catch children, the inference being grown-ups don’t use Bittorrent. Another MP said the legislation was unenforceable, because people could change their internet providers as easily as they could change an email address, and if disconnected they’d just create another Hotmail account to get on the internet instead.

Hemming said that publication of FOIA-requested material that had been stamped with the crown copyright could be blocked. This was not in the Amendment the government countered with last week, it must be said, which would permit publication in the public interest.
Foster scored some better points, wondering why on earth web blocking could be applied to sites “likely to infringe”, and why an injunction needed to be “indefinite”?

These are terrible amendments, but in their haste to pursue fictional grievances that catch headlines, such as Open Wi-Fi and disconnections, the Open Rights Group is guilty of incredibly naive tactics, and has helped unleash some really dangerous legislation into the wild. (They could take a leaf out of the Stop43 group’s successful campaign. Rather than trying to get their names in the papers as Freedom Fighters, using enviro-scare tactics, the photographers quietly stopped the bad legislation through rational persuasion and did so using fewer resources - and less time.)

[Image: On Twitter, latecomers were simply confused]

Now what?

The Mandylaw may not survive the cooler appraisal of “Superaffirmative” scrutiny in the next session, but Ofcom - which has the task of devising the “technical counter measures” - may get cold feet. The timetable is for a six-month consultation period. This is likely to stretch to nine months when the EU is included. Then the first letters go out. Only a year after that, the throttling can begin.

From rforno at infowarrior.org Thu Apr 8 13:23:27 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 8 Apr 2010 09:23:27 -0400
Subject: [Infowarrior] - Europe Learns The Truth(s) About ACTA
Message-ID:

Europe Learns The Truth(s) About ACTA
By Monika Ermert for Intellectual Property Watch @ 9:03 pm
http://www.ip-watch.org/weblog/2010/04/07/europe-learns-the-truths-about-anti-counterfeiting-trade-agreement/

The truth about the Anti-Counterfeiting Trade Agreement (ACTA) is different depending on which side you are on.
At a hearing organised by the Liberal Party Group in the European Parliament in Brussels yesterday, Canadian law professor and ACTA expert Michael Geist challenged the position of the European Commission and other negotiating parties to the agreement that ACTA would not lead to substantive law changes in the ACTA countries, and also explained what possible long-term effects could result from the heavily debated treaty. Critics in Europe go one further in their rejection of ACTA, which, according to them, undermines democratic processes in the EU and EU member states.

The “truth about ACTA,” according to Geist, is first and foremost that it is not what it is said to be. “It is essential to recognise that ACTA is not the norm,” Geist said, countering the argument of negotiating parties who have pointed out tirelessly that trade agreements never were negotiated openly.

Geist: Not about Trade, but about IP

“ACTA is not about trade, but about IP,” said Geist, who added the assertion that ACTA is not confined to enforcement of existing laws only. “The claims that this is solely about enforcement, I am sorry, but that is not true.” Examples he gave of necessary changes are higher standards with regard to banning anti-circumvention technology, the protection of “labels” on products and packages, notice and take-down provisions for providers that many countries do not already have, or statutory damages so far only in use in the US. “Statutory damages so far were mainly used by the way against non-commercial users,” warned Geist in a challenge to the notion put forth by ACTA negotiators that non-commercial users would be off the hook.

Raising standards in copyright protection is one clear goal of ACTA as Geist reads the leaked draft text of the agreement, which is the only version available to the public.
One example, according to him, is the re-introduction of anti-circumvention legislation via ACTA that had not received global consensus at the World Intellectual Property Organization (WIPO) when the so-called internet treaties were negotiated in the 1990s. Now the US Digital Millennium Copyright Act would become the standard.

Geist said he is afraid of similar effects from ACTA with regard to internet cut-offs in the style of “three-strikes-and-you’re-out.” While the cut-offs were not compulsory in ACTA they could be referenced by the ACTA partners once in the text and become a standard over time. “You will not get the three strikes today,” he said, but rather in a few years. Again, it was the truth, said Geist, that the three-strikes measure was only in a footnote and only mentioned as an example of conditions ISPs had to accept in order not to be held liable for copyright infringement by their customers on the net. “But it is the only measure mentioned,” said Geist.

Malcolm Hutty, president of EuroISPA, warned in his panel presentation in Brussels that internet service providers must be protected from liability in order to have the rights of users like free access to information and privacy protected. Measures internet service providers might be asked to implement to qualify for a safe harbour were throttling of bandwidth, the blocking of IP addresses, the filtering or monitoring of traffic and the mentioned cut-offs from access to the communication network. ISPs facing unlimited liability because they did not implement such measures certainly had no option, according to Hutty. “If that is the case, this is commercially mandatory, even if it is not legally mandatory,” he said.
[Image: EU negotiator Luc Devigne (on left) with Canadian law professor Michael Geist in Brussels. Photo credit: Monika Ermert]

Devigne: ACTA Fears Based on Myths

Luc Devigne, European Commission lead negotiator for ACTA, reiterated once more the Commission’s mantra that the Commission would not go beyond the acquis communautaire, the harmonised legislation of the Union. To Hutty, Devigne said the Commission would not accept a compulsory three-strikes-rule, or even one that would make internet cut-offs commercially mandatory.

The truth about ACTA told by Geist was rejected completely by Devigne. “I totally disagree with all examples you gave,” the EU official said. ACTA is “only about enforcement, I stand by that,” he underlined, listing all the things the EU would not agree to in the negotiations because there was no harmonised legislation. “There will be no change in ISP liability,” he said, and notice and take-down is only in place in some EU countries. Also there is “no specific legislation for camcording in European legislation so we won’t accept it.” Another example he gave was criminalisation of patent infringement, where again there is no EU law and therefore “we would not accept it.”

Yet there are some problems Devigne had to acknowledge with regard to the EU acquis. Several members of the EU Parliament asked, for example, what line of negotiation the Commission was taking with regard to the definition of “commercial,” a term critical in the European debate about criminal sanctions. Devigne said as there was no harmonised position in the EU on this, the Commission did not take a stance in the negotiations. Criminal sanctions, also not harmonised in the Union, accordingly are negotiated by the EU Presidency representing the European Council.

As soon as the draft ACTA text is published — something the EU is proposing at the next meeting round in New Zealand next week — his life will become easier, Devigne said.
That's because he would not have to deal any longer with myths surrounding ACTA. Geist doubted that Devigne's life would become easier with the transparency problem solved. Analyzing the discussion, he said the two sides obviously see two "totally different things" when reading the same text. For instance, saying that a three-strikes model was not there after the leaked draft version of April contained the respective footnote made Devigne's expectation rather unlikely, Geist said.

ACTA -- counterfeiting at all or counterfeiting only?

Members of Parliament -- who attended the hearing in considerable numbers -- were highly critical of the ACTA negotiation so far. "If three strikes are not compulsory, why are they in the text at all?" asked Liberal Party Member Sophie in 't Veld. Parliament has already said that it does not want internet cut-offs. She also questioned the whole process of secret negotiations and accused the Commission of seeing democratic processes as a burden. The European Parliament in an earlier resolution not only asked for full access to all ACTA documents, but also to limit ACTA's scope to anti-counterfeiting, the very aspect where ACTA according to Geist would "ironically" not lead to a much better situation. Limiting ACTA to counterfeiting could in fact mean that the chapter on digital environment and copyright would have to be taken out, something that had made Trade Commissioner Karel De Gucht nervously ask MEPs not to ask for in their resolution. "We stand by this," said Alexander Alvaro, Liberal Party member and one of the organisers of yesterday's hearing. Devigne was asked by several participants in the hearing, including Pirate MEP Christian Engström, what kept the Commission from implementing the Parliament's resolution. He answered that one had to read the whole resolution, which also asked for "continuing the negotiations."
How this EU power struggle is developing is still open, but there are observers who fear that ACTA is undermining EU democratic processes. Not only the resolution by the Parliament seems to have been made a piece of interpretation, but information to national parliaments -- not to mention the public -- has been non-existent at best, and possibly "deceptive" in more severe cases, according to some ACTA critics. Geist is heavily concerned with a series of other long-term effects. The shift of venues from the IP-competent fora to ACTA, for example, could slow down or sideline other projects like the WIPO treaty for the visually impaired or the Development Agenda. ACTA with a whole set of bodies of its own might in fact supersede WIPO, where there has been an intensive, and much more open, debate on exemptions and limitations to IP rights in recent years, said Geist. He criticised the "country-club approach" of ACTA that would exclude the very countries that were the target of complaints with regard to counterfeiting. To make ACTA negotiations transparent therefore was not the final goal, said Geist. Substantive debate had to follow and he still thought that a multi-lateral approach should be pursued. Whether parliaments like the EU Parliament or NGOs like InternetNZ and other organisers of the counter-conference to ACTA round nine in New Zealand next week will be able to change or even stop ACTA is doubtful, said Geist. What could stop ACTA is disagreement among the ACTA country-club members, and there is still some of that.

From rforno at infowarrior.org Thu Apr 8 17:27:58 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 8 Apr 2010 13:27:58 -0400 Subject: [Infowarrior] - Federal IT pros say U.S. at high risk for cyberattack Message-ID: <059FAB88-97AC-47B4-BFFE-56B5007433A8@infowarrior.org>

Federal IT pros say U.S. at high risk for cyberattack
by Lance Whitney
http://news.cnet.com/8301-1009_3-20002009-83.html?part=rss&subj=news&tag=2547-1_3-0-20

Almost three-quarters of the government IT administrators polled in a new survey believe the U.S. is likely to face a cyberattack from a foreign country in the next year. Key IT decision makers who work in national defense and security were questioned in a new Clarus Research Group survey commissioned by Lumension and released Tuesday. Among those polled for the "Federal Cyber Security Outlook for 2010 Survey," 74 percent expect a cyberattack from foreign shores in the next year. What types of threats and security risks do federal IT professionals fear the most? Among the respondents, 64 percent said they're worried about the growth and sophistication of cyberattacks, while 49 percent expressed concern over negligent or purposely malicious employees or insiders creating trouble. These risks are also heightened by a lack of sufficient resources and coordination: 42 percent said they don't have the budget or staff to properly address security risks, 25 percent noted a lack of integration between security and overall IT operations, and 22 percent said there's no coordination between security and their IT operations. The holes in IT security within the government have already left the door open for attacks. Over the past year, 59 percent of those polled said their agency or department was hit by viruses or malware, 53 percent said that internal notebooks, desktops, and other devices have been stolen, and 50 percent reported the loss of sensitive information due to a negligent employee. The White House, under both President Bush and President Obama, has struggled to try to clean up the nation's weaknesses in cybersecurity. In 2008, the Department of Homeland Security established the National Cyber Security Initiative as an attempt to coordinate national security with the private sector and within the government itself.
This past December, the White House appointed a new cybersecurity chief. Despite these and other efforts by the government, more than half of the IT pros questioned by Clarus Research expect only minor changes as a result. Of those polled, 41 percent said they've spent less than 10 percent of their time in the past year working on the National Cyber Security Initiative. Overall, only 6 percent of those surveyed rated the government's ability to stop or deal with cyberattacks on critical U.S. operations as "excellent," while 42 percent rated it as "only fair" or "poor." Most did express more confidence in their level of IT security today versus a year ago, but mainly due to improvements in technology, better collaboration between IT security and operations, and internal audit requirements. "Unfortunately, when it comes to our infrastructure, we are already under attack and are faced with the reality of a growing and advanced persistent threat from foreign entities that are targeting our critical U.S. infrastructure," Lumension CEO Pat Clawson said in a statement. "The traditional government responses we've seen so far, such as naming a security coordinator, announcing a cyber security initiative, and focusing on compliance initiatives will not alone successfully address this problem." What does the future hold? Those polled expect that the next few years will see growing threats to U.S. critical infrastructure from foreign countries and terrorist groups. In response, Clawson, who has a background in security, offered a few suggestions in a recent blog posting and laid out some specific steps: We must do three things if we are to truly empower and implement a robust national cybersecurity plan. One--we need to have an empowered cyber security czar, with budget and policy authority, reporting directly to the president.
Next--given that 90 percent of our critical infrastructure is owned or managed by private entities, we need a collaborative government and private sector partnership to better understand the risks at hand and to better define IT security standards, practices, and contingency plans in the event of a major attack. And finally--we need to shift from an absolute focus on being compliant with ad-hoc audits for verification, to one of being secure and continuously monitoring our IT environment to ensure that the proper controls are always in effect.

From rforno at infowarrior.org Fri Apr 9 02:30:24 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 8 Apr 2010 22:30:24 -0400 Subject: [Infowarrior] - AMC: A new low for US television.... Message-ID: <9CD808FC-63FF-4517-AB13-48CF6FE23D16@infowarrior.org>

So I am catching the final few minutes of 'Top Gun' on commercial cable channel AMC right now. Question: when did cable networks start placing "perma-ads" on the bottom for upcoming shows? As if the permanent channel bugs weren't bad enough (especially when they're animated), but AMC is placing full-text bugs reading "New Breaking Bad New Episode on DAY$ at TIME$" on the screen *permanently* during the movie. Not periodically, permanently. But that's not enough. They also run QUARTER-PAGE, if not LOWER-THIRD-OF-SCREEN animated previews for "Breaking Bad" every 10 minutes or so during the movie. Am I missing something here? Is it AMC's goal to annoy the fsck out of its viewers? Or did it change its name to the 'Annoying Movie Channel' and forget to inform its viewers of the change? Good thing I have local copies of 'Top Gun' and other movies, where I can enjoy them uncensored, commercial-, and advertisement-free. You know, the way they should be watched. This, of course, reminds me of why I watch so little broadcast/cable television anymore. It's not for amusement or entertainment, but rather advertising. I totally forgot.
:( -rick

From rforno at infowarrior.org Fri Apr 9 12:42:11 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 9 Apr 2010 08:42:11 -0400 Subject: [Infowarrior] - How Visa Predicts Divorce Message-ID: <69A9E41D-98F4-44FE-8BB6-22859AFA2CE9@infowarrior.org>

(c/o JH)

How Visa Predicts Divorce
by Nicholas Ciarelli
http://www.thedailybeast.com/blogs-and-stories/2010-04-06/how-mastercard-predicts-divorce/full/

By scrutinizing your purchases, credit companies try to figure out if your life is about to change -- so they'll know what to sell you. If you ever doubted the power of the credit card companies, consider this: Visa, the world's largest credit card network, can predict how likely you are to get a divorce. There's no consumer-protection legislation for that. Why would Visa care that your marriage is on the rocks? Yale Law School Professor Ian Ayres, who included the Visa example in his book Super Crunchers, says "credit card companies don't really care about divorce in and of itself -- they care whether you're going to pay your card off." And because people who are going through a divorce are more likely to miss payments, your domestic troubles are of great interest to a company that thrives on risk management. Exactly how the credit industry does it -- through sophisticated data-mining techniques -- is a closely guarded secret. (Visa did not return requests for comment.) Predicting people's behavior is becoming big business -- and increasingly feasible in an era defined by accessible information. Data crunching by Canadian Tire, for instance, recently enabled the retailer's credit card business to create psychological profiles of its cardholders that were built upon alarmingly precise correlations.
Their findings: Cardholders who purchased carbon-monoxide detectors, premium birdseed, and felt pads for the bottoms of their chair legs rarely missed a payment. On the other hand, those who bought cheap motor oil and visited a Montreal pool bar called "Sharx" were a higher risk. "If you show us what you buy, we can tell you who you are, maybe even better than you know yourself," a former Canadian Tire exec said. Credit card companies have also used predictive modeling to answer questions such as, has this cardholder recently moved? "There's a whole market out there that has tried to predict whether someone has just moved, and to be first with offers," says Bob Grossman, director of the Laboratory for Advanced Computing at the University of Illinois at Chicago. "Those kinds of things tend to be pretty high value." If a credit card issuer can quickly determine that a cardholder has moved, then the issuer's marketing partners -- a home refurb business, for instance -- can be the first to swoop in. Last year, American Express began offering select cardholders $300 simply to close their accounts and walk away -- individuals who the company clearly felt were too much of a risk to keep on its books. And the factors that go into such a calculation have become considerably more sophisticated than the simple matter of whether cardholders have paid their bills on time. The credit card industry is just an early adopter of a number-crunching game that's increasingly transforming businesses from airlines to gambling. "Thirty years ago, loan officers used to look you in the eye and tell you whether you were the right kind of person to trust for a loan. That was a really inaccurate approach. Just using FICO scores did a much better job," Ayres says. "Credit card companies started using a similar approach in deciding whether to issue and how to price their card. It's getting to be a more nuanced statistical game."
Other industries have bolstered their bottom lines by predicting how consumers will behave, according to Super Crunchers. UPS predicts when customers are at risk of fleeing to one of its competitors, and then tries to prevent the loss with a telephone call from a salesperson. And with its "Total Rewards" card, Harrah's casinos track everything that players win and lose, in real time, and then analyze their demographic information to calculate their "pain point" -- the maximum amount of money they're likely to be willing to lose and still come back to the casino in the future. Players who get too close to their pain point are likely to be offered a free dinner that gets them off the casino floor. The statistical guessing game is also becoming one that consumers can play. For example, the New York-based startup Hunch offers personalized recommendations after users answer a series of questions that give the site a sense of their tastes. Do you live in the suburbs? Do you like bumper cars? Are you more likely to spoon or be spooned? Out of this examination, Hunch generates a "taste profile" for each of its users. Hunch then looks for statistical correlations between the information that all of its users provide, revealing fascinating links between people's seemingly unrelated preferences. For instance, Hunch has revealed that people who enjoy dancing are more apt to want to buy a Mac, that people who like The Count on Sesame Street tend to support legalizing marijuana, that pug owners are often fans of The Shawshank Redemption, and that users who prefer aisle seats on planes "spend more money on other people than themselves." Through "machine learning," the Hunch algorithm is developing a sense of what individuals with a certain taste profile will prefer -- a sense that is being improved with each new user of the Web site.
This knowledge then allows the system to make predictions of what an individual user might like: a movie soundtrack, a cat name, a restaurant in Los Angeles. Kelly Ford, the startup's vice president of marketing, notes that while the credit card companies rely on a small set of inputs to make predictions, Hunch's questions collect "nearly unlimited aspects of who you are and how and what you think." As new sets of data are collected about our lives, that data will contain a new set of predictions about us, waiting to be mined. The question will be how much control we have over that process. At the South by Southwest Interactive conference in March, Sam Altman, chief executive of the mobile social network Loopt, said that by using the available data, Loopt or its competitors could conceivably predict with 90 percent accuracy where an individual will be tomorrow. He said hedge funds have contacted Loopt to try to purchase its data set so that they can forecast how much traffic a particular store will get. The startup declined. It doesn't take much predictive prowess to see that these issues will become major matters of contention in the years to come.

Correction: The headline of this article originally referenced MasterCard, not Visa.

Nicholas Ciarelli is the former publisher of Think Secret, an Apple news Web site. He currently works on the product team at The Daily Beast.

From rforno at infowarrior.org Fri Apr 9 13:16:25 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 9 Apr 2010 09:16:25 -0400 Subject: [Infowarrior] - Congressman Blasts "Useless" Air Marshal Service Message-ID: <50D049A0-E7AE-4E0C-82F8-79F57094B6D6@infowarrior.org>

(c/o DS)

(It's a year old article, but making the rounds this week, so I'll join the herd and send it out as well. -rick)

Duncan Blasts "Useless" Air Marshal Service
June 19, 2009 12:00 PM
http://duncan.house.gov/2009/06/22062009.shtml

Washington, DC -- Mr. DUNCAN: Madam Speaker, probably the most needless, useless agency in the entire Federal Government is the Air Marshal Service. In the Homeland Security Appropriations bill we will take up next week, we will appropriate $860 million for this needless, useless agency. This money is a total waste: $860 million for people to sit on airplanes and simply fly back and forth, back and forth. What a cushy, easy job. And listen to this paragraph from a front-page story in the USA Today last November: "Since 9/11, more than three dozen Federal air marshals have been charged with crimes, and hundreds more have been accused of misconduct. Cases range from drunken driving and domestic violence to aiding a human-trafficking ring and trying to smuggle explosives from Afghanistan." Actually, there have been many more arrests of Federal air marshals than that story reported, quite a few for felony offenses. In fact, more air marshals have been arrested than the number of people arrested by air marshals. We now have approximately 4,000 in the Federal Air Marshals Service, yet they have made an average of just 4.2 arrests a year since 2001. This comes out to an average of about one arrest a year per 1,000 employees. Now, let me make that clear. Their thousands of employees are not making one arrest per year each. They are averaging slightly over four arrests each year by the entire agency. In other words, we are spending approximately $200 million per arrest. Let me repeat that: we are spending approximately $200 million per arrest. Professor Ian Lustick of the University of Pennsylvania wrote last year about the money feeding frenzy of the war on terror. And he wrote this: "Nearly 7 years after September 11, 2001," he wrote this last year, "what accounts for the vast discrepancy between the terrorist threat facing America and the scale of our response? Why, absent any evidence of a serious terror threat, is a war on terror so enormous, so all-encompassing, and still expanding?
The fundamental answer is that al Qaeda's most important accomplishment was not to hijack our planes but to hijack our political system." "For a multitude of politicians, interest groups and professional associations, corporations, media organizations, universities, local and State governments and Federal agency officials, the war on terror is now a major profit center, a funding bonanza, and a set of slogans and sound bites to be inserted into budget, grant, and contract proposals." And finally, Professor Lustick wrote: "For the country as a whole, however, it has become a maelstrom of waste." And there is no agency for which those words are more applicable than the Federal Air Marshal Service. In case anyone is wondering, the Air Marshal Service has done nothing to me, and I know none of its employees. But I do know with absolute certainty that this $860 million we are about to give them could be better spent on thousands of other things. As far as I'm concerned, it is just money going down a drain for the little good it will do. When we are so many trillions of dollars in debt, a national debt of over $13 trillion, we simply cannot afford to waste money in this way.

From rforno at infowarrior.org Fri Apr 9 13:54:05 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 9 Apr 2010 09:54:05 -0400 Subject: [Infowarrior] - Big Banks Mask Risk Levels Message-ID:

(I'm reminded of the Captain Kirk response to Spock, asking him to negotiate a treaty with the Klingons: "But you can't TRUST them!" ---rick)

Big Banks Mask Risk Levels
Quarter-End Loan Figures Sit 42% Below Peak, Then Rise as New Period Progresses; SEC Review
By KATE KELLY, TOM MCGINTY and DAN FITZPATRICK
http://online.wsj.com/article/SB10001424052702304830104575172280848939898.html

Major banks have masked their risk levels in the past five quarters by temporarily lowering their debt just before reporting it to the public, according to data from the Federal Reserve Bank of New York.
A group of 18 banks -- which includes Goldman Sachs Group Inc., Morgan Stanley, J.P. Morgan Chase & Co., Bank of America Corp. and Citigroup Inc. -- understated the debt levels used to fund securities trades by lowering them an average of 42% at the end of each of the past five quarterly periods, the data show. The banks, which publicly release debt data each quarter, then boosted the debt levels in the middle of successive quarters. Excessive borrowing by banks was one of the major causes of the financial crisis, leading to catastrophic bank runs in 2008 at firms including Bear Stearns Cos. and Lehman Brothers. Since then, banks have become more sensitive about showing high levels of debt and risk, worried that their stocks and credit ratings could be punished. That practice, while legal, can give investors a skewed impression of the level of risk that financial firms are taking the vast majority of the time. "You want your leverage to look better at quarter-end than it actually was during the quarter, to suggest that you're taking less risk," says William Tanona, a former Goldman analyst who now heads U.S. financials research at Collins Stewart, a U.K. investment bank. Though some banks privately confirm that they temporarily reduce their borrowings at quarter's end, representatives at Goldman, Morgan Stanley, J.P. Morgan and Citigroup declined to comment specifically on the New York Fed data. Some noted that their firm's financial filings include language saying borrowing levels can fluctuate during the quarter. "The efforts to manage the size of our balance sheet are appropriate and our policies are consistent with all applicable accounting and legal requirements," a Bank of America spokesman said.
[Graphic: Masking Risk -- the net borrowing of securities such as U.S. Treasurys or corporate bonds pledged as collateral on the repo market.]

An official at the Federal Reserve Board noted that the Fed continuously monitors asset levels at the large bank-holding companies, but the financing activities captured in the New York Fed's data fall under the purview of the Securities and Exchange Commission, which regulates brokerage firms. The New York Fed declined to comment. The data highlight the banks' levels of short-term financing in the repurchase, or "repo," market. Financial firms use cash from the loans to buy securities, then use the purchased securities as collateral for other loans, and buy more securities. The loans boost the firms' trading power, or "leverage," allowing them to make big trades without putting up big money. This amplifies gains -- and losses, which were disastrous in 2008. According to the data, the banks' outstanding net repo borrowings at the end of each of the past five quarters were on average 42% below their peak in net borrowings in the same quarters. Though the repo market represents just a slice of banks' overall activities, it provides a window into the risks that financial institutions take to trade. The SEC now is seeking detailed information from nearly two dozen large financial firms about repos, signaling that the agency is looking for accounting techniques that could hide a firm's risk-taking. The SEC's inquiry follows recent disclosures that Lehman used repos to mask some $50 billion in debt before it collapsed in 2008. The practice of reducing quarter-end repo borrowings has occurred periodically for years, according to the data, which go back to 2001, but never as consistently as in 2009. The repo market played a role in recent accusations leveled by an examiner in Lehman's bankruptcy case. But rather than reducing quarter-end debt, Lehman took steps to hide it.
Anxious to maintain favorable credit ratings, Lehman engaged in an accounting device known within the firm as "Repo 105" to essentially park about $50 billion of assets away from Lehman's balance sheet, according to the examiner. The move helped Lehman look like it had less debt on its books, the examiner said. Other Wall Street firms, including Goldman and Morgan Stanley, have denied characterizing their short-term borrowings as sales, the way Lehman did in employing Repo 105. Both of those firms also make standard disclaimers about debt. For instance, Goldman disclosed in its 2009 annual report that although its balance sheet can "fluctuate," asset levels at the ends of quarters are "typically not materially different" from their levels in the midst of the quarter. Total assets at the end of 2009 were 7% lower than average assets during the year, the report states. Some banks make big trades that don't show up in quarter-end balance sheets. That is what happened recently at Bank of America involving a trade designed to mature before the end of 2009's first quarter, people familiar with the matter say. Two Bank of America traders bought $40 billion of mortgage-backed securities from clients for one month, while at the same time agreeing to sell the securities back before quarter's end, according to people familiar with the matter. This "roll" trade provided the clients with cash and the bank with fees. Robert Qutub, then Bank of America's chief financial officer for global markets, told Michael Nierenberg, a former Bear Stearns trader who oversaw the traders who made the roll trade, to cap the size of the short-term transaction, people familiar with the matter say. A week later, however, the amount tied to the trade shot up to $60 billion, these people say, before dropping to $25 billion, one of these people said, appearing to some at headquarters that the group had defied the order to cap the trade. 
A bank spokeswoman said "the team was aware of and worked within its risk limits." Write to Kate Kelly at kate.kelly at wsj.com, Tom McGinty at tom.mcginty at wsj.com and Dan Fitzpatrick at dan.fitzpatrick at wsj.com

From rforno at infowarrior.org Fri Apr 9 14:47:10 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 9 Apr 2010 10:47:10 -0400 Subject: [Infowarrior] - good read: Dan Gilmor on iPad-Journalism Objectivity Message-ID: <00363585-479F-4424-922A-E557772C8FBF@infowarrior.org>

IMHO such questions about conflict of interest are a VERY worrisome prospect, not just for the Times, but for any content provider in a future of such iPad-ish Walled Gardens:

"That's only one issue I raised with the Times' spokesman. Here's another, which I've also raised with Nisenholtz and people at the Wall Street Journal and USA Today: Does Apple, which maintains control over what iPad apps are made available, have the unilateral right to remove these journalism organizations' news apps if the apps deliver information to audiences that Apple considers unacceptable for any reason?"

Dan's entire posting is worth reading:

Complicating Relationships in Media: Apple, NY Times Dealings Raise Questions
http://mediactive.com/2010/04/08/complicating-relationships-in-media-apple-ny-times-dealings-raise-questions/

From rforno at infowarrior.org Fri Apr 9 18:10:29 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 9 Apr 2010 14:10:29 -0400 Subject: [Infowarrior] - Felten: iPad: The Disneyland of Computers Message-ID:

(Building on Gilmor's posting from earlier this morning, here's Ed Felten's take... -rick)

iPad: The Disneyland of Computers
By Ed Felten - Posted on April 8th, 2010 at 8:06 am
http://www.freedom-to-tinker.com/blog/felten/ipad-disneyland-computers

Tech commentators have a love/hate relationship with Apple's new iPad. Those who try it tend to like it, but many dislike its locked-down App Store which only allows Apple-approved apps.
Some people even see the iPad as the dawn of a new relationship between people and computers. To me, the iPad is Disneyland. I like Disneyland. It's clean, safe, and efficient. There are lots of entertaining things to do. Kids can drive cars; adults can wear goofy hats with impunity. There's a parade every afternoon, and an underground medical center in case you get sick. All of this is possible because of central planning. Every restaurant and store on Disneyland's Main Street is approved in advance by Disney. Every employee is vetted by Disney. Disneyland wouldn't be Disneyland without central planning. I like to visit Disneyland, but I wouldn't want to live there. There's a reason the restaurants in Disneyland are bland and stodgy. It's not just that centralized decision processes like Disney's have trouble coping with creative, nimble, and edgy ideas. It's also that customers know who's in charge, so any bad dining experience will be blamed on Disney, making Disney wary of culinary innovation. In Disneyland the trains run on time, but they take you to a station just like the one you left. I like living in a place where anybody can open a restaurant or store. I like living in a place where anybody can open a bookstore and sell whatever books they want. Here in New Jersey, the trains don't always run on time, but they take you to lots of interesting places. The richness of our cultural opportunities, and the creative dynamism of our economy, are only possible because of a lack of central planning. Even the best central planning process couldn't hope to keep up with the flow of new ideas. The same is true of Apple's app store bureaucracy: there's no way it can keep up with the flow of new ideas -- no way it can offer the scope and variety of apps that a less controlled environment can provide. And like the restaurants of Disneyland, the apps in Apple's store will be blander because customers will blame the central planner for anything offensive they might say. 
But there's a bigger problem with the argument offered by central planning fanboys. To see what it is, we need to look more carefully at why Disneyland succeeded when so many centrally planned economies failed so dismally. What makes Disneyland different is that it is an island of central planning, embedded in a free society. This means that Disneyland can seek its suppliers, employees, and customers in a free economy, even while it centrally plans its internal operations. This can work well, as long as Disneyland doesn't get too big -- as long as it doesn't try to absorb the free society around it. The same is true of Apple and the iPad. The whole iPad ecosystem, from the hardware to Apple's software to the third-party app software, is only possible because of the robust free-market structures that create and organize knowledge, and mobilize workers, in the technology industry. If Apple somehow managed to absorb the tech industry into its centrally planned model, the result would be akin to Disneyland absorbing all of America. That would be enough to frighten even the most rabid fanboy, but fortunately it's not at all likely. The iPad, like Disneyland, will continue to be an island of central planning in a sea of decentralized innovation. So, iPad users, enjoy your trip to Disneyland. I understand why you're going there, and I might go there one day myself. But don't forget: there's a big exciting world outside, and you don't want to miss it.

From rforno at infowarrior.org Fri Apr 9 23:23:03 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 9 Apr 2010 19:23:03 -0400 Subject: [Infowarrior] - Adobe: "Go Screw Yourself Apple" Message-ID:

Adobe: "Go Screw Yourself Apple"

The claws are out. Adobe's Platform Evangelist, Lee Brimelow retaliated today against Apple blocking Flash developers on the iPhone with a post on his Flash Blog.
Brimelow holds little back, lambasting the company for trying to exert a "tyrannical control over developers... more importantly, wanting to use developers as pawns in their crusade against Adobe." He says any real developer could not support Apple's moves in "good conscience." < - > http://techcrunch.com/2010/04/09/adobe-go-screw-yourself-apple-2/ From rforno at infowarrior.org Mon Apr 12 01:50:34 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 11 Apr 2010 21:50:34 -0400 Subject: [Infowarrior] - Facebook under privacy microscope Message-ID: <0865D4EF-0889-4B02-BEF7-FF876312EF78@infowarrior.org> Facebook under privacy microscope By David Gelles in San Francisco Published: April 11 2010 19:17 | Last updated: April 11 2010 19:17 http://www.ft.com/cms/s/0/a807eaf6-4593-11df-9e46-00144feab49a.html Regulators globally are grappling with a conundrum: how to contend with the rise of an internet phenomenon that five years ago did not exist? Facebook, founded in a Harvard dorm room just five years ago, now boasts 400m users and is the world's largest social networking site. But its meteoric rise has also brought with it an increase in scrutiny from regulators and privacy advocates, who are questioning the direction in which such sites are heading. Social networking sites by definition have courted controversy over their privacy policies, including Google's YouTube and Buzz, but it seems that Facebook has been the one to stick its neck out. In December, it implemented changes that made most of its users' personal information public by default. Last month, Facebook unveiled plans to share user information automatically with some third-party websites. "Facebook is just stuck under the privacy microscope," says Marc Rotenberg, president of the Electronic Privacy Information Centre. "There's almost nothing the company does at this point that doesn't raise some privacy concerns. That has not escaped the attention of regulators in both Europe and the US." 
Yet so far, lawmakers have stopped short of introducing legislation that would directly target Facebook. For as much as Facebook is pushing the envelope by making more information public by default, it is also taking great pains to put users in control of their own information. For example, when Facebook users post a new piece of content, they can decide whether to share that with an individual, a group or the entire web. Facebook's motives are not hard to grasp. By making more personal information publicly accessible, it is improving its ability to target users with highly-specified adverts. "They are pushing the envelope because it is in their financial best interest to do so," says Augie Ray, an analyst with Forrester Research. However, Facebook -- and the rest of the social networking industry -- is facing the prospect of increased regulation in Europe and the US, its biggest markets. Facebook has already faced questions from German and Swiss regulators over its practice of allowing users to upload pictures and information about other people without their explicit permission. Regulators say that uploading snapshots of friends may be illegal under the two countries' stringent privacy laws. Regulators say Facebook may be forced to contact the individuals to ask if they consent. Australia, too, is considering such measures. Meanwhile, Brussels has made it clear that privacy will be one of the key issues it will tackle. Viviane Reding, the EU's information society commissioner, has warned social networking sites that she will not hesitate to intervene with legislation if they do not work harder to keep the profiles of minors private. In response to the threat of increased regulation, Facebook has beefed up its lobbying presence in Europe with new staff in France and Germany. This should help it deal with an expected increase in the volume of inquiries from country watchdogs and Brussels. 
Meanwhile, in the US, Facebook and other social networking sites are also under scrutiny. The Federal Trade Commission recently concluded a series of "privacy roundtables" designed to examine how new technologies were blurring the lines between private and public information. During one, commissioner Pamela Jones Harbour criticised social networking sites for not doing enough to protect their users. "Protecting consumer privacy is of utmost importance," she said. "Unfortunately, many of the companies that consumers look to as leaders, and that we expect to be leaders, still have not taken this message entirely to heart." Last year, EPIC filed a complaint about Facebook to the FTC, citing its December changes as an example of overreach. What is more, EPIC seems to have Washington's ear. Responding to the complaint, David Vladeck, head of the FTC's bureau of consumer protection, said the complaint raised "issues of particular interest for us at this time". Facebook has already been forced to take action in Canada. Regulators last year found it in violation of privacy laws and said it would be taken to court if it did not change. Months later, Facebook unveiled changes that addressed the regulators' concerns. Richard Allen, Facebook's European director of public policy, says he is worried new laws could inhibit the development of new technologies during a time of rapid transition, while providing little new protection to the users. "Over-detailed regulation could become outdated very quickly and may not achieve the goals of the regulators," says Mr Allen. "The price you pay is a price of innovation." Meanwhile, Tim Sparapani, Facebook's director of public policy in Washington, said that, in spite of the concerns of regulators, there is little to suggest Facebook is causing havoc by allowing people to share information online. "There seems to be a real disconnect between the regulators and the people," he said. "People are embracing these social technologies. 
They are embracing sharing with one another. The explosive growth of Facebook is proof of that." Instead of imposing laws to prescribe what Facebook should or should not do, Mr Sparapani said lawmakers should leave the control of personal information in the hands of the users. Additional reporting by Maija Palmer Copyright The Financial Times Limited 2010. You may share using our article tools. Please don't cut articles from FT.com and redistribute by email or post to the web. From rforno at infowarrior.org Mon Apr 12 17:12:28 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Apr 2010 13:12:28 -0400 Subject: [Infowarrior] - 6/8 DC Debate: Cyberwar Exaggeration Message-ID: <71F0F615-708F-4D87-9DD8-5354E6D7D768@infowarrior.org> (tickets are $45) Upcoming Debate on Whether "The Cyber War Threat Has Been Grossly Exaggerated" This was written by Michael Cheek on Monday, April 12, 2010, 12:04. Intelligence Squared U.S. will be coming to Washington, DC on June 8, 2010 to host a live debate that will discuss the proposition that "The Cyber War Threat Has Been Grossly Exaggerated." The event will be hosted at the Newseum and will feature Mike McConnell, former DNI and presently SVP at Booz Allen, Marc Rotenberg, executive director of the Electronic Privacy Information Center, Bruce Schneier, a security author and John Zittrain, professor at Harvard Law School. The four experts will face off against one another with McConnell and Zittrain arguing against the thesis and Schneier and Rotenberg arguing for it. The audience will provide questions to the panel and will also determine the winner at the end of the debate. http://www.thenewnewinternet.com/2010/04/12/upcoming-debate-on-the-cyber-war-threat-has-been-grossly-exaggerated/ THE CYBER WAR THREAT HAS BEEN GROSSLY EXAGGERATED Tuesday, June 8th 2010 Pre-Debate Reception: 6:30pm Debate: 7:30pm - 
9:15pm Newseum 555 Pennsylvania Avenue Northwest Washington, DC 20001 https://app.etapestry.com/hosted/IntelligenceSquared/OnlineRegistration.html From rforno at infowarrior.org Mon Apr 12 18:15:48 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Apr 2010 14:15:48 -0400 Subject: [Infowarrior] - Makeup to 'jam' facial recognition Message-ID: <8471A03F-829F-4500-9DB0-1B24FCC7CA05@infowarrior.org> A student's academic research..... CV Dazzle Makeup http://ahprojects.com/c/itp/thesis From rforno at infowarrior.org Mon Apr 12 18:23:51 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Apr 2010 14:23:51 -0400 Subject: [Infowarrior] - Parliament of Hypocrites Message-ID: <19B79D7E-E7C3-418D-9FF8-A49152F94CAA@infowarrior.org> Parliament of Hypocrites - UK's digital privacy double-standard http://citinq.3cdn.net/f2212547825312fbd1_1rm6i2xjk.pdf From rforno at infowarrior.org Mon Apr 12 18:30:29 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Apr 2010 14:30:29 -0400 Subject: [Infowarrior] - RFI: PGP 10 on OSX Message-ID: Anyone here using PGP 10 on OSX 10.6? Any issues/comments to report? (And no, don't tell me to use GPG.....) From rforno at infowarrior.org Mon Apr 12 18:42:30 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Apr 2010 14:42:30 -0400 Subject: [Infowarrior] - U.S.: No ACTA Transparency Unless Other Countries Cave on Substance Message-ID: <3A929459-69F4-4539-BFCB-92FC5DAF26B4@infowarrior.org> U.S.: No ACTA Transparency Unless Other Countries Cave on Substance Monday April 12, 2010 http://www.michaelgeist.ca/content/view/4949/125/ The U.S. Trade Representative issued a release just prior to the launch of the New Zealand round of ACTA negotiations that has left no doubt that the U.S. is the biggest barrier to official release of the ACTA text. 
The full text of the release is couched in terms of improving transparency, but is really a thinly-veiled shot at the European Union's public demands for release of the text. The U.S. statement: "In this upcoming round of ACTA negotiations, the U.S. delegation will be working with other delegations to resolve some fundamental issues, such as the scope of the intellectual property rights that are the focus of this agreement. Progress is necessary so that we can prepare to release a text that will provide meaningful information to the public and be a basis for productive dialogue. We hope that enough progress is made in New Zealand in clearing brackets from the text so that participants can be in a position to reach a consensus on sharing a meaningful text with the public." Note what the U.S. is actually saying - resolving scope of the treaty (the E.U. is seeking a broader scope that includes patents) and removing square brackets (the sources of disagreement) is needed to reach consensus on sharing text with the public. Yet there is no reason to link ACTA transparency with the substance of the treaty. The text of the treaty can be released without regard for the level of agreement on substantive issues. Yet unlike most other ACTA countries that have called for transparency without condition, the U.S. has set conditions that effectively seek to trade its willingness to release the text for gains on the substance of the text. The only thing needed to reach consensus on sharing the text with the public is for the U.S. to give the go-ahead. This statement indicates they will only do so for a price. 
From rforno at infowarrior.org Mon Apr 12 23:14:28 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Apr 2010 19:14:28 -0400 Subject: [Infowarrior] - Legislation proposes Ambassador for Cyberspace Message-ID: <38B0035B-AB93-4DAC-8C67-3BB6080F97FF@infowarrior.org> Our Ambassador to Cyberspace Legislation would open diplomatic relations -- in cyberspace http://fcw.com/articles/2010/04/12/cyber-ambassador-bill-041210.aspx Measure responds to growing calls for international coordination - By William Jackson - Apr 12, 2010 In an effort to address what he calls an uncoordinated and fragmented diplomatic approach to international cybersecurity issues, Sen. John Kerry (D-Mass.), chairman of the Senate Foreign Relations Committee, today announced plans to introduce a bill that would establish the position of ambassador at large to coordinate U.S. cyberspace issues. The State Department's coordinator for cyberspace and cybersecurity issues would be the principal adviser to the secretary of state in this arena and provide strategic direction for U.S. international policy. He also would coordinate policy with U.S. agencies, including the Homeland Security, Defense, Treasury, Justice and Commerce departments, as well as with the intelligence community and the private sector. The bill also would direct the secretary of state to designate a point person for cybersecurity policy in every relevant country or region. The International Cyberspace and Cybersecurity Coordination Act of 2010 would address calls from government officials including Secretary of State Hillary Clinton, National Intelligence Director Dennis Blair and President Barack Obama for a coordinated international approach to cybersecurity and cyberspace issues. 
The bill text quotes the May 2009 White House Cyberspace Policy Review, which stated: "The nation also needs a strategy for cybersecurity designed to shape the international environment and bring like-minded nations together on a host of issues, such as technical standards and acceptable legal norms regarding territorial jurisdiction, sovereign responsibility, and use of force. International norms are critical to establishing a secure and thriving digital infrastructure." Cybersecurity is inherently an international issue because of the lack of borders or national control on the Internet. This has made securing an infrastructure on which the global economy is increasingly dependent more difficult, and a lack of international cooperation has complicated law enforcement efforts against online criminals, who can operate in one country and use resources in a second country to attack targets in a third country. In addition to addressing law enforcement issues, concerns also are growing about the offensive and defensive cyber war capabilities being developed by many nation states. "The international community should strongly consider the utility of negotiating a multilateral framework on cyber warfare that would create shared norms for cyber conduct," the bill says. The bill says that U.S. diplomatic engagement on these issues has been uncoordinated and fragmented and that there is no general framework among countries for addressing them. Under the bill's provisions, the secretary of state, in consultation with other relevant federal agencies, would develop and establish a "clear and coordinated strategy for international cyberspace and cybersecurity engagement." This would be the job of the cyberspace coordinator, who would "provide strategic direction and coordination for United States government policy and programs aimed at addressing and responding to cyberspace and cybersecurity issues overseas." 
About the Author William Jackson is a senior writer for GCN and the author of the CyberEye column. From rforno at infowarrior.org Mon Apr 12 23:30:19 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Apr 2010 19:30:19 -0400 Subject: [Infowarrior] - Disney Thinks Photographers Are Terrorists Message-ID: <578F0322-FF8D-46E1-ACF0-679678E7C31F@infowarrior.org> (c/ AJM) Mickey Mouse Security. Literally. http://williambeem.com/?p=330 From rforno at infowarrior.org Tue Apr 13 01:39:21 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Apr 2010 21:39:21 -0400 Subject: [Infowarrior] - TSA Concedes Body Scanners Store and Record Images Message-ID: <66DC9D12-089A-4292-9F96-1F46179EB509@infowarrior.org> Again, they're asking the public to "just trust us" --- right??? -rick TSA Concedes Body Scanners Store and Record Images In response to a Congressional inquiry, led by Congressman Bennie Thompson, the Transportation Security Agency acknowledged that images on body scanner machines would be recorded for "testing, training, and evaluation purposes." The TSA also did not dispute that test mode could be activated in airports, but said this "would" not happen. As part of an ongoing lawsuit, EPIC had previously obtained TSA documents describing the machines' capabilities to store and transmit detailed images of travelers' naked bodies. For more information, see EPIC: Whole Body Imaging Technology. 
http://epic.org/2010/04/tsa-concedes-body-scanners-sto.html From rforno at infowarrior.org Tue Apr 13 02:33:46 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Apr 2010 22:33:46 -0400 Subject: [Infowarrior] - GAO doubts Hollywood piracy claims Message-ID: <8E6725A5-E0AE-4EF3-9985-A783555FE0FF@infowarrior.org> Feds raise questions about big media's piracy claims by Greg Sandoval http://news.cnet.com/8301-31001_3-20002304-261.html After spending a year studying how piracy and illegal counterfeiting affect the United States, the Government Accountability Office says it still doesn't know for sure. Congress tasked the GAO in April 2009 with reviewing the efforts to quantify the size and scope of piracy, including the impacts of Web piracy to the film and music industries. In a 32-page report issued Monday, the GAO said that most of the published information, anecdotal evidence and records show that piracy is a drag on the U.S. economy, tax revenue and in some cases potentially threatens national security and public health. But the problem is, according to the GAO, the data used to quantify piracy isn't reliable. "Three widely cited U.S. government estimates of economic losses resulting from counterfeiting cannot be substantiated due to the absence of underlying studies," the GAO said in its 32-page report. "Each method (of measuring) has limitations, and most experts observed that it is difficult, if not impossible, to quantify the economy-wide impacts." In what appears to be a setback for Hollywood and the recording industry, the government said that it sees problems with the methodology used in studies those sectors have long relied on to support claims that piracy was destructive to their businesses. 
The accountability office even noted the existence of data that shows piracy may benefit consumers in some cases. "Some experts we interviewed and literature we reviewed identified potential positive economic effects of counterfeiting and piracy," the GAO wrote. "Some consumers may knowingly purchase a counterfeit or pirated product because it is less expensive than the genuine good or because the genuine good is unavailable, and they may experience positive effects from such purchases." To be sure, the GAO found evidence that piracy is large and harmful. But if leaders of the media world were hoping for a government document that proved their many claims that piracy and counterfeiting cost it billions every year and cost the U.S. economy jobs and revenue, then they will be disappointed because this report wasn't that document. The GAO did not say assertions by media companies were wrong, but it did point out what it considered were weaknesses with how they measured piracy's impacts. At the very least, the GAO report hands anti-copyright proponents some valuable ammo in their long-running debate with the entertainment sector over file sharing. "The GAO study confirms that piracy of all sorts is rampant," said a spokesman for the Motion Picture Association of America (MPAA). "Getting a firm handle on the problem in terms of dollar estimates is complicated." The GAO is not known for being some radical, free-content group. It is the audit and investigative arm of Congress, once known as the General Accounting Office. Lawmakers are seeking ways to strengthen efforts to protect intellectual property and in 2008 they tasked the GAO with conducting the study. The review went far beyond digital music, movies and software. 
Among the sectors the GAO reviewed were toys, clothing, automobile parts and medicine. The GAO said it examined "research on the effects of counterfeiting and piracy on consumers, industries, government, and the U.S. economy." The organization also wanted to learn about efforts to quantify piracy. In the past year, the GAO said that it found most of the "information and views" on the subject focused on the negative effects of piracy. "Americans are the world's leading innovators, and our ideas and intellectual property are a key ingredient to our competitiveness and prosperity," the GAO wrote. "Negative effects on U.S. industry (from piracy) may include lost sales, lost brand value, and reduced incentives to innovate. However, industry effects vary widely among sectors and companies. The U.S. government may lose tax revenue, incur (intellectual property) enforcement expenses, and face risks of counterfeits entering supply chains with national security or civilian safety implications. "The U.S. economy as a whole," the report continued, "may grow more slowly because of reduced innovation and loss of trade revenue." Some media outlets have reported that counterfeit goods can be traced to organized crime and groups that support terrorism. Consumers may face danger when counterfeit and unsafe toys and medicine enter the marketplace. Fake airplane parts have also been discovered in the aviation industry, according to the GAO's report. The GAO said that most of the experts and literature available concluded that piracy caused more harm than good, but after stating this, the GAO waded into a long explanation of why the problem of measuring piracy's impacts with any degree of accuracy may be impossible. One example of this is how experts disagree over the potential impacts of piracy on jobs. 
One leader in the field told the GAO that piracy kills jobs while another said "any effects are unclear," because job loss in one sector may result in a "rise in other industries as workers are hired to produce counterfeits." When it came to previous studies or surveys on piracy, the GAO noted that it had questions and concerns with data produced by both the film and music industries to support financial loss claims. Jonathan Lamy, a spokesman for the Recording Industry Association of America, said he hadn't read the report and didn't know what studies the GAO referred to but said plenty of studies have reached the same conclusion. "There's no doubt that the music industry has declined significantly over the last 10 years," Lamy said. "Countless studies have blamed this on the fact that millions of people have been getting their music for free online. That has translated to thousands of lost jobs in the industry and that's undeniable." What Congress plans to do with this report is unclear. Greg Sandoval covers media and digital entertainment for CNET News. He is a former reporter for The Washington Post and the Los Angeles Times. E-mail Greg, or follow him on Twitter at http://twitter.com/sandoCNET. From rforno at infowarrior.org Tue Apr 13 12:06:54 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 13 Apr 2010 08:06:54 -0400 Subject: [Infowarrior] - Twitter's Ad Strategy Message-ID: <29CD6B6A-E95C-406D-82FF-2B309C5248BE@infowarrior.org> (This will be an interesting case study --- not sure how I feel about having a company 'inject themselves' into a communications stream. It's a bit more invasive than banner ads, per se......and the idea of being able to troll conversations, identify negative comments, and then tailor positive ads at those users is creepy. Interesting influence operation potential, though. 
-rick) Twitter Unveils Plans to Draw Money From Ads By CLAIRE CAIN MILLER Published: April 12, 2010 http://www.nytimes.com/2010/04/13/technology/internet/13twitter.html?hp Twitter will unveil on Tuesday a much-anticipated plan for making money from advertising, finally answering the question of how the company expects to turn its exponential growth into revenue. Kim White/Bloomberg News The advertising program, which Twitter calls Promoted Tweets, will show up when Twitter users search for keywords that the advertisers have bought to link to their ads. Later, Twitter plans to show promoted posts in the stream of Twitter posts, based on how relevant they might be to a particular user. Several companies will run ads, including Best Buy, Virgin America, Starbucks and Bravo. "The idea behind Promoted Tweets is that we want to enhance the communications that companies are already having with customers on Twitter," said Dick Costolo, Twitter's chief operating officer. Since Twitter started in 2007, its growth has resembled a hockey stick, increasing almost in a vertical line. According to comScore, Twitter.com had 22.3 million unique visitors in March, up from 524,000 a year ago, and that does not include the millions more who use the service through third-party smartphone and Web applications like TweetDeck or Tweetie. Yet Twitter has been slow to monetize those users. Its founders, Evan Williams and Biz Stone, have said that it is following Google's path -- building a service that many people use, then figuring out how to make money. Though Twitter already has some revenue from deals to license its stream of posts to Google, Microsoft and Yahoo, Twitter's announcement is the first significant step toward a business model. The ads will let businesses insert themselves into the stream of real-time conversation on Twitter to ensure their posts do not get buried in the flow. Starbucks, for instance, often publishes Twitter posts about its promotions, like free pastries. 
But the messages quickly get lost in the thousands of posts from users who happen to mention meeting at Starbucks. "When people are searching on Starbucks, what we really want to show them is that something is happening at Starbucks right now, and Promoted Tweets will give us a chance to do that," said Chris Bruzzo, vice president of brand, content and online at Starbucks. When a Twitter user searches for a word an advertiser bought, the promoted message will show up at the top of the results, even if it was written much earlier. The posts say they are promoted by the company in small type, and when someone rolls over a promoted post with a cursor, it turns yellow. The ads will also be a way for companies to enter the conversation when it turns negative. Several companies have created tools to measure sentiment on Twitter, but until now, businesses can do little with that information. Even if they write a post in response, it also quickly gets lost in a sea of complaints. Companies will "be able to increase awareness in that instance when the iron is most malleable," said Anamitra Banerji, who manages commercial products at Twitter. If a new movie is getting negative reaction, the studio could use the ads to link to a positive review, for example. Businesses have been eager to wade into conversations on social media, said Bernardo Huberman, senior fellow and director of the social computing lab at Hewlett-Packard's research and development arm and co-author of a recent study that found that chatter on Twitter can forecast box-office revenue for movies. But he is not convinced that it can change people's opinions. Studios have already been writing Twitter posts about new movies. "Our study shows that the influence of those tweets was minimal compared to the conversation that people were having about those movies," he said. "Media like Twitter and Facebook are so enormous that it's very hard to imagine it would be easy to manipulate the conversation." 
Twitter will measure what it calls resonance, which takes into account nine factors, including the number of people who saw the post, the number of people who replied to it or passed it on to their followers, and the number of people who clicked on links. If a post does not reach a certain resonance score, Twitter will no longer show it as a promoted post. That means that the company will not have to pay for it, and users will not see ads they do not find useful, Mr. Costolo said. At first, companies will pay per thousand people who see promoted posts. Once Twitter figures out how people interact with the posts, it will figure out alternate ways to charge advertisers. In the next phase of Twitter's revenue plan, it will show promoted posts in a user's Twitter stream, even if a user did not perform a search and does not follow the advertiser. For example, if someone has been following people who write about travel, they could see a promoted post from Virgin America on holiday fare discounts. Anyone who uses Google has grown accustomed to seeing ads alongside their search results, but Twitter users could resent seeing promoted posts in their personal content stream. Twitter is aware of that risk. It is still figuring out how to determine which promoted posts should appear. It could be based on topics they are writing about, geographic location or shared interests of people they follow. "One of the reasons we're not rolling that out right now is because we only want to show tweets that help the user experience," Mr. Costolo said. Once Twitter figures out how to measure the number of people who read posts other than on Twitter.com, it will also allow third-party developers to show ads and share revenue. Early on, Twitter's founders said they wanted to avoid showing ads as other social networks do, displayed on the right side of the page. The new ad platform is different, Mr. Costolo said, because the promoted posts also exist in the organic Twitter stream. 
"The ability of companies to engage with customers around this interest graph is more compelling than trying to wedge yourself into these social interactions," he said. From rforno at infowarrior.org Tue Apr 13 13:07:44 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 13 Apr 2010 09:07:44 -0400 Subject: [Infowarrior] - Web spy software hacks into secretive online forums Message-ID: http://www.newscientist.com/article/mg20627555.700-web-spy-software-hacks-into-secretive-online-forums.html Web spy software hacks into secretive online forums 13 April 2010 by Shehryar Mufti, Magazine issue 2755. THE dark corners of cyberspace are being illuminated by indexing software that can reach into secretive websites that are normally inaccessible to search engines. This could allow search engines to cover online forums lurking within the "dark web", and provide insights into what is being said by groups who would rather keep their conversations secret. Conventional search engines use programs called spiders or web crawlers that scuttle around the internet and index what they find. However, many websites are protected by security restrictions that fend off such software. Screening out all traffic from IP addresses belonging to well-known search engines is one way to do this. The dark web can provide a haven for extremist groups to exchange ideas, says Hsinchun Chen, director of the artificial intelligence laboratory at the University of Arizona in Tucson. So Chen and his team devised software to access and index protected online forums (Journal of the American Society for Information Science and Technology, DOI: 10.1002/asi.21323). One of the tricks deployed by Chen's software is to regularly change the apparent IP address of the computer on which it is running. 
The software also disguises its indexing activity by making it look like the traffic generated by users browsing the forum. What's more, it can attempt to sign up for membership on forums that require registration, though it has to seek help from Chen's team if unusual information is asked for. To help it index text in languages other than English it uses Google Translate, Google's online translation engine. The software disguises its indexing activity to look like traffic generated by users browsing the forum Unlike a regular web crawler, Chen's software looks only at sites he has specified. It has compiled data on 29 restricted forums, containing about 13 million messages in total. On one forum, it took just 39 minutes to index 29,016 posts made over a six-week period. Chen's team is now analysing the conversations on these forums to build an overview of the links between participants. He suggests this may be useful in identifying prominent members. The impressive thing about Chen's forum crawler is the way it combines human guidance and automated web searches to catalogue dark web forums, says Denis Roy, a spokesman for Yahoo. "The name of the game," he says, is to "find the right blend of the least possible number of humans and machines" to perform this indexing of restricted websites efficiently. 
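The behaviours the article attributes to Chen's crawler (a registered account that pulls thousands of posts in minutes while its apparent IP address keeps changing) are also the behaviours a forum operator can look for in its own access log. The heuristic below is an added example written for this digest; it is not code from the article, from Chen's team or from any forum package, and its log format, account names, IP addresses, thresholds and sample lines are all constructed for the example.

```python
"""Defender-side heuristic: flag forum accounts whose traffic looks like an
indexing crawler rather than a person reading threads.

Two signals, both observable in a forum's own access log, are scored per
account over a sliding time window:
  1. page requests far above a human reading pace, and
  2. the number of distinct client IPs one logged-in account uses.
Log format, thresholds and SAMPLE_LOG are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <account> <client_ip> <path>".
# "alice" reads at a human pace from one address, "bob" switches network once
# mid-session, "indexer" sweeps threads every few seconds from rotating IPs.
SAMPLE_LOG = """\
2010-04-13T09:00:00 alice 203.0.113.10 /forum/thread/101
2010-04-13T09:04:30 alice 203.0.113.10 /forum/thread/102
2010-04-13T09:09:10 alice 203.0.113.10 /forum/thread/103
2010-04-13T09:10:00 bob 198.51.100.40 /forum/thread/200
2010-04-13T09:10:40 bob 192.0.2.77 /forum/thread/200
2010-04-13T09:15:00 bob 192.0.2.77 /forum/thread/201
2010-04-13T09:00:00 indexer 198.51.100.1 /forum/thread/1
2010-04-13T09:00:03 indexer 198.51.100.7 /forum/thread/2
2010-04-13T09:00:06 indexer 203.0.113.55 /forum/thread/3
2010-04-13T09:00:09 indexer 198.51.100.23 /forum/thread/4
2010-04-13T09:00:12 indexer 192.0.2.44 /forum/thread/5
2010-04-13T09:00:15 indexer 192.0.2.9 /forum/thread/6
2010-04-13T09:00:18 indexer 198.51.100.7 /forum/thread/7
2010-04-13T09:00:21 indexer 203.0.113.55 /forum/thread/8
2010-04-13T09:00:24 indexer 192.0.2.44 /forum/thread/9
2010-04-13T09:00:27 indexer 198.51.100.1 /forum/thread/10
2010-04-13T09:00:30 indexer 198.51.100.23 /forum/thread/11
2010-04-13T09:00:33 indexer 192.0.2.9 /forum/thread/12
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, ip, path) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, ip, path = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, path))
    return events


def window_stats(hits, window):
    """Return (max requests, max distinct IPs) seen in any window of the given length.

    hits is a list of (timestamp, ip) pairs sorted by timestamp. The right
    pointer j only ever advances, because a later window start can never
    admit an event that an earlier start already excluded.
    """
    max_requests = 0
    max_ips = 0
    j = 0
    for i, (start, _ip) in enumerate(hits):
        while j < len(hits) and hits[j][0] - start <= window:
            j += 1
        max_requests = max(max_requests, j - i)
        max_ips = max(max_ips, len({ip for _, ip in hits[i:j]}))
    return max_requests, max_ips


def flag_crawler_accounts(events, window=timedelta(minutes=1), max_requests=10, max_ips=3):
    """Return {account: [reasons]} for accounts exceeding either threshold.

    Thresholds are constructed defaults: more than 10 thread pages per minute
    is far above a reading pace, and more than 3 client IPs per minute for a
    single logged-in account is not how a person's connection behaves.
    """
    per_account = defaultdict(list)
    for ts, account, ip, _path in events:
        per_account[account].append((ts, ip))
    flagged = {}
    for account, hits in per_account.items():
        hits.sort()
        requests, ips = window_stats(hits, window)
        reasons = []
        if requests > max_requests:
            reasons.append(f"{requests} page requests within {window}")
        if ips > max_ips:
            reasons.append(f"{ips} distinct client IPs within {window} for one account")
        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    for account, reasons in flag_crawler_accounts(parse_log(SAMPLE_LOG)).items():
        print(account, "->", "; ".join(reasons))
```

Two caveats follow directly from the article. It says the crawler makes its indexing look like ordinary browsing, so a crawler that paces itself will slip under the request-rate threshold; the IP-churn signal is harder to hide because rotating addresses while staying logged in is exactly what the article describes. Conversely, a legitimate member moving between networks (the "bob" case above) will show two or three addresses, so hits belong in a review queue rather than an automatic ban list.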
From rforno at infowarrior.org Tue Apr 13 17:30:30 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Apr 2010 13:30:30 -0400
Subject: [Infowarrior] - 'Stolen' Tweets lead to reader ire
Message-ID:

Recently, the editor of the book Tweet Nothings, a book of curated Tweets, sent an apologetic letter to the people whose Tweets were included in the book -- after the book had already been published in December:

http://techdirt.com/articles/20100412/1844038986.shtml

From rforno at infowarrior.org Tue Apr 13 17:34:26 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Apr 2010 13:34:26 -0400
Subject: [Infowarrior] - FBI Invites Academics to Confer on Security
Message-ID:

In support of the FBI's Academic Alliance initiative, the San Francisco Division of the FBI and its Strategic Technology Task Force will co-host a conference to promote positive continuous dialogue between the U.S. Intelligence Community and the academic community. The San Francisco Bay Area Academic Alliance Conference will take place on Thursday, April 29, 2010.

You are invited to attend this special event. If you cannot attend this event and know someone who is interested in this topic, please feel free to forward this invitation to them. This will be a great opportunity to meet with other academics and U.S. national security partners to discuss trends, observations, as well as security concerns.

The conference will be held at SLAC National Accelerator Laboratory, 2575 Sand Hill Road, Menlo Park, California 94025 (please see enclosed maps for location and parking). Registration for visitor's badges will begin at 8:00 a.m. The conference will begin at 9:00 a.m. and conclude at 2:00 p.m. (agenda enclosed).

We are honored to announce that Dr. Graham Spanier, President of Pennsylvania State University, will speak about the National Security Higher Education Advisory Board ("NSHEAB"), which he also chairs.
Established in 2005, the NSHEAB works to bridge historical gaps between the U.S. Intelligence Community and the academic community with respect to national security issues. Since its inception, the NSHEAB has been an invaluable tool in providing advice to the FBI on the culture of higher education, including the traditions of openness, academic freedom, and international collaboration, while serving as a forum for discussion of national security issues. The NSHEAB fosters understanding and cooperation between leaders in higher education and the U.S. Intelligence Community and develops outreach efforts to help the academic community better understand the missions and mandates relating to terrorism, counterintelligence, and homeland security.

In addition to Dr. Spanier, the conference will also feature guest speakers Julie Salcido, Special Agent in Charge, Department of Commerce, Office of Export Enforcement; Boris Yuzhin, former KGB Colonel; and Special Agent Cody Monk, FBI-Houston.

Please RSVP by email to Special Agent James G. Kang at james.kang3 at ic.fbi.gov no later than April 19, 2010. Please RSVP as soon as possible, as seating is limited to the first 200 respondents.

If you do not intend to participate in the Academic Alliance Conference, but wish to receive a security awareness and threat briefing for yourself and your facility personnel, please contact Special Agent Luther Jaffe at (650) 251-8371.
From rforno at infowarrior.org Tue Apr 13 19:47:05 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Apr 2010 15:47:05 -0400
Subject: [Infowarrior] - Apple Places New Limits on App Developers
Message-ID:

April 12, 2010
Apple Places New Limits on App Developers
By JENNA WORTHAM
http://www.nytimes.com/2010/04/13/technology/companies/13apple.html?hpw=&pagewanted=print

Apple is tightening its already firm grip on what software can run on the iPhone and its other mobile devices, as shown by its recent changes to the rules that outside programmers must follow. The company is locked in a battle with other cellphone makers, particularly those using Google's Android operating system, for the latest and best applications that add functions to a phone.

The new rules, released last week, say in part that app developers may only use Apple's programming tools. That is a problem for Adobe Systems, which announced a new package of tools on Monday that were meant to let developers create apps once and then automatically generate versions for the iPhone and other companies' devices.

Developers will also no longer be permitted to use outside services to measure how their applications are performing. The company says it will refuse to distribute any apps in the iTunes store that violate the new agreement.

"Apple is doing everything to encourage app development, as long as it's on their platform," said Gene Munster, an analyst with Piper Jaffray. "The risk Apple runs is ticking off developers and causing them to want to develop on other platforms," he said. But until competing mobile platforms gain more traction, he said, "there's no other place for developers to go, so Apple can call the terms however they want."

The changes leave many start-ups and apps developers in limbo, waiting to find out whether their businesses, many of which have built a substantial clientele and taken money from venture capitalists, can still operate under the new rules.
"The truth is that right now, we don't know a lot," said Peter Farago, vice president of Flurry, an analytics company with offices in New York and San Francisco. "We have a list of questions."

Flurry's software tracks how smartphone applications are used. It has become a popular tool among developers, who have access to details like how long it takes to complete a game or to finish reading a chapter of an electronic book.

Mr. Farago said his company had asked Apple for clarification, but had not heard back. "We think we can be compliant by doing some modifications," he said. "We'll do what we need to do to get that to happen." Even so, the company is aware that it may have to rethink its business model, Mr. Farago said.

Henry Balanon, lead developer at an iPhone development company called BickBot, said he had no immediate plans to remove Flurry's software from his applications. "We'd have to roll our own analytics into the software, which is just a pain," Mr. Balanon said. "But if we start getting rejections because of the analytics, we may have to reconsider."

Industry experts like Al Hilwa, an analyst with the research firm IDC, say that Apple is tightening its grip on applications in an attempt to keep rivals at bay. "There will be a big fistfight for developers and applications over the next few years," he said. "This is just the early stages of the battle for mobile telephony. Apple's financial radar is up, and they are trying to close all the holes."

Mr. Munster, the Piper Jaffray analyst, said that the broader shift in Apple's core revenue streams, to mobile from desktop computing, was a chief reason for the company to pressure developers. "It's not about making money on the apps," he said. "It's about making money off the hardware." Mobile devices with more apps, he said, are more attractive to buyers. By the end of 2011, Mr. Munster said, nearly 50 percent of Apple's total revenue will come from sales of the iPhone and iPod Touch.
In 2001, 80 percent of Apple's revenue was from its line of Mac laptops and desktop computers. That figure will slip to about 27 percent in 2011, he said.

Apple did not respond to requests for comment. But an iPhone developer named Greg Slepak sent an e-mail message to Apple's chief executive, Steven P. Jobs, saying that the new rules were "limiting creativity."

"We've been there before," Mr. Jobs wrote in reply. "Intermediate layers between the platform and the developer ultimately produces substandard apps and hinders the progress of the platform."

The prohibition on the use of non-Apple programming tools prompted a sharp response from an Adobe employee. Lee Brimelow, an Adobe evangelist, wrote on his blog last week: "This is a frightening move that has no rational defense other than wanting tyrannical control over developers and more importantly, wanting to use developers as pawns in their crusade against Adobe."

From rforno at infowarrior.org Wed Apr 14 12:05:35 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 14 Apr 2010 08:05:35 -0400
Subject: [Infowarrior] - Military asserts right to return cyber attacks
Message-ID: <174B8FE5-35D4-44BA-BF8D-2518B769E5FD@infowarrior.org>

Military asserts right to return cyber attacks
Apr 14, 5:37 AM (ET)
By LOLITA C. BALDOR
http://apnews.myway.com/article/20100414/D9F2PLP00.html

WASHINGTON (AP) - The U.S. must fire back against cyber attacks swiftly and strongly and should act to counter or disable a threat even when the identity of the attacker is unknown, the director of the National Security Agency told Congress.

Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.
"Even with the clear understanding that we could experience damage to our infrastructure, we must be prepared to fight through in the worst case scenario," Alexander said in a Senate document obtained by The Associated Press. Alexander's answers reflect the murky nature of the Internet and the escalating threat of cyber terrorism, which defies borders, operates at the speed of light and can provide deep cover for assailants who can launch disruptive attacks from continents away, using networks of innocent computers. The three-star Army general laid out his views on Cyber Command and the military's role in protecting computer networks in a 32-page Senate questionnaire. He answered the questions in preparation for a Senate Armed Services Committee hearing Thursday on his nomination to head Cyber Command. U.S. computer networks are under constant attack, and President Barack Obama last year declared that the cyber threat is one of nation's most serious economic and national security challenges. Alexander offered a limited but rare description of offensive U.S. cyber activities, saying the U.S. has "responded to threats, intrusions and even attacks against us in cyberspace," and has conducted exercises and war games. It's unclear, Alexander added, whether or not those actions have deterred criminals, terrorists or nations. In cyberspace, he said, it is difficult to deliver an effective response if the attacker's identity is not known. But commanders have clear rights to self-defense, he said. He added that while "this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles ... would be lawful." Senators noted, in their questions, that police officers don't have to know the identity of a shooter in order to shoot back. In cyberspace, the U.S. 
may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack. The nation's ability to protect its networks and launch counterattacks, however, is shrouded in secrecy. Alexander gave the panel a separate classified attachment that provided more details on how and when the military would launch cyber attacks and under what legal and command authorities. Among the classified responses was his answer to whether the U.S. should first ask another government to deal with a cyber attack that came from within its borders. He repeatedly stressed that any U.S. response to a cyber attack must be authorized by the president and must conform to international law and guiding military principles. Those guidelines require that the reaction be deemed militarily necessary and in proportion to the attack. Noting that there is no international consensus on the definition of use of force, in or out of cyberspace, Alexander said uncertainty creates the potential for disagreements among nations. Alexander echoed other experts who warn that the U.S. is unprepared for a cyber attack. He said the first priority is to make sure the nation can defend its networks, which are now a "strategic vulnerability." Alexander said the biggest challenge facing the development of Cyber Command will be improving the defense of military networks, which will require better real-time knowledge of intrusions. He added that it will be difficult for the military to gain superiority in cyberspace, but the goal is "realistic." Alexander, 58, is a native of Syracuse, N.Y., and a graduate of the U.S. Military Academy. --- On the Net: Lt. Gen. 
Keith Alexander: http://www.nsa.gov/about/leadership/bio_alexander.shtml From rforno at infowarrior.org Wed Apr 14 16:21:24 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 14 Apr 2010 12:21:24 -0400 Subject: [Infowarrior] - Who's Got the Cyberwar Rule Book Message-ID: Who's Got the Cyberwar Rule Book Posted by David A. Fulghum at 4/14/2010 9:16 AM CDT Congress is struggling to understand the rules of cyberwar, a task that is holding up confirmation of Army Gen. Lt. Gen. Keith Alexander as the first chief of U.S. Cyber Command. http://www.aviationweek.com/aw/blogs/defense/index.jsp The months of delay in Alexander?s confirmation is making it hard for each of the services to continue planning, decision-making and structuring its own organizations for the pursuit of cyber operations from the air, land, sea and space. Alexander is already head of the National Security Agency which has part of the responsibility for conducting and approving cyber attacks. The Air Force?s 24th Air Force and Navy?s 10th Fleet, for example, are being stymied in the development and testing of tactical cyber weapons that can analyze, identify and attack command and control as well as strike systems on the battlefield. The Air Force?s F-22 Raptor and F-15E Strike Eagle, the Navy?s EA-18G Growlers and F/A-18F Super Hornets and the F-35 Joint Strike Fighter all have advanced radars that can be upgraded with software packages to generate data streams ? packed with algorithms for digital mischief ? that can be beamed into antennas associated with enemy networks of interest. For ground-based cyber operations, the Air Force is planning to start training its first two classes ? a total of 60 persons for what will eventually be a force of 1,000 cyber warriors -- this summer that will make up the operational heart of the 6,000 person 24th Air Force. 
The battlefield will encompass not only desktop personal computers but also laptops, cell phones and whatever replaces the next generation of communication devices.

"It's about the message," says Lt. Gen. William Lord, the Air Force's chief information officer. "Monkeying around with the network is not just about turning systems on or off. How, when and where do you deliver [the message] -- to [a targeted official's] house or office? [A cyber operation] is an instrument that we could use to change the behavior of a belligerent. A demarche, a well-placed e-mail or a telephone call from a head of state may create that change."

In fact, the combination of cyber operations, non-kinetic weapons and their blending with intelligence, surveillance and reconnaissance is expected to change the conduct of warfare. The evolution of technology, information and culture underlies a movement to shift the Air Force, for example, away from the traditional segregation of operations and intelligence to their integration.

"As we move to designing every shooter as a sensor and every sensor as a shooter [including cyber attack and network exploitation], we will also need to merge today's separate ISR tasking process with the current separate strike [planning]," says Lt. Gen. David Deptula, the Air Force's deputy chief of staff for ISR. "The [consolidation] will involve dramatic cultural changes and as with any large institution they won't come easy, but they need to happen sooner rather than later if we intend to operate inside our adversary's action cycle."

That consolidation also will tie together key ISR, directed energy and cyber attack components as sensors, like the Active Electronically Scanned Array (AESA) radar, become a high-power microwave (HPM) weapon with the ability to infiltrate networks with algorithms embedded in data streams.
"AESA radar and HPM technologies are still maturing and as these technologies are being tested and proven, they are showing great promise," Deptula says. "I?m convinced these are break-through, 'game-changing' technologies that will directly affect the way we think about aircraft, airpower?and frankly?warfare in the future." ISR will take on the locating of mapping for networks and the geolocation for cyber attack just as it uses video and other imagery to plan conventional bombing attacks. "The Air Force's ISR Enterprise's role in the Cyber domain parallels ISR's role in the domains of air and space," Deptula says. "[Part of its mission] is to provide the ISR exploitation piece for 24th Air Force cyberspace [attack and defense] operations. Under AF doctrine, computer network exploitation is a part of signals intelligence and given that our AF ISR Agency is already conducting that mission, it is a natural fit for us." From rforno at infowarrior.org Wed Apr 14 16:29:26 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 14 Apr 2010 12:29:26 -0400 Subject: [Infowarrior] - Twitter's Entire Archive Headed to the Library of Congress Message-ID: Twitter's Entire Archive Headed to the Library of Congress Written by Marshall Kirkpatrick / April 14, 2010 9:03 AM / 2 Comments http://www.readwriteweb.com/archives/twitters_entire_archive_headed_to_the_library_of_c.php The US Library of Congress announced this morning via its official Twitter account that it will be acquiring the entire archive of Twitter messages back through March, 2006. In addition to a massive printed collection, the Library already has an extensive collection of other digital assets. The Library of Congress is the biggest library in the world. The Library does extensive work with data format standards, the semantic web and other platforms for outside analysis. The addition of Twitter into the organization's offerings could foster an enormous amount of academic research. 
Will the archive include friend/follower connection data? Will it be usable for commercial purposes? Will there be a web interface for searching it and will that change the face of Twitter search for good? Is there any way that the much larger archive of Facebook data could be submitted to the same body for analysis of the same kind?

These kinds of large data sets are poised to become one of the most important resources the Internet creates. As Kenneth Cukier wrote in the Economist's recent Special Report on Big Data, "Data are becoming the new raw material of business: an economic input almost on a par with capital and labour."

There's no word from Twitter itself about this news but we expect details to become public during the Chirp developers conference starting in just a few minutes. It's hard to imagine a more significant milepost in social media's early march toward becoming an essential component of our social experience.

From rforno at infowarrior.org Wed Apr 14 16:46:30 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 14 Apr 2010 12:46:30 -0400
Subject: [Infowarrior] - Air Force to add cyberwarfare training
Message-ID:

Air Force to add cyberwarfare training
by Lance Whitney
http://news.cnet.com/8301-13639_3-20002463-42.html?part=rss&subj=news&tag=2547-1_3-0-20

U.S. Air Force recruits will be trained in the basics of cyberwarfare, according to statements made by four-star Air Force Gen. Robert Kehler.

Though details of the plan are still being worked out, according to the Associated Press, the Air Force intends to provide brief training sessions on cyberwarfare to new recruits, most likely an hour or two, to cover the fundamentals. The training would cover basic principles, such as the use of firewalls and passwords, according to Kehler.

The general, who runs the Air Force Space Command at the Peterson Air Force Base in Colorado, spoke about the planned cyberwarfare training at the 26th National Space Symposium on Monday.
"We teach them at basic training fundamentals of an M-16 (rifle), for example, and an M-9 (pistol), and so we want them to know the fundamentals of the computer network that they're going to be operating in," Kelher said. Although recruits will only have basic training, officers and enlisted personnel could opt for a more advanced, undergraduate-level program in cyber operations, said the general. Such a program would run for six months and give students more in-depth training on computer networks and vulnerabilities. More specific training would be offered as a follow-up. The first advanced course would be given to 16 officers, but the Air Force intends to offer several classes each year to reach its goal of having 400 officers skilled in cyberwarfare annually. From rforno at infowarrior.org Wed Apr 14 22:58:13 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 14 Apr 2010 18:58:13 -0400 Subject: [Infowarrior] - Israel confiscates visiting iPads Message-ID: <5F95C991-07A3-4415-8A30-6E87DA438169@infowarrior.org> Israel confiscates visiting iPads By Rik Myslewski in San Francisco ? Get more from this author Posted in Mobile, 14th April 2010 19:48 GMT http://www.theregister.co.uk/2010/04/14/ipad_banned_in_israel/ If you're planning a visit to Israel, don't bring along your new iPad - the Israeli government will confiscate it at entry. So says a report in Wednesday's Haaretz, a leading Israeli news service based in Tel Aviv. According to the report, the problem is the iPad's Wi-Fi implementation - and, no, it's not because the iPad's Wi-Fi has been giving early-adopters so much trouble. What concerns engineers working in the Israeli Ministry of Communications, according to Haaretz, is that the iPad's "wireless technology is not compatible with Israeli standards." The Israeli wireless standards match those of European standards. American standards, with which the iPad does comply, allow for lower wireless power levels than do the European standards. 
Because of this, Haaretz quotes unnamed ministry officials as saying, "the broadcast levels of the [iPad] prevent approving its use in Israel."

An Israeli who tried to bring his iPad back from the US on Tuesday told Haaretz's business division, TheMarker, that when he tried to declare it at Israeli customs it was confiscated, and he was directed to contact the Ministry of Communications if he wanted it back. The Ministry told him, according to Haaretz: "It is forbidden to bring iPads into Israel; send it back overseas."

Haaretz also reported that the customs chief at Tel Aviv's Ben-Gurion International Airport said that his staff bagged 10 iPads on Tuesday, taking them even from users who offered to pay the required VAT.

The iPad, however, is not being singled out for unusual treatment. As one person familiar with the matter told The Reg: "This isn't the first time that this has happened in Israel - this has happened with other devices as well."

Daniel Morgan, the director of public affairs at the Israeli Consulate in San Francisco, was more specific, telling The Reg: "All new electronic technology that enters Israel is subject to regulation approval, just as in European and many other countries. The Communications Ministry has asked Apple to send the technological specs of the iPad in order to approve its usage in the Israeli market, and any iPads that were held before entering Israel will be returned to their owners."

Apple and Israel had better come to an agreement in 90 days, seeing as how the iPad will go on sale internationally at the end of May.
From rforno at infowarrior.org Wed Apr 14 23:25:16 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 14 Apr 2010 19:25:16 -0400
Subject: [Infowarrior] - DOJ wants to read email without warrants
Message-ID: <71276DFD-64C3-4E6F-959F-C4C341DD7DE6@infowarrior.org>

April 13, 2010 5:27 PM PDT
Google backs Yahoo in privacy fight with DOJ
by Declan McCullagh
http://news.cnet.com/8301-13578_3-20002423-38.html

Google and an alliance of privacy groups have come to Yahoo's aid by helping the Web portal fend off a broad request from the U.S. Department of Justice for e-mail messages, CNET has learned.

In a brief filed Tuesday afternoon, the coalition says a search warrant signed by a judge is necessary before the FBI or other police agencies can read the contents of Yahoo Mail messages--a position that puts those companies directly at odds with the Obama administration.

Yahoo has been quietly fighting prosecutors' requests in front of a federal judge in Colorado, with many documents filed under seal. Tuesday's brief from Google and the other groups aims to buttress Yahoo's position by saying users who store their e-mail in the cloud enjoy a reasonable expectation of privacy that is protected by the U.S. Constitution.

"Society expects and relies on the privacy of e-mail messages just as it relies on the privacy of the telephone system," the friend-of-the-court brief says. "Indeed, the largest e-mail services are popular precisely because they offer users huge amounts of computer disk space in the Internet 'cloud' within which users can warehouse their e-mails for perpetual storage."

The coalition also includes the Electronic Frontier Foundation, the Center for Democracy and Technology, the Progress and Freedom Foundation, the Computer and Communications Industry Association, and TRUSTe.
For its part, the Justice Department has taken a legalistic approach: a 17-page brief it filed last month acknowledges that federal law requires search warrants for messages in "electronic storage" that are less than 181 days old. But, Assistant U.S. Attorney Pegeen Rhyne writes in a government brief, the Yahoo Mail messages don't meet that definition.

"Previously opened e-mail is not in 'electronic storage,'" Rhyne wrote in a motion filed last month. "This court should therefore require Yahoo to comply with the order and produce the specified communications in the targeted accounts." (The Justice Department's position is that what's known as a 2703(d) order--not as privacy-protective as the rules for search warrants--should let police read e-mail.)

On December 3, 2009, U.S. Magistrate Judge Craig Shaffer ordered Yahoo to hand to prosecutors certain records including the contents of e-mail messages. Yahoo divulged some of the data but refused to turn over e-mail that had been previously viewed, accessed, or downloaded and was less than 181 days old. A Yahoo representative declined to comment.

"This case is about protecting the privacy rights of all Internet users," a Google representative said in a statement provided to CNET on Tuesday. "E-mail stored in the cloud should have the same level of protection as the same information stored by a person at home."

That is, in fact, the broader goal of the groups filing Tuesday's brief. They're also behind the new Digital Due Process Coalition, which wants police to be able to obtain private communications (and the location of Americans' cell phones) only when armed with a search warrant. Under a 1986 law written in the pre-Internet era, Internet users enjoy more privacy rights if they store data locally, a legal hiccup that these companies fear could slow the shift to cloud-based services unless it's changed.
The judge should "reject the government's attempted end-run around the Fourth Amendment and require it to obtain a search warrant based on probable cause before searching and seizing e-mails without prior notice to the account holder," the coalition brief filed Tuesday says. The Bill of Rights' Fourth Amendment prohibits unreasonable searches and, in general, has been interpreted to mean warrantless searches are unreasonable.

The legal push in Colorado federal court, and a parallel legislative effort in Congress to update the 1986 Electronic Communications Privacy Act, is likely to put the coalition at odds with the Obama administration. A few weeks ago, for instance, Justice Department prosecutors told a federal appeals court that Americans enjoy no reasonable expectation of privacy in their mobile device's location and that no search warrant should be required to access location logs.

The U.S. Attorney's office in Colorado did not immediately respond to a request for comment.

Update 8:15 p.m. PDT Tuesday: I've heard back from a Justice Department representative who says he'll be able to answer questions on Wednesday after he talks to the cybercrime section.

Update 9 a.m. PDT Wednesday: The Electronic Frontier Foundation has posted a statement on the case, with EFF attorney Kevin Bankston saying: "The government is trying to evade federal privacy law and the Constitution."

Yahoo's brief is also worth noting. Like the coalition's filing, it argues that "users have a reasonable expectation of privacy in their e-mails" and says the Fourth Amendment requires police to obtain a warrant to peruse stored messages. And it confirms that prosecutors want "all e-mail" in the targeted Yahoo Mail accounts, even if it's not relevant to the investigation or could include documents protected by the attorney-client privilege.

Update 9:30 a.m. PDT Wednesday: Yahoo has sent over a statement saying: "Yahoo values our trusted relationships with our users and works to protect their privacy while at the same time fulfilling our legal responsibilities. Yahoo's filing in this matter is a public document. Beyond what is contained in that document, Yahoo has no comment on the specifics of the case."

From rforno at infowarrior.org Thu Apr 15 02:28:11 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 14 Apr 2010 22:28:11 -0400
Subject: [Infowarrior] - Cancer breakthrough as DNA code cracked
Message-ID:

Cancer breakthrough as DNA code cracked
By Margaret Wenham
From: The Courier-Mail
April 15, 2010 2:37AM
http://www.news.com.au/national/cancer-breakthrough-as-dna-code-cracked/story-e6frfkvr-1225853861443

A new era of cancer treatment has dawned. Scientists from research institutes in Australia, Canada, Japan, China and the UK will today release the first DNA profiles of some of the most prevalent types of tumours.

It is the first output from the International Cancer Genome Consortium of 12 institutes around the world working to map the genes of 50 different cancers.

The Queensland Centre for Medical Genomics at the University of Queensland's Institute of Molecular Bioscience is a member of the consortium and has released the analysed blueprints of two pancreatic tumours.

QCMG director and primary investigator Professor Sean Grimmond said the QCMG was mapping the pancreatic and ovarian tumours of 500 patients, while other institutes were tackling different common cancers, including lung, breast, blood, brain, kidney, liver and stomach.

"Over the last two decades we've worked out that cancer arises from the accumulation of genetic damage to the genome or genetic blueprint . . . once you've accumulated sufficient damage in key locations, tumours will develop," he said.
From rforno at infowarrior.org Thu Apr 15 13:07:24 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Apr 2010 09:07:24 -0400
Subject: [Infowarrior] - OT: QOTD
Message-ID:

A plume of volcanic ash from Iceland has led to flights across the UK being grounded. The events around one British Airways flight in 1982 reveal the potential dangers of this sort of dust.......

< - >

Memorable quote:

"Good evening ladies and gentlemen. This is your captain speaking. We have a small problem. All four engines have stopped. We are all doing our damnedest to get them going again. I trust you are not in too much distress."

Source: http://news.bbc.co.uk/2/hi/uk_news/magazine/8622099.stm

... classic British style. :)

-rick

From rforno at infowarrior.org Thu Apr 15 13:43:43 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Apr 2010 09:43:43 -0400
Subject: [Infowarrior] - JITP 2010: Politics of Open Source
Message-ID: <373C4B1C-2D94-4F18-AB1B-9CE883BAA833@infowarrior.org>

JITP 2010: Politics of Open Source
May 6 & 7, 2010
University of Massachusetts Amherst
http://politicsofopensource.jitp.net/

The Politics of Open Source is an interdisciplinary conference organized by the Journal of Information Technology and Politics (JITP) that examines the politics associated with the Free/Libre and Open Source Software (FLOSS) Movement.

A complete program is available at: http://politicsofopensource.jitp.net

Regular registration is open until April 21.

The conference features two keynote lectures:

Eric von Hippel, Professor and Head of the Innovation and Entrepreneurship Group at the Sloan School of Management at the Massachusetts Institute of Technology and Fellow at the Berkman Center for Internet and Society at Harvard Law School. Dr. von Hippel specializes in research related to the nature and economics of distributed and open innovation.
He also develops and teaches about practical methods that firms can use to improve their product and service development processes. He is the author of Democratizing Innovation (MIT Press, 2005) and The Sources of Innovation (Oxford, 1988).

Clay Johnson, Director of Sunlight Labs. Prior to joining Sunlight, Clay was one of the four founders of Blue State Digital, the progressive left's premier technology and online strategy firm. This firm, which was born out of the Howard Dean campaign, was also responsible for Barack Obama's Web presence. Before joining Blue State, Johnson was the lead programmer for Dean for America in 2004, overseeing the development of grassroots tools like GetLocal, DeanLink and Project Commons. Prior to entering politics, Johnson was a technologist at Ask Jeeves (now Ask.com) where he helped to develop the company's Web syndication product. He also started the first Internet Knowledge Exchange, KnowPost.com, and worked as an entrepreneur-in-residence at a Venture Capital firm, but still claims that he learned the most from his first job -- as a waiter at Waffle House in Atlanta, Georgia.

And invited panel presentations featuring: John M. Weathersby, Founder and Executive Director of the Open Source Software Institute, and Louis Suarez-Potts, Community Development Manager at Sun Microsystems and OpenOffice.org

For more information and to register, visit http://politicsofopensource.jitp.net/

The conference is supported by Microsoft, Google, UMass Department of Computer Science, Texifter, UMass Department of Political Science, the Open Source Software Institute, the Qualitative Data Analysis Program, the National Center for Digital Government, and the Center for Public Policy and Administration.

From rforno at infowarrior.org Thu Apr 15 21:05:38 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Apr 2010 17:05:38 -0400
Subject: [Infowarrior] - At Internet Conference, Signs of Agreement Between U.S. and Russia
Message-ID: <724481D4-716A-4993-809A-0D076DB6CEB5@infowarrior.org>

April 15, 2010
At Internet Conference, Signs of Agreement Between U.S. and Russia
By JOHN MARKOFF
http://www.nytimes.com/2010/04/16/science/16cyber.html?hpw=&pagewanted=print

GARMISCH-PARTENKIRCHEN, Germany -- For the 140 computer network specialists, law enforcement agents and diplomats from eight countries who met in this German ski resort this week for a Russian-sponsored conference on Internet security, the biggest challenge was finding a common ground to discuss their differences.

The barrier was not the gaggle of native languages but the deep differences in the way governments view cyberspace, according to many of the cyberspecialists at the conference.

That challenge was underscored by a sharp rift between the United States and Russia. Americans speak about computer security and cyberwarfare; the Russians have a different emphasis, describing cyberspace in a broader framework they refer to as "information security."

"The Russians have a dramatically different definition of information security than we do; it's a broader notion, and they really mean state security," said George Sadowsky, a United States representative to the Internet Corporation for Assigned Names and Numbers, or Icann, the organization that is the closest thing to a governing body for the global network.

What has changed, however, is the Obama administration's decision this year to actively begin discussing these differences with the Russians. While last year only a single American academic computer security specialist attended the conference, this year more than a dozen Americans attended, including Christopher Painter, the second ranking White House official on cybersecurity, and Judith Strotz, the director of the State Department's Office of Cyber Affairs.

The two nations, according to Russian officials, have agreed to renew bilateral discussions that began last November in Washington.
"An international dialogue on cybergovernance, crime and security is really long overdue," said Charles Barry, a research fellow at the National Defense University. "There's really only one network out there. We're all on it, and we need to make it safe."

Mr. Painter, speaking on Tuesday, said there had been significant improvement in international law enforcement cooperation in recent years. To respond to challenges in cyberspace, he said, strong laws, trained cybercrime investigators and efficient international cooperation are needed. The United States has succeeded in creating a global 24-hour, seven-day network of law enforcement agencies in 50 nations, which have agreed to collect and share data in response to computer attacks and intrusions.

While officials from both nations said that law enforcement cooperation had improved, the Russians have still refused to sign the European Cybercrime Treaty, which is strongly backed by the United States.

At the same time, for the past 13 years, the Russians have been trying to interest the United States in a cyberspace treaty in which nations would agree not to develop offensive cyberweapons or to conduct attacks on computer networks. The United States has repeatedly declined to enter into negotiations, arguing instead that improved law enforcement cooperation between different countries was all that was necessary to combat both cybercrime and cyberterrorism.

On Monday, Gen. Vladislav P. Sherstyuk, Russia's undersecretary of the security council of the Russian Federation and the former leader of the Russian equivalent of the National Security Agency, criticized the treaty, saying that a single provision effectively violated Russia's sovereignty by permitting foreign law enforcement direct access to the Russian Internet.

He also restated Russian concerns about the absence of an international treaty limiting the military uses of the Internet.

"Cyberattacks are left out of international military law," he said. "Information technology can be used as a tool to undermine national peace and security."

The Americans have accused the Russians of turning a blind eye to cybercriminals who have operated with relative impunity from their country. In response, the Russians have criticized what they see as the United States' "hegemony" over the Internet and privately expressed concerns that the United States has retained a "red button" -- the power to shut off the Internet for specific countries.

Yet despite these differences, in Garmisch this year there were also signs of agreement between Russians and Americans.

The conference, which is sponsored by Lomonosov Moscow State University, Icann and several Russian companies, is the brainchild of General Sherstyuk. Several of the conference attendees said the gathering, which is in its fourth year, was an effort by General Sherstyuk to build international support for his work. He has been the principal force behind Russian efforts to create a treaty limiting cyberwarfare developments.

Academic and government officials from a number of other countries, including India and China, attended this year. However, recent episodes like Google's claims in January that it had suffered the theft of its software and intrusions on human rights advocates from China and a recent Canadian report about a Chinese computer spying system focused on India, were not discussed.

During a panel on countering computer crime, Col. Gen. Boris Miroshnikov, a cybercrime official for the Russian Ministry of the Interior, and Stewart Baker, a fellow at the Center for Strategic and International Studies, a policy group in Washington, and the former chief counsel for the National Security Council, agreed that the most important step in combating Internet crime would be to do away with the anonymity that has long been a central tenet of Internet culture.

"Anonymity is an invitation to criminals," said Colonel General Miroshnikov. Mr.
Baker agreed, saying, "Anonymity is the fundamental problem we face in cyberspace."

This week, the Russians were optimistic that progress was being made in bridging more of the cultural divide that has hindered international cooperation. According to one Russian business executive who has attended all four of the Garmisch events, the tenor of this year's meeting was markedly different than earlier meetings, which were dominated by the Russians.

"In the past, the largest group was from the F.S.B.," he said, referring to the Russian intelligence agency, "who were here for an annual vacation."

From rforno at infowarrior.org Thu Apr 15 21:19:29 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Apr 2010 17:19:29 -0400
Subject: [Infowarrior] - Entertainment Industry's Dystopia of the Future
Message-ID:

The Entertainment Industry's Dystopia of the Future
Commentary by Richard Esguerra
http://www.eff.org/deeplinks/2010/04/entertainment-industrys-dystopia-future

We're not easily shocked by entertainment industry overreaching; unfortunately, it's par for the course. But we were taken aback by the wish list the industry submitted in response to the Intellectual Property Enforcement Coordinator's request for comments on the forthcoming "Joint Strategic Plan" for intellectual property enforcement.

The comments submitted by various organizations provide a kind of window into how these organizations view both intellectual property and the public interest. For example, EFF and other public interest groups have asked the IPEC to take a balanced approach to intellectual property enforcement, paying close attention to the actual harm caused, the potential unexpected consequences of government intervention, and compelling countervailing priorities.
The joint comment filed by the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA) and others stands as a sharp contrast, mapping out a vision of the future where Big Media priorities are woven deep into the Internet, law enforcement, and educational institutions. Consider the following, all taken from the entertainment industry's submission to the IPEC.

"Anti-infringement" software for home computers

There are several technologies and methods that can be used by network administrators and providers...these include [consumer] tools for managing copyright infringement from the home (based on tools used to protect consumers from viruses and malware).

In other words, the entertainment industry thinks consumers should voluntarily install software that constantly scans our computers and identifies (and perhaps deletes) files found to be "infringing." It's hard to believe the industry thinks savvy, security-conscious consumers would voluntarily do so. But those who remember the Sony BMG rootkit debacle know that the entertainment industry is all too willing to sacrifice consumers at the altar of copyright enforcement.

Pervasive copyright filtering

Network administrators and providers should be encouraged to implement those solutions that are available and reasonable to address infringement on their networks. [This suggestion is preceded by a list of filtering methods, like protocol filtering, fingerprint-based filtering, bandwidth throttling, etc.]

The entertainment industry loves widespread filtering as a "solution" to online copyright infringement -- in fact, it has successfully persuaded Congress to push these technologies on institutions of higher-education. But this "solution" is full of flaws. First, even the "best" automated copyright blocking systems fail to protect fair use. Worse, these techniques are unlikely to make any lasting dent on infringing behavior, but will instead just invite the use of more encryption and private "darknets" (or even just more hand-to-hand sharing of hard drives and burned DVDs). But perhaps the most pernicious effect may be that copyright protection measures can be trojan horses for consumer surveillance. In an age of warrantless wiretapping and national censorship, building more surveillance and inspection technologies into the heart of the Internet is an obviously bad idea. In the words of the Hollywood movie, "if you build it, they will come."

Intimidate and propagandize travelers at the border

Customs authorities should be encouraged to do more to educate the traveling public and entrants into the United States about these issues. In particular, points of entry into the United States are underused venues for educating the public about the threat to our economy (and to public safety) posed by counterfeit and pirate products. Customs forms should be amended to require the disclosure of pirate or counterfeit items being brought into the United States.

Does that iPod in your hand luggage contain copies of songs extracted from friends' CDs? Is your computer storing movies ripped from DVD (handy for conserving battery life on long trips)? Was that book you bought overseas "licensed" for use in the United States? These are the kinds of questions the industry would like you to answer on your customs form when you cross borders or return home from abroad.

What is more, this suggestion also raises the specter of something we've heard the entertainment industry suggest before: more searches and seizures of electronic goods at the border. Once border officials are empowered to search every electronic device for "pirated" content, digital privacy will all but disappear, at least for international travelers.
From what we've learned about the fight over a de minimis border measures search exclusion in the latest leaked text, ACTA might just try to make this a reality.

Bully countries that have tech-friendly policies

The government should develop a process to identify those online sites that are most significantly engaged in conducting or facilitating the theft of intellectual property. Among other uses, this identification would be valuable in the interagency process that culminates in the annual Special 301 report, listing countries that fail to provide adequate and effective protection to U.S. intellectual property rights holders. Special 301 could provide a focus on those countries where companies engaged in systematic online theft of U.S. copyrighted materials are registered or operated, or where their sites are hosted. Targeting such companies and websites in the Special 301 report would put the countries involved on notice that dealing with such hotbeds of copyright theft will be an important topic of bilateral engagement with the U.S. in the year to come. (As noted above, while many of these sites are located outside the U.S., their ability to distribute pirate content in the U.S. depends on U.S.-based ISP communications facilities and services and U.S.-based server farms operated commercially by U.S.-based companies.)

Some background: the Special 301 process is a particularly unpleasant annual procedure by which the United States Trade Representative (USTR) pressures other countries to adopt tougher intellectual property laws and spend more for IP enforcement. In the Special 301 report, the USTR singles out particular countries for their "bad" intellectual property policies, placing them on a watch list, and threatening trade sanctions for those that deny "adequate and effective protection" for US IP rightsholders or restrict fair and equitable market access for US intellectual property.

Before this year, the US Trade Representative only sought input from the entertainment and pharmaceutical industries for these rankings, resulting in unbalanced assessment criteria. Countries have been listed for failing to sign on to controversial international treaties or for not mirroring certain parts of US law. For example, Chile was named for considering fair use-style exceptions to its copyright law; Canada was listed for requiring that its customs officers have a court order before seizing goods at the border; and Israel was highlighted for refusing to adopt DMCA-style anti-circumvention provisions after legislative debate concluded that anti-circumvention laws would have no effect on copyright infringement.

The creative communities' proposal imagines that the US Trade Representative should become a glorified messenger for Big Media, using its resources to pressure countries that "harbor" websites and Internet services that facilitate copyright infringement. In other words, they believe that the USTR should put US IP rightsholders' interests at the center of its foreign policy, ignoring other foreign policy goals such as regional security, and promoting innovation and competition.

Federal agents working on Hollywood's clock

The planned release of a blockbuster motion picture should be acknowledged as an event that attracts the focused efforts of copyright thieves, who will seek to obtain and distribute pre-release versions and/or to undermine legitimate release by unauthorized distribution through other channels. Enforcement agencies (notably within DOJ and DHS) should plan a similarly focused preventive and responsive strategy. An interagency task force should work with industry to coordinate and make advance plans to try to interdict these most damaging forms of copyright theft, and to react swiftly with enforcement actions where necessary.
This is perhaps the most revealing of the proposals: big Hollywood studios deputizing the FBI and Department of Homeland Security to provide taxpayer-supported muscle for summer blockbuster films. Jokes have been made about SWAT team raids on stereotypical file-sharers in college dorm rooms -- but this entertainment industry request to "interdict...and to react swiftly with enforcement actions" brings that joke ridiculously close to reality.

What next?

Of course, these comments are just an entertainment industry wishlist, an exercise in asking for the moon. But they reveal a great deal about the entertainment industry's vision of the 21st century: less privacy (with citizens actively participating in their own surveillance), a less-neutral Internet, and federal agents acting as paid muscle to protect profits of summer blockbusters.

From rforno at infowarrior.org Fri Apr 16 11:50:44 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 16 Apr 2010 07:50:44 -0400
Subject: [Infowarrior] - Layman-"Hackers" Driving Up Searches for Beef Jerky
Message-ID:

http://attrition.org/security/rants/bing01.html

Mon Apr 15 22:21:12 EST 2010
By: d2d

A foreword is in order here: To all those people, including acquaintances, who have thoroughly enjoyed the living hell out of ClubBing prizes, I apologize if this causes you stress and discomfort. Fear not though, as I doubt it'll bring about any substantial change, and I'm certain you'll continue receiving your "Bing" branded crud in the mail on a weekly basis. Unfortunately for me, I never got around to trying to build a "Bing" prize room, but I can assure you that I've lived vicariously through watching your bots run in the background every minute of every day. But I digress...

Microsoft's Bing search engine has been steadily gaining ground since its release last May, according to various media and blog reports. Some articles cite a gain in market share by some 70% of the inherited market share of Microsoft Live, Bing's predecessor. While it doesn't appear to be taking share away from Google, it does seem to be chipping away at all other ancillary search engines on its way up the rankings ladder. Microsoft has invested some 100 million dollars in marketing for Bing, and it seems to be more-or-less working.

There are, however, some other factors that might be boosting Bing's search popularity. One of them is a bribery scheme called "Bing Cashback". It's essentially "Google Product Search" (looks almost identical to it too), only you get a percentage of cash back by purchasing items through it. Nothing terribly revolutionary there, but it may be helping their rankings.

A much more fascinating topic from a security perspective is their Club Bing project.

[...]

From rforno at infowarrior.org Fri Apr 16 12:09:04 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 16 Apr 2010 08:09:04 -0400
Subject: [Infowarrior] - good read: Please do not change your password
Message-ID:

I daresay this is the way infosec has evolved in recent years -- allegedly improving computer security by making it so onerous that folks end up embracing bad security practices just to be functional on a basic level.

I'm an IA person, and *never* wrote down passwords (the mere thought is like nails-on-chalkboard to me) until I got involved in some projects that had password requirements of 8-12 chars, alphanumeric, one capital letter, one lower case letter, one number, and one special character with lifetimes of 45-90 days. (I wonder if Post-It sales showed a marked increase once such horrendously-abusive password requirements became popular.) When you had multiple such passwords that were different, at some point you just give up.
Ergo, security requirements with the best of intentions become security vulnerabilities created by the users in response to obstacles they face in achieving basic productivity.

Interestingly, the article highlights a very much overlooked aspect of infosec that I bring out whenever possible to my students -- "For too long, users have been asked to follow security instructions without being told why they are worth the time investment." How very true.

-rick

http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full

Please do not change your password
You were right: It's a waste of your time. A study says much computer security advice is not worth following.
By Mark Pothier
April 11, 2010

To continue reading this story, enter your password now. If you do not have a password, please create one. It must contain a minimum of eight characters, including upper- and lower-case letters and one number. This is for your own good.

Nonsense, of course, but it helps illustrate a point: You will need a computer password today, maybe a half dozen or more -- those secret sign-ins that serve as sentries for everything from Amazon shopping carts to work files to online bank accounts. Just when you have them all sorted out, along comes another "urgent" directive from the bank or IT department -- time to reset those codes, for safety's sake. And the latest lineup of log-ins you've concocted won't last for long, either. Some might temporarily stay in your head, others are jotted on scraps of paper and stuffed in a wallet. A few might be taped to your computer monitor in plain view (or are those from last year's batch? Who can remember?).

Now, a study has concluded what lots of us have long suspected: Many of these irritating security measures are a waste of time. The study, by a top researcher at Microsoft, found that instructions intended to spare us from costly computer attacks often exact a much steeper price in the form of user effort and time expended.

"Most security advice simply offers a poor cost-benefit trade-off to users," wrote its author, Cormac Herley, a principal researcher for Microsoft Research.

Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you've switched to a new one, Herley wrote. That's about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.

Herley also looked at the validity of other advice for blocking security threats, including ways to recognize phishing e-mails (phony messages aimed at getting recipients to give up personal information such as credit card numbers) and how to deal with certificate errors, those impossible-to-fathom warning messages. As with passwords, the benefits of these procedures are usually outweighed by what users must do to carry them out, he said.

It's not that Herley believes we should give up on protecting our computers from being hijacked or corrupted simply because safety measures consume time. The problem, he said, is that users are being asked to take too many steps, and more are constantly being added as new threats emerge or evolve.

Security professionals have generally assumed that users can't have too much knowledge in the battle against cyber crime. But that fails to take into account a crucial part of the equation, according to Herley: the worth of users' time.

"A lot of advice makes sense only if we think user time has no value," he said.
The study was first presented by Herley at a security workshop at Oxford University last fall, and began generating wider discussion last month after an essay about it appeared on TechRepublic, a popular technology website.

In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It's a high hurdle to clear.

Herley's paper gives "normal users a voice," said Michael P. Kassner, a technology writer and IT veteran who wrote the TechRepublic piece. For too long, users have been asked to follow security instructions without being told why they are worth the time investment.

"I've been a proponent of prioritizing" security measures, Kassner said. "The whole purpose of IT is to make people's lives easier."

The computer security community has long puzzled over why so many users fail to snap to attention when alerted to news about the latest threats, such as viruses, worms, Trojan horses, malware, and spyware. At countless conferences and seminars, experts have consistently called for more education and outreach as the answer to user apathy or ignorance. But the research of Herley and others is causing many to realize most of the blame for noncompliance rests not with users, but with the experts themselves -- the pros aren't able to make a strong case for all their recommendations.

Some advice is excellent, of course. But instead of working to prioritize what efforts are effective, government and security industry officials have resorted to dramatic boldface statements about the horrors of poor passwords and other safety lapses, overwhelming the public. For instance, the federal government's website for computer safety tips, www.us-cert.gov, includes more than 50 categories under the heading of "Cyber Security Tips." Each category leads to complex sets of instructions.

"It's nice to see the industry starting to grapple with these issues," said Bruce Schneier, the author of "Secrets and Lies," a book about computer and network security. In a blog posting last year, Schneier recalled a security conference at which a speaker was baffled by the failure of workers at his company to adhere to strict computer policies. Schneier speculated that the employees knew following those policies would cut into their work time. They understood better than the IT department that the risks of not completing their assignments far outweighed any unspecified consequences of ignoring a security rule or three.

"People do what makes sense and don't do what doesn't," he said. To prompt them to be more rigorous about computer protection, he said, "You want actual studies, actual data."

That poses a challenge for the security industry, Herley said. While doctors can cite statistics showing smoking causes cancer, and road-safety engineers can produce miles of numbers supporting seat belt use, computer security professionals lack such compelling evidence to give their advice clout.

"Unbelievable though it might seem, we don't have data on most of the attacks we talk about," he said. "That's precisely why we're in this 'do it all' approach."

His paper argues for advice that incorporates more information, and less hyperbole. Security professionals need to consider that user education costs everyone (in time), but benefits only the small percentage who are actually victimized, he wrote. Advice must be based on an estimate of the victimization rate for a particular security issue, not a worst-case scenario risk analysis.

It's a start to quantify in a rough way the value of user time, he said, but more study is required.
The central question that remains to be answered: Given all the threats, what steps produce results that outweigh the price for society at large?

Costs can come in unexpected ways, he suggests. One example he studied was phishing. Banks and other investment companies often guarantee to reimburse customers if unauthorized withdrawals are made from their online accounts, so the customer does not pay a direct price. The banks face losses, but they are relatively modest -- the annual cost nationwide as a result of phishing attacks is $60 million, Herley estimated. By instructing users to take measures against them (such as by scouring URLs to make sure they lead to legitimate websites), "we're imposing a cost that is orders of magnitude greater than the problem it addresses," he said.

For banks, the greater potential for damages comes not from a phishing attack itself, but indirect expenses. Herley used Wells Fargo as an example. He wrote that if a mere 10 percent of its 48 million customers needed the assistance of a company agent to reset their passwords -- at about $10 per reset -- it would cost $48 million, far surpassing Wells Fargo's share of the $60 million in collective losses.

No one is saying computer security threats are not a serious matter. Attacks multiply daily and are becoming more effective, having risen far beyond the sophistication level of the Nigerian prince looking to unload $12 million. Check your in-box -- within the last few hours a criminal probably sent you an invitation to be victimized. Herley's paper cites a report that said an unprotected PC will be invaded within 12 minutes of being connected to the Internet, on average. And last month, Justice Department Inspector General Glenn A. Fine warned the government isn't keeping pace with cyber crooks in its efforts to combat the fastest-growing crime in the United States -- identity theft. About 10 million Americans are affected each year.

With all that scary stuff in mind, it is easy to appreciate the sincerity of those pushing us to be more vigilant, even if their methods are muddled.

So which security measures offer a reasonable return on time and effort? Although coming up with a sensible list of security actions was not a goal of Herley's research, he does have some suggestions based on personal experience. Start with bullet-proof passwords, he said, even if your employer requires you to periodically reinvent them or use too many (he juggles about three dozen as part of his work). Beyond that, he is big on one-time measures that offer ongoing benefits, like installing the latest software to shield against viruses and spyware (set it to automatically update). Two-thirds of computers have outdated software protection, according to a Microsoft spokesman. The company also recommends activating a firewall, which "functions like a moat around a castle." Combined, such measures shouldn't take more than 30 minutes, it said, and offer insulation from what is perhaps the biggest security menace of all: users.

"One of the main ways people get compromised is that they open the door to an attacker themselves," said Herley. Someone might load software promoted as offering protection when it is actually spyware in disguise, he said, or they "open an e-mail attachment with a malicious payload....If this happens, it can be very bad. A piece of malicious keylogging software on your machine can grab all of your passwords: It makes no difference at that point whether they are strong or weak."

After all this trash talk about security, you might wonder what Microsoft chief executive Steve Ballmer thinks about one of his key researchers challenging much of the advice the industry giant dispenses like gospel. Herley insists there has not been any blowback. Microsoft encourages its researchers to "push against fixed beliefs, even when some of the ideas can be controversial," he said.
And from outside Redmond, Wash., he added, "the reaction has been tremendous." "Maybe I'm just saying out loud what is rather obvious -- we seem to be causing lots of unnecessary misery." Mark Pothier is the Globe's senior assistant business editor. He can be reached at mpothier at globe.com. © Copyright 2010 Globe Newspaper Company.

From rforno at infowarrior.org Fri Apr 16 12:13:17 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 16 Apr 2010 08:13:17 -0400
Subject: [Infowarrior] - more on...Re: good read: Please do not change your password
In-Reply-To:
References:
Message-ID:

I should add that in those rare cases when I did jot a password down, at no time was it kept in an easy-to-find place, at my desk, in my wallet, or written down in "cleartext" that easily disclosed its contents. I'm not that delusional. :) -rick

From rforno at infowarrior.org Fri Apr 16 14:43:08 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 16 Apr 2010 10:43:08 -0400
Subject: [Infowarrior] - SEC Charges Goldman Sachs With Fraud
Message-ID:

SEC Charges Goldman Sachs With Fraud in Structuring and Marketing of CDO Tied to Subprime Mortgages FOR IMMEDIATE RELEASE 2010-59 http://sec.gov/news/press/2010/2010-59.htm Washington, D.C., April 16, 2010 -- The Securities and Exchange Commission today charged Goldman, Sachs & Co. and one of its vice presidents for defrauding investors by misstating and omitting key facts about a financial product tied to subprime mortgages as the U.S. housing market was beginning to falter. The SEC alleges that Goldman Sachs structured and marketed a synthetic collateralized debt obligation (CDO) that hinged on the performance of subprime residential mortgage-backed securities (RMBS). Goldman Sachs failed to disclose to investors vital information about the CDO, in particular the role that a major hedge fund played in the portfolio selection process and the fact that the hedge fund had taken a short position against the CDO.
"The product was new and complex but the deception and conflicts are old and simple," said Robert Khuzami, Director of the Division of Enforcement. "Goldman wrongly permitted a client that was betting against the mortgage market to heavily influence which mortgage securities to include in an investment portfolio, while telling other investors that the securities were selected by an independent, objective third party." Kenneth Lench, Chief of the SEC's Structured and New Products Unit, added, "The SEC continues to investigate the practices of investment banks and others involved in the securitization of complex financial products tied to the U.S. housing market as it was beginning to show signs of distress." The SEC alleges that one of the world's largest hedge funds, Paulson & Co., paid Goldman Sachs to structure a transaction in which Paulson & Co. could take short positions against mortgage securities chosen by Paulson & Co. based on a belief that the securities would experience credit events. According to the SEC's complaint, filed in U.S. District Court for the Southern District of New York, the marketing materials for the CDO known as ABACUS 2007-AC1 (ABACUS) all represented that the RMBS portfolio underlying the CDO was selected by ACA Management LLC (ACA), a third party with expertise in analyzing credit risk in RMBS. The SEC alleges that undisclosed in the marketing materials and unbeknownst to investors, the Paulson & Co. hedge fund, which was poised to benefit if the RMBS defaulted, played a significant role in selecting which RMBS should make up the portfolio. The SEC's complaint alleges that after participating in the portfolio selection, Paulson & Co. effectively shorted the RMBS portfolio it helped select by entering into credit default swaps (CDS) with Goldman Sachs to buy protection on specific layers of the ABACUS capital structure. Given that financial short interest, Paulson & Co. 
had an economic incentive to select RMBS that it expected to experience credit events in the near future. Goldman Sachs did not disclose Paulson & Co.'s short position or its role in the collateral selection process in the term sheet, flip book, offering memorandum, or other marketing materials provided to investors. The SEC alleges that Goldman Sachs Vice President Fabrice Tourre was principally responsible for ABACUS 2007-AC1. Tourre structured the transaction, prepared the marketing materials, and communicated directly with investors. Tourre allegedly knew of Paulson & Co.'s undisclosed short interest and role in the collateral selection process. In addition, he misled ACA into believing that Paulson & Co. invested approximately $200 million in the equity of ABACUS, indicating that Paulson & Co.'s interests in the collateral selection process were closely aligned with ACA's interests. In reality, however, their interests were sharply conflicting. According to the SEC's complaint, the deal closed on April 26, 2007, and Paulson & Co. paid Goldman Sachs approximately $15 million for structuring and marketing ABACUS. By Oct. 24, 2007, 83 percent of the RMBS in the ABACUS portfolio had been downgraded and 17 percent were on negative watch. By Jan. 29, 2008, 99 percent of the portfolio had been downgraded. Investors in the liabilities of ABACUS are alleged to have lost more than $1 billion. The SEC's complaint charges Goldman Sachs and Tourre with violations of Section 17(a) of the Securities Act of 1933, Section 10(b) of the Securities Exchange Act of 1934, and Exchange Act Rule 10b-5. The Commission seeks injunctive relief, disgorgement of profits, prejudgment interest, and financial penalties. # # # For more information about this enforcement action, contact: Lorin L. Reisner Deputy Director, SEC Enforcement Division (202) 551-4787 Kenneth R. Lench Chief, Structured and New Products Unit, SEC Enforcement Division (202) 551-4938 Reid A. 
Muoio Deputy Chief, Structured and New Products Unit, SEC Enforcement Division (202) 551-4488 http://www.sec.gov/news/press/2010/2010-59.htm

From rforno at infowarrior.org Fri Apr 16 18:16:28 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 16 Apr 2010 14:16:28 -0400
Subject: [Infowarrior] - ACTA to be made officially public
Message-ID:

Acta copyright enforcement treaty to go public By David Meyer, ZDNet UK, 16 April, 2010 17:22 http://www.zdnet.co.uk/news/regulation/2010/04/16/acta-copyright-enforcement-treaty-to-go-public-40088663 Negotiators will on Wednesday publish the first officially-released draft of the Anti-Counterfeiting Trade Agreement, a new treaty designed to harmonise copyright enforcement around the world. The decision to release the consolidated draft on 21 April was made at the eighth round of Anti-Counterfeiting Trade Agreement (Acta) negotiations, which took place this week in Wellington, New Zealand. So far, the only publicly available information on the negotiating countries' proposals and amendments has been leaked documents purporting to be drafts of the agreement. "There was a general sense from this session that negotiations have now advanced to a point where making a draft text available to the public will help the process of reaching a final agreement," the participants said in a joint statement on Friday. "For that reason, and based on the specific momentum coming out of this meeting, participants have reached unanimous agreement that the time is right for making available to the public the consolidated text coming out of these discussions, which will reflect the substantial progress made at this round." The publication of the draft text will go some way to fulfilling demands for transparency in the Acta negotiations, as expressed by members of the European Parliament, ISPs, the European privacy czar Peter Hustinx and various digital rights groups.
"With the official draft text released, government officials will now be able to answer specific questions about the text," Canadian internet law expert Michael Geist wrote in a Friday blog post. "Many previously declined to do so on the grounds that they would not address questions arising from unofficial or leaked documents." The participants in the Wellington round included Australia, Canada, the European Union (represented by the European Commission), the EU Presidency (Spain) and EU Member States, Japan, Korea, Mexico, Morocco, New Zealand, Singapore, Switzerland and the USA. According to the statement, the negotiations saw progress made in "narrowing existing differences" between different countries' systems of civil enforcement, border measures, criminal enforcement and "special measures for the digital environment". However, despite the imminent publication of the draft Acta text, the participating countries' respective positions on various issues will remain confidential, the statement said. The most comprehensive leak of Acta proposals and amendments appeared in late March, when a full consolidated text was published online by the French digital rights group La Quadrature du Net. Although the commission refused to say whether or not the document was genuine, the text appeared to show EU resistance to US proposals that would have seen people cut off the internet for repeatedly infringing copyright online. The leaked document also detailed US proposals for new criminal offences to be created around the world. These offences would have included breaking digital rights management (DRM) on copyrighted content, creating or distributing DRM-breaking tools, and distributing content that has been stripped of its DRM. Since Karel De Gucht became the new EU trade commissioner at the start of the year, the commission has maintained that it will not accept any global regime of internet disconnections for copyright infringement. 
The commission prefers to leave issues such as disconnection up to the discretion of individual member states. In Friday's statement, negotiators maintained that "Acta will not interfere with a signatory's ability to respect its citizens' fundamental rights and liberties". "While the participants recognise the importance of responding effectively to the challenge of internet piracy, they confirmed that no participant is proposing to require governments to mandate a 'graduated response' or 'three strikes' approach to copyright infringement on the internet," the statement read. The statement also stressed that Acta will contain no obligation for border authorities to "search travellers' baggage or their personal electronic devices for infringing materials". "In addition, Acta will not address the cross-border transit of legitimate generic medicines," the participants added. The next round of negotiations will take place in Switzerland in June, according to the statement.

From rforno at infowarrior.org Fri Apr 16 20:27:26 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 16 Apr 2010 16:27:26 -0400
Subject: [Infowarrior] - DOJ backs down in email warrant case
Message-ID: <5310B00B-4D16-40C2-BD11-BAACC5F19D4C@infowarrior.org>

April 16th, 2010 Government Backs Down in Yahoo! Email Privacy Case, Avoids Court Ruling on Important Digital Civil Liberties Issue News Update by Kevin Bankston http://www.eff.org/deeplinks/2010/04/government-backs-down-yahoo-email-privacy-case In the face of stiff resistance from Yahoo! and a coalition of privacy groups, Internet companies and industry coalitions led by EFF, the U.S. government today backed down from its request that a federal magistrate judge in Denver compel Yahoo! to turn over the contents of a Yahoo! email user's email account without the government first obtaining a search warrant based on probable cause.
The EFF-led coalition filed an amicus brief this Tuesday in support of Yahoo!'s opposition to the government's motion, agreeing with Yahoo! that the government's warrantless seizure of an email account would violate both federal privacy law and the Fourth Amendment to the Constitution. In response, the Government today filed a brief claiming that it no longer had an investigative need for the demanded emails and withdrawing the government's motion. While this is a great victory for that Yahoo! subscriber, it's disappointing to those of us who wanted a clear ruling on the legality and constitutionality of the government's overreaching demand. Such demands are apparently a routine law enforcement technique. If the government withdraws its demand whenever an objection is raised by an email provider or a friend of the court like EFF, however, it robs the courts of the ability to issue opinions on whether the government's warrantless email surveillance practices are legal. This is not the first time the government has evaded court rulings in this area. Most notably, although many federal magistrate judges and district courts have ruled that the government may not conduct real-time cellphone tracking without a warrant, the government has never appealed any of those decisions to a Circuit Court of Appeals, thereby preventing the appeals courts from ruling on the issue. Similarly, a federal magistrate judge in New York, Magistrate Judge Michael H. Dolinger, has twice invited EFF to brief the court on applications by the government to obtain private electronic communications without a warrant, and in each case, the government withdrew its application rather than risk a ruling against it (in one case the government went so far as to file a brief anticipating EFF's opposition before finally dropping the case). 
The government's unwillingness to face off with EFF in these cases is certainly flattering, and it speaks volumes about their view of whether what they are doing is actually legal. But the right answer here is to let the courts decide, not to have the government turn tail and run whenever someone seeks real judicial review of their positions. So while it is a big victory for the Yahoo! customer, today's capitulation by the government is a profound disappointment to those of us seeking to clarify and strengthen the legal protections for your private data. Court rulings are needed to keep the government within its legal bounds when it comes to warrantless communications and location surveillance. Next time, the government should stay in the fight, because EFF isn't going to back down when it comes to protecting your privacy.

From rforno at infowarrior.org Sat Apr 17 18:04:40 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 17 Apr 2010 14:04:40 -0400
Subject: [Infowarrior] - Web Coupons Know Lots About You, and They Tell
Message-ID: <21FF21F3-3A4E-41A9-8E1D-E6E12A501CD4@infowarrior.org>

April 16, 2010 Web Coupons Know Lots About You, and They Tell By STEPHANIE CLIFFORD http://www.nytimes.com/2010/04/17/business/media/17coupon.html?pagewanted=print For decades, shoppers have taken advantage of coupons. Now, the coupons are taking advantage of the shoppers. A new breed of coupon, printed from the Internet or sent to mobile phones, is packed with information about the customer who uses it. While the coupons look standard, their bar codes can be loaded with a startling amount of data, including identification about the customer, Internet address, Facebook page information and even the search terms the customer used to find the coupon in the first place. And all that information follows that customer into the mall.
For example, if a man walks into a Filene's Basement to buy a suit for his wedding and shows a coupon he retrieved online, the company's marketing agency can figure out whether he used the search terms "Hugo Boss suit" or "discount wedding clothes" to research his purchase (just don't tell his fiancée). Coupons from the Internet are the fastest-growing part of the coupon world -- their redemption increased 263 percent to about 50 million coupons in 2009, according to the coupon-processing company Inmar. Using coupons to link Internet behavior with in-store shopping lets retailers figure out which ad slogans or online product promotions work best, how long someone waits between searching and shopping, even what offers a shopper will respond to or ignore. The coupons can, in some cases, be tracked not just to an anonymous shopper but to an identifiable person: a retailer could know that Amy Smith printed a 15 percent-off coupon after searching for appliance discounts at Ebates.com on Friday at 1:30 p.m. and redeemed it later that afternoon at the store. "You can really key into who they are," said Don Batsford Jr., who works on online advertising for the tax preparation company Jackson Hewitt, whose coupons include search information. "It's almost like being able to read their mind, because they're confessing to the search engine what they're looking for." While companies once had a slim dossier on each consumer, they now have databases packed with information. And every time a person goes shopping, visits a Web site or buys something, the database gets another entry. "There is a feeling that anonymity in this space is kind of dead," said Chris Jay Hoofnagle, director of the Berkeley Center for Law and Technology's information privacy programs. None of the tracking is visible to consumers. The coupons, for companies as diverse as Ruby Tuesday and Lord & Taylor, are handled by a company called RevTrax, which displays them on the retailers'
sites or on coupon Web sites, not its own site. Even if consumers could figure out that RevTrax was creating the coupons, it does not have a privacy policy on its site -- RevTrax says that is because it handles data for the retailers and does not directly interact with consumers. RevTrax can also include retailers' own client identification numbers (Amy Smith might be client No. 2458230), then the retailer can connect that with the actual person if it wants to, for example, to send a follow-up offer or a thank-you note. Using coupons also lets the retailers get around Google hurdles. Google allows its search advertisers to see reports on which keywords are working well as a whole but not on how each person is responding to each slogan. "We've built privacy protections into all Google services and report Web site trends only in aggregate, without identifying individual users," Sandra Heikkinen, a spokeswoman for Google, said in an e-mail message. The retailers, however, can get to an individual level by sending different keyword searches to different Web addresses. The distinct Web addresses are invisible to the consumer, who usually sees just a Web page with a simple address at the top of it. So clicking on an ad for Jackson Hewitt after searching for "new 2010 deductions" would send someone to a different behind-the-scenes URL than after searching for "Jackson Hewitt 2010," though the Web pages and addresses might look identical. This data could be coded onto a coupon. RevTrax works as closely with image-rich display ads, with coupons also signaling what ad a person saw and on what site. "Wherever we provide a link, whether it's on search or banner, that thing you click can include actual keywords," said Rob O'Neil, director of online marketing at Tag New Media, which works with Filene's. "There's some trickery." The companies argue that the coupon strategy gives them direct feedback on how well their marketing is working.
Once the shopper prints an online coupon or sends it to his cellphone and then goes to a store, the clerk scans it. The bar code information is sent to RevTrax, which, with the ad agency, analyzes it. "We break people up into teeny little cross sections of who we think they are, and we test that out against how they respond," said Mr. Batsford, who is a partner at 31 Media, an online marketing company. RevTrax can identify online shoppers when they are signed in to a coupon site like Ebates or FatWallet or the retailer's own site. It says it avoids connecting that number with real people to steer clear of privacy issues, but clients can make that match. The retailer can also make that connection when it is offering coupons to its Facebook fans, like Filene's Basement is doing. "When someone joins a fan club, the user's Facebook ID becomes visible to the merchandiser," Jonathan Treiber, RevTrax's co-founder, said. "We take that and embed it in a bar code or promotion code." "When the consumer redeems the offer in store, we can track it back, in this case, not to the Google search term but to the actual Facebook user ID that was signing up," he said. Although Facebook does not signal that Amy Smith responded to a given ad, Filene's could look up the user ID connected to the coupon and "do some more manual-type research -- you could easily see your sex, your location and what you're interested in," Mr. Treiber said. (Mr. O'Neil said Filene's did not do this at the moment.) The coupon efforts are nascent, but coupon companies say that when they get more data about how people are responding, they can make different offers to different consumers. "Over time," Mr. Treiber said, "we'll be able to do much better profiling around certain I.P. addresses, to say, hey, this I.P. address is showing a proclivity for printing clothing apparel coupons and is really only responding to coupons greater than 20 percent off." That alarms some privacy advocates.
Companies can "offer you, perhaps, less desirable products than they offer me, or offer you the same product as they offer me but at a higher price," said Ed Mierzwinski, consumer program director for the United States Public Interest Research Group, which has asked the Federal Trade Commission for tighter rules on online advertising. "There really have been no rules set up for this ecosystem."

From rforno at infowarrior.org Sat Apr 17 21:12:19 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 17 Apr 2010 17:12:19 -0400
Subject: [Infowarrior] - Comcast launching 'Right' Channel
Message-ID:

Comcast apparently is launching a political-right channel (http://rightnetwork.com/) this year. "We're creating a welcome place for millions and millions of Americans who've been looking for an entertainment network and media channel that reflects their point-of-view. Rightnetwork will be the perfect platform to entertain, inform and Connect with the American majority about what's right in the world." - Ed Snider, Chairman of Comcast-Spectacor According to their "sell book" (http://rightnetwork.com/RIGHTNETWORKlookbook.pdf): "RightNetwork delivers programming on demand that enables our audience to watch what they want, when they want. Everything Right, at the click of a remote. the lineup focuses on entertainment with pro-America, pro-business, pro-military sensibilities -- compelling content that inspires action, invites a response, and influences the national conversation." ...but do we need another 'political' channel to influence -- er, disrupt, distract, and distort -- the national conversation? Liberals flock to MSNBC; Conservatives flock to Fox. CNN flocks to Twitter. Sounds to me like this is an attempt to capitalize on the populist-angry mentality of the country these days....and from what I can tell, this network really should be called the Teabaggers Network anyway (http://www.youtube.com/watch?v=qFi-IXPjArs).
Stand by for more mindless chants of "USA USA" and the belief that America can do no wrong, ever.... -rf

From rforno at infowarrior.org Mon Apr 19 01:11:39 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 18 Apr 2010 21:11:39 -0400
Subject: [Infowarrior] - TSA to download your iTunes?
Message-ID: <6B010D01-220B-41D3-AF73-5D56C9F80D6E@infowarrior.org>

(You just know the Hollywood cartels are all drooling at this... -rick) Sunday, April 18, 2010 EDITORIAL: TSA to download your iTunes? THE WASHINGTON TIMES http://www.washingtontimes.com/news/2010/apr/18/tsa-to-download-your-itunes/print/ Federal security workers are now free to snoop through more than just your undergarments and luggage at the airport. Thanks to a recent series of federal court decisions, the digital belongings of international fliers are now open for inspection. This includes reading the saved e-mails on your laptop, scanning the address book on your iPhone or BlackBerry and closely scrutinizing your digital vacation snapshots. Unlike the more common confiscations of dangerous Evian bottles and fingernail clippers, these searches are not being done in the name of safety. The digital seizures instead are part of a disturbing trend of federal agencies using legal gimmicks to sidestep Fourth Amendment constitutional protections. This became clear in an April 8 court ruling that found admissible the evidence obtained by officials who had peeped at a passenger's laptop files at George Bush Intercontinental Airport in Houston. According to court documents, FBI agents had identified an individual suspected of downloading child pornography on an Internet chat room. The G-men, however, did not want to take their evidence before a judge to obtain a search warrant, as the Constitution requires. Instead, they flagged the suspect's passport and asked officials at the Department of Homeland Security to seize and search his computer at the airport - without a warrant.
Three incriminating images were found during the examination, but this case is not about whether a particular person is a scumbag. It's about abusing a principle that applies to all Americans. U.S. District Judge Gray H. Miller found in this case that neither probable cause, justification nor warrant were required to seize and examine the suspect's laptop. Judge Miller, in accord with a 9th Circuit appellate ruling handed down two years ago, explained that "the court finds that reviewing the files of a computer does not rise to the level of invasion of the privacy and dignity of the individual to make the search non-routine." In other words, simply because a U.S. citizen is returning from a foreign country by airplane, the government thinks it is a "routine" matter to download sensitive business documents, personal correspondence and any other information that might be saved on a laptop or cell phone, regardless of whether there is any reason to suspect the traveler of a crime. The danger of this chain of reasoning is magnified by the courts' expansive definition of "border," which now includes checkpoints operating up to 100 miles from Canada or Mexico. Those traveling on the highway between Los Angeles and Phoenix, for example, may find themselves stopped by Department of Homeland Security officers who, literally, ask travelers to show their papers. Drug dogs also can be brought in to search vehicles without probable cause. The Fourth Amendment guarantees the right of Americans to be "secure in their persons, houses, papers and effects" from unreasonable and unwarranted government intrusion. It is obvious that this right is meant to apply equally to papers that happen to be stored in digital form on a personal hard drive. Such protections do not disappear merely because one happens to be at a real - or imaginary - border. 
Because the courts have been derelict in their duty to uphold this fundamental right, it is up to Congress to prohibit the thinly veiled attempts to create Constitution-free zones where Americans find their privacy invaded.

From rforno at infowarrior.org Mon Apr 19 22:31:21 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 19 Apr 2010 18:31:21 -0400
Subject: [Infowarrior] - SCOTUS tech savvy (not!)
Message-ID: <69E2C72E-BB18-40AF-B98E-5D13A51914F2@infowarrior.org>

April 19, 2010, 5:56 PM ET Our Tech-Savvy Supreme Court By Ashby Jones http://blogs.wsj.com/law/2010/04/19/our-tech-savvy-supreme-court/ The Supreme Court justices are a bright bunch. But chances are you're not going to see them at next January's CES show or ever watch them on a Web video demonstrating how to create apps for the iPhone. That much was driven home, it seems, during today's oral arguments in the case City of Ontario v. Quon. The case examines whether a California police department violated the constitutional rights of an employee when it inspected personal text messages sent and received by a pager owned by the city of Ontario, Calif. According to this post, at DC Dicta, the Court asked some questions of the lawyers which, well, the justices' kids and grandkids could have answered while sleepwalking. According to the story, the first sign of trouble came about midway through the argument, when Chief Justice John Roberts asked what the difference was "between email and a pager?" (Cue sound of hard slap against forehead.) At another point, Justice Anthony Kennedy asked what would happen if a text message was sent to an officer at the same time he was sending one to someone else. "Does it say: 'Your call is important to us, and we will get back to you?'" Kennedy asked. (Cue sound of louder slap against forehead.) Justice Antonin Scalia stumbled getting his arms around the idea of a service provider. "You mean (the text) doesn't go right to me?" he asked.
Then he asked whether they can be printed out in hard copy. "Could Quon print these spicy little conversations and send them to his buddies?" Scalia asked. Maybe the justices are against cameras in the court because when they think of cameras, they think of those huge cameras on tripods with the cloth to cover the photographers and the supernova flash-bulbs.

From rforno at infowarrior.org Tue Apr 20 00:31:03 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 19 Apr 2010 20:31:03 -0400
Subject: [Infowarrior] - Cyberattack on Google Said to Hit Password System
Message-ID: <35275AE8-CA97-4D6F-BB43-DC96C9244A85@infowarrior.org>

April 19, 2010 Cyberattack on Google Said to Hit Password System By JOHN MARKOFF http://www.nytimes.com/2010/04/20/technology/20google.html Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google's crown jewels, a password system that controls access by millions of users worldwide to almost all of the company's web services, including e-mail and business applications. The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services. The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.
The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google's that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in one place, a single breach can lead to disastrous losses. The theft began with a single instant message sent to a Google employee in China, according to the person with knowledge of the inquiry, who spoke on the condition he not be identified. By clicking on a link and connecting to a "poisoned" Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team. The details surrounding the theft of the software have been a closely guarded secret by the company. Google first publicly disclosed the theft in a Jan. 12 posting on the company's Web site, which stated that the company was changing its policy toward China in the wake of the theft of unidentified "intellectual property" and the apparent compromise of the e-mail accounts of two human rights activists. The accusations became a significant source of tension between the United States and China, leading Secretary of State Hillary Rodham Clinton to urge China to conduct a "transparent" inquiry into the attack. In March, after difficult discussions with the Chinese Government, Google said it would move its mainland Chinese-language Web site and begin rerouting queries to its Hong Kong-based site. The company also gave a classified briefing to the Senate Intelligence Committee in March, but it did not describe the nature of the stolen software, according to a person familiar with the testimony.
Company executives on Monday declined to comment about the new details of the case, saying that they had dealt with the security issues raised by the theft of the company?s intellectual property in their initial statement in January. Google executives have also said privately that the company had been far more transparent about the intrusions than any of the more than two dozen other companies that were compromised, the vast majority of which have not acknowledged the attacks. Google continues to use the Gaia password system, now known as Single Sign-On, but has tightened the security of its data centers and further secured the communications links between its services and the PCs of its users. Hours after announcing the intrusions, for example, Google said it would activate a new layer of encryption for Gmail service. Several technical experts said that, because Google had quickly learned of the theft of the software, it is unclear what the consequences of the theft have been. One of the most alarming possibilities is that the attackers might have intended to insert a trojan horse ? a secret back door ? into the Gaia program and install it in dozens of Google?s global data centers to establish clandestine entry points. But the independent security specialists stressed that such an undertaking would have been remarkably difficult, particularly because Google?s security specialists had been alerted to the theft of the program. However, having access to the original programmer?s instructions, or source code, could also provide technically skilled hackers with knowledge about subtle security vulnerabilities in the Gaia code that may have eluded Google?s engineers. ?If you can get to the software repository where the bugs are housed before they are patched, that?s the pot of gold at the end of the rainbow,? 
said George Kurtz, chief technology officer for McAfee, Inc., a software security firm that was one of the companies that analyzed the illicit software used in the intrusions at Google and at other companies last year. Rodney Joffe, a vice president at Neustar, a developer of Internet infrastructure services, said, ?It?s obviously a real issue if you can understand how the system works.? Understanding the underlying algorithms on which the software is based might be of great value to an attacker looking for weak points in the system, he said. When Google first announced the thefts, the company said it had evidence the intrusions had come from China. The attacks have been traced to computers at two campuses in China, but investigators acknowledge that the true origin may have been concealed, a quintessential problem of cyberattacks. Several people involved in the investigation of break-ins at more than two dozen other technology firms said while there were similarities between the attacks on the companies, there were also significant differences, like the use of different types of software in intrusions. At one high-profile Silicon Valley company, investigators found evidence of intrusions going back more than two years. In Google?s case, the intruders seemed to have precise intelligence about the names of the Gaia software developers, and they first attempted to access their work computers and then used a set of sophisticated techniques to gain access to the repositories where the source-code for the program was stored. They then transferred the stolen software to computers owned by Rackspace, a Texas-based web-hosting firm. It is not known where the software was sent from there. The intruders had access to an internal Google corporate directory known as Moma, which holds detailed information about the work activities of each Google employee and they may have used it to find specific employees. 
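The experts quoted above worry about two things: a back door inserted into the Gaia program and pushed to data centers, and source code that lets an attacker study the system. The first risk has a standard control: every artifact that reaches a deployment target is checked against a hash manifest produced on the trusted build host and authenticated with a key the build host holds, so a file changed or added after the build is caught before activation. The example below is added here and is not code from the Times article or from Google's systems; the file names, the release key and the "sign-on service" release are constructed, and an HMAC over the manifest stands in for the detached signature (Ed25519 or similar) a real pipeline would use.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real pipeline keeps a signing key in an HSM on the
# build host and ships a detached signature; HMAC stands in for that here.
RELEASE_KEY = b"constructed-demo-release-key"


def sha256_hex(data: bytes) -> str:
    """Content hash of one build artifact."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, key: bytes) -> dict:
    """Run on the trusted build host: record every artifact's hash and
    authenticate the whole list, so a later change to any file, or to the
    manifest itself, is detectable on the deployment target."""
    entries = {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}
    payload = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_deployment(deployed: dict, manifest: dict, key: bytes) -> list:
    """Run on each deployment target before the release is activated.
    Returns a list of findings; an empty list means the deployed tree is
    exactly what the trusted build produced."""
    payload = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        # Nothing in an unauthenticated manifest can be trusted, so stop here.
        return ["manifest authentication failed"]
    findings = []
    for name, digest in manifest["entries"].items():
        if name not in deployed:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(deployed[name]), digest):
            findings.append(f"modified: {name}")
    for name in deployed:
        if name not in manifest["entries"]:
            findings.append(f"unexpected: {name}")
    return findings


# Constructed sample: a tiny sign-on service release with two source files.
TRUSTED_BUILD = {
    "sso/login.py": b"def check_password(user, pw):\n    return verify_hash(user, pw)\n",
    "sso/session.py": b"def issue_token(user):\n    return sign(user)\n",
}
MANIFEST = build_manifest(TRUSTED_BUILD, RELEASE_KEY)

# Constructed tampered tree: one file changed after the build, one file added.
TAMPERED_BUILD = dict(TRUSTED_BUILD)
TAMPERED_BUILD["sso/login.py"] = (
    TRUSTED_BUILD["sso/login.py"] + b"# constructed: line not in the trusted build\n"
)
TAMPERED_BUILD["sso/extra.py"] = b"# constructed: file not in the trusted build\n"

# Constructed forged manifest: entries rewritten to match the tampered tree,
# but the authenticator could not be recomputed without the release key.
FORGED_MANIFEST = {
    "entries": {name: sha256_hex(blob) for name, blob in sorted(TAMPERED_BUILD.items())},
    "mac": MANIFEST["mac"],
}


def demo() -> dict:
    """Verification result for each constructed scenario."""
    return {
        "clean": verify_deployment(TRUSTED_BUILD, MANIFEST, RELEASE_KEY),
        "tampered": verify_deployment(TAMPERED_BUILD, MANIFEST, RELEASE_KEY),
        "forged": verify_deployment(TAMPERED_BUILD, FORGED_MANIFEST, RELEASE_KEY),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

The check closes the gap between the trusted build and what actually runs; it says nothing about a change committed to the repository itself and then built legitimately, which is the scenario the article describes and which needs signed commits, reviewed merges and an audit trail on the repository rather than a deployment-time hash.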
From rforno at infowarrior.org Tue Apr 20 21:45:22 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Apr 2010 17:45:22 -0400
Subject: [Infowarrior] - "Downfall Meme" gets taken down
Message-ID: <9A0D1B98-78C3-400E-831F-22EE0846C1B8@infowarrior.org>

Hitler "Downfall Meme" gets taken down
http://openvideoalliance.org/2010/04/hitler-downfall-meme-gets-dmcad/?l=en

A recent wave of takedown notices affecting many of the Hitler "Downfall" parody videos has resulted in their removal from YouTube. (EDIT: These videos were blocked by YouTube's Content ID system, not taken down via DMCA notices. For more on the difference between these two, see the EFF's Guide to YouTube Removals.) The copyright claim is being filed on behalf of Constantin Films, the German production company that owns the rights to the 2004 film Der Untergang (Downfall), from which the clip originates.

Downfall parodies are a well-established part of online culture and follow a familiar format: phony subtitles are presented along with Hitler's final soliloquy in his besieged bunker (you might need to watch for yourself). The Downfall format has been used to mock everything from social networking sites, to politicians, to the iPad, to self-important hipsters. The list goes on, but as of this week Downfall videos are disappearing fast. Both "Hitler Gets Banned from XBox Live," which had over 4 million views before it was taken down, and the meta-parody "Hitler Wants to Make a Meme," are currently unavailable due to Constantin's copyright claim.

The Downfall meme is so well-established that it has literally become standard curriculum for digital moviemaking courses, as evidenced by this class's page which counted 14 videos before the takedowns were issued (currently, only two of these videos remain playable). For more on the genesis of the Downfall meme, see YouTOMB researcher Alex Leavitt's study.

There are hundreds of Hitler Downfall videos, and it is unclear what will become of them. The burden of filing a counternotice dispute or a claim of fair use to restore the video falls on individual users, so it will be difficult to reverse this action. We'll be following this story as it develops.

From rforno at infowarrior.org Tue Apr 20 21:49:19 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Apr 2010 17:49:19 -0400
Subject: [Infowarrior] - Google Enumerates Government Requests
Message-ID:

Government requests directed to Google and YouTube

Like other technology and communications companies, we regularly receive requests from government agencies around the world to remove content from our services, or provide information about users of our services and products. The map shows the number of requests that we received between July 1, 2009 and December 31, 2009, with certain limitations. We know these numbers are imperfect and may not provide a complete picture of these government requests. For example, a single request may ask for the removal of more than one URL or for the disclosure of information for multiple users. See the FAQ for more information.

http://www.google.com/governmentrequests/

From rforno at infowarrior.org Tue Apr 20 23:50:38 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Apr 2010 19:50:38 -0400
Subject: [Infowarrior] - Facebook Further Reduces Your Control Over Personal Information
Message-ID: <4388018B-AC5C-46A4-AE82-12D4F4E75CCD@infowarrior.org>

April 19th, 2010
Facebook Further Reduces Your Control Over Personal Information
Commentary by Kurt Opsahl
https://www.eff.org/deeplinks/2010/04/facebook-further-reduces-control-over-personal-information

Once upon a time, Facebook could be used simply to share your interests and information with a select small community of your own choosing.
As Facebook's privacy policy once promised, "No personal information that you submit to Facebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings."

How times have changed.

Today, Facebook removed its users' ability to control who can see their own interests and personal information. Certain parts of users' profiles, "including your current city, hometown, education and work, and likes and interests" will now be transformed into "connections," meaning that they will be shared publicly. If you don't want these parts of your profile to be made public, your only option is to delete them.

The example Facebook uses in its announcement is a page for "Cooking." Previously, you could list "cooking" as an activity you liked on your profile, but your name would not be added to any formal "Cooking" page. (Under the old system, you could become a "fan" of cooking if you wanted). But now, the new Cooking page will publicly display all of the millions of people who list cooking as an activity.

Cooking is not very controversial or privacy-sensitive, and thus makes for a good example from Facebook's perspective. Who would want to conceal their interest in cooking? Of course, the new program will also create public lists for controversial issues, such as an interest in abortion rights, gay marriage, marijuana, tea parties and so on.

But even for an innocuous interest like cooking, it's not clear how this change is meant to benefit Facebook's users. An ordinary human is not going to look through the list of Facebook's millions of cooking fans. It's far too large. Only data miners and targeted advertisers have the time and inclination to delve that deeply.

There is one loophole -- tell Facebook you're under 18. Under Facebook's policy for minors, your interests would only be visible for friends and family and verified networks. You would not be publicly listed on these new connection pages. However, this only works as you set up a new account.

The new connections features benefit Facebook and its business partners, with little benefit to you. But what are you going to do about it? Facebook has consistently ignored demands from its users to create an easy "exit plan" for migrating their personal data to another social networking website, even as it has continued -- one small privacy policy update after another -- to reduce its users' control over their information.

The answer: Let Facebook hear your frustration. Last December, when Facebook announced a new round of privacy degradations, it provoked a potent combination of public outrage, legal threats, and government investigations. In response, Facebook listened to some criticism and walked back a few of its changes. Now it will allow users to adjust the visibility of information in their profiles, such as hiding your friend list from other friends. If you want Facebook to walk back these new changes too, let them know how you feel.

From rforno at infowarrior.org Wed Apr 21 01:33:02 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Apr 2010 21:33:02 -0400
Subject: [Infowarrior] - CFTC OKs movie futures exchange
Message-ID: <44CF42DB-41DB-4BDF-B76A-6B7D728C0CF5@infowarrior.org>

(Disclosure: I have been part of the beta testing of this exchange. rick)

CFTC OKs Cantor market but mulls film contract
Sue Zeidler and Christopher Doering
LOS ANGELES/ WASHINGTON Tue Apr 20, 2010 8:41pm EDT
http://www.reuters.com/article/idUSTRE63J6BI20100421

LOS ANGELES/ WASHINGTON (Reuters) - Cantor Fitzgerald LP won U.S. regulatory approval on Tuesday to launch a "contract market" for the trading of box office futures, but whether it can proceed with its controversial plan to offer contracts based on movie receipts is still far from certain.

The U.S. Commodity Futures Trading Commission (CFTC) said on Tuesday it had approved Cantor's application for designation as a "contract market," clearing the first hurdle the firm needed to begin trading options or futures contracts.

But the CFTC said it is still considering whether to allow Cantor to offer a contract tied to the box office receipts of a movie, and commissioners so far do not appear convinced the contracts will pass muster.

Last week, the CFTC also approved a new market request by Media Derivatives Inc that could one day be used to trade box office receipts.

The efforts by Cantor and Media Derivatives have drawn vigorous opposition by Hollywood studios which believe such a market could be susceptible to manipulation.

"In the upcoming days, we will continue to urge the CFTC to finally reject both the Cantor proposal and a separate proposal by Media Derivatives Inc," said Howard Gantman, a spokesman for the Motion Picture Association of America (MPAA). The trade group represents large studios such as Walt Disney Co and News Corp's Twentieth Century Fox.

Separately, members of Congress have also raised serious questions about the financial harm that these proposals could cause.

Senator Blanche Lincoln, chairman of the Senate Agriculture Committee, has introduced legislation that contains a provision banning such box-office wagering services. A markup on this bill is scheduled on Wednesday.

And on Thursday, the House Agriculture Subcommittee on General Farm Commodities and Risk Management, chaired by Representative Leonard Boswell, will be holding a hearing on the issue. Media Derivatives CEO Robert Swagger and interim MPAA CEO Robert Pisano will be testifying.

"At this point in time, I have not heard any arguments to persuade me that 'movie futures' generally can overcome some fundamental design flaws," CFTC Commissioner Bart Chilton said of Media Derivatives' application.
A form of betting on the success and failure of box office flicks has been around for more than a decade. In 1996, a website called The Hollywood Stock Exchange was started where participants could invest fake dollars on box office outcomes. A division of Cantor Fitzgerald bought the site in 2001.

(Reporting by Sue Zeidler; Editing by Richard Chang)

From rforno at infowarrior.org Wed Apr 21 21:30:55 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 21 Apr 2010 17:30:55 -0400
Subject: [Infowarrior] - McAfee DDOS 'oopsie'
Message-ID: <5C3F422A-F3F7-40FA-934C-4F82A2499964@infowarrior.org>

(The snarky part of me says this AV made a correct diagnosis, but joking aside, this is a major screwup. -rf)

McAfee false positive bricks enterprise PCs worldwide
By Dan Goodin in San Francisco
Posted in Malware, 21st April 2010 18:43 GMT
http://www.theregister.co.uk/2010/04/21/mcafee_false_positive/

Enterprise customers of a widely used McAfee anti-virus product were in a world of hurt on Wednesday after an update caused large swaths of their machines to become completely inoperable.

The problem started around 2 pm GMT when McAfee pushed out DAT 5958 to users of VirusScan Enterprise. The virus definition falsely identifies a core Windows file as infected, quarantines it and then shuts down the machine. When restarted, the PCs are unable to load Windows, a glitch that mires them in an endless reboot cycle.

"We support customers' platforms, and it means we are currently unable to do that," said the head of infrastructure security for a worldwide IT firm who asked not to be identified because he's not authorized to speak to the press. "Basically, our engineers are currently unable to work."

In a statement, McAfee said the false positive "can result in moderate to significant performance issues" on machines running Windows XP service pack 3, and that the defective definition has been removed from download servers. The infrastructure security head said XP machines running SP 1 and SP 2 were also affected.

"McAfee teams are working with the highest priority to support impacted customers and plan to provide an updated virus definition file shortly," the statement continued. "McAfee apologizes for any inconvenience to our customers."

Judging from comments left on McAfee support forums, the snafu is causing considerable problems for many customers.

"How much longer before McAfee finds a fix or has the update 5959 to resolve this problem?" one admin wrote. "We are a school district and have over 5000 computers being affected by this DAT file. This Extra.dat file looks like it will work but guess what the 5958 update has already been applied so this will not work for us."

The infrastructure security head, who was working in one of his firm's UK offices, said about 30 percent of the company's PCs were affected, in part because admins disconnected working machines from the network after learning about the glitch. So far, his team has been able to bring only about 5 percent of the disabled machines back online.

The snafu causes VirusScan Enterprise to falsely flag svchost.exe as infected with malware known as Wecorl.a.

From rforno at infowarrior.org Fri Apr 23 01:37:58 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 22 Apr 2010 21:37:58 -0400
Subject: [Infowarrior] - Clarke's Cyberwar: File Under Fiction
Message-ID: <60C5BB1B-DB22-40DF-8D31-0AE542BA977A@infowarrior.org>

Richard Clarke's Cyberwar: File Under Fiction
By Ryan Singel
April 22, 2010 | 4:17 pm
http://www.wired.com/threatlevel/2010/04/cyberwar-richard-clarke

Readers of Richard Clarke's new book Cyberwar who want to jump to the steamy parts should start at page 64 in the chapter "Cyber Warriors."

It's there you'll find the Book of Revelation re-written for the internet age, with the end-times heralded by the Four Trojan Horses of the Apocalypse.
Chinese hackers take down the Pentagon's classified and unclassified networks, trigger explosions at oil refineries, release chlorine gas from chemical plants, disable air traffic control, cause trains to crash into each other, delete all data -- including offsite backups -- held by the federal reserve and major banks, then plunge the country into darkness by taking down the power grid from coast-to-coast. Thousands die immediately. Cities run out of food, ATMs shut down, looters take to the streets.

That electronic Judgment Day is not the stuff of bad movies or sci-fi novels, according to Clarke, who writes, "A sophisticated cyber war attack by one of several nation-states could do that today, in fifteen minutes."

That's right. In less time than it takes to download Live Free or Die Hard, foreign hackers could make it real.

A former top counter-terrorism advisor under President Clinton, who later served as President Bush's cybersecurity czar, Richard Clarke has been sounding the alarm on cyberwar for more than a decade, rarely letting up, even through two real wars and one massive domestic terrorist attack. Now Chairman of Good Harbor Consulting, Clarke is going full-out Jerry Bruckheimer in an effort to get America to take seriously what he clearly sees as a (perennially) looming existential threat to the nation.

And it turns out that in Cyberwar, like in real war, truth is the first casualty.

It's not just Clarke's 15-minutes-to-doomsday scenario that stretches credulity. Like most cyberwar pundits, Clarke puts a shine on his fear mongering by regurgitating long-ago debunked hacker horror stories. In his world, the Slammer worm was partially responsible for the Northeast blackout of 2003 -- the Energy Department concluded otherwise. A power outage in Brazil is similarly attributed to a hacker, when the real-life evidence points to sooty insulators. Clarke describes the Russian denial-of-service attacks against Estonian servers in 2007 as the "largest ever seen" (not even close). He claims that foreign hackers stole the plans to the F-35 Joint Strike Fighter, when they actually nabbed unclassified information on the plane's self-diagnostic system.

So much of Clarke's evidence is either easily debunked with a Google search, or so defies common sense, that you'd think reviewers of the book would dismiss it outright. Instead, they seem content to quote the book liberally and accept his premise that cyberwar could flatten the United States, and no one in power cares at all. Of course, the debunking would be easier if the book had footnotes or endnotes, but neither are included -- Revelation doesn't need sources.

Clarke returns over and over to the security of the power grid, focusing on the systems known as SCADA that allow utilities to remotely monitor and control electric generation and transmission equipment. Here, he starts reasonably enough: Good security practices dictate that these systems should be unreachable from the public net, and, unfortunately, that's not always the case. But from there, he quickly moves back to fantasy. He suggests darkly throughout the book that the nation's power and chemical plants are all shot through with secret backdoors implanted by the Russian, North Korean and Chinese governments, even though there's never been a single publicly documented case, outside of a vague and anonymously sourced article in the Wall Street Journal.

Clarke's prescriptions are manyfold. First, the nation's backbone carriers -- the ones with fiber optic networks crisscrossing the country -- should be required to inspect all packets, and delete the ones that match known signatures of viruses and other malware. While that might seem like a fine idea, the security industry is already moving away from signature-based strategies, since malware-makers have taken to testing their payloads against anti-virus software before deploying it.

ISPs already have the ability, and the legal right, to filter out known bad packets, but requiring it -- as Clarke would do -- would not only be ineffective, but it would inevitably lead to other demands to filter content, first child pornography, then perceived copyright violations, and finally unwanted speech of all sorts. Clarke fails to consider the contents of the Pandora's box he seeks to open.

More persuasively, Clarke argues the feds need to set some real, auditable and binding rules for companies that run critical infrastructure, such as the electrical grid. The current policy is driven by the rationale that private-sector companies have enough financial incentive to protect their network, and the government's role should be limited to helping share information about threats among the stakeholders. That policy works well when it comes to companies like Google and Chase, which could lose customers if their networks are routinely hacked, but isn't as effective for your energy company, which likely has no real competition.

So, even if you don't accept Clarke's doomsday predictions, there's a good case to be made that the feds ought to have strong rules governing these systems, and, as he suggests, a crew of white hat hackers tasked with trying to bust into the grid on a daily basis.

And there's something to be gained by thinking about the consequences and morality of militaries infiltrating other countries' power grids, or whether the government ought to be able to take down Al Qaeda websites, or whether the military should ever hack into the financial system. These are fun and not unimportant debates to have.

But the Chinese can't blunt the power of 15 carrier groups with some fancypants, unheard of ninja cybercoding tricks. Live Free or Die Hard was a bad movie, not a prescient one (it's one of many Hollywood references Clarke makes to bolster his case). The Chinese and Russians don't have secret backdoors into the transformer outside your house, and if it blows up, it's more likely a rodent chewing through the casing than a cyberwarrior sitting in an internet cafe in Shanghai.

The cyberwar rhetoric is dangerous. Its practitioners are artists of exaggeration, who seem to think spinning tall tales is the only way to make bureaucracies move in the right direction. But yelling "Cyberwar" in a crowded internet is not without consequence. Not only does it promote unnecessary fear, it feeds the forces of parochial nationalism and militarism -- undermining a communications system that has arguably done more to connect the world's citizens than the last 50 years of diplomacy.

And, let's be honest, your photocopier will never, ever catch on fire due to a hacker, like it does in Cyberwar.

Except, of course, in the movie version of this book, which undoubtedly, will star Bruce Willis or Kiefer Sutherland.

From rforno at infowarrior.org Fri Apr 23 02:21:37 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 22 Apr 2010 22:21:37 -0400
Subject: [Infowarrior] - Facebook: Privacy Enemy Number One?
Message-ID: <3F1E25FF-B4AF-421B-B39B-92B322B1ABC8@infowarrior.org>

Facebook: Privacy Enemy Number One?
By: Dan Costa
04.22.2010
http://www.pcmag.com/article2/0,2817,2362967,00.asp

Facebook's notable announcements this week range from a holistic vision of a seamless, semantically-enabled Web of human relationships, to a simple "Like" button, which will soon be omnipresent on the Internet. The moves are ambitious, giving even fast-moving rivals like Twitter reason to worry. Still, the simple fact that gets lost in the rush towards ubiquitous social connectivity is that Facebook users still don't know what they are sharing, with whom, or why it matters. In short: Facebook remains a privacy minefield.

During the event, Zuckerberg described what he calls the "Social Graph."
It's basically a map of all of our social relationships and the things that we care about. It isn't just about who you know, but also what you want. Sharing photos with friends is great, but sharing camera recommendations is monetizable. This is the promise of the Semantic Web, a collection of links and objects that can be easily shared and repurposed among sites; except on the Social Graph, all the lines eventually run through Facebook.

Part of Facebook's plan is the universal Like button. It may seem like a minor introduction, but it isn't. Sure, there are lots of ways to indicate that you like a story online: Digg, Buzz, Twitter, Reddit, and countless others, but those are mostly about getting people to read something. What if you just, well, like something? A book, a movie, brand of peanut butter, or a shortstop for the New York Yankees. Until now, the most granular measure of our human intent has been our search terms, and Google has done an exceedingly good job of connecting that intent with advertisers who want to capitalize on it. By integrating personal and profile information through third party sites, Facebook is making its database of intention social.

As much as I love Twitter and even Foursquare, Facebook has always been among my least favorite social media sites, and its graduation to "platform" status hasn't done anything to change my mind. It truly is an application platform; there are more than 550,000 applications on Facebook, accessed by more than 70 percent of users. And no, I still don't want your virtual farm animal or to participate in your silly crime-themed role playing game. When I role play, I do it old school -- with a D20. I find Facebook's interface cluttered, the applications moronic, and the Terms of Service opaque -- at best. It is AOL, circa 1996 -- without the service fees.

Clearly, I am in the minority. Facebook has more than 400 million active users worldwide, and 50 percent of those users log on every day. These users create and share more than 25 billion Web links, news stories, blog posts, notes, and photo albums. They can be inane or profound, personal or public, but they are always revealing. Facebook considers them objects.

I lost track of how many times Facebook Chief Executive Mark Zuckerberg or his director of product development referred to bits of personal information as "objects." To a programmer, they are objects -- bits of code that can be created, shared, exported, imported, synchronized, monetized. And the easier it is for all that to happen, the better the platform becomes. As Zuckerberg modestly put it: "This is the most transformative thing we've ever done for the Web."

Transformative, for sure, but I would humbly suggest it will be better for Facebook than the Internet as a whole. I agree these products go a long way towards creating "instantly social and personalized experiences on the Web," but it will come at a price. And that price is privacy.

"Like" a movie on IMDB, and all of your friends will get updates to that effect. For that matter, every time you look at a movie on IMDB, you will see a list of friends who have "liked" that page. It is a powerful tool, but my bet is most Facebook users will have no idea where, when, or how their Likes will show up on the Web. Or for how long.

In the past, Facebook would ask you to share your data with each app that wanted to access your profile. Not anymore. Make something "public" and it won't just appear on Facebook, but throughout the Facebook ecosystem. Again, this is a user choice, but it is rarely an informed one. In other words, be careful about who you friend because your information will show up when you visit one of these pre-approved sites. Indeed, the Graph API makes it possible to pull all sorts of personal data directly into third party sites. If you want to know what you are sharing, go to graph.facebook.com/markzuckerberg, but replace Zuck's name with yours. Or try your friend's username, just for kicks.

Facebook will say that all of this is opt-in, and it is. Hell, no one is making you use Facebook at all -- yet. But the truth is no one really understands their own privacy settings now. When Facebook changed its settings six months ago, 65 percent of users chose to keep their profiles public. Or, more likely, they just thought they should click "yes" to everything. We have all done it, and that choice will now follow us around the Web -- forever.

This is the same problem Google had when it launched Buzz, and for which it has now been criticized by ten European countries. Of course, European countries tend to be a pretty critical bunch, so it is hard to hit Google too hard for that. Even so, the companies are very different. For Google, having users share private information is a constant risk and an unfortunate side effect of its services, perhaps even a liability. For Facebook, it is a business model.

The funny thing is that I didn't even attend the F8 developer conference -- I downloaded the embed code for the keynote's video stream, posted it to PCMag's Business destination site, and watched it live from my desk. When the keynote ended, I loaded up Robert Scoble's Ustream feed and watched Zuckerberg get grilled from the front row of the press conference. Combine that with the real-time updates from attendees and other remote viewers, and it amounts to amazing transparency. Pure gold for a journalist. Great exposure for Facebook.

And the average Facebook user? For better or worse, they are going to get a lot more exposure as well.

From rforno at infowarrior.org Fri Apr 23 19:39:53 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Apr 2010 15:39:53 -0400
Subject: [Infowarrior] - Youtube's good DMCA compromise?
Message-ID: Content ID and Fair Use http://youtube-global.blogspot.com/ Over the past decade, the evolution of the Internet has altered the landscape for both traditional media companies and the doctrine of fair use, and the media industry has tried to keep up. The new ways that consumers create and distribute content are not a niche phenomenon. Hundreds of millions of people around the world now use the Web to connect and interact with content online, and a huge percentage of them go even further: they express themselves via parodies, celebrate their favorite videos with mashups, and use music in educational presentations. The people that upload these videos are typically the biggest fans, and are exactly the kinds of consumers rights holders should be embracing. We've listened closely to our partners and we're constantly improving our content identification and management tools ("Content ID") to make sure they have choices in dealing with these different uses of their content on YouTube. Over 1,000 content owners use Content ID, and we've built it in a way that lets them account for fair uses of their content: they can easily create policies depending on the proportion of a claimed video that contains their work, or the absolute length of the clip used. For example, a record label might decide to block videos that contain over one minute of a given song, but leave up videos that contain less than one minute. Since Content ID can't identify context (like "educational use" or "parody"), we give partners the tools to use length and match proportion as a proxy. Of course, it's not a perfect system. That's why two videos -- one of a baby dancing to one minute of a pop song, and another using the exact same audio clip in a videotaped University lecture about copyright law -- might be treated identically by Content ID and taken down by the rights holder, even though one may be fair use and the other may not. 
Rights holders are the only ones in a position to know what is and is not an authorized use of their content, and we require them to enforce their policies in a manner that complies with the law. Still, to make sure that users also have choices when dealing with the content they upload to YouTube, we've made it easy for users to dispute inappropriate claims.

* When you receive a notice in your account via Content ID, we tell you who claimed the content, and direct you to a form that lets you dispute the claim if you so choose.
* If you believe your video is fair use, check the box that reads "This video uses copyrighted material in a manner that does not require approval of the copyright holder." If you're not sure if your video qualifies, you can learn more about fair use here.
* Once you've filed your dispute, your video immediately goes back up on YouTube.
* From this point, the claimant then makes a decision about whether to file a formal DMCA notification, and remove the content from the site according to the process set forth in the DMCA.

Content ID has helped create an entirely new economic model for rights holders. We are committed to supporting new forms of original creativity, protecting fair use, and providing a seamless user experience -- all while we help rights owners easily manage their content on YouTube.

Posted by Shenaz Zack, Product Manager

From rforno at infowarrior.org Fri Apr 23 21:36:01 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Apr 2010 17:36:01 -0400
Subject: [Infowarrior] - Sec Researchers are "Narcissistic Vulnerability Pimps"
Message-ID: <308CA15A-3A97-4CDA-93AA-843737805322@infowarrior.org>

First we had 'information anarchy' coined by Scott Culp at Microsoft a few years ago. [1] Now, an un-named Verizon blogger coins the term "Narcissistic Vulnerability Pimp" for someone who releases information about infosec vulnerabilities on an official Verizon website. [2]

...this should provide some fun fodder for the serious infosec community to re-ignite the security disclosure debate, eh?

-rf

[1] http://news.cnet.com/2008-1082-275588.html
[2] http://securityblog.verizonbusiness.com/2010/04/22/redefining-security-researcher/

From rforno at infowarrior.org Fri Apr 23 22:29:39 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Apr 2010 18:29:39 -0400
Subject: [Infowarrior] - Computerized Front-Running
Message-ID:

How a Computer Program Designed to Save the Free Market Turned Into a Monster
Computerized Front-Running
By ELLEN BROWN
http://www.counterpunch.org/brown04232010.html

Market commentators are fond of talking about "free market capitalism," but according to Wall Street commentator Max Keiser, it is no more. It has morphed into what his TV co-host Stacy Herbert calls "rigged market capitalism": all markets today are subject to manipulation for private gain.

Keiser isn't just speculating about this. He claims to have invented one of the most widely used programs for doing the rigging. Not that that's what he meant to invent. His patented program was designed to take the manipulation out of markets. It would do this by matching buyers with sellers automatically, eliminating "front running" -- brokers buying or selling ahead of large orders coming in from their clients. The computer program was intended to remove the conflict of interest that exists when brokers who match buyers with sellers are also selling from their own accounts. But the program fell into the wrong hands and became the prototype for automated trading programs that actually facilitate front running.

Also called High Frequency Trading (HFT) or "black box trading,"
automated program trading uses high-speed computers governed by complex algorithms (instructions to the computer) to analyze data and transact orders in massive quantities at very high speeds. Like the poker player peeking in a mirror to see his opponent's cards, HFT allows the program trader to peek at major incoming orders and jump in front of them to skim profits off the top. And these large institutional orders are our money -- our pension funds, mutual funds, and 401Ks.

When "market making" (matching buyers with sellers) was done strictly by human brokers on the floor of the stock exchange, manipulations and front running were considered an acceptable (if morally dubious) price to pay for continuously "liquid" markets. But front running by computer, using complex trading programs, is an entirely different species of fraud. A minor flaw in the system has morphed into a monster. Keiser maintains that computerized front running with HFT has become the principal business of Wall Street and the primary force driving most of the volume on exchanges, contributing not only to a large portion of trading profits but to the manipulation of markets for economic and political ends.

The "Virtual Specialist": the Prototype for High Frequency Trading

Until recently, most market making was done by brokers called "specialists," those people you see on the floor of the New York Stock Exchange haggling over the price of stocks. The job of the specialist originated over a century ago, when the need was recognized for a system for continuous trading. That meant trading even when there was no "real" buyer or seller waiting to take the other side of the trade.

The specialist is a broker who deals in a specific stock and remains at one location on the floor holding an inventory of it. He posts the "bid" and "ask" prices, manages "limit" orders, executes trades, and is responsible for managing the uninterrupted flow of orders. If there is a large shift in demand on the "buy"
side or the "sell" side, the specialist steps in and sells or buys out of his own inventory to meet the demand, until the gap has narrowed. This gives him an opportunity to trade for himself, using his inside knowledge to book a profit. That practice is frowned on by the Securities Exchange Commission (SEC), but it has never been seriously regulated, because it has been considered necessary to keep markets "liquid."

Keiser's "Virtual Specialist Technology" (VST) was developed for the Hollywood Stock Exchange (HSX), a web-based, multiplayer simulation in which players use virtual money to buy and sell "shares" of actors, directors, upcoming films, and film-related options. The program determines the true market price automatically, by comparing "bids" with "asks" and weighting the proportion of each. Keiser and HSX co-founder Michael Burns applied for a patent for a "computer-implemented securities trading system with a virtual specialist function" in 1996, and U.S. patent no. 5960176 was awarded in 1999.

But things went awry after the dot.com crash, when Keiser's company HSX Holdings sold the VST patent to investment firm Cantor Fitzgerald, over his objection. Cantor Fitzgerald then put the part of the program that would have eliminated front-running on ice, just as drug companies buy up competing patents in order to take them off the market. Instead of preventing front-running, the program was altered so that it actually enhanced that fraudulent practice. Keiser (who is now based in Europe) notes that this sort of patent abuse is illegal under European Intellectual Property law.

Meanwhile, the design of the VST program remained on display at the patent office, giving other inventors ideas. To get a patent, applicants must list "prior art" and then prove that their patent is an improvement in some way. The listing for Keiser's patent shows that it has been referenced by 132 others involving automated program trading or HFT.
Since then, HFT has quickly come to dominate the exchanges. High frequency trading firms now account for 73% of all U.S. equity trades, although they represent only 2% of the approximately 20,000 firms in operation.

In 1998, the SEC allowed online electronic communication networks, or alternative trading systems, to become full-fledged stock exchanges. Alternative trading systems (ATS) are computer-automated order-matching systems that offer exchange-like trading opportunities at lower costs but are often subject to lower disclosure requirements and different trading rules. Computer systems automatically match buy and sell orders that were themselves submitted through computers. Market making that was once done with a "specialist's book" -- something that could be examined and audited -- is now done by an unseen, unaudited "black box."

For over a century, the stock market was a real market, with live traders hotly bidding against each other on the floor of the exchange. In only a decade, floor trading has been eliminated in all but the largest exchanges, such as the New York Stock Exchange (NYSE); and even in those markets, it now co-exists with electronic trading.

Alternative trading systems allow just about any sizable trader to place orders directly in the market, rather than routing them through investment dealers on the NYSE. They also allow any sizable trader with a sophisticated HFT program to front run trades.

Flash Trades: How the Game Is Rigged

An integral component of computerized front running is a dubious practice called "flash trades." Flash orders are permitted by a regulatory loophole that allows exchanges to show orders to some traders ahead of others for a fee. At one time, the NYSE allowed specialists to benefit from an advance look at incoming orders; but it has now replaced that practice with a "level playing field" policy that gives all investors equal access to all price quotes.
Some ATSs, however, which are hotly competing with the established exchanges for business, have adopted the use of flash trades to pull trading business away from the exchanges. An incoming order is revealed (or flashed) to a trader for a fraction of a second before being sent to the national market system. If the trader can match the best bid or offer in the system, he can then pick up that order before the rest of the market sees it.

The flash peek reveals the trade coming in but not the limit price -- the maximum price at which the buyer or seller is willing to trade. This is what the HFT program figures out, and it is what gives the high-frequency trader the same sort of inside information available to the traditional market maker: he now gets to peek at the other player's cards. That means high-frequency traders can do more than just skim hefty profits from other investors. They can actually manipulate markets. How this is done was explained by Karl Denninger in an insightful post on Seeking Alpha in July 2009:

"Let's say that there is a buyer willing to buy 100,000 shares of BRCM with a limit price of $26.40. That is, the buyer will accept any price up to $26.40. But the market at this particular moment in time is at $26.10, or thirty cents lower.

"So the computers, having detected via their 'flash orders' (which ought to be illegal) that there is a desire for Broadcom shares, start to issue tiny (typically 100 share lots) 'immediate or cancel' orders - IOCs - to sell at $26.20. If that order is 'eaten' the computer then issues an order at $26.25, then $26.30, then $26.35, then $26.40. When it tries $26.45 it gets no bite and the order is immediately canceled.

"Now the flush of supply comes at, big coincidence, $26.39, and the claim is made that the market has become 'more efficient.'

"Nonsense; there was no 'real seller' at any of these prices!
This pattern of offering was intended to do one and only one thing -- manipulate the market by discovering what is supposed to be a hidden piece of information -- the other side's limit price!

"With normal order queues and flows the person with the limit order would see the offer at $26.20 and might drop his limit. But the computers are so fast that unless you own one of the same speed you have no chance to do this -- your order is immediately 'raped' at the full limit price! . . . [Y]ou got screwed for 29 cents per share which was quite literally stolen by the HFT firms that probed your book before you could detect the activity, determined your maximum price, and then sold to you as close to your maximum price as was possible."

The ostensible justification for high-frequency programs is that they "improve liquidity," but Denninger says, "Hogwash. They have turned the market into a rigged game where institutional orders (that's you, Mr. and Mrs. Joe Public, when you buy or sell mutual funds!) are routinely screwed for the benefit of a few major international banks."

In fact, high-frequency traders may be removing liquidity from the market. So argues John Daly in the U.K. Globe and Mail, citing Thomas Caldwell, CEO of Caldwell Securities Ltd.:

"Large institutional investors know that if they start trying to push through a large block of shares at a certain price -- even if the block is broken into many small trades on several ATSs and markets -- they can trigger a flood of high-frequency orders that immediately move market prices to the institution's disadvantage. . . . That's why institutions have flocked to so-called dark pools operated by ATSs such as Instinet, and individual dealers like Goldman Sachs. The pools allow traders to offer prices without publicly revealing their identities and tipping their hand."
Because these large, dark pools are opaque to other investors and to regulators, they inhibit the free and fair trade that depends on open and transparent auction markets to work.

The Notorious Market-Rigging Ringleader, Goldman Sachs

Tyler Durden, writing on Zero Hedge, notes that the HFT game is dominated by Goldman Sachs, which he calls "a hedge fund in all but FDIC backing." Goldman was an investment bank until the fall of 2008, when it became a commercial bank overnight in order to capitalize on federal bailout benefits, including virtually interest-free money from the Fed that it can use to speculate on the opaque ATS exchanges where markets are manipulated and controlled. Unlike the NYSE, which is open only from 10 am to 4 pm EST daily, ATSs trade around the clock; and they are particularly busy when the NYSE is closed, when stocks are thinly traded and easily manipulated. Tyler Durden writes:

"[A]s the market keeps going up day in and day out, regardless of the deteriorating economic conditions, it is just these HFT's that determine the overall market direction, usually without fundamental or technical reason. And based on a few lines of code, retail investors get suckered into a rising market that has nothing to do with green shoots or some Chinese firms buying a few hundred extra Intel servers: HFTs are merely perpetuating the same ponzi market mythology last seen in the Madoff case, but on a massively larger scale."

HFT rigging helps explain how Goldman Sachs earned at least $100 million per day from its trading division, day after day, on 116 out of 194 trading days through the end of September 2009. It's like taking candy from a baby, when you can see the other players' cards.

Reviving the Free Market

So what can be done to restore free and fair markets? A step in the right direction would be to prohibit flash trades. The SEC is proposing such rules, but they haven't been effected yet. Another proposed check on HFT is a Tobin tax --
a very small tax on every financial trade. Proposals for the tax range from .005% to 1%, so small that it would hardly be felt by legitimate "buy and hold" investors, but high enough to kill HFT, which skims a very tiny profit from a huge number of trades.

That is what proponents contend, but a tiny tax might not actually be enough to kill HFT. Consider Denninger's example, in which the high-frequency trader was making not just a few pennies but a full 29 cents per trade and had an opportunity to make this sum on 99,500 shares (100,000 shares less 5 100-lot trades at lesser sums). That's a $28,855 profit on a $2.63 million trade, not bad for a few milliseconds of work. Imposing a .1% Tobin tax on the $2.63 million would reduce the profit to $26,225, but that's still a nice return for a trade that takes less time than blinking.

The ideal solution would fix the problem at its source -- the price-setting mechanism itself. Keiser says this could be done by banning HFT and installing his VST computer program in its original design in all the exchanges. The true market price would then be established automatically, foreclosing both human and electronic manipulation. He notes that the shareholders of his former firm have a good claim for voiding out the sale to Cantor Fitzgerald and retrieving the program, since the deal was never consummated and the investors in HSX Holdings have never received a penny for the sale. There is just one problem with their legal claim: the paperwork proving it was shipped to Cantor Fitzgerald's offices in the World Trade Center several months before September 2001. Like free market capitalism itself, it seems, the evidence has gone up in smoke.

Ellen Brown is the author of Web of Debt: the Shocking Truth About Our Money System and How We Can Break Free. She can be reached through her website.
From rforno at infowarrior.org Sat Apr 24 02:52:57 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Apr 2010 22:52:57 -0400
Subject: [Infowarrior] - White House Updates Cybersecurity Orders
Message-ID: <3ADEA7A1-12F1-41D6-8CCF-CE05E1F5F289@infowarrior.org>

White House Updates Cybersecurity Orders
The three-pronged approach should help federal agencies do away with wasteful compliance spending and encourage improved security, say White House officials.
By J. Nicholas Hoover
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=224500173

The White House issued new cybersecurity marching orders to government agencies Wednesday, which top officials say will help redirect government efforts from wasteful paperwork compliance toward continuous monitoring and patching and more effective cybersecurity spending.

Many observers both inside and outside government have come to the conclusion that the government's cybersecurity reporting requirements, as currently implemented, have created an environment in which expensive annual compliance reports that cut into real cybersecurity have become the norm.

"These reports ended up being more secure in the cabinets they were living in than were the systems they were meant to protect," federal CIO Vivek Kundra said in a conference call with reporters and White House cybersecurity coordinator Howard Schmidt.

Agencies have been spending as much as $1,400 per page on those reports under requirements of the Federal Information Systems Management Act. The Department of State alone has spent $133 million in the last six years just on FISMA compliance. However, numerous questions continue to arise about the effectiveness of agencies' cybersecurity efforts.
That kind of waste has led to simultaneous moves by the White House, the National Institute for Standards and Technology (which has power to set FISMA standards), and Congress to overhaul or refocus FISMA and other federal cybersecurity requirements.

The new policy outlines what Kundra described as a "significant departure" from the way cybersecurity has been measured and managed in government. It is contained in an Office of Management and Budget memo penned by federal chief performance officer Jeffrey Zients, Kundra, and Schmidt, and developed with input from federal CIOs.

Kundra and Schmidt said on the conference call that the new policy points toward continuous monitoring and patching of federal systems, and also toward the deployment of cybersecurity systems that better position the government against constantly evolving threats.

The guidance takes a "three-tiered approach" to FISMA that includes automatic reporting of cybersecurity data feeds directly from agency security and management tools to a tool hosted by the Department of Homeland Security; government-wide benchmarking on agencies' security postures; and agency-specific interviews to help determine the needs and proper metrics for individual agencies.

First, agencies will be required to feed cybersecurity information directly and in near real-time from their own security management tools into the recently implemented Cyberscope security reporting tool, which DHS is now operating. The White House is convening with agencies on May 7 to discuss how they will move forward with this plan, and what new metrics will be included in the new reporting.

This automated reporting should both decrease the amount of money agencies are spending on cybersecurity reporting, and also help the White House best determine where and how resources should be spent on cybersecurity across government, said Kundra and Schmidt. "Capital can and should be used to invest in systems that will be actually enhancing security,"
Kundra said.

Agencies will begin feeding this data to Cyberscope by June of this year, but Kundra admitted that some agencies will have to make investments in order to get tools like asset management systems and security information management systems in place to feed data to Cyberscope. Some agencies, like the Departments of Justice, Treasury, State, Veterans Affairs, and NASA are already able to report to Cyberscope, and will be among the first to do so. The due date for reporting through Cyberscope is November 15, and those agencies which can't yet directly feed information into Cyberscope will be able to provide a data feed as an XML upload to Cyberscope.

Along with this new reporting structure will also come new metrics for agencies to use. Those metrics have been developed in concert with the private sector, academic community, and federal CIOs and CISOs. The new data feeds will include summary information about inventory, systems and services, hardware, software, external connections, security training, and identity management and access.

In terms of government-wide benchmarking, CyberScope will be asking agencies a set of questions on their security posture online, rather than in the submission of an annual signed letter to do the same task.

The White House will also be carrying out agency-by-agency interviews on cybersecurity. "We recognize not all agencies perform the same mission and function," Kundra said. "Historically it was just a lowest common denominator approach, but the nature of the threat can be unique to each agency."
Finally, in addition to the three-pronged approach to overhauling FISMA reporting, the White House memo answers dozens of potential agency questions about FISMA, including some issues outside the scope of the new approach, like whether national security systems fall under this guidance (not typically), who should have the ultimate say over an agency's security posture (the agency head), and whether SAS 70 compliance audits often used by private sector to determine whether third-party systems are secure is sufficient for FISMA compliance (it depends).

From rforno at infowarrior.org Sat Apr 24 21:49:51 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 24 Apr 2010 17:49:51 -0400
Subject: [Infowarrior] - GPG integrates w/OSX 10.6 Mail now
Message-ID: <97D2323C-DF92-4DE8-9923-7EF37BF3EB23@infowarrior.org>

Mac Users fed up with "Commercial PGP" rejoice --- Lukas Pitsch has released new Mail bundles for Apple Mail so that GPG gets integrated with Apple Mail on Snow Leopard. Seems to work fine with my existing keys and seems solid.

Download the bundle here:
http://github.com/lukele/GPGMail-SL/downloads

To see how to install GPG on OSX and fix it for Snow Leopard, visit this Apple Forums thread .. the last message on this page has step-by-step instructions with download URLs:
http://discussions.apple.com/thread.jspa?threadID=2136007&start=75&tstart=0

Yay.

-rf

From rforno at infowarrior.org Sat Apr 24 23:29:17 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 24 Apr 2010 19:29:17 -0400
Subject: [Infowarrior] - Apple: Can You Survive a Benevolent Dictatorship?
Message-ID: <344D224D-7111-4A02-BBB1-443C1B9BF6BB@infowarrior.org>

Can You Survive a Benevolent Dictatorship?
The press loves the iPad, but beware Apple's attempt to shackle your readers to its hardware
By Cory Doctorow -- Publishers Weekly, 4/19/2010 12:00:00 AM
http://www.publishersweekly.com/article/456751-Can_You_Survive_a_Benevolent_Dictatorship_.php

The first press accounts of the Apple iPad have been long on emotional raves about its beauty and ease of use, but have glossed over its competitive characteristics -- or rather, its lack thereof. Some have characterized the iPad as an evolution from flexible-but-complicated computers to simple, elegant appliances. But has there ever been an "appliance" with the kind of competitive control Apple now enjoys over the iPad? The iPad's DRM restrictions mean that Apple has absolute dominion over who can run code on the device -- and while that thin shellac of DRM will prove useless at things that matter to publishers, like preventing piracy, it is deadly effective in what matters to Apple: preventing competition.

Maybe the iPad will fizzle. After all, that's what has happened to every other tablet device so far. But if you're contemplating a program to sell your books, stories, or other content into the iPad channel with hopes of it becoming a major piece of your publishing business, you should take a step back and ask how your interests are served by Apple's shackling your readers to its hardware. The publishing world chaos that followed the bankruptcy of Advanced Marketing Group (and subsidiaries like Publishers Group West) showed what can happen when a single distributor locks up too much of the business. Apple isn't just getting big, however; it's also availing itself of a poorly thought-out codicil of copyright law to lock your readers into its platform, limit innovation in the e-book realm, and ultimately reduce the competition to serve your customers.

Jailbreak

Here's what most mainstream press reports so far haven't told you. The iPad uses a DRM system called "code-signing" to limit which apps it can run.
If the code that you load on your device isn't "signed," that is, approved by Apple, the iPad will not run it. If the idea of adding this DRM to the iPad is to protect the copyrights of the software authors, we can already declare the system an abject failure -- independent developers cracked the system within 24 hours after the first iPad shipped, a very poor showing even in the technically absurd realm of DRM. Code-signing has also completely failed for iPhones, by the way, on which anyone who wants to run an unauthorized app can pretty easily "jailbreak" the phone and load one up.

But DRM isn't just a system for restricting copies. DRM enjoys an extraordinary legal privilege previously unseen in copyright law: the simple act of breaking DRM is illegal, even if you're not violating anyone's copyright. In other words, if you jailbreak your iPad for the purpose of running a perfectly legal app from someone other than Apple, you're still breaking the law. Even if you've never pirated a single app, nor violated a single copyright, if you're found guilty of removing an "effective means of access control," Apple can sue you into a smoking hole. That means that no one can truly compete with Apple to offer better iStores, or apps, with better terms that are more publisher- and reader-friendly. Needless to say, it is also against the law to distribute tools for the purpose of breaking DRM.

Think about what that kind of control means for the future of your e-books. Does the company that makes your toaster get to tell you whose bread you can buy? Your dishwasher can wash anyone's dishes, not just the ones sold by its manufacturer (who, by the way, takes a 30% cut along the way). What's more, you can invent cool new things to do with your dishwasher. For example, you can cook salmon in it without needing permission from the manufacturer (check out the Surreal Gourmet for how).
And you can even sell your dishwasher salmon recipe without violating some obscure law that lets dishwasher manufacturers dictate how you can use your machine.

Some early reviews have compared the iPad to a TV, a more passive medium in contrast to the interactive PC. But even passive old TV benefited greatly from the absence of a DRM-style lockdown on its medium. No one needed a broadcaster's permission, for example, to invent cable TV. No one needed a cable operator's permission to invent the VCR. And, tellingly, Apple cofounder Steve Wozniak didn't need a TV manufacturer's permission to invent the Apple II Plus, which plugged into the back of any old TV set. Of course, cable operators were sued by broadcasters, and the VCR was the subject of an eight-year court battle to wipe it off the face of the Earth. But by any measure, TV has greatly benefited from this system of "adversarial innovation." TiVo and all its imitators and successors, including the Apple TV, are good recent examples.

But this is not what is happening in e-book publishing so far. Devices like the iPad and the Kindle are a wholly new kind of thing -- they function like bookshelves that reject all books except those the manufacturer has blessed. Publishers today worry that retailers like Wal-Mart might control too much of their business -- and rightly so. But imagine how much more precarious things would be if Wal-Mart sold bookcases that were programmed to do what the iPad and Kindle do -- refuse to hold books bought in other stores, and by canceling Wal-Mart's account, your publishing house would lose access to any customer who didn't have the desire to throw out their Wal-Mart bookcases or Wal-Mart-approved books, or room to add another brand of bookcase. Having too much of your business subject to the whim of a single retailer who is out for its own interests is a scary and precarious thing.

Already, Apple's App Store has displayed the warning signs of a less-than-benevolent dictator.
Its standard deal with developers was, until recently, a secret -- that is, until NASA was forced to reveal the terms of its deal with Apple in the face of a Freedom of Information Act request. Now that we've seen the details of that deal, we see what it means to sell into a marketplace with only one distributor: developers are prohibited from selling their apps in competing stores; consumers are prohibited from "jailbreaking" any Apple product even for legal uses; Apple can kick your app out of its store at any time; and Apple's liability to you is capped at $50, no matter what the circumstances. Apple has also announced a ban on the use of "middleware" programming environments that let you develop simultaneously for multiple platforms, like Google's Android OS, the Nintendo WiiWare marketplace, and so on.

Apple will tell you that it needs its DRM lock-in to preserve the iPad's "elegance." But if somewhere in the iPad's system settings there was a button that said, "I am a grownup and would like to choose for myself which apps I run," and clicking on that button would allow you to buy e-books from competing stores, where exactly is the reduction in elegance there?

Apple will also tell you that there's competition for apps -- that anyone can write an HTML5 app (the powerful, flexible next generation of the HTML language that Web pages are presently made from). That may be true, but not if developers want their app to access the iPad's sensors that allow you to control it by moving it around and making noises, or to the payment system that allows apps to be bought and sold with a single click. It's an enormous competitive setback if your customers have to laboriously tap their credit card details into the screen keyboard every time they buy one of your products. And here's a fun experiment for the code writers among you: write an app and stick a "buy in one click with Google Checkout" button on the screen. Watch how long it takes for Apple to reject it.
For bonus fun, send the rejection letter to the FTC's competition bureau.

Whaddya Gonna Do?

There's an easy way to change this, of course. Just tell Apple it can't license your copyrights -- that is, your books -- unless the company gives you the freedom to give your readers the freedom to take their products with them to any vendor's system. You'd never put up with these lockdown shenanigans from a hardcopy retailer or distributor, and you shouldn't take it from Apple, either, and that goes for Amazon and the Kindle, too.

This is exactly what I've done. I won't sell my e-books in any store that locks my users into a vendor's platform. That's true for both my forthcoming self-published collection With a Little Help and the e-book editions that HarperCollins and Tor publish of my books. At the same time, I'm hoping my unlocked readers will come up with great HTML5 remixes of the stories in With a Little Help: interactive, cross-platform net-toys that can actually drive revenue for me, whether through sales of my print editions, donations for the e-books, or downloads of the audio.

I'm planning to be in the publishing business for a good half-century or more. And though I am not exactly sure how the e-publishing book business will mature (hence my experiment With a Little Help), I am keenly aware that locking my readers to a specific device today, whether the iPad or the Kindle, could very well mean a dramatic loss of control for my business tomorrow.
From rforno at infowarrior.org Sun Apr 25 03:05:18 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 24 Apr 2010 23:05:18 -0400
Subject: [Infowarrior] - Hyperfast missile to hit anywhere in an hour
Message-ID: <22C39F95-2CFE-4CD0-AABC-7CB36DD9A2E3@infowarrior.org>

From The Sunday Times April 25, 2010 Hyperfast missile to hit anywhere in an hour Tony Allen-Mills in Washington http://www.timesonline.co.uk/tol/news/world/us_and_americas/article7107179.ece HAUNTED by the memory of a lost opportunity to kill Osama Bin Laden before he attacked the World Trade Center in New York, US military planners have won President Barack Obama's support for a new generation of high-speed weapons that are intended to strike anywhere on Earth within an hour. Obama's interest in Prompt Global Strike (PGS), a nonnuclear weapons programme, has alarmed China and Russia and complicated nuclear arms reduction negotiations. White House officials confirmed last week that the president, who won the Nobel peace prize last year, is considering the deployment of a new class of hypersonic guided missiles that can reach their targets at speeds of Mach 5 -- about 3,600mph. That is nearly seven times faster than the 550mph Tomahawk cruise missiles that arrived too late to kill Bin Laden at an Al-Qaeda training camp in Afghanistan in 1998. "The ability to attack a wide range of targets at intercontinental range, promptly and without resort to nuclear weapons, is of central importance to US national security," said Daniel Goure, a defence analyst at the Lexington Institute in Virginia. The White House has requested almost $250m in congressional funding next year for research into hypersonic technologies, some of which harness the shock waves generated by a fast-moving missile to increase its speed further. The new weapon could be launched from air, land or sea on a long-range missile travelling at suborbital altitudes above 350,000ft.
The missile releases a hypersonic pilotless plane that receives updates from satellites as it homes in on its target at up to five times the speed of sound, generating so much heat that it has to be shielded with special materials to avoid melting. Depending on the version the Pentagon chooses, the warhead would either split into dozens of lethal fragments in the final seconds of its flight or simply smash into its target, relying on devastating kinetic energy to destroy anything in its path. As a precision weapon its effects would be quite different from the mass destruction inflicted by nuclear warheads delivered by intercontinental ballistic missiles that can reach 13,400mph. The development of PGS has won praise and criticism as the president seeks to reduce the strategic US nuclear arsenal in favour of tactical weapons that can be used swiftly to counter terrorists or rogue states. "Conventional weapons with worldwide reach ... enable us to reduce the role of nuclear weapons," said Joe Biden, the vice-president, recently. Sergei Lavrov, the Russian foreign minister, warned earlier this month that "states will hardly accept a situation in which nuclear weapons disappear, but weapons that are no less destabilising emerge in the hands of certain members of the international community". General Yuri Baluyevsky, a deputy secretary of the Russian National Security Council, complained that US concessions at nuclear arms reduction talks were not because of America's love of peace, but because "they can kill you using conventional high-precision weapons". US analysts have also warned of the risk that Chinese or Russian monitors might mistake a hypersonic launch for nuclear attack. "The short flight time ... leaves very little time for an assessment of the situation, putting an enormous strain on national decision-making mechanisms and increasing the probability of an accident," argued Pavel Podvig of Stanford University.
General Kevin Chilton, the US air force commander supervising the PGS programme, told The New York Times that the Pentagon's current options were not fast enough. "Today we can present some conventional options to the president to strike a target anywhere on the globe that range from 96 hours to maybe four, five, six hours," he said. "If the president wants to act faster than that, the only thing we have that goes faster is a nuclear response." The Pentagon has already begun testing missile systems that might be used in a PGS programme. Last week the Defense Advanced Research Projects Agency (Darpa) launched a test flight of a prototype labelled the Hypersonic Technology Vehicle 2 (HTV-2), also known as the Falcon. The prototype was launched from Vandenberg air force base in California on a solid-fuel rocket booster made from a decommissioned ballistic missile. There was no comment from US Strategic Command, which controls the programme, on either the success of the test or a timetable for future deployment. "It is premature to discuss the actual implementation of this capability until the technology has sufficiently matured," a Pentagon statement said. The Washington Times reported last week that Darpa is building two Falcon vehicles, the second of which is scheduled for launch early next year. US officials have sought to reassure Russian and Chinese authorities that the new weapons will be developed in small numbers and will be kept well away from US nuclear launch sites so there is no confusion that might trigger an accidental nuclear war. The new arms reduction treaty signed by Obama and Dmitri Medvedev, the Russian president, in Prague two weeks ago also contains a provision that Washington will reduce its arsenal by one nuclear missile for every PGS weapon that it deploys. Obama's efforts to placate Moscow and Beijing have been criticised by US arms control hawks.
Dean Cheng, a China specialist at the conservative Heritage Foundation, accused the administration of "pursuing a strategically incoherent policy, one that is ostensibly aimed at reassuring other nations but will more likely lead to greater instability and uncertainty". Cheng added: "This is not the path to another Nobel peace prize."

From rforno at infowarrior.org Mon Apr 26 14:12:14 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Apr 2010 10:12:14 -0400
Subject: [Infowarrior] - OT: Computer Security on the Death Star
Message-ID:

.... too amusing not to pass along to brighten everyone's Monday. :) Computer Security on the Death Star http://abstrusegoose.com/262

From rforno at infowarrior.org Mon Apr 26 19:33:50 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Apr 2010 15:33:50 -0400
Subject: [Infowarrior] - McAfee to compensate home users for bad update
Message-ID: <31778D3E-BA17-4721-8849-DA8DA76762ED@infowarrior.org>

http://news.cnet.com/8301-1009_3-20003399-83.html April 26, 2010 10:20 AM PDT McAfee to compensate home users for bad update by Lance Whitney McAfee is promising to reimburse home customers hit by last Wednesday's faulty virus update, which hosed tens of thousands of computers. Facing complaints and questions from people whose PCs crashed or kept rebooting as a result of the buggy update, McAfee formally apologized in an official blog last Friday. But now the company has gone a step further. McAfee is committing to reimburse home and home office customers for any money they spent to fix their PCs as a result of the problem. Details are sketchy now, but the company is hoping people will sit tight for a few more days until more information is available. "If you have already incurred costs to repair your PC as a result of this issue, we're committed to reimbursing reasonable expenses," promised McAfee in a special announcement for home and home office users.
"Steps to process your reimbursement request will be posted in the next few days. Please check back here in a few days." And for loyal customers whose PCs were impacted but plan to stick with McAfee, the company has promised to extend their antivirus subscriptions for another two years free of charge. McAfee home page points to latest details about its security update problem. The problem started last Wednesday at 6 a.m. PDT when McAfee released a bad DAT update to its antivirus software that incorrectly targeted svchost.exe, a key Windows system file, as a virus. The update, which sneaked past the company's internal testing, clobbered PCs running Windows XP with Service Pack 3. In response, McAfee released a patch called SuperDAT Remediation Tool early Thursday morning to fix the bad update and restore the svchost.exe file. Instructions for applying the fix are available for home and home office users and business customers. In its latest announcement, McAfee also explained the steps to follow for customers who are still out of commission. Anyone who needs help can call a local toll free support number where a technician will try to get your PC up and running. If that fails, the company will send you the patch via a software download or on a CD through postal mail. Home and home office users may be able to receive compensation for damages, but what of corporate customers? McAfee's announcement for companies explains the steps to fix the problem for those that use its VirusScan Enterprise or Total Protection Service product. But so far, no mention of reimbursement for the many businesses that were impacted. The buggy update affected business customers around the world, including chipmaker Intel, the Kentucky police, and several Rhode Island hospitals that were forced to juggle surgeries and turn away non-trauma patients. We'll provide more details and updates on McAfee's reimbursement policy as they become available. 
From rforno at infowarrior.org Mon Apr 26 19:35:39 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 26 Apr 2010 15:35:39 -0400 Subject: [Infowarrior] - Bill Would Extend DMCA-Style Takedowns To 'Personal Info' Message-ID: Bill Would Extend DMCA-Style Takedowns To 'Personal Info' from the this-won't-end-well dept http://techdirt.com/articles/20100426/0034189166.shtml There are certainly concerns from many people about the fact that it's difficult to get certain information to go away online. Hell, there's an entire industry built around the idea of trying to either remove or hide any "bad info" about you online. However, it looks like there's a new bill in Congress that would be a disaster for free speech and would have incredible unintended consequences. It's an attempt to extend DMCA-style takedowns for any "personal info" posted online. This comes just as more people are recognizing that such takedowns have a high likelihood of being unconstitutional. In this case, the so-called "Cyber Privacy Act" would require any website that allows open posting of content to provide "a means for individuals whose personal information it contains to request the removal of such information" and would then be required to "promptly remove the personal information of any individual who requests its removal." Notice that there is no other option. You can't respond as to why that content is reasonable and should be left available. You can't defend basic freedom of speech. In fact, this is even worse than a DMCA-style notice-and-takedown regime, which at least has a process of counternotices and the allowance that content can be put back up under certain conditions. That does not exist in this case. And what constitutes "personal information"? 
According to the bill: As used in this Act, the term 'personal information' means any information about an individual that includes, at minimum, the individual's name together with either a telephone number of such individual or an address of such individual. The bill was introduced by Michigan Rep. Thaddeus McCotter, and it seems like one of those bills that someone rushed out after hearing some moral panic about people's information being online. But it looks like Rep. McCotter never bothered to think through the unintended consequences of making it easy to demand content be taken offline with no recourse. In many cases, things like your name, address or telephone number are, in fact, public information -- and even if you don't like that such content is out there, it doesn't mean that it should be illegal. It's not hard to see how this would be massively abused, just like the DMCA takedown process, and create a pretty big burden for all sorts of websites. About the only "good" thing I could see if this bill passed is perhaps we'd get a precedent that could be used to invalidate the DMCA's takedown process as unconstitutional as well.

From rforno at infowarrior.org Tue Apr 27 01:58:34 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Apr 2010 21:58:34 -0400
Subject: [Infowarrior] - We Have Met the Enemy and He Is PowerPoint
Message-ID:

(And, of course, my own PowerPoint Manifesto from 2002 -- http://infowarrior.org/powerpoint.html) :) -rick April 26, 2010 We Have Met the Enemy and He Is PowerPoint By ELISABETH BUMILLER http://www.nytimes.com/2010/04/27/world/27powerpoint.html WASHINGTON -- Gen. Stanley A. McChrystal, the leader of American and NATO forces in Afghanistan, was shown a PowerPoint slide in Kabul last summer that was meant to portray the complexity of American military strategy, but looked more like a bowl of spaghetti. "When we understand that slide, we'll have won the war,"
General McChrystal dryly remarked, one of his advisers recalled, as the room erupted in laughter. The slide has since bounced around the Internet as an example of a military tool that has spun out of control. Like an insurgency, PowerPoint has crept into the daily lives of military commanders and reached the level of near obsession. The amount of time expended on PowerPoint, the Microsoft presentation program of computer-generated charts, graphs and bullet points, has made it a running joke in the Pentagon and in Iraq and Afghanistan. "PowerPoint makes us stupid," Gen. James N. Mattis of the Marine Corps, the Joint Forces commander, said this month at a military conference in North Carolina. (He spoke without PowerPoint.) Brig. Gen. H. R. McMaster, who banned PowerPoint presentations when he led the successful effort to secure the northern Iraqi city of Tal Afar in 2005, followed up at the same conference by likening PowerPoint to an internal threat. "It's dangerous because it can create the illusion of understanding and the illusion of control," General McMaster said in a telephone interview afterward. "Some problems in the world are not bullet-izable." In General McMaster's view, PowerPoint's worst offense is not a chart like the spaghetti graphic, which was first uncovered by NBC's Richard Engel, but rigid lists of bullet points (in, say, a presentation on a conflict's causes) that take no account of interconnected political, economic and ethnic forces. "If you divorce war from all of that, it becomes a targeting exercise," General McMaster said. Commanders say that behind all the PowerPoint jokes are serious concerns that the program stifles discussion, critical thinking and thoughtful decision-making. Not least, it ties up junior officers -- referred to as PowerPoint Rangers -- in the daily preparation of slides, be it for a Joint Staff meeting in Washington or for a platoon leader's pre-mission combat briefing in a remote pocket of Afghanistan.
Last year when a military Web site, Company Command, asked an Army platoon leader in Iraq, Lt. Sam Nuxoll, how he spent most of his time, he responded, "Making PowerPoint slides." When pressed, he said he was serious. "I have to make a storyboard complete with digital pictures, diagrams and text summaries on just about anything that happens," Lieutenant Nuxoll told the Web site. "Conduct a key leader engagement? Make a storyboard. Award a microgrant? Make a storyboard." Despite such tales, "death by PowerPoint," the phrase used to describe the numbing sensation that accompanies a 30-slide briefing, seems here to stay. The program, which first went on sale in 1987 and was acquired by Microsoft soon afterward, is deeply embedded in a military culture that has come to rely on PowerPoint's hierarchical ordering of a confused world. "There's a lot of PowerPoint backlash, but I don't see it going away anytime soon," said Capt. Crispin Burke, an Army operations officer at Fort Drum, N.Y., who under the name Starbuck wrote an essay about PowerPoint on the Web site Small Wars Journal that cited Lieutenant Nuxoll's comment. In a daytime telephone conversation, he estimated that he spent an hour each day making PowerPoint slides. In an initial e-mail message responding to the request for an interview, he wrote, "I would be free tonight, but unfortunately, I work kind of late (sadly enough, making PPT slides)." Defense Secretary Robert M. Gates reviews printed-out PowerPoint slides at his morning staff meeting, although he insists on getting them the night before so he can read ahead and cut back the briefing time. Gen. David H. Petraeus, who oversees the wars in Iraq and Afghanistan and says that sitting through some PowerPoint briefings is "just agony," nonetheless likes the program for the display of maps and statistics showing trends. He has also conducted more than a few PowerPoint presentations himself.
General McChrystal gets two PowerPoint briefings in Kabul per day, plus three more during the week. General Mattis, despite his dim view of the program, said a third of his briefings are by PowerPoint. Richard C. Holbrooke, the Obama administration's special representative for Afghanistan and Pakistan, was given PowerPoint briefings during a trip to Afghanistan last summer at each of three stops -- Kandahar, Mazar-i-Sharif and Bagram Air Base. At a fourth stop, Herat, the Italian forces there not only provided Mr. Holbrooke with a PowerPoint briefing, but accompanied it with swelling orchestral music. President Obama was shown PowerPoint slides, mostly maps and charts, in the White House Situation Room during the Afghan strategy review last fall. Commanders say that the slides impart less information than a five-page paper can hold, and that they relieve the briefer of the need to polish writing to convey an analytic, persuasive point. Imagine lawyers presenting arguments before the Supreme Court in slides instead of legal briefs. Captain Burke's essay in the Small Wars Journal also cited a widely read attack on PowerPoint in Armed Forces Journal last summer by Thomas X. Hammes, a retired Marine colonel, whose title, "Dumb-Dumb Bullets," underscored criticism of fuzzy bullet points; "accelerate the introduction of new weapons," for instance, does not actually say who should do so. No one is suggesting that PowerPoint is to blame for mistakes in the current wars, but the program did become notorious during the prelude to the invasion of Iraq. As recounted in the book "Fiasco" by Thomas E. Ricks (Penguin Press, 2006), Lt. Gen. David D. McKiernan, who led the allied ground forces in the 2003 invasion of Iraq, grew frustrated when he could not get Gen. Tommy R. Franks, the commander at the time of American forces in the Persian Gulf region, to issue orders that stated explicitly how he wanted the invasion conducted, and why.
Instead, General Franks just passed on to General McKiernan the vague PowerPoint slides that he had already shown to Donald H. Rumsfeld, the defense secretary at the time. Senior officers say the program does come in handy when the goal is not imparting information, as in briefings for reporters. The news media sessions often last 25 minutes, with 5 minutes left at the end for questions from anyone still awake. Those types of PowerPoint presentations, Dr. Hammes said, are known as "hypnotizing chickens." Helene Cooper contributed reporting.

From rforno at infowarrior.org Wed Apr 28 10:35:39 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 28 Apr 2010 06:35:39 -0400
Subject: [Infowarrior] - FTC creating Internet privacy framework
Message-ID:

FTC says it is creating Internet privacy framework amid growing concerns http://voices.washingtonpost.com/posttech/2010/04/ftc_says_it_is_creating_intern.html?hpid=sec-tech The Federal Trade Commission said Tuesday that it plans to create guidelines on Internet privacy, amid a growing cry by privacy advocates and lawmakers to protect consumers from abuse of their personal data by social networks, search engines and location tracking on cellphones. The comments came after four senators called for greater enforcement and rules at the FTC on Tuesday, with troubling business features on social networking site Facebook that they said exposed users' information to the public and to third-party advertisers trying to create profiles on those users. "We agree that social networks provide a valuable consumer service, but that they also raise privacy concerns," said Cecelia Prewett, a spokeswoman for the FTC, who declined to comment specifically on the senators' complaints about Facebook. "The FTC is examining how social networks collect and share data as part of a project to develop a comprehensive framework governing privacy going forward.
Our plan is to develop a framework that social networks and others will use to guide their data collection, use and sharing practices." The complaints by the lawmakers, users and privacy groups have increased in recent months with the advent of new technologies like location-based services such as Foursquare, which allow sites to track users' location and spending activity through cellphones. A change in privacy setting policies at Facebook late last year and a mishap on Google's Buzz social network that exposed e-mail contacts to the public have added to concerns that users are flocking to these Web sites without a strong federal guardian of privacy. With advertising as the primary means of drawing revenue for their Web businesses, the desire to draw more detailed and tailored profiles of users will only continue to rub against the comfort levels of consumers and Washington's desire to regulate those activities. "This is a whole new world," said Sen. Charles Schumer (D-N.Y.) in a news conference. "The onus here should be on Facebook, not on the user." Last week, changes at Facebook made data from its users available to third parties unless a user opted out, the lawmakers said. Schumer and fellow Democratic Sens. Al Franken (Minn.), Michael Bennet (Colo.) and Mark Begich (Alaska) sent a letter to Facebook CEO Mark Zuckerberg asking him to reverse those policies. They also called for the FTC to take up new rules and step up enforcement of companies that harm consumers by misusing their private information. With 400 million users, Facebook is the largest social networking site in the world, where people form miniature networks where they share pictures, personal musings, videos and information about their backgrounds with "friends" they connect with the site. Last week, the company partnered with 75 companies, including The Washington Post and CNN, to allow their users to take their networks to other sites.
The lawmakers said those business partnerships posed troubling questions on what information was being shared with the third-party sites. Washington Post Co. Chairman Donald Graham is a board member of Facebook. Facebook agreed to let third-party companies retain information about its users indefinitely, a shift from previous policies that forced businesses to purge that information after 24 hours. And the lawmakers questioned changes to its privacy settings late last year, which automatically made profile information publicly available unless a user opted out of that default setting. "Folks who've put information out that they may not want shared with the entire world are put in the position where they have to opt-out. Now I would read what you have to do to opt-out, but we really only have so much time," Franken said at the news conference. Facebook said it isn't sharing information with third-party sites. "Specifically, these new products and features are designed to enhance personalization and promote social activity across the Internet while continuing to give users unprecedented control over what information they share, when they want to share it, and with whom," Elliot Schrage, Facebook's vice president of communications and public policy, wrote in a letter responding to the lawmakers. "All of Facebook's partner sites interact with a user's consent." Some privacy advocates say that the agency hasn't responded to complaints over Facebook's privacy changes last December and a mishap by Google when it launched its social networking application Buzz. In February, Google launched Buzz through Gmail users' accounts and for those that agreed to try it, their e-mail contact lists became public to other users of the application. "It's becoming increasingly clear that the FTC is a black hole for user concerns about online privacy," said Mark Rotenberg, executive director of the Electronic Privacy Information Center.
From rforno at infowarrior.org Wed Apr 28 11:46:45 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 28 Apr 2010 07:46:45 -0400
Subject: [Infowarrior] - more on...We Have Met the Enemy and He Is PowerPoint
References: <20100428110203.GA5054@gsp.org>
Message-ID: <7D063F24-4CBA-49AF-BD09-F304EC712FF9@infowarrior.org>

Begin forwarded message:

> From: Rich Kulawiec
> Date: April 28, 2010 7:02:03 AM EDT
> To: Richard Forno
> Subject: Re: [Infowarrior] - We Have Met the Enemy and He Is PowerPoint
>
> There is an interesting piece on this very article over at Digby's
> Hullabaloo (which is, incidentally, one of the best-written political
> blogs out there).
>
> http://digbysblog.blogspot.com/2010/04/elizabeth-bumiller-royal-stenographer.html
>

From rforno at infowarrior.org Wed Apr 28 20:19:59 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 28 Apr 2010 16:19:59 -0400
Subject: [Infowarrior] - Hewlett-Packard to Buy Palm for $1.2 Billion
Message-ID: <2C907638-19D6-4D58-882B-7C17BE95C25D@infowarrior.org>

Hewlett-Packard to Buy Palm for $1.2 Billion By Greg Chang - Apr 28, 2010 Hewlett-Packard said it agreed to buy Palm for $5.70 a share, or $1.2 billion. http://preview.bloomberg.com/news/2010-04-28/hewlett-packard-to-buy-palm-for-1-2-billion.html

From rforno at infowarrior.org Wed Apr 28 20:53:12 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 28 Apr 2010 16:53:12 -0400
Subject: [Infowarrior] - EFF on Gizmodo Raid
Message-ID: <1BC8332E-0C67-49D8-898E-6941E1BF8411@infowarrior.org>

The Gizmodo Raid: A Preview of Hollywood's Dystopian Plan for Copyright Enforcement Commentary by Corynne McSherry http://www.eff.org/deeplinks/2010/04/gizmodo-raid-preview-hollywoods-dystopian-plan Last week's police raid on Gizmodo blogger Jason Chen's house, in response to a request from Apple Inc., has led many to wonder why government resources are being spent on a spat between Apple and Gizmodo.
But here at EFF, we are also wondering if we've just seen the future of copyright enforcement. Although the Gizmodo seizure doesn't appear to be rooted in copyright, having cops kicking in doors over what seems like a private dispute reminded us of recent efforts by the big content industries to get law enforcement to go after "copyright thieves." Usually, copyright law requires copyright owners to do and pay for their own enforcement efforts -- they don't get the windfall of a limited monopoly, the hammer of statutory damages, and the ability to require the public to bankroll the enforcement for them. But the big content industries are trying to reverse that presumption, demanding (via wish lists sent to the new IP Czar last month) that federal agencies devote more resources to finding and catching "copyright thieves." For example, the Motion Picture Association of America, the Recording Industry Association of America and others filed joint comments arguing, among other things, that: The planned release of a blockbuster motion picture should be acknowledged as an event that attracts the focused efforts of copyright thieves, who will seek to obtain and distribute pre-release versions and/or to undermine legitimate release by unauthorized distribution through other channels . . . An interagency task force should work with industry to coordinate and make advance plans to try to interdict these most damaging forms of copyright theft, and to react swiftly with enforcement actions where necessary. In other words, while the movie studios are reporting record profits, we should deputize the FBI and Department of Homeland Security to provide taxpayer-supported muscle for summer blockbuster films.
This submission also urged state and local police to get involved in copyright policing, using "state labeling laws": "State labeling laws that define unauthorized online file sharing and streaming as a felony would provide state and local law enforcement with jurisdiction to investigate and prosecute online theft of intellectual property." The International Intellectual Property Alliance (IIPA), which represents most of the entertainment industry's biggest players, also wants to see a chilling expansion of law enforcement involvement in copyright enforcement, including:

- empowering government agents to prosecute alleged infringements, whether or not a copyright owner has actually complained;
- expanded "information sharing" between copyright owners and law enforcement, including border officials, i.e., a direct two-way pipeline between Big Media and the cops;
- issuance and execution of search warrants without notice to the alleged infringer.

The Software Information Industry Association supports many similar measures, and also suggests that convicted infringers should be required to make public video confessions, to be posted online and "used for education in schools and in training programs." If this wish list strikes you as disturbing, it should. Any government enforcement of copyrights should be focused on large scale, commercial infringements that can't be adequately deterred by civil lawsuits, using the already powerful existing legal tools. The Gizmodo seizure reminds us that not only are our tax dollars at stake, but also our civil liberties. Whether you're a blogger or a simple citizen, take note: if copyright policing becomes a regular item on the law enforcement agenda, you can expect more bogus search warrants, and more doors to be broken down.
From rforno at infowarrior.org Wed Apr 28 20:55:21 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 28 Apr 2010 16:55:21 -0400
Subject: [Infowarrior] - IFPI's child porn strategy
Message-ID: <4C450218-68A2-4763-80E3-A3F63D8A2A70@infowarrior.org>

Scary thing is, this is the way I've always said it would be done, too......-rick 27 april 2010 IFPI's child porn strategy http://christianengstrom.wordpress.com/2010/04/27/ifpis-child-porn-strategy/ "Child pornography is great," the speaker at the podium declared enthusiastically. "It is great because politicians understand child pornography. By playing that card, we can get them to act, and start blocking sites. And once they have done that, we can get them to start blocking file sharing sites". The venue was a seminar organized by the American Chamber of Commerce in Stockholm on May 27, 2007, under the title "Sweden -- A Safe Haven for Pirates?". The speaker was Johan Schlüter from the Danish Anti-Piracy Group, a lobby organization for the music and film industry associations, like IFPI and others. I was there together with two other pirates, Pirate Party leader Rick Falkvinge, and veteran Internet activist Oscar Swartz. Oscar wrote a column about the seminar in Computer Sweden just after it had happened. Rick blogged about it later, and so did I. (All links in Swedish.) "One day we will have a giant filter that we develop in close cooperation with IFPI and MPA. We continuously monitor the child porn on the net, to show the politicians that filtering works. Child porn is an issue they understand," Johan Schlüter said with a grin, his whole being radiating pride and enthusiasm from the podium. And seen from the perspective of IFPI and the rest of the copyright lobby, he of course had every reason to feel both proud and enthusiastic, after the success he had had with this strategy in Denmark.
Today, the file sharing site The Pirate Bay is blocked by all major Internet service providers in Denmark. The strategy explained by Mr. Schlüter worked like clockwork. Start with child porn, which everybody agrees is revolting, and find some politicians who want to appear like they are doing something. Never mind that the blocking as such is ridiculously easy to circumvent in less than 10 seconds. The purpose at this stage is only to get the politicians and the general public to accept the principle that censorship in the form of "filters" is okay.

Once that principle has been established, it is easy to extend it to other areas, such as illegal file sharing. And once censorship of the Internet has been accepted in principle, they can start looking at ways to make it more technically difficult to circumvent.

In Sweden, the copyright lobby tried exactly the same tactic a couple of months after the seminar where Johan Schlüter had been speaking. In July 2007, the Swedish police was planning to add The Pirate Bay to the Swedish list of alleged child pornography sites, that are blocked by most major Swedish ISPs. The police made no attempt whatsoever at contacting anybody from The Pirate Bay, which they of course should have done if they had actually found any links to illegal pictures of sexual child abuse. The plan was to just censor the site, and at the same time create a guilt-by-association link between file sharing and child porn.

In the Swedish case, the plan backfired when the updated censorship list leaked before it was put into effect. After an uproar in the blogosphere, the Swedish police was eventually forced to back down from the claim that they had found illegal child abuse pictures, or had any other legal basis for censoring the file sharing site. Unlike in Denmark, The Pirate Bay is not censored in Sweden today.

But the copyright lobby never gives up.
If they are unable to get what they want on the national level, they will try through the EU, and vice versa. The big film and record companies want censorship of the net, and they are perfectly willing to cynically use child porn as an excuse to get it. All they needed was a politician who was prepared to do their bidding, without spending too much effort on checking facts, or reflecting on the wisdom of introducing censorship on the net.

Unfortunately they found one in the newly appointed Swedish EU commissioner Cecilia Malmström. In March 2010 she presented an EU directive to introduce filtering of the net, exactly along the lines that Johan Schlüter was advocating in his speech at the seminar in 2007.

I assume that commissioner Malmström's motives are honourable, and that she genuinely believes she is doing something good that will prevent sexual child abuse. But sweeping a problem under the carpet, or hiding it behind filters, can never be the proper solution. If there actually are sites distributing pictures of sexual child abuse openly on the net, the sites should be shut down and the people behind them should be put in prison (after a proper trial).

But Cecilia Malmström's Internet censorship directive will have no effect at all on sexual child abuse in the world. All she will have achieved if she is successful with this directive, will be to legitimize the principle of Internet censorship in Europe, just like the copyright lobby wanted her to.

It would be very sad if she succeeds.

From rforno at infowarrior.org Thu Apr 29 01:40:44 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 28 Apr 2010 21:40:44 -0400
Subject: [Infowarrior] - China to Enforce New Encryption Rules
Message-ID:

APRIL 28, 2010, 8:42 A.M. ET
China to Enforce New Encryption Rules
By LORETTA CHAO
http://online.wsj.com/article/SB10001424052748704423504575211842948430882.html

BEIJING -- China is set to implement new rules that would require makers of certain electronic equipment to disclose key encryption information to be eligible for government procurement sales, creating a possible showdown with foreign companies that are unlikely to comply.

Beginning Saturday, makers of six categories of technology products, including smart cards, firewall technology and Internet routers, will have to disclose encryption codes to authorities for certification to participate in bidding for government purchases.

Such encryption information is closely guarded by companies, and industry officials say foreign companies that fall under the new rules are unlikely to comply, which could mean they are cut off from government contracts for those products.

The product categories covered by the encryption rules account for tens of millions, or possibly hundreds of millions, of dollars a year in government sales, industry officials estimate. That's a small fraction of the many tens of billions a year China's government spends on procurement. Still, the dispute is the latest illustration of recent tension between Chinese authorities and foreign businesses over a range of regulatory policies.

Disclosing encryption information is "something companies cannot and will not do," said Jorg Wuttke, president of the European Union Chamber of Commerce in China at a briefing last week, because such codes are often kept secret by companies for both competitive and security reasons. Mr. Wuttke said this is one of the most important issues facing European companies from the chamber's perspective.

Two companies that are likely to be affected by the rules are Gemalto NV, a maker of smart cards and other digital security products, and Cisco Systems Inc., the U.S. network-equipment giant. Cisco declined to comment on the new rules. Gemalto didn't immediately respond to a request for comment.

Industry observers who follow the issue say that the regulation appears to be part of a broader effort by Beijing to promote domestic enterprises. Foreign executives say such regulations make it increasingly difficult for foreign companies to compete fairly in one of the world's most important markets. Chinese officials have said their policies aren't discriminatory, and have complained about alleged protectionist measures taken by the U.S. and other nations.

The encryption requirement has been scaled back significantly from when it was first proposed in 2008 by the General Administration of Quality Supervision, Inspection and Quarantine. At the time, authorities said that any uncertified security products wouldn't be permitted to be sold, imported or used in China. But after protests from foreign industry groups, the officials narrowed the scale of the regulation to include only government procurement of certain products.

The General Administration of Quality Supervision, Inspection and Quarantine didn't respond to requests for comment on the rules. Nor did the Ministry of Finance, which funds government procurement.

Implementation of the regulation was delayed last year just days before it was to go into effect, and authorities could delay again. It's also unclear how the regulation will be enforced.

People who follow the issue say the requirement could, for example, force the Ministry of Transportation to use only certified technology in the millions of transportation cards used in China's subway systems. If the scope of government procurement is interpreted to include state-owned companies as well, the requirement also could encompass bank cards.

As of Wednesday evening, a government list of companies certified under the rule listed only Chinese companies. Shenzhen-based telecom-equipment giant Huawei Technologies Co. and Internet security company Leadsec Technologies (Beijing) Co., a subsidiary of personal computer maker Lenovo Group Ltd., were among more than 20 companies listed.

--Gao Sen contributed to this article.

Write to Loretta Chao at loretta.chao at wsj.com

From rforno at infowarrior.org Thu Apr 29 01:45:05 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 28 Apr 2010 21:45:05 -0400
Subject: [Infowarrior] - Facebook's Eroding Privacy Policy: A Timeline
Message-ID:

April 28th, 2010
Facebook's Eroding Privacy Policy: A Timeline
Commentary by Kurt Opsahl
https://www.eff.org/deeplinks/2010/04/facebook-timeline

Since its incorporation just over five years ago, Facebook has undergone a remarkable transformation. When it started, it was a private space for communication with a group of your choice. Soon, it transformed into a platform where much of your information is public by default. Today, it has become a platform where you have no choice but to make certain information public, and this public information may be shared by Facebook with its partner websites and used to target ads.

To help illustrate Facebook's shift away from privacy, we have highlighted some excerpts from Facebook's privacy policies over the years. Watch closely as your privacy disappears, one small change at a time!

Facebook Privacy Policy circa 2005:

No personal information that you submit to Thefacebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.

Facebook Privacy Policy circa 2006:

We understand you may not want everyone in the world to have the information you share on Facebook; that is why we give you control of your information. Our default privacy settings limit the information displayed in your profile to your school, your specified local area, and other reasonable community limitations that we tell you about.
Facebook Privacy Policy circa 2007:

Profile information you submit to Facebook will be available to users of Facebook who belong to at least one of the networks you allow to access the information through your privacy settings (e.g., school, geography, friends of friends). Your name, school name, and profile picture thumbnail will be available in search results across the Facebook network unless you alter your privacy settings.

Facebook Privacy Policy circa November 2009:

Facebook is designed to make it easy for you to share your information with anyone you want. You decide how much information you feel comfortable sharing on Facebook and you control how it is distributed through your privacy settings. You should review the default privacy settings and change them if necessary to reflect your preferences. You should also consider your settings whenever you share information.

...

Information set to "everyone" is publicly available information, may be accessed by everyone on the Internet (including people not logged into Facebook), is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations. The default privacy setting for certain types of information you post on Facebook is set to "everyone." You can review and change the default settings in your privacy settings.

Facebook Privacy Policy circa December 2009:

Certain categories of information such as your name, profile photo, list of friends and pages you are a fan of, gender, geographic region, and networks you belong to are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings. You can, however, limit the ability of others to find this information through search using your search privacy settings.
Current Facebook Privacy Policy, as of April 2010:

When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends' names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting.

...

The default privacy setting for certain types of information you post on Facebook is set to "everyone."

...

Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.

Viewed together, the successive policies tell a clear story. Facebook originally earned its core base of users by offering them simple and powerful controls over their personal information. As Facebook grew larger and became more important, it could have chosen to maintain or improve those controls. Instead, it's slowly but surely helped itself -- and its advertising and business partners -- to more and more of its users' information, while limiting the users' options to control their own information.

From rforno at infowarrior.org Thu Apr 29 12:40:54 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Apr 2010 08:40:54 -0400
Subject: [Infowarrior] - All of Gopherspace as a single download
Message-ID: <4FB4018B-D6FD-4207-B776-E3D6F165759E@infowarrior.org>

All of Gopherspace as a single download
Cory Doctorow at 3:32 AM April 29, 2010

In 2007, John Goerzen scraped every gopher site he could find (gopher was a menu-driven text-only precursor to the Web; I got my first online gig programming gopher sites). He saved 780,000 documents, totalling 40GB. Today, most of this is offline, so he's making the entire archive available as a .torrent file; the compressed data is only 15GB. Wanna host the entire history of a medium? Here's your chance!
http://www.boingboing.net/2010/04/29/all-of-gopherspace-a.html

From rforno at infowarrior.org Thu Apr 29 12:52:49 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Apr 2010 08:52:49 -0400
Subject: [Infowarrior] - DOJ Subpoenas NYT Reporter Over Book on C.I.A.
Message-ID:

April 28, 2010
U.S. Subpoenas Times Reporter Over Book on C.I.A.
By CHARLIE SAVAGE
http://www.nytimes.com/2010/04/29/us/29justice.html

WASHINGTON -- The Obama administration is seeking to compel a writer to testify about his confidential sources for a 2006 book about the Central Intelligence Agency, a rare step that was authorized by Attorney General Eric H. Holder Jr.

The author, James Risen, who is a reporter for The New York Times, received a subpoena on Monday requiring him to provide documents and to testify May 4 before a grand jury in Alexandria, Va., about his sources for a chapter of his book, "State of War: The Secret History of the C.I.A. and the Bush Administration." The chapter largely focuses on problems with a covert C.I.A. effort to disrupt alleged Iranian nuclear weapons research.

Mr. Risen referred questions to his lawyer, Joel Kurtzberg, a partner at Cahill Gordon & Reindel L.L.P., who said that Mr. Risen would not comply with the demand and would ask a judge to quash the subpoena.

"He intends to honor his commitment of confidentiality to his source or sources," Mr. Kurtzberg said. "We intend to fight this subpoena."

The subpoena comes two weeks after the indictment of a former National Security Agency official on charges apparently arising from an investigation into a series of Baltimore Sun articles that exposed technical failings and cost overruns of several agency programs that cost billions of dollars.

The lead prosecutor in both investigations is William Welch II. He formerly led the Justice Department's public integrity unit, but left that position in October after its botched prosecution of Senator Ted Stevens of Alaska.

Matthew A. Miller, a Justice Department spokesman, declined to discuss the subpoena to Mr. Risen or to confirm its existence. "As a general matter, we have consistently said that leaks of classified information are a matter we take extremely seriously," he said.

Mr. Risen and a colleague won a Pulitzer Prize for a December 2005 New York Times article that exposed the existence of the National Security Agency's warrantless surveillance program. While many critics -- including Barack Obama, then a senator -- called that program illegal, the Bush administration denounced the article as a damaging leak of classified information and opened an investigation into its sources. No one has been indicted in that matter.

The second chapter in Mr. Risen's book provides a detailed description of the program. But Mr. Kurtzberg said the Justice Department was seeking information only about Mr. Risen's sources for the ninth chapter, which centers on the C.I.A.'s effort to disrupt Iranian nuclear research. That material did not appear in The Times.

The book describes how the agency sent a Russian nuclear scientist -- who had defected to the United States and was secretly working for the C.I.A. -- to Vienna in February 2000 to give plans for a nuclear bomb triggering device to an Iranian official under the pretext that he would provide further assistance in exchange for money. The C.I.A. had hidden a technical flaw in the designs.

The scientist immediately spotted the flaw, Mr. Risen reported. Nevertheless, the agency proceeded with the operation, so the scientist decided on his own to alert the Iranians that there was a problem in the designs, thinking they would not take him seriously otherwise.

Mr. Risen described the operation as reckless, arguing that Iranian scientists may have been able to "extract valuable information from the blueprints while ignoring the flaws." He also wrote that a C.I.A. case officer, believing that the agency had "assisted the Iranians in joining the nuclear club," told a Congressional intelligence committee about the problems, but that no action was taken.

It is not clear whether the Iranians had figured out that the Russian scientist had been working for the C.I.A. before publication of Mr. Risen's book.

The Bush administration had sought Mr. Risen's cooperation in identifying his sources for the Iran chapter of his book, and it obtained an earlier subpoena against him in January 2008 under Attorney General Michael B. Mukasey. But Mr. Risen fought the subpoena, and never had to testify before it expired last summer. That left it up to Mr. Holder to decide whether to press forward with the matter by seeking a new subpoena.

If a judge does not agree to quash the subpoena and Mr. Risen still refuses to comply, he risks being held in contempt of court. In 2005, a Times reporter, Judith Miller, was jailed for 85 days for refusing to testify in connection with the Valerie Plame Wilson leak case.

Department rules say prosecutors may seek such subpoenas only if the information they are seeking is essential and cannot be obtained another way, and the attorney general must personally sign off after balancing the public's interest in the news against the public's interest in effective law enforcement.

Congress is considering legislation that would let judges make that determination, giving them greater power to quash subpoenas to reporters. The Obama administration supports such a media-shield bill, and the House of Representatives has passed a version of it. But a Senate version has been stalled for months.
From rforno at infowarrior.org Thu Apr 29 13:59:23 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Apr 2010 09:59:23 -0400
Subject: [Infowarrior] - Symantec Buys PGP for $300M
Message-ID:

Symantec Buys Encryption Specialist PGP for $300M
By Jeremy Kirk, IDG News Service
http://www.pcworld.com/businesscenter/article/195217/symantec_buys_encryption_specialist_pgp_for_300m.html

Symantec will acquire encryption specialist PGP and endpoint security vendor GuardianEdge Technologies for US$300 million and $70 million respectively, the company said on Thursday.

Both are privately held companies. Symantec said the deals are subject to regulatory approval but are expected to close by June.

Symantec said the companies' combined specialties in standards-based encryption for e-mail, file systems, removable media and smartphones will complement its security offerings, such as its gateway, endpoint security and data-loss prevention software.

Encrypting information offers a higher level of security in case data is lost or stolen. Earlier this month, the U.K. increased the fine under the Data Protection Act for organizations that lose data to a maximum of £500,000 (US$765,000).

Symantec said it will standardize its products on PGP's key management platform, which allows administrators to centrally manage encryption tasks. That platform will be integrated into the Symantec Protection Center, a management console for its products.

GuardianEdge, which specializes in security for laptops, portable storage devices and smartphones, is already a partner of Symantec for its Endpoint Encryption product. The company has particular strength in the government market, Symantec said.

The two companies will become part of Symantec's Enterprise Security Group, headed by Francis deSouza, senior vice president.
From rforno at infowarrior.org Thu Apr 29 15:14:23 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Apr 2010 11:14:23 -0400
Subject: [Infowarrior] - Steve Jobs Open Letter on dumping Flash
Message-ID: <6D89F616-85D6-4114-9DBF-D8F2C5DA041E@infowarrior.org>

http://www.apple.com/hotnews/thoughts-on-flash/

Apple has a long relationship with Adobe. In fact, we met Adobe's founders when they were in their proverbial garage. Apple was their first big customer, adopting their Postscript language for our new Laserwriter printer. Apple invested in Adobe and owned around 20% of the company for many years. The two companies worked closely together to pioneer desktop publishing and there were many good times. Since that golden era, the companies have grown apart. Apple went through its near death experience, and Adobe was drawn to the corporate market with their Acrobat products. Today the two companies still work together to serve their joint creative customers -- Mac users buy around half of Adobe's Creative Suite products -- but beyond that there are few joint interests.

I wanted to jot down some of our thoughts on Adobe's Flash products so that customers and critics may better understand why we do not allow Flash on iPhones, iPods and iPads. Adobe has characterized our decision as being primarily business driven -- they say we want to protect our App Store -- but in reality it is based on technology issues. Adobe claims that we are a closed system, and that Flash is open, but in fact the opposite is true. Let me explain.

First, there's "Open".

Adobe's Flash products are 100% proprietary. They are only available from Adobe, and Adobe has sole authority as to their future enhancement, pricing, etc. While Adobe's Flash products are widely available, this does not mean they are open, since they are controlled entirely by Adobe and available only from Adobe. By almost any definition, Flash is a closed system.

Apple has many proprietary products too.
Though the operating system for the iPhone, iPod and iPad is proprietary, we strongly believe that all standards pertaining to the web should be open. Rather than use Flash, Apple has adopted HTML5, CSS and JavaScript -- all open standards. Apple's mobile devices all ship with high performance, low power implementations of these open standards. HTML5, the new web standard that has been adopted by Apple, Google and many others, lets web developers create advanced graphics, typography, animations and transitions without relying on third party browser plug-ins (like Flash). HTML5 is completely open and controlled by a standards committee, of which Apple is a member.

Apple even creates open standards for the web. For example, Apple began with a small open source project and created WebKit, a complete open-source HTML5 rendering engine that is the heart of the Safari web browser used in all our products. WebKit has been widely adopted. Google uses it for Android's browser, Palm uses it, Nokia uses it, and RIM (Blackberry) has announced they will use it too. Almost every smartphone web browser other than Microsoft's uses WebKit. By making its WebKit technology open, Apple has set the standard for mobile web browsers.

Second, there's the "full web".

Adobe has repeatedly said that Apple mobile devices cannot access "the full web" because 75% of video on the web is in Flash. What they don't say is that almost all this video is also available in a more modern format, H.264, and viewable on iPhones, iPods and iPads. YouTube, with an estimated 40% of the web's video, shines in an app bundled on all Apple mobile devices, with the iPad offering perhaps the best YouTube discovery and viewing experience ever. Add to this video from Vimeo, Netflix, Facebook, ABC, CBS, CNN, MSNBC, Fox News, ESPN, NPR, Time, The New York Times, The Wall Street Journal, Sports Illustrated, People, National Geographic, and many, many others. iPhone, iPod and iPad users aren't missing much video.
Another Adobe claim is that Apple devices cannot play Flash games. This is true. Fortunately, there are over 50,000 games and entertainment titles on the App Store, and many of them are free. There are more games and entertainment titles available for iPhone, iPod and iPad than for any other platform in the world.

Third, there's reliability, security and performance.

Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don't want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.

In addition, Flash has not performed well on mobile devices. We have routinely asked Adobe to show us Flash performing well on a mobile device, any mobile device, for a few years now. We have never seen it. Adobe publicly said that Flash would ship on a smartphone in early 2009, then the second half of 2009, then the first half of 2010, and now they say the second half of 2010. We think it will eventually ship, but we're glad we didn't hold our breath. Who knows how it will perform?

Fourth, there's battery life.

To achieve long battery life when playing video, mobile devices must decode the video in hardware; decoding it in software uses too much power. Many of the chips used in modern mobile devices contain a decoder called H.264 -- an industry standard that is used in every Blu-ray DVD player and has been adopted by Apple, Google (YouTube), Vimeo, Netflix and many other companies.

Although Flash has recently added support for H.264, the video on almost all Flash websites currently requires an older generation decoder that is not implemented in mobile chips and must be run in software.
The difference is striking: on an iPhone, for example, H.264 videos play for up to 10 hours, while videos decoded in software play for less than 5 hours before the battery is fully drained.

When websites re-encode their videos using H.264, they can offer them without using Flash at all. They play perfectly in browsers like Apple's Safari and Google's Chrome without any plugins whatsoever, and look great on iPhones, iPods and iPads.

Fifth, there's Touch.

Flash was designed for PCs using mice, not for touch screens using fingers. For example, many Flash websites rely on "rollovers", which pop up menus or other elements when the mouse arrow hovers over a specific spot. Apple's revolutionary multi-touch interface doesn't use a mouse, and there is no concept of a rollover. Most Flash websites will need to be rewritten to support touch-based devices. If developers need to rewrite their Flash websites, why not use modern technologies like HTML5, CSS and JavaScript?

Even if iPhones, iPods and iPads ran Flash, it would not solve the problem that most Flash websites need to be rewritten to support touch-based devices.

Sixth, the most important reason.

Besides the fact that Flash is closed and proprietary, has major technical drawbacks, and doesn't support touch based devices, there is an even more important reason we do not allow Flash on iPhones, iPods and iPads. We have discussed the downsides of using Flash to play video and interactive content from websites, but Adobe also wants developers to adopt Flash to create apps that run on our mobile devices.

We know from painful experience that letting a third party layer of software come between the platform and the developer ultimately results in sub-standard apps and hinders the enhancement and progress of the platform. If developers grow dependent on third party development libraries and tools, they can only take advantage of platform enhancements if and when the third party chooses to adopt the new features.
We cannot be at the mercy of a third party deciding if and when they will make our enhancements available to our developers.

This becomes even worse if the third party is supplying a cross platform development tool. The third party may not adopt enhancements from one platform unless they are available on all of their supported platforms. Hence developers only have access to the lowest common denominator set of features. Again, we cannot accept an outcome where developers are blocked from using our innovations and enhancements because they are not available on our competitor's platforms.

Flash is a cross platform development tool. It is not Adobe's goal to help developers write the best iPhone, iPod and iPad apps. It is their goal to help developers write cross platform apps. And Adobe has been painfully slow to adopt enhancements to Apple's platforms. For example, although Mac OS X has been shipping for almost 10 years now, Adobe just adopted it fully (Cocoa) two weeks ago when they shipped CS5. Adobe was the last major third party developer to fully adopt Mac OS X.

Our motivation is simple -- we want to provide the most advanced and innovative platform to our developers, and we want them to stand directly on the shoulders of this platform and create the best apps the world has ever seen. We want to continually enhance the platform so developers can create even more amazing, powerful, fun and useful applications. Everyone wins -- we sell more devices because we have the best apps, developers reach a wider and wider audience and customer base, and users are continually delighted by the best and broadest selection of apps on any platform.

Conclusions.

Flash was created during the PC era -- for PCs and mice. Flash is a successful business for Adobe, and we can understand why they want to push it beyond PCs. But the mobile era is about low power devices, touch interfaces and open web standards -- all areas where Flash falls short.
The avalanche of media outlets offering their content for Apple?s mobile devices demonstrates that Flash is no longer necessary to watch video or consume any kind of web content. And the 200,000 apps on Apple?s App Store proves that Flash isn?t necessary for tens of thousands of developers to create graphically rich applications, including games. New open standards created in the mobile era, such as HTML5, will win on mobile devices (and PCs too). Perhaps Adobe should focus more on creating great HTML5 tools for the future, and less on criticizing Apple for leaving the past behind. Steve Jobs April, 2010 From rforno at infowarrior.org Thu Apr 29 22:11:14 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 29 Apr 2010 18:11:14 -0400 Subject: [Infowarrior] - USAF cyberspace badge guidelines released Message-ID: News > New Air Force cyberspace badge guidelines released http://www.af.mil/news/story.asp?id=123201885 4/27/2010 - PETERSON AIR FORCE BASE, Colo. (AFNS) -- Air Force Chief of Staff Gen. Norton A. Schwartz has approved the new cyberspace badge and associated wear criteria. In his Apr. 21 memorandum, General Schwartz set forth guidelines and addressed standard eligibility requirements for officers working in the cyberspace domain. Eligibility criteria for enlisted personnel are slated for release in a future message. Maj. Gen. Michael Basla, Air Force Space Command vice commander, who will wear the new badge, highlighted its significance. "The Air Force mission -- to fly, fight and win in air, space and cyberspace -- acknowledges the significance and interrelationship of our three operational domains in effective warfighting. The establishment of the Air Force cyberspace badge underscores the crucial operational nature of the cyberspace mission," General Basla said. Lt. Gen. William T. Lord, the Air Force's chief of warfighting integration and chief information officer said the new badge reflects the importance of cyber operations. 
"The Air Force's cyberspace operators must focus on operational rigor and mission assurance in order to effectively establish, control and leverage cyberspace capabilities," he said. "The new cyberspace operator badge identifies our cyberspace professionals with the requisite education, training and experience to operate in this new critical domain. The badge symbolizes this new operational mindset and the Air Force's commitment to operationalize the cyberspace domain."

The new badge is authorized in three levels: basic, senior and master. Badge level eligibility criteria are consistent with those listed in Air Force Instruction 36-2903, Dress and Personal Appearance of Air Force Personnel. The guidance for the cyberspace badge will be included in the next revision of the AFI.

Certain officers are "grandfathered" and eligible to wear the new badge. Officers converting from the 33S to the 17D Air Force Specialty Code on April 30 are authorized the basic cyberspace badge. Officers may continue to wear the communications and information badge at the authorized level until Oct. 1, 2011. Upon completing the Distance Learning Cyberspace Operations Transition Course -- the "X-course," Undergraduate Network Warfare Training or meeting criteria for upgrade, officers who earned the senior or master level communications and information badge are authorized to wear that same level of the cyberspace badge.

Officers from other AFSCs who have completed the X-course and have at least one year of cyberspace experience since Jan. 1, 2006, also are eligible to wear the cyberspace badge. The 17D career field manager is coordinating with Air Force Space Command's Space and Cyberspace Professional Management Office to identify eligible officers.

Beyond the grandfathering period, standard eligibility criteria will apply and officers will be identified in orders published by the commander of Air Force Space Command, who is responsible for cyberspace force development.
The AFSPC commander, in conjunction with the Air Staff functional authorities responsible for cyberspace-related specialties, will regularly approve authorization orders listing additional officers who have earned the badge.

The design element of the badge holds significant meaning. The lightning bolt wings signify the cyberspace domain while the globe signifies the projection of cyber power world-wide. The globe, combined with lightning bolt wings, signifies the Air Force's common communications heritage. The bolted wings, centered on the globe, are a design element from the Air Force seal signifying the striking power through air, space and cyberspace. The orbits signify the space dimension of the cyberspace domain.

The new badge is equal in precedence to the aeronautical and space badges. Those awarded multiples of the cyberspace, aeronautical and space badges must wear the cyberspace badge above the others while serving in a cyberspace billet.

From rforno at infowarrior.org Fri Apr 30 01:29:42 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Apr 2010 21:29:42 -0400
Subject: [Infowarrior] - Cyberattacks: Can Google -- or Uncle Sam -- protect you?
Message-ID: <02B2CDF4-86E5-4B9B-800C-A7BD0965A47D@infowarrior.org>

Cyberattacks: Can Google -- or Uncle Sam -- protect you?
US cybersecurity is weakened by our desire to keep government out of business.
By Walter Rodgers
posted April 29, 2010 at 9:46 am EDT
http://www.csmonitor.com/layout/set/print/content/view/print/297685

Washington -- Who can do a better job of protecting us from cyberthreats: private companies like Google, or Uncle Sam?

This was the question discussed at a recent event hosted by the Center for National Policy in Washington. It was one of those seminars that should have been attended by everyone who conducts business online. The views of the two experts on hand -- Doug Raymond of Google and Rob Knake of the Council on Foreign Relations --
echo the debate in Washington over regulating banks and Wall Street. And the stakes of a cybersecurity crisis are just as high as a financial crisis, if not higher. US consumers lose billions each year to viruses, spyware, and Internet scams, while global corporations lose even more. US defense networks are hit by 80,000 cyberattacks each year.

America's cybersecurity is undermined by our rigid insistence that the government stay out of the business of Internet firms. But this noninvolvement badly stings American businesses. It forfeits America's technological edge and cripples new innovation as cyberattacks from other countries siphon off our intellectual properties and profits.

The Internet industry has been telling the government to mind its own business for years. That effort got a boost last month when a federal court ruled that the Federal Communications Commission can't enforce "Net neutrality," the idea that broadband providers not be allowed to restrict access to any content providers. The ruling sidelined the FCC as a watchdog of broadband services, leaving it with almost no regulatory jurisdiction in that area. If this decision stands, said Mr. Knake, the Internet "will fundamentally be an unregulated and unregulatable industry unless Congress intervenes."

Google's Mr. Raymond said the federal government just can't move fast enough to meet the challenges Internet providers face from foreign cyberattacks. "The best people to stay ahead of the curve and come up with solutions are those who are on the ground managing those products day to day." Basically, that means: Leave industry free to manage its own products.

The FCC ruling is a short-term victory for some industry players, but it may hurt all of us in the long term by limiting Washington's ability to regulate the Web and keep it safe. It's also made mush of the constitutional power of Congress to "provide for the common Defence."
Instead of fighting the idea of government involvement, said Knake, the private sector needs to start to shape it. He noted that the chemical industry in recent years went to Congress and asked to be regulated. What evolved was just such a constructive partnership.

Raymond acknowledged that some collaboration between the Internet industry and government may be in order, although he insisted that private industry is quicker to identify the threat. The problem, he says, is that the cyberattacks now occur with such frequency that laws cannot be codified quickly enough for the federal government to weigh in.

Frequency indeed. Witness the inability of Google and other companies to protect their crown jewels from Chinese piracy a few months ago.

The Clinton administration suggested a public/private partnership to tend the Internet. The Bush administration reaffirmed that, as has the Obama administration. But President Obama has said he won't impose security standards on private companies. Meanwhile, cyberthreats are growing worse.

Part of the problem is that Internet firms behave as if they invented the Net -- a myth, says Knake. "The Internet was created in a wonderful partnership between the US government, the US academic community, and the US private sector." Then the floodgates opened, and now with considerable chutzpah, some firms seem to believe the Net has become their domain, a claim reinforced by April's federal court ruling.

The range of targets for cyberattacks is much bigger now -- probably too large for Google and its competitors to fight. And it's no longer just your PC but an array of devices that store your personal data and connect to the Web. Social-media sites like Facebook leave the unsuspecting terribly vulnerable. One major threat is called "Facebook phishing" where someone claiming to be your friend cons you into sharing your password.
More than 50 percent of these Facebook users employ the same password for their bank accounts, leaving them wide-open to theft.

Clearly, there are legitimate rights and privacy concerns if the government partners with Internet providers. And it's fair to ask how long it would be before we end up with government surveillance and monitoring of all American Web traffic. But foreign governments in league with foreign hackers already are exploiting that vulnerability. Russia, China, and even some European governments are bigger players on the Net than Washington.

Our current cyberinsecurity, left only to private Internet firms, is rendering American businesses victims of vast industrial espionage unlike anything we have previously experienced.

Walter Rodgers, a former senior international correspondent for CNN, writes a biweekly column.

From rforno at infowarrior.org Fri Apr 30 02:19:15 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Apr 2010 22:19:15 -0400
Subject: [Infowarrior] - Goldman may face Justice Department review
Message-ID: <46F9B0A3-6C9B-44B0-9F75-245782A32653@infowarrior.org>

Goldman may face Justice Department review
By Zachary A. Goldfarb
Washington Post Staff Writer
Friday, April 30, 2010; A14
http://www.washingtonpost.com/wp-dyn/content/article/2010/04/29/AR2010042904458_pf.html

The Securities and Exchange Commission has referred its investigation of Goldman Sachs to the Justice Department for possible criminal prosecution, less than two weeks after filing a civil securities fraud case against the firm, according to a source familiar with the matter.

Any probe by the Justice Department would be in a preliminary stage. No Goldman Sachs employees involved in the mortgage-related transactions that are the focus of the SEC case have been interviewed by Justice Department prosecutors or the FBI agents who often conduct probes on behalf of prosecutors, according to a source familiar with the matter.
The sources spoke on the condition of anonymity because they were not authorized to discuss the matter publicly.

The Justice Department usually investigates high-profile cases of securities fraud, but the threshold for criminal prosecution is significantly higher than that of civil cases. The SEC only files civil cases.

The Wall Street Journal and Bloomberg News reported Thursday night that the U.S. attorney's office in Manhattan had followed up on the request and opened a criminal probe. The office declined to comment.

"Given the recent focus on the firm, we're not surprised by the report of an inquiry," said Goldman spokesman Lucas Van Praag. "We would cooperate fully with any request for information."

It is rare for the government to indict a firm, and even the threat of criminal prosecution can doom a company. A criminal investigation destroyed the infamous Wall Street firm Drexel Burnham Lambert in the 1980s even though the firm settled with authorities. And although the Supreme Court ultimately overturned the conviction, accounting firm Arthur Andersen collapsed after facing criminal charges in connection with corporate corruption at Enron in 2002.

In that case, the justices said that lower courts had given juries far too broad guidelines by which to decide whether to convict the company. The decision, lawyers at the time said, would make it more difficult for prosecutors to bring criminal cases against corporations.

The SEC says the firm and employee Fabrice Tourre broke the law and committed fraud when they sold clients a complex investment linked to the value of home loans that was secretly designed to fail. Another firm, Paulson & Co., a hedge fund, helped Goldman create the investment and planned to bet against it. But the SEC says the relationship was not disclosed to Goldman's clients, ACA Financial Guaranty and the German bank IKB.

Goldman has rejected charges that it committed securities fraud. Tourre has also denied the charges.
Goldman says ACA and IKB were sophisticated investors, and disclosure of Paulson's role was not required.

Proving a criminal case could be challenging given that prosecutors must show "beyond a reasonable doubt" that Goldman and its employees committed fraud, compared to the threshold for a civil case, which requires a "preponderance of evidence." Under civil law, the SEC does not have to prove that Goldman set out to defraud investors -- only that it did. But criminal law would require prosecutors to show that Goldman maliciously planned to mislead its investors.

Since the SEC filed its lawsuit earlier this month, securities lawyers have debated the merits of the agency's case. Most agree that it represents an ambitious legal theory, saying the bar to show that Paulson's role was relevant would be high, because the financial firms were big and engaged in speculative betting. Goldman also says ACA was told about Paulson's role, and the firm has written a letter to its investors strongly suggesting that was the case.

The Justice Department suffered a setback earlier this year when a case against two Bear Stearns hedge fund managers failed. A jury rejected securities fraud charges against the hedge fund managers, who ran funds linked to subprime mortgages, after presenting evidence that the men knew about risks in the market but did not disclose these to investors. The SEC is still pursuing the Bear Stearns case.

From rforno at infowarrior.org Fri Apr 30 11:10:03 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 30 Apr 2010 07:10:03 -0400
Subject: [Infowarrior] - DRM free movie store
Message-ID: <43689097-072E-4405-8ED7-2092380DF9A8@infowarrior.org>

I like their terms of use -- about retroactive DRM-free and so forth. Not necessarily the latest and greatest hits, but I'm sure people can find something there to catch their interest and support someone other than the Hollywood cartels!!
(Disclosure: I receive no compensation for this 'plug')

-rick

EZTakes: 5,000+ strong DRM-free online video store
Cory Doctorow at 3:54 AM April 30, 2010
http://www.boingboing.net/2010/04/30/eztakes-5000-strong.html

When I co-founded EZTakes, my intention was to create a movie download service that encrypted content with DRM. But after hearing Cory give a speech on DRM at a 2005 indie film conference in Montreal, I decided to launch a DRM-free service. I've continued the fight ever since.

Today, we offer about 5,000 DRM-free feature films that we licensed from over 80 distributors and studios. We've focused on finding the great movies you used to get at that quirky corner video store (when it was in business), and can't find among all the rows of "Avatar" at Wal-Mart. Our catalog includes classics such as Fellini's "La Dolce Vita," movie riffs like the entire Cinematic Titanic (former Mystery Science Theater 3K crew) collection, indie films like "Super Size Me," and campy/cult films such as "Plan 9" and "Jesus Christ Vampire Hunter." Our revenue has grown steadily, and the vast majority of our content partners are pleased with the income they get from us.

We've also rejected the ridiculous restrictions that other download services seek to impose on paying customers. From our Terms of Use:

"EZTakes shall not take away, nor attempt to take away, rights related to your use of Content as a consumer, including but not limited to, 'first sale' and 'fair use' rights in the USA, or similar rights held by consumers outside the USA. If we ever say anything different, the foregoing shall take precedence."

You can read our entire Terms of Use on our Web site.

We've just re-launched our site with a host of new features.
Now when you buy a title from us, you almost always get: a tiny MP4 that plays on most smart phones; a high-quality MP4 that plays on any iPad, iPhone or video-enabled iPod; a downloadable DVD (for some titles) that you can burn and play on DVD players; and you can stream your purchase immediately, even while other versions download (broadband connection permitting). As an added benefit, iPhone and Android users can login to our mobile site (http://m.eztakes.com) to get their purchases streamed to their mobile phones (no download required). We also let our customers re-download, even if it's far into the future.

So, I think it's safe to say that we've bent over backwards to give consumers reasons to buy. The "scarce value" we provide is our service, which lets our customers easily enjoy their content when, where and how they want.

It hasn't been easy. We've flirted with DRM. Just last year two major Hollywood studios offered us large catalogs of films, with no upfront payment, if we'd just use a certain vendor's DRM. Last week we walked away from a contract with a large media company because they wanted us to charge for re-downloads. Last year we ditched a deal (after spending tens of thousands on legal fees) when a well-known media company changed their mind at the 11th hour and told us they wanted DRM (even on trailers!).

IMPORTANT: If you look at the EZTakes site from outside the USA, you won't automatically see our entire catalog. Although we've tried, we couldn't always get world-wide rights. Many of our content partners had pre-existing deals with distributors in various territories.
From rforno at infowarrior.org Fri Apr 30 13:12:16 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 30 Apr 2010 09:12:16 -0400
Subject: [Infowarrior] - WH Releases Public Comments On IP Enforcement
Message-ID:

White House Releases Public Comments On IP Enforcement
http://techdirt.com/articles/20100428/2358239231.shtml

From rforno at infowarrior.org Fri Apr 30 13:22:34 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 30 Apr 2010 09:22:34 -0400
Subject: [Infowarrior] - Dems spark alarm with call for national ID card
Message-ID:

Dems spark alarm with call for national ID card
By Alexander Bolton - 04/30/10 06:00 AM ET
http://thehill.com/homenews/senate/95235-democrats-spark-alarm-with-call-for-national-id-card

A plan by Senate Democratic leaders to reform the nation's immigration laws ran into strong opposition from civil liberties defenders before lawmakers even unveiled it Thursday.

Democratic leaders have proposed requiring every worker in the nation to carry a national identification card with biometric information, such as a fingerprint, within the next six years, according to a draft of the measure.

The proposal is one of the biggest differences between the newest immigration reform proposal and legislation crafted by late Sen. Edward Kennedy (D-Mass.) and Sen. John McCain (R-Ariz.).

The national ID program would be titled the Believe System, an acronym for Biometric Enrollment, Locally stored Information and Electronic Verification of Employment. It would require all workers across the nation to carry a card with a digital encryption key that would have to match work authorization databases.

"The cardholder's identity will be verified by matching the biometric identifier stored within the microprocessing chip on the card to the identifier provided by the cardholder that shall be read by the scanner used by the employer," states the Democratic legislative proposal.
The American Civil Liberties Union, a civil liberties defender often aligned with the Democratic Party, wasted no time in blasting the plan.

"Creating a biometric national ID will not only be astronomically expensive, it will usher government into the very center of our lives. Every worker in America will need a government permission slip in order to work. And all of this will come with a new federal bureaucracy -- one that combines the worst elements of the DMV and the TSA," said Christopher Calabrese, ACLU legislative counsel.

"America's broken immigration system needs real, workable reform, but it cannot come at the expense of privacy and individual freedoms," Calabrese added.

The ACLU said "if the biometric national ID card provision of the draft bill becomes law, every worker in America would have to be fingerprinted."

A source at one pro-immigration reform group described the proposal as "Orwellian."

But Senate Democratic Whip Dick Durbin (Ill.), who has worked on the proposal and helped unveil it at a press conference Thursday, predicted the public has become more comfortable with the idea of a national identification card.

"The biometric identification card is a critical element here," Durbin said. "For a long time it was resisted by many groups, but now we live in a world where we take off our shoes at the airport and pull out our identification.

"People understand that in this vulnerable world, we have to be able to present identification," Durbin added. "We want it to be reliable, and I think that's going to help us in this debate on immigration."

Implementing a nationwide identification program for every worker will be a difficult task. The Social Security Administration has estimated that 3.6 million Americans would have to visit SSA field offices to correct mistakes in records or else risk losing their jobs.
Angela Kelley, vice president of immigration policy at the Center for American Progress, a liberal think tank, said the biometric identification provision "will give some people pause." But she applauded Democrats for not shying away from the toughest issues in the immigration reform debate.

"What I like about the outline is that Democrats are not trying to hide the ball or soft-pedal the tough decisions," Kelley said. "It seems a very sincere effort to get the conversation started. This is a serious effort to get Republicans to the table."

Reform Immigration for America, a pro-immigrant group, praised Democrats for getting the discussion started but said the framework fell short.

"The proposal revealed today [Thursday] is in part the result of more than a year of bipartisan negotiations and represents a possible path forward on immigration reform," the group said in a statement. "This framework is not there yet."

Democrats and pro-immigration groups will now begin to put pressure on Republicans to participate in serious talks to address the issue. The bipartisan effort in the Senate suffered a serious setback when Sen. Lindsey Graham (R-S.C.) pulled back from talks with Sen. Charles Schumer (D-N.Y.).

"We call on Republican Senators to review this framework and sit down at the negotiating table in good faith," Reform Immigration for America said in a statement. "This is a national problem that requires a federal solution and the input of leaders in both parties."

Durbin said Democratic leaders are trying to recruit other Republican partners.

"We're making a commitment to establishing a framework to work toward comprehensive immigration reform, and I think it's a good framework and now we're engaging our friends on the other side of the aisle to join us in this conversation," Durbin said.
From rforno at infowarrior.org Fri Apr 30 18:56:16 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 30 Apr 2010 14:56:16 -0400
Subject: [Infowarrior] - USAF caught in own Transformers 3 phishing net
Message-ID:

The quote at the end is brilliant - wonder if it was intentional or just coincidence!! :)

-rick

US Air Force phishing test transforms into a problem
Rumors that "Transformers 3" will be filmed in Guam start after a phishing exercise goes viral
By Robert McMillan, IDG News Service
April 29, 2010 08:41 PM ET
http://www.networkworld.com/news/2010/043010-us-air-force-phishing-test.html

Sorry Airman Supershaggy, "Transformers 3" is not coming to Andersen Air Force Base. And by the way, you've been phished.

Security testers at the Guam Air Force base's 36th Communications Squadron had to send out a clarification notice on Monday after an in-house test -- called an operational readiness exercise (ORE) in Air Force parlance -- of how airmen would respond to a phishing e-mail worked out a little too well.

The e-mail said that crews were going to start filming "Transformers 3" on Guam and invited airmen to fill out applications on a Web site if they wanted to work the shoot. The Web site then asked them for sensitive information.

This type of in-house phishing exercise is a routine occurrence in the military and in major corporations, and is generally seen as a good way of promoting security awareness. But in Andersen's case, the information in the phishing e-mail started leaking to the civilian world.

"Unfortunately, many of Andersen's personnel responded to this inject and submitted their personal information to the Web site, and forwarded the information outside of Andersen," the Air Force base said in a statement.

Supershaggy was one of them. "I'm an Airman in the world's greatest air, space and cyberspace force on Guam," he wrote in a Sunday posting to the Scooper section of Comicbookmovie.com.
"I received an email stating that Dreamworks is looking for 20 airmen from Andersen to be extras."

The rumor soon spread to other Transformers fan sites, including Seibertron.com and Tformers.com.

The Transformers movies, directed by Michael Bay, are successful Hollywood blockbusters that depict a futuristic war between alien robots. The third installment in the franchise is expected next year. Shooting is slated to happen all over the world -- in China, Moscow and Africa -- but not in Guam.

As the rumor spread that the hotly anticipated film was coming to Guam, local media started calling the base, which then began the work of setting the record straight.

"Leadership from Andersen AFB regrets that there has been any confusion in the general public regarding this exercise phishing attempt," Andersen said in a statement. "We hope however that this will show that all individuals need to be careful about the real danger of phishing emails and that others can learn from this exercise."

This isn't the first time that some type of unforeseen consequence has come of a security training exercise. In August, a test of a bank's computer systems prompted the federal agency chartered with overseeing the nation's credit unions to issue a fraud alert. The "fraud" was actually a sanctioned penetration testing exercise conducted by security firm MicroSolved.

Organizations conducting these drills need to first make sure that they're spelled out in company policies, and they need to think carefully about what the phishing e-mail promises, said Sherri Davidoff, a consultant with Lake Missoula Group who conducts this type of test for the financial services industry. Often, she tries to trick employees into divulging information by offering raffles for free iPods or promising a cash bonus. "If you're not careful, then afterwards if they find out they're not really getting an iPod or they're not getting a bonus, they can get really angry."
She also recommends notifying employees very soon after the test is run. "If it's not carefully managed, it can backfire," she said. "People feel bad when they fall for these things and if you want to keep a company secure, you don't want to have a whole bunch of disgruntled employees."

On the other hand, she believes that this type of testing is very effective in preventing so-called social engineering attacks, such as phishing. "People should realize that those e-mails have more than meets the eye," she said.

The IDG News Service is a Network World affiliate.