From rforno at infowarrior.org Mon Feb 1 01:52:53 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 31 Jan 2010 20:52:53 -0500
Subject: [Infowarrior] - Amazon Concedes on Electronic Book Pricing
Message-ID:

February 1, 2010

Amazon Concedes on Electronic Book Pricing
By BRAD STONE and MOTOKO RICH
http://www.nytimes.com/2010/02/01/technology/companies/01amazonweb.html?hp=&pagewanted=print

In a fight over the price of electronic books, Amazon.com has blinked.

On Friday, Amazon.com shocked the publishing world when it pulled both the digital and physical books of Macmillan, the large international publisher, after Macmillan said it planned to begin setting higher prices for its e-books. Until now, Amazon has been setting e-book prices itself, and has established $9.99 as the common price for new releases and best-sellers.

But in a message to its customers posted to its Web site on Sunday afternoon, Amazon said that while it strongly disagreed with Macmillan's stance, it would concede to the publisher.

"We have expressed our strong disagreement and the seriousness of our disagreement by temporarily ceasing the sale of all Macmillan titles," Amazon said. "We want you to know that ultimately, however, we will have to capitulate and accept Macmillan's terms because Macmillan has a monopoly over their own titles, and we will want to offer them to you even at prices we believe are needlessly high for e-books."

The message went on to suggest that Amazon customers may rebel against such a high price for books that cost far less to distribute than physical books.

"We don't believe that all of the major publishers will take the same route as Macmillan. And we know for sure that many independent presses and self-published authors will see this as an opportunity to provide attractively priced e-books as an alternative," Amazon's online message said.

Macmillan officials were not immediately reached for comment on Sunday.
From rforno at infowarrior.org Mon Feb 1 14:53:28 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 1 Feb 2010 09:53:28 -0500
Subject: [Infowarrior] - Book Review: 'The Bell Ringers'
Message-ID:

Book World: Patrick Anderson reviews 'The Bell Ringers' by Henry Porter

By Patrick Anderson
Special to The Washington Post
Monday, February 1, 2010; C02
http://www.washingtonpost.com/wp-dyn/content/article/2010/01/31/AR2010013101840_pf.html

THE BELL RINGERS
By Henry Porter
Atlantic Monthly. 402 pp. $24

George Orwell's classic dystopian novel, "Nineteen Eighty-Four," was published in 1949 and presented a future, totalitarian England in which all-powerful Thought Police demanded total devotion to the nation's supreme leader, Big Brother. War was peace in this world, lies were truth, and the individual had no rights whatsoever. It's a powerful novel, a milestone, but Orwell, deeply influenced by the evil of Joseph Stalin, painted in broad strokes. In fact, 1984 came and went without his political fears being realized, at least in the English-speaking nations.

English journalist Henry Porter's "The Bell Ringers" (published in England last year as "The Dying Light") is one of many novels that have attempted to update "Nineteen Eighty-Four" -- and one of the more impressive. But while Orwell offered a worst-case scenario of what could happen 35 years in the future, Porter is writing about what, as he sees it, is already starting to happen. He declares in an afterword to his novel, "I have not made anything up: the law is all there, ready and waiting . . . a fact that very few people in Britain perhaps appreciate." He has in mind not only the reality of England's ubiquitous surveillance cameras, but laws making possible "the suspension of travel, seizing of property, forced evacuation, special courts and arbitrary detention and arrest."
In Porter's fictional England, a cynical and ruthless -- but outwardly genial -- prime minister named John Temple is creating "an utterly new species of vindictive technological totalitarianism." In Orwell's novel, the government used two-way "telescreens" that delivered Big Brother's messages and spied on the homes of viewers. In Porter's near future -- no year is given -- the technology is far more advanced. Not only are all calls and computers monitored, but the government has supercomputers that can pull together financial statements, medical records, credit-card spending, school grades, travel records and much else about every citizen. People can be judged disloyal simply by their spending, travel and associations. Porter's hero, David Eyam, warns that "this system has begun to presume to know the intentions of every mind in the country and is penalizing tens of thousands of people with increasing vindictiveness. You see, it allows no private realm. People can't exist inside themselves."

David Eyam (think "I Am") was once an adviser to the prime minister, but when he began to grasp the full extent of the government's surveillance program, he protested, was forced out and went underground. As the novel unfolds, he is leading a resistance movement and has obtained top-secret documents that he hopes will bring down Temple's corrupt government, which works closely with an equally corrupt American corporation. Eyam gains support from his onetime lover and close friend, lawyer Kate Lockhart, who helps organize the rebellion as he hides from government agents.

The early action takes place in a rural community where people are being harassed for refusing to carry the new national ID card. They are the "bell ringers" -- people who do ring bells in church but also are secretly fighting to protect civil liberties. The prime minister, Temple, wants to call a new election to consolidate his power, but first he wants to crush the opposition.
When an outbreak of red algae occurs in several reservoirs -- probably from natural causes -- Temple declares it a terrorist plot, suspends the constitution, and fills London with soldiers and detention camps. When one patriot insists that people won't tolerate mass arrests, another, more of a pessimist, says, "That's the pity of it . . . they'll think the government is protecting them. They'll be reassured." That, finally, is the question: Do people care?

This is a sophisticated, engrossing and important political thriller. Porter wants us to see that the same technological tools that can be used to fight terrorism or to make government more efficient can also, in the wrong hands, be used to destroy freedom.

Perhaps Porter's most important updating of Orwell is to show how corporate money might work with political corruption to create a dictatorship behind a democratic facade. The American corporation in this novel supports charities and think tanks, but it also makes the supercomputers that endanger civil liberties, pays huge bribes to the prime minister and his top aides, and provides hit men to dispose of critics. Far-fetched? Alarmist? Who can say? Recent events suggest that we in America have at least as much reason to fear corporate encroachment on democracy as do our cousins across the Atlantic.

Anderson reviews mysteries and thrillers regularly for The Post.

From rforno at infowarrior.org Mon Feb 1 22:27:28 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 1 Feb 2010 17:27:28 -0500
Subject: [Infowarrior] - UN calls for global cyber treaty
Message-ID:

Once again, we hear rumblings of "internet drivers' licenses" as part of any 'solutions' to 'protect' the net.....
-rf

UN calls for global cyber treaty
http://www.zdnet.com.au/news/security/soa/UN-calls-for-global-cyber-treaty/0,130061744,339300673,00.htm?omnRef=1337

By AAP
01 February 2010 10:07 AM
Tags: un, treaty, security, google, china, cyber, war, attack

The world needs a treaty to prevent cyber attacks becoming an all-out war, the head of the main UN communications and technology agency has warned.

International Telecommunications Union secretary general Hamadoun Toure gave his warning on Saturday at a World Economic Forum debate where experts said nations must now consider when a cyber attack becomes a declaration of war.

With attacks on Google from China a major talking point in Davos, Toure said the risk of a cyber conflict between two nations grows every year. He proposed a treaty in which countries would engage not to make the first cyber strike against another nation.

"A cyber war would be worse than a tsunami -- a catastrophe," the UN official said, highlighting examples such as attacks on Estonia last year.

He proposed an international accord, adding: "The framework would look like a peace treaty before a war."

Countries should guarantee to protect their citizens and their right to access to information, promise not to harbour cyber terrorists and "should commit themselves not to attack another".

John Negroponte, former director of US intelligence, said intelligence agencies in the major powers would be the first to "express reservations" about such an accord.

Susan Collins, a US Republican senator who sits on several senate military and home affairs committees, said the prospect of a cyber attack sparking a war was now being considered in the United States.

"If someone bombed the electric grid in our country and we saw the bombers coming in it would clearly be an act of war.

"If that same country uses sophisticated computers to knock out our electricity grid, I definitely think we are getting closer to saying it is an act of war," Collins said.
Craig Mundie, chief research and strategy officer for Microsoft, said "there are at least 10 countries in the world whose internet capability is sophisticated enough to carry out cyber attacks ... and they can make it appear to come from anywhere."

"The internet is the biggest command and control centre for every bad guy out there," he said.

The head of online security company McAfee told another Davos debate on Friday that China, the United States, Russia, Israel and France were among 20 countries locked in a cyberspace arms race and gearing up for possible internet hostilities.

Mundie and other experts have said there is a growing need to police the internet to clampdown on fraud, espionage and the spread of viruses.

"People don't understand the scale of criminal activity on the internet. Whether criminal, individual or nation states, the community is growing more sophisticated," the Microsoft executive said.

"We need a kind of World Health Organisation for the internet," he said.

He also called for a "driver's licence" for internet users. "If you want to drive a car you have to have a licence to say that you are capable of driving a car, the car has to pass a test to say it is fit to drive and you have to have insurance."

From rforno at infowarrior.org Tue Feb 2 01:15:20 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 1 Feb 2010 20:15:20 -0500
Subject: [Infowarrior] - Microsoft's Police State Vision? Exec Calls for Internet "Driver's Licenses"
References: <8556CBC4-E332-475E-A63D-9ACD12B0940B@farber.net>
Message-ID: <8BC37FD4-B999-4920-8DEF-7DCF7EF06327@infowarrior.org>

February 01, 2010

Microsoft's Police State Vision? Exec Calls for Internet "Driver's Licenses"
http://lauren.vortex.com/archive/000676.html

Greetings.
About a week ago, in Google and the Battle for the Soul of the Internet, I noted that:

Even here in the U.S., one of the most common Internet-related questions that I receive is also one of the most deeply disturbing: Why can't the U.S. require an Internet "driver's license" so that there would be no way (ostensibly) to do anything anonymously on the Net? After I patiently explain why that would be a horrendous idea, based on basic principles of free speech as applied to the reality of the Internet -- most people who approached me with the "driver's license" concept seem satisfied with my take on the topic, but the fact that the question keeps coming up so frequently shows the depth of misplaced fears driven, ironically, by disinformation and the lack of accurate information.

So when someone who really should know better starts to push this sort of incredibly dangerous concept, it's time to bump up to orange alert at a minimum, and the trigger is no less than Craig Mundie, chief research and strategy officer for Microsoft.

At the World Economic Forum in Davos two days ago, Mundie explicitly called for an "Internet Driver's License": "If you want to drive a car you have to have a license to say that you are capable of driving a car, the car has to pass a test to say it is fit to drive and you have to have insurance."

When applied to the Internet, this is the kind of logic that must gladden the heart of China's rulers, where Microsoft has already announced their continuing, happy compliance with the country's human-rights-abusive censorship regime.

Dictators present and past would all appreciate the value of such a license -- let's call it an "IDL" -- by its ability to potentially provide all manner of benefits to current or would-be police states. After all, a license implies a goal of absolute identification and zero anonymity -- extremely valuable when trying to track down undesirable political and other free speech uttering undesirables.
And while the reality of Internet technology suggests that such identity regimes would be vulnerable to technological bypass and fascinating "joe job" identity-diversion schemes, criminal penalties for their use could be kept sufficiently draconian to assure that most of the population will be kowtowing compliantly.

I used the term "police state" in the text and title above, and I don't throw this concept around loosely. The Internet has become integral to the most private and personal aspects of our lives -- health, commerce, and entertainment to name just a few on an ever expanding list. While there are clearly situations on the Internet where we want and/or need to be appropriately identified, there are many more where identification is not only unnecessary but could be incredibly intrusive and subject to enormous abuse. And I might add, it is also inevitable that serious crooks would find ways around any Internet identification systems -- one obvious technique would be to divert blame to innocent parties through manipulation and theft of associated IDL identification credentials.

It was perhaps inevitable that the same "Hide! Here come the terrorists!" scare tactics used to promote easily thwarted naked airport scanners and domestic wiretapping operations, not to mention other PATRIOT and Homeland Security abuses, are now being repurposed in furtherance of gaining an iron grip on the communications technology -- the Internet -- that enables the truly free speech so terrifying to various governments around the world.

It's true that some persons advocating police state IDL concepts are not themselves in any way inherently evil -- they can for example be well-meaning but incredibly short-sighted.
However, I would be less than candid if I didn't admit that I'm disappointed, though not terribly surprised -- especially in light of Microsoft's explicit continuing support of Chinese censorship against human rights -- to hear a top Microsoft executive pushing a concept that is basic to making the Internet Police State a reality.

In the final analysis, evil is as evil does.

From rforno at infowarrior.org Tue Feb 2 13:12:49 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 2 Feb 2010 08:12:49 -0500
Subject: [Infowarrior] - Hacking for Fun and Profit in China's Underworld
Message-ID: <1690FEDC-9512-46A5-9A0C-1A43E9DC90D3@infowarrior.org>

February 2, 2010

Hacking for Fun and Profit in China's Underworld
By DAVID BARBOZA
http://www.nytimes.com/2010/02/02/business/global/02hacker.html?hp=&pagewanted=print

CHANGSHA, China -- With a few quick keystrokes, a computer hacker who goes by the code name Majia calls up a screen displaying his latest victims.

"Here's a list of the people who've been infected with my Trojan horse," he says, working from a dingy apartment on the outskirts of this city in central China. "They don't even know what's happened."

As he explains it, an online "trapdoor" he created just over a week ago has already lured 2,000 people from China and overseas -- people who clicked on something they should not have, inadvertently spreading a virus that allows him to take control of their computers and steal bank account passwords.

Majia, a soft-spoken college graduate in his early 20s, is a cyberthief. He operates secretly and illegally, as part of a community of hackers who exploit flaws in computer software to break into Web sites, steal valuable data and sell it for a profit.
Internet security experts say China has legions of hackers just like Majia, and that they are behind an escalating number of global attacks to steal credit card numbers, commit corporate espionage and even wage online warfare on other nations, which in some cases have been traced back to China.

Three weeks ago, Google blamed hackers that it connected to China for a series of sophisticated attacks that led to the theft of the company's valuable source code. Google also said hackers had infiltrated the private Gmail accounts of human rights activists, suggesting the effort might have been more than just mischief.

In addition to independent criminals like Majia, computer security specialists say there are so-called patriotic hackers who focus their attacks on political targets. Then there are the intelligence-oriented hackers inside the People's Liberation Army, as well as more shadowy groups that are believed to work with the state government.

Indeed, in China -- as in parts of Eastern Europe and Russia -- computer hacking has become something of a national sport, and a lucrative one. There are hacker conferences, hacker training academies and magazines with names like Hacker X Files and Hacker Defense, which offer tips on how to break into computers or build a Trojan horse, step by step. For less than $6, one can even purchase the "Hacker's Penetration Manual." (Books on hacking are also sold, to a lesser extent, in the United States and elsewhere.)

And with 380 million Web users in China and a sizzling online gaming market, analysts say it is no wonder Chinese youths are so skilled at hacking.

Many Chinese hackers interviewed over the last few weeks describe a loosely defined community of computer devotees working independently, but also selling services to corporations and even the military. Because it is difficult to trace hackers, exactly who is behind any specific attack and how and where they operate remains to a large extent a mystery, technology experts say.
And that is just the way Majia, the young Chinese hacker, wants it.

On condition that he not be identified by his real name, Majia agreed two weeks ago to allow a reporter to visit his modest home in a poor town outside Changsha, and watch him work. Slim and smartly dressed in black, Majia seemed eager to tell his story; like many hackers, he wants recognition for his hacking skills even as he prizes anonymity to avoid detection. The New York Times found him through another well-known hacker who belongs to a hacker group and vouched that Majia was skilled at what he did.

While Majia's claims, of course, cannot be verified, he is happy to demonstrate his hacking skills. He met a journalist at a cafe one night just over a week ago, and then invited him to his home, where he showed how he hacked into the Web site of a Chinese company. Once the Web site popped up on his screen, he created additional pages and typed the word "hacked" onto one of them.

Majia says he fell in love with hacking in college, after friends showed him how to break into computer systems during his freshman year. After earning a degree in engineering, he took a job with a government agency, largely to please his parents. But every night after work, he turns to his passion: hacking. He is consumed by the challenges it presents. He reads hacker magazines, swaps information with a small circle of hackers and writes malicious code. He uses Trojan horses to sneak into people's computers and infect them, so he can take control.

"Most hackers are lazy," he says, seated in front of a computer in his spare bedroom, which overlooks a dilapidated apartment complex. "Only a few of us can actually write code. That's the hard part."

Computer hacking is illegal in China. Last year, Beijing revised and stiffened a law that makes hacking a crime, with punishments of up to seven years in prison. Majia seems to disregard the law, largely because it is not strictly enforced.
But he does take care to cover his tracks.

Partly, he admits, the lure is money. Many hackers make a lot of money, he says, and he seems to be plotting his own path. Exactly how much he has earned, he won't say. But he does admit to selling malicious code to others; and boasts of being able to tap into people's bank accounts by remotely operating their computers.

Financial incentives motivate many young Chinese hackers like Majia, experts say. Scott J. Henderson, author of "The Dark Visitor: Inside the World of Chinese Hackers," said he had spent years tracking Chinese hackers, sometimes with financial help from the United States government. One Chinese hacker who broke into a United States government site later lectured on hacking at a leading university, Mr. Henderson said, and worked for China's security ministry. But recently, many have been seeking to profit from stealing data from big corporations, he said, or teaching others how to hijack computers.

"They make a lot of money selling viruses and Trojan horses to infect other people's computers," Mr. Henderson said in a telephone interview. "They also break into online gaming accounts, and sell the virtual characters. It's big money."

Majia lives with his parents, and his bedroom has little more than a desktop computer, a high-speed Internet connection and a large closet. The walls are bare. Most of his socializing occurs online, where he works from about 6:30 p.m. to 12:30 a.m., starting every evening by perusing computer Web sites like cnBeta.com. Asked why he doesn't work for a major Chinese technology company, he sneers at the suggestion, saying that it would restrain his freedom.

He even claims to know details of the Google attack. "That Trojan horse on Google was created by a foreign hacker," he says, indicating that the virus was then altered in China. "A few weeks before Google was hijacked, there was a similar virus. If you opened a particular page on Google, you were infected."
Oddly, Majia said his parents did not know that he was hacking at night. But at one point, he explained the intricacies of computer hacking and stealing data while his mother stood nearby, listening silently, while offering a guest oranges and candy.

Majia and his fellow hackers keep secret their knowledge of certain so-called zero-day vulnerabilities -- software flaws -- for future use, he says.

"Microsoft and Adobe have a lot of zero days," he said, while scanning Web sites at home. "But we don't publish them. We want to save them so that some day we can use them."

When asked whether hackers work for the government, or the military, he says "yes." Does he? No comment, he says.

Bao Beibei contributed research from Shanghai, and John Markoff contributed reporting from San Francisco.

From rforno at infowarrior.org Tue Feb 2 13:16:06 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 2 Feb 2010 08:16:06 -0500
Subject: [Infowarrior] - WH redefining 'homeland security'
Message-ID: <01D2221A-A59E-4489-8F1F-2C6D213CF5EC@infowarrior.org>

Obama officials present a strategic redefining of Homeland Security's mission
http://www.washingtonpost.com/wp-dyn/content/article/2010/02/01/AR2010020104087_pf.html

By Spencer S. Hsu
Washington Post Staff Writer
Monday, February 1, 2010; 11:44 PM

The Obama administration Monday delivered to Congress the nation's first Quadrennial Homeland Security Review, defining homeland security for the first time as including hazards beyond terrorism, in a strategic document intended to drive long-term budget decisions.

< - >

In July 2002, nearly a year before the Homeland Security Department was created under former president George W. Bush, a handful of advisers hastily drafted in private a 90-page national homeland security strategy. That document was later criticized for weakening the response to Hurricane Katrina by overemphasizing terrorism at the expense of natural disasters, and in October 2007, the Bush administration updated it.
The 2007 strategy still defined homeland security as "a concerted national effort to prevent terrorist attacks within the United States, reduce America's vulnerability to terrorism, and minimize the damage and recover from attacks that do occur." However, the document stated that effective preparation for "catastrophic natural disasters and man-made disasters" was also important to increasing security.

DHS took that shift further in a September 2008 strategic document, setting out a mission statement that acknowledged other "threats and hazards" and the department's role in securing borders "while welcoming lawful immigrants, visitors, and trade."

The Obama administration's review focuses on terrorism as the foremost of many threats, defining homeland security as "a concerted national effort to ensure a homeland that is safe, secure, and resilient against terrorism and other hazards, where American interests, aspirations, and way of life can thrive."

The QHSR lists five missions, backed by 14 specific goals: preventing terrorism and enhancing security, particularly against chemical, biological, nuclear and radiological threats; securing U.S. borders; enforcing the nation's immigration laws; securing cyberspace; and ensuring resilience to disasters.

By comparison, the 2007 national strategy update set four goals: prevention and disruption of terror attacks; protection of the public and critical assets; response to and recovery from incidents; and strengthening the nation's homeland security foundation.

The review states that preventing terrorism remains the cornerstone of homeland security, while it identifies other hazards, including mass cyberattacks, pandemics, natural disasters, illegal trafficking and transnational crime. The review notes the danger of complacency and restores the strategic aim of mitigating risks before disasters occur.
In a two-page introductory letter, President Obama's homeland security secretary, Janet Napolitano, highlighted what she called a broad national homeland security "enterprise," of which her department is only "one among many components." Key systems, such as computer networks and power plants, are privately controlled; state and local governments lead emergency responses to natural disasters; and other federal agencies investigate terrorism, Napolitano said.

"Homeland security will only be optimized when we fully leverage the distributed and decentralized nature of the entire enterprise in the pursuit of our common goals," Napolitano said.

From rforno at infowarrior.org Tue Feb 2 15:11:46 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 2 Feb 2010 10:11:46 -0500
Subject: [Infowarrior] - US plans crewless automated ghost-frigates
Message-ID:

Original URL: http://www.theregister.co.uk/2010/02/02/unmanned_frigates/

US plans crewless automated ghost-frigates
Mary Celeste class robot X-ships to prowl seas

By Lewis Page
Posted in Science, 2nd February 2010 14:15 GMT

Those splendid brainboxes at DARPA - the Pentagon's in-house bazaar of the bizarre - have outdone themselves this time. They now plan an entirely uncrewed, automated ghost frigate able to cruise the oceans of the world for months or years on end without human input.

The new project is called Anti-submarine warfare Continuous Trail Unmanned Vessel (ACTUV), and is intended to produce "an X-ship founded on the assumption that no person steps aboard at any point in its operating cycle". The uncrewed frigate would have enough range and endurance for "global, months long deployments with no underway human maintenance", being able to cross oceans largely without any human input - communications back to base would be "intermittent", according to DARPA.
In particular, the automated warship would need to avoid crashing into other vessels as it prowled the seas on the business of the US government, a function normally performed by bridge watchkeeping officers. DARPA specifies that the ACTUV must be able to conduct "safe navigation at sea within the framework of maritime law" - that is the International Rules for Prevention of Collisions at Sea, aka "Rule of the Road", which Royal Navy officers have to memorise almost word-perfect.

Then, while weaving in and out of other ships, the crewless frigate must be able to stay on the trail of a well-nigh silent diesel-electric submarine running beneath the waves. Such subs are operated - albeit in small numbers - by various minor powers around the world, and are considered by some in the major navies to be a very serious threat. DARPA's idea would be that every time such a sub put to sea or was otherwise at a known location, an ACTUV would be put onto its tail - freeing up hugely expensive manned ships and subs from routine shadowing work. The thinking is that following such a submarine is fairly easily done compared to finding it in the first place.

That might be true in this case, as DARPA specify that the ACTUV should be able to carry out "continuous overt trail of threat submarines", as opposed to following them secretly as manned US forces might. The robo-frigate would be able to simply get a lock on its prey using powerful active sonar, sending loud "pings" of sound into the sea and detecting the echoes from the sub. It could then hang close on the sub's tail where active sonar tracking is easy, as it would have "propulsive overmatch" - ie it would be much faster. Nuclear submarines can be speedy enough to lose a surface ship in some circumstances, but this isn't feasible for a diesel-electric boat.
Better still, there would be no need for expensive silencing on the ACTUV (of the sort seen on British Type 23 frigates, for instance) as it would expect to be using active sonar anyway.

But who would give the cocktail parties?

Normally, lurking right on top of a hostile sub making lots of noise would be seen as quite a dangerous plan for a frigate captain. Should an actual war break out, the sub might well be able to torpedo the ship before it could itself be destroyed. But this wouldn't be such a disastrous result in the case of an ACTUV. As DARPA puts it:

"A low cost, unmanned platform creates a disruptive change in ASW operational risk calculus."

Or in other words it doesn't matter too much if you lose the odd robo-frigate. Particularly as the enemy sub would then have to make a top-speed submerged dash away from the burning wreck of its ACTUV shadower, in order to avoid getting picked up again and promptly sunk by responding ships or aircraft.

Unfortunately for diesel-electric submarine captains, the sub's batteries are only good for one such sprint before running almost flat: which would leave it out of juice not far from the scene of its crime, unable to get further except maybe at a crawl. In theory it might put up a snorkel mast to run its diesels and recharge its batteries - or flee on the surface - but this would be very dangerous with hostile ships and aircraft about, as radar reaches much further and more reliably than sonar does.

All in all, quite a cunning idea then. Rule-of-the-road navigation should be easy enough to automate (for all that boneheaded officer trainees sometimes struggle to master it) and sonar tracking shouldn't be too hard when you can go as close in and make as much noise as you like.
And an unmanned ship should not only be cheaper to run, it might be possible to make it much cheaper to build - and yet offer better performance:

Conventional naval architecture should be examined in this unmanned system context, which in addition to recouping first order crew support overhead, may offer second order benefits such as relaxed reserve buoyancy margins, dynamic stability limits, and even new platform orientation assumptions. The objective is to demonstrate disproportionate platform capabilities in terms of speed, endurance, sea keeping, and maneuverability. The program will also maintain a strong focus on exploiting novel system architectures and internal arrangements enabled by being unmanned to explore new construction methods and maintenance approaches to achieve disproportionately low system procurement cost and efficient inter-deployment maintenance.

It certainly tends to bear out the view of those naval personnel who aren't frigate sailors by trade: that the only thing frigates really do which couldn't be done better by a robot is give show-the-flag cocktail parties in foreign ports.

No doubt that's an overly harsh assessment. Even so, with the coming crunch on government spending and aspirations to buy new carriers and jets to fly from them - not to mention the fact that crewed frigates are scarcely a very effective means of dealing with common-or-garden thugs with guns (http://www.foxnews.com/story/0,2933,260583,00.html) either - perhaps the Royal Navy too should be thinking along these lines.

Needless to say, it isn't (http://www.warisboring.com/?p=3525).

Meanwhile, it seems to us that there's only one possible name (http://www.smithsoniannetworks.com/site/smithsonian/show_mary.do ) for the first ghostly, crewless X-ship of the class. ®

Lewis Page spent 11 years in the Royal Navy, largely managing to stay out of frigates but not altogether.
Most of the time he was a mine-clearance diver - another field in which humans' jobs are under threat from robots (http://www.theregister.co.uk/2007/03/29/talisman_almost_a_miracle/ ).

From rforno at infowarrior.org Tue Feb 2 17:17:43 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 2 Feb 2010 12:17:43 -0500 Subject: [Infowarrior] - WH privacy oversight panel gets short shrift Message-ID: <83599A3A-EA28-4F41-9BF7-F882996899AC@infowarrior.org>

February 2, 2010, updated 08:13 a.m., February 2, 2010 Liberties oversight panel gets short shrift Eli Lake http://washingtontimes.com/news/2010/feb/02/liberties-oversight-panel-gets-short-shr-15642008//print/ President Obama is coming under pressure from Democrats and civil liberties groups for failing to fill positions on an oversight panel formed in 2004 to make sure the government does not spy improperly on U.S. citizens. The Privacy and Civil Liberties Oversight Board was recommended initially by the bipartisan September 11 commission as an institutional voice for privacy inside the intelligence community. Its charter was to recommend ways to mitigate the effects of far-reaching surveillance technology that the federal government uses to track terrorists. The panel was established in 2004 under the Bush administration as part of the executive office of the president. Its independence was unclear for several years. Congress responded by increasing the board's budget, expanding its powers and moving it outside the presidential executive office in 2007. Since taking office, Mr. Obama has allowed the board to languish. He has not even spent the panel's allocation from the fiscal 2010 budget. On Friday, two leading Democrats -- Rep. Bennie Thompson of Mississippi, chairman of the House Homeland Security Committee, and Rep. Jane Harman of California, chairman of that panel's subcommittee on intelligence, information sharing and terrorism risk assessment -- sent a letter to Mr. Obama demanding action.
"We write to urge you to appoint individuals to the Privacy and Civil Liberties Oversight Board immediately. Your FY2010 budget appropriates funds for this board, but it remains unfulfilled," the lawmakers wrote. The two Democrats noted that previous letters to Mr. Obama, including one from Mrs. Harman and Sen. Susan Collins, Maine Republican and ranking member of the Senate Homeland Security Committee, "remain unanswered." The lawmakers said the need for the oversight panel is particularly urgent in light of proposed changes to terrorist-screening rules at airports after the attempted Christmas Day attack on a Northwest jet bound for Detroit. "Given the recent events of December 25, 2009, and the prospective policy changes that will be made subsequent to this incident, including potential expansion of watch lists and widespread use of body-scanning technology, we believe that the Board will give an anxious public confidence that appropriate rights are respected," the lawmakers wrote. Ben Rhodes, deputy national security adviser for strategic communications, defended the administration's record in general but acknowledged the Democrats' criticisms and said the White House would soon act on them. "This president has made clear his commitment to civil liberties through the actions of his administration, and appreciates the congressional interest in this important issue. The White House has allocated funding for the civil liberties board, and looks forward to appointing its leadership soon," he said. Mr. Thompson and Mrs. Harman are not alone. Last week, the two former chairmen of the September 11 commission, in testimony before the Senate Homeland Security Committee, also urged Mr. Obama to staff the civil liberties panel. "You need somebody out here in the government that is checking everything that is done with regard to security, and asking themselves, can it be done better with a little more respect for privacy and civil liberties?" said former Rep. 
Lee Hamilton of Indiana, a Democrat who was chairman of the House International Relations Committee. Mr. Hamilton said that "if you have an argument today in the [intelligence] bureaucracy between the security people and the civil liberties people, I'll tell you who's going to win the argument. It'll be the security people every time." Former Gov. Thomas H. Kean, New Jersey Republican, said the civil liberties board "had disappeared." He added, "We have now a massive capacity in this country to develop data on individuals, and the board should be the champion of seeing that collection capabilities do not intrude into privacy and civil liberties." The Obama administration's inaction contradicts the White House's public message of being a civil liberties champion. In the first two days of the Obama administration, the White House outlawed enhanced interrogation that was not enumerated in the Army Field Manual and vowed to close the terrorist detention facility at U.S. Naval Base Guantanamo Bay, Cuba, within a year, though it has not met its deadline. Still, Mr. Obama has maintained some Bush-era precedents on civil liberties. For example, the Obama administration pressed a British court last year to keep secret details of how terrorism suspect Binyam Mohammed was treated while in U.S. and Pakistani custody. The administration also has embraced in some cases the concept of indefinite detention for some terrorism suspects apprehended during the Bush presidency, and it has increased the practice of targeted killings in Pakistan and Yemen through unmanned aerial vehicles. On the issue of surveillance, Mr. Obama during the presidential campaign voted for reauthorization of the Foreign Intelligence Surveillance Act, a bill criticized by the American Civil Liberties Union for providing only minimal court oversight to expansive electronic intelligence-collection programs. 
In many ways, the civil liberties oversight board was designed to mitigate the effects of the new technology, which in turn prompted Congress to reauthorize the foreign intelligence surveillance law. Lanny Davis said that when he served on the civil liberties board, he and the four other members were briefed on the terrorist surveillance program first disclosed to the public by the New York Times at the end of 2005. The board also was informed about the U.S. government's efforts to monitor financial interactions through the SWIFT database. Mr. Davis said FBI Director Robert S. Mueller III told the board personally about concerns over the sending of national security letters, secret administrative subpoenas that require no judicial approval, to businesses and corporations after Sept. 11, 2001. "The fact is, having civil libertarians taken into the confidence of the intelligence agencies is the best way to persuade Americans that we need these surveillance programs," Mr. Davis said. "Because if we say we are reassured, then Americans concerned about their privacy and civil liberties can be reassured." Mr. Davis resigned from the board in 2007 after a White House staffer edited the board's first report and did not give the members a chance to approve the edit. One edit included deleting a board recommendation seeking a presidential executive order that would strengthen the board's independence. The resignation of Mr. Davis prompted Congress in 2007 to reconstitute the board outside the office of the president but remain in the executive branch. Steven Aftergood, who heads the project on government secrecy for the Federation of American Scientists, said the board is still important in part because the courts have dismissed many of the challenges to government surveillance programs. "I think the board could help to resolve lingering disputes about the legality or propriety of various anti-terrorism policies," he said. 
Chris Calabrese, a legislative counsel for the ACLU, agreed. "This is clearly a black eye for the president's civil liberties record, that he has not appointed members to the civil liberties oversight board," he said. "The national security establishment represents more than 50,000 people and hundreds of billions of dollars. The fact there is no independent oversight board for that organization is deeply troubling." From rforno at infowarrior.org Tue Feb 2 17:20:25 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 2 Feb 2010 12:20:25 -0500 Subject: [Infowarrior] - Didn't The Entertainment Industry Insist ACTA Wouldn't Change US Law Message-ID: <54C1AA16-E5D2-4502-907A-E136BA4CF033@infowarrior.org> But, Wait, Didn't The Entertainment Industry Insist ACTA Wouldn't Change US Law? from the then-what's-this-about? dept It's been amusing watching the entertainment industry lobbyists try to come up with talking points in support of their most favored trade agreement du jour, ACTA. A popular one is that nothing in it can or will change US law. But, of course, if you talk to the folks who know how these things work in DC, you quickly learn that's hogwash. There wouldn't be any ACTA at all if it wasn't out to change the laws, and it wouldn't be so secretive if it was just designed to keep the status quo. Case in point, not that we know for sure because we're still not being told what's in the document, but various sources have confirmed that "three strikes" legislation that would kick file sharers off the internet based on accusations (not convictions) is on the agenda. That's not in US law, and according to all the ACTA defenders out there, it would be impossible for this to be on the agenda because, we're told, ACTA can't possibly change US law. Not at all. Except for the parts that do seem to require changing US law. 
http://techdirt.com/articles/20100201/1822517995.shtml

From rforno at infowarrior.org Tue Feb 2 18:43:29 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 2 Feb 2010 13:43:29 -0500 Subject: [Infowarrior] - PGP buys tech to offer trusted ID from the cloud Message-ID: <5B18DD1D-C3DB-476C-9946-9DAA7A2A479D@infowarrior.org>

PGP buys tech to offer trusted ID from the cloud By John Leyden Posted in Enterprise Security, 2nd February 2010 15:10 GMT http://www.theregister.co.uk/2010/02/02/pgp_trusted_id/ PGP Corporation has acquired privately-held TC TrustCenter and its US parent company, ChosenSecurity, as part of plans to offer trusted identity management services from the cloud. Terms of the transaction, announced Tuesday, were not disclosed. TC TrustCenter provides managed trust services for customers in the financial, car manufacture and utilities industries. This trust infrastructure supports applications including encryption, authentication, and secure collaboration. The technology supports PCs, servers, and mobile devices. PGP marketing manager Jamie Cowper explained that TC TrustCenter's technology provides "managed identities and certificates for individuals and servers/services". PGP reckons there is a neat fit between this "on-demand platform for managing trusted identities" and its line of disk encryption and data protection products. From a commercial perspective, the deal will allow PGP to better compete in the managed PKI market with the likes of Entrust and Verisign. "Trusted identities are a crucial component for data protection solutions that secure sensitive data," said Phillip Dunkelberger, president and chief exec of PGP Corporation. "With this acquisition, PGP Corporation is gaining an extensible platform that will dramatically accelerate its vision of delivering integrated data protection across vendors, technologies, and devices."
From rforno at infowarrior.org Tue Feb 2 20:24:04 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 2 Feb 2010 15:24:04 -0500 Subject: [Infowarrior] - DHS Quadrennial Review Report (PDF) Message-ID: <88AE5129-7FE1-4082-BDF0-5A366CBCB44E@infowarrior.org>

Here's a link to the Quadrennial Homeland Security Review Report .... same sort of thing as the QDR done in the Pentagon for the DOD every few years. http://homeland.house.gov/SiteDocuments/20100202095427-07430.pdf

From rforno at infowarrior.org Tue Feb 2 23:36:44 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 2 Feb 2010 18:36:44 -0500 Subject: [Infowarrior] - iPhones Vulnerable to New Remote Attack Message-ID: <65B678C2-D582-4BC3-A7D9-BCC572B0C7F0@infowarrior.org>

(A good friend and I wrote about this type of vuln nearly 10 years ago after Microsoft got burned by a similar technique with its Windows update process. History repeats itself farther down the Pacific coast, it seems. --rick)

iPhones Vulnerable to New Remote Attack By Dennis Fisher Created 02/02/2010 - 1:04pm http://threatpost.com/en_us/print/3030 There are several flaws in the way that the iPhone handles digital certificates which could lead to an attacker being able to create his own trusted certificate and entice users into downloading malicious files onto their iPhones. The attack is the end result of a number of different problems with the way that the iPhone handles over-the-air provisioning, trusted root certificates and configuration files. But the result of the attack is that a remote hacker may be able to change some settings on the iPhone and force all of the user's Web traffic to run through any server he chose and also to change the root certificate on the phone, enabling him to man-in-the-middle SSL traffic from the iPhone. The chain of vulnerabilities and the attack was outlined in an anonymous blog post on the iPhone flaws [2] on Friday.
Charlie Miller, an Apple security researcher at Independent Security Evaluators, said that the attack works, although it would not lead to remote code execution on the iPhone. "It definitely works. I downloaded the file and ran it and it worked," Miller said. "The only thing is that it warns you that the file will change your phone, but it also says that the certificate is from Apple and it's been verified." The problems start with the fact that the iPhone signs its own credentials using a certificate signed by Apple when it is requesting a configuration file from a remote server during the provisioning process. The only way to establish the validity of the Apple certificate is to verify each of the certificates that leads to the Apple root certificate authority, and that can only be done by getting the data from a jailbroken iPhone. Interestingly, the Apple root CA on top of the iPhone chain is not the same as the one published on the Apple web site. Fetching the root certificate published on Apple's web site [3] shows: Serial Number: 2 (0x2) CN=Apple Root CA keyid=2B:D0:69:47:94:76:09:FE:F4:6B:8D:2E:40:A6:F7:47:4D:7F:08:5E Different name (CN), different serial numbers (1 vs 2) but the same key id. It looks like somebody reused the same keyset to generate a second certificate. Hard to tell whether this is an oversight or intentional, but the fact is: you cannot technically relate an iPhone signature to the Apple root CA certificate published on their web site. Even with the same keyset, verification will fail because Subject and Serial are different. The iPhone by default will trust configuration files that it receives over the air or while connected to a PC, as long as the file is signed by a trusted implementation of the iPhone Configuration Utility, a desktop application used to create config files for iPhones. However, the iPhone also will accept a file that is signed by a signature-only certificate, which can be obtained fairly easily without any credentials.
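To see why "same keyset, different Subject and Serial" cannot be made to verify, here is an added Go example (not code from the article or from the anonymous researchers): it builds two self-signed roots from a single RSA key that differ only in CN and serial number, using the "Apple Root CA" and serial 2 values quoted above and a constructed name for the second root, then issues a signing certificate under the second root and checks it against the first. The raw signature check passes, because the key is the same, but RFC 5280 path validation, which links certificates by issuer name and key id rather than by key alone, does not.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Findings records what each kind of check says about a leaf issued under the device-side root.
type Findings struct {
	SameKeyID         bool // both roots carry the same Subject Key Identifier
	SignatureVerifies bool // raw signature check with the published root's key
	ChainsToPublished bool // path validation with the published root as anchor
	ChainsToDevice    bool // path validation with the root that really signed it
}

// mustCert parses CreateCertificate's output; this is demo code, so any failure is fatal.
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// makeRoot builds a self-signed CA over key. SubjectKeyId is left empty, so Go
// derives it from the public key (RFC 5280 method 1): two roots made from one
// key therefore share a key id even though CN and serial differ.
func makeRoot(key *rsa.PrivateKey, cn string, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// makeLeaf issues an end-entity signing certificate under parent. Go copies
// parent.SubjectKeyId into the leaf's AuthorityKeyId, so the AKI matches the
// key id of both roots; only the issuer name tells them apart.
func makeLeaf(parent *x509.Certificate, parentKey, leafKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "profile signer (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, parent, &leafKey.PublicKey, parentKey))
}

// chainsTo runs full path validation of leaf with anchor as the only trusted root.
// Path building links certificates by issuer name (plus key id), never by key
// alone, so an anchor with a different Subject is never even a candidate parent.
func chainsTo(leaf, anchor *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Run builds the constructed scenario. "Apple Root CA" and serial 2 are the values
// quoted in the article; the second root's CN is a constructed stand-in.
func Run() Findings {
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	published := makeRoot(rootKey, "Apple Root CA", 2)
	device := makeRoot(rootKey, "Device Root CA (constructed)", 1)
	leaf := makeLeaf(device, rootKey, leafKey)
	return Findings{
		SameKeyID:         bytes.Equal(published.SubjectKeyId, device.SubjectKeyId),
		SignatureVerifies: leaf.CheckSignatureFrom(published) == nil,
		ChainsToPublished: chainsTo(leaf, published),
		ChainsToDevice:    chainsTo(leaf, device),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Running it prints SameKeyID and SignatureVerifies as true but ChainsToPublished as false: a matching key id alone never makes a chain terminate at the published root.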
Apple has a list of 224 root certificates [4] that it trusts. As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer. They backed the certificate up to disk, then used iPCU to create a mobileconfig file called "Security Update," and attributed it to Apple Computer. They then exported it to disk without a signature as an XML file. They then signed the file and its CA trust chain and uploaded it to a Web server. Opening the file with Safari on an iPhone results in the phone trusting the configuration file. "To be successful, profile installation needs to be validated by the end-user. Unless they know about this flaw it is quite likely that a default end-user would trust an update that claims to be issued by Apple and indicated as trusted by the device. A bit of social engineering is needed to both get the user to click on the link and accept the profile installation," the researchers wrote. The mobileconfig file has the authority to change a number of things on the iPhone, including the default HTTP proxy and the root certificate. Miller was unable to verify that the file could change the iPhone's proxy settings. A real-world attack might involve the attacker enticing the user into clicking on a malicious URL either in an email or on a site, leading them to the site to download the configuration file. The user would see a dialogue box asking him whether he's sure he wants to install the file. If he accepts, the file downloads and takes whatever action is contained in the configuration profile. The attacker would not have the ability to run code on the iPhone, but he could take any number of other actions, Miller said. "You can make any part of the phone not work. You definitely don't get to run code, but there's lots of nasty things you can do. You can make applications not work, make it so that you can't remove this config file," Miller said.
"At the very least, you can make someone's day miserable." From rforno at infowarrior.org Wed Feb 3 14:30:24 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 3 Feb 2010 09:30:24 -0500 Subject: [Infowarrior] - US police want backdoor to Web users' private data Message-ID: Police want backdoor to Web users' private data by Declan McCullagh http://news.cnet.com/8301-13578_3-10446503-38.html?part=rss&subj=news&tag=2547-1_3-0-20 Anyone with an e-mail account likely knows that police can peek inside it if they have a paper search warrant. But cybercrime investigators are frustrated by the speed of traditional methods of faxing, mailing, or e-mailing companies these documents. They're pushing for the creation of a national Web interface linking police computers with those of Internet and e-mail providers so requests can be sent and received electronically. CNET has reviewed a survey scheduled to be released at a federal task force meeting on Thursday, which says that law enforcement agencies are virtually unanimous in calling for such an interface to be created. Eighty-nine percent of police surveyed, it says, want to be able to "exchange legal process requests and responses to legal process" through an encrypted, police-only "nationwide computer network." (See one excerpt and another.) The survey, according to two people with knowledge of the situation, is part of a broader push from law enforcement agencies to alter the ground rules of online investigations. Other components include renewed calls for laws requiring Internet companies to store data about their users for up to five years and increased pressure on companies to respond to police inquiries in hours instead of days. But the most controversial element is probably the private Web interface, which raises novel security and privacy concerns, especially in the wake of a recent inspector general's report (PDF) from the Justice Department. 
The 289-page report detailed how the FBI obtained Americans' telephone records by citing nonexistent emergencies and simply asking for the data or writing phone numbers on a sticky note rather than following procedures required by law. Some companies already have police-only Web interfaces. Sprint Nextel operates what it calls the L-Site, also known as the "legal compliance secure Web portal." The company even has offered a course that "will teach you how to create and track legal demands through L-site. Learn to navigate and securely download requested records." Cox Communications makes its price list for complying with police requests public; a 30-day wiretap is $3,500. The police survey is not exactly unbiased: its author is Frank Kardasz, who is scheduled to present it at a meeting (PDF) of the Online Safety and Technology Working Group, organized by the U.S. Department of Commerce. Kardasz, a sergeant in the Phoenix police department and a project director of Arizona's Internet Crimes Against Children task force, said in an e-mail exchange on Tuesday that he is still revising the document and was unable to discuss it. In an incendiary October 2009 essay, however, Kardasz wrote that Internet service providers that do not keep records long enough "are the unwitting facilitators of Internet crimes against children" and called for new laws to "mandate data preservation and reporting." He predicts that those companies will begin to face civil lawsuits because of their "lethargic investigative process." "It sounds very dangerous," says Lee Tien, an attorney with the Electronic Frontier Foundation, referring to the police-only Web interface. "Let's assume you set this sort of thing up. What does that mean in terms of what the law enforcement officer be able to do? Would they be able to fish through transactional information for anyone? I don't understand how you create a system like this without it." 
Kardasz's survey, based on questionnaires completed by 100 police investigators, says that 61 percent of them had their investigations harmed "because data was not retained" and only 40 percent were satisfied with the timeliness of responses from Internet providers. It also says: "89 percent of investigators agreed that a nationwide computer network should be established for the purpose of linking ISPs with law enforcement agencies so that they may exchange legal process requests and responses to legal process. Authorized users would communicate through encrypted virtual private networks in order to maintain the security of the data." Some of the responses to other questions: "AT&T is very prompt." "Cox Communications seems to be the worst." "Places like Yahoo can take a month for basic subscriber info which is also a problem." "AT&T Mobility does not keep a log at all." "MySpace give (sic) me the quickest response and they have been very pro-police." Hemanshu (Hemu) Nigam, MySpace's chief security officer, said in an interview with CNET on Tuesday that: "You can be very supportive of law enforcement investigations and at the same time be very cognizant and supportive of the privacy rights of our users. Every time a legal process comes in, whether it's a subpoena or a search order, we do a legal review to make sure it's appropriate." Nigam said that MySpace accepts law enforcement requests through e-mail, fax, and postal mail, and that it has a 24-hour operations center that tries to respond to requests soon after they've been reviewed to make sure state and federal laws are being followed. MySpace does not have a police-only Web interface, he said. Creating a national police-only network would be problematic, Nigam said. "I wish I knew the number of local police agencies in the country, or even police officers in the country," he said. "Right there that would tell you how difficult it would be to implement, even though ideally it would be a good thing."
Another obstacle to creating a nation-wide Web interface for cops--one wag has dubbed it "DragNet," and another "Porknet"--is that some of its thousands of users could be infected by viruses and other malware. Once an infected computer is hooked up to the national network, it could leak confidential information about ongoing investigations. Jim Harper, a policy analyst at the free-market Cato Institute, says that he welcomes the idea of a police-only Web interface as long as it's designed carefully. "A system like this should have strong logins, should require that the request be documented fully, and should produce statistical information so there can be strong oversight," he says. "I think that's a good thing to have." Declan McCullagh is a contributor to CNET News and a correspondent for CBSNews.com who has covered the intersection of politics and technology for over a decade. Declan writes a regular feature called Taking Liberties, focused on individual and economic rights; you can bookmark his CBS News Taking Liberties site, or subscribe to the RSS feed. You can e-mail Declan at declan at cbsnews.com.

From rforno at infowarrior.org Thu Feb 4 23:09:01 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 4 Feb 2010 18:09:01 -0500 Subject: [Infowarrior] - House Passes Cybersecurity Bill Message-ID: <23FCE366-8A30-451D-A7C6-A283DE26E7A1@infowarrior.org>

House Passes Cybersecurity Bill By JANIE LORBER http://thecaucus.blogs.nytimes.com/2010/02/04/house-passes-cybersecurity-bill/ February 4, 2010 Update | 12:46 p.m. The House today overwhelmingly passed a bill aimed at building up the United States' cybersecurity army and expertise, amid growing alarm over the country's vulnerability online.
The bill, which passed 422-5, requires the Obama administration to conduct an agency-by-agency assessment of cybersecurity workforce skills and establishes a scholarship program for undergraduate and graduate students who agree to work as cybersecurity specialists for the government after graduation. As officials puzzle over how to defend the nation from enemies that are often impossible to pinpoint, the lawmakers behind the bill said education and recruitment are crucial. "Investing in cybersecurity is the Manhattan Project of our generation," Representative Michael Arcuri, Democrat of New York, a sponsor of the bill, said on the House floor Wednesday. "But this time around we are facing far greater threat. Nearly every high school hacker has the potential to hamper our unfettered access to the Internet. Just imagine what a rogue state could do." Mr. Arcuri said that the federal government will need to hire between 500 and 1,000 more "cyber warriors" each year to keep up with potential enemies. Troops online "are every bit as important to our security as a soldier in our field," he said. The Cybersecurity Enhancement Act, H.R. 4061, a major information security bill, closely follows a warning by Dennis Blair, the director of National Intelligence, who told lawmakers this week that computer-related attacks were becoming increasingly malicious. The government's four-year review of Defense Department strategies, also issued this week, stated that large-scale cyberattacks could massively disable or hurt international financial, commercial and physical infrastructure. Mr. Obama has said cybersecurity is one of his top priorities and between the fallout from the attack on Google's computers in January and the more modest hacking of Web sites of 49 House members and committees last week, the risk is felt acutely in Washington.
Still, the budget proposal the administration delivered to Congress Monday cut funding for the Homeland Security Department's cybersecurity division. There is no companion bill in the Senate, but senators are working on several unrelated information security bills. The bill is based on Mr. Obama's review of cyberspace policies across the federal government in May 2009. It authorizes one single entity, the director of the National Institute of Standards and Technology, to represent the government in negotiations over international standards and orders the White House office of technology to convene a cybersecurity university-industry task force to guide the direction of future research. It also directs the National Science Foundation to research the social and behavioral aspects of cybersecurity, like how people interact with their computers and manage their online identities, in order to establish a new, more accessible awareness and education campaign.

From rforno at infowarrior.org Fri Feb 5 16:36:38 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 5 Feb 2010 11:36:38 -0500 Subject: [Infowarrior] - Zittrain: A fight over freedom at Apple's core Message-ID:

A fight over freedom at Apple's core By Jonathan Zittrain Published: February 3 2010 20:40 | Last updated: February 3 2010 20:40 http://www.ft.com/cms/s/2/fcabc720-10fb-11df-9a9e-00144feab49a.html?nclick_check=1 In 1977, a 21-year-old Steve Jobs unveiled something the world had never seen before: a ready-to-program personal computer. After powering the machine up, proud Apple II owners were confronted with a cryptic blinking cursor, awaiting instructions. The Apple II was a clean slate, a device built -- boldly -- with no specific tasks in mind. Yet, despite the cursor, you did not have to know how to write programs. Instead, with a few keystrokes you could run software acquired from anyone, anywhere. The Apple II was generative.
After the launch, Apple had no clue what would happen next, which meant that what happened was not limited by Mr Jobs' hunches. Within two years, Dan Bricklin and Bob Frankston had released VisiCalc, the first digital spreadsheet, which ran on the Apple II. Suddenly businesses around the world craved machines previously marketed only to hobbyists. Apple IIs flew off the shelves. The company had to conduct research to figure out why. Thirty years later Apple gave us the iPhone. It was easy to use, elegant and cool -- and had lots of applications right out of the box. But the company quietly dropped a fundamental feature, one signalled by the dropping of "Computer" from Apple Computer's name: the iPhone could not be programmed by outsiders. "We define everything that is on the phone," said Mr Jobs. "You don't want your phone to be like a PC. The last thing you want is to have loaded three apps on your phone and then you go to make a call and it doesn't work any more." The openness on which Apple had built its original empire had been completely reversed -- but the spirit was still there among users. Hackers vied to "jailbreak" the iPhone, running new apps on it despite Apple's desire to keep it closed. Apple threatened to disable any phone that had been jailbroken, but then appeared to relent: a year after the iPhone's introduction, it launched the App Store. Now outsiders could write software for the iPhone, setting the stage for a new round of revolutionary VisiCalcs -- not to mention tens of thousands of simple apps such as iPhone Harmonica or the short-lived I Am Rich, which for $999.99 displayed a picture of a gem, just to show that the iPhone owner could afford the software. But the App Store has a catch: app developers and their software must be approved by Apple. If Apple does not like the app, for any reason, it is gone. I Am Rich was axed from the Store after it was ridiculed in the press. Another app, Freedom Time, never made it in.
It counted down the days to the end of George W. Bush's US presidency, and that was deemed too politically sensitive. An e-mail reader was denied because it competed with Apple's own Mail app. Imagine if Microsoft's Bill Gates had decreed that no other word processor but Word would be allowed to run on the Windows operating system. Microsoft lost a decade-long competition lawsuit for far less proprietary behaviour. Despite outsiders being invited to write software, the iPhone thus remains tightly tethered to its vendor -- the way that the Kindle is controlled by Amazon. George Orwell's 1984 was retroactively zapped from Kindles around the world after Amazon grew concerned that it had sold the book without permission. To be sure, many rejected apps will not be missed. (Only eight spendthrifts bought I Am Rich before it disappeared.) And users can be protected from harmful software from suspect sources. But consider: the world wide web started as, and remains, an app. Its first versions were written by Tim Berners-Lee, a British computer scientist who was unaffiliated with any software or hardware vendor. How worthy of approval would Wikipedia have seemed when it boasted only seven articles -- dubiously hoping that the public would magically provide the rest? How threatened might today's content publishers feel by peer-to-peer apps that let iPhone users trade data from one phone to another? We know the answer to that: enough that they have persuaded Apple to exclude all such apps from the App Store. It is tempting to think that a little outside software is better than none. But what is fine for a single device may be bad for the ecosystem. The iPhone's hybrid model of centrally controlled outside software is already moving beyond the smart phone. This is the significance of the iPad. It could have been built either like a small Apple Macintosh -- open to any outside software -- or as a big iPhone, controlled by Apple. Apple went with the latter.
Attach a keyboard to it and it could replace a PC entirely -- boasting plenty of new apps, but only as Apple deems them worthy. If Apple is the gatekeeper to a device's uses, the governments of the world need knock on the door of only one office in Cupertino, California -- Apple's headquarters -- to demand changes to code or content. Users no longer own or control the apps they run -- they merely rent them minute by minute.

Hope lies in more balanced combinations of open and closed systems, such as that embodied by the traditional Apple Mac -- or phones based on the Android operating system from the Open Handset Alliance, a consortium of hardware, software and telecoms companies. Android Market is the approved counterpart to Apple's App Store but, in this case, users are also free to go off-roading, installing any code they like. Android is a canary in the digital coal mine: will its more open model survive should people load suspect apps and find they cannot make calls any more?

Mr Jobs ushered in the personal computer era and now he is trying to usher it out. We should focus on preserving our freedoms, even as the devices we acquire become more attractive and easier to use.

The writer is professor of law at Harvard Law School and a founder of its Berkman Center for Internet & Society. He is author of The Future of the Internet -- and How to Stop It

Copyright The Financial Times Limited 2010.
From rforno at infowarrior.org Fri Feb 5 16:38:45 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 5 Feb 2010 11:38:45 -0500 Subject: [Infowarrior] - Google to enlist NSA to help it ward off cyberattacks Message-ID: <779A067C-B007-4DAD-A33F-1DFBF808CBD4@infowarrior.org> Google to enlist NSA to help it ward off cyberattacks By Ellen Nakashima Thursday, February 4, 2010; A01 http://www.washingtonpost.com/wp-dyn/content/article/2010/02/03/AR2010020304057_pf.html The world's largest Internet search company and the world's most powerful electronic surveillance organization are teaming up in the name of cybersecurity. Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack. Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google's policies or laws that protect the privacy of Americans' online communications. The sources said the deal does not mean the NSA will be viewing users' searches or e-mail accounts or that Google will be sharing proprietary data. The partnership strikes at the core of one of the most sensitive issues for the government and private industry in the evolving world of cybersecurity: how to balance privacy and national security interests. On Tuesday, Director of National Intelligence Dennis C. Blair called the Google attacks, which the company acknowledged in January, a "wake-up call." Cyberspace cannot be protected, he said, without a "collaborative effort that incorporates both the U.S. private sector and our international partners." 
But achieving collaboration is not easy, in part because private companies do not trust the government to keep their secrets and in part because of concerns that collaboration can lead to continuous government monitoring of private communications. Privacy advocates, concerned about a repeat of the NSA's warrantless interception of Americans' phone calls and e-mails after the Sept. 11, 2001, terrorist attacks, say information-sharing must be limited and closely overseen. "The critical question is: At what level will the American public be comfortable with Google sharing information with NSA?" said Ellen McCarthy, president of the Intelligence and National Security Alliance, an organization of current and former intelligence and national security officials that seeks ways to foster greater sharing of information between government and industry. On Jan. 12, Google took the rare step of announcing publicly that its systems had been hacked in a series of intrusions beginning in December. The intrusions, industry experts said, targeted Google source code -- the programming language underlying Google applications -- and extended to more than 30 other large tech, defense, energy, financial and media companies. The Gmail accounts of human rights activists in Europe, China and the United States were also compromised. So significant was the attack that Google threatened to shutter its business operation in China if the government did not agree to let the firm operate an uncensored search engine there. That issue is still unresolved. Google approached the NSA shortly after the attacks, sources said, but the deal is taking weeks to hammer out, reflecting the sensitivity of the partnership. Any agreement would mark the first time that Google has entered a formal information-sharing relationship with the NSA, sources said. In 2008, the firm stated that it had not cooperated with the NSA in its Terrorist Surveillance Program. 
Sources familiar with the new initiative said the focus is not figuring out who was behind the recent cyberattacks -- doing so is a nearly impossible task after the fact -- but building a better defense of Google's networks, or what its technicians call "information assurance." One senior defense official, while not confirming or denying any agreement the NSA might have with any firm, said: "If a company came to the table and asked for help, I would ask them . . . 'What do you know about what transpired in your system? What deficiencies do you think they took advantage of? Tell me a little bit about what it was they did.' "

Sources said the NSA is reaching out to other government agencies that play key roles in the U.S. effort to defend cyberspace and might be able to help in the Google investigation. These agencies include the FBI and the Department of Homeland Security. Over the past decade, other Silicon Valley companies have quietly turned to the NSA for guidance in protecting their networks. "As a general matter," NSA spokeswoman Judi Emmel said, "as part of its information-assurance mission, NSA works with a broad range of commercial partners and research associates to ensure the availability of secure tailored solutions for Department of Defense and national security systems customers."

Despite such precedent, Matthew Aid, an expert on the NSA, said Google's global reach makes it unique. "When you rise to the level of Google . . . you're looking at a company that has taken great pride in its independence," said Aid, author of "The Secret Sentry," a history of the NSA. "I'm a little uncomfortable with Google cooperating this closely with the nation's largest intelligence agency, even if it's strictly for defensive purposes."

The pact would be aimed at allowing the NSA to help Google understand whether it is putting in place the right defenses by evaluating vulnerabilities in hardware and software and to calibrate how sophisticated the adversary is.
The agency's expertise is based in part on its analysis of cyber-"signatures" that have been documented in previous attacks and can be used to block future intrusions. The NSA would also be able to help the firm understand what methods are being used to penetrate its system, the sources said. Google, for its part, may share information on the types of malicious code seen in the attacks -- without disclosing proprietary data about what was taken, which would concern shareholders, sources said. Greg Nojeim, senior counsel for the Center for Democracy & Technology, a privacy advocacy group, said companies have statutory authority to share information with the government to protect their rights and property. From rforno at infowarrior.org Fri Feb 5 18:22:24 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 5 Feb 2010 13:22:24 -0500 Subject: [Infowarrior] - FBI wants records kept of Web sites visited Message-ID: February 5, 2010 9:16 AM PST FBI wants records kept of Web sites visited by Declan McCullagh http://news.cnet.com/8301-13578_3-10448060-38.html?part=rss&subj=news&tag=2547-1_3-0-20 The FBI is pressing Internet service providers to record which Web sites customers visit and retain those logs for two years, a requirement that law enforcement believes could help it in investigations of child pornography and other serious crimes. FBI Director Robert Mueller supports storing Internet users' "origin and destination information," a bureau attorney said at a federal task force meeting on Thursday. As far back as a 2006 speech, Mueller had called for data retention on the part of Internet providers, and emphasized the point two years later when explicitly asking Congress to enact a law making it mandatory. But it had not been clear before that the FBI was asking companies to begin to keep logs of what Web sites are visited, which few if any currently do. The FBI is not alone in renewing its push for data retention. 
As CNET reported earlier this week, a survey of state computer crime investigators found them to be nearly unanimous in supporting the idea. Matt Dunn, an Immigration and Customs Enforcement agent in the Department of Homeland Security, also expressed support for the idea during the task force meeting. Greg Motta, the chief of the FBI's digital evidence section, said that the bureau was trying to preserve its existing ability to conduct criminal investigations. Federal regulations in place since at least 1986 require phone companies that offer toll service to "retain for a period of 18 months" records including "the name, address, and telephone number of the caller, telephone number called, date, time and length of the call."

At Thursday's meeting (PDF) of the Online Safety and Technology Working Group, which was created by Congress and organized by the U.S. Department of Commerce, Motta stressed that the bureau was not asking that content data, such as the text of e-mail messages, be retained. "The question at least for the bureau has been about non-content transactional data to be preserved: transmission records, non-content records...addressing, routing, signaling of the communication," Motta said. Director Mueller recognizes, he added, "there's going to be a balance of what industry can bear...He recommends origin and destination information for non-content data." Motta pointed to a 2006 resolution from the International Association of Chiefs of Police, which called for the "retention of customer subscriber information, and source and destination information for a minimum specified reasonable period of time so that it will be available to the law enforcement community."

Recording what Web sites are visited, though, is likely to draw both practical and privacy objections. "We're not set up to keep URL information anywhere in the network," said Drew Arena, Verizon's vice president and associate general counsel for law enforcement compliance.
And, Arena added, "if you were to do deep packet inspection to see all the URLs, you would arguably violate the Wiretap Act." Another industry representative with knowledge of how Internet service providers work was unaware of any company keeping logs of what Web sites its customers visit. If logs of Web sites visited began to be kept, they would be available only to local, state, and federal police with legal authorization such as a subpoena or search warrant.

What remains unclear are the details of what the FBI is proposing. The possibilities include requiring an Internet provider to log the Internet protocol (IP) address of a Web site visited, or the domain name such as cnet.com, a host name such as news.cnet.com, or the actual URL such as http://reviews.cnet.com/Music/2001-6450_7-0.html. While the first three categories could be logged without doing deep packet inspection, the fourth category would require it. That could run up against opposition in Congress, which lambasted the concept in a series of hearings in 2008, causing the demise of a company, NebuAd, which pioneered it inside the United States.

The technical challenges also may be formidable. John Seiver, an attorney at Davis Wright Tremaine who represents cable providers, said one of his clients had experience with a law enforcement request that required the logging of outbound URLs. "Eighteen million hits an hour would have to have been logged," a staggering amount of data to sort through, Seiver said. The purpose of the FBI's request was to identify visitors to two URLs, "to try to find out...who's going to them." A Justice Department representative said the department does not have an official position on data retention.

Disclosure: The author of this story participated in the meeting of the Online Safety and Technology Working Group, though after the law enforcement representatives spoke.
Declan McCullagh is a contributor to CNET News and a correspondent for CBSNews.com who has covered the intersection of politics and technology for over a decade. Declan writes a regular feature called Taking Liberties, focused on individual and economic rights; you can bookmark his CBS News Taking Liberties site, or subscribe to the RSS feed. You can e-mail Declan at declan at cbsnews.com. From rforno at infowarrior.org Sat Feb 6 18:05:33 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 6 Feb 2010 13:05:33 -0500 Subject: [Infowarrior] - OT: Snowpocalypse, the Musical Message-ID: <04E7948D-1CD6-4FBC-A07D-4FAE68C5FF8C@infowarrior.org> 'Snowpocalypse' - The (Hopeful) Official Song of the 2010 DC Blizzard Lyrics (c) 2010 Richard Forno Original Melody Copyright 1964 (and apologies to) Shirley Bassey Presented in good-natured parody and neighborhoodly spirit http://www.infowarrior.org/snowpocalypse.html From rforno at infowarrior.org Sat Feb 6 18:15:52 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 6 Feb 2010 13:15:52 -0500 Subject: [Infowarrior] - Open Security Foundation - State of the Union 2010 Message-ID: Open Security Foundation - State of the Union 2010 Posted by jkouns 12 hours ago http://blog.osvdb.org/2010/02/06/open-security-foundation-state-of-the-union-2010 The Open Security Foundation (OSF) has grown from a humble beginning in 2004 to an internationally recognized 501(c)(3) non-profit public organization. Through the work of a small team of dedicated information security enthusiasts, the Open Source Vulnerability Database (OSVDB) and DataLossDB projects have provided organizations of all sizes with the knowledge and resources to accurately detect, protect and mitigate information security risks. OSF research is often cited throughout the security industry and the organization was honored by being named winner of the SC Magazine's Editors Choice award for 2009. 
To ensure the highest quality information that has become the trademark of OSF, a tremendous amount of effort is expended on a daily basis by OSF volunteers to process an ever increasing amount of data loss and vulnerability reports. Over the years, many volunteers have been involved in the projects, but for the most part the heavy lifting has been the work of only a few very dedicated volunteers. The "open source" approach to resourcing the projects has been successful to date but is now proving to be an unsustainable model. With long-term sustainability and increased services as our goal, we have initiated a comprehensive review of our current operations, our existing approach to project funding and the creation of potential new services for the security community. As a start, we plan to do a better job of sharing our view on the state of the information security industry and creating a mechanism to gain community feedback to better establish our vision for the OSVDB and DataLossDB projects. To that end I want to take a moment to share our initial plans for 2010.

The OSF officers and project leads have been dedicated to the daily operations required to make OSVDB and DataLossDB the recognized leader in vulnerability and data loss tracking. This focused dedication has left little time to take the pulse of the industry as it relates to our projects or to establish a clear long-term vision for the projects. To address this need, OSF will be creating an Advisory Board. The board will consist of three to five senior leaders capable of providing broad based perspective on information security, business management and fundraising. It is our hope that this will provide a sounding board when developing future plans, an open forum when reviewing community feedback and a broader view when prioritizing potential new services. Additional information along with an official call for Advisory Board nominations is planned for 2/12/2010.
Direct unfiltered feedback from both the security community as well as the organizations that benefit from our projects is critical. Over the next few weeks, we plan to post a public survey asking for feedback that will help shape our long-term vision and establish our near-term plans for OSVDB and DataLossDB. Those of you who value the work that the OSF provides and/or consider yourselves friends and supporters of OSF are asked to help spread the word to maximize the feedback provided. Feedback from the survey will be the foundation for the OSF vision and 2010 plan. Our goal is to present a draft of both the vision and the 2010 plan to the newly formed Advisory Board by mid-April 2010. Once finalized, both documents will be shared with the information security community. OSF has been recognized for providing a critical service to the information security community but our potential is much greater. We look forward to hearing your ideas on how OSF can further improve the state of security while building a stronger organization to deliver even higher quality research and additional services. We appreciate your support and if you are interested in working with OSF please contact us at moderators at osvdb.org or curators at datalossdb.org. Jake Kouns Chairman, Open Security Foundation From rforno at infowarrior.org Sat Feb 6 19:00:56 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 6 Feb 2010 14:00:56 -0500 Subject: [Infowarrior] - 2010 Olympic stuff Message-ID: In response to this News.Com article, (http://news.cnet.com/8301-31322_3-10448231-256.html ) I am happy to offer some original content of my own as an experiment. Two different items. Come what may, eh? 
http://www.infowarrior.org/2010Games/ - and - http://www.infowarrior.org/2010GamesOlympicsVancouverCanadaTeam/

From rforno at infowarrior.org Sun Feb 7 00:09:17 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 6 Feb 2010 19:09:17 -0500 Subject: [Infowarrior] - PIR: Teens and Blogging Message-ID: <0A36841A-DE66-4F6D-BE82-4666ACEC9EB2@infowarrior.org>

http://www.pewinternet.org/Reports/2010/Social-Media-and-Young-Adults.aspx

Two Pew Internet Project surveys of teens and adults reveal a decline in blogging among teens and young adults and a modest rise among adults 30 and older. Even as blogging declines among those under 30, wireless connectivity continues to rise in this age group, as does social network use. Teens ages 12-17 do not use Twitter in large numbers, though high school-aged girls show the greatest enthusiasm for the application.

This report from the Pew Research Center's Internet & American Life Project is a part of a series of reports undertaken by the Pew Research Center that highlight the attitudes and behaviors of the Millennial generation, a cohort we define here as adults ages 18 to 29. The Pew Internet Project has conducted more than 100 surveys and written more than 200 reports on the topic of teen and adult internet use, all of which are freely available on our website: www.pewinternet.org. This report brings together recent findings about internet and social media use among young adults by situating it within comparable data for adolescents and adults older than 30. All the most current data on teens is drawn from a survey we conducted between June 26 and September 24, 2009 of 800 adolescents between ages 12 and 17. Most of the adult data are drawn from a survey we conducted between August 18 and September 14, 2009 of 2,253 adults (age 18 and over). At times, though, we draw from other adult surveys and we will note where that occurs.
http://www.pewinternet.org/Reports/2010/Social-Media-and-Young-Adults.aspx

From rforno at infowarrior.org Sun Feb 7 04:21:15 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 6 Feb 2010 23:21:15 -0500 Subject: [Infowarrior] - EU Committee Says No To Bank Data Sharing Message-ID: <5D4AC4B5-F57E-4440-ADCC-50713C0ABEC5@infowarrior.org>

Finance | 05.02.2010 Washington threatens to bypass Europe in battle for bank data http://www.dw-world.de/dw/article/0,,5220092,00.html

The US is threatening to stop working with Europe in the fight against terrorism after an EU parliamentary group rejected a proposed data-sharing agreement. A final EU vote is scheduled for next week. The United States has warned that it may stop working with EU institutions on terrorist data exchange if the European Parliament next week blocks a bilateral deal on the issue. "If the European parliament overturns the agreement, I am unsure whether Washington agencies would again decide to address this issue at EU level," US ambassador to the EU William Kennard wrote in a letter sent to European Parliament President Jerzy Buzek, according to news agency AFP. US Secretary of State Hillary Clinton also called Buzek and EU foreign affairs chief Catherine Ashton to voice Washington's concern over the issue.

Members of a European Parliament subcommittee dealt a blow to US-EU relations by voting to reject a proposed bank data sharing deal between the US and Europe in a preliminary vote on Thursday. The agreement allows the US to access information gathered by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) about bank transfers within Europe. SWIFT manages global transactions between thousands of financial institutions in over 200 countries. Members of the parliament's civil liberties committee voted by 29 votes to 23 to reject the SWIFT deal, arguing that the deal fails to protect the privacy of EU citizens.
US authorities say access to bank details is vital to counterterrorism efforts, but many in Europe object to the widespread invasion of privacy.

Agreement in jeopardy

The proposed short-term agreement went into force on February 1 for an initial period of nine months, while the two sides negotiate a permanent system. However, the interim agreement still has to be ratified by the European Parliament. The committee's rejection of the measure, though advisory in nature, could be an indication that the bill will fail in the final parliamentary vote. If parliament votes against it next week, the measure will be suspended. The US previously had access to bank transfer data, but lost it when Belgian-based SWIFT moved its servers from the United States to Europe. It now wants a permanent agreement granting access to the data, which US terrorism investigators say has played a key role in several cases, including one in which they say an attack on a trans-Atlantic flight was prevented.

smh/dpa/Reuters/AFP Editor: Nancy Isenson

From rforno at infowarrior.org Sun Feb 7 15:47:23 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 7 Feb 2010 10:47:23 -0500 Subject: [Infowarrior] - Master of the Obvious Message-ID: <2D6190C7-3B45-4A3A-99B9-188721FA779B@infowarrior.org>

Must be a slow news day for the AP this morning? Like, DUH. -rick

http://www.nytimes.com/aponline/2010/02/07/us/politics/AP-US-White-House-Cybersecurity.html?_r=1&pagewanted=print

February 7, 2010 US Faces 'Serious and Significant' Cyberthreats By THE ASSOCIATED PRESS Filed at 10:28 a.m. ET

WASHINGTON (AP) -- President Barack Obama's top counterterrorism adviser says the U.S. faces ''serious and significant'' cyberthreats that could compromise national security. John Brennan says the administration is taking steps to improve cybersecurity and looking at the matter from an espionage and terrorism point of view. He says national security is something that's at risk.
Brennan isn't naming any country or individuals possibly behind cyberattacks. He was asked on NBC's ''Meet the Press'' about concerns that computer hackers in China have infiltrated computer networks.

From rforno at infowarrior.org Sun Feb 7 16:28:39 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 7 Feb 2010 11:28:39 -0500 Subject: [Infowarrior] - Broadband truth in advertising, redux Message-ID:

Just saw a TV ad for 'unlimited mobile broadband' via Cricket for $40/mo. Sounds awesome, right? But if you quickly scan the fine print during the commercial, Cricket's service, like everyone else, is capped at 5GB/mo. So again, what does "unlimited" mean for mobile broadband? You're not limited to WHEN you can connect to their service when in their service area? This is just the latest marketing scam for the wireless and broadband providers.....after all, it's perfectly legal to say "up to 50GB speeds" in big bold blinking letters but only deliver 15GB regularly, with periodic bursts to 40GB. But that is deemed 'truth' in advertising. Gotta love the lawyers. -rick

From rforno at infowarrior.org Sun Feb 7 17:20:55 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 7 Feb 2010 12:20:55 -0500 Subject: [Infowarrior] - Demonoid open signup today Message-ID: <15A3F6F8-31D5-44A7-8B73-8699ED0C2A3C@infowarrior.org>

Demonoid Updates Including Open Signups Today

Just a short update with two little snippets about the semi-private BitTorrent tracker, Demonoid. Don't have an account? You can get one today.
http://freakbits.com/demonoid-updates-including-open-signups-today-0207

From rforno at infowarrior.org Mon Feb 8 14:47:27 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 8 Feb 2010 09:47:27 -0500 Subject: [Infowarrior] - In Secret, Nations Work Toward Crackdown on Piracy Message-ID:

February 8, 2010 In Secret, Nations Work Toward Crackdown on Piracy By ERIC PFANNER http://www.nytimes.com/2010/02/08/technology/08piracy.html?pagewanted=print

PARIS -- Behind a veil of secrecy, the United States, the European Union, Japan and other countries are forging ahead with plans to coordinate an international crackdown on illegally copied music, movies, designer bags and other goods that change hands in sidewalk souks and Internet bazaars. Negotiators, under intense pressure from media companies, luxury brands and other corporate victims of piracy, are scrambling to complete a so-called Anti-Counterfeiting Trade Agreement by the end of the year. But the process is running into growing criticism from Internet campaigners, lawmakers and even some people involved in it.

After the most recent round of negotiations late last month in Guadalajara, Mexico, news of disagreements has been trickling out, despite an official vow of silence from the participants, which has itself become a main source of friction. E.U. negotiators, for example, are said to have balked at a U.S.-backed proposal to require Internet service providers to take tough steps against digital piracy. Under such a structure, leaked papers from the Union show, Internet providers might be required to filter out illegally copied songs and films from their networks or to sever copyright violators' Internet connections. Many nations are said to have drafted alternatives to the U.S.-backed proposal, seeking alternatives to those demands. "Our system allows for flexibility," said one person with knowledge of the E.U. position, who insisted on anonymity because of nondisclosure agreements governing the talks.
"The E.U. cannot accept an agreement that mandates a single solution." Within Europe, different countries have pursued a range of approaches to dealing with Internet piracy. Last year, France approved a so-called three-strikes system, under which illegal file-sharers who ignored two warnings to quit could face the loss of Internet access. Britain has proposed similar legislation. But German and Swedish officials have ruled out such measures, and politicians elsewhere in Europe have sought to enshrine Internet access as a fundamental human right.

Details of what has actually been discussed remain sketchy. Though the talks have been going on for two years, texts of the proposed deal have been sealed from public view. Critics say the lack of transparency is highly unusual for a trade agreement with so many parties involved, especially since the deal could influence the workings of the Internet and affect hundreds of millions of people around the world. "You'd think it was nuclear weapons kind of stuff, not intellectual property law," said Eddan Katz, international affairs director at the Electronic Frontier Foundation, which campaigns against regulation of the Internet. "The fact that there are 30 or 50 people sitting around a table deciding the laws of the world's nations, when there are major areas of disagreement, seems like a wholesale contravention of the democratic process."

Lawmakers have also largely been kept out of the loop. In the United States last month, Senator Ron Wyden, a Democrat from Oregon, wrote to Ron Kirk, the U.S. trade representative, whose office is negotiating on behalf of the United States, to seek information about the negotiations. In Britain, members of the three main political parties have signed a parliamentary motion calling on their government to release details. National lawmakers elsewhere in Europe, and at the European Parliament, have also demanded greater openness.
Even some participants want to ease the secrecy that surrounds the process. "The Swedish government believes that we should release a consolidated text as soon as possible," said Stefan Johansson, a Swedish Justice Ministry official who has been involved in the talks. After the latest round in Mexico, the participants issued only a bland communiqué saying, among other things, that the negotiations had been "productive" and had "focused on civil enforcement, border enforcement and enforcement of rights in the digital environment." "Recalling their shared view of the importance of providing opportunities for meaningful public input, the participants reaffirmed their commitment to intensify their respective efforts to provide such opportunities and collectively enhance transparency," the statement said. The person with knowledge of the talks said one idea under consideration would be to invite groups with concerns to meet on the sidelines of the next round, scheduled for Wellington in April.

Despite the haze surrounding the proposed agreement, some of the most alarmist speculation appears to have been exaggerated. For example, several people with knowledge of the talks said there was no truth to one early rumor -- that the accord would empower customs officials to search digital music players for illegally copied songs at border crossings. Business groups say fears have been fanned by people with a vested interest in weakening copyright protection in the proposed Anti-Counterfeiting Trade Agreement, or ACTA. These groups say that greater international coordination is needed to protect businesses that rely on creativity, brand names and other easily copied assets, particularly in export markets. "Given the importance of this agreement to our economy and to consumers, we must not allow ACTA to be derailed by a minority opposed to protecting the rights of artists, inventors and entrepreneurs," Mark T.
Esper, executive vice president of the Global Intellectual Property Center, an affiliate of the U.S. Chamber of Commerce, said in a statement. Critics of the process say that if protecting industrialized countries' economies is the goal, the talks ought to include developing countries like China, India and Indonesia, where intellectual property laws or enforcement are sometimes weaker. In addition to the United States, the European Union and Japan, the parties to the talks are Australia, Canada, South Korea, Mexico, Morocco, New Zealand, Singapore and Switzerland. "Some might see it as an anti-counterfeiting deal without the counterfeiters," said Michael Geist, a law professor at the University of Ottawa who has been mustering critics of the negotiations via his blog.

Portions of the negotiations dealing with the Internet have attracted more attention than proposals for cracking down on piracy of physical goods and other trademark violations. In an interview with World Trademark Review, a trade journal, the assistant U.S. trade representative for intellectual property and innovation, Stan McCoy, lamented what he called a "misperception that this agreement will focus mostly or exclusively on copyright infringement in the digital environment." "The threat of physical goods bearing counterfeit trademarks is a real one, and it is a priority for ACTA," Mr. McCoy said. "Americans do not want to brush their teeth with counterfeit toothpaste or drive a car with knockoff brakes." His office did not respond to requests for elaboration on the U.S. position. One supporter of the talks, the Motion Picture Association of America, is urging U.S. negotiators not to back down on proposals for fighting the unauthorized digital copying of movies. "Internet piracy has emerged as the fastest-growing threat to the filmed entertainment industry," Dan Glickman, chief executive of the association, said in a recent letter to Senator Patrick J.
Leahy, the Vermont Democrat who is the chairman of the U.S. Senate Judiciary Committee. ?M.P.A.A. firmly believes that a strong ACTA should address this challenge, raising the level and effectiveness of copyright enforcement in the digital and online marketplaces.? From rforno at infowarrior.org Mon Feb 8 22:45:19 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 8 Feb 2010 17:45:19 -0500 Subject: [Infowarrior] - NBC Plots (Futile) Crackdown On Olympic Pirates Message-ID: <1C3BC0C6-DB4A-4AA9-A181-38F73A2EB9DB@infowarrior.org> Yeah...good luck with that, guys. -rick NBC Plots Crackdown On Olympic Pirates Written by Ernesto on February 08, 2010 http://torrentfreak.com/nbc-plots-crackdown-on-olympic-pirates-100208/ In 2008 Olympic torrents were hugely popular. The opening ceremony was downloaded more than 2 million times in the first week, outraging the International Olympic Committee. With Vancouver 2010 starting later this week, several broadcasters have declared war on Olympic pirates. The 2008 Summer Olympics were a huge hit online, both through legal and illegal channels. NBC streamed a record breaking 2,200 hours of live video to the delight of millions of people, but strangely enough this year the network will limit its live coverage to hockey and curling. An NBC representative explained that the network will only cover the highlights because people ?are not dying to watch lots of long-form content on a 13-inch screen.? However, at the same time NBC contradicts itself by announcing that it will do all it can to prevent people from accessing unauthorized live feeds or downloads of Olympic broadcasts. While NBC doesn?t believe there is much demand for live coverage, it will do all it can to prevent the ?few? people who do from downloading or streaming the events online. ?Our aim is to make access to pirated material inconvenient, low quality and hard to find,? said Rick Cotton, NBC?s Executive Vice President commenting on their Olympic mission. 
Once again one of the major entertainment industry outfits has got it entirely wrong. If NBC really wants to prevent piracy they have to offer at least some sort of alternative. Cutting 2,200 hours of live web coverage back to just a few hundred is certainly not going to help in stopping piracy.

NBC reportedly has teamed up with Ustream and Justin.tv, two popular live streaming sites, to use filtering schemes in order to prevent illegal broadcasts. However, it is inevitable that they won't be able to stop them all since there are dozens of live streaming sites.

Preventing torrents from being uploaded will turn out to be even more problematic for the network. During the Beijing Olympics two years ago, the International Olympic Committee (IOC) asked for "assistance" from the Swedish government with preventing video clips from the Olympics in Beijing being shared via The Pirate Bay. This didn't help much and during the weeks that followed millions of people continued to download broadcasts of Olympic events.

We assume that in the coming weeks most events will again appear online, despite NBC's efforts to prevent the Olympics from being pirated.

From rforno at infowarrior.org Tue Feb 9 15:01:03 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Feb 2010 10:01:03 -0500
Subject: [Infowarrior] - NSC's Brennan: "We Need No Lectures"
Message-ID: <8FAE3B70-61F3-4345-BD35-8AA31C2679BF@infowarrior.org>

(Interestingly the amount of time Brennan has taken in recent weeks to respond to these political allegations is in itself interesting. -- rf)

'We need no lectures'
Administration disrupts terrorists' plots, takes fight to them abroad
By John Brennan
http://blogs.usatoday.com/oped/2010/02/opposing-view-we-need-no-lectures.html?csp=34

Politics should never get in the way of national security. But too many in Washington are now misrepresenting the facts to score political points, instead of coming together to keep us safe.
Immediately after the failed Christmas Day attack, Umar Farouk Abdulmutallab was thoroughly interrogated and provided important information. Senior counterterrorism officials from the White House, the intelligence community and the military were all actively discussing this case before he was Mirandized and supported the decision to charge him in criminal court. The most important breakthrough occurred after Abdulmutallab was read his rights, which the FBI made standard policy under Michael Mukasey, President Bush's attorney general.

The critics who want the FBI to ignore this long-established practice also ignore the lessons we have learned in waging this war: Terrorists such as Jose Padilla and Saleh al-Mari did not cooperate when transferred to military custody, which can harden one's determination to resist cooperation. It's naive to think that transferring Abdulmutallab to military custody would have caused an outpouring of information. There is little difference between military and civilian custody, other than an interrogator with a uniform. The suspect gets access to a lawyer, and interrogation rules are nearly identical.

Would-be shoe bomber Richard Reid was read his Miranda rights five minutes after being taken off a plane he tried to blow up. The same people who criticize the president today were silent back then.

Cries to try terrorists only in military courts lack foundation. There have been three convictions of terrorists in the military tribunal system since 9/11, and hundreds in the criminal justice system -- including high-profile terrorists such as Reid and 9/11 plotter Zacarias Moussaoui.

This administration's efforts have disrupted dozens of terrorist plots against the homeland and been responsible for killing and capturing hundreds of hard-core terrorists, including senior leaders in Pakistan, Yemen, Somalia and beyond -- far more than in 2008. We need no lectures about the fact that this nation is at war.
Politically motivated criticism and unfounded fear-mongering only serve the goals of al-Qaeda. Terrorists are not 100-feet tall. Nor do they deserve the abject fear they seek to instill. They will, however, be dismantled and destroyed, by our military, our intelligence services and our law enforcement community. And the notion that America's counterterrorism professionals and America's system of justice are unable to handle these murderous miscreants is absurd.

John Brennan is Assistant to the President and Deputy National Security Advisor for Homeland Security and Counterterrorism.

From rforno at infowarrior.org Tue Feb 9 21:23:02 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Feb 2010 16:23:02 -0500
Subject: [Infowarrior] - Congress and the Stock Market
Message-ID:

Academic research proves it -- when Congress is not in session, the stock market does well. -rick

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=687211

Congress and the Stock Market

Michael F. Ferguson
University of Cincinnati - Department of Finance - Real Estate

Hugh Douglas Witte
University of Missouri at Columbia - Department of Finance

March 13, 2006

Abstract: We find a strong link between Congressional activity and stock market returns that persists even after controlling for known daily return anomalies. Stock returns are lower and volatility is higher when Congress is in session. This "Congressional Effect" can be quite large - more than 90% of the capital gains over the life of the DJIA have come on days when Congress is out of session. The Effect varies systematically with the public's opinion of Congress: returns are lower and volatility higher when a relatively unpopular Congress is active. Public opinion appears to play a fundamental role in market prices. This is consistent with a mood-based explanation that sees Congress as 'depressing' the average investor. Alternatively, our results can also be reconciled with rational explanations that view Congressional activity as a proxy for regulatory uncertainty or rent-seeking behavior.

Keywords: stock market, Congress, anomalies, behavioral finance
JEL Classifications: G1, G10, G14, G18
Working Paper Series
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=687211

From rforno at infowarrior.org Wed Feb 10 00:43:35 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Feb 2010 19:43:35 -0500
Subject: [Infowarrior] - But they promised us ....
Message-ID: <4198E923-187F-45B0-B25A-10775514D628@infowarrior.org>

... that this kind of stuff wouldn't happen. Right? -rick

Exposed: Naked Body Scanner Images Of Film Star Printed, Circulated By Airport Staff
Tuesday, February 9, 2010

Claims on behalf of authorities that naked body scanner images are immediately destroyed after passengers pass through new x-ray backscatter devices have been proven fraudulent after it was revealed that naked images of Indian film star Shahrukh Khan were printed out and circulated by airport staff at Heathrow in London.

UK Transport Secretary Lord Adonis said last week that the images produced by the scanners were deleted "immediately" and airport staff carrying out the procedure are fully trained and supervised.

"It is very important to stress that the images which are captured by body scanners are immediately deleted after the passenger has gone through the body scanner," Adonis told the London Evening Standard.

Adonis was forced to address privacy concerns following reports that the images produced by the scanners broke child pornography laws in the UK. When the scanners were first introduced, it was also speculated that images of famous people would be ripe for abuse as the pictures produced by the devices make genitals "eerily visible" according to journalists who have investigated trials of the technology.
However, the Transport Secretary's assurances were demolished after it was revealed on the BBC's Jonathan Ross show Friday that Indian actor Shahrukh Khan had passed through a body scan and later had the image of his naked body printed out and circulated by Heathrow security staff.

< - >

http://www.prisonplanet.com/exposed-naked-body-scanner-images-of-film-star-printed-circulated.html

From rforno at infowarrior.org Wed Feb 10 00:46:04 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Feb 2010 19:46:04 -0500
Subject: [Infowarrior] - Supergeek pulls off 'near impossible' crypto chip hack
Message-ID: <9ACDA6DF-4F1F-4EFB-8AAB-42D1925D61ED@infowarrior.org>

Supergeek pulls off 'near impossible' crypto chip hack
10:40 AM Tuesday Feb 9, 2010
http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10625082&pnum=0

SAN FRANCISCO - Deep inside millions of computers is a digital Fort Knox, a special chip with the locks to highly guarded secrets, including classified government reports and confidential business plans. Now a former US Army computer-security specialist has devised a way to break those locks.

The attack can force heavily secured computers to spill documents that likely were presumed to be safe. This discovery shows one way that spies and other richly financed attackers can acquire military and trade secrets, and comes as worries about state-sponsored computer espionage intensify, underscored by recent hacking attacks on Google.

The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer. But laptops and smart phones get lost and stolen all the time. And the data that the most dangerous computer criminals would seek likely would be worth the expense of an elaborate espionage operation.

Jeff Moss, founder of the Black Hat security conference and a member of the US Department of Homeland Security's advisory council, called Tarnovsky's finding "amazing."
"It's sort of doing the impossible," Moss said. "This is a lock on Pandora's box. And now that he's pried open the lock, it's like, ooh, where does it lead you?"

Tarnovsky figured out a way to break chips that carry a "Trusted Platform Module," or TPM, designation by essentially spying on them like a phone conversation. Such chips are billed as the industry's most secure and are estimated to be in as many as 100 million personal computers and servers, according to market research firm IDC.

When activated, the chips provide an additional layer of security by encrypting, or scrambling, data to prevent outsiders from viewing information on the machines. An extra password or identification such as a fingerprint is needed when the machine is turned on.

Many computers sold to businesses and consumers have such chips, though users might not turn them on. Users are typically given the choice to turn on a TPM chip when they first use a computer with it. If they ignore the offer, it's easy to forget the feature exists. However, computers needing the most security typically have TPM chips activated.

"You've trusted this chip to hold your secrets, but your secrets aren't that safe," said Tarnovsky, 38, who runs the Flylogic security consultancy in Vista, California, and demonstrated his hack last week at the Black Hat security conference in Arlington, Virginia.

The chip Tarnovsky hacked is a flagship model from Infineon Technologies AG, the top maker of TPM chips. And Tarnovsky says the technique would work on the entire family of Infineon chips based on the same design. That includes non-TPM chips used in satellite TV equipment, Microsoft's Xbox 360 game console and smart phones.

That means his attack could be used to pirate satellite TV signals or make Xbox peripherals, such as handheld controllers, without paying Microsoft a licensing fee, Tarnovsky said.

Microsoft confirmed its Xbox 360 uses Infineon chips, but would only say that "unauthorised accessories that circumvent security protocols are not certified to meet our safety and compliance standards."

The technique can also be used to tap text messages and email belonging to the user of a lost or stolen phone. Tarnovsky said he can't be sure, however, whether his attack would work on TPM chips made by companies other than Infineon.

Infineon said it knew this type of attack was possible when it was testing its chips. But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users.

"The risk is manageable, and you are just attacking one computer," said Joerg Borchert, vice president of Infineon's chip card and security division. "Yes, this can be very valuable. It depends on the information that is stored. But that's not our task to manage. This gives a certain strength, and it's better than an unprotected computer without encryption."

The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment." It added that the group has "never claimed that a physical attack - given enough time, specialised equipment, know-how and money - was impossible. No form of security can ever be held to that standard." It stood by TPM chips as the most cost-effective way to secure a PC.

It's possible for computer users to scramble data in other ways, beyond what the TPM chip does. Tarnovsky's attack would do nothing to unlock those methods. But many computer owners don't bother, figuring the TPM security already protects them.

Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it. Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.

The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory. Those instructions hold the secrets to the computer's encryption, and he didn't find them encrypted because he was physically inside the chip.

Even once he had done all that, he said he still had to crack the "huge problem" of figuring out how to avoid traps programmed into the chip's software as an extra layer of defence. "This chip is mean, man - it's like a ticking time bomb if you don't do something right," Tarnovsky said.

Joe Grand, a hardware hacker and president of product- and security-research firm Grand Idea Studio, saw Tarnovsky's presentation and said it represented a huge advancement that chip companies should take seriously, because it shows that presumptions about security ought to be reconsidered. "His work is the next generation of hardware hacking," Grand said.

- AP

From rforno at infowarrior.org Wed Feb 10 00:47:28 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Feb 2010 19:47:28 -0500
Subject: [Infowarrior] - Google Buzz Aims To Social-Network Gmail Users
Message-ID:

Google Buzz Aims To Social-Network Gmail Users
Richard Koman, newsfactor.com
http://news.yahoo.com/s/nf/20100209/tc_nf/71580/print

Google has watched more or less on the sidelines as social-networking sites -- most notably Facebook and Twitter -- have captured the public's attention. Facebook, especially, has become more than a destination web site. It has become a user-centric world where users communicate via status updates, third-party applications, and shared groups.
While Google has made various attempts to gain traction in the social web, nothing has really worked. So on Tuesday, Google gave notice that it's serious about the social web with its announcement of Google Buzz -- a new feature of its Gmail web-based e-mail system. Rather than simply adding status updates to Gmail, Google is pouring on the social-networking juice in an attempt to exploit the growing user base of Gmail.

Gmail: Social Network

"Google Buzz is a new way to start conversations about the things you find interesting. It's built right into Gmail, so you don't have to peck out an entirely new set of friends from scratch -- it just works," product manager Todd Jackson wrote in an announcement blog post. Buzz will take advantage of the social network inherent in e-mail by "automatically setting you up to follow the people you e-mail and chat with the most," Jackson said.

How will this impact Facebook and Twitter? Not too much, said Ben Bajarin, an analyst with Creative Strategies, in an e-mail. "It really boils down to Google attempting to get folks to spend more time with their assets," he said. "Time will tell how this works out, but I don't really see this as a threat to Facebook or Twitter, given that neither of those services has been cannibalized by each other."

Buzz is intended to be an "easy-to-use sharing experience that richly integrates photos, videos and links, and makes it easy to share publicly or privately (so you don't have to use different tools to share with different audiences)," Jackson wrote. With Buzz tightly integrated with users' existing Gmail inbox, "you're sure to see the stuff that matters most as it happens in real time."

Business Networks?

Buzz may also have a business application, but this is far from clear. Jackson only hinted at business applications. "We also plan to make Google Buzz available to businesses and schools using Google Apps, with added features for sharing within organizations," he wrote.
Google also showed an understanding that social networking is naturally a mobile application. "Mobile devices add an important component to sharing: Location," Jackson wrote. "Posts tagged with geographical information have an extra dimension of context -- the answer to the question 'Where were you when you shared this?' can communicate so much. And when viewed in aggregate, the posts about a particular location can paint an extremely rich picture of that place."

Jackson also emphasized that Buzz will be leveraged to other Google properties like Google Maps and integrate with applications with open APIs like Flickr and Twitter itself. "We've relied on other services' openness in order to build Buzz (you can connect Flickr and Twitter from Buzz in Gmail), and Buzz itself is not designed to be a closed system. Our goal is to make Buzz a fully open and distributed platform for conversations. We're building on a suite of open protocols to create a complete read/write developer API," Jackson wrote.

From rforno at infowarrior.org Wed Feb 10 12:16:28 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Feb 2010 07:16:28 -0500
Subject: [Infowarrior] - Mudge goes to DARPA
Message-ID:

Hacker 'Mudge' gets DARPA job
by Elinor Mills
http://news.cnet.com/8301-27080_3-10450552-245.html?tag=newsLeadStoriesArea.1

Peiter Zatko--a respected hacker known as "Mudge"--has been tapped to be a program manager at DARPA, where he will be in charge of funding research designed to help give the U.S. government tools needed to protect against cyberattacks, CNET has learned.

Zatko will become a program manager in mid-March within the Strategic Technologies Office at DARPA (Defense Advanced Research Projects Agency), which is the research and development office for the Department of Defense. His focus will be cybersecurity, he said in an interview with CNET on Tuesday.
One of his main goals will be to fund researchers at hacker spaces, start-ups, and boutiques who are most likely to develop technologies that can leapfrog what comes out of large corporations. "I want revolutionary changes. I don't want evolutionary ones," he said.

He's also hoping that giving a big push to research and development will do more to advance the progress of cybersecurity than public policy decisions have been able to do over the past few decades. "Not much has changed" with regard to strengthening the U.S. cybersecurity position, he said. "As a society, we have a larger dependence on being wired in, yet the government only focuses on particular areas."

The connectedness of commercial, government, and military networks makes the situation even more dire, he said. "I'm going to argue that they're all pretty much intertwined now and we've seen how vulnerable some of those sectors are now. That's unacceptable," Zatko said. "I aim to fix that."

The current state of technology isn't working adequately, for the government or commercial companies, he said. For instance, the current defense mechanisms need to change so they can block attacks, instead of responding to them, he added. "I don't want people to be putting out virus signatures after a virus has come out," he said. "I want an active defense. I want to be at the sharp pointy end of the stick."

Zatko cut his security chops as a teen-age hacker in the 1980s and managed to stay one step ahead of the law. He ran the L0pht hacker space during the 1990s, where he invented anti-sniffing technology that became the first remote promiscuous system detector used by the Defense Department. He also pioneered work on buffer overflows, which are a basis for many computer network attacks. "L0pht turned the industry on its head," he said. "You didn't have security response teams at major organizations like Microsoft or Intel until we came along."
He started the corporate information security group at BBN Technologies in the 1990s, was chief executive at L0pht Heavy Industries when the hacker space decided to incorporate, and founded security consultancy @Stake, which was later acquired by Symantec. Since 2004, he's been back at BBN, working as division scientist and technical director for the company's National Intelligence Research and Applications department.

Zatko has also done his fair share of work for the government. He was appointed to the Information Assurance sub-committee out of the Executive Office of the President, named as a subcommittee member to the Partnership for Critical Infrastructure Protection and testified several times before Congressional committees. The main hacker character in the book Breakpoint by former U.S. cybersecurity guru Richard Clarke is believed to be based on him.

"I don't want people to be putting out virus signatures after a virus has come out. I want an active defense. I want to be at the sharp pointy end of the stick."
--Peiter "Mudge" Zatko, newly hired program manager at DARPA

He's not the first self-described hacker to embrace public service. Jeff Moss, founder of the Black Hat and Defcon conferences, joined the Homeland Security Advisory Council last summer.

One of the reasons Zatko decided to take the job is that the new DARPA director, Regina Dugan, is entrepreneurial and is looking to engage more with academics, following years of DARPA being closed to nongovernmental researchers for national security reasons, he said. "Now they are running more programs out of DARPA that are not classified beyond what they need to be, so it will enable more people to have visibility into them," he added.

Another lure of the job was the budget he will have. Zatko said he doesn't know exactly how much of the $3.5 billion a year DARPA spends to fund research he will oversee but said it's likely to be a "good chunk."
From his many years doing penetration testing and working to break security systems, he understands what it takes to try to defend networks and how to come up with innovative solutions to break through barriers and get around obstructions. "I've got a track record of doing novel things on both the offense and defense side," he said. "In the commercial world I wasn't able to take those to fruition because often the market drivers and the money drivers were at odds. You don't want to put yourself out of business. But now, I want to put myself out of business."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

From rforno at infowarrior.org Wed Feb 10 12:18:53 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Feb 2010 07:18:53 -0500
Subject: [Infowarrior] - Aussie hacktivism
Message-ID:

(some text in the news story probably NSFW, so I cut the article. --rf)

Operation Titstorm: hackers bring down government websites
ASHER MOSES
February 10, 2010 - 4:11PM

Groups opposing the government's internet censorship plans have condemned today's attacks on government websites, saying it will do little to help their cause, while Communications Minister Stephen Conroy called them "totally irresponsible".

Hackers connected with the group Anonymous, known for its war against Scientology, this morning launched a broad attack on government websites.
They are protesting against forthcoming internet filtering legislation

< - >

http://www.smh.com.au/technology/technology-news/operation-titstorm-hackers-bring-down-government-websites-20100210-nqku.html

From rforno at infowarrior.org Wed Feb 10 13:36:26 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Feb 2010 08:36:26 -0500
Subject: [Infowarrior] - OpEd: Terrorism Derangement Syndrome
Message-ID:

Terrorism Derangement Syndrome
The GOP's scare tactics work so well because the public is terrified already.
By Dahlia Lithwick
Posted Wednesday, Feb. 3, 2010, at 6:41 PM ET
http://www.slate.com/id/2243429

America has slid back again into its own special brand of terrorism-derangement syndrome. Each time this condition recurs, it presents with more acute and puzzling symptoms. It's almost impossible to identify the cause, and it's doubtful there's a cure. The entire forensic team from House would need a full season to unravel the mystery of what it is about the American brain that renders us more terrified of terrorists today than we were five years ago and less trusting of government policies to protect us.

The real problem is that too many people tend to follow GOP cues about how hopelessly unsafe America is, and they've yet again convinced themselves that we are mere seconds away from an attack. Moreover, each time Republicans go to their terrorism crazy-place, they go just a little bit farther than they did the last time, so that things that made us feel safe last year make us feel vulnerable today. Policies and practices that were perfectly acceptable just after 9/11, or when deployed by the Bush administration, are now decried as dangerous and reckless. The same prominent Republicans who once celebrated open civilian trials for Zacarias Moussaoui and Richard Reid, the so-called "shoe bomber," now claim that open civilian trials endanger Americans (some Republicans have now even gone so far as to try to defund such trials).
Republicans who once supported closing Guantanamo are now fighting to keep it open. And one GOP senator, who like all members of Congress must take an oath to uphold the Constitution, has voiced his concern that the Christmas bomber really needed to be "properly interrogated" instead of being allowed to ask for a lawyer. In short, what was once tough on terror is now soft on terror. And each time the Republicans move their own crazy-place goal posts, the Obama administration moves right along with them.

It's hard to explain why this keeps happening. There hasn't been a successful terror attack on U.S. soil since 9/11. The terrorists who were tried in criminal proceedings since 9/11 are rotting in jail. The Christmas Day terror attack was both amateurish and unsuccessful. The Christmas bomber is evidently cooperating with intelligence officials without the need to resort to thumbscrews. In a rational universe, one might conclude that all this is actually good news. But in the Republican crazy-place, there is no good news. There's only good luck. Tick tock. And the longer they are lucky, the more terrified Americans have become.

This week Glenn Greenwald summarized how far the goal posts of normal have moved when he pointed out that "merely advocating what Ronald Reagan explicitly adopted as his policy -- 'to use democracy's most potent tool, the rule of law against' terrorists -- is now the exclusive province of civil liberties extremists." Upon being elected to the U.S. Senate last month, Scott Brown declared: "Our Constitution and laws exist to protect this nation -- they do not grant rights and privileges to enemies in wartime. In dealing with terrorists, our tax dollars should pay for weapons to stop them, not lawyers to defend them." As Adam Serwer observed, "This is the new normal for Republicans: You can be denied rights not through due process of law but merely based on the nature of the crime you are suspected of committing. Brown's rhetorical framing, that jettisoning the legal system we've had for 200-plus years represents 'tradition' while granting suspected criminals the right to legal counsel represents liberalism gone mad is new, and I suspect we'll hear it again."

I have read several good explanations for why the GOP leadership has decided to make the case that processes that worked in the Bush administration (like civilian trials) won't work under Obama, and why policies that failed in the Bush administration (like torture or military tribunals) must be reinstated. Maybe it's simple obstructionism. Josh Gerstein points out that for Republicans seeking to capitalize on Obama's missteps, his feints and pivots on national security have proved fertile ground. And Greenwald concludes that "our establishment craves Bush/Cheney policies because it is as radical as they are." But it's not just the establishment that opposes closing Guantanamo, trying Khalid Sheikh Mohammed, or reading Umar Farouk Abdulmutallab his Miranda rights. Polls show most Americans want Abdulmutallab tried by military commission, want Gitmo to remain open, and want KSM tried in a military commission, too.

For those of us who are horrified by the latest Republican assault on basic legal principles, it's time to reckon with the fact that the American people are terrified enough to go along. We're terrified when a terror attack happens, and we're also terrified when it's thwarted. We're terrified when we give terrorists trials, and we're terrified when we warehouse them at Guantanamo without trials. If a terrorist cooperates without being tortured we complain about how much more he would have cooperated if he hadn't been read his rights. No matter how tough we've been on terror, we will never feel safe enough to ask for fewer safeguards. Now I grant that it's awfully hard to feel safe when the New York Times is publishing stories about a possible terrorist attack by July.
So long as there are young men in the world willing to stick a bomb in their pants, we will never be perfectly safe. And what that means is that every time there's an attack, or a near-attack, or a new Bin Laden tape, or a new episode of 24, we'll always be willing to go one notch more beyond the rules than we were willing to go last time.

Some of the very worst excesses of the Bush years can be laid squarely at the doorstep of a fictional construct: the "ticking time bomb scenario." Within minutes, any debate about terrorists and the law arrives at the question of what we'd be willing to do to a terrorist if we thought he had knowledge of an imminent terror plot that would kill hundreds of innocent citizens. The ticking time bomb metaphor is the reason we get bluster like this from Sen. Susan Collins, R-Maine, complaining that "5-6 weeks of 'time-sensitive information' was lost" because Abdulmutallab wasn't interrogated against his will upon capture.

But here's the paradox: It's not a terrorist's time bomb that's ticking. It's us. Since 9/11, we have become ever more willing to suspend basic protections and more contemptuous of American traditions and institutions. The failed Christmas bombing and its political aftermath have revealed that the terrorists have changed very little in the eight-plus years since the World Trade Center fell. What's changing -- what's slowly ticking its way down to zero -- is our own certainty that we can never be safe enough and our own confidence in the rule of law.

Dahlia Lithwick is a Slate senior editor.
Article URL: http://www.slate.com/id/2243429/

From rforno at infowarrior.org Wed Feb 10 16:55:41 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Feb 2010 11:55:41 -0500
Subject: [Infowarrior] - Fallows: Cyber Warriors
Message-ID: <53365309-F118-4818-8AF0-C99ECAB49666@infowarrior.org>

http://www.theatlantic.com/doc/201003/china-cyber-war

Cyber Warriors
by James Fallows

Early in my time in China, I learned a useful lesson for daily life. In the summer of 2006, I saw a contingent of light-green-shirted People's Liberation Army soldiers marching in formation down a sidewalk on Fuxing Lu in Shanghai, near the U.S. and Iranian consulates. They looked so crisp under the leafy plane trees of the city's old colonial district that I pulled out a camera to take a picture of them -- and, after pushing the button, had to spend the next 60 seconds running at full tilt away from the group's leader, who pursued me yelling in English "Stop! No photo! Must stop!" Fortunately he gave up after scaring me off.

The practical lesson was to not point a camera toward uniformed groups of soldiers or police. The broader hint I took was to be more careful when asking about or discussing military matters than when asking about most other aspects of modern China's development.

I did keep asking people in China -- carefully -- about the potential military and strategic implications of their country's growing strength. Ever since the collapse of the Soviet Union and consequent disappearance of the U.S. military's one superpower rival, Western defense strategists have speculated about China's emergence as the next great military threat. (In 2005, this magazine published Robert Kaplan's cover story "How We Would Fight China," about such a possibility. Many of the international-affairs experts I interviewed in China were familiar with that story. I often had to explain that "would" did not mean "will" in the article's headline.)
The cynical view of warnings about a mounting Chinese threat is that they are largely Pentagon budget-building ploys: if the U.S. military is "only" going to fight insurgents and terrorists in the future, it doesn't really need the next generation of expensive fighter planes or attack submarines. Powerful evidence for this view -- apart from familiarity with Pentagon budget debates over the years -- is that many of the neoconservative thinkers who since 9/11 have concentrated on threats from Iraq, Afghanistan, and Iran were before that time writing worriedly about China. The most powerful counterargument is that China's rise is so consequential and unprecedented in scale that it would be naive not to expect military ramifications.

My instincts lie with the skeptical camp: as I've often written through the past three years, China has many more problems than most Americans can imagine, and its power is much less impressive up close. But on my return to America, I asked a variety of military, governmental, business, and academic officials about how the situation looks from their perspective. In most ways, their judgment was reassuringly soothing; unfortunately, it left me with a new problem to worry about.

Without meaning to sound flip, I think the strictly military aspects of U.S.-China relations appear to be something Americans can rest easy about for a long time to come. Hypercautious warnings to the contrary keep cropping up, especially in the annual reports on China's strategic power produced since 2000 by the Pentagon each spring and by the U.S.-China Economic and Security Review Commission each fall. Yet when examined in detail, even these show the limits of the Chinese threat. To summarize:

- In overall spending, the United States puts between five and 10 times as much money into the military per year as China does, depending on different estimates of China's budget. Spending does not equal effectiveness, but it suggests the difference in scale.

- In sophistication of equipment, Chinese forces are only now beginning to be brought up to speed. For instance, just one-quarter of its naval surface fleet is considered "modern" in electronics, engines, and weaponry.

- In certain categories of weaponry, the Chinese don't even compete. For instance, the U.S. Navy has 11 nuclear-powered aircraft-carrier battle groups. The Chinese navy is only now moving toward construction of its very first carrier.

- In the unglamorous but crucial components of military effectiveness -- logistics, training, readiness, evolving doctrine -- the difference between Chinese and American standards is not a gap but a chasm. After a natural disaster anywhere in the world, the American military's vast airlift and sealift capacity often brings rescue supplies. The Chinese military took days to reach survivors after the devastating Sichuan earthquake in May of 2008, because it has so few helicopters and emergency vehicles.

- For better and worse, in modern times, American forces are continually in combat somewhere in the world. This has its drawbacks, but it means that U.S. leaders, tactics, and doctrine are constantly refined by the realities of warfare. In contrast, vanishingly few members of the People's Liberation Army have any combat experience whatsoever. The PLA's last major engagement was during its border war with Vietnam in February and March of 1979, when somewhere between 7,000 of its soldiers (Chinese estimate) and 25,000 (foreign estimates) were killed within four weeks.

Beyond all this is a difference of military culture rarely included in American discussions of the Chinese threat -- and surprising to those unfamiliar with the way China's Communist government chose to fund its army. The post-Vietnam American military has been fanatically devoted to creating a "warrior" culture of military professionalism.
The great struggle of the modern PLA has been containing the crony-capitalist culture that comes from its unashamed history of involvement in business. Especially under Deng Xiaoping, the Chinese military owned and operated factories, hotels and office buildings, shipping and trucking companies, and other businesses both legitimate and shady. In the late 1990s President Jiang Zemin led a major effort to peel the PLA's military functions away from its business dealings, but by all accounts, corruption remains a major challenge in the Chinese military, rather than the episodic problem it is for most Western forces. One example: at a small airport in the center of the country, an airport manager told me about his regular schedule of hong bao deliveries -- "red envelopes," or discreet cash payoffs -- to local air-force officers, to ensure airline passage through the sector of airspace they controlled. (Most U.S. airspace is controlled by the Federal Aviation Administration; nearly all of China's, by the military.) A larger example is the widespread assumption that military officials control the vast Chinese traffic in pirated movie DVDs.

The Chinese military's main and unconcealed ambition is to someday be strong enough to take Taiwan by force if it had to. But the details of the balance of power between mainland and Taiwanese forces, across the Straits of Taiwan, have been minutely scrutinized by all parties for decades, and shifts will not happen by surprise. The annual reports from the Pentagon and the Security Review Commission lay out other possible scenarios for conflict, but in my experience it is rare to hear U.S. military or diplomatic officials talk about war with China as a plausible threat. "My view is that the political leadership is principally focused on creating new jobs inside the country," I was told by retired Admiral Mike McConnell, a former head of the National Security Agency and the director of national intelligence under George W. Bush.
Another former U.S. official put it this way: "We tend to think of everything about China as being multiplied by 1.3 billion. The Chinese leadership has to think of everything as being divided by 1.3 billion" -- jobs, houses, land. Russell Leigh Moses, who has lived in China for years and lectures at programs to train Chinese officials, notes that the Chinese military, like its counterparts everywhere, is "determined not to be neglected." But "so many problems occupy the military itself -- including learning how to play the political game -- that there is no consensus to take on the U.S." Yes, circumstances could change, and someday there could be a consensus to "take on the U.S." But the more you hear about the details, the harder it is to worry seriously about that now.

So why should we worry? After conducting this round of interviews, I now lose sleep over something I'd generally ignored: the possibility of a "cyberwar" that could involve attacks from China -- but, alarmingly, could also be launched by any number of other states and organizations.

The cyber threat is the idea that organizations or individuals may be spying on, tampering with, or preparing to inflict damage on America's electronic networks. Google's recent announcement of widespread spying "originating from China" brought attention to a problem many experts say is sure to grow. China has hundreds of millions of Internet users, mostly young. In any culture, this would mean a large hacker population; in China, where tight control and near chaos often coexist, it means an Internet with plenty of potential outlaws and with carefully directed government efforts, too. In a report for the U.S.-China Economic and Security Review Commission late last year, Northrop Grumman prepared a time line of electronic intrusions and disruptions coming from sites inside China since 1999. In most cases it was impossible to tell whether the activity was amateur or government-planned, the report said.
But whatever their source, the disruptions were a problem. And in some instances, the "depth of resources" and the "extremely focused targeting of defense engineering data, US military operational information, and China-related policy information" suggested an effort that would be "difficult at best without some type of state-sponsorship."

The authorities I spoke with pooh-poohed as urban myth the idea that an electronic assault was behind the power failures that rippled from the Midwest to the East Coast in August of 2003. By all accounts, this was a cascading series of mechanical and human errors. But after asking corporate and government officials what worried them, I learned several unsettling things I hadn't known before.

First, nearly everyone in the business believes that we are living in, yes, a pre-9/11 era when it comes to the security and resilience of electronic information systems. Something very big -- bigger than the Google-China case -- is likely to go wrong, they said, and once it does, everyone will ask how we could have been so complacent for so long. Electronic-commerce systems are already in a constant war against online fraud. "The real skill to running a successful restaurant has relatively little to do with producing delicious food and a lot to do with cost and revenue management," an official of an Internet commerce company told me, asking not to be named. "Similarly, the real business behind PayPal, Google Checkout, and other such Internet payment systems is fraud and risk management," since the surge of attempted electronic theft is comparable to the surge of spam through e-mail networks.

At a dinner in Washington late last year, I listened to two dozen cyber-security experts compare tales of near-miss disasters. The consensus was that only a large-scale public breakdown would attract political attention to the problem, and that such a breakdown would occur. "Cyber crime is not conducted by some 15-year-old kids experimenting with viruses,"
Eugene Spafford, a computer scientist at Purdue, who is one of the world's leading cyber-security figures (and was at the dinner), told me later via e-mail.

It is well-funded and pursued by mature individuals and groups of professionals with deep financial and technical resources, often with local government (or other countries') toleration if not support. It is already responsible for billions of dollars a year in losses, and it is growing and becoming more capable. We have largely ignored it, and building our military capabilities is not responding to that threat.

With financial, medical, legal, intellectual, logistic, and every other sort of information increasingly living in "the cloud," the consequences of collapse or disruption are unpleasant to contemplate. A forthcoming novel, Directive 51, by John Barnes, does indeed contemplate them, much as in the 1950s Nevil Shute imagined the world after nuclear war in On the Beach. Barnes's view of the collapse of financial life (after all, our "assets" consist mostly of notations in banks' computer systems), the halt of most manufacturing systems, the evaporation of the technical knowledge that now exists mainly in the cloud, and other consequences is so alarming that the book could draw attention in a way no official report can.

Next, the authorities stressed that Chinese organizations and individuals were a serious source of electronic threats -- but far from the only one, or perhaps even the main one. You could take this as good news about U.S.-China relations, but it was usually meant as bad news about the problem as a whole. "The Chinese would be in the top three, maybe the top two, leading problems in cyberspace," James Lewis, a former diplomat who worked on security and intelligence issues and is now at the Center for Strategic and International Studies, in Washington, told me. "They're not close to being the primary problem, and there is debate about whether they're even number two."
Number one in his analysis is Russia, through a combination of state, organized-criminal, and unorganized-individual activity. Number two is Israel -- and there are more on the list. "The French are notorious for looking for economic advantage through their intelligence system," I was told by Ed Giorgio, who has served as the chief code maker and chief code breaker for the National Security Agency. "The Israelis are notorious for looking for political advantage. We have seen Brazil emerge as a source of financial crime, to join Russia, which is guilty of all of the above." Interestingly, no one suggested that international terrorist groups -- as opposed to governments, corporations, or "normal" criminals -- are making significant use of electronic networks to inflict damage on Western targets, although some groups rely on the Internet for recruitment, organization, and propagandizing.

This led to another, more surprising theme: that the main damage done to date through cyberwar has involved not theft of military secrets nor acts of electronic sabotage but rather business-versus-business spying. Some military secrets have indeed leaked out, the most consequential probably being those that would help the Chinese navy develop a modern submarine fleet. And many people said that if the United States someday ended up at war against China -- or Russia, or some other country -- then each side would certainly use electronic tools to attack the other's military and perhaps its civilian infrastructure. But short of outright war, the main losses have come through economic espionage. "You could think of it as taking a shortcut on the 'D' of R&D," research and development, one former government official said. "When you create a new product, a competitor can cherry-pick the good parts and introduce a competitive product much more rapidly than he could otherwise."
Another technology expert, who serves on government advisory boards, told me, when referring to the steady loss of technological advantage, "We should not forget that it was China where 'death by a thousand cuts' originated." I heard of instances of Western corporate officials who arrived for negotiations in China and realized too late that their briefing books and internal numbers were already known by the other side. (In the same vein: I asked security officials whether the laptops and BlackBerry I had used while living in China would have been bugged in some way while I was there. The answers were variations on "Of course," with the "you idiot" left unsaid.)

The final theme was that even though these cyber concerns are not confined to China, the Chinese aspects do deserve consideration on their own, because China's scale, speed of growth, and complex relationship with the United States make it a unique case. Hackers in Russia or Israel might be more skillful one by one, but with its huge population China simply has more of them. The French might be more aggressive in searching for corporate secrets, but their military need not simultaneously consider how to stop the Seventh Fleet.

According to Mike McConnell, everything about China's military planning changed after its leaders saw the results of U.S. precision weapons in the first Gulf War. "They were shocked," he told me. "They had no idea warfare had progressed to that point, and they went on a crash course to take away our advantage." This meant both building their own information systems -- thus China's aspiration to create a Beidou (the Chinese name for the Big Dipper) system of satellites comparable to America's GPS -- and being prepared in time of war to "attack what they see as our soft underbelly, our military's dependence on networking," as McConnell put it, noting the vast emerging PLA literature on defending and attacking data networks.
Ed Giorgio, formerly of the NSA, has prepared charts showing the points of "asymmetric advantage" China might have over the long run in such competition. Point nine on his 12-point chart: "They know us much better than we know them (virtually every one of their combatants reads English and virtually none of ours read Mandarin. This, in itself, will surely precipitate a massive intelligence failure)." But James Lewis, of CSIS, pointed out an "asymmetric handicap": "For all the effort the Chinese put into cyber competition, external efforts" -- against a potential foe like the United States -- "are second priority. The primary priority is domestic control and regime survival. The external part is a side benefit."

For many other reasons, the China-cyber question will, like the China-finance and China-environment and China-human-rights questions, demand special attention and work. The implications of electronic insecurity will be with us in the long run, among the other enduring headaches of the modern age. The "solution" to them is like the solution to coping with China's rise: something that will unfold over the years and require constant attention, adjustments, and innovations. "Cyber security is a process, not a patch," Eugene Spafford said. "We must continue to invest in it -- and for the long term as well as the 'quick fix,' because otherwise we will always be applying fixes too late."

No doubt because I've been so preoccupied for so long with the implications of China's growth, I thought I heard a familiar note in the recommendations that many of the cyber-security experts offered. The similarity lies in their emphasis on openness, transparency, and international contact as the basis of a successful policy. In overall U.S. dealings with China, it matters tremendously that so many Chinese organizations are led or influenced by people who have spent time in America or with Americans.
Today's financial, academic, and business elite in China is deeply familiar with the United States, many of its members having studied or worked here. They may disagree on points of policy -- for instance, about trade legislation -- but they operate within a similar set of concepts and facts. This is less true of China's political leaders, and much less true of its military -- with a consequently much greater risk of serious misunderstanding and error. The tensest moment in modern China's security relationship with the outside world came in January of 2007, when its missile command shot one of its own weather satellites out of the sky, presumably to show the world that it had developed anti-satellite weaponry. The detonation filled satellite orbits with dangerous debris; worse, it seemed to signal an unprovoked new step in militarizing space. By all accounts, President Hu Jintao okayed this before it occurred; but no one in China's foreign ministry appeared to have advance word, and for days diplomats sat silent in the face of worldwide protests. The PLA had not foreseen the international uproar it would provoke -- or just didn't care.

Precisely in hopes of building familiarity like that in the business world, the U.S. Navy has since the 1980s taken the lead in military-to-military exchanges with the PLA. "I think both sides are trying to figure out what kind of a military-to-military relationship is feasible and proper," David Finkelstein, of the Center for Naval Analyses, in suburban Washington, D.C., told me. "We have two militaries that, in some circumstances, see each other as possible adversaries. At the same time, at the level of grand strategy, the two nations are trying to accommodate each other. There is a major chasm, but both sides are working hard to bridge it." Such exposure obviously doesn't eliminate the real differences of national interest between the two countries, but I believe it makes outright conflict less likely.
A similar high-road logic seems to lie behind recommendations for cyber security in general, and for dealing with the Chinese cyber threat in particular. The NSA, which McConnell directed and where Giorgio worked, is renowned for its secrecy. But both men, along with others, now argue that to defend information networks, the U.S. should talk openly about risks and insecurities -- and engage the Chinese government and military in an effort to contain the problem.

As a matter of domestic U.S. politics, McConnell argues that we now suffer from a conspiracy of secrecy about the scale of cyber risks. No credit-card company wants to admit how often or how easily it is cheated. No bank or investment house wants to admit how close it has come to being electronically robbed. As a result, the changes in law, regulation, concept, or habit that could make online life safer don't get discussed. Sooner or later, the cyber equivalent of 9/11 will occur -- and, if the real 9/11 is a model, we will understandably, but destructively, overreact.

While trying to build bridges to the military, McConnell and others recommend that the U.S. work with China on international efforts to secure data networks, comparable to the Chinese role in dealing with the world financial crisis. "You could have the model of the International Civil Aviation Organization," James Lewis said, "a body that can reduce risks for everyone by imposing common standards. It's moving from the Wild West to the rule of law." Why would the Chinese government want to join such an effort? McConnell's answer was that an ever-richer China will soon have as clear a stake in secure data networks as it did in safe air travel.

We're naturally skeptical of abstractions like "cooperation" or "greater openness" as the solutions to tough-guy, real-world problems.
But in making the best of a world that will inevitably be changed by increasing Chinese power and increasing electronic threats from many directions, those principles may offer the right, realistic place to start.

The URL for this page is http://www.theatlantic.com/doc/201003/china-cyber-war

From rforno at infowarrior.org Wed Feb 10 18:27:05 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Feb 2010 13:27:05 -0500
Subject: [Infowarrior] - Google Becomes an ISP: Plans to Deliver 1 Gigabit Connections to 50,000 Homes
Message-ID: <795AECDF-418E-4BA6-AEB9-DC80CCFA21C2@infowarrior.org>

Google Becomes an ISP: Plans to Deliver 1 Gigabit Connections to 50,000 Homes
Written by Frederic Lardinois / February 10, 2010 8:09 AM
http://www.readwriteweb.com/archives/google_becomes_an_isp_plans_to_deliver_1_gigabit_c.php

Google just announced that it will begin to build and test an ultra high-speed broadband network in a small number of locations in the United States. The company wants to offer fiber-to-the-home connections that will reach 1 gigabit per second. For now, Google plans to first roll out these connections to around 50,000 people, with the potential to reach over 500,000 people at a later stage. According to Google, this will be an experiment. The company hasn't decided on where to build this network yet, but you can nominate your own neighborhood here. The nomination process will end on March 26 and Google plans to announce where it will deploy this network by the end of the year.

According to today's announcement, Google plans to offer these connections at "competitive prices" and wants the networks to be open to competitors. Google currently operates a free WiFi network in its hometown of Mountain View.

Finding Killer Apps

According to Google, this effort will help the company to experiment with "new ways to help make Internet access better and faster for everyone."
Specifically, Google wants to see what the "killer apps" for these kinds of connections are and test how to build better fiber networks.

U.S. is Lagging Behind - Will this Help?

The U.S. has been lagging behind with regard to broadband speeds and adoption. Just last year, the average broadband speed in the U.S. actually declined. With Chrome and the Chrome OS, Google has recently tackled a number of problems where it feels like the company is more interested in pushing technology forward than becoming a market leader. Nobody has really pushed broadband speeds in the U.S. forward and, given that there are a lot of places where the incumbent cable providers don't even have competition, there has been relatively little incentive for these ISPs to provide higher speeds.

From rforno at infowarrior.org Wed Feb 10 22:15:38 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Feb 2010 17:15:38 -0500
Subject: [Infowarrior] - Storm of the Century (we did it!)
Message-ID: <715D3A40-1B87-4FC1-BD45-ACEC251665F0@infowarrior.org>

http://www.wtopnews.com/?nid=25&sid=1885272

Baltimore, D.C. break records for snowiest winter
February 10, 2010 - 3:42pm

STERLING, Va. - The current storm has put Baltimore and Washington over the top for their snowiest season on record. Bryan Jackson of the National Weather Service says that as of 7 a.m. Wednesday, 5.2 inches of snow had fallen since Tuesday at Baltimore-Washington International Thurgood Marshall Airport. That brings the total snowfall since December to 65.6 inches and is the most since record-keeping began in Baltimore in 1893. The previous record, from 1995-96, was 62.5 inches.

Meanwhile, Washington reached a seasonal snowfall record on Wednesday. As of 2 p.m., there were 54.9 inches recorded at Reagan National Airport. That's a half-inch above the previous record from the 1898-1899 season.
Washington Dulles International Airport, which already had its snowiest season before the current storm began, has gotten another 4 inches. That brings its total for the season to 67.5 inches.

From rforno at infowarrior.org Thu Feb 11 02:52:15 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Feb 2010 21:52:15 -0500
Subject: [Infowarrior] - Google Buzz? More Like Buzz Kill
Message-ID: <52AEC321-D39E-4EB7-85AE-AD8627E1CEEC@infowarrior.org>

Google Buzz? More Like Buzz Kill
Daniel Lyons
http://blog.newsweek.com/blogs/techtonicshifts/archive/2010/02/10/google-buzz-more-like-buzz-kill.aspx

God bless those hard-working techies in Silicon Valley for inventing this constant stream of things that serve mostly to make me feel guilty because I don't want to use them even though everyone else says they're the greatest thing ever. First came Facebook, which I joined but rarely use, and now has become just one more e-mail inbox that I need to check once in a while. Then came Twitter, which is mostly pointless, since I really don't care what anyone else is doing at any particular moment and have no desire to tell others what I'm doing either, but again I joined, mostly because if I didn't get on Twitter I'd look like someone who doesn't "get it," as they say in the Valley, and in my line of work that's a bad reputation to have. Next came Facebook games like Mafia Wars and FarmVille, and again I joined so I could see what the big deal was, only to find that the big deal was, well, not such a big deal, and I never used them because who has time to play online games, but now every time I go to Facebook I get bombarded with messages informing me that someone I don't know has sent me an energy pack, and in general Facebook is becoming so overwhelmed with spam and useless junk that the noise-to-signal ratio is about 100 to 1.
Then came Google Wave, and again I signed up, but as far as I can tell nobody is actually using Google Wave, mostly because nobody can figure out what it does or how it works, so that it exists only as a catnip toy for new media wanker-pundits who love it because it gives them something to blather on about, plus it provides them with yet another weapon in their arsenal of things that can be used to make lesser folks, like me, feel yet more guilty and left behind.

And now, ta-da, comes Google Buzz, announced yesterday, and I swear to God I just want to start screaming. What is it? Apparently it is Gmail on steroids. Basically, Google has copied stuff that people do on Facebook and Twitter and added them to Gmail, so that now my e-mail can become another place where I can network socially with my social network of people I don't really even know. I can (but won't) share pictures and status updates with people in my Gmail contacts list, and they can (and, sadly, will, unless I can prevent them) start doing the same to me. Google's promo video, complete with the requisite cutesy drawings and happy music and groovy-guy voice-over, was intended to make it all sound perfectly simple but instead had me reaching for the Xanax.

Good grief. Why, Google? Why take a perfectly wonderful e-mail system and pollute it by adding a zillion new things to it? I'm not looking for more clutter in my life. I'm looking for less. At the launch event some Google exec claimed Buzz is a way to "find the signal in the social networking noise," but to me it looks like Google is just adding to the noise.

Why does Buzz even exist? Is it because Google wants to make my life better in some way? No. Buzz exists because Google feels threatened by Twitter and Facebook and wants to kill them. Google has become what Microsoft used to be -- the Borg, the company that gobbles up ideas from smaller rivals and cranks out lame imitations in an attempt to put the little guys out of business.
That is the biggest problem with Buzz--it was invented not for us but for Google. So now, because Google feels threatened, we have yet another thing to learn, which won't be easy because Google is basically a world where nerd engineers get turned loose in a Montessori preschool, and they have no idea about user interface design and, frankly, they don't care. Instead of aping Microsoft, Google should take a page from Apple's playbook. Sure, Steve Jobs is a control freak. But at least Apple remembers that computers were originally intended to make our lives easier--not provide us with ever-more-pointless chores.
From rforno at infowarrior.org Thu Feb 11 02:58:05 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 Feb 2010 21:58:05 -0500 Subject: [Infowarrior] - Operation Cyber Shockwave Message-ID: (Few of the named participants have any direct - or relevant - operational cyber expertise, IMHO......which perhaps explains why the video trailer promoting this event looks like something straight out of Hollywood. One has to wonder how useful or insightful this drill will be? -rf) The Bipartisan Policy Center has created Cyber ShockWave, a simulated cyber attack on our nation. To defend against this attack, a working group of high-ranking former White House, Cabinet and national security officials will come together. Their mission: to advise the President as the nation grapples with this crisis. http://bipartisanpolicy.org/events/cyber2010 Cyber ShockWave Participants: Michael Chertoff, Former Secretary of Homeland Security; Fran Townsend, Former White House Homeland Security Advisor; J.
Bennett Johnston, Former Senator (D-LA); John Negroponte, Former Director of National Intelligence; Jamie Gorelick, Former Deputy Attorney General; Joe Lockhart, Former White House Press Secretary; John McLaughlin, Former Acting Director of Central Intelligence; Stephen Friedman, Former Director of the National Economic Council; Stewart Baker, Former National Security Agency General Counsel; Charles Wald, Former Deputy Commander of U.S. European Command
From rforno at infowarrior.org Thu Feb 11 04:29:57 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 Feb 2010 23:29:57 -0500 Subject: [Infowarrior] - The VoIP Steganography Threat Message-ID: The VoIP Steganography Threat A growing cadre of criminals is hiding secret messages in voice data http://spectrum.ieee.org/telecom/internet/vice-over-ip-the-voip-steganography-threat/0 quick summary from wired.com: http://www.wired.com/dangerroom/2010/02/how-to-smuggle-secret-information-with-voip/ "IEEE Spectrum found three different ways that messages could be encrypted and sent via VoIP, with little or no possibility for detection or interception. By delaying specific packets, corrupting packets, or changing the identification information of packets, users can sort out their message, which is then easily decoded by freely available software. In the course of a Skype call that only lasts a few minutes, massive amounts of data can be sent--without any detection or permanent record."
From rforno at infowarrior.org Thu Feb 11 19:10:58 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 Feb 2010 14:10:58 -0500 Subject: [Infowarrior] - New Anti-Piracy Windows 7 Update "Phones Home" Message-ID: February 11, 2010 Who Owns Your PC? New Anti-Piracy Windows 7 Update "Phones Home" to Microsoft Every 90 Days http://lauren.vortex.com/archive/000681.html Greetings. Sometimes a seemingly small software update can usher in a whole new world.
When Microsoft shortly pushes out a Windows 7 update with the reportedly innocuous title "Update for Microsoft Windows (KB71033)" -- it will be taking your Windows 7 system where it has never been before. And it may not be a place where you want to go. Imagine that you're sitting quietly in your living-room at your PC, perhaps watching YouTube. Suddenly, a pair of big, burly guys barge into your house and demand that you let them check your computer to make sure that it's "genuine" and not running pirated software. You protest that you bought it fair and square, but they're insistent -- so you give in and let them proceed. Even though you insist that you bought your laptop from the retail computer store down the street many months ago, and didn't install any pirate software, the visitors declare that your computer "isn't genuine" according to their latest pirated systems lists, and they say that "while we'll let you keep using it, we've modified your system so that it will constantly nag in your face until you pay up for a legit system!" And they head out the door to drop in on the eBay-loving grandmother next door. You then notice that the wallpaper on your PC has turned black, and these strange notifications keep popping up urging you to "come clean." Ridiculous? Well, uh, actually no. Microsoft most definitely has a valid interest in fighting the piracy of their products. It's a serious problem, with negative ramifications for Microsoft and its users. But in my opinion, Microsoft is about to embark on a dramatic escalation of anti-piracy efforts that many consumers are likely to consider to be a serious and unwanted intrusion at the very least. It's important for you to understand what Microsoft is going to do, what your options are, and why I am very concerned about their plans.
Back in June 2006, in a series of postings, I revealed how Microsoft was performing unannounced "phone home" operations over the Internet as part of their Windows Genuine Advantage authentication system for Windows XP. (The last in that series of postings describes Microsoft's reaction to the resulting controversy.) The surrounding circumstances even spawned a lawsuit against Microsoft, which coincidentally was recently dismissed by a judge. But Microsoft has continued to push the anti-piracy envelope, now under the name Windows Activation Technologies (WAT). This time around, to the company's credit (and many thanks to them for this!) Microsoft reached out to me starting several months ago for briefings and discussion about their plans for a major new WAT thrust -- on the basis, to which I agreed, that I not discuss it publicly until now. The release of Windows 7 "Update for Microsoft Windows (KB71033)" will change the current activation and anti-piracy behavior of Windows 7 by triggering automatic "phone home" operations over the Internet to Microsoft servers, typically for now at intervals of around 90 days. The purpose? To verify that you're not running a pirated copy of Windows, and to take various actions changing the behavior of your PC if the WAT system believes that you are not now properly authenticated and "genuine" -- even if up to that point in time it had been declaring you to be A-OK. Note that I'm not talking about the one-time activation that you (or your PC manufacturer) performs on new Windows systems to authenticate them to Microsoft initially. I'm talking about a procedure that would "check-in" your system with Microsoft at quarterly intervals, and that could take actions to significantly change your "user experience" whenever the authentication regime declares you to have fallen from grace.
These automatic queries will repeatedly -- apparently for as long as Windows is installed -- validate your Windows 7 system against Microsoft's latest database of pirated system signatures (currently including more than 70 activation exploits known to Microsoft). If your system matches -- again even if up to that time (which could be months or even years since you obtained the system) it had been declared to be genuine -- then your system will be "downgraded" to "non-genuine" status until you take steps to obtain what Microsoft considers to be an authentic, validated, Windows 7 license. In some cases you might be able to get this for free if you can convince Microsoft that you were the victim of a scam -- but you'll have to show them proof. Otherwise, you'll need to pull out your wallet. I'm told that the KB71033 update (this is the KB number provided to me, if it changes I'll let you know!) is scheduled to deploy to the manual downloading "Genuine Microsoft Software" site on February 16, and start pushing out automatically through the Windows Update environment on February 23. The update will reportedly be tagged simply as an "Important" update. This means that if you use the Windows Update system, the update will be installed to your Windows 7 PC based on whatever settings you currently have engaged for that level of update -- it will not otherwise ask for specific permission to proceed with installation. If your Windows Update settings are such that you manually install updates, you can choose to decline this particular update and you can also uninstall it later after installation -- without any negative effects per se. But don't assume that this will always "turn back the clock" in terms of the update's effects. More on this below. Also, reportedly if the 90-day interval WAT piracy checking system "calls" are unable to connect to the Microsoft servers (or even if they are manually blocked from connecting, e.g. 
by firewall policies) there will reportedly be no ill effects. However -- and this is very important -- if the update is installed and the authentication system then (after connecting with the associated Microsoft authentication servers at any point) decides that your system is not genuine, the "downgrading" that occurs will not be reversible by uninstalling the update afterward. The WAT authentication system also includes various other features, such as the ability to automatically replace authentication/license related code on PCs if it decides that the official code has been tampered with (Microsoft rather euphemistically calls this procedure "self heal"). I've mentioned that Windows 7 systems will be "downgraded" to "non-genuine" status if they're flagged as suspected pirates. What does this mean? Essentially, they'll behave the same way they would if they had failed to be authenticated and activated initially within the grace period after purchase. Downgraded systems will still function much as usual fundamentally, but there will be some very significant (and very annoying) changes if your system has been designated non-genuine. The background wallpaper will change to black. You can set it back to whatever you want, but once an hour or so it will reset again to black. Various "nag" notifications will appear at intervals to "remind" you that your system has been tagged as a likely pirate and offering you the opportunity to "come clean" -- becoming authorized and legitimate by buying a new Windows 7 license. Some of these nags will be windows that appear at boot or login time, others will appear frequently (perhaps every 20 minutes or so) as main screen windows and taskbar popup notices. Systems that are considered to be non-genuine also have only limited access to other Microsoft updates of any kind (e.g., access to high priority security updates, but not anything else, may be permitted).
And of course, under the new WAT regime you run the risk of being downgraded into this position at any time during the life of your PC. In response to my specific queries about how downgraded systems (particularly unattended systems) would behave vis-a-vis existing application environments, Microsoft has said that they have taken considerable effort to avoid having the downgrade "nag system" interfere with the actual running of other applications, including stealing of windows' focus. It remains to be seen how well this aspect turns out in practice. All of this brings us to a very basic question. Why would any PC owner -- honest or pirate -- voluntarily participate in such a continuing "phone home" authentication regime? Obviously, knowledgeable pirates will avoid the whole thing like the plague any way that they can. Microsoft's view, as explained to me and as primarily emphasized in their blog posting that will appear today announcing the WAT changes, is that honest Windows 7 users will want to know if their systems are running unauthentic copies of the operating system, since (Microsoft asserts and indeed is the case) those systems have a significant likelihood of also containing dangerous viruses or other potentially damaging illicit software that "ride" onto the PC along with the unauthentic copy of the OS. But even if we assume that there's a noteworthy risk of infections on systems running pirated copies of Windows 7, the approach that Microsoft is now taking doesn't seem to make sense even for honest consumers. If Microsoft's main concern were really just notifying users about "contaminated" systems, they could do so without triggering the non-genuine downgrading process and demands that the user purchase a new license (demands that will be extremely confusing to many users).
As I originally discussed in How Innocents Can Be Penalized by Windows Genuine Advantage, it's far more common than many people realize for completely innocent users to be running perfectly usable -- but not formally authenticated -- copies of Windows Operating Systems through no fault whatever of their own. OK, let's review where we stand. The new Microsoft WAT regime relies upon a series of autonomous "cradle to grave" authentication verification connections to a central and ever-expanding Microsoft piracy signature database, even in the absence of major hardware changes or other significant configuration alterations that might otherwise cause the OS or local applications to query the user for explicit permission to reauthenticate. Microsoft will trigger forced downgrading to non-genuine status if they believe a Windows 7 system is potentially pirated based on their "phone home" checks that will occur at (for now) 90 day intervals during the entire life of Windows 7 on a given PC, even months or years after purchase. That Microsoft has serious piracy problems, and has "limited" the PC downgrading process to black wallpaper, repeating nagging at users, and extremely constrained update access isn't the key point. Nor is the ostensibly "voluntary" nature of the update triggering these capabilities (I say ostensibly since almost certainly most users will have the update installed automatically and won't even realize what it means at the time). The new Microsoft WAT update and its associated actions represent unacceptable intrusions into the usability of consumer products potentially long after the products have been purchased and have been previously declared to be genuine. Microsoft is not entirely alone in such moves. For example, a major PC game manufacturer has apparently announced that their games will soon no longer run at all if you don't have an Internet connection to allow them to authenticate at each run. 
Still, games and other applications are one thing, operating systems are something else altogether. And regardless of whether we're talking about games or Windows 7, it's unacceptable for consumers to be permanently shackled to manufacturers via lifetime authentication regimes -- particularly ones that can easily impact innocent parties -- that can degrade their ability to use the products that they've purchased in many cases months or even years earlier. Fundamentally, for Microsoft to assert that they have the right to treat ordinary PC-using consumers in this manner -- declaring their systems to be non-genuine and downgrading them at any time -- is rather staggering. Make no mistake about it, fighting software piracy is indeed important, but Microsoft seems to have lost touch with a vast swath of their loyal and honest users if the firm actually believes their new WAT anti-piracy monitoring system is an acceptable policy model. My recommendations to persons who currently run or plan to run Windows 7 are simplicity themselves. I recommend that you strongly consider rejecting the manual installation of the Windows Activation Technologies update KB71033, and do not permit Windows Update to install it (this will require that you not have your PC configured in update automatic installation mode, which has other ramifications -- so you may wish to consult a knowledgeable associate if you're not familiar with Windows Update configuration issues). And if at some point in the future you find that the update has been installed and your PC is still running normally, remove the update as soon as possible. 
While I certainly appreciate Microsoft's piracy problems, and the negative impact that these have both on the company and consumers, I believe that the approach represented by this kind of escalation on the part of Microsoft and others -- into what basically amounts to a perpetual anti-piracy surveillance regime embedded within already purchased consumer equipment -- is entirely unacceptable. --Lauren--
From rforno at infowarrior.org Thu Feb 11 22:08:42 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 Feb 2010 17:08:42 -0500 Subject: [Infowarrior] - Feds push for tracking cell phones Message-ID: <16EB0F98-E672-46BD-8179-2EA4B3810B4B@infowarrior.org> February 11, 2010 4:00 AM PST Feds push for tracking cell phones by Declan McCullagh http://news.cnet.com/8301-13578_3-10451518-38.html Two years ago, when the FBI was stymied by a band of armed robbers known as the "Scarecrow Bandits" that had robbed more than 20 Texas banks, it came up with a novel method of locating the thieves. FBI agents obtained logs from mobile phone companies corresponding to what their cellular towers had recorded at the time of a dozen different bank robberies in the Dallas area. The voluminous records showed that two phones had made calls around the time of all 12 heists, and that those phones belonged to men named Tony Hewitt and Corey Duffey. A jury eventually convicted the duo of multiple bank robbery and weapons charges. Even though police are tapping into the locations of mobile phones thousands of times a year, the legal ground rules remain unclear, and federal privacy laws written a generation ago are ambiguous at best. On Friday, the first federal appeals court to consider the topic will hear oral arguments (PDF) in a case that could establish new standards for locating wireless devices.
In that case, the Obama administration has argued that warrantless tracking is permitted because Americans enjoy no "reasonable expectation of privacy" in their--or at least their cell phones'-- whereabouts. U.S. Department of Justice lawyers say that "a customer's Fourth Amendment rights are not violated when the phone company reveals to the government its own records" that show where a mobile device placed and received calls. Those claims have alarmed the ACLU and other civil liberties groups, which have opposed the Justice Department's request and plan to tell the U.S. Third Circuit Court of Appeals in Philadelphia that Americans' privacy deserves more protection and judicial oversight than what the administration has proposed. "This is a critical question for privacy in the 21st century," says Kevin Bankston, an attorney at the Electronic Frontier Foundation who will be arguing on Friday. "If the courts do side with the government, that means that everywhere we go, in the real world and online, will be an open book to the government unprotected by the Fourth Amendment." Not long ago, the concept of tracking cell phones would have been the stuff of spy movies. In 1998's "Enemy of the State," Gene Hackman warned that the National Security Agency has "been in bed with the entire telecommunications industry since the '40s--they've infected everything." After a decade of appearances in "24" and "Live Free or Die Hard," location-tracking has become such a trope that it was satirized in a scene with Seth Rogen from "Pineapple Express" (2008). Once a Hollywood plot, now 'commonplace' Whether state and federal police have been paying attention to Hollywood, or whether it was the other way around, cell phone tracking has become a regular feature in criminal investigations. 
It comes in two forms: police obtaining retrospective data kept by mobile providers for their own billing purposes that may not be very detailed, or prospective data that reveals the minute-by-minute location of a handset or mobile device. Obtaining location details is now "commonplace," says Al Gidari, a partner in the Seattle offices of Perkins Coie who represents wireless carriers. "It's in every pen register order these days." Gidari says that the Third Circuit case could have a significant impact on police investigations within the court's jurisdiction, namely Delaware, New Jersey, and Pennsylvania; it could be persuasive beyond those states. But, he cautions, "if the privacy groups win, the case won't be over. It will certainly be appealed." CNET was the first to report on prospective tracking in a 2005 news article. In a subsequent Arizona case, agents from the Drug Enforcement Administration tracked a tractor trailer with a drug shipment through a GPS-equipped Nextel phone owned by the suspect. Texas DEA agents have used cell site information in real time to locate a Chrysler 300M driving from Rio Grande City to a ranch about 50 miles away. Verizon Wireless and T-Mobile logs showing the location of mobile phones at the time calls became evidence in a Los Angeles murder trial. And a mobile phone's fleeting connection with a remote cell tower operated by Edge Wireless is what led searchers to the family of the late James Kim, a CNET employee who died in the Oregon wilderness in 2006 after leaving a snowbound car to seek help. The way tracking works is simple: mobile phones are miniature radio transmitters and receivers.
A cellular tower knows the general direction of a mobile phone (many cell sites have three antennas pointing in different directions), and if the phone is talking to multiple towers, triangulation yields a rough location fix. With this method, accuracy depends in part on the density of cell sites. The Federal Communications Commission's "Enhanced 911" (E911) requirements allowed rough estimates to be transformed into precise coordinates. Wireless carriers using CDMA networks, such as Verizon Wireless and Sprint Nextel, tend to use embedded GPS technology to fulfill E911 requirements. AT&T and T-Mobile comply with E911 regulations using network-based technology that computes a phone's location using signal analysis and triangulation between towers. T-Mobile, for instance, uses a GSM technology called Uplink Time Difference of Arrival, or U-TDOA, which calculates a position based on precisely how long it takes signals to reach towers. A company called TruePosition, which provides U-TDOA services to T-Mobile, boasts of "accuracy to under 50 meters" that's available "for start-of-call, midcall, or when idle." A 2008 court order to T-Mobile in a criminal investigation of a marriage fraud scheme, which was originally sealed and later made public, says: "T-Mobile shall disclose at such intervals and times as directed by (the Department of Homeland Security), latitude and longitude data that establishes the approximate positions of the Subject Wireless Telephone, by unobtrusively initiating a signal on its network that will enable it to determine the locations of the Subject Wireless Telephone." 
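The U-TDOA positioning the article describes, worked through as an added example (this is not code from the article, T-Mobile or TruePosition): four constructed tower positions on a flat local grid, tower clocks assumed synchronized as U-TDOA requires, and hand-picked timing errors to show how nanoseconds of timing jitter become metres of position error.

```python
import math

C = 299_792_458.0  # speed of light in m/s; range error = C * timing error

# Constructed sample values: four cell sites on a flat local east/north grid (metres).
TOWERS = [(0.0, 0.0), (5000.0, 0.0), (0.0, 5000.0), (5000.0, 5000.0)]


def simulate_tdoa(handset, towers, clock_offset_s=0.0, noise_s=None):
    """Time differences of arrival (seconds) at towers[1:] relative to towers[0].

    clock_offset_s is the handset's unknown transmit time; it cancels in the
    differences, which is why the network can fix a phone that does nothing
    but keep talking to the towers. noise_s holds per-tower timing errors.
    """
    noise_s = noise_s or [0.0] * len(towers)
    toa = [clock_offset_s + math.dist(handset, p) / C + n
           for p, n in zip(towers, noise_s)]
    return [t - toa[0] for t in toa[1:]]


def locate(towers, tdoas, guess=None, iters=50, tol=1e-6, max_step=1000.0):
    """Hyperbolic multilateration by Gauss-Newton least squares.

    Each TDOA tau_i defines a hyperbola |x - p_i| - |x - p_0| = C * tau_i;
    the squared residuals are minimised over x = (east, north). The 2x2
    normal equations are solved with Cramer's rule, standard library only.
    """
    p0 = towers[0]
    x, y = guess or (sum(p[0] for p in towers) / len(towers),
                     sum(p[1] for p in towers) / len(towers))
    for _ in range(iters):
        d0 = math.dist((x, y), p0)
        g0 = ((x - p0[0]) / d0, (y - p0[1]) / d0)  # gradient of |x - p0|
        jtj_xx = jtj_xy = jtj_yy = 0.0  # entries of J^T J (symmetric)
        jtr_x = jtr_y = 0.0             # entries of J^T r
        for p, tau in zip(towers[1:], tdoas):
            d = math.dist((x, y), p)
            r = (d - d0) - C * tau
            jx = (x - p[0]) / d - g0[0]
            jy = (y - p[1]) / d - g0[1]
            jtj_xx += jx * jx
            jtj_xy += jx * jy
            jtj_yy += jy * jy
            jtr_x += jx * r
            jtr_y += jy * r
        det = jtj_xx * jtj_yy - jtj_xy * jtj_xy
        if abs(det) < 1e-12:
            raise ValueError("degenerate geometry: towers nearly collinear")
        # Solve [xx xy; xy yy] * (dx, dy) = -(jtr_x, jtr_y)
        dx = (-jtr_x * jtj_yy + jtj_xy * jtr_y) / det
        dy = (-jtj_xx * jtr_y + jtj_xy * jtr_x) / det
        step = math.hypot(dx, dy)
        if step > max_step:  # damp early steps so a poor guess cannot overshoot
            dx, dy = dx * max_step / step, dy * max_step / step
            step = max_step
        x, y = x + dx, y + dy
        if step < tol:
            break
    return (x, y)


def demo():
    """Locate a constructed handset with clean and with perturbed timings.

    Returns the position errors in metres, so the effect of timing noise on
    the fix can be read directly (100 ns of timing error is about 30 m of range).
    """
    truth = (1200.0, 3400.0)  # constructed handset position on the same grid
    clean = locate(TOWERS, simulate_tdoa(truth, TOWERS, clock_offset_s=0.0123))
    noisy = locate(TOWERS, simulate_tdoa(truth, TOWERS,
                                         noise_s=[0.0, 100e-9, -60e-9, 40e-9]))
    return {"clean_m": math.dist(clean, truth), "noisy_m": math.dist(noisy, truth)}


if __name__ == "__main__":
    for name, err in demo().items():
        print(f"{name}: {err:.1f} m")
```

The determinant guard is where the article's "accuracy depends in part on the density of cell sites" shows up: with towers nearly in a line the normal equations degenerate and the fix is unconstrained along one axis.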
'No reasonable expectation of privacy' In the case that's before the Third Circuit on Friday, the Bureau of Alcohol, Tobacco, Firearms and Explosives, or ATF, said it needed historical (meaning stored, not future) phone location information because a set of suspects "use their wireless telephones to arrange meetings and transactions in furtherance of their drug trafficking activities." U.S. Magistrate Judge Lisa Lenihan in Pennsylvania denied the Justice Department's attempt to obtain stored location data without a search warrant; prosecutors had invoked a different legal procedure. Lenihan's ruling, in effect, would require police to obtain a search warrant based on probable cause--a more privacy-protective standard. Lenihan's opinion (PDF)--which, in an unusual show of solidarity, was signed by four other magistrate judges--noted that location information can reveal sensitive information such as health treatments, financial difficulties, marital counseling, and extra-marital affairs. In its appeal to the Third Circuit, the Justice Department claims that Lenihan's opinion "contains, and relies upon, numerous errors" and should be overruled. In addition to a search warrant not being necessary, prosecutors said, because location "records provide only a very general indication of a user's whereabouts at certain times in the past, the requested cell-site records do not implicate a Fourth Amendment privacy interest." The Obama administration is not alone in making this argument. U.S. District Judge William Pauley, a Clinton appointee in New York, wrote in a 2009 opinion that a defendant in a drug trafficking case, Jose Navas, "did not have a legitimate expectation of privacy in the cell phone" location. That's because Navas only used the cell phone "on public thoroughfares en route from California to New York" and "if Navas intended to keep the cell phone's location private, he simply could have turned it off."
(Most cases have involved the ground rules for tracking cell phone users prospectively, and judges have disagreed over what legal rules apply. Only a minority has sided with the Justice Department, however.) Cellular providers tend not to retain moment-by-moment logs of when each mobile device contacts the tower, in part because there's no business reason to store the data, and in part because the storage costs would be prohibitive. They do, however, keep records of what tower is in use when a call is initiated or answered--and those records are generally stored for six months to a year, depending on the company. Verizon Wireless keeps "phone records including cell site location for 12 months," Drew Arena, Verizon's vice president and associate general counsel for law enforcement compliance, said at a federal task force meeting in Washington, D.C. last week. Arena said the company keeps "phone bills without cell site location for seven years," and stores SMS text messages for only a very brief time. Gidari, the Seattle attorney, said that wireless carriers have recently extended how long they store this information. "Prior to a year or two ago when location-based services became more common, if it were 30 days it would be surprising," he said. The ACLU, EFF, the Center for Democracy and Technology, and University of San Francisco law professor Susan Freiwald argue that the wording of the federal privacy law in question allows judges to require the level of proof required for a search warrant "before authorizing the disclosure of particularly novel or invasive types of information." In addition, they say, Americans do not "knowingly expose their location information and thereby surrender Fourth Amendment protection whenever they turn on or use their cell phones." "The biggest issue at stake is whether or not courts are going to accept the government's minimal view of what is protected by the Fourth Amendment," says EFF's Bankston. 
"The government is arguing that based on precedents from the 1970s, any record held by a third party about us, no matter how invasively collected, is not protected by the Fourth Amendment." Update 10:37 a.m. PT: A source inside the U.S. Attorney's Office for the northern district of Texas, which prosecuted the Scarecrow Bandits mentioned in the above article, tells me that this was the first and the only time that the FBI has used the location-data-mining technique to nab bank robbers. It's also worth noting that the leader of this gang, Corey Duffey, was sentenced last month to 354 years (not months, but years) in prison. Another member is facing 140 years in prison. Declan McCullagh is a contributor to CNET News and a correspondent for CBSNews.com who has covered the intersection of politics and technology for over a decade.
From rforno at infowarrior.org Fri Feb 12 12:39:05 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 Feb 2010 07:39:05 -0500 Subject: [Infowarrior] - Israel adds Cyber-Attack to IDF Message-ID: Israel adds Cyber-Attack to IDF http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=news/dti/2010/02/01/DT_02_01_2010_p39-198440.xml By David Eshel Tel Aviv There is no equivocation in how the Israeli military views cyber-security. "Using computer networks for espionage is as important to warfare today as the advent of air support was to warfare in the 20th century," says Maj. Gen. Amos Yadlin, chief of military intelligence.
Speaking recently at the Institute for National Security Studies (INSS) here, Yadlin says the ability to collect information and launch cyber-attacks gives small countries, terror groups and even individuals the power to inflict serious damage unlimited by range on a target--the kind of damage that was once the province of large countries. Noting that the U.S. and Britain are setting up cyber-warfare commands, Yadlin says Israel has its own soldiers and officers working on an "Internet warfare" team dedicated to cyber-security. The issue is critical for many governments. In the U.S., Lockheed Martin recently opened the NexGen Cyber Innovation and Technology Center to address global cyber-security needs. The company has helped launch an industry association focusing on providing government, business and industry (including defense contractors) with integrated cyber-security solutions (see p. 43). In confronting cyber-attacks, military intelligence has become a combat arm of the Israel Defense Forces (IDF). Computer networks are being exploited by hacking into databases or carrying out sabotage with malicious software (malware) that infiltrates and inflicts damage in adversary computers. To counter cyber-attack, Yadlin says Israel's armed forces have the means to provide adequate network security. "The cyber-warfare field fits well with Israel's defense doctrine." The ubiquity of the Internet and its ease of use make it vulnerable to infiltration, exploitation and sabotage. IDF intelligence estimates that several countries in the Middle East use Russian hackers and scientists to operate on their behalf. Since the 2006 war against Hezbollah, when cyber-warfare was part of the conflict, Israel has attached growing importance to cyber-tactics. Israel in fact is, along with the U.S., France and a couple of other nations, a leader in cyber-war planning.
Cyber-warfare teams are integrated within Israel's spy agencies, which have rich experience in traditional sabotage techniques. Israel's high-tech industry is at the forefront of computer and software development, particularly in the areas of security and communications. Companies such as Comverse and Nice Systems are world leaders in "legal eavesdropping" networks, while Checkpoint Software is an innovator in network security. Many international high-tech companies are locating research and development operations in Israel, where local hires are often veterans of the IDF's elite computer units. In fact, most of Israel's technical know-how originates from the army, especially the computer and C4I (command, control, communications, computers and intelligence) division of the intelligence branch. Veterans of these specialized units have become the mainstay of top-secret work at tech companies. While it is clear Israel has successfully used cyber-tactics against enemies, it is harder to know to what extent it has been hit by cyber-attacks. Israel says little about its cyber-operations, but occasional leaks point to a trend of active involvement by computer experts in covert and sometimes overt operations. In September 2007, for example, Israeli jets destroyed a suspected nuclear facility under construction in a remote part of Syria. From what journalists have discerned, Israel jammed Syrian radar and other defenses, allowing sufficient time to launch the strike undetected. During the attack, cyber-tactics appeared to involve remote air-to-ground electronic attack and network penetration of Syria's command-and-control systems. There is evidence that a sophisticated network attack and electronic hacking capability have become indispensable components of the IDF arsenal. Government-owned Elta Systems, an authority on communications intelligence (comint), recently announced a line of "CellInt"
support systems, offering cross-border interception of cellular networks and active monitoring of satellite links, including those operated by the UAE's Thuraya satellite communications network, used throughout Southwest Asia. Elta's cyber-warfare systems, activated from ground, naval, airborne or unmanned platforms, intercept a target network, track connections and calls between networks, and infiltrate deep into an enemy's communications loop.

The vanguard of Israel's cyber-warfare efforts is focused on blocking Iran's nuclear ambitions. A U.S. expert said recently that malware could be inserted, disrupting the controls of sensitive sites like uranium enrichment plants. The appeal of cyber-attacks has increased, Israeli intelligence sources say, due to the limited feasibility of air strikes on the distant and heavily fortified Iranian nuclear facilities, and by U.S. reluctance to open another war front in the region. The newspaper Ha'aretz reports that Israeli intelligence has tried to insert malware that can damage information systems within Iran's nuclear program. The systems are not connected to the Internet, but to equipment sold to the Iranian government.

This is the future of cyber-war. Modern societies are complex networks of people, information systems and equipment. Enormous advantages will be obtained by adversaries that quickly identify and neutralize critical nodes within the systems.

Apart from the military, two other government bodies operate in the field of cyber-warfare. Shin Bet, Israel's internal security authority, directs its focus on Palestinians and Israeli Arabs. The agency has established a department for the protection of information that is responsible for coordinating network security of government and infrastructure of strategic importance, such as Israel's electric utility or the Mekorot water company. A special department in the finance ministry also works to protect government cyber-systems from being hacked.
While critical systems are not directly connected to the Internet, they can be penetrated and attacked by indirect means, such as stealthy "Trojan horses" planted in electronic devices like cell phones, personal digital assistants and computers, through file-sharing services or through the Internet without an owner's knowledge, turning personal communicators into active eavesdropping devices.

Cyber-attacks against Israeli networks have been encountered in recent conflicts. When tensions with Hamas or the Palestinian Authority flare up, Israeli web sites immediately suffer a barrage of virtual assaults. During Operation Cast Lead in Gaza last year, cyber-attacks were unusually severe, peaking with millions of junk mail deliveries lasting for days.

Israel has made major investments in infrastructure as part of the global war on terrorism and the related fight against money-laundering and financial support of terrorist activities. Agencies are targeting individuals and groups of known terrorist supporters in an attempt to extract intelligence from e-mails, chat rooms, instant messaging and Internet phone calls. But there are more layers of information to be mined below such direct intercepts, empowering services with the capability to spot, track and isolate suspicious objectives through mass interception methods. Employing mass interception requires sophisticated analysis tools and processing reams of information, enabling services to trace network activities and extract clues by analyzing volumes of communications.

Though considered vulnerable to hostile intercepts, wireless cellular networks offer Western intelligence agencies dramatic advantages, since they have become common in Third World countries and in areas not covered by U.S. and European lawful interception acts.
Exploited by modern communications intelligence, wireless connections -- including WiFi, microwave links, local area networks, cellular systems and WiMax broadband mobile links, and even satellite networks -- are easily intercepted, providing covert access to a wealth of information without subscribers' or operators' knowledge. Hence, the demand for comint equipment. Physical networks considered relatively safe from eavesdropping have become vulnerable to stealthy probes, with bugging devices capable of capturing traffic over broadband channels and gathering intelligence by searching for suspicious words, phrases and names.

Critical government systems are run on intranets, networks that operate independently from the Internet and often carry sensitive and classified information. A nation's most secret networks are increasingly "air-gapped," meaning they do not link to other systems. But many government webs still have points at which they interface with the Internet, and thus can be infected with malware. So even though intranets are relatively controlled environments, one mistake in procedure, however slight, can compromise an entire network. Eternal vigilance, it has been said, is the price of freedom, and, it appears, of cyber-security.

From rforno at infowarrior.org Fri Feb 12 12:39:35 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 12 Feb 2010 07:39:35 -0500
Subject: [Infowarrior] - Einstein 2: U.S. government's 'enlightening' new cybersecurity weapon
Message-ID:

http://www.networkworld.com/news/2010/021110-cybersecurity-einstein-2.html

Einstein 2: U.S. government's 'enlightening' new cybersecurity weapon
DHS intrusion-detection system spots new cyberattack patterns
By Carolyn Duffy Marsan, Network World
February 11, 2010 08:01 AM ET

The Department of Homeland Security is detecting new patterns of cyberattacks from foreign adversaries -- some targeted at particular agencies and others aimed at the entire U.S.
government -- due to special-purpose intrusion-detection systems that will be widely deployed in federal networks during 2010.

Only a handful of agencies -- including DHS, the Department of Agriculture, the State Department and the Department of Interior -- have network traffic flowing through the IDSs, which are called Einstein 2. The U.S. Computer Emergency Readiness Team (US-CERT) is monitoring the IDSs as well as the Einstein 1 appliances, which collect router net flow data from all federal agencies and the carriers that support them.

Einstein 2 "has been very enlightening -- to see what intrusion sets they are actually seeing and how certain ones target particular departments and particular agencies and others you can see every place we are currently operational," says Nicole Dean, deputy director of the National Cybersecurity Division of DHS.

Deployment of Einstein 2 is going hand in hand with the federal Trusted Internet Connections (TIC) Initiative, an ongoing effort to secure the external Internet connections operated by federal agencies. (See "U.S. Internet security plan revamped.") Together, the Einstein program and the TIC Initiative are designed to bolster the ability of federal agencies to detect and respond to a rising tide of cyberattacks.

Einstein 2 has been deployed by nine federal agencies that plan to operate their own TIC-compliant Internet access points as well as three carriers: AT&T, Qwest and Sprint. Verizon is in the midst of deploying Einstein 2, Dean says.

All U.S. federal agencies and carriers that will operate TIC-compliant Internet access points are scheduled to deploy Einstein 2 by year-end. Dean says DHS is detecting between 100 and 10,000 cyberattacks aimed at each federal agency per week through the Einstein appliances.
Einstein 2 "is allowing us to monitor intrusion sets that weren't previously being monitored and to make that information available through the US-CERT of what's actually occurring and what various types of intrusion sets are active that we may not have been aware of before," Dean says.

The Einstein 2 systems are not using commercially available intrusion-detection signatures. "Our signatures are highly specialized and are developed with information that US-CERT analysts have gleaned from very particular attacks being sent through our foreign adversaries," Dean says. "We've partnered with the Defense Department -- and we've developed signatures based on information we've shared with them."

Einstein 2 is a passive network data collection system that doesn't operate in real time. "As traffic comes into a department or agency, a mirrored copy is sent to Einstein 2, and Einstein 2 has the signature sets loaded into it and some of that traffic would fire a signature that sends an alert to the US-CERT analyst. Once the signature is fired, then US-CERT will work with the department to deal with the attack," Dean says.

Einstein 2 isn't detecting new cyberattacks; instead it's showing patterns of known malicious activity. "Every time one of those signature sets shows, we work with the department or agency to clean up that machine and remove it from their network so it can be re-imaged and brought back online in a non-infected state," Dean says.

Next on the DHS' cybersecurity agenda is the deployment of Einstein 3, which will add intrusion-prevention capabilities to federal networks. With Einstein 3, federal agencies will have near real-time defense against cyberattacks including distributed denial-of-service attacks, which are on the rise. "Einstein is a spiral development program," Dean says. "That means we will keep adding new capabilities."

Dean recommends that all network operators deploy security capabilities similar to Einstein 2.
Industry "needs to be doing something very similar to what we're doing for the .gov environment," Dean says. "They need to be monitoring their traffic and then looking at the trending data. The trending data is very eye opening. From that, you can tell if your current defenses are working or not. Now that we have Einstein 2 collecting data, we can see if the same intrusion sets are continuing to spread or if agencies' internal mechanisms are keeping that from happening."

From rforno at infowarrior.org Fri Feb 12 13:25:55 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 12 Feb 2010 08:25:55 -0500
Subject: [Infowarrior] - Chip and PIN system is vulnerable to fraud
Message-ID: <31E2ABA8-D82F-4FE8-8F39-4B09E1F8A218@infowarrior.org>

Cambridge researchers show that the Chip and PIN system is vulnerable to fraud
Thursday, 11 February 2010

Steven J. Murdoch, Saar Drimer, Ross Anderson and Mike Bond, researchers at the Computer Laboratory, University of Cambridge, have shown that flaws in the Chip and PIN system allow criminals to use stolen credit and debit cards, without knowing the correct PIN. Fraudsters can easily insert a "wedge" between the stolen card and terminal, which tricks the terminal into believing that the PIN was correctly verified. In fact, the fraudster can enter any PIN, and the transaction will be accepted. Murdoch says, "We have tested this attack against cards issued by most major UK banks. All have been found to be vulnerable."

Victims of this attack may have a difficult time being refunded by their bank. The receipt produced will state "Verified by PIN", and bank records will show that the correct PIN was used. Banks may then argue that the customer must have been negligent and had allowed the criminal to know their PIN.

Drimer says, "The technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff.
A single criminal can develop and industrialize a kit to be used by others who do not need to understand how the attack works."

The Cambridge attacks call into question both the design of the Chip and PIN system, and the security of card payments. Victims of fraud are commonly told that bank systems can be relied upon. However, this attack shows that criminals are able to not only defraud customers, but cause bank systems to make the false assertion that the PIN was verified correctly.

Anderson said "Over the past five years, thousands of cardholders have had stolen chip and pin cards used by criminals. The banks often tell customers that their pin was used and so it's their fault. Yet we've shown that it's easy to use a card without knowing the pin - and the receipt will say the transaction was 'verified by pin' even though it wasn't."

Anderson continued "This is not just a failure of bank technology. It's a failure of bank regulation. The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks."

The attack will be featured on Newsnight, including a demonstration of it being deployed in practice. Watch BBC Two, 10:30pm, Thursday 11 February 2010. The Cambridge team's results are also to be presented at the academic conference "IEEE Symposium on Security and Privacy", Oakland, CA, US, May 2010.

Notes for editors

- For more information on Chip and PIN wedge attacks, please see our webpage on this topic: http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/
- The academic paper, accepted for a peer-reviewed conference, can be found at: http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/oakland10chipbroken.pdf
- The latest version of this press release can be found at: http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/press-release.html
- For any further questions, please contact:

Dr Saar Drimer
phone: 01223 763 532
mobile: 07779 606 045
website: http://www.cl.cam.ac.uk/users/sd410/
email: Saar.Drimer at cl.cam.ac.uk

Professor Ross Anderson
phone: 01223 334 733
mobile: 0791 905 8248
website: http://www.cl.cam.ac.uk/users/rja14/
email: Ross.Anderson at cl.cam.ac.uk

Dr Steven J. Murdoch
website: http://www.cl.cam.ac.uk/users/sjm217/
email: Steven.Murdoch at cl.cam.ac.uk

From rforno at infowarrior.org Fri Feb 12 13:30:05 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 12 Feb 2010 08:30:05 -0500
Subject: [Infowarrior] - China Alarmed by Security Threat From Internet
Message-ID: <3C6544AE-A1C5-4B73-B4ED-B9EF725D1B2E@infowarrior.org>

February 12, 2010
China Alarmed by Security Threat From Internet
By SHARON LaFRANIERE and JONATHAN ANSFIELD
http://www.nytimes.com/2010/02/12/world/asia/12cyberchina.html?hp=&pagewanted=print

BEIJING -- Deep inside a Chinese military engineering institute in September 2008, a researcher took a break from his duties and decided -- against official policy -- to check his private e-mail messages. Among the new arrivals was an electronic holiday greeting card that purported to be from a state defense office. The researcher clicked on the card to open it. Within minutes, secretly implanted computer code enabled an unnamed foreign intelligence agency to tap into the databases of the institute in the city of Luoyang in central China and spirit away top-secret information on Chinese submarines.

So reported Global Times, a Communist Party-backed newspaper with a nationalist bent, in a little-noticed December article. The paper described the episode as "a major security breach" and quoted one government official who complained that such attacks were "ubiquitous" in China.

The information could not be independently confirmed, and such leaks in the Chinese news media often serve the propaganda or lobbying goals of government officials.
Nonetheless, the story is one sign that while much of the rest of the world frets about Chinese cyberspying abroad, China is increasingly alarmed about the threat that the Internet poses to its security and political stability.

In the view of both political analysts and technology experts here and in the United States, China's attempts to tighten its grip on Internet use are driven in part by the conviction that the West -- and particularly the United States -- is wielding communications innovations from malware to Twitter to weaken it militarily and to stir dissent internally.

"The United States has already done it, many times," said Song Xiaojun, one of the authors of "Unhappy China," a 2009 book advocating a muscular Chinese foreign policy, which the party's propaganda department is said to promote. He cited the so-called color revolutions in Ukraine and Georgia as examples. "It is not really regime change, directly," he said. "It is more like they use the Internet to sow chaos."

State media have vented those concerns more vociferously since Secretary of State Hillary Rodham Clinton last month criticized China for censorship and called for an investigation of Google's assertion that its databases had been the target of a sophisticated attack from China.

"China wants to make clear that it too is under serious attack from spies on the Internet," said Cheng Gang, author of the Global Times article.

Despite China's robust technological abilities, its cyberdefenses are almost certainly more porous than those of the United States, American experts say. To cite one glaring example, even Chinese government computers are frequently equipped with pirated software from Microsoft, they say. That means many users miss out on security upgrades, available to paying users, that fix security breaches exploited by hackers.

Cybersecurity is a growing concern for most governments.
While the United States probably has tighter defenses than China, for example, experts say it relies more heavily on computers to run its infrastructure and so is more vulnerable to an attack.

But for China, worries about how foreign forces might employ the Internet and other communications advances to unseat the Communist Party are a salient factor in the government's 15-year effort to control those technologies. Chinese leaders are constantly trying to balance the economic and social benefits of online freedoms and open communications against the desire to preserve social stability and prevent organized political opposition.

A distinct shift in favor of more comprehensive controls began nearly two years ago and hardened over the past six months, analysts say. New policies are intended to replace foreign hardware and software with homegrown systems that can be more easily controlled and protected. Officials are also expanding the reach and resources of state-controlled media outlets so they dominate Chinese cyberspace with their blogs, videos and news. At the same time, the government is beefing up its security apparatus.

Officials have justified stronger measures by citing various internal threats that they say escalated online. Among them: the March 2008 riots in the Tibetan capital, Lhasa; reported attempts to disrupt the August 2008 Olympic Games and the amassing of more than 10,000 signatures supporting a petition for human rights and democratic freedoms, an example of how democracy advocates could organize online.

Especially alarming to officials, analysts say, was the role of the Internet in ethnic riots last July that left nearly 200 people dead and more than 1,700 injured -- the worst ethnic violence in recent Chinese history.
Government reports asserted that terrorists, separatists and religious extremists from within and outside the country used the Internet to recruit Uighur youth to travel to Urumqi, the capital of western China's Xinjiang region, to attack ethnic Han citizens.

In August, security and propaganda officials briefed China's ruling Politburo on their view of how the Xinjiang riots developed, according to one media executive with high-level government ties. The executive spoke on the condition of anonymity for fear of retribution for discussing delicate political topics.

China's leaders also reviewed how Iranian antigovernment activists used Twitter and other new communication tools to organize large street demonstrations against President Mahmoud Ahmadinejad over the summer. He said Chinese leaders saw the Iranian protests as an example of how the United States could use the new forms of online communication in a fashion that could one day be turned against China.

"How did the unrest after the Iranian elections come about?" People's Daily, the Communist Party's official newspaper, asked in a Jan. 24 editorial. "It was because online warfare launched by America, via YouTube video and Twitter micro-blogging, spread rumors, created splits, stirred up and sowed discord."

Since the unrest in Iran and Xinjiang, Chinese leaders accelerated a raft of new initiatives, including closing thousands of Web sites, tightening censorship of text messages for lewd or "unhealthy" content and planning to converge China's Internet, phone and state television networks. They are also carefully cultivating homegrown alternatives to foreign computer technologies and foreign-based Web sites like YouTube, Facebook and Twitter, all of which Chinese censors now block.

The government says it needs the new controls to fight pornography, piracy and other illegal activity.
In November, nearly 300 government officials and technicians gathered in Beijing for a seminar that stressed China's vulnerability in cyberspace. "It is a long-existing reality that the West is stronger than us in terms of information security," said the seminar training manual, posted on the Web site of the Ministry of Public Security. "Most of the key technology and products in the information security sphere are held in the hands of Western countries, which leaves China's important information systems exposed to a bigger chance of being attacked and controlled by hostile forces," the manual said.

The risks of dependence on foreign-made software became clear in 2008 after Microsoft deployed a new antipiracy program aimed at detecting and discouraging unauthorized users of its Windows operating system. In China, where an estimated four-fifths of computer software is pirated, the program caused millions of computer screens to go dark every hour and led to a public outcry.

New government procurement rules require state buyers to give preference to Chinese-made computers and communication products, among other supplies and services. But James Mulvenon, director of the Center for Intelligence Research and Analysis, a Washington-based consulting firm, said such orders were typically ignored.

James A. Lewis, director of the Center for Strategic and International Studies, a Washington-based research group, said China was caught between contradictory goals. The authorities want to keep using superior Western software so they can engage in espionage and defend themselves against foreign infiltration. "But at the same time they want to use indigenous software, which is not up to par," he said.

But China is pushing hard to catch up. Mr. Mulvenon describes China as "absolutely the world leader" in development of Internet Protocol Version 6 (IPv6) -- the successor to the current Internet.
Some suggest China aims to develop a more autonomous system equipped with stronger firewalls and filters. China's leaders "have always had the ambition to develop the capability of one big domestic Intranet that they could manage more easily, if need be," one Communist Party newspaper editor said.

But others suggest China is merely trying, like other nations, to respond to the reality that the existing IPv4 global Internet, in which the United States commands a disproportionate share of addresses, will soon run out of space.

The clearest evidence of China's determination to wield greater control was the virtual communications blackout imposed over Xinjiang for six months after the July riots. Nineteen million residents in a region more than twice as big as Texas were deprived of text-messaging service, international phone calls and Internet access to all but a few government-controlled Web sites. The damage to tourism and business, not to mention the disruption to everyday life, was significant.

Hu Yong, a Beijing-based media expert, said the government was no longer as worried as it once was about the economic impact of electronic communication controls. "Now that is more secondary to their concerns about political and social stability," he said.

John Markoff contributed reporting from San Francisco, and Zhang Jing and Xiyun Yang contributed research from Beijing.
From rforno at infowarrior.org Fri Feb 12 22:37:15 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 12 Feb 2010 17:37:15 -0500
Subject: [Infowarrior] - Google seeks to quell Buzz privacy outcry
Message-ID: <4511E3D8-05D2-4F15-94E5-4516EFC02858@infowarrior.org>

Google seeks to quell Buzz privacy outcry
By Richard Waters in San Francisco
Published: February 12 2010 02:19 | Last updated: February 12 2010 09:37
http://www.ft.com/cms/s/0/6720a3c4-176d-11df-87f6-00144feab49a.html

Google sought on Thursday night to quell an outcry over the privacy settings in its new Buzz social networking service, which critics have claimed exposes personal information about users without their approval.

The internet company acknowledged the concerns raised by the service, launched just two days before, and announced changes designed to stem the fears, though these did not directly address all the complaints from some critics.

Its change of heart follows a growing chorus of complaints on the web. One privacy advocacy group told the Financial Times that it planned to file an official complaint with US regulators over the affair.

The outcry has centred on the way Buzz automatically creates a social network for new users by drawing on the people they communicate with most frequently over Gmail, Google's e-mail system. This list of personal e-mail contacts is then made public over Buzz by default, although users can choose to override the system to hide it.

"People are surprised that Google treated a private [e-mail] contact list as a public 'friends' list," said Marc Rotenberg, head of the Electronic Privacy Information Center. He said that the list should not automatically be made public, and that he would lodge a Federal Trade Commission complaint next week.

In a blog post on Thursday evening, Google said it was making changes to Buzz to deal with this issue.
These included making it easier for users to change their privacy settings to limit who can see their personal lists of contacts. However, the contact lists will still be public by default until changes are made, and it was unclear whether the concessions would do enough to quiet the critics.

The row over privacy on Buzz echoes the reaction two months ago to a decision by Facebook to make more of the personal data about its own users public by default. Under the guise of giving them greater controls over their privacy, Facebook also changed its settings in a way that made personal contact lists more public, though it later partially reversed that.

The moves by Google and Facebook to push more of their users' personal information into the public domain comes as they are trying to match the popularity of Twitter -- a service that most users expect to be public from the outset. Unlike Twitter, Google and Facebook face the challenge of encouraging users to think of their personal social networks and private e-mail contact lists as the foundation for more public behaviour.

The similar approaches taken by Facebook and Google suggest that big internet companies are trying to stretch the limits of current privacy expectations, said Mr Rotenberg. "Companies may become more aggressive if they think they can get away with this."

Jeff Chester, director of the Center for Digital Democracy, added that Google's Buzz service represented a worrying new trend in marketing, given the extent of the information it already holds about its users. "Buzz is the latest example of a global digital data collection 'arms race' -- where the latest trend is for marketers to grab hold and monetise a user's social graph," he said.

The FTC refused to comment on Thursday.

Copyright The Financial Times Limited 2010.
From rforno at infowarrior.org Sat Feb 13 00:51:16 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 12 Feb 2010 19:51:16 -0500
Subject: [Infowarrior] - A Plan for 'Best Practices' on National Security Reporting
Message-ID: <1BAA300A-E7B3-41BD-B657-014947D31B89@infowarrior.org>

The Kicker -- February 12, 2010 03:06 PM
A Plan for "Best Practices" on National Security Reporting
By Greg Marx
http://www.cjr.org/the_kicker/a_plan_for_best_practices_on_n.php

The stories about Pulitzer Prize-winning reporter Barton Gellman's departure from The Washington Post have generally emphasized his new job as a contributing editor-at-large and columnist for Time magazine. But Gellman will also have another new role, as a senior research fellow at the NYU School of Law's excellent Center on Law and Security. According to a press release from the center:

Gellman will develop a new program on national security and investigative strategies for journalists and other public interest researchers who work in the uniquely challenging terrain of defense, intelligence, and foreign policy. Beginning in fall 2010, Bart will lead a select team of visiting fellows to build a set of best practices and investigative tools designed to shed light on vital policies that are ordinarily debated out of public view.

This sounds like a valuable thing; journalists on these beats can use all the help they can get. It also sounds, at first glance, like part of the larger trend in which reportorial talent and resources are increasingly drawn to institutions that are not traditionally "journalistic." Best of luck to Gellman in both his new roles.
From rforno at infowarrior.org Sat Feb 13 14:51:15 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 13 Feb 2010 09:51:15 -0500
Subject: [Infowarrior] - MI-5 Director Statement on Press Coverage
Message-ID: <6CD2D52C-D6C1-4A2B-8EF2-7E7D5C21DBC8@infowarrior.org>

(This is something you don't see every day...-rf)

SECURITY SERVICE DIRECTOR GENERAL COMMENTS ON RECENT PRESS COVERAGE
https://www.mi5.gov.uk/output/news/security-service-director-general-comments-on-recent-press-coverage.html

The Security Service's Director General, Jonathan Evans, has written an article for the Daily Telegraph concerning recent press coverage about MI5. For the full text of the article, see below.

It is rare that the intelligence services comment in public, but some of the recent reporting on the supposed activities and culture of MI5 has been so far from the truth that it couldn't be left unchallenged, particularly against the backdrop of the current severe terrorist threat to this country.

As head of the security service, I know that the reason the Government appealed against the Divisional Court judgment in the Binyam Mohammed case was not to cover up supposed British collusion in mistreatment, but in order to protect the vital intelligence relationship with America and, by extension, with other countries. We cannot protect the UK without the help and co-operation of other countries. The US, in particular, has been generous in sharing intelligence with us on terrorist threats; that has saved British lives and must be protected.

The "seven paragraphs" now published are, in fact, less politically explosive than some commentators had imagined. The Government would not have objected to their publication in themselves, despite the unacceptable actions they describe. But the appeal was necessary because the paragraphs were received on intelligence channels and provided on the basis that they would not be disclosed. The United States does not have to share intelligence with us.
Nor do other countries. The US government has expressed its deep disappointment at the publication of the paragraphs and has said that the judgment will be factored into its decision-making in future. We must hope, for our safety and security, that this does not make it less ready to share intelligence with us.

There have also been a series of allegations that MI5 has been trying to "cover up" its activities. That is the opposite of the truth. People who choose to work in the service do so because they want to protect the UK and its liberties. We are an accountable public organisation and take our legal and oversight responsibilities seriously. The material our critics are drawing on to attack us is taken from our own records, not prised from us by some external process but willingly provided by us to the court, in the normal way. No cover-up there.

Likewise, we co-operate willingly with the Intelligence and Security Committee so that it can fulfil its oversight role, which we support and which benefits the service. Sometimes the ISC draws attention in its reports to aspects of our work that it believes fall short of what it, and through it the public, might expect. That is right and proper in a democratic system. One shortfall it highlighted in 2005 and again in 2007 was that the British intelligence community was slow to detect the emerging pattern of US mistreatment of detainees after September 11, a criticism that I accept. But there wasn't any similar change of practice by the British intelligence agencies. We did not practise mistreatment or torture then and do not do so now, nor do we collude in torture or encourage others to torture on our behalf.

Meanwhile, some commentators have given the impression that there is a lack of accountability for the actions of the intelligence agencies when interviewing detainees after September 11. This again flies in the face of the facts.
A string of civil cases has been brought against the Government and the agencies by former detainees who claim that their rights have been infringed. The issues involved are serious and complex: it is right that they should be considered by the courts and we, with others on the Government side, are co-operating fully in the process. Inevitably this will take time, but all involved will get the chance to put their case. Nor are only civil claims being pursued: an allegation has been made that one of my officers might have committed a criminal offence. That allegation (and it is no more than an allegation) is being investigated by the police. As the Government has said repeatedly, if serious allegations are made, they will be investigated appropriately. And these are not just fine words. It is happening. Both the Government and the Opposition in the House of Commons on Wednesday underlined how important it is that Britain lives up to its legal and moral responsibilities in countering terrorism. If we fail to do so, we are giving a propaganda weapon to our opponents. I fully agree with that judgment. As a service, and working closely with partners here and abroad, we will do all that we can to keep the country safe from terrorist attack. We will use all the powers available to us under the law. For their part, our enemies will also seek to use all tools at their disposal to attack us. That means not just bombs, bullets and aircraft but also propaganda and campaigns to undermine our will and ability to confront them. Their freedom to voice extremist views is part of the price we pay for living in a democracy, and it is a price worth paying because in the long term, our democracy underpins our security. But we would do well to maintain a fair and balanced view of events as they unfold and avoid falling into conspiracy theory and caricature. 
Jonathan Evans 12 February 2010 From rforno at infowarrior.org Sat Feb 13 15:21:32 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 Feb 2010 10:21:32 -0500 Subject: [Infowarrior] - Who needs aircraft carriers and cruise missiles when you have IOUs? Message-ID: Who needs aircraft carriers and cruise missiles when you have IOUs? China's debt bomb By ARTHUR HERMAN Last Updated: 4:28 AM, February 8, 2010 Posted: 2:06 AM, February 8, 2010 http://theburningplatform.com/groups/quinns-daily-dose-of-reality/discussions/the-art-of-war "He who pays the piper calls the tune": That old saying captures perfectly America's growing dependence on our No. 1 creditor in the world, Communist China. By their carelessness Congress and the Obama administration are steadily handing over control of America's economic and financial future to a handful of Chinese officials and generals in Beijing. Those who think the Chinese won't use that control if they feel they have to are ignoring history -- and the Chinese. The ancient military strategist Sun Tzu said that the best strategy was to render an opponent's army helpless even before the battle began. America may still have the biggest and best military in the world. But many at the Pentagon are starting to realize that, thanks to our growing fiscal irresponsibility, we may be surrendering control of America's destiny to a rival superpower -- and all without a shot being fired. Consider the scale of the problem. With President Obama's 2010 budget, 42 cents of every dollar the federal government spends will have to be borrowed. In the last decade, foreign investors have wound up lending us roughly half of all federal debt -- with just two countries, China and Japan, providing nearly half of that sum, or 44 percent, through the purchase of US Treasury securities. China now tops Japan as our biggest lender by some $30 billion a year, at $789 billion. (By comparison, our No.
3 lender, Great Britain, comes in at a measly $277 billion). But that's not all. As its booming economy becomes more global, China is also the world's largest holder of foreign-currency reserves. Most of that is in US dollars. Indeed, without most Americans realizing it, China has become the largest foreign holder of US dollars in the world. How many dollars foreign exchange traders at the Bank of China decide to sell or buy on any given day is increasingly determining whether the dollars in our purses and wallets buy a little or a lot. Seen from one angle, this dependence on China for the value of our national currency and the funding of our debt is like our dependence on inexpensive Chinese exports for our standard of living: the inevitable fruit of today's interlocking global economies -- and poor planning on our part. Seen from another, more strategic angle, it may spell disaster. History shows that nations that can't control their economic fortunes don't control much else. Debt freezes destinies -- as every credit-card holder knows. Europeans discovered that after World War II, when they lost the power to make major decisions without first checking with their lender-in-chief, the United States. At that time, we used our economic dominance to rebuild Europe, not reduce it to impotence. On the other hand, if US-China relations continue to deteriorate -- over arms sales to Taiwan, Internet freedom issues, Chinese industrial espionage and a Chinese military build-up that looks more and more like it's directed at challenging US power in Asia -- our lenders-in-chief in Beijing may not be so scrupulous. Indeed, back in 1999, the Chinese literally wrote the book on how to use economic asymmetries as a blunt instrument, entitled "Unrestricted Warfare." It draws no meaningful distinction between military, economic and political force (including using cyberspace) as means to defeat an enemy.
Instead, it shows how a nation can dominate its opponents not with planes, ships and soldiers, but with foreign exchange rates, trade embargoes and armies of computer hackers. Suppose that in retaliation for some slight China decides to stop buying Treasury bonds, forcing our debt to cost us even more. A furious US Congress hits back with trade sanctions. China then responds by driving up the price of the dollar, crippling US exports -- or, alternately, it crashes the dollar by dumping its foreign reserves, even as Chinese computer hackers slow down our banks' ability to respond to the crisis. No one will call this a war. But it will certainly fit the classic definition of war as politics by other means. And the Pentagon knows it. Last March, the Pentagon held its first-ever economic-warfare war game, with China as the putative opponent and with economists and bankers (including from UBS) helping out. Details of what unfolded are still classified. However, sources told Fox Business News that the scenario played out as planned. That was the good news. The bad news is that China won. Today, some experts argue that rational self-interest will prevent China from waging this kind of economic warfare, because crippling the US would also severely wound its own economy. However, on an issue like Taiwan or Japan, rational judgment can take a backseat to national pride, and the desire to reverse old humiliations. That war game was almost a year ago, when the Federal deficit was half of what it is today. And China is moving out of its short-term debt positions -- although slowly enough not to roil the credit markets. In any case, Bracken and others argue that we need more coordination between the Treasury and the Pentagon on ways to deal with a vulnerability that seemed entirely theoretical then, but now seems all too real. Still others are pushing for rules restricting the future sales of Treasury securities to foreign buyers. All this, however, is only playing catch up. 
The real issue is whether we get our fiscal house in order, and realize that a $12 trillion national debt and a crippled economy could leave us as vulnerable as we once were on a December Sunday morning 69 years ago, at Pearl Harbor in 1941. From rforno at infowarrior.org Sat Feb 13 15:25:33 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 Feb 2010 10:25:33 -0500 Subject: [Infowarrior] - Comcast to undergo a name change Message-ID: Feb 10, 2010 -- Comcast to undergo a name change http://clarkhoward.com/shownotes/2010/02/10/17735/ Most companies that have an awful reputation with the public would want to fix their shortcomings, right? But apparently not if you have a government-granted monopoly! Comcast -- the nation's largest cable monopoly -- has decided it will simply change its name in an attempt to wipe the slate clean with consumers. After all, the name "Comcast" has become nearly synonymous with poor service. The February 2010 issue of Consumer Reports gives Comcast the following poor marks: * No. 14 out of 16 for television service * No. 19 out of 23 for phone service * No. 23 out of 27 for Internet service * No. 11 out of 12 for bundled services So instead of fixing what they're doing wrong, Comcast plans to change its identity to Xfinity later this year! Clark likens it to rearranging the deck chairs on a very profitable Titanic while customer service keeps sinking. The real solution for our nation would be to destroy cable monopolies and open their service territories to competition like they did in the United Kingdom. The British created what's called a dumb pipe operator to provide the service backbone and any company can register as a marketer of telecom services. But not all is lost here in the United States. We have a variety of almost direct competitors to Comcast with phone and satellite companies offering TV; Internet providers offering telephone service; and phone companies offering Internet service.
(RICK -- EXCEPT UNLESS YOU LIVE IN A DOWNTOWN PART OF THE DC AREA WHERE VERIZON REFUSES TO LAY FIOS AND GETS NO GOOD SATELLITE TV RECEPTION - THEN YOU'RE STUCK WITH COMCAST.) From rforno at infowarrior.org Sat Feb 13 16:32:45 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 Feb 2010 11:32:45 -0500 Subject: [Infowarrior] - Once again, NBC is clueless about the Net.... Message-ID: (I can't wait to see how they spin this .... of course, it's not just NBC but the IOC and the rest of the 'content' industry, but especially the aforementioned abusive-enforcement ones. -rf) Olympics Opening Ceremony a Hit On BitTorrent Written by Ernesto on February 13, 2010 http://torrentfreak.com/olympics-opening-ceremony-hit-on-bittorrent-100213/ Despite efforts to prevent coverage of the Winter Olympics Opening Ceremony from leaking online, the broadcast is widely available on BitTorrent, downloaded by thousands of people. Most of the downloaders are from the host country Canada, closely followed by the United States. Just a few hours after the video of the Vancouver 2010 Opening Ceremony was posted on BitTorrent, it has already been downloaded by tens of thousands of people. In 2008 Olympic torrents were hugely popular, especially the Opening Ceremony which was downloaded by nearly 5 million people. It is doubtful that this 2008 Olympic record will be broken this year, but nonetheless, there is plenty of interest on BitTorrent for the 2010 Opening Ceremony. As with most big sporting events there are huge commercial interests involved in the Olympics. This is one of the main reasons why the International Olympic Committee and broadcasters such as NBC have announced a piracy crackdown, trying to prevent their content from leaking online. "Our aim is to make access to pirated material inconvenient, low quality and hard to find," said Rick Cotton, NBC's Executive Vice President commenting on their Olympic mission.
It is needless to say that this mission has already failed miserably. The Opening Ceremony could be watched online through dozens of illegal streams last night, and a few hours later a high quality video of the entire broadcast appeared on file-sharing networks including BitTorrent. Thus far, nearly 100,000 people have downloaded the Opening Ceremony through BitTorrent. A quick look at the locations of the downloaders reveals that roughly a quarter are Canadians. Another 15% of the downloaders come from the United States, followed by the UK with 5% and The Netherlands and Australia both with 4%. In the coming days many of the sporting events will also surface online illegally, but the interest for the opening and closing ceremonies tends to be the highest, based on download numbers from the 2008 Olympics in Beijing. It is expected that the International Olympic Committee will be outraged over this massive rights violation. In 2008 they urged Sweden to take action against the Pirate Bay over the Olympic torrents that they hosted, without result. Maybe they should start offering their own sponsored downloads in 2012? There is plenty of demand for it. From rforno at infowarrior.org Sat Feb 13 17:48:05 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 Feb 2010 12:48:05 -0500 Subject: [Infowarrior] - Luge death videos pulled over broadcast rights Message-ID: http://www.mediabistro.com/webnewser/video_sites/olympic_luge_competitor_killed_videos_quickly_pulled_from_youtube_152019.asp Olympic Luge Competitor Killed; Videos Quickly Pulled from YouTube By Kevin Allocca on Feb 12, 2010 03:56 PM Immediately after news broke that 21-year-old Nodar Kumaritashvili, a member of the Georgian luge team at the Vancouver Winter Olympics, had been in a serious crash, the footage of the event was quickly posted on YouTube and tweeted around the world.
But within moments of being posted, the videos began disappearing, with the note: "This video is no longer available due to a copyright claim by International Olympic Committee." Some of those videos posted originated from CTV, which broadcast the footage after the event and is the Canadian rights-holder to the games. One was just a camera videotaping a television screen with the CTV program. It's interesting to see the IOC spring to action asserting copyright claims for video of a news event, particularly when the video is from a major news broadcast and not directly from the IOC. And the games haven't even begun! Eventually, the video found its way onto custom video players at other sites (like Huffpost) and onto the social media site twitvid, where it's likely harder to assert a copyright claim. We've posted it after the jump from a site called iviewtube.com. (Warning: it is disturbing.) From rforno at infowarrior.org Sat Feb 13 17:51:47 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 Feb 2010 12:51:47 -0500 Subject: [Infowarrior] - Justice Dept. defends warrantless cell phone tracking Message-ID: <85076139-84C2-4A57-A5FE-F90230F36E24@infowarrior.org> February 13, 2010 9:25 AM PST Justice Dept. defends warrantless cell phone tracking by Declan McCullagh http://news.cnet.com/8301-13578_3-10453214-38.html The FBI and other police agencies don't need to obtain a search warrant to learn the locations of Americans' cell phones, the U.S. Department of Justice told a federal appeals court in Philadelphia on Friday. A Justice Department attorney told the Third Circuit Court of Appeals that there is no constitutional problem with obtaining records from cellular providers that can reveal the approximate locations of handheld and mobile devices. (See CNET's previous article.)
There "is no constitutional bar" to acquiring "routine business records held by a communications service provider," said Mark Eckenwiler, a senior attorney in the criminal division of the Justice Department. He added, "The government is not required to use a warrant when it uses a tracking device." This is the first federal appeals court to address warrantless location tracking, which raises novel issues of government surveillance and whether Americans have a reasonable expectation of privacy in their--or at least their cell phones'--whereabouts. Judge Dolores Sloviter sharply questioned Eckenwiler, saying that location data can reveal whether people "have been at a protest, or at a meeting, or at a political meeting" and that rogue governments could misuse that information. (See transcript excerpts below.) Just a few years ago, tracking phones was the stuff of thrillers like "Enemy of the State" or "Live Free or Die Hard." Now, even though police are tapping into the locations of mobile phones thousands of times a year, the legal ground rules remain unclear, and federal privacy laws written a generation ago are ambiguous at best. "When the government acquires historical cell location information, it effectively commandeers our cell phones and turns them into electronic trackers that report, without our knowledge or consent, where we have been and how long we have spent there," Susan Freiwald, a law professor at the University of San Francisco, told the court on Friday. "We should be able to use our cell phones without them creating a virtual map of our every movement and association." Freiwald, the ACLU, the Electronic Frontier Foundation, and the Center for Democracy and Technology filed briefs saying that the U.S. Constitution's Fourth Amendment provides Americans with at least some privacy protections that shield their whereabouts from police not armed with search warrants.
The civil liberties groups also said that current law gives judges the flexibility to require search warrants based on probable cause. EFF attorney Jennifer Granick said one possibility is for the Third Circuit to order the district judge to hold hearings to learn more about the technology of cell tracking, including how accurately stored records can pinpoint the location of a phone. The judges "had a lot of factual questions about accuracy that haven't been answered," Granick said after the hearing. Besides Sloviter, the other judges on the panel are Atsushi Tashima, who is visiting from the Ninth Circuit, and Jane Roth, who was not present on Friday but is expected to review the transcript. The Bureau of Alcohol, Tobacco, Firearms and Explosives is asking the court for an order divulging historical (meaning stored, not future) phone location information because a set of suspects "use their wireless telephones to arrange meetings and transactions in furtherance of their drug trafficking activities." It's unclear how detailed this stored information is; there's some evidence that the FBI can use it to narrow down the location to a city block but perhaps not an individual house. The Obama administration argues that no search warrant is necessary; it says what's needed is only a 2703(d) order, which requires law enforcement to show that the records are "relevant and material to an ongoing criminal investigation." Because that standard is easier to meet than that of a search warrant, it is less privacy-protective. Cell phone tracking comes in two forms: police obtaining retrospective historical data kept by mobile providers for their own billing purposes that is typically not very detailed, or prospective tracking--which CNET was the first to report in a 2005 article--that reveals the minute-by-minute location of a handset or mobile device. Tracking cell phones can be useful for law enforcement.
Agents from the Drug Enforcement Administration in Arizona tracked a tractor trailer with a drug shipment through a GPS-equipped Nextel phone owned by the suspect. Texas DEA agents have used cell site information in real time to locate a Chrysler 300M driving from Rio Grande City to a ranch about 50 miles away. Verizon Wireless and T-Mobile logs showing the location of mobile phones at the time calls were placed became evidence in a Los Angeles murder trial. The civil liberties groups say they're not opposed to the government obtaining that information for legitimate purposes -- as long as the Fourth Amendment and federal privacy laws are being followed. This is, said Freiwald, "a truly novel technology that can invade the privacy of all Americans who carry cell phones in their pockets or purses." < - BIG SNIP - > http://news.cnet.com/8301-13578_3-10453214-38.html From rforno at infowarrior.org Sat Feb 13 18:27:04 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 Feb 2010 13:27:04 -0500 Subject: [Infowarrior] - DISA to establish safe haven outside the Internet Message-ID: <5876B711-99A3-4846-B0E3-AE43FFF49D31@infowarrior.org> While I understand the defensive logic behind this, and the potential security benefits of limiting your access points, does not this also present a larger single point of failure/vulnerability that negates much of what makes networks (i.e. resiliency/survivability) so useful? Do "we" sacrifice those essential features in the name of possibly increasing security? Just wondering out loud.... --rick DISA to establish safe haven outside the Internet Move would whisk users away from the perils of public Internet access http://gcn.com/articles/2010/02/12/disa-dmz.aspx By Amber Corrin - Feb 12, 2010 The Defense Information Systems Agency plans to cordon off its unclassified networks from public Internet access, creating a "demilitarized zone" isolating Web-based servers and applications from other defense systems.
The DISA procurement budget for fiscal 2011 includes $6 million to construct a bypass around public Internet portals for users of the Unclassified but Sensitive IP Router Network (NIPRNet), according to govinfosecurity.com. The DMZ would eliminate "the need for most DOD assets to directly connect with the public Internet, which greatly reduces its surface and exposure to attacks," the DISA budget stated. The DMZ was designed to provide an infrastructure to implement data segregation to protect private, controlled and classified data from publicly accessible information, according to the budget description. The funding will procure hardware and software to move Web-based application servers into the DMZ. "These servers separate networks that should have access to the Internet from those that should not," the budget stated. The project is part of DISA's Information Systems Security Program (ISSP), for which $14.6 million total was budgeted for 2011. Other projects under ISSP include nearly $1.8 million for its host-based security system to counter cyber threats on Defense Department computers and "accomplish configuration and management control across all endpoints," the budget stated. Other funding includes: * $2.3 million to bolster DOD's classified Secure IP Router Network (SIPRNet) firewall against external attacks. * $2.2 million for Insider Threat capability that addresses potential internal attacks. * $2.5 million for the Cross-Domain Enterprise Service to securely transfer information between NIPRNet and SIPRNet and to safely disseminate information while reducing costs.
From rforno at infowarrior.org Sun Feb 14 15:23:16 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 14 Feb 2010 10:23:16 -0500 Subject: [Infowarrior] - Simple URL Hack Can Expose Your Gmail Address Message-ID: <4333049C-14B6-4801-8BAD-320C262BF67D@infowarrior.org> Too Easy: How a Simple Hack Can Turn Your Numeric Google Profile URL Back into a Gmail Address Written by Frederic Lardinois / February 12, 2010 10:05 AM / 7 Comments http://www.readwriteweb.com/archives/hacking_google_profile_gmail_email_addresses.php Over the last few days, there has been a lot of buzz about how much private information your public Google profile contains if you don't choose the right settings. The URL of your profile alone can already give away your Gmail address. To hide this address from public view, you can switch your profile URL away from showing your name to using an address that features a 21-digit number instead of your username. However, as it turns out, this isn't a foolproof method either. By using a very simple trick, anybody can quickly figure out your Gmail address from these numbers. Security blogger The Harmony Guy just told us about how this hack works. While the way to reveal these addresses isn't obvious, you can easily follow along and try this method out yourself. How does it work? First, you simply copy the numbers from a user's Google profile and then append these numbers to http://picasaweb.google.com/[numbers]. For some users who haven't customized their Picasa page, the username (which is also their Gmail address) will come right up. If the user has customized the account and added a nickname, you simply have to replace the URL in the address bar with javascript:alert(_user.name); and a small pop-up window will show you the username. Caveats It's important to note that this only works for Google users who also use the Picasa web service. This, however, is likely a large percentage of Gmail users. 
How to Protect Yourself In Picasa Web Albums, go to the settings page and add a new username. Then, select the new username for your gallery URL. As The Harmony Guy points out, you may also want to edit your nickname. Is this a major issue for Google? Probably not. But given the ruckus around privacy, Buzz and Google Profiles these days, it is disheartening to see that it is this easy to circumvent the only way to hide your Gmail address from public view. After all, if you want to use Google Buzz, Google forces you to have a public profile. From rforno at infowarrior.org Sun Feb 14 15:34:42 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 14 Feb 2010 10:34:42 -0500 Subject: [Infowarrior] - Google Buzz Abandons Auto-Following Amid Privacy Concern Message-ID: <5350BCD7-91B9-4E78-8A5C-33FACBD021E1@infowarrior.org> Google Buzz Abandons Auto-Following Amid Privacy Concerns http://techcrunch.com/2010/02/13/google-buzz-privacy-update/ by Jason Kincaid on Feb 13, 2010 As we noted this morning, Google isn't wasting any time in responding to user criticism about Buzz. Now they've rolled out another set of changes to further address Buzz's privacy issues. The biggest change involves the automatic follow system: it's now being switched to a suggestion model, where Google will present you with a list of friends it thinks you'd like to follow, but gives you a chance to deselect them before you start using the service. That's a pretty big change -- when Buzz launched four days ago, one of its selling points was that it took no work on the user's part to get started, because Buzz would automatically follow the people you interact with most on Gmail. Of course, that isn't always a good thing -- there are plenty of cases when you wouldn't want people to know who you'd been communicating with. After an initial backlash Google made it easier to hide which users you were following, but now they're ditching the auto-follow model entirely.
Fortunately it only takes a minute to go through the suggestions, so it's not much of a hurdle. New users will see a screen like the one above, and Google's post says that existing Buzz users will be shown a version of this friend selection screen in the next few weeks to confirm that they're comfortable with everyone they're following. The service is also going to stop automatically connecting Google Reader and Picasa albums to Buzz accounts, though those options will still be available. Finally, Google is adding a Buzz section to Gmail's Settings. Why this wasn't there from the start is beyond me -- before now, if you wanted to adjust your Buzz settings you had to go to your Google account page, which made very little sense because most people use Buzz from Gmail. Earlier today, Google made yet another change to Buzz's privacy settings by fixing a bug that could cause users to inadvertently expose their friends' private settings. All of these are good changes for Buzz, and I'm optimistic about its future, but I can't help but wonder how they all made it through months of internal testing. From rforno at infowarrior.org Mon Feb 15 15:35:37 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 15 Feb 2010 10:35:37 -0500 Subject: [Infowarrior] - U.S. Internet security plan revamped Message-ID: http://www.networkworld.com/news/2010/021110-cybersecurity-defense-revamped.html U.S. Internet security plan revamped Consolidation of Internet connections loses favor under Obama administration; standard security tools deployed By Carolyn Duffy Marsan, Network World February 11, 2010 08:01 AM ET The U.S. government is shifting its strategy for defending federal networks against a rising tide of hacking attacks launched by foreign governments and criminals.
Instead of focusing on consolidating external Internet connections that civilian agencies operate -- which number in the thousands -- the Office of Management and Budget is directing agencies to deploy a standard set of security tools and processes on all of their Internet connections. The shift represents a new direction for the federal Trusted Internet Connections (TIC) Initiative, which was launched by the Bush administration in November 2007. The Bush administration's original goal was to reduce the number of external Internet connections operated by civilian agencies from more than 8,000 down to 50. Standard security software -- including antivirus, firewall, intrusion detection and traffic monitoring -- was to be deployed on the remaining connections. The Obama administration has changed the emphasis of the TIC Initiative, focusing more on security controls than on network consolidation. "Despite the whole TIC Initiative, there are probably as many points of Internet connection as there used to be," says Diana Gowen, senior vice president of Qwest Government Services. "The new administration is less concerned with the number, and more concerned about getting them protected." Gowen pointed out that the Defense Department has an ongoing procurement to purchase more than 4,000 Internet connections worldwide. "So clearly the focus isn't on consolidation," she adds. Bill White, vice president of federal sales at Sprint, says he believes the TIC Initiative will eventually result in consolidation of federal networks, although not down to 50 Internet connection points. "Out of the gate, we thought there would be significant consolidation," White admits. "At the end of the day, I think there still will be. But I think the agencies are becoming more realistic and flexible about consolidation."
Federal agencies are under the gun to meet the requirements of the TIC Initiative in 2010, as well as to receive the benefits of the Department of Homeland Security's companion Einstein software, which provides another layer of cyberdefense. (See "Einstein 2: U.S. government's 'enlightening' new cybersecurity weapon".) Reordering priorities The TIC Initiative was conceived to reduce the number of external Internet access points operated by civilian agencies, establish baseline security practices for the remaining access points, and migrate agency traffic to flow through the approved access points. "What we've done is not really change what the goals are, but simply reorder them," explains Sean Donelan, program manager of network and infrastructure security at the Department of Homeland Security (DHS). "We talk about establishing the baseline security practices first for all the approved TIC access points... Then all of the agency connectivity will come through these access points." Donelan admits that there's less focus on network consolidation these days, and more discussion of security practices. "We're trying to move away from trying to focus on the number of connections," Donelan says. "The consolidation piece is still a goal; it's still a part of the program. But it is not being done to simply eliminate connections." Donelan expects to have more than half of civilian agency network traffic flowing through TIC-compliant access points by the end of 2010. "We're still working with the agencies to come up with a date at which 70%, 80% or 90% of the traffic goes through TICs," Donelan says, adding that the migration process could take three to five years. "Sometimes, there are big legacy applications that may have to be changed." Donelan says the number of external Internet connections operated by the federal government is less important than having secure access points.
"Rather than focusing on a single number, we're focusing on the mission of securing federal networks," Donelan says. "Even if we got down to 50 or 100 external Internet connections, the number would probably go up or down over the course of the year as agency missions change." One aspect of the TIC Initiative that hasn't changed under the Obama administration is that the program is still focused on deploying network security services consistently across civilian agencies. Most civilian agencies already have antivirus and other security software mandated by the TIC Initiative. But the TIC Initiative requires that these services be deployed uniformly, with synchronized time stamps and standard logging procedures. The TIC Initiative also will provide a common feed of information about cyberattacks to the U.S. Computer Emergency Readiness Team (US-CERT). "Another big benefit of the TIC Initiative is that it will give a consistent view to the folks in government that are worried about [cybersecurity]," says Jeff Mohan, Networx program director for AT&T Government Solutions. "US-CERT will get the same type of feed from every agency and telecom provider. One of the things they have done is make the interface and the information being transferred very specific and very consistent." The TIC Initiative won't detect or eliminate all hacking attempts; for example, it doesn't prevent distributed denial-of-service attacks. But the extra layers of network security services it provides and the consistent way they are being applied should help agencies block e-mail-based attacks such as viruses, worms and malware. "This is a better mousetrap," White says of the TIC Initiative. "I think it will provide a higher level of assurance that we can keep the bad guys out. And to the extent there is an incident, I think we'll be in a better position to react with the agency and the US-CERT to limit the risk." 
Donelan says the bottom line benefit of the TIC Initiative is governmentwide situational awareness. "No single agency can do everything themselves, especially when we're dealing with this kind of threat environment," Donelan says. "Even the most sophisticated agencies, there are sometimes [attack patterns] they can't see." From rforno at infowarrior.org Mon Feb 15 18:08:13 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 15 Feb 2010 13:08:13 -0500 Subject: [Infowarrior] - Resource: GoogleSharing proxy Message-ID: <5C18A44B-943D-4214-BFCC-8C6174E7347A@infowarrior.org> http://googlesharing.net/ GoogleSharing is a special kind of anonymizing proxy service, designed for a very specific threat. It ultimately aims to provide a level of anonymity that will prevent google from tracking your searches, movements, and what websites you visit. GoogleSharing is not a full proxy service designed to anonymize all your traffic, but rather something designed exclusively for your communication with Google. Our system is totally transparent, with no special "alternative" websites to visit. Your normal work flow should be exactly the same. http://googlesharing.net/ From rforno at infowarrior.org Mon Feb 15 20:31:31 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 15 Feb 2010 15:31:31 -0500 Subject: [Infowarrior] - Paper: Google Buzz: Economic Surveillance Message-ID: (good read --- rick) Google Buzz: Economic Surveillance -- Buzz Off! The Problem of Online Surveillance and the Need for an Alternative Internet Posted February 14th 2010 at 5:56 pm by christian fuchs I wrote this text for a longer paper about online surveillance that will be included in the collected volume "The Internet & Surveillance" that I am editing together with Kees Boersma, Anders Albrechtslund, and Marisol Sandoval as part of the EU COST Action "Living in Surveillance Societies" (see http://www.liss-cost.eu/). The book will be published in 2011. 
< BIG SNIP > http://fuchs.uti.at/313/ From rforno at infowarrior.org Tue Feb 16 04:18:23 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 15 Feb 2010 23:18:23 -0500 Subject: [Infowarrior] - Another case of TSA overkill Message-ID: Daniel Rubin: Another case of TSA overkill By Daniel Rubin Inquirer Columnist http://www.philly.com/inquirer/home_region/20100215_Daniel_Rubin__Another_case_of_TSA_overkill.html Just when I thought I was out of the Transportation Security Administration business for a few columns, they pull me back in. Did you hear about the Camden cop whose disabled son wasn't allowed to pass through airport security unless he took off his leg braces? Unfortunately, it's no joke. This happened to Bob Thomas, a 53-year-old officer in Camden's emergency crime suppression team, who was flying to Orlando in March with his wife, Leona, and their son, Ryan. Ryan was taking his first flight, to Walt Disney World, for his fourth birthday. The boy is developmentally delayed, one of the effects of being born 16 weeks prematurely. His ankles are malformed and his legs have low muscle tone. In March he was just starting to walk. Mid-morning on March 19, his parents wheeled his stroller to the TSA security point, a couple of hours before their Southwest Airlines flight was to depart. The boy's father broke down the stroller and put it on the conveyor belt as Leona Thomas walked Ryan through the metal detector. The alarm went off. The screener told them to take off the boy's braces. The Thomases were dumbfounded. "I told them he can't walk without them on his own," Bob Thomas said. "He said, 'He'll need to take them off.' " Ryan's mother offered to walk him through the detector after they removed the braces, which are custom-made of metal and hardened plastic. No, the screener replied. The boy had to walk on his own. Leona Thomas said she was calm. Bob Thomas said he was starting to burn. 
They complied, and Leona went first, followed by Ryan, followed by Bob, so the boy wouldn't be hurt if he fell. Ryan made it through. By then, Bob Thomas was furious. He demanded to see a supervisor. The supervisor asked what was wrong. "I told him, 'This is overkill. He's 4 years old. I don't think he's a terrorist.' " The supervisor replied, "You know why we're doing this," Thomas said. Thomas said he told the supervisor he was going to file a report, and at that point the man turned and walked away. A Philadelphia police officer approached and asked what the problem was. Thomas said he identified himself and said he was a Camden officer. The Philadelphia officer suggested he calm down and enjoy his vacation. Back home in Glassboro a week later, Bob Thomas called the airport manager and left her what he calls a terse message. He was still angry enough last week to call me after I'd written a couple of columns about travelers' complaints of mistreatment by screeners at the airport. "This was just stupid," he told me. At the very least, it was not standard procedure. On Friday, TSA spokeswoman Ann Davis said the boy never should have been told to remove his braces. TSA policy should have allowed the parents to help the boy to a private screening area where he could have been swabbed for traces of explosive materials. She said she wished Thomas had reported the matter to TSA immediately. "If screening is not properly done, we need to go back to that officer and offer retraining so it's corrected." Davis also said TSA's security director at the airport, Bob Ellis, called Thomas last week to apologize. He gave Thomas the name of the agency's customer service representative, in case he has a problem at the airport in the future. Afterward, Thomas said he appreciated Ellis' call. He said he had no interest in pursuing the matter further or in filing a lawsuit. "I'm just looking for things to be done right," he said. 
"And I just want to make sure this isn't done to anyone else. Just abide by your standard operating procedures." Contact Daniel Rubin at 215-854-5917 or drubin at phillynews.com. From rforno at infowarrior.org Tue Feb 16 12:38:33 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Feb 2010 07:38:33 -0500 Subject: [Infowarrior] - FairPlay DRM on Apple iPad books Message-ID: <7F511DA2-3FCF-42B9-A8B3-B47FF22E3164@infowarrior.org> Apple to stick padlocks on books for iPad FairPlay DRM will rise again By John Oates Posted in Mobile, 16th February 2010 11:51 GMT http://www.theregister.co.uk/2010/02/16/drm_ebooks/ Apple is dusting off FairPlay - the digital rights management used by iTunes - to protect electronic copies of books sold to iPad users. FairPlay irritated some iTunes users and was dropped for most music content last year. But when the iPad launches next month, along with the iBook store, copyrighted content will have some restrictions on its use, the LA Times reports. Apple's move will be criticised by some, but might be seen as a way to get more publishers interested in the gadget. Music firms had equal fears about putting content on iTunes without protection. The downside will likely be in the form of hiccups with the technology stopping people doing quite legal things with their content, and probable fury from the committed freetards opposed to any form of content management. From rforno at infowarrior.org Tue Feb 16 13:50:28 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Feb 2010 08:50:28 -0500 Subject: [Infowarrior] - OT: Ultimate Meme Recursion Message-ID: <7B361E97-15D1-41CC-99B0-21FC60BD3B73@infowarrior.org> (Source http://www.boingboing.net/2010/02/16/adolf-hitler-makes-a.html) In this, the 198th Hitler/Downfall parody video to be uploaded to YouTube, Chris Hanel asks the comedic question: what would happen if Hitler made a Hitler parody? 
http://www.youtube.com/watch?v=1CyzgOupqLg From rforno at infowarrior.org Tue Feb 16 14:39:44 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Feb 2010 09:39:44 -0500 Subject: [Infowarrior] - New DOJ IP task force brings "stronger and stricter enforcement" Message-ID: New IP task force brings "stronger and stricter enforcement" By Nate Anderson | Last updated February 16, 2010 6:16 AM http://arstechnica.com/tech-policy/news/2010/02/new-ip-task-force-brings-stronger-and-stricter-enforcement.ars The Department of Justice has announced a new intellectual property task force that will bring together antitrust, the civil and criminal divisions, and the FBI in an effort to "confront the growing number of domestic and international intellectual property (IP) crimes." The announcement was vague on details, but it did make three curious statements that suggest the task force wants to do more than clamp down on counterfeit pharmaceuticals and knock-off handbags. For one thing, the new task force "will also serve as an engine of policy development to address the evolving technological and legal landscape of this area of law enforcement." Secondly, the Department of Justice will "leverage existing partnerships with federal agencies and independent regulatory authorities such as the Department of Homeland Security and the Federal Communications Commission." Finally, Justice will "develop a plan to expand civil IP enforcement efforts." Taken separately, no statement is all that interesting; put them together, though, and it certainly sounds possible that the new task force will ponder ways to curtail Internet-based IP infringement, including "noncommercial" P2P (the music and movie businesses deny that there is such a thing; in their view, it's all commercial). Singling out the FCC as a partner agency, for instance, could mean only that the task force cares about better communications systems for law enforcement. 
Perhaps the task force just wants to encourage deployment of new gear in the 700MHz spectrum reserved for public safety? On the other hand, expanding "civil enforcement" of copyright claims has long been on Big Content's wish list. The PRO-IP Act, which became law in 2008, initially directed the Department of Justice to prosecute major civil copyright cases, then turn any damage awards over to the private firms affected. That provision was stripped from the bill before passage. The task force emphasis on "policy development" could also create pressure on the FCC to encourage "three strikes" rules by American ISPs. The possibility isn't just paranoid crazy talk; the MPAA and RIAA both explicitly asked the FCC to encourage this in recent filings on the soon-to-be-unveiled National Broadband Plan. And both groups attended a recent IP-focused meeting with Attorney General Eric Holder and Vice President Joe Biden -- a meeting explicitly credited with spurring the creation of the new task force. "The Attorney General's announcement follows a summit meeting convened last December by Vice President Biden, a long-standing champion of US intellectual property rights-holders," said the press release. It also follows the creation of a new White House job, the Intellectual Property Enforcement Coordinator, which was mandated by the PRO-IP Act. Between Joe Biden, IPEC Victoria Espinel, the new DoJ task force, and the secretive Anti-Counterfeiting Trade Agreement (ACTA), it's clear that intellectual property enforcement has the major backing of the Obama administration. As Biden put it, get ready for "stronger and stricter enforcement of intellectual property rights." 
From rforno at infowarrior.org Tue Feb 16 17:01:34 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Feb 2010 12:01:34 -0500 Subject: [Infowarrior] - Yale-Mail planning didn't include IT faculty input Message-ID: Google to run Yale e-mail New e-mail client will work like Gmail, provide more storage while reducing costs for Yale The Horde e-mail server will soon be replaced by a new Google interface, custom-designed for Yale. Information Technology Services administrators plan to join with Google Apps for Education to bring students, faculty and employees the Gmail e-mail service by the end of this month, said an undergraduate member of the Student Technology Collaborative who asked to remain anonymous because of ITS policy. The service, tentatively called "Bulldogs," will also offer users a suite of tools for communication and collaboration -- including Google Calendar, Google Talk and Google Docs. The new interface will look like the standard Gmail layout, but without advertisements, the student said. The Gmail-based service will gradually replace the University's current e-mail client, Horde, the student said. The incoming class of 2014 will be the first to go directly to the new Google system, and current freshmen and sophomores will have to make the switch. Upperclassmen will have the option of keeping Horde, but the University plans to phase out Horde by spring of next year, the student said. Planning for "Bulldogs" did not include computer science faculty, computer science professor Michael Fischer said, adding that he and his colleagues have not yet discussed the transition with ITS administrators. 
< - > http://www.yaledailynews.com/news/university-news/2010/02/09/google-run-yale-e-mail/ From rforno at infowarrior.org Tue Feb 16 18:15:30 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Feb 2010 13:15:30 -0500 Subject: [Infowarrior] - Resource: Secret Service Network IDS program Message-ID: There's a bunch of useful information in this both in terms of general IT refresher and criminal procedure. -rick US Secret Service Network Intrusion Program http://cryptome.org/NITRO.zip From rforno at infowarrior.org Tue Feb 16 18:19:50 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Feb 2010 13:19:50 -0500 Subject: [Infowarrior] - New Credit Card Rules: What You Need to Know Message-ID: <2D7D70A5-5D96-4CFC-BC1A-A4ABA0BD66B2@infowarrior.org> New Credit Card Rules: What You Need to Know Changes in Interest Rates, Overdraft Fees, Late Payments By LAURA ZACCARO Feb. 16, 2010 http://abcnews.go.com/print?id=9846423 Next week new credit card provisions from the 2009 Credit Card Accountability, Responsibility, and Disclosure Act (CARD) will take effect, making it easier for consumers to understand their credit card bills and how interest charges are determined. The new rules will affect millions of consumers. The average person has five credit cards and the average household with at least one credit card has more than $10,000 in credit card debt, according to a 2009 Nilson Report. "Good Morning America" financial contributor Mellody Hobson explained what you should know about the credit card changes. Web Only Tip: Overdraft Fees Overdraft fees generated $25 billion to $38 billion for banks last year, Hobson said. Consumers can be automatically enrolled in overdraft protection, but with the new Credit CARD Act, customers must now specifically request it. Should a customer enroll, overdraft fees can only be applied once during a billing cycle and the card company must let you know how much it will be, Hobson said. 
The customer has the right to opt out of overdraft protection at any time. But these new rules only apply to debit cards and not to overdraft fees from checks or electronic transfers. Hobson recommended that consumers never ask for the overdraft protection for debit cards and opt out of it for checking accounts. Credit Card Changes Two of the Credit CARD Act changes are already in place. Consumers now have 21 days to send their payments in instead of 14, and credit card companies must give consumers 45 days notice if their terms change, instead of 15 days. Hobson notes one important exception to the 45-day notification rule: if your credit card company decides to reduce your credit limit, it can do so without any warning. Should this happen, Hobson said to call the company and ask for it to be reversed. If the company refuses, then pay any remaining balance as soon as possible, since lowering your credit limit could affect your credit score. On Feb. 22 another change will take effect that should help consumers better understand their credit card terms and debt, Hobson said. New Credit Card Rules Beginning on Monday, credit card bills must make clear how long it will take the consumer to pay off the balance and how much interest the consumer will pay if he or she only pays the minimum amount every month. For example, if a consumer has $5,000 in credit card debt with a 14 percent APR, the credit card company must disclose that it would take 10 years to pay off the balance plus nearly $2,000 in interest fees if the consumer only paid the minimum balance every month. Fee and Interest Rate Changes After the Credit CARD Act was passed in May 2009, credit card companies pre-emptively raised certain fees and interest rates in order to replace the $50 billion in revenues they expected to lose, Hobson said. In fact, since June 2009, the top 12 banks and credit unions have increased their rates by approximately 23 percent, Hobson explained. 
While the Credit CARD Act does not put a cap on increased interest rates, credit card companies must give customers 45 days notice on any change and they are not allowed to raise the current interest rate on consumers' existing debt, Hobson said. However, there are a few exceptions. If a consumer's APR is variable and tied to an index, then the interest rates on existing debt can be raised. Additionally, if a consumer is more than 60 days late making a payment, then the credit card company can increase the interest rate. But if the consumer then makes on-time payments for the following six months, the company must roll back the interest rate to the previous level, Hobson said. Also, consumers can no longer be charged an additional fee for paying over the phone, by an electronic transfer or by mail, Hobson said. An extra charge will only apply if the consumer uses live services to expedite a payment. Although the Credit CARD Act now requires 45 days notification of account changes, Hobson said it is still the consumer's responsibility to monitor all of the terms of their credit card statement. Web Only Tip: Universal Default The practice of universal default is also banned for existing credit card balances, Hobson said. This is when a card user's interest rate is increased based upon payment records for unrelated accounts, such as utility bills. Changes Affect College Students The last thing a college student needs is more debt. A Sallie Mae study found that in 2008, college seniors with at least one credit card graduated with an average of $4,138 in credit card debt. To protect young people from incurring debt, the Credit CARD Act has made it more difficult for college students to get a credit card, Hobson said. Credit card companies can no longer offer a card to someone under 21 without a co-signer or proof of proper income, Hobson explained. Nor can the company increase the limit on the card unless both the co-signer and the student agree. 
Offering inducements to sign up for cards -- such as free T-shirts or beach towels -- on or near a campus is also banned. Hobson recommends that if your child does need a card, you add him or her as an authorized user on your own credit card. Being an authorized user will help teach them to live within their means and also help them build up their credit history, and could improve their credit score if you make on-time payments, Hobson said. From rforno at infowarrior.org Tue Feb 16 19:41:01 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Feb 2010 14:41:01 -0500 Subject: [Infowarrior] - Public Input on Open Government Solicited Message-ID: Public Input on Open Government Solicited February 16th, 2010 by Steven Aftergood http://www.fas.org/blog/secrecy/2010/02/public_input.html The Obama Administration's open government initiative might possibly inspire a transformation in the character of government operations along with an expansion of citizen engagement in policy development. But in order to succeed, it needs some thoughtful, creative input from members of the public. All Cabinet level agencies (and a few others) have now prepared Open Government Webpages to document their progress in improving transparency and to solicit public suggestions for how to proceed, including recommendations for development of the Open Government Plans that will define each agency's transparency program. What this means is that "openness" is becoming incorporated into the bureaucratic machinery of government. While executive branch agencies remain constrained by security restrictions, resource limits and other considerations, these rule-driven organizations are being given some new rules to follow. But the actual contours of the new thrust towards openness -- its scope, its content, its urgency -- depend significantly on the quality of feedback and support that the initiative receives from the interested public. 
Agencies need specific, achievable, actionable suggestions for how to meet their new openness obligations. Each agency's openness webpage (linked here) invites readers to "share your ideas" on how to proceed. There has never been a better time for concerned citizens to help shape the government transparency agenda. (Actually, there has never been a "government transparency agenda" before.) And there is a premium on good ideas. Proposals that are unintelligible, impractical, irrelevant, or inane are effectively endorsements of the status quo because they cannot be implemented. What kind of ideas would be useful and appropriate? Those who already interact with each particular agency will be in the best position to say what that agency could and should provide to help advance the Administration's declared goals of transparency, participation and collaboration. But one general approach to the issue is to consider the diverse categories of government information that have been removed from public access over the past decade, and to use those as a metaphorical trail of bread crumbs leading back to a more transparent posture. Restoring access to that missing information could help agencies to reorient their policies and to chart a new direction forward. And it is clearly within the realm of possibility, since it has already been done. So, for example, these are some suggestions that we have submitted for agency consideration: Restore public access to the Los Alamos Technical Report Library. Until 2002, thousands of unclassified technical reports from Los Alamos National Laboratory dating back half a century and longer were publicly available on the Lab web site. And then they weren't. They constitute an invaluable archive of technological development, historical information, and current scientific research. A sizable fraction of the sequestered reports have been republished on the Federation of American Scientists website. 
But the entire collection, with updated content since 2002, should be restored to the public domain. Restore public access to orbital element data. For many years, NASA provided direct public access to so-called Two-Line Element sets that characterize the orbits of the many objects in Earth orbit that are tracked by Air Force surveillance, including active and defunct U.S. and foreign spacecraft, as well as significant debris. In 2004, open public access was terminated. That step should be reversed. Publish the Defense Department telephone directory. For decades, the Pentagon telephone directory served as a public guide to the complex structure of the Department of Defense, and provided a way to establish direct contact with individual offices and officials. It was always for sale at the Government Printing Office Bookstore to anyone who cared to buy it. But in 2001, the DoD telephone directory was designated "for official use only." In the interests of "openness, participation, and collaboration," public access to the DoD directory should be restored. (Other agencies with national security and foreign policy missions including the Department of Energy and the Department of State already make their personnel directories available online.) There must be countless other possibilities for moving towards a more open, responsive and accountable government. Some will be of broad interest, while others may serve a specialized constituency. Some will be easily achievable, others may require new investments or new modes of operation. But all of a sudden, "openness" is on the government-wide agenda in a way that it has never been before. The opportunities are there to be seized. 
From rforno at infowarrior.org Tue Feb 16 20:04:45 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Feb 2010 15:04:45 -0500 Subject: [Infowarrior] - Verizon to allow Skype calls over wireless network Message-ID: <67B22287-D4B6-42C0-ADDB-8846956BE17E@infowarrior.org> Verizon to allow Skype calls over wireless network By RACHEL METZ The Associated Press Tuesday, February 16, 2010; 1:07 PM http://www.washingtonpost.com/wp-dyn/content/article/2010/02/16/AR2010021602367.html?hpid=topnews SAN FRANCISCO -- Verizon Wireless will let customers use the Internet phone service Skype to make free calls on some phones, an application that wireless carriers have been slow to allow. Under a deal announced Tuesday at the Mobile World Congress trade show, users of some Verizon phones who have a voice and data plan will be able to download a free Skype application in late March. That will let them call or instant-message other Skype users for free or call regular phone numbers outside the United States for a fee paid to Skype. These calls would go over Verizon's network and would not use up minutes on a cell phone plan. Minutes would be deducted, however, to use Skype to call regular phone numbers in the U.S., Verizon said. Initially, the mobile application will be available for nine Verizon phones, including several BlackBerry models and Motorola Inc.'s Droid and upcoming Devour handsets. John Stratton, Verizon's chief marketing officer, said the application will be able to run all the time in the background. This means other people should be able to contact you through Skype even if your phone is on standby. Other wireless carriers have blocked the Skype app from running all the time. It's available on the iPhone only in Wi-Fi hot spots. In October, AT&T said it would relent and let the program work over its cellular network as well, but Skype has not yet released an application to enable that. 
Verizon's version of Skype mobile will not work over Wi-Fi, the companies said. From rforno at infowarrior.org Wed Feb 17 02:54:17 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Feb 2010 21:54:17 -0500 Subject: [Infowarrior] - US officials, Web executives to visit Russia Message-ID: <6B646700-A1FF-48E9-AAE4-023835D171B0@infowarrior.org> US officials, Web executives to visit Russia Tue Feb 16, 6:38 pm ET http://news.yahoo.com/s/afp/20100216/pl_afp/usrussiaitcompanydiplomacyinternet/print WASHINGTON (AFP) -- US officials and executives from eBay, Twitter and other Web companies are to visit Russia to discuss using social media to improve relations, the State Department said Tuesday. The delegation, which is to visit Russia from February 17 to 23, will hold meetings with representatives of the Russian government, universities, private companies, and non-governmental organizations, it said in a statement. "They will discuss how social media and other innovative technologies can be used to strengthen and broaden ties between the United States and Russia," the State Department said. The delegation will visit Moscow and Novosibirsk, it said. It will be led by Jared Cohen of the State Department's Office of Policy Planning and Howard Solomon of the National Security Council and will include White House chief technology officer Aneesh Chopra. The State Department said eBay, Twitter, Cisco, Howcast, EDventure, Social Gaming Network and Mozilla were among the companies sending representatives. Twitter, Facebook and LiveJournal were among the websites which came under cyberattack last year in an assault that Web security companies said was aimed at silencing a pro-Georgian blogger. The Georgian blogger, known only as "Cyxymu," blamed Russia for the attacks and said they were meant to silence his criticism of Moscow's role in the Georgia-Russia war. 
From rforno at infowarrior.org Wed Feb 17 13:39:24 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Feb 2010 08:39:24 -0500 Subject: [Infowarrior] - Race/Gender info a 'trade secret' Message-ID: <14201259-767E-4D44-B570-A87F642AA791@infowarrior.org> Five Silicon Valley companies fought release of employment data, and won By Mike Swift mswift at mercurynews.com Posted: 02/14/2010 04:00:00 PM PST Updated: 02/14/2010 08:47:17 PM PST http://www.mercurynews.com/ci_14382477?source=most_emailed&nclick_check=1 Google, the company that wants to make the world's information accessible, says the race and gender of its work force is a trade secret that cannot be released. So do Apple, Yahoo, Oracle and Applied Materials. These five companies waged an 18-month Freedom of Information battle with the Mercury News, convincing federal regulators who collect the data that its release would cause "commercial harm" by potentially revealing the companies' business strategy to competitors. A sixth company, Hewlett-Packard, fought the release and lost. But many of their industry peers see the issue differently. The Mercury News initially set out to obtain race and gender data on the valley's 15 largest companies, and nine ? including Intel, Cisco Systems, eBay, AMD, Sanmina and Sun Microsystems ? agreed to allow the U.S. Department of Labor to provide it. "There's nothing to hide, in our view," said Chuck Mulloy, a spokesman for Intel, which contacted the Mercury News to share its employment data after learning of the newspaper's federal FOIA request filed in early 2008. "We just felt that we're very proud of the (diversity) programs we have in place and the efforts we put forth, and we don't have any trouble sharing it." Experts in the area of equal employment law scoffed at the idea that public disclosure of race and gender data ? 
for example, the number of black men or Asian women in job categories such as "professionals," "officials & managers" and "service workers" -- could really allow competitors to discern a big tech company's business strategy. A bigger issue, they said, is the social cost of allowing large, influential corporations to hide their race and gender data.

"One of the main ways that we track how society is doing in terms of race relations, in terms of eliminating discrimination, in terms of promoting diversity, is by looking at statistics," said Richard Ford, a Stanford University law professor who is an expert in civil rights and anti-discrimination law. "But if we can't get the data, we can't know if it's a problem or not."

John Sims, a law professor at the University of the Pacific and an expert in FOIA law, called the objections of Google, Apple and other companies "absurd."

"The whole debate on affirmative action is based on the question, 'Is racial discrimination a thing of the past, or is it still going on?' " Sims said. "These companies are very interesting to look at, because they are new and they are not just in the rut of what they were doing 50 years ago, because they didn't exist 50 years ago."

The Labor Department data ultimately obtained by the Mercury News shows that while the collective work force of 10 of the valley's largest companies grew by 16 percent from 1999 to 2005, an already small population of black workers dropped by 16 percent, while the number of Hispanic workers declined by 11 percent. By 2005, only about 2,200 of the 30,000 Silicon Valley-based workers at those 10 companies were black or Hispanic.

In addition, among the roughly 5,900 managers at those companies in 2005, about 300 were either black or Hispanic -- a 20 percent dip from five years earlier. Women slipped to 26 percent of managers in 2005, from 28 percent in 2000.
Companies such as Google and Apple are particularly crucial to study, Ford said, because many of the nation's civil rights laws were written in the 1960s for a different workplace than the information-driven jobs of today.

The Mercury News initially asked the Labor Department to release so-called EEO-1 race and gender data for the 15 largest companies ranked by sales in the newspaper's SV150 Index. Following an appeal lodged by the Mercury News against the six companies that objected, the Labor Department released Hewlett-Packard's data after the company failed, government lawyers said, to provide a detailed objection "when we requested its views."

But the Labor Department accepted arguments filed by lawyers for Google, Apple, Yahoo, Oracle and Applied Materials that release of the information would cause commercial harm. The department declined to share the text of the detailed arguments made by the companies.

"Such data can demonstrate a company's evolving business strategy," William W. Thompson II, an associate solicitor with the Labor Department, wrote in the agency's notification of its final action. "The companies have articulated to us that they are in a highly competitive environment in which less mature corporations can use this EEO-1 data to assist in structuring their business operations to better compete against more established competitors."

Google recently announced that it donated $8 million over the last two weeks of 2009 to help underrepresented minorities follow careers in technology, including the donation of laptops to more than 600 high schools, and donations to groups such as the National Society of Black Engineers. Still, the company declined to release any racial or gender breakdown of its 20,000 workers.

"As we've previously said, we don't release this information for competitive reasons," a spokeswoman said.
From rforno at infowarrior.org Wed Feb 17 14:12:37 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 Feb 2010 09:12:37 -0500
Subject: [Infowarrior] - European ACTA Document Leaks With New Details
Message-ID:

http://www.michaelgeist.ca/content/view/4795/125/

European ACTA Document Leaks With New Details on Mexico Talks and Future Meetings
Wednesday February 17, 2010

A brief report from the European Commission authored by Pedro Velasco Martins (an EU negotiator) on the most recent round of ACTA negotiations in Guadalajara, Mexico has leaked, providing new information on the substance of the talks, how countries are addressing the transparency concerns, and plans for future negotiations. The document (cover page, document) notes that the Mexico talks were a "long meeting with detailed technical discussions, which allowed progress, but parties not yet ready for major concessions. Due to lack of time, internet discussions could not be concluded."

Start first with plans for future talks. Round 8 of the ACTA negotiations, which will be held in Wellington, New Zealand, is apparently now scheduled for April 12 to 16th. Countries plan a five-day round - the longest yet - with detailed discussions on the Internet provisions, civil enforcement, border measures, and penal provisions. Moreover, Round 9 will take place in Geneva, possibly during the week of June 7th. This aggressive negotiation schedule - three rounds of talks in six months - points to the pressure to conclude ACTA in 2010.

Secondly, transparency. The leaked document reveals that the summary document on ACTA is currently being updated by Canada and Switzerland, with release likely in March. The new document will deny rumours about iPod-searching border guards and mandatory three-strikes policies. There is no agreement about releasing the ACTA text, however (though more European Union member states favour its release).
New Zealand is considering a stakeholder meeting during the next round in April as part of the transparency effort.

Third, the substance of the talks. The three main areas of substantive discussion were civil enforcement, border measures (called customs by the EC), and the Internet provisions. The Commission document states:

1. The civil enforcement chapter was discussed very thoroughly. It was possible to agree additional language, but when entering into the detail of the different mechanisms (provisional measures, injunctions, calculation of damages) progress became slow due to the different technical concepts of each legal system.

2. The customs chapter was discussed in detail for the first time in more than one year. Good progress on items like exemptions for personal luggage (a sensitive issue in the public opinion). EU proposing a more organised and logical structure of the chapter, not always well understood by others.

3. The internet chapter was discussed for the first time on the basis of comments provided by most parties to US proposal. The second half of the text (technological protection measures) was not discussed due to lack of time. Discussions still focus on clarification of different technical concepts, therefore, there was not much progress in terms of common text. US and EU agreed to make presentations of their own systems at the next round, to clarify issues.

Leaving aside the more personal comments (i.e., others do not understand the border measures chapter structure), the leaked document is precisely what the negotiating countries should be providing to the public in the absence of an actual text. Rather than the mundane meeting statement that says nothing, this brief report includes far more detail on the substance of the talks and the plans for the future.
From rforno at infowarrior.org Wed Feb 17 19:48:28 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 Feb 2010 14:48:28 -0500
Subject: [Infowarrior] - TSA to swab airline passengers' hands
Message-ID: <792D937B-4FE9-4EC0-8927-10A2787D155A@infowarrior.org>

TSA to swab airline passengers' hands in search for explosives
By Jeanne Meserve and Mike M. Ahlers, CNN
February 17, 2010 12:21 p.m. EST
http://www.cnn.com/2010/TRAVEL/02/17/tsa.hands.swabbing/index.html

Washington (CNN) -- To the list of instructions you hear at airport checkpoints, add this: "Put your palms forward, please."

The Transportation Security Administration soon will begin randomly swabbing passengers' hands at checkpoints and airport gates to test them for traces of explosives.

Previously, screeners swabbed some carry-on luggage and other objects as they searched for the needle in the security haystack -- components of terrorist bombs in an endless stream of luggage.

But after the Christmas Day attempted bombing of Northwest Flight 253 over Detroit, Michigan, the TSA began a program of swabbing passengers' hands, which could be contaminated by explosive materials, experts say. The TSA will greatly expand the swabbing in the coming weeks, the agency said.

"The point is to make sure that the air environment is a safe environment," Homeland Security Secretary Janet Napolitano told CNN. "We know that al Qaeda [and other] terrorists continue to think of aviation as a way to attack the United States. One way we keep it safe is by new technology [and] random use of different types of technology."

Security experts consulted by CNN said swabbing hands is a good move, and privacy advocates said they support the new swabbing protocols, provided the agency tests only for security-related objects and does not discriminate when it selects people to be tested.

It's a "very good idea," said security expert Tony Fainberg.
TSA screeners currently swab luggage handles and parts of bags that are likely to be contaminated by human hands, he said, and swabbing a person's hands increases the chances of finding explosive materials. "Looking at the hands means you will probably get a better dose," he said.

Under the new protocols, tests will be conducted at various locations -- including in checkpoint lines, during the screening process and at gates. Newer, more portable machines make it easier to conduct tests away from fixed locations such as the checkpoint.

The TSA has more than 7,000 explosive trace detection (ETD) machines and has purchased 400 additional units with $16 million in federal stimulus money. The president's fiscal 2011 budget calls for $60 million to purchase approximately 800 portable ETD machines.

Napolitano said the tests will not significantly increase wait times at airport checkpoints.

The American Civil Liberties Union has "always supported explosive detection as a good form of security that doesn't really invade privacy," said Jay Stanley, an attorney and privacy expert with the organization.

Stanley said the ACLU is chiefly concerned that the TSA does not discriminate when selecting people for enhanced screening -- something the agency said it does not do -- and that it treat people with dignity.

"We would not want to see it implemented in a discriminatory fashion, for example, in a disproportionate way against Muslims and Arabs or, for example, people with red hair or anything else. Security experts from across the spectrum will tell you that that's not just unfair and unjust and not the American way, it's also a terrible way to do security," Stanley said.

Swabbing also should not be used to test for nonsecurity-related contraband, such as drugs, he said. "Under the Constitution, searches in airports are only for the purpose of protecting the security of airline transportation; they are not general law enforcement stops.
And so it wouldn't be permissible for the government to use these trace portal detectors to look for drugs," Stanley said.

The TSA said the machines test only for explosives. It declined to specify which explosives, citing security reasons.

Because some legal substances -- such as fertilizers and heart medicines -- can result in "false positives," Stanley said the ACLU also wants to ensure that people who test positive be treated respectfully.

"It's important that the government treat people who do show up as a positive -- fairly and with dignity -- and not parade them off in handcuffs and treat them as terrorists, but do rational things to investigate what the problem might be," he said.

But swabbing hands does not, by itself, raise civil liberty problems, Stanley said.

"There's really not a big privacy interest at stake here," he said. "They are basically looking for particles of explosives, which is not something that people normally have."

From rforno at infowarrior.org Thu Feb 18 14:06:32 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2010 09:06:32 -0500
Subject: [Infowarrior] - Wall Street's Bailout Hustle
Message-ID:

Long article, but well worth reading. In particular, read the #6 con "The Wire" and then re-consider how much faith (if any) you place in Wall Street "analysis" or "recommendations." As there is profanity in the article, I'm only sending the link out.
-rf

Wall Street's Bailout Hustle
MATT TAIBBI
Posted Feb 17, 2010 5:57 AM

Wall Street's Bailout Hustle
Goldman Sachs and other big banks aren't just pocketing the trillions we gave them to rescue the economy - they're re-creating the conditions for another crash
http://www.rollingstone.com/politics/story/32255149/wall_streets_bailout_hustle/print

From rforno at infowarrior.org Thu Feb 18 15:37:03 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2010 10:37:03 -0500
Subject: [Infowarrior] - Most Windows 7 PCs max out memory
Message-ID:

Most Windows 7 PCs max out memory
Most Windows 7 systems consume nearly all RAM; less than half of XP PCs do
Gregg Keizer
http://www.computerworld.com/s/article/9158258/Most_Windows_7_PCs_max_out_memory

February 17, 2010 (Computerworld) Most Windows 7 PCs max out their memory, resulting in performance bottlenecks, a researcher said today.

Citing data from Devil Mountain Software's community-based Exo.performance.network (XPnet), Craig Barth, the company's chief technology officer, said that new metrics reveal an unsettling trend. On average, 86% of Windows 7 machines in the XPnet pool are regularly consuming 90%-95% of their available RAM, resulting in slow-downs as the systems were forced to increasingly turn to disk-based virtual memory to handle tasks.

The 86% mark for Windows 7 is more than twice the average number of Windows XP machines that run at the memory "saturation" point, said Barth. The most recent snapshot of XPnet's 23,000-plus PCs -- taken yesterday -- pegs only 40% of XP systems as running low on memory.

"The vast majority of Windows 7 machines over the last several months are very heavily memory saturated," said Barth today. "From a performance standpoint, that has an immediate impact on the machine."
The low-memory condition of most Windows 7 PCs is even more notable considering the amount of RAM in Windows 7 systems: According to XPnet's polling, Windows 7 PCs sport an average of 3.3GB of memory, compared to 1.7GB in the average Windows XP computer. (Machines running Windows Vista contain an average of 2.7GB.)

"Windows 7 machines have almost twice as much memory to work with," said Barth, "but the numbers show just how much larger and more complex Windows 7 is than XP."

Barth acknowledged that XPnet's data couldn't determine whether the memory usage was by the operating system itself, or an increased number of applications, but said that Devil Mountain would start working on finding which is the dominant factor in increased memory use.

Other data that Devil Mountain collates as part of a new metric dubbed "Windows Composite Performance Index" (WCPI) quantifies peak processor workload and I/O performance. Both of those measurements are also higher for Windows 7 systems than for XP machines. While 85% of the former are running at peak I/O loads, only 36% of the latter do; the numbers for CPU workload are closer, as 44% of Windows 7 computers are running a computational backlog that delays processing tasks, compared to 36% of the XP systems.

"This is alarming," Barth said of Windows 7 machines' resource consumption. "For the OS to be pushing the hardware limits this quickly is amazing. Windows 7 is not the lean, mean version of Vista that you may think it is."

Long-time computer users are more familiar with the opposite: that hardware stays ahead of operating system requirements. "On current-generation hardware right out of the gate, Windows 7 is maxing out the resources. The old trend just isn't the case anymore. Now, everything that Intel giveth, Microsoft taketh away," Barth said.

"I think this is something that everyone in their gut knew, but now we have data," said Barth. "The metrics don't lie."
Users who want to compare their computers to the current WCPI numbers can do so by registering with XPnet and then installing the DMS Clarity Tracker Agent from Devil Mountain's site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at

From rforno at infowarrior.org Thu Feb 18 17:56:05 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2010 12:56:05 -0500
Subject: [Infowarrior] - Pentagon Lifts Thumb Drive Ban
Message-ID: <5F208A49-0C11-4A40-9F9A-0AD8280621E1@infowarrior.org>

Danger Room: What's Next in National Security

Hackers, Troops Rejoice: Pentagon Lifts Thumb Drive Ban
By Noah Shachtman, February 18, 2010, 12:00 pm
Categories: Info War
http://www.wired.com/dangerroom/2010/02/hackers-troops-rejoice-pentagon-lifts-thumb-drive-ban

Soldiers, you are now cleared to use your thumb drives again.

U.S. Strategic Command has lifted its ban on the tiny drives, memory sticks, CDs, and other "removable flash media" on military networks. The repeal, first reported by InsideDefense.com, may be good news for troops, who depend on the drives to move data in bandwidth-starved locations. But it may be good news for hackers, too. The original network security concerns which prompted the ban haven't really been addressed, one Strategic Command cyber defense specialist tells Danger Room: "Not much changed. STRATCOM simply does not have the support to enforce such a ban indefinitely."

STRATCOM prohibited the drives' use back in November, 2008 after the Agent.btz virus began working its way through military networks. A variation of the "SillyFDC" worm, Agent.btz spreads by copying itself from thumb drive to computer and back again. Once on a PC, "it automatically downloads code from another location. And that code could be pretty much anything," iDefense computer security expert Ryan Olson said at the time.
There was also talk that such infections might be deliberate attacks on the Defense Department's networks. The ban was billed in one STRATCOM e-mail as a way to counter "adversary efforts to penetrate, disrupt, interrupt, exploit or destroy critical elements of the GIG [Global Information Grid]." Jim Lewis, with the Center for Strategic and International Studies, told 60 Minutes last November that "some foreign power" infiltrated the classified network of U.S. Central Command through the use of "thumb drives." (Later, Lewis said he did not have direct knowledge of the incident.)

Troops in the field and at secure facilities often rely on thumb drives, CDs, and other removable media to transport information when bandwidth is scarce and networks are unreliable. Even after the ban went into effect, takeaway storage continued to be used constantly as a substitute.

STRATCOM hopes to keep the spread of any viruses to a minimum by only allowing "properly inventoried, government-procured and owned devices" on military networks. But at least one STRATCOM specialist is skeptical that the limitations will have much of an impact.

"Simply put, DoD [Department of Defense] cannot undo 20+ years of tacitly utilizing worst IT security practices in a reasonable amount of time especially when many of these practices are embedded in enterprise wide processes. While a more restrictive policy on such devices is useful and better than no policy at all, it still pivots on what I like to call the 'original sin' fallacy of cyber security: the unsubstantiated given in most policies that all users will always follow the rules and self police," the specialist notes.

At the National Security Agency and other highly-classified organizations, USB ports and writable drives are removed from desktop computers. Drivers of the devices are disabled. In many wings of Defense Department, that would bring information-sharing to a grinding halt.
"Folks at all levels being routinely tasked to do things with their IT by senior leaders for which they are not provided the enterprise tools for and often require them to use poor security practices or violate existing policy to accomplishment," the STRATCOM specialist observes. It would be like ordering a subordinate to hand deliver a message by car to someone in 10 minutes -- but that person is 10 miles away so they have to drive 60 mph. The law says the speed limit is 55, but the driver is forced to speed to accomplish the task. And then leaders lament the deaths and injuries caused by speeding and create policies demanding drivers stop speeding and increase the punishment on those that do. Nice little Catch 22 we create for ourselves.

[Photo: USMC]

From rforno at infowarrior.org Thu Feb 18 17:57:36 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2010 12:57:36 -0500
Subject: [Infowarrior] - Nathan Myhrvold, patent troll
Message-ID: <6DC24F31-766C-4C2D-A7C7-A490A1355C87@infowarrior.org>

Nathan Myhrvold's Intellectual Ventures Using Over 1,000 Shell Companies To Hide Patent Shakedown
http://techdirt.com/articles/20100217/1853298215.shtml

From rforno at infowarrior.org Thu Feb 18 20:56:56 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2010 15:56:56 -0500
Subject: [Infowarrior] - Musicblogocide 2010: The Blame Game
Message-ID: <809A92AC-240C-4DBB-ACA8-1ED2B00B5E96@infowarrior.org>

(c/o E)

Musicblogocide 2010: The Blame Game
By Jonathan Bailey, Feb 17th, 2010

Last week Google shut down a series of music blogs running on their popular Blogger service. All of the blogs were shut down for alleged copyright violations but at least six of the blogs were popular music blogs, including several that claimed they had obtained all of the music they were sharing legitimately. This kicked off a firestorm of controversy and blame was quickly spread around.
Many blamed the labels for sending such clearly false DMCA notices, others blamed Google for sending inadequate notices and others still blamed the laws themselves.

The truth is that there is plenty of blame to go around. When you step back and take a look at the situation and how it unfolded, you can see that there are no completely innocent parties nor any one guilty entity. It was a perfect storm created by a series of bungles and missteps that, fortunately, is more rare than it seems.

However, to figure out how to prevent such takedowns in the future, let us take a look at what happened and what everyone can do better.

< big cut >

http://www.plagiarismtoday.com/2010/02/17/musicblogocide-2010-the-blame-game/

From rforno at infowarrior.org Thu Feb 18 21:04:52 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2010 16:04:52 -0500
Subject: [Infowarrior] - DHS loses 289 of its guns
Message-ID: <987D7763-9A97-4485-B55E-63E10F92E647@infowarrior.org>

Report finds DHS does poor job securing its own firearms
By Spencer S. Hsu
Washington Post Staff Writer
Thursday, February 18, 2010; 3:09 PM
http://www.washingtonpost.com/wp-dyn/content/article/2010/02/18/AR2010021802621_pf.html

Agents and officers of the U.S. Department of Homeland Security reported that 289 of their handguns, shotguns or automatic rifles had been lost or stolen between 2005 and 2008, with weapons left in places ranging from fast-food restaurant restrooms to bowling alleys to clothing stores, the agency's inspector general said in a report released Thursday.

Most of the losses could have been prevented, DHS Inspector General Richard L. Skinner reported. In one case, his office stated, a border officer left a weapon in his idling vehicle at a convenience store. Both the weapon and the vehicle were stolen. In another case, a shotgun and semiautomatic rifle were stolen from an officer's closet at home.
Other agents left firearms in truck beds or on vehicle bumpers, where weapons fell off as they drove away.

"The Department of Homeland Security, through its components, did not adequately safeguard and control its firearms," Skinner concluded in a 23-page report dated Jan. 25. "Although some reported losses were beyond the officers' control, most losses occurred because officers did not properly secure firearms," the inspector general concluded.

The report, first reported Thursday by USA Today, recommended that DHS set tighter department-wide rules for storing, transferring and taking inventory of weapons, and for reporting when they are lost.

While the report was embarrassing for DHS, other unidentified federal law enforcement agencies fared worse. Skinner said the Justice Department and the Government Accountability Office, Congress's audit arm, found similar problems among 18 agencies assessed between 2003 and 2007.

Elaine C. Duke, then-DHS undersecretary for management, committed in a Dec. 11 letter to Skinner's assistant to stronger oversight and department-wide policies. "Components that were audited took immediate and substantive actions to correct noted deficiencies and to improve the overall management of their firearms," Duke said. She said a DHS management plan and policy were expected within months.

Overall, DHS agencies reported having more than 188,548 firearms on hand as of July, not counting the Transportation Security Administration, whose inventory is secret for security reasons. Two DHS components -- Customs and Border Protection and Immigration and Customs Enforcement -- reported 243 lost weapons, or 84 percent of the total. TSA, the Secret Service and the Coast Guard lost 46.

About one in four losses was beyond officers' control, with weapons lost for example when Hurricane Katrina made landfall, in assaults against officers or taken from lockboxes or safes.
Listing examples of poor practices, auditors found CBP and ICE firearms instructors storing weapons in bags visible from the windows of their vehicles. Other officers were observed putting them in glove compartments, under seats and in trunks.

Agencies are also sloppy about tracking weapons, the report said. CBP and ICE staff took two to four months on average to report lost weapons to headquarters. According to ICE and CBP, 65 lost firearms were recovered, but 15 were taken by local law enforcement from felons, gang members, criminals, drug users and teenagers.

From rforno at infowarrior.org Thu Feb 18 21:11:32 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2010 16:11:32 -0500
Subject: [Infowarrior] - Class action against Google Buzz
Message-ID: <6B1B56F1-FD72-4775-96BA-2C9563BA3CE1@infowarrior.org>

Google slapped with class-action lawsuit over Buzz
Florida woman contends that Buzz violates Gmail user privacy rights, federal laws
Sharon Gaudin
http://www.computerworld.com/s/article/9158858/Google_slapped_with_class_action_lawsuit_over_Buzz?

February 18, 2010 (Computerworld) A Florida woman yesterday filed a class-action lawsuit against Google Inc., charging that the new Buzz social networking tool set violates the privacy rights of users.

Eva Hibnick, a resident of Sarasota County, Fla., filed the suit in a San Jose, Calif., federal court on behalf of herself and the approximately 31 million U.S. users of Google's popular Gmail e-mail service. The lawsuit alleges that Google violated federal privacy and computer fraud laws by adding Buzz to the Gmail service last week.

According to the class action complaint, "Google Buzz made private data belonging to Gmail users publicly available without the users' knowledge or authorization. Google has publicly admitted that its Buzz program presents privacy concerns, and Google has made several waves of modifications to the program.
However, Google's modifications do not go far enough to address the problem. Furthermore, Google's actions have already caused damage because the Buzz program disclosed private user information the moment Google launched the service. The bell of breached privacy cannot be un-rung."

Hibnick is seeking unspecified damages and is asking the court to prevent Google from offering Buzz without "appropriate safeguards, default provisions and opt-in mechanisms."

In an e-mail to Computerworld, Google said it has not yet been served with the lawsuit and would not comment until the complaint has been received and reviewed.

Google last week threw its hat into the social networking ring by adding new Gmail features designed to make the e-mail service a social networking hub. Google Buzz is the company's attempt to make the flood of social posts, pictures and video easier to weed through, and to make it easier to find important information.

Users started expressing concerns about the complexity of the privacy setting in Buzz almost immediately after its Feb. 9 launch. In response, Google said it had tweaked the technology to address early privacy concerns just two days after the launch of Buzz. The company noted in a blog post that the modifications should make it easier for users to block access to their pages and also make it easier to find two different privacy features.

In her lawsuit, Hibnick called Google's tweaks to Buzz too little and too late.

Dan Olds, an analyst with The Gabriel Consulting Group, said that if nothing else, the lawsuit should serve as an eye opener for Google executives.

"This should definitely be a wake-up call for them to go over Buzz with a magnifying glass and a fine-toothed comb, looking for any other potential problems and try to fix them proactively," Olds said. "Actually, the lawsuit doesn't surprise me at all. In fact, I'm a little surprised that there's only one so far.
Given our litigious society, plus Google's recent missteps in terms of privacy, I wouldn't be surprised if state and/or federal regulators got into the act, too. Google did make some serious blunders with Buzz. Plus they aren't the underdog anymore. Their halo is getting a bit tarnished in some ways."

Olds added that he doesn't foresee the lawsuit having a major financial impact on Google but it should bring more scrutiny down on the company and its privacy moves and policies.

From rforno at infowarrior.org Thu Feb 18 22:06:19 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2010 17:06:19 -0500
Subject: [Infowarrior] - PA school spies on students at home?
Message-ID: <70A9B379-D5E9-468B-A226-FEC33135048F@infowarrior.org>

(c/o AJR)

http://www.boston.com/news/nation/articles/2010/02/18/suit_pa_school_spied_on_students_via_laptops/

Suit: Pa. school spied on students via laptops

"PHILADELPHIA -- A suburban Philadelphia school district used school-issued laptop webcams to spy on students at home, potentially catching them and their families in compromising situations, a family claims in a federal lawsuit."

Another article, more detail:

http://arstechnica.com/tech-policy/news/2010/02/school-under-fire-for-spying-on-kid-via-webcam-at-home.ars

Robbins' father Michael supposedly confirmed with Matsko that the school has the ability to remotely activate the webcam "at any time it chose to view and capture whatever images were in front of the webcam."
From rforno at infowarrior.org Fri Feb 19 00:04:20 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 Feb 2010 19:04:20 -0500
Subject: [Infowarrior] - TSA's latest doozie in Newark
Message-ID: <88718C35-A1B6-4B79-BE2C-2D251EAF4FE7@infowarrior.org>

Feb 18, 2010 6:10 pm US/Eastern
Frustration Mounts After Latest Newark Breach
TSA: Agent Flagged Wrong Passenger For Rescreening, But Person In Question With Carry-On Was Never Found
http://wcbstv.com/local/newark.airport.security.2.1502898.html
Marcia Kramer

NEWARK (CBS) -- Parts of Newark Liberty International Airport were closed again this week due to a security breach, the second security snafu in six weeks.

It was calm at Newark on Thursday, but that definitely wasn't the case Monday when a security breach forced the closure of parts of Terminal A for over an hour.

The reason for the security breach was a real doozy -- a passenger was flagged for having suspicious objects in his carry-on bag but a Transportation Security Administration spokesman said that agents stopped the wrong passenger for rescreening and the passenger with the suspicious objects got away.

When agents couldn't find the passenger after shutting down the operations for an hour they went to all gate areas to screen passengers but they never found the person.

The problem is it was the second security breach at the airport in six weeks. On Jan. 3 a security breach caused the airport to shut down Terminal C for six hours, stranding 16,000 passengers for days and entangling flights around the world.

"You cannot allow back-to-back major mistakes like this, security gaps like this to occur, especially such flagrant ones as this," Rep. Peter King said.

King, the ranking member on the House Homeland Security Committee, is especially concerned because, he said, al Qaeda terrorists are constantly on the lookout for holes in our security system.

"It's a crisis or tragedy waiting to happen," Rep. King said.
"Everything we do is being watched by al Qaeda. When they see such an easy way to breach security at Newark Airport we have to assume, we have to assume al Qaeda will try to take advantage." Passengers were stunned at news of the latest breach. "Shocking. I would expect security to be a little more tighter than that," said Edin Haya of Paterson, N.J. "It's a little bit concerning. I like to see people be safe and that calls into question the security procedures yet again," added Nelson Hurt of Chatham. This comes as the airport scored dead last in a national survey of airport customer satisfaction. One big trouble spot is poor security checks. A TSA spokesman said the agency is reviewing the incident and will take appropriate action against the officer responsible for flagging the wrong passenger.
From rforno at infowarrior.org Fri Feb 19 02:14:27 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Feb 2010 21:14:27 -0500 Subject: [Infowarrior] - Yawn on 'Zeus' Message-ID: 'Zeus' apparently is not a new thing, despite today's media circus coverage. In addition to citing a December occurrence of Zeus, George Smith's (of Vmyth fame) blog describes what appears to be a popular thing for cybersecurity vendors looking to get their names up in lights on the national cybersecurity stage. (Circus du Cyber?) I have links to Smith's blog below. As for me, I knew today's breathless cyberstory couldn't be as serious as the MSM reported it when I went to Netwitness' homepage and in order to read their report on "Zeus" -- you know, the thing behind this "ZMG! BADNEWS!" computer security event, you had to fork over contact information to be added to their marketing database. If it was really important, or really bad news for the Internet you'd find in-depth analyses from all over the Net. But nope, the only analysis you see is the one presented to the public in a blatantly commercial and self-serving manner.
Since lots of vendors use cybersecurity hysteria to market themselves throughout the year, that tells me it's not as groundbreaking or earth-shattering a 'story' as I'm being led to believe. --rf http://dickdestiny.com/blog1/2010/02/18/enormous-cyberattack-takes-ten-minutes-to-undo-here/ < - > Zeus attacks were not extraordinary frontpage news when DD reported it matter of factly. Or perhaps when others noted the same. Today they're news because NetWitness made a report out of them and handed it over to the press. < - > http://dickdestiny.com/blog1/2010/02/18/enormous-cyberattack-takes-ten-minutes-to-undo-here/
From rforno at infowarrior.org Fri Feb 19 04:13:22 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Feb 2010 23:13:22 -0500 Subject: [Infowarrior] - IOC 'owns' Lindsay Vonn's name? Message-ID: <24E82EFE-D324-4BC9-B615-DEFF00635795@infowarrior.org> This clever ditty appears on the front page of UVEX, whose winter sports gear is prominently seen in venues up at the OLYMPICS in VANCOUVER during the 2010 GAMES. (ooops, can I use these terms? so sue me, IOC....) Source: http://www.uvexsports.com/ Blonde we like wins Downhill (Last name rhymes with "Bonn") Wednesday, February 17, 2010 There once was a lawyer from the IOC, who called us to protect "intellectual property." "During the Olympics", she said with a sneer "your site can't use an Olympian's name even if they use your gear." "No pictures, no video, no blog posts can be used..." Even if they are old? "No!", she enthused. While Olympians chase gold the IOC pursues green. Cough up millions, or your logo cannot be seen. Except there it is, on top of countless heads! Tax free endorsements the IOC dreads. And so it is with a wink and a nudge that we would like to congratulate a skier whose name we must fudge. Her hair is long and blonde Last name rhymes with the German city of Bonn. Congratulations Women's Downhill winner -- from all of us here at UVEX (no longer an IOC sinner).
From rforno at infowarrior.org Fri Feb 19 17:53:18 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 19 Feb 2010 12:53:18 -0500 Subject: [Infowarrior] - Pew Research Survey: The Future of the Internet IV Message-ID: The Future of the Internet IV http://pewinternet.org/Reports/2010/Future-of-the-Internet-IV.aspx In an online survey of 895 technology stakeholders' and critics' expectations of social, political and economic change by 2020, fielded by the Pew Research Center's Internet & American Life Project and Elon University's Imagining the Internet Center:
- Google won't make us stupid: 76% of these experts agreed with the statement, "By 2020, people's use of the Internet has enhanced human intelligence; as people are allowed unprecedented access to more information they become smarter and make better choices. Nicholas Carr was wrong: Google does not make us stupid." Some of the best answers are in Part 1 of this report.
- Reading, writing, and the rendering of knowledge will be improved: 65% agreed with the statement "by 2020 it will be clear that the Internet has enhanced and improved reading, writing and the rendering of knowledge." Still, 32% of the respondents expressed concerns that by 2020 "it will be clear that the Internet has diminished and endangered reading, writing and the rendering of knowledge." Some of the best answers are in Part 2 of this report.
- Innovation will continue to catch us by surprise: 80% of the experts agreed that the "hot gadgets and applications that will capture the imaginations of users in 2020 will often come 'out of the blue.'" Some of the best answers are in Part 3 of this report.
- Respondents hope information will flow relatively freely online, though there will be flashpoints over control of the internet. Concerns over control of the Internet were expressed in answers to a question about the end-to-end principle. 61% responded that the Internet will remain as its founders envisioned, however many who agreed with the statement that "most disagreements over the way information flows online will be resolved in favor of a minimum number of restrictions" also noted that their response was a "hope" and not necessarily their true expectation. 33% chose to agree with the statement that "the Internet will mostly become a technology where intermediary institutions that control the architecture and content will be successful in gaining the right to manage information and the method by which people access it." Some of the best answers are in Part 4 of this report.
- Anonymous online activity will be challenged, though a modest majority still think it will be possible in 2020: There is more of a split verdict among the expert respondents about the fate of online anonymity. Some 55% agreed that Internet users will still be able to communicate anonymously, while 41% agreed that by 2020 "anonymous online activity is sharply curtailed."
From rforno at infowarrior.org Sun Feb 21 23:09:59 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 21 Feb 2010 18:09:59 -0500 Subject: [Infowarrior] - ACTA Internet Chapter Leaks: Renegotiates WIPO, Sets 3 Strikes as Model Message-ID: ACTA Internet Chapter Leaks: Renegotiates WIPO, Sets 3 Strikes as Model Sunday February 21, 2010 http://www.michaelgeist.ca/content/view/4808/125/ Several months after a European Union memo discussing the ACTA Internet chapter leaked, the actual chapter itself has now leaked. First covered by PC World, the new leak fully confirms the earlier reports and mirrors the language found in the EU memo. This is the chapter that required non-disclosure agreements last fall. The contents are not particularly surprising given the earlier leaks, but there are three crucial elements: notice-and-takedown, anti-circumvention rules, and ISP liability/three strikes.
Notice-and-Takedown The notice-and-takedown provision, which is a pre-requisite for intermediary safe harbour from liability, requires: an online service provider expeditiously removing or disabling access to material or activity, upon receipt of legally sufficient notice of alleged infringement, and in the absence of a legally sufficient response from the relevant subscriber of the online service provider indicating that the notice was the result of a mistake or misidentification. except that the provisions of (II) shall not be applied to the extent that the online service provider is acting solely as a conduit for transmissions through its system or network. This would represent a change in Canadian law. Both prior copyright reform bills (C-60 and C-61) established notice-and-notice systems, rather than notice-and-takedown. There is currently an informal agreement to use notice-and-notice, which has proven effective (the Entertainment Software Association of Canada told the Liberal copyright roundtable earlier this month that 71% of subscribers who receive a notice do not repost the content within a week). ACTA would trump domestic law and the current Canadian business practice. Anti-Circumvention The anti-circumvention provisions are even more problematic as they effectively represent a renegotiation of the WIPO Internet treaties. 
The proposed ACTA provision states: In implementing Article 11 of the WIPO Copyright Treaty and Article 18 of the WIPO Performances and Phonograms Treaty regarding adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors, performers or producers of phonograms in connection with the exercise of their rights and that restrict unauthorized acts in respect of their works, performances, and phonograms, each Party shall provide civil remedies, as well as criminal penalties in appropriate cases of willful conduct that apply to: (a) the unauthorized circumvention of an effective technological measure that controls access to a protected work, performance, or phonogram; and (b) the manufacture, importation, or circulation of a technology, service, device, product, component, or part thereof, that is: marketed or primarily designed or produced for the purpose of circumventing an effective technological measure; or that has only a limited commercially significant purpose or use other than circumventing an effective technological measure. Article 11 of the WIPO Copyright Treaty (the anti-circumvention provision) was intentionally left broad in scope to allow for various implementations. The treaty merely requires "adequate legal protection and effective legal remedies against the circumvention of effective technological measures." It does not require access controls nor prohibitions on the manufacture or distribution of devices that can be used to circumvent. Indeed, when the DMCA was being discussed in the United States, Bruce Lehman, the Under-Secretary of State, acknowledged that the treaties could be implemented without a devices provision. Moreover, he stated that the DMCA would be used to pressure other countries into following the U.S.
example: When that legislation is in effect, then we will have a template that we can use, that the Trade Representative can use, that we in the Commerce Department can use, the State Department can use, when we are in negotiations with other governments to advise them as to what they need to do to implement their responsibilities in these treaties to provide effective remedies. ACTA is therefore viewed as a mechanism to win the policy battle lost in Geneva in 1996. It would force countries like Canada to adopt the U.S. approach, even though the treaty explicitly envisioned other possibilities. Three Strikes/Graduated Response The draft chapter finally puts to rest the question of whether ACTA in its current form would establish a three strikes and you're out model. The USTR has recently emphatically stated that it does not establish a mandatory three strikes system. The draft reveals that this is correct, but the crucial word is mandatory. The draft U.S. chapter does require intermediaries to play a more aggressive role in policing their networks and the specific model cited is the three-strikes approach. In other words, the treaty may not specifically require three-strikes, but it clearly encourages it as the model to qualify as a safe harbour from liability. The specific provision, which is another pre-requisite for intermediary safe harbour from liability, states: an online service provider adopting and reasonably implementing a policy to address the unauthorized storage or transmission of materials protected by copyright or related rights except that no Party may condition the limitations in subparagraph (a) on the online service provider's monitoring its services or affirmatively seeking facts indicating that infringing activity is occurring; And what is an example of a policy provided in ACTA? 
The treaty states: An example of such a policy is providing for the termination in appropriate circumstances of subscriptions and accounts in the service provider's system or network of repeat infringers. This leak shows how deceptive the USTR has been on this issue - on the one hand seeking to assure the public that there is no three-strikes and on the other specifically citing three strikes as its proposed policy model. Given the past U.S. history with anti-circumvention - which started with general language and now graduates to very specific requirements - there is little doubt that the same dynamic is at play with respect to three strikes. From a process perspective, leaks coming out of the Mexico ACTA talks revealed that the ISP provisions were discussed, but the anti-circumvention provisions were not. This suggests that the anti-circumvention provisions from the U.S. are the only proposal currently on the table. According to a New Zealand official, there may be alternate proposals for the three-strikes model, all of which will presumably be discussed during the next round of negotiations in April in New Zealand.
From rforno at infowarrior.org Mon Feb 22 01:20:09 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 21 Feb 2010 20:20:09 -0500 Subject: [Infowarrior] - Leaked ACTA draft reveals plans for internet clampdown Message-ID: <5710FD4A-F214-47C0-B7B6-463C2223EF72@infowarrior.org> Leaked ACTA draft reveals plans for internet clampdown ISPs must snoop on subscribers or face being sued by content owners By Paul Meller, Brussels | Sunday, 21 February, 2010 http://computerworld.co.nz/news.nsf/printer/BE590D95B79BE414CC2576D1000A252C The US, Europe and other countries including New Zealand are secretly drawing up rules designed to crack down on copyright abuse on the internet, in part by making ISPs liable for illegal content, according to a copy of part of the confidential draft agreement that was seen by the IDG News Service.
It is the latest in a series of leaks from the anticounterfeiting trade agreement (ACTA) talks that have been going on for the past two years. Other leaks over the past three months have consisted of confidential internal memos about the negotiations between European lawmakers. The chapter on the internet from the draft treaty was shown to the IDG News Service by a source close to people directly involved in the talks, who asked to remain anonymous. Although it was drawn up last October, it is the most recent negotiating text available, according to the source. It proposes making ISPs (internet service providers) liable under civil law for the content their subscribers upload or download using their networks. To avoid being sued by a record company or Hollywood studio for illegally distributing copyright-protected content, the ISP would have to prove that it took action to prevent the copyright abuse, according to the text, and a footnote gives an example of the sort of policy ISPs would need to adopt to avoid being sued by content owners: "An example of such a policy is providing for the termination in appropriate circumstances of subscriptions and accounts in the service provider's system or network of repeat offenders," the text states. Terminating someone's subscription is the graduated response enacted in France last year that sparked widespread controversy. The French law is dubbed the "Three Strikes" law because French ISPs must give repeat file sharers two warnings before cutting off their connection. Other countries in Europe are considering similar legal measures to crack down on illegal file-sharing. However, EU-wide laws waive ISPs' liability for the content of messages and files distributed over their networks. European Commission officials involved in negotiating ACTA on behalf of the EU insist that the text being discussed doesn't contradict existing EU laws. "There is flexibility in the European system.
Some countries apply judicial solutions (to the problem of illegal file-sharing), others find technical solutions," said an official on condition he wasn't named. He said the EU doesn't want to make a "three strikes" rule obligatory through the ACTA treaty. "Graduated response is one of many methods of dealing with the problem of illegal file-sharing," he said. He also admitted that some in the Commission are uncomfortable about the lack of transparency in the ACTA negotiations. "The fact that the text is not public creates suspicion. We are discussing internally whether the negotiating documents should be released," he said, but added that even if it was agreed in Brussels that the documents should be made public, such a move would require the approval of the EU's 10 ACTA negotiating partners. The participating countries are the US, the E.U., Canada, Mexico, Australia, New Zealand, South Korea, Singapore, Jordan, Morocco and the United Arab Emirates. In a separate leak that first appeared on blogs last week, the European Commission updated members of the European Parliament on the most recent face-to-face meeting between the signatory countries, which took place in Mexico at the end of last month. According to that leak, the internet chapter of the treaty was discussed, but no changes to the position suggested by the US last fall were agreed. "The internet chapter was discussed for the first time on the basis of comments provided by most parties to US proposal. The second half of the text (technological protection measures) was not discussed due to lack of time," the memo said, adding: "Discussions still focus on clarification of different technical concepts, therefore, there was not much progress in terms of common text. The US and the EU agreed to make presentations of their own systems at the next round, to clarify issues." The Commission official refused to comment on the content of the leaked documents. 
The next meeting of ACTA negotiators will take place in New Zealand in April.
From rforno at infowarrior.org Mon Feb 22 12:21:54 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 22 Feb 2010 07:21:54 -0500 Subject: [Infowarrior] - GCHQ: Cyber attacks will 'catastrophically' spook public Message-ID: <8859AB20-419E-493B-9719-6540617358DD@infowarrior.org> Original URL: http://www.theregister.co.uk/2010/02/22/csoc_report/ Cyber attacks will 'catastrophically' spook public, warns GCHQ Cheltenham spies 'cyber arms race' By Chris Williams Posted in Enterprise Security, 22nd February 2010 12:02 GMT Exclusive A digital attack against the UK causing even minor damage would have a "catastrophic" effect on public confidence in the government, GCHQ has privately warned Whitehall. The Cheltenham spy agency's new Cyber Security Operations Centre (CSOC) makes the prediction in a document prepared for Cabinet Office and seen by The Register. Growing reliance on the internet to deliver public services will "quickly reach a point of no return", meaning "any interruption of broadband access becomes intolerable and will have serious impacts on the economy and public well being", CSOC says. "A successful cyber attack against public services would have a catastrophic impact on public confidence in the government, even if the actual damage caused by the attack were minimal," it adds. The warning forms part of a preliminary "horizon scanning" report produced by the new unit, which is scheduled to begin operations next month. Its job will be to continually monitor internet security, producing intelligence on botnets, denial of service attacks and other digital threats to national security. CSOC was established by last summer's Cyber Security Strategy.
With an initial staff of 19 and funded from GCHQ's budget of hundreds of millions of pounds, it reports to the equally nascent Office of Cyber Security within the Cabinet Office, which coordinates digital national security policy across Whitehall. Most cyber attacks are likely to remain difficult to trace to official sources, the report explains, citing the denial of service attacks on Georgia as Russia's army invaded in 2008. This year GCHQ's close US counterpart, the National Security Agency (NSA), has been called in to investigate attacks on Google's GMail service apparently from inside China. "An internationally agreed definition of cyber warfare will remain elusive, with state actors making increasing use of hired criminals and 'hacktivists' to carry out deniable cyber attacks on their behalf," CSOC predicts. The official British view casts ongoing talks (http://www.nytimes.com/2009/12/13/science/13cyber.html) between the US and Russia - aimed at fostering cooperation between states on internet security and agreeing ground rules - in a pessimistic light. "States are likely to increasingly see the cyber domain as an area in which to wage war... it is difficult to see international agreement on what acts are and are not acceptable in a cyber war being achieved within five years," CSOC says. "Even if regulation of this kind was to emerge, it is likely that it would make little difference. "The increasing sophistication of criminal cyber tools and the availability of cheap, fast broadband will mean that states are able to achieve their aims by hiring criminal botnets to carry out DDOS or other attacks on their enemies' infrastructure." Cyber arms race Government eavesdroppers also face a secret "cyber arms race" to develop quantum cryptography technology, according to GCHQ.
"In the next 5 to 10 years, states are likely to engage in a cyber arms race for quantum cryptanalysis, which would enable the users to crack any encryption within a very short space of time, and for quantum cryptography, which would prevent secure communications from being intercepted," it said. Quantum computers would be able to test every possible cipher for a traditionally-encrypted message very quickly. Meanwhile a quantum-encrypted message would be impossible to intercept because just by observing it the eavesdropper would destroy it. GCHQ - the descendant of the UK's famous World War Two codebreaking effort at Bletchley Park - is responsible for intercepting foreign communications and for trying to ensure government communications are not intercepted. Without directly referring to its own work on quantum cryptography, it said the revolution the technology would spark in both areas remains out of reach. "It is unlikely that any state actor will have been able to put quantum systems into operation by 2015, although some state actors may have basic quantum computing capabilities by 2020," CSOC says. The NSA is said to be investing heavily in quantum computing. The predictions in CSOC's report have served as the basis of a series of classified and unclassified meetings with industry and academics hosted by the Office of Cyber Security in recent weeks. Officials plan to feed the results of the meetings into policy, including whether and how the UK should develop offensive capabilities online.
From rforno at infowarrior.org Mon Feb 22 15:45:56 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 22 Feb 2010 10:45:56 -0500 Subject: [Infowarrior] - EU privacy czar against ACTA Message-ID: <2DD10175-11D9-45C6-8828-FF7A652A68B1@infowarrior.org> EU Data Protection Supervisor Warns Against ACTA, Calls 3 Strikes Disproportionate Monday February 22, 2010 http://www.michaelgeist.ca/content/view/4809/125/ Peter Hustinx, the European Data Protection Supervisor, has issued a 20-page opinion expressing concern about ACTA. The opinion is a must-read and points to the prospect of other privacy commissioners speaking out. Moreover, with the French HADOPI three strikes law currently held up by its data protection commissioner, it raises questions about whether that law will pass muster under French privacy rules. Given the secrecy associated with the process, the opinion addresses possible outcomes based on the information currently available. The opinion focuses on three key issues: three strikes legislation, cross-border data sharing as part of enforcement initiatives, and transparency. Three Strikes On three strikes, the opinion begins by noting the privacy implications: Such practices are highly invasive in the individuals' private sphere. They entail the generalised monitoring of Internet users' activities, including perfectly lawful ones. They affect millions of law-abiding Internet users, including many children and adolescents. They are carried out by private parties, not by law enforcement authorities. Moreover, nowadays, Internet plays a central role in almost all aspects of modern life, thus, the effects of disconnecting Internet access may be enormous, cutting individuals off from work, culture, eGovernment applications, etc.
The opinion then assesses three strikes within the context of European data protection law, concluding that it is a disproportionate measure: Although the EDPS acknowledges the importance of enforcing intellectual property rights, he takes the view that a three strikes Internet disconnection policy as currently known - involving certain elements of general application - constitutes a disproportionate measure and can therefore not be considered as a necessary measure. The EDPS is furthermore convinced that alternative, less intrusive solutions exist or that the envisaged policies can be performed in a less intrusive manner or with a more limited scope. Also on a more detailed legal level the three strikes approach poses problems. Among the specific problems, Hustinx concludes that the benefits simply don't outweigh the costs: The EDPS is not convinced that the benefits of the measures outweigh the impact on the fundamental rights of individuals. The protection of copyright is an interest of right holders and of society. However, the limitations on the fundamental rights do not seem justified, if one balances the gravity of the interference, i.e. the scale of the privacy intrusion as highlighted by the above elements, with the expected benefits, deterring the infringement of intellectual property rights involving - for a great part - small scale intellectual property infringements. Data Sharing The opinion also considers the privacy implications of data sharing arrangements facilitated by ACTA for enforcement purposes: It can be questioned first whether data transfers to third countries in the context of ACTA are legitimate. The relevance of adopting measures at international level in that field can be questioned as long as there is no agreement within the EU member states over the harmonisation of enforcement measures in the digital environment and the types of criminal sanctions to be applied. 
In view of the above, it appears that the principles of necessity and proportionality of the data transfers under ACTA would be more easily met if the agreement was expressly limited to fighting the most serious IPR infringement offences, instead of allowing for bulk data transfers relating to any suspicions of IPR infringements. This will require defining precisely the scope of what constitutes the 'most serious IPR infringement offences' for which data transfers may occur. The opinion follows this with detailed recommendations on how ACTA can facilitate sharing of information and ensure appropriate privacy safeguards. Transparency Hustinx is direct and to the point on the issue of transparency: The EDPS strongly encourages the European Commission to establish a public and transparent dialogue on ACTA, possibly by means of a public consultation, which would also help ensuring that the measures to be adopted are compliant with EU privacy and data protection law requirements.
From rforno at infowarrior.org Mon Feb 22 23:34:47 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 22 Feb 2010 18:34:47 -0500 Subject: [Infowarrior] - Citigroup may restrict bank withdrawals Message-ID: Update: Citigroup Says Feds Ordered 7 Day Restriction On Bank Withdrawals Announcement stokes fears of old fashioned bank runs if economy takes a turn for the worse http://www.prisonplanet.com/citigroup-warns-customers-it-may-refuse-to-allow-withdrawals.html Paul Joseph Watson Prison Planet.com Monday, February 22, 2010 A new advisory being sent by America's third largest bank to its account holders has stoked fears that major financial institutions could be preparing for old fashioned bank runs if the economy takes a turn for the worse. Originally reported by John Carney over at the Business Insider website, Citigroup is sending the following information to customers along with their bank statements.
"Effective April 1, 2010, we reserve the right to require (7) days advance notice before permitting a withdrawal from all checking accounts. While we do not currently exercise this right and have not exercised it in the past, we are required by law to notify you of this change." An almost identical advisory to the one being sent out can be read on page 22 of Citibank's Client Manual effective January 1, 2010, which can be read here from Citibank's own website. "We reserve the right to require seven (7) days advance notice before permitting a withdrawal from all checking, savings and money market accounts. We currently do not exercise this right and have not exercised it in the past," states the manual. According to the Future of Capitalism blog, Citigroup originally claimed that the warning was only sent nationwide as a result of a mistake, but that the measures do apply to account holders in Texas. However, in a statement, Citigroup confirmed that they had reserved the right to impose the new 7 day rule on all account holders nationwide, but claimed they had no plans to enforce it. The bank stated that they had been forced to enact the new policy as a result of federal regulations. "When Citibank moved to unlimited FDIC coverage in 2009, we had to reclassify many checking accounts to allow for immediate withdrawals in order to ensure all customers qualified for the additional coverage. When we moved back to standard FDIC coverage with most major banks in 2010, Citibank decided to reclassify those accounts back to make them eligible again for promotional incentives. To do so, Federal Reserve Reg D requires these accounts, called NOW accounts, to reserve the right to require a 7-day notice of withdrawal. We recently communicated this technical requirement to our customers. However, we have never exercised this right and have no plans to do so in the future," reads a statement released by the bank.
Over the last 18 months, numerous rumors of bank runs, "bank holidays," and limitations on access to cash at ATM's have been floating around. Citigroup's new policy to restrict withdrawals won't do anything to calm such fears. As we reported back in 2008, the Federal Deposit Insurance Corp., which guarantees individual accounts up to $100,000, only has about $50 billion to "insure" about $1 trillion in assets across the nation's financial institutions. This revelation prompted fears that an accelerating amount of bank closures could absorb FDIC funds and leave holders of money market and traditional savings accounts expos
From rforno at infowarrior.org Tue Feb 23 02:53:52 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 22 Feb 2010 21:53:52 -0500 Subject: [Infowarrior] - Who runs cyber policy? Message-ID: Who runs cyber policy? Posted By Josh Rogin Monday, February 22, 2010 http://thecable.foreignpolicy.com/posts/2010/02/22/who_runs_cyber_policy Whether it's Chinese hackers breaking into the Gmail accounts of leading dissidents, or Russian hackers sniffing around the Pentagon, the cyber wars are heating up. Barack Obama entered office vowing to wage them more effectively than ever before. "From now on, our digital infrastructure -- the networks and computers we depend on every day -- will be treated as they should be: as a strategic national asset," Obama said in May, "Protecting this infrastructure will be a national security priority." So, is the United States finally getting its act together? The short answer is yes, but there's much more to be done, and the Obama administration's first-year efforts have been undermined by infighting, sudden resignations, and some confusion about who is doing what. The administration has vastly increased the resources dedicated to cyber security, completed a full internal review, and moved to reform the bureaucracy.
But there are still large gaps between the level of the threat and the government capability to meet it, as the actors inside the system jostle for positioning and power. "This administration has paid more attention to the problem than any preceding administration, but they're just at the starting point so we'll have to see how it all fits together," said James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies. Any discussion of Obama-era cyber policy has to begin with the Defense Department, the part of government with the most resources, the most vulnerable assets, and the most power and influence over the issue. Leading that effort politically is Deputy Secretary Bill Lynn, who is not well known as a "cyber guy" but has taken a personal interest in the issue and is extremely active. As the most senior government person with direct involvement, he gives DoD top cover and profile, and is also heavily involved in the creation of DoD's new Cyber Command, which will be based at Fort Meade, the home of the National Security Agency, and is expected to open soon. Lt. Gen. Keith Alexander, the head of the NSA, will lead the Cyber Command, assuming he gets confirmed by the Senate. When that happens, almost all of DoD's cyber resources will fall under his purview, greatly increasing the already hefty cyber portfolio he had at NSA, which houses the government's most secret cyber warriors, the guys who go on offense against international threats. Also crucial to mention is Gen. James Cartwright, the vice chairman of the Joint Chiefs of Staff and former commander of Strategic Command, where many cyber attacks are defended. Cartwright has been talking about what he calls the "dysfunctional" U.S. approach to cyber security for years and he's regarded as a smart, independent, and important voice inside the Pentagon.
The non-military networks, which DoD doesn't control, fall to the Homeland Security Department, which has had a rough time on cyber policy in its first years. When DHS's cyber czar Rod Beckstrom resigned last March after only a year, he blamed the NSA in his resignation letter for not cooperating with him and seeking to hoard the issue inside DoD. DHS is also supposed to be forging the relationships between the government and private corporations to share info on cyber attacks. That initiative is led by Deputy Under Secretary Phil Reitenger, who works under Rand Beers and is aided by former Office of Management and Budget official Bruce McConnell and Rear Adm. Mike Brown. Outsiders lament that Reitenger, a former Microsoft executive, has announced no real policy on the issue and few public-private partnerships exist. Google is working on cooperation with the NSA, but some observers believe companies are wary of linking with DHS because that department is so dependent on contractors, which might be sharing intel with their competitors. McConnell provides DHS with a valuable link back to OMB, a link the DHS folks will need if they plan to fund their expansion of cyber efforts, which could include 1,000 new cyber personnel. Brown, who is expected to move at some point over to the new Cyber Command, is credited with greatly improving the management of the effort at DHS but is not really a policy guy, per se. Over at the White House, the president finally named Howard Schmidt as the new cyber coordinator in December after reportedly offering the position to over two dozen people who turned it down. Schmidt, the holder of two degrees from the University of Phoenix, is said to have lobbied hard for the job. Bush holdover Melissa Hathaway, who led the Obama administration's review, had been expected for the role, but quit the administration shortly after the review came out.
Insiders said that Hathaway had personality clashes both with her staff and with the administration, leading them to tell her she would not be appointed, which prompted her resignation. "She talked herself out of the job by fighting with everyone," one insider said. One Bush-era holdover who is still on the job is Schmidt's deputy Chris Painter, who was acting coordinator after Hathaway left. A former Los Angeles criminal prosecutor, Painter became famous when he brought down notorious cyber hacker turned consultant Kevin Mitnick. Painter also worked at the Justice Department, giving him a great sense of the legal issues involved in cyber security. Painter's other claim to fame is his work with a cyber official everyone praises, the FBI's Sean Henry. The pair took the initiative to build bilateral agreements with a host of countries to allow cooperation on investigating and prosecuting cyber crimes. Henry is also said to have brought the FBI's cyber operation into the 21st century and was recently promoted to head up the FBI's Washington field office. Other notable Obama-era cyber officials include Vivek Kundra, the Federal Chief Information Officer, Robert "Bear" Bryant, the cyber counterintelligence guru who runs the Office of the National Counterintelligence Executive, Chief of Naval Operations Adm. Gary Roughead, who leads a nation-wide cyber recruiting effort, and the State Department's Chief Information and Security Officer John Streufert, who is credited with reducing cyber risk by moving State towards a paperless cyber system so that files could b

From rforno at infowarrior.org Tue Feb 23 12:32:40 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 23 Feb 2010 07:32:40 -0500 Subject: [Infowarrior] - Wall Street's Bailout Hustle Message-ID: <8C12564B-C5FE-4098-9D64-BF7EA081AA45@infowarrior.org> Wall Street's Bailout Hustle MATT TAIBBI Posted Feb 17, 2010 5:57 AM Wall Street's Bailout Hustle Goldman Sachs and other big banks aren't just pocketing the trillions we gave them to rescue the economy - they're re-creating the conditions for another crash... < big snip > URL: http://www.rollingstone.com/politics/story/32255149/wall_streets_bailout_hustle

From rforno at infowarrior.org Tue Feb 23 13:57:55 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 23 Feb 2010 08:57:55 -0500 Subject: [Infowarrior] - Secret AIG Document Shows Goldman Sachs Minted Most Toxic CDOs Message-ID: Secret AIG Document Shows Goldman Sachs Minted Most Toxic CDOs By Richard Teitelbaum http://www.bloomberg.com/apps/news?pid=20601087&sid=ax3yON_uNe7I# Feb. 23 (Bloomberg) -- When a congressional panel convened a hearing on the government rescue of American International Group Inc. in January, the public scolding of Treasury Secretary Timothy F. Geithner got the most attention. Lawmakers said the former head of the New York Federal Reserve Bank had presided over a backdoor bailout of Wall Street firms and a coverup. Geithner countered that he had acted properly to avert the collapse of the financial system. A potentially more important development slipped by with less notice, Bloomberg Markets reports in its April issue.
Representative Darrell Issa, the ranking Republican on the House Committee on Oversight and Government Reform, placed into the hearing record a five-page document itemizing the mortgage securities on which banks such as Goldman Sachs Group Inc. and Societe Generale SA had bought $62.1 billion in credit-default swaps from AIG. These were the deals that pushed the insurer to the brink of insolvency -- and were eventually paid in full at taxpayer expense. The New York Fed, which secretly engineered the bailout, prevented the full publication of the document for more than a year, even when AIG wanted it released. That lack of disclosure shows how the government has obstructed a proper accounting of what went wrong in the financial crisis, author and former investment banker William Cohan says. "This secrecy is one more example of how the whole bailout has been done in such a slithering manner," says Cohan, who wrote "House of Cards" (Doubleday, 2009), about the unraveling of Bear Stearns Cos. "There's been no accountability." CDOs Identified The document Issa made public cuts to the heart of the controversy over the September 2008 AIG rescue by identifying specific securities, known as collateralized-debt obligations, that had been insured with the company. The banks holding the credit-default swaps, a type of derivative, collected collateral as the insurer was downgraded and the CDOs tumbled in value. The public can now see for the first time how poorly the securities performed, with losses exceeding 75 percent of their notional value in some cases. Compounding this, the document and Bloomberg data demonstrate that the banks that bought the swaps from AIG are mostly the same firms that underwrote the CDOs in the first place.
The banks should have to explain how they managed to buy protection from AIG primarily on securities that fell so sharply in value, says Daniel Calacci, a former swaps trader and marketer who's now a structured-finance consultant in Warren, New Jersey. In some cases, banks also owned mortgage lenders, and they should be challenged to explain whether they gained any insider knowledge about the quality of the loans bundled into the CDOs, he says. "Too Uncanny" "It's almost too uncanny," Calacci says. "If these banks had insight into the underlying loans because they had relationships with banks, originators or servicers, that's at the least unethical." The identification of securities in the document, known as Schedule A, and data compiled by Bloomberg show that Goldman Sachs underwrote $17.2 billion of the $62.1 billion in CDOs that AIG insured -- more than any other investment bank. Merrill Lynch & Co., now part of Bank of America Corp., created $13.2 billion of the CDOs, and Deutsche Bank AG underwrote $9.5 billion. These tallies suggest a possible reason why the New York Fed kept so much under wraps, Professor James Cox of Duke University School of Law says: "They may have been trying to shield Goldman -- for Goldman's sake or out of macro concerns that another investment bank would be at risk." Poor Performers Goldman Sachs spokesman Michael DuVally declined to comment. Schedule A also makes possible a more complete examination of why AIG collapsed. Joseph Cassano, the former president of the AIG Financial Products unit that sold the swaps, said on a December 2007 conference call that his firm pulled back from selling swaps on U.S. subprime residential CDOs in late 2005. The list shows that the $21.2 billion in CDOs minted after 2005, mostly based on prime and commercial mortgages, performed as badly as or worse than the earlier subprime vintages. A lawyer for Cassano declined to comment.
As details of the coverup emerge, so does anger at the perceived conflicts. Philip Angelides, chairman of the Financial Crisis Inquiry Commission, at a hearing held by his panel on Jan. 13, questioned how banks could underwrite poisonous securities and then bet against them. "It sounds to me a little bit like selling a car with faulty brakes and then buying an insurance policy on the buyer of those cars," he said. "Part of the Coverup" Janet Tavakoli, founder of Tavakoli Structured Finance Inc., a Chicago-based consulting firm, says the New York Fed's secrecy has helped hide who's responsible for the worst of the disaster. "The suppression of the details in the list of counterparties was part of the coverup," she says. E-mails between Fed and AIG officials that Issa released in January show that the efforts to keep Schedule A under wraps came from the New York Fed. Revelation of the messages contributed to the heated atmosphere at the House hearing. "What date did you know there was a coverup?" Republican Congressman Brian Bilbray of California demanded of Geithner. Lawmakers used the word coverup more than a dozen times as they peppered Geithner with questions. Geithner said that he wasn't involved in matters of disclosure and that his former colleagues did the best they could. In a Jan. 19 statement, the New York Fed said, "AIG at all times remained responsible for complying with its disclosure requirements under the securities laws." The government has committed more than $182 billion to AIG and owns almost 80 percent of the company. Document Withheld In late November 2008, the insurer was planning to include Schedule A in a regulatory filing -- until a lawyer for the Fed said it wasn't necessary, according to the e-mails. The document was an attachment to the agreement between AIG and Maiden Lane III, the fund that the Fed established in November 2008 to hold the CDOs after the swap contracts were settled.
AIG paid its counterparties -- the banks -- the full value of the contracts, after accounting for any collateral that had been posted, and took the devalued CDOs in exchange. As requested by the New York Fed, AIG kept the bank names out of the Dec. 24 filing and edited out a sentence that said they got full payment. The New York Fed's January 2010 statement said the sentence was deleted because AIG technically paid slightly less than 100 cents on the dollar. Paid in Full Before the New York Fed ordered AIG to pay the banks in full, the company was trying to negotiate to pay off the credit-default swaps at a discount or "haircut." By March 2009, responding to a request from Christopher Dodd, chairman of the Senate Committee on Banking, Housing and Urban Affairs, AIG released the names of the counterparty banks. In a filing later that month, AIG included Schedule A, showing bank names while withholding all identification of the underlying CDOs and the amounts of collateral each bank had collected. The document had more than 800 redactions. In May 2009, AIG again filed Schedule A, this time with about 400 redactions. It revealed that Paris-based Societe Generale got the biggest payout from AIG, or $16.5 billion, followed by Goldman Sachs, which got $14 billion, and then Deutsche Bank and Merrill Lynch. It still kept secret the CDOs' identification and information that would show performance. "Right to Know" "This is something that belongs in the public domain because it was done with public money," Issa says. "The public has the right to know what was done with their money and who benefited from it." Now, thanks to Issa, the list is out, and specific information about AIG's unraveling can be learned from it. At the Jan. 27 hearing, the New York Fed was still arguing that the contents of Schedule A shouldn't be fully disclosed.
Thomas Baxter, the New York Fed's general counsel, testified that divulging the names of the CDOs could erode their value: "We will be hurt because traders in the market will know what we're holding." Tavakoli calls that wrong. With many CDOs, providing more information to the market will give the manager a greater chance of fetching a realistic price, she says. Jack Gutt, a spokesman for the New York Fed, declined to comment, as did AIG's Mark Herr. Bad to Worse Tavakoli also says that the poor performance of the underlying securities (which are actually specific slices or tranches of CDOs) shows they were toxic in the first place and were probably replenished with bundles of mortgages that were particularly troubled. Managers who oversee CDOs after they are created have discretion in choosing the mortgage bonds used to replenish them. "The original CDO deals were bad enough," Tavakoli says. "For some that allow reinvesting or substitution, any reasonable professional would ask why these assets were being traded into the portfolio. The Schedule A shows that we should be investigating these deals." Among the CDOs on Schedule A with notional values of more than $1 billion, the worst performer was a tranche identified as Davis Square Funding Ltd.'s DVSQ 2006-6A CP. It was held by Societe Generale, underwritten by Goldman Sachs and managed by TCW Group Inc., a Los Angeles-based unit of SocGen, according to Bloomberg data. It lost 77.7 percent of its value -- though it isn't in default and continues to pay. SocGen spokesman James Galvin and TCW spokeswoman Erin Freeman declined to comment. Documentation Needed Ed Grebeck, CEO of Tempus Advisors, a global debt market strategy firm in Stamford, Connecticut, agrees that more digging is necessary. "You need all the documentation and more than that, all the e-mails," he says. "That would allow us to understand what went wrong and how to fix it going forward."
Neil Barofsky, the special inspector general for the Troubled Asset Relief Program, who delivered a report on the AIG bailout in November, says he's not finished. He has begun a probe of why his office wasn't provided all of the 250,000 pages of documents, including e-mails and phone logs, that Issa's committee received from the New York Fed. Schedule A provides some answers -- and raises questions that need to be tackled to avoid the next expensive bailout. To contact the reporter on this story: Richard Teitelbaum in New York at rteitelbaum1 at bloomberg.net Last Updated: February 23, 2010 00:01 EST

From rforno at infowarrior.org Tue Feb 23 14:01:59 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 23 Feb 2010 09:01:59 -0500 Subject: [Infowarrior] - Hurdles Hinder Counterterrorism Center Message-ID: <53615889-6614-432D-8E28-87716AAEE8E8@infowarrior.org> Hurdles Hinder Counterterrorism Center By ERIC SCHMITT and THOM SHANKER http://www.nytimes.com/2010/02/23/us/politics/23center.html?hp=&pagewanted=print WASHINGTON -- The nation's main counterterrorism center, created in response to the intelligence failures in the years before Sept. 11, is struggling because of flawed staffing and internal cultural clashes, according to a new study financed by Congress. The result, the study concludes, is a lack of coordination and communication among the agencies that are supposed to take the lead in planning the fight against terrorism, including the C.I.A. and the State Department. The findings come just weeks after the National Counterterrorism Center was criticized for missing clear warning signs that a 23-year-old Nigerian man was said to be plotting to blow up a Detroit-bound commercial airliner on Dec. 25. The counterterrorism center's mission is to gather information from across the government, pull it all together and assess terrorist threats facing the United States, then develop a plan for the government to combat them.
But the new report found that the center's planning arm did not have enough authority to do its main job of coordinating the White House's counterterrorism priorities. The center's planning operation is supposed to be staffed by representatives of various agencies, but not all of them send their best and brightest, the report said. It also cited examples in which the C.I.A. and the State Department did not even participate in some plans developed by the center that were later criticized for lacking important insights those agencies could offer. As a result, the center's planning arm "has been forced to develop national plans without the expertise of some of the most important players," the report determined. The counterterrorism center was part of the overhaul of the government after Sept. 11, including the creation of the director of national intelligence. Now, years after the attacks, the entire reorganization is coming under scrutiny, raising fundamental questions about who is in charge of the nation's counterterrorism policy and its execution. "The fluid nature of modern terrorism necessitates an agile and integrated response," the report concluded. "Yet our national security system is organized along functional lines (diplomatic, military, intelligence, law enforcement, etc.) with weak and cumbersome integrating mechanisms across these functions." The 196-page report is the result of an eight-month study by the Project on National Security Reform, a nonpartisan research and policy organization in Washington. It was financed by Congress and draws on more than 60 interviews with current and former government and Congressional officials, including nearly a dozen officials at the counterterrorism center. The study is scheduled to be made public this week. The authors provided a copy to The New York Times. The center noted in a statement on Monday that the study found the center had "made progress"
in linking national policy with operations, adding that the report's recommendations "provide an extremely thoughtful and useful critique of how counterterrorism actions are or are not fully synchronized across the U.S. government." The report found that the center's planning arm struggled with "systemic impediments" like overlapping statutes, culture clashes with different agencies and tensions with two formidable players: the State Department's counterterrorism office and the C.I.A. Under President Obama, the report determined, counterterrorism issues have become more decentralized within the National Security Council's different directorates, leaving the counterterrorism center's planning arm to collect and catalog policies and operations going on at the C.I.A., the Pentagon and the Departments of State and Homeland Security, rather than help shape overall government strategy. The planning arm has not yet figured out good ways to measure the effectiveness of the steps the government is taking against extremists. "The basic but fundamental question remains unanswered: How is the United States doing in its attempt to counter terrorism?" the report concluded. And the study is critical of Congress for failing to create committees that cut across national security issues. The planning arm "lacks a champion in either chamber of Congress," the report found. Since the counterterrorism center was created in 2004, its planning arm has been largely focused on a comprehensive review to assign counterterrorism roles and responsibilities to each federal agency, producing then revising a document called the National Implementation Plan. But pointedly, the counterterrorism center does not direct any specific operations.
Since the completion of that longer-term project, the study's authors found that the center's 100-person planning arm had become more involved in immediate counterterrorism issues: working on various classified projects involving Afghanistan, Pakistan, Yemen and threats to the United States at home. The study called on Mr. Obama to issue an executive order to define the nation's counterterrorism architecture in order to address some of the problems and improve coordination. It also recommended giving the center's director, currently Michael E. Leiter, a say in the choice of counterterrorism officials at other federal agencies, a step the 9/11 Commission had recommended but was not adopted. The report was directed by Robert S. Kravinsky, a Pentagon planner on assignment to the group, and James R. Locher III, a former Pentagon official and senior Congressional aide who is the group's president. Until they joined the administration, Gen. James L. Jones, Mr. Obama's national security adviser, and Dennis C. Blair, the director of national intelligence, were members of the group's board of advisers, which now includes Newt Gingrich, the former House speaker, and Brent Scowcroft, the national security adviser to the first President Bush.

From rforno at infowarrior.org Tue Feb 23 15:32:43 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 23 Feb 2010 10:32:43 -0500 Subject: [Infowarrior] - An Interview With Howard Schmidt Message-ID: <7E2393A0-A04F-42B5-B5F3-60816AC96B0A@infowarrior.org> An Interview With Howard Schmidt By Dennis Fisher Created 02/22/2010 - 11:50am http://threatpost.com/en_us/print/3375 In this podcast interview, done before Schmidt was appointed to the Obama administration, Dennis Fisher talks with Schmidt about his career and what the priorities should be for the cybersecurity czar.
Dennis Fisher: My guest today is my friend, Howard Schmidt, who has had one of the more varied and interesting careers in the security industry over the last few decades. Howard spent some time at both the FBI and as a supervisory special agent in the Air Force's Office of Special Investigations, where he helped create the government's first computer forensics lab. He also served as a CSO at Microsoft, where he helped establish the company's Trustworthy Computing group. But the most important roles for the purposes of what we're gonna talk about today is Howard's time as vice-chair and later, chair, of the President's Critical Infrastructure Protection Board and his work with the Department of Homeland Security. Sorry I couldn't give you a better introduction than that, Howard. That's all I had for you. Howard Schmidt: Well, Dennis thanks. I appreciate that. Dennis Fisher: I left out about half of what you've done, but we can point people to your bio later. I don't have time to read it all. Howard Schmidt: No problem at all. Dennis Fisher: All right, so the timing of this is good, I think. I've been trying to get you on for about a month, but you travel about 99 percent of your life. We're recording this the day before we're supposed to hear from the president on whether there's gonna be a new cybersecurity czar position created, get the details of the 60-day review of federal cybersecurity, and maybe even name somebody to the cybersecurity job. I'm not sure about that part. You served in a similar position as we're hearing what this is gonna be, during the Bush administration, so you're the right guy to ask this question of. Do you think there is a definitive need for a single leader on this issue, whatever the job title turns out to be? Howard Schmidt: Well, as far as having a single leader in this area, I think we need to have a single strategy. Now that's not necessarily saying that responsibility lies with one person, but it's like a football team.
You'd have to have a quarterback, and in this case, someone who is going to coordinate the activities that are so multifaceted. I'm sure we'll get to that in a few moments. Having someone sit there and make sure that things are progressing as they should is very beneficial. Now whether that sits in the White House or one of the other departments is -- people have pros and cons against all aspects of it, but I think the essence of having a leadership role that does coordination and ensures that things are being executed as planned, is something, I think, is long overdue. Dennis Fisher: And does that role -- you mentioned the White House or whether it's in some other federal agency, it's been at DHS for a long time now -- does that role need to be operational or should it just be a supervisory role, like you said, to coordinate activities among the federal agencies? Howard Schmidt: Well, clearly, it's a White House position and the White House is not operational. The White House is about policy and the whole executive branch in that respect, so in that case, it would be more of a coordinating role and a policy establishment role. This is one of the things that really makes this challenging, because there are so many different aspects of this. Clearly, when it comes to security of government systems, we've seen changes over FISMA the past few years. We've seen some really good moves by the Office of Management and Budget in the past, taking forward some things that really need to be done on secure desktop configurations and things that should help the government agencies, themselves, become more secure. But this whole issue about cybersecurity and critical infrastructure protection and the fact that, early on, the president declared that the information critical infrastructure is a critical national asset. That puts it in a different perspective than just keeping the government systems secure, which, obviously, this position has got to go beyond that. Dennis Fisher: Right.
Yeah, that elevates it to another level within the country's infrastructure and it seems like that position needs to have some real authority behind it, whether it's statutory authority or it's just organizational authority, as in whoever it turns out to be is a member of the National Security Council and reports directly up the chain to the president. That was the case when you had the position; it was part of the White House. Do you think that's the best spot for it in the government org chart right now? Howard Schmidt: Well, I think a lot of it depends on the person as well, because when you start looking at placement of a position that is so broad -- for example, a lot of people -- I mentioned a few minutes ago that I've been doing a series of executive luncheon briefings around the world recently and the question that comes up often is, "What is a skill set?" Well, when you start breaking this down into what are the key areas, clearly, you've got a defense, from the Department of Defense role that people really have to understand and be able to work with. There's an intelligence role that goes from an economic espionage, all the way up to a state intelligence issue. You've got a private sector component in there, and particularly, with the economic world that we're in today, we have to do more, but also not break the bank in doing it, because we do have some instability issues on the economic front and, basically, this plays a lot into everything from online ecommerce to expenditure funds for updating and creating new ICT systems.
Add on the top of that the cybercrime or the law enforcement perspective, not only the federal level, but state and local and international level and then one other layer on top of that, when you look at the international component of the ICT systems and all the interdependencies we've had with countries and, in many cases, are our friends and allies, but in other cases, that also have access to the same resources that are not basically doing things in our best interest. So when you start looking at the person, the ability to understand that broad swath of things, to be able to take input from different areas, analyze that input and make decisions that are gonna help facilitate the people that have the operational responsibility; that's gonna be a really interesting skill set to try to pull out of this. Dennis Fisher: Right, and that's something I wanted to get to, too. You just described a very comprehensive set of skills that this person needs to have. It's gonna be pretty tough to find one person with that broad range of skills. How do you prioritize if you can't find the one person who has all of that? What do you really look for in terms -- is it more important that that person have good relationships throughout the security community and government as well, or is it more important to have a technical background? How do you go about finding that? Howard Schmidt: I think, like anything else, and it's funny, because one of the things you always hear from a management versus a technology perspective is the technology folks often say, "You really have to understand the technology to be able to manage this." And on the other hand, you have the management school folks who say, "Listen, a good manager can manage anything." I think in this case, it comes somewhere in between. I think you can find people with a balance of technical understanding of security, because one of the biggest fears that some of us have had, and I'll give you a real live example --
years and years in the past, we used to struggle to convince management that information security or cybersecurity, whatever you want to call it, was a priority and was a business imperative. So what happened is -- and this happened to me personally -- I finally convinced one of the other vice presidents that this was a big issue, and then three or four times a day, I would get an email that says, "Oh, there's a new virus that came out today. What's being done about this?" So it got to the point where there was such a heightened level of sensitivity, there wasn't any practical application of what's really a risk and what's not a risk. So it was a consequence, in this case, having some understanding of it, but also, in a measured way that you understand that not every new virus, not every web defacement is a crisis that's gonna affect billions of dollars or people's homes losing electricity or airplanes falling out of the sky, to really understand that this is important, but understand it in a measured manner, so it's done in a risk-practical perspective. At the same token, having the organizational skills to go ahead and be somewhat of a diplomat, sit there with people with competing equities, people of organizations that have different priorities by nature of their mission that's assigned to them or because of their personal understanding, to be able to sit there and get everybody pulling the same direction and doing so to the benefits, the government in the first case. When you start looking at the prioritization, I think one of the things that's important is understand about what it takes to secure government systems first and foremost, because those are the ones that the government has direct control over. The second thing is the ability to understand that international framework -- what are the agreements that we have for using IP-based and net protocol-based technologies worldwide? What are the capabilities?
There's been a discussion in one of the recent bills about having the poison pill or the kill pill or a kill switch, whatever you want to call it, that says to be able to shut people off. Well, you should be thinking about that without thinking about all the unintended consequences of that, not only from a financial perspective, but also just from an international relationship perspective. So that's got to be another one of the high priorities to look at. So I'd say if you're looking to stack rank them, you look at the ability to understand securing government systems from a technology, as well as a policy perspective, as well as the international framework. Those are things that I think are pretty healthy.

Dennis Fisher: Okay, and there are some good people within the government who have been working on those issues, using the government's purchasing power to put some pressure on vendors, like Microsoft and Oracle and others, to really come up with some more secure applications, some more secure configurations for government systems in the past few years. Do you see that being expanded in the near future as the Obama administration really takes hold of this issue?

Howard Schmidt: I absolutely do, and I'm glad you brought up the good people out there, because right now, one of the limitations has not been the quality of the people, but the support and the resources they have available to them. As I look at people who have been doing the job in the government, particularly since I left, or people that, I think, as you're aware, I'm still a computer crime investigator with the Army Reserves at the Criminal Investigation Division at Fort Belvoir. When I look at the folks there, they eat, live, breathe and sleep this, everything from network investigations to vulnerability assessments to forensics stuff.
These are hard-working, dedicated people that are working as hard as they can, using every resource they've got available to them, but unfortunately, the resources have not been there in the past. There's been this faulted idea that everything else is a -- this is a priority, but everything else is a bigger priority. I think we finally realized, and I think there's probably a good track to say, "Yeah, this is a good opportunity to have multiple priorities across different things, whether it's physical security, whether it's antiterrorism, all these other things. We can do more than one thing at a time." So by giving the dedicated people that are in government now the resources to do it, we can go a long way to help, indeed, reduce the risk that we have of having any dramatic effect from attacks on our systems.

Dennis Fisher: Okay. You mentioned cybercrime just there and a little earlier. We've heard a lot from the administration about cybersecurity, in general, which, I think, everybody takes to mean locking down the critical infrastructure, defending the country's networks, that sort of thing. We haven't heard as much, at least publicly, about better cybercrime laws, more cooperation with international authorities, that sort of thing. What are your thoughts on the state of things right now, in terms of cybercrime investigations and prosecutions and where things should go?

Howard Schmidt: Well, that's one of the, I think, good news stories we've had. We've got a guy over at the FBI, at the deputy director level, Shawn Henry, that has grown up in the ranks as a computer crime investigator, a good manager, a good executive that's leading that effort over there. We're starting to see a lot of the international things, the G8 subcommittee on cybercrime. I was just back over with the Council of Europe on the Council of Europe's Cybercrime Treaty. We're getting a lot more visibility in that.
As a matter of fact, that meeting over there a couple months ago, I think was the fifth annual meeting and, clearly, there were hundreds and hundreds of people there, ranging from Nigeria to Canada to the U.K. So there was a tremendous amount of support from the international perspective. The challenge, though, we have in the law enforcement perspective is, once again, there's way too much of the criminal activity going on for anybody to deal with. I try to translate that into my previous life, working in gang investigations and drug cases and stuff, and it seemed like there was never an end to this. But in our case, in particular, in the cybercrime area, while there are way too many cases for law enforcement, internationally, to be able to deal with, there is a light at the end of the tunnel, and that's us doing a better job securing these systems for people not becoming a victim of credit card fraud, identity theft, hacking, intellectual property theft -- you name the litany of things. By using some good protection techniques, we can actually start to reduce that. We've seen some pieces of that take place. I'll talk about that in a moment. But we can start reducing some of the criminal activity and then once you start reducing that, then the limited resources we have in law enforcement, which are better trained and better equipped than they've ever been in the past, then they can focus on the most egregious offenders, which really sends a message through the criminal community that says, "Yeah, you're not always gonna get away with this," like people seem to think they can now.

Dennis Fisher: Yeah, everybody does seem to have that impression that this is a very low-risk criminal activity. It's not breaking into cars or even running drugs. It's pretty low-risk when you look at the number of prosecutions we see, especially in the U.S. compared to the amount of crime that's going on out there.
Howard Schmidt: That's correct, and the interesting piece about it is it doesn't necessarily have to be off the scale. In other words, there is a question that I'll ask some audiences that I speak to once in a while. At the most recent one, there were 150-200 people in the audience, and I asked how many of them would report it to the police if someone stole $1.00 from them or $5.00 or $10.00. People didn't start raising their hand until you got to $50.00 or $100.00. That's what the criminals depend on. So instead of stealing $10,000.00 from someone, they'll steal $1.00 from 10,000 people, with the concept that they still get the end result. The criminals still get $10,000.00, but nobody is going to go crying about it. And that's how a lot of them will fundamentally work.

Dennis Fisher: Right, and it's working pretty well for them.

Howard Schmidt: Correct.

Dennis Fisher: At least up until now, yeah. Okay, let me get your thoughts on this. I wrote a column yesterday making the case that the first priority for the new cybersecurity czar, whatever the job turns out to be, should be building a strong relationship with the key people and organizations in the private sector to bring that bond back. Why has that been such a difficult task in the past for the people who have had that job?

Howard Schmidt: Well, I don't think it's been a difficult task unto itself, but what happens, people keep moving the deck chairs around all the time. Once you have a relationship established with someone, it takes a while to build up trust, whether it's government to private, private to government, government to government or private to private. It takes time to build up those relationships. Then when you have people moving out every year or two, then you're rearranging things, which is one of the things that I think when you start looking at that heavily overused term of "private/public partnerships,"
when you start looking at this sort of a thing, I think a lot in the private sector said, "Listen, we're not gonna sit around waiting for government to do something. We've got to do things on our own." That's why you see a lot of the activity going on, Microsoft with their End to End Trust program, Oracle, with some of the security programs they've got. You see a lot of private industry critical infrastructure owners and operators saying, "Well, we get the message. We understand that we've got to do things differently. We're gonna put a higher priority on security." Some of it's based on just pure overarching governance requirements. Others are then looking at issues about, "Okay, well, now I've got to be compliant, whether it's PCI, whether I've got to do some of these other things." But there is a tremendous amount of effort within private industry, just to become more secure and on top of it, customers are demanding it. So as a consequence, when you start looking at that public/private relationship that's been going on, I think there's less of a dependency on private sector looking to the government for leadership, than I think there ever has been in the past, because I think private industry gets it and, like I said, with the changing people, not knowing who to talk to from one day to the next, industry says, "Well, we're gonna go and make things happen on our own."

Dennis Fisher: Yeah, and they've been doing that to a large degree, but it still seems to me that the vast majority -- not vast majority, but the large portion of the expertise in cybersecurity lies in the private sector. So doesn't it benefit both sides if there's a strong relationship there and they can communicate openly about, "Okay, we're seeing this threat inside government networks. Have you guys seen this before? What have you done about it? How should we go about defending against it?"
Howard Schmidt: Yeah, and I think to some level, you're correct that there's a greater level of expertise in private industry, but that's at a different level. I'll give you an example. Within the government now and one of the really great programs that has been established is the Scholarship for Service Program. Another one, CyberCorps, is one of the terms, a joint effort between NSA and National Science Foundation and Homeland Security to make sure that we have the next generation of information security or cybersecurity experts going through the universities now in dedicated courses in information security and information assurance. I forget, but close to, if not over, 100 universities participate in that. When their students graduate, they go into the government right away. Now some of the universities that I teach at, such as Georgia Tech and Idaho State University, are Scholarship for Service programs; as soon as they get done, they're going in government, fairly high-level positions as security experts. So the expertise is there on a technical level and, once again, as their careers move on, you'll start seeing some balance in there of those that have, in private sector, which not only have the technical competence, but also have the management and leadership competencies. You'll start to see that in government as these scholarship students are working their way through the government ranks.

Dennis Fisher: Yeah, I love that idea. I think it's terrific. It's a great program. But how long do you expect or how many of those graduates do you expect to stay in government service for the long term?

Howard Schmidt: It's an excellent question. I remember a few years ago, I was testifying up on the Hill and one of the congressmen asked me that very question, "We get these people to come in. They spend some period of time in the government, but obviously, the money's better in the outside.
The work elements, oftentimes, were better, so as a consequence, how do you retain these people?" My response, basically, to you is as it was to him at that point. I don't think it's necessarily bad for them to come in and spend two years, four years or six years. There are gonna be some people that are just civil service oriented, if you would, that like public service and will stay there through their entire career, which is good for the longevity of those in that business, but on the same token, we start looking at the interdependencies between the private critical infrastructure and the government's systems. I really like the concept that somebody spends a few years working for the Department of Defense or working for the FBI or working for Homeland Security, gets the understanding of the criticality of this and then comes back and transfers that into the private sector. I think that makes both the private industry and public service or public sector much stronger. So I think it's a good thing to have that cross-fertilization and having been a participant myself most of my career, I find that to be particularly rewarding, because it gives you a lot of different perspectives that you wouldn't have staying in one sector or another.

Dennis Fisher: Yeah, that's a great point. And the other thing I would guess is that if you're one of these kids who goes and spends four or five years in government service and then goes to work in the industry, all of a sudden, you've got this big network of contacts inside the government who you can talk to when you have a problem or they can call you when they have something that they need to talk to you about.

Howard Schmidt: You're absolutely correct, and that's one of the things that when you start looking at where the rubber meets the road and where things really get done.
We can have all the greatest policies in the world and all the committees and all these other things, but when you have an individual in either government or private sector, pick up the phone and call someone that they went to university with, that they've worked with in government or private sectors, and says, "Hey, I'm seeing this really anomalous activity on this particular port. Are you guys seeing that?" "Yeah, we are." Well, that solves problems and that's what this is all about.

Dennis Fisher: Yeah, and you would know this having spent a lot of time in law enforcement. That's how things get done in the law enforcement community.

Howard Schmidt: Absolutely correct.

Dennis Fisher: There's some guy that you worked with once at the FBI and you know you can call him and say, "Listen, we have this problem. Can you help?"

Howard Schmidt: Absolutely correct. And those are lifelong relationships, too. They aren't something that just because this person is no longer in this particular job, you no longer have access to them. By the way, one of the things, and just changing the topic just a little bit, when you start looking at some of the social networking tools that are out there today, people oftentimes think about, "Oh, yeah, these are college students doing this," or "My granddaughter is doing these things." Well, those same resources are available to all of us, from security, private sector, public sector, law enforcement, and we use them all the time. There's not a week that goes by that there's not a former colleague either in private sector or government or law enforcement that doesn't pop up and say, "Hey, I saw your profile here. I want to make sure we're connected." And the next thing you know, I may get a call, "By the way, I'm working this case. What do you know about this?" Those things make it even better as far as the longevity and the ability to stay in contact.

Dennis Fisher: Yeah, I completely agree.
Let me ask you about the ISACs, because you were involved in the beginning of the IT-ISAC. How active are the ISACs, in general, right now, and do you think that there is a need to maybe not replace them, but reinvigorate them at this point?

Howard Schmidt: It's a really good point, because the ISACs, in the very beginning, were born, I think, in a lot of cases, and I can speak for the IT-ISAC, when we founded that, it was based on a recommendation that government people or private sector organize amongst ourselves, not necessarily share information with the government, which was desirable, but to share information with each other. That, once again, established some longtime formal bonds between, often, in many cases, competitors in this space, to bring this to the table, to share information and do that. So I think for the most part, and we have some ups and downs in any organization you might imagine, but for the most part, that has become institutionalized, that no longer will you see something new hit the horizon that takes everyone by surprise, except for one company, because people are inclined to share with each other. By the same token, I think what has happened now is there are so many people that are paying attention to cybersecurity, critical infrastructure protection, that there is this underlying feeling that, "I know how to do this already. I don't need to be a part of a bigger organization." So when you talk about trying to bring up the example of ISACs, that's one of the things to show, that there is much, much greater strength in numbers than people going it alone. I think that's one of the things that could be helped to be emphasized. The other thing is making sure that the information is relevant. That's one of the things that I think many of us would challenge today and for lack of a better word, I'll call it "information overload." New vulnerability pops up. A new question about something pops up.
I'm getting an email from 10 or 12 different sources in one day, whether it's serv, whether it's some sort of a listserv that I'm on, whether it's through an ISAC publication, InfraGard. There are a lot of sources of information out there now that are circulating, which we didn't have back in the days when we used to form the ISACs. We didn't have that public communication that was out there, so as a consequence, trying to consolidate that through the ISACs would be very helpful to make it relevant and timely. Once again, I was recently talking with somebody and we were lamenting the fact that some of the recent things you hear or you get a piece of correspondence from some -- in this case, we were talking about a particular government agency -- that we got the communication from the government agency three days after CNN had fully covered it. So these are the sort of things, keeping it active and vibrant. It's got to be timely and relevant to what people's needs are.

Dennis Fisher: Right. Yeah, that's a great point. Getting back to the critical infrastructure piece of this for a minute, we always hear that the majority of the critical infrastructure is owned by the private sector in various forms. How much of a role do you think the government should have in helping to secure that part of the infrastructure, whether it's through just help in providing resources and expertise or through regulation and mandates?

Howard Schmidt: I think for the first and probably the most important part is that government has got to help assess what really is important and what's not important. An example I like to use -- I live on a remote mountain about 30 miles east of Seattle. Because of the nature of the west coast and the weather and stuff, we wind up losing power up here at least a half a dozen or so times through the course of the winter. So to me, critical infrastructure means a generator and enough gas to last me for a day or two.
But then you start going into the city down here, which is less than 30,000 population, you start looking at that, well, that takes a whole different picture when power is out for a few days, because people can't go grocery shopping. They can't get fuel. As recently as a couple years ago, in order to get a mobile phone signal, you had to drive for an hour north of here, because the towers were out, because the power was out. They used up all the fuel with their backup generators, so we started to lose that aspect of it. So it takes a different component, but I think the government's key role is to assess what the risks are. Once the risks have been identified, what are the capabilities that private sector has to respond to these things? What I've seen, particularly during my time at the White House, you look in the aftermath of September 11th, with a telecom company, their ability to go out there and recreate an infrastructure, get the stock market back up and running in a relatively short period of time, to have telecommunications available for mobile phones and stuff. That was just phenomenal. So it's clear that some sectors are quite prepared and probably more so than the government, in some cases, to be able to deal with these sort of things. But there should be an assessment and a baseline expectation that during whatever the incident may be, here's what we have the ability to respond to. Now once that determination is met, where that is, then it's up to the government to decide, "Is that sufficient for us to do public safety and the protection of people and property?" Now if that delta is above what the private sector capabilities are, then the government has to make a couple of decisions. One, how do we get it to the level we need it to get?
Will it, indeed, create some sort of incentive where we give private sector or provide some funding to private sector to develop the extra capabilities, or is it the type of thing where we encourage private sector to do it as part of a business plan where as they increase resources out to a certain segment of the population, something they would do automatically? And then the other aspect of that, once we move forward, what role should government start to look at regulation if, indeed, the market can't do what it needs to do?

Dennis Fisher: Do you find that the industries, think about, maybe, utilities, power companies, water companies; do they resent the government getting involved in what they're trying to do in terms of securing their own networks?

Howard Schmidt: I don't know that I'd say "resent." I think there's concern. More than one person has told me, "How can the government tell me what to do when they can't even secure their own stuff?" Then you start getting into -- and many people don't realize that there is not the one power company that looks after the entire country. There's not the one water treatment facility. We're talking about literally thousands and thousands of these organizations of all different levels. Some local water cooperative here where I'm at may be just a few hundred homes in a subdivision and it's run by a water cooperative there. So all these things are not made the same. Also, not only are they not made the same, but various government entities have regulatory controls over them at the very local public utilities commission, within a particular town, village, city or county. So when you start looking at how do we deal with this, how do we wind up dealing -- and competitive, because some of these things, of course, are for-profit organizations?
How do we wind up getting the information needed by government to identify if resources are enough without impacting the proprietary and, oftentimes, competitive things that these companies need to do? I wouldn't say they resent it. What they oftentimes don't care for is what they feel might be intrusive in their ability to run their business the way they need to run it, to do the same job the government wants them to do anyway and that's provide the critical infrastructure that people need.

Dennis Fisher: Yeah, that's true. You mentioned that there's literally a network of thousands of these cooperatives and small companies all over North America, really, running the utilities. One small mistake or one small incident at one of these could have a cascading effect, as we saw with that blackout in the Northeast about three or four years ago now that affected New York.

Howard Schmidt: And therein lies the key issue when you start looking at the assessment by the government, and I don't know that we've done this good yet. We've talked about it from the days I was in the government, and that's sort of identifying what are the critical interdependencies that one would have? A classic example is, and I'll use this region up here in the Pacific Northwest, where we have Mt. Rainier, which the experts say that's still an active volcano, that at some point, that could go like Mount St. Helens did 20-some odd years ago. It's also been discovered that we are pretty much sitting on two different, if not more, earthquake faults in the region. Being we're on the west coast, we're subject to tsunamis. We have tsunami routes put all over the place, and notwithstanding, just the normal battering of storms coming in off the Alaska gulf affecting this region. So as a consequence, when you start looking at that whole piece of aspect, you look at local businesses that sit there and say, "Okay, part of my business continuity plan or my disaster recovery plan for my data centers,"
which are populated all over the Puget Sound area, here in the Pacific Northwest, if we should have an earthquake and our data center becomes a smoking hole in the ground and we're critical, how do we end up recovering from that? Well, oftentimes, the resources they have contracted are the ones that the business down the highway also contracted with, so it gets to a matter when you need a thousand servers and there's only 500 available, and there are 20 people asking for those thousand, how do you prioritize that? That's one of the things that government can help, if you would, negotiate, if you would, to make sure that those things that are necessary for public safety and health and safety are being dealt with first and then also, not ripping out the underpinnings of our economic infrastructure, because somebody has a higher priority. It's a tough balance to do.

Dennis Fisher: Yeah, it's got to be. Sure. All right, so you were involved in the original national strategy to secure cyberspace, which is several years old now. You're also involved in the recent CSIS report on cybersecurity for the Obama administration. There are a lot of similarities between the two documents, both in terms of the recommendations, as well as the people involved, honestly. Why do you think that so many of the original recommendations in that national strategy, which everybody seems to think are very valid recommendations, still, sort of fell by the wayside and didn't gain traction the way everybody hoped they would?

Howard Schmidt: Once again, I think it's a loss of focus. It's one of the things I've asked. There's also another undertaking, a really good effort by GAO, looking at this issue and a bunch of us, and once again, probably the same people went and talked with them.
My question, and it continues to be, if you take the original National Strategy to Secure Cyberspace from February 14th, of 2003, and look at that and look at the components of that, every one of those is still valid: education and training, vulnerability reduction, situational awareness and response capabilities. All those things are there, but what happened is we never focused on executing on all those things and going through and saying, "Yes, this is done. This is in progress," and therein lies us into another position where we are with the recent report and many, many other reports that basically reaffirm the same thing we said back in 2002-2003, but what we've not done is build the mechanism and provide the resources to actually execute on getting those things done.

Dennis Fisher: Not to turn this into a political discussion, but how much of that do you think has to do with the fact that a lot of the same resources at DHS and the Department of Defense that might have been involved in that kind of effort, have been dedicated to supporting the two wars that we've had going on, essentially since that report came out just about the same time?

Howard Schmidt: Clearly, when you start looking at an issue of prioritization, when people start looking at bombs going off in someone's backyard as opposed to they can't connect to the internet, I think there's a clear decision on which way people are gonna go on that. But once again, that goes back to my earlier comment that I truly believe that we have the capacity and we have the resources to multitask in this vein to say, yes, we can put the resources we need to put into protecting people against kinetic things, such as bombs and biochem hazards and things of this nature, while at that same time, we can put the resources necessary to fixing some of the cybersecurity issues. Once again, many of us held and still continue to hold that it doesn't require ripping out an infrastructure and rebuilding things.
It requires a few things from a current perspective, like just doing what needs to be done, making sure you're doing vulnerability management, making sure that your users are not clicking on things that they shouldn't be, things that are just basically 101 security for those of us in the business. We still have not institutionalized the process to keep those things happening. On the same token, you mentioned earlier about the vulnerabilities and things, we should be building an infrastructure that, at some point, we're not gonna be running a piece of computer software on anything that has not totally had a 360 degree vulnerability assessment, doing source code analysis on the front end, doing black box and white box testing on implementation, doing constant implementation and testing once it's integrated into the enterprise, but we've not done that either; we've just sort of continued to move on with, "Okay, we'll fix this one, then we'll move on to fix the next thing," as opposed to looking at this from a very proactive perspective as, "We don't want to let these bad things happen."

Dennis Fisher: All right, so to wrap all this up, if we get together and do this again, say, a year from now, what would you hope that the cybersecurity advisor, assuming we have one sometime soon, will have accomplished in that time? Are there two or three top priorities that you'd really like to see checked off the list?

Howard Schmidt: Clearly, I think there is one on the government side that the government systems, indeed, there is a definite implementation of better security procedures across the government.
It goes from two-factor authentication to vulnerability assessment and management and risk management, clearly, across the breadth of the government, from the defense side, all the way down to some of the civilian agencies to make sure that that is fully implemented and that we can have trust and reliance on the government systems, not only that they're operational, but they're also free from being affected by new nation states or any other rogue country that's looking to do us harm. The second thing is to have a clear assessment of where private industry is on its capability to prevent and, if necessary, recover from any sort of an incident that we may have, whether it's a widespread distributed denial-of-service attack or it's some sort of a zero-day vulnerability that we might have to recover from. The third thing is clearly having a forward path to make sure that we don't relive the sins of the past the way we roll out infrastructure, "Let's build it, let's get it out there and we'll fix it later on." That's not the right way to do things. We have to have a clear path going forward to make sure that we're implementing all the solutions, both of hardware and software, where, once again, we're not putting things out there with vulnerabilities, that we're making an investment in the professionals that are running and operating these systems, that we're investing in the training of those that are actually designing, engineering and building these systems and then we have an operational path to make sure that once we come up with a secure system that we wind up being able to maintain it that way. And all those things we do, while still preserving privacy, while still preserving all the rich capabilities that technology gives us today, that's what I'd like to see done.

Dennis Fisher: That's a pretty good list. Honestly, I'd probably be happy with one of those in the next year, but if we could get all of them, that would be fantastic.
Howard Schmidt: Yeah, I think we can, because I think those are things that would be done in parallel with each other and I think getting this done right, I think we can do it. Dennis Fisher: All right. Howard thanks so much for your time. I really appreciate it and I?d love to have you on again in a few months down the road when maybe we have a little better perspective of what?s going on in D.C. Howard Schmidt: Always good to talk with you. It?s my pleasure. From rforno at infowarrior.org Tue Feb 23 15:39:46 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 23 Feb 2010 10:39:46 -0500 Subject: [Infowarrior] - Redefining privacy in the era of personal genomics Message-ID: <9B80DD57-37FD-4589-BB10-61C233C1C255@infowarrior.org> Redefining privacy in the era of personal genomics By Yun Xie | Last updated February 23, 2010 6:41 AM http://arstechnica.com/science/news/2010/02/dna-data-sharing-a-privacy-conundrum.ars DNA, the storage bank of genetic information for all living organisms, is challenging scientists and policy makers to reconsider the issue of privacy. With the completion of the human genome and advancements in DNA sequencing technologies, a person?s DNA can potentially be tested for risks related to a number of genetic diseases. This progress is promising for personalized medicine, but ethical and policy issues are coming to the forefront as well. After all, can DNA data ever be truly private and anonymous when DNA itself can also act as a unique identifier? At the 2010 AAAS conference in San Diego, a panel of experts criticized current policies and offered solutions to the ethical issues associated with DNA identifiability. 
Joel Wu, a research fellow at the Mayo Clinic, moderated a discussion among four panelists: Brad Malin (professor of biomedical informatics at Vanderbilt University), Sharon Terry (president and CEO of Genetic Alliance), Barbara Koenig (professor of biomedical ethics at the Mayo Clinic), and Ellen Clayton (professor of genetics and health policy at Vanderbilt University). Wu opened up the symposium by stressing the point that "genomic research needs data access to large data banks of DNA from volunteers, but data sharing becomes a question of public trust." In order for scientists to continue gathering and sharing DNA data, the public must trust the process enough to volunteer for studies. If privacy protection becomes compromised, research won't continue to move forward. Thus, Wu states that "the goal is to create a balance between genomic research and privacy protection. The goal is to find balance between data access and public trust."

Criticisms of the Current System

The panelists propose that the current policies fail to adequately protect volunteers for genomic research, making the balance impossible to achieve. A key problem, according to Wu, is that "DNA and DNA data cannot be truly de-identified, so common interpretations of privacy do not apply." Currently, there is no definitive, legal definition of DNA as data that contains identification information. Koenig pointed out that "administrative units within the US Department of Health and Human Services articulate inconsistent positions of DNA and DNA data." The panel argued that the first step of protecting DNA data is to define it as ID information.

Furthermore, current research protocols for volunteers are rather misleading when it comes to genomic research. For example, participants normally sign informed consent forms, but Wu posited that "meaningful informed consent is elusive, as there is unspecific future use for DNA data," so current informed consent forms provide "untenable promises of privacy and confidentiality." Both Wu and Koenig acknowledged the lack of regulatory frameworks for reviewing the ethics, expertise, authority, and jurisdiction of facilities that collect and share DNA data. Koenig summarized it by saying, "Science is dynamic, and we almost can't keep track of the speed of progress, but we have a stale ethical system that's decades old."

A Realistic Look at Identifiability

Before we can reasonably tackle the deficiencies of existing policies, we need to know some technical facts about DNA identification. Malin stated that the adage "we fear what we don't understand" applies to genomic research. He said that "uniqueness is not sufficient for identification," meaning "just having DNA is not going to tell you who it is. There needs to be a linking mechanism between de-identified DNA and identified data." The linking mechanism can be a forensics team, life science researchers, paternity companies, or anyone who swipes a tissue sample from you. Nevertheless, for you to be linked to your genomic data in some database, a person already has to know who you are.

What can your DNA data reveal? Malin listed demographics, familial history, clinical features, and life patterns among information that is commonly linked with DNA in databases. That may seem revealing, but Malin pointed out that most of that information can be gathered far more simply and by cheaper means than DNA analysis. He demonstrated that, as he put it, "demographic data is pretty much available through public means." It is fairly easy to figure out an average person's sex, race, age, employment status, location, and income from the Internet, phone books, or public records. As for familial history, he showed examples from unrestricted sources like obituaries that gave detailed information about a person's family. People can also be identified based on shared clinical diagnosis codes, and people's habits like hospital visitation patterns are also vulnerable to data miners. None of this requires the help of DNA databases.

Overall, privacy concerns are not unique to genomic research, as there are so many ways to breach an individual's privacy. But one factor that makes DNA data special is its potential as an indicator for disease risks and possibly other characteristics, such as intelligence. To prevent companies and governments from exploiting DNA data, the panelists agreed that there needs to be a new governance system.

Proposals for Improvement

In creating a new governance system, Clayton warned that "we need to pay attention to the enormous pressure of data sharing. Once data gets to a researcher, it has to be shared." Thus, it is impractical to simply outlaw data sharing. Malin suggested three key steps: threat modeling, access control, and disclosure control. First, it is important to fully comprehend the negative impact of the illicit disclosure of DNA data. Second, employees must be vetted and required to sign a data use agreement. In addition, an operations advisory board or institutional review board should only grant access to employees on a project-specific basis. Third, a board should not give away all the information.

The third point relates to modifying the data before it is shared. For example, there is no need to be completely specific in saving clinical data: instead of saying a man broke his left big toe, it's often equally useful to just say he has a broken toe. It is also possible to package the DNA data differently. Malin proposed perturbing the sequence of DNA to generalize the data, while allowing it to retain the necessary information for most forms of analysis. People have also developed algorithms to unlink patient data from their identity.
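One way to put the third step, disclosure control by generalizing the data before it leaves the board, into working code. This is an added example and not part of the Ars Technica article or the panel's own work; the fictitious patient records, the decade and ZIP-prefix bucketing rules, and the required k of 3 are all assumptions chosen for illustration. The quasi-identifiers are the fields Malin says an outsider can already get from public records (age, ZIP code, sex); the clinical field is coarsened the way the article describes ("toe fracture" rather than which toe); and the release check refuses a table in which any combination of the public fields describes fewer than k people. It also reports how many distinct diagnoses remain inside each group, because a group whose members all share one diagnosis still discloses it to anyone who can place a person in that group, which is the caveat a reviewer would want to see next to the k value.

```python
# Constructed, fictitious records for illustration only (not real patients).
# "age", "zip" and "sex" are the quasi-identifiers; "diagnosis" is the sensitive field.
RAW_RECORDS = [
    {"age": 34, "zip": "37203", "sex": "M", "diagnosis": "fracture, left great toe"},
    {"age": 37, "zip": "37209", "sex": "M", "diagnosis": "fracture, right little toe"},
    {"age": 31, "zip": "37201", "sex": "M", "diagnosis": "fracture, right great toe"},
    {"age": 52, "zip": "37215", "sex": "F", "diagnosis": "type 2 diabetes"},
    {"age": 58, "zip": "37212", "sex": "F", "diagnosis": "type 1 diabetes"},
    {"age": 55, "zip": "37219", "sex": "F", "diagnosis": "gestational diabetes"},
]

QUASI_IDENTIFIERS = ("age", "zip", "sex")


def generalize(record):
    """Coarsen one record: age to a decade, ZIP to its 3-digit prefix, and the
    diagnosis to a category ("toe fracture" instead of which toe was broken).
    The bucketing rules are an assumption made for this example."""
    decade = record["age"] // 10 * 10
    diagnosis = record["diagnosis"]
    if "fracture" in diagnosis and "toe" in diagnosis:
        diagnosis = "toe fracture"
    elif "diabetes" in diagnosis:
        diagnosis = "diabetes"
    return {
        "age": f"{decade}-{decade + 9}",
        "zip": record["zip"][:3] + "**",
        "sex": record["sex"],
        "diagnosis": diagnosis,
    }


def qi_groups(records, qi=QUASI_IDENTIFIERS):
    """Group records by their quasi-identifier tuple."""
    groups = {}
    for r in records:
        groups.setdefault(tuple(r[key] for key in qi), []).append(r)
    return groups


def k_anonymity(records, qi=QUASI_IDENTIFIERS):
    """Size of the smallest quasi-identifier group: the k of k-anonymity.
    k == 1 means at least one person is unique on public-record fields alone."""
    return min(len(g) for g in qi_groups(records, qi).values())


def min_diversity(records, sensitive, qi=QUASI_IDENTIFIERS):
    """Fewest distinct sensitive values in any group (the l of l-diversity).
    l == 1 means placing someone in a group already reveals the sensitive value."""
    return min(len({r[sensitive] for r in g}) for g in qi_groups(records, qi).values())


def release(records, k_required=3):
    """Disclosure control: hand out the generalized table only if every
    quasi-identifier group has at least k_required members."""
    generalized = [generalize(r) for r in records]
    k = k_anonymity(generalized)
    if k < k_required:
        raise ValueError(f"table is only {k}-anonymous; generalize further before sharing")
    return generalized


if __name__ == "__main__":
    print("raw table k =", k_anonymity(RAW_RECORDS))
    table = release(RAW_RECORDS)
    print("released table k =", k_anonymity(table),
          "min diagnoses per group =", min_diversity(table, "diagnosis"))
    for row in table:
        print(row)
```

On the raw table every person is unique on age, ZIP and sex alone (k = 1), which is exactly the linkage Malin describes. After generalization the table is 3-anonymous, but each group carries a single diagnosis category, so the release still tells anyone who knows a 30-something man from a 372xx ZIP that he had a toe fracture; a real board would require more diversity in the sensitive field or generalize it differently.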
Koenig and Clayton both stressed the importance of ethical overview and developing an adequate punishment system for breaches of privacy. Besides losing funding (the typical current disciplinary action), Clayton suggested something stronger. "People at Vanderbilt get fired for privacy infringement. We have real punch."

The panelists were articulate and informative in revealing the pitfalls of current policies, and they provided outlines to address some of the problems. Yet, it is still difficult to imagine what a robust system of governance would look like. Concrete details were elusive and, when one considers that DNA identification is a multinational issue (other countries are also collecting and sharing genomic data), perhaps the only certainty is that the present system of regulations is insufficient.

From rforno at infowarrior.org Tue Feb 23 17:56:21 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 23 Feb 2010 12:56:21 -0500
Subject: [Infowarrior] - Locating Hidden URLs = "Hacking"
Message-ID: <3AD1D329-FA18-4E5B-ADC2-C0CF165B2CC1@infowarrior.org>

Another win for security-through-obscurity!!!!!

Minister, a monkey could have 'hacked' secret transport site
MATTHEW MOORE
February 23, 2010 - 5:11PM

The government site they didn't want you to see ... all a reader had to do was type http://nswtransportblueprint.com.au/project into their computer's address bar and tap 'enter'. Some hack.

You know a government is in trouble when it starts accusing aging Sydney Morning Herald hacks like me and my colleague Andrew West of engaging in high level cyber crime. And yet, in his first day in Parliament since announcing on the weekend details of the government's transport blueprint, the only question from the Labor benches to Transport Minister Dave Campbell concerned a fanciful claim the Herald had somehow hacked a top secret website to reveal the plan early.

Campbell said that by accessing a website where the plan was available, the Herald had done the equivalent of "pick the lock off a secure office and take highly confidential documents". He went further and said the campaign to crack the site had been so determined there had been "3727 hits on the firewall of the website from four different IP addresses" last Thursday and Friday and the contractor in charge of the site, IT private, had referred the matter to the police. Really?

< - >

http://www.smh.com.au/nsw/minister-a--monkey-could-have-hacked--secret-transport-site-20100223-p085.html

From rforno at infowarrior.org Tue Feb 23 23:21:51 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 23 Feb 2010 18:21:51 -0500
Subject: [Infowarrior] - Olympics: Thou Shalt Not Tweet (Without Paying Up
Message-ID:

Olympics: Thou Shalt Not Tweet (Without Paying Up)
from the the-gold-medal-in-stupidity-goes-to... dept
http://techdirt.com/articles/20100223/1031018270.shtml

Every time you think that the Olympics can't get more ridiculous with its attempts to abuse trademark law to control its name, they go one step further into ridiculousness. Following the threat to goggle maker UVEX for mentioning skier and gold medalist Lindsey Vonn on its website, the US Olympic Committee is threatening Red Bull and Verizon for daring to tweet about the Olympics without first paying up. I'm not kidding. Both companies showed some basic Olympic spirit with some simple tweets, supporting some winning athletes. Here's Red Bull's "offending" twitter message:

We're rooting for you @LindseyVonn @Shaun_White @GregBretzz and @Drahlves in the 2010 Winter #Olympics!

And Verizon's:

Who are the REAL American Idols? Shaun White, Lindsey Vaughn & Shani Davis draw more viewers than American Idol

Seriously. And the US Olympics straight-faced response? "When people partake in this kind of ambush behavior, it hurts American athletes." Yes. Two simple tweets from companies cheering on successful Olympians are considered "ambush behavior" that "hurts American athletes." Apparently, these threats from the Olympics worked on at least Red Bull who pulled its Twitter message supporting the athletes. This goes beyond the typical abuse of trademark law to ridiculous levels. While Verizon hasn't yet pulled its post, I would hope that it will stand up for basic free speech rights that say the Olympics has no right to tell it what it can and cannot tweet in support of the games.

From rforno at infowarrior.org Wed Feb 24 02:24:47 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 23 Feb 2010 21:24:47 -0500
Subject: [Infowarrior] - Avoiding a Digital Dark Age
Message-ID: <5FA02118-1CF4-42A7-8F0A-026B9D7F4F27@infowarrior.org>

http://www.americanscientist.org/issues/id.8795,y.2010,no.3,content.true,page.1,css.print/issue.aspx

Avoiding a Digital Dark Age
Data longevity depends on both the storage medium and the ability to decipher the information
Kurt D. Bollacker

When I was a boy, I discovered a magnetic reel-to-reel audio tape recorder that my father had used to create "audio letters" to my mother while he was serving in the Vietnam War. To my delight (and his horror), I could listen to many of the old tapes he had made a decade before. Even better, I could make recordings myself and listen to them. However, all of my father's tapes were decaying to some degree: flaking, stretching and breaking when played. It was clear that these tapes would not last forever, so I copied a few of them to new cassette tapes. While playing back the cassettes, I noticed that some of the sound quality was lost in the copying process. I wondered how many times I could make a copy before there was nothing left but a murky hiss.

A decade later in the 1980s I was in high school making backups of the hard drive of my PC onto 5¼-inch floppy disks. I thought that because digital copies were "perfect,"
and I could make perfect copies of perfect copies, I couldn't lose my data, except by accident. I continued to believe that until years later in college, when I tried to restore my backup of 70 floppy disks onto a new PC. To my dismay, I discovered that I had lost the floppy disk containing the backup program itself, and thus could not restore my data. Some investigation revealed that the company that made the software had long since gone out of business. Requests on electronic bulletin board systems and searches on Usenet turned up nothing useful. Although all of the data on them may have survived, my disks were useless because of the proprietary encoding scheme used by my backup program. The Dead Sea scrolls, made out of still-readable parchment and papyrus, are believed to have been created more than 2,000 years ago. Yet my barely 10-year-old digital floppy disks were essentially lost. I was furious! How had the shiny new world of digital data, which I had been taught was so superior to the old "analog" world, failed me? I wondered: Had I simply misplaced my faith, or was I missing something?

Over the course of the 20th century and into the 21st, an increasing proportion of the information we create and use has been in the form of digital data. Many (most?) of us have given up writing messages on paper, instead adopting electronic formats, and have exchanged film-based photographic cameras for digital ones. Will those precious family photographs and letters (that is, email messages) created today survive for future generations, or will they suffer a sad fate like my backup floppy disks? It seems unavoidable that most of the data in our future will be digital, so it behooves us to understand how to manage and preserve digital data so we can avoid what some have called the "digital dark age." This is the idea (or fear!) that if we cannot learn to explicitly save our digital data, we will lose that data and, with it, the record that future generations might use to remember and understand us.

Save Our Bits!

The general problem of data preservation is twofold. The first matter is preservation of the data itself: The physical media on which data are written must be preserved, and this media must continue to accurately hold the data that are entrusted to it. This problem is the same for analog and digital media, but unless we are careful, digital media can be more fragile.

The second part of the equation is the comprehensibility of the data. Even if the storage medium survives perfectly, it will be of no use unless we can read and understand the data on it. With most analog technologies such as photographic prints and paper text documents, one can look directly at the medium to access the information. With all digital media, a machine and software are required to read and translate the data into a human-observable and comprehensible form. If the machine or software is lost, the data are likely to be unavailable or, effectively, lost as well.

Preservation

Unlike the many venerable institutions that have for centuries refined their techniques for preserving analog data on clay, stone, ceramic or paper, we have no corresponding reservoir of historical wisdom to teach us how to save our digital data. That does not mean there is nothing to learn from the past, only that we must work a little harder to find it. We can start by briefly looking at the historical trends and advances in data representation in human history. We can also turn to nature for a few important lessons.

The earliest known human records are millennia-old physical scrapings on whatever hard materials were available. This medium was often stone, dried clay, bone, bamboo strips or even tortoise shells. These substances were very durable; indeed, some specimens have survived for more than 5,000 years. However, stone tablets were heavy and bulky, and thus not very practical. Possibly the first big advance in data representation was the invention of papyrus in Egypt about 5,500 years ago. Paper was lighter and easier to make, and it took up considerably less space. It worked so well that paper and its variants, such as parchment and vellum, served as the primary repositories for most of the world's information until the advent of the technological revolution of the 20th century.

Technology brought us photographic film, analog phonographic records, magnetic tapes and disks, optical recording, and a myriad of exotic, experimental and often short-lived data media. These technologies were able to represent data for which paper cannot easily be used (video, for example). The successful ones were also usually smaller, faster, cheaper and easier to use for their intended applications. In the last half of the 20th century, a large part of this advancement included a transition from analog to digital representations of data.

Even a brief investigation into a small sampling of information-storage media technologies throughout history quickly uncovers much dispute regarding how long a single piece of each type of media might survive. Such uncertainty cannot be settled without a time machine, but we can make reasonable guesses based on several sources of varying reliability. If we look at the time of invention, the estimated lifespan of a single piece of each type of media and the encoding method (analog or digital) for each type of data storage (see the table at right), we can see that new media types tend to have shorter lifespans than older ones, and digital types have shorter lifespans than analog ones. Why are these new media types less durable? Shouldn't technology be getting better rather than worse? This mystery clamors for a little investigation.

To better understand the nature of and differences between analog and digital data encoding, let us use the example of magnetic tape, because it is one of the oldest media that has been used in both analog and digital domains. First, let's look at the relationship between information density and data-loss risk. A standard 90-minute analog compact cassette is 0.00381 meters wide by about 129 meters long, and a typical digital audio tape (DAT) is 0.004 meters wide by 60 meters long. For audio encodings of similar quality (such as 16 bit, 44.1 kilohertz for digital, or 47.6 millimeters per second for analog), the DAT can record 500 minutes of stereo audio data per square meter of recordable surface, whereas the analog cassette can record 184 minutes per square meter. This means the DAT holds data about 2.7 times more densely than the cassette. The second table (right) gives this comparison for several common consumer audio-recording media types. Furthermore, disk technologies tend to hold data more densely than tapes, so it is no surprise that magnetic tape has all but disappeared from the consumer marketplace.

However, enhanced recording density is a double-edged sword. Assume that for each medium a square millimeter of surface is completely corrupted. Common sense tells us that media that hold more data in this square millimeter would experience more actual data loss; thus for a given amount of lost physical medium, more data will be lost from digital formats. There is a way to design digital encoding with a lower data density so as to avoid this problem, but it is not often used. Why? Cost and efficiency: It is usually cheaper to store data on digital media because of the increased density.

A possibly more important difference between digital and analog media comes from the intrinsic techniques that comprise their data representations. Analog is simply that: a physical analog of the data recorded. In the case of analog audio recordings on tape, the amplitude of the audio signal is represented as an amplitude in the magnetization of a point on the tape. If the tape is damaged, we hear a distortion, or "noise," in the signal as it is played back. In general, the worse the damage, the worse the noise, but it is a smooth transition known as graceful degradation. This is a common property of a system that exhibits fault tolerance, so that partial failure of a system does not mean total failure.

Unlike in the analog world, digital data representations do not inherently degrade gracefully, because digital encoding methods represent data as a string of binary digits ("bits"). In all digital symbol number systems, some digits are worth more than others. A common digital encoding mechanism, pulse code modulation (PCM), represents the total amplitude value of an audio signal as a binary number, so damage to a random bit causes an unpredictable amount of actual damage to the signal.

Let's use software to concoct a simulated experiment that demonstrates this difference. We will compare analog and PCM encoding responses to random damage to a theoretically perfect audiotape and playback system. The first graph in the third figure (above) shows analog and PCM representations of a single audio tone, represented as a simple sine wave. In our perfect system, the original audio source signal is identical to the analog encoding. The PCM encoding has a stepped shape showing what is known as quantization error, which results from turning a continuous analog signal into a discrete digital signal. This class of error is usually imperceptible in a well-designed system, so we will ignore it for now. For our comparison, we then randomly damage one-eighth of the simulated perfect tape so that the damaged parts have a random amplitude response. The second graph in the third figure (above) shows the effect of the damage on the analog and digital encoding schemes.
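The simulated experiment described above, written out as an added example; it is not the author's program, and the article's own graphs are not reproduced here. Everything the article leaves open is an assumption made for this code: an 8-bit offset-binary PCM word, a tape laid out as one cell per analog sample or one cell per PCM bit, a damaged cell that reads back as a uniformly random amplitude (the PCM reader thresholds it back to a bit), and a four-sample moving average as the low-pass filter. The deterministic single_bit_error function makes "some digits are worth more than others" exact: flipping the most significant bit of a word moves the sample by half the full range, flipping the least significant moves it by one quantization step. run_experiment damages one-eighth of each simulated tape and reports the RMS and peak error of the filtered playback for both schemes, measured against the same filter applied to the undamaged tone so that only the damage is counted.

```python
import math
import random

BITS = 8           # PCM word length used for the simulated tape (assumption)
N_SAMPLES = 4096   # length of the test tone in samples
PERIOD = 64        # samples per cycle of the sine wave
DAMAGE = 1 / 8     # fraction of tape cells destroyed, as in the article


def sine_tone(n=N_SAMPLES, period=PERIOD):
    """The source signal: one pure tone with amplitude in [-1, 1]."""
    return [math.sin(2 * math.pi * i / period) for i in range(n)]


def pcm_encode(value, bits=BITS):
    """Quantize a value in [-1, 1] to an offset-binary code word, MSB first."""
    levels = 1 << bits
    code = int((value + 1.0) / 2.0 * levels)
    code = max(0, min(levels - 1, code))
    return [(code >> (bits - 1 - k)) & 1 for k in range(bits)]


def pcm_decode(word):
    """Map a code word back to the midpoint of its quantization step."""
    code = 0
    for bit in word:
        code = (code << 1) | bit
    return (code + 0.5) / (1 << len(word)) * 2.0 - 1.0


def single_bit_error(value, bit, bits=BITS):
    """Playback error caused by flipping one bit (0 = MSB) of the word for value."""
    word = pcm_encode(value, bits)
    word[bit] ^= 1
    return abs(pcm_decode(word) - pcm_decode(pcm_encode(value, bits)))


def write_analog(signal):
    """Analog tape: one cell per sample, cell magnetization = signal amplitude."""
    return list(signal)


def write_pcm(signal, bits=BITS):
    """Digital tape: one cell per bit, saturated to +1 for a 1 and -1 for a 0."""
    cells = []
    for value in signal:
        cells.extend(1.0 if bit else -1.0 for bit in pcm_encode(value, bits))
    return cells


def damage_tape(cells, fraction, rng):
    """Destroy a random fraction of cells; a damaged cell reads back as a random amplitude."""
    damaged = list(cells)
    for i in rng.sample(range(len(cells)), int(len(cells) * fraction)):
        damaged[i] = rng.uniform(-1.0, 1.0)
    return damaged


def read_pcm(cells, bits=BITS):
    """Threshold each cell back to a bit, then decode word by word."""
    samples = []
    for i in range(0, len(cells), bits):
        word = [1 if cell > 0 else 0 for cell in cells[i:i + bits]]
        samples.append(pcm_decode(word))
    return samples


def low_pass(signal, window=4):
    """Moving-average low-pass filter, the simplest smoothing a playback stage might apply."""
    out, acc = [], 0.0
    for i, value in enumerate(signal):
        acc += value
        if i >= window:
            acc -= signal[i - window]
        out.append(acc / min(i + 1, window))
    return out


def error_stats(reference, reconstructed):
    """RMS and peak absolute error between two equally long signals."""
    diffs = [abs(a - b) for a, b in zip(reference, reconstructed)]
    return {"rms": math.sqrt(sum(d * d for d in diffs) / len(diffs)), "peak": max(diffs)}


def run_experiment(seed=1, bits=BITS, window=4):
    """Damage one-eighth of each simulated tape and compare the filtered playback
    with the same filter applied to the undamaged tone, so only the damage is measured."""
    rng = random.Random(seed)
    tone = sine_tone()
    clean = low_pass(tone, window)
    analog = damage_tape(write_analog(tone), DAMAGE, rng)
    pcm = read_pcm(damage_tape(write_pcm(tone, bits), DAMAGE, rng), bits)
    return {
        "quantization": error_stats(tone, read_pcm(write_pcm(tone, bits), bits)),
        "analog": error_stats(clean, low_pass(analog, window)),
        "pcm": error_stats(clean, low_pass(pcm, window)),
    }


if __name__ == "__main__":
    for name, stats in run_experiment().items():
        print(f"{name:>12}: rms={stats['rms']:.4f} peak={stats['peak']:.4f}")
```

The quantization row confirms the article's remark that this class of error is negligible (its peak is half a quantization step). The analog error is confined to the damaged cells and can never exceed the signal swing at that point, whereas a single damaged PCM cell moves its sample by anything from one step to half the full range depending on which bit it held; changing the seed, the word length or the filter window shows how the two error distributions respond to the same amount of lost tape.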
We use a common device called a low-pass filter to help minimize the effect of the damage on our simulated output. Comparing the original undamaged audio signal to the reconstructions of the damaged analog and digital signals shows that, although both the analog and digital recordings are distorted, the digital recording has wilder swings and higher error peaks than the analog one. But digital media are supposed to be better, so what's wrong here?

The answer is that analog data-encoding techniques are intrinsically more robust in cases of media damage than are naive digital-encoding schemes because of their inherent redundancy: there's more to them, because they're continuous signals. That does not mean digital encodings are worse; rather, it's just that we have to do more work to build a better system. Luckily, that is not too hard. A very common way to do this is to use a binary-number representation that does not mind if a few bits are missing or broken. One important example where this technique is used is known as an error correcting code (ECC). A commonly used ECC is the U.S. Postal Service's POSTNET (Postal Numeric Encoding Technique), which represents ZIP codes on the front of posted envelopes. In this scheme, each decimal digit is represented as five binary digits, shown as long or short printed bars (right). If any single bar for any decimal digit were missing or incorrect, the representation would still not be confused with that of any other digit. For example, in the rightmost column of the table, the middle bar for each number has been erased, yet none of the numbers is mistakable for any of the others. Although there are limits to any specific ECC, in general, any digital-encoding scheme can be made as robust as desired against random errors by choosing an appropriate ECC. This is a basic result from the field of information theory, pioneered by Claude Shannon in the middle of the 20th century.
However, whichever ECC we choose, there is an economic tradeoff: More redundancy usually means less efficiency.

Nature can also serve as a guide to the preservation of digital data. The digital data represented in the DNA of living creatures is copied into descendants, with only very rare errors when they reproduce. Bad copies (with destructive mutations) do not tend to survive. Similarly, we can copy digital data from medium to medium with very little or no error over a large number of generations. We can use easy and effective techniques to see whether a copy has errors, and if so, we can make another copy. For instance, a common error-catching program is called a checksum function: The algorithm breaks the data into binary numbers of arbitrary length and then adds them in some fashion to create a total, which can be compared to the total in the copied data. If the totals don't match, there was likely an accidental error in copying. Error-free copying is not possible with analog data: Each generation of copies is worse than the one before, as I learned from my father's reel-to-reel audiotapes.

Because any single piece of digital media tends to have a relatively short lifetime, we will have to make copies far more often than has been historically required of analog media. Like species in nature, a copy of data that is more easily "reproduced" before it dies makes the data more likely to survive. This notion of data promiscuousness is helpful in thinking about preserving our own data. As an example, compare storage on a typical PC hard drive to that of a magnetic tape. Typically, hard drives are installed in a PC and used frequently until they die or are replaced. Tapes are usually written to only a few times (often as a backup, ironically) and then placed on a shelf. If a hard drive starts to fail, the user is likely to notice and can quickly make a copy.
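The checksum-and-recopy loop the article describes, as an added example that is not from the article; the byte string and the copy chain are constructed for the demonstration. simple_sum16 is the plain "add them up" total, fletcher16 is Fletcher's checksum, which also keeps a running sum of the running sums so that byte order matters, and copy_generations copies data from one medium to the next, verifying every copy against its source and making another copy on a mismatch. The last function shows why the choice of total matters: the plain sum cannot see two blocks that were swapped in a copy. Neither checksum is a defense against a copy altered on purpose; for that a cryptographic hash (hashlib.sha256, included for comparison) is the right tool.

```python
import hashlib
import random


def simple_sum16(data):
    """The "add them up" checksum: the sum of all bytes, kept to 16 bits."""
    return sum(data) & 0xFFFF


def fletcher16(data):
    """Fletcher-16: a running sum plus a sum of the running sums, so byte order matters."""
    s1 = s2 = 0
    for byte in data:
        s1 = (s1 + byte) % 255
        s2 = (s2 + s1) % 255
    return (s2 << 8) | s1


def sha256_digest(data):
    """A cryptographic hash: the choice when a copy might have been altered on purpose."""
    return hashlib.sha256(data).digest()


def verify_copy(source, copy, checksum=fletcher16):
    """True when the copy carries the same total as its source."""
    return checksum(source) == checksum(copy)


def copy_generations(data, generations, corrupt_generation=None, seed=0, checksum=fletcher16):
    """Copy data generation after generation. Each copy is checked against the
    medium it was copied from; on a mismatch the copy is discarded and made again.
    Returns the final copy and how many copies had to be redone."""
    rng = random.Random(seed)
    current = data
    retries = 0
    for generation in range(1, generations + 1):
        copy = bytearray(current)
        if generation == corrupt_generation:
            # Simulate one single-bit read/write error on this medium (constructed fault).
            copy[rng.randrange(len(copy))] ^= 1 << rng.randrange(8)
        if not verify_copy(current, bytes(copy), checksum):
            retries += 1
            copy = bytearray(current)  # make another copy from the still-good source
        current = bytes(copy)
    return current, retries


# Constructed sample data: the same 16 bytes with the first two 4-byte blocks swapped.
ORIGINAL = b"ABCDEFGHIJKLMNOP"
SWAPPED = b"EFGHABCDIJKLMNOP"


def swap_detected(checksum):
    """Does this checksum notice that blocks were reordered in the copy?"""
    return not verify_copy(ORIGINAL, SWAPPED, checksum)


if __name__ == "__main__":
    final, redone = copy_generations(ORIGINAL, generations=10, corrupt_generation=4)
    print(final == ORIGINAL, redone)                              # True 1
    print("plain sum sees swap:", swap_detected(simple_sum16))    # False
    print("fletcher16 sees swap:", swap_detected(fletcher16))     # True
    print("sha256 sees swap:", swap_detected(sha256_digest))      # True
```

A single flipped bit changes a byte by a power of two below 255, so Fletcher-16's first sum always changes and the bad copy is caught at the generation where it happened rather than discovered years later. The plain sum catches that too, but not the reordering, which is one reason archival tools record per-file hashes rather than byte totals.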
If a tape on a shelf starts to die, there is no easy way for the user to know, so very often the data on the tape perishes silently, likely to the future disappointment of the user. Comprehensibility In the 1960s, NASA launched Lunar Orbiter 1, which took breathtaking, famous photographs of the Earth juxtaposed with the Moon. In their rush to get astronauts to the Moon, NASA engineers created a mountain of magnetic tapes containing these important digital images and other space-mission-related data. However, only a specific, rare model of tape drive made for the U.S. military could read these tapes, and at the time (the 1970s to 1980s), NASA had no interest in keeping even one compatible drive in good repair. A heroic NASA archivist kept several donated broken tape drives in her garage for two decades until she was able to gain enough public interest to find experts to repair the drives and help her recover these images. Contrast this with the opposite problem of the analog Phaistos Disk (above right), which was created some 3,500 years ago and is still in excellent physical condition. All of the data it stores (about 1,300 bits) have been preserved and are easily visible to the human eye. However, this disk shares one unfortunate characteristic with my set of 20-year-old floppy disks: No one can decipher the data on either one. The language in which the Phaistos disk was written has long since been forgotten, just like the software to read my floppies is equally irretrievable. These two examples demonstrate digital data preservation?s other challenge?comprehensibility. In order to survive, digital data must be understandable by both the machine reading them and the software interpreting them. Luckily, the short lifetime of digital media has forced us to gain some experience in solving this problem?the silver lining of the dark clouds of a looming potential digital dark age. 
There are at least two effective approaches: choosing data representation technologies wisely and creating mechanisms to reach backward in time from the future. Make Good Choices ? In order to make sure digital data can be understood in the future, ideally we should choose representations for our data for which compatible hardware and software are likely to survive as well. Like species in nature, digital formats that are able to adapt to new environments and threats will tend to survive. Nature cannot predict the future, but the mechanism of mutation creates different species with different traits, and the fittest prevail. Because we also can?t predict the future to know the best data-representation choices, we try to do as nature does. We can copy our digital data into as many different media, formats and encodings as possible and hope that some survive. Another way to make good choices is to simply follow the pack. A famous example comes from the 1970s, when two competing standards for home video recording existed: Betamax and VHS. Although Betamax, by many technical measures, was a superior standard and was introduced first, the companies supporting VHS had better business and marketing strategies and eventually won the standards war. Betamax mostly fell into disuse by the late 1980s; VHS survived until the mid-2000s. Thus if a format or media standard is in more common use, it may be a better choice than one that is rare. ? Or Fake It! Once we?ve thrown the dice on our data-representation choices, is there anything else we can do? We can hope we will not be stuck for decades, like our NASA archivist, or left with a perfectly readable but incomprehensible Phaistos disk. But what if our scattershot strategy of data representation fails, and we can?t read or understand our data with modern hardware and software? A very common approach is to fake it! 
If we have old digital media for which no compatible hardware still exists, modern devices sometimes can be substituted. For example, cheap and ubiquitous optical scanners have been commonly used to read old 80-column IBM punchcards. This output solves half of the problem, leaving us with the task of finding hardware to run the software and interpret the data that we are again able to read. In the late 1950s IBM introduced the IBM 709 computer as a replacement for the older model IBM 704. The many technical improvements in the 709 made it unable to directly run software written for the 704. Because customers did not want either to lose their investment in the old software or to forgo new technological advances, IBM sold what they called an emulator module for the 709, which allowed it to pretend to be a 704 for the purposes of running the old software. Emulation is now a common technique used to run old software on new hardware. It does, however, have a problem of recursion?what happens when there is no longer compatible hardware to run the emulator itself? Emulators can by layered like Matryoshka dolls, one running inside another running inside another. Being Practical Given all of this varied advice, what can we do to save our personal digital data? First and foremost, make regular backup copies onto easily copied media (such as hard drives) and place these copies in different locations. Try reading documents, photos and other media whenever upgrading software or hardware, and convert them to new formats as needed. Lastly, if possible, print out highly important items and store them safely?there seems to be no getting away from occasionally reverting to this ?outdated? media type. None of these steps will guarantee the data?s survival, but not taking them almost guarantees that the data will be lost, sooner or later. 
This process does seem to involve a lot more effort than my grandparents went to when shoving photos into a shoebox in the attic decades ago, but perhaps this is one of the costs for the miracles of our digital age.

If all this seems like too much work, there is one last possibility. We could revert our digital data back to an analog form and use traditional media-preservation techniques. An extreme example of this is demonstrated by the Rosetta Project, a scholarly endeavor to preserve parallel texts of all of the world's written languages. The project has created a metal disk (right) on which miniaturized versions of more than 13,000 pages of text and images have been etched using techniques similar to computer-chip lithography. It is expected that this disk could last up to 2,000 years because, physically, the disk has more in common with a stone tablet than a modern hard drive. Although this approach should work for some important data, it is much more expensive to use in the short term than almost any practical digital solution and is less capable in some cases (for example, it's not good for audio or video). Perhaps it is better thought of as a cautionary example of what our future might look like if we are not able to make the digital world in which we find ourselves remain successful over time.

Bibliography

- Balistier, Thomas. 2000. The Phaistos Disc: An Account of Its Unsolved Mystery. New York: Springer-Verlag.
- Besen, Stanley M., and Joseph Farrell. 1994. Choosing how to compete: Strategies and tactics in standardization. Journal of Economic Perspectives 8:117-131.
- Camras, Marvin. 1988. Magnetic Recording Handbook. New York: Van Nostrand Reinhold Co.
- The IBM 709 Data-Processing System. http://www-03.ibm.com/ibm/history/exhibits/mainframe/mainframe_PP709.html
- Koops, Matthias. 1800. Historical Account of the Substances Which Have Been Used to Describe Events, and to Convey Ideas, from the Earliest Date, to the Invention of Paper. London: T. Burton.
- Pohlmann, Ken C. 1985. Principles of Digital Audio, 2nd ed. Carmel, Indiana: Sams/Prentice-Hall Computer Publishing.
- The Rosetta Project. http://www.rosettaproject.org
- United States Postal Service, Domestic Mail Manual 708.4, Special Standards, Technical Specifications, Barcoding Standards for Letters and Flats.

You can find this online at http://www.americanscientist.org/issues/num2/2010/3/avoiding-a-digital-dark-age/1

© Sigma Xi, The Scientific Research Society

From rforno at infowarrior.org Wed Feb 24 12:30:02 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 24 Feb 2010 07:30:02 -0500
Subject: [Infowarrior] - New Verisign 'Trust' seal ... so what?
Message-ID:

The firm says lots of folks sign up for their SSL service that don't need it. Okay, I grant them that is probably true. But that said, how many gullible orgs will sign up for this service that don't need this one, either? Frankly, the 'benefits' they list for using this service don't exactly seem groundbreaking to me:

- Display the #1 trust mark on the Internet
- Prove that your business is a legal entity
- Protect visitors and your site from malware: Web site malware scan

See more below....

www.esecurityplanet.com/features/article.php/3866716

VeriSign Debuts New Online Trust Seal
By Sean Michael Kerner
February 23, 2010

< - >

"Over the last few years, we've noticed that there are companies that don't need SSL because they're not doing transactions, but they were purchasing an SSL certificate anyways so they could display the VeriSign Secured Seal on their site in order to drive customer confidence," Fran Rosch, senior vice president for authentication at VeriSign, told InternetNews.com. "There are tens of millions of Web sites that don't take transactions, that are information only, that don't require SSL." That's where the Trust Seal comes in as a scanning effort to ensure the safety of a Web site.
Rosch added that VeriSign is using a combination of technology that it developed (including those from its iDefense security division) along with that of a third-party vendor that VeriSign is not naming publicly.

< - >

From rforno at infowarrior.org Wed Feb 24 12:57:49 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 24 Feb 2010 07:57:49 -0500
Subject: [Infowarrior] - Infowarcon 2010
Message-ID: <27FAD1D6-CC35-4C29-8B3E-84A7CF26094D@infowarrior.org>

(Disclosure: I am on the advisory board for this event and have been a longtime supporter of / participant in this conference over the years. I receive no compensation for this announcement. -rick)

INFOWARCON 2010
Sponsored by the Association of Old Crows

InfowarCon 2010 highlights future warfare: the battle for ideas and information, using ancient methods as well as cutting edge technologies. This is not your typical boring conference, this is edgy: provocative and evocative. Experts present opposing viewpoints and air their differences. We bring out the debates that future warfare will be idea and information based, will not be restricted to the conventional hard-kill military operations and that our governments are not manned, equipped nor organized to win, perhaps not even to survive.

InfowarCon presents key individuals who are responsible for fighting this kind of war on our behalf, in the cyber world - from inside our governments, our military, corporations and academia, here and with our global partners. Hear how they are fighting these threats to our security and way of life. Sessions will include future technical cyberwarfare, electronic attacks, even nanotechnology in war and much more!
Conference website and online sign-up: http://www.infowarcon.com/
PDF Agenda & Overview: http://www.crows.org/images/stories/pdf/InfowarCon_2010.pdf

From rforno at infowarrior.org Thu Feb 25 01:30:33 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 24 Feb 2010 20:30:33 -0500
Subject: [Infowarrior] - MS kills Cryptome.Org
Message-ID: <711A53B3-FE7F-485B-BA25-E0A7A529BA04@infowarrior.org>

(of course, the document in question is available in tons of places already, in another /t to the Streisand Effect. -rick)

Microsoft Kills Watchdog Website Due to Leaked Documents
Written by Jolie O'Dell / February 24, 2010 4:54 PM / 0 Comments
http://www.readwriteweb.com/archives/_improper_use_of_copyright.php

Due to DMCA complaints filed by Microsoft, whistleblower website Cryptome [link to a backup version of the site] has been disabled by its ISP, Network Solutions. The complaints were due to the fact that Cryptome published a 17-page Microsoft Global Criminal Spy Guide. Microsoft claimed copyright infringement; Cryptome's editor refused to budge; and the site was taken down this afternoon.

Cryptome has previously published similar guides from Facebook, AOL, Yahoo and Skype; the site has been threatened but never before actually disabled.

The Microsoft document was originally published on February 20. Microsoft demanded that Cryptome remove the PDF, and when the editor refused, Cryptome's ISP sent a warning: If the document was not removed by Thursday, the site would be disabled. However, the site was taken down Wednesday afternoon.

The reason Cryptome refused to remove the PDF of Microsoft's so-called "spy guide" was that editor John Young believed its programs, which make it easier for law enforcement to obtain user data, showed "improper use of copyright to conceal... violations of trust toward its customers," according to an interview with Geekosystem. "Copyright law is not intended for confidentiality purposes," he continued.
"We think all lawful spying arrangements should be made public... Microsoft should join the others who openly describe [their] procedures." Young named Cisco as one such company.

Cindy Cohn of the Electronic Frontier Foundation said in a call today, "We find it troubling that copyright law is being invoked here. Microsoft doesn't sell this manual. There's no market for this work. It's not a copyright issue. John's copying of it is fair use... We don't do this anywhere else in speech law." For example, in cases involving libel or trade secrets, said Cohn, "You go to court, you make a case and you get an injunction. You don't just file a form... DMCA makes censorship easy."

Cohn also noted she feels the reason Microsoft actually wants the document removed from the Web is because, for a large corporation with millions of users and an aggressive PR agenda, the document raises concerns and sparks conversations the company would rather not confront. "It's part of a very intense political debate about the role of intermediary companies like Microsoft aiding surveillance for law enforcement. It's embarrassing for Microsoft for their users to see how much the people who carry their email have arrangements with law enforcement... All of the people who carry our communications are an easy conduit for our government to spy on us, and a lot of people are unhappy about that. It's a legitimate public debate, and Microsoft doesn't want to be part of that debate."

We hope that Microsoft does, in fact, release their stranglehold on Young and his site and take part in a conversation with their users about how their data can be accessed by others, including law enforcement. We've reached out to them for comment and will update this post if and when we hear back. In the meantime, let us know your thoughts in the comments.

UPDATE: Still no word from Microsoft, but here's that document they really don't want you (or anyone else) to see.
We hope to hear from a Microsoft representative soon to discuss the intentions and implications of this guide.

Thanks to Glenn Davis of Geekosystem for the tip.

From rforno at infowarrior.org Thu Feb 25 01:40:29 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 24 Feb 2010 20:40:29 -0500
Subject: [Infowarrior] - MS Spy Guide (links)
Message-ID: <49DCDC5A-BD64-451A-A2C1-A23A9A16DFA1@infowarrior.org>

There are other sources, but for those interested.

http://file.wikileaks.org/files/microsoft-spy.pdf
http://www.wired.com/images_blogs/threatlevel/2010/02/microsoft-online-services-global-criminal-compliance-handbook.pdf
http://www.scribd.com/doc/27394899/Microsoft-Spy

...Once again, the Streisand Effect, brought about by controversial attempts of copyright enforcement, only moves information folks want to move back into the shadows farther into the light. -rf

From rforno at infowarrior.org Thu Feb 25 15:09:57 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2010 10:09:57 -0500
Subject: [Infowarrior] - New ACTA Leak: U.S., et al. Do Not Support Transparency
Message-ID:

New ACTA Leak: U.S., Korea, Singapore, Denmark Do Not Support Transparency
Thursday February 25, 2010
http://www.michaelgeist.ca/content/view/4819/125/

Throughout the debate over ACTA transparency, many countries have taken public positions that they support release of the actual text, but that other countries do not. Since full transparency requires consensus of all the ACTA partners, the text simply can't be released until everyone is in agreement. Of course, those same countries hasten to add that they can't name who opposes ACTA transparency, since that too is secret. No longer.
In an important new leak from the Netherlands (Dutch, Google English translation), a Dutch memorandum reporting back on the Mexico ACTA negotiation round names names, pointing specifically to which countries support releasing the text and which do not (note that the memo does not canvass everyone - Australia and New Zealand are known to support transparency but are not named in the memo).

According to the Dutch memo, Canada has played a lead role in making the case for full disclosure of the documents. Within Europe, the UK has been actively pushing for transparency and is of the view that there is consensus for release of the text (there is support from many countries including the Netherlands, Sweden, Finland, Ireland, Hungary, Poland, Estonia, and Austria). However, the memo indicates that several countries are not fully supportive including Belgium, Portugal, Germany, and Denmark. Of these four countries, the Dutch believe that Denmark is the most inflexible on the issue.

Outside of Europe, the memo identifies three problem countries. While Japan is apparently supportive, both South Korea and Singapore oppose ACTA transparency. Moreover, the U.S. has remained silent on the issue, as it remains unconvinced of the need for full disclosure. In doing so, it would appear that the U.S. is perhaps the biggest problem since a clear position of support might be enough to persuade the remaining outliers.

The memo also provides additional new information on the substance of the Mexico meeting. It confirms that countries are still not willing to make significant concessions. The countries are closing in on agreement on the border measures chapter, but are finding disagreements on civil enforcement due to differing legal systems. There is still no agreement on transit shipments or exports, nor on the scope of the treaty (EU continuing to push for broader coverage).
This is an important leak, since it provides at least one perspective on who remains a barrier to ACTA transparency. Given the information, Canadians should be pleased with the position taken by its government, while those in the U.S., South Korea, Singapore, Belgium, Portugal, Germany, and Denmark should be demanding answers from their leaders.

From rforno at infowarrior.org Thu Feb 25 17:58:24 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2010 12:58:24 -0500
Subject: [Infowarrior] - Senate votes to extend USA Patriot Act for 1 year
Message-ID: <1D5744B3-486D-47CB-A999-C81D057CFEC5@infowarrior.org>

Senate votes to extend USA Patriot Act for 1 year
By STEPHEN OHLEMACHER
The Associated Press
Wednesday, February 24, 2010; 9:25 PM
http://www.washingtonpost.com/wp-dyn/content/article/2010/02/24/AR2010022404926_pf.html

WASHINGTON -- The Senate voted Wednesday to extend for a year key provisions of the nation's counterterrorism surveillance law that are scheduled to expire at the end of the month.

In agreeing to pass the bill, Senate Democrats retreated from adding new privacy protections to the USA Patriot Act. The Senate approved the bill on a voice vote with no debate. It now goes to the House.

Three important sections of the Patriot Act are to expire at the end of this month. One authorizes court-approved roving wiretaps that permit surveillance on multiple phones. A second allows court-approved seizure of records and property in anti-terrorism operations. A third permits surveillance against a so-called lone wolf, a non-U.S. citizen suspected of engaging in terrorism who may not be part of a recognized terrorist group.

Supporters say extending the law enables authorities to keep important tools in the fight against terrorism. It would also give Democrats some cover from Republican criticism that the Obama administration is soft on terrorism.
Republicans have criticized the administration for trying terrorist suspects in civilian courts, rather than military ones, and for trying to close the military-run prison at Guantanamo Bay, Cuba.

Some Democrats, however, had to forfeit new privacy protections they had sought for the law. The Judiciary Committee bill would have restricted FBI information demands known as national security letters and made it easier to challenge gag orders imposed on Americans whose records are seized. Library records would have received extra protections. Congress would have closely scrutinized FBI use of the law to prevent abuses. Dissemination of surveillance results would have been restricted and after a time, unneeded records would have been destroyed.

"I would have preferred to add oversight and judicial review improvements to any extension of expiring provisions in the USA Patriot Act," said Sen. Patrick Leahy, D-Vt., chairman of the Senate Judiciary Committee. "But I understand some Republican senators objected."

---

Associated Press writer Larry Margasak contributed to this report.

© 2010 The Associated Press

From rforno at infowarrior.org Thu Feb 25 22:02:28 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2010 17:02:28 -0500
Subject: [Infowarrior] - Ranum & Peterson Video on Cloud Computing
Message-ID:

Brilliant vid by two of our industry's best. This should be required watching at all computer security cons and classes. ;) -rick

Downfall Strikes Again!!!!!! (c/o Schneier)

Hitler and Cloud Computing
Funny video by Marcus Ranum and Gunnar Peterson.
http://www.youtube.com/watch?v=VjfaCoA2sQk

From rforno at infowarrior.org Thu Feb 25 23:15:38 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2010 18:15:38 -0500
Subject: [Infowarrior] - MS relents on Cryptome
Message-ID:

Guess they realized the futility of their actions? Or is it wishful thinking?
lol -rick

Date: Thu, 25 Feb 2010 12:22:59 -0500
From: "DMCA"
To: "John Young"

We would like to notify you that Microsoft has contacted us regarding www.cryptome.org. Microsoft has withdrawn their DMCA complaint. As a result www.cryptome.org has been reactivated and this matter has been closed. Please allow time for the reactivation to propagate throughout the various servers around the world.

Linda L. Larsen, Designated Agent
Network Solutions, LLC
Telephone: 703.668.5615
Facsimile: 703.668.5959
Email: dmca[at]networksolutions.com

From rforno at infowarrior.org Thu Feb 25 23:20:52 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2010 18:20:52 -0500
Subject: [Infowarrior] - more on: MS relents on Cryptome
Message-ID: <93291A74-550C-40ED-97A7-1D98D2F5CD19@infowarrior.org>

(c/o TL)

Microsoft retreats from demand that killed whistleblower site
Never meant to knock Cryptome.org offline, says Microsoft; whistleblower wants his day in court
http://www.computerworld.com/s/article/9162358/Microsoft_retreats_from_demand_that_killed_whistleblower_site
Gregg Keizer
February 25, 2010 (Computerworld)

Microsoft Corp. today withdrew its demand that Cryptome.org yank the "Microsoft Global Criminal Spy Guide" document from its site and said it had never intended for the whistleblower's domain to be knocked off the Web.

"In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed," said a Microsoft spokeswoman in an e-mailed statement early today. "We are requesting to have the site restored and are no longer seeking the document's removal."

The document, a 17-page guide that Microsoft prepared to show law enforcement how to obtain information about users of its online services -- including Windows Live Hotmail, the Xbox Live gaming network and the Windows Live SkyDrive storage service -- was published by John Young, who runs Cryptome.org, on Feb. 20.
Earlier this week, Microsoft demanded that Young remove the document from his site, citing the Digital Millennium Copyright Act (DMCA). When Young refused, his Internet provider shut down the site, and Network Solutions LLC, the registrar of Young's domain, put a "legal lock" on the domain name. That last move prevented him from transferring the URL to another Internet service provider.

Originally, Young had been told he had until today to remove the document from his site or face the consequences. Instead, his ISP pulled the plug and Network Solutions locked the domain name a day early, forcing him to scramble Wednesday to find a temporary home for his site.

Today, Network Solutions unlocked the domain and restored the site. Cryptome.org returned to the Web shortly before 3 p.m. Eastern time.

"We removed the legal lock as soon as we received the notification from Microsoft that they withdrew their [DMCA]-based complaint," said Susan Wade, a spokeswoman for Network Solutions.

Prior to Microsoft's turnabout, Young remained combative, effectively daring the company to fight. "We really want this to go to court," he said in a telephone interview early today. "The DMCA needs to be modified, because it's catching a lot of innocent people in its net."

The DMCA, Young argued, makes it much too easy for large companies like Microsoft to demand, and get, cooperation from Internet providers and domain registrars like Network Solutions when the issue is not actually copyright-related but more in the confidentiality arena.

"This is an abuse of the copyright law," Young maintained, adding that it wasn't Congress's intent to let companies use the DMCA to quash leaked information. "We want to go to court so [Congress] comes out with a better version [of the DMCA]."

Cryptome.org has rebuffed efforts by other major Internet companies, most recently Yahoo Inc., when they have demanded that the site take down documents spelling out how police can request user information.
"They're all bluffing," he said earlier today, putting Microsoft in that crowd.

After Young's site published the "Microsoft Global Criminal Spy Guide," other sites posted the document. It can currently be downloaded from Wikileaks (download PDF), for example.

Microsoft defended the two-year-old document that caused the ruckus. "Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations," the company spokeswoman said today. "We take our responsibility to protect our customers' privacy very seriously, so we have specific guidelines that we use when responding to law enforcement requests."

Computerworld blogger Preston Gralla dug into the document today in his "Leaked Microsoft intelligence document: Here's what Microsoft will reveal to police about you" post.

From rforno at infowarrior.org Fri Feb 26 00:54:26 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Feb 2010 19:54:26 -0500
Subject: [Infowarrior] - RIAA Revisionism (CEO's op-ed)
Message-ID: <66E14EE3-6885-4132-83DD-394B19A7C0AA@infowarrior.org>

RIAA CEO Tries To Connect China Google Hack With Google's Attitude Towards Copyright
from the how-out-of-touch-are-you? dept

The RIAA has made some bizarre and totally nonsensical arguments in its time, but it may have just set a new low. castilho points us to an opinion piece written by RIAA boss Mitch Bainwol that tries to pin the blame for the Chinese hack of Google on Google's opinion towards copyright. Seriously. Of course, the logical leaps and bounds you have to go through to make this sort of statement are a bit crazier than your average roller coaster, and in the process Bainwol seems to be implying both that those who give away anything for free are against content creation and that getting hacked actually has something to do with copyright law.
< - >

http://techdirt.com/articles/20100225/0425588308.shtml

From rforno at infowarrior.org Fri Feb 26 19:10:10 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 26 Feb 2010 14:10:10 -0500
Subject: [Infowarrior] - DoD Issues Responsible Internet Use Policy
Message-ID: <72F0B669-1DCD-4A1D-A2BE-344A179FEC05@infowarrior.org>

DoD Issues Responsible Internet Use Policy
http://cryptome.org/dodi/DTM-09-026.pdf

From rforno at infowarrior.org Fri Feb 26 20:11:53 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 26 Feb 2010 15:11:53 -0500
Subject: [Infowarrior] - USA PATRIOT renewed
Message-ID: <1F7818A8-D7EA-41FF-8C4F-A9A8609579D6@infowarrior.org>

February 26th, 2010
Epic Fail in Congress: USA PATRIOT Act Renewed Without Any New Civil Liberties Protections
News Update by Kevin Bankston
http://www.eff.org/deeplinks/2010/02/epic-fail-congress-usa-patriot-act-renewed-without

Yesterday evening, the U.S. House of Representatives voted overwhelmingly to renew three expiring provisions of the USA PATRIOT Act, after the Senate abandoned the PATRIOT reform effort and approved the extension by a voice vote on Wednesday night. Disappointingly, the government's dangerously broad authority to conduct roving wiretaps of unspecified or "John Doe" targets, to secretly wiretap persons without any connection to terrorists or spies under the so-called "lone wolf" provision, and to secretly access a wide range of private business records without warrants under PATRIOT Section 215 were all renewed without any new checks and balances to prevent abuse.

Despite months of vigorous debate, when PATRIOT renewal bills providing for greater oversight and accountability were approved by the Judiciary Committees of both the House and the Senate, Democratic leaders' push for reform fizzled in the face of staunch Republican opposition buoyed by recent hot-button events such as the attempted bombing of an airliner on Christmas Day and the shooting at Fort Hood.
The renewed PATRIOT provisions were originally set to expire on December 31, 2009, but Congress ran out of time last year and temporarily extended them until February 28th, this coming Sunday. The new extension is expected to be signed by the President before then.

The one silver lining? Despite a push by Republican leaders for a four-year extension, the renewed provisions are now set to expire in one year. So, although this battle's been lost, the effort to roll back PATRIOT's worst excesses is far from over. Thank you to everyone who took action to support PATRIOT reform this past year; we hope that you'll continue the fight with us in the next year.

From rforno at infowarrior.org Fri Feb 26 21:28:24 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 26 Feb 2010 16:28:24 -0500
Subject: [Infowarrior] - Secret Service computer woes
Message-ID:

Secret Service Computers Only Work at 60 Percent Capacity; Agency Uses 1980s Mainframe
System Is 'Fragile' and Cannot Sustain Tempo of Current or Future Operational Missions
By JASON RYAN
WASHINGTON, Feb. 26, 2010
http://abcnews.go.com/print?id=9945663

A classified review of the United States Secret Service's computer technology found that the agency's computers were fully operational only 60 percent of the time because of outdated systems and a reliance on a computer mainframe that dates to the 1980s, according to Sen. Joe Lieberman, I-Conn.

"We have here a premiere law enforcement organization in our country which is responsible for the security of the president and the vice president and other officials of our government, and they have to have better IT than they have," said Lieberman, who is chairman of the Senate Homeland Security and Government Affairs Committee.

Sources tell ABC News that the Secret Service was so plagued by computer problems that the agency invited the National Security Agency to formally review its information technology systems.
The Secret Service's databases are outdated and users are at times unable to conduct searches from one system to another.

Lieberman says he's had "concern for a while" about the Secret Service computers. A 60 percent, fully operational average is far worse than "industry and government standards that are around 98 percent generally," Lieberman said.

Asked about the review and the NSA review of Secret Service systems, service spokesman Malcolm Wiley said, "At our request, NSA performed an independent evaluation of our existing IT network to determine if any deficiencies or potential vulnerabilities existed. ...Results of the review suggested we needed enhancements to ensure that our systems remained sound. A number of the recommended changes have already been implemented."

According to officials at the time of the review, the unofficial cost estimate to update the system was $187 million. The Department of Homeland Security (DHS), which oversees the Secret Service, has so far allocated $33 million, and requested $69 million in the department's most recent budget request.

The DHS budget justification for 2011 noted, "The Secret Service data environment is fragile and cannot sustain the tempo of current or future operational missions. The existing hardware infrastructure is more than 5 years old and is prone to failures."

The service says that its protective details have not been impacted by any issues with their computer systems. They note that the agency is responsible for protective detail as well as a vast array of electronic crimes, such as banking and financial fraud issues and cyber-security issues. The recent scrutiny the agency faced after three individuals were able to attend a state dinner without being invited was not attributable to any computer deficiencies at the Secret Service, according to officials.

"The systems that impact our protective responsibilities are constantly monitored and potential problems are immediately addressed," Malcolm said.
A Secret Service contracting memo from Oct. 16, 2009, reviewed by ABC News found, "Currently, 42 mission-oriented applications run on a 1980s IBM mainframe with a 68 percent performance reliability rating. Networks, data systems, applications, and IT security do not meet current operational requirements. The IT systems lack appropriate bandwidth to run multiple applications to effectively support USSS offices and operational missions around the world."

"We have managed our aged IT infrastructure well past its intended capability. We now have a get-well plan to resolve our IT needs and requirements," Malcolm said.

This is not the first time that drastically out of date computer systems have been discovered in federal agencies. The FBI revealed it suffered from major computer problems following the scrutiny the bureau received after the 9/11 attacks. The bureau's most embarrassing computer problem came in 2005 when the FBI had to scrap the $170 million Virtual Case File program, which was designed to help agents track cases electronically.

Since then, the FBI has been setting up a new $451 million project called Sentinel, which will allow agents to use a Web-based system to incorporate the FBI's old existing files. While the Justice Department inspector general has expressed some concerns that the program runs slowly for users and some cost overruns, it is scheduled to be completed later this year.

Asked why DHS was requesting less money than the initial estimate of $187 million, DHS Secretary Janet Napolitano said, "Part of it is an assessment of how much it would actually cost and also what can be purchased and what is needed on a priority basis."

Copyright ©
2010 ABC News Internet Ventures

From rforno at infowarrior.org Sat Feb 27 02:06:56 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 26 Feb 2010 21:06:56 -0500
Subject: [Infowarrior] - USG rescinds 'leave internet alone' policy
Message-ID: <5548BA36-80D0-481E-BA87-777D56FD08FB@infowarrior.org>

Original URL: http://www.theregister.co.uk/2010/02/27/internet_3_dot_0_policy/

US government rescinds 'leave internet alone' policy
By Kieren McCarthy
Posted in Networks, 27th February 2010 00:06 GMT

The US government's policy of leaving the Internet alone is over, according to Obama's top official at the Department of Commerce.

Instead, an "Internet Policy 3.0" approach will see policy discussions between government agencies, foreign governments, and key Internet constituencies, according to Assistant Secretary Larry Strickling, with those discussions covering issues such as privacy, child protection, cybersecurity, copyright protection, and Internet governance.

The outcomes of such discussions will be "flexible" but may result in recommendations for legislation or regulation, Strickling said in a speech at the Media Institute in Washington this week.

The new approach (http://www.ntia.doc.gov/presentations/2010/MediaInstitute_02242010.html) is a far cry from a US government that consciously decided not to intrude into the internet's functioning and growth and in so doing allowed an academic network to turn into a global communications phenomenon.

Strickling referred to these roots arguing that it was "the right policy for the United States in the early stages of the Internet, and the right message to send to the rest of the world." But, he continued, "that was then and this is now. As we at NTIA approach a wide range of Internet policy issues, we take the view that we are now in the third generation of Internet policy making."
Outlining three decades of internet evolution - from transition to commercialization, from the garage to Main Street, and now, starting in 2010, the "Policy 3.0" approach - Strickling argued that the internet is now a social network as well as a business network. "We must take rules more seriously."

He cited a number of examples where this new approach was needed: end users worried about credit card transactions, content providers who want to prevent their copyright, companies concerned about hacking, network neutrality, and foreign governments worried about Internet governance systems.

The decision to effectively end the policy that made the internet what it is today is part of a wider global trend of governments looking to impose rules on use of the network by its citizens.

In the UK, the Digital Economy Bill currently making its way through Parliament has been the subject of significant controversy for advocating strict rules on copyright infringement and threatening to ban people from the internet if they are found to do so. The bill includes a wide variety of other measures, including giving regulator Ofcom a wider remit, forcing ISPs to monitor their customers' behavior, and allowing the government to take over the dot-uk registry.

In New Zealand, a similar measure to the UK's cut-off provision has been proposed by revising the Copyright Act to allow a tribunal to fine those found guilty of infringing copyright online as well as suspend their Internet accounts for up to six months.

And in Italy this week, three Google executives were sentenced to jail for allowing a video that was subsequently pulled down to be posted onto its YouTube video site.

Internationally, the Internet Governance Forum - set up under a United Nations banner to deal with global governance issues - is due to end its experimental run this year and become an acknowledged institution.
However, there are signs that governments are increasingly dominating the IGF, with civil society and the Internet community sidelined in the decision-making process.

In this broader context, the US government's newly stated policy is more in line with the traditional laissez-faire internet approach. Internet Policy 3.0 also offers a more global perspective than the isolationist approach taken by the previous Bush administration.

In explicitly stating that foreign governments will be a part of the upcoming discussions, Strickling recognizes the United States' unique position as the country that gives final approval for changes made to the internet's "root zone."

Currently the global Internet is dependent on an address book whose contents are changed through a contract that the US government has granted to the Internet Corporation for Assigned Names and Numbers (ICANN), based in Los Angeles. ICANN recently adjusted its own agreement with the US government to give it more autonomy and now reports to the global Internet community through a series of reviews. Strickling sits on the panel of one of those reviews.

Overall, this new approach could enable the US government to regain the loss of some of its direct influence through recommendations made in policy reports. But internet old hands will still decry the loss of a policy that made the network what it is today. ®

From rforno at infowarrior.org Sat Feb 27 14:15:11 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 27 Feb 2010 09:15:11 -0500
Subject: [Infowarrior] - Cybersecurity bill to give president new emergency powers
Message-ID:

Cybersecurity bill to give president new emergency powers
By Tony Romm - 02/26/10 02:30 PM ET
http://thehill.com/blogs/hillicon-valley/technology/83961-forthcoming-cybersecurity-bill-to-give-president-new-powers-in-cyberattack-emergencies

The president would have the power to safeguard essential federal and private Web resources under draft Senate cybersecurity legislation.
According to an aide familiar with the proposal, the bill includes a mandate for federal agencies to prepare emergency response plans in the event of a massive, nationwide cyberattack.

The president would then have the ability to initiate those network contingency plans to ensure key federal or private services did not go offline during a cyberattack of unprecedented scope, the aide said.

Ultimately, the legislation is chiefly the brainchild of Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), the chairman and ranking member of the Senate Commerce Committee, respectively. Both lawmakers have long clamored for a federal cybersecurity bill, charging that current measures - including the legislation passed by the House last year - are too piecemeal to protect the country's Web infrastructure.

Their renewed focus arrives on the heels of two high-profile cyberattacks last month: A strike on Google, believed to have originated in China, and a separate, more disjointed attack that affected thousands of businesses worldwide.

Rockefeller and Snowe's forthcoming bill would establish a host of heretofore absent cybersecurity prevention and response measures, an aide close to the process said. The bill will "significantly [raise] the profile of cybersecurity within the federal government," while incentivizing private companies to do the same, according to the aide.

Additionally, it will "promote public awareness" of Internet security issues, while outlining key protections of Americans' civil liberties on the Web, the aide continued.

Privacy groups are nonetheless likely to take some umbrage at Rockefeller and Snowe's latest effort, an early draft of which leaked late last year. When early reports predicted the cybersecurity measure would allow the president to "declare a cybersecurity emergency," online privacy groups said they felt that would endow the White House with overly ambiguous and far-reaching powers to regulate the Internet.
The bill will still contain most of those powers, and a "vast majority" of its other components "remain unchanged," an aide with knowledge of the legislation told The Hill.

But both the aide and a handful of tech insiders who support the bill have nonetheless tried to dampen skeptics' concerns, reminding them the president already has vast - albeit lesser-known - powers to regulate the Internet during emergencies.

It is unclear when Rockefeller and Snowe will finish their legislation. And the ongoing debate over healthcare reform, financial regulatory reform, jobs bills and education fixes could postpone action on the floor for many months.

Both lawmakers heavily emphasized the need for such a bill during a Senate Commerce Committee cybersecurity hearing on Wednesday.

"Too much is at stake for us to pretend that today's outdated cybersecurity policies are up to the task of protecting our nation and economic infrastructure," Rockefeller said. "We have to do better and that means it will take a level of coordination and sophistication to outmatch our adversaries and minimize this enormous threat."

Source: http://thehill.com/blogs/hillicon-valley/technology/83961-forthcoming-cybersecurity-bill-to-give-president-new-powers-in-cyberattack-emergencies

From rforno at infowarrior.org Sat Feb 27 15:38:35 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 27 Feb 2010 10:38:35 -0500
Subject: [Infowarrior] - Weaponizing Mozart
Message-ID: <41955D37-8BAC-4F35-8496-FCA3DC793ACB@infowarrior.org>

Weaponizing Mozart
How Britain is using classical music as a form of social control
Brendan O'Neill | February 24, 2010
http://reason.com/archives/2010/02/24/weoponizing-mozart/1

In recent years Britain has become the Willy Wonka of social control, churning out increasingly creepy, bizarre, and fantastic methods for policing the populace.
But our weaponization of classical music - where Mozart, Beethoven, and other greats have been turned into tools of state repression - marks a new low.

We're already the kings of CCTV. An estimated 20 per cent of the world's CCTV cameras are in the UK, a remarkable achievement for an island that occupies only 0.2 per cent of the world's inhabitable landmass. A few years ago some local authorities introduced the Mosquito, a gadget that emits a noise that sounds like a faint buzz to people over the age of 20 but which is so high-pitched, so piercing, and so unbearable to the delicate ear drums of anyone under 20 that they cannot remain in earshot. It's designed to drive away unruly youth from public spaces, yet is so brutally indiscriminate that it also drives away good kids, terrifies toddlers, and wakes sleeping babes.

Police in the West of England recently started using super-bright halogen lights to temporarily blind misbehaving youngsters. From helicopters, the cops beam the spotlights at youths drinking or loitering in parks, in the hope that they will become so bamboozled that (when they recover their eyesight) they will stagger home. And recently police in Liverpool boasted about making Britain's first-ever arrest by unmanned flying drone. Inspired, it seems, by Britain and America's robot planes in Afghanistan, the Liverpool cops used a remote-control helicopter fitted with CCTV (of course) to catch a car thief.

Britain might not make steel anymore, or cars, or pop music worth listening to, but, boy, are we world-beaters when it comes to tyranny. And now classical music, which was once taught to young people as a way of elevating their minds and tingling their souls, is being mined for its potential as a deterrent against bad behavior.

In January it was revealed that West Park School, in Derby in the midlands of England, was "subjecting" (its words) badly behaved children to Mozart and others. In "special detentions,"
the children are forced to endure two hours of classical music both as a relaxant (the headmaster claims it calms them down) and as a deterrent against future bad behavior (apparently the number of disruptive pupils has fallen by 60 per cent since the detentions were introduced).

One news report says some of the children who have endured this Mozart authoritarianism now find classical music unbearable. As one critical commentator said, they will probably "go into adulthood associating great music - the most bewitchingly lovely sounds on Earth - with a punitive slap on the chops." This is what passes for education in Britain today: teaching kids to think "Danger!" whenever they hear Mozart's Requiem or some other piece of musical genius.

The classical music detentions at West Park School are only the latest experiment in using and abusing some of humanity's greatest cultural achievements to reprimand youth. Across the UK, local councils and other public institutions now play recorded classical music through speakers at bus-stops, in parking lots, outside department stores, and elsewhere. No, not because they think the public will appreciate these sweet sounds (they think we are uncultured grunts), but because they hope it will make naughty youngsters flee.

Tyne and Wear in the north of England was one of the first parts of the UK to weaponize classical music. In the early 2000s, the local railway company decided to do something about the "problem" of "youths hanging around" its train stations. The young people were "not getting up to criminal activities," admitted Tyne and Wear Metro, but they were "swearing, smoking at stations and harassing passengers." So the railway company unleashed "blasts of Mozart and Vivaldi." Apparently it was a roaring success. The youth fled. "They seem to loathe [the music]," said the proud railway guy. "It's pretty uncool to be seen hanging around somewhere when Mozart is playing."
He said the most successful deterrent music included the Pastoral Symphony by Beethoven, Symphony No. 2 by Rachmaninov, and Piano Concerto No. 2 by Shostakovich. (That last one I can kind of understand.)

In Yorkshire in the north of England, the local council has started playing classical music through vandal-proof speakers at "troublesome bus-stops" between 7:30 PM and 11:30 PM. Shops in Worcester, Bristol, and North Wales have also taken to "firing out" bursts of classical music to ward off feckless youngsters. In Holywood (in County Down in Northern Ireland, not to be confused with Hollywood in California), local businesspeople encouraged the council to pipe classical music as a way of getting rid of youngsters who were spitting in the street and doing graffiti. And apparently classical music defeats street art: The graffiti levels fell.

Anthony Burgess's nightmare vision of an elite using high culture as a "punitive slap on the chops" for low youth has come true. In Burgess's 1962 dystopian novel A Clockwork Orange, famously filmed by Stanley Kubrick in 1971, the unruly youngster Alex is subjected to "the Ludovico Technique" by the crazed authorities. Forced to take drugs that induce nausea and to watch graphically violent movies for two weeks, while simultaneously listening to Beethoven, Alex is slowly rewired and re-moulded. But he rebels, especially against the use of classical music as punishment. Pleading with his therapists to turn the music off, he tells them that "Ludwig van" did nothing wrong, he "only made music." He tells the doctors it's a sin to turn him against Beethoven and take away his love of music. But they ignore him. At the end of it all, Alex is no longer able to listen to his favorite music without feeling distressed. A bit like that schoolboy in Derby who now sticks his fingers in his ears when he hears Mozart.

The weaponization of classical music speaks volumes about the British elite's authoritarianism and cultural backwardness.
They're so desperate to control youth - but from a distance, without actually having to engage with them - that they will film their every move, fire high-pitched noises in their ears, shine lights in their eyes, and bombard them with Mozart. And they have so little faith in young people's intellectual abilities, in their capacity and their willingness to engage with humanity's highest forms of art, that they imagine Beethoven and Mozart and others will be repugnant to young ears. Of course, this becomes a self-fulfilling prophecy. The dangerous message being sent to young people is clear: 1) you are scum; 2) classical music is not a wonder of the human world, it's a repellent against mildly anti-social behavior.

Brendan O'Neill is editor of spiked in London.

From rforno at infowarrior.org Sat Feb 27 19:47:30 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 27 Feb 2010 14:47:30 -0500
Subject: [Infowarrior] - The Rise of the Web Introvert
Message-ID:

The Rise of the Web Introvert
By Kevin Kelleher
Feb. 27, 2010, 9:00am PST
http://gigaom.com/2010/02/27/the-rise-of-the-web-introvert/

Over the past several years, the web has been kind to extroverts. Social networks have offered a new platform for people to broadcast their thoughts, connect with each other and expand their contacts in the online realm. The social web has even ushered in a new kind of extroversion, in which people who might be shy or uneasy in traditional social settings can express themselves online.

Much less noticeable is another trend: the rise of the web introvert. But while some web introverts might be introverted in the classic sense - that is, uncomfortable in social settings - many of them aren't shy at all. They are simply averse to having a public presence on the web. And in time, they are going to present a problem for social sites like Facebook and Twitter, whose potential growth will be limited unless they can successfully court them.
Web introversion isn't a question of technophobia or security concerns. Anyone who has tried to build out their online networks on Facebook knows that there are a lot of people they know in real life that they can't friend online. Many people who have been involved in technology for years - or who are entirely comfortable shopping at Amazon, paying bills online, buying songs from iTunes - will have nothing to do with social networks. Others see it as a chore necessary for their jobs. Still others have accounts languishing on all the major social networks.

If you ask a web introvert why he or she isn't into social networks, the response often comes down to a matter of trust - or rather, a lack of it. It's frustrating enough that each social network has its own etiquette to master, but many people are loath to make the effort because of the unpleasant reality that there is no such thing as privacy on the web.

And typically, the more that web introverts understand the nature of the web, the less willing they are to expose themselves on it. For while you might start off thinking you own your tweets, you really don't. And if you don't want your Facebook information open to the public, you need to follow closely that site's constant privacy changes. Moreover, regardless of the site, a casual comment that, in an offline conversation would be forgotten, is preserved for years on the web - and could come back to haunt you.

For extroverts, this is all just part of navigating the social web. But enough people are uncomfortable with social networks that it's going to become a barrier to growth in the coming years. For now, Facebook's growth is continuing simply because there are more and more extroverts signing up. And Twitter is still in the stage of experimenting with ways to make money. Eventually growth rates will slow and these companies will see web introverts as an alienated part of the market that they need to court.
Each introvert, after all, is a lost opportunity for revenue. But it may be that these characteristics are so inherent in the social web that such people simply can't be courted.

From rforno at infowarrior.org Sun Feb 28 19:38:53 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 28 Feb 2010 14:38:53 -0500
Subject: [Infowarrior] - America, the fragile empire
Message-ID:

America, the fragile empire
Here today, gone tomorrow -- could the United States fall that fast?
By Niall Ferguson
February 28, 2010
http://www.latimes.com/news/opinion/la-oe-ferguson28-2010feb28,0,2697391.story

For centuries, historians, political theorists, anthropologists and the public have tended to think about the political process in seasonal, cyclical terms. From Polybius to Paul Kennedy, from ancient Rome to imperial Britain, we discern a rhythm to history. Great powers, like great men, are born, rise, reign and then gradually wane. No matter whether civilizations decline culturally, economically or ecologically, their downfalls are protracted.

In the same way, the challenges that face the United States are often represented as slow-burning. It is the steady march of demographics -- which is driving up the ratio of retirees to workers -- not bad policy that condemns the public finances of the United States to sink deeper into the red. It is the inexorable growth of China's economy, not American stagnation, that will make the gross domestic product of the People's Republic larger than that of the United States by 2027. As for climate change, the day of reckoning could be as much as a century away. These threats seem very remote compared with the time frame for the deployment of U.S. soldiers to Afghanistan, in which the unit of account is months, not years, much less decades.

But what if history is not cyclical and slow-moving but arrhythmic -- at times almost stationary but also capable of accelerating suddenly, like a sports car?
What if collapse does not arrive over a number of centuries but comes suddenly, like a thief in the night?

Great powers are complex systems, made up of a very large number of interacting components that are asymmetrically organized, which means their construction more resembles a termite hill than an Egyptian pyramid. They operate somewhere between order and disorder. Such systems can appear to operate quite stably for some time; they seem to be in equilibrium but are, in fact, constantly adapting. But there comes a moment when complex systems "go critical." A very small trigger can set off a "phase transition" from a benign equilibrium to a crisis -- a single grain of sand causes a whole pile to collapse.

Not long after such crises happen, historians arrive on the scene. They are the scholars who specialize in the study of "fat tail" events -- the low-frequency, high-impact historical moments, the ones that are by definition outside the norm and that therefore inhabit the "tails" of probability distributions -- such as wars, revolutions, financial crashes and imperial collapses. But historians often misunderstand complexity in decoding these events. They are trained to explain calamity in terms of long-term causes, often dating back decades. This is what Nassim Taleb rightly condemned in "The Black Swan" as "the narrative fallacy."

In reality, most of the fat-tail phenomena that historians study are not the climaxes of prolonged and deterministic story lines; instead, they represent perturbations, and sometimes the complete breakdowns, of complex systems.

To understand complexity, it is helpful to examine how natural scientists use the concept. Think of the spontaneous organization of termites, which allows them to construct complex hills and nests, or the fractal geometry of water molecules as they form intricate snowflakes. Human intelligence itself is a complex system, a product of the interaction of billions of neurons in the central nervous system.
All these complex systems share certain characteristics. A small input to such a system can produce huge, often unanticipated changes -- what scientists call "the amplifier effect." Causal relationships are often nonlinear, which means that traditional methods of generalizing through observation are of little use. Thus, when things go wrong in a complex system, the scale of disruption is nearly impossible to anticipate.

There is no such thing as a typical or average forest fire, for example. To use the jargon of modern physics, a forest before a fire is in a state of "self-organized criticality": It is teetering on the verge of a breakdown, but the size of the breakdown is unknown. Will there be a small fire or a huge one? It is nearly impossible to predict. The key point is that in such systems, a relatively minor shock can cause a disproportionate disruption.

Any large-scale political unit is a complex system. Most great empires have a nominal central authority -- either a hereditary emperor or an elected president -- but in practice the power of any individual ruler is a function of the network of economic, social and political relations over which he or she presides. As such, empires exhibit many of the characteristics of other complex adaptive systems -- including the tendency to move from stability to instability quite suddenly.

The most recent and familiar example of precipitous decline is the collapse of the Soviet Union. With the benefit of hindsight, historians have traced all kinds of rot within the Soviet system back to the Brezhnev era and beyond. Perhaps, as the historian and political scientist Stephen Kotkin has argued, it was only the high oil prices of the 1970s that "averted Armageddon." But this did not seem to be the case at the time. The Soviet nuclear arsenal was larger than the U.S. stockpile.
And governments in what was then called the Third World, from Vietnam to Nicaragua, had been tilting in the Soviets' favor for most of the previous 20 years. Yet, less than five years after Mikhail Gorbachev took power, the Soviet imperium in central and Eastern Europe had fallen apart, followed by the Soviet Union itself in 1991. If ever an empire fell off a cliff, rather than gently declining, it was the one founded by Lenin.

If empires are complex systems that sooner or later succumb to sudden and catastrophic malfunctions, what are the implications for the United States today?

First, debating the stages of decline may be a waste of time -- it is a precipitous and unexpected fall that should most concern policymakers and citizens. Second, most imperial falls are associated with fiscal crises. Alarm bells should therefore be ringing very loudly indeed as the United States contemplates a deficit for 2010 of more than $1.5 trillion -- about 11% of GDP, the biggest since World War II.

These numbers are bad, but in the realm of political entities, the role of perception is just as crucial. In imperial crises, it is not the material underpinnings of power that really matter but expectations about future power. The fiscal numbers cited above cannot erode U.S. strength on their own, but they can work to weaken a long-assumed faith in the United States' ability to weather any crisis.

One day, a seemingly random piece of bad news -- perhaps a negative report by a rating agency -- will make the headlines during an otherwise quiet news cycle. Suddenly, it will be not just a few policy wonks who worry about the sustainability of U.S. fiscal policy but the public at large, not to mention investors abroad. It is this shift that is crucial: A complex adaptive system is in big trouble when its component parts lose faith in its viability.
Over the last three years, the complex system of the global economy flipped from boom to bust -- all because a bunch of Americans started to default on their subprime mortgages, thereby blowing huge holes in the business models of thousands of highly leveraged financial institutions. The next phase of the current crisis may begin when the public begins to reassess the credibility of the radical monetary and fiscal steps that were taken in response.

Neither interest rates at zero nor fiscal stimulus can achieve a sustainable recovery if people in the United States and abroad collectively decide, overnight, that such measures will ultimately lead to much higher inflation rates or outright default. Bond yields can shoot up if expectations change about future government solvency, intensifying an already bad fiscal crisis by driving up the cost of interest payments on new debt. Just ask Greece.

Ask Russia too. Fighting a losing battle in the mountains of the Hindu Kush has long been a harbinger of imperial fall. What happened 20 years ago is a reminder that empires do not in fact appear, rise, reign, decline and fall according to some recurrent and predictable life cycle. It is historians who retrospectively portray the process of imperial dissolution as slow-acting. Rather, empires behave like all complex adaptive systems. They function in apparent equilibrium for some unknowable period. And then, quite abruptly, they collapse.

Washington, you have been warned.

Niall Ferguson is a professor at Harvard University and Harvard Business School, and a fellow of Jesus College, Oxford. His latest book is "The Ascent of Money: A Financial History of the World." A longer version of this essay appears in the March/April issue of Foreign Affairs. foreign.affairs.com

Copyright © 2010, The Los Angeles Times