Thursday, March 31, 2005

McAfee Research to SPARTA, 4/9/05

The previously announced transfer of the assets, people, and contracts of McAfee Research to SPARTA, Inc., will be effective late next week. Friday, April 8 will be our last day as employees of McAfee, and Monday, April 11 will be our first day as employees of SPARTA.

My new work email address will be <>. <> should continue to reach me.


Passport Chip Criticism Grows

A Wired News article actually holds out hope that the State Department is listening to critics.

"Business travel groups, security experts and privacy advocates are looking to derail a government plan to insert remotely readable chips in American passports, calling the chips homing devices for high-tech muggers, identity thieves and even terrorists. But the U.S. State Department, which plans to start issuing the new passports to citizens later this year, says its critics are overstating the risks. Officials say that the chips will cut down on passport forgery, improve security and speed up border crossings."

"The State Department is also adding technical features to prevent the radio-frequency identification devices, or RFID chips, in new passports from being 'skimmed' by unauthorized readers, according to Frank Moss, the deputy assistant secretary for passport services at the State Department. 'We will not issue passports to the American public without mitigating the risk of skimming,' Moss said, calling the issue both a technical and a political problem."

"Two business travel groups -- the Business Travel Coalition and the Association of Corporate Travel Executives -- also announced their opposition to the chips Monday. 'The thought that your travel documents could be broadcasting your nationality to those with an interest in harming U.S. citizens is bad enough,' said ACTE President Greeley Koch in a written statement. 'But it could also be pinpointing likely targets for pickpockets, thieves, and even providing information to steal.' "

"The chips are also designed only to be readable from 8 centimeters (about 3 inches) away when the passport is open, Moss said, adding 'these are not like the RFID chips that control Wal-Mart's inventory.' State Department contractors are looking to include some shielding, such as metal fibers in the passport cover, to keep the chips from being read when the passport is closed. But others say the passports could be read from much further, perhaps 10 meters (about 33 feet), if one used a stronger reader than the border guards have."

Labels: , ,


Wednesday, March 30, 2005

Phishing report (through February)

A new report by the Anti-Phishing Working Group (APWG) indicates that the threat of phishing continues to grow.

Number of active phishing sites reported in February:
Average monthly growth rate in phishing sites July through February:
Number of brands hijacked by phishing campaigns in February:
Number of brands comprising the top 80% of phishing campaigns in February:
Country hosting the most phishing websites in February:
 United States"

See also this and this.

Labels: ,

Human damage to Earth worsening

A Reuters story, based on the Millenium Ecosystem Assessment report, indicates that we may be in even worse trouble than I thought.

"Humans are damaging the planet at an unprecedented rate and raising risks of abrupt collapses in nature that could spur disease, deforestation or 'dead zones' in the seas, an international report said on Wednesday. The study, by 1,360 experts in 95 nations, said a rising human population had polluted or over-exploited two thirds of the ecological systems on which life depends, ranging from clean air to fresh water, in the past 50 years. 'At the heart of this assessment is a stark warning,' said the 45-member board of the Millennium Ecosystem Assessment. 'Human activity is putting such strain on the natural functions of Earth that the ability of the planet's ecosystems to sustain future generations can no longer be taken for granted,' it said."

Labels: ,


Monday, March 28, 2005

Your Law Suit is Junk, Mine Seeks Justice

This is for the "outrage" department: A Wampum post, noted by Dan Gillmor, spells out exactly how the "tort reform" movement's leaders have been quite willing to engage in the "abuses" they now profess to abhor.

"Republicans want to limit the right of others to recover for torts but are quick to sue when they, or members of their family, have been harmed. "



GAO's Report on Secure Flight

Bruce Schneier blogs on the GAO's Report on Secure Flight:

"The AP says:
The government's latest computerized airline passenger screening program doesn't adequately protect travelers' privacy, according to a congressional report that could further delay a project considered a priority after the Sept. 11 attacks. Congress last year passed a law that said the Transportation Security Administration could spend no money to implement the program, called Secure Flight, until the Government Accountability Office reported that it met 10 conditions. Those include privacy protections, accuracy of data, oversight, cost and safeguards to ensure the system won't be abused or accessed by unauthorized people. The GAO found nine of the 10 conditions hadn't yet been met and questioned whether Secure Flight would ultimately work."

Labels: ,


Terrorism risk in nuclear fuel storage

An article in the San Francisco Chronicle reports on yet another nuclear power safety risk.

"A classified report by nuclear experts assembled by the National Academy of Sciences has challenged the decision by federal regulators to allow commercial nuclear facilities to store large quantities of radioactive spent fuel in pools of water. The report concluded that the government does not fully understand the risks that a terrorist attack could pose to the pools and ought to expedite the removal of the fuel to dry storage casks that are more resilient to attack. The Bush administration has defended the safety of the pools, and the nuclear industry has warned that moving fuel to dry storage would be unnecessary and expensive. The report was requested by Congress after the terrorist attacks of Sept 11, 2001. Because it is classified, the contents of the report were not made public when it was delivered to the Nuclear Regulatory Commission last summer. Even a stripped-down, declassified version has remained under wraps because the NRC says it contains sensitive information."

Labels: ,


Friday, March 25, 2005

TSA Failed to Protect Passenger Data

A Wall Street Journal article reports that the TSA was insufficiently careful with passenger screening data.

"A new government report says officials in the Department of Homeland Security didn't do enough to keep airline-passenger data secure when using it to test a traveler-screening program. In a report to be released today, the Department of Homeland Security's inspector general says the Transportation Security Administration gathered 12 million passenger records from February 2002 to June 2003 and used most of them to test the Computer Assisted Passenger Prescreening System, or CAPPS 2, which was designed to check passenger names against government watch lists. Passengers weren't told their information was being used for testing."

"'Although we have found no evidence of harm to individual privacy, TSA could have taken more steps to protect privacy,' investigators concluded. TSA officials shelved CAPPS 2 last year amid complaints it was an invasion of passenger privacy. The agency has replaced it with a similar system, called Secure Flight, which is being tested and is expected to debut in August."

"The report raises concerns because Secure Flight ultimately will gather private information, such as names, addresses, travel itineraries and credit-card information, on anyone who takes a domestic flight. That effort could be slowed by a Government Accountability Office study due Monday which is expected to be critical of TSA's efforts to develop passenger-privacy protections... Investigators also found TSA provided inaccurate information to the media about the agency's use of real passenger records for CAPPS 2 testing and wasn't 'fully forthcoming' to the agency's own internal privacy officer during an investigation into the matter."

Labels: , ,


Personal Information and Identity Theft

A good brief post by Bruce Schneier.

"Fraud due to impersonation -- commonly called 'identity theft' -- works for two reasons. One, identity information is easy to obtain. And two, identity information is easy to use to commit fraud. Studies like this show why attacking the first reason is futile; there are just too many ways to get the information. If we want to reduce the risks associated with identity theft, we have to make identity information less valuable. Too much of our security is based on identity, and it's not working."

Labels: ,


Tuesday, March 22, 2005

Up for the Count

A Washington Post editorial urges voter verifiable paper trails for Maryland's electronic voting machines.

"MARYLAND VOTERS will never know for sure whether their election choices last year were recorded correctly -- and the same uncertainty could haunt them next year if lawmakers again fail to address a serious defect in the touch-screen voting machines used throughout the state. When functioning properly -- and the state elections administrator, Linda H. Lamone, insists that nearly all the machines did work last time -- they are said to be as accurate as they are efficient. But without a paper trail showing each vote cast, who's to know? And what about the machines that did freeze or had mechanical problems? Voters should not have to take it on faith; yet as it stands, there is no way to conduct a solid recount or audit."

"Last year, bills to require paper receipts that can be checked by voters before their selections are officially recorded died in conference committee at the end of the session. This year, supporters from both parties in both houses are pressing for committee approvals of measures sponsored by Del. Karen S. Montgomery (D-Montgomery) and Sen. Andrew P. Harris (R-Baltimore County). Action could come this week. Supporters cite testimony by computer experts that even though no major problems were evident last year, there could have been troubles hidden in the software."

"The technology exists for machines to create 'voter-verified audit trails,' and Maryland should have it. A few lawmakers have been backing measures that would establish some sort of independent audit system that would be more complicated and less efficient; it would use software that would enable voters to verify their choices on a Web site using encoded receipts. Instead of experimenting with a new and possibly more expensive system, lawmakers concerned about the possibilities of tainted election results should vote now to get a paper-trail system in place for next year's elections. Still other legislation would delay a decision for another year, to restudy options that already have undergone multiple reviews. However well the system really worked last year -- which no one can verify -- the integrity of the voting process demands the best possible protections."

See the expert e-voting blog for history and details.



Monday, March 21, 2005

Cyber Warfare: An Analysis

A report titled Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States by Charles Billo and Welton Chang of the Institute for Security Technology Studies at Dartmouth College makes interesting reading. The following is from the Executive Summary.

IT dependence in the United States is evolving into a strategic center of gravity. This represents an inviting target to a potential adversary. While intrusions and hacks are not the exclusive province of large, hierarchical organizations, military and intelligence services possess an advantage over terrorist units for example in terms of resources, depth of personnel, and longer time-horizon reconnaissance and probes.

Moreover, as advanced industrial states such as the United States outsource their programming of software to countries such as India, Pakistan, China, Philippines, and Russia, the risk of rogue programmers using their access to commit cyber attacks rises. The possibility of abuse by hackers, organized crime agents, and cyber terrorists in countries not necessarily allied with the United States is great, and grows as more programming is sub-contracted to these countries for economic reasons.

We believe that scientific and engineering prowess in the United States and elsewhere, when properly harnessed and directed, can lead to improved security measures and better defenses (such as attack “indications and warnings”) against malicious intrusions. Technology, however, is no panacea.

In conclusion, we recommend improved vigilance on the part of our homeland defense authorities against ever more sophisticated and numerous cyber attacks and probes. Given the significant economic and other interests at stake, we recommend a more systematic and sustained effort to raise awareness at the grass roots level regarding security loopholes and vulnerabilities. These efforts, led by local and national political leaders and responsible officials in the United States, will be important in changing the way the populace currently views network security. Finally, we propose greater urgency be given to the recommendation in the U.S. National Strategy to Secure Cyberspace calling for an effective public/private partnership to develop realistic software security and related standards that manufacturers will accept.

Labels: ,


Follow the Money

An article in Technology Review echoes warnings issued elsewhere.

"According to some experts, the kind of basic research necessary to create tomorrow's technologies is under siege, or at the very least, suffering from neglect. Venture capitalists never entirely stopped investing in companies with technologies just emerging from the lab. But after several years in which high-risk investments were unpopular, many startups developing innovative technologies (especially in such areas as nanotechnology and new genomic approaches to medicine) are starving for capital. Even more worrisome, the federal government's preoccupation with funding homeland security and national defense, and its resulting cutbacks in support for basic research in other areas, has left many wondering where the funding for research on new core technologies will come from."

"For many in the technology community, the threat of crisis became much more vivid in early December when President Bush signed off on the fiscal year 2005 U.S. federal budget. While this year's budget increases spending for research and development by 4.8 percent to $132.2 billion, most of that increase, 80 percent, goes to defense R&D, and most of that to new weapons development, according to the American Association for the Advancement of Science (AAAS). In fact, defense-related R&D reached a record high $75 billion this year. One winner was the U.S. Department of Homeland Security, which gets a 19.9 percent increase in its R&D budget, to $1.2 billion. The big loser is the National Science Foundation (NSF), which had its R&D budget cut by .3 percent, to $4.1 billion; it was the first cut in NSFs budget since 1996. Meanwhile, R&D funding for the National Institutes of Health (NIH) increased by just 1.8 percent to $27.5 billion; it was NIH's smallest percentage increase in years, and well below the rate of inflation."

" 'Defense and homeland security are very important. I can't criticize funding increases per se in those areas,' says Shirley Ann Jackson, president of Rensselaer Polytechnic Institute in New York and the 2004 AAAS president. 'But the bigger issue is sustaining focus and support for funding of basic research across broad fronts. We have to have a robust base of basic research. We're talking about potentially eroding that base.' Jackson adds, 'Other places will innovate. The question is, are we going to be a leader? If we don't pay attention to the warning signs, 15, 20 years from now, we could find ourselves in a relatively disadvantageous position in terms of global leadership.' "

Note that these figures are not corrected for inflation; NSF's purchasing power is hurt more than these figures indicate.


Study Criticizes Government on Cybersecurity Research

John Markoff's article in The New York Times summarizes and comments on the PITAC Cyber Security Report.

" 'The federal government is largely failing in its responsibility to protect the nation from cyberthreats,' said Edward D. Lazowska, chairman of the computer science and engineering department at the University of Washington and co-chairman of the panel. 'The Department of Homeland Security simply doesn't "get" cybersecurity. They are allocating less than 2 percent of their science and technology budget to cybersecurity, and only a small proportion of this is forward-looking.' "

"Peter Neumann, an independent computer scientist at SRI International, a research center in Menlo Park, Calif., said that both Congress and the Bush administration had been neglecting civilian Internet security research. 'The problem is that there is no sense of the importance of research in this Congress or in this administration,' said Mr. Neumann, who consults for the government."

Labels: , ,


Friday, March 18, 2005

Dan Gillmor on the Corruption of Journalism

A Dan Gillmor post calls a spade a spade.

"Earlier this week, President Bush defended this utterly indefensible policy, and even joked about it...
The Bush policy is simple: It is part of an administration's deliberate attempt to corrupt the practice of journalism. This practice did not start with Bush, as right-wingers who can't bring themselves to criticize their hero note in defense of this corruption. Indeed, Clinton used the same technique several times.
But there's not a hint that Clinton's administration was in the same league of manipulative practices that are the standard for this one."



Cyber Security: A Crisis of Prioritization

The much-anticipated report of the President's Information Technology Advisory Committee has been released.

"Dear Mr. President:
We submit to you the enclosed report entitled Cyber Security: A Crisis of Prioritization. For nearly a year, the President’s Information Technology Advisory Committee (PITAC) has studied the security of the information technology (IT) infrastructure of the United States, which is essential to national and homeland security as well as everyday life.
The IT infrastructure is highly vulnerable to premeditated attacks with potentially catastrophic effects. Thus, it is a prime target for cyber terrorism as well as criminal acts. The IT infrastructure encompasses not only the best-known uses of the public Internet – e-commerce, communication, and Web services – but also the less visible systems and connections of the Nation’s critical infrastructures such as power grids, air traffic control systems, financial systems, and military and intelligence systems. The growing dependence of these critical infrastructures on the IT infrastructure means that the former cannot be secure if the latter is not.
Although current technical approaches address some of our immediate needs, they do not provide adequate computer and network security. Fundamentally different architectures and technologies are needed so that the IT infrastructure as a whole can become secure.
Historically, the Federal government has played a vital, irreplaceable role in providing support for fundamental, long-term IT R&D, generating technologies that gave rise to the multibillion-dollar IT industry. The PITAC’s review of current Federally supported R&D in cyber security finds an imbalance, however, in the current cyber security R&D portfolio: most support is for short-term, defense-oriented research; there is relatively little support for fundamental research to address the larger security vulnerabilities of the civilian IT infrastructure, which supports defense systems as well. Therefore, PITAC urges changes in the Federal government’s cyber security R&D portfolio..." [emphasis mine]

See also the commentary by Peter Harsha on the CRA blog.

Labels: , , ,


Thursday, March 17, 2005

Momentum Turns Toward Privacy Protection

A USACM Technology Policy Weblog post discusses Congressional sentiment following recent news and hearings.

"One thing became crystal clear during this week's hearings involving the leaders of information brokers ChoicePoint and LexisNexis (among others) by a House Energy and Commerce subcommittee and the Senate Banking Committee: namely, the intent of policymakers to take action toward regulating the information brokerage industry. Indeed, the question now is less about whether Congress will decide to regulate this industry and more about the nature and scope of such regulation."

"On the House side, full Energy and Commerce Committee Chairman Joe Barton (R-TX) (as reported by the Washington Post) went so far as to call the routine sale of consumers' Social Security numbers without their knowledge or persmission 'just wrong,' while Banking Committee Chairman Richard Shelby (R-AL) likened the data collections managed by data brokers to a 'treasure trove' of personal financial information. Other highlights from the hearings included the testimony from Federal Trade Commission (FTC) chair Deborah Platt Majoras, ChoicePoint CEO Derek Smith, LexisNexis CEO Kurt Sanford, and EPIC director (and USACM member) Marc Rotenberg."

"As a result of recent revelations of unauthorized personal information disclosures, hacking, and fraud at companies like ChoicePoint, LexisNexis, and Bank of America, information brokers and others who handle sensitive personal information find themselves on the defensive like never before. It is apparent that many in the U.S. -- policymakers included -- were previously unaware of
(1) the kinds and volume of personal information handled and sold by brokers,
(2) the fact that such information is regularly bought and sold,
(3) the seeming ease with which such information can be obtained, and
(4) the fact that information brokers operate largely free of the kinds of government regulations that cover other arguably similar companies

Labels: ,


Is Intellectual Property really the same as Real Property?

A post on the USACM Technology Policy Weblog discusses how the answer to this question affects the whole IP protection debate.

"Understanding the fundamentals underlying a debate often provides useful insight into policymakers' thinking about an issue. Over the past two days, two different events highlighted a fundamental part of the MGM vs. Grokster debate. On Tuesday, the conservative Heritage Foundation held an event titled 'Government's Role In Protecting Constitutional Rights in Intellectual Property (IP)'. The keynote speakers, former Attorney General Edwin Meese and former Solicitor General Theodore Olsen, drove home their view that there is no difference between real property (land, buildings, etc.) and IP. On Wednesday, the Consumer Electronics Association (CEA) held the rebuttal event titled 'IP & Creativity'. Gary Shaprio, the President of Shaprio, kicked off the event by persuasively describing all the reasons why IP is different than real property."

Labels: ,


Wednesday, March 16, 2005

BCS: Grand Challenges in Computing Research

The British Computer Society report is now available.

There is also a Grand Challenges website.
BCS also issued a press release that is summarized in a Computer Weekly article.

The challenge titles are
In Vivo--in Silico
Science for global ubiquitous computing
Memories for life: managing information over a human lifetime
Scalable ubiquitous computing systems
The architecture of brain and mind
Dependable systems evolution
Journeys in non-classical computation

Labels: ,


Tuesday, March 15, 2005

Himalayan glaciers receding fast

A story is based on a WWF study.

"Himalayan glaciers are receding at among the fastest rates in the world due to global warming, threatening water shortages for millions of people in China, India and Nepal, a leading conservation group said on Monday. The Worldwide Fund for Nature (WWF) said in a new study that Himalayan glaciers were receding 10-15 meters per year on average and that the rate was accelerating as global warming increases. In India, the Gangotri glacier is receding at an average rate of 23 meters per year, the study said."



Forbes: Our Frankenputer

An article in Forbes places much of the blame on the sainted John von Neumann!

"Malicious software, or malware, costs us much in vandalism, more in data theft and most of all in forced countermeasures. We hire experts, build firewalls, subscribe to antivirus services, plan backups. Still it goes on:Now we have a pandemic of e-mail phishing scams and spyware that downloads itself surreptitiously with song-pirating software. There are simple things you can do to protect yourself, and there are things the computer industry is doing to solve the problem, but in the meantime it is also helpful to grasp just how sorry this state of affairs really is."

"But if the Von Neumann theory makes evil programs possible, it does not make them inevitable. From the beginning, the PC has made cybervandalism too easy. The computer is impossible to completely secure because it descends directly from a design that didn't take security into account. In terms of security, the PC's design is a breathtaking kludge--a sequence of defensive maneuvers and patches that play a futile catch-up game with malicious software. It's hard to overestimate how poisonous an environment the global Internet is. Peter Tippett, a physician who invented the antivirus software now sold by Norton and who is now chief technologist at computer security firm Cybertrust, conducted an experiment a year ago. He bought ten computers in ten different cities and hooked them up to high-speed Internet connections, then tried to load a Windows patch designed to keep out particular worms, a delivery vehicle for viral payloads. Three of the ten machines were either hacked or infected with worms within minutes, before the patches could even download."



Looming Threats for the Future of IT

A story in Computerworld discusses the costs and prospects of various information technology problems.

"Our panel finds plenty to worry about, from the sometimes deplorable quality of commercial software to cybercrimes and an erosion of U.S. leadership in IT. Leading the list of concerns—perhaps because it's so troublesome today—is the software quality issue, with its evil triad of poor security, unreliability and complexity. Easy, trouble-free use of IT has moved to the top of users' wish lists, some say. 'It's not much use making the digital technology better, cheaper, faster; that's going to happen in any case,' says economist W. Brian Arthur. 'Computers are working about as fast as we need. The bottleneck is making it all usable.' "

"Panel members rounded up the usual suspects. 'The purveyors of this complex and unreliable software are the current big software vendors,' says Network Services Co. CIO Michael H. Hugos. 'We all deal with some of them on a daily basis, and everyone knows who they are, including the vendors themselves.' But a day of reckoning is coming for these vendors, Hugos and others predict. 'There is a great pent-up demand for alternatives, and now, thanks to open-source software and commodity IT platforms, there are beginning to be industrial-strength alternatives to the products of the big software vendors,' Hugos says."

Labels: , ,


Monday, March 14, 2005

Spyware interferes with NZ online banking

A Sydney Morning Herald story reports a problem in New Zealand.

"New Zealand's major banks have blocked access to internet banking for hundreds of customers because they say their computers are infected with a so-called 'spyware' program, it was reported on Friday. Westpac notified 1400 customers and three other banks, including the Bank of New Zealand, had also warned clients that they would not be able to do internet banking until their personal computers are cleaned up, the New Zealand Herald said. The spyware, created by the American company Marketscore, infects PCs when the user accessed certain websites, the paper said ... the banks were concerned about the impact on secure internet sessions when user names and passwords are keyed in. The paper quoted Westpac spokesman Paul Gregory as saying the spyware program, which disguises itself as part of a secure session and records it, was 'very clever'."

Labels: ,


FTC Bars Bogus Spyware Claims

A Federal Trade Commission press release notes:
"An operation that offered consumers free spyware detection scans that 'detected' spyware even if there was not any, to market anti-spyware software that does not work has been barred from making deceptive claims by a U. S. District court at the request of the FTC. The FTC will seek a permanent halt to the marketing scam and redress for consumers. In papers filed with the court, the FTC alleges that Spyware Assassin and its affiliates used Web sites, e-mail, banner ads, and pop-ups to drive consumers to the Spyware Assassin Web site. After exposing consumers to a litany of the dire consequences of having spyware on their computers, the Web site warns, 'you WILL eventually experience credit card and/identity theft and your computer will ultimately crash and cease working for good . . . It's not a matter of if, but truly a matter of when.' "

"According to the FTC complaint, the Web site offers to scan consumers' computers at no cost to determine whether they're infected with spyware. One 'scan' -- the remote scan -- is performed when consumers land on the Web site. The free 'scan' displays a pop-up message that states, 'URGENT ERROR ALERT: You have dangerous spyware virus infections on your computer. Click OK to install the latest free update to fix these errors. Immediate action is highly recommended before you continue!' The other 'scan' -- the 'local scan' -- is performed when consumers click to download the defendants' software. Both scans warn consumers that they have spyware installed on their system. The FTC charges that, 'the defendants' free remote scan is phony, and the defendants' representations that they have detected spyware on the consumer's computer are deceptive.' "

Labels: ,


Friday, March 11, 2005

Hackers Target U.S. Power Grid

A story in the Washington Post recaps the risks.

"Patrick H. Wood III, the chairman of the Federal Energy Regulatory Commission, warned top electric company officials in a private meeting in January that they need to focus more heavily on cyber-security. Wood also has raised the issue at several public appearances."

"Officials will not say whether new intelligence points to a potential terrorist strike, but Wood stepped up his campaign after officials at the Energy Department's Idaho National Laboratory showed him how a skilled hacker could cause serious problems. Wood declined to comment on specifics of what he saw. But an official at the lab, Ken Watts, said the simulation showed how someone could hack into a utility's Internet-based business management system, then into a system that controls utility operations. Once inside, lab workers simulated cutting off the supply of oil to a turbine generating electricity and destroying the equipment. Describing his reaction to the demonstration, Wood said: 'I wished I'd had a diaper on.' "

"Many electric industry representatives have said they are concerned about cyber-security and have been taking steps to make sure their systems are protected. But Wood and others in the industry said the companies' computer security is uneven."

Labels: ,


Thursday, March 10, 2005

Madrid: Terrorism, the Internet and Democracy

A very interesting and encouraging Dan Gillmor post: "From the International Summit on Democracy, Security and Terrorism in Madrid, my working group on terrorism and the Internet has come up with what amounts to a set of principles and suggestions. I'll post them below. But keep in mind that this is a draft, the result of several days of work, not the Final Word. You can join this conversation more directly -- you can help edit the document to make it better -- by visiting the Global Voices wiki at Harvard Law School's Berkman Center for Internet and Society."

Labels: ,


TechNet Calls on United States to Intensify Innovation Priorities

Technet: In the News: "TechNet today warned U.S. policy leaders that profound changes in the global economy put America's competitiveness at risk. In the face of this challenge, the bipartisan network of technology CEOs unveiled an Innovation Policy Agenda designed to maintain U.S. global leadership through policies that encourage entrepreneurship, job creation and economic growth by strengthening innovation."

"Across the country, the academics, industry leaders and policymakers involved in the Innovation Summits collectively found that:
* The U.S. education system is not preparing young Americans for the careers of the future
* The United States is no longer assured of attracting and retaining the world's best innovators
* Global innovation leadership requires a long-term, strategic approach to create an ecosystem that fosters innovation
* We are gravely under-investing in research and development as a nation
* The U.S. lags behind other nations in the deployment of broadband networks that are the foundation of the next wave of technology innovation."

See also the insightful analysis, including links to related information, on the CRA Policy blog.

TechNet is a national, bipartisan network of CEOs that promotes the growth of technology industries and the economy by building long-term relationships between technology leaders and policymakers and by advocating a targeted policy agenda.

Labels: ,


This fine bridge for sale. Cheap.

A story on suggests that ballistic missile defense developers have not noticed what happens in even their very choreographed, long-planned test shots.

"Experimental interceptor bases in Alaska and California can be made ready to fire at incoming ballistic missiles within minutes or hours, the chief of the Missile Defense Agency said Wednesday. The comments from Lt. Gen. Henry A. Obering III in a conference call with reporters suggest the United States is technically ready to try to shoot down a few incoming intercontinental ballistic missiles with little warning."

Labels: ,


Wednesday, March 09, 2005

ChoicePoint Says "Please Regulate Me"

Schneier on Security comments on information in ChoicePoint's most recent 8-K filing.

"Catch that? ChoicePoint actually has no idea if only 145,000 customers were affected by its recent security debacle. But it's not doing any work to determine if more than 145,000 customers were affected -- or if any customers before July 1, 2003 were affected -- because there's no law compelling it to do so. I have no idea why ChoicePoint has decided to tape a huge 'Please Regulate My Industry' sign to its back, but it's increasingly obvious that it has. There's a class-action shareholders' lawsuit, but I don't think that will be enough. And, by the way, Choicepoint's database is riddled with errors."



Bay Bridge equipment for new span is sent to scrap yard and then called back

A strange story in the San Francisco Chronicle: "The star-crossed Bay Bridge project entered a new realm of strangeness over the weekend when the chief contractor dismantled a huge piece of equipment that will be needed if the proposed suspension span is ever built and hauled it out of the bay to be sold as scrap. On Tuesday, as word started getting around that the state was throwing a giant wrench into Bay Area officials' plans for a signature single-tower span, Caltrans ordered the contractor to retrieve the massive steel structure and stick it back in the water."



Phishers using DNS servers to lure victims?

A CNet post warns:
"Online thieves looking for personal data may be moving to more active measures by redirecting people from legitimate sites to malicious ones, security experts said this week. The warning follows reports Friday that some people's computers were being redirected from sites such as eBay and Google to malicious Web servers that attempted to install spyware. The compromises affected 30 to 40 networks, according to Jason Lam (PDF file), incident handler for the Internet Storm Center, which tracks network threats."

When we can no longer trust the DNS, the whole Internet will be in deep yoghurt.

Labels: ,


Singapore passes US to top tech economy ranking

A BBC NEWS story reports that the US has lost its long-time lead.

"Singapore has toppled the US from top spot in a ranking of world economies that make the best use of information and communication technology (ICT). The US has been outpaced by the advance of other nations, rather than any slow down in its own performance. The annual World Economic Forum (WEF) index placed Singapore, Iceland, Finland and Denmark above the US, with the UK up three places in 12th spot. The WEF said ICT is playing a 'central role' in growth and competitiveness. Singapore was found to be the best performer in a number of categories, including quality of maths and science education, affordability of telephone connection charges and internet access, and government policy on ICT."



Consumer Data Stolen from Reed Elsevier U.S. Unit

A Reuters story in the Washington Post indicates that ChoicePoint has company.

"Hackers have gained access to sensitive personal information of about 32,000 U.S. citizens on databases owned by publisher Reed Elsevier, the second company to reveal a major breach in the past month. Anglo-Dutch Reed Elsevier said the breach at its Seisint unit was found after a customer's billing complaint in the last week led to the discovery that an identity and password had been misappropriated. The information accessed included names, addresses, social security and driver's license numbers, but not credit history, medical records or financial information."



Tuesday, March 08, 2005

Computers Can Add Errors, Too, Study of Medical Records Finds

A story in the Wall Street Journal sounds a cautionary note.

"Patient-safety advocates, lawmakers and even the Bush administration have been pushing hospitals to implement computerized physician-order entry systems to reduce medical errors and deaths. But a study found that computer systems as well can introduce medical errors.The study, by researchers at the University of Pennsylvania, looked at a computer system used by doctors to order medicines at the Hospital of the University of Pennsylvania. The study, published today in the Journal of the American Medical Association, found many potential glitches. Errors included confusing different patients listed alphabetically in the computer; ordering drugs at a terminal not 'logged out' by the prior physician, which could lead to mistakenly order drugs for the previous patient; and delays because of frequent computer 'crashes.' "

"The study said computerized order systems have many benefits over paper, such as eliminating mistakes associated with trying to decipher a doctor's handwriting. Ross Koppel, lead author of the study and a sociologist at the University of Pennsylvania, said he wasn't opposed to computerized systems, but 'blind faith in the technology is silly.' Many computer systems fail to consider the human element needed to operate them in a fast and efficient way. The study is expected to stir debate among advocates of bringing hospitals more fully into the computer era."



Emerging Scandal on MD Voting Machine Performance?

Although I have not yet seen this in the MSM (mainstream media) a press release posted by Scoop makes some pretty broad charges. I'm inclined to give it some credence, since it's cited by E-voting News and Analysis, from the Experts, which I generally trust.

"According to county election officials and other sources, all Maryland voting machines have been on 'lockdown' since November 2, 2004 due to statewide machine failures including 12% of machines in Montgomery County, some of which appear to have lost votes in significant numbers. The State Board of Elections convinced the media that Election Day went smoothly, when in fact there were serious statewide, systemic problems with the Diebold electronic voting machines -- so serious that the SBE and Diebold still have not figured out how to prevent the loss of votes in the future."

" 'Election Day was anything but smooth. Votes were lost, computer cards storing votes were unreadable, thousands of error messages were reported, machines froze in mid-voting and machines refused to boot up. The problems with the machines were so widespread and serious that efforts to hide the problems have failed,' said Linda Schade, director of 'It is not sufficient for Diebold and the SBE to investigate themselves. They have misled the public about this problem and an independent investigation is needed.' "

Labels: , , ,


The Verification Grand Challenge

Quite a bit of material relating to the Workshop on The Verification Grand Challenge, held February 21--23, 2005, at SRI International in Menlo Park, CA, is now available online. There are two sets of notes (taken by Sergey Berezin and Greg Morrisett) and the slides used by a majority of the speakers (including for keynotes by Tony Hoare and Amir Pnueli), as well as a few photos of the event.

I came away from the workshop more optimistic about the prospects for various program verification projects than I have been for several years. Impressive progress is being made by a number of researchers--some long-timers, some newcomers--using a variety of old and new approaches. (I try not to let the fact that I was similarly optimistic 30 years ago influence me too much.)

However, I also came away much less optimistic about a unified approach to the Verification Grand Challenge--at least on this side of the Atlantic. This is partly because none of the usual sources of IT research funding is currently prepared to make major investments in projects with a 10-15 year timescale. However, it is more because the sheer variety of the approaches being taken by the best investigators (who should provide the core of a Grand Challenge team) makes it unlikely that a sufficient number of them will subordinate their own research interests to those of an overarching project.

There still seems to be some likelihood of the European Union pulling together a Verification Grand Challenge team. A lot of the top researchers are there, and the EU has a track record of putting more of its IT research investments into collaborative projects. So much the better for them. If they succeed, we will all benefit.

Labels: ,


Virus authors form unholy alliance

A post on suggests an increased degree of collaboration among the malware crew.

"The authors of the Bagle, Zafi and Netsky viruses have joined forces in an unholy alliance that aims to spread cyber-terror, security experts have claimed. The warning comes from virus analysts at Kaspersky Lab investigating the recent Bagle outbreak and suggest that the authors of Bagle, Zafi and Netsky are 'working hand in hand with each other'."

"'In researching the Bagle outbreak, virus analysts have concluded that the authors of Bagle, Zafi and Netsky and others are working closely together. They may not be personally known to each other, but they are all using information provided by the author of Bagle to mass mail their creations.' According to Kaspersky, approximately 50 modifications of a range of malicious programs were mass mailed in the space of just two days. The timing of these mailings 'clearly shows that they are automated or semi-automated'. These recent events confirm the trend towards the criminalisation of the internet. And likely as not, events will continue to evolve in such a way. 'Network attacks are now automated, take place in several stages, and are carefully timed and planned,' Kaspersky warned. 'The authors of malicious code are joining forces, exchanging information and techniques, in order to increase the impact of attacks'."

Labels: ,


Confessions of a corporate spy

A Computerworld story discusses the ease with which sensitive information can be winkled out of companies.

"A former National Security Agency analyst who is now an expert on corporate espionage offered chilling accounts yesterday of his easy penetration into a variety of U.S. companies. In one case, in just a few hours he was able to make off with product plans and specifications worth billions of dollars. Ira Winkler, global security strategist at CSC Consulting, spoke at Computerworld's Premier 100 IT Leaders Conference here and punctured several popular misconceptions about information security. Notably, he said that information security is not the same thing as computer security. Most of his success in penetrating companies, which had hired him to do just that, came from 'social engineering' -- not from hacking into corporate networks."

Labels: , ,


Monday, March 07, 2005

ChoicePoint Data Cache Became a Powder Keg

A story in the Washington Post discusses the background of the ChoicePoint scandal.

"Identity theft and fraud has become a national problem in a few short years. In 2003, federal authorities estimated that about 750,000 people fell victim to some identity scam. Now the prevailing estimate is close to 10 million. Driving the rise is a growing number of clever criminals who use people's Social Security numbers and other facts of their lives to take on their personas to run up credit cards bills, empty bank accounts and commit other crimes. But consumer advocates say it's also the failure of so many information brokers, retailers and credit issuers to adequately protect records or do enough to stop swindlers by verifying the identities of customers. Credit card companies, marketers and others have lost millions of files to hackers and identity thieves in recent years. Two years ago, ChoicePoint itself was hit by another identity theft scheme involving personal records of thousands of people."

"ChoicePoint, based in Alpharetta, Ga., has assembled a huge trove of personal data in recent years. Much of that information, such as court rulings, driver records and real estate details, comes from government agencies. The company also purchases information from the three major credit bureaus and other information services. Its ability to create and electronically transmit exhaustive dossiers on people makes it a favorite of many Fortune 500 companies, government agencies and law enforcement and Homeland Security authorities. Today, it has more than 100,000 customers and revenue approaching $1 billion, a large proportion based on the resale of details about individuals."

"After four months it feels like [this] investigation is just beginning. 'Sometimes you're looking at Social Security numbers, and all of the sudden a name pops out and you realize, "These are real people, all of them," ' he said. 'They could all be victims, if not now, in the future. The information is out there.' "

If you ever thought your Social Security number and mother's maiden name were secure identifiers, think again. Identity thieves are finding them easier and easier to obtain. It's much more prudent to assume that everyone knows them than to attempt to (retroactively) protect them.

Labels: ,


Friday, March 04, 2005

Security? Nuclear plants don't need no stinkin' security!

A SecurityFocus post discusses the nuclear industry's reaction to a proposed voluntary standard for security of digital systems controlling nuclear power plants.

"Two companies that make digital systems for nuclear power plants have come out against a government proposal that would attach cyber security standards to plant safety systems. The 15-page proposal, introduced last December by the U.S. Nuclear Regulatory Commission (NRC), would rewrite the commission's 'Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.' The current version, written in 1996, is three pages long and makes no mention of security. The plan expands existing reliability requirements for digital safety systems, and infuses security standards into every stage of a system's lifecycle, from drawing board to retirement. Last month the NRC extended a public comment period on the proposal until March 14th to give plant operators and vendors more time to respond. So far, industry reaction has been less than glowing."

"The NRC tries to promote the use of digital technology in the nuclear power industry on the one hand, but then over-prescribes what is needed when a digital safety system is proposed," wrote one company president.

"The entire cyber security section should be deleted and only a passing reference to the subject retained," another company wrote.

"In 2003 the Slammer worm penetrated a private computer network at Ohio's idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours [followup and another]. The worm entered the plant network through an interconnected contractor's network, bypassing Davis-Besse's firewall."

"Dominion also takes exception to NRC's preference against interconnection. 'Remote access to safety system data from outside the physical plant is not necessarily a potential vulnerability,' the company wrote. 'Access to data through one-way or fixed function gateways should be allowed, assuming proper verification of the integrity of the gateway is verified.' "

You may not be concerned about connecting SCADA (Supervisory Control and Data Acquisition) systems for critical infrastructure to the Internet, where it can be probed by hackers of all sorts. It scares the hell out of me, but obviously doesn't concern Dominion.

Labels: , ,


Thursday, March 03, 2005

Just when I thought I could trust my bank

A Computerworld story warns that Wells Fargo has completed a project to Web-enable its ATMs using Windows and tightly integrate its back-end systems. Changing banks probably won't help, they all seem to have the idea.

"Wells Fargo and Co. announced this week that it has completed a five-year project to Web-enable its 6,200 ATMs in 23 states. The Windows-based infrastructure is designed to allow Wells Fargo to update and add services such as new languages and envelope-free deposits to its entire network remotely. The San Francisco-based bank said it also installed more than 3,000 online stations in nearly all of its 6,046 branch locations. The WebATM machines and online stations are part of the company's strategy to integrate all channels -- stores, phone, ATM and Internet. Jonathan Velline, head of Wells Fargo's ATM Banking, said the biggest challenge was the amount of internal software development needed to migrate the bank's ATM back-end systems operating system from OS/2 to Windows. Another hurdle was tightly integrating the ATM back-end systems with other business units, such as branch and online banking."

"Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said ATM fraud will likely pick up because of the move by most banks to Web-enabled systems, 'because of the combination of stealing ATM numbers online and creating counterfeit ATM cards to use off-line.' Litan also said the move to Windows-based systems is 'not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this.' "

"According to research by TowerGroup, only 30% of the world's ATMs will be running on Windows by 2006."

Labels: , ,


Secrecy Hurts Security

A post in Defense Tech cites comments by Rep. Christopher Shays (R-CT), a long-time critic of the Bush administration's urge to declare off-limits to the public all the information it possibly can.

"Yesterday, Shays, who heads the Goverment Reform Committee's national security panel, gave one of the best speeches yet about the dangers of overclassification, just before lanuching into a hearing on the subject. 'The Cold War cult of secrecy remains largely impervious to the new security imperatives of the post-9/11 world. Overclassification is a direct threat to national security. Last year, more federal officials classified more information, and declassified less, than the year before. In our previous hearing on official secrecy policies, the Department of Defense (DOD) witness estimated that fully half of all the data deemed "Confidential," "Secret" or "Top Secret" by the Pentagon was needlessly or improperly withheld from public view. Further resisting the call to move from a "need to know" to a "need to share" standard, some agencies have become proliferators of new categories of shielded data. Legally ambiguous markings like "Sensitive but Unclassified", "Sensitive Homeland Security Information" and "For Official Use Only" create new bureaucratic barriers to information sharing. These pseudo-classifications can have persistent and pernicious practical effects on the flow of threat information. "The National Commission on Terrorist Attacks Upon the United States" (the 9/11 Commission) concluded that, "Current security requirements nurture overclassification and excessive compartmentation of information among agencies. Each agency's incentive structure opposes sharing, with risks (criminal, civil and internal administrative sanctions) but few rewards for sharing information." ' "

Labels: , ,


ACM: 2004 Award Winners and Fellows

ACM has announced its 2004 Award Winners and Fellows.

"As part of ACM's ongoing effort to recognize technical excellence and outstanding service to the computing field, the ACM Award Subcommittees have deliberated and made their selections, and ACM is pleased to announce the winners of its 2004 awards. These award winners and Fellows represent a diverse group of leaders who have contributed significantly to the IT community. Some have led the way for others to follow with breakthrough achievements that have changed the world; others are just starting out and are among the best and the brightest of their generation. ACM is privileged to acknowledge all this year's winners for their stellar accomplishments."

A.M. Turing Award

Vinton G. Cerf, Senior Vice President for Technology Strategy, MCI
Robert E. Kahn, CEO, Corporation for National Research Initiatives

'For pioneering work on internetworking, including the design and implementation of the Internet's basic communications protocols, TCP/IP, and for inspired leadership in networking.'

Grace Murray Hopper Award

Jennifer Rexford, Princeton University

'For models, algorithms, and deployed systems that assure stable and efficient Internet routing without global coordination.' "

And many more...

Labels: ,


Fighting for the "freedom to tinker"

A Daily Princetonian article about Ed Felten gives some nice background on how attacks by the "IP industry" have radicalized a mild-mannered Computer Science professor.

"The world is an imperfect place, and Edward Felten likes to tinker with it. Sitting behind his desk in a spacious office in the Computer Science Building, Felten is an unlikely poster child for academic freedom. The desk is piled high with papers, and an abandoned keyboard sits in a box in the corner of the room. But the scholarly, soft-spoken professor has more than once been the center of attention--and he isn't afraid to put himself there again.
'Ed is not very easily intimidated,' computer science professor Andrew Appel said.
In December, Felten released the world's smallest peer-to-peer file-sharing program--15 lines of code he named tinyP2P--to prove that such programs could not easily be banned."

I highly recommend his blog, Freedom to Tinker.

Labels: , ,


Wednesday, March 02, 2005

Securing Government IT:
Your Tax Dollars Not At Work

A post on the InformationWeek weblog argues that this is important enough to justify investing tax dollars.

"Securing our federal IT systems and networks is so important that spending tax dollars to educate some 125 federal chief information security officers about the latest in cybersecurity--and to get them to collaborate--seems like a sound investment. That's not the case, however. The government has opted to have private businesses, especially companies that sell IT security products and services, to pick up the tab. Earlier this month, through the auspices of House Government Reform Committee chairman Tom Davis, R.-Va., and the Federal CIO Council, the CISO Exchange was created. What prompted Davis and the CIOs to create the exchange? Very poor grades--a D average--government agencies received on an IT security scorecard; one-quarter of the agencies got an F."

Labels: , ,


Can women do research?

A Campus Technology article on the 2nd annual Graduate Cohort Program of the Computer Research Association's Committee on the Status of Women in Computing Research (CRA-W) discusses responses to the question.

"The CRA-W event offered an elegant, practical answer to valid concerns about the current low numbers of women completing advanced CS degrees and heading for jobs in computer science research. Rather than mulling over problematic research on the relative abilities of men and women in scientific fields, organizers of this conference aim at increasing success and reducing attrition of women in the career path leading from graduate study into the computing research field in academia or industry. Mentoring and networking are core elements of the program and considered keys to boosting the staying power of women in a field that has been traditionally dominated by men."

As I have commented previously, Computer Science and Engineering, and the Information Technology field in general, are shockingly low in the proportion of women, and the figures just keep getting worse. The activities of CRA-W are one of the few bright spots on this horizon.



The Book Stops Here

A nice article in Wired 13.03 on the Wikipedia.

"Four years ago, a wealthy options trader named Jimmy Wales set out to build a massive online encyclopedia ambitious in purpose and unique in design. This encyclopedia would be freely available to anyone. And it would be created not by paid experts and editors, but by whoever wanted to contribute. With software called Wiki - which allows anybody with Web access to go to a site and edit, delete, or add to what's there - Wales and his volunteer crew would construct a repository of knowledge to rival the ancient library of Alexandria. In 2001, the idea seemed preposterous. In 2005, the nonprofit venture is the largest encyclopedia on the planet. Wikipedia offers 500,000 articles in English - compared with Britannica's 80,000 and Encarta's 4,500 - fashioned by more than 16,000 contributors. Tack on the editions in 75 other languages, including Esperanto and Kurdish, and the total Wikipedia article count tops 1.3 million."

If you haven't sampled Wikipedia, check it out. And consider contributing. You almost certainly know some things that no one has contributed yet, even if it's just details, or ideas for articles that someone should write.



ChoicePoint Had Theft Case Before

A San Francisco Chronicle story indicates that ChoicePoint's recent security blunder was not the first.

"Two Nigerian-born siblings were arrested in 2002 on charges of tapping into ChoicePoint Inc.'s vast database of personal information, a security breach similar to one announced by the data warehouser last month, a newspaper reported Wednesday. A company spokesman said he did not know if the problem was made public. Bibiana Benson, 39, and her brother, Adedayo Benson, 38, gained access to at least 7,000 people and used their identities to buy at least $1 million in merchandise, the Los Angeles Times reported, citing court documents."

Labels: ,


Tuesday, March 01, 2005

Sen. Leahy Introduces Phishing Bill

An article in the Washington Post discusses a bill aimed at the fastest-growing and most alarming form of Internet fraud.

"A senior Senate Democrat on Tuesday introduced legislation to impose tough penalties against persons convicted of launching 'phishing' scams -- a form of online fraud in which criminals use deception to trick computer users into giving up their personal and financial information. The Anti-Phishing Act of 2005, sponsored by Sen. Patrick J. Leahy (Vt.), would allow prosecutors to impose fines of up to $250,000 and jail terms of up to five years against anyone convicted of creating fake corporate Web sites and fraudulent e-mail messages designed to fleece consumers. The legislation would prevent online parodies and political speech from being prosecuted as phishing."

"The legislation comes in the midst of a substantial increase in the number of phishing attacks, as documented by security experts. More than 12,800 new and unique phishing e-mails were reported in January, a 42 percent increase over December, according to a report released last week by the Anti-Phishing Working Group (APWG), a coalition of banks and technology companies. The APWG tracked 2,560 phishing Web sites in January, a 47 percent increase from one month earlier and more than double the number of scam sites spotted in October. Estimates of consumer losses to phishing scams range from a few hundred million dollars to more than a billion dollars each year. According to experts, phishing scams often lead to identity theft and other crimes that can haunt consumers for years. Roughly three to five percent of people who receive phishing scams take the bait, the APWG said."

The Fundamental Principle of Phishing Protection:
Never, ever, log in to a site that you got to (directly or indirectly) by clicking a link in an email, no matter how legitimate the email appeared, nor how genuine the site looks. Either type in the URL by hand, or use a bookmark.

Phishing letters and sites have become alarmingly good replicas of the genuine article, and identity theft can be both expensive and damaging to your life.

Unfortunately, some normally reputable organizations continue to send out emails inviting you to click and log in. In my experience, the biggest offender is the Association for Computing Machinery (ACM)[confirmed], but I have also received such emails apparently from American Express.

Labels: ,