From rforno at infowarrior.org Thu Feb 1 09:04:31 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Feb 2007 09:04:31 -0500
Subject: [Infowarrior] - DRM in the BitTorrent and Broadband Age
Message-ID:

http://www.firingsquad.com/hardware/drm_editorial/

DRM in the BitTorrent and Broadband Age
January 31, 2007
Alan /.effect Dang

Summary: DRM can be a good thing. Unfortunately, the way DRM has been handled by the industry has not been so good.

Introduction

Digital Rights Management is a good thing. The problem is that the way digital rights management has been handled by the industry has not been so good. We have copy protection software that acts just like malicious viruses and rootkits.

Defining the Problem

The industry needs to recognize that it'll be impossible to stop piracy. The more complex, innovative, or intricate the content protection system, the more interest and zeal crackers will have in subverting such protection. If the US was unable to keep nuclear weapons technology secret after WW2, there is no way the MPAA can ask consumer electronics companies to keep movies and music 100% secure, especially when the whole intent of music/movies is to be seen and heard.

The industry needs to recognize that most people are reasonable. The US gaming industry is over $10 billion dollars. The home video market is over $24 billion dollars. If everyone was a pirate, shouldn't that be zero? Flawed logic, I know, but these are still thriving industries despite the fact that "most games" and "most movies" really just aren't special to begin with.

What's changed is how we choose to experience our media. We want movies that can be enjoyed in our home theater, airplane, or portable music player. We want security where a hard drive crash or malicious virus doesn't mean that we've lost the digital content we've purchased with our hard-earned money.
If our hardware is capable of enhancing the original content such as upsampling beyond 1080p, then let the consumer do so.

The industry needs to recognize that most people are... human. We may tell a store clerk they've given us too much change back, but our hunter-gathering DNA makes us look for bargains. Who among us hasn't jumped at a chance to stack multiple coupons or shopped at a clearance or special limited quantities sale? The promise of "free" movies and music is one that is hard to give up. When the CEO of Time Warner admits that his kids illegally downloaded music off the Internet too, it should show the industry that software piracy isn't something limited to l33t hax0rs.

That doesn't mean everyone jumps at the opportunity of a five-finger discount at your local Best Buy though. People are reasonable. The difference is that intuitively, stealing a physical item from a store is fundamentally different from copying bits in which the opportunity cost to the manufacturer is zero.

The Fundamental Issue

The general public just doesn't appreciate the true value of intellectual property. You can list off a ton of famous actors and directors, but how many famous screenwriters (who aren't directors or actors) can you name?

The HDCP Vision

The problem with DRM is that it hasn't been done correctly to date. Every implementation of DRM has only hurt honest users. More frustrating is that HDCP should have been the first to prove that DRM could be done in a reasonable manner.

The original idea of HDCP was to stop casual copying of high-definition uncompressed digital video. Since the decryption/encryption had to be done in real-time, the goal was to make the algorithm simple. The fact that HDCP has been demonstrated by computer science researchers to be easily compromised provided that a handful of keys are leaked isn't an issue. However, HDCP itself remains secure because its security is tied into licensing.
You can't buy the HDCP keys unless you agree not to use them in a recording device. The keys themselves are located in hardware, making it more difficult for casual users to crack. Movie studios were saying "we won't release digital HD content unless you electronics manufacturers guarantee that you won't build digital recording devices." The crypto ROMs, etc. were just ways to make this gentlemen's agreement formal.

In exchange for this gentlemen's agreement, enforced by relatively low-cost crypto ROMs, consumers should have been able to transparently enjoy HD content. Yes, early adopters of televisions would have to buy new TVs, but with HDCP, "advance warning" was available. Figuring out how to transcode content to portable players or other formats (i.e. a desktop PC or media server) would have been something to be addressed in the future (ultimately resulting in AACS and BD+). Remember, HDCP was simply intended to limit the creation of a high-definition VCR capable of recording "protected" content.

What ended up happening was that the graphics board manufacturers betrayed our trust, HDCP handshake protocols have been poorly implemented, and HDCP ended up being far from that "seamless" integration.

"Perfect DRM" already exists today. Perfect from both the perspective of consumers and the industry.

Perfect DRM

It's called the printed book. As big as the video game industry is, the book industry is bigger. Last year, Barnes & Noble, Borders, and Amazon pulled in $11.5 billion in terms of book sales (this isn't including sales of coffee or non-book items in these stores). Add in the sales of Wal-Mart, Target, and local independent retailers and you'll have to agree that it's still a big market even in today's age.

Go to any Barnes and Noble and you'll see a ton of people reading for free. Someone might walk into a B&N, pick up a magazine and read it cover to cover, or even pick up a self-help book, and read it while taking notes on a separate sheet of paper.
Sometimes, you might actually buy a book when you want to enjoy re-reading the material at home, or if you want it as part of your collection.

Books are cheap. Hardcover books are more expensive than paperbacks; and art books may be the most expensive of them all but the print quality and binding makes it all worth it.

Casual copying is possible but not easy. There's nothing stopping me from photocopying a whole book cover-to-cover, but very few of us have stacks upon stacks of copied books. It's too inconvenient to copy something when it's cheap enough to buy. Likewise, everyone has taken a class or two where the professor hands out a photocopied textbook chapter, recognizing that students are unlikely to find value from the rest of the textbook or beyond the term.

If a book publisher thought like the movie industry and wanted to prevent casual copying of a book, they would have made every page black text on a red background. It'd be so hard to read and intrusive that no one would ever buy a book again.

Finally, all of us can name plenty of famous authors. We recognize the effort and time an author has put into his work and may purchase a book in order to support an author in the hopes of seeing a sequel, even if only in theme.

The Difference Between Books and Movies

That's the predicament of digital music and digital video right now. Unprotected content over large BitTorrent networks is akin to having a Star Trek replicator. In order to have a DRM model that parallels the book model, you have to make copying music and movies as tough as photocopying a book.

Hollywood studios shouldn't panic about sites like YouTube or even the torrent sites. I can see the problems with leaked prerelease copies of shows like 24, but after a show has been broadcast, it's hard to make a reasonable common-man standard against sharing of the recording. You can already get the full book experience for free, and it doesn't stop people from buying books to support their favorite authors.
The next step is appropriate pricing. There's something wrong when a soundtrack CD costs almost as much as the entire movie on DVD. In countries like China, where pirated CDs can be bought by the pound, Hollywood has tried releasing lower-priced DVD movies with good success. Again, most people are reasonable. Just look at iTunes when it comes to music.

DVD movies and DVD television shows continue to have good sales thanks to bonus features like behind the scenes footage, or commentaries. Many people without an HDTV prefer DVDs for the 16:9 widescreen experience. As long as there is added value (think hardcover book) or convenience, physical media will continue to thrive.

The biggest hurdle will be promoting authorship. In books it's easy. In the movies, it's hard to get people excited about buying a DVD or Blu-Ray/HD-DVD to support the actor who already makes $20M a movie, or the director who's first in line for that latest supercar. People never hear about the screenwriters who may only get $100K for the first draft of their screenplay and another $30K for their second draft. Since a screenplay can take several years of work, many writers are making less than minimum wage. I challenge you to name ten successful screenwriters. Do you know who Terry Rossio and Ted Elliott are? What about Felix Chong and Siu Fai Mak? David Koepp?

Promoting the screenwriter also serves an additional purpose. Right now, it's easy to see the actor's work and even the director's work. It's tangible and direct. What's often lost is the contribution of the screenwriter. I'm not talking about the dialogue (ultimately only a minor element in the grand scheme of things) but in terms of the story, character, and theme. These are purely concepts of intellectual property. Until Hollywood can turn screenwriters into celebrities too, they'll never be able to convince the public to buy movies even if they can enjoy it for free in the same way the public buys books even after reading it for free.
The solution to movie piracy isn't fancier and more complex copy protection, it is bringing screenwriters, the creators of Hollywood's most conceptually-pure intellectual property, to the center stage. Only when Hollywood recognizes the value of pure intellectual property will consumers also recognize the true value of intellectual property and support their favorite screenwriter.

Why I'm hopeful

In some ways, the HD ecosystem is going to buy time to help DRM reach that magic steady state that we enjoy with books. With HD movies requiring huge amounts of space, there's already a barrier to casual copying if only for HDD space issues. The HD-DVD rips that have been unleashed onto the Internet still represent gigabytes and gigabytes of storage. As bandwidth and HDD space increases, technologies such as BD+ potentially will maintain sufficient copy protection to prevent casual copying while still ensuring that the optical disc is a) not counterfeit and b) can be used for managed copy (allowing you to transcode the content to portable players). Potentially being the key phrase -- the industry has had a rough enough start with HDCP.

People buy more DVDs than music CDs because they see it as a better value. Fortunately, HD content remains aggressively priced. Although Blu-Ray and HD-DVD products are more expensive than DVD products, prices will see more parity as production ramps up and more consumers transition to HD. DVD players launched at $1000 (FiringSquad's retired Editor-in-Chief Kenn Hwang spent that much on his Sony DVP-S7000) and by 2009 there will be no more analog TV in the United States.

I'm even hopeful about Hollywood increasing the visibility of screenwriters in the industry. As movies like Fight Club and TV shows like 24 and Heroes continue to push the envelope of storytelling and captivate an increasingly sophisticated audience, writers are increasingly forced to write more sophisticated movies.
A screenplay from a 1990's Van Damme movie wouldn't fly today. Would any movie which uses "it was just a dream" as a plot device work today? Only if it's told like A Beautiful Mind. The elite group of screenwriters who are capable of writing such movies is relatively small, and that is good news because it means Hollywood only needs to spend a lot of money on a small number of people.

So if anyone you know is a creative executive at a studio, debate with them why stories like Thank You For Smoking, Good Will Hunting, Napoleon Dynamite, Pirates of the Caribbean, Finding Nemo or God forbid, Titanic were more successful than Stealth, Lady in the Water, Basic Instinct 2, Poseidon, and Flushed Away...

© Copyright 2003 FS Media, Inc.

From rforno at infowarrior.org Thu Feb 1 09:09:10 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Feb 2007 09:09:10 -0500
Subject: [Infowarrior] - Hysterical website ToS
Message-ID:

(c/o BoingBoing)

I don't even know where to begin.

http://www.sleepingearthed.com/html/terms_of_use.html

*snickerlaughgiggle*

-rf

From rforno at infowarrior.org Thu Feb 1 09:14:38 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Feb 2007 09:14:38 -0500
Subject: [Infowarrior] - OpEd: Sony's mind trick
Message-ID:

Sony's mind trick
http://www.globalpov.com/archives/2007/02/post_41.html

Sony reached an agreement with the FTC over their infamous "rootkit" incident last year. Sony had installed an intrusive (and badly written) rootkit on some of their audio CDs, in such a way that when the consumer had bought the music and played it on their PC, the rootkit was surreptitiously installed on their hard drive. Once there, it would do things like stop the music from being copied onto MP3 players, monitor how the tunes were used and occasionally phone home to Sony and tell them what else the poor sap had on their computer.
(A rootkit is a program that installs itself on your computer and then twiddles the operating system to hide its presence--sort of like Obi Wan Kenobi using the Jedi mind trick on Imperial Stormtroopers "These aren't the droids you're looking for.")

The settlement worked out to $150 per user to repair damage to their computer. I haven't seen the details yet, but I imagine that the submitting user will have to show that there was in fact, repairable damage to their machine plus proof of purchase of the CD. In other words, although there were millions of CDs sold with the damaging software installed, it's unlikely that Sony will pay off on many of them. In fact, as per usual with this kind of settlement, the biggest beneficiaries will undoubtedly be the lawyers on both sides who probably high-fived each other in the hallways, congratulating each other on collecting another round of high-priced fees.

So, and this is a serious question--why isn't what Sony did an act of terrorism? Wilful attacks on private property, spying on American citizens and potential disruption of computer networks sound like something that the Taliban might have tried. Why aren't Sony executives being brought up on criminal charges?

The recording and motion picture industries have been getting away with a lot in this country in the last few decades. This is one of the most outrageous acts, but it's not an isolated incident. If Congress would get the entertainment industries' tongues and wallets out of their pants, perhaps they would protect us from these predatory actions on the part of companies like Sony.

I believe that there are worse things going on out there in cyberspace created and released by the Mad Doctors of Hollywood. Viruses and spambots, zombie nets and trojan horse files floating around the Internet plaguing our personal computers may in some part, someday, be traced back to these clowns at companies like Sony.
From rforno at infowarrior.org Thu Feb 1 09:20:05 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Feb 2007 09:20:05 -0500
Subject: [Infowarrior] - Fond Memory: The Short Life Of the Floppy
Message-ID:

Fond Memory: The Short Life Of the Floppy
http://www.washingtonpost.com/wp-dyn/content/article/2007/01/31/AR2007013102441_pf.html

By Jose Antonio Vargas
Washington Post Staff Writer
Thursday, February 1, 2007; C01

The last time I saw Floppy was at the library of Crittenden Middle School in Mountain View, Calif. It was an early spring morning in 1996. And blue, square, 3 1/2 -inch Floppy -- tired from a late night of writing and rewriting -- was his usual humble, upbeat, irreplaceable self.

No more.

This week PC World, one of the largest computer retailers in Europe, announced it will stop selling floppy disks once its existing stock is sold. Dell Computer Corp. stopped including floppy drives in its desktop computers four years ago. Walk into any Washington area high school today and you're more likely to see a 15-year-old listening to her cassette player -- it's a retro thing -- than toting a floppy disk storing her 10-page, double-spaced, annotated book report.

Floppy's gone, an artifact of that time back in the day when we called the new, exciting, mysterious creation of the Internet the World Wide Web. As Bryan Magrath, commercial director of PC World, told Britain's Daily Telegraph: "The sound of a computer's floppy disk drive will be as closely associated with 20th-century computing as the sound of a computer dialing into the Internet."

It's the same old story told again and again, the march of technology and time. Remember when you had a pager? In 1998?

Floppy was born way before that, in 1971, and underwent various makeovers in the '70s. The first time I saw Floppy he was really floppy, a 5 1/4 -inch iteration of plastic with a doughnut hole in the middle.
That thing really flopped -- not as in failed, of course, but as in you could wave it and watch it move. I thought he was so cool.

But it wasn't until the early 1980s, when personal computers became more common, that Floppy took off. He was ubiquitous. I got my hands on him as a sixth-grader at Crittenden. That 3 1/2 -inch Floppy was where I kept my WordPerfect documents, my Quattro Pro spreadsheets, my whatever needed keeping.

Then, of course, the CD-ROM came. And these days you can store your MP3s, video files, Web pages, anything on the Web, in a CD or a USB thumb drive.

Goodbye, Floppy. Oh, you can visit a few, if you want, probably stored in the same place as other relics, the eight-track and VHS. It will be next to the Apple IIc, sitting right atop your Super NES.

"It's weird. It's dead and it isn't," says 57-year-old Tom Persky of Floppydisk.com, a one-stop shop where you can buy floppies and get your floppy files transferred to CDs, among other things. There are 2 million floppies in his office in Orange County, Calif., he says, and business is strong. Someone, he says, is always finding a floppy disk that needs transferring.

See, Faulkner had it right. The past is always with us -- on Floppy.

From rforno at infowarrior.org Thu Feb 1 09:20:50 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Feb 2007 09:20:50 -0500
Subject: [Infowarrior] - FCC Releases Data on High Speed Services for Internet Access
In-Reply-To: <893065.54900.qm@web37903.mail.mud.yahoo.com>
Message-ID:

FOR IMMEDIATE RELEASE
January 31, 2007

NEWS MEDIA CONTACT:
Mark Wigfield at (202) 418-0253
Email: mark.wigfield at fcc.gov

FEDERAL COMMUNICATIONS COMMISSION RELEASES DATA ON HIGH-SPEED SERVICES FOR INTERNET ACCESS

High-Speed Connections to the Internet Increased by 26% in the First Half of 2006

Washington, D.C. -- The Federal Communications Commission (FCC) today released new data on high-speed connections to the Internet in the United States.
Twice a year, all facilities-based broadband providers are required to report to the Commission basic information about their service offerings and types of customers pursuant to the FCC's local telephone competition and broadband data gathering program (FCC Form 477). Statistics released today reflect data as of June 30, 2006.

For reporting purposes, high-speed lines are connections that deliver services at speeds exceeding 200 kilobits per second (kbps) in at least one direction, while advanced services lines are connections that deliver services at speeds exceeding 200 kbps in both directions. Commencing with the June 2005 data, we collect and report more detailed information about the speeds of in-service lines, provide finer distinctions among technologies, and collect and analyze information about the availability of high-speed Digital Subscriber Line (DSL) connections from incumbent local exchange carriers (incumbent LECs) and high-speed cable modem service from cable TV system operators.

1) High-Speed Lines

* High-speed lines increased by 26% during the first half of 2006, from 51.2 million to 64.6 million lines in service, compared to a 21% increase, from 42.4 million to 51.2 million lines, during the second half of 2005. For the full twelve month period ending June 30, 2006, high-speed lines increased by 52% (or 22.2 million lines). High-speed lines encompass advanced services lines and also include lines that deliver services at speeds exceeding 200 kbps in one, but not both, directions.

* Of the 64.6 million total high-speed lines reported as of June 30, 2006, 50.3 million served primarily residential end users.
Cable modem service represented 55.2% of these lines while 40.1% were asymmetric DSL (ADSL) connections, 0.2% were symmetric DSL (SDSL) or traditional wireline connections, 0.9% were fiber connections to the end user premises, and 3.7% used other types of technology including satellite, terrestrial fixed or mobile wireless (on a licensed or unlicensed basis), and electric power line.

* ADSL lines increased by 3.1 million lines during the first half of 2006 compared to an increase of 2.0 million lines for cable modem service. For the full year, ADSL increased by 6.3 million lines compared to an increase of 4.6 million lines for cable modem service.

2) Advanced Services Lines

* Advanced services lines, which deliver services at speeds exceeding 200 kbps in both directions, increased by 15% during the first half of 2006, from 43.8 million to 50.4 million, compared to an 18% increase, from 37.3 million to 43.8 million lines, during the second half of 2005. For the full twelve month period ending June 30, 2006, advanced services lines increased 35% (or 13.2 million lines).

* Of the 50.4 million advanced services lines reported as of June 30, 2006, 63.1% were at least 2.5 Mbps in the faster direction and 36.9% were slower than 2.5 Mbps in the faster direction. Of the 50.4 million advanced services lines, 45.9 million served primarily residential end users. Cable modem service represented 59.9% of these lines while 35.8% were ADSL connections, 0.2% were SDSL or traditional wireline connections, 1.0% were fiber connections to the end user premises, and 3.2% used other types of technology including satellite, terrestrial fixed or mobile wireless (on a licensed or unlicensed basis), and electric power line.

3) Geographic Coverage

*
As a nationwide average, we estimate that high-speed DSL connections were available to 79% of the households to whom incumbent LECs could provide local telephone service as of June 30, 2006, and that high-speed cable modem service was available to 93% of the households to whom cable system operators could provide cable TV service.

Providers list the Zip Codes in which they have at least one high-speed connection in service to an end user, and 99% of Zip Codes were listed by at least one provider. Our analysis indicates that more than 99% of the nation's population lives in those Zip Codes. The most widely reported technologies by this measure were satellite (with at least some presence reported in 90% of Zip Codes), ADSL (in 82% of Zip Codes), and cable modem (in 64% of Zip Codes). ADSL and/or cable modem connections were reported to be present in 88% of Zip Codes.

The summary statistics released today also include state-by-state information, and population density and household income information ranked by Zip Codes. As additional information becomes available, it will be posted on the Commission's Internet site.

The report is available for reference in the FCC's Reference Information Center, Courtyard Level, 445 12th Street, SW, Washington, DC. Copies may be purchased by calling Best Copy and Printing, Inc. at (800) 378-3160. The report can also be downloaded from the Wireline Competition Bureau Statistical Reports Internet site at www.fcc.gov/wcb/stats.

- FCC -

Wireline Competition Bureau contacts: James Eisner and Suzanne Mendez at (202) 418-0940, TTY (202) 418-0484.
From rforno at infowarrior.org Thu Feb 1 15:38:24 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Feb 2007 15:38:24 -0500
Subject: [Infowarrior] - Judges indicate domestic surveillance issue is not closed
Message-ID:

Judges indicate domestic surveillance issue is not closed
By Adam Liptak
Thursday, February 1, 2007
CINCINNATI
http://www.iht.com/articles/2007/02/01/news/spy.php

Three federal judges hearing the first appellate argument about the legality of a National Security Agency domestic surveillance program have indicated that they were not convinced the issue was moot now that the Bush administration has agreed to submit the program to review by a secret court.

In a series of sharply worded questions to an administration lawyer defending the program, the judges on Wednesday noted that the administration did not promise to continue working with the secret court in the future.

"You could opt out at any time, couldn't you?" asked Judge Ronald Gilman of the 6th U.S. Circuit Court of Appeals.

Gregory Garre, a deputy solicitor general, acknowledged the possibility.

The judges pressed Garre's adversary, Ann Beeson of the American Civil Liberties Union, just as hard on a different point -- whether her clients had suffered injuries direct and concrete enough to give them standing to sue.

"Explain to me how we get to a finding of standing?" asked Judge Julia Gibbons. Gibbons repeated the question in similar form several times.

Beeson said the plaintiffs, who include lawyers and journalists, have had to change the way they communicate with clients and sources in the Middle East because they feared that their discussions would not be confidential.

But Gibbons and Judge Alice Batchelder seemed skeptical about whether that sort of general and speculative fear was sufficient.

The government has refused to say whether it eavesdropped on the plaintiffs.

"Telling our enemies who is the subject of surveillance would reveal information that could harm the national security," Garre said Wednesday.

The ACLU brought suit last year after The New York Times disclosed the existence of the program, which monitors the international communications of people in the United States without court approval. In August, Judge Anna Diggs Taylor of the U.S. District Court in Detroit ordered the program shut down. The decision has been suspended during the appeal to the 6th Circuit.

Gilman raised the possibility that the legality of the program might never be adjudicated. "If the plaintiffs here don't have standing," he said, "who would possibly have standing?"

While Garre urged the court to dismiss the case under threshold questions like mootness and standing, Beeson tried to steer the judges toward its merits.

"A failure to decide the case will leave it up to the president whether and when to follow the law," Beeson said.

Over the course of the litigation, the government has refined some of its arguments. Early statements from various administration officials appeared to concede that the program violated the Foreign Intelligence Surveillance Act of 1978. But the government's appellate filings say that is an open question and one that cannot be answered without disclosing state secrets.

At several points in the argument, Garre said that the so-called state secrets privilege was a litigation showstopper. The privilege requires courts to limit or dismiss cases when allowing them to proceed would disclose information harmful to national security.

Several courts have ruled, however, that the administration's general description and defense of the NSA program meant that it was no longer secret and that questions about its legality could be decided without raising national security concerns.
Assuming the court finds a path through the thicket of preliminary objections, it will be left with the question of whether the president was entitled to ignore the 1978 law when he authorized eavesdropping that bypassed warrants.

Garre said that a 2001 congressional authorization to use military force after the Sept. 11, 2001, terrorist attacks overrode the law.

Gilman seemed unconvinced. "I understand your argument," he said. "I'm not sure I agree with it."

The administration has also said that the president has the constitutional power, regardless of what Congress has to say, to conduct foreign intelligence surveillance in wartime.

Taylor's decision striking down the program was sweeping, and her reasoning, which was in places unorthodox, attracted criticism even from legal scholars who supported her conclusion.

In its public briefs, the government said Taylor had taken "the unprecedented step of permanently enjoining a foreign intelligence gathering program authorized by the commander in chief to protect the nation from foreign attacks in wartime."

The government has also filed classified versions of its briefs and other documents, which are available only to the judges.

Batchelder was appointed by President George H.W. Bush, Gilman by President Bill Clinton, and Gibbons by President George W. Bush.

From rforno at infowarrior.org Thu Feb 1 16:43:58 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Feb 2007 16:43:58 -0500
Subject: [Infowarrior] - Accountability Is Key Goal of Privacy Legislation
Message-ID:

Accountability Is Key Goal of Privacy Legislation
Rep. Frank Wants Added Protections for Consumers
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/01/AR2007020100748_pf.html

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, February 1, 2007; 10:19 AM

Data privacy is likely to be among the hottest technology issues to face Congress this year, thanks in part to interest from the new chairman of the powerful House Financial Services Committee.

Panel Chairman Barney Frank (D-Mass.) said he plans to craft a bill by working with the head of the committee overseeing commerce issues. His measure would exempt companies from disclosing data breaches, provided they secure the data with encryption software, or some other technology that would render it virtually unreadable if it fell into the wrong hands.

Frank also said he wants retailers to be held more accountable for data breaches. Earlier this month, TJX Companies, the Massachusetts-based parent company of discount retailers TJ Maxx and Marshalls, disclosed that hackers had broken into its credit card processing network, exposing financial details on millions of Americans. This week, the Massachusetts Bankers Association said that some of its member banks have reported fraudulent transactions associated with the data breach. Credit card issuers have contacted at least 60 banks affected by the break-in, the MBA said.

While more than 30 states have laws requiring companies to alert residents of a data breach, most of the statutes let the affected company delay notifying banks while law enforcers investigate. Frank said retailers should be required to notify banks that issued the compromised credit card accounts so that financial institutions can issue customers new cards before fraud occurs.

"For too long, retailers have been immunized from having to own up when it's their mistake through contractual protection from Visa and MasterCard," Frank said. Officials from Visa and MasterCard declined to comment for this story.
But Mallory Duncan, senior vice president of the National Retail Federation, said Frank's proposal was an effort by some smaller banks to shift more of the costs of fraud to retailers. "Most of the larger banks have very sophisticated, round-the-clock fraud monitoring systems in place, but a lot of the smaller institutions don't have those systems, Duncan said. "These institutions have abdicated their responsibilities in this regard, and now they want retailers to pay for it." More than 100 million Americans have had their personal data compromised due to data breaches or mishaps, according to the Privacy Rights Clearinghouse. The data breach bill that enjoyed the most support from industry and consumer groups last year -- offered by California Democratic Sen. Dianne Feinstein -- would require any organization holding personal data to notify consumers upon learning of a data breach. Feinstein's measure contains fairly broad exemptions, and it would preempt many tougher state laws. Feinstein's bill, among the first to be reintroduced this year, also would require companies to notify consumers of a breach regardless of whether the data was encrypted, although companies would only be forced to notify if records on at least 10,000 customers were jeopardized. But it is far more palatable to consumer groups than a proposal that came close to a vote in the House of Representatives last year. That measure would have barred most consumers from requesting "security freezes" on their credit files. It also would have given businesses greater discretion in determining when consumers should be notified about a data breach. Liz Gasster, acting executive director of the Cyber Security Industry Alliance, said her member companies would lobby for the inclusion of a legal liability exemption for data breaches that involve stolen or lost personal information that has been protected by encryption technology. 
"We want to ensure that if companies take steps like using encryption as part of their overall security plan that there would be some sort of safe harbor limitation on liability, said Gasster, whose group represents some of the world's largest computer security firms. David Sohn, staff counsel for the Center for Democracy & Technology, a policy group in Washington, said an encryption exemption in a data breach bill would help avoid alarming consumers over data breaches that have a very low likelihood of compromising their personal information. "So long as [the legislation] is written not to exempt companies that also have their encryption keys [needed to unscramble encrypted data] stolen along with their customers' information, there is a strong argument to be made that sending notices to consumers in those cases could desensitize people into not being vigilant in cases where it really matters," Sohn said. While some major corporations -- most recently Microsoft -- have expressed support for some kind of federal consumer privacy law to govern how companies can use, combine and trade consumer data, the effort to produce baseline privacy protections for consumers may be among the most contentious of policy debates, said Fred von Lohmann, a senior staff attorney with the Electronic Frontier Foundation. "Data privacy is one of those areas where you're going to have very big corporate interests on both sides," von Lohmann said. "The question with this issue -- as with others -- becomes, is this an area where dueling interest groups will make it difficult for Congress to come to an effective solution, or is it something that's moving so fast that anything Congress is likely to do will end up obsolete a year or two from now?" 
Consumer groups also expect corporate- and government-backed data mining practices to receive heavy scrutiny from this Congress, in part because the Senate Judiciary Committee is now headed by Patrick Leahy, a Democrat from Vermont known for his staunch advocacy on consumer privacy matters.

The Bush administration has come under heavy fire from privacy advocates for its data mining initiatives and for pressuring Internet service providers to dramatically extend the length of time that they retain records of their customers' online activities. In a shining example of how few technology policy concerns divide neatly along partisan lines, the administration's data retention plan was backed with legislation offered by Rep. Diana DeGette, a Democrat from Colorado.

Leahy declined to comment for this story, but in a speech at the Georgetown University Law Center following the mid-term election, Leahy said he plans to introduce legislation to curtail what he called the "proliferation of data brokers and the burgeoning market for collecting and selling personal information."

From rforno at infowarrior.org Thu Feb 1 16:49:17 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Feb 2007 16:49:17 -0500
Subject: [Infowarrior] - Shooting the Messenger
Message-ID:

Shooting the Messenger

Linda J. Bilmes, a lecturer in public policy at Harvard University, calls her latest paper "pretty dry." That hasn't prevented it from riling high-ranking Pentagon officials -- who called her and her dean to complain about her work. When they questioned her sources of material, they ran into a bit of a problem: She did most of her research with data on federal Web sites. So what did the Pentagon do? It changed the Web sites, and now continues to trash her research. Bilmes has become a leading expert on economic questions related to the war in Iraq, and her experience the last few weeks demonstrates how social scientists can end up in the line of political fire when their findings -- however dry -- offend government officials.

< - >

http://www.insidehighered.com/news/2007/01/30/injuries

From rforno at infowarrior.org Thu Feb 1 16:50:50 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Feb 2007 16:50:50 -0500
Subject: [Infowarrior] - Avoiding tech traps for the unwary
Message-ID:

Avoiding tech traps for the unwary
By Bartlett Cleland
http://news.com.com/Avoiding+tech+traps+for+the+unwary/2010-1028_3-6155081.html
Story last modified Thu Feb 01 10:35:04 PST 2007

Congress and the White House are key technology players in America, but it's time for them to learn how technology really works, what drives innovation and how to get government out of the way of what could be a spectacular future.

There are many issues to be addressed--issues that have been ignored. Congress tends instead to housecleaning items that are not as important as creating a permanent tax credit for research, permanently eliminating the threat of taxation discrimination against e-commerce, or even thoroughly reforming the tax code to produce an innovation economy.

Some members of Congress do understand the importance of getting technology issues right for economic security reasons and guaranteeing that our civil rights are not eroded electronically. They have joined the Internet Caucus, a bipartisan group of members of the House and Senate who work to educate their colleagues about the promise and potential of the Internet. They are advised by the Congressional Internet Caucus Advisory Committee, an educational organization composed of nonprofit and industry representatives. This committee annually hosts a conference, reception and a technology exhibition known as the State of the Net Conference--which took place earlier this week.

This year's conference focused on some of the most pressing concerns in the world of technology and public policy, such as global broadband, copyright, child safety and a handful of Web 2.0 issues.
Broadband

Ubiquitous broadband has long been desired by the technology industry, consumers and policy makers for health and safety reasons among others. The marketplace is working with new competitors, new products and great consumer demand. Government does not need to intervene with a so-called better way. Want to end innovation? Then try Net neutrality, which would only guarantee market share and monopoly-like status to powerful incumbent companies.

Property rights

Similarly, Congress must be skeptical of efforts to define property rights as antithetical to consumers' interests. In fact, copyright contributes mightily to the incentive to create--knowing that one can profit from one's own talents, intelligence or creativity. Those creators exploit their property themselves, contract with others to do so, sell their creations, or sometimes choose to do nothing. These fundamental rights must be protected. We cannot allow others to steal with impunity. Just the theft of movies costs our economy $20.5 billion a year, more than 141,000 jobs annually and $837 million in lost tax revenue a year--imagine adding in all the copyrighted industries.

Business models

One more trap for the unwary would be to curtail cutting-edge applications, technologies or business models. Overly broad language in legislation or a lack of technical understanding of how applications work can quickly eliminate companies or even budding industries. Congress must keep its hands off new advertising models or direct payment schemes that will be launched. Of course it must guard against fraud and criminality, but instead of fearing what lies ahead, Congress should marvel at the innovation.

Child safety

Importantly, Congress and the White House can play a pivotal role in helping to protect our nation's children--not by passing another law to make illegal what already is illegal, and not by passing more impotent content restrictions. Instead, they can demonstrate real leadership where leaders are most needed--in the home. Our elected leaders should use the profile that they enjoy on the national and local stage, in conjunction with such efforts as the Internet Caucus Advisory Committee's GetNetWise to educate parents how to protect children before predators strike. Perhaps they also could barnstorm the country with one message: "Talk with your children."

We must insist that our leaders embrace the future. Too many have long fixated on the rung of the economic ladder on which we now stand. Instead, they should be firmly grasping the next rung--our future success. Let's hope that Congress learns what indeed drives innovation and how to get government out of the way of America's future.

Copyright ©1995-2007 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Thu Feb 1 20:56:31 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 01 Feb 2007 20:56:31 -0500
Subject: [Infowarrior] - Opinion: Four laws Congress needs to pass now to boost computer security
Message-ID:

Opinion: Four laws Congress needs to pass now to boost computer security
Ira Winkler
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9009984&pageNumber=1
February 01, 2007 (Computerworld)

Even though we have a new Congress, I doubt that much will change with regard to computer security. While a law related to identity theft will probably be passed in one form or another, I expect that it will be trivial and not deal with preventing the theft of individuals' personal information. Corporate lobbyists have proved themselves to be too adept at manipulating members of Congress so they don't pass laws requiring companies to be proactive, especially with regard to security measures.

Identity theft is a symptom of poor computer security. There are two underlying methods of identity theft: hacks of vendor computers, and client-side attacks.
Vendor hacks are the result of poor security on the part of the vendor and often lead to the theft of thousands, or millions, of credit card numbers, at once. The laws passed in this regard basically state requirements that vendors have to follow once data is stolen. However, they do not lay out computer security requirements. The hope is that if vendors have to act if their security fails, they will try to better protect themselves. All you have to do is browse Computerworld.com to see how well that's working.

Congress, however, has taken no action to address client-side attacks targeting the end user. These include phishing, keystroke logging and virus attacks. The underlying enabler of these attacks are the bot networks that grow unchecked.

Botnets are networks of PCs that have been compromised by a remote attacker through known vulnerabilities on the PCs. The attacker then has the compromised PCs do his bidding without the knowledge of the PCs' owners. Bots send out billions of spam e-mails and their evil cousins, phishing messages. Just as important, bots are used for distributed denial of service attacks. DDOS attacks use thousands of computers to simultaneously send data packets to a victim's computer to overwhelm the computer and the supporting network infrastructure.

The attackers then use the DDOS attacks to extort money from owners of various Web sites. For example, it's common for online gambling sites to be threatened prior to a major sporting event, where the attacker will say, "Unless you pay me $50,000, I will take you down for a day before the event." A successful attack could cost a good-sized gambling site more than $1 million.

Likewise, DDOS attacks have targeted critical elements of the Internet, such as the root DNS servers. Those attacks have crippled segments of the Internet for periods of time. It should be expected that similar attacks will occur in the future and will attempt to do even more damage. Frankly, I believe that if there is a significant Internet attack, it will involve bot networks.

So, for Congress to do anything that helps protect consumers and the critical Internet infrastructure as a whole, it must pass laws that require proactive processes to protect computers, not that tell people how to deal with the resulting mess.

Here are more reasons for enacting computer security laws:

* According to reports, the percentage of unsolicited e-mail sent out via bot networks is in excess of 90%. Messages are also growing in size. The number and the size of messages will only continue to grow, so you can assume a very large percentage of Internet traffic is a result of bots.

* From my personal observations, an unprotected computer will fall victim to dozens of attacks an hour. This implies that botnet scans are constant and responsible for a large volume of Internet traffic.

* Botnet-related attacks result in billions of dollars in lost productivity and added costs annually. ISPs and large organizations spend billions to increase bandwidth as spam and other botnet-related attacks take up network volume, and billions more is spent on security software and the related hardware to prevent botnet-related attacks.

With the above in mind, the following laws are needed to at least begin to protect businesses, consumers and the Internet itself:

1. Make ISPs (and all organizations providing computer access to more than 100 people) responsible for filtering scan and attack traffic across their networks. ISPs were declared "publishers" by the Child Online Protection Act. The legal effect of this was that ISPs were found to be not responsible for the content or intent of the data packets going across their networks. While it may be reasonable to say that an ISP might have no clue that a JPEG file going across its network has child pornography, thousands of ACK packets sent instantaneously are a different story. Attack and scan traffic is easy for ISPs to detect and block. The more scans that are blocked, the fewer compromised systems there will be. Any increase in time to process data packets is easily made up by the overall decrease in the amount of network traffic.

2. Make ISPs (and all organizations providing computer access to more than 100 people) responsible for knocking customer PCs off their network if they become bots. Any system that is clearly behaving as a bot should be immediately logged off a network. An end user who starts flooding the network with tens of thousands of e-mail messages, or who starts to send hundreds of thousands of DOS packets, is clearly compromised or otherwise abusing privileges. It is blatant and therefore easy to spot. More important, it is easier to identify and stop offending traffic at the source than for a victim under attack to identify and contact the appropriate administrators to stop the attacks.

3. Make end users liable if losses are incurred because of outdated security software. We cannot push all requirements to the ISPs. End users who leave their computers vulnerable to being controlled by others are also at fault. All PCs connected to the Internet should have the latest patches installed, as well as updated firewall, antivirus and antispyware software. While these tools won't prevent everything, they can decrease a computer's susceptibility to compromise exponentially. Those who fall victim to an attack because they don't have the appropriate software and updates would be financially responsible for their own loss and potentially the loss they cause others. Just as individuals are legally required to keep their cars in safe condition to protect others on the road, they should be required to keep their computers safe to protect others on the Internet.

4. Write some kind of law concerning efficient security software. I have been wrestling with how to word this one. A law like this is especially important if people are required to install and run security software. People have uninstalled their antivirus and antispyware software because it brought their systems to a crawl. Security software vendors must make performance a critical feature of their software.

While there are other laws I could recommend, these are the most fundamental and easy to implement. I know there may be criticisms. For example, some smaller, and even larger, ISPs and organizations will say they can't afford the software and staffing needed to kill end-user access as required. First, these companies are already spending money to provide bandwidth for all of the malicious traffic. Second, if they can't afford to protect their network properly, they shouldn't be in that business.

That is probably the key point. Can you imagine a trucking company saying that highway safety laws shouldn't be enacted because that would be too expensive? Likewise, can you imagine a private citizen saying that he doesn't want to properly maintain a car's safety? Of course not, as they would be endangering the safety of others. If people want to have access to the Internet, or financially profit from it, they should likewise be required to take precautions so that they don't endanger others.

All of the current regulatory discussions in Congress and local legislatures generally involve identity theft and are in reaction to the current hype. They are also reactionary in their effects in that they deal with what to do after information is stolen, and not with the fact that the thefts should have been prevented in the first place. Most important, they do not fundamentally improve security. We need laws that are proactive in preventing identity theft and all other likely attacks. These proposed laws go a long way in doing so.

Ira Winkler is president of the Internet Security Advisors Group. He is a former National Security Agency analyst and author of Spies Among Us (Wiley, 2005).
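Winkler's points 1 and 2 rest on the claim that scan traffic and bot behaviour are "blatant and therefore easy to spot" at the ISP: a customer host that suddenly contacts tens of thousands of mail servers, probes one port across a whole address range, or emits hundreds of thousands of packets stands out against its own baseline. The Python below is an added illustration of that idea, not code from the column or from any ISP product. It applies per-source, per-minute thresholds to NetFlow-style records: SMTP fan-out (spam bot), distinct destinations on a single port (horizontal scan, the "scan traffic" of point 1) and total packet volume (flood). The Flow record layout, the threshold values and the sample traffic are all constructed for the example; a real deployment would tune the thresholds per customer class and feed the findings to an abuse-handling workflow rather than act on them blindly.

```python
"""Threshold detection of bot-like hosts over NetFlow-style records.

Added example: the Flow layout, thresholds and sample traffic below are
constructed for illustration and are not taken from any real deployment.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds
    src: str       # customer-side source address
    dst: str       # destination address
    dport: int     # destination port
    packets: int   # packets carried by the flow


SMTP_PORT = 25
WINDOW = 60  # seconds per detection window

# Illustrative thresholds (assumed values, not from the article).
MAX_SMTP_DESTS = 50     # distinct mail servers contacted per window
MAX_SCAN_DESTS = 100    # distinct hosts hit on one port per window
MAX_PACKETS = 100_000   # total outbound packets per window


def bucket_by_source(flows, window=WINDOW):
    """Group flows by (source address, window index)."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, f.ts // window)].append(f)
    return buckets


def classify(flows):
    """Return {src: set of reasons} for sources exceeding any threshold."""
    findings = defaultdict(set)
    for (src, _win), fl in bucket_by_source(flows).items():
        # Spam bot: one short connection to each of many mail servers.
        smtp_dsts = {f.dst for f in fl if f.dport == SMTP_PORT}
        if len(smtp_dsts) > MAX_SMTP_DESTS:
            findings[src].add("smtp-fanout")
        # Horizontal scan: the same port probed on many distinct hosts.
        dsts_by_port = defaultdict(set)
        for f in fl:
            dsts_by_port[f.dport].add(f.dst)
        if any(len(d) > MAX_SCAN_DESTS for d in dsts_by_port.values()):
            findings[src].add("horizontal-scan")
        # Flood: packet volume far above what a workstation normally emits.
        if sum(f.packets for f in fl) > MAX_PACKETS:
            findings[src].add("packet-flood")
    return dict(findings)


def constructed_flows():
    """Synthetic one-minute capture: one benign host and three misbehaving ones."""
    flows = []
    # 10.0.0.5: a workstation browsing a handful of HTTPS sites.
    for i in range(5):
        flows.append(Flow(10 + i, "10.0.0.5", f"93.184.216.{i}", 443, 40))
    # 10.0.0.77: spam bot delivering to 80 distinct mail servers.
    for i in range(80):
        flows.append(Flow(12, "10.0.0.77", f"198.51.100.{i}", SMTP_PORT, 10))
    # 10.0.0.88: scanner probing port 445 on 300 hosts, one packet each.
    for i in range(300):
        flows.append(Flow(20, "10.0.0.88", f"203.0.{113 + i // 250}.{i % 250}", 445, 1))
    # 10.0.0.99: flooding a single target with 20 large flows.
    for _ in range(20):
        flows.append(Flow(30, "10.0.0.99", "192.0.2.10", 80, 10_000))
    return flows


if __name__ == "__main__":
    for host, reasons in sorted(classify(constructed_flows()).items()):
        print(host, sorted(reasons))
```

Each rule keys on a different dimension (destination diversity on port 25, destination diversity on any one port, raw volume), so a host that trips one rule does not automatically trip the others; the benign workstation trips none. The per-window bucketing is what keeps the thresholds meaningful: the same 80 SMTP destinations spread over a day would be unremarkable for a small mail relay.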
From rforno at infowarrior.org Fri Feb 2 09:10:26 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 02 Feb 2007 09:10:26 -0500
Subject: [Infowarrior] - NFL's copyright/trademark nuttyness
Message-ID:

Great way to attract fans, eh? -rf

C/o J.V.

On a side note, watching the game on a screen greater than 55" can constitute copyright infringement according to a paragraph of 17 USC (http://tinyurl.com/3cymnj)

NFL won't let church show game
http://sportsillustrated.cnn.com/2007/football/nfl/specials/playoffs/2006/02/01/bc.fbn.superbowl.church.ap/index.html?eref=rss_topstories

INDIANAPOLIS (AP) -- The NFL has nixed a church's plans to use a wall projector to show the Colts-Bears Super Bowl game, saying it would violate copyright laws.

NFL officials spotted a promotion of Fall Creek Baptist Church's "Super Bowl Bash" on the church Web site last week and overnighted a letter to the pastor demanding the party be canceled, the church said.

Initially, the league objected to the church's plan to charge a fee to attend and that the church used the license-protected words "Super Bowl" in its promotions. Pastor John D. Newland said he told the NFL his church would not charge anyone and that it would drop the use of the forbidden words.

But the NFL objected to the church's plans to use a projector to show the game, saying the law limits it to one TV no bigger than 55 inches.

The church will likely abandon its plans to host a Super Bowl party.

"We want to be supportive of our local team," Newland said. "For us to have all our congregation huddled around a TV that is big enough only for 10 or 12 people to watch just makes little sense."

NFL spokesman Greg Aiello said the league's long-standing policy is to ban "mass out-of-home viewing" of the Super Bowl. An exception is made for sports bars and other businesses that show televised sports as a part of their everyday operations.

"We have contracts with our (TV) networks to provide free over-the-air television for people at home," Aiello said. "The network economics are based on television ratings and at-home viewing. Out-of-home viewing is not measured by Nielsen."

It is also the reason no mass viewings are planned in large arenas like the RCA Dome or Conseco Fieldhouse.

Newland said his church won't break the law.

"It just frustrates me that most of the places where crowds are going to gather to watch this game are going to be places that are filled with alcohol and other things that are inappropriate for children," Newland said. "We tried to provide an alternative to that and were shut down."

Other Indiana churches said they are deciding whether they should go through with their Super Bowl party plans, given the NFL's stance.

___

Information from: The Indianapolis Star, http://www.indystar.com

Copyright 2007 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

From rforno at infowarrior.org Fri Feb 2 09:13:13 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 02 Feb 2007 09:13:13 -0500
Subject: [Infowarrior] - CSIS: Overreacting to risk means we're 'giving in to fear'
Message-ID:

Too much secrecy helps terrorists
CSIS: Overreacting to risk means we're 'giving in to fear'
http://tinyurl.com/2koeb9
Ian MacLeod
The Ottawa Citizen
Saturday, January 27, 2007

Canada's spy master, of all people, is warning that excessive government secrecy and draconian counterterrorism measures will only play into the hands of terrorists.

"The response to the terrorist threat, whether now or in the future, should follow the long-standing principle of 'in all things moderation,' " Jim Judd, director of the Canadian Security Intelligence Service, said in a recent Toronto speech.
"The response must be calibrated carefully so as to optimally protect Canadians and Canadian interests while containing an often natural disposition of giving in to fear and panic."

Even so, he offered a candid -- and bleak -- assessment of the threat posed by terrorism.

"I regret to say that, at this juncture, there appears to be little prospect in the near term for the threat to dissipate. Successfully countering the current terrorist threat is going to be a very difficult and longer-term challenge."

Authorities, he said, are faced with an imaginative adversary and "it could be argued that traditional responses -- military, security, intelligence and law enforcement -- will go only so far in countering this threat.

"We are dealing with an adaptive adversary that learns from its mistakes, our mistakes and vulnerabilities, and our operational methods. It is an adversary that is not going to favour us with mindless repetitiveness in its actions."

He admitted officials do not yet fully understand a crucial element in combating terrorism -- the process of radicalization that can lead individuals, especially young Muslims raised in Canada and other democracies, to embrace terrorism.

That remark at the recent Raoul Wallenberg International Human Rights Symposium was followed yesterday by details from a CSIS study that found a "very rapid process" is transforming some youths from angry activists into jihadist terrorists intent on killing for their religion.

The study, obtained by the National Post under the Access to Information Act, says a few have embraced terrorism with frightening speed after becoming enraged over what they perceive as a western "war on Islam" and being coaxed on by extremist preachers.

"The most important factor for radicalization is the perception that Islam is under attack from the West. Jihadists also feel they must pre-emptively and violently defend Islam from these perceived enemies," it concludes.

The study is the government's latest attempt to understand why a handful of Canadian Muslims are alleged to have become involved in terrorist plots. It comes as a preliminary hearing is under way in Brampton for four of 18 suspects charged for their alleged role in a Canadian terrorist group accused of plotting attacks in southern Ontario.

Mr. Judd's comments are similar to those made in November by Dame Eliza Manningham-Buller, the normally very private head of Britain's MI5 security service. In a major public speech, she predicted the fight against terrorism will last a generation and warned that radicalization, especially of young people, was one of the biggest problems facing anti-terror investigators. Three of the four men who attacked three London subways and a red double-decker bus on July 7, 2005, were British-born.

In his speech, Mr. Judd said governments and societies must measure their response to terrorism by keeping in mind that it is driven by the aspirations and actions of a select group of individuals and groups.

"We therefore have to avoid falling prey to the terrorist propaganda which would have people believe that this is a clash of civilizations or cultures or religions," he said. "Our own response therefore has to be carefully modulated and very focused.... And we have to be very careful in our use of language on these issues.

"Over-reaction to terrorism, it should be remembered, is a fundamental objective of most terrorists in history. We should not accommodate their goals in this regard."

Though organizations such as CSIS, he said, are often seriously constrained in what can and cannot be said publicly "we do have to play our part in this dialogue, something we have been doing much more of in the last several years.

"Broader public education and engagement is critically important to ensure a dialogue that is well-informed, robust and balanced. This is particularly the case with those diverse communities in our societies who may feel most threatened by the efforts to contain this terrorist threat."

Canadians cannot afford to see these communities withdraw or close in on themselves for fear of being unfairly associated with the actions of what amounts to a relatively few individuals, he said.

"More broadly, there is a risk that, absent adequate public dialogue and a surfeit of secrecy, the justification for action by governments against terrorism will be undermined or misunderstood. This in turn can put in jeopardy the legitimacy of the government response."

A careful, broadly based and multi-faceted national and international response to the issue is going to be required to prevail, he said.

"Democracies have taken a long period to develop and their values, laws and institutions continue to provide inspiration to those without the luxury of living in one. It is thus essential that in responding to threats such as terrorism we do so in a fashion that best reflects what democracies stand for."

Ran with main story "Air Security: Chairman of Agency ?

© The Ottawa Citizen 2007

From rforno at infowarrior.org Fri Feb 2 09:15:14 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 02 Feb 2007 09:15:14 -0500
Subject: [Infowarrior] - DRM on 9/11 Commission Report
Message-ID:

http://www.techliberation.com/archives/041976.php

This is nothing new, but it's something that grinds my gears to no end, and that's how the DMCA makes it illegal for me to use works that are completely in the public domain. Researching my previous post, I had occasion to download and read a PDF of the 9/11 Commission Report. This is a report created by the federal government and therefore has no copyright; it is in the public domain. If I click to enter a password it tells me that I have permission to read and print the document, but not to copy from it.
Because there is no copyright, the government has no right to prevent me from copying. I could circumvent the DRM on the PDF, but then it's possible that I'd be violating the DMCA (not the way I read it, but I'd have to take the risk). Even if I'm not breaking the law by circumventing the DRM, how am I supposed to do that? I have no hacking skills; I'm just a non-profit lawyer trying to read a government document. Normally I'd buy some software utility that would let me do this, but such a utility is something the DMCA definitely prohibits. I better start writing my petition for a Copyright Office exemption next time they grant them in two years. From rforno at infowarrior.org Sat Feb 3 21:42:56 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 03 Feb 2007 21:42:56 -0500 Subject: [Infowarrior] - 'Electric Slide' on slippery DMCA slope Message-ID: 'Electric Slide' on slippery DMCA slope By Daniel Terdiman http://news.com.com/Electric+Slide+on+slippery+DMCA+slope/2100-1030_3-615602 1.html Story last modified Sat Feb 03 07:45:52 PST 2007 'Electric Slide' on slippery DMCA slope The inventor of the "Electric Slide," an iconic dance created in 1976, is fighting back against what he believes are copyright violations and, more importantly, examples of bad dancing. Kyle Machulis, an engineer at San Francisco's Linden Lab, said he received a Digital Millennium Copyright Act takedown notice about a video he had shot at a recent convention showing three people doing the Electric Slide. "The creator of the Electric Slide claims to hold a copyright on the dance and is DMCAing every single video on YouTube" that references the dance, Machulis said. He's also sent licensing demands to The Ellen DeGeneres Show, Machulis added. 
Indeed, Richard Silver, who filed the copyright for the Electric Slide in 2004, said on one of his Web pages that the DeGeneres Show had been putting up a legal fight as he tried to get compensation for a segment that aired in February 2006 in which actress Teri Hatcher and other dancers performed the popular wedding shuffle. The 1998 Digital Millenium Copyright Act governs copyright infringement as well as technology whose purpose is to circumvent measures intended to protect copyrights. Under the DMCA, rights-holders can complain to services like YouTube that content uploaded by users infringes their copyrights. Silver did not respond to an e-mail sent Friday asking for comment and did not answer several phone calls to his Groton, Conn., home. A representative for the DeGeneres Show declined to comment. But on the YouTube page Silver himself posted showing the Electric Slide, he wrote, "Any video that shows my choreography being done incorrectly is being removed. I don't want future generations having to learn it wrong and then relearn it as I am being faced with now because of certain sites and (people) that have been teaching it incorrectly and without my permission. That's the reason I (copyrighted) it in the first place." YouTube has been dealing with a slew of DMCA takedown claims recently. Viacom on Friday demanded the service remove a hundred thousand videos it claimed infringed its copyrights. Some may find it odd that a dance could be copyrightable, of course. But according to Jason Schultz, a staff attorney with the Electronic Frontier Foundation, dance moves can definitely be protected under copyright law. "You can copyright the choreography for dances," said Schultz, "and then enforce the copyright against anyone who publicly performs the dance." Does that mean that everyone who giggles their way through the Electric Slide with the wedding videographer shooting away is violating copyright? No, but the videographer could be at risk. 
But Schultz said he believes Silver's claims against Machulis and others who have posted videos on YouTube may be questionable. "Someone who performs it noncommercially or adds their own artistic flair to the dance has a pretty good fair-use argument that their performance is noninfringing," Schultz said. Because there are only about 20 seconds of actual footage of people doing the Electric Slide out of Machulis' nearly five-minute video, Silver's claim may be on shaky ground, Schultz said. "Here, it's such a small piece of the video, and such a small piece of the dance (that) I think if (Silver brought) a copyright lawsuit, he would lose," he said. Joe Pesci, Electric Slide master Machulis, who has reposted his video on another online site, said he is considering a counterclaim on the theory that Silver's copyright applies only to a videotape of his original tutorial of the dance. But Schultz said the format isn't a concern in this case. A blogger named Rob Lathan also recently said he got a DMCA takedown notice from YouTube. Lathan had posted a video of himself dancing the Electric Slide on stilts on NBC's Today Show. Now, he said on his blog, his video had been removed by YouTube after a complaint by Silver. But Lathan seemed nonplussed by Silver's complaint. "I'm gonna fight him with everything I've got," he wrote. "And you know what that is, right? My trusty pair of shiny red stilts." It appears Silver has for several years aggressively defended his copyright on the dance. In 2004, Silver apparently wrote an e-mail to Donna Woolard, an associate professor of exercise science at North Carolina's Campbell University, demanding she remove a video of the dance from a Web site. He complained the dance wasn't being done correctly on the video, and Woolard took down the video. 
Silver wrote, according to e-mail correspondence posted by Woolard, that he had sued two Hollywood production companies for using the dance in several films and that he was now adding her as a co-defendant. It's unclear what happened to the suit. Interestingly, he also complained that actors in those movies didn't do the dance right. In fact, of several movies mentioned, surprisingly, Silver said only Joe Pesci, best known for his Oscar-winning role in the gangster classic Goodfellas, performed the dance correctly in the decidedly lesser-known film, The Super. "I realize that this incorrect version of my choreography has been around for some 27 years," Silver wrote, "and it seems pointless to try and correct it at this time but because of the legal ramifications, my lawyers have suggested that I take this approach." So does doing the Electric Slide badly protect you from charges of copyright violation? To Schultz, an incorrect version of the dance may still be covered under copyright law as a derivative of the original, but it depends on the context. In the case of Machulis' video, the missteps of the dance probably mean a loss of Silver's rights. "Slight variations (of the original) are arguably derivative," said Schultz, "but something else, like doing (a dance) out of sequence, you're probably not even getting close to his copyright." Copyright ©1995-2007 CNET Networks, Inc. All rights reserved.
From rforno at infowarrior.org Sat Feb 3 22:11:11 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 03 Feb 2007 22:11:11 -0500 Subject: [Infowarrior] - Out of the loop on terror threats Message-ID: Out of the loop on terror threats Homeland Security excludes state, local officials from group that shares data By Siobhan Gorman Sun reporter Originally published February 2, 2007 http://www.baltimoresun.com/news/nationworld/bal-te.intel02feb02,0,1214353.story WASHINGTON // State and local officials are protesting efforts by the Department of Homeland Security to exclude them from a new unit designed to share information about possible terrorist threats to the country. The information-sharing group, created by a White House directive last year, is designed to send out bulletins to state and local officials when the federal government learns of terrorist activity at home and abroad. But Homeland Security officials are opposed to letting representatives of state and local government serve on the unit that would send out the information because they believe it would confuse the process. The department's opposition puts it at odds with the White House and with other U.S. intelligence agencies, according to state and federal officials and government documents. It is the latest example of the government's failure to heed one of the most critical lessons of the Sept. 11 attacks: the inability or unwillingness of federal officials to share information with those at the state and local level who might be in a position to help stave off a terrorist attack. Thomas "Ted" McNamara, who is in charge of information-sharing in the office of the Director of National Intelligence, graded government intelligence-sharing efforts thus far as "just barely 'fair.'" He added: "We're certainly not doing 'good,' and we're not doing 'excellent.'" At his Senate confirmation hearing yesterday to be director of national intelligence, retired Vice Adm.
Mike McConnell said the culture of intelligence agencies must change to appreciate the needs of police chiefs and their colleagues around the country. "This is a different age and a different time," he said. Local response Federal and state officials said the government is still having trouble getting timely and accurate threat information to states and localities so they can decide how to respond - for example, by sending more officers to an airport or border, dispatching K-9 teams or a bomb squad. Local officials see and use information differently from "somebody who came out of fighting the Cold War against Russia," said former Baltimore Police Commissioner Thomas C. Frazier, who has represented municipal police in discussions over how to assemble the unit. Historically, information has often been closely held at the federal level until the last minute. Sometimes, alerts come in the middle of the night, making it difficult for mayors and others to respond before the morning rush hour, said David Sobczyk, a commander with the Chicago Police Department. "There has to be a leap of faith" to trust local officials with sensitive information, he said. A White House directive in November, issued with President Bush's approval, was designed to fix these problems. It called for Homeland Security to create a unit that would assemble terrorism reports specifically for state and local officials. The unit, which could include two or three state or local officials, would issue alerts and identify information important to state and local officials, according to a Homeland Security document obtained by The Sun. President Bush "has been clear" that he wants state and local representatives included in the unit, said spokesman Scott Stanzel. He said he was confident they would be incorporated. 
Homeland Security Department spokesman Russ Knocke declined to comment on the department's position because the issue is still under negotiation, but the document on the unit, which was assembled by Homeland Security and the FBI for senior officials, said that all agencies involved, "with Exception of DHS," agree that state and local officials should participate in the group. In meetings on the issue, Homeland Security officials have maintained that they will represent the interests of state and local officials and that there is no need to include them directly, according to the senior intelligence official. Proponents of state and local inclusion say Homeland Security officials mainly want to control the flow of information and are reluctant to give up that power. Fear of confusion Two senior Homeland Security officials, discussing their concerns on condition they not be named because the issue is still unresolved, said that adding local officials would create "unnecessary confusion" at a unit whose main role is merely to package information. And Homeland Security has sought ways to incorporate state and local officials by assigning them to offices inside the department, such as its intelligence office and its operations center, Knocke said. Kerry Sleeper, Vermont's homeland security adviser and the point man for state homeland officials in talks over the creation of the new unit, said it was "absolutely insulting" that the issue hasn't been resolved, more than five years after the Sept. 11 attacks. Democratic Rep. Bennie Thompson of Mississippi, who chairs the House Homeland Security committee, called the impasse "very disappointing news" in a letter last week to Homeland intelligence chief Charles Allen. If the White House fails to break the impasse, said the senior intelligence official, Congress might step in to force Homeland Security to include state and local participation in the unit. 
siobhan.gorman at baltsun.com From rforno at infowarrior.org Sun Feb 4 19:57:30 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 04 Feb 2007 19:57:30 -0500 Subject: [Infowarrior] - States Challenge Nat'l Driver's License Message-ID: States Challenge Nat'l Driver's License http://apnews.myway.com/article/20070204/D8N2UVDG0.html Feb 4, 9:36 AM (ET) By LESLIE MILLER WASHINGTON (AP) - A revolt against a national driver's license, begun in Maine last month, is quickly spreading to other states. The Maine Legislature on Jan. 26 overwhelmingly passed a resolution objecting to the Real ID Act of 2005. The federal law sets a national standard for driver's licenses and requires states to link their record-keeping systems to national databases. Within a week of Maine's action, lawmakers in Georgia, Wyoming, Montana, New Mexico, Vermont and Washington state also balked at Real ID. They are expected soon to pass laws or adopt resolutions declining to participate in the federal identification network. "It's the whole privacy thing," said Matt Sundeen, a transportation analyst for the National Conference of State Legislatures. "A lot of legislators are concerned about privacy issues and the cost. It's an estimated $11 billion implementation cost." The law's supporters say it is needed to prevent terrorists and illegal immigrants from getting fake identification cards. States will have to comply by May 2008. If they do not, driver's licenses that fall short of Real ID's standards cannot be used to board an airplane or enter a federal building or open some bank accounts. About a dozen states have active legislation against Real ID, including Arizona, Georgia, Hawaii, Massachusetts, Missouri, New Hampshire, Oklahoma, Utah and Wyoming. Missouri state Rep. James Guest, a Republican, formed a coalition of lawmakers from 34 states to file bills that oppose or protest Real ID. 
Though most states oppose the law, some such as Indiana and Maryland are looking to comply with Real ID, Sundeen said. The issue may be moot for states if Congress takes action. From rforno at infowarrior.org Sun Feb 4 19:57:37 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 04 Feb 2007 19:57:37 -0500 Subject: [Infowarrior] - TiVo sees if you skip those ads Message-ID: TiVo sees if you skip those ads David Lazarus Sunday, February 4, 2007 http://tinyurl.com/2e23xr TiVo revealed the other day that it's offering TV networks and ad agencies a chance to receive second-by-second data about which programs the company's 4.5 million subscribers are watching and, more importantly, which commercials people are skipping. This raises a pair of troubling questions: Is TiVo, which revolutionized TV viewing with its digital video recording technology, now watching what people watch? And is it selling that sensitive info to advertisers and others? The answers, apparently, are no and no. "I promise with my hand on a Bible that your data is not being archived and sold," said Todd Juenger, TiVo's vice president and general manager of audience research and measurement. "We don't know what any particular person is watching," he said. "We only know what a random, anonymous sampling of our user base is watching." Still, privacy advocates say TiVo's new data service -- dubbed StopWatch -- reflects the growing ease with which companies could, if they so choose, collect and exploit vast amounts of information about consumers' everyday habits. "It's a constant struggle to maintain your privacy in the modern era," said Kurt Opsahl, a staff attorney at San Francisco's Electronic Frontier Foundation. "We have entered an era in which more and more information about you is being collected and maintained." He added: "In the past, you had a lot of privacy protection because information about you was too difficult to collect and sort.
Now that protection is gone because computers can do it." TiVo's potential to monitor (and embarrass) millions of people was made clear in 2004 after Janet Jackson's right breast made a surprise appearance during the Super Bowl halftime show. TiVo reported that this fleeting glimpse of celebrity flesh "drew the biggest spike in audience reaction TiVo has ever measured ... as hundreds of thousands of households used TiVo's unique capabilities to pause and replay live television to view the incident again and again." More than a few subscribers probably thought later that this wasn't the sort of thing they wanted stored in some corporate database. "That initial reaction of concern is understandable," said Ray Everett-Church, a Silicon Valley privacy consultant and longtime TiVo user. "It's hard to know for a fact that they don't keep that information." But he said he's prepared to take TiVo at its word that sensitive data about users' viewing habits aren't being stored or shared with others. "If they're careful about how they anonymize and aggregate the information, I don't see huge problems," Everett-Church said. (TiVo said last week that once again it will be closely monitoring audience behavior during today's Super Bowl to see how often users pause and rewind "unscripted moments and entertainment.") TiVo's Juenger said the Alviso company downloads usage data from a random sampling of about 20,000 set-top boxes each night. That data, he said, is stripped of any personally identifiable information before being mixed with other users' data for research and marketing purposes. "All we know is that we have an anonymous box out there with certain viewing behaviors," he said. Juenger recalled how the Justice Department issued subpoenas last year to Google and other Internet companies for access to data on people's online searches. (Google fought the subpoena and forced the Justice Department to significantly scale back its data request.) 
"If we were subpoenaed by the Justice Department, we would be literally incapable of saying what an individual user was watching," Juenger said. "It would be impossible." Not for much longer, though. Juenger said TiVo is gearing up for a Nielsen-style rating service in which a select group of subscribers will volunteer to have their viewing tracked. In this case, participants' personal data will be part of the mix. "It's absolutely something we're looking at," Juenger said. "Our clients have told us it's something they want." The hack is back: Speaking of TiVo, I'm always getting requests to repeat the code discovered by hackers for programming TiVo remotes to skip ahead through recorded commercials at 30-second intervals. Here it is: Select Play Select 30 Select. The trick is to do the hack while a recorded program is playing. Point your remote at the TiVo box and press, in sequence, the Select button, the Play button, the Select button again, the 3 button, the 0 button and then Select one last time. If you do it correctly, you'll hear three dings from your box. Now the Advance button (the one with a Play arrow and a vertical line at the right edge) can be used to jump ahead by 30 seconds, thus zipping past commercials more easily than fast forwarding. David Lazarus' column appears Wednesdays, Fridays and Sundays. He also can be heard Saturdays, 4 to 7 p.m., on KGO Radio. Send tips or feedback to dlazarus at sfchronicle.com. From rforno at infowarrior.org Sun Feb 4 19:57:42 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 04 Feb 2007 19:57:42 -0500 Subject: [Infowarrior] - Mobile giants plot secret rival to Google Message-ID: http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2007/02/04/cnsearch04.xml Mobile giants plot secret rival to Google By Juliette Garside, Sunday Telegraph Last Updated: 8:18pm GMT 04/02/2007 Europe's biggest telecoms groups are aiming to create a mobile phone search engine that could challenge Yahoo!
and Google, the US giants. Vodafone, France Telecom, Telefonica, Deutsche Telekom, Hutchison Whampoa, Telecom Italia and one American network, Cingular, are among the companies that will come together for secret, high-level talks at the mobile industry's biggest annual trade show in Barcelona next week. Faced with declining revenues as calls become cheaper, network operators are determined to secure a large slice of the lucrative search advertising market. In the UK alone, more than 20 per cent of subscribers are expected to have access to mobile internet at broadband speeds by the end of 2007, which should prompt a dramatic increase in the use of search engines via mobile phones. The initiative will come as a surprise to Google and Yahoo!, which have lost no time in striking deals with mobile operators and handset makers. But the mobile industry believes it can retain a greater share of advertising revenues by developing its own service. A joint approach is essential, because mobile networks will need to offer advertisers a large audience if they are to challenge the US search giants. The four big operators in Britain - Orange, owned by France Telecom, O2, part of Spain's Telefonica, Deutsche Telekom's T-Mobile and Vodafone - will all be represented at the meeting next week. The groups involved have a combined customer base of 600m mobile phone users worldwide. The networks may decide to go with an existing search engine and use their combined might to secure a majority slice of the income. Another idea up for discussion is the creation of a white label service, with a single advertising sales house and technical team, to which mobile networks could then apply their own brand.
A UK executive at one of the companies involved said: "There is a big play in mobile search that we need to be part of, and we are exploring those options at a very high level." It is not clear what the implications are for existing deals between networks and the big US search companies. Google has already signed up Vodafone and T-Mobile, as well as Hutchison's 3 and China Mobile. Its service also comes pre-loaded on handsets made by companies including Samsung. The Google mobile search engine does not make money because it hasn't started selling sponsored links to advertisers. However, trials are underway and the service should become fully commercial this year. Yahoo! has so far signed up Vodafone and 3, and is already featuring sponsored links. Mobile search is seen as potentially more valuable to users and advertisers than the service currently provided to desktop computers because results can be made geographically relevant. On Yahoo!'s service, for example, users can type in their location and receive local information on weather, travel or entertainment. Mobile internet will be given a further boost at Barcelona when Far Eastern manufacturer LG Electronics is announced as the winner of a competition to produce an affordable, mass-market handset capable of accessing the web. Twelve of the leading mobile operators spanning six continents and more than 620m subscribers have agreed to sell the 3G (third generation) phone to their customers. This will allow economies of scale sufficient to bring its price in well below existing 3G handsets. The deal will also be a massive boost for LG, allowing it to challenge the dominance of the four largest handset makers: Nokia, Sony Ericsson, Siemens and Motorola. 
From rforno at infowarrior.org Sun Feb 4 20:07:00 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 04 Feb 2007 20:07:00 -0500 Subject: [Infowarrior] - OT: CBS Superbowl Coverage Message-ID: Aside from the fact that all "my" teams are in the NFC except Baltimore, I knew there was a reason I didn't watch many AFC games on CBS this season. CBS employs far too much whirring, whooshing, and cheezy computer noises for my tastes during cues for replays and/or on-screen statistic displays, and the onscreen graphic "zoom" used before/after replays practically evokes nausea. Such on-air graphics and special effects remind me of website design circa 1997 when everyone used every 'cool' trick they could learn about just because they could -- i.e., embedded MIDI audio or blink tags. Watching football on CBS is like viewing such webpages: painful. Looking back at the 2006-07 season, I still say NBC, and then FOX, had the best football coverage/presentation. And less-annoying "theme" music, too. :) Go Bears! -rf From rforno at infowarrior.org Sun Feb 4 20:15:35 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 04 Feb 2007 20:15:35 -0500 Subject: [Infowarrior] - Target Practice in the Final Frontier Message-ID: Target Practice in the Final Frontier By Michael Krepon Sunday, February 4, 2007; B03 http://www.washingtonpost.com/wp-dyn/content/article/2007/02/02/AR2007020201463_pf.html They warn us of approaching storms. They allow us to make emergency phone calls on mobile phones. They're the digital conveyor belt for global commerce. They help police and ambulances reach their destinations when every minute counts. And the Pentagon relies on them to provide U.S. forces with intelligence, communications and targeting information. Satellites, it seems, have become our lifelines.
Still, it's easy to take satellites for granted -- easy, that is, until the People's Liberation Army crashes a missile into one of China's aging meteorological satellites, as it did last month. It was a crude show of strength, which the PLA will do on occasion when it wants to make a point. In 1995, for example, Beijing sent a fusillade of missiles in Taiwan's direction, a blunt reminder to think twice about independence. This time around, the PLA's message seemed directed at the Bush administration and the Air Force, which has adopted a "space control" doctrine that endorses the use of weapons in, from and through space. The debris from China's missile blast could travel in space for much more than a quarter-century before burning up in the Earth's atmosphere. That's a long time, but not longer than the debate over weapons in space has raged, beginning with the launch of Sputnik in 1957. Having prying eyes overhead is unsettling enough, but it is not nearly so worrisome as weapons circling overhead, ready to fire. What the Air Force euphemistically calls "offensive counter-space" capabilities -- use of the terms "space weapons" and "space dominance" is verboten -- does not have a broad constituency of support in the Pentagon or on Capitol Hill. The notion of turning space into one more war zone offends many sensibilities, from those of devout believers who don't think the heavens should be sullied by weapons, to those of pragmatic soldiers who realize that, if satellites become fair game in warfare, their other missions will become even harder. President Ronald Reagan couldn't dent these concerns with the Strategic Defense Initiative, his 1983 proposal to use space-based weapons as a shield against nuclear attack. Journalist Frances FitzGerald offers a skeptical account of this period in "Way Out There in the Blue," which treats Reagan's scheme as part fantasy, part public relations and part device to kill arms control. 
Mikhail Gorbachev is the hero of FitzGerald's narrative, while Reagan's contributions toward devaluing nuclear weapons are short-changed. Astronomer Robert Jastrow makes the moral case for Reagan's vision of space-based defenses in his 1985 book "How to Make Nuclear Weapons Obsolete." So far, the Bush administration's testing in space appears limited to demonstrations of multipurpose technologies: For example, a recent test maneuvered a small satellite to make close passes at U.S. space objects. These techniques could ultimately be used to help with satellite docking or monitoring. The Air Force's new doctrine and the Bush administration's refusal to discuss, let alone negotiate, anything that could limit U.S. freedom of action in space -- along with the traditional secrecy surrounding military space programs -- has gotten China's attention. Last September, press reports indicated that China had "painted" a U.S. satellite with a laser. It is unclear how often this has occurred, or whether the United States has carried out similar practices against Chinese satellites. (Shining lasers on satellites can be used for space tracking and monitoring, as well as for temporarily blinding a satellite, among other uses.) Now that Beijing has in turn gained Washington's attention, the competition in space is likely to heat up. An old U.S.-Soviet-style space race seems unlikely -- after all, we live in an era of asymmetric warfare -- but it doesn't take an arms race to mess up space, as the PLA just proved. These days, "lasing" and jamming are the preferred Pentagon means for dealing with satellites that could threaten U.S. combat forces. Initially, however, the Pentagon considered nuclear detonations as a way to destroy satellites, even deploying (but never launching) two nuclear-tipped rockets for this assignment after the Cuban missile crisis. 
The Kennedy administration learned that this was a bad idea after one particularly powerful atmospheric nuclear test in 1962 damaged every U.S. satellite -- and one Soviet satellite -- in low Earth orbit. The United States and the Soviet Union turned next to space weapons that killed on contact, as detailed in Paul Stares's 1985 book on Cold War space warfare, "The Militarization of Space." The U.S. military conducted dozens of such tests, but only one, in 1985, was like the recent Chinese test, with the Air Force blowing up an aging meteorological satellite. Fourteen years later, a piece of debris from this test came within one mile of the international space station. It took three additional years for this lethal hazard to clear out of low Earth orbit. (The recent Chinese test has produced a much larger debris field at a higher altitude, meaning that the resulting hazard to spaceflight will be much worse.) Political interest in space weapons is usually linked to spikes in public anxiety. During the Reagan administration, many were concerned that the Kremlin had achieved strategic and military superiority and might exploit its advantages -- including the use of futuristic space weapons. The Kremlin leadership felt precisely the same way about Washington, which made this chapter of the Cold War so dangerous. Walter A. McDougall's Pulitzer Prize-winning "The Heavens and the Earth: A Political History of the Space Age," published in 1985, is a graceful and lyrical account of the space race, and details the history of the Soviet and U.S. space programs. Now, the focus is squarely on China. Just as the Pentagon once published annual reports on "Soviet Military Power" and "Soviet Space Power," it now issues annual reports on Chinese military capabilities; they are far better than the old analyses of Soviet power, but the analysis remains spotty. 
For instance, the recent congressionally mandated report "Military Power of the People's Republic of China 2006," from the defense secretary's office, covers many Chinese military innovations -- including a new doctrine of modern warfare and the purchase of more advanced weapons systems -- but failed to predict a "hit to kill" anti-satellite test. In the current debates over space weapons, few advocates mince their words less than Everett Dolman, a faculty member at the Air Force's Air University and author of "Astropolitik: Classical Geopolitics in the Space Age." Dolman argues that the Air Force should seek military control of space and thus dictate terms to potential adversaries. In "Neither Star Wars Nor Sanctuary," Brookings Institution scholar Michael O'Hanlon is less enthusiastic about weapons in space, but doesn't wish to rule them out in the case of a potential conflict with China over Taiwan. My own view is laid out in my book "Space Assurance or Space Dominance: The Case Against Weaponizing Space," in which I argue that the United States has more to lose than to gain if space becomes a shooting gallery. It is perhaps fitting that some of the best information and analysis on weapons in space would be found in, well, cyberspace. The Space Security Index 2006, issued by the research consortium SpaceSecurity.org, offers a detailed overview of these issues on an ongoing basis. The Air Force Space Command also maintains a detailed and informative Web site (http://www.afspc.af.mil). And among the bloggers, I would recommend Leonard David of Space.com, as well as Jeffrey Lewis, who keeps perhaps the leading blog on nuclear proliferation and arms control, ArmsControlWonk.com -- where he broke the Chinese anti-satellite test story on Jan. 17. mkrepon at stimson.org Michael Krepon, co-founder of the Henry L. Stimson Center, lectures on nuclear proliferation at the University of Virginia.
From rforno at infowarrior.org Mon Feb 5 08:53:54 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 05 Feb 2007 08:53:54 -0500 Subject: [Infowarrior] - U.S. Set to Begin a Vast Expansion of DNA Sampling Message-ID: http://www.nytimes.com/2007/02/05/washington/05dna.html?ei=5094&en=4f5fb3a24 5f37a20&hp=&ex=1170738000&partner=homepage&pagewanted=print February 5, 2007 U.S. Set to Begin a Vast Expansion of DNA Sampling By JULIA PRESTON The Justice Department is completing rules to allow the collection of DNA from most people arrested or detained by federal authorities, a vast expansion of DNA gathering that will include hundreds of thousands of illegal immigrants, by far the largest group affected. The new forensic DNA sampling was authorized by Congress in a little-noticed amendment to a January 2006 renewal of the Violence Against Women Act, which provides protections and assistance for victims of sexual crimes. The amendment permits DNA collecting from anyone under criminal arrest by federal authorities, and also from illegal immigrants detained by federal agents. Over the last year, the Justice Department has been conducting an internal review and consulting with other agencies to prepare regulations to carry out the law. The goal, justice officials said, is to make the practice of DNA sampling as routine as fingerprinting for anyone detained by federal agents, including illegal immigrants. Until now, federal authorities have taken DNA samples only from convicted felons. The law has strong support from crime victims? organizations and some women?s groups, who say it will help law enforcement identify sexual predators and also detect dangerous criminals among illegal immigrants. ?Obviously, the bigger the DNA database, the better,? said Lynn Parrish, the spokeswoman for the Rape, Abuse and Incest National Network, based in Washington. ?If this had been implemented years ago, it could have prevented many crimes. Rapists are generalists. 
They don?t just rape, they also murder.? Peter Neufeld, a lawyer who is a co-director of the Innocence Project, which has exonerated dozens of prison inmates using DNA evidence, said the government was overreaching by seeking to apply DNA sampling as universally as fingerprinting. ?Whereas fingerprints merely identify the person who left them,? Mr. Neufeld said, ?DNA profiles have the potential to reveal our physical diseases and mental disorders. It becomes intrusive when the government begins to mine our most intimate matters.? Immigration lawyers said they did not learn of the measure when it passed last year and were dismayed by its sweeping scope. ?This has taken us by storm,? said Deborah Notkin, a lawyer who was president of the American Immigration Lawyers Association last year. ?It?s so broad, it?s scary. It is a terrible thing to do because people are sometimes detained erroneously in the immigration system.? Immigration lawyers noted that most immigration violations, including those committed when people enter the country illegally, are civil, not criminal, offenses. They warned that the new law would make it difficult for immigrants to remove their DNA profiles from the federal database, even if they were never found to have committed any serious violation or crime. Under the new law, DNA samples would be taken from any illegal immigrants who are detained and would normally be fingerprinted, justice officials said. Last year federal customs, Border Patrol and immigration agents detained more than 1.2 million immigrants, the majority of them at the border with Mexico. About 238,000 of those immigrants were detained in immigration enforcement investigations. A great majority of all immigration detainees were fingerprinted, immigration officials said. About 102,000 people were arrested on federal charges not related to immigration in 2005. 
While the proposed rules have not been finished, justice officials said they were certain to bring a huge new workload for the F.B.I. laboratory that logs, analyzes and stores federal DNA samples. Federal Bureau of Investigation officials said they anticipated an increase ranging from 250,000 to as many as 1 million samples a year. The laboratory currently receives about 96,000 samples a year, said Robert Fram, chief of the agency?s Scientific Analysis Section. DNA would not be taken from legal immigrants who are stopped briefly by the authorities, justice officials said, or from legal residents who are detained on noncriminal immigration violations. ?What this does is move the DNA collection to the arrest stage,? said Erik Ablin, a Justice Department spokesman. ?The general approach,? he said, ?is to bring the collection of DNA samples into alignment with current federal fingerprint collection practices.? He said the department was ?moving forward aggressively? to issue proposed regulations. The 2006 amendment was sponsored by two border state Republicans, Senator Jon Kyl of Arizona and Senator John Cornyn of Texas. In an interview, Mr. Kyl said the measure was broadly drawn to encompass illegal immigrants as well as Americans arrested for federal crimes. He said that 13 percent of illegal immigrants detained in Arizona last year had criminal records. ?Some of these are very bad people,? Mr. Kyl said. ?The number of sexual assaults committed by illegal immigrants is astonishing. Right now there is a fingerprint system in use, but it is not as thorough as it could be.? Ms. Parrish, of the rape victims? organization, pointed to the case of Angel Resendiz, a Mexican immigrant who was known as the Railroad Killer. Starting in 1997, Mr. Resendiz committed at least 15 murders and numerous rapes in the United States. Over the years of his rampage, Mr. Resendiz was deported 17 times. He was executed in Texas in June. ?That was 17 missed opportunities to collect his DNA,? 
Ms. Parrish said. "If he had been identified as the perpetrator of the first rapes, it would have prevented later ones."

Immigration lawyers said the DNA sampling could tar illegal immigrants with a criminal stigma, even though most of them have never committed any criminal offense. "To equate somebody with a possible immigration violation in the same category as a suspected sex offender is an outrage," said David Leopold, an immigration lawyer who practices in Cleveland.

Forensic DNA is culled either from a tiny blood sample taken from a fingertip (the F.B.I.'s preferred method) or from a swab of the inside of the mouth. Federal samples are logged into the F.B.I.'s laboratory, analyzed and transformed into profiles that can be read by computer. The profiles are loaded into a database called the National DNA Index System. The F.B.I. also loads DNA profiles from local and state police into the federal database and runs searches. Only seven states now collect DNA from suspects when they are arrested; of those, only two states are authorized by their laws to send those samples to the federal database.

Mr. Neufeld, of the Innocence Project, said his group supported broad DNA collection from convicted criminals. But, he said, "There is no demonstrable nexus between being detained for an immigration matter and the likelihood you are going to commit some serious violent crime."

The DNA amendment has divided women's groups that are usually unified supporters of the Violence Against Women Act, which was adopted in 1994. "We were stunned by the extraordinary, broad sweep of this amendment," said Lisalyn Jacobs, vice president for government relations at Legal Momentum, a law group founded by the National Organization for Women. Ms. Jacobs recalled that the amendment had been adopted by a voice vote with little debate. She said many lawmakers eager to renew the act, which enjoys solid bipartisan support, appeared unaware of the scope of the DNA amendment.
"The pervasive problems of profiling in the United States will only be exacerbated by such a system," Ms. Jacobs said, because Latino and other immigrants will be greatly over-represented in the database. She noted that the law required a court order to remove a profile from the system.

Many groups warned that the measure would compound already severe backlogs in the F.B.I.'s DNA processing. Mr. Fram of the F.B.I. said there had been an enormous increase in the samples coming to the databank since it started to operate in 1998, but no new resources for the bureau's laboratory. Currently about 150,000 DNA samples from convicted criminals are waiting to be processed and loaded into the national database, Mr. Fram said. He said the laboratory had added robot technology to speed the processing. But in the "worst case scenario," where the laboratory receives one million new samples a year, Mr. Fram said, "there is going to be a bottleneck."

From rforno at infowarrior.org Mon Feb 5 10:01:24 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 05 Feb 2007 10:01:24 -0500
Subject: [Infowarrior] - Apple, Beatles settle trademark suit over "Apple" name, logos
Message-ID:

Apple, Beatles settle trademark suit over "Apple" name, logos
Associated Press
http://www.mercurynews.com/mld/mercurynews/news/local/states/california/northern_california/16626955.htm

CUPERTINO, Calif. - IPod maker Apple said Monday it settled long-simmering trademark issues with The Beatles' Apple Corps Ltd. company about the use of the name "Apple" and apple logos. The new settlement replaces the companies' 1991 agreement, and gives Apple Inc. ownership of all the trademarks related to "Apple." In addition, Apple Inc. will license certain of those trademarks back to Apple Corps for their continued use. This settlement ends the ongoing trademark lawsuit between the companies, with each paying its own legal costs, and Apple Inc. will continue using its name and logos on iTunes.
Further terms weren't disclosed. It was not clear if The Beatles music catalog was part of the deal, and none of the band's songs was available on iTunes as of Monday morning. That catalog of all Beatles songs, including "Let it Be," "Get Back" and "She Loves You," is the largest holdout from iTunes and other online music services.

"We love the Beatles, and it has been painful being at odds with them over these trademarks," said Steve Jobs, Apple's CEO. "It feels great to resolve this in a positive manner, and in a way that should remove the potential of further disagreements in the future."

Neil Aspinall, manager of Apple Corps, said the company was glad to resolve the dispute. "The years ahead are going to be very exciting times for us. We wish Apple Inc. every success and look forward to many years of peaceful co-operation with them," he said.

From rforno at infowarrior.org Mon Feb 5 22:22:50 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 05 Feb 2007 22:22:50 -0500
Subject: [Infowarrior] - Windows 'fails' active virus test
Message-ID:

Windows 'fails' active virus test

Security tools that work with Windows Vista have failed tests to see if they can detect viruses circulating online. Microsoft's Windows Live OneCare security tool was one of four products that failed independent tests carried out by the Virus Bulletin. The security testing group found that Live OneCare missed far more active viruses than any other program tested. To pass the tests anti-virus tools must spot and stop 100% of the malicious programs used to attack them.

Attack profile

When Vista was launched on 30 January, Microsoft chairman Bill Gates claimed that it was "dramatically more secure" than other operating systems. Work began on Vista in 2001 and prior to release Microsoft said that some of the delay was due to efforts to harden the operating system against viruses and other malicious programs.
"Vista cannot fend off today's malware without help from security products" - John Hawes, Virus Bulletin

Version 1.5 of Windows Live OneCare was co-launched with Vista and uses the same scanning "engine" as the security tools bundled with the operating system. Typically users pay a yearly subscription to use Live OneCare. The Virus Bulletin tests try to catch out anti-virus software with a variety of malicious programs including bots and worms known to be spreading online, file infectors, polymorphic and macro viruses. While Live OneCare did manage to spot 100% of the macro viruses it was tested against, it missed some wild viruses, polymorphic programs and file infectors. Live OneCare caught 99.91% of the known active viruses it was tested against. This left it vulnerable to 37 separate malicious programs. Other anti-virus products that failed the tests included G-Data AntiVirusKit, McAfee VirusScan Enterprise 8.51 and Norman Virus Control 5.90.

"The tests conducted in our secure labs were against the most significant viruses and worms affecting real-world users," said John Hawes, a technical consultant at Virus Bulletin. "Although many improvements have been made, Vista cannot fend off today's malware without help from security products," he said.

Jo Wickremasinghe, Windows Live OneCare product manager, said in a statement: "We are looking closely at the methodology and results of the test to ensure that Windows Live OneCare performs better in future tests and, most importantly, as part of our ongoing work to continually enhance Windows Live OneCare to ensure the highest level of protection and service that we can provide our customers."

Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/6331959.stm
Published: 2007/02/05 14:43:06 GMT
© BBC MMVII

From rforno at infowarrior.org Mon Feb 5 22:34:20 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 05 Feb 2007 22:34:20 -0500
Subject: [Infowarrior] - Windows Vista EULA: Is It That Bad?
Message-ID:

Windows Vista EULA: Is It That Bad?

Ever since I found out that Vista Home and Vista Home Premium editions explicitly prevent you from running the software in a virtual machine I've been poring over Microsoft's EULAs trying to make sense of them. Kudos to Microsoft for providing a nice easy way to browse through all the EULAs for all their software. You can download all the licensing agreements as pdf files from that link. There have been a number of reports on the internet about all sorts of terrible things you agree to when accepting the Vista EULA, but it isn't really that bad.

< - >

http://blog.wired.com/monkeybites/2007/02/windows_vista_e.html

From rforno at infowarrior.org Tue Feb 6 15:08:43 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 06 Feb 2007 15:08:43 -0500
Subject: [Infowarrior] - Steve Jobs Note: End DRM
Message-ID:

Thoughts on Music
http://www.apple.com/hotnews/thoughtsonmusic/
Steve Jobs
February 6, 2007

With the stunning global success of Apple's iPod music player and iTunes online music store, some have called for Apple to "open" the digital rights management (DRM) system that Apple uses to protect its music against theft, so that music purchased from iTunes can be played on digital devices purchased from other companies, and protected music purchased from other online music stores can play on iPods. Let's examine the current situation and how we got here, then look at three possible alternatives for the future.

To begin, it is useful to remember that all iPods play music that is free of any DRM and encoded in "open" licensable formats such as MP3 and AAC. iPod users can and do acquire their music from many sources, including CDs they own. Music on CDs can be easily imported into the freely-downloadable iTunes jukebox software which runs on both Macs and Windows PCs, and is automatically encoded into the open AAC or MP3 formats without any DRM.
This music can be played on iPods or any other music players that play these open formats.

The rub comes from the music Apple sells on its online iTunes Store. Since Apple does not own or control any music itself, it must license the rights to distribute music from others, primarily the "big four" music companies: Universal, Sony BMG, Warner and EMI. These four companies control the distribution of over 70% of the world's music. When Apple approached these companies to license their music to distribute legally over the Internet, they were extremely cautious and required Apple to protect their music from being illegally copied. The solution was to create a DRM system, which envelopes each song purchased from the iTunes store in special and secret software so that it cannot be played on unauthorized devices.

Apple was able to negotiate landmark usage rights at the time, which include allowing users to play their DRM protected music on up to 5 computers and on an unlimited number of iPods. Obtaining such rights from the music companies was unprecedented at the time, and even today is unmatched by most other digital music services. However, a key provision of our agreements with the music companies is that if our DRM system is compromised and their music becomes playable on unauthorized devices, we have only a small number of weeks to fix the problem or they can withdraw their entire music catalog from our iTunes store.

To prevent illegal copies, DRM systems must allow only authorized devices to play the protected music. If a copy of a DRM protected song is posted on the Internet, it should not be able to play on a downloader's computer or portable music device. To achieve this, a DRM system employs secrets. There is no theory of protecting content other than keeping secrets. In other words, even if one uses the most sophisticated cryptographic locks to protect the actual music, one must still "hide"
the keys which unlock the music on the user's computer or portable music player. No one has ever implemented a DRM system that does not depend on such secrets for its operation.

The problem, of course, is that there are many smart people in the world, some with a lot of time on their hands, who love to discover such secrets and publish a way for everyone to get free (and stolen) music. They are often successful in doing just that, so any company trying to protect content using a DRM must frequently update it with new and harder to discover secrets. It is a cat-and-mouse game. Apple's DRM system is called FairPlay. While we have had a few breaches in FairPlay, we have been able to successfully repair them through updating the iTunes store software, the iTunes jukebox software and software in the iPods themselves. So far we have met our commitments to the music companies to protect their music, and we have given users the most liberal usage rights available in the industry for legally downloaded music.

With this background, let's now explore three different alternatives for the future.

The first alternative is to continue on the current course, with each manufacturer competing freely with their own "top to bottom" proprietary systems for selling, playing and protecting music. It is a very competitive market, with major global companies making large investments to develop new music players and online music stores. Apple, Microsoft and Sony all compete with proprietary systems. Music purchased from Microsoft's Zune store will only play on Zune players; music purchased from Sony's Connect store will only play on Sony's players; and music purchased from Apple's iTunes store will only play on iPods. This is the current state of affairs in the industry, and customers are being well served with a continuing stream of innovative products and a wide variety of choices.
Some have argued that once a consumer purchases a body of music from one of the proprietary music stores, they are forever locked into only using music players from that one company. Or, if they buy a specific player, they are locked into buying music only from that company's music store. Is this true? Let's look at the data for iPods and the iTunes store - they are the industry's most popular products and we have accurate data for them. Through the end of 2006, customers purchased a total of 90 million iPods and 2 billion songs from the iTunes store. On average, that's 22 songs purchased from the iTunes store for each iPod ever sold.

Today's most popular iPod holds 1000 songs, and research tells us that the average iPod is nearly full. This means that only 22 out of 1000 songs, or under 3% of the music on the average iPod, is purchased from the iTunes store and protected with a DRM. The remaining 97% of the music is unprotected and playable on any player that can play the open formats. It's hard to believe that just 3% of the music on the average iPod is enough to lock users into buying only iPods in the future. And since 97% of the music on the average iPod was not purchased from the iTunes store, iPod users are clearly not locked into the iTunes store to acquire their music.

The second alternative is for Apple to license its FairPlay DRM technology to current and future competitors with the goal of achieving interoperability between different company's players and music stores. On the surface, this seems like a good idea since it might offer customers increased choice now and in the future. And Apple might benefit by charging a small licensing fee for its FairPlay DRM. However, when we look a bit deeper, problems begin to emerge. The most serious problem is that licensing a DRM involves disclosing some of its secrets to many people in many companies, and history tells us that inevitably these secrets will leak.
The Internet has made such leaks far more damaging, since a single leak can be spread worldwide in less than a minute. Such leaks can rapidly result in software programs available as free downloads on the Internet which will disable the DRM protection so that formerly protected songs can be played on unauthorized players.

An equally serious problem is how to quickly repair the damage caused by such a leak. A successful repair will likely involve enhancing the music store software, the music jukebox software, and the software in the players with new secrets, then transferring this updated software into the tens (or hundreds) of millions of Macs, Windows PCs and players already in use. This must all be done quickly and in a very coordinated way. Such an undertaking is very difficult when just one company controls all of the pieces. It is near impossible if multiple companies control separate pieces of the puzzle, and all of them must quickly act in concert to repair the damage from a leak.

Apple has concluded that if it licenses FairPlay to others, it can no longer guarantee to protect the music it licenses from the big four music companies. Perhaps this same conclusion contributed to Microsoft's recent decision to switch their emphasis from an "open" model of licensing their DRM to others to a "closed" model of offering a proprietary music store, proprietary jukebox software and proprietary players.

The third alternative is to abolish DRMs entirely. Imagine a world where every online store sells DRM-free music encoded in open licensable formats. In such a world, any player can play music purchased from any store, and any store can sell music which is playable on all players. This is clearly the best alternative for consumers, and Apple would embrace it in a heartbeat. If the big four music companies would license Apple their music without the requirement that it be protected with a DRM, we would switch to selling only DRM-free music on our iTunes store.
Every iPod ever made will play this DRM-free music.

Why would the big four music companies agree to let Apple and others distribute their music without using DRM systems to protect it? The simplest answer is because DRMs haven't worked, and may never work, to halt music piracy. Though the big four music companies require that all their music sold online be protected with DRMs, these same music companies continue to sell billions of CDs a year which contain completely unprotected music. That's right! No DRM system was ever developed for the CD, so all the music distributed on CDs can be easily uploaded to the Internet, then (illegally) downloaded and played on any computer or player.

In 2006, under 2 billion DRM-protected songs were sold worldwide by online stores, while over 20 billion songs were sold completely DRM-free and unprotected on CDs by the music companies themselves. The music companies sell the vast majority of their music DRM-free, and show no signs of changing this behavior, since the overwhelming majority of their revenues depend on selling CDs which must play in CD players that support no DRM system.

So if the music companies are selling over 90 percent of their music DRM-free, what benefits do they get from selling the remaining small percentage of their music encumbered with a DRM system? There appear to be none. If anything, the technical expertise and overhead required to create, operate and update a DRM system has limited the number of participants selling DRM protected music. If such requirements were removed, the music industry might experience an influx of new companies willing to invest in innovative new stores and players. This can only be seen as a positive by the music companies.

Much of the concern over DRM systems has arisen in European countries. Perhaps those unhappy with the current situation should redirect their energies towards persuading the music companies to sell their music DRM-free.
For Europeans, two and a half of the big four music companies are located right in their backyard. The largest, Universal, is 100% owned by Vivendi, a French company. EMI is a British company, and Sony BMG is 50% owned by Bertelsmann, a German company. Convincing them to license their music to Apple and others DRM-free will create a truly interoperable music marketplace. Apple will embrace this wholeheartedly.

From rforno at infowarrior.org Tue Feb 6 16:40:43 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 06 Feb 2007 16:40:43 -0500
Subject: [Infowarrior] - Security: Open vs. Closed
Message-ID:

Open vs. Closed
http://www.acmqueue.com/modules.php?name=Content&pa=printer_friendly&pid=453&page=1
From Open Source Security, Vol. 5, No. 1 - February 2007
by Richard Ford, Florida Institute Of Technology

There is no better way to start an argument among a group of developers than proclaiming Operating System A to be "more secure" than Operating System B. I know this from first-hand experience, as previous papers I have published on this topic have led to reams of heated e-mails directed at me - including some that were, quite literally, physically threatening. Despite the heat (not light!) generated from attempting to investigate the relative security of different software projects, investigate we must. Understanding why products are (and are not) secure is a critical stepping stone toward building better software.

Before wading into these dangerous waters, we should clarify the question. All too often when comparing open and closed source approaches, the question is unconsciously interpreted as Windows versus Linux. While that's a fantastic question to knock around, doing so is a very narrow way of looking at the world, as it ignores many other projects in both the open and closed source worlds. Although it's foolish to ignore the data points the Windows/Linux world provides, they are simply examples of the process.
So, let us first strip away the misconception that the question is about these particular platforms and recognize its real breadth. With this in mind, our answer requires three crucial definitions in order to have meaning: "What is open source?"; "What is closed source?"; and, surprisingly, "What is security?" The first two we can deal with quickly; the third is a lot subtler, however, so we shall tackle it first.

What is Security?

Traditionally, we tend to think of security as maintaining the CIA (confidentiality, integrity, and availability) of information. This is a useful taxonomy of security, and because of this, it's pervasive. One limitation of the CIA approach is that it isn't very helpful when we consider how to measure security. What does it mean to say that one product is more secure than another product? Is C more important than A, and is A more important than I? How does one rank these different aspects of security?

A literature review quickly shows that measuring security is a tricky problem, which, as yet, we haven't gotten our arms around very well. That's a pity, because if we had, it would be tempting to run the simple experiment of measuring the security of various open and closed source projects and see if one methodology is consistently more secure than the other. If closed source, for example, were measurably better from a security perspective, we would have the answer to our question.

There are two obvious ways to measure security:

* What are the chances of any member of the CIA triad being violated?
* How many actual vulnerabilities are there in a product?

Let's take a look at both of these approaches. The problem is that the former is a combination of the quality of the software under test, the number and type of attackers targeting that software, and how the box is configured, administered, and used.
Thus, if "more secure" simply means measuring the probability of compromise, it might be possible to conclude that MS-DOS with a TCP/IP stack is more secure than a fully patched Windows XP box, simply because the number of attackers looking for MS-DOS machines is now vanishingly small. While the measure is pragmatic, it tells us a lot about the ubiquity of the system and the talent and number of its attackers.

Discarding this approach leaves us with the latter of our two approaches: counting vulnerabilities in the code. Even here, it's not obvious how to proceed, as we don't have direct measures of actual vulnerability counts; we have information only about the number of vulnerabilities that are publicly disclosed. Thus, like the first approach, this one doesn't provide an objective measure of security; it also considers external factors (such as attacker profile).

A variation of this approach is known as "days of risk," which is literally counting the elapsed time between vulnerability disclosure and remediation. Defining remediation is a difficult task. Does turning off a noncritical service count as temporarily "fixing" the problem, or does only a "sanctioned" patch supported by the vendor constitute remediation? This would depend on the service provided and the needs of the user. Even if we can agree on remediation, the number of attackers plays a critical role in determining the total days of risk. Despite this, the approach is tremendously practical because it takes into account the fact that actually exploiting a vulnerability is relatively rare until the vulnerability is publicly known.[1] It's a practical measure, however, and as such, doesn't speak directly to inherent security properties, but pragmatic ones. Note here that days of risk are traditionally counted from the date the vulnerability is publicly available, not the date an exploit is known.
Although one can argue that knowledge of the vulnerability is meaningless in the absence of an exploit, it is often difficult to determine when an exploit became "public," as many members of the black-hat community keep such information under close guard. Thus, vulnerability date is the most objective - and therefore repeatable - measure (even if it is not as desirable as the exploit date).

Even based on this short discussion, it's clear that accurately measuring security will mean different things to different people. Thus, for the purposes of this article, it's reasonable to accept that we can't (yet) measure the inherent security outcomes of open/closed source processes in an ordinal way. This means that our "experimental" approach to determining which approach leads to better security is off the table: until the science matures, we will have to examine the pros and cons of each approach independently and try to balance them ourselves.

Open Source, Closed Source

Put simply, the open source process can be thought of as an approach where the source code to products/executables is provided. In contrast, closed source approaches restrict source-code access to just the developers of the product and other chosen individuals (usually under the constraints of a nondisclosure agreement). In both worlds, many finer distinctions can be made. For example, some open source projects restrict development to a small cadre of programmers; others allow anyone to contribute. Source code access, however, is the key distinction between the approaches. Note also that neither case requires software to be free nor "for fee" - though the open source world is generally friendlier in terms of licensing.

Perhaps appropriately for the open source community, a more precise definition of open source varies from person to person. At its simplest, open source refers to the practice of providing the source code for programs.
Furthermore, most proponents of the open source approach would agree that the distributed source code should be legally modifiable and redistributable (with some license restrictions). Thus, users have the ability to inspect and modify programs they use. (A far more complete definition is provided at http://www.opensource.org.) In contrast, the closed source approach seals the program code. As such, derivative works are usually legally prohibited.

Proponents of both camps may object to the simplicity of my definitions: they do capture the essence of both approaches but fail to capture the culture that surrounds them. Culturally, closed source represents traditional corporate software developers. When we think of open source, however, we tend to think of volunteers working as a collective, free software, and community projects. Open source structures are fluid; closed ones rigid. While this is something of a caricature, like all good sketches, it does catch some of the "feel" of the movement.

Inherent Security Properties

Armed now with an understanding of the question, it is time to examine the relative merits of the two approaches from a security perspective. Clearly, others have undertaken this process (for a slightly different perspective, for example, see Ross Anderson[2]); however, there are many issues that are not addressed completely. As such, we begin by considering the most basic difference between the development methodologies: one can examine the source code of an open source project. Pragmatically, this is of use to both the attacker and the defender.

From the attacker's point of view, code availability means that there is complete disclosure on how a particular feature is implemented. Furthermore, it means that discussion of weaknesses and design decisions often happens in the open (see the "Disclosure Models" section later in this article).
Thus, open source products allow the attacker a white-box view of the product and, potentially, associated problems. When a security patch is made available, it is trivial for the attacker to determine exactly what was fixed.

From the perspective of the defender, open source also has advantages. Perhaps most importantly, it allows for code inspection. Thus, if the defender really wants to know that a particular feature is secure, he or she can simply examine the code - provided, of course, that the defender has the necessary security knowledge to spot a problem. Second, there is a sense that because many people can review the code, the code is inherently higher quality - as framed by Eric S. Raymond in his now-famous quote, "Given enough eyeballs, all bugs are shallow."[3] Finally, features that are problematic in a particular environment can be turned off by a sufficiently skilled programmer. Thus, when a vulnerability is found, the user doesn't have to wait for a sanctioned patch: anyone can make the requisite changes to the code base.

From an attacker's perspective, closed source means that only a small part of a given community has access to the code. Thus, to understand the internals, the attacker must reverse-engineer the binary; such a process is time consuming and, in the case of software that has been protected from such reverse engineering, nontrivial. Furthermore, design mistakes may be harder to spot, as grasping the entire form of a large application is quite difficult when working only with compiled code.

Things are equally double-edged for the defender. When using a closed source product, the user is left entirely at the mercy of the code developer in terms of functionality changes or security patches. Thus, when a vulnerability is announced, the options for the defender are limited. Once again, differences in disclosure models help mitigate this somewhat, but ultimately, the user is left trusting the vendor.
Self-help is not a practical option; code cannot be screened internally for structures that are worrisome in particular environments. Of course, these issues are compounded if the code to a closed source product is leaked; then the attacker has many of the benefits of the approach, with few of the downsides.

These fundamental properties are painted with a fairly broad brush, but in essence they encapsulate the systematic differences between the techniques in terms of attacker and defender. Space precludes a thorough examination of these differences, so we will turn our attention to the two that seem to have the most impact: vulnerability disclosure models and trust/validation.

Disclosure Models

One key difference between open and closed source processes is the vulnerability disclosure model that is typically shared within them. As open source's nature is openness, when vulnerabilities are repaired it is trivial for an attacker to see exactly what was repaired and work back to the vulnerability and (probably) a working exploit. In the closed source world, it might not even be clear that a vulnerability existed or was fixed. Because of this, open source tends to do badly from the perspective of "days of risk," where one counts the time between the disclosure of a vulnerability and an "approved" fix. Some may find this unfair, but pragmatically history shows that the window between the public availability of a vulnerability/exploit and its patch is a difficult and dangerous time. In addition, while it is entirely possible (and practiced in several open source communities) to embargo security bug disclosure until a patch is available, the practice of no disclosure is still rarer in the open source community than the closed source community. In addition, the problem is compounded by the many different Linux distributions that contain open source components.
If a component is updated by its creators, it is impractical to wait until all distributions that use it are ready to issue a validated patch.

The difference in disclosure models is a difficult problem for open source processes to solve. While one can argue that users can fix problems as they arise (thus, as soon as the problem is disclosed, the user writes a patch for his or her own use), this is a little far-fetched. Most users aren't programmers, and those who are usually aren't security experts. Thus, closed source benefits from its "closed" nature in this aspect - its worldview centers on keeping certain "secrets" secret. Conversely, the open source world is based around information exchange. Changing the open source worldview on this matter with respect to security is really the crux of the solution but is somewhat in contradiction to the culture. Despite the solid progress several open source projects are making in this area (bugs are increasingly discussed in private, not in public forums), as soon as a patch is released it is trivial to determine the exact details of the patch. This makes developing an exploit for the previous version much simpler.

Trusting Trust

Ken Thompson's paper "Reflections on Trusting Trust" is as important today as it was when first penned in 1984.4 Thompson illustrated the trust assumptions we make when deciding on security-related issues. Ultimately, he argues, we're trusting far more than we might realize. The same argument holds when considering open/closed source security. Classically, security people tend to think of the attacker as either a malicious insider or a third party. It's also possible, however, to think of the software vendor - in its entirety - as untrustworthy (because one suspects the vendor is either malicious or incompetent). What then? This change of focus in terms of trust can be a little startling, but isn't entirely far-fetched. It doesn't even require malfeasance on the part of the vendor.
Consider a well-meaning (but foolish) vendor who, during an install, disables a critical piece of security software, with the intent of restoring it at the end of the install. Such a vendor could be unwittingly placing the user at risk. Incidents such as the Sony rootkit, used for DRM (digital rights management) purposes, also emphasize the sometimes misplaced trust placed in vendors. In each case, the closed source nature of the project put the user in jeopardy because there was no way - aside from reverse engineering - to determine the real functionality of the software. There is also the issue of unethical vendors deliberately sneaking adware onto your computers under the guise of a "utility." Vendors aren't inherently trustworthy, and anyone who blindly makes the assumption that they are is either in denial or naïve.

In the case of an untrustworthy vendor, open source provides at least a mechanism by which a concerned entity can verify (within reason - remember the implications of Thompson's paper) that all is well. Going to the trouble of auditing the entire code base for a project isn't justified in many cases, but I can provide an example that is difficult to refute: voting software. The idea of trusting a single vendor with the legitimacy of elections is, frankly, terrifying. With so much at stake, voting software must be verified by source inspection - who would trust a black-box approach to voting? Clearly, in the case of such software, an open source approach provides at least a mechanism by which the software's veracity can be verified. Does one vote entered tally up with one vote counted in all scenarios? Although the process is nontrivial in an open source world, it's really very challenging in a closed source scenario where one must resort to reverse-engineering the system. Thus, in some cases, it seems the open source approach clearly has the edge.

An interesting counterpoint can be found in security software. Consider antivirus software.
While much antivirus software is signature-based, many different incarnations of generic virus protection exist that attempt to apply different techniques to stop new viruses. Such software is important, as it provides a first line of defense against rapid worms, which can become pandemic minutes after their initial release. Generally, such software is not theoretically secure - it is heuristic in nature and can be bypassed by an attacker with sufficient knowledge. This being the case, an open source approach is probably less attractive than a closed source one. Let's at least make the life of the attacker a bit harder. If that sounds like security through obscurity, hold on to your seat for a moment: it is.

Security Through Obscurity?

The idea of "security through obscurity" has a horrible reputation among software engineers. I can still remember mentors through the years drumming into my head the idea that security by obscurity is no security at all (I expect that some of those fine scientists will contact me as they read this article to see where they went wrong in my education), but my belief is that the entire argument is highly contextual. For example, passwords are the perfect example of "acceptable" security through obscurity: they are useful only if the attacker doesn't know them.

Again, let me illustrate my position by using an example: DRM software. Any time one is attempting to protect software from unauthorized copying, one runs into the idea of security through obscurity. Essentially, if the computer can run the software, it's almost certainly going to be possible to copy it. Similarly, with a copy-protected document, if all else fails, I can always take a picture of my screen. Almost all DRM software is, at some level, security through obscurity: the bar is set only so high. The trick is making sure it is high enough to deter most attackers.
Similarly, the protection offered by Microsoft Windows Vista's much-discussed Kernel Patch Protection is of far less value if the source code is available. This would allow attackers to chart the fastest route around it.

A counterpoint once again highlights the context I'm talking about: encryption. As computer scientists, we can make encryption arbitrarily difficult to break given currently known technology. If breaking the code involves factoring a very large number, I can make good predictions of how much effort an attacker needs to spend, and that time doesn't really depend on the attacker's knowledge of my software or algorithm. For such software, the best route to security is to publish the algorithm and let it be independently verified.

So, what's the difference? The difference between these cases is simple: determinism. In the case of the encryption software, the outcome is deterministic. Knowing everything about the mechanism doesn't compromise the security of the outcome. In contrast, for antivirus software the system is heuristic. As such, some things benefit from disclosure, and some things don't. In these two cases, it's obvious. Unfortunately, that's the exception, not the rule. The problem is that many systems contain aspects that are heuristic and aspects that are deterministic.

For a word processor, the question is different. You might like your word processor to work reliably, but the truth is that it contains bugs, and, potentially, security vulnerabilities. The closed source approach makes it expensive for anyone other than the developer to find those bugs. The open source approach means it's easy for anyone trained in secure coding practices to find weaknesses. Both of these properties are double-edged, and it's not clear which provides the best long-term outcome.

Conclusion

Part of the reason why this topic is interesting is because it is difficult: there are arguments on both sides that are compelling.
By being able to understand the nuances of the question better, different aspects begin to become clear. Both development methodologies have intrinsic properties: which set of properties most appropriately fits for a particular application is contextual. Unfortunately, the cases where one is clearly better than the other are few and far between. Most software sits somewhat uncomfortably between the two. In such cases, the makeup, philosophy, and training of the team behind the software are far more important than whether the project is open or closed source. Both methods can be done well, and both can be done badly. Understanding where each method is strong and where it is weak is the first step toward process improvement. Instead of focusing on either/or decisions, perhaps it is ultimately more fruitful to follow both, using each where appropriate. Software engineering is a young discipline; time will answer if we approach the question with full knowledge of our assumptions and shortcomings.

References

1. Arbaugh, W. A., Fithen, W. L., McHugh, J. 2000. Windows of vulnerability: A case study analysis. IEEE Computer 33 (December): 52-59.
2. Anderson, R. J. 2002. Security in open versus closed systems - the Dance of Boltzmann, Coase and Moore. Presented at Open Source Software Economics.
3. Raymond, E. S. 1999. The Cathedral and the Bazaar. Sebastopol, CA: O'Reilly.
4. Thompson, K. 1984. Reflections on trusting trust. Communications of the ACM 27(8): 761-763.

RICHARD FORD graduated from the University of Oxford in 1992 with a D.Phil. in quantum physics. Since that time, he has worked extensively in the area of computer security and malicious mobile code prevention. Previous projects include work on the Computer Virus Immune System at IBM Research and development of the world's largest Web hosting system while director of engineering for Verio.
Ford is an associate professor at Florida Institute of Technology, where he is the director of the Center for Security Sciences. His research interests include malicious mobile code, behavioral worm prevention, security metrics, and computer forensics. Ford is executive editor of Reed-Elsevier's Computers and Security, Virus Bulletin and co-editor of a column in IEEE Security and Privacy.

From rforno at infowarrior.org Tue Feb 6 16:46:21 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 06 Feb 2007 16:46:21 -0500
Subject: [Infowarrior] - Hackers Attack Key Net Traffic Computers
Message-ID:

Feb 6, 3:55 PM EST

Hackers Attack Key Net Traffic Computers

By TED BRIDIS
Associated Press Writer
http://hosted.ap.org/dynamic/stories/I/INTERNET_ATTACKS?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT

WASHINGTON (AP) -- Hackers briefly overwhelmed at least three of the 13 computers that help manage global computer traffic Tuesday in one of the most significant attacks against the Internet since 2002.

Experts said the unusually powerful attacks lasted for hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet. Behind the scenes, computer scientists worldwide raced to cope with enormous volumes of data that threatened to saturate some of the Internet's most vital pipelines.

Experts said the hackers appeared to disguise their origin, but vast amounts of rogue data in the attacks were traced to South Korea.

The attacks appeared to target UltraDNS, the company that operates servers managing traffic for Web sites ending in "org" and some other suffixes, experts said. Company officials did not immediately return telephone calls from The Associated Press.

Among the targeted "root" servers that manage global Internet traffic were ones operated by the Defense Department and the Internet's primary oversight body.
"There was what appears to be some form of attack during the night hours here in California and into the morning," said John Crain, chief technical officer for the Internet Corporation for Assigned Names and Numbers. He said the attack was continuing and so was the hunt for its origin.

"I don't think anybody has the full picture," Crain said. "We're looking at the data."

Crain said Tuesday's attack was less serious than attacks against the same 13 "root" servers in October 2002 because technology innovations in recent years have increasingly distributed their workloads to other computers around the globe.

---

AP Internet Writer Anick Jesdanun contributed to this story from New York.

© 2007 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

From rforno at infowarrior.org Wed Feb 7 08:21:04 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 07 Feb 2007 08:21:04 -0500
Subject: [Infowarrior] - Label Must Pay P2P Defendant's Legal Fees
Message-ID:

Tuesday, 6 February 2007

Scoop: Label Must Pay P2P Defendant's Legal Fees
http://blog.wired.com/music/2007/02/scoop_label_mus.html#more

Debbie Foster, the RIAA file sharing defendant who notoriously took on the organization after it went after her for copyright infringement, has won some amount of the legal fees [see update below] she seeks from the RIAA after having their case against her dismissed last summer.

This is a significant development; the landmark case could have dramatic repercussions for the RIAA's legal campaign against file sharers, since a precedent now exists for the RIAA to compensate wrongfully-sued defendants for their legal costs. (Capitol Records' mistake was to claim Debbie Foster was liable for any infringement occurring on her internet account, regardless of who actually downloaded and subsequently shared the files.)

Listening Post has obtained a copy of Judge Lee R.
West's Order, issued today, in which the judge grants Foster an award of "reasonable attorney fees in this action under § 505 of the Copyright Act," but denies her "attorneys' fees under 28 U.S.C. § 1927."

I'm going to leave the full legal analysis for Listening Post's legal expert Stewart Rutledge, but wanted to post the news right away that Capitol will owe Foster some percentage of her legal fees, which totaled approximately $50,000 [see update below].

What a bad day for major labels... first Steve Jobs tells them he's had it with DRM, and now a judge says they're going to have to pay up if they sue people for sharing files, but then can't prove that the infringement happened.

Stay tuned for exclusive analysis of the Order.

Update: I just spoke with Marilyn Barringer Thomson, Debbie Foster's attorney, who told me that she and her client are "pleased with the outcome," and explained that the judge granting attorneys' fees under the specific Copyright Act was preferable to him granting the fees under the more general 1927 statute (essentially, Thomson's main legal theory triumphed, and her back-up/alternate was denied). Finally, Thomson said that the label will likely owe Foster more than $50,000, since today's Order allows her to supplement the attorneys' fees total to include additional time spent on the case.

From rforno at infowarrior.org Wed Feb 7 09:48:35 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 07 Feb 2007 09:48:35 -0500
Subject: [Infowarrior] - Who Watches The Watchers In Surveillance Society?
Message-ID:

Who Watches The Watchers In Surveillance Society?
By Reuters
InformationWeek
Sun Feb 4, 9:08 PM ET
http://news.yahoo.com/s/cmp/20070205/tc_cmp/197003126

CHICAGO - In some cities in Europe and the United States, a person can be videotaped by surveillance cameras hundreds of times a day, and it's safe to say that most of the time no one is actually watching.
But the advent of "intelligent video" -- software that raises the alarm if something on camera appears amiss -- means Big Brother will soon be able to keep a more constant watch, a prospect that is sure to heighten privacy concerns.

Combining motion detection technology with the learning capabilities of video game software, these new systems can detect people loitering, walking in circles or leaving a package. New microphone technology can isolate the sound of a gunshot and direct the attached camera to swivel and zoom in on the source. Sensitivity may reach the point where microphones could pick out the word "explosives" spoken in a crowd.

"There's just not enough personnel to watch every single camera," said Chicago emergency operations chief Andrew Velasquez. "We are piloting analytic software right now ... where you can set that particular camera to watch for erratic behavior, or someone leaving a suitcase on the sidewalk."

Since the attacks on the United States of Sept. 11, 2001, sections of New York, Washington, Los Angeles, Chicago and even a few smaller U.S. towns have been blanketed with closed-circuit cameras. Privately owned cameras are also proliferating.

FALSE POSITIVES

The encroachment on privacy in what civil libertarians call a "surveillance society" may be a price willingly paid by citizens who fear terrorism and crime. But ever-alert software capable of maintaining a continuous "watch" on security cameras multiplies the risks of harassing innocent people, privacy experts say.

"I don't buy it. The number of false positives are going to be astronomical," said David Holtzman, author of "Privacy Lost." "It's extremely dangerous to abrogate legitimate law enforcement authority ... to a camera."

In Chicago's darkened, windowless surveillance center, Velasquez looks forward to using new technology, which has had some success elsewhere.
The port of Jacksonville, Florida, has dispensed with human monitoring of cameras altogether by sending alerts and live video to the personal digital assistant of the nearest officer on patrol, according to a spokesman for ObjectView Inc.

ObjectView is one of two dozen companies seeking to perfect so-called intelligent video -- an industry whose sales will grow from $60 million to $400 million within five years, according to global consulting group Frost & Sullivan.

Meanwhile, Texas is evaluating a pilot program in which it allowed Internet access to video of unmanned sections of its border with Mexico and urged viewers to send an e-mail if they spotted something.

"The cameras don't replace police officers. They are in essence a force multiplier. They serve as an extra set of eyes," Velasquez said.

OGLING

The Chicago center is manned 24 hours a day by veteran police officers. A dozen screens depict a few street corners and a stadium, while others are tuned to cable news or Web sites. They can retrieve video from thousands of cameras and their universe is expanded by private cameras owned by cooperating buildings and stores, but they can monitor only a few at a time.

Velasquez said his officers receive training on privacy and constitutional rights -- for example it is illegal to look into private homes and offices -- and digital recordings hold his officers accountable and prevent abuses that have occurred elsewhere.

In Britain, which has 4.2 million government security cameras, 2 million in London alone, a study showed that male surveillance workers sometimes ogled women on their screens, while others focused on minorities excessively.

But privacy experts also note another British study, from 2002, which said surveillance cameras did not lower overall crime rates, and merely pushed crime elsewhere.

"Cameras are great tools for solving crime. They're not really that helpful in preventing crime," said Ed Yohnka of the American Civil Liberties Union.
Velasquez disputed the conclusion that cameras don't prevent crime, saying he constantly fields requests from residents asking for a camera to make their neighborhood safer.

He said cameras contributed to a drop in violent crime in the city of Chicago in recent years, a drop that is widely attributed to improved police work in countering gangs and street-corner drug dealing. At the same time, gang activity has surged in some Chicago suburbs.

The city's prosecutors said they rarely use video evidence in court from the cameras, which are encased in bulletproof boxes topped by blue flashing lights and are a common sight in crime-ridden neighborhoods. Downtown, the cameras are less obtrusive, though a pair mounted on a park fountain was removed after an outcry that they defiled the art.

Holtzman, the privacy expert, wondered where the line will be drawn if authorities opt to use the cameras to spy on suspects or to sniff out low-level crimes. There are no legal barriers to video being subpoenaed by, for instance, a divorce lawyer seeking evidence of infidelity, he said.

"I think there's a certain amount of freedom you want to give people that live in the city to kind of screw up a little bit," he said.

By: Andrew Stern
Copyright 2006 Reuters.

From rforno at infowarrior.org Wed Feb 7 09:49:47 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 07 Feb 2007 09:49:47 -0500
Subject: [Infowarrior] - Senator to propose surveillance of illegal images
Message-ID:

Senator to propose surveillance of illegal images
By Declan McCullagh
http://news.com.com/Senator+to+propose+surveillance+of+illegal+images/2100-1028_3-6156976.html
Story last modified Wed Feb 07 06:24:37 PST 2007

A forthcoming bill in the U.S. Senate lays the groundwork for a national database of illegal images that Internet service providers would use to automatically flag and report suspicious content to police.

The proposal, which Sen.
John McCain is planning to introduce on Wednesday, also would require ISPs and perhaps some Web sites to alert the government of any illegal images of real or "cartoon" minors. Failure to do so would be punished by criminal penalties including fines of up to $300,000.

The Arizona Republican claims that his proposal, a draft of which was obtained by CNET News.com, will aid in investigations of child pornographers. It will "enhance the current system for Internet service providers to report online child pornography on their systems, making the failure to report child pornography a federal crime," a statement from his office said.

To announce his proposal, McCain has scheduled an afternoon press conference on Capitol Hill with Sen. Chuck Schumer, a New York Democrat; John Walsh, host of America's Most Wanted; and Lauren Nelson, who holds the title of Miss America 2007.

Civil libertarians worry that the proposed legislation goes too far and could impose unreasonable burdens on anyone subject to the new regulations. And Internet companies worry about the compliance costs and argue that an existing law that requires reporting of illicit images is sufficient.

The Securing Adolescents from Exploitation-Online Act (PDF) states ISPs that obtain "actual knowledge" of illegal images must make an exhaustive report including the date, time, offending content, any personal information about the user, and his Internet Protocol address. That report is sent to local or federal police by way of the National Center for Missing and Exploited Children. The center received $32.6 million in tax dollars in 2005, according to its financial disclosure documents.

SAFE Act FAQ

Who must comply? "Any service which provides to users thereof the ability to send or receive wire or electronic communications." (18 USC 2510)

Who must be alerted? Federal and state police through the National Center for Missing and Exploited Children.

What images must be reported?
Illegal images of minors, which includes clothed teens in "lascivious" poses, according to the Justice Department. Obscene "cartoons" and "drawings" also qualify. (18 USC 1466A)

What information must be included? Basically everything the reporting person knows about the image and who posted it.

Penalties for not reporting? Criminal penalties including fines of up to $300,000.

Afterward, the center is authorized to compile that information into a form that can be sent back to ISPs and used to assemble a database of "unique identification numbers generated from the data contained in the image file." That could be a unique ID created by a hash function, which yields something akin to a digital fingerprint of a file.

Details on how the system would work are missing from McCain's legislation and are left to the center and ISPs. But one method would include ISPs automatically scanning e-mail and instant messaging attachments and flagging any matches.

The so-called SAFE Act is revised from an earlier version (PDF) that McCain introduced in December.

< - >

http://news.com.com/2102-1028_3-6156976.html?tag=st.util.print

From rforno at infowarrior.org Wed Feb 7 20:19:14 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 07 Feb 2007 20:19:14 -0500
Subject: [Infowarrior] - Wargamer Can Keep WarGames.com
Message-ID:

Wargamer Can Keep WarGames.com
http://blog.wired.com/27bstroke6/2007/02/wargamer_can_ke.html

In MGM's bid to seize control of Wargames.com from an entrepreneur with an online war gaming store, the only winning move was not to play.

Rogers Cadenhead registered Wargames.com in 1998 and didn't use it until MGM started complaining last September that he was infringing the studio's trademark. MGM began the domain dispute resolution process to attempt to wrest control of the web address from Cadenhead.
The studio is shooting a sequel to the 1983 classic WarGames called WarGames 2: The Dead Code, which likely explains its sudden interest in Wargames.com a quarter-century after the fact.

But Cadenhead provided arbitrators with proof that he'd taken concrete steps toward launching a business selling military simulation games, and he did it two years before MGM raised any issues. Based largely on that, the National Arbitration Forum, which heard the case, has ruled that Cadenhead is not a domain squatter, and can keep Wargames.com.

"The phrase 'war games' existed in the vernacular for centuries before Complainant made a film," the ruling reads. "Respondent's knowledge of Complainant's film in no way establishes his intent to make a bad faith or competitive use of Complainant's trademark."

MGM loses. How about a nice game of chess?

From rforno at infowarrior.org Wed Feb 7 20:20:13 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 07 Feb 2007 20:20:13 -0500
Subject: [Infowarrior] - Conservatives to scrap UK ID cards
Message-ID:

Conservatives to scrap UK ID cards
By Rob Miller
Posted: February 6, 2007 3:39 pm
http://www.homelandstupidity.us/2007/02/06/conservatives-to-scrap-uk-id-cards/

The Conservative party in Britain will scrap Tony Blair's planned compulsory ID card scheme if it wins the next election, according to a statement by Shadow Home Secretary David Davis.

The Labour Party's proposed scheme would create a nationwide database of biometric data and personal information, linked to existing databases detailing citizens' private data. Its estimated cost will be around £10.6-£19.2 billion ($20.9-$37.8 billion), and registration will be compulsory for all citizens over 16 or visitors staying for over three months.

The scheme has met with outrage among many proponents of civil liberties: however, it also has some public support. In March 2003, for example, the scheme was favoured by 61% of the public; this has since fallen to around 50%.
While welcomed by many, it's difficult to see whether or not this move will help or hinder the Conservatives in the next general election. The announcement is just one part of an attempt by the Conservative party to paint themselves as "the party of civil liberties"; Davis recently compared the Labour party's 90-day detentions of terrorist suspects to the internment of civilians under Ugandan dictator Idi Amin, for example.

There was also more than a hint of party politics in the announcement, too: Davis was quick to point out the failings of the Labour government under Blair, calling them "a government desperate to clutch at any measure that might make it look robust and competent". Labour were quick to respond, with Home Secretary John Reid claiming that the Conservatives "talk tough while acting soft", and that measures such as the ID scheme would be a "key tool" in Britain's fight against terrorism. According to Reid, the Conservatives "can't be trusted with Britain's safety".

Regardless of its impact on public opinion, the announcement has once again brought the debate over civil liberties to the forefront of public discourse. With patience for Labour's War on Terror growing thin, will this be a catalyst for a Conservative government in 2009 or 2010? Only time will tell.

From rforno at infowarrior.org Wed Feb 7 22:42:00 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 07 Feb 2007 22:42:00 -0500
Subject: [Infowarrior] - VeriSign Adds TLD Servers
Message-ID:

February 8, 2007

VeriSign Moves to Address an Internet Security Problem
By JOHN MARKOFF
http://www.nytimes.com/2007/02/08/technology/08net.html?pagewanted=print

SAN FRANCISCO, Feb. 7 -- To keep up with the growing strains put on the Internet by both legitimate users and online attackers, a Silicon Valley company is undertaking a $100 million expansion of a crucial part of the system that speeds Web users to their destinations.
The company, VeriSign, is a leader in networking infrastructure and manages registration for the .com and .net Internet domains. It is among the stewards of an international system of computer servers running programs that translate domain names like google.com or wikipedia.org into numeric addresses.

But the system is under increasing strain because of the explosion of human and machine Internet users and because of occasional assaults by automated software programs that threaten to overwhelm the ability to respond to routine requests.

VeriSign executives said their expansion project, to be announced Thursday, was crucial because of the increasing role that the Internet plays in basic functions of modern life.

"This isn't just about Web sites anymore, and it's not about online shopping," said Ken Silva, VeriSign's chief security officer. "It's about the way humans communicate and the way everything is interconnected."

The potential challenge was underscored on Tuesday when an automated attack against the domain name system was carried out for several hours by a distributed computer program known as a botnet. The attack initially affected all of the 13 root server systems -- the top level of the hierarchy of interconnected computers -- and then focused for several hours on servers operated by the Internet Corporation for Assigned Names and Numbers, the organization responsible for the Internet address system, and the Pentagon.

The attack impeded but did not halt any of the systems, according to several of the operators. Such attacks make expansion of the name server systems crucial, Mr. Silva said.

The VeriSign project, to be completed by 2010, will offer a tenfold increase in the capacity of two root servers that the company operates and of the infrastructure that supports the .com and .net systems. VeriSign servers, now in 20 regional centers around the world, will be expanded to 70 sites.
The effort would not only improve response time, the company said, but would also make it possible to diagnose and contain Internet attacks more quickly. VeriSign profits indirectly from the growth of Internet traffic from its business managing the .com and .net domains.

In addition to resisting cyber attacks, the enhancement of the root server system is made necessary by the rapid growth in new types of Internet devices, many of which can communicate among themselves without direct human intervention. The company said it expected the number of Internet users to grow from one billion today to 1.8 billion in 2010. Many will reach the Internet with multiple devices, including cellphones, most of which are expected to be Internet-enabled.

From rforno at infowarrior.org Thu Feb 8 00:05:25 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Feb 2007 00:05:25 -0500
Subject: [Infowarrior] - FW: [Dataloss] (article) "We recovered the laptop!" ... so what?
In-Reply-To:
Message-ID:

------ Forwarded Message
From: lyger

http://attrition.org/dataloss/forensics.html

Wed Feb 07 21:55:51 EDT 2007
Jericho and Lyger

In May of 2006, the United States Department of Veterans Affairs publicly disclosed the fact that "Personal data on about 26.5 million U.S. military veterans was stolen from the residence of a Department of Veterans Affairs data analyst who improperly took the material home", prompting a mass concern that the information, if in the wrong hands, could have led to multiple cases of identity theft. At the very least, the fear that even a government entity could have let such sensitive data fall into the wrong hands led many to wonder about the data security of less protected sources. The additional fact that the breach wasn't disclosed for almost three weeks after the theft did little to initially ease those fears.
Weeks later, the stolen laptop and hard drive were recovered from the back of a truck at a black market sale and sent to the United States Federal Bureau of Investigation for analysis. At the end of June 2006, the FBI issued a declaration that "the personal data on the hardware was not accessed by thieves" to which VA Secretary R. James Nicholson stated "This is a reason to be optimistic. It's a very positive note in this entire tragic event."

The question that needs to be asked, however, is how could they be absolutely sure that the data wasn't accessed? Simply because the FBI said so?

[...]

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 562 incidents over 7 years.

From rforno at infowarrior.org Thu Feb 8 20:20:39 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Feb 2007 20:20:39 -0500
Subject: [Infowarrior] - The brain scan that can read people's intentions

The brain scan that can read people's intentions
Call for ethical debate over possible use of new technology in interrogation

Ian Sample, science correspondent
Friday February 9, 2007
The Guardian
http://www.guardian.co.uk/frontpage/story/0,,2009229,00.html

A team of world-leading neuroscientists has developed a powerful technique that allows them to look deep inside a person's brain and read their intentions before they act. The research breaks controversial new ground in scientists' ability to probe people's minds and eavesdrop on their thoughts, and raises serious ethical issues over how brain-reading technology may be used in the future.

The team used high-resolution brain scans to identify patterns of activity before translating them into meaningful thoughts, revealing what a person planned to do in the near future. It is the first time scientists have succeeded in reading intentions in this way.
"Using the scanner, we could look around the brain for this information and read out something that from the outside there's no way you could possibly tell is in there. It's like shining a torch around, looking for writing on a wall," said John-Dylan Haynes at the Max Planck Institute for Human Cognitive and Brain Sciences in Germany, who led the study with colleagues at University College London and Oxford University.

The research builds on a series of recent studies in which brain imaging has been used to identify tell-tale activity linked to lying, violent behaviour and racial prejudice. The latest work reveals the dramatic pace at which neuroscience is progressing, prompting the researchers to call for an urgent debate into the ethical issues surrounding future uses for the technology.

If brain-reading can be refined, it could quickly be adopted to assist interrogations of criminals and terrorists, and even usher in a "Minority Report" era (as portrayed in the Steven Spielberg science fiction film of that name), where judgments are handed down before the law is broken on the strength of an incriminating brain scan.

"These techniques are emerging and we need an ethical debate about the implications, so that one day we're not surprised and overwhelmed and caught on the wrong foot by what they can do. These things are going to come to us in the next few years and we should really be prepared," Professor Haynes told the Guardian.

The use of brain scanners to judge whether people are likely to commit crimes is a contentious issue that society should tackle now, according to Prof Haynes. "We see the danger that this might become compulsory one day, but we have to be aware that if we prohibit it, we are also denying people who aren't going to commit any crime the possibility of proving their innocence."

During the study, the researchers asked volunteers to decide whether to add or subtract two numbers they were later shown on a screen.
Before the numbers flashed up, they were given a brain scan using a technique called functional magnetic resonance imaging. The researchers then used software that had been designed to spot subtle differences in brain activity to predict the person's intentions with 70% accuracy.

The study revealed signatures of activity in a marble-sized part of the brain called the medial prefrontal cortex that changed when a person intended to add the numbers or subtract them. Because brains differ so much, the scientists need a good idea of what a person's brain activity looks like when they are thinking something to be able to spot it in a scan, but researchers are already devising ways of deducing what patterns are associated with different thoughts.

Barbara Sahakian, a professor of neuro-psychology at Cambridge University, said the rapid advances in neuroscience had forced scientists in the field to set up their own neuroethics society late last year to consider the ramifications of their research.

"Do we want to become a 'Minority Report' society where we're preventing crimes that might not happen?" she asked. "For some of these techniques, it's just a matter of time. It is just another new technology that society has to come to terms with and use for the good, but we should discuss and debate it now because what we don't want is for it to leak into use in court willy nilly without people having thought about the consequences.

"A lot of neuroscientists in the field are very cautious and say we can't talk about reading individuals' minds, and right now that is very true, but we're moving ahead so rapidly, it's not going to be that long before we will be able to tell whether someone's making up a story, or whether someone intended to do a crime with a certain degree of certainty."
Professor Colin Blakemore, a neuroscientist and director of the Medical Research Council, said: "We shouldn't go overboard about the power of these techniques at the moment, but what you can be absolutely sure of is that these will continue to roll out and we will have more and more ability to probe people's intentions, minds, background thoughts, hopes and emotions.

"Some of that is extremely desirable, because it will help with diagnosis, education and so on, but we need to be thinking the ethical issues through. It adds a whole new gloss to personal medical data and how it might be used."

The technology could also drive advances in brain-controlled computers and machinery to boost the quality of life for disabled people. Being able to read thoughts as they arise in a person's mind could lead to computers that allow people to operate email and the internet using thought alone, and write with word processors that can predict which word or sentence you want to type. The technology is also expected to lead to improvements in thought-controlled wheelchairs and artificial limbs that respond when a person imagines moving.

"You can imagine how tedious it is if you want to write a letter by using a cursor to pick out letters on a screen," said Prof Haynes. "It would be much better if you thought, 'I want to reply to this email', or, 'I'm thinking this word', and the computer can read that and understand what you want to do."

FAQ: Mind reading

What have the scientists developed?
They have devised a system that analyses brain activity to work out a person's intentions before they have acted on them. More advanced versions may be able to read complex thoughts and even pick them up before the person is conscious of them.

How does it work?
The computer learns unique patterns of brain activity or signatures that correspond to different thoughts. It then scans the brain to look for these signatures and predicts what the person is thinking.

How could it be used?
It is expected to drive advances in brain-controlled computers, leading to artificial limbs and machinery that respond to thoughts. More advanced versions could be used to help interrogate criminals and assess prisoners before they are released. Controversially, they may be able to spot people who plan to commit crimes before they break the law.

What is next?
The researchers are honing the technique to distinguish between passing thoughts and genuine intentions.

From rforno at infowarrior.org Thu Feb 8 20:30:06 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Feb 2007 20:30:06 -0500
Subject: [Infowarrior] - GAO: Lawyers stonewall Homeland Security oversight

GAO: Lawyers stonewall Homeland Security oversight
By Michael Hampton
Posted: February 8, 2007 6:09 am
http://www.homelandstupidity.us/2007/02/08/gao-lawyers-stonewall-homeland-security-oversight/

The Government Accountability Office, which investigates waste, fraud and abuse in federal government agencies, reported Tuesday that its attempts to audit and investigate the Department of Homeland Security have been frustrated by the department's lawyers.

"DHS has not been receptive towards oversight and its delays in providing Congress and us with access to various documents and officials have impeded our work," GAO head David Walker testified (PDF) before the House Appropriations Subcommittee on Homeland Security.

Walker, joined by the department's inspector general, said that department officials, and especially the office of general counsel, had delayed investigations and demanded to be present during employee interviews, in order to intimidate those employees.

"Every document we seek to review has to be reviewed (first) by the general counsel's office," Walker added. He said the department's general counsel wants to "sit in on every interview," which he deemed inappropriate. Walker said when there are more lawyers than other staff involved, "you've got problems."
"I agree wholeheartedly," said Inspector General Richard Skinner. "It's not a denial of information, but it's very cumbersome to obtain information." Skinner also said that having a supervisor or attorney present when his office interviews an employee "sets a chilling effect" and tells the employee he's presumed not to be a team player. Until his resignation last month, the general counsel was Phil Perry, son-in-law of Vice President Dick Cheney. -- Associated Press

The general counsel's office insisted on reviewing "sensitive" documents before releasing them to Congressional investigators or to the inspector general, a cumbersome process which Skinner said was "structured to delay, delay, delay."

A Homeland Security spokesman said that the statements were inaccurate and unfair.

In December, the inspector general released a semiannual report on its activities, including investigations and prosecutions of DHS employees for criminal activities. One wonders if this is what Perry worried so much about investigators digging into.

Morale in the Department of Homeland Security is the lowest of any government agency, and has been persistently low since the department's creation in 2003. I wonder why.

From rforno at infowarrior.org Fri Feb 9 17:01:27 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 09 Feb 2007 17:01:27 -0500
Subject: [Infowarrior] - Telecom's New Battleground: Carriers' Proprietary Controls

A Call To Let Your Phone Loose
Telecom's New Battleground: Carriers' Proprietary Controls

By Charles Babington
Washington Post Staff Writer
Friday, February 9, 2007; D01
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/08/AR2007020802169_pf.html

Until federal regulators issued a landmark ruling in 1968, Americans could not own the telephones in their homes, nor attach answering machines or other devices to them.
Now, a growing number of academics and consumer activists say it's time to deliver a similar groundbreaking jolt to the cellphone industry, possibly triggering a new round of customer options and technical innovations to rival the one that produced faxes, modems and the Internet.

Wireless carriers, which limit what customers may do with their phones, say the move is unnecessary and potentially harmful. But in articles, blogs and speeches, a number of researchers are asking why the companies are allowed to force consumers to buy new handsets when they change carriers, pay a specified carrier to transfer photos from a camera phone, or download ring tones or music from one provider only.

"At some point, I think Americans are going to put their foot down and say, 'We won't tolerate this anymore,' " said Dave Passmore, who has written extensively on the issue as an analyst for the Burton Group, a research firm.

Activists who share his view are seizing on an article circulated by Columbia University law professor Tim Wu, an authority on telecommunications issues. Wu, who plans to present the paper Wednesday at a Federal Trade Commission hearing on Internet access, writes that wireless carriers are "aggressively controlling product design and innovation in the equipment and application markets, to the detriment of consumers. Their policies, in the wired world, would be considered outrageous [and] in some cases illegal."

The wireless carriers, however, say that forcing them to open their networks to unfettered use is not needed, because consumers have several options for carriers.

"Wireless is a competitive industry, and consumers enjoy the greatest number of choices among services, devices, calling plans and coverage areas in the entire telecom industry," the main trade group, CTIA -- The Wireless Association, says in a policy statement. "CTIA opposes the recent attempts to supplant competition and market discipline with heavy-handed, anti-consumer regulation."
Verizon Wireless spokesman Jeffrey Nelson also called the industry highly competitive, noting that consumers can choose among numerous handset models and four major providers of cellular service: Verizon, AT&T, Sprint Nextel and T-Mobile. "If you don't like what one company enables," he said, "find somebody else. . . . To suggest it's a locked-down industry is crazy."

Moreover, eliminating controls on the wireless network could undermine its security, said another Verizon Wireless spokesman, John Johnson. His company limits Bluetooth applications in part to prevent illegal access to users' personal information, he said, a problem in some European markets.

It was the Federal Communications Commission that issued the far-reaching 1968 ruling, and some analysts think the current five-member commission is at least willing to listen to Wu, Passmore and others. But in an interview yesterday, FCC Chairman Kevin J. Martin made no commitments. In general, he said, robust competition and choice spur innovation and lower prices for consumers.

For now, at least, Martin said, the major wireless carriers are competing vigorously against each other, and he said he would not favor FCC intervention unless there was evidence that innovation was beginning to suffer and prices were becoming unreasonable. "The jury is still out," said Martin, a Republican appointee. "It's something we're watching."

Some predict the debate will spread quickly beyond academic and political circles. "This paper has the potential to become a huge telecommunications issue," said Art Brodsky, who tracks the communications industry for the advocacy group Public Knowledge. "People now don't understand how limited they are in what they can do with their cellphones. This is a totally ripe issue." Some of Wu's allies say they may use his research to petition the FCC to force wireless providers to loosen their restrictions on phones.
Wu, Passmore and others cite restrictions involving applications like Bluetooth, which facilitates communications among such devices as printers, personal computers and wireless headsets. In an article last year for Business Communications Review, Passmore wrote that Verizon disables "all Bluetooth profiles except wireless headsets and dial-up networking. You can forget about using Bluetooth for synchronizing your phone's calendar or address-phone book-contact information with your PC's. Nor can you move any music or other files between your phone and PC, or move photos off of your phone (unless you're willing to pay Verizon 25 cents apiece for the privilege of using their network for photo transfers)."

Wu, in his 40-page article "Wireless Net Neutrality," notes that AT&T and T-Mobile "lock" their cellphones so users cannot continue using them if they switch carriers. The companies allow customers, upon request, to unlock the phones after a certain time. But Wu says "most consumers have no idea what a phone lock is" in the first place, and therefore don't know that they can reuse their phones.

Some hold up Apple's iPhone as another example of the industry's restrictive practices, because it will operate only on AT&T's mobile service when it goes on sale this summer.

Critics of such restrictions say the FCC should consider applying the so-called "Carterphone" rules to the wireless industry. The 1968 ruling allowed inventor Thomas Carter to attach a device to AT&T phones that would convert two-way radio signals from offshore oil rigs to phone calls. AT&T, then the all-powerful Ma Bell, strenuously objected, saying any non-AT&T device could seriously damage the entire network. The FCC disagreed, and the Carterphone decision became "a kind of Bill of Rights or Magna Carta for telecom users," Passmore recently wrote.
Wireless carriers, however, say today's competitive environment does not resemble Ma Bell's monopolistic power in the 1950s and '60s, and no new Magna Carta is needed. "This whole issue is a giant red herring," said AT&T spokesman Mark Siegel. "This is a fiercely competitive industry," which has grown "almost entirely through the force of competition in the marketplace, more innovative devices and services, and continually lower prices."

From rforno at infowarrior.org Sat Feb 10 22:35:54 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 10 Feb 2007 22:35:54 -0500
Subject: [Infowarrior] - Engineer: GPS Shoes Make People Findable

Engineer: GPS Shoes Make People Findable
Feb 9, 5:04 AM (ET)
By KELLI KENNEDY
http://apnews.myway.com/article/20070209/D8N64ESG0.html

MIAMI (AP) - Isaac Daniel calls the tiny Global Positioning System chip he's embedded into a line of sneakers "peace of mind." He wishes his 8-year-old son had been wearing them when he got a call from his school in 2002 saying the boy was missing. The worried father hopped a flight to Atlanta from New York where he had been on business to find the incident had been a miscommunication and his son was safe.

Days later, the engineer started working on a prototype of Quantum Satellite Technology, a line of $325 to $350 adult sneakers that hit shelves next month. It promises to locate the wearer anywhere in the world with the press of a button. A children's line will be out this summer.

"We call it a second eye watching over you," Daniel said.

It's the latest implementation of satellite-based navigation into everyday life - technology that can be found in everything from cell phones that help keep kids away from sexual predators to fitness watches that track heart rate and distance. Shoes aren't as easy to lose, unlike phones, watches and bracelets.

The sneakers work when the wearer presses a button on the shoe to activate the GPS.
A wireless alert detailing the location is sent to a 24-hour monitoring service that costs an additional $19.95 a month. In some emergencies - such as lost child or Alzheimer's patient - a parent, spouse or guardian can call the monitoring service, and operators can activate the GPS remotely and alert authorities if the caller can provide the correct password.

But the shoe is not meant for non-emergencies - like to find out if a teen is really at the library or a spouse is really on a business trip. If authorities are called and it is not an emergency, the wearer will incur all law enforcement costs, Daniel said.

Once the button is pressed, the shoe will transmit information until the battery runs out.

While other GPS gadgets often yield spotty results, Daniel says his company has spent millions of dollars and nearly two years of research to guarantee accuracy. The shoe's 2-inch-by-3-inch chip is tucked into the bottom of the shoe.

Experts say GPS accuracy often depends on how many satellites the system can tap into. Daniel's shoe and most GPS devices on the market rely on four.

"The technology is improving regularly. It's to the point where you can get fairly good reflection even in areas with a lot of tree coverage and skyscrapers," said Jessica Myers, a spokeswoman for Garmin International Inc., a leader in GPS technology based in Kansas. "You still need a pretty clear view of the sky to work effectively."

Daniel, who wears the shoes when he runs every morning, says he tested the shoes on a recent trip to New Jersey. It tracked him down the Atlantic Coast to the Miami airport and through the city to a specific building. The company also has put the technology into military boots and is in talks with Colombia and Ecuador, he said.

But retail experts say the shoe might be a tough sale to brand-conscious kids.

"If (parents) can get their kids to wear them, then certainly there is a marketplace. But I think the biggest challenge is overcoming ...
the cool marketplace," said Lee Diercks, managing director of New Jersey-based Clear Thinking Group, an advisory firm for retailers.

The GPS sneakers, available in six designs, resemble most other running shoes. The two silver buttons - one to activate and one to cancel - are inconspicuous near the shoelaces. The company is selling 1,000 limited-edition shoes online and already has orders for 750, Daniel said.

Parents who buy the pricey kicks don't have to worry about their kids outgrowing them fast. This fall, the company is unveiling a plug-and-wear version that allows wearers to remove the electronics module from their old shoes and plug it into another pair of Daniel's sneaks.

---
On the Net:
Isaac Daniel: http://www.isaacdaniel.com

From rforno at infowarrior.org Sat Feb 10 22:40:47 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 10 Feb 2007 22:40:47 -0500
Subject: [Infowarrior] - Critics Question Education Department's Screening

February 11, 2007
Critics Question Education Department's Screening
By JONATHAN D. GLATER
http://www.nytimes.com/2007/02/11/washington/11privacy.html?ei=5094&en=63c8532822a1a911&hp=&ex=1171170000&partner=homepage&pagewanted=print

As a condition of his work for the federal government, Andrew A. Zucker was willing to be fingerprinted and provide an employment history. But then he was asked to let federal investigators examine his financial and medical records, and interview his doctors.

Dr. Zucker was not tracking terrorists or even emptying the trash at the Pentagon. He was studying how to best teach science to middle school students. He was stunned at the breadth of the request for information.

"To me, personally, it's shocking," said Dr. Zucker, who worked for a contractor doing research for the Education Department. He withdrew from the job.

For about a year, contractors say, the department has been requiring employees of the thousands of contractors it hires --
many of them academic researchers like Dr. Zucker -- to go through a level of security screening usually reserved for those working with very sensitive information.

Katherine McLane, a department spokeswoman, said the scrutiny was warranted because her agency had access to databases with financial data and other information, including names and social security numbers of students or of applicants to colleges or other programs.

"We want to make sure that the people who handle and have access to this information are responsible, reliable and trustworthy," Ms. McLane said.

The policy is prompting critics to question when a prudent background investigation becomes an invasion of privacy. About 100 researchers, including Dr. Zucker, have signed an open letter of protest to Margaret Spellings, the secretary of education, calling the quest for information "far beyond bounds of reason, necessity, and decency."

Others echo the protests. "These requirements have very little connection with the work that we do," said Michael Knapp, director of the Center for Study of Teaching and Policy at the University of Washington. Mr. Knapp, a former Education Department contractor, called the policy "an example of going overboard."

Gerald Sroufe, director of government relations for the American Educational Research Association, which represents about 25,000 people, most at universities or research organizations and companies, said, "Our concern is really whether or not all the measures that have been introduced are necessary."

But Ed Elmendorf, senior vice president for government relations at the American Association of State Colleges and Universities, said criminal record checks, which are considerably less invasive than the screening required by the Education Department, are becoming "pretty much a standard operating procedure" at many public academic institutions.

Still, efforts to put criminal record checks in place have met with resistance.
Some faculty members protested when the chancellor of the University of Georgia said recently that new hires would be required to undergo a criminal record check.

Although some federal agencies like the Departments of Defense and Homeland Security routinely seek detailed personal information from contractors considered for classified work, others generally do not, unless the contractors are expected to work in federal buildings or have access to federal databases.

At the Agriculture Department, Boyd Rutherford, the assistant secretary for administration, said that if contractors were not in a position of public trust, the department was not asking for a detailed screening. He said that positions of public trust would include those that allowed a contractor access to areas like government information technology.

At the Department of Health and Human Services, which includes the National Institutes of Health, the intensity of background screening also turns on access, said Bill Hall, a spokesman. The lowest-level screening requires running fingerprints through the Federal Bureau of Investigation, performing a criminal records check and determining whether someone had undergone a background check with another government agency.

Ms. McLane, the Education Department spokeswoman, acknowledged that her agency's policy may be stricter than others, but she defended it, saying the department "takes very seriously its responsibility to safeguard information and maintains strong systems that protect confidential data."

Dr. Zucker, a Harvard-trained educator, was a consultant for a subcontractor on a Pennsylvania State University contract with the Education Department. He was developing a procedure to study methods of teaching middle-school science.

"I was just designing a study, so I had no access to data because there was no data," he said.

Kyle L. Peck, associate dean at the College of Education at Penn State, said Dr.
Zucker would have been comparing test scores of students taught using one method with scores of those taught using another. The data would not necessarily have identified individual students. Dr. Zucker said he would not have had access to any databases that would identify individual students. He also did not work in a federal building.

"On the one hand, it makes sense," Dr. Peck said of the screening. "On the other hand, we have institutional review processes that govern educational research that protect the confidentiality, and, I think, make this additional level of security clearance unnecessary."

Many employees asked for information by the Education Department were academics like Dr. Zucker. In some instances, the agency has backed down when its policy was challenged. When Dr. Zucker protested, he said the department excused him from providing access to his medical and financial records. But Dr. Zucker still had reservations about other information the agency required and stopped work on the project.

"I had worked on many Department of Education contracts before," he said, "and other federal contracts from other agencies, and I have 20 years of experience or more in the business, and I had never seen or heard of anything like this."

From rforno at infowarrior.org Sat Feb 10 22:46:40 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 10 Feb 2007 22:46:40 -0500
Subject: [Infowarrior] - A Drawback of the Information Age

A Drawback of the Information Age
From Christian Science Monitor, February 9, 2007
By Jeffrey Shaffer
http://www.freepress.net/news/20962

I'm thinking it might be a good idea for every major city in America to have a guy like Joe Turner on the payroll. He's the fictional CIA agent portrayed by Robert Redford in "Three Days of the Condor," a 1975 thriller that's one of my favorite spy movies. In the film, Joe is a researcher in a clandestine agency office in New York City.
He reads books and other publications from around the globe and picks out information that might indicate an awareness of secret CIA operations. In today's world, he'd also be watching hours of TV, scanning for clues to potential nefarious activities.

Boston could've used a guy like him last month when reports came in about strange electronic objects planted around the city. I feel that Joe would've turned on his police scanner, heard a description of the blinking devices, and immediately called city hall to say, "Don't shut down the highways yet. This sounds like a promotion for Aqua Teen Hunger Force. It's an offbeat animated series with a small audience. This kind of publicity stunt is right up their alley."

Is it possible that no one in the Boston law enforcement bureaucracy is an avid fan of the Cartoon Network? I'm not being sarcastic. I've mentioned in previous columns how hard it is for me to keep up with every detail of modern culture, and obviously I'm not alone in battling this information gap.

The old saying that knowledge is power still holds true, but how does anyone with a thirst for knowledge avoid being drowned by the tsunami of information that crashes over us each day? My fear is that many Americans are sliding into a narrow groove that includes a few topics of personal interest, and everything outside the groove is simply ignored.

A recent Nielsen survey of Internet users found that 12 percent of American respondents had never heard of global warming. I'd like to question those people more closely and learn how they decide what information is useful in their lives and what they don't care about. It's a decision we all face constantly, and it never gets easier.

A recent story in The New York Times explained that 10 publications in Washington carry a total of 14 columns focused on political gossip, up from only three such columns a decade ago.
I wonder what Joe Turner would do if I yanked him out of that movie and put him to work monitoring our cavalcade of modern media outlets? I have a feeling he'd just shake his head and opt for early retirement.

From rforno at infowarrior.org Sat Feb 10 22:47:28 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 10 Feb 2007 22:47:28 -0500
Subject: [Infowarrior] - U.S. calls for more organized cyber response

U.S. calls for more organized cyber response
Robert Lemos, SecurityFocus
2007-02-08
http://www.securityfocus.com/print/news/11441

SAN FRANCISCO -- The United States' top cybersecurity official renewed calls on Thursday for companies to step up and help the federal government manage threats to critical infrastructure and the Internet.

Gregory Garcia, Assistant Secretary for Cyber Security and Telecommunications, told attendees at the RSA Security Conference that the nation still has a long way to go before being ready to respond to a serious cybersecurity incident.

"Our networks are, by and large, interdependent because our networks are interconnected," Garcia said. "Home users, governments, and private companies all need to be aware of their responsibilities."

The number of reported incidents has surged to 23,000 in 2006 from 5,000 in 2005, according to the latest data from the DHS. Moreover, the number of vulnerabilities disclosed to public sources jumped by more than a third in 2006 over the previous year, although most of the flaw reports could be attributed to increased scrutiny of Web applications.

The U.S. government has had a spotty record in dealing with cybersecurity.
Garcia became the first Assistant Secretary of Cyber Security and Telecommunications in September, more than a year after the post was created by Congress. While federal officials and private participants completed the first international cybersecurity exercise in February, eight federal agencies--including the Department of Homeland Security--failed to get passing grades in an annual security audit. Threats continue to multiply, Garcia said. The U.S. Computer Emergency Readiness Team (US-CERT) has monitored as many as 3,000 botnet command and control channels believed to be responsible for millions of compromised machines, he said. Targeted trojan horses, which have attempted to compromise government servers, are on the rise. "Our networks and systems are vulnerable and exposed," Garcia said. "Our adversaries are motivated and sophisticated." Reaching out to companies to aid the nation's fight against cybercrime and cyberattacks is not surprising. The private sector owns more than 80 percent of the critical infrastructure in the United States, including the servers and backbones that make up the Internet. While the government continues to develop cybersecurity expertise among key personnel, not enough federal employees have the knowledge necessary to be part of the 'A' squad, Christopher Painter, deputy chief of the Computer Crime and Intellectual Property Section (CCIPS) at the U.S. Department of Justice, said during a panel discussion on Wednesday. "The bench is not very deep in terms of cyber response," Painter said. The DHS's immediate plans call for the department to work with the companies to deter attacks, develop better response plans and build awareness in specific industries, such as finance and power. It's not too late to help out, Garcia said, adding that interested firms should become familiar with the National Infrastructure Protection Plan. "Companies that have not participated are just in time to jump in with both feet," he told attendees. 
From rforno at infowarrior.org Sun Feb 11 21:29:53 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 11 Feb 2007 21:29:53 -0500 Subject: [Infowarrior] - The Wizards of Buzz Message-ID: The Wizards of Buzz http://www.freepress.net/news/20972 From Wall Street Journal, February 10, 2007 By Jamin Warren and John Jurgensen This winter, many parents across the country are sitting on the floor with slabs of cardboard, box cutters and special rivets, and building pirate ships for their kids. How did this happen? Thank 45-year-old Cliff Worthington. An English teacher in Osaka, Japan, he mentioned the box projects on a popular Web site called Digg.com. Soon, supplies of the rivets needed to make them sold out at MrMcGroovys.com. "It would have taken me a year to sell that many rivets," says Andy McGrew, owner of Mr. McGroovy's, which offers free blueprints for the homemade pirate ships and other projects. The next time you visit a buzzy Web site, see a funny video clip online or read an unusual take on the news, chances are you owe it to someone like Mr. Worthington. A new generation of hidden influencers is taking root online, fueled by a growing love affair among Web sites with letting users vote on their favorite submissions. These sites are the next wave in the social-networking craze popularized by MySpace and Facebook. Digg is one of the most prominent of these sites, which are variously labeled social bookmarking or social news. Others include Reddit.com (recently purchased by Condé Nast), Del.icio.us (bought by Yahoo), Newsvine.com and StumbleUpon.com. Netscape relaunched last June with a similar format. The opinions of these key users have implications for advertisers shelling out money for Internet ads, trend watchers trying to understand what's cool among young people, and companies whose products or services get plucked for notice. It's even sparking a new form of payola, as marketers try to buy votes. 
It's also giving rise to an obsessive subculture of ordinary but surprisingly influential people who, usually without pay and purely for the thrill of it, are trolling cyberspace for news and ideas to share with their network. They include people like 18-year-old Smaran Dayal, a high-school student who submits some 40 stories a week on Digg and has become a go-to source there for news about Apple. Diane Put, a nutritionist in Idyllwild, Calif., known to Netscape users by her handle, "idyll," has become a major source for health-related news on that site, which is viewed by more than 1.9 million people daily. A Reddit user known for scoping out striking images on the Web, Amardeep Sahota recently helped drive about 100,000 unique visitors to one amateur photographer's site. Most sites are based on a voting model. Members look around the Web for interesting items, such as video clips, blog entries or news articles. A member then writes a catchy description and posts it, along with a link to the material, on the site, in hopes that other members find it just as interesting and show their approval with an electronic thumbs-up vote. Items that receive enough votes rise in the rankings and appear on the front page, which can be seen by hundreds of thousands of people. When an item is submitted by a popular or influential member, one whose postings are closely followed by fellow members, it can have a much better shot at making the front page. Marketers and the merely curious have long tried to pin down how phenomena from Beanie Babies to cardio-boxing get popular. Sites like Reddit and Digg now raise the possibility that you can home in on the specific people who generated the early (or, in some cases, the first) buzz. But identifying these influencers is complicated. WHERE TO FIND THE IN CROWD Below, some of the main social bookmarking sites on the Web now. 
Digg: One of the largest social-media sites in terms of submissions, San Francisco-based Digg.com launched in late 2004 and now has about 900,000 registered users and 20 million visitors monthly, the site says. Digg's content leans heavily on technology and science, but to help broaden its appeal, the site recently added new sections for entertainment and podcasts. Reddit: Reddit works similarly to Digg, with people submitting stories and the wider community voting on them. The submitter receives one "karma" point for each positive vote and loses one for each negative vote. Condé Nast's Wired Digital acquired the Cambridge, Mass., company in October. StumbleUpon: Unlike most other social-media sites, StumbleUpon requires users to download a toolbar onto their Web browsers. Click the "Thumbs Up" or "Thumbs Down" buttons when you visit a site you like or don't like and it will automatically post it to your page on StumbleUpon.com. You can also click "Stumble" on the toolbar and be redirected to a site another user has voted on that matches your interests. Del.icio.us: Del.icio.us is essentially a database of users' bookmarked sites. The more other users bookmark a site, the more popular it becomes, and the more likely it is to land on the "hotlist" page. Started in 2003, Del.icio.us was acquired by Yahoo in 2005. Newsvine: Seattle-based Newsvine launched last March with a focus on what has become known as "citizen journalism," amateurs reporting on the news. Users post links they think are interesting, and also post their own articles and opinion pieces, on which others in the community can then submit comments. Netscape: One of the first major Web browsers, Netscape relaunched last June as a social news site similar to Digg. A unit of AOL, it caused a stir last year when it began wooing top users from other social-media sites and paid these "navigators" 
$1,000 a month to submit links. To find the key influencers, The Wall Street Journal analyzed more than 25,000 submissions across six major sites. With the help of Dapper, a company that designs software to track information published on the Web, this analysis sifted through snapshots of the sites' home pages every 30 minutes over three weeks. The data included which users posted the submissions and the number of votes each received from fellow users. We then contacted scores of individual users to find which ones are tracked by the wider community. Though it can take hundreds or thousands of votes to make it onto the hot list at these sites, the Journal's analysis found that a substantial number of submissions originated with a handful of users. At Digg, which has 900,000 registered users, 30 people were responsible for submitting one-third of postings on the home page. At Netscape.com, a single user named "STONERS" (in real life, computer programmer Ed Southwood of Dayton, Ohio) was behind fully 217 stories over the two-week period, or 13% of all stories that reached the most popular list. (Netscape, which gained fame with its namesake browser, is now owned by Time Warner's AOL unit and operates a news site.) On Reddit, one of the most influential users is 12-year-old Adam Fuhrer. At his desktop computer in his parents' home in the quiet northern Toronto suburb of Thornhill, Mr. Fuhrer monitors more than 100 Web sites looking for news on criminal justice, software releases, and the Toronto Maple Leafs, his favorite hockey team. When Microsoft launched its Vista operating system this year, he submitted stories that discussed its security flaws and price tag, which attracted approving votes from more than 500 users. Besides an electric guitar and an iPod, "my favorite thing in the whole world is my computer," says Mr. Fuhrer, who has lately also been studying for his bar mitzvah in June. 
In spite of a content filter his parents use to block him from viewing certain sites (including YouTube), he has managed to consistently make it onto the list of Reddit's highest performers. "I watch my son's page while I'm at work," says his father, Gerald Fuhrer, and "gush about his achievements to my co-workers." Pulling back the curtain on these hidden influencers is a controversial subject. Many of these sites say it can heighten the risk of payola and attempts to game the system. Last summer, some bloggers posted accusations that a cabal of top Digg users were banding together to vote for one another's stories, thereby boosting their profiles. Payola schemes depend on the voting system these sites employ. Some marketing companies promise clients they can get a client front-page exposure on Digg or one of the other social-bookmarking sites in exchange for a fee, according to marketers. To deliver on that promise, the company then recruits members at the site, offering to pay them for thumbs-up votes on the posting that links to the client. If enough paid-off members all vote for that posting, it could theoretically push the client's link onto the front, where it receives wide exposure. Digg and other sites say their systems have safeguards that can detect concerted attempts. Ground zero of this cat-and-mouse game is the headquarters of Digg in San Francisco's Potrero Hill neighborhood. Here, dedicated site monitors track every submission that comes in, looking for restricted content and evidence of users colluding to drive up an entry's popularity or plugging services for pay. Jay Adelson, Digg's 36-year-old co-founder and chief executive, says refining the algorithms that analyze users' votes and determine a submission's popularity rank is a constant process. Last week, Digg took a more dramatic step, pulling down the user rankings that had served as a prod to people on the site to post their best findings. 
"It became a target for those trying to manipulate the system," Mr. Adelson says. On the other side of this battle are companies like User/Submitter.com. The site promises to pay users "easy money" for "digging," or voting on, links on Digg.com. Its offer is simple: Pay User/Submitter $1 for every "digg," or vote, you request and in turn it'll pay a user. Users can earn 50 cents for every three "diggs," and User/Submitter pockets the difference. At any given time, a top submission on Digg has anywhere from 800 to 3,000 votes, meaning a successful campaign could cost thousands of dollars. When contacted by the Journal, representatives of User/Submitter.com declined to identify themselves but said the company has successfully placed items on Digg's home page on behalf of its clients. In December, Digg user Karim Yergaliyev was banned from the site after submitting a link to Jetnumbers, an international phone service provider. Other users who said they were offered compensation by the company to plug it (but didn't accept) had previously notified Digg of the offer. Mr. Yergaliyev, who uses the name "supernova17" online, says he didn't actually receive any compensation from the company. Digg agreed to reinstate him. Jetnumbers says it offered a free trial to 30 Digg users in exchange for a mention on the site. "It's my job to get our name out," says Nathan Schorr, business development manager for the company. Though these sites are undeniably popular, there's ongoing debate about whether the model of filtering content through voting ultimately will pose a challenge to traditional media. Some say the voting-site approach can more quickly distill what's important for busy readers. But critics say it's simply an aggregate of borrowed content and links to a relatively small pool of blogs. And while they sometimes drive traffic to Web sites that are spotlighted, the spike can be temporary. 
"Influence implies that I can change your mind and they're not necessarily doing that," says Duncan Watts, a professor of sociology at Columbia University. For 17-year-old Henry Wang, the job of finding compelling information for Digg's 20 million monthly users starts when tennis practice ends. Mr. Wang, a senior at Illinois Mathematics and Science Academy in Aurora, Ill., says he spends three hours a day doing his Digg work, and highlighted his success on the site (at one point, he was ranked the No. 2 user) on his college applications. After first posting some duds, three months after joining he says he finally figured out what works: Focus primarily on science and technology, fields that a bigger percentage of Digg users are naturally interested in, but throw in the occasional oddball story to stand out. His link to a site that explains the formula behind randomness in computer science earned more than 600 Diggs and a spot on the front page. His next post, a visual comparison of the diameter between objects (protons vs. electrons, among others), also rose quickly. Last year, Mr. Wang took his skills to Netscape, which pays him $1,000 a month to do what he was already doing for free elsewhere. It's his first paying job. Mr. Wang says he doesn't talk about the gig with his friends very often because he doesn't want to rub it in: "They're working long hours at Starbucks and I'm at the computer all day." One site that says it has a lot to thank Henry Wang for is Famster.com. Similar to MySpace.com but aimed primarily at families, Famster allows people to set up their own sites to keep track of everything from photos to family trees and blog entries. When it went live on August 7 of last year, the site says it had only a trickle of visitors. Five days later, Mr. 
Wang posted a link to it on Digg, with the comment, "I can't believe that this site isn't widely known, even with all its features: share photos, stream videos, create a blog, upload files, keep track of RSS feeds... all in Flash... and for free? Ridiculous." More than 1,700 users voted on the link, driving traffic to Famster up to 50,000 unique visitors per day during the week it was on Digg's home page. "I was in awe," says Bryan Opfer, the site's chief technology officer. This article is from Wall Street Journal. From rforno at infowarrior.org Sun Feb 11 21:39:43 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 11 Feb 2007 21:39:43 -0500 Subject: [Infowarrior] - Skype snoop agent reads mobo serial numbers Message-ID: Skype snoop agent reads mobo serial numbers 'Quite normal' feature has been removed http://www.theregister.co.uk/2007/02/11/skype_bios_snoop/ Published Sunday 11th February 2007 22:29 GMT Skype has been spying on its Windows-based users since the middle of December by secretly accessing their system BIOS settings and recording the motherboard serial number. A blog entry made on Skype's website assures us it's no big deal. The snooper agent is the handiwork of a third-party program called EasyBits Software, which Skype uses to manage Skype plug-ins. Among other things, EasyBits offers DRM features that prevent the unauthorized use or distribution of plug-ins, and that's why Skype 3.0 has been nosing around in users' BIOS. Reading the serial number allows EasyBits to quickly identify the physical computer the software is running on. The practice was discontinued on Thursday, when Skype was updated to version 3.0.0.216. "It is quite normal to look at indicators that uniquely identify the platform and there is nothing secret about reading hardware parameters from the BIOS," Skype's blog author, Kurt Sauer, assured us. 
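What a "motherboard serial number read from the BIOS" actually is: on a PC the firmware publishes it in the SMBIOS (DMI) structure table, as a string referenced from the Type 2 (Baseboard Information) structure. The script below is an added example for this list, not code from Skype, EasyBits or The Register, and it assumes the serial was taken from that SMBIOS structure, which is where a motherboard serial is normally published; the article does not say which interface the EasyBits .com file used. The parser follows the public DMTF SMBIOS layout (a 4-byte header of type, length and handle, a formatted area, then a set of NUL-terminated strings ended by an extra NUL). The table it runs against is constructed in the script, and every vendor name and serial in it is made up.

```python
"""Parse an SMBIOS (DMI) structure table and pull the baseboard serial number.

Added example, not Skype or EasyBits code. Layout follows the public DMTF
SMBIOS specification; the sample table at the bottom is constructed here and
every vendor string and serial in it is invented.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

SMBIOS_TYPE_SYSTEM = 1
SMBIOS_TYPE_BASEBOARD = 2
SMBIOS_TYPE_END_OF_TABLE = 127

# Offset of the serial-number string reference inside a Type 2 structure:
# 4-byte header, then manufacturer, product, version, serial number.
BASEBOARD_SERIAL_OFFSET = 7


@dataclass
class SmbiosStructure:
    stype: int
    handle: int
    formatted: bytes        # formatted area, 4-byte header included
    strings: List[str]      # string set that follows the formatted area

    def string(self, index: int) -> Optional[str]:
        """Resolve a 1-based string reference; 0 means 'no string'."""
        if index == 0 or index > len(self.strings):
            return None
        return self.strings[index - 1]


def parse_smbios(table: bytes) -> List[SmbiosStructure]:
    """Walk a raw structure table (entry point already stripped) until Type 127 or EOF."""
    out: List[SmbiosStructure] = []
    pos = 0
    while pos + 4 <= len(table):
        stype, length, handle = struct.unpack_from("<BBH", table, pos)
        if length < 4 or pos + length > len(table):
            raise ValueError(f"bad structure length {length} at offset {pos}")
        formatted = table[pos:pos + length]
        pos += length
        # String set: NUL-terminated strings ended by one more NUL, so the set
        # always ends in a double NUL (a structure with no strings is "\0\0").
        end = table.find(b"\x00\x00", pos)
        if end < 0:
            raise ValueError(f"unterminated string set at offset {pos}")
        raw = table[pos:end]
        strings = [s.decode("ascii", errors="replace") for s in raw.split(b"\x00")] if raw else []
        pos = end + 2
        out.append(SmbiosStructure(stype, handle, formatted, strings))
        if stype == SMBIOS_TYPE_END_OF_TABLE:
            break
    return out


def baseboard_serial(table: bytes) -> Optional[str]:
    """Return the motherboard serial string, or None if the table carries none."""
    for s in parse_smbios(table):
        if s.stype == SMBIOS_TYPE_BASEBOARD and len(s.formatted) > BASEBOARD_SERIAL_OFFSET:
            return s.string(s.formatted[BASEBOARD_SERIAL_OFFSET])
    return None


def build_structure(stype: int, handle: int, body: bytes, strings: List[str]) -> bytes:
    """Encode one structure: header + formatted body + string set."""
    header = struct.pack("<BBH", stype, 4 + len(body), handle)
    if strings:
        string_set = b"".join(s.encode("ascii") + b"\x00" for s in strings) + b"\x00"
    else:
        string_set = b"\x00\x00"
    return header + body + string_set


# Constructed sample table: Type 1 (System Information), Type 2 (Baseboard),
# Type 127 (End-of-Table). All identifiers below are invented.
_TYPE1_BODY = bytes([1, 2, 3, 4]) + bytes(16) + bytes([0x06, 0, 0])  # 4 string refs, UUID, wake-up, SKU, family
_TYPE2_BODY = bytes([
    1, 2, 0, 3, 0,      # manufacturer, product, version, serial, asset tag (string refs)
    0x09,               # feature flags: hosting board, replaceable
    0,                  # location in chassis (no string)
    0x00, 0x03,         # chassis handle 0x0300, little-endian
    0x0A,               # board type: motherboard
    0,                  # number of contained object handles
])
SAMPLE_TABLE = (
    build_structure(SMBIOS_TYPE_SYSTEM, 0x0100, _TYPE1_BODY,
                    ["Example Mfr", "Example PC", "1.0", "SYS-SN-CONSTRUCTED"])
    + build_structure(SMBIOS_TYPE_BASEBOARD, 0x0200, _TYPE2_BODY,
                      ["Example Mfr", "EX-BOARD-1", "SN-CONSTRUCTED-0001"])
    + build_structure(SMBIOS_TYPE_END_OF_TABLE, 0x7F00, b"", [])
)

if __name__ == "__main__":
    for s in parse_smbios(SAMPLE_TABLE):
        print(f"type {s.stype:3d} handle 0x{s.handle:04x} strings={s.strings}")
    print("baseboard serial:", baseboard_serial(SAMPLE_TABLE))
```

To run the same parser on a real machine, feed it the live table instead of SAMPLE_TABLE: on Windows the kernel32 GetSystemFirmwareTable call with the 'RSMB' provider returns an 8-byte RawSMBIOSData header followed by exactly this structure table; on Linux the table is at /sys/firmware/dmi/tables/DMI and the decoded serial at /sys/class/dmi/id/board_serial, both normally readable only by root. That root requirement is the point a practitioner should note: any user-level program that can show you the baseboard serial has found some other route to the firmware data, which is the kind of behaviour worth flagging in a plug-in manager.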
He also says Skype never retrieved any of this data. We're not sure that's the point. Skype goes to great lengths to assure users they will not be fed spyware, which the eBay-owned VOIP provider defines as "software that becomes installed on computer without the informed consent or knowledge of the computer's owner and covertly transmits or receives data to or from a remote host." What's more, we were unable to find terms of service that spell out what EasyBits does with the information it gathers on Skype users. It's also hard to take Skype's nothing-to-see-here notification at face value because of the lengths the software goes to conceal its snooping. As documented in the Pagetable blog, the Skype snoopware runs a .com file and prevents the more curious users among us from reading it. Were it not for errors it was giving users of 64-bit versions, we'd probably still be in the dark. Skype's decision to remove the EasyBits DRM feature is a good start. Time now for an apology and an explanation of what has been done with the information already collected. From rforno at infowarrior.org Mon Feb 12 09:24:38 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Feb 2007 09:24:38 -0500 Subject: [Infowarrior] - Firefighters' windfall comes with a catch Message-ID: Firefighters' windfall comes with a catch Grant can't buy needed truck http://www.boston.com/news/local/articles/2007/02/09/firefighters_windfall_comes_with_a_catch/ By Raja Mishra, Globe Staff | February 9, 2007 When the fire department in the tiny Berkshire hamlet of Cheshire needed a new fire truck, it asked Uncle Sam for a little help. The response last month was stunning: a $665,962 homeland security grant. The award was nearly 26 times the annual budget of the volunteer fire department in the town of 3,500. And the rub: The department is not allowed to spend it on a fire truck. Instead, the town won a grant to fortify the ranks of its volunteer brigade. 
Its selectmen plan to huddle later this month to hash out a spending plan. Asked how the money will be spent, Cheshire Fire Chief George Sweet cryptically replied yesterday: "Rome wasn't built in a day." Sweet said he couldn't say much more about the windfall. Indeed, Cheshire's officialdom is a nervous wreck over it and is reviewing federal grant guidelines. "We've never had this much money dropped in our laps," said Cheshire town administrator Mark Webber. "People get fined and go to jail because they don't handle money like this properly." Just as Boston, New York, and Washington complained last year when their homeland security grants were reduced while other less likely terrorist targets received more, the Cheshire money seemed to underscore the puzzling nature of some of the agency's spending habits. The town does have the Cheshire Cheese Monument, a sizable concrete sculpture of a cheese press commemorating a 1,450-pound cheese hunk given by town elders to Thomas Jefferson in 1801. But its value as a terrorist target is not readily apparent. Security specialist James Carafano of the Heritage Foundation, a Washington think tank, was blunt: "It's pure pork. It has nothing to do with homeland security." The money comes from the Staffing for Adequate Fire and Emergency Response grants, a program that was absorbed into the Department of Homeland Security after the agency was established following the Sept. 11, 2001, terrorist attacks. Asked about Cheshire's grant, Department of Homeland Security spokeswoman Val Bunting said yesterday that the town "presented a multifaceted project proposal." She said the grant could be spent over four years, but she would not elaborate. Carafano said the emergency response program was designed to funnel money to small fire departments and has wide support in Washington "because everyone has a fire department in their district." But now, Carafano said, "the money is spent under the big lie that it's about national security." 
The Cheshire Fire Department wrote two grant requests, one for the fire truck and the other for boosting its 29-member volunteer force. It got a lot more than it bargained for. And that is where its spending dilemma began. Cheshire -- the smallest town in Massachusetts to get a grant, but the recipient of the largest amount -- is not alone. As part of $94 million in the emergency response grants awarded across the country, Fall River gets $621,000, Concord gets $414,000, Littleton gets $207,000, and Sudbury gets $101,970. Cheshire's money can be spent to reimburse volunteers for wages lost at their regular jobs while on duty, new uniforms, and recruiting advertisements. Sweet, who has been chief for 18 years, said the department could use about 10 new volunteers, though it has more pressing needs. "We really needed the truck," he said. Sweet said that the department has seven fire trucks, "plus an old antique we use for parades." Of particular concern is a 21-year-old refitted ambulance used to ferry medical equipment to fires. He had sought about $175,000 to refurbish or replace it. But now that that's off the wish list, Sweet said he might use some of the money to recruit high school students. Or he might put some of the windfall into a marketing campaign to lure volunteers to Cheshire. "It'll be on billboards, TVs, and radio stations, and that kind of stuff," he said. "We'll have to spend it wisely." Material from the Associated Press was used in this report. Raja Mishra can be reached at rmishra at globe.com Copyright 2007 Globe Newspaper Company. From rforno at infowarrior.org Mon Feb 12 19:59:39 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Feb 2007 19:59:39 -0500 Subject: [Infowarrior] - MySpace to block unauthorized videos Message-ID: MySpace to block unauthorized videos Automated filter By OUT-LAW.com
Published Monday 12th February 2007 21:44 GMT http://www.theregister.co.uk/2007/02/12/myspace_video_blocking_filter/ MySpace will use software to monitor videos posted to the site in a bid to block unauthorised use of copyrighted content. The social networking giant will use technology to analyse videos' audio tracks to identify infringing posts. The move is intended to placate the big copyright-holding music and entertainment industries, which are taking legal action against social networking and video sharing sites over the copyright infringing activity of their users. MySpace, which is owned by Rupert Murdoch's News Corporation, will use technology from Audible Magic to screen content which users try to upload. If the audio track matches that held by the software and is identified as belonging to someone else, the video will be flagged by the system. YouTube is the world's biggest video sharing site, but industry observers estimate that MySpace, with its huge community of virtual friends, is the second biggest source of user-submitted videos. Much of that material is self-made and causes no copyright problems, but a huge amount is professionally produced and owned by a major entertainment company. Those companies will now be able to upload 'fingerprints' of the digital audio of a given video. If a user submits a video for upload with the same audio, that video will be blocked. "For MySpace, video filtering is about protecting artists and the work they create," said Chris DeWolfe, co-founder and chief executive of MySpace. "MySpace is dedicated to ensuring that content owners, whether large or small, can both promote and protect their content in our community." Content owners are increasingly calling for the automation of the process of identifying and removing infringing material. US entertainment giant Viacom last week ordered Google-owned YouTube to take down 100,000 clips from television programmes which it owns. 
It said that the company was taking too long to devise a system of identifying and removing its clips. The issue is complex in the case of MySpace because its parent company is the owner of some of the US's biggest content creators. News Corporation runs Fox News, Fox Television and movie studio 20th Century Fox. It makes popular series such as 24 and The Simpsons, and has already been involved in copyright battles as a content owner. That puts News Corporation in the position of relying on user-submitted content in one of its businesses but relying on exploiting copyrighted material in many others. YouTube has said that it will begin operating a content identification system and will introduce it in stages. It has already cut usage deals with many of the major music labels for use of their content. Copyright 2007, OUT-LAW.com OUT-LAW.COM is part of international law firm Pinsent Masons. From rforno at infowarrior.org Mon Feb 12 21:57:55 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Feb 2007 21:57:55 -0500 Subject: [Infowarrior] - Quantum Supercomputer to be unveiled Message-ID: Quantum Leap: Computer to 'Make Computer History' Canadian Firm Promises Computer Based on Quantum Physics, Many Times Faster Than World's Best By NED POTTER http://abcnews.go.com/Technology/print?id=2864363 Feb. 12, 2007 - "Quantum Computing." It's one of those things that bring a sparkle to the eyes of propellerheads -- and make the rest of us just scratch our heads. But it's been a holy grail in the arcane world of supercomputers -- and a Canadian firm claims it will be unveiling one on Tuesday. Never mind that most engineers thought quantum computers were decades away. D-Wave Systems, Inc., based near Vancouver, is the company that's been working on the project. Its machine is described as a computer that can perform 64,000 calculations at once. 
Following the odd laws of quantum mechanics, the digital "bits" that race through its circuits will be able to stand for 0 or 1 at the same time, allowing the machine, eventually, to do work that is orders of magnitude more complex than what today's computers can do. "There are certain classes of problems that can't be solved with digital computers," said Herb Martin, the firm's CEO, over a decidedly noisy digital cell phone. "Digital computers are good at running programs; quantum computers are good at handling massive sets of variables." Coming Soon to a Store Near You? So will you or I be able to have one soon? Will it come as a laptop? The answers, for now, are no, and no. The current prototype, says Martin, is as big as a good-sized freezer, and a lot colder. It uses superconducting circuits that have to be refrigerated, close to absolute zero. That's the kind of temperature at which electrical resistance fades nearly to nothing (think of the heat generated by a conventional laptop), so that massive calculations can be done. What sorts? Martin says, for instance, that a quantum computer could be used to design genetically based drugs (remember that the DNA in every human cell has 3 billion "base pairs," or "rungs" on that famous helical ladder). Or it could be used by companies to manage their supply chains. "Think," says Martin, "of a company that has 40 factories and makes a million different parts. That's a lot to keep track of." Quantum computers could also have major uses in the security world. Since 9/11, governments and companies have gotten heavily into biometrics, building massive databases of pictures, fingerprints, and other complex measures of people they want to track. If someone on a terrorism watch list passes a security checkpoint at an airport, a quantum computer could presumably be very fast at comparing his or her picture to the massive databases of pictures stored by security agencies. Reality Check Will this actually happen any time soon? 
Much of the computing world is skeptical. Major companies, such as IBM and NEC, have done years of research without results so far. Even Seth Lloyd of MIT, a computer scientist whose research is cited as a major source of D-Wave's work, has been quoted as saying that while he's happy they're trying, he'll wait to see what they've done. So don't go online in search of a quantum machine any time soon. But don't be surprised if, at some time in the future, you can go online to a search engine which just happens to be powered by this very strange technology. Copyright 2007 ABC News Internet Ventures From rforno at infowarrior.org Mon Feb 12 22:35:33 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 12 Feb 2007 22:35:33 -0500 Subject: [Infowarrior] - Navy May Deploy Anti-Terrorism Dolphins Message-ID: Feb 12, 9:27 PM EST Navy May Deploy Anti-Terrorism Dolphins By THOMAS WATKINS Associated Press Writer http://news.wired.com/dynamic/stories/D/DOLPHIN_DEFENDERS?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT SAN DIEGO (AP) -- Dozens of dolphins and sea lions trained to detect and apprehend waterborne attackers could be sent to patrol a military base in Washington state, the Navy said Monday. In a notice published in this week's Federal Register, the Navy said it needs to bolster security at Naval Base Kitsap-Bangor, on the Puget Sound close to Seattle. The base is home to submarines, ships and laboratories and is potentially vulnerable to attack by terrorist swimmers and scuba divers, the notice states. Several options are under consideration, but the preferred plan would be to send as many as 30 California sea lions and Atlantic Bottlenose dolphins from the Navy's Marine Mammal Program, based in San Diego. "These animals have the capabilities for what needs to be done for this particular mission," said Tom LaPuzza, a spokesman for the Marine Mammal Program. 
LaPuzza said that because of their astonishing sonar abilities, dolphins are excellent at patrolling for swimmers and divers. When a Navy dolphin detects a person in the water, it drops a beacon. This tells a human interception team where to find the suspicious swimmer. Dolphins also are trained to detect underwater mines; they were sent to do this in the Iraqi harbor of Umm Qasr in 2003. The last time the animals were used operationally in San Diego was in 1996, when they patrolled the bay during the Republican National Convention. Sea lions can carry in their mouths special cuffs attached to long ropes. If the animal finds a rogue swimmer, it can clamp the cuff around the person's leg. The individual can then be reeled in for questioning. The Navy is seeking public comment for an environmental impact statement on the proposal. The Navy wanted to deploy marine animals to the Northwest in 1989, LaPuzza said, but a federal judge sided with animal-rights activists concerned about the effects of cooler water, as well as how the creatures would affect the environment. Water in the Puget Sound is about 10 degrees cooler than in San Diego Harbor, which has an average temperature of about 58 degrees, LaPuzza said. Since then, the Navy has taken the dolphins and sea lions to cold-water places like Alaska and Scandinavia to see how they cope. "They did very well," LaPuzza said. If the animals are sent to Washington, the dolphins would be housed in heated enclosures and would patrol the bay only for periods of about two hours. Stephanie Boyles, a marine biologist and spokeswoman for People for the Ethical Treatment of Animals, said that sea mammals do not provide a reliable defense system, and that they should not be kept in small enclosures. "We believe the United States' citizens deserve the very best defense possible, and this just isn't it," Boyles said, adding that dolphins are easily distracted once in open water. 
"They don't understand the consequences of what will happen if they don't carry out the mission." Dolphins can live as long as 30 years. LaPuzza said the Navy occasionally gives its retired animals to marine parks but generally keeps them until they die of old age. The Navy has been training marine mammals since the 1960s and keeps about 100 dolphins and sea lions. Most are in San Diego, but about 20 are deployed at Naval Submarine Base Kings Bay, Ga. The Navy hopes eventually to downsize its marine mammal program and replace the animals with machines. "But the technology just isn't there yet," LaPuzza said. "The value of the marine mammals is we've been doing this for 35 years, and we've ironed out all the kinks." --- On the Net: Navy Marine Mammal Program, http://www.spawar.navy.mil/sandiego/technology/mammals/ From rforno at infowarrior.org Tue Feb 13 09:00:43 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 13 Feb 2007 09:00:43 -0500 Subject: [Infowarrior] - Congress Seeks 'Bite' For Privacy Watchdog Message-ID: Congress Seeks 'Bite' For Privacy Watchdog By Ellen Nakashima Washington Post Staff Writer Tuesday, February 13, 2007; D01 http://www.washingtonpost.com/wp-dyn/content/article/2007/02/12/AR2007021201430_pf.html Key lawmakers want to replace a White House privacy and civil liberties board created by Congress in 2004 with one that is more independent of the president. The idea is to make the board more like the one envisioned by the bipartisan 9/11 Commission. As the commission's vice chairman, Lee H. Hamilton, said yesterday: "We felt that you had to have a voice within the executive branch that reached across all of the departments of government with strong powers to protect our civil liberties." But the five-member Privacy and Civil Liberties Oversight Board is resisting proposals that would dramatically change its composition and powers.
The battle is another sign of the changed political landscape, with the Democratic-controlled Congress pushing for stronger oversight of the Bush administration's counterterrorism programs. "In 2004, the Senate endorsed the idea of a strong privacy and civil liberties watchdog to keep vigil as the government launched a full-bore effort to make the nation safe from terrorists," said Sen. Joseph I. Lieberman (I-Conn.), the chairman of the Homeland Security and Governmental Affairs Committee who caucuses with the Democrats. "Congress passed a weak proposal. Now we are back to make sure the watchdog has both a bark and a bite." House Democrats see the board, which took office only last March after a series of delays, as too beholden to President Bush, who selects the members. Despite its position, the board has had to wait months before receiving briefings on sensitive administration programs, and then only with permission from the White House counsel's office. "Since its inception, the administration has failed to properly fund the board, and quite frankly, there have been no visible results of its existence," said Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee. Separate House and Senate measures would require that the entire board be confirmed by the Senate -- now it is only the chairman and vice chairman -- and that no more than three members be from one party. The House provision would remove the board from the Executive Office of the President but keep it within the executive branch and give it subpoena power, as recommended by the 9/11 Commission. The Senate version would keep the board within the executive office and allow it to ask the attorney general to issue subpoenas. Congress would have to be notified if a subpoena request were denied or modified. 
Two board members, however, including the lone Democrat, said the board would lose its effectiveness if it were outside the executive office and had "adversarial powers" such as subpoenas. Vice Chairman Alan Charles Raul said he wanted an environment in which agencies initiated contacts with the board to review programs with civil liberties implications -- before there is a controversy. "It's almost unreasonable to think that an agency is going to reach out at a very early stage to a body that by design, by mind-set and by reporting channels, is outside the president's supervision, even if they're technically within the executive branch," Raul said yesterday. Lanny J. Davis, who served as special counsel to President Bill Clinton, agreed. At the same time, he said, "The board needs a clearer mandate to be able to speak independently and to have full and complete access to all programs affecting privacy and civil liberties, both evolving as well as those in place." The board has asked Bush to issue a directive to all executive agencies that will spell out its mandate to ensure that it is involved in the development of programs that affect privacy and civil liberties. White House spokeswoman Dana Perino yesterday declined to comment specifically on that request, saying that there have been "internal discussions about any possible refinements that could be made" to make the board more effective. The board has held only one public forum, in December at Georgetown University, where the public was given an opportunity to express its concerns. The board's first report to Congress is to be presented in March. In November, board members said they had been briefed by the National Security Agency on its warrantless wiretapping program and that they were impressed by the protections, but failed to provide specifics. 
The board paid a return visit to the NSA two weeks ago and observed the surveillance program, which monitors people, including some in the United States, who have links to al-Qaeda. This is done under the supervision of a secret court that administers the Foreign Intelligence Surveillance Act (FISA). Raul and Davis said they were "more reassured" after the second briefing that the program had taken into account civil liberties and privacy protections. They said the agency had "multiple layers" of review, including audit trails to track whoever has access to the data. If information appears that is not related to counterterrorism, it is not shared with other agencies, Raul said. On that visit, Raul also reviewed the secret court orders governing the spying program that were issued Jan. 10 and supporting material submitted by the Justice Department. "The surveillance under the program is very highly regimented and justified both internally within the agency and now externally to the FISA court," he said. He declined to provide more detail on the orders. That hurts the board's credibility, said Marc Rotenberg, executive director of the Electronic Privacy Information Center, an advocacy group. "They have to do something more than say 'trust us,' " he said. "This goes to the objection that many people have had about an oversight board based in the executive branch." Thomas H. Kean, chairman of the 9/11 Commission, said he supported the legislation to make the board more independent, which includes reporting twice a year to Congress. "The civil liberties board has got to alert us on the questions involving our civil liberties," he said. "What hasn't been done yet is to make sure that it's in the executive branch as a totally independent agency. 
From rforno at infowarrior.org Tue Feb 13 13:43:39 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 13 Feb 2007 13:43:39 -0500 Subject: [Infowarrior] - OpEd: Michael Crichton: Patenting Life Message-ID: (his current book 'Next' is very thought-provoking on the subject........rf) February 13, 2007 Op-Ed Contributor Patenting Life By MICHAEL CRICHTON http://www.nytimes.com/2007/02/13/opinion/13crichton.html?pagewanted=print YOU, or someone you love, may die because of a gene patent that should never have been granted in the first place. Sound far-fetched? Unfortunately, it's only too real. Gene patents are now used to halt research, prevent medical testing and keep vital information from you and your doctor. Gene patents slow the pace of medical advance on deadly diseases. And they raise costs exorbitantly: a test for breast cancer that could be done for $1,000 now costs $3,000. Why? Because the holder of the gene patent can charge whatever he wants, and does. Couldn't somebody make a cheaper test? Sure, but the patent holder blocks any competitor's test. He owns the gene. Nobody else can test for it. In fact, you can't even donate your own breast cancer gene to another scientist without permission. The gene may exist in your body, but it's now private property. This bizarre situation has come to pass because of a mistake by an underfinanced and understaffed government agency. The United States Patent Office misinterpreted previous Supreme Court rulings and some years ago began - to the surprise of everyone, including scientists decoding the genome - to issue patents on genes. Humans share mostly the same genes. The same genes are found in other animals as well. Our genetic makeup represents the common heritage of all life on earth. You can't patent snow, eagles or gravity, and you shouldn't be able to patent genes, either. Yet by now one-fifth of the genes in your body are privately owned. The results have been disastrous.
Ordinarily, we imagine patents promote innovation, but that's because most patents are granted for human inventions. Genes aren't human inventions, they are features of the natural world. As a result these patents can be used to block innovation, and hurt patient care. For example, Canavan disease is an inherited disorder that affects children starting at 3 months; they cannot crawl or walk, they suffer seizures and eventually become paralyzed and die by adolescence. Formerly there was no test to tell parents if they were at risk. Families enduring the heartbreak of caring for these children engaged a researcher to identify the gene and produce a test. Canavan families around the world donated tissue and money to help this cause. When the gene was identified in 1993, the families got the commitment of a New York hospital to offer a free test to anyone who wanted it. But the researcher's employer, Miami Children's Hospital Research Institute, patented the gene and refused to allow any health care provider to offer the test without paying a royalty. The parents did not believe genes should be patented and so did not put their names on the patent. Consequently, they had no control over the outcome. In addition, a gene's owner can in some instances also own the mutations of that gene, and these mutations can be markers for disease. Countries that don't have gene patents actually offer better gene testing than we do, because when multiple labs are allowed to do testing, more mutations are discovered, leading to higher-quality tests. Apologists for gene patents argue that the issue is a tempest in a teapot, that patent licenses are readily available at minimal cost. That's simply untrue. The owner of the genome for Hepatitis C is paid millions by researchers to study this disease. Not surprisingly, many other researchers choose to study something less expensive. But forget the costs: why should people or companies own a disease in the first place? They didn't invent it.
Yet today, more than 20 human pathogens are privately owned, including Haemophilus influenzae and Hepatitis C. And we've already mentioned that tests for the BRCA genes for breast cancer cost $3,000. Oh, one more thing: if you undergo the test, the company that owns the patent on the gene can keep your tissue and do research on it without asking your permission. Don't like it? Too bad. The plain truth is that gene patents aren't benign and never will be. When SARS was spreading across the globe, medical researchers hesitated to study it - because of patent concerns. There is no clearer indication that gene patents block innovation, inhibit research and put us all at risk. Even your doctor can't get relevant information. An asthma medication only works in certain patients. Yet its manufacturer has squelched efforts by others to develop genetic tests that would determine on whom it will and will not work. Such commercial considerations interfere with a great dream. For years we've been promised the coming era of personalized medicine - medicine suited to our particular body makeup. Gene patents destroy that dream. Fortunately, two congressmen want to make the full benefit of the decoded genome available to us all. Last Friday, Xavier Becerra, a Democrat of California, and Dave Weldon, a Republican of Florida, sponsored the Genomic Research and Accessibility Act, to ban the practice of patenting genes found in nature. Mr. Becerra has been careful to say the bill does not hamper invention, but rather promotes it. He's right. This bill will fuel innovation, and return our common genetic heritage to us. It deserves our support. Michael Crichton is the author, most recently, of the novel 'Next.'
From rforno at infowarrior.org Tue Feb 13 13:46:32 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 13 Feb 2007 13:46:32 -0500 Subject: [Infowarrior] - Leaked letter shows RIAA pressuring ISPs Message-ID: Leaked letter shows RIAA pressuring ISPs, planning discounts for early settlements http://arstechnica.com/news.ars/post/20070213-8832.html 2/13/2007 11:59:18 AM, by Eric Bangeman The RIAA is asking for additional cooperation from ISPs in getting customers targeted by the RIAA's file-sharing sting to cooperate, according to a letter recently leaked to P2P attorney Ray Beckerman. In it, the RIAA lays out its vision for how it would like ISPs to cooperate with its efforts to identify and sue those accused of sharing music over P2P networks. This includes communicating a standing offer of a $1,000 settlement discount should the subscriber settle before a lawsuit is filed against him or her. The letter also discloses plans for a settlement web site that will launch later this year. MediaSentry, the RIAA's investigative arm, typically identifies suspected copyright infringers by IP address. One of the record labels whose music was discovered in a shared folder then becomes the lead plaintiff in a John Doe lawsuit. Via the discovery process, the ISP is then forced to turn over the name and address of the account owner who was using the IP address at the time of the alleged infringement. At that point, the John Doe case is discontinued and the label sues the individual fingered by the ISP. Bypassing the courts The RIAA wants to do an end run around this process, getting ISPs to start the collection agency work by sending out letters to the owners of IP addresses allegedly used for infringement. If the recipient of such a letter contacts the RIAA, the labels get their positive ID and the chance to extract a sizable settlement without having to resort to the legal system.
In its letter (which has all information that would identify the recipient blacked out), the RIAA outlines how it would like ISPs' help in its continued attacks against suspected file sharers. One of the big problems from the RIAA's perspective is that of the ISPs' communications. "Whether in a notice to a subscriber at the preservation or Doe stage, or in subsequent communication with subscribers," the RIAA writes, "it is vital that you avoid providing incorrect or misleading information." Instead, ISPs should use a model letter written by the RIAA to let subscribers know what's going on.

> <> has received a notice from the Recording Industry Association of
> America ("RIAA") requesting that we preserve documents regarding your
> identity. The RIAA has indicated that it intends to file a lawsuit and seek
> leave to serve a subpoena upon <> requiring disclosure of documents that
> identify the user located at an IP address that our files indicate was
> assigned to you at the time identified by the RIAA.
>
> If you have any questions regarding why the RIAA is interested in your
> account, please contact the record companies' representatives by phone at
> (913) 234-8181, by facsimile at (913) 234-81812, or by email at
> info at SettlementInformationLine.com
>
> Please be advised that if the RIAA follows this notice with a subpoena, we
> will forward a copy of that subpoena to you but we will be legally obligated
> to provide the requested information.
>
> Our purpose in sending you this letter is to provide you with advance
> notice of the RIAA's request. <> is not taking any action against you,
> and there is no need for you to communicate with us regarding this issue.

ISPs are cautioned against letting their customer service staff provide misinformation to subscribers. They are told to "refrain from issuing opinions about the validity of the copyright claims."
The RIAA also asks to be promptly notified if an ISP believes it has mistakenly identified a customer in an attempt to avoid further embarrassments. Call now! Operators are standing by! The RIAA will also be providing the ISPs with another letter they can send to their subscribers, this one notifying them of the possibility of an early, out-of-court settlement. "We have heard repeatedly from targets that they want the ability to settle as early as possible at the lowest amount possible," according to the letter. "To accommodate this request, we are instituting a new Pre-Doe settlement option that will allow infringers to settle at a discounted rate if they do so prior to our filing a Doe suit." There's a catch: in order to be eligible for the Pre-Doe settlement option and $1,000 savings, ISPs will have to hold on to their log files for at least 180 days. This gives the RIAA ample time to pursue a lawsuit and subpoena if the suspected infringer elects not to enter a settlement. The letter also outlines what exactly the RIAA wants in response to a subpoena, should a lawsuit become necessary. First, the music labels want an ISP to examine its log files "as completely and carefully as possible" before responding. The labels also want the most up-to-date contact information, as well as the log files used to identify the subscriber. Ill communication The last request contains a troubling admission by the RIAA: "We are taking this step to address the occasional problem we have had where an ISP does not maintain the log files and cannot later exculpate a subscriber who claims to have been misidentified." In other words, the RIAA has targeted the wrong people in the past due to its heavy reliance on US ISPs to accurately identify people with shared music folders on Kazaa or other P2P networks. Later this year, the RIAA will launch a new web site intended to "facilitate" early settlements.
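The identification step the article describes comes down to one lookup: which account held a given IP address at a given moment, answered from the ISP's address-assignment log. The letter's own admission shows where that breaks: with no retained log for the time in question, the ISP can neither confirm a match nor exculpate a subscriber who says they were misidentified. The following is an added example, not code from the article, the RIAA letter or any ISP: a small lease-log lookup that keeps "no log covers that time" separate from "no assignment found", attributes boundary timestamps to exactly one lease by treating leases as half-open intervals, and refuses a notice timestamp that carries no UTC offset (a time written in a US local zone compared against UTC log entries as if the clocks agreed is one plausible source of misidentification). The CSV lease format, the 203.0.113.0/24 addresses, the subscriber identifiers and the timestamps are all constructed for this example.

```python
"""Lease-log attribution check (added example; log format and data constructed).

Answers "which subscriber held IP X at time T?" against an ISP's address-
assignment log, and reports the cases the leaked letter worries about:
no retained log for that time (cannot confirm or exculpate anyone) and
no record for that address (the notice names an address never assigned).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import List, Tuple, Union

IPAddr = Union[IPv4Address, IPv6Address]

# Constructed sample log: "lease_start,lease_end,ip,subscriber_id", UTC, end exclusive.
# 203.0.113.0/24 is a documentation range; the subscriber ids are invented.
SAMPLE_LEASE_LOG = """\
2007-01-10T02:00:00Z,2007-01-10T14:00:00Z,203.0.113.7,SUB-1001
2007-01-10T14:00:00Z,2007-01-11T02:00:00Z,203.0.113.7,SUB-1042
2007-01-10T02:00:00Z,2007-01-12T02:00:00Z,203.0.113.9,SUB-1003
"""


@dataclass(frozen=True)
class Lease:
    start: datetime  # inclusive, UTC
    end: datetime    # exclusive, UTC
    ip: IPAddr
    subscriber: str


@dataclass(frozen=True)
class Attribution:
    status: str  # "match" | "no_record" | "no_coverage" | "ambiguous"
    subscribers: Tuple[str, ...] = ()


def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to UTC.

    An explicit offset is required: a notice written in a US local time must
    not be compared against UTC log entries as if the clocks agreed.
    """
    parsed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {stamp!r}")
    return parsed.astimezone(timezone.utc)


def parse_leases(text: str) -> List[Lease]:
    """Parse the constructed CSV lease format; blank and '#' lines are skipped."""
    leases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, ip, subscriber = (field.strip() for field in line.split(","))
        leases.append(Lease(to_utc(start), to_utc(end), ip_address(ip), subscriber))
    return leases


def attribute(leases: List[Lease], ip: str, when: str) -> Attribution:
    """Map (ip, timestamp) to a subscriber, or say why that is not possible."""
    if not leases:
        return Attribution("no_coverage")
    moment = to_utc(when)
    addr = ip_address(ip)
    # Retained log window: outside it we can neither confirm nor exculpate.
    earliest = min(lease.start for lease in leases)
    latest = max(lease.end for lease in leases)
    if not earliest <= moment < latest:
        return Attribution("no_coverage")
    # Half-open intervals: a lease ending at 14:00:00 does not cover 14:00:00,
    # so a timestamp on a boundary is attributed to exactly one lease.
    hits = tuple(sorted({
        lease.subscriber for lease in leases
        if lease.ip == addr and lease.start <= moment < lease.end
    }))
    if not hits:
        return Attribution("no_record")
    if len(hits) > 1:
        return Attribution("ambiguous", hits)  # overlapping records: do not guess
    return Attribution("match", hits)


def retention_covers(leases: List[Lease], as_of: str, days: int = 180) -> bool:
    """True if the retained log reaches back at least `days` before `as_of`."""
    if not leases:
        return False
    earliest = min(lease.start for lease in leases)
    return earliest <= to_utc(as_of) - timedelta(days=days)


if __name__ == "__main__":
    log = parse_leases(SAMPLE_LEASE_LOG)
    # A notice time given in US Eastern (UTC-5) lands in the second lease, not the first.
    print(attribute(log, "203.0.113.7", "2007-01-10T10:00:00-05:00"))
    print(attribute(log, "203.0.113.7", "2007-02-01T00:00:00Z"))  # no_coverage
    print("180-day retention met:", retention_covers(log, "2007-07-10T00:00:00Z"))
```

The point of the four-way status is that "no_coverage" and "no_record" are different answers to a notice: the first means the log cannot speak to the question at all, which is exactly the situation in which a subscriber cannot be exculpated; the second means the log does cover the time and shows the address unassigned. `retention_covers` is the check an ISP would run against the 180-day figure the letter asks for.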
Once www.p2plawsuits.com - which was just registered on January 23 - comes online, it will provide consumers with information about the RIAA's lawsuits and how to enter into a costly settlement in order to avoid litigation. We contacted the RIAA to determine if the letter was indeed authentic and received no response prior to running this story. If nothing else, the letter illustrates the degree to which the RIAA wants to be able to get settlements from its targets without having to resort to even a John Doe lawsuit. The RIAA also anticipates stepping up the pace of its lawsuits against suspected file sharers, telling ISPs that the labels will soon resume sending them "early preservation notices" that are precursors to a lawsuit. From rforno at infowarrior.org Wed Feb 14 14:21:28 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 14 Feb 2007 14:21:28 -0500 Subject: [Infowarrior] - TSA.GOV reportedly phished Message-ID: Has the Transportation Security Administration's website been hacked? All indications are yes, and that a malicious phishing attack has been launched against travelers who have or think they have been delayed because they are on a watchlist or have a name similar to a person on the watchlist. < - > http://blog.wired.com/27bstroke6/2007/02/homeland_securi.html From rforno at infowarrior.org Thu Feb 15 08:52:17 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 15 Feb 2007 08:52:17 -0500 Subject: [Infowarrior] - Google Turns Over User IDs Message-ID: February 12, 2007 Google Turns Over User IDs By Nicholas Carlson http://www.internetnews.com/xSP/article.php/3659401 Google's YouTube and a company called Live Digital will offer no refuge to users who uploaded pirated copies of Fox Television's "24" and "The Simpsons" onto their video platforms. In an e-mail to internetnews.com, a 20th Century Fox Television spokesperson said that Google and Live Digital complied with subpoenas issued by the U.S.
District Court in Northern California and disclosed to Fox the identities of two individuals who illegally uploaded entire episodes of "24" prior to its broadcast and DVD release. According to copies of the subpoena applications, Fox found this season's first four episodes of "24" on LiveDigital and YouTube on Jan. 8, a full week before they were to air for the first time in the U.S. Fox said a YouTube user who goes by the handle "ECOTtotal" uploaded 12 episodes of the popular animated show "The Simpsons." The LiveDigital user's display name was "Jorge Romero." "We intend to use the information provided to pursue all available legal remedies against those who infringed our copyrights," 20th Century Fox Television Vice President of Media Relations Chris Alexander told internetnews.com. The U.S. District Court first instructed Google and Live Digital to produce identifying information in identical subpoenas, pursuant to the Digital Millennium Copyright Act, issued Jan. 24 after L.A. law firm Loeb & Loeb filed them for Fox on Jan. 18. Since Google purchased YouTube for $1.56 billion last fall, the company has been besieged by similar complaints of copyright infringement. Last week, for example, media giant Viacom demanded YouTube take down 100,000 clips, including content from MTV, Comedy Central and other networks. Viacom said "it has become clear that YouTube is unwilling to come to a fair market agreement" on content distribution. Some media companies have been more congenial. According to a Google spokesperson, of the big four music labels, only EMI is yet to sign a revenue-sharing deal with Google. And today, Digital Music Group announced it entered into an agreement with Google to make more than 4,000 hours of video content and approximately 40,000 music recordings available to the YouTube community. DMGI currently owns or controls the digital distribution rights to classic television episodes of "Gumby," "I Spy," "My Favorite Martian," "Peter Gunn" and more. 
From rforno at infowarrior.org Thu Feb 15 08:54:38 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 15 Feb 2007 08:54:38 -0500 Subject: [Infowarrior] - Brilliant op-ed on geek tech mob mentality Message-ID: Horseshoes and Hand Grenades http://gizmodo.com/gadgets/feature/horseshoes-and-hand-grenades-joel-johnson-returnsto-spank-us-all-for-supporting-crap-236310.php From rforno at infowarrior.org Thu Feb 15 16:46:08 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 15 Feb 2007 16:46:08 -0500 Subject: [Infowarrior] - Digital neighbourhood watch plan Message-ID: Digital neighbourhood watch plan A neighbourhood watch for the digital age, utilising the power of social networking, has been proposed. Two lecturers in the US have suggested creating a network of Community Response Grids (CRG) in conjunction with the emergency services. Citizens could leave text, video and photos on the site of emergencies, natural disasters and terror attacks. A pilot could start later this year based at the University of Maryland, driven by 40,000 students and staff. The idea of a nationwide network of 911.gov websites has been proposed by Maryland university lecturers Ben Shneiderman and Jennifer Preece in this month's edition of Science magazine. "The 911 telephone system functions effectively when there are traffic accidents, health emergencies or small fires, but when large numbers of people are involved it does not handle the capacity," said Professor Shneiderman. He added: "The evolution of the internet and its maturity at this point and the great success of social networking sites like MySpace, Craig's List and Amber Alert, suggests there is an opportunity to do something for emergency response and recovery." Community driven The proposal is for community-driven websites to be run by trained volunteers working in conjunction with the 6,100 local 911 services around the US.
"Citizen reporters would report to a centralised authority who will take care of emergency response coordination and allocate scarce resources of police, fire and medical services," said Professor Shneiderman. The idea came after Prof Shneiderman typed 911 into his web browser to see if there were any official websites. The two professors believe the growth of community-driven websites and the rise of user generated content, especially in the field of citizen journalism, would give the grids every chance of success. "It gives neighbours and people in the community much more power in protecting and supporting each other," said Professor Preece. Information from residents would be added to regular updates from hospitals, emergency crews, surveillance cameras and other sensors used for Homeland Security so that the site would be both a resource for information and a place to contribute material. The two academics admitted there were many hurdles to overcome but said the grids could be set up within three to five years. They have applied for funding from the National Science Foundation to pay for a pilot study on the campus. They said the net was robust enough and reliable enough to be used as a conduit and source for information in major disasters. 'Legitimate concerns' Prof Shneiderman said: "Any communications medium is vulnerable especially in certain kinds of devastation - either natural disasters or terrorist attacks. Those are legitimate concerns. "The internet is designed for resilience and if this proposal goes forward it would certainly strengthen the need to have very reliable systems which are increasingly available." Encouraging the participation of existing local groups, such as volunteer firemen, libraries, sports groups etc, would keep the community alive even when there were no emergencies or disasters.
The CRGs would need to be robust enough to deal with traffic spikes during times of large-scale emergencies, said the professors. "Peak service problems are substantial issues," said Prof Shneiderman. "News sites have the same problem - when a big story breaks demand is 40 to 100 times greater than the normal load. "The internet does very well when it comes to scaling up, certainly better than phones." Pranksters There were also issues around pranksters leaving false information which could have fatal consequences if acted upon by the emergency services. "911 phone calls are subject to prank callers and we think web-based reporting would have that danger just as well," said Prof Shneiderman. "You would have to pre-register, the system would not allow anonymous entries. "You must get people engaged in advance, to try it and learn it and be part of it." Prof Preece said the mobile phone would be an important tool for the CRGs. "We are expecting to have cell phone access. Many people's lives are directed by their cell phones - their communications, their social lives, contact with families." Prof Shneiderman said the French heatwave in 2003 in which thousands of people died was an example of where community-driven services could have helped. "11,000 people died and that was really for the lack of people offering each other water, checking on their neighbours, and arranging for people to go to air conditioned facilities. "There would be a need and demand for a service like this even if there were not a Hurricane Katrina or terrorist attacks - there are lots of occasions where community help on a resident by resident basis could be very beneficial." Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/6364301.stm Published: 2007/02/15 19:00:15 GMT ©
BBC MMVII From rforno at infowarrior.org Thu Feb 15 16:46:50 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 15 Feb 2007 16:46:50 -0500 Subject: [Infowarrior] - The fact and fiction of camcorder piracy Message-ID: The fact and fiction of camcorder piracy Internet law professor Michael Geist examines the arguments surrounding camcorder piracy of movies and says facts should be separated from fiction. In recent months, a steady stream of reports have asserted that movie piracy is on the rise in countries around the world resulting in hundreds of millions of pounds in lost revenue. Pointing to the prevalence of illegal camcording - a practice that involves videotaping a movie directly off the screen in a theatre and transferring the copy onto DVDs for commercial sale - the major Hollywood studios have launched incentive programs for theatre employees to report camcording incidents and threatened to delay the distribution of their top movies. While the reports have succeeded in attracting considerable attention, a closer examination of the industry's own data reveals that the claims are based primarily on fiction rather than fact. In the best Hollywood tradition, the Motion Picture Association of America (MPAA) and its foreign counterparts have put on a show that is much ado about nothing, featuring unsubstantiated and inconsistent claims about camcording, exaggerations about its economic harm, and misleading critiques of the law. Different figures First, the camcorder claims have themselves involved wildly different figures. For example, over the past two weeks, reports have pegged the Canadian percentage of global camcording at either 40 or 50%. Yet the International Intellectual Property Alliance, a U.S. lobby group that includes the MPAA, advised the US government in late September that Canadians were the source for 23% of camcorded copies of DVDs. 
Not surprisingly, none of these figures have been subject to independent audit or review. In fact, AT&T Labs, which conducted the last major public study on movie piracy in 2003, concluded that 77 percent of pirated movies actually originate from industry insiders and advance screener copies provided to movie reviewers. Moreover, the industry's numbers indicate that camcorded versions of DVDs strike only a fraction of the movies that are released each year. While the UK Federation Against Copyright Theft (FACT) last year claimed that UK cinemas have been the source for pirate DVDs of blockbuster films such as X-Men: The Last Stand, and Harry Potter and the Goblet of Fire, the MPAA's data suggests that these incidents are relatively rare. Infringing DVDs As of August 2006, the MPAA documented 179 camcorded movies as the source for infringing DVDs since 2004. During that time, its members released approximately 1,400 movies, suggesting that approximately one in every 10 movies is camcorded and sold as infringing DVDs. Second, the claims of economic harm associated with camcorded movies have been grossly exaggerated. The industry has suggested that of recently released movies on DVD, 90% can be sourced to camcording. This data is misleading not only because a small fraction of recently released movies are actually available on DVD, but also because the window of availability of the camcorded versions is very short. Counterfeiters invariably seek to improve the quality of their DVDs by dropping the camcorder versions as soon as the studios begin production of authentic DVDs (which provide the source for perfect copies).
Camcorded DVDs, which typically feature awful sound and picture quality, ultimately compete with theatrical releases for only a few weeks and likely have very limited impact as they do not represent a viable substitute for the overwhelming majority of moviegoers.

Lion's share

In fact, as the movie industry has grown - global revenues have nearly tripled over the past 25 years - the importance of theatre revenues has shrunk. In 1980, theatre box office revenues represented 55% of movie revenue. Today, DVDs and television licensing capture the lion's share of revenue, with the box office only responsible for approximately 15% of movie revenue.

In other words, the economic impact of camcorded DVDs - which involve only one in 10 releases and impact a small part of the revenue cycle - is little more than a rounding error in a US$45 billion industry.

Third, claims that copyright law is ill-equipped to deal with camcorder piracy are similarly misleading. The law in many jurisdictions - including the UK, Canada, and Australia - currently renders it illegal to make for sale or rental an infringing copy of a copyrighted work such as a movie. It is not uncommon to find severe penalties for violating this provision with the potential for million dollar fines and prison sentences. Indeed, the MPAA's own website acknowledges that many countries have legislation that prohibits illegal camcording.

While the MPAA is anxious for other countries to adopt tough U.S. anti-camcording laws, there is no evidence that those provisions - which open the door to lengthy jail sentences for releasing movies before they launch in theatres - have had a significant deterrent effect. In fact, the president of the U.S. National Association of Theatre Owners told his members in November that illegal camcording in the US has expanded over the past two years from New York and Los Angeles to at least 15 states across the country.
Despite all the evidence to the contrary, the MPAA continues to lobby for unnecessary legal reforms. Unless politicians separate fact from fiction, this show appears headed for a frightening finale.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law.

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/6334913.stm

Published: 2007/02/06 13:04:39 GMT

© BBC MMVII

From rforno at infowarrior.org Thu Feb 15 19:34:33 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Feb 2007 19:34:33 -0500
Subject: [Infowarrior] - FW: [attrition] rant: I read the news today, oh boy.
In-Reply-To:
Message-ID:

http://www.pogowasright.org/blogs/dissent/?p=210

(Dateline Washington, D.C., January 6, 2031) The first session of the 122nd Congress opened today, with Senate leaders vowing that this would be the year that they would pass the Leahy-Specter Memorial Data Protection and Mandatory Breach Notification Act. Some Beltway insiders had suggested that previous failures to enact the legislation were due to the unpronounceability of "LSMDPMBNA," but others had suggested that until now, Congress's priority had been to debate how we landed up in wars with Iran, Korea, and Canada without Congress ever authorizing any of those wars.

Over the holidays, members of Congress were shocked to read that unencrypted data on a laptop computer lost by a Kaiser Impermanente employee had been found and leaked to the media. The data revealed how Representative Kale Jackson's daughter had had 4 elective abortions before the age of 15, how Senator Reid Smither's son had undergone inpatient treatment for early-onset Huntington's Chorea and narcotic abuse, and how Representative JoAnne B. Lane was currently under psychiatric treatment for depression following her recent divorce.

[...]
From rforno at infowarrior.org Thu Feb 15 22:37:25 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Feb 2007 22:37:25 -0500
Subject: [Infowarrior] - Judge Restricts New York Police Surveillance
Message-ID:

February 15, 2007

Judge Restricts New York Police Surveillance

By JIM DWYER

http://www.nytimes.com/2007/02/15/nyregion/15cnd-police.html?ei=5090&en=f59df17f90978527&ex=1329195600&partner=rssuserland&emc=rss&pagewanted=print

In a rebuke of a surveillance practice greatly expanded by the New York Police Department after the Sept. 11 attacks, a federal judge ruled today that the police must stop the routine videotaping of people at public gatherings unless there was an indication that unlawful activity may occur.

Nearly four years ago, at the request of New York City, the same judge, Charles S. Haight Jr., had given the police greater authority to investigate political, social and religious groups. In today's ruling, however, Judge Haight of Federal District Court in Manhattan found that by videotaping people who were exercising their right to free speech and breaking no laws, the Police Department had ignored the milder limits he had imposed on it in 2003.

Citing two events in 2005 - a march in Harlem and a demonstration by homeless people in front of the Upper East Side home of Mayor Michael Bloomberg - the judge said the city offered scant justification for videotaping the people involved.

"There was no reason to suspect or anticipate that unlawful or terrorist activity might occur," he wrote, "or that pertinent information about or evidence of such activity might be obtained by filming the earnest faces of those concerned citizens and the signs by which they hoped to convey their message to a public official."

While he called the police conduct "egregious," Judge Haight also offered an unusual judicial mea culpa, taking responsibility for his own words in a 2003 order that, he conceded, had not been "a model of clarity."
The restrictions on videotaping do not apply to bridges, tunnels, airports, subways or street traffic, Judge Haight noted, but are meant to control police surveillance at events where people gather to exercise their rights under the First Amendment.

"No reasonable person, and surely not this court, is unaware of the perils the New York public faces and the crucial importance of the N.Y.P.D.'s efforts to detect, prevent and punish those who would cause others harm," Judge Haight wrote.

Jethro Eisenstein, one of the lawyers who challenged the videotaping practices, said Judge Haight's ruling would make it possible to contest other surveillance tactics, including the use of undercover officers at political gatherings. In recent years, police officers have disguised themselves as protesters, shouted feigned objections when uniformed officers were making arrests, and pretended to be mourners at a memorial event for bicycle riders killed in traffic accidents.

"This was a major push by the corporation counsel to say that the guidelines are nice but they're yesterday's news, and that the security establishment's view of what is important trumps civil liberties," Mr. Eisenstein said. "Judge Haight is saying that's just not the way we're doing things in New York City."

A spokesman for Police Commissioner Raymond W. Kelly referred questions about the ruling to the city's lawyers, who noted that Judge Haight did not set a deadline for destroying the tapes it had already made, and that the judge did not find the city had violated the First Amendment.

Nevertheless, Judge Haight - at times invoking the mythology of the ancient Greeks and of Harold Ross, the founding editor of The New Yorker - used blunt language to characterize the Police Department's activities.

"There is no discernible justification for the apparent disregard of the Guidelines" in his 2003 court order, the judge said.
These spell out the broad circumstances under which the police could investigate political gatherings. Under the guidelines, the police may conduct investigations - including videotaping - at political events only if they have indications that unlawful activity may occur, and only after they have applied for permission to the deputy commissioner in charge of the Intelligence Division. Judge Haight noted that the Police Department had not produced evidence that any applications for permission to videotape had ever been filed.

Near the end of his 51-page order, the judge warned that the Police Department must change its practices or face penalties. "Any future use by the N.Y.P.D. of video and photographic equipment during the course of an investigation involving political activity" that did not follow the guidelines could result in contempt proceedings, he wrote.

At monthly group bicycle rides in lower Manhattan known as Critical Mass, some participants break traffic laws, and the police routinely videotape those events, Judge Haight noted. That would be an appropriate situation for taping, he said, but police officials did not follow the guidelines and apply for permission.

"This is a classic case of application of the guidelines: political activity on the part of individuals, but legitimate law enforcement purpose on the part of the police," Judge Haight wrote. "It is precisely the sort of situation where the guidelines require adherence to certain protocols but ultimately give the N.Y.P.D. the flexibility to pursue its law enforcement goals."

Gideon Oliver, a lawyer who has represented many people arrested during the monthly bicycle rides, said he is troubled by the intensive scrutiny of political activities. "I'm looking forward to a deeper and more serious exploration of how and why this surveillance has been conducted," Mr. Oliver said.
In the past, the Police Department has said that it needed intelligence about the Critical Mass rides in order to protect the streets from unruly riders.

Patrick Markee, an official with another group that was cited in the ruling, the Coalition for the Homeless, said the judge's decision ratified the group's basic rights to free speech. "We're gratified that Judge Haight found that the police shouldn't engage in surveillance of homeless New Yorkers and their supporters when they're engaged in peaceful, lawful political protest," Mr. Markee said.

The Police Department's approach to investigating political, social and religious groups has been a contentious subject for most of four decades, and a class-action lawsuit brought by political activists, including a lawyer named Barbara Handschu, was settled in 1985. Judge Haight oversees the terms of that settlement, which are known as the Handschu Guidelines, and which he modified in 2003.

At the time, Judge Haight said that the police could "attend any event open to the public, on the same terms and conditions of the public generally." But in today's ruling, he said that permission "cannot be stretched to authorize police officers to videotape everyone at a public gathering just because a visiting little old lady from Dubuque (to borrow from The New Yorker) could do so. There is a quantum difference between a police officer and a little old lady (or other tourist or private citizen) videotaping or photographing a public event."

The judge said he bore some responsibility for misinterpretation of the guidelines. "I confess with some chagrin that while the text of this opinion and its implementing order, read together, may not be as opaque as the irritatingly baffling pronouncements of the Oracle at Delphos, they do not constitute a model of clarity," he wrote.
From rforno at infowarrior.org Thu Feb 15 23:06:37 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Feb 2007 23:06:37 -0500
Subject: [Infowarrior] - NFL demonstrates DMCA whackyness
Message-ID:

Wendy Seltzer, a law professor who used to work for the EFF and who founded the awesome Chilling Effects clearinghouse for providing an archive of various takedown notices, has apparently received her very own first DMCA takedown notice (found via Boing Boing). Seltzer posted a snippet from the Superbowl for her students to see. Not just any snippet, mind you, but the snippet where it's announced: "This telecast is copyrighted by the NFL for the private use of our audience. Any other use of this telecast or of any pictures, descriptions, or accounts of the game without the NFL's consent, is prohibited." She posted it as an example of a copyright holder exaggerating its rights -- as the NFL cannot ban all of the things they ban in that statement.

< - >

http://techdirt.com/articles/20070214/154327.shtml

From rforno at infowarrior.org Thu Feb 15 23:46:59 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Feb 2007 23:46:59 -0500
Subject: [Infowarrior] - NOW Preview 2/16: Is the Government Reading Your Email?
Message-ID:

Is the Government Reading Your Email?

NOW PBS
Airtime: Friday, February 16, 2007, at 8:30 p.m. on PBS (check local listings at http://www.pbs.org/now/sched.html.)

Accusations that the American government spies on private citizen emails. Next time on NOW.

Is the government reading your email? On February 16 at 8:30 p.m. (check local listings), NOW reports on new evidence suggesting the existence of a secret government program that intercepts millions of private emails each day in the name of terrorist surveillance.
News about the alleged program came to light when a former AT&T employee, Mark Klein, blew the whistle on what he believes to be a large-scale installation of secret Internet-monitoring equipment deep inside AT&T's San Francisco office. The equipment, he contends, was created at the request of the US Government to spy on email traffic across the entire Internet. Though the government and AT&T refuse to address the issue directly, Klein backs up his charges with internal company documents and personal photos.

Criminal Defense Lawyer Nancy Hollander, who represents several Muslim-Americans, feels her confidential emails are anything but secure. "I've personally never been afraid of my government until now. And now I feel personally afraid that I could be locked up tomorrow," she told NOW.

Who might be eyeing the hundreds of millions of emails Americans send out each day, and to what end? Next time on NOW.

--------

The NOW website at www.pbs.org/now will provide additional coverage starting Friday morning, February 16, including an interview with the WIRED reporter who broke the whistleblower story and more details about these incredible allegations.

From rforno at infowarrior.org Fri Feb 16 10:22:31 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 16 Feb 2007 10:22:31 -0500
Subject: [Infowarrior] - Macrovision responds to Steve Jobs DRM note
Message-ID:

( *wipes coffee from keyboard * )

http://macrovision.com/company/news/drm/response_letter.shtml

To Steve Jobs and the Digital Entertainment Industry:

I would like to start by thanking Steve Jobs for offering his provocative perspective on the role of digital rights management (DRM) in the electronic content marketplace and for bringing to the forefront an issue of great importance to both the industry and consumers.
Macrovision has been in the content protection industry for more than 20 years, working closely with content owners of many types, including the major Hollywood studios, to help navigate the transition from physical to digital distribution. We have been involved with and have supported both prevention technologies and DRM that are on literally billions of copies of music, movies, games, software and other content forms, as well as hundreds of millions of devices across the world.

There are four key points that I would like to make in response to your letter.

* DRM is broader than just music - While your thoughts are seemingly directed solely to the music industry, the fact is that DRM also has a broad impact across many different forms of content and across many media devices. Therefore, the discussion should not be limited to just music. It is critical that as all forms of content move from physical to electronic there is an opportunity for DRM to be an important enabler across all content, including movies, games and software, as well as music.

* DRM increases not decreases consumer value - I believe that most piracy occurs because the technology available today has not yet been widely deployed to make DRM-protected legitimate content as easily accessible and convenient as unprotected illegitimate content is to consumers. The solution is to accelerate the deployment of convenient DRM-protected distribution channels - not to abandon them. Without a reasonable, consistent and transparent DRM we will only delay consumers in receiving premium content in the home, in the way they want it. For example, DRM is uniquely suitable for metering usage rights, so that consumers who don't want to own content, such as a movie, can "rent" it. Similarly, consumers who want to consume content on only a single device can pay less than those who want to use it across all of their entertainment areas - vacation homes, cars, different devices and remotely.
Abandoning DRM now will unnecessarily doom all consumers to a "one size fits all" situation that will increase costs for many of them.

* DRM will increase electronic distribution - Well maintained and reasonably implemented DRM will increase the electronic distribution of content, not decrease it. In this sense, DRM is an important ingredient in the overall success of the emerging digital world and especially cannot be overlooked for content creators and owners in the video industry. Quite simply, if the owners of high-value video entertainment are asked to enter, or stay in a digital world that is free of DRM, without protection for their content, then there will be no reason for them to enter, or to stay if they've already entered. The risk will be too great.

* DRM needs to be interoperable and open - I agree with you that there are difficult challenges associated with maintaining the controls of an interoperable DRM system, but it should not stop the industry from pursuing it as a goal. Truly interoperable DRM will hasten the shift to the electronic distribution of content and make it easier for consumers to manage and share content in the home - and it will enable it in an open environment where their content is portable across a number of devices, not held hostage to just one company's products. DRM supporting open environments will benefit consumer electronics manufacturers by encouraging and enabling them to create ever more innovative and sophisticated devices for consumers that play late running premium content from a number of sources.

As an industry, we can overcome the DRM challenges. A commitment to transparent, interoperable and reasonable DRM will effectively bridge the gap between consumers and content owners, eliminate confusion and make it possible for new releases and premium content to enter the digital environment and kick off a new era of entertainment. At Macrovision we are willing to lead this industry effort.
We offer to assist Apple in the issues and problems with DRM that you state in your letter. Should you desire, we would also assume responsibility for FairPlay as a part of our evolving DRM offering and enable it to interoperate across other DRMs, thus increasing consumer choice and driving commonality across devices.

In summary, we are on the verge of a transformation in home entertainment that can be as significant as the introduction of the PC into the home or the invention of the television. Already, consumer equipment manufacturers are introducing advancements in wireless connectivity and the interoperability of devices that are opening the door to new ways for consumers to acquire and view content from many sources. With such an enjoyable and revolutionary experience within our grasp, we should not minimize the role that DRM can and should play in enabling the transition to electronic content distribution. Without reasonable, consistent and transparent DRM we will only delay the availability of premium content in the home. As an industry, we should not let that happen.

Thank you,

Fred Amoroso
CEO & President
Macrovision Corporation

From rforno at infowarrior.org Sat Feb 17 11:18:26 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 17 Feb 2007 11:18:26 -0500
Subject: [Infowarrior] - Secrecy's dangerous side effects
Message-ID:

Secrecy's dangerous side effects

When legal settlements allow companies to hide their mistakes, what we don't know can hurt us.

http://www.latimes.com/news/opinion/la-oe-zitrin08feb08,0,6742226.story?coll=la-opinion-rightrail

RICHARD ZITRIN practices law in San Francisco and teaches at UC Hastings College of the Law. He is also the founder of the Center for Applied Legal Ethics at the University of San Francisco.

February 8, 2007

DRUG GIANT Eli Lilly & Co.
recently settled 18,000 lawsuits brought by people claiming they were injured by the side effects of its biggest-selling drug, Zyprexa, which is used to treat schizophrenia and bipolar disorder. But the $500 million in settlements says less about the dangers of the drug than the dangers of secrecy.

About 18 months earlier, Lilly had settled 8,000 other Zyprexa cases for $700 million. But those settlements required the plaintiffs to return all sensitive documents obtained through the legal discovery process to Lilly - a requirement that kept the strongest smoking-gun evidence out of public view. The plaintiffs also had to agree "not to communicate, publish or cause to be published, in any public or business forum or context, any statement, whether written or oral, concerning the specific events, facts or circumstances giving rise to [their] claims."

Lilly had strong motivation to settle. The documents contained evidence that Zyprexa caused large, often enormous, weight gain in many patients, significantly increasing the risk of dangerously high blood-sugar levels and diabetes. They also showed that Lilly knew about the problems in 1999, largely through its own research. Other documents outlined a marketing scheme to encourage physicians to prescribe Zyprexa for elderly patients with early signs of dementia. This strategy not only had no clinical evidence to support it, it promoted an "off-label" use not approved by the Food and Drug Administration, a violation of federal law.

Lilly gave the original 8,000 plaintiffs ample incentive to settle. Those plaintiffs received substantial compensation, and by agreeing to secrecy, they surely avoided years of scorched-earth litigation, extremely costly in terms of time, money and emotion.

When secrecy is the price of a legal settlement, wrongdoers hide their mistakes as if they never happened and continue with business as usual. That's what happened in the Lilly case.
The thousands of plaintiffs and dozens of lawyers involved in the 2005 settlements kept their part of the bargain, while Lilly continued to sell Zyprexa in huge quantities - a reported $4.2 billion in sales in 2005 - without warning either patients or doctors about the drug's dangers.

Part of the problem was that those plaintiffs had little control over their cases. They were consolidated - as these matters often are - in one huge federal case in which a committee of plaintiffs' lawyers has much more say over a settlement than in typical civil suits. In exchange for access to key Zyprexa data in the Lilly case, the committee agreed to a "protective order" that kept the information secret. That may have expedited things for their clients, but it was a public disservice.

Courts have the power to grant protective orders only to limit the disclosure of highly personal information and legitimate trade secrets. But when all the lawyers in a case agree, judges often grant protection even if the trade secrets in question show how the product does not work, not how it does. Neither lawyers nor judges should ever be party to such agreements. It is simply unacceptable as a matter of public policy to permit secret deals that conceal evidence of dangers to the public.

In the Zyprexa cases, the documents eventually were exposed when Alaska attorney James B. Gottstein, working on an entirely unrelated case, subpoenaed the records of one of the plaintiffs' expert witnesses. Gottstein not only used the documents in his lawsuit but, to his great credit, disclosed them to the New York Times and several healthcare groups.

Gottstein was almost immediately ordered to return all the documents he had, but the train had left the station: The New York Times published articles about the dangers of Zyprexa, and excerpts from the documents began appearing on the Internet. Within two weeks, with much of the Zyprexa evidence now out in the open, Lilly settled the additional 18,000 cases.
Negotiated secrecy, Lilly's primary goal, had become moot.

Some intrepid plaintiffs and their lawyers refuse to play the secrecy game. In Northern California, plaintiffs in dozens of Catholic Church sexual abuse cases have banded together and refused to keep the names and whereabouts of molesters secret. And recently, Eva Rowe, who lost her parents as the result of an explosion at a Texas oil refinery in 2005, refused to settle with BP unless the oil company agreed to release the millions of documents obtained as evidence. Rowe and her lawyer hope that the documents, which they say show how BP's under-funding and lackadaisical attitude created significant safety problems, will serve as an industry blueprint on how refinery safety should, and shouldn't, be handled.

Unfortunately, disclosure is still the exception. But we should have learned our lesson by now. From Zomax and Halcion in the 1980s to shredding Firestone tires and GM gas-tank fires in the 1990s, to Vioxx and Zyprexa today, when lawyers cut secret deals behind the public's back, what we don't know can and does hurt us. The civil justice system belongs to all of us, and no one should be allowed to use it to keep the public in the dark.

From rforno at infowarrior.org Sat Feb 17 11:21:46 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 17 Feb 2007 11:21:46 -0500
Subject: [Infowarrior] - State, local officials to get security data
Message-ID:

State, local officials to get security data

By Siobhan Gorman
Sun reporter
Originally published February 15, 2007

http://www.baltimoresun.com/news/nationworld/bal-te.intel15feb15,0,3180441.story

WASHINGTON // Reversing course, the Homeland Security Department announced yesterday that it will allow state and local officials to participate in a new counterterrorism unit designed to share information about possible terrorist threats.
The unit was created to address a long-standing complaint that states and localities do not receive timely threat information from the federal government, leading to the type of confusion that ensued over a possible plot to blow up a tunnel in Baltimore in 2005.

Charles Allen, chief intelligence officer at Homeland Security, told members of Congress that the department supports the participation of state and local representatives on the Interagency Threat Assessment and Coordination Group, which will soon begin operations.

"I pledge my staff's full effort to make this happen as smoothly and swiftly as possible," Allen said at a hearing of a House Homeland Security subcommittee.

Rep. Jane Harman, a California Democrat who chairs the subcommittee, called the announcement "a win for our communities, which should, as a result, get better intelligence out to the first preventers." She said the unit is particularly important because local officials need more information to track down "homegrown" terrorist cells, noting that one such radicalized group had been uncovered in her Los Angeles-area district.

The announcement ended a lengthy stalemate between the department and the White House, which had ordered the creation of the group last year. Homeland Security officials had balked at including state and local officials in the group because, they said, the unit was just packaging information and it might confuse rather than improve communications to include them. But officials from the White House, Congress and several intelligence agencies argued that state and local officials should be included to ensure that the information in the bulletins was truly useful.

Allen pledged that the Homeland Security effort would "set the standard for inclusiveness, access and collaboration" with officials at all levels of government. "If there's a threat out there, it's going to get down to the local level," he said.
White House orders

After a report in The Sun earlier this month about the dispute, the White House notified federal agencies involved in negotiations over the unit, including Homeland Security, that state and local officials must be part of the Threat Assessment group, according to an administration official who spoke on condition of anonymity to discuss internal communications.

In meetings on the issue as recently as last month, Homeland Security officials had staunchly opposed state and local participation, according to briefing documents and meeting participants. Homeland Security officials had argued that they needed time to establish the unit and that adding state and local officials would create, as one put it, "unnecessary confusion." They also said that state and local officials already have other opportunities to participate in threat analyses.

Allen did not provide specifics about how state and local officials will be incorporated into the group but said he expects it to be "up and running" in the coming weeks.

The unit, to be housed at the National Counterterrorism Center in Northern Virginia, is expected to have two or three state and local officials on its staff of about 15. Members of the group would likely come from the FBI, CIA, National Security Agency and other federal agencies, according to internal documents. The group would evaluate the sources and content of terrorism information and issue reports tailored to state and local needs.

Matter of trust

Kerry Sleeper, Vermont's homeland security adviser, who has been representing state homeland advisers in the negotiations, said he found Homeland Security's new position "encouraging." But he added that the department's prolonged opposition had damaged relations with state and local officials. He said that "it'll remain to be seen" whether the strongly held opinions of Homeland Security officials "can be overcome with a simple [directive to] make it happen.
This type of process requires trust and collaboration."

There is a significant need for improvement, he said, pointing to a front-page article in the Montreal Gazette on an alleged al-Qaida threat to target Canada's oil and natural gas facilities aimed at damaging the U.S. economy. "You would assume that DHS would recognize that border states have a vested interest in Canada," he said. But he said he received no information from Homeland Security about whether the report was credible.

siobhan.gorman at baltsun.com

From rforno at infowarrior.org Sat Feb 17 11:54:16 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 17 Feb 2007 11:54:16 -0500
Subject: [Infowarrior] - AACS: A Tale of Three Keys
In-Reply-To:
Message-ID:

(c/o MS)

AACS: A Tale of Three Keys

Thursday February 15, 2007 by J. Alex Halderman

This week brings further developments in the gradual meltdown of AACS (the encryption scheme used for HD-DVD and Blu-Ray discs). Last Sunday, a member of the Doom9 forum, writing under the pseudonym Arnezami, managed to extract a "processing key" from an HD-DVD player application. Arnezami says that this processing key can be used to decrypt all existing HD-DVD and Blu-Ray discs. Though currently this attack is more powerful than previous breaks, which focused on a different kind of key, its usefulness will probably diminish as AACS implementers adapt.

To explain what's at stake, we need to describe a few more details about the way AACS manages keys. Recall that AACS player applications and devices are assigned secret device keys. Devices can use these keys to calculate a much larger set of keys called processing keys. Each AACS movie is encrypted with a unique title key, and several copies of the title key, encrypted with different processing keys, are stored on the disc. To play a disc, a device figures out which of the encrypted title keys it has the ability to decrypt.
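The three-key chain the post describes (device keys to processing key to title key to content), as a toy model added here; it is not part of Halderman's post and not AACS itself. Every key, the three subset labels S1 to S3, the HMAC-SHA256 derivation that stands in for AES, and the disc titles are constructed assumptions. The point it is built to show is the one the post makes: a single processing key opens every disc whose key block still carries an entry for its subset, and the licensing side limits the damage by leaving that subset off new discs while every other device keeps an entry it can open.

```python
"""Toy model of the AACS key hierarchy (added example, not AACS itself).

Chain: device keys -> processing key -> title key -> content.  All keys,
subset labels and the wrapping primitive are constructed stand-ins (HMAC-SHA256
in place of AES, three subsets in place of the real subset-difference tree) so
that the example runs offline and deterministically.
"""
import hashlib
import hmac
from dataclasses import dataclass


def kdf(key: bytes, label: bytes) -> bytes:
    """16-byte subkey derivation; stands in for the AES-based derivation."""
    return hmac.new(key, label, hashlib.sha256).digest()[:16]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC; the toy content cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


# Licensing-side secrets (constructed).  A device's "device keys" are the
# secrets of the tree subsets it belongs to; each subset yields one processing key.
SUBSET_SECRETS = {
    "S1": b"constructed-subset-secret-1",
    "S2": b"constructed-subset-secret-2",
    "S3": b"constructed-subset-secret-3",
}


def processing_key(subset_secret: bytes) -> bytes:
    return kdf(subset_secret, b"processing-key")


@dataclass
class Disc:
    title: str
    mkb: dict       # key block: subset label -> (wrapped title key, verification tag)
    content: bytes  # content encrypted under the title key


def author_disc(title: str, plaintext: bytes, title_key: bytes, subsets) -> Disc:
    """Encrypt one title and store a copy of its title key per listed subset.
    Subsets the licensing authority has stopped using simply get no entry."""
    mkb = {}
    for s in subsets:
        pk = processing_key(SUBSET_SECRETS[s])
        # per-disc wrap label, so one processing key never reuses a pad
        wrapped = xor(title_key, kdf(pk, b"wrap:" + title.encode()))
        mkb[s] = (wrapped, kdf(title_key, b"verify"))
    return Disc(title, mkb, xor(plaintext, keystream(title_key, len(plaintext))))


def unwrap(pk: bytes, disc: Disc, wrapped: bytes, tag: bytes):
    """Recover the title key only if pk is the key that actually wrapped it."""
    tk = xor(wrapped, kdf(pk, b"wrap:" + disc.title.encode()))
    return tk if hmac.compare_digest(kdf(tk, b"verify"), tag) else None


@dataclass
class Player:
    device_keys: dict  # subset label -> subset secret held by this device

    def play(self, disc: Disc):
        """Find a key-block entry this device can open, derive the processing
        key, unwrap the title key and decrypt; None if no entry is reachable."""
        for subset, (wrapped, tag) in disc.mkb.items():
            if subset in self.device_keys:
                tk = unwrap(processing_key(self.device_keys[subset]), disc, wrapped, tag)
                if tk is not None:
                    return xor(disc.content, keystream(tk, len(disc.content)))
        return None


def exposed_by(leaked_pk: bytes, disc: Disc) -> bool:
    """Licensing-side risk check: does one processing key on its own, with no
    device keys at all, still open this disc's title key?"""
    return any(unwrap(leaked_pk, disc, w, t) is not None for w, t in disc.mkb.values())


def demo() -> dict:
    tk_old = hashlib.sha256(b"constructed-title-key-old").digest()[:16]
    tk_new = hashlib.sha256(b"constructed-title-key-new").digest()[:16]
    player_a = Player({"S1": SUBSET_SECRETS["S1"], "S3": SUBSET_SECRETS["S3"]})
    player_b = Player({"S2": SUBSET_SECRETS["S2"], "S3": SUBSET_SECRETS["S3"]})
    # Existing disc: its title key is stored under the S1 and S2 processing keys.
    old_disc = author_disc("old", b"old movie", tk_old, ["S1", "S2"])
    # The S1 processing key becomes public (the situation the post describes).
    leaked = processing_key(SUBSET_SECRETS["S1"])
    # Renewal: new discs omit S1 and use S3 instead, so the leaked key covers
    # nothing new while every non-revoked device still has an entry it can open.
    new_disc = author_disc("new", b"new movie", tk_new, ["S2", "S3"])
    return {
        "old_exposed": exposed_by(leaked, old_disc),
        "new_exposed": exposed_by(leaked, new_disc),
        "a_plays_old": player_a.play(old_disc) == b"old movie",
        "a_plays_new": player_a.play(new_disc) == b"new movie",
        "b_plays_new": player_b.play(new_disc) == b"new movie",
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `old_exposed` True and `new_exposed` False while both players still play both discs, which is the whole reason the post expects the extracted key's usefulness to diminish: the key block on each disc decides which processing keys are worth anything, and the licensing side chooses that set per disc. The toy deliberately keeps every device's other subsets in use; in the real scheme, a device identified as the source of a leak has all of its subsets dropped from future discs, which is what turns renewal into per-device revocation.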
Then it uses its device keys to compute the necessary processing key, uses the processing key to decrypt the title key, and uses the title key to extract the content.

...

http://www.freedom-to-tinker.com/?p=1121

From rforno at infowarrior.org Sat Feb 17 14:28:34 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 17 Feb 2007 14:28:34 -0500
Subject: [Infowarrior] - MPAA rips off freeware author

MPAA rips off freeware author

The author of ForestBlog, a blogging tool, has discovered that the MPAA was using his code in violation of his license. He gives the code away for free, but requires that users link back to his site and keep his name on the software. The MPAA deleted all credits and copyright notices from his work, and used it without permission. They ripped him off:

Way back in October last year whilst going through the website referrals list for another of my sites I stumbled across this link. That's right, my blogging software is being used by the MPAA (Motion Picture Association of America); probably one of the most hated organisations known to the internet. Cool, I thought, until I had a look around and saw that all of the back links to my main site had been removed with nary a mention in the source code!

< - >

http://www.boingboing.net/2007/02/17/mpaa_rips_off_freewa.html

From rforno at infowarrior.org Sat Feb 17 19:29:01 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 17 Feb 2007 19:29:01 -0500
Subject: [Infowarrior] - Chinese Internet Research Conference
In-Reply-To: <995243DD2D70CF438F02451A98B81D4858604F@ipo-exch.ipo.ad.tamu.edu>

The deadline has just passed for the 5th Annual Chinese Internet Research Conference to be held at Texas A&M University on May 21-22, but we can still receive submissions for another week or so. Some travel subsidies will be available for scholars from the PRC and from Taiwan.
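The three-key scheme in Halderman's AACS post above (device keys that expand into processing keys, a per-disc title key wrapped under several of them) lends itself to a small working model. The following is an added illustration, not code from the post or from AACS: the tree of seeds, the SHA-256 stream cipher, the root seed and title keys are all constructed stand-ins, and the "response" to a leaked processing key is simplified to dropping that one key from later discs.

```python
"""Toy model of the three-key AACS hierarchy (constructed illustration, not AACS)."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

TREE_DEPTH = 3  # 2**3 = 8 leaves, so 8 processing keys in this toy


def kdf(label: bytes, material: bytes) -> bytes:
    """One-way step: a parent seed yields a child seed, never the reverse."""
    return hmac.new(material, label, hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream); encrypt and decrypt coincide."""
    out = bytearray()
    for off in range(0, len(data), 32):
        keystream = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], keystream))
    return bytes(out)


def derive_processing_keys(node: str, seed: bytes) -> Dict[str, bytes]:
    """Expand one device key (seed of tree node `node`) into every processing key
    beneath it: a few device keys thus yield a much larger set of processing keys."""
    if len(node) == TREE_DEPTH:
        return {node: kdf(b"processing-key", seed)}
    keys: Dict[str, bytes] = {}
    for bit in "01":
        child = node + bit
        keys.update(derive_processing_keys(child, kdf(child.encode(), seed)))
    return keys


class LicensingAuthority:
    """Holds the root seed, issues device keys, and builds each disc's key block."""

    def __init__(self, root_seed: bytes) -> None:
        self.root_seed = root_seed

    def node_seed(self, node: str) -> bytes:
        seed = self.root_seed
        for depth in range(1, len(node) + 1):
            seed = kdf(node[:depth].encode(), seed)
        return seed

    def issue_device(self, nodes: Iterable[str]) -> "Device":
        return Device({n: self.node_seed(n) for n in nodes})

    def press_disc(self, title_key: bytes, content: bytes, leaves: Iterable[str]) -> dict:
        """Key block = the title key wrapped under each processing key still in use."""
        all_pks = derive_processing_keys("", self.root_seed)
        key_block = {leaf: stream_xor(all_pks[leaf], title_key) for leaf in leaves}
        return {"key_block": key_block, "content": stream_xor(title_key, content)}


class Device:
    def __init__(self, device_keys: Dict[str, bytes]) -> None:
        self.processing_keys: Dict[str, bytes] = {}
        for node, seed in device_keys.items():
            self.processing_keys.update(derive_processing_keys(node, seed))

    def play(self, disc: dict) -> Optional[bytes]:
        """Find a title-key copy this device can unwrap, then decrypt the content."""
        for leaf, wrapped in disc["key_block"].items():
            pk = self.processing_keys.get(leaf)
            if pk is not None:
                return stream_xor(stream_xor(pk, wrapped), disc["content"])
        return None  # no usable copy: this device cannot play the disc


def play_with_leaked_key(disc: dict, leaf: str, leaked_pk: bytes) -> Optional[bytes]:
    """What one extracted processing key buys: any disc whose key block still uses it."""
    wrapped = disc["key_block"].get(leaf)
    if wrapped is None:
        return None  # newer disc no longer wraps the title key under this key
    return stream_xor(stream_xor(leaked_pk, wrapped), disc["content"])


def demo() -> Dict[str, bool]:
    authority = LicensingAuthority(b"constructed-root-seed")
    player_a = authority.issue_device(["0"])         # device key covers leaves 000..011
    player_b = authority.issue_device(["10", "11"])  # device keys cover leaves 100..111
    movie = b"constructed sample content, not a real title"
    every_leaf = [format(i, "03b") for i in range(2 ** TREE_DEPTH)]
    disc_old = authority.press_disc(b"constructed-title-key-1", movie, every_leaf)
    leaked = player_a.processing_keys["011"]         # stands in for the extracted key
    # Simplified response: later discs stop using the leaked processing key
    # (real AACS instead revokes the compromised device's subset via the key block).
    disc_new = authority.press_disc(b"constructed-title-key-2", movie,
                                    [leaf for leaf in every_leaf if leaf != "011"])
    return {
        "a_plays_old": player_a.play(disc_old) == movie,
        "b_plays_old": player_b.play(disc_old) == movie,
        "leak_opens_old": play_with_leaked_key(disc_old, "011", leaked) == movie,
        "a_plays_new": player_a.play(disc_new) == movie,  # still works via leaf 000
        "leak_opens_new": play_with_leaked_key(disc_new, "011", leaked) == movie,
    }
```

Running `demo()` shows the asymmetry the post describes: the leaked processing key opens every existing disc, while an honest player that merely shares that key keeps working on new discs through another of its processing keys, and the leaked key alone does not.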
See conference details and cfp here: http://international.tamu.edu/ipa/projects/conference.asp

From rforno at infowarrior.org Sat Feb 17 19:59:17 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 17 Feb 2007 19:59:17 -0500
Subject: [Infowarrior] - Smart cards track commuters

Smart cards track commuters
By Aaron Scullion
BBC News Online staff

Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/3121652.stm

Civil rights campaigners have expressed concerns about the new smart travelcards introduced for London commuters.

Under the new system, Transport for London will be able to track a commuter's movements and it plans to retain information on journeys made for "a number of years".

Each card has a unique ID number linked to the registered owner's name, which is recorded together with the location and time of the exchange every time the card is used.

The data, retained for business purposes, could be released to law enforcement agencies under certain conditions.

Anyone hoping to use a monthly or annual season ticket will have to register their details with Transport for London, although anonymous cards will be available to those willing to pay per journey.

The civil rights group Liberty told BBC News Online that commuters should be able to opt out of the system if they had privacy concerns.

How it works

The new system uses the Oyster smart card, which Transport for London began distributing to commuters in the summer.

The smart card is 'contactless', meaning customers do not have to insert their cards into a card reader.

Instead, the new card must be quickly placed on top of a reader and does not even need to be removed from its holder to work.

A small amount of data about the commuter holding the card, including a unique ID number, is stored on it.
When the card is presented at a tube station or on a bus, the ID number, together with information including the location and time of the transaction, is sent from the card reader to a central database.

In time, Transport for London will have a database with the exact movements of a significant number of the people who live or work in London.

'Journey planning'

But those behind the scheme were keen to stress that the information is being held for business purposes.

"It's not so much about the individual. It's about understanding passenger travel better", said John Monk of the Oyster project.

"The fact that the card belongs to a given person is irrelevant, to some degree, until we try to provide customer service for that passenger.

"But if someone were to lose their card, you would want to be able to trace it back to them in order to replace it."

Mr Monk stressed that Transport for London are only collecting the data to "improve the journey planning process."

"The information has to be retained to allow tracking across the system, to tie the journeys made on an individual travelcard together."

Data that can identify people's movements is being held locally for eight weeks, according to Mr Monk, to allow reports to be produced, and then "archived for a number of years."

An anonymous pre-pay card will be available early in 2004, but Mr Monk added that customers would not be able to buy season tickets, for example, until they had personalised the cards.

"People who don't trust the technology can still come on board, and when they feel comfortable, they can register and get all the extra benefits that will bring."

Anyone unwilling to register their details with Transport for London will be at a financial disadvantage.

The cost of a year's travel in central London with a season ticket is £660. Anyone commuting to work on a pre-pay card, making 10 journeys a week, will pay a total of £832.
'Function creep'

In the UK, people's movements are already indirectly tracked in a number of ways.

Mobile phone companies keep records of the location of their customers for a number of years, while the number plates of individual cars on the public highway are read and recorded by a number of different organisations.

Law enforcement agencies can gain access to stored electronic data of this nature, and Mr Monk admitted it was "likely the information would be used for court evidence."

Such information is a boon to those seeking to combat crime, but many feel that people's privacy is undermined by this kind of monitoring.

"All too often we have seen data collected for one apparent purpose, only for it to end up being used for something entirely different", said Mark Littlewood, campaign director of civil rights group Liberty.

"We will be monitoring the situation carefully to ensure that this sort of 'function creep' doesn't occur in this instance," added Mr Littlewood.

"If anyone wishes to store information on people's journeys for their own planning purposes, they should at least ensure that travellers are fully informed of this.

"It is also important that people have a right to opt out of the system."

A spokesperson for the government body which looks after data protection issues, the Information Commissioner, stated that there were valid commercial reasons for holding the data, but that it was important that Transport for London did not misuse the information gathered.

Whilst these privacy concerns currently only affect commuters in London, the country's other major transport companies are working on a smartcard scheme which could have similar implications for commuters.

Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/3121652.stm
Published: 2003/09/25 11:32:39 GMT
© BBC MMVII

From rforno at infowarrior.org Sat Feb 17 20:03:55 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 17 Feb 2007 20:03:55 -0500
Subject: [Infowarrior] - Hardware Versus Software Firewalls

Hardware Versus Software Firewalls
by Chris Swartz and Randy Rosel
02/15/2007

According to estimates, an unprotected Windows computer system connected to the Internet could be compromised within twelve minutes. In light of this, the need for computer security has expanded in the last few years. Today, it is just as necessary for home users to secure personal computers as it is for businesses to secure office computers. In order to gain security benefits like those many businesses possess, home network security often utilizes the same models. The difference, however, has been that most home users do not have the financial resources for top of the line security equipment. This has led many home users to begin using security tools such as freeware firewalls and over-the-counter hardware firewall solutions. This raises a question. How do the freeware firewalls compare to expensive, all-in-one firewall solutions such as the Cisco PIX? The goal for this project, then, is to compare the Cisco PIX with two freeware firewalls.

< - >

http://www.oreillynet.com/lpt/a/6937

From rforno at infowarrior.org Sat Feb 17 20:20:50 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 17 Feb 2007 20:20:50 -0500
Subject: [Infowarrior] - Driver's License Emerges as Crime-Fighting Tool, but Privacy Advocates Worry

(c/o MS)

Driver's License Emerges as Crime-Fighting Tool, but Privacy Advocates Worry
By ADAM LIPTAK
The New York Times
February 17, 2007

BOSTON, Feb. 12 - On the second floor of a state office building here, upstairs from a food court, three facial-recognition specialists are revolutionizing American law enforcement. They work for the Massachusetts motor vehicles department. Last year they tried an experiment, for sport.
Using computerized biometric technology, they ran a mug shot from the Web site of "America's Most Wanted," the Fox Network television show, against the state's database of nine million digital driver's license photographs. The computer found a match. A man who looked very much like Robert Howell, the fugitive in the mug shot, had a Massachusetts driver's license under another name. Mr. Howell was wanted in Massachusetts on rape charges. The analysts passed that tip along to the police, who tracked him down to New York City, where he was receiving welfare benefits under the alias on the driver's license. Mr. Howell was arrested in October.

At least six other states have or are working on similar enormous databases of driver's license photographs. Coupled with increasingly accurate facial-recognition technology, the databases may become a radical innovation in law enforcement.

...

http://www.nytimes.com/2007/02/17/us/17face.html?ex=1329368400&en=8782b7320b2e7a40&ei=5090

From rforno at infowarrior.org Sun Feb 18 01:08:23 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 18 Feb 2007 01:08:23 -0500
Subject: [Infowarrior] - Warnings Over Privacy of U.S. Health Network

February 18, 2007
Warnings Over Privacy of U.S. Health Network
By ROBERT PEAR
http://www.nytimes.com/2007/02/18/washington/18health.html?_r=1&oref=slogin&pagewanted=print

WASHINGTON, Feb. 17 -- The Bush administration has no clear strategy to protect the privacy of patients as it promotes the use of electronic medical records throughout the nation's health care system, federal investigators say in a new report.

In the report, the Government Accountability Office, an investigative arm of Congress, said the administration had a jumble of studies and vague policy statements but no overall strategy to ensure that privacy protections would be built into computer networks linking insurers, doctors, hospitals and other health care providers.
President Bush has repeatedly called for the creation of such networks, through which health care providers could share information on patients. In 2004, Mr. Bush declared that every American should have a "personal electronic medical record" within 10 years -- by 2014. With computerized records, he said, "we can avoid dangerous medical mistakes, reduce costs and improve care."

In response to the president's plea, federal officials have developed elaborate plans for what they describe as "a nationwide health information network."

Mr. Bush has said: "One of the things I've insisted upon is that it's got to be secure and private. There's nothing more private than your own health records."

But in the report, issued this month, the G.A.O. said the administration had taken only rudimentary steps to safeguard sensitive personal data that would be exchanged over the network.

Senator Daniel K. Akaka, Democrat of Hawaii, who requested the investigation, said it showed that "the Bush administration is not doing enough to protect the privacy of confidential health information."

As a result, Mr. Akaka said, "more and more companies, health care providers and carriers are moving forward with health information technology without the necessary protections."

In written comments on the report, Jim Nicholson, the secretary of veterans affairs, who supervises one of the nation's largest health care systems, said, "I concur with the G.A.O. findings."

But Dr. Robert M. Kolodner, who coordinates work on information technology at the Department of Health and Human Services, disputed the findings. Dr. Kolodner said his department was "very committed to privacy and security as it works toward the president's goal" of switching medical records from paper to electronic files.

Mark A. Rothstein, the chairman of a panel that advises the government on health information policy, essentially agreed with the accountability office.
"Health privacy has not received adequate attention at the Department of Health and Human Services," said Mr. Rothstein, a professor of law and medical ethics at the University of Louisville School of Medicine. "A sense of urgency is lacking."

Mr. Rothstein said "time is of the essence" because "the private sector is racing ahead" to establish medical record banks and health information exchanges.

In December, he noted, Wal-Mart, Intel and other companies announced they were creating a huge database that could store the personal health records of more than 2.5 million employees and retirees. The companies promised they would have "stringent privacy policies and procedures."

Mr. Rothstein said Congress should not provide more money for a nationwide health information network unless the administration did more to protect the privacy of electronic medical records.

Dr. William A. Yasnoff, a physician and computer scientist who worked at the Department of Health and Human Services from 2002 to 2005, said he too had found that "the department does not have a comprehensive approach to privacy."

Explaining why he saw a need for stronger privacy protections in the digital age, Dr. Yasnoff said: "Anything you do to make information more accessible for good, laudable purposes will simultaneously make it more accessible for evil, nefarious purposes. People intuitively understand that, and they are worried."

The accountability office said doubts about privacy could slow the adoption and use of electronic medical records.

Professor Rothstein offered a similar prediction, saying: "If privacy protections are not built into the network, people will not trust it. They won't participate, or they will opt out if they are allowed to."

Legislation to encourage the use of health information technology has broad bipartisan support but died in Congress last year, partly because of disagreements over privacy protections. Under Mr.
Bush's proposal, lawmakers said, it is not clear how much control people would have over their electronic medical records.

Several members of Congress have drafted legislation to clarify consumers' control over such data. One proposal, by Senator Sam Brownback of Kansas and Representative Paul D. Ryan of Wisconsin, both Republicans, would establish health data banks in which people could store electronic copies of their medical records. Under the bill, a consumer would "maintain ownership over the entire health record" and could control access to it.

By contrast, under existing federal rules, hospitals and other health care providers generally do not have to obtain a patient's consent to use or disclose information for "treatment, payment or health care operations."

From rforno at infowarrior.org Sun Feb 18 01:10:34 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 18 Feb 2007 01:10:34 -0500
Subject: [Infowarrior] - A Reality Check on Our Fears

A Reality Check on Our Fears
By Jim Hoagland
Sunday, February 18, 2007; B07
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/16/AR2007021601806_pf.html

NEW YORK -- Global business is burbling while global politics croaks messages of dread, frustration and hatred. It is supersized Dickens: The best of times by many economic measures is also the worst of times when we listen to the pollsters and the politicians.

Why this disjunction of spirits? Or to put it another way: Why not? Selling fear is the oldest tool of politics. Selling hope and confidence is the mother's milk of business. The more we get, the more we have to fear having it taken away by "others" as defined by race, religion, class or rivalrous sameness.

But there is a different, fragile feel to this particular "golden moment," a term George Shultz used in a recent Washington talk.
As a former secretary of both Treasury and state, Shultz is credible in warning that the current public fury with leaders, liberal trade policies and the conduct of nations does not match -- and eventually can threaten -- the economic openings that bring billions of new workers into global labor markets and generate huge profits for the happy few of highest finance. Protectionism is the danger Shultz has in mind.

The jarring contrast is easy to spot. I went recently from listening in Washington to a hopeful Eric Schmidt, the chief executive of Google, describe a world of growing individual empowerment and prosperity as Chinese and Indian peasants join the Internet era to listening to politicians at the annual Munich Conference on Security Policy darkly emphasize the threats of terrorism, failed states, and, yes, American unilateralism and lawlessness.

That point was put most pungently by Russian President Vladimir Putin in a widely misunderstood presentation. Putin's speech was an intensely personal mocking of President Bush rather than a policy declaration of hostility toward the United States. Moreover, it was laboriously calculated for domestic political effect to bolster the other important Russian in Munich, Sergei Ivanov.

It was bad cop, good cop. Ivanov talked reassuringly about U.S.-Russian cooperation. Also a former KGB officer, Ivanov is moving forward now to succeed Putin. He was portrayed on Moscow television as a statesmanlike figure -- especially on one program filmed before either spoke in Munich but shown afterward, one knowledgeable Russian told me. Putin promoted Ivanov to become first deputy prime minister five days after the president's speech in Germany.

Putin's political intentions and the mood of his audience reflect how the national security imperative has displaced pocketbook issues that should dominate political discourse today. A relatively strong global growth cycle is continuing longer than experience and experts say is normal.
You can argue economic policies round or flat if you pick your own numbers. In this confusion, foreign policy and national security issues become more salient and decisive in campaigns around the world.

Putin's audience included Sen. John McCain, a leading Republican presidential contender, who took the high road by characterizing Putin's jabs as "aggressive" but quickly adding that Americans still must work with Russia. But it did not include Sen. Hillary Clinton, the leading Democratic contender.

Clinton decided to stay away from a meeting she dazzled two years ago. This time she did not want to be put in the position of criticizing the Bush administration or Democratic rivals on Iraq from a foreign forum. Instead she went to New Hampshire to criticize the Bush administration on Iraq and to eclipse her Democratic rivals. Republican strategists hope she will now "chase John Edwards to the left" to counter his populist economic programs and thereby muddy her strong appeal to the electoral center on national security.

The dynamic is similar in other democracies. French Prime Minister Dominique de Villepin gets little to no political credit for announcing that unemployment has declined steadily through his tattered term. Segolene Royal, the Socialist presidential candidate, has tumbled from front-runner to second place with foreign policy blunders that make her seem inexperienced and duplicitous. (The second the French may forgive, but not the first.) German Chancellor Angela Merkel presides over a stalemated coalition and a surprisingly robust economy. No need to dwell on Tony Blair's politically poisoned golden economic chalice in Britain.

Abundant financing in global markets and broad confidence in the ability of today's central banks to control inflation have created a buoyant international financial system in which risk premiums scrape historic lows.
Oil price volatility creates enormous psychological strain on Western consumers -- but has not derailed growth to this point. There is always cause for concern about markets overshooting, especially when risk premiums evaporate. But the merchants of political despair are overdoing it as they manipulate the new instruments of intrusive round-the-clock communications. Breathe deep, look around at what is really happening, and spend more time in life than online or in other forms of virtual reality.

jimhoagland at washpost.com

From rforno at infowarrior.org Sun Feb 18 14:54:00 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 18 Feb 2007 14:54:00 -0500
Subject: [Infowarrior] - New UN symbol for radiation warning

Red triangle with skull and crossbones is for danger -- new UN radiation symbol

15 February 2007 -- A skull and crossbones, a running person and radiating ionizing waves, all on a deep red triangle, joined other more common warning symbols today as part of a United Nations effort to reduce needless deaths and serious injuries from accidental exposure to large radioactive sources such as food irradiation and cancer therapy equipment.

< - >

http://www.un.org/apps/news/story.asp?NewsID=21578&Cr=iaea&Cr1=

From rforno at infowarrior.org Sun Feb 18 15:44:45 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 18 Feb 2007 15:44:45 -0500
Subject: [Infowarrior] - FBI Defends Against 'Kitchen Sink Bombs'

Aha! They were right!!! There ARE terrorists lurking in every house in America......and under every sink in America!!! -rf

FBI Defends Against 'Kitchen Sink Bombs'
By LARA JAKES JORDAN
Associated Press Writer
http://hosted.ap.org/dynamic/stories/K/KITCHEN_SINK_BOMBS?SITE=CATOR&SECTION=HOME&TEMPLATE=DEFAULT

QUANTICO, Va. (AP) -- Kirk Yeager makes bombs from the stuff found under kitchen sinks. He does it to help the FBI defend against what officials say is the next frontier for terrorists in the United States.
Ten years ago, peroxide-based bombs were mostly the work of young pranksters. But the easy-to-make yet deadly chemical cocktails were embraced in the late 1990s by Palestinian militants and suicide bombers bent on killing large groups of people.

Now, Yeager says, the "Mother of Satan" explosives are considered the most likely weapon that terrorists will use against the U.S., more so than a nuclear or radiological "dirty" bomb.

"Every serious terrorist group knows about them and knows how to make them," Yeager said. The forensic scientist heads the explosives unit at the FBI's laboratory in Quantico, Va., about 35 miles south of Washington.

"Bad guys are bombers. You don't have to have the level of sophistication to make a bomb that you need to get nuclear materials," Yeager said.

The bombs are made by mixing chemicals that are used in common household items, including hydrogen peroxide and paint thinner, and easily found at drug stores or hardware stores. Experts know them as TATP, short for triacetone triperoxide, and HMTD, or hexamethylene triperoxide diamine.

Recent cases of explosions or thwarted attacks with TATP or HMTD in the U.S. include:

- Millennium bomber Ahmed Ressam. He was carrying HMTD among the 124 pounds of explosives in the trunk of his car when he was arrested near the U.S.-Canadian border in December 1999.

- Richard Reid. The would-be British shoe bomber tried unsuccessfully to detonate 8 ounces of TATP hidden in his high-top sneaker during a Paris-to-Miami flight in 2001.

- University of Oklahoma suicide bomber Joel Henry Hinrichs III. He used TATP to blow himself up near a packed football stadium in October 2005.

- College student Matthew Rugo in Texas City, Texas. He was killed last July when a plastic storage container of TATP that was mixed in his apartment exploded. The FBI has not found any connection in the case to international terrorist groups, but the investigation continues.
Additionally, counterterrorist authorities say terrorists planned to mix a solution similar to TATP in last summer's thwarted attacks on as many as 10 London-to-U.S. flights - leading to the crackdown on bringing liquids aboard airlines.

Also, ecoterrorists and animal rights extremist groups such as Animal Liberation Front and Earth Liberation Front are believed by authorities to use peroxide-based explosives.

Yeager, 41, who helps the FBI solve bombing cases by investigating the crime scene debris, is the only U.S. official who makes TATP and similar explosives in mass quantities. His interest in bomb-making began at Cornell University, where he earned his Ph.D. in organic chemistry. He honed his skills at the New Mexico Institute of Mining and Technology, one of the nation's top centers for explosives research and testing.

Yeager's brews are used for testing and training police officers and bomb-sniffing dogs. Until recently, authorities knew little about peroxide-based bombs because they are too volatile to handle casually. Moreover, TATP in particular is hard for dogs to detect.

Over the past year, the FBI and Transportation Security Administration have trained dog teams to sniff out the chemical cocktails at 75 airports and on subway, train and bus systems in 13 cities. The government pays up to $50,000 to train each of the 420 teams currently in action.

"It's a threat that's not here right now, but we see it coming," said Dave Kontny, director of TSA's national explosives detection canine teams. "So we're better off to have these teams."

John Rollins, a counterterrorism expert at Congressional Research Service and former U.S. intelligence official, said TATP and other varieties of peroxide-based bombs are most likely to show up in the hands of homegrown extremists and other splinter sympathizers of international terrorist groups.
The larger and centrally organized groups, such as al-Qaida, are more interested in "big bang" weapons that he said would cause widespread deaths and economic losses. But aspiring terrorists, Rollins said, "would lean toward this because it's so readily available, it's so hard to detect."

"It certainly would be enough of a bang to draw attention to their cause, and shake the foundations in the short term of society's belief that the government can protect the United States," Rollins said.

---

Associated Press writer Matt Apuzzo contributed to this report.

From rforno at infowarrior.org Sun Feb 18 21:11:59 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 18 Feb 2007 21:11:59 -0500
Subject: [Infowarrior] - Entrepreneurs Profit From Free Web Names

Entrepreneurs Profit From Free Web Names
By ANICK JESDANUN
The Associated Press
Sunday, February 18, 2007; 7:37 PM
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/18/AR2007021800599_pf.html

NEW YORK -- It's not often you can compare Internet addresses with clothing, but a growing practice comes close, contributing to a global shortage in good names.

Entrepreneurs have been taking advantage of a five-day grace period to sample millions of domain names, keeping the relative few that might generate advertising revenues and dropping the rest before paying.

It's akin to buying new clothes on a charge card only to return them for a full refund after wearing them to a big party.

The grace period was originally designed to rectify legitimate mistakes, such as registrants mistyping the domain name they are about to buy. But with computer automation and a burgeoning online advertising market, entrepreneurs have turned the return policy into a loophole for generating big bucks.

Experts believe spammers and scam artists are also starting to use the grace period as a source of free, disposable Web addresses.
With up to 6 million names tied up at any given time through a practice known as domain name tasting, individuals and businesses are having even greater difficulty finding good names, particularly in the already-crowded ".com" space.

"The system really doesn't work to the advantage of people who have legitimate reasons for wanting names," said Frederick Felman, chief marketing officer with MarkMonitor, a brand-protection firm. "It allows people with criminal or speculative intent to dominate."

Cybersquatting has been around for more than a decade, and scores of entrepreneurs have made thousands and even millions of dollars reselling names they had bought for as little as $6 each. With tasting, entrepreneurs generally aren't grabbing names to resell but to generate traffic and share in online advertising revenues.

The Internet's key oversight agency for domain names, the Internet Corporation for Assigned Names and Numbers, or ICANN, has for years required operators of major Web suffixes such as ".com" to refund cancellations within five days.

Tasting became more practical about two years ago when automation allowed newly available ".com" names to go live almost immediately, providing an additional half-day for sampling.

The practice has spiked, with an average tasting of 1.2 million names each day in December, compared with 7,200 two years earlier, according to data from Name Intelligence Inc., which analyzes domain name patterns. Legitimate registrations made up 2 percent of the registrations at the end of 2006, down from about half in 2004.

In an e-mail statement, one company that engages in tasting, Wang Lee Domains, said the practice was "perfectly legal" and brings "customers to the companies that advertise."

Moniker Online Services LLC, which lets customers try out domains for a small service charge it keeps, said companies can identify the right names to buy and not overspend for ones that don't matter.
Monte Cahn, Moniker's founder and chief executive, said many leading brands do it, although he would not name them.

"Tasting is similar to test driving a car before you buy it or doing a walkthrough of a house before you buy," Cahn said.

The loophole works this way: Speculators write software to automatically register hundreds or thousands of names. Some are variants of trademarks or generic keywords that Internet users are likely to type -- or mistype. Others are names grabbed after their original owners fail to renew.

During the grace period, the entrepreneur puts up a Web page featuring keyword search ads and receives a commission on each ad clicked. Services like Google Inc.'s AdSense for Domains and Yahoo Inc.'s Domain Match help large domain name owners set them up, even as the search companies officially oppose abuses in tasting.

Addresses likely to generate more than the $6 annual cost of domain name are kept -- not a high threshold given how lucrative search advertising is these days. The rest are thrown back into the pool on the fourth or fifth day, only to be grabbed by another group of domain name tasters.

"Everyone's trash is someone else's gold," said Jay Westerdal, president of Name Intelligence. "You'll see this with three or four companies that keep going through the trash of everybody else."

And because the process is automated -- the names are grabbed as soon as they are let go -- legitimate registrants barely have a chance, Westerdal said.

The department store chain Neiman Marcus Group Inc. even filed a federal lawsuit last year accusing the registration company Dotster Inc. of tasting hundreds of names meant to lure Internet users who mistype Web addresses. At one point, the lawsuit said, the misspelled NeimuMarcus.com featured ads for Target, Nordstrom and other rivals.

David Steele, an attorney representing the retailer, said Neiman Marcus could have placed ads on those sites as well, but "should Neiman Marcus have to pay ...
for directing people back to their Web site?" The two parties recently agreed to settle, though Steele said details won't be announced until at least this week (Dotster declined comment). He said his law firm, Christie, Parker & Hale LLP, also was preparing litigation against other tasters. Operators of the ".org" database have tried to strike back, winning approval in November to charge a restocking fee. But VeriSign Inc., which runs ".com" and ".net," has not publicly backed one. The oversight agency ICANN said it was still studying the extent of the problem. Critics of the system say VeriSign and ICANN both benefit from the thousands of names that are tasted and kept, collecting fees proportional to the number of names sold. VeriSign said decisions should follow community-wide discussions. "The risk is you don't want to necessarily move too fast or have a knee-jerk reaction without understanding the ramification," said Michael Denning, general manager with VeriSign's Digital Brand Management Services, which encourages companies to register additional domain names before tasters can get to them. The practice, meanwhile, shows no signs of waning. A newer variant, sometimes called "kiting," involves the same company reregistering the same name every fourth or fifth day to hang onto it in perpetuity, without ever paying for it. Anti-spam experts also suggest that spammers and scam artists are turning to the loophole to register new names every couple of days to avoid detection. "We see them using hundreds and hundreds of domains, and even at $5 a domain, that's costing them thousands of dollars, which they probably don't want to be losing," said Matt Sergeant, senior anti-spam technologist at MessageLabs Ltd. Steele, the Neiman Marcus lawyer, said many of the dispute-resolution rules written for the pre-tasting days are no longer effective. "By the time you expend the time and effort to track and figure out who's going after what names, they have moved on," he said. 
"A day where 100 Neiman Marcus names get registered is not an uncommon day." ___ Anick Jesdanun can be reached at netwriter(at)ap.org © 2007 The Associated Press
From rforno at infowarrior.org Mon Feb 19 10:41:16 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 19 Feb 2007 10:41:16 -0500 Subject: [Infowarrior] - New Weapon in Web War Over Piracy Message-ID: February 19, 2007 New Weapon in Web War Over Piracy By BRAD STONE and MIGUEL HELFT http://www.nytimes.com/2007/02/19/technology/19video.html?pagewanted=print SAN FRANCISCO, Feb. 18 - As media companies struggle to reclaim control over their movies, television shows and music in a world of online file-sharing software, they have found an ally in software of another kind. The new technological weapon is content-recognition software, which makes it possible to identify copyrighted material, even, for example, from blurry video clips. The technology could address what the entertainment industry sees as one of its biggest problems - songs and videos being posted on the Web without permission. Last week, Vance Ikezoye, the chief executive of Audible Magic in Los Gatos, Calif., demonstrated the technology by downloading a two-minute clip from YouTube and feeding it into his company's new video-recognition system. The clip - drained of color, with dialogue dubbed in Chinese - appeared to have been recorded with a camcorder in a dark movie theater before it was uploaded to the Web, so the image quality was poor. Still, Mr. Ikezoye's filtering software quickly identified it as the sword-training scene that begins 49 minutes and 37 seconds into the Miramax film "Kill Bill: Vol. 2." The entertainment industry is clamoring for Internet companies to adopt the technology for music files as well as for video clips. The social networking site MySpace, owned by the News Corporation, said last week that it would use Audible Magic's system to identify copyrighted material on its pages. 
But not every Internet company is rushing to go along. The video-sharing site YouTube, which Google bought last year, is the major holdout so far. Though YouTube's co-founders said publicly that they would start using filtering technology by the end of last year, the site has yet to do so. And they have further angered some media companies by saying they would only use such technology to detect clips owned by companies that agree to broader licensing deals with YouTube. The pressure is on. Executives at media companies like NBC and Viacom have criticized Google for the delay. Earlier this month, Viacom asked YouTube to remove 100,000 clips of its shows, like music videos from MTV and excerpts from Comedy Central's "The Daily Show." In a statement, YouTube said that identifying which video clips had been uploaded without permission was a complex problem that required the cooperation of the copyright owners. "On YouTube, identifying copyrighted material cannot be a single automated process," it said in the statement. The systems being developed by companies like Audible Magic and Gracenote make use of vast databases that store digital representations of copyrighted songs, TV shows and movies. When new files are uploaded to a Web site that is using the system, it checks the database for matches using a technique known as digital fingerprinting. Copyrighted material can then be blocked or posted, depending on whether it is licensed for use on the site. "This is capable of helping the film and TV studios comprehensively protect their works," Mr. Ikezoye said. "This could put the genie back in the bottle." Audio fingerprinting technologies have been used successfully for some time to detect copyrighted music on file-sharing networks and, to a smaller degree, to identify music tracks on social-networking Web sites like MySpace. 
Systems that can identify video files hold even greater promise to improve relations between traditional media companies and Internet companies like YouTube. But the technology is not quite ready. "Video is much more complex to analyze, and more information needs to be captured in the fingerprint," said Bill Rosenblatt, president of GiantSteps Media Technology Strategies, a consulting firm based in New York. He noted that there were also more ways to fool the technology - for example, by cropping the image. Screening for video is also more difficult because of the sheer volume of new material broadcast on television each day, all of which must be captured in the database. And deploying any type of fingerprinting technology can carry a price. Users tend to leave filtered Web sites and migrate to more anything-goes online destinations. Nevertheless, some file-sharing networks and smaller video sites like Guba.com and Grouper.com are already using more basic filters that monitor video soundtracks and music files, hoping to appease copyright holders and stay out of the courtroom. Last week, they got some company: MySpace announced that it would expand on early filtering efforts and license Audible Magic's audio and video fingerprinting technology. It will use the system to identify and obtain authorization for material from Universal Music, NBC Universal and Fox, three media companies that have wanted more control over their content on the site. The move ratchets up the pressure on YouTube, the largest video site on the Web. Hollywood, long tormented by digital piracy, is growing excited about the possibilities of digital fingerprinting and filtering - in part because it is tired of having to ask YouTube and other sites to remove individual clips, only to find them posted again by other users. "To the extent you can readily and easily identify one film or TV show from the next, it enables different licensing models and the opportunity to protect your content," 
said Dean Garfield, executive vice president of the Motion Picture Association of America. For now, however, audio fingerprinting is all that is widely available, and it can fall short in some situations, like when someone pairs a song with an unrelated piece of video. For example, last December, one YouTube user uploaded scenes from the Warner Brothers movie "Superman Returns," matched to the song "Superman," by Five for Fighting of Columbia Records, a unit of Sony BMG Music. With acoustic fingerprinting, Sony could authorize the use of the song and get a slice of the advertising revenue the clip generates, but Warner Brothers could not because the filter does not scrutinize video images. Hoping to nurture the development of more advanced video fingerprinting, the film association asked technology companies last fall to submit video filtering systems for testing. Mr. Garfield of the association said 13 companies responded; their systems are now being evaluated. Perhaps not surprisingly, there is now a flurry of interest in digital fingerprinting in Silicon Valley. Sean Varah, an electronic-music researcher who once worked for Sony music's venture capital group, founded the start-up MotionDSP in 2005 to develop technology to improve the quality of video images. But he changed the company's direction last year after seeing an opportunity in the filtering business. "The television and movie producers have learned a lesson from Napster," he said, referring to the music-sharing service that first got the attention of media companies. "They are not going to wait and see what happens." Attributor, another start-up based in Redwood City, Calif., is taking a different approach to filtering. It is developing automated software that will travel the Internet looking for copyrighted text, audio and video. Setting up filters for each and every Web site and peer-to-peer network "is not a long-term solution," 
said Jim Brock, a former Yahoo executive and the chief executive of Attributor. Rights holders "need to have these kinds of solutions across the Internet," he said. Audible Magic, which is considered to be an early leader in the field, started out with a system to recognize songs played on the radio, so it could offer listeners an opportunity to buy the music online. The company later adapted that technology to create an audio fingerprinting system. Mr. Ikezoye, a former Hewlett-Packard marketing executive, recently set out to expand into video recognition. Last year, he licensed an invention called Motional Media ID, created by David W. Stebbings, a former executive at the Recording Industry Association of America. Neither Mr. Ikezoye nor Mr. Stebbings would offer details on Motional Media ID (which identified the "Kill Bill" clip), citing the newly competitive environment around digital fingerprinting. Mr. Ikezoye acknowledged that it did not work well for very short clips and said that he would probably have to buy or develop additional technology. Deploying any type of fingerprinting filter can have both good and bad effects. Guba.com, a video-sharing site similar to YouTube, developed its own filtering system, which it calls Johnny. Having won the favor of the film industry, the company now has deals to sell Warner and Sony films on its site. But when Guba began blocking many copyrighted clips last April, its popularity plunged. "We took a huge hit," said Eric Lambrecht, Guba's chief technology officer. "We all know what people want to see, but we looked at it as a long-term business decision." Some experts believe wide adoption of the technology is inevitable. "As technology companies mature, they are realizing that the rule of law is better than the anarchy in which they were formed," said Paul Kocher, chief executive of Cryptography Research, a company that has studied the security of digital fingerprinting technology. 
From rforno at infowarrior.org Mon Feb 19 14:01:38 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 19 Feb 2007 14:01:38 -0500 Subject: [Infowarrior] - Watchdog Groups, Some Lawmakers Say Congressional Reports Should Be Made Public Message-ID: Information, Please Watchdog Groups, Some Lawmakers Say Congressional Reports Should Be Made Public http://www.washingtonpost.com/wp-dyn/content/article/2007/02/18/AR2007021801064_pf.html By Elizabeth Williamson Washington Post Staff Writer Monday, February 19, 2007; A17 Deep inside the Library of Congress, 500 researchers pound out the secret intelligence Congress uses to make law. Legislators request 6,000 Congressional Research Service reports a year, on weapons systems and farm subsidies, prescription prices and energy use. Together, they offer what lobbyists and industry want most: clues to what's next on the Hill. For years, open-government groups have fought to make the reports public, and for years, many lawmakers have kept them under wraps. Or so they thought. By insisting on secrecy, Congress instead created a bootleg market for the research. Every day, a small Texas company compiles the reports and sells them to lobbyists, lawyers and others who pay thousands of dollars for a peek at the reports and what they say about the congressional agenda. And it's all legal. "How I get them is my trade secret . . . but I get them all," said Walt Seager, who digs up the reports for Gallery Watch, a legislative tracking service. The Congressional Research Service (CRS) was established in 1914 as Congress's supplier of nonpartisan research and analysis. Its reports are neither classified nor copyrighted, but they've long been the exclusive property of lawmakers, who distribute them as they see fit. Taxpayers supply the agency's $100 million annual budget, inspiring open-government groups and some lawmakers, including Sens. John McCain (R-Ariz.) and Patrick J. Leahy (D-Vt.) 
to push for public release of CRS reports. "The Library of Congress is a national treasure. The public deserves ready access to the reports it prepares for Congress, and easy online retrieval is the obvious answer," Leahy said. "We need to keep moving toward that goal." But each time the topic comes up, it runs into a wall erected by lawmakers such as Sen. Ted Stevens (R-Alaska), who "like many members of Congress, views CRS as an extension of his staff," said Aaron Saunders, Stevens's spokesman. If the reports were made public, "every time a member requests a particular document, the public may infer that he's staking out a particular policy position." CRS's director, Daniel P. Mulhollan, has left it to Congress to decide. "Once a report is produced for the Congress, it becomes the property of the Congress," he said in a statement. "CRS itself has no public role and is prohibited by law from publishing its work." It's up to members and committees, Mulhollan said, to release the reports "directly, by inclusion in congressional publications or through their own Web sites." Open-government groups have a problem with that: "CRS is Congress's brain, and it's useful for the public to be plugged into it," says Steven Aftergood, an open-government advocate who runs the Federation of American Scientists' Secrecy News blog. Aftergood and others have fought back by posting every CRS report they can find on their Web sites. But watchdog groups have released only about 10 percent of the total, not enough to reveal the patterns that suggest what Congress might do next. Subscribers to Gallery Watch pay about $4,000 a year to get all the CRS reports, online and searchable, delivered weekly. Gallery Watch sells other legislative tracking tools, but the reports are the key reason clients subscribe, said Patrick Riendeau, a sales executive. Besides lobbyists, lawyers, and corporations, universities and news organizations subscribe. 
At a recent meeting for potential customers, Riendeau explained that clients scan the reports for intelligence "kind of how the CIA operates," by spotting the political trends suggested by their contents and timing, he said. About a year ago, lawmakers made a flurry of requests for CRS reports related to North Korean counterfeiting of U.S. currency; not until months later, when the Treasury Department cracked down on North Korea, did the issue appear in newspapers. Gallery Watch, owned by the Capitol Hill newspaper Roll Call, gets the publications from Seager, 68, a former trade magazine journalist based in Damascus, who for 20 years has mined the Hill for them. "I'm just an old Washington journalist who knows how to find things," Seager said. He got started, he said, two decades ago when he found a CRS catalogue of new reports in a congressman's office. He made copies of it and sold subscriptions, with instructions on how to get the reports by contacting lawmakers. When CRS stopped publishing the listing, Seager started finding the reports himself. "I upload an average of about 100 a week" to Gallery Watch, he said. If the reports were ever made available to all, "I would comfortably retire to my mountain retreat in West Virginia and be very happy, because that's the way it should be -- taxpayers pay for them," he said. But he doesn't think that will happen. For one thing, he said, "incumbents like to provide them to their constituents [saying] 'glad to be of service, hint, hint, remember me at election time.' " Second, he said, CRS is "a think tank working for [members] exclusively and not for the people running against them. They've got all this brainpower behind them making them look very knowledgeable." "The less I know, the better," said Gallery Watch Senior Vice President Arnie Thomas about Seager's methods. 
While he would not provide a list of clients, citing privacy concerns, the company's Web site client list includes lobbying and law firms, Mitsubishi, the Mashantucket Pequot Tribal Nation and the Department of Agriculture. Deloitte & Touche lobbyists hailed Gallery Watch in an online testimonial: "With the collapse of Enron . . . almost daily there were numerous bills being introduced that required us to research and analyze the impact of the proposed legislation on the accounting profession," one said. "We need a tool to tell us when something is going on." Staff researchers Madonna Lebling and Alice Crites contributed to this report. From rforno at infowarrior.org Mon Feb 19 14:15:14 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 19 Feb 2007 14:15:14 -0500 Subject: [Infowarrior] - Rumor: XM and Sirius May Be About to Merge Message-ID: (I thought the FCC told them recently that they couldn't merge?? -rf) XM and Sirius May Be About to Merge By THE ASSOCIATED PRESS Published: February 19, 2007 http://www.nytimes.com/aponline/business/AP-XM-Radio-Sirius.html Filed at 1:33 p.m. ET NEW YORK (AP) -- Satellite radio rivals XM and Sirius could announce a merger deal as early as Monday, The New York Post reported. The Post, citing an unnamed person familiar with the matter, said that XM Satellite Radio Holdings Inc. and Sirius Satellite Radio Inc. were in advanced negotiations but that the deal could still fall apart. Spokesmen for both companies didn't return calls and e-mails seeking comment. Speculation about a potential merger between the two companies has persisted for months, and analysts and company executives say such a deal could have significant cost savings. However, many remain skeptical that a deal would be able to pass regulatory scrutiny. 
A clause in the Federal Communications Commission ruling granting licenses to the satellite radio operators says that one company cannot own the other one, but the FCC would have the power to change the rule if it chose to. Any deal would also have to pass an antitrust review at the Department of Justice. The New York Post reported that XM's chairman Gary Parsons would likely keep that title in the combined company, while Sirius' CEO Mel Karmazin would become CEO. It wasn't clear if XM's CEO Hugh Panero would remain. The shares of both Sirius and XM tumbled more than 40 percent last year on concerns about whether the rapid growth both companies had seen would continue. Both stocks have gained support in recent months from speculation that they would attempt to merge. XM's stock rose again on Friday after an analyst said in a research note that a merger would have a good chance of passing regulatory hurdles.
From rforno at infowarrior.org Tue Feb 20 08:30:09 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 20 Feb 2007 08:30:09 -0500 Subject: [Infowarrior] - Music industry's new Internet strategy? Message-ID: So they're joyfully embracing the internet in order to allow customers to download HALF a totally unprotected non-DRM'd music video in the hopes it will get them to visit their sites to see the whole thing with ads (or possibly buy the full thing with DRM?) Does anyone else see this as a completely idiotic undertaking? To quote Carlos Mencia, "Dear Recording Industry: Dee Dee Dee!" The labels remain just as clueless as ever. -rf http://www.wilmingtonstar.com/apps/pbcs.dll/article?AID=/20070219/ZNYT01/702190400/1002/business < - > Starting this week, Suretone Records, a label distributed by the Universal Music Group, plans to distribute video files featuring popular acts like Weezer and new bands like Drop Dead Gorgeous on file-sharing networks that the industry has long viewed as illicit bazaars for pirates. 
Unlike the music audio and video files that major labels sell at services like iTunes, the video files will not be wrapped in protective software to limit copying, executives say. But they will also be incomplete: users who download them will see perhaps half the video and will be directed to the label's own Web site to watch the complete version - and the advertising planned to run alongside.
From rforno at infowarrior.org Tue Feb 20 08:32:30 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 20 Feb 2007 08:32:30 -0500 Subject: [Infowarrior] - U.S. cybersecurity czar has his marching orders Message-ID: U.S. cybersecurity czar has his marching orders By Joris Evers Story last modified Tue Feb 20 04:38:28 PST 2007 The top U.S. cybersecurity official wants Congress to come up with ways to promote adoption of security technologies, and he sees a tax break as one possible incentive. Greg Garcia was appointed by Homeland Security chief Michael Chertoff in September, after the position went unfilled for more than a year. He's the first U.S. cybersecurity czar to hold the title of assistant secretary. The elevated position is important as it comes with more power; a lack of stature is part of the reason why his predecessors failed, Garcia says. His self-described mission is hardly surprising, especially given his background as an executive at the Information Technology Association of America, a tech industry group. For example, Garcia is asking for Congress to think of ways to promote more purchases of security technology or technology with security already built in. He's not asking for regulation of the industry. He opposes that, thus going against some who have advocated backdoors in encryption technology so law enforcement can read the encrypted files of criminal suspects. Garcia is also working to connect private industry security watchdogs with government ones, continuing the familiar call for cooperation between public and private groups. 
He sat down with CNET News.com earlier this month. < - > http://news.com.com/U.S.+cybersecurity+czar+has+his+marching+orders/2008-7348_3-6160438.html
From rforno at infowarrior.org Tue Feb 20 12:51:03 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 20 Feb 2007 12:51:03 -0500 Subject: [Infowarrior] - Ruling: Guantanamo Detainees Can't Challenge Their Cases in U.S. Courts Message-ID: Guantanamo Detainees Can't Challenge Their Cases in U.S. Courts, Appellate Panel Rules By Carol D. Leonnig Washington Post Staff Writer Tuesday, February 20, 2007; 11:28 AM http://www.washingtonpost.com/wp-dyn/content/article/2007/02/20/AR2007022000490_pf.html A divided judicial panel ruled this morning that hundreds of foreign nationals detained for as long as five years at a military prison in Guantanamo Bay do not have rights to challenge their indefinite imprisonment through the U.S. court system. In a 2-1 decision, a panel of the U.S. Court of Appeals for the District of Columbia found that Congress's 2006 Military Commissions Act firmly blocked detainees from trying to appeal the president's decision to hold them without charges and without any promise of release. Many detainees, viewed by the military as potential terrorism suspects or people with valuable information about terrorist plots, have been seeking through pro bono lawyers to challenge their imprisonment using a longstanding American legal right called the writ of habeas corpus. But the Military Commissions Act, passed by Congress at the urging of President Bush last fall, stripped detainees at Guantanamo Bay, Cuba, of that right. The legislation was drafted after the U.S. Supreme Court declared the Bush administration's original rules for trying detainees before military commissions were unconstitutional. In arguing the case decided today by the appeals court, attorneys for the detainees had said the Military Commissions Act should not apply to challenges already pending before the court. 
But, given the new laws passed by Congress, "federal courts have no jurisdiction in these cases," Circuit Judge A. Raymond Randolph wrote for the panel. "Everyone who has followed the interaction between Congress and the Supreme Court knows full well that one of the primary purposes of the [Military Commissions Act] was to overrule" the Supreme Court's decision to give detainees access to federal courts, Randolph wrote. "Everyone, that is, except the detainees." Lawyers for the detainees said they had expected the panel to rule against them, but were glad to receive the ruling after a two-year delay, so they could appeal it directly to the Supreme Court. In a lengthy dissent to the ruling, Judge Judith W. Rogers wrote that the Military Commissions Act did not square with the Constitution or history, because it would suspend the writ of habeas corpus indefinitely, even when there was no war on U.S. soil. "Suspension has been an exceedingly rare event in the history of the United States," Rogers wrote. "On only four occasions has Congress seen fit to suspend the writ. These examples follow a clear pattern: Each suspension has made specific reference to a state of 'Rebellion' or 'Invasion' and each suspension was limited to the duration of that necessity." Rogers wrote that Congress exceeded its own powers by attempting "to revoke federal jurisdiction that the Supreme Court held to exist." The Military Commissions Act, she said, "therefore has no effect on the jurisdiction of the federal courts to consider these petitions and their related appeals." A group of Senate Democrats introduced legislation last week that would strike down parts of the Military Commissions Act and restore habeas corpus rights to all detainees in U.S. custody. 
The bill, titled the "Restoring the Constitution Act of 2007," would restrict the president's authority to interpret when certain human rights standards apply to detainees, and would limit the label "enemy combatant" to a person "who directly participates in hostilities in a zone of active combat against the United States" or who took part in the terrorist attacks of Sept. 11, 2001. Staff writer Debbi Wilgoren contributed to this report. From rforno at infowarrior.org Tue Feb 20 12:58:24 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 20 Feb 2007 12:58:24 -0500 Subject: [Infowarrior] - Michael Geist: US copyright lobby out-of-touch Message-ID: US copyright lobby out-of-touch Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/6379309.stm Internet law professor Michael Geist takes a look at intellectual property protection in the US and finds it somewhat out of step with the rest of the world. The International Intellectual Property Alliance, an association that brings together US lobby groups representing the movie, music, software, and publisher industries, last week delivered its annual submission to the US government featuring its views on the inadequacy of intellectual property protection around the world. The report frequently serves as a blueprint for the US Trade Representative's Section 301 Report, a government-mandated annual report that carries the threat of trade barriers for countries that fail to meet the US standard of IP protection. The IIPA submission generated considerable media attention, with the international media focusing on the state of IP protection in Russia and China, while national media in Canada, Thailand, and Taiwan broadcast dire warnings about the consequences of falling on the wrong side of US lobby groups. 
While the UK was spared inclusion on this year's list, what is most noteworthy about the IIPA effort is that dozens of countries - indeed most of the major global economies in the developed and developing world - are singled out for criticism. The IIPA recommendations are designed to highlight the inadequacies of IP protection around the world, yet the lobby group ultimately shines the spotlight on how US copyright policy has become out-of-touch and isolated from much of the rest of the globe. The IIPA criticisms fall into three broad categories. First, the lobby group is very critical of any country that does not follow the US model for implementing the World Intellectual Property Organisation's Internet Treaties. Those treaties, which create legal protection for technological protection measures, have generated enormous controversy with many experts expressing concern about their impact on consumer rights, privacy, free speech, and security research. Double standards? The US implementation, contained in the 1997 Digital Millennium Copyright Act, represents the world's most aggressive approach to the WIPO Internet Treaties, setting very strict limits on the circumvention of digital rights management systems and establishing a ban on devices that can be used to circumvent DRM, even if the circumvention is for lawful purposes. Given the US experience, it is unsurprising that many countries have experimented with alternate implementations. This experimentation invariably leads to heavy criticism from the IIPA as countries such as Canada, New Zealand, Japan, Switzerland, Hong Kong, South Korea, Israel, Mexico, and India are all taken to task for their implementation (or proposed implementation) of anti-circumvention legislation. Further, countries that have not signed or ratified the WIPO Internet treaties (which still includes the majority of the world), face the wrath of the US lobby group for failing to do so. 
Second, in a classic case of "do what I say, not what I do", many countries are criticised for copyright laws that bear a striking similarity to US law. For example, Israel is criticised for considering a fair use provision that mirrors the US approach. The IIPA is unhappy with the attempt to follow the US model, warning that the Israeli public might view it as a "free ticket to copy." Similarly, the time shifting provisions in New Zealand's current copyright reform bill (which would permit video recording of television shows) are criticised despite the fact that US law has granted even more liberal copying rights for decades. The most disturbing illustration of this double standard is the IIPA's criticism of compulsory copyright licensing requirements. Countries around the world, particularly those in the developing world (including Indonesia, the Philippines, Lebanon, Kuwait, Nigeria, and Vietnam) all face demands to eliminate compulsory licensing schemes in the publishing and broadcasting fields. Moreover, the report even criticises those countries that have merely raised the possibility of new compulsory licensing systems, such as Sweden, where politicians have mused about an Internet file sharing license. Long list Left unsaid by the IIPA, is the fact that the US is home to numerous compulsory licenses. These include statutory licenses for transmissions by cable systems, satellite transmissions, compulsory licenses for making and distributing phonorecords as well as the use of certain works with non-commercial broadcasting. Third, the IIPA recommendations criticise dozens of efforts to support national education, privacy, and cultural initiatives. For example, Canada, Brazil, and South Korea are criticised for copyright exceptions granted to students and education institutions. 
Italy and Mexico are criticised for failing to establish an easy method for Internet service providers to remove allegedly infringing content (without court oversight), while Greece is viewed as being offside for protecting the privacy of ISP subscribers. Greece is also taken to task for levying a surcharge at movie theatres that is used to support Greek films. Moreover, countries that have preserved their public domain by maintaining their term of copyright protection at the international treaty standard of life of the author plus an additional fifty years are criticised for not matching the US extension to life plus 70 years. There are literally hundreds of similar examples, as countries from Europe, Asia, Africa, North and South America are criticised for not adopting the DMCA, not extending the term of copyright, not throwing enough people in jail, or creating too many exceptions to support education and other societal goals. In fact, the majority of the world's population finds itself on the list, with 23 of the world's 30 most populous countries targeted for criticism (the exceptions are the UK, Germany, Ethiopia, Iran, France, Congo, and Myanmar). Countries singled out for criticism should not be deceived into thinking that their laws are failing to meet an international standard, no matter what US lobby groups say. Rather, those countries should know that their approach - and the criticism that it inevitably brings from the US - places them in very good company. Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/6379309.stm Published: 2007/02/20 15:01:57 GMT ©
BBC MMVII From rforno at infowarrior.org Tue Feb 20 19:36:05 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 20 Feb 2007 19:36:05 -0500 Subject: [Infowarrior] - Study on privacy protections finds citizens distrust security agencies Message-ID: February 20, 2007 http://www.govexec.com/story_page.cfm?articleid=36167&dcn=todaysnews Study on privacy protections finds citizens distrust security agencies By Andrew Noyes, National Journal's Technology Daily The CIA, Homeland Security Department and National Security Agency are the least trusted federal agencies when it comes to protecting Americans' privacy, according to a new study by the Ponemon Institute. The annual survey, which will be released Wednesday, asked more than 7,000 citizens whether they believe the government takes appropriate steps to safeguard personal information. Answers were mixed, but the overall trend suggested a decline in public trust since the think tank first studied the issue in 2004. The NSA has suffered a substantial flogging by lawmakers and privacy advocates amid questions in the past year over its domestic spying in search of terrorists. It also was revealed recently that the CIA has been utilizing a special subpoena power of the 2001 anti-terrorism law known as the USA PATRIOT Act to comb bank and credit-card records. Homeland Security and the Transportation Security Administration, which were evaluated separately in the survey, have experienced their fair share of controversy over the mining of information from government and commercial databases and a program that screens travelers entering the United States. After last year's massive breach of more than 27 million military personnel's data, furthermore, the Veterans Administration fell from a top-five ranking in 2006 to just outside the bottom five in the 2007 Ponemon study. Attorney General Alberto Gonzales' office also was among the least trusted of the 74 federal entities included in the poll. 
"There's a clear correlation between bad publicity and poor privacy trust performance," survey author Larry Ponemon said. Previous studies "lacked a big headline negative event," whereas this time, there were several. "Initiating more transparent operations and communications with the public is often the first step toward repairing damaged trust, but for obvious reasons, those are not options that agencies like the CIA or NSA can take," Ponemon said. The confidential nature of the agencies' operations "will always carry a certain cloud of mistrust with some." Lisa Graves, deputy director of the Center for National Security Studies, said the study "rightly gives these agencies rock-bottom privacy trust scores." "Some politicians may believe they can make political gains by going along with the president's anti-terrorism policies that strip away Americans' privacy rights," she said. But the survey makes clear that Americans do not think the entities can be trusted to protect their rights, she said. The U.S. Postal Service received Ponemon's top ranking for protecting privacy the third year in a row. Other notable high achievers were the FTC, its Bureau of Consumer Protection, the National Institutes of Health, and the Census Bureau. The study's overall findings concluded that Americans remain concerned over a "loss of civil liberties and privacy rights," "surveillance into personal life," and "monitoring e-mail and Web activities." While diminishing public trust for the NSA and VA was not surprising to privacy advocate Marc Rotenberg, the FTC "may not be out of the woods" given mounting public concerns about identity theft. "If the FTC doesn't get a better handle on that problem, the commission may find its own trust rating drop in the 2008 survey," he said. 
From rforno at infowarrior.org Tue Feb 20 22:44:39 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 20 Feb 2007 22:44:39 -0500 Subject: [Infowarrior] - Audit: Anti-Terror Case Data Flawed Message-ID: Associated Press Audit: Anti-Terror Case Data Flawed By LARA JAKES JORDAN 02.20.07, 3:25 PM ET http://www.forbes.com/feeds/ap/2007/02/20/ap3445818.html Federal prosecutors counted immigration violations, marriage fraud and drug trafficking among anti-terror cases in the four years after 9/11 despite no evidence linking them to terror activity, a Justice Department audit said Tuesday. Overall, nearly all of the terrorism-related statistics on investigations, referrals and cases examined by department Inspector General Glenn A. Fine were either diminished or inflated. Only two of 26 sets of department data reported between 2001 and 2005 were accurate, the audit found. Responding, a Justice spokesman pointed to figures showing that prosecutors in the department's headquarters for the most part either accurately or underreported their data - underscoring what he called efforts to avoid pumping up federal terror statistics. The numbers, used to monitor the department's progress in battling terrorists, are reported to Congress and the public and help, in part, shape the department's budget. "For these and other reasons, it is essential that the department report accurate terrorism-related statistics," the audit concluded. Fine's office took care to say the flawed data appear to be the result of "decentralized and haphazard" methods of collection or disagreement over how the numbers are reported, and do not appear to be intentional. Still, the errors led Sen. Charles E. Schumer, D-N.Y., to question whether the department had exaggerated the number of its terror cases. "If the Department of Justice can't even get their own books in order, how are we supposed to have any confidence they are doing the job they should be?" 
said Schumer, who sits on the Senate panel that oversees the department. "Whether this is just an accounting error or an attempt to pad terror prosecution statistics for some other reason, the Department of Justice of all places should be classifying cases for what they are, not what they want us to think them to be." Auditors looked at 26 categories of statistics - including numbers of suspects charged and convicted in terror cases, and terror-related threats against cities and other U.S. targets - compiled by the FBI, the Justice Department's Criminal Division, and the Executive Office of U.S. Attorneys. It found that data from the Executive Office of U.S. Attorneys were the most severely flawed. Auditors said the office, which compiles statistics from the 94 federal prosecutors' districts nationwide, both under- and over-counted the number of terror-related cases during a four-year period. Much of the problem stemmed from how that office defines anti-terrorism cases. A November 2001 federal crackdown on security breaches at airports, for example, yielded arrests on immigration and false document charges, but no evidence of terrorist activity. Nonetheless, the attorneys' office lumped them in with other anti-terror cases since they were investigated by federal Joint Terrorism Task Forces or with other counterterror measures. Other examples, according to the audit, included: _Charges against a marriage-broker for being paid to arrange six fraudulent marriages between Tunisians and U.S. citizens. _Prosecution of a Mexican citizen who falsely identified himself as another person in a passport application. _Charges against a suspect for dealing firearms without a license. The prosecutor handling the case told auditors it should not have been labeled as anti-terrorism. "We do not agree that law enforcement efforts such as these should be counted as anti-terrorism," the audit concluded. Even if those cases were not taken into account, the audit said the U.S. 
attorneys' office had overstated statistics in all other categories it reported. The office has since agreed to change the way it counts and classifies anti-terrorism cases, department spokesman Dean Boyd said. Additionally, Boyd said, Criminal Division prosecutors at the department's headquarters and the FBI have overhauled their respective case reporting systems since 2004 for a more accurate picture of terror-related workloads. He said both agencies were strained to accurately report terrorism data in the flood of cases immediately after the Sept. 11, 2001, attacks. In all but one area, Criminal Division prosecutors either accurately stated or underreported their data - the ones the department usually uses in public statements about its counterterror efforts, Boyd noted. He said the Justice Department has already completed most of the fixes recommended in the audit. Copyright 2006 Associated Press. All rights reserved. This material may not be published broadcast, rewritten, or redistributed From rforno at infowarrior.org Wed Feb 21 08:48:43 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Feb 2007 08:48:43 -0500 Subject: [Infowarrior] - A new copyright battlefield: Veoh Networks Message-ID: A new copyright battlefield: Veoh Networks By Greg Sandoval http://news.com.com/A+new+copyright+battlefield+Veoh+Networks/2100-1026_3-6160860.html Story last modified Wed Feb 21 05:30:23 PST 2007 One of the last places you might expect to find copyright violations is on a Web site backed by Time Warner and former Disney CEO Michael Eisner. Nonetheless, Veoh Networks CEO Dmitry Shapiro acknowledges that only a week after the company's official debut, Veoh.com is host to a wide range of unauthorized and full-length copies of popular programs. But Shapiro says it's not his upstart video company's fault: Blame the people who are posting the material. 
"We have a policy that specifically states that when we see copyright material posted, we take it down," Shapiro said. "This problem is the democratization of publishing. Anyone can now post a video to the Internet. Sometimes the material belongs to someone else. We take this very seriously." Veoh has raised about $12 million from investors such as Eisner and Time Warner. The company wants to be more than just another YouTube. Executives have their sights on distributing long-format video for networks and media companies, and privately held Veoh currently claims its peer-to-peer technology enables content creators to transmit higher quality video much more efficiently. The problem, of course, is dealing with the content piracy that nearly every video-sharing and peer-to-peer company has faced. While executives at these companies have argued they discourage copyright violations, there's little question that's what their customers are often trying to accomplish. The law requires a company to remove copyright-infringing videos once notified by a copyright holder, but it doesn't have to pre-screen material or actively police the site. Veoh's ambitious plan to distribute long-format videos adds another wrinkle to the fight between technology companies and content owners. Even YouTube, which has come under fire from a range of content owners because of copyright issues, tries to prevent people from uploading full-length films and TV shows by limiting clips to 10 minutes. Now content owners have to worry about their entire programs getting posted. "I can't believe Hollywood is going to let (Veoh) get away with this," said Josh Martin, an analyst at the research firm Yankee Group. "The environment is different now. The media companies know that it's wrong now and I can't imagine that they are going to sit still about entire episodes being posted. 
You have to remember that YouTube (which gained early notoriety from postings of copyrighted material) was at the right place at the right time and I don't see that happening again." A review of Veoh found an extensive list of professionally made shows, including an hour-long animated feature produced by Disney called Cinderella III: A Twist in Time (the video was removed over the weekend), and a two-hour long video of a soccer match between England and Spain. Also on Veoh, users need only turn off a "family filter" to find a wide assortment of adult material. The appearance of unauthorized videos at Veoh is surprising to some analysts because the San Diego company has strong ties to the entertainment sector. Another thing that has industry insiders scratching their heads is why Veoh would attempt a strategy that looks like YouTube on steroids at a time when YouTube continues to butt heads with media powerhouses over copyright issues. Two weeks ago, entertainment conglomerate Viacom demanded that YouTube remove 100,000 videos from the site that featured material from its TV shows and films. Viacom announced on Tuesday that it has signed a licensing deal with Joost, the startup backed by the founders of Skype and Kazaa, which promises to prevent infringement of intellectual property. Earlier this month, NBC's new CEO, Jeff Zucker, also blasted YouTube for failing to deliver a promised technology that would help screen the site for copyright content. YouTube is hardly the only Internet video company running into copyright controversy. Sony's video-sharing offering, Grouper, and Bolt.com have been accused of violating copyrights. TVU Networks, a peer-to-peer startup that allows users to stream TV shows to the Web, has also run afoul of some large media companies in recent months: some have sent the TVU "take-down" notices, including Major League Baseball and HBO, demanding that the company remove their content. 
One reason Hollywood and big media companies have yet to react to the copyright infringement at Veoh may be because the site has yet to draw much attention. Having officially launched only a week ago, the site is just now building an audience. Asked about the full-length episodes at Veoh, Jeremy Zweig, a spokesman at Viacom, said the company has concentrated on fighting the copyright battle at places where the most violations occur--YouTube, MySpace and Google Video. "We allocate our resources based on where we think the most harm is being done," Zweig said. "We haven't focused on Veoh at this point." The privately held Veoh is planning to use peer-to-peer technology to distribute DVD-quality video and allow it to be posted to other Web sites, including YouTube's. The site currently requires a software download, but company officials say its technology enables content creators to distribute their video much more efficiently than other methods. The company is also offering a syndication service that will distribute video across the Web and can also embed ads. Shapiro insists that the copyright material found on the site is only temporary. "We're all inventing a new medium," Shapiro said. "When you start off you have some issues, but all of us in this industry are working to solve those issues." Copyright ©1995-2007 CNET Networks, Inc. All rights reserved. From rforno at infowarrior.org Wed Feb 21 10:37:29 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Feb 2007 10:37:29 -0500 Subject: [Infowarrior] - Va. Senate Approves Red-Light Cameras Message-ID: Va. Senate Approves Red-Light Cameras House Blocks Boost Of Minimum Wage By Amy Gardner and Tim Craig Washington Post Staff Writers Wednesday, February 21, 2007; A01 RICHMOND, Feb. 20 -- The Virginia General Assembly will allow local governments to set up cameras to catch drivers who run red lights, renewing a program that safety advocates say reduces accidents and aggressive driving. 
The Senate voted 30 to 10 Tuesday to approve a bill that would let towns, cities and counties with populations of 10,000 or more install photo-monitoring systems at intersections with traffic signals. The House has already approved the measure, and Gov. Timothy M. Kaine (D) has said he will sign it. Nearing the close of their 45-day session, lawmakers also voted Tuesday to phase out touch-screen voting machines because of concerns about their accuracy. And House Republicans blocked an effort to raise the state's minimum wage to $6.50 an hour. The session ends Saturday. The red-light camera program would replace an experiment that expired in 2005 in Alexandria, Fairfax City, Falls Church, Vienna, Virginia Beach and Arlington and Fairfax counties. In addition to the District, Maryland and 11 other states use automated cameras for traffic enforcement. "This is the best opportunity this legislature has had since I've been here for 12 years to establish a statewide safety program," said Sen. Martin E. Williams (R-Newport News). "This is for all localities in Virginia." The real hurdle was in the more conservative House of Delegates, where lawmakers had approved the measure this month 63 to 35. It is one in a series of measures to be approved this year after historic resistance by House members who have argued against what they view as unnecessary government "nannyism" through regulation. < - > http://www.washingtonpost.com/wp-dyn/content/article/2007/02/20/AR2007022001500_pf.html From rforno at infowarrior.org Wed Feb 21 13:16:35 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Feb 2007 13:16:35 -0500 Subject: [Infowarrior] - DARPA Chief Speaks Message-ID: Darpa Chief Speaks Tony Tether has headed up the Pentagon's way-out research arm, Darpa, since 2001. That makes him the longest-serving director in the agency's nearly 50-year history. 
He sat down with me for an interview in his office, on the top floor of a blandly menacing Northern Virginia office building, last December. For my story in the March issue of Wired (online next Tuesday), Tether and I talked about everything from bio-terrorists to zombie rodents to thinking machines to the golf courses in Iraq. Here's the transcript. < - > http://blog.wired.com/defense/2007/02/tony_tether_has_1.html From rforno at infowarrior.org Wed Feb 21 15:17:35 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Feb 2007 15:17:35 -0500 Subject: [Infowarrior] - EFF: Judge Denies Complete Stay in AT&T Surveillance Case Message-ID: Judge Denies Complete Stay in AT&T Surveillance Case Government and AT&T Cannot Freeze Proceedings During Appeal San Francisco - A federal judge yesterday ruled that the Electronic Frontier Foundation (EFF) can go forward with elements of its class action lawsuit against AT&T for collaborating with the government on illegal spying on ordinary Americans -- despite the government and AT&T's request to freeze proceedings during an appeal. In his ruling, U.S. District Court Judge Vaughn Walker opened the door to beginning the discovery process, allowing EFF to ask "limited and targeted" questions as long as those questions do not overlap with the issues under consideration in the 9th U.S. Circuit Court of Appeals. "The government wanted to put this case in the deep freeze," said EFF Staff Attorney Kurt Opsahl. "Instead, the court has invited us to move forward with some targeted questions. We're glad to accept that invitation, which will allow progress while respecting the government's national security concerns." Judge Walker also refused to implement a blanket stay on the other telecommunications surveillance cases transferred to his court. 
He ruled that unless the parties stipulate to a stay, then "defendants will answer or otherwise respond to the complaint" by March 29. Earlier yesterday, Judge Walker denied requests from media groups to unseal critical evidence in the AT&T case. "We're disappointed that the court did not choose to unseal all of the documents that include or refer to the evidence presented by Mark Klein and our expert, J. Scott Marcus. The government has already agreed that the evidence is neither classified nor a state secret, and is only being held under seal because of AT&T's weak trade secrecy claims," said Cindy Cohn, EFF's Legal Director. "Given that the privacy of millions of Americans is at stake, we strongly believe that the public would benefit from seeing this evidence for themselves." Judge Walker did grant the media groups' request to intervene, and said he might revisit the unsealing issue at a later date. For Judge Walker's full order: For more on EFF's case against AT&T: For this release: From rforno at infowarrior.org Wed Feb 21 19:38:33 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Feb 2007 19:38:33 -0500 Subject: [Infowarrior] - Felten: Why Understanding Programs is Hard Message-ID: Why Understanding Programs is Hard Wednesday February 21, 2007 by Ed Felten Senator Sam Brownback has reportedly introduced a bill that would require the people rating videogames to play the games in their entirety before giving a rating. This reflects a misconception common among policymakers: that it's possible to inspect a program and figure out what it's going to do. It's true that some programs can be completely characterized by inspection, but this is untrue for many programs, including some of the most interesting and useful ones. Even very simple programs can be hard to understand. 
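Felten's point is the general one that reading (or playing) a program does not tell you what it can do. The short Python example below is added here to illustrate it; it is not part of Felten's post or of the original list message, and every name in it is invented for the illustration. It shows two of the classic obstacles: a branch that is gated on the hash of the player's input, so an inspector sees a 64-character digest but cannot tell whether any input reaches the hidden content (the same structure as a logic bomb or backdoor trigger), and a four-line loop whose termination for every input is an open mathematical question. The trigger phrase here is "abc", chosen only because SHA-256("abc") is a published test vector that makes the example checkable; in a shipped binary the inspector has nothing but the digest.

```python
import hashlib
import string
from itertools import product

# Constructed example: the program reveals its hidden content only when the
# player's input hashes to this digest.  The value is SHA-256("abc"), a public
# test vector, so the example can be verified; an inspector of a real binary
# would see only these 64 hex characters, not the input that produces them.
HIDDEN_TRIGGER_DIGEST = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
)


def render_scene(player_input: str) -> str:
    """Return the content the player sees for a given input string.

    The source makes the existence of the hidden branch obvious, but not
    whether it is reachable: a one-way hash hides the triggering input.
    """
    digest = hashlib.sha256(player_input.encode("utf-8")).hexdigest()
    if digest == HIDDEN_TRIGGER_DIGEST:
        return "hidden scene"  # reachable only with the matching input
    return "ordinary scene"


def find_trigger(max_len: int, alphabet: str = string.ascii_lowercase):
    """Brute-force every input up to max_len characters over `alphabet`.

    Returns the first input that reaches the hidden branch, or None.  The
    search space grows as len(alphabet) ** max_len, which is why "play it to
    the end" or "read the source" cannot settle reachability in general.
    """
    for length in range(1, max_len + 1):
        for chars in product(alphabet, repeat=length):
            candidate = "".join(chars)
            if render_scene(candidate) == "hidden scene":
                return candidate
    return None


def collatz_steps(n: int) -> int:
    """Number of 3n+1 iterations needed to reach 1 from n.

    Whether this loop terminates for every positive n (the Collatz conjecture)
    is unproven, so even this four-line program cannot be fully characterised
    by inspection.
    """
    if n < 1:
        raise ValueError("n must be a positive integer")
    steps = 0
    while n != 1:
        n = n // 2 if n % 2 == 0 else 3 * n + 1
        steps += 1
    return steps


if __name__ == "__main__":
    print(render_scene("hello"))      # ordinary scene
    print(find_trigger(2))            # None: two characters are not enough
    print(find_trigger(3))            # abc
    print(collatz_steps(27))          # 111 steps, for a start value of 27
```

The hash-gated branch is the structure a rater (or a code reviewer looking for a backdoor) actually faces: the presence of the branch is visible, its reachability is not, and no amount of play-through short of exhaustive search settles it. The Collatz loop makes the stronger point that the limit is mathematical, not a matter of effort.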
< - > http://www.freedom-to-tinker.com/?p=1123 From rforno at infowarrior.org Wed Feb 21 21:03:42 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Feb 2007 21:03:42 -0500 Subject: [Infowarrior] - FW: Stop & Shop reports credit data was stolen / Card readers reveal tampering In-Reply-To: Message-ID: (c/o MS) Stop & Shop reports credit data was stolen Card readers reveal tampering By Peter J. Howe, Globe Staff | February 19, 2007 SEEKONK -- With help from US Secret Service agents, Stop & Shop Supermarket Cos. executives scrambled yesterday to determine how many consumers may have had their credit and debit card data stolen by high-tech thieves who apparently broke into checkout-line card readers and planted the equivalent of bugs to steal information. Stop & Shop said customer information, including personal identification codes for cards, was confirmed stolen from supermarkets in Coventry and Cranston, R.I. The company said it had found evidence that card readers were tampered with in a similar way at four other stores in Seekonk and in Bristol, Providence, and Warwick, R.I. But the supermarket company said it had no reports of illegal transactions on cards that had been used at those stores. After being notified by a bank last week that its Coventry and Cranston stores appeared to be the common link to a number of stolen card numbers, Quincy-based Stop & Shop has bolted down card readers at all 385 of its supermarkets in New England, New York, and New Jersey, company spokesman Robert Keane said yesterday. ... 
http://www.boston.com/business/globe/articles/2007/02/19/stop__shop_reports_credit_data_was_stolen/ Stop & Shop Frequently Asked Questions http://www.stopandshop.com/about/security_faq.htm Bill targets retailers for costs to fix data thefts They say plan would fatten bank profits, not protect public http://www.boston.com/business/globe/articles/2007/02/20/bill_targets_retailers_for_costs_to_fix_data_thefts/ From rforno at infowarrior.org Wed Feb 21 21:38:02 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Feb 2007 21:38:02 -0500 Subject: [Infowarrior] - Galloway: Walter Reed Hospital Scandal is 'The Last Straw' In-Reply-To: Message-ID: I'm sure I'll get flak for posting what likely will be viewed by some readers here as a "political" message, but so be it. Galloway's right about this horrendous situation impacting our troops, and his comments deserve wide dissemination. -rf http://www.editorandpublisher.com/eandp/columns/shoptalk_display.jsp?vnu_content_id=1003548374 Galloway: Walter Reed Hospital Scandal is 'The Last Straw' As The Washington Post probe proves, there's more to supporting our troops than making "Support Our Troops" a phrase that every politician feels obliged to utter in every speech, no matter how craven the purpose. How can they look at themselves in the mirror every morning? By Joseph L. Galloway Joseph L. Galloway is a legendary war correspondent, winner of a Bronze Star and co-author of "We Were Soldiers Once...and Young." His column on military affairs is distributed by Tribune Media Services. ------- (February 21, 2007) -- There's a great deal more to supporting our troops than sticking a $2 yellow ribbon magnet made in China on your SUV. There's a great deal more to it than making "Support Our Troops" a phrase that every politician feels obliged to utter in every speech, no matter how banal the topic or craven the purpose. 
This week, we were treated to new revelations of just how fraudulent and shallow and meaningless "Support Our Troops" is on the lips of those in charge of spending the half a trillion dollars of taxpayer's money that the Pentagon eats every year. The Washington Post published a probe, complete with photographs, revealing that for every in-patient who's getting the best medical treatment that money can buy at the main hospital at the Walter Reed Army Medical Center, there are out-patients warehoused in quarters unfit for human habitation. Some of the military outpatients are stuck on the Walter Reed campus, a couple of miles from the White House and the Capitol, for as long as 12 months. They've been living in rat and roach-infested rooms, some of which are coated in black mold. There was outrage and disgust and raw anger at this callous, cruel treatment of those who have the greatest claim not only on our sympathies, but also on the public purse. Who among the smiling politicians who regularly troop over to the main hospital at Walter Reed for photo-op visits with those who've come home grievously wounded from the wars the politicians started have bothered to go the extra quarter-mile to see the unseen majority with their rats and roaches? Not one, it would seem, since none among them have admitted to knowing that there was a problem, much less doing something about it before the reporters blew the whistle. Within 24 hours, construction crews were working overtime, slapping paint over the moldy drywall, patching the sagging ceilings and putting out traps and poison for the critters that infest the place. Within 48 hours, the Department of Defense announced that it was appointing an independent commission to investigate. Doubtless the commission will provide a detailed report finding that no one was guilty -- certainly none of the politicians of the ruling party whose hands were on the levers of power for five long years of war. 
They will find that it all came about because the Army medical establishment was overwhelmed by the case load flowing out of Iraq and Afghanistan. Meanwhile, brave soldiers who were wheelchair-bound with missing legs or paralysis, have been left to make their own way a quarter-mile to appointments with the shrinks and a half-mile to pick up the drugs that dim their minds and eyes and pain, and make the rats and roaches recede into a fuzzy distance. All this came on the heels of my McClatchy Newspapers colleague Chris Adams's Feb. 9 report that even by its own measures, the Veterans Administration isn't prepared to give returning veterans the care they need to help them overcome destructive, and sometimes fatal, mental health ailments. Nearly 100 VA clinics provided virtually no mental health care in 2005, Adams found, and the average veteran with psychiatric troubles gets about a third fewer visits with specialists today than he would have received a decade ago. The same politicians, from a macho president to the bureaucrats to the people who chair the congressional committees that are supposed to oversee such matters, have utterly failed to protect our wounded warriors. They've talked the talk but few, if any, have ever walked the walk. No. This happened while all of them were busy as bees, taking billions out of the VA budget and planning to shut down Walter Reed by 2011 in the name of cost-efficiency. Among those politicians are the people who sent too few troops to Afghanistan or Iraq, who failed to provide enough body armor and weapons and armored vehicles and who, to protect their own political hides, refused to admit that the mission was not accomplished and change course. But it's they who are charged with the highest duty of all, in the words of President Abraham Lincoln in his Second Inaugural in 1865: "to care for him who shall have borne the battle and for his widow, and his orphan." How can they look at themselves in the mirror every morning? 
How dare they ever utter the words: Support Our Troops? How dare they pretend to give a damn about those they order to war? They've hidden the flag-draped coffins of the fallen from the public and the press. They've averted their eyes from the suffering that their orders have visited upon an Army that they've ground down by misuse and over-use and just plain incompetence. This shabby, sorry episode of political and institutional cruelty to those who deserve the best their nation can provide is the last straw. How can they spin this one to blame the generals or the media or the Democrats? How can you do that, Karl? If the American people are not sickened and disgusted by this then, by God, we don't deserve to be defended from the wolves of this world. Joseph L. Galloway is a legendary war correspondent, winner of a Bronze Star and co-author of "We Were Soldiers Once...and Young." His column on military affairs is distributed by Tribune Media Services. From rforno at infowarrior.org Wed Feb 21 21:40:02 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Feb 2007 21:40:02 -0500 Subject: [Infowarrior] - Aging weather satellite fleet at risk Message-ID: Posted on Sun, Jan. 28, 2007 http://www.miami.com/mld/miamiherald/16563706.htm Aging weather satellite fleet at risk According to a new study, crucial weather and environmental satellites soon will fail, and their replacements are insufficient and behind schedule. BY MARTIN MERZER mmerzer at MiamiHerald.com * Document | Prepublication version of The National Academy of Science's report on the nation's Earth monitoring Scientists soon will lose access to crucial information that helps them better understand and predict everything from hurricanes and earthquakes to global warming and environmental decay, according to a candid and sobering report by prestigious experts. 
As wide gaps develop in the ability of scientists to analyze natural phenomena, Floridians -- particularly vulnerable to hurricanes, rising sea levels and environmental changes affecting fisheries and farmers -- could be especially affected. ''It's a train wreck,'' said Otis Brown, dean of the University of Miami's Rosenstiel School of Marine and Atmospheric Science and a member of the National Academy of Science's panel that issued the report earlier this month. ''When you hope for the best, this is about the worst you could imagine in terms of things going awry,'' he said. Among the reasons for this reversal of scientific fortunes: sharp budget cuts, ill-advised technological compromises, and a botched partnership between the National Aeronautics and Space Administration and the National Oceanic and Atmospheric Administration, according to the report. And the setbacks come at an inopportune time. NOAA recently reported that last year was the warmest on record in the United States, and a major study scheduled for release Friday by an international group of scientists is expected to amplify the developing crisis of global warming. Scientist Stephen Hawking and several colleagues recently said climate change posed a threat nearly equal to that of nuclear proliferation. To date, no one has challenged the panel's conclusions, which were released Jan. 15. NOAA and NASA said they were studying the 436-page report. A congressional committee vowed to apply ''vigorous oversight'' to the situation. Among the highlights -- or possibly lowlights -- of the report by scores of experts working with the academy, which is chartered by Congress and advises the federal government on scientific matters: ? By 2010, the number of operating sensors and instruments on NASA's aging fleet of weather and other global-monitoring satellites will decrease 40 percent, and replacement sensors are behind schedule, over budget and, in many cases, less capable. 
''The United States' extraordinary foundation of global observations is at great risk,'' the committee concluded. Said Brown: ``We're seeing a reduction in the development of new approaches and, in fact, we well could be worse off than we are now.'' • In particular, there is ''substantial concern'' about the pending loss of an important satellite-based instrument employed by tropical weather forecasters and hurricane researchers. The QuikSCAT information helps scientists estimate wind speeds at the ocean's surface. That information contributes to year-round forecasts of marine conditions, and it's crucially important to hurricane specialists, helping them assess the strength of storms that are far from land and often enabling the identification of new tropical systems. OUTDATED DEVICE But the device is well past its designed lifetime, which was expected to end by 2002, and budget concerns and technical compromises prompted NOAA to replace it with a less sophisticated instrument that still hasn't been launched, the committee said. This could diminish the accuracy of hurricane and other forecasts, especially for coastal areas such as South Florida. ''The committee believes it's imperative that a measurement capability be available to prevent a data gap,'' the report concluded. Chris Landsea, the National Hurricane Center's science and operations officer, called QuikSCAT a ''wonderful tool'' that has ``become ingrained in our operations, and it could disappear tomorrow.'' ''What's available in the plans would be a degradation to that,'' Landsea said. • Much of NASA's budget and many of its scientists are being diverted to the human space program that was reenergized by President Bush's proposal to send astronauts back to the moon and onward to Mars. The president's 2007 budget reduced NASA's research and analysis budget for science missions 15 percent compared to 2005. Since 2000, the agency's earth-science budget has been slashed 30 percent.
That caused the elimination of some projects, including measurements of solar radiation and Earth radiation that could help scientists understand global warming. • In addition, many of NASA's scientists seem too interested in theoretical research and insufficiently focused on practical science that can address pressing environmental issues, the committee said. In particular, the panel urged NASA scientists to transition from brief examinations of the climate to sustained studies that might help answer pressing questions about drought, soil moisture and other issues. And, the panel said, coordination between NOAA and NASA is weak. ''The committee is particularly concerned with the lack of clear agency responsibility for sustained research programs and the transitioning of proof-of-concept measurements into sustained measurement systems,'' the report said. OTHER PROBLEMS At the same time, NOAA is coping with many other problems. Automated buoys, weather balloons, radars and other equipment fail at unacceptably high rates, The Miami Herald's ''Blind Eye'' series reported in 2005, and budget overruns are legion. In response to the new report, both agencies issued noncommittal responses. ''It's useful to have such consolidated and prioritized information from the users of our data,'' NOAA Administrator Conrad C. Lautenbacher said in a written statement. ``Once we have a more complete understanding of this complex study, we will be working closely with NASA to assess how our two agencies can best address recommendations.'' NASA said it appreciated the group's work and already devotes considerable resources to earth sciences. ''The decadal survey offers important guidance on how best to spend that money,'' the agency said in a prepared statement. On Capitol Hill, Rep.
Bart Gordon, D-Tenn., chairman of the House Committee on Science and Technology, praised the committee's work as ``a great service in providing clear recommendations for a constructive way forward.'' `A CLOSE EYE' He said the committee would keep a close eye on NOAA and NASA, especially when it came to ``continued climate observations.'' In some ways, the report represented a scientific version of the Iraq Study Group, which last month issued a comprehensive report about the war. Both panels stepped back, closely analyzed a government program and issued recommendations to set right what once went wrong. Brown, the University of Miami scientist who participated in the academy's study, suggested that the group's conclusions should worry all Americans. ''The simple message is that we've spent decades and what amounts to billions [of dollars] in developing state-of-the-art environmental sensing systems from space, and what we're seeing is that these systems are at risk,'' he said. The panel urged federal officials to fully fund currently planned satellites and design and launch 17 new missions, but it is already too late to avoid gaps in the U.S. network, he said. ''We might be able to use a foreign satellite capability,'' Brown said. ``But in the U.S. pipeline, there is no way to fix it quickly. There's a lag time that's measured in years. These are long-term decisions that are made.'' And now, the consequences are becoming clear. ''To get a report like this through the national academy that even begins to hint at how screwed up things are is pretty amazing,'' Brown said. 
``You can tell that feelings are very strong about this.'' From rforno at infowarrior.org Wed Feb 21 21:42:21 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Feb 2007 21:42:21 -0500 Subject: [Infowarrior] - Frontline: "NewsWar" series Message-ID: http://www.pbs.org/wgbh/pages/frontline/newswar/ Series info: http://www.pbs.org/wgbh/pages/frontline/newswar/etc/synopsis.html From rforno at infowarrior.org Wed Feb 21 21:44:07 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Feb 2007 21:44:07 -0500 Subject: [Infowarrior] - Cisco, Apple Settle iPhone Lawsuit Message-ID: Cisco, Apple Settle iPhone Lawsuit Wednesday February 21, 9:26 pm ET By Jordan Robertson, AP Technology Writer http://biz.yahoo.com/ap/070221/cisco_apple.html?.v=7 SAN JOSE, Calif. (AP) -- Cisco Systems Inc. and Apple Inc. said Wednesday they have settled the trademark-infringement lawsuit that threatened to derail Apple's use of the "iPhone" name for its much-hyped new iPod-cellular phone gadget. The companies said they reached an agreement that will allow Apple to use the name for its sleek new multimedia device in exchange for exploring wide-ranging "interoperability" between the companies' products in the areas of security, consumer and business communications. No other details of the agreement were released. The companies both said they would dismiss any pending legal actions regarding the trademark. The showdown between the Silicon Valley tech heavyweights erupted last month when Cisco sued Apple in San Francisco federal court claiming that Apple's use of the iPhone name constituted a "willful and malicious" violation of a trademark that Cisco has owned since 2000. Cisco's Linksys division has been using the trademark since last spring on a line of phones that make free long-distance calls over the Internet using a technology called Voice over Internet Protocol, or VoIP. 
The lawsuit was filed a day after Apple Chief Executive Steve Jobs unveiled his own company's iPhone, a multimedia device that operates over the cellular network instead of the Internet. Apple initially called the lawsuit "silly" and argued that it was entitled to use the name because the phones operate over different networks and would not compete with each other. Cisco maintained that in an era of "convergence" -- where increasingly intelligent networks and devices can handle a variety of different types of voice, video, data and other transmissions -- the two companies' phones could eventually take on different features and wind up competing head-to-head. The result would be "confusion, mistake and deception among consumers," according to the lawsuit. Negotiations between the companies broke down just hours before Jobs' dramatic unveiling of the product Jan. 9 in San Francisco. The sticking point apparently was Cisco's demand that in order to use the iPhone name, Apple would have to open up its famously closed products to communicate with some of Cisco's offerings. From rforno at infowarrior.org Wed Feb 21 21:45:13 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 21 Feb 2007 21:45:13 -0500 Subject: [Infowarrior] - Music Industry Cracks Down on Colleges Message-ID: Music Industry Cracks Down on Colleges Wednesday February 21, 7:47 pm ET By Ted Bridis, Associated Press Writer http://biz.yahoo.com/ap/070221/downloading_music.html?.v=11 WASHINGTON (AP) -- College students who faced lawsuits for illegally sharing large music collections over campus computer networks increasingly risk being unplugged from the Internet or even suspended over lesser complaints by the recording industry. In a nationwide crackdown, the music industry is sending thousands more copyright complaints to universities this school year than last. In some cases, students are targeted for allegedly sharing a single mp3 file online. 
A few schools -- Ohio University and Purdue University are at the top of the list -- already have received more than 1,000 complaints accusing individual students since last fall. For students who are caught, punishments can vary from e-mail warnings to semester-long suspensions from classes. Ohio University said students caught twice sharing music online would face the same disciplinary sanctions as classmates accused of violence or cheating: suspension, probation or an assignment to write a homework paper on the subject. Ohio said no student ever has been caught twice. "When they told me I freaked," said Ryan Real of Louisville, an Ohio University sophomore who was accused in November of illegally sharing not music but a popular video game, "Grand Theft Auto," over the school's network. Real said he was ordered to delete the game and the Bittorrent file-sharing software he was using from his computer before the school would turn his Internet connection back on. "Everybody does it," Real said. "The odds that you are going to get caught, it's not something you think about." Classmates who also have been caught "still download illegally," Real said. At the request of The Associated Press, the trade group for the largest music labels, the Recording Industry Association of America, identified the 25 universities to which it has sent the most copyright complaints so far this school year. The group, which has long pressured schools to act more aggressively, said software tools are improving to trace illegal file-sharing on campuses. "We are taking advantage of that technology to make universities aware of the problem on their campuses," said RIAA President Cary Sherman. "They need to be sending a message to their students about how to live a lawful life." The top five schools are Ohio, Purdue, the University of Nebraska-Lincoln, University of Tennessee and the University of South Carolina. 
The RIAA complained about almost 15,000 students at the 25 universities, nearly triple the number for the previous school year. "They're trying to make a statement," said Randall Hall, who polices computers at Michigan State University, seventh on the list with 753 complaints. Michigan State received 432 such complaints in December alone, when students attended classes for only half the month. Hall meets personally with students caught twice and forces them to watch an eight-minute anti-piracy DVD produced by the RIAA. A third-time offender can be suspended for a semester; at least one student was targeted with three strikes so far this year. "I get the whole spectrum of excuses," Hall said. "The most common answer I get is, 'All my friends are doing this. Why did I get caught?'" The University of Tennessee requires second-time offenders to carry computers to a technology lab where popular music-sharing programs are deleted before Internet connections are restored. A student subjected to a third complaint -- which typically happens once each year -- faces punishment that ranges from a formal reprimand to suspension. "They're apologetic and somewhat embarrassed," said Tim Rogers, the school's vice chancellor for student affairs. At the University of Massachusetts at Amherst -- which received 897 complaints -- first- and second-time offenders receive escalating warnings about piracy. After a third complaint, the school unplugs a student's Internet connection and sends the case to a dean for punishment. The music group said each university should set its own penalties for stealing songs and said campuses are rife with such thefts. "When we look at the problem, it's particularly acute in the college context," said the group's chief executive, Mitch Bainwol. The trade group said popular software programs it has targeted at schools include AresWarez, BitTorrent, eDonkey and other programs that operate on the Gnutella and FastTrack services. 
Under federal law, universities that receive complaints about students illegally distributing copyrighted songs generally must act to stop repeat offenders or else the schools can be sued. The entertainment industry typically can identify a student only by his or her numerical Internet address and must rely on the school to correlate that information with its own records to trace a person's identity. Some schools aggressively warn students after they receive complaints. Others don't. Purdue, which has received 1,068 complaints so far this year but only 37 in 2006, said it rarely even notifies students accused by the RIAA because it's too much trouble to track down alleged offenders. Purdue said its students aren't repeat offenders. "In a sense, the (complaint) letter is asking us to pursue an investigation and as the service provider we don't see that as our role," spokesman Steve Tally said. "We are a leading technology school with thousands and thousands of curious and talented technology students." From rforno at infowarrior.org Thu Feb 22 09:25:07 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 22 Feb 2007 09:25:07 -0500 Subject: [Infowarrior] - Google challenges Microsoft with new business package Message-ID: Google challenges Microsoft with new business package By Miguel Helft Published: February 22, 2007 http://www.iht.com/articles/2007/02/22/business/google.php SAN FRANCISCO: Google is taking aim at one of Microsoft's most lucrative franchises. On Thursday, Google, the Internet search giant, unveiled a package of communications and productivity software aimed at businesses, which overwhelmingly rely on Microsoft products for those functions. The package, called Google Apps, combines two sets of previously available software bundles. 
One includes programs for e-mail, instant messaging, calendars and Web page creation; the other, called Docs and Spreadsheets, includes programs to read and edit documents created with Microsoft Word and Excel, the mainstays of Microsoft Office, an $11 billion annual franchise. Unlike Microsoft's products, which reside on PCs and corporate networks, Google's will be delivered as services accessible over the Internet, with Google storing the data. That will allow businesses to offload some of the cost of managing computers and productivity software. For corporate technology staffs, "we think that will be a very refreshing change," said Dave Girouard, Google's vice president and general manager for enterprise. The e-mail and messaging package, which is based on products like Gmail, Google's e-mail service, has been available in a free trial since August and is supported by advertising. It has been used by thousands of businesses, educational institutions and other organizations, Google said. Google will continue to provide the extended bundle of software free to businesses and educational institutions. But it will also offer businesses additional e-mail storage and customer support for an annual fee of $50 a user. By comparison, businesses pay on average about $225 a person annually for Office and Exchange, the Microsoft server software typically used for corporate e-mail systems, in addition to the costs of in-house management, customer support and hardware, according to the market research firm Gartner. Google said initial customers of Google Apps would include a unit of Procter & Gamble and SalesForce.com, a pioneer in the business of delivering software as an Internet service.
Google Apps comes at a time of increased competition between Microsoft and Google in a number of areas, including Internet search and advertising and mobile services. And it comes just as corporations are considering whether to upgrade to recently released versions of Microsoft Windows and Office. While most analysts say that businesses will increasingly use software delivered over the Internet and supported by advertising -- a formula that Google has mastered -- they are split over the threat that Google's offering represents to Microsoft in the near term. "I think Microsoft should be very concerned about this," said Rebecca Wettemann, vice president of Nucleus Research. Wettemann noted that a business may spend about $80,000 on a systems administrator to manage e-mail and desktop office software. For the same amount of money, Google Apps allows a business to support 1,600 users, she noted. Simply in terms of staffing, "this may be a better proposition even if Microsoft were free," Wettemann said. Mark Anderson, an analyst at Strategic News Service, a technology consulting firm, said Microsoft should worry about Google's inroads into one of its core businesses but would not see an immediate impact. "These things take years to happen," Anderson said. "Google will have to prove itself in terms of security and in terms of quality." Girouard said Google's products were not replacements for Excel or Word, which he admits are more powerful. But he added that for smaller businesses and for certain groups of employees within larger companies, Google Apps could be a substitute for Microsoft's products. Microsoft has taken steps to embrace the trend toward Internet services with products like Office Live, a package of functions to help small businesses set up Web sites. "We have a bunch of hosted services that we offer to our customers," said Chris Capossela, vice president for Office at Microsoft.
"Our belief is that the future of computing is a combination of software and services." Capossela said he welcomed the competition. But he said he expected that many customers would continue to want to have their data stored in-house because of security, legal and compliance reasons. For now, Google's share of the business software market is a tiny fraction of Microsoft's. Google said more than 100,000 small businesses had been using Google Apps for Your Domain, as the earlier package of e-mail and messaging programs was known. Docs and Spreadsheets had 432,000 users in December, according to Nielsen/NetRatings. Microsoft says Office has 450 million to 500 million users.

From rforno at infowarrior.org Thu Feb 22 10:19:39 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 22 Feb 2007 10:19:39 -0500 Subject: [Infowarrior] - Scientists make quantum encryption breakthrough Message-ID: Scientists make quantum encryption breakthrough http://www.itpro.co.uk/news/105452/scientists-make-quantum-encryption-breakthrough.html Researchers have managed to close a loophole in quantum cryptography that could allow a hacker to determine a secret key transmitted using the technology. Working at Toshiba Research Europe in Cambridge, scientists found that laser diodes used to transmit keys used to encrypt data, known as Quantum Key Distribution (QKD), sometimes transmitted more than one photon at a time. Quantum encryption works by transmitting key data as a stream of single photons. Should an eavesdropper try to intercept the transmission, monitoring a single photon would change the state of that photon, and this would make both ends of the transmission aware that the data had been eavesdropped. However, the laser diodes can sometimes transmit more than one photon and so a hacker could monitor the second photon, leaving the first photon unchanged and this would not alert anyone that the key transmission had been compromised.
But scientists have now added decoy photons to the key data. When an eavesdropper now tries to monitor extra photons, they will also monitor the decoy photons. Scientists said these decoy photons or "decoy pulses" are weaker on average and so very rarely contain two or more photons. If an eavesdropper attempts a pulse-splitting attack, they will transmit a lower fraction of these decoy pulses than signal pulses. By monitoring the transmission of the decoy and signal pulses separately this type of intervention can be detected, according to scientists. By introducing decoy pulses, the researcher found that stronger laser pulses could be used securely, increasing the rate at which keys may be sent. By using this method keys could be transmitted securely over a 25km fibre to an average bit rate of 5.5kbits/sec, a hundred-fold increase on previous efforts. "Using these new methods for QKD we can distribute many more secret keys per second, while at the same time guaranteeing the unconditional security of each," said Dr Andrew Shields, Quantum Information group leader at Toshiba Research Europe. "This enables QKD to be used for a number of important applications such as encryption of high bandwidth data links." The researchers also discovered a second method to push bit-rates even higher for QKD. The scientists have created the first semiconductor diode that can be controlled with electrical signal input to emit only single photons at a wavelength compatible with optical fibres. This 'single photon source' method eliminates the problem of multi-photon pulses altogether, claimed the research. The single photon diode has a structure similar to an ordinary semiconductor light emitting diode (LED), but measures just 45 nm in diameter and 10 nm in height. The dot can hold only a few electrons and so can only ever emit one photon at a time at the selected wavelength. The source operates with only electrical signals, which is essential for practical applications such as QKD. 
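The decoy-pulse check described above, as an added toy simulation (constructed for this page; not Toshiba's code, data or parameters): signal and decoy pulses are weak coherent pulses with assumed mean photon numbers of 0.5 and 0.1, sent over an assumed 10% channel transmittance. A photon-number-splitting eavesdropper who blocks single-photon pulses and forwards multi-photon ones losslessly can tune the signal detection rate to look normal, but cannot reproduce the decoy rate, because the weaker decoy class contains far fewer multi-photon pulses. The check infers the channel loss from the signal gain, predicts what the decoy gain would be over an honest lossy channel, and alarms when the observed decoy gain deviates from that prediction.

```python
"""Decoy-state check against photon-number splitting in a toy QKD model.

Constructed illustration, not Toshiba's implementation. Alice sends weak
coherent pulses with Poisson photon statistics; Bob records the detection
rate ("gain") of signal and decoy pulses separately.
"""
import math
import random

MU_SIGNAL = 0.5   # assumed mean photon number of signal pulses
MU_DECOY = 0.1    # assumed mean photon number of decoy pulses
ETA = 0.1         # assumed channel transmittance (about 10 dB of loss)


def poisson(mean, rng):
    """Sample a Poisson photon number (Knuth's method; fine for small means)."""
    threshold = math.exp(-mean)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def multi_photon_fraction(mu):
    """P(n >= 2) for a Poisson source with mean mu."""
    return 1.0 - math.exp(-mu) * (1.0 + mu)


def honest_gain(mu, eta):
    """Per-pulse detection probability over a lossy channel with no eavesdropper
    (dark counts ignored, detector efficiency folded into eta)."""
    return 1.0 - math.exp(-eta * mu)


def simulate(n_pulses, attack, seed=1, eta=ETA, decoy_prob=0.5):
    """Return the observed gain of each pulse class.

    attack=True models a photon-number-splitting eavesdropper who blocks
    single-photon pulses, keeps one photon of every multi-photon pulse and
    forwards the rest losslessly, throttled so the *signal* gain matches
    what Bob expects from the lossy channel. She cannot tell decoy from
    signal pulses, so the same throttle applies to both classes.
    """
    rng = random.Random(seed)
    sent = {"signal": 0, "decoy": 0}
    clicks = {"signal": 0, "decoy": 0}
    throttle = honest_gain(MU_SIGNAL, eta) / multi_photon_fraction(MU_SIGNAL)
    for _ in range(n_pulses):
        cls = "decoy" if rng.random() < decoy_prob else "signal"
        mu = MU_DECOY if cls == "decoy" else MU_SIGNAL
        n = poisson(mu, rng)
        sent[cls] += 1
        if attack:
            detected = n >= 2 and rng.random() < throttle
        else:
            # each photon independently survives the fibre with probability eta
            detected = any(rng.random() < eta for _ in range(n))
        clicks[cls] += detected
    return {cls: clicks[cls] / sent[cls] for cls in sent}


def decoy_check(gains, tolerance=0.2):
    """Infer transmittance from the signal gain, predict the decoy gain an
    honest lossy channel would give, and alarm if the observation deviates."""
    eta_est = -math.log(1.0 - gains["signal"]) / MU_SIGNAL
    predicted = honest_gain(MU_DECOY, eta_est)
    ratio = gains["decoy"] / predicted
    return {"predicted_decoy_gain": predicted, "ratio": ratio,
            "alarm": abs(ratio - 1.0) > tolerance}


if __name__ == "__main__":
    for attack in (False, True):
        gains = simulate(200_000, attack)
        print("attack" if attack else "honest", gains, decoy_check(gains))
```

With these parameters the honest run gives a decoy-to-predicted ratio close to 1, while the attacked run gives a ratio near 0.25: the signal gain looks exactly as expected, and only the separately monitored decoy class exposes the intervention, which is the point the article makes.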
Initial trials with the new device, reported recently in the scientific journal Applied Physics Letters, showed the multi-photon rate from the device to be five times lower than that of a laser diode of the same intensity.

From rforno at infowarrior.org Thu Feb 22 14:26:01 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 22 Feb 2007 14:26:01 -0500 Subject: [Infowarrior] - RIAA appeals attorneys' fees award Message-ID: RIAA appeals attorneys' fees award 2/22/2007 10:19:33 AM, by Eric Bangeman http://arstechnica.com/news.ars/post/20070222-8902.html The cartel of record companies in Capitol v. Foster have filed a motion for reconsideration of US District Court Judge Lee R. West's decision to award the defendant Debbie Foster attorneys' fees. In it, the plaintiffs lay out their disagreement with the judge's reasoning while taking time to point out that the fees awarded far exceed any damages they could have recovered should their suit have been successful. Although the RIAA is careful to take issue with all of Judge West's conclusions, its primary concern is his ruling on secondary infringement. Throughout its legal attacks on file sharers, the RIAA has argued that the owners of ISP accounts used to share copyrighted material should be held liable, even if they had no knowledge of the alleged infringement. Judge West called the RIAA's secondary infringement claims "untested and marginal" in his order, a characterization the labels take issue with. Instead, the plaintiffs argue that if the defendant has "a reason to know" of the infringing activity, she should be held liable. The RIAA also points to Foster's subscriber agreement with Cox Communications, her ISP, which the RIAA says "expressly required" her to keep others using her account from infringing copyrights.
The RIAA also bemoans what it calls the premature end of the discovery process: "Finally, plaintiffs believe that discovery would have revealed substantial other evidence of defendant's knowledge and material assistance in the underlying infringements. For example, the computer may well have been in a common area such that defendant heard music coming from the computer when admitted infringer Amanda Foster was using it," argues the RIAA. That's right... the RIAA is arguing that mere act of listening to music on one's PC is evidence of copyright infringement. Awarding attorneys' fees to Debbie Foster would do little more than reward the defendant for choosing to "litigate long after this case should have been dismissed," according to the motion. The record labels say that Foster failed to take advantage of the plaintiffs' offers to "end this litigation without paying anything." Instead, she chose to fight the lawsuit vigorously in hopes of clearing her name completely. The RIAA also argues that should the attorneys' fees award stand, it would deter other copyright owners from pursuing infringement claims. This is an important issue for the RIAA and the stakes are high. Even if the RIAA changes its legal tactics and decides not to press secondary infringement claims in future lawsuits, there are still numerous lawsuits wending their way through the courts where the record labels have used the exact same tactics seen in Capitol v. Foster. The labels recognize this, noting that "defense counsel in other cases like this across the country are already citing the Court's statement, albeit out of context, in an effort to suggest that this Court has found that contributory and vicarious infringement claims in cases like this one are not viable." Should other courts find Judge West's reasoning applicable to their cases, the RIAA is at risk of writing a lot of large checks, drastically tilting the risk-reward equation in the wrong direction for them. 
From rforno at infowarrior.org Thu Feb 22 15:54:33 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 22 Feb 2007 15:54:33 -0500 Subject: [Infowarrior] - GAO Report: Terrorist Capabilities for Cyberattack: Overview and Policy Issues Message-ID: (c/o secrecy news) "Terrorist Capabilities for Cyberattack: Overview and Policy Issues," updated January 22, 2007: http://www.fas.org/sgp/crs/terror/RL33123.pdf

From rforno at infowarrior.org Thu Feb 22 20:45:08 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 22 Feb 2007 20:45:08 -0500 Subject: [Infowarrior] - Airline Screening Update Delayed Three More Years Message-ID: Airline Screening Update Delayed Three More Years A key homeland security official says that a long-delayed change in how airline passengers are checked against watch lists won't come to pass until 2010, two years after the end of the Bush Administration's tenure. Transportation Security Administration chief Kip Hawley told Times reporter Eric Lipton that "after spending a year re-examining Secure Flight, officials had come up with a way to reduce mistakes, protect privacy rights and achieve the reliability needed to screen about two million passengers that fly each day." < - > http://blog.wired.com/27bstroke6/2007/02/airline_screeni.html

From rforno at infowarrior.org Thu Feb 22 20:46:09 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 22 Feb 2007 20:46:09 -0500 Subject: [Infowarrior] - Federal privacy panel leader resigns, raps standards Message-ID: Federal privacy panel leader resigns, raps standards Healthcare IT News By Diana Manos, Senior Editor http://www.healthcareitnews.com/story.cms?id=6553 02/22/07 WASHINGTON -- The leader of a federal panel charged with providing privacy recommendations for the national health information network resigned Wednesday, thwarted, he said, in efforts to develop adequate standards.
The resignation comes amid complaints from others about the speed with which standards are being written. Paul Feldman, deputy director of the nonprofit Health Privacy Project, stepped down from his position as co-chair of the American Health Information Community's Confidentiality, Privacy, and Security Workgroup, created in May 2006. In a letter sent Wednesday to 15 members of Congress, Department of Health and Human Services Secretary Michael Leavitt and HHS Interim National Coordinator for Health Information Technology Robert Kolodner, Feldman said the workgroup's efforts to establish standards for the nation's developing healthcare IT network are "a far cry from a comprehensive and timely approach that would give privacy policy equal and necessary footing with interoperability and systems development efforts." Janlori Goldman, director of the Health Privacy Project, also signed the letter. "We already know that the majority of people in this country fear that their health information is more prone to misuse in electronic form," Feldman said. "We must not shirk our duty to protect them from such harm." AHIC must provide recommendations for healthcare IT standards that will be required by federal contractors as early as Jan. 2008 -- and eventually will be adopted nationwide -- according to John Halamka, chairman of the Health Information Technology Standards Panel, also known as HITSP. HITSP will develop the standards based on AHIC recommendations, Halamka said at a Feb. 21 AHIC meeting. HITSP criticized for speed Feldman is not the first to express dissatisfaction with standards setting. Long before HHS Secretary Leavitt approved interoperability standards in December, stakeholders had been raising complaints about the unreasonable speed at which standards are being adopted through the AHIC-HITSP process.
Gary Dickinson, director of healthcare standards for CentrifyHealth and a panel member on several HITSP committees, has submitted more than four public complaints to HITSP and one set of comments to AHIC within the last year. Dickinson said he is concerned that the foundation for privacy is missing in the current standards process, posing a threat to consumers. "Real world scenarios are not being taken into account," Dickinson said. "Instead of going through a full analysis process, [HHS] has only cared about the back end of systems and interoperability standards." Dickinson said this raises privacy concerns because information cannot be exchanged at the back end unless its origination is known through proper authentication on the front end, "to ensure that information being exchanged is trusted." In response to Dickinson's complaints, Halamka told Healthcare IT News in a Dec. 18 interview that his role is to make sure every voice in HITSP gets equally heard. "Privacy issues are foundational," Halamka said. "My sense is we have a pretty open and transparent process." Halamka said Feb. 21 that the interoperability standards are still subject to small changes over the next year. "HITSP tried really hard to get it right, but we still need to be vetted by the industry and reality-checked," Halamka said.

From rforno at infowarrior.org Thu Feb 22 20:46:49 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 22 Feb 2007 20:46:49 -0500 Subject: [Infowarrior] - DHS isn't protecting your personal information Message-ID: DHS isn't protecting your personal information By Michael Hampton Posted: February 22, 2007 1:47 pm http://www.homelandstupidity.us/2007/02/22/dhs-isnt-protecting-your-personal-information/ The Department of Homeland Security isn't sufficiently protecting personally identifiable information on its computer systems, though it is making progress, according to an inspector general's report.
DHS is still trying to determine which of its 699 computer systems require security measures to protect personally identifiable information, has not encrypted most of its laptops, rarely encrypts personal information transported or stored offsite, doesn't have sufficient security for remote users, and doesn't track and destroy copies made of personal information, according to the report (PDF) from IG Richard Skinner.

"Until adequate encryption mechanisms have been implemented, there is increased risk that sensitive data or [personally identifiable information] may be compromised through the loss or theft of laptop computers and mobile computing devices," the report said.

The IG is also concerned that the department has not followed OMB guidelines for protecting systems that can be accessed by remote users. In their interviews with officials at component agencies, the IG's office found that their efforts to improve remote access and storage controls were hindered by "uncertainty regarding the applicability and scope of the OMB recommendations and new DHS requirements." The IG recommends that the department's chief information officer identify those gray areas and provide additional guidance.

-- Federal Computer Week

Computer security has been a long-standing challenge for the Department of Homeland Security, one it has yet to meet. A previous Inspector General's report found last October that DHS hasn't sufficiently been able to ensure the computer security of its systems generally. For example, computers could be improperly secured and nobody would know because the security paperwork had in many cases been fudged.

In this case, though, it's your personal information not being encrypted, not well secured, and vulnerable to the next hacker or identity thief.
From rforno at infowarrior.org Thu Feb 22 20:49:17 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 22 Feb 2007 20:49:17 -0500
Subject: [Infowarrior] - Hollywood faces up to DRM flop
Message-ID:

Hollywood faces up to DRM flop
http://technology.guardian.co.uk/weekly/story/0,,2017948,00.html

The system designed to protect next-generation DVDs from pirates has been cracked - and even the hackers are surprised at how easy it was, says Bobbie Johnson

Thursday February 22, 2007
The Guardian

This weekend, studio executives from Hollywood will be all smiles as they congratulate each other on their successes at the annual Oscars ceremony. But behind the grins, champagne and glamorous gowns, they are contemplating the biggest blockbuster flop in history. This time it's not a movie, but studio technology that hasn't lived up to its billing. The systems intended to lock pirates out of the new generation of high-definition DVDs have been cracked.

Both of the next-generation DVD formats - Sony's Blu-ray and Toshiba's HD DVD - use a protection mechanism called the Advanced Access Content System (AACS), a hugely complex and expensive beast aimed at rendering unauthorised copies useless. But what took countless dollars and years of work to create was undone in just a few weeks by a hacker who in effect unlocked every single Blu-ray and HD DVD disc now in circulation.

Process circumvented

"The developers spent billions, the hackers spent pennies," said Cory Doctorow, an opponent of digital rights management (DRM) who blogs at BoingBoing.net. "For DRM to work it has to be airtight - there can't be a single mistake. It's like a balloon that pops with the first prick."

The hacker, "Arnezami", posted a blow-by-blow account of the process on the Doom9 website, a famous haunt for crackers and pirates. It wasn't even a particularly complex attack; the only weapons used were an Xbox 360, a computer and a copy of King Kong.
And instead of deciphering the complex cryptography that protects every high-definition movie, the hackers circumvented the entire process by discovering one of the crucial keys that unlocks the encrypted information. Watching the protection unravel was like watching a cat playing with a ball of string - and even those doing the work could hardly believe such luck.

"Wow, I think I did it," Arnezami wrote. "It's pretty incredible that a carefully thought-of encryption system is now reduced to, at worst, a guessing game. Somebody should feel very ashamed."

Over the years, the Hollywood machine has become as famous for its flops as its successes. Where films like Jaws once ruled the cinemas all summer, modern blockbusters are built for impact - lavish multimillion-dollar productions that spend a week on top of the box office charts before fading into history. The same seems to be true of DRM systems, which are costing more and more to develop despite being broken with increasing speed. In the late 1990s it took a Norwegian teenager, Jon Lech Johansen, months to crack DVD's DeCSS protection. These days that must seem like a luxury.

"Blu-ray is incredibly well-designed," says Bruce Schneier, the chief technology officer of BT Counterpane and a respected security expert. "If they're smart, they'll have been expecting this, and if they're lucky they'll be able to fix it - not with the DVDs that are already out there, but with ones coming in the future."

At first some doubted Arnezami's claims, but it quickly became apparent that the processing key was able to unlock almost anything that came its way. Within days the system's creators, the AACS licensing authority, responded.

"AACS has confirmed that an additional key has been published on public websites without authorisation. This is a variation of the previously reported attack on one or more players sold by AACS licensees," said a statement. "Although a different key was extracted, this represents no adverse impact on the ability of the AACS ecosystem to address the attack. All technical and legal measures applicable to the previously reported attack will be applicable against this attack as well."

The language is measured, but reading between the lines reveals otherwise. Arnezami's revelation is treated dismissively, but is not refuted; in fact, it is only the "AACS ecosystem" that has survived. In other words, producers will be able to change the keys on forthcoming products to try to prevent this crack from being successful in the future.

The effects have already rippled through the industry. Fox, one of the major backers of Blu-ray, has delayed a raft of high definition movies it was preparing to release, presumably to recode them and tighten up procedures. In the meantime, customers are left waiting empty-handed while Hollywood carries on spending money on a system that failed to do its job properly.

Impossible problem

Even the assumption that AACS has a backup plan to beat this particular crack is debatable, because nobody can be sure what measures are being taken. The AACS licensing authority was invited to take part in this article, but refused.

Campaigners continue to argue about the rights and wrongs of digital rights mechanisms - but what good is any protection system if it fails? Meanwhile, as the studios look to restrict their official products even further, the Swedish anti-copyright group The Pirate Bay - identified by the US-based International Intellectual Property Alliance as one of the most dangerous groups in the world - is distributing BitTorrent versions of Oscar-nominated movies with impunity at oscartorrents.org.

"The movie industry learned from the music industry's lesson - that you should never offer too perfect a product, so that you can sell your customers an improved version later," says John Buckman, whose online record label, Magnatune, does not use protection systems. "The appeal of BitTorrent files is not only that they're free - they are a better product than you can buy at any price." And free, too, of DRM.

In the end, say experts, vested interests are at play, and a whole industry of companies and experts is profiting from the false promise of a silver bullet for piracy. "It is an impossible problem, like making water not wet," says Schneier. "These systems are supposed to be able to recover from breaks, but the cracks are going to get better. It's a never-ending arms race."

How the hackers did it

Both Arnezami and another hacker, Muslix64, who managed a similar attack, realised that it is easier to bypass the protection system than try to decode it. A high definition DVD includes a number of software 'keys' to decrypt the content; there's also one built into the player. One of the keys identifies the movie. By watching the information streaming from the DVD itself, Arnezami was able to pick up one of those codes - and realised that the "unique" identifiers were actually based on simple information such as the title of the movie. A couple of steps later, Arnezami was able to spot another more useful key, which helped circumvent the decryption process.

Hackers are now building software that can exploit the hack and play any high-def disc in any computer - which in turn will open the door to free copying. Fixing the crack will be expensive and awkward for the movie studios: future pressings of DVDs will need to use different, unbroken keys, and it is likely they will have to randomise the codes on every future HD and Blu-ray DVD rather than use the same one for every copy of a movie.
If you'd like to comment on any aspect of Technology Guardian, send your emails to tech at guardian.co.u

From rforno at infowarrior.org Fri Feb 23 08:15:47 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Feb 2007 08:15:47 -0500
Subject: [Infowarrior] - Why we don't care about Josh Wolf
Message-ID:

Why we don't care about Josh Wolf
By Charles Cooper
http://news.com.com/Why+we+dont+care+about+Josh+Wolf/2010-1028_3-6161545.html
Story last modified Fri Feb 23 04:16:52 PST 2007

I'm so glad the media scrum surrounding Anna Nicole Smith is dying down. There are so many more urgent stories begging attention these days. Such as Britney Spears' latest whereabouts.

Meanwhile, a San Francisco video blogger named Josh Wolf remains in the Federal Detention Center in Dublin, Calif., where he continues to set new records as this country's longest-serving journalist behind bars. Wolf's family and friends understandably can think of little else. He's become the poster child for a variety of free speech advocates who say his imprisonment vividly symbolizes the loss of press freedoms in post-September 11 America.

You might assume more people would be listening, but Wolf's plight has failed to capture the public's imagination. On a whim, I tried an Internet search. Google came up with 1.84 million mentions of Wolf's name on the Internet. Not bad, but far behind Britney, finishing second with 38.1 million. Anna Nicole naturally remained the people's favorite with a whopping 54 million hits.

I obviously stacked the deck here. When it comes to what folks find more compelling, large breasts always trump freedom of speech. What could be more American? Still, this is more than just an additional proof point that our dumbed-down era still has room for further decline. Wolf's plight remains disturbing on several levels--not the least being the near-absolute silence from Silicon Valley or the tech plutocrats who chart the future of this multi-billion dollar industry.
In case you haven't followed the story closely, Wolf videotaped a July 2005 demonstration in San Francisco protesting a meeting of the G8 economic summit. The local district attorney wanted the unedited footage to assist a police investigation into violence which marked that night. The 24-year-old refused to turn over the full video to a grand jury. Because prosecutors brought the case in federal court, where there are no shield law protections, Wolf had two choices: comply or go to jail. As of today, he's spent 185 days in jail and could remain inside until the grand jury's term expires in July.

Civil liberties-minded folks are upset about the press freedom issues raised by Wolf's imprisonment. But Wolf's self-proclaimed status as a video blogger also opens a Pandora's box the fourth estate would just as soon see remain shut. More than any case I can recall, the Wolf case reflects the changing way journalism is being practiced in the age of Internet bloggers.

In 2006, a California appeals court rejected Apple's attempt to force a couple of blogging sites to disclose their sources. The court didn't buy Apple's argument that the bloggers failed to qualify as legitimate journalistic enterprises. But the court decided not to decide the tricky question of what constitutes "legitimate journalism." To do otherwise, the judge who authored the opinion warned, would be to imperil the very values the First Amendment was intended to protect.

Unfortunately for Wolf, he caught a bad break. If prosecutors had tried the case in state court, California's shield law would have applied. Wolf could have argued he was practicing the craft of journalism by virtue of his role as a news blogger about current affairs. It did not matter who his employer was. The state would have had its hands full trying to disprove that claim.

I doubt that many of my colleagues in what's come to be known as the mainstream media would welcome Wolf into the fraternity with enthusiasm.
But times are changing--fast. What hasn't changed is Silicon Valley's collective quietude when it comes to getting involved. Considering the counterculture roots of so many who laid the foundation of this business, I expected to hear people weigh in. But the tech industry has been silent during the entire time Wolf has sat in prison.

It's not as if this crowd doesn't know how to voice its concerns. When self-interest is involved, there's no shortage of talking heads eager to bloviate. So it was that several stars from the high-tech firmament dutifully trooped to Capitol Hill last year when Congress debated Net neutrality legislation. No less a personage than Google CEO Eric Schmidt publicly lectured how those who understand such things need to educate government about the Internet's role in society.

Probably a good idea, too. How about extending that noble concern to a disquisition on the Wolf case and the importance of free Internet journalism--practiced in a myriad of ways--in that same society?

"It's rare that we as a company would get involved in something like this," said an executive with one computer company I spoke with. "There are so many other issues to deal with."

That's why I wonder. Who really cares about Josh Wolf?

Copyright ©1995-2007 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Fri Feb 23 08:56:55 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Feb 2007 08:56:55 -0500
Subject: [Infowarrior] - RIAA Fights Back, Threatens Open Wi-Fi
Message-ID:

Notice how the RIAA has been slow to do anything about the Internet and technology other than treat it like the enemy? They're lazy as hell about evolving with the rest of the world, but they're active as hell about trying to preserve their (fading) relevance if they don't evolve. RIAA = Effing Moronic Hypocritical Parasites.
http://blog.wired.com/music/2007/02/riaa_contests_d.html

> They want the judge to rule that the owner of an ISP account is responsible
> for all activity on that account, which could have a chilling effect on public
> wireless access and open hotspots. (The appeal also made the point that
> Foster should be held liable if she was aware of the infringement occurring via
> her account; in the case of someone with an open Wi-Fi network, that could
> constitute something as simple as experiencing traffic slowdowns.)
>
> If the judge rules that we're each legally responsible for all of the traffic
> that comes through our ISP account, open, unprotected Wi-Fi hotspots would
> become a serious legal liability, the hundreds of thousands (millions?) of
> people who depend on their neighbors for Wi-Fi will be out of luck, while
> altruistic (or ignorant) folks who leave their wireless networks open could
> find themselves embroiled in an RIAA lawsuit even if they've never shared a
> single song in their lives.

From rforno at infowarrior.org Fri Feb 23 08:58:13 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Feb 2007 08:58:13 -0500
Subject: [Infowarrior] - Major news: Fair Use and Film
Message-ID:

Major news: Fair Use and Film
http://www.lessig.org/blog/archives/003713.shtml

Yesterday, in LA, in partnership with the insurance company, Media/Professional, and LA lawyer Michael Donaldson, we (the Stanford CIS Fair Use Project) made a major announcement. In my just about 10 years working on these issues, this is the most important announcement yet.

As reported just over a year ago, American University's Center for Social Media released the Documentary Filmmakers' Statement of Best Practices in Fair Use. This fantastic report outlines principles to guide filmmakers in the fair use of copyrighted material in their films. It was an important step towards helping to clarify this unruly area of the law.
Working with Media/Professional, and Michael Donaldson, the Fair Use Project has now found a way to insure films that follow the Best Practices guidelines. For films that are certified to have followed the Best Practices guidelines, Media/Professional will provide a special (read: much lower cost) policy; Stanford's Fair Use Project will provide pro bono legal services to the film. If we can't provide pro bono services, then Michael Donaldson's firm will provide referrals to a number of media lawyers who will provide representation at a reduced rate. Either way, filmmakers will be able to rely upon "fair use" in the making of their film. The Fair Use Project and Donaldson will defend the filmmakers if their use is challenged. Media/Professional will cover liability if the defense is not successful.

This is a huge breakthrough. As many of us have been arguing, the real constraint of fair use comes not from the courts, but from those in the market who are trying to avoid any risk of copyright exposure. This market-based solution will now clear the way for many films to be released which before could not secure insurance. And we are eager to use the inevitable cases that will emerge to solidify the fantastic Statement of Best Practices developed by the Center for Social Media.

The project has an advisory board: filmmakers Kirby Dick, Academy Award-nominee Davis Guggenheim, Arthur Dong and Haskell Wexler; professors Peter Jaszi and me; and intellectual property attorneys Michael Donaldson and Anthony Falzone.

To remix a bit EFF's slogan: Fair Use's posse just got a whole lot bigger -- and with insurance now to boot.

From rforno at infowarrior.org Fri Feb 23 09:07:34 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Feb 2007 09:07:34 -0500
Subject: [Infowarrior] - Doesn't the Social Web Realize that People Talk?
Message-ID:

Doesn't the Social Web Realize that People Talk?
by Trevor Baca
02/22/2007
http://www.oreillynet.com/pub/a/etel/2007/02/22/doesnt-the-social-web-realize-that-people-talk.html

During my upcoming presentation at ETel, Voice and the Web: The New Terrain, I'll be examining how the global telephone network evolved from a completely closed system to where we're headed when the global telephone network finally becomes available to applications developers everywhere. In the course of putting together the presentation I asked myself why much of the 2.0 hoopla isn't about voice.

We're telecom innovators. We think about people and communications and technology a lot. And we look at Myspace and can't help but wonder how all that happened without us. Put another way, just how did social computing get so social without voice?

First, let's check the observation. Tens of millions of messages, perhaps, pass through Myspace daily. Those messages are text, images, or both. But not voice. And yet voice seems so obvious. Friend online? Click here to ring both your phones. But no.

On flickr we find photos from everywhere in the world. And looking at everybody's stuff even turns out to be fun and engaging. And we can see exactly who took what, and why. But click here to ring the photographer's phone? Again, no. No voice.

And Craigslist? Do people call each other when they use humanity's largest watercooler to sell a sofa? In fact, they frequently do. This one's interesting. Clicking through the want ads and personals turns up a surprising number of phone numbers, frequently lightly scrambled -- "4* 15 # three two six 1805 for more info" -- to throw off the spammers. More phone numbers, in fact, than we might expect. So Craigslist allows for the power of voice but, crucially, doesn't do anything to actively promote voice between users. Why not? The technology exists today to pass out one-day, three-day, or seven-day disposable telephone numbers to anybody buying that sofa or looking for a date. And away would go the spambots, forever.
But, no. No voice. Why? Doesn't the social web realize that people talk?

eBay is our current best counterexample to the voiceless web. eBay believes in the power of voice. So much so, in fact, that it bought Skype for billions of dollars.

So, on the one hand we have Myspace and Craigslist -- currently the first and seventh largest websites on the planet -- whose planners and designers either don't know they can bring voice to their users, or don't care. And, on the other hand, we have eBay -- probably the world's largest online buyers' community -- spending billions to bring Skype to users that could have been Skyping all along, if only they had cared.

Both parts of this equation are bizarre. A complete lack of interest in voice on one side together with an obvious over-response on the other.

Part of the problem may be that voice doesn't actually make sense in all of the social contexts that we, as telecom innovators, might hope. Maybe flickr is a case in point. If browsing the world's photos means that we're looking mostly at photos taken by people we've never met, from different time zones, maybe voice just isn't the right way to reach out and make an introduction.

Another part may be fear of integration. Up until very recently, if you found yourself hosting a well-trafficked site with a large user base, it wasn't at all clear how you could offer up voice to your users, even if you wanted to. This may be what's going on with Myspace. The obvious interaction guffaws of the site are the stuff of legend in the usability community. That could point to any number of things, of course, but one likely culprit may just be the risk of integrating anything at all with site growth that rapid.

And then, there may be a genuine lack of interest on the part of some of the most successful of the social sites. I can't be certain, but I suspect this to be the case with Craigslist. Perhaps Craig himself doesn't care. Or perhaps nobody's approached him.
Or perhaps it simply isn't clear enough yet that voice is a genuine possibility on the Web.

Where voice simply isn't the right tool for the job -- flickr, perhaps -- then we can stop asking questions. But where voice is simply disadvantaged -- either through the lack of interest or because of integration difficulties -- we owe it to ourselves to look past these proximal causes and go at least one layer deeper.

Consider, to start with, that voice, at least traditionally, has cost money. The public network didn't come about for free. Then compare those decades of centralized state planning and control to the free, drop-in Web components -- think shopping carts and comment boards, as well as Google Maps and Feedburner-type web services. It's easy to see why voice may not be the first thing that springs to the minds of talented Web developers everywhere. VoIP may, of course, turn "costs money" into a type of "free," but then we run into the fact that whatever the outcome of the religious war on the uptake of VoIP handsets, what users really love is wireless, which puts us squarely back in the "costs money" domain of the PSTN.

Of course, costing money isn't the end of successful innovation. But it probably doesn't help that the web has evolved as an almost exclusively transaction-driven economy. Click here. For a search, for an API call, for an image, an article, or a book. It doesn't matter what it is -- on the Web, it's the outcome of a mostly stateless, mostly timeless transaction. But voice? Voice has always been about minutes, unlimited local calling, nights or weekends notwithstanding. It might help us to ask how we can turn voice into the type of billing the Web expects. That is, a billed transaction rather than a bunch of minutes.

And last -- and probably most fruitfully -- we can tackle the question of integration and just how hard it is to use voice on the Web. Just how hard should it be for a web developer to start or stop a telephone call?
That's something we've been tackling at Jaduka. And I'll be talking more about our API at ETel, which will give developers direct access to, and all the inherent benefits of, the world's highest-quality, ubiquitous, public-switched telephone network (PSTN). Client-side installs are a barrier to innovation, not a help. Web developers and users alike hate Flash and Java downloads, and it seems unlikely Skype will change these feelings in any significant way. So why shouldn't control of voice on the Web look and act just like everything else on the Web -- that is, like a Web service?

So I ask again: how did social computing get so social without voice? Maybe part of the social web doesn't need us. But clearly other parts of the social web will. Whatever the case, it will be up to us to package our services, and to bill for them, in ways that web developers everywhere understand, appreciate, and will explore.

Catch my talk at ETel on Wednesday, February 28, at 4:15pm-4:30pm, in Salon ABCDE.

Trevor Baca is VP of software engineering at Jaduka and oversees software engineering, real-time systems engineering, telephony services development, information architecture, usability, and user-experience engineering teams.

From rforno at infowarrior.org Fri Feb 23 09:46:26 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 23 Feb 2007 09:46:26 -0500
Subject: [Infowarrior] - Going to Canada? Check your past
Message-ID:

Going to Canada? Check your past
Visitors with minor criminal records turned back at border
C.W. NEVIUS
Friday, February 23, 2007
http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/02/23/NEVIUS.TMP

There was a time not long ago when a trip across the border from the United States to Canada was accomplished with a wink and a wave of a driver's license. Those days are over.

Take the case of 55-year-old Lake Tahoe resident Greg Felsch.
Stopped at the border in Vancouver this month at the start of a planned five-day ski trip, he was sent back to the United States because of a DUI conviction seven years ago. Not that he had any idea what was going on when he was told at customs: "Your next stop is immigration.''

Felsch was ushered into a room. "There must have been 75 people in line," he says. "We were there for three hours. One woman was in tears. A guy was sent back for having a medical marijuana card. I felt like a felon with an ankle bracelet.''

Or ask the well-to-do East Bay couple who flew to British Columbia this month for an eight-day ski vacation at the famed Whistler Chateau, where rooms run to $500 a night. They'd made the trip many times, but were surprised at the border to be told that the husband would have to report to "secondary'' immigration. There, in a room he estimates was filled with 60 other concerned travelers, he was told he was "a person who was inadmissible to Canada.''

The problem? A conviction for marijuana possession. In 1975.

Welcome to the new world of border security. Unsuspecting Americans are turning up at the Canadian border expecting clear sailing, only to find that their past -- sometimes their distant past -- is suddenly an issue.

While Canada officially has barred travelers convicted of criminal offenses for years, attorneys say post-9/11 information-gathering, combined with a sweeping agreement between Canada and the United States to share data, has resulted in a spike in phone calls from concerned travelers. They are shocked to hear that the sins of their youth might keep them out of Canada.

But what they don't know is that this is just the beginning. Soon other nations will be able to look into your past when you want to travel there.

"It's completely ridiculous,'' said Chris Cannon, an attorney representing the East Bay couple, who asked that their names not be used because they don't want their kids to know about the pot rap. "It's a disaster.
I mean, who didn't smoke pot in the '70s?''

We're about to find out. And don't think you are in the clear if you never inhaled. Ever get nabbed for a DUI? How about shoplifting? Turn around. You aren't getting in.

"From the time that you turn 18, everything is in the system,'' says Lucy Perillo, whose Canada Border Crossing Service in Winnipeg, Manitoba, helps Americans get into the country.

Canadian attorney David Lesperance, an expert on customs and immigration, says he had a client who was involved in a fraternity prank 20 years ago. He was on a scavenger hunt, and the assignment was to steal something from a Piggly Wiggly supermarket. He got caught, paid a small fine and was ordered to sweep the police station parking lot. He thought it was all forgotten. And it was, until he tried to cross the border.

The official word from the Canadian Border Services Agency is that this is nothing more than business as usual. Spokesman Derek Mellon gets a little huffy when asked why the border has become so strict.

"I think it is important to understand that you are entering another country,'' Mellon says. "You are not crossing the street.''

OK, but something changed here, didn't it?

"People say, 'I've been going to Canada for 20 years and never had a problem,' '' Lesperance says. "It's classic. I say, 'Well, you've been getting away with it for 20 years.' ''

A prior record has always made it difficult to cross the border. What you probably didn't know was that, as the Canadian Consulate's Web site says, "Driving while under the influence of alcohol is regarded as an extremely serious offense in Canada.''

So it isn't as if rules have stiffened. But what has changed is the way the information is gathered. In the wake of 9/11, Canada and the United States formed a partnership that has dramatically increased what Lesperance calls "the data mining'' system at the border. The Smart Border Action Plan, as it is known, combines Canadian intelligence with extensive U.S.
Homeland Security information. The partnership began in 2002, but it wasn't until recently that the system was refined.

"They can call up anything that your state trooper in Iowa can,'' Lesperance says. "As Canadians and Americans have begun cooperating, all those indiscretions from the '60s are going to come back and haunt us.''

Now, there's a scary thought. But the irony of the East Bay couple's situation is inescapable. Since their rowdy days in the '70s, they have created and sold a publishing company, purchased extensive real estate holdings and own a $3 million getaway home in Lake Tahoe.

"We've done pretty well since those days,'' she says. "But what I wonder is how many other people might be affected.''

The Canadian Border Services Agency says its statistics don't show an increase in the number of travelers turned back. But Cannon says that's because the "data mining'' has just begun to pick up momentum.

"It is too new to say,'' he says. "Put it this way. I am one lawyer in San Francisco, and I've had four of these cases in the last two years, two since January. And remember, a lot of people don't want to talk about it (because of embarrassment).''

Asked if there were more cases, attorney Lesperance was emphatic.

"Oh, yeah,'' he says. "Just the number of calls I get has gone up. If we factor in the greater ability to discover these cases, it is just mathematically logical that we are going to see more.''

The lesson, the attorneys say, is that if you must travel to Canada, you should apply for "a Minister's Approval of Rehabilitation" to wipe the record clear.

Oh, and by the way, if you don't need to travel to Canada, don't think you won't need to clear your record. Lesperance says it is just a matter of time before agreements are signed with governments in destinations like Japan, Indonesia and Europe.

"This,'' Lesperance says, "is just the edge of the wedge.''

Who would have thought a single, crazy night in college would follow you around the world?
Rules for getting into Canada For more information on offenses that prohibit entry to Canada, go to the Canadian Consulate's Web site at geo.international.gc.ca/can-am/seattle/visas/inadmissible-en.asp. For more information on visiting Canada, go to cic.gc.ca. This article appeared on page A - 1 of the San Francisco Chronicle From rforno at infowarrior.org Fri Feb 23 16:30:01 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 23 Feb 2007 16:30:01 -0500 Subject: [Infowarrior] - Police blow up foul-mouthed CDs that blared in church Message-ID: Talk about overkill on a NON-ISSUE.......I guess the bomb squad needed to justify their monthly quota for making things go boom.........rf Police blow up foul-mouthed CDs that blared in church http://www.cnn.com/2007/US/02/22/church.foul.language.ap/index.html SANTA FE, New Mexico (AP) -- Three CD players hidden under a cathedral's pews blared sexually explicit language in the middle of an Ash Wednesday Mass, leading a bomb squad to detonate two of the devices. Authorities determined the music players were not dangerous and kept the third one to check it for clues, said police Capt. Gary Johnson. The CD players, duct-taped to the bottoms of the pews, were set to turn on in the middle of noon Mass on Wednesday at the Roman Catholic Cathedral Basilica of St. Francis of Assisi. The recordings, made on store-bought blank discs, featured people using foul language and "pornographic messages," Johnson said. He would not elaborate because of the ongoing investigation. Church staff members took the CD players to the basement and called police, who sent the bomb squad, Johnson said. The bomb squad blew up two players outside and kept the third one to test for fingerprints or DNA and trace its components, he said. Ash Wednesday is the first day of Lent, which marks a 40-day period of fasting and penitence before Easter. Copyright 2007 The Associated Press. 
All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

From rforno at infowarrior.org Sat Feb 24 19:54:31 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 24 Feb 2007 19:54:31 -0500
Subject: [Infowarrior] - Scary.......Inside Navy's secret brig
Message-ID:

One quote from this story is more than a little shocking, and the very fact it was even mentioned in a DOD guidance document should disturb everyone, no matter how it's spun or explained:

> "In detaining American citizens, full constitutional rights are afforded
> except where curtailed by higher guidance or accepted prison practice,"

I thought the highest guidance on legal matters pertaining to US citizens was the US Constitution and Bill of Rights. Or is that just sentimental nostalgic pre-9/11 thinking?

Full story: http://www.charleston.net/assets/webPages/departmental/news/Stories.aspx?section=localnews&tableId=131707&pubDate=2/23/2007

From rforno at infowarrior.org Sat Feb 24 19:59:52 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 24 Feb 2007 19:59:52 -0500
Subject: [Infowarrior] - Think Your Social Security Number Is Secure? Think Again
Message-ID:

February 24, 2007
Your Money
Think Your Social Security Number Is Secure? Think Again
By DAMON DARLIN
http://www.nytimes.com/2007/02/24/business/24money.html?pagewanted=print

It should come as little surprise that Social Security numbers are posted on the Internet. But, says Betty Ostergren, a former insurance claims supervisor in suburban Richmond, Va., who has spent years trolling for them, "people are always astounded" to learn that theirs is one of them.

Mrs. Ostergren, 57, has made a name for herself as a gadfly as she took on a lonely and sometimes frustrating mission to draw attention to the situation. With addresses, dates of birth and maiden names often associated with Social Security numbers, she said, they are a gift to data thieves.

But in the last few weeks, Mrs.
Ostergren's Web site, The Virginia Watchdog -- with the help of lobbying from an unexpected ally, America's farm bureaus -- is having an effect. One by one, states and counties have started removing images of documents that contain Social Security numbers, or they are blocking out the numbers.

Four states, including New York, have removed links to images of public documents containing Social Security numbers. Snohomish County, Wash., for example, said Wednesday that 61 types of documents, including tax liens and marriage certificates, would be blocked. (The documents are supposed to remain public at courthouses or state offices.) On Wednesday, the Texas attorney general, Greg Abbott, issued a legal opinion that county clerks could be committing a crime by revealing Social Security numbers on the Internet.

"I am almost in a celebratory mode," said David Bloys, a retired private investigator in Shallowater, Tex., who also highlights the public records issue on his Web site, NewsforPublicOfficials.com.

For people wondering if they should be worried about the security of their own numbers, there is a new tool to help them. TrustedID, a company that sells services to consumers to give them more control over who sees their credit reports, has compiled a database of compromised numbers that could already be traded or sold on the Internet. It has created an online search tool, StolenIDSearch.com, where people can check at no cost to see if their number is one that is in a too-public domain. TrustedID said that about 220,000 people had tested their numbers in the three weeks the site has been open to the public.

The Social Security number remains the personal identifier not only for government documents, but for credit applications and medical records, as well as video and cellphone stores. "In the commercial world, it is ubiquitous when credit is offered,"
said Chris Jay Hoofnagle, a privacy advocate and senior fellow of the Berkeley Center for Law and Technology at the University of California, Berkeley. "It all flows from the credit system and it flows very far."

Even though Americans are told to protect their Social Security number to prevent identity theft, that is a tall order. The Social Security Administration says its card "was never intended and does not serve as a personal identification document." But that has not been true about the number almost from the outset.

The Social Security numbers that were first handed out in November 1936 as a means for the federal government to track payments to the retirement system were soon used for other purposes. They help track payrolls, loan payments, financial transactions and income taxes. They are necessary for anyone seeking public assistance, like food stamps, or registering for the draft. Congress decreed that the numbers be put on records including professional licenses, marriage licenses and divorce decrees to better track scofflaws of child support orders.

The Social Security number took on a second role. It allowed collectors of data to link pieces of information together, like a driver's license record, credit report data and the information on the warranty card for a toaster. That is a useful tool for marketers and just as useful for criminals.

It was only in 2004 that Congress prohibited states from using the Social Security number on drivers' licenses. Yet the databases with those numbers still exist. Until 2001, states could sell lists with those numbers, which means that for virtually anyone 22 years or older, the name, address, phone number and Social Security number are in private databases.

The nine-digit string took on a third role -- as a password that was supposed to protect all that private information from snoops and criminals. But its ubiquity defeats that purpose, Mr. Hoofnagle said.
"It will pass when the business community no longer needs a Social Security number," he said.

The Social Security Administration's Office of Inspector General said that 16 percent of the 99,000 fraud cases it investigated in the 12-month period that ended Sept. 30 involved the misuse of Social Security numbers. One involved an identity theft ring in Central Florida. Twelve people were convicted, sentenced to prison and ordered to repay more than $2 million.

About 16,000 incidents are not a lot considering that 240 million numbers are currently in use, and certainly theft and fraud involving credit card numbers are much more pervasive. But credit card numbers are rarely exposed on documents in public view. And if a credit card is stolen or misused, obtaining a new one is a fairly simple process. A new Social Security number is rarely granted. (Indeed, one is limited to 3 replacements of the green paper Social Security card in a year and 10 over a lifetime.)

Social Security numbers are routinely traded and sold by thieves over the Internet like credit card numbers, says Panos Anastassiadis, chief executive of Cyveillance, a company in Arlington, Va., that monitors online fraud attempts for major financial institutions. His company has found caches of them in Web chat rooms where they are offered as samples by criminals selling even larger lists. They are sometimes obtained by "key logging" software surreptitiously installed on home computers to record what is typed. Some come from so-called phishing attacks in which people are misled into entering the data on fake Web sites of banks or utilities.

The numbers are also out in the open. "People think it is the banks, but banks are very secure," Mr. Anastassiadis said. "The problem is every dentist's office has Social Security numbers. Every doctor's office has them. How secure are these?"

It has been Mrs. Ostergren's near obsession to answer that question.
Few things delight her more than finding a number belonging to a celebrity because it draws attention to her cause. "Oh, my Lord!" she exclaimed recently as she stumbled upon the Social Security number of a member of the boldfaced set as she demonstrated how New York State Web sites display documents containing names, addresses and Social Security numbers. "Let me download this one. This is Donald Trump's number. I can't wait to tell him."

Mrs. Ostergren never got through to Mr. Trump to confirm whether the nine-digit identifier was indeed his, but she has found and tried to notify others, including Kelly Ripa, the actress and talk-show host; Jeb Bush, the former governor of Florida; Porter Goss, the former C.I.A. director; and scores of state legislators. She posted links to some of those documents on her site. (New York later made the documents unavailable, so the links no longer work.)

She has found Social Security numbers on tax liens on the official site of Maricopa County in Arizona. In Florida, as in many states, they appear on documents consumers sign when they buy furniture or other merchandise on credit.

Mrs. Ostergren wants the documents taken off the Web, and she applies pressure by using the people whose numbers she finds. "I've been calling people and telling them that they are exposed," Mrs. Ostergren said. "It is not very hard to find the numbers. They are exposed everywhere."

Her Web site may be cluttered with so many typefaces that it resembles a ransom note, but she seems to be having an impact. In the last month she found a pressure point: farmers. Their numbers show up on Uniform Commercial Code filings when they buy machinery or supplies on credit. She showed state farm bureau leaders their numbers; they contacted their state legislators. She has also found common cause with other gadflies like Mr. Bloys.

She has had her share of setbacks as well.
Several state legislators tried to ban her from posting information about their personal data that appeared in public records. She wins no fans among legitimate companies who sell databases. Removing the data from the Internet slows their ability to collect public information, but does not stop them. "There are a lot of people in the data brokerage business who don't like what I do," she said.

From rforno at infowarrior.org Sat Feb 24 20:05:05 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 24 Feb 2007 20:05:05 -0500
Subject: [Infowarrior] - Identity in the Information Society: Security, Privacy, The Future.
Message-ID:

Identity in the Information Society: Security, Privacy, The Future.
The 7th Social Study of ICT workshop (SSIT7) at LSE
http://www.lse.ac.uk/collections/informationSystems/newsAndEvents/2007events/SSIT7.htm

Draft programme

The Information Systems Group will host the seventh annual Social Study of ICT (SSIT7) workshop on 19 and 20 March 2007.

Identity is a key issue for business and government today. Private and public sector are both developing technologies that track physical persons, their movements, financial transactions, health. In the name of security citizens are being asked to accept from the state intrusions on their privacy undreamt of just a few years ago, while the marketing strategies of corporate enterprise rely on powerful profiling that leaves millions of consumers with nowhere to hide. Is there a correct balance between security and privacy? Can technological intrusion into personal spheres be sustained in a democratic society? What does the future hold for identity?

This workshop offers an opportunity to engage with leading researchers and professionals in the identity, security and privacy area, to be informed of developments and to debate these contemporary issues. Regular updates on the event will appear here. There is no charge for attending the workshop and refreshments will be provided.
If you have any questions or comments, please email Stella Mandehou, Research Coordinator.

To help us with our planning and to secure a place please download an application form:
* Form as word document for completion online and return by email
* Form as acrobat pdf document for printing and return by fax or mail

The workshop will be followed by the third SSIT Open Research Forum on 21 and 22 March.

From rforno at infowarrior.org Sat Feb 24 22:22:40 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 24 Feb 2007 22:22:40 -0500
Subject: [Infowarrior] - SWIFT sides with US in data spat with EU
Message-ID:

SWIFT sides with US in data spat with EU
Safe Harbor - safe from storm?
By Mark Ballard
Published Saturday 24th February 2007 23:06 GMT
http://www.theregister.co.uk/2007/02/24/swift_safe_harbour/

The Belgian firm stuck in the middle of a transatlantic spat over the US infringement of civil liberties by the agents of its war on terror is throwing its lot in with the Americans.

In open defiance of European privacy officials, the Society for Worldwide Interbank Financial Telecommunication (Swift), has declared that it has applied to the US Federal Trade Commission (FTC) for 'safe harbour' protection for the data it holds on US soil.

Swift had handed data containing the details of private international financial transactions to US terrorist finance investigators under a secret arrangement since late 2001. Since the transfers came to light last June, Europe's data protection authorities have declared that Swift is a data controller and, as such, it should take responsibility for the privacy of the data it administers for its banking clients. Swift claims it is not a controller, but a mere processor and cannot be held responsible for what European authorities say is the illegal transfer of data to US Treasury agents.
A Swift spokesman told The Register: "We are working on what the Americans call safe harbour to make SWIFT comply with EU legislation - that is a process Swift has started with the US government."

"We have received confirmation that we come under the distinction of the FTC and we are therefore eligible for safe harbour," he said.

"The reason we are doing this is to address the claims from the data protection commissioners that Swift is a controller of the data. Our interpretation of the law was that we are a processor," he said.

Another point of contention between Swift and the European authorities is whether it is a financial organisation. Swift maintains that it is a mere messaging service, as it only handles messages that facilitate the international transactions of banks. Hence, it can apply for safe harbour.

If the FTC has indeed told Swift it is eligible for safe harbour protection, that could imply that it also accepts its assertion that it is a mere messaging service - financial institutions are not eligible for safe harbour. Yet the Europeans maintain that Swift is a financial institution. Accordingly, the spokesman said this was a "really, really complex" legal matter - "it's like splitting hairs in four".

An officer of one of the European data protection offices said he knew that Swift was considering safe harbour, but that it wouldn't be enough to satisfy the authorities: "Safe harbour makes data safe once it's transferred, but it doesn't make the transfer legitimate."

According to European regulators, the only way for Swift to avoid infringing data protection law would be to pull its data out of the US.

Meanwhile, both sides insist they want to work together to find a solution and they are pinning their hopes on the US and EU agreeing an overarching instrument that would satisfy both anti-terror investigators on the West-side of the pond and data protection wonks on the East.

The FTC was not available for comment.
From rforno at infowarrior.org Sat Feb 24 22:38:20 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 24 Feb 2007 22:38:20 -0500
Subject: [Infowarrior] - Homeland Security Funding 'Pork' Under Fire
Message-ID:

http://www.cnsnews.com/ViewPolitics.asp?Page=/Politics/archive/200702/POL20070223b.html

Homeland Security Funding 'Pork' Under Fire
By Fred Lucas
CNSNews.com Staff Writer
February 23, 2007

(CNSNews.com) - In 2005, Kentucky won a $36,300 grant from the Department of Homeland Security to protect bingo halls from terrorist infiltration, and last year, the federal government granted $46,908 in homeland security funds to protect a limo and bus service that transports New Yorkers to the affluent Hamptons region in Long Island.

In 2004, five days before Christmas, the government announced a $153 million homeland security grant to provide food and shelter for the homeless, and in the last fiscal year, $15.7 million in homeland security funds went for enforcement of child labor laws.

While spending government money on questionable projects isn't especially unusual in Washington, some government watchdogs and other groups say homeland security money should be off limits for pork barrel spending.

"Money spent on these projects is money not spent on something we need," Veronique de Rugy, a research fellow at the American Enterprise Institute, told Cybercast News Service. The AEI issued a report last year concerning wasteful homeland security spending.

In many cases, Congress earmarks spending, while in others, the DHS has discretion in allocating state and local grants. "Congress appropriates to us and directs us how to spend the money," DHS spokeswoman Erin Streeter told Cybercast News Service.

DHS spending priorities are in the spotlight as members of Congress debate shifting to a "risk-based" funding formula. Advocates say this would reduce the spending of anti-terror dollars on projects that have little to do with homeland security.
Under current law, the DHS must give each state 0.75 percent of the overall pie of grants. This formula allows Wyoming to get about $37.94 per capita, while California gets about $5 per capita in DHS grants, according to Citizens Against Government Waste, a group that chronicles federal spending. The House last month passed a bill that would reduce the minimum required grant to each state to 0.25 of the entire grant pool. For certain high risk states - such as New York and California - the minimum would be 0.45 percent. Meanwhile, the Senate Homeland Security and Government Affairs Committee last week passed a proposal for $3.1 billion over the next three years to be distributed based on a location's vulnerability to a terror attack. "The 9/11 Commission has told us that we must provide homeland security grants to states and cities based on risk and not pork-barrel formulas," said House Homeland Security Committee Chairman Rep. Bennie Thompson (D-Miss.) in a statement on the recent House bill. "The bill meets that recommendation." Changing the formula is a step in the right direction, David Williams, vice president for policy at Citizens Against Government Waste, told Cybercast News Service. "It looks like this legislation would go a long way in fixing the formula," Williams said. "Every state is a potential target, but you have to look at high density targets." Still, changing the formula doesn't mean there won't be any waste, fraud and abuse, Williams said, as long as Congress can still allocate homeland security money to projects that don't pertain to fighting terror. 
Other projects found in the DHS Fiscal Year 2006 budget that appeared to have little to do with fighting terrorism were:

* $102,000 for the promotion of public awareness of a child pornography tip line;
* $203,000 for Project Alert, a drug use prevention program in schools;
* $7.9 million in homeland security funds went to investigate missing and exploited children;
* $900,000 to the Steamship Authority that runs ferries to Martha's Vineyard in Massachusetts;
* $180,000 for a tactical urban combat truck with similar armor to a military Humvee in LaCrosse, Wis.

Such expenditures are less likely, said de Rugy, if strict risk-based guidelines are imposed. "If the minimum grants are reduced, low risk states will get much less," she said.

In the case of local grants, the Martha's Vineyard ferry and the Hampton Jitney, Inc. bus line both qualified for grant money based on the large number of passengers they carry each year, said Streeter.

The Kentucky bingo hall money was granted on the basis of that state's law enforcement agencies wanting to establish a program to prevent money laundering through gambling rings with terrorist ties, she said. However, Kentucky never found a qualified person to conduct the training for the bingo hall program, so the money will likely be relocated.

The grant for Kentucky's bingo halls is a classic example of how grants are not allocated based on risk, critics say. "There was no objective assessment that found a higher risk of terrorist infiltration in Kentucky's bingo halls than other types of employment," argued an article in Wastewatcher, the magazine of Citizens Against Government Waste.

From rforno at infowarrior.org Sun Feb 25 11:46:38 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 25 Feb 2007 11:46:38 -0500
Subject: [Infowarrior] - As Bush's ID Plan Was Delayed, Coalition Formed Against It
Message-ID:

As Bush's ID Plan Was Delayed, Coalition Formed Against It
By Spencer S. Hsu and Darryl Fears
Washington Post Staff Writers
Sunday, February 25, 2007; A08
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/24/AR2007022401407_pf.html

Inspired by the Sept. 11, 2001, attacks, a sweeping federal law to tighten security requirements for driver's licenses is in jeopardy of unraveling after missteps by Congress and the Homeland Security Department, analysts and lawmakers said.

While Washington has delayed implementing it, a rebellion against the program has grown. Privacy advocates say the effort could create a de facto national ID card. Meanwhile, state officials charge that complying with federal requirements will cost $11 billion and potentially double fees and waiting times for 245 million Americans whose licenses would have to be reissued starting next year.

The issue threatens to turn into a partisan fight. The White House expects to release its driver's license plan, Real ID, this week and has warned congressional critics not to thwart or further delay a program that was recommended by the Sept. 11 commission.

"If we don't get it done now, someone's going to be sitting around in three or four years explaining to the next 9/11 commission why we didn't do it," Homeland Security Secretary Michael Chertoff told the Senate's Homeland Security Committee on Feb. 13.

Critics in both parties will try to delay the launch of the program by offering an amendment to legislation that Senate Democrats are pushing to implement remaining changes suggested by the Sept. 11 commission. Sen. Joseph I. Lieberman (I-Conn.), chairman of the homeland security panel, said in a statement that Real ID may not provide real security and that it is opposed by states "because it is overly burdensome, possibly unworkable, and may actually increase a terrorist's ability to commit identity theft."
The White House plan, which has been in the works for two years and will take effect in May 2008, standardizes information that must be included on licenses, including a digital photograph, a signature and machine-readable features such as a bar code. The new rules also will spell out how states must verify applicants' citizenship status, check identity documents such as birth certificates and cross-check information with other states and with Social Security, immigration and State Department databases. Only complying IDs can be used for federal purposes such as boarding airplanes or entering government buildings. The law is "vital for the protection of the country," said former New Jersey governor Thomas H. Kean Jr., co-chairman of the Sept. 11 commission. "You can't have 30 different methods of identification to get in and out of the country . . . many of them easily forged, and expect to keep the bad guys out." All but one of the Sept. 11 hijackers acquired, legitimately or by fraud, IDs that allowed them to board planes, rent cars and move through the country. Tightening U.S. identification requirements was a focus of both the Sept. 11 commission and the Markle Foundation's earlier bipartisan task force on terrorism. Markle, a New York think tank, focuses on technology policy. But concern has mounted over Real ID's cost, practicality and impact on privacy and travel. The National Governors Association calls Real ID an $11 billion unfunded mandate. States say the federal government, not license holders, should pay the tab. It wants up to 10 years for states to enact laws, pass budgets, develop technology, hire staff members and educate the public to phase in changes. Last month, Maine's lawmakers voted to stop the initiative, saying it would cost $185 million -- six times the Maine Bureau of Motor Vehicles' annual budget. Measures are pending in at least 21 states to oppose or question the law. 
Matthew Dunlap, Maine's secretary of state and head of the bureau, said the message from the lawmakers was: "We don't care if you give us bags of money. We don't want it." An unusual and powerful alliance of civil liberties groups and libertarian groups important to the political bases of both parties has also mobilized. They describe Orwellian scenarios in which Real ID integrates nationwide databases storing personal information without adequate security safeguards, and they ask who will own and control access to the system. "Real ID is a real nightmare," said Barry Steinhardt, director of the ACLU's Program on Technology and Liberty. "No one should be fooled that just because the data resides in 50 different states it's not all functionally one big database, because all the data is linked together." Steinhardt said he fears that private companies that demand to check driver's licenses for commercial purposes could sell unencrypted data they get from the licenses to big data brokers. Means to prevent that could be even more costly and raise other security risks. There are other worries. If Maine wants to include gun-permit information on its driver's licenses, Dunlap asked, will a Maine gun owner whose ID is swiped in a traffic stop in another state face extra scrutiny? Practical problems also loom. Computer systems that would let state workers electronically verify birth certificates, Social Security numbers or citizenship status do not yet exist, Dunlap said, calling them "science fiction." Sen. Susan Collins (R-Maine), ranking Republican on Lieberman's panel, and Rep. Tom Allen (D-Maine) are seeking to delay or repeal Real ID and let security experts, privacy advocates and the states renegotiate the rules. That is what Congress started to do in 2004. But in 2005, Rep. F. James Sensenbrenner Jr. 
(R-Wis.), then chairman of the Judiciary Committee, rewrote the law to keep illegal immigrants from getting licenses and to let the Homeland Security Department define the rules for the program. "If that process had been allowed to finish, we would have been done by now," said David Quam of the National Governors Association. Instead, work bogged down in the overstretched department, whose top officials failed at first to give it enough attention, current and former officials said. Stewart A. Baker, assistant homeland security secretary for policy, defended the department's effort: "We've moved this as fast as possible given the importance of the issue to so many different constituencies." Michael E. O'Hanlon, a senior fellow at the Brookings Institution, blamed the administration and the previous Congress for squandering the consensus on security that formed after Sept. 11. "It's a very badly mishandled case overall of a homeland security reform that was logical, important and yet not sufficiently promoted at the right time," O'Hanlon said. "We've lost the sense of urgency." Staff writer Ellen Nakashima contributed to this report. From rforno at infowarrior.org Sun Feb 25 18:51:54 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 25 Feb 2007 18:51:54 -0500 Subject: [Infowarrior] - Surveillance Cameras Get Smarter Message-ID: Surveillance Cameras Get Smarter Sunday February 25, 2:05 pm ET By Stephen Manning, Associated Press Writer http://biz.yahoo.com/ap/070225/smart_surveillance.html?.v=1 COLLEGE PARK, Md. (AP) -- The next time you walk by a shop window, take a glance at your reflection. How much do you swing your arms? Is the weight of your bag causing you to hunch over? Do you still have a bit of that 1970s disco strut left? Look around -- You might not be the only one watching. The never-blinking surveillance cameras, rapidly becoming a part of daily life in public and even private places, may be sizing you up as well. 
And they may soon get a lot smarter. Researchers and security companies are developing cameras that not only watch the world but also interpret what they see. Soon, some cameras may be able to find unattended bags at airports, guess your height or analyze the way you walk to see if you are hiding something. Most of the cameras widely used today are used as forensic tools to identify crooks after-the-fact. (Think grainy video on local TV news of convenience store robberies gone wrong.) But the latest breed, known as "intelligent video," could transform cameras from passive observers to eyes with brains, able to detect suspicious behavior and potentially prevent crime before it occurs. Surveillance cameras are common in many cities, monitoring tough street corners to deter crime, watching over sensitive government buildings and even catching speeders. Cameras are on public buses and in train stations, building lobbies, schools and stores. Most feed video to central control rooms, where they are monitored by security staff. The innovations could mean fewer people would be needed to watch what they record, and make it easier to install more in public places and private homes. "Law enforcement people in this country are realizing they can use video surveillance to be in a lot of places at one time," said Roy Bordes, who runs an Orlando, Fla.-based security consulting company. He also is a council vice president with ASIS International, a Washington-based organization for security officials. The advancements have already been put to work. For example, cameras in Chicago and Washington can detect gunshots and alert police. Baltimore installed cameras that can play a recorded message and snap pictures of graffiti sprayers or illegal dumpers. In the commercial market, the gaming industry uses camera systems that can detect facial features, according to Bordes. Casinos use their vast banks of security cameras to hunt cheating gamblers who have been flagged before. 
In London, one of the largest users of surveillance, cameras provided key photos of the men who bombed the underground system in July 2005 and four more who failed in a second attempt just days later. But the cameras were only able to help with the investigation, not prevent the attacks. Companies that make the latest cameras say the systems, if used broadly, could make video surveillance much more powerful. Cameras could monitor airports and ports, help secure homes and watch over vast borders to catch people crossing illegally. Intelligent surveillance uses computer algorithms to interpret what a camera records. The system can be programmed to look for particular things, like an unattended bag or people walking somewhere they don't belong. "If you think of the camera as your eye, we are using computer programs as your brain," said Patty Gillespie, branch chief for image processing at the Army Research Laboratory in Adelphi, Md. Today, the military funds much of the smart-surveillance research. At the University of Maryland, engineering professor Rama Chellappa and a team of graduate students have worked on systems that can identify a person's unique gait or analyze the way someone walks to determine if they are a threat. A camera trained to look for people on a watch list, for example, could combine their unique walk with facial-recognition tools to make an identification. A person carrying a heavy load under a jacket would walk differently than someone unencumbered -- which could help identify a person hiding a weapon. The system could even estimate someone's height. With two cameras and a laptop computer set up in a conference room, Chellappa and a team of graduate students recently demonstrated how intelligent surveillance works. A student walked into the middle of the room, dropped a laptop case, then walked away. On the laptop screen, a green box popped up around him as he moved into view, then a second focused on the case when it was dropped. 
After a few seconds, the box around the case went red, signaling an alert. In another video, a car pulled into a parking lot and the driver got out, a box springing up around him. It moved with the driver as he went from car to car, looking in the windows instead of heading into the building. In both cases, the camera knew what was normal -- the layout of the room with the suspicious bag and the location of the office door and parking spots in the parking lot. Alerts were triggered when the unknown bag was added and when the driver didn't go directly into the building after parking his car. Similar technology is currently in use by Marines in Iraq and by the subway system in Barcelona, according to ObjectVideo, a Reston, Va., firm that makes surveillance software. ObjectVideo uses a "tripwire system" that allows users to set up virtual perimeters that are monitored by the cameras. If someone crosses that perimeter, the system picks it up, sends out an alert, and security staff can determine if there is a threat. Company spokesman Edward Troha predicts the technology, currently designed primarily to protect borders, ports and other infrastructure, could be adapted to help prevent retail theft or guard private homes. The Jacksonville Port Authority uses ObjectVideo software as part of its security measures to watch the perimeter of the Florida port that handles 8.7 million tons of cargo and thousands of cruise ship passengers each year. The surveillance system sends real-time video from anywhere at the port of possible intruders to patrol cars. Still, industry officials say the technology needs to improve before it can be widely used. There are liability issues, such as if someone is wrongly tagged as a threat at an airport and misses a flight, said Bordes. Troha warns humans are still essential to intelligent video, to tell, for example, if a person in a restricted area is a danger or just lost. 
And the cameras can only see so much -- they can't stop some threats, like a bomber with explosives in a backpack. They can't see what you are wearing under your jacket -- yet. "That is an eventual goal, but we're not there yet," said Chellappa.

From rforno at infowarrior.org Sun Feb 25 18:54:52 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 25 Feb 2007 18:54:52 -0500
Subject: [Infowarrior] - Tech: 10 Things Your Blogger Won't Tell You
Message-ID:

10 Things Your Blogger Won't Tell You
http://www.smartmoney.com/10things/index.cfm?story=march2007&afl=yahoo&pgnum=2
By Daniel Cho
February 22, 2007

1. "Hardly anybody reads me." If you believe the hype, blogs -- those online journals where people write about everything from politics and sports to their personal lives -- will soon be the only thing most people read. Indeed, the blogging phenom, which blossomed from modest beginnings almost a decade ago, seems unstoppable: Three years ago there were two million blogs on the web, according to blog search engine Technorati; today there are more than 60 million. But the reality behind the stats is that most blogs get few hits. The most popular do boast huge followings -- tech-news site Engadget, for one, has more readers than most print newspapers and magazines. But beyond the elite few, it drops off significantly -- the top 25 blogs account for roughly 10% of blog readership, according to web-traffic measurement firm ComScore. To be fair, most bloggers aren't seeking a big audience. "The pleasure of blogging is in forming a sense of intimacy readers and fellow bloggers can enjoy," says Rachel Bray, whose Babayaga.ca gets a few hundred hits a day. So what's the norm? Google CEO Eric Schmidt told a recent gathering of U.K. politicians that the average blog has just one reader: the blogger.

2. "The more companies pay me, the more I like their stuff."
Companies looking for ways to profit from the blogging phenomenon have tried everything from buying ad space on blogs to infiltrating discussion forums with hired PR shills. They've even created fake blogs to hawk their products. In December, Sony went live with AllIWantforXmasIsaPSP.com, a "blog" by two fictitious teenagers clamoring to get a PlayStation Portable for Christmas. The site, which contained videos and strained attempts at youth slang, was quickly exposed as a fraud. "It was designed to be humorous," says a Sony spokesperson. "It didn't come across as intended." When such tactics aren't enough, companies will even pay bloggers to praise their products. In 2006, Florida outfit PayPerPost sparked controversy by offering to connect advertisers with bloggers willing to drop a company's name into their daily scribbles for a fee (between $4 and $40 per mention). The practice was quickly denounced as online payola, and in December, the Federal Trade Commission weighed in, ruling that word-of-mouth marketers must disclose their sponsorship. Says PayPerPost CEO Ted Murphy, "We're trying to strike a balance that makes everybody happy."

3. "Did I mention I'm not a real reporter?" With major newspapers including "The Washington Post" routinely hosting blogs for columnists and reporters, blogging is gaining credibility. But beware: Even those associated with mainstream news outlets aren't subject to the same prepublication safeguards -- editing, fact-checking, proofreading -- that print publications use. With blogs "we're shifting to this world where we're publishing first and editing later," says Jeff Jarvis, a journalism professor at the City University of New York and author of the blog BuzzMachine. While more than one-third of bloggers consider their work a form of journalism, their news-gathering consists largely of borrowing content and posting links to traditional news sources, along with some added commentary.
What's more, bloggers don't face the same consequences as journalists for getting it wrong: In a recent libel case against a woman who posted a critical letter about two doctors, the California Supreme Court ruled that those who post content from other sources aren't liable for defamation. In other words, bloggers are off the hook so long as they aren't the original author of the mistake.

4. "I might infect your computer with a virus." Most web surfers know better than to click on a link promising free money or a trip to the Bahamas. But blogs can contain malicious code just like any other site. Social-networking hub MySpace, for example, which hosts about one in 10 blogs online, suffered several high-profile attacks last year. In December hackers altered hundreds of thousands of MySpace user profiles; the doctored pages directed viewers to a scam site that elicited log-in names and passwords. Another tactic involves targeting innocent blogs and inserting malicious links into the reader comment section -- one click and your computer could be infected. Allysa Myers, a virus-research engineer at security-software maker McAfee, says researchers now see such attacks, which first appeared less than a year ago, almost daily. Keeping your operating system, browser and security software updated may help contain the damage, but the responsibility is partly that of web site operators, who need to put proper filters in place so rogue users can't upload bad content. The bottom line for readers: "If you don't know the person doing the linking, don't click on it," Myers says.

5. "I'm revealing company secrets." When Mark Jen started working at Google in 2005, he was so excited about his new job that the newly minted associate product manager started a blog about it, describing orientation meetings, comparing Google's pay and benefits package with that of his past employer, and recounting a company ski trip.
Though Jen revealed nothing earth-shattering, his blog soon drew an audience eager for a peek inside the tight-lipped firm. Two weeks later Jen was fired. He isn't sure just what he wrote that prompted his dismissal, but "was told somebody at the top wanted me gone," Jen says. (Google had no comment on the matter.) Indeed, companies are only now beginning to realize that employee blogs can be a threat to information security; so far just 7% of firms have policies on personal blogs, according to a survey from the American Management Association and ePolicy Institute. But that doesn't mean you can blog with abandon. "Don't piss off your boss," says Robert Scoble, author of "Naked Conversations: How Blogs Are Changing the Way Businesses Talk With Customers." Ask about your employer's stance on blogs and what subject matter is out of bounds before ever typing a word.

6. "Just because my name's on it doesn't mean I wrote it." In 2005 New York City mayoral candidate Fernando Ferrer's web log mentioned he'd attended public schools; in fact, Ferrer received most of his education in private Catholic schools. When confronted with the error, his campaign admitted the blog was written by a staffer. Ferrer's predicament was hardly unusual: Politicians, business leaders and other public figures routinely employ ghostwriters to produce books, speeches and, more recently, blogs. One survey conducted by PR consultant David Davis found that only 17% of CEOs who blog do all their own writing. However common it is, "ghost blogging" remains controversial. "It's a perversion of the real meaning of blogging, which is to put yourself out there," says Debbie Weil, author of "The Corporate Blogging Book." But not everybody agrees the practice is tantamount to lying. Ed Poll, a law firm management consultant and author of LawBiz Blog, thinks ghost blogging is fine. "I don't think anyone who reads a post should care whether the name on it belongs to the writer," Poll says. "If you believe everything you read, then shame on you."

7. "My blog is just a stepping stone to bigger and better things." In some blogging circles, scorn for the mainstream media, or "MSM," is a virtual religion. Nonetheless, many bloggers have proven eager to join it when the opportunity arises. Melissa Lafsky, author of the popular Opinionistas blog, was stressed and unhappy as a young lawyer in New York City. As a kind of therapy, she began chronicling daily life at her firm, relating tales of tyrannical partners and sleepless, embittered young associates, being careful not to reveal her identity. Her blog soon built a following, gaining mentions in The New York Times and Slate.com. Eventually, a literary agent came calling, and Lafsky quit her job to write professionally. "I'd be getting coffee in some newsroom if not for the Internet," she says. Indeed, bloggers are using their medium to pursue jobs in all sorts of industries. Seeking a spot at Provo Labs, Utah resident Carolynn Duncan created "Why Provo Labs Wants to Hire Carolynn Duncan," a blog detailing her qualifications to work for the startup incubator. "It was kind of a flippant idea," Duncan admits, but it worked -- after approaching a company exec at a community dinner and handing him her business card listing her blog's address, Duncan scored an interview and got the job.

8. "I can control what you see on the Internet." When search engines like Google calculate their search results -- the list you get when you type in specific words -- one of the biggest factors in determining order is the number of other sites that link to a given web page. The reasoning goes that it's a good measure of how useful the content of a web site is to readers -- and it often works in favor of blogs. "There's no special boost in our algorithm for blogs," according to a Google spokesperson, "but as part of their nature [for example, routinely providing fresh content], people may link to and from blogs more often."
Knowing how to game the system, some bloggers will use the power of links to get ahead on search-result lists. Kansas lawyer Grant Griffiths started the Kansas Family Law Blog in 2005 to promote his practice. By posting two or three times a day, he says, he soon brought his blog near the top of the list for search terms like "Kansas law" and "divorce lawyers." Within 30 days Griffiths started attracting new business and now gets two to three new cases per week because of his high-visibility blog. Bloggers don't just use links to promote themselves; they can also manipulate search results to make their enemies look bad. In a practice known as "Google bombing," a coordinated group of bloggers can boost a site's ranking using negative key words. Such was the case in 2003, when enough bloggers linked to George W. Bush's official White House biography page using the words "miserable failure" to make it No. 1 on the list for a Google search of those words.

9. "Blogging just about ruined my life." In 2004 Oregon resident Curt Hopkins was getting ready to fly to Minnesota for a job interview at a radio station. But before he got on the plane, the station canceled the meeting. The reason? His blog, Morpheme Tales. Hopkins had made some harsh remarks in it about the Catholic Church a few weeks before the scheduled interview, remarks he suspects sank his chances of getting hired. Hopkins says he stands by his words, but plenty of people end up regretting a rash posting they didn't expect anyone to read. In a notorious 2006 incident, the entire Northwestern University women's soccer team was suspended for a month after photos of their drinking and risqué hazing rituals were discovered online and publicized by the sports blog BadJocks.com. If you want to blog but still value some measure of privacy, try using one of several blog-hosting services -- including Vox, WordPress or Google's Blogger -- that allow you to limit your audience to a select group of your choosing.

10. "I'm already obsolete." How long can the blog bonanza last? There are already signs of a slowdown: The growth rate of blogs let up for the first time in third-quarter 2006, and overall daily postings fell to 1.3 million in September from 1.6 million in June, according to Technorati. "There's a certain faddish quality to what's going on," says technology writer Nicholas Carr. "We're probably at or near the peak of popularity of writing blogs." But that's only a part of the story; indeed, blogs have begun evolving into a multimedia phenomenon. It's now fairly cheap and easy to record video and post it as a video blog, or "vlog." And together with podcasts -- audio recordings posted online -- the number of video blogs has surged, from 4,000 just a year ago to more than 22,000 today, according to vlog directory Mefeedia. At its core blogging has always been about showing oneself to the world; with the advent of user-friendly voice and video technology, that idea is becoming more literal every day.

URL for this article: http://www.smartmoney.com/10things/index.cfm?story=march2007

From rforno at infowarrior.org Mon Feb 26 09:23:15 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Feb 2007 09:23:15 -0500
Subject: [Infowarrior] - Windows for Warships nears frontline service
Message-ID:

Original URL: http://www.theregister.co.uk/2007/02/26/windows_boxes_at_sea/

Windows for Warships nears frontline service
By Lewis Page
Published Monday 26th February 2007 12:15 GMT

Analysis

Everyone knows the differences between Windows and other operating systems. Steve Jobs has recently spent colossal sums telling us that most malware is written for Windows; also that using Windows is no fun and, even worse, seems to involve wearing a tie. Those acquainted with the more foam-lipped Linux fanciers will also be familiar with the position that Windows use is morally corrupt, indicative of sexual perversion, and causes cancer.
A lot of customers keep buying from Microsoft, however. One may want to deploy a particular kind of hardware, perhaps used only by a few organisations. It may well be that you can only get the associated software from the hardware maker, and the vendor in question doesn't provide anything other than Windows-based machines. One type of hardware where this is happening more and more is warships. This shift has already been heavily criticised (http://www.theregister.co.uk/2004/11/05/mod_oks_win2k_warships/). Nonetheless, BAE Systems subsidiary Insyte, the UK's sole provider of warship command systems, has decided to standardise on Win2k (this was during the company's former incarnation as AMS).

[Image: Type 45 Destroyer]

The Type 45 destroyers now being launched (http://thescotsman.scotsman.com/index.cfm?id=122192007) will run Windows for Warships: and that's not all. The attack submarine Torbay has been retrofitted with Microsoft-based command systems, and as time goes by the rest of the British submarine fleet will get the same treatment, including the Vanguard class (V class). The V boats carry the UK's nuclear weapons and are armed with Trident ICBMs, tipped with multiple H-bomb warheads. All this raises a number of worrying issues. First up is basic reliability and usability. Most of us have stared in helpless despair at the dreaded blue screen; how much worse would you feel if that wasn't just your desktop gone but your combat display, and it really was the screen of death? Surely we can't have our jolly tars let down by possibly untrustworthy, difficult to use kit such as Windows? Especially when you reflect that cost is not an issue. When you're buying destroyers at £1bn per hull, the price difference between 26 PCs and the same number of Sun workstations barely shows up.

Big step forward

All that may be so. However, the sad fact is that Windows will probably be a big step forward for the Royal Navy (RN).
Anyone who has spent time in an RN warship is entirely accustomed to seeing equipment on which he may depend for his life occasionally throw a double six for no good reason. Windows may be unreliable, but it's hard to imagine it being as failure-prone as the kit which is out there already. Again, Windows platforms may be troublesome to maintain, but most civilian sysadmins simply wouldn't believe the resources the navy can throw at problems. A present-day Type 42 destroyer carries at least four people who have absolutely nothing else to do but care for the ship's command system. As of just a few years ago, this was still a pair of antique 24-bit, 1MHz machines each with about 25KB of RAM. Two of the seagoing sysadmins will be senior technicians with at least five years' expensive general training and months of courses specifically tailored for the kit they are minding now. Their assistants will be less skilled, but still useful. They can take care of drudgery -- minor bumf, safety checks, making tea -- freeing the real techs for serious work. And the on-board team would seldom be expected to cope with anything as complex as a software update. That would be done in harbour by more advanced specialists, probably including vendor reps. Nor do the combat sysadmins get lumbered with general IT desktop support; there are other people to do that, also lavishly trained. If any organisation can keep Windows functional, it's Her Majesty's navy. There may also be perfectly valid criticisms to be made regarding Windows usability. When triggering missile decoys with seconds to spare, one doesn't need a superfluous pop-up box saying "Do you want to use soft kill?" with "Confirm" and "Cancel" buttons. But this kind of thing isn't going to faze you if you're used to entering instruction sets such as "PE L5414.10N L00335.67E R6000 TMDA [INJECT]" from memory without backspace or delete. During combat, mind.
The one group of users to whom Windows 2000 might look pretty marvellous are RN warfare operators. In fact, the navy is easily impressed by almost any modern technology. As another example, the RN is only today getting used to the avant-garde notion of display screens which can be read with the lights on. Her Majesty's warships still have a lot of crazy old circular-sweep CRTs -- essentially, modified 1940s-style radar scopes -- whose image is so dim they can only be used in darkness. On the bridge during daylight you often need a hood or blackout curtains just to check the radar. Many of these aged displays have refresh rates measured in deciseconds, not milliseconds. To this very day, RN navigators typically have to track the ship's position in pencil on a paper chart. There is normally no moving-map display of the sort found in every merchant ship -- or even minicab. The results of this luddism are often expensive (http://news.bbc.co.uk/1/hi/england/hampshire/dorset/3051451.stm) and embarrassing (http://news.bbc.co.uk/1/hi/uk/920457.stm). Customers like this aren't going to be very critical of even the most unimpressive kit. The RN will likely be very chuffed with its huge leap forward to Win2k, though many of Microsoft's civilian customers will be three operating systems down the road by the time the Type 45s join the fleet. So reliability, usability and maintainability may not be an issue, at least not for these benighted end-users. But what about security? An enemy will find it difficult to exploit a brief, random system crash aboard a warship, as he won't be able to predict it. But downtime caused by malware could well be predictable and/or persistent, giving all sorts of openings to the opposition. Worse, malware can do more than knock systems down. It can extract information and potentially send it elsewhere. It can insert spoof data.
Worst of all, it could potentially take control of hardware directly, raising the spectre of weapons being fired at the direction of an evilly-disposed black hat.

[Image: Trident Submarine]

The nuclear-armed Vanguard-class boats, perhaps naturally, tend to cause the most worry in this context: "Of more concern to Windows detractors than the fitting of Type 45s was the news from AMS [that] it was conducting early development work for retrofitting [Win2k] to the Royal Navy's Vanguard-class submarines," Richard Smedley said in LXF (pdf) (http://www.linuxformat.co.uk/pdfs/LXF64.pro_war.pdf). Paradoxically, perhaps, this is not true. The V-boats are actually one of the less bothersome cases. To be sure, bot-controlled nukes would be bad news, but it isn't really possible. Submarine warfare in general and deterrent patrols in particular aren't a worrying environment for network security. Nuclear-propelled submarines -- especially Trident ones -- spend almost all their sea time underwater. The standard UK means of communication with a submerged boat is VLF radio from a single massively secure shore transmitter (http://www.visitcumbria.com/car/anthorn.htm). It is shore-to-ship only, and extremely low bandwidth (say 300 baud). Even this vanishingly thin, one-way, inaccessible pipe isn't always there, and it isn't directly connected to the sub's command system anyhow. Of course, there are other ways than networks for malware to arrive, but the command system of a V-boat isn't going to have USB slots or optical drives. Furthermore, nobody has ever gained unauthorised access to the interior of an ICBM sub. Peaceniks with time on their hands have reached the outer casing (http://www.tridentploughshares.org/article378), though the boat in question was unarmed and de-fuelled at the time.
People more dangerous than the disarmament hippies (http://weblog.greenpeace.org/makingwaves/archives/2006/05/brian.html) have never yet bothered with such capers, perhaps because one can't achieve much once inside. Even bearing all this in mind, it is still possible that a V-boat might one day suffer from malware in its command system. However, the command system never gets any control over the nukes unless the prime minister has decided to launch them. One-time-pad messages have to be sent and read by live people, physical keys have to be turned by human hands. There are many chances to abort. There isn't any rush or hurry - that's the whole point of sub-launched nukes, after all. You don't need to sweat about an incoming counter-force strike, you don't need to get your shot off first. Submarine strategic weapons are not a time-critical application.

Against all odds

And remember, this is already a highly disastrous, very statistically rare event we're discussing. Somebody's getting nuked here by UK weapons designed and intended for second-strike use, which suggests that a lot of Reg readers are already dead. Frankly, a slim chance of technical delays to the retribution doesn't seem worth losing sleep over. If somebody needs nuking, they'll get nuked sooner or later. Even supposing there's a noticeable risk of the submarine's weapons being permanently disabled, it still doesn't matter. If the UK is launching its nukes at all, they've already failed to achieve their purpose. Far from needing five-nines reliability, a strategic deterrent only really requires, say, 90 per cent assurance that it will function. That's quite enough to deter anyone who can be deterred. You'd need to be a very odd enemy to say: "What's that? The UK's nukes have only 90 per cent reliability due to running on Windows? Well let's attack Blighty then. A one-in-ten chance of not being vapourised by the response sounds good to me."
[Image: Trident Missile launched from sea]

In theory, an unbelievably puissant black hat in the pay of Dark Forces might manage to write specialist malware that could reliably direct or sabotage the weapons rather than just crash the system. This code could perhaps fire our Tridents at the UK, or an ally, or relatively harmlessly into the sea -- without the sub's crew noticing and aborting the launch. Somehow, this uber-malware might be introduced into a V-boat command system and survive undetected until the government decided to nuke someone and the weapons releases were unlocked. A nuclear-armed enemy might be so entirely confident of all this that he might seize the chance to wipe out Britain, happy in the knowledge that there would be no response. We're starting to search really hard for things to panic about here. It would make more sense to worry about a rogue sub crew -- or, likelier, a rogue prime minister. Anyway, an agency with the resources for such an attack would be equally capable of doing it to a Linux box. So the presence of Windows in the Trident boats isn't of great concern. However -- again for hardware reasons -- it is reasonable to be worried about the Type 45 destroyers, despite the lesser power of their weapons. This is because the Type 45s are air-defence ships. They are intended to shoot down incoming ship-killer missiles such as the Russian Moskit (http://www.globalsecurity.org/military/world/russia/moskit.htm), known to NATO as "Sunburn". A Sunburn flies low above the waves, so it doesn't appear over the horizon until it's quite near the defending destroyer. The entire design of the Type 45 is devoted to getting its fire-control radar as high above the waterline as possible in order to see the missiles further off, but even so it is only 30 metres up. A radar is a heavy object, and putting heavy stuff high up in a ship tends to make it capsize. Thus, a Type 45 can't expect to acquire a sea-skimmer at ranges much greater than 20 miles.
The Sunburn is better than Mach 2, and can hit the destroyer perhaps 30 seconds after appearing on radar -- and that's game over for 200 British sailors. This means the Type 45's combat system needs to go from acquisition to kill in well under 30 seconds -- we don't want supersonic debris pelting the ship. During that time an Aster counter-missile must launch vertically from its silo, tip over, accelerate to Mach 3-plus, and bullseye the Sunburn head-on at a closing speed in excess of Mach 5. There is no margin whatsoever for a bored human being to spill his tea, assess what's happening, and decide whether or not to approve weapons launch. This really is a time-critical application. One might say at this point "why on earth doesn't the navy just use radar aircraft, 30,000 feet up? Then they could detect sea-skimmers hundreds of miles out, and fighters could nail them easily from behind. They could probably spot the planes or ships bringing the pesky things, and take them out from above before the shipkillers were even launched. Why would you ever spend £6bn trying to shoot these things down in the most difficult imaginable way, at the very last possible moment?" To which the honest answer might be "we in the Royal Navy find that when we buy planes nobody gets a promotion out of it and the kit may get taken over by the RAF (http://www.airsceneuk.org.uk/hangar/2000/jf2000/jf2000.htm). If we buy a ship, however, someone gets to be captain and the slug-balancers leave us alone. Anyway, it's our £6bn, we'll do what we like with it. What do you mean you're a UK taxpayer and it's actually your money? That's crazy talk". The logical consequence of all this is that whenever a sea-skimmer threat is deemed to be present -- and if there isn't any such threat, why are we there in a Type 45 destroyer? -- the weapon lockout keys will have to be turned and left turned until the threat has gone away.
As a matter of routine, then, a Windows computer in a destroyer will be enabled to launch weapons autonomously, perhaps for days at a time. Quite a lot of weapons, actually: the sea-skimmers can be expected to come in groups, so the destroyer's computer must be allowed to ripple off a fair number of Asters without asking. It can control at least 10 simultaneously. Even without considering malware or other Windows-related issues, combat-ready air defence ships always present a severe risk of terrible, deadly accidents because there is seldom any chance to positively identify targets. The US Navy's existing Aegis ships have already demonstrated this (http://news.bbc.co.uk/onthisday/hi/dates/stories/july/3/newsid_4678000/4678707.stm). It gets worse. This Windows box, unlike the one in the Trident sub, is by necessity heavily networked. A destroyer command system has to constantly communicate with other ships, aircraft, satellites, various organisations in the UK -- lots of different computers. Naval surface task groups used crude automated data links before the internet was ever heard of, and nowadays the bandwidth is substantial and varied. A Type 45 will be plugged into many different networks. There will be NATO or other foreign units on some of these nets, which is to say that the authentication protocols and probably codes too will be available to anyone who wants them. Other pipes will connect, perhaps at one or two removes, to the wild and woolly internet itself.

Hacking Destroyers

It still won't be easy to hack a destroyer, but it will be distinctly possible. If you can't do it over a network, physically infiltrating a surface warship is a trivial task compared to getting aboard a Trident sub. Surface vessels have dozens of upper-deck doors and hatches, compared to a submarine's handful. Destroyers routinely tie up at berths without shoreside security, guarded by no more than a pair of gangway sentries.
A surface warship's crew can and often do bring guests and visitors aboard. Security cockups have been known even in naval bases (http://news.bbc.co.uk/1/hi/england/devon/5032516.stm). So a malware-infected Type 45 is actually achievable, and the destroyer computer will routinely have autonomous weapons authority.

Furthermore, even in the absence of malware, opacity and unreliability are key criticisms levelled at Win2k. That just isn't acceptable in this case. For a Type 45 to be even vaguely worth having, you really do need five-nines, rock-solid dependability. A 90 per cent punt won't do here. Against just six sea-skimmers, that would equate to only a 40 per cent chance of survival.

Then there's predictability. Aboard your destroyer in, let's say the Persian/Arabian Gulf, you may need to set up the condition "fire automatically on any unidentified supersonic object", and then unlock weapons to computer control. This, despite the fact there may be half a dozen airliners in the sky above you right then, all moving at high-subsonic speeds. If you can't do this and leave the system ready to rumble for days or even weeks, it isn't going to have the slightest chance of stopping a sheaf of Sunburns when they come smoking in over the horizon. But you also need to be absolutely certain that Windows won't have a little hiccup, malware-related or not. Let's suppose that the GPS throws a wobbly, for instance, such that the entire plot appears to instantly jump 10 miles sideways. You need to be sure your command system won't decide as a result that the innocent airliner passing overhead has gone supersonic. And so on, and so on.

The Insyte engineers will have to include big wads of Windows code which they don't properly understand in the Type 45: they can't realistically guarantee what the ships will do. When asked to comment on these issues, Microsoft reps rather elliptically replied that "we'll have to decline this one", and BAE/Insyte didn't respond at all.
A Navy source with an extensive background in destroyer warfare confirmed that it would sometimes be necessary to trust the Type 45's command system implicitly, but declined to comment on software or engineering issues.

In the final analysis, a working air-defence destroyer with its weapon systems live is by necessity a disaster waiting to happen, far more so than a Trident submarine. It's questionable whether the UK needs this sort of hardware at all, especially at this price. But if we're going to have it - and it seems we are - the kit needs to be controlled by the very best, safest and most predictable software architecture available. It's hard to see Windows as fitting the bill.

Lewis Page spent 11 years in the navy, mostly as a specialist in underwater bomb disposal. Highlights of his service included commando training with the Royal Marines, and the opportunity to render safe bona-fide "weapons of mass destruction". Disappointingly, these WMDs were discovered in Wales rather than any sunnier clime. On leaving the service he wrote a book, Lions, Donkeys and Dinosaurs: Waste and Blundering in the British Armed Forces (http://www.amazon.co.uk/exec/obidos/ASIN/0434013897/202-9705542-8989460), which was so successful that it is now almost impossible to obtain, though a paperback is forthcoming. Page can be found on the web at www.lewispage.co.uk.

From rforno at infowarrior.org Mon Feb 26 09:24:41 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Feb 2007 09:24:41 -0500
Subject: [Infowarrior] - DHS Biometric Program in Trouble
Message-ID:

DHS Biometric Program in Trouble
http://www.wired.com/news/technology/1,72792-0.html
By Luke O'Brien
02:00 AM Feb, 26, 2007

A House Appropriations subcommittee and congressional investigators are renewing criticism of the US-VISIT program, a Department of Homeland Security initiative to collect and share biometric-fingerprint and facial data from all foreign visitors to the United States.
The GAO, the investigative arm of Congress, released a report (.pdf) this month revealing that, even as development costs settle, US-VISIT's overall price tag is spiraling up "without any accompanying explanation of the reasons," the report said.

In an interview with Wired News, Randy Hite, the author of the GAO report, described US-VISIT as a plane flying aimlessly. "We're asking for a pilot to program in a destination," Hite said. "Instead, we have it on autopilot with no destination."

US-VISIT collects a digital photo and two digital fingerprints from incoming visitors to the United States, and checks each traveler against scores of government watchlists stored in a hodgepodge of backend databases. The program was launched in January 2004 in an effort to secure the border from terrorists.

The system is at hundreds of airports, seaports and land border crossings across the country, but it is largely a one-way process: missing from the program is a way to verify that a visitor has left the United States, except for a limited pilot program at 12 airports and two seaports where visitors are required to scan their fingerprints on their way out of the country.

In a hearing at the House Appropriations Subcommittee on Homeland Security earlier this month, chairman Rep. David Price (D-North Carolina) expressed concern that the DHS still has no "meaningful exit capacity" for the US-VISIT program.

"The total resources provided to this program would exceed $2 billion over the five years since 9/11," Price said, counting $462 million in funding requested for 2008. "But we still have no way to know if people visiting the U.S. have left, even though we know that millions of undocumented aliens in this country are so-called 'overstays.' This ignorance is both a security gap and a key problem for immigration reform."
The DHS' Robert Mocny, acting director of US-VISIT, agreed that the inability to track exits is a major weakness of the system, but talked up plans to further improve entrance security. In 2008, the DHS plans to use $228 million to deploy "ten fingerprint capture" equipment at ports of entry, upgrade to automated biometric identification systems and increase compatibility with the Department of Justice's fingerprint system.

The GAO report focused on the growing costs of the program and its lack of oversight, and at the recent hearing lawmakers slammed DHS for not providing Congress with a clear strategy going forward. Congress has been waiting since 2005 for the DHS to provide a strategic plan that defines US-VISIT's mission. Simpler spending plans have also been late: a 2006 expenditure plan was delivered almost 11 months after Congress appropriated $336.6 million for the program, and a FY2007 expenditure plan is four months overdue. Congress has withheld $200 million of the $362.5 million appropriated for the program this year, pending receipt of the spending plan -- not the first time it has withheld funding for the program while waiting for the DHS to get its act together.

"I've had it," rumbled Rep. Harold Rogers (R-Kentucky), the ranking minority member on the subcommittee, at the hearing. "We've withheld funds and released them, dribbled them out long enough. Face up to it. Give us the plan. If you can't do the plan, scrap US-VISIT.... How can we do our job if you won't tell us where you're going?"

Rogers set a March 16 deadline for US-VISIT to supply the strategic plan and the spending plan for 2007.

Despite the congressional pummeling, Anna Hinken, a spokeswoman for US-VISIT, said Friday the program is proceeding apace, and dismissed the GAO report as outdated information from six months ago. "Everything is on track," Hinken said. "We have biometric data for over 80 million foreign visitors," Hinken said. "We've already denied entry to almost 2,000 people based on the biometrics alone."

From rforno at infowarrior.org Mon Feb 26 09:25:52 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Feb 2007 09:25:52 -0500
Subject: [Infowarrior] - Default Router Password List
Message-ID:

(c/o Bruce's blog)

http://www.phenoelit.de/dpl/dpl.html

From rforno at infowarrior.org Mon Feb 26 09:55:28 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Feb 2007 09:55:28 -0500
Subject: [Infowarrior] - Site lets you buy friends (and they're hot)
Message-ID:

Site lets you buy friends (and they're hot)
By Daniel E. Slotnik
http://news.com.com/Site+lets+you+buy+friends+and+theyre+hot/2100-1038_3-6162004.html
Story last modified Mon Feb 26 04:22:16 PST 2007

Popularity was never easily measured, until the advent of social-networking sites. Now, prospective employers and others can gain some insights into an applicant's lifestyle and character by looking at a person's social-networking page, including the roster of friends.

So what if a job applicant's networking page lacks friends?

Enter FakeYourSpace.com, a business founded by Brant Walker, which offered users of MySpace.com and similar sites a way to enhance their page with photographs and comments from hired "friends"--mainly attractive models--for 99 cents a month each.

FakeYourSpace was doing very well, attracting 50,000 hits a day, until a service that provided the photographs of the models, iStockPhoto.com, noticed that use and objected to it. Kelly Thompson, iStockPhoto's vice president for marketing, said its licensing agreement did not allow Web sites to post photos that might lead the average person to "think that the model endorses" the product, Web site or person in question. iStockPhoto's network of 30,000 photographers police the Internet for such contractual infractions.
When they noticed how FakeYourSpace was using the photos, they reported it to iStockPhoto, which asked Walker to stop using the photographs. He complied, and FakeYourSpace, while still viewable online, will not be fully operational again until Thursday. Walker is searching for models through agency and online auditions to replace those that had been provided by iStockPhoto, which was recently purchased by Getty Images.

But is FakeYourSpace's business legal? The site certainly misrepresents people, but Walker, 26, said he thought that its intent was more altruistic than fraudulent.

A graduate of Platt College, a graphics and multimedia specialty school in San Diego, Walker runs the site from his San Diego home with two employees. He said the idea came to him when he noticed, while browsing MySpace pages, that "some people would have a lot of good-looking friends, and others didn't." His idea, he said, was "to turn cyberlosers into social-networking magnets" by providing fictitious postings from attractive people.

The postings are written by the client or by Walker and his employees, who base the messages on the client's requests. FakeYourSpace says it does not post any messages that are threatening, pornographic or illegal.

MySpace and other social-networking sites appear to have no rules prohibiting Walker's idea. The leading sites, MySpace, Friendster and Facebook, did not respond to requests for comment.

Walker's business is a variation on a growing phenomenon that Bruce Schneier, a blogger at InfoWorld.com, a Web site for the business technology magazine InfoWorld, refers to as "the social network reputation hack." MobileAlibi.com and PopularityDialer.com offer similar services, using fake cell phone calls scheduled in advance to provide an excuse to escape a tedious situation, like a bad date, or to make the subscriber appear in demand.
While they may be less than honest, FakeYourSpace and similar sites are currently legal, as long as the content they post is legitimately licensed. Walker said his second business, a Web site called BreakYourSpace.com that removes unwanted friends from a user's profile by third-party messenger, had yet to have any legal trouble.

Entire contents, Copyright © 2007 The New York Times. All rights reserved.

From rforno at infowarrior.org Mon Feb 26 10:01:06 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Feb 2007 10:01:06 -0500
Subject: [Infowarrior] - Feb. 26, 1991: Just Browsing
Message-ID:

Feb. 26, 1991: Just Browsing
By Tony Long
02:00 AM Feb, 26, 2007

1991: Tim Berners-Lee, the acknowledged inventor of the World Wide Web, introduces WorldWideWeb, the first practical web browser.

The first version, which Berners-Lee completed on Christmas Day 1990 using a NeXT computer, was released first to a group of physicists, and its use spread outward from there.

WorldWideWeb, later renamed Nexus in order to avoid confusing it with the World Wide Web, was the first program to use both the file transfer protocol and hypertext transfer protocol, another Berners-Lee invention. HTTP simplified the linkup between client and server, making the transfer of text and images a more seamless process and facilitating the growth of the web.

WorldWideWeb entered the public domain in 1993.

http://www.wired.com/news/technology/0,72719-0.html?tw=wn_index_5

From rforno at infowarrior.org Mon Feb 26 11:57:16 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Feb 2007 11:57:16 -0500
Subject: [Infowarrior] - Using free wireless at library described as theft
Message-ID:

Using free wireless at library described as theft
PALMER: Man was tapping into library connection after hours.
By ANDREW WELLNER
Anchorage Daily News
http://www.adn.com/news/alaska/story/8667098p-8559268c.html
(Published: February 24, 2007)

WASILLA -- Brian Tanner was sitting in his Acura Integra recently outside the Palmer Library playing online games when a Palmer police officer pulled up behind him. The officer asked him what he was doing.

Tanner, 21, was using the library's wireless Internet connection. He was told that his activity constituted theft of services and was told to leave. The next day, Sunday, police spotted him there again.

"It was kind of like, 'Well gee whiz, come on,' " police Lt. Tom Remaley said.

The police officer confiscated Tanner's laptop in order to inspect what he may have been downloading, Remaley said. Remaley on Friday said he hasn't looked inside the computer yet; he's putting together a search warrant application.

Alaska state troopers had chased Tanner off a few times at other locations, Remaley said. Tanner said that was true. He has a device on his keychain that sniffs out wireless networks. When he found one, he would park in his neighborhood and use his $800 Dell laptop to hop on the Web. But worried neighbors summoned the troopers, who told him to park in a public place.

"I went to the public library because I go there during the day," Tanner said. Though the library was closed, its wireless was up and running, he said.

Tanner said he was upset that he hasn't gotten his computer back yet. The police have told him he won't until the case is concluded, he said.

Jeanne Novosad, the library system manager, said the wireless connection is normally shut off when the library is closed. But the library was waiting on a technician to install a timer and the connection was left on after hours for several days, she said.

Remaley said the investigating officer is talking with the District Attorney's Office to determine whether criminal charges are warranted. Remaley said few of these cases that he's seen have resulted in criminal prosecution.
But, "in this particular case you know he's feeding off something that we know the city of Palmer pays for and there are requirements to use it," Remaley said.

Either way, Tanner's Internet usage has been curtailed. He's got a home computer, but his parents don't let him on the Web after 9 p.m. He's been using computers at the library during the day. He's a moderator on an online gaming site, conquerclub.com, where he plays a game similar to the board game Risk.

"It's pretty addicting," he said.

From rforno at infowarrior.org Mon Feb 26 12:05:51 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Feb 2007 12:05:51 -0500
Subject: [Infowarrior] - OSX users....the death of Fire
Message-ID:

...too bad, as it's been my Trillian-clone for years. Le sigh. -rf

http://fire.sourceforge.net/

We are saddened to announce that there will be no future versions of Fire. There are several reasons for this end, but the most notable is the loss of developers. Fire's development had dwindled to few developers who do not wish to continue the project alone. In addition, another major contributing factor is the fact that all but one of Fire's IM libraries is no longer in active development.

The good news is that two of Fire's developers have joined the Adium team and have written a transition path. Adium 1.0, upon first launch, will import your Fire accounts, away messages, groups, buddies, and logs into Adium. For future updates and IM needs, we suggest that you look at Adium.

http://fire.sourceforge.net/

From rforno at infowarrior.org Mon Feb 26 12:11:23 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Feb 2007 12:11:23 -0500
Subject: [Infowarrior] - Resource: OpenCongress.Org
Message-ID:

OpenCongress brings together official government data with news and blog coverage to give you the real story behind each bill.
http://www.opencongress.org/

From rforno at infowarrior.org Mon Feb 26 19:47:47 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Feb 2007 19:47:47 -0500
Subject: [Infowarrior] - Black Hat: Battle brewing over RFID chip-hacking demo
Message-ID:

Battle brewing over RFID chip-hacking demo
Card maker HID calls foul over Black Hat presentation
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/02/26/HNblackhatrfid_1.html
By Paul F. Roberts
February 26, 2007

Secure card maker HID Corp. is objecting to a demonstration of a hacking tool at this week's Black Hat Federal security conference in Washington, D.C. that could make it easy to clone a wide range of so-called "proximity" door access cards.

HID has sent a letter to IOActive, a security consulting firm, accusing Chris Paget, IOActive's director of research and development, of possible patent infringement over a planned presentation, "RFID for beginners," on Wednesday, a move that could lead to legal action should the talk go forward, according to Jeff Moss, founder and director of Black Hat.

IOActive will hold a press conference Tuesday at 9:00AM to discuss the issue, IOActive CEO Joshua Pennell told InfoWorld.

Paget's talk will address widespread security issues with the implementation of RFID in proximity cards that are sold by HID and other companies and that are widely used for building access. His RFID cloner was on display at the recent RSA Security Conference in San Francisco, where he demonstrated for InfoWorld how the device could be used to steal access codes from HID brand proximity cards, store them, then use the stolen codes to fool a HID card reader.

Paget's presentation at Black Hat Federal will go deeper, providing schematics and source code that attendees could use to create their own cloning device, and discussing vulnerable implementations of RFID technology in a wide variety of devices, Paget told InfoWorld at RSA earlier this month.

"Hopefully I'll be able to give people some information about RFID and get some pressure on vendors to fix these lousy RFID implementations," Paget said. "As it stands, I can walk up to someone on the street or maybe stand next to them in an elevator, grab their card ID and get into the building," he said.

So far, Black Hat organizers have not been contacted or asked to cancel Paget's presentation, but lawyers representing Black Hat, which was purchased by CMP, are ready should that happen, Moss said. "We're prepared for the worst," Moss said.

The incident between HID and IOActive recalls a 2005 imbroglio between researcher Michael Lynn and Cisco Systems over a presentation of a flaw in Cisco's IOS at a Black Hat event in Las Vegas. In that incident, Cisco attorneys demanded that Lynn's presentation be torn out of the printed conference proceedings and that Lynn be blocked from giving his talk. Lynn ultimately resigned his position at Internet Security Systems Inc. (ISS) and gave the talk anyway, spawning lawsuits and even an FBI investigation of him. Lynn now works as a researcher at Cisco competitor Juniper Networks.

Whereas Lynn's hack of IOS was considered novel, however, the IOActive demonstration of RFID vulnerabilities is largely a rehash of known issues, intended more as an introduction, Moss said. "They've known about this for years and years," Moss said.

Kathleen Carroll, a spokeswoman for HID's Government Relations group, acknowledged that a letter was sent to IOActive but that it did not mention patent infringement. She said that the company has long been aware that its proximity cards are vulnerable to hacking but does not believe that the cards are as vulnerable as Paget suggests.

"For someone to be able to surreptitiously read a card, they'd have to get within two or three inches and get into the same plane as the card," Carroll said.
HID is also concerned that Paget's demonstration will popularize the vulnerabilities in its proximity cards and endanger its many customers.

"These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.

According to Moss, HID has charged Paget with patent infringement over his presentation, but has not laid out any particular remedies or threatened actions, making it difficult to ascertain what the company might do -- if anything -- to block the presentation.

Security problems with implementations of RFID are well known and have been publicized before. In 2005, security consultant Jonathan Westhues detailed attacks against implanted VeriChip RFID chips. More recently, in January, Westhues posted detailed code and schematics for an RFID hacking device that can act as a reader, eavesdrop on RFID transactions between reader and a tag, analyze the signal received over the air, or impersonate a tag.

In 2005, Avi Rubin and other researchers at Johns Hopkins also sounded the alarm about weak security in RFID implementations by hacking technology from Texas Instruments that is used in late model car ignition systems and electronic payment systems, as well.

All that attention hasn't sparked much change at companies like HID, which makes fifteen different types of proximity cards in their Prox Products and Indala Prox Products lines, all of which are believed to be vulnerable to cloning, according to Paget.

"Some of these cards have been around for 15 years and were developed when there was no awareness of the problem," Carroll said. Asked why HID hasn't addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause "major upheaval" among customers.
Inertia is a more likely cause, said Dan Kaminsky, director of penetration testing at IOActive. "They didn't want to change to a more secure implementation because of backwards compatibility issues, and they had a lot of sites that use these cards, and HID has stuff to sell them," Kaminsky said.

Paget's hack was no feat of engineering wizardry, Kaminsky said. "It took a month -- and he wasn't even working on it full time."

The problem is that RFID technology, although good for inventory tracking as a replacement for barcodes, is not well suited for security, Kaminsky said. "The technology is very convenient, but don't interpret the convenience as security," Kaminsky said. "At the end of the day, many companies are essentially using barcode technology to control access to their facilities. I'd posit that perhaps there are more secure technologies out there."

HID recommends that customers who are concerned about cloning upgrade to one of HID's smart card products, which do encrypt transmissions between card and reader and are more difficult to hack, Carroll said. HID also recommends that companies that use the cards train their employees to look for suspicious activity that might indicate that someone is trying to clone or spoof access cards.

As for Paget's presentation, Moss expressed frustration over HID's actions, especially given the widespread attention to RFID security holes. "It's just so frustrating from a security standpoint. Now anytime someone wants to talk about anything, they need a team of lawyers. Even when it's about commonly understood problems," Moss said.

For now, Moss said Black Hat is supporting Paget and his presentation -- even if last minute changes are needed to satisfy HID, Moss said.

From rforno at infowarrior.org Mon Feb 26 23:06:58 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Feb 2007 23:06:58 -0500
Subject: [Infowarrior] - IO: The White House website is getting scrubbed?
In-Reply-To:
Message-ID:

(c/o Greg V.)

Interesting analysis. Not the first organization to do this, corporate or government, I'm sure. -rf

(Updated) The White House website is getting scrubbed
by smintheus
Sun Feb 25, 2007 at 12:39:00 PM PST

On March 16, 2003 Dick Cheney went on Meet the Press. His absurd claims in that interview have since become politically embarrassing to the White House. For example, he declared...

I think things have gotten so bad inside Iraq, from the standpoint of the Iraqi people, my belief is we will, in fact, be greeted as liberators.

You won't any longer find a link to this transcript on the White House website - nor, indeed, are there links to most of Cheney's interviews from before 2006. Don't believe me? Just do a search for that infamous sentence at www.whitehouse.gov.

The WH website evidently has been busy scrubbing links to interviews and perhaps other public appearances by top officials. The operation has proceeded somewhat unevenly, though aggressively. Pretty clearly the WH wants to make it much harder to research the administration's past pronouncements, especially unscripted ones, and especially those pertaining to Iraq.

< - >

http://www.dailykos.com/storyonly/2007/2/25/153120/172

From rforno at infowarrior.org Mon Feb 26 23:07:24 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Feb 2007 23:07:24 -0500
Subject: [Infowarrior] - FW: Microsoft Virtualization Licensing and Distribution Terms
In-Reply-To:
Message-ID:

(c/o MS)

Microsoft Virtualization Licensing and Distribution Terms
VMware White Paper
February 23, 2007

Summary

Microsoft is trying to restrict customers' flexibility and freedom to choose virtualization software by limiting who can run their software and how they can run it.
Microsoft is leveraging its ownership of the market leading operating system and numerous applications that are market leaders in their respective categories (Exchange, SQL Server, Active Directory) to drive customers to use Microsoft virtualization products. Their tactics are focused on software licensing and distribution terms (for SQL Server, Exchange, Windows Server, Vista) and through the APIs and formats for virtualized Windows.

In particular, Microsoft does not have key virtual infrastructure capabilities (like VMotion), and they are making those either illegal or expensive for customers; Microsoft doesn't have virtual desktop offerings, so they are denying it to customers; and Microsoft is moving to control this new layer that sits on the hardware by forcing their specifications and APIs on the industry. Included below in this document are explanations with supporting details of some of these specific areas.

Virtualization opens up new enabling models for IT customers and technology vendors. To fully achieve this vision, the industry must ensure fundamental market choice and ecosystem interoperability. Microsoft operating systems and applications are both market dominant and they deliver value to customers. However, customers and vendors require freedom of choice to implement and deliver applications and operating systems from any vendor with any chosen virtual hardware platform. Microsoft is not acting in customers' best interests when they attempt to force an integrated virtual hardware/operating system/application stack for their operating system and applications. Customers require an "any to any" interoperability model where Microsoft application stacks can run freely with licensing, open APIs, and support equivalence on non-Microsoft virtual hardware to Microsoft's own virtualization technologies.

...
http://www.vmware.com/solutions/whitepapers/msoft_licensing_wp.html

From rforno at infowarrior.org Tue Feb 27 08:19:57 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 27 Feb 2007 08:19:57 -0500
Subject: [Infowarrior] - Seven Things I Learned from World of Warcraft
Message-ID:

Seven Things I Learned from World of Warcraft - by John August
http://johnaugust.com/archives/2007/seven-things-warcraft

Those who've seen my movie, The Nines, can infer that I had a bit of a World of Warcraft problem back in the day. "The day" being a period of about four months in which most of my waking hours were spent either playing the game or wanting to. The luxury and danger of being a screenwriter is an abundance of unstructured time. WoW can eat hours in a gulp. Moderation just didn't work. I had to give it up cold-turkey, canceling my account and throwing out the install disks.

With my newfound time, I had a kid, wrote a couple of movies and directed one of my own. I have few regrets about giving up Warcraft. But in retrospect, I did learn some valuable things from my time in Azeroth, lessons that have stuck with me. So I thought I'd share a few.

1. Kill injured monsters first

When facing multiple bad guys, the temptation is to go after the one who's hitting you hardest. This is often a mistake. That injured razorback, the one who is running away? He'll be back in 15 seconds, likely with other baddies in tow. So take a few clicks to kill him now. Once he's dead, you can focus completely on the guy who's smacking you.

The real world may not have druids and paladins, but it's chock full of monsters. They're called "term papers" and "errands" and "mysterious car problems." At any given moment, there may be one monster that looms larger than all of the others, who clearly needs to be attacked. But before you do, look around for injured monsters - the half-finished tasks that probably need only a few more minutes to complete.
If you don't deal with them now, they'll be a constant distraction, and may eventually come back stronger.

This "injured monster theory" is why I try to return every phone call the day I receive it, and respond to every email within 24 hours. If a warning light comes on in my car, I go to the mechanic that day. Whenever I find myself thinking, "I need to remember to..." then I know I've failed. I don't need to remember. I need to do. I need to finish.

2. Grinding is part of the game...

In WoW parlance, "grinding" is the process of killing a bunch of fairly easy monsters, one after the other, strictly to rack up loot and experience. There's no adventure to it, no real challenge. It's tedious and mindless, but it's often the fastest way to level up, which is why everyone does it.

Daily life is full of mindless tedium, but there's an important distinction: grinding has a point. While the task may be dull and carpal tunnel-aggravating, there's a clear goal. You're doing X in order to get Y. You're xeroxing scripts in the William Morris mailroom in order to get a job as an assistant. You're proofreading your script for the seventh time in order to send it to your friend, who works for that producer. You have to be willing to do serious grunt work in order to move ahead.

3. ...But grinding is not the game

It's easy to confuse what you're doing with why you're doing it. Just remember: you're not paying $15 a month to kill the same set of spawning critters. Grinding is a means of achieving a specific goal, whereas the game itself is supposed to be entertaining. So once you level (or get enough deer skins to fabricate that armor), stop grinding and start exploring.

I worked for a year as a reader at Tri-Star, writing coverage on 10 scripts or books a week. It was good money, $65 a shot, but it was wearying. Most of the scripts were terrible. Apart from offering lessons-to-avoid, there wasn't any point in reading them other than the money.
But I convinced myself I was "working in the industry," so I kept reading them, one after the other, dutifully writing up my synopses and comments. Executives would congratulate me on my witty notes, and there was some suggestion that I could get a job in development. So I quit.

In place of reading, I got a mindless internship in physical production at Universal: filing, copying, researching clearances. I didn't use my brain once. That left me with abundant energy when I got home from work, and with it I finished two scripts.

Both jobs were quintessential "day jobs." In theory, writing coverage should have been the better job, because it was closer to screenwriting. And truthfully, I did learn some valuable things -- for the first month or two. After that, it was a whole lotta more of the same. The second job was a better fit because there was no confusing it with my true ambitions.

4. Give away stuff to newbies

You start the game with almost nothing: a weapon and the shirt on your back. Each new piece of gear you accumulate is tremendously exciting. Cloth armor seems luxurious. But as you level up, that early gear becomes increasingly irrelevant and basically worthless. It's not worth the trip to the store to sell it.

So don't. Instead, run back to the newbie lands, find the first character of your class, and hand him all the stuff you don't want. It will take two minutes of your time, but give the newbie a tremendous head start. (Not to mention building your karma.)

This site, johnaugust.com, is really just me running back to the newbie lands and giving away what I can. There's no financial incentive in it for me. I could certainly put my advice in a book and charge $15.95 for it. But I see it as the take-a-penny, leave-a-penny flow of information.
On a daily basis, I find myself searching the web for answers on topics in which I'm a newbie (Flash programming, DC mythology, teaching toddlers to swim) and leaving thankful that someone out there took the time to write a tutorial on exactly what I needed. So in exchange, I write up what I know about screenwriting. If everyone took the time to build a site about the areas of their expertise, the world would be significantly cooler.

5. Keep track of your quests

WoW is refreshingly open-ended -- you could spend all your time skinning bears, if you felt like it. In order to provide a sense of structure, the game helpfully provides quests: multi-step missions, generally to collect, kill or deliver something. While the system does a solid job tracking these official endeavors ("13 out of 25 tusks"), most of the time what you're really trying to do ("find a better shield") is frustratingly amorphous. The trick is to identify these unofficial quests and break them down into distinct steps:

* browse the auctions to compare prices
* pick preferred shield
* sell off unneeded linen to raise needed cash
* bid

At any given point, you may have 10 of these pseudo-quests, and unless you take charge of them, you're liable to keep running around, cursing your stupid shield.

GTD enthusiasts would label these WoW quests "projects," and each of the bullet points "next actions." That's geekery, but it's an acknowledgment that most of life's work consists of a bunch of little activities in the service of a larger goal. You don't write a script; you write a scene. You don't design a website; you tweak the CSS so the navigation looks better. No matter what the project is, you can't finish until you get started, and you can't get started until you figure out the steps.

6. Storage is costly

Perhaps sensing that messy teenage boys are a key demographic, World of Warcraft won't let you leave something on the ground. If you don't pick up that fallen warhammer, it will vanish, never to return.
So one quickly learns the importance of storage: belts, bags, backpacks and chests. Unfortunately, there's never nearly enough space, and adding more becomes ridiculously expensive. (That's by design, clearly. The developers want to minimize hoarding.) So always keep in mind the carrying costs. If you never use that second bow, get rid of it, and use those slots for something you need.

Unlike World of Warcraft (or hard drives in the 90's), digital storage is now cheap. Crazy cheap. I remember having to carefully comb through my hard drive, trying to figure out exactly what I could purge in order to install the newest version of Quark XPress. Today, I have 80 gigs available on my startup drive, and this was the first time I checked in over a year.

But while the cost of bit storage has plummeted, the cost of storing atoms is still huge. My neighbors just had a POD delivered, essentially a cargo container that gets trucked off. I've watched as they've filled it with furniture and boxes, all the time wondering, "Is all that stuff really worth keeping?" It's like paying rent on things you already own.

Last year, we cleaned out our garage. Instead of a traditional yard sale, we did a virtual version. We took pictures of everything we were getting rid of, built a page in Backpack, and sent the link to all our friends. Whoever wanted something could email us and take it. They got a free desk, and we got a free garage.

7. Overthinking takes the fun out of it

Remember, the game is supposed to be fun. Yes, you can spend hours poring through the forums, finding exactly the right talent tree. Or you could wing it: explore some new lands and kill some big monsters. Obsessive planning won't make the game more enjoyable. It will just make it more like work.

I'm often asked about outlines and treatments, and whether they're necessary before sitting down to write a script. They're not.
Like a map, they can help you figure out where you're going, but when you follow them too closely, you're apt to miss a lot of amazing scenery along the way.

On a bigger level, as you look back at any period of your life, you don't remember what a solid plan you had. You remember what you did. You remember the adventures, the scrapes, the unanticipated detours that turned out to be fascinating. So don't plan your way out of an exciting life.

From rforno at infowarrior.org Tue Feb 27 08:30:13 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 27 Feb 2007 08:30:13 -0500
Subject: [Infowarrior] - Which Videos Are Protected? Lawmakers Get a Lesson
Message-ID:

February 26, 2007
Which Videos Are Protected? Lawmakers Get a Lesson
By NOAM COHEN
http://www.nytimes.com/2007/02/26/technology/26cspan.html?_r=3&oref=slogin&pagewanted=print

As the new Congress experiments with the wide world of blogging and video clips, members are learning the complexities of copyright law, much the way the casual YouTube user has learned that there are corporations out there that own "Lost" and can stop you from posting a favorite episode.

The introduction began awkwardly this month when the House Republican Study Committee issued a news release accusing Speaker Nancy Pelosi of "pirating" 16 copyrighted clips of House floor debate from the public affairs network C-Span by including them on her new blog, The Gavel.

Shortly after the news release was distributed by e-mail, C-Span corrected the record to say that House and Senate floor debates are "government works," shot by government-owned cameras, and thus in the public domain. The Republican committee promptly sent out a news release to withdraw the accusation against Ms. Pelosi's office.

The speaker's spokesman, Brendan Daly, used the opportunity to decry "yet another baseless attack of the Republicans; in this case they have retracted it."
But last week, as it happens, C-Span did contact the speaker's office to have it take down a different clip from her blog -- one shot by C-Span's cameras at a House Science and Technology Committee hearing on global warming where Ms. Pelosi testified, Mr. Daly said. (The blog has substituted material filmed by the committee's cameras, he said.)

C-Span, a private nonprofit company financed by the cable and satellite affiliates that carry its programming, says that over more than 25 years of operating it has consistently asserted its copyright to any material it shoots with its own cameras. But that message can get lost.

"We are structurally burdened, in terms of people's perception, because we are the only network that has such a big chunk of public domain material," said Bruce Collins, the corporate vice president and general counsel of C-Span. He estimated that 5 to 15 percent of C-Span's programming is from the House and Senate floor, and thus publicly available.

"It is perfectly understandable to me that people would be confused," he said. "They say, 'When a congressman says something on the floor it is public domain, but he walks down the street to a committee hearing or gives a speech and it is not public domain?'"

The issue is of recent vintage for C-Span. In May, C-Span said that it had for the first time asserted its copyright against a video-clip site, ordering YouTube to take down copies of Stephen Colbert's pointed speech in front of President Bush at the White House Correspondents' Association dinner. Clips of the speech had been viewed 2.7 million times on YouTube in the 48 hours before it was taken down.

"What I think a lot of people don't understand -- C-Span is a business, just like CNN is," Mr. Collins said. "If we don't have a revenue stream, we wouldn't have six crews ready to cover Congressional hearings."

Without use of C-Span's material, members of Congress will have to rely on government cameras to get their message out. Mr.
Daly said that the speaker's office had its own camera operator and that 11 of 21 House committees can Webcast their hearings, with the goal that all will be able to do so.

On that, even Ms. Pelosi's critics agreed. "The Republican Study Committee, Republicans in general, would favor more transparency," said the committee's spokesman, Brad Dayspring. "We heard that the committees are moving in that direction -- conservatives would support that."

From rforno at infowarrior.org Tue Feb 27 08:33:52 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 27 Feb 2007 08:33:52 -0500
Subject: [Infowarrior] - Schneier: Privatizing the police puts us at greater risk
Message-ID:

Last update: February 26, 2007 - 7:09 PM
http://www.startribune.com/562/story/1027072.html

Bruce Schneier: Privatizing the police puts us at greater risk
Abuses of power and brutality are likelier among private security guards.
Bruce Schneier

In Raleigh, N.C., employees of Capitol Special Police patrol apartment buildings, a bowling alley and nightclubs, stopping suspicious people, searching their cars and making arrests. Sounds like a good thing, but Capitol Special Police isn't a police force at all -- it's a for-profit security company hired by private property owners.

This isn't unique. Private security guards outnumber real police more than 5-1, and increasingly act like them. They wear uniforms, carry weapons and drive lighted patrol cars on private properties like banks and apartment complexes and in public areas like bus stations and national monuments. Sometimes they operate as ordinary citizens and can only make citizen's arrests, but in more and more states they're being granted official police powers.

This trend should greatly concern citizens. Law enforcement should be a government function, and privatizing it puts us all at risk.

Most obviously, there's the problem of agenda.
Public police forces are charged with protecting the citizens of the cities and towns over which they have jurisdiction. Of course, there are instances of policemen overstepping their bounds, but these are exceptions, and the police officers and departments are ultimately responsible to the public.

Private police officers are different. They don't work for us; they work for corporations. They're focused on the priorities of their employers or the companies that hire them. They're less concerned with due process, public safety and civil rights.

Also, many of the laws that protect us from police abuse do not apply to the private sector. Constitutional safeguards that regulate police conduct, interrogation and evidence collection do not apply to private individuals. Information that is illegal for the government to collect about you can be collected by commercial data brokers, then purchased by the police.

We've all seen policemen "reading people their rights" on television cop shows. If you're detained by a private security guard, you don't have nearly as many rights. For example, a federal law known as Section 1983 allows you to sue for civil rights violations by the police but not by private citizens. The Freedom of Information Act allows us to learn what government law enforcement is doing, but the law doesn't apply to private individuals and companies. In fact, most of your civil rights protections apply only to real police.

Training and regulation is another problem. Private security guards often receive minimal training, if any. They don't graduate from police academies. And while some states regulate these guard companies, others have no regulations at all: anyone can put on a uniform and play policeman.

Abuses of power, brutality, and illegal behavior are much more common among private security guards than real police. A horrific example of this happened in South Carolina in 1995.
Ricky Coleman, an unlicensed and untrained Best Buy security guard with a violent criminal record, choked a fraud suspect to death while another security guard held him down.

This trend is larger than police. More and more of our nation's prisons are being run by for-profit corporations. The IRS has started outsourcing some back-tax collection to debt-collection companies that will take a percentage of the money recovered as their fee. And there are about 20,000 private police and military personnel in Iraq, working for the Defense Department.

Throughout most of history, specific people were charged by those in power to keep the peace, collect taxes and wage wars. Corruption and incompetence were the norm, and justice was scarce. It is for this very reason that, since the 1600s, European governments have been built around a professional civil service to both enforce the laws and protect rights.

Private security guards turn this bedrock principle of modern government on its head. Whether it's FedEx policemen in Tennessee who can request search warrants and make arrests; a privately funded surveillance helicopter in Jackson, Miss., that can bypass constitutional restrictions on aerial spying; or employees of Capitol Special Police in North Carolina who are lobbying to expand their jurisdiction beyond the specific properties they protect -- privately funded policemen are not protecting us or working in our best interests.

Bruce Schneier is a security technologist and author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World."

© 2007 Star Tribune. All rights reserved.

From rforno at infowarrior.org Tue Feb 27 08:50:47 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 27 Feb 2007 08:50:47 -0500
Subject: [Infowarrior] - Interview w/Sandia Reverse Hacker
Message-ID:

Shawn Carpenter was awarded $4.3 million in a wrongful termination lawsuit against his former employer Sandia National Laboratories.
The former network intrusion detection analyst was fired in January 2005 after he shared information relating to an internal network compromise with the FBI and the U.S. Army. Sandia alleged that Carpenter had inappropriately shared confidential information he had gathered in his role as a security analyst for the laboratory.

Carpenter said he had done so only for national security reasons. He said his independent investigations of a May 2004 breach had unearthed evidence showing that the intruders who had broken into Sandia's networks belonged to a Chinese hacking group called Titan Rain that also had attacked other sensitive networks and stolen U.S. military and other classified documents.

Carpenter until last Friday worked with the U.S. Department of State's Cyber Threat Analysis Division. He is currently a principal research analyst at NetWitness Corp., a start-up headed by Amit Yoran, former director of the National Cyber Security Division of the Department of Homeland Security. In this interview conducted via e-mail, Carpenter talks about the case...

< - >

http://tinyurl.com/3d6g6s

From rforno at infowarrior.org Tue Feb 27 08:58:02 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 27 Feb 2007 08:58:02 -0500
Subject: [Infowarrior] - Apple's iTunes DRM Dilemma
Message-ID:

Understanding how Apple's FairPlay DRM works helps to answer a lot of questions: why it hasn't been replaced with an open, interoperable DRM that anyone can use, why Apple isn't broadly licensing FairPlay, and why the company hasn't jumped to add DRM-free content from indie artists to iTunes.
< - >

http://www.roughlydrafted.com/RD/RDM.Tech.Q1.07/2A351C60-A4E5-4764-A083-FF8610E66A46.html

From rforno at infowarrior.org Tue Feb 27 10:53:42 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 27 Feb 2007 10:53:42 -0500
Subject: [Infowarrior] - Possible MS Vista DDS vector
Message-ID:

I see this as an interesting attack vector on MS Vista: a fellow installs a game on Vista that, as a result of its own anti-piracy scheme, tricks Windows into thinking it is unlicensed, and thus downgrades itself into the new Microsoft "Reduced Functionality Mode." (translation: Windows is practically unusable)

He makes an interesting point that this game apparently tampered with the Windows OS yet the much-hyped Windows Defender (increased OS security) functionality did not prevent it from making such changes to the OS. That should raise some eyebrows.

http://blogs.zdnet.com/Bott/?p=221

-rf

From rforno at infowarrior.org Tue Feb 27 13:17:56 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 27 Feb 2007 13:17:56 -0500
Subject: [Infowarrior] - Boucher and Doolittle Introduce the FAIR USE Act of 2007
Message-ID:

http://www.boucher.house.gov/index.php?option=com_content&task=view&id=1011&Itemid=75

Reps. Boucher and Doolittle Introduce the FAIR USE Act of 2007 (February 27, 2007)

DATE: February 27, 2007

Reps. Boucher and Doolittle Introduce the FAIR USE Act of 2007
Legislation Would Protect the Fair Use Rights of Digital Media Consumers

U.S. Representatives Rick Boucher (D-VA) and John Doolittle (R-CA), today introduced the Freedom And Innovation Revitalizing U.S. Entrepreneurship Act of 2007 (FAIR USE Act) to protect the fair use rights of users of copyrighted material and thereby enable consumers of digital media to use it in ways that enhance their personal convenience. The legislation contains several improvements to the Digital Media Consumer's Rights Act, similar legislation which the lawmakers introduced in the 108th and 109th Congresses.
Congresswoman Zoe Lofgren (D-CA) is an original cosponsor of the legislation.

Because the fair use rights of consumers of digital media are severely threatened today, Boucher and Doolittle propose amending a 1998 law, the Digital Millennium Copyright Act, which was enacted at the behest of motion picture studios, the recording industry, and book publishers.

"The fair use doctrine is threatened today as never before. Historically, the nation's copyright laws have reflected a carefully calibrated balance between the rights of copyright owners and the rights of the users of copyrighted material. The Digital Millennium Copyright Act dramatically tilted the copyright balance toward complete copyright protection at the expense of the public's right to fair use," Boucher said.

"The FAIR USE Act will assure that consumers who purchase digital media can enjoy a broad range of uses of the media for their own convenience in a way which does not infringe the copyright in the work," Boucher explained.

"Without a change in the law, individuals will be less willing to purchase digital media if their use of the media within the home is severely circumscribed and the manufacturers of equipment and software that enables circumvention for legitimate purposes will be reluctant to introduce the products into the market," Boucher added.

"America can and must be a world leader in technological innovation," said Doolittle. "This objective is hindered by the provisions in the DMCA that discourage the free flow of ideas and information. The FAIR USE Act removes those disincentives, and I look forward to seeing the benefits that will ensue."

The FAIR USE Act differs fundamentally from H.R. 107 and H.R. 1201, as proposed in the 108th and 109th Congresses, respectively, by Representatives Boucher and Doolittle.
In an effort to address the concerns expressed by content owners, the FAIR USE Act does not contain provisions which would have established a fair use defense to the act of circumvention. The legislation instead contains specific exemptions to section 1201 of the Digital Millennium Copyright Act which do not pose a comparable potential threat to their business models.

For example, the proposed legislation would codify the decision by the Register of Copyrights, as affirmed in a determination made by the Librarian of Congress under section 1201(a)(1) of the DMCA, to allow consumers to "circumvent" digital locks in six discrete areas. The bill also contains narrowly crafted additional exemptions that are a natural extension of these exemptions.

Other new elements of the bill include limiting the availability of statutory damages against individuals and firms who may be found to have engaged in contributory infringement, inducement of infringement, vicarious liability or other indirect infringement. A more narrowly crafted provision codifying the Supreme Court's Betamax decision to eliminate any uncertainty about a potential negative impact on the Supreme Court's holding in the Grokster case is also contained in the legislation.

Finally, given the central role that libraries and archives play in our society in ensuring free speech and continuing access to creative works, the bill includes a provision to ensure that they can circumvent a digital lock to preserve or secure a copy of a work or replace a copy that is damaged, deteriorating, lost, or stolen.

"I look forward to working with my colleagues and all interested parties in an effort to properly balance the rights of content owners, consumers and other constructive users of content. I will welcome their suggestions about how the measure might be further improved as it moves forward in the legislative process," Boucher concluded.
"As a consumer, I am excited about the possibilities that the FAIR USE Act brings," stated Doolittle.

Supporters of the FAIR USE Act include the Consumer Electronics Association, the American Library Association, the American Association of Law Libraries, the Association of Research Libraries, the Special Libraries Association, the Home Recording Rights Coalition, the Computer & Communications Industry Association, and other organizations representing the public interest and the consumers of digital media.

From rforno at infowarrior.org Tue Feb 27 14:29:03 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 27 Feb 2007 14:29:03 -0500
Subject: [Infowarrior] - Nixed: Black Hat talk on RFID access badge risks
Message-ID:

Nixed: Black Hat talk on RFID access badge risks
By Joris Evers
http://news.com.com/Nixed+Black+Hat+talk+on+RFID+access+badge+risks/2100-1029_3-6162547.html
Story last modified Tue Feb 27 10:29:46 PST 2007

Security researchers have canceled a talk on the flaws of RFID-equipped building access badges after receiving legal threats from a major manufacturer.

Researchers from security services firm IOActive planned to demonstrate that the commonly used identification cards can easily be duplicated, posing a serious risk to those who rely on such systems for security. The talk, slated for Wednesday at the Black Hat DC Briefings & Training event in Arlington, Va., was canceled Tuesday after IOActive said it received legal threats from HID Global, a major seller of access control systems.

"We can't go forward with the threat of litigation hanging over our small company," Joshua Pennell, IOActive's chief executive, said in a conference call with reporters Tuesday. An HID representative could not immediately be reached for comment.

According to IOActive, HID charged that the planned presentation infringed its intellectual property, U.S. patents 5,041,826 and 5,166,676 in particular.
"As a consequence...IOActive has withdrawn its presentation," the company said in a statement on its Web site, declining to give further details about its scrapped conference session.

The concept behind IOActive's presentation is not new. RFID security is regularly scrutinized. In fact, at last year's Black Hat Briefings in Las Vegas, a German security researcher showed how passports equipped with the radio tags could be cloned. The same researcher said this could also be done with building access cards.

Black Hat is getting a reputation for having talks canceled at the last minute because of legal threats. A presentation on vulnerabilities in Cisco Systems' software at the 2005 event in Las Vegas was pulled because of legal threats from the networking giant. The presenter famously delivered his talk anyway.

"I don't like it when really big companies throw their weight around," Jeff Moss, founder of Black Hat conferences, said on the Tuesday conference call. "This threatens the whole conference business."

"It is deja vu," Moss said, referring to Black Hat having to revise parts of its conference materials because of the last-minute change. "It certainly screwed up our conference scheduling."

From rforno at infowarrior.org Tue Feb 27 19:39:27 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 27 Feb 2007 19:39:27 -0500
Subject: [Infowarrior] - Technical Glitch Hits Dow Average But Prices Are Not Affected
Message-ID:

Glitch Hits Dow Average But Prices Are Not Affected
By Reuters | 27 Feb 2007 | 07:25 PM
http://www.cnbc.com/id/17369561

A technical glitch hit the system that calculates the Dow Jones industrial average on Tuesday, but it did not affect stock prices, a spokeswoman for Dow Jones Indexes said.

With an hour left to trade, the Dow Jones industrial average fell more than 500 points as it abruptly added about 200 points to its slide in late afternoon trade.

"At around 2 p.m.
we realized extraordinarily heavy volume coming in and that caused a delay in the Dow Jones data system," said Sybille Reitz. "As a result the calculation of the Dow average temporarily lagged behind the market decline. We then switched over to a backup system, which resulted in a rapid catch up in the published value of the Dow," she said.

Reitz added that at no point did the swing in the index affect stock prices. "The calculation is absolutely correct, we just had a delay in the output."

The Dow Jones Industrial Average ended down 416 points, erasing all of this year's gains. The Standard & Poor's 500 index and Nasdaq Composite also dropped more than 3%, an exclamation point on a global sell-off that began with the worst one-day slide in Chinese stocks in a decade.

From rforno at infowarrior.org Tue Feb 27 20:02:18 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 27 Feb 2007 20:02:18 -0500
Subject: [Infowarrior] - UPDATE 2-NYSE says experienced trading delays
Message-ID:

UPDATE 2-NYSE says experienced trading delays
Tue Feb 27, 2007 7:59 PM ET
(Rewrites throughout, adds brokerage delays, byline)
http://yahoo.reuters.com/news/articlehybrid.aspx?storyID=urn:newsml:reuters.com:20070228:MTFH99773_2007-02-28_00-59-04_N27240624&type=comktNews&rpc=44
By Jonathan Keehner

NEW YORK, Feb 27 (Reuters) - The New York Stock Exchange's touted trading floor automation was tested by its first big selloff on Tuesday, and didn't pass with flying colors.

The Big Board was not the only financial company to see its systems taxed by tumbling equity markets and soaring volumes. But the admission of a glitch may be a sign that its hybrid system, which has coincided with the loss of hundreds of flesh-and-blood floor trading jobs, still needs to work out some kinks.

"Toward the end of trading today, we experienced intermittent delays and we are assessing the situation," said NYSE Group spokesman Eric Ryan.
The delays occurred toward the end of Tuesday's big stock sell-off, which resulted in heavy volume on the NYSE where about 2.41 billion shares changed hands -- well above last year's estimated daily average of 1.84 billion.

The glitch could be an indication that NYSE's hybrid market, which integrates floor-based trading with automated capabilities, was unable to handle such large volume, analysts said. Last month, the NYSE requested a delay in upcoming regulatory deadlines, citing delays in rolling out the hybrid market.

TRADES SNAGGED ON MANY VENUES

While the S&P 500 experienced its biggest one-day drop in almost four years, orders were snagged on venues ranging from the Big Board, which is the largest U.S. stock exchange, to discount brokers catering to mom-and-pop retail investors.

The Web sites of several full service and online brokerages were significantly delayed, said Matt Poepsel of Lexington, MA-based consultant Gomez, Inc. Response times for online brokers at Banc of America Investment Services, Inc., a unit of Bank of America, The Vanguard Group, and Fidelity were all at least four times slower for the final trading hour on Tuesday than during that period the day prior, according to Gomez.

A Fidelity spokesman was not immediately available and Bank of America declined to comment, but a Vanguard spokeswoman confirmed that trades were "slightly slower than normal."

A technical glitch also hit the system that calculates the Dow Jones industrial average <.DJI> on Tuesday, but it did not affect stock prices, a spokeswoman for Dow Jones Indexes said. With an hour left to trade, the Dow Jones industrial average fell more than 500 points as it abruptly added about 200 points to its slide in late afternoon trade.

The combination of glitches and delays may have further complicated a major sell-off in U.S. equity markets on Tuesday, as a plunge in China's equity market fanned worries that stock valuations there are too high and some data indicated U.S.
economic growth may slow.

(Additional reporting by Ellis Mnyandu and Jonathan Stempel)

From rforno at infowarrior.org Wed Feb 28 07:48:07 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 28 Feb 2007 07:48:07 -0500
Subject: [Infowarrior] - New Profiling Program Raises Privacy Concerns
Message-ID:

New Profiling Program Raises Privacy Concerns
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/27/AR2007022701542_pf.html
By Ellen Nakashima and Alec Klein
Washington Post Staff Writers
Wednesday, February 28, 2007; D03

The Department of Homeland Security is testing a data-mining program that would attempt to spot terrorists by combing vast amounts of information about average Americans, such as flight and hotel reservations.

Similar to a Pentagon program killed by Congress in 2003 over concerns about civil liberties, the new program could take effect as soon as next year. But researchers testing the system are likely to already have violated privacy laws by reviewing real information, instead of fake data, according to a source familiar with a congressional investigation into the $42.5 million program.

Bearing the unwieldy name Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE), the program is on the cutting edge of analytical technology that applies mathematical algorithms to uncover hidden relationships in data. The idea is to troll a vast sea of information, including audio and visual, and extract suspicious people, places and other elements based on their links and behavioral patterns.

The privacy violation, described in a Government Accountability Office report that is due out soon, was one of three by separate government data mining programs, according to the GAO. "Undoubtedly there are likely to be more," GAO Comptroller David M. Walker said in a recent congressional hearing.
The violations involved the government's use of citizens' private information without proper notification to the public and using the data for a purpose different than originally envisioned, said the source, who declined to be identified because the report is not yet public. The issue lies at the heart of the debate over whether pattern-based data mining -- or searching for bad guys without a known suspect -- can succeed without invading people's privacy and violating their civil liberties. DHS spokesman Larry Orluskie said officials had not yet read the GAO report and could not comment. Another DHS official who helped develop ADVISE said that the program was tested on only "synthetic" data, which he described as "real data" made anonymous so it could not be traced back to people. The system has been tested in four DHS pilot programs, including one at the Office of Intelligence and Analysis, to help analysts more effectively sift through mounds of intelligence reports and documents. In another pilot at a government laboratory in Livermore, Calif., that assessed foreign and domestic terror groups' ability to develop weapons of mass destruction, ADVISE tools were found "worthy of further development," DHS spokesman Christopher Kelly said. The DHS is completing reports on the privacy implications of all four pilot programs. Such assessments are required on any government technology program that collects people's personally identifiable information, according to DHS guidelines. The DHS official who worked on ADVISE said it can be used for a range of purposes. An analyst might want, say, to study the patterns of behavior of the Washington area sniper and look for similar patterns elsewhere, he said. The bottom line is to help make analysts more effective at detecting terrorist intent. ADVISE has progressed further than the program killed by Congress in 2003, Total Information Awareness, which was being developed at the Defense Advanced Research Projects Agency (DARPA). 
Yet it was partly ADVISE's resemblance to Total Information Awareness that led lawmakers last year to request that the GAO review the program. Though Total Information Awareness never got beyond an early research phase, unspecified subcomponents of the program were allowed to be funded under the Pentagon's classified budget, which deal largely with foreigners' data. The Disruptive Technology Office, a research arm of the intelligence community, is working on another program that would sift through massive amounts of data, such as intelligence reports and communications records, to detect hidden patterns. The program focuses on foreigners. Officials declined to elaborate because it is classified. Officials at the office of the director of national intelligence stressed that pattern analysis research remains largely theoretical. They said the more effective approach is link analysis, or looking for bad guys based on associations with known suspects. They said that they seek to guard Americans' privacy, focusing on synthetic and foreigners' data. Information on Americans must be relevant to the mission, they said. Still, privacy advocates raise concerns about programs based on sheer statistical analysis because of the potential that people can be wrongly accused. "They will turn up hundreds of soccer teams, family reunions and civil war re-enactors whose patterns of behavior happen to be the same as the terrorist network," said Jim Harper, director of information policy studies at the Cato Institute. But Robert Popp, former DARPA deputy office director who founded National Security Innovations, a Boston firm working on technologies for intelligence agencies, said that research anecdotally shows that pattern analysis has merit. In 2003, he said, DARPA researchers using the technique helped interrogators at the U.S. prison at Guantanamo Bay, Cuba, assess which detainees posed the biggest threats. 
Popp said that analysts told him that "detainees classified as 'likely a terrorist' were in fact terrorists, and in no cases were detainees who were not terrorists classified as 'likely a terrorist.' " Some lawmakers are demanding greater program disclosure. A bipartisan bill co-sponsored by Senate Judiciary Committee Chairman Patrick J. Leahy (D-Vt.) would require the Bush administration to report to Congress the extent of its data-mining programs. Staff researchers Richard Drezen and Madonna Lebling contributed to this report. From rforno at infowarrior.org Wed Feb 28 08:02:14 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Feb 2007 08:02:14 -0500 Subject: [Infowarrior] - Music executives lament state of industry Message-ID: Music executives lament state of industry By Greg Sandoval http://news.com.com/Music+executives+lament+state+of+industry/2100-1027_3-6162729.html Story last modified Wed Feb 28 03:48:57 PST 2007 NEW YORK--The discussions at a music conference here Tuesday started with an all-around bashing of Apple CEO Steve Jobs before moving to the plethora of issues plaguing the music industry. Apple, digital rights management (DRM) and the public's willingness to pirate music were discussed, debated and lamented once more by attendees of the Digital Music Forum East conference. "We're running out of time," Ted Cohen, managing director of music consulting firm TAG Strategic, told the roughly 200 attendees. "We need to get money flowing from consumers and get them used to paying for music again." The call to arms by Cohen, who was moderating a panel discussion titled "The State of the Digital Union," comes as the music industry suffers through one of the worst slumps in its history. CD sales fell 23 percent worldwide between 2000 and 2006. Legal sales of digital songs aren't making up the difference either. Last year saw a 131 percent jump in digital sales, but overall the industry still saw about a 4 percent decline in revenue. 
That has the industry pointing fingers at a number of things they believe caused the decline. At the opening of the conference, some of the panel members lashed out at Jobs. Members said Jobs' call three weeks ago for DRM-free music was "insincere" and a "red herring." "Imagine a world where every online store sells DRM-free music encoded in open licensable formats," Jobs wrote in a letter that rocked the music industry. "In such a world, any player can play music purchased from any store, and any store can sell music which is playable on all players. This is clearly the best alternative for consumers, and Apple would embrace it in a heartbeat." Jobs' position was perceived by many in the music industry as a 180-degree shift in direction. The view expressed at the conference is that Apple has maintained a stranglehold on the digital music industry by locking up iTunes music with DRM. Cohen told the audience that if Jobs was really sincere about doing away with DRM, he would soon release movies from Disney--the studio Jobs holds a major stake in--without any software protection. An Apple representative declined to comment on Tuesday on remarks made by the panel. Panel member Mike Bebel, CEO of Ruckus music service, said: "Look, I don't think anybody is necessarily down on Apple. The problem is the proprietary implementation of technology...and it's causing everybody else who is participating in the marketplace--the other service providers, the labels, the users--a lot of pain. If they could simply open it up, everybody would love them." The role of DRM Panel members--who included Thomas Gewecke, Sony BMG senior vice president, and Gabriel Levy, general manager of RealNetworks Europe--were divided about what the music industry should do about DRM in general. Most of the panel members, save for Greg Scholl, CEO of independent music label The Orchard, believe that some form of DRM is necessary. Scholl said flatly that DRM doesn't work. 
"The idea that DRM gives us choice isn't right," he said. "The economics of the business are over for good and aren't ever going to be the way they were before," Scholl said. This is a position that some in the music industry are starting to warm up to. In January, EMI said it was reviewing a request by the Electronic Frontier Foundation to allow reverse engineering of its digital rights management software. That EMI would even consider the proposal was seen in many circles as a step forward by the anti-DRM camp. Gewecke also defended record labels against the criticism that the music industry has its head in the sand and just doesn't understand the Digital Age. He said that Sony BMG is working with technologists and retailers, and is constantly looking for technological solutions to some of the industry's problems. He also said that despite all the bad news, there's plenty for the sector to be encouraged about. "We routinely talk to companies about what's different," Gewecke said. "We're constantly looking for where value is being created in a business model. We are being flexible. There's still an evolution that has to happen. I say it's an optimistic time considering there's more music being listened to now than ever before. There's more opportunities to monetize the music. We want to be out there looking for new ideas and companies." Copyright ©1995-2007 CNET Networks, Inc. All rights reserved. From rforno at infowarrior.org Wed Feb 28 08:03:00 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Feb 2007 08:03:00 -0500 Subject: [Infowarrior] - Windows adds 'maybe pirate' category Message-ID: Windows adds 'maybe pirate' category By Ina Fried http://news.com.com/Windows+adds+maybe+pirate+category/2100-7355_3-6162734.html Story last modified Wed Feb 28 04:58:57 PST 2007 Until recently, Microsoft's antipiracy technology was pretty decisive: either your copy of Windows was genuine or it wasn't. 
With a software update this week, however, Microsoft has added a new "Yellow state" for times when it just can't tell whether a copy is legitimate. According to Microsoft, the new indeterminate reading can occur, for example, when a local error or network error prevents the validation check from being completed. The message is part of a controversial add-on to Windows XP, known as Windows Genuine Advantage Notification, which tells users whether Microsoft believes their copy of Windows to be legitimate. Validation is required for most Windows XP downloads, though users can still get automatic security updates. With Windows Vista, some features won't work at all unless a machine is validated as genuine. For machines that get the new "maybe pirate" reading, a window pops up that says "unable to complete genuine Windows validation." Encountering the new reading does not limit a user's ability to download additional software, as is the case when a computer fails validation. A user can "click to see more details and address the problem, ignore the messages, or suppress them altogether," Microsoft said in a statement. Microsoft said it hoped the new state would lead to better experiences for customers. "If a system or network error prevents an accurate status check, Microsoft wants customers to know that and have the option to fix the problem," Microsoft said. "We have seen many instances where the failure to complete validation is masking other system problems that users should attend to. 
The change was noted earlier by technology site From rforno at infowarrior.org Wed Feb 28 09:34:32 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Feb 2007 09:34:32 -0500 Subject: [Infowarrior] - Google Searches For Government Work Message-ID: Google Searches For Government Work http://www.washingtonpost.com/wp-dyn/content/article/2007/02/27/AR2007022701541_pf.html By Sara Kehaulani Goo and Alec Klein Washington Post Staff Writers Wednesday, February 28, 2007; D03 Google, meet Uncle Sam. The search engine giant showed off its ambition yesterday to expand its business with the federal government, kicking off a two-day sales meeting that attracted nearly 200 federal contractors, engineers and uniformed military members eager to learn more about its technology offerings. Google has ramped up its sales force in the Washington area in the past year to adapt its technology products to the needs of the military, civilian agencies and the intelligence community. Already, agencies use enhanced versions of Google's 3-D mapping product, Google Earth, to display information for the military on the ground in Iraq and to track airplanes that fight forest fires across the country. At the meeting, held over a breakfast of scrambled eggs at the Ritz-Carlton in Tysons Corner and attended by existing and potential clients, Google executives said they expected to see far more applications of the company's technology by the government. "We're really in the beginning stages," said Rob Painter, director of the Google Earth federal effort. "Coming on the scene to the federal space, in many ways, it's brand new." Google started selling products to the U.S. government about three years ago, company officials said. Its government sales and engineering team is relatively small -- 10 people in Herndon-- but it expects to grow to 15 by the month's end and to 20 by the year's end. 
Google also has hired a team of Democratic and Republican policy staff members who work in an office in the District. Although most of Google's services are offered free for Web users, the company sells enhanced versions of those services to its government clients. The enhanced versions of Google Earth allow government agencies to merge their data about a region with Google's satellite images and receive updated versions of images. The company aims to sell three key products to government agencies: enhanced versions of Google Earth; search engines that can be used internally by agencies; and a new suite of e-mail, document and spreadsheet products similar to Microsoft Office but hosted on Google's servers. Google declined to comment on which federal agencies it serves and would not reveal its revenue from government work. But publicly available data indicate that the nascent business quadrupled in just one year, from $73,000 in 2005 to $312,000 in 2006, according to FedSpending.org, a nonprofit unit of OMB Watch, an advocacy group that tracks federal contracts. Google said it has some contract work with many federal agencies, evenly spread among military, intelligence and civilian offices. "Most federal agencies have trouble with information technology. They don't really talk about it very openly," said Stephen E. Arnold, a technology analyst and the author of "The Google Legacy." "Google is in a unique position to do these large-scale, back-office functions. . . . That's really what they're up to." For Google's mapping product, doing more business with the federal government is like coming full circle. The technology behind Google Earth, which Google says has 200 million users, got its start in the intelligence community, in a CIA-backed firm called Keyhole. Google acquired Keyhole in 2004. Yesterday, Google's partner, Lockheed Martin, demonstrated a Google Earth product that it helped design for the National Geospatial-Intelligence Agency's work in Iraq. 
These included displays of key regions of the country and outlined Sunni and Shiite neighborhoods in Baghdad, as well as U.S. and Iraqi military bases in the city. Neither Lockheed nor Google would say how the geospatial agency uses the data. From rforno at infowarrior.org Wed Feb 28 19:21:13 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Feb 2007 19:21:13 -0500 Subject: [Infowarrior] - Patently Bad Move Gags Critics Message-ID: Patently Bad Move Gags Critics By Jennifer Granick 02:00 AM Feb 28, 2007 http://www.wired.com/news/columns/0,72819-0.html Guess what? Radio frequency identification tags are insecure. But don't demonstrate the technology's problems at a security conference. If you do, HID Global, a manufacturer of access-control devices, might sue you for patent infringement. That's the threat the company leveled against Chris Paget of IOActive Monday, forcing him to pull the presentation he planned for the Black Hat DC 2007 conference taking place this week in Washington. Paget had planned to discuss and demonstrate a technique for cloning RFID proximity cards -- the kind that are used to control access to buildings and offices. He performed a similar demonstration at the RSA Conference recently, using a home-brew RFID reader/writer. I haven't seen the cease-and-desist letter, but from reports, HID Global seems to be claiming that cloning an RFID security card violates one or more of the company's patents on RFID reading technology. If true, this would make any third-party research into the security of the company's products illegal, as well as any public demonstration. I'm sure burglars, identity thieves and others who misuse insecure RFIDs for personal gain will be deterred by the years of messy patent litigation they'll face if they start hacking RFIDs. It seems to have scared legitimate researchers pretty well. 
I'm glad we didn't worry about whether hacking RFID infringes upon patents back in January, because at a symposium about new technology and the Fourth Amendment put on by Stanford Technology Law Review students, University of California at Berkeley computer science student David Molnar demonstrated (.mp4) for the audience a cheap little device cobbled together from Radio Shack parts that was able to read and clone radio frequency tags contained in our university ID cards. On that same panel, Nicole Ozer, technology and civil liberties policy director for the ACLU of Northern California, told us that most people carry some sort of card that someone can read through a pants pocket, and thereby identify, track or impersonate them. But it makes a much bigger impression when you see it happen before your very eyes, which is why a company might want to block a demonstration. HID Global reportedly pointed to two of its patents for card readers -- No. 5,041,826 and No. 5,166,676. The important parts of a patent are the claims. To infringe a patent, one must make, use, sell or offer for sale an invention described by the patent's claims without the patent owner's authorization. Paget doesn't sell his reader, which you can see him demonstrate here. But he did make it. So if it operates identically to the card readers described in HID's patents, then the company's legal threat actually makes some theoretical sense. That should scare everyone reading this. Patents have been issued for the most trivial of inventions -- there are multiple patents like No. 7,111,753, which grants rights with regard to a piece of paper that goes around a hot cup to stop your hand from getting burned. Combine excessive grants of patent rights with a company's narrow corporate self-interest in maintaining an image, and we have a free speech and security nightmare. 
Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products. The use of patent law to prevent vulnerability discovery and discussion is bitter irony, because a fundamental purpose of patent law is disclosure: In exchange for the right to exclude others from using, making or selling a novel invention, an inventor agrees to make public all the details. Once issued, patents are a searchable public record, and expire after 20 years. This isn't a case about keeping dangerous information out of the hands of attackers. There's nothing new about RFID vulnerabilities: Everyone knows about them and has for years. Nor is this a case about properly rewarding HID for its innovative creativity. Paget isn't building and selling his own, competing devices. This is a case about misusing intellectual property laws to silence critics who want to inform customers and consumers alike that the RFID emperor has no clothes. - - - Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic. From rforno at infowarrior.org Wed Feb 28 19:25:41 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Feb 2007 19:25:41 -0500 Subject: [Infowarrior] - Audio Watermark Web Spider Starts Crawling Message-ID: New "watermark" system scours the net for infringement, notifies owners 2/27/2007 10:05:26 PM, by Ken Fisher http://arstechnica.com/news.ars/post/20070227-8937.html Watermarks date back at least to the 13th century, when paper manufacturers found a way to "mark" sheets with an unremovable, barely-visible signature to denote either the paper's origin, ownership, or both. Watermarks have come a long way, and companies such as Macrovision and Digimarc have made a king's ransom offering "digital watermarking technology" to today's purveyors of content. 
These days, digital watermarking is now being tasked to make money on unauthorized file distribution. The proposition is simple: what if video and audio content flowed freely online, sans DRM, but owners were somehow compensated when files were played or accessed? That's the basic idea behind Digimarc's latest patent. According to a patent filing at the US Patent and Trademark Office, Digimarc's "Method for monitoring internet dissemination of image, video and/or audio files" is a monitoring service that scans the Internet, consuming content as it goes. The system downloads audio, video and images, and then scans them for watermarks. If it finds a watermark it recognizes, the system then contacts that mark's registered owner and informs them of the discovery. Digimarc announced its successful patent application this month, but the patent has been a long time coming. It was first filed in November of 1998, long before the YouTubes and MySpaces of the world existed. Now Digimarc is promoting the monitoring system as the cure to what ails these social networking sites. According to Bruce Davis, Digimarc chairman and CEO, the system could help build "viable business models" in an arena rife with "disruptive changes in entertainment distribution and consumption." "Much of the repurposed content on YouTube, for example, contains copyrighted entertainment," Davis said in a statement. "If social networking sites implemented software to check each stream, they could identify copyrighted subject matter, create a report, negotiate compensation for the value chain and sell targeted advertising for related goods and services. There is no need to impede consumers. In fact, the specific identification of the content could guide provision of related goods, services and community designed to maximize the consumer's enjoyment of the entertainment experience." For the system to work, players at multiple levels would need to get involved. 
Broadcasters would need to add identifying watermarks to their broadcast, in cooperation with copyright holders, and both parties would need to register their watermarks with the system. Then, in the event that a user captured a broadcast and uploaded it online, the scanner system would eventually find it and report its location online. Yet the system is not designed to hop on P2P networks or private file sharing hubs, but instead crawls public web sites in search of watermarked material. As such, this "solution" is more geared towards sites like YouTube and less towards casual piracy, which rarely involves posting things to a web site. Generally we've laughed off most watermarking solutions because they seemed like solutions in search of a problem. Now that Google has learned the hard way that content owners want to be paid when their content shows up on YouTube, we may see more of these "solutions" in the future. From rforno at infowarrior.org Wed Feb 28 22:56:01 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Feb 2007 22:56:01 -0500 Subject: [Infowarrior] - Mac Wi-Fi hijack demonstrated Message-ID: Mac Wi-Fi hijack demonstrated February 28, 2007 4:10 PM PST http://news.com.com/2061-10789_3-6163285.html?part=rss&tag=2547-1_3-0-20&subj=news ARLINGTON, Va.--Is the book on the Mac Wi-Fi hijack saga finally being closed? David Maynor, chief technology officer at Errata Security, at the Black Hat DC event here on Wednesday broke the months-long silence on a controversial Mac hack. He also said he plans to publicly release computer code used in that attack. The controversy started at the Black Hat Briefings conference last summer in Las Vegas. There, Maynor and fellow security researcher Jon "Johnny Cache" Ellch showed how a MacBook could be hacked by sending malformed network traffic to it. (Click here to see the video.) 
The presentation caused a storm of criticism from the Mac community and Apple criticized Maynor and Ellch for saying Macs were insecure. The Mac maker even tried to pressure Maynor into posting a blog on the site of his then-employer SecureWorks stating that Macs were not flawed, he said. Nearly two months later, however, Apple released Mac OS X 10.4.8, which fixed the problem demonstrated at Black Hat, Maynor said Wednesday. "The vulnerability that was being exploited was now patched," Maynor said. "Apple released some security patches to address stuff I actually pointed them to and they claimed had nothing to do with me." Shortly after Apple issued its patches, Maynor and Ellch were slated to open the book on Apple at the ToorCon hacker event in San Diego. That presentation was pulled because Apple threatened to sue SecureWorks, Maynor said. Maynor did offer an apology. "I screwed up a little bit," he said. There was a lot of confusion around the Mac hack because the original presentation used a third party Wi-Fi card. However, Maynor and Ellch had in fact also found flaws in Apple's own hardware, he said. Maynor demonstrated a Mac Wi-Fi hack on stage on Wednesday. His MacBook running Mac OS X 10.4.6 crashed while scanning for a wireless network and coming across rogue code Maynor was pushing out from a Toshiba laptop. While the attack he demonstrated only caused a crash, it could also be used to run code on the Mac, he said. Apple fixed that particular problem in September with Mac OS X 10.4.8, Maynor said. "I did provide the information on vulnerabilities in Apple products, I provided them with code and they were given packet captures," he said. In the future, Maynor said he won't work with Apple. "I do not feel comfortable keeping relations with the company and will not report future findings to them," he said. An Apple representative could not immediately comment on Maynor's presentation. 
From rforno at infowarrior.org Wed Feb 28 22:56:56 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Feb 2007 22:56:56 -0500 Subject: [Infowarrior] - Researcher sees ROM as rootkit home Message-ID: Researcher sees ROM as rootkit home Published: 2007-02-28 http://www.securityfocus.com/brief/447?ref=rss ARLINGTON, VA. -- The flashable memory on graphics cards and other add-on hardware could easily be used to hide malicious code on computer systems, yet still run the software at boot time, a researcher told attendees at the Black Hat DC conference on Wednesday. Such surreptitious code, known as a rootkit, could be hidden in the expansion read-only memory (ROM) frequently used by add-on Peripheral Component Interconnect (PCI) cards, said John Heasman, a security researcher with Next-Generation Security Software. The expansion ROM attack could update itself using a covert channel to the Internet, runs at boot time and would be fairly difficult to detect. It doesn't help that the developers creating device drivers don't normally consider security, he said. "Graphics card makers, for example, are not thinking about this attack," Heasman said. "They want to make it as easy as possible to update the ROM." Attacks that use rootkits stored outside of system memory are not totally new. Last year, Heasman presented practical research into malicious software that could use the motherboard's Advanced Configuration and Power Interface (ACPI) to run code at boot time. In November, Heasman released his initial paper on the PCI rootkits. The technique will not likely become a prevalent threat. Because the attack requires a great deal of technical knowledge and effort, an attacker is more likely to use standard software Trojan horses to compromise systems, he said. Computers that have specialized hardware security based on the Trusted Computing Platform will be largely immune to such attacks.