
Computer Glitches

Note: nearly all the viruses, worms, Trojan horses, zombie spambots, etc., are facilitated by and infect only computers running Microsoft operating systems, though they affect everyone because of the spam, network congestion, and lost productivity they cause. Unix attacks are possible and do occur, but in my own more than ten years of maintaining Unix-based computers exposed on the Internet around the clock, I have never had a system within my purview compromised, and I have seen very few others compromised (and some of those compromises were by me, in security audits). With OS X, Apple migrated to Unix -- it is based on FreeBSD, version 2.2 as I recall. And Apples are likewise almost never compromised.

from the Wall Street Journal Asia, 2009-Nov-1, by Larry Wortzel:

China's Cyber Offensive
And how the U.S. can respond.

United States Defense Secretary Robert Gates welcomed a vice chairman of the People's Liberation Army to the Pentagon last week in what many analysts saw as a sign of warming ties. Yet the smiles masked China's aggressive development of cyberwarfare, and concern in Washington that in this area, America is on the defensive.

Consider the report released late last month by the U.S.-China Economic and Security Commission, which I head. Prepared by the Northrop Grumman Corporation for the Commission, the authors state China is conducting a "long-term, sophisticated, computer network exploitation campaign." The report documents the most sophisticated cyberspying yet attributed to Beijing: a months-long cyber reconnaissance effort directed against a single U.S.-based company, followed by a "multiday" intrusion where large amounts of data were compiled and extracted to an Internet protocol address in China.

The attack is only one example of a string of recent incidents. In April this newspaper reported on intrusions into a U.S. defense contractor's network that resulted in the collection of "several terabytes of data" about the design of the F-35 "Lightning II" fighter system and its electronics systems. In 2005 Time magazine documented a series of intrusions into the U.S. Sandia Nuclear Weapons Laboratory the year before by Chinese hackers. According to the SANS Institute, a computer security firm, keystroke logs of intrusions on government computers leave "little doubt that the Chinese government" is behind the attacks. In some cases the intruders went to the same intrusion sites a hundred times a day. In 2008, from all sources, officials in the Department of Homeland Security and the U.S. Strategic Command say there were 5,488 known breaches of U.S. government computers, and 54,640 "incidents of malicious cyber activity" against the Department of Defense alone.

The PLA has been developing these capabilities since at least 2003, when the then-director of the PLA's electronic warfare department, Dai Qingmin, proposed a comprehensive information warfare effort, including cyber attack, electronic attack and coordinated kinetic attacks in military operations. The PLA has specialized units and trained personnel to conduct these kinds of attacks, which require reconnaissance, mapping and targeting.

To some extent China's cyberwarfare efforts are an extension of its more traditional espionage efforts to gather defense-related and economic information. The Federal Bureau of Investigation and the Department of Justice have had some success in prosecuting this kind of espionage. In California, the 2007 conviction of Chi Mak, an engineer for a defense contractor, revealed that information on naval propulsion and weapons systems was obtained by an official of the Chinese government. In two cases in Alexandria, Virginia in 2008, Department of Defense employees provided information on weapons systems and Taiwan's military to an individual working for the Chinese government.

In the cyber realm, however, the U.S. government and private industry seem to be in a reactive role, detecting intrusions and information losses only after the fact, with no cross-government or industry coordinated response. To complicate the problem, the very nature of the Internet makes it difficult to attribute the intrusions to a specific actor, while neither criminal nor international law adequately deals with cyberspying. So what should be done?

China's growing cyberwarfare capabilities aren't solely directed at the U.S. Leaders in Britain and Germany have voiced concerns, too. These nations cooperate to fight cybercrime, like hacking into banks. A parallel initiative to detect and counter cyberspies would be useful—but the initiative has to start with the U.S.

President Barack Obama made a good start by initiating a 60-day cyber-security review in February and appointing former intelligence official Melissa Hathaway as acting director for cyber security. In April, the review commission established by Mr. Obama released a report that recommended, among other things, a White House-based "cyber-security coordinator" to coordinate the U.S. government's cyber policies with private industry, and handle responses to threats. This "cyber czar" was to report to the National Security Council with some budgetary and resource influence through the Office of Management and Budget. That was a good start.

But from then on, results have been mixed. Ms. Hathaway resigned in August, reportedly unhappy with the lack of cooperation between the government and the private sector. Efforts to coordinate standards and policies across the private sector and in government, therefore, appear stalled. The Department of Homeland Security and the National Security Agency, which is part of the Department of Defense, are still arguing about which one should have primacy over these efforts.

The Pentagon has made more progress. Secretary Gates ordered in June the creation of a unified "United States Cyber Command" that began initial operations in October and will be fully operational by October 2010. Under this plan the National Security Agency was to function as the headquarters of the U.S. Cyber Command, with each of the military services putting together their own subordinate cyber commands.

There is debate in Congress, however, about the efficacy of letting the NSA have the keys to the cyber kingdom. There is also much debate about which agency will set the standards for, and oversee, nonintelligence- and nondefense-related government cyber networks. There is no clear decision on which agency will set standards and try to coordinate policies for civilian cyber infrastructure and critical infrastructure. And there is, to date, no "cyber czar" in the White House.

The Obama administration would do well to heed Ms. Hathaway's calls for international alliances on cyber security, better sharing of threat information with the private sector by government, and more open private-sector cooperation. This makes sense. American allies in Europe and Asia have experienced similar intrusions, as have private companies. More cooperation would provide a common picture of the threat and support a coordinated response.

It would also behoove Mr. Obama to clarify which government agency will take the lead in protecting the country from cyber attack. The National Security Agency should be at the top of his list: it has decades of experience conducting operations in the electronic and cyber realms. The agency has skilled personnel, wide contacts in the private sector and abroad, and highly skilled linguists able to work in languages associated with the origin of some of the intrusions.

In China there appears to be a centralized, coordinated and successful effort to penetrate American and other cyber networks. The U.S. and its allies, by contrast, so far seem to lack a concentrated, well-led cyber defense. And there will be none if the White House does not make this a priority. The National Security Agency has the experience, the international contacts and the expertise to defend the country from these threats. It should be the lead agency.

Mr. Wortzel, a former U.S. Army colonel and intelligence officer, is vice chairman of the U.S.-China Economic and Security Review Commission.

from the Wall Street Journal, 2010-Feb-18, by Siobhan Gorman:

Broad New Hacking Attack Detected
Global Offensive Snagged Corporate, Personal Data at nearly 2,500 Companies; Operation Is Still Running

Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach.

The damage from the latest cyberattack is still being assessed, and affected companies are still being notified. But data compiled by NetWitness, the closely held firm that discovered the breaches, showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property.

The hacking operation, the latest of several major hacks that have raised alarms for companies and government officials, is still running and it isn't clear to what extent it has been contained, NetWitness said. Also unclear is the full amount of data stolen and how it was used. Two companies that were infiltrated, pharmaceutical giant Merck & Co. and Cardinal Health Inc., said they had isolated and contained the problem.

Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found.

In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email.

They also broke into computers at 10 U.S. government agencies. In one case, they obtained the user name and password of a soldier's military email account, NetWitness found. A Pentagon spokesman said the military didn't comment on specific threats or intrusions.

At one company, the hackers gained access to a corporate server used for processing online credit-card payments. At others, stolen passwords provided access to computers used to store and swap proprietary corporate documents, presentations, contracts and even upcoming versions of software products, NetWitness said.

Data stolen from another U.S. company pointed to an employee's apparent involvement in criminal activities; authorities have been called in to investigate, NetWitness said. Criminal groups have used such information to extort sensitive information from employees in the past.

The spyware used in this attack allows hackers to control computers remotely, said Amit Yoran, chief executive of NetWitness. NetWitness engineer Alex Cox said he uncovered the scheme Jan. 26 while installing technology for a large corporation to hunt for cyberattacks.

That discovery points to the growing number of attacks in recent years that have drafted computers into cyber armies known as botnets—intrusions not blocked by standard antivirus software. Researchers estimate millions of computers are conscripted into these armies.

"It highlights the weaknesses in cyber security right now," said Adam Meyers, a senior engineer at government contractor SRA International Inc. who reviewed the NetWitness data. "If you're a Fortune 500 company or a government agency or a home DSL user, you could be successfully victimized."

Disclosure of the attack comes on the heels of Google Inc.'s allegation that it and more than 20 other companies were breached by Chinese hackers. This operation appears to be more far-reaching, infiltrating some 75,000 computers and touching 196 countries. The highest concentrations of infected computers are in Egypt, Mexico, Saudi Arabia, Turkey and the U.S.

NetWitness, based in Herndon, Va., said it was sharing information with the companies infected. Mr. Yoran declined to name them. The company provides computer security for U.S. government agencies and companies. Mr. Yoran is a former Air Force officer who also served as cyber security chief at the Department of Homeland Security.

Besides Merck and Cardinal Health, people familiar with the attack named several other companies infiltrated, including Paramount Pictures and software company Juniper Networks Inc.

Merck said in a statement that one computer had been infected. It said it had isolated the attack and that "no sensitive information was compromised."

Cardinal said it removed the infected computer from its network. Paramount declined to comment. Juniper's security chief, Barry Greene, wouldn't speak about any specific incidents but said the company worked aggressively to counter infections.

NetWitness, which does extensive work for the U.S. government and private-sector clients, said it was sharing its information with the Federal Bureau of Investigation. The FBI said it received numerous allegations about potential compromises of network systems and responded promptly, in coordination with law-enforcement partners.

The computers were infected with spyware called ZeuS, which is available free on the Internet in its basic form. It works with the Firefox browser, according to computer-security firm SecureWorks. This version included a $2,000 feature that works with Firefox, according to SecureWorks.

Evidence suggests an Eastern European criminal group is behind the operation, likely using some computers in China because it's easier to operate there without being caught, said NetWitness's Mr. Yoran.

There are some electronic fingerprints suggesting the same group was behind a recent effort to dupe government officials and others into downloading spyware via emails purporting to be from the National Security Agency and the U.S. military, NetWitness's Mr. Yoran said.

That attack was described in a Feb. 5 report from the Department of Homeland Security, which said it was issuing an alert to the government and other organizations to "prevent further compromises."

A DHS official said that ZeuS was among the top five reported tools for malware infections.

from the Washington Post, 2010-Feb-4, by Ellen Nakashima:

Google to enlist NSA to help it ward off cyberattacks

The world's largest Internet search company and the world's most powerful electronic surveillance organization are teaming up in the name of cybersecurity.

Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack.

Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google's policies or laws that protect the privacy of Americans' online communications. The sources said the deal does not mean the NSA will be viewing users' searches or e-mail accounts or that Google will be sharing proprietary data.

The partnership strikes at the core of one of the most sensitive issues for the government and private industry in the evolving world of cybersecurity: how to balance privacy and national security interests. On Tuesday, Director of National Intelligence Dennis C. Blair called the Google attacks, which the company acknowledged in January, a "wake-up call." Cyberspace cannot be protected, he said, without a "collaborative effort that incorporates both the U.S. private sector and our international partners."

But achieving collaboration is not easy, in part because private companies do not trust the government to keep their secrets and in part because of concerns that collaboration can lead to continuous government monitoring of private communications. Privacy advocates, concerned about a repeat of the NSA's warrantless interception of Americans' phone calls and e-mails after the Sept. 11, 2001, terrorist attacks, say information-sharing must be limited and closely overseen.

"The critical question is: At what level will the American public be comfortable with Google sharing information with NSA?" said Ellen McCarthy, president of the Intelligence and National Security Alliance, an organization of current and former intelligence and national security officials that seeks ways to foster greater sharing of information between government and industry.

On Jan. 12, Google took the rare step of announcing publicly that its systems had been hacked in a series of intrusions beginning in December.

The intrusions, industry experts said, targeted Google source code -- the programming language underlying Google applications -- and extended to more than 30 other large tech, defense, energy, financial and media companies. The Gmail accounts of human rights activists in Europe, China and the United States were also compromised.

So significant was the attack that Google threatened to shutter its business operation in China if the government did not agree to let the firm operate an uncensored search engine there. That issue is still unresolved.

Google approached the NSA shortly after the attacks, sources said, but the deal is taking weeks to hammer out, reflecting the sensitivity of the partnership. Any agreement would mark the first time that Google has entered a formal information-sharing relationship with the NSA, sources said. In 2008, the firm stated that it had not cooperated with the NSA in its Terrorist Surveillance Program.

Sources familiar with the new initiative said the focus is not figuring out who was behind the recent cyberattacks -- doing so is a nearly impossible task after the fact -- but building a better defense of Google's networks, or what its technicians call "information assurance."

One senior defense official, while not confirming or denying any agreement the NSA might have with any firm, said: "If a company came to the table and asked for help, I would ask them . . . 'What do you know about what transpired in your system? What deficiencies do you think they took advantage of? Tell me a little bit about what it was they did.' " Sources said the NSA is reaching out to other government agencies that play key roles in the U.S. effort to defend cyberspace and might be able to help in the Google investigation.

These agencies include the FBI and the Department of Homeland Security.

Over the past decade, other Silicon Valley companies have quietly turned to the NSA for guidance in protecting their networks.

"As a general matter," NSA spokeswoman Judi Emmel said, "as part of its information-assurance mission, NSA works with a broad range of commercial partners and research associates to ensure the availability of secure tailored solutions for Department of Defense and national security systems customers."

Despite such precedent, Matthew Aid, an expert on the NSA, said Google's global reach makes it unique.

"When you rise to the level of Google . . . you're looking at a company that has taken great pride in its independence," said Aid, author of "The Secret Sentry," a history of the NSA. "I'm a little uncomfortable with Google cooperating this closely with the nation's largest intelligence agency, even if it's strictly for defensive purposes."

The pact would be aimed at allowing the NSA to help Google understand whether it is putting in place the right defenses by evaluating vulnerabilities in hardware and software and to calibrate how sophisticated the adversary is. The agency's expertise is based in part on its analysis of cyber-"signatures" that have been documented in previous attacks and can be used to block future intrusions.

The NSA would also be able to help the firm understand what methods are being used to penetrate its system, the sources said. Google, for its part, may share information on the types of malicious code seen in the attacks -- without disclosing proprietary data about what was taken, which would concern shareholders, sources said.

Greg Nojeim, senior counsel for the Center for Democracy & Technology, a privacy advocacy group, said companies have statutory authority to share information with the government to protect their rights and property.

from the Army Times, 2009-Dec-21, by Michael Hoffman, John Reed and Joe Gould:

Army: Working to encrypt UAV video feeds

The Army is scrambling to protect the live video feeds from its unmanned aerial vehicles from being intercepted by the enemy. Raven drones will be retrofitted with encryption technology as early as this month.

Defense officials confirmed Dec. 17 that Iraqi insurgents have been capturing the nonsecure, line-of-sight communications signals from Army and Air Force drones since mid-2008.

Army officials acknowledged that the service has fielded hundreds of drones without the ability to encrypt the signals that ground forces rely upon for intelligence and surveillance of insurgent hideouts or roadside-bomb hot spots.

However, the Army will retrofit the handheld Raven and other UAVs over “at least two years,” targeting currently deployed systems first, said Col. Gregory Gonzalez, the Army's project manager for unmanned aerial vehicles.

For the Shadow, Hunter, Warrior Alpha and the Extended-Range Multipurpose UAV, the Army will retrofit all systems with encryption, as funding permits, said Gonzalez.

“This is not the first time that we have heard about the potential threat against full motion video. The threats are ongoing, and the Department of Defense has taken some risk,” said Gonzalez. “We received specific direction from the Office of the Secretary of Defense within the last year to fix the problem.”

A report published in the Dec. 17 edition of The Wall Street Journal detailed how defense officials earlier this year discovered laptops in Iraq loaded with a $26 Russian-made software program called SkyGrabber that hacked into video broadcast by Predator cameras, which show the location of insurgents being targeted by the drones.

Besides the SkyGrabber software, insurgents have used high-tech methods to capture the video feeds.

U.S. troops found advanced electronic warfare equipment in a 2008 raid on Shiite militia, according to an Air Force intelligence officer briefed on the raid.

Army officials acknowledged the interceptions, and the Pentagon issued a general statement on the security of its intelligence gathering.

“The Department of Defense constantly evaluates and seeks to improve the performance and security of our various ISR systems and platforms. As we identify shortfalls, we correct them as part of a continuous process of seeking to improve capabilities and security,” the statement said.

One Air Force official contends the insurgents' ability to watch drone feeds has adversely affected U.S. operations in the Middle East.

“We noticed a trend when going after these guys; that sometimes they seemed to have better early warning” of U.S. actions, said the officer briefed on the raid. “We went and did a raid on one of their safe houses and found all of this equipment that was highly technical, highly sophisticated. It was more sophisticated than any other equipment we'd seen Iraqi insurgents use.”

The militia, known as Kata'ib Hezbollah based out of Sadr City, Baghdad, has long been suspected of being a surrogate for Iran's Quds Force, the wing of the Iranian Army responsible for conducting clandestine warfare outside of Iran via various insurgent groups.

“It was the technological know-how to make the antennas, computers and software go together and pick up the appropriate bands that was impressive,” the officer said.

Soon after the raid, top commanders in Iraq convened a task force to identify the extent of the threat and how best to deal with it, according to the officer. Initial findings showed the threat was isolated to Kata'ib Hezbollah.

“They knew that we were flying Predators over their heads 24/7, so it's easy to say, ‘yeah, I know that I'm going to do a signals analysis search for [the drone] and take advantage of it,’” the officer said.

The laptops loaded with the SkyGrabber software also had footage filmed by smaller Army UAVs as well as the Predators.

“We are well aware, and [Office of the Secretary of Defense] is well aware, and we have a well-researched response set in motion,” said Col. Robert Sova, the Army's capability manager for unmanned aerial systems. “This ability, this is not new information.”

Ground units get the Predator feeds through a Remotely Operated Video Enhanced Receiver, or ROVER, a mobile device that looks like a laptop that can either be carried by hand or mounted in a ground vehicle.

An encryption package can be added to the ROVER; however, not all troops have the encryption package. The latest ROVER model being tested by the Pentagon comes equipped with two advanced encryption packages.

The military has not implemented encryption for drones for “various reasons,” according to Sova.

But, Sova said, the ability to hack a drone's video feed is a “very low risk” since the insurgents haven't figured how to hack into the command and control systems of the drones.

“It's not like they're going to control the payload or move it off,” Sova said. “They're able to see a specific interval, like a camera system in the mall.”

Sova considers it unlikely that an insurgent could tap into a specific drone overhead.

“It's happenstance, if they were able to tap into that feed,” Sova said. “Only in the best scenario, and only for a short period of time.”

The Defense Department's Office of Acquisition, Technology and Logistics directed the services to beef up encryption. Prior to his departure last year, Pentagon acquisitions czar John Young oversaw such a push, across all services, according to Gonzalez.

“Since these systems were first introduced, we've known [the risks of unencrypted video feeds],” Gonzalez said. “Your average off-the-street person isn't able to get these feeds, but with enough effort you can. The risk to the Department of Defense seemed low. Now, for whatever reason, the Office of the Secretary of Defense has decided to reduce that risk.”

According to Gonzalez, by the first of the year, the Army will field encryption-capable Ravens, and other UAV systems will follow over the coming months and years.

“The priority is to give it to every unit in theater or going into theater, so that they will have encryption,” said Gonzalez. “The whole process will take a year, and within a year, several units will have encryption.”

Air Force officers and defense analysts caution that video broadcasts from manned aircraft to U.S. ground troops are vulnerable to hacking as well because they have technology similar to that of UAVs.

The Air Force has known for more than a decade that the live video feeds from its unmanned aerial vehicles can be intercepted by the enemy but opted not to do anything about it until this year. An official document puts a completion date to secure the feeds at 2014.

The Air Force first flew the RQ-1 Predator, the MQ-1's predecessor, in combat over Bosnia. In published reports, local residents with satellite television told of watching Predator video feeds on their televisions.

Defense analyst Peter Singer, author of “Wired for War: The Robotics Revolution and Conflict in the 21st Century,” said, “I remember that some of the people there said it was harder to get the Disney Channel than watch U.S. military operations.”

from the Wall Street Journal, 2009-Apr-8, p.A1, by Siobhan Gorman with Rebecca Smith contributing:

Electricity Grid in U.S. Penetrated By Spies

WASHINGTON -- Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

"The Chinese have attempted to map our infrastructure, such as the electrical grid," said a senior intelligence official. "So have the Russians."

The espionage appeared pervasive across the U.S. and doesn't target a particular company or region, said a former Department of Homeland Security official. "There are intrusions, and they are growing," the former official said, referring to electrical systems. "There were a lot last year."

Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.

Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."

Officials said water, sewage and other infrastructure systems also were at risk.

"Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts," Director of National Intelligence Dennis Blair recently told lawmakers. "A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure."

Officials cautioned that the motivation of the cyberspies wasn't well understood, and they don't see an immediate danger. China, for example, has little incentive to disrupt the U.S. economy because it relies on American consumers and holds U.S. government debt.

But protecting the electrical grid and other infrastructure is a key part of the Obama administration's cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage.

Overseas examples show the potential havoc. In 2000, a disgruntled employee rigged a computerized control system at a water-treatment plant in Australia, releasing more than 200,000 gallons of sewage into parks, rivers and the grounds of a Hyatt hotel.

Last year, a senior Central Intelligence Agency official, Tom Donahue, told a meeting of utility company representatives in New Orleans that a cyberattack had taken out power equipment in multiple regions outside the U.S. The outage was followed with extortion demands, he said.

The U.S. electrical grid comprises three separate electric networks, covering the East, the West and Texas. Each includes many thousands of miles of transmission lines, power plants and substations. The flow of power is controlled by local utilities or regional transmission organizations. The growing reliance of utilities on Internet-based communication has increased the vulnerability of control systems to spies and hackers, according to government reports.

[Figure: Stealth Attacks: Number of reported cybersecurity breaches in the U.S., grouped by sector]

The sophistication of the U.S. intrusions -- which extend beyond electric to other key infrastructure systems -- suggests that China and Russia are mainly responsible, according to intelligence officials and cybersecurity specialists. While terrorist groups could develop the ability to penetrate U.S. infrastructure, they don't appear to have yet mounted attacks, these officials say.

It is nearly impossible to know whether or not an attack is government-sponsored because of the difficulty in tracking true identities in cyberspace. U.S. officials said investigators have followed electronic trails of stolen data to China and Russia.

Russian and Chinese officials have denied any wrongdoing. "These are pure speculations," said Yevgeniy Khorishko, a spokesman at the Russian Embassy. "Russia has nothing to do with the cyberattacks on the U.S. infrastructure, or on any infrastructure in any other country in the world."

A spokesman for the Chinese Embassy in Washington, Wang Baodong, said the Chinese government "resolutely oppose[s] any crime, including hacking, that destroys the Internet or computer network" and has laws barring the practice. China was ready to cooperate with other countries to counter such attacks, he said, and added that "some people overseas with Cold War mentality are indulged in fabricating the sheer lies of the so-called cyberspies in China."

Utilities are reluctant to speak about the dangers. "Much of what we've done, we can't talk about," said Ray Dotter, a spokesman at PJM Interconnection LLC, which coordinates the movement of wholesale electricity in 13 states and the District of Columbia. He said the organization has beefed up its security, in conformance with federal standards.

In January 2008, the Federal Energy Regulatory Commission approved new protection measures that required improvements in the security of computer servers and better plans for handling attacks.

Last week, Senate Democrats introduced a proposal that would require all critical infrastructure companies to meet new cybersecurity standards and grant the president emergency powers over control of the grid systems and other infrastructure.

Specialists at the U.S. Cyber Consequences Unit, a nonprofit research institute, said attack programs search for openings in a network, much as a thief tests locks on doors. Once inside, these programs and their human controllers can acquire the same access and powers as a systems administrator.

NERC Letter

The North American Electric Reliability Corporation on Tuesday warned its members that not all of them appear to be adhering to cybersecurity requirements.

The White House review of cybersecurity programs is studying ways to shield the electrical grid from such attacks, said James Lewis, who directed a study for the Center for Strategic and International Studies and has met with White House reviewers.

The reliability of the grid is ultimately the responsibility of the North American Electric Reliability Corp., an independent standards-setting organization overseen by the Federal Energy Regulatory Commission.

The NERC set standards last year requiring companies to designate "critical cyber assets." Companies, for example, must check the backgrounds of employees and install firewalls to separate administrative networks from those that control electricity flow. The group will begin auditing compliance in July.

Corrections & Amplifications

Central Intelligence Agency official Tom Donahue's last name was misspelled in a previous version of this article.

from the Sydney Morning Herald, 2009-Sep-22, by Asher Moses:

Internet meltdown threat: Conficker worm refuses to turn

The brightest minds in technology and government are finding it "almost impossible" to defeat the Conficker worm, which has infected more than 5 million computers and, experts say, could be used to knock down the internet in entire countries.

The worm, first detected in November last year, spreads rapidly to computers through a flaw in the Windows operating system.

Infected machines are co-opted into a "botnet" army, which can be controlled and used by the hackers to launch unprecedented cyber attacks.

"The general agreement in the security world is that Conficker is the largest threat facing us from a cyber crime point of view ... it has proven to be extremely resilient. It's almost impossible to remove," said Rodney Joffe, a director of the Conficker Working Group formed to defeat the worm.

"The best minds in the world have not managed to crack the code behind this yet."

The scale of the threat has forced the world's largest computer security companies to join together with government around the world in an unusual alliance to pool their resources and solve the problem.

Microsoft has offered a $US250,000 ($290,000) reward for information leading to the identification of the individuals - or rogue governments - behind Conficker.

Those behind the worm can do anything they want with the infected machines including stealing users' banking details or flooding government servers to knock them offline.

"This could be used to launch the mother of all DDoS [distributed denial of service] attacks, it could be used as the basis of major financial fraud, it could be used for major spam runs," Joffe said.

"Even a small portion of the infected machines from Conficker have the ability to actually take away the usability of the internet in an entire country like Australia."

So far the international effort to find a solution has yielded few results, and the number of infected machines has remained fairly stable at 5 million. They include home, business and Government computers.

Joffe, who is also a senior technologist at US communications company Neustar, explained that the remarkable resilience was because Conficker had built-in mechanisms to prevent people from scanning their computers with anti-virus software. Even for those who wipe their computers clean and start fresh, if they back up any important data on a portable hard drive, the clean machine is reinfected when the drive is connected to the computer.

The worm also spreads automatically between computers on a network and infects machines without the user having to do anything other than switch their computers on.

"If you've been able to disinfect 99 machines out of 100 and one is still infected, it will begin to try to reinfect the others," Joffe said.

Most other botnets can be destroyed by disabling the server used to issue commands to infected machines, but with Conficker the location of this server changes every day and state-of-the-art cryptography means it's almost impossible to crack.

Every time the security gurus feel they are on to a solution, the hackers send a new version of Conficker to the infected machines that stops them in their tracks.

"Conficker has proven to be the gold standard for botnets. It's rock solid, it's steady and it has mechanisms built in that have made it impossible for us to actually crack," Joffe said.

"As of today we have not been able to crack the cryptography behind it in order to disrupt it by authenticating ourselves as the command and control."

So far the "botnet masters" have been biding their time as the media buzz around Conficker dies down, but they have already sent malicious code to infected machines that co-opts them to send spam emails. Users of infected computers have also been conned with offers to buy fake anti-virus software.

In July, Manchester City Council in Britain was prevented from issuing hundreds of fines after Conficker knocked out parts of its IT system. The infection cost the council £1.5 million in total.

In January, the French Navy had to quarantine its computer network after it was infected with Conficker, forcing aircraft at several air bases to be grounded.

Joffe said that people who are not yet infected and have installed the latest Windows patches and anti-virus software should be safe, as long as yet another version of Conficker is not released.

But he said it was rare for people to have all the relevant patches installed on their computers, and anti-virus software would be of little use to those already infected.

"We're some ways away from being able to take any action, which is what is really concerning us," Joffe said.

from the Associated Press, 2009-May-19, by Bob Lewis:

Warner touts e-medical data despite hacker attack

A hacker's theft of millions of Virginia's most sensitive prescription drug records isn't slowing Democratic Sen. Mark Warner's push for electronic medical records.

The former governor convened a conference in Richmond Monday about the medical and cost-saving benefits of digitizing hundreds of millions of patient records nationally.

"We've been talking about this subject, policymakers have, for decades: how can we make sure that we can bring the power of information technology to our health care system," Warner told reporters at Virginia Commonwealth University.

Warner, who made a fortune as an early investor in cell phones and information technology, was among the earliest apostles of e-medical records. The federal economic stimulus package that Warner supported provides nearly $20 billion to begin the process of digitizing medical records and sharing them over secure networks.

Having such data instantly available to doctors anywhere would eliminate the need for expensive tests patients have already had and allow doctors to make smarter, faster treatment decisions, advocates say.

"Every Virginian has been frustrated when you go to the hospital and you get asked exactly the same question 10 different times in the first few hours you're there," Warner said before addressing the conference of several hundred medical professionals, hospital and health care interests and educators.

Just 2 1/2 weeks earlier, a hacker broke into what the Virginia Department of Health Professions believed was a secure computer database for the Prescription Monitoring Program.

The hacker accessed millions of individual prescription records about such powerful and closely controlled drugs as Oxycodone, morphine, Vicodin and Valium. The intruder also left a taunting note on the DHP Web site demanding a $10 million ransom for the return of the data. State officials said the information was fully backed up and never lost. Gov. Timothy M. Kaine said there will be no payments.

The FBI and Virginia State Police have launched a national criminal investigation into the serious security breach that could provide thieves a menu of names and home addresses of people to whom those drugs are prescribed.

"One of the keys is how we ensure security and privacy," Warner said. "Just as we see that in financial records you can never get 100 percent protection, we have a very efficiently functioning system around financial records (and) around other critical information," said Warner, who is four months into his Senate term.

"If you have a national platform that involves security and privacy, I think you take a giant step toward making sure what happened here in Virginia doesn't happen elsewhere," he said.

When officials from DHP and Kaine's administration appeared before the House Appropriations Committee last week to explain how the breach happened, frustrated lawmakers wanted to know why a firewall put in place by the Virginia Information Technologies Agency and its contractors didn't foil the attack.

Legislators found no comfort from the assurance they were given that the DHP's servers were among the most secure in state government.

VITA was Warner's idea for consolidating the state's disparate and far-flung computer networks and technology procurement systems under one agency. It went online during his term as governor from 2002 to 2006.

"You're never going to have an infallible system. But ... you've got to make sure that you learn if there are breaches like this and improve and protect the system," he said.

from the Wall Street Journal, 2009-Apr-13, by bstephens@wsj.com:

Hiroshima, 2.0

"Gentlemen," Henry Stimson once said, "don't read each other's mail." Neither do gentlemen hack into each other's computers, electric grids, military networks and other critical infrastructure.

Ours is not a world of gentlemen.

Stimson was referring to cryptanalysis, or code-breaking, which he forbade as Herbert Hoover's Secretary of State. (He would revisit that opinion as Franklin Roosevelt's Secretary of War.) I am referring to Siobhan Gorman's front-page story in last Wednesday's Journal, in which she reported widespread cyberspying of the U.S. electricity grid, much of it apparently originating in China and Russia.

"Authorities investigating the intrusions," Ms. Gorman reported, "have found software tools left behind that could be used to destroy infrastructure components." A senior intelligence official told the Journal that, "If we go to war with them, they will try to turn them on."

To get a better sense of what all this is about, type the words "Cyber attack" and "generator" into YouTube. The first result should be a short clip from the Department of Homeland Security, leaked to CNN a couple of years ago, showing an electric generator under a simulated cyberattack at the Idaho National Laboratory. Within seconds the generator begins to shake violently. Within a minute, it's up in smoke.

Now imagine the attack being conducted against 60 large generators, simultaneously. Imagine, too, similar attacks against chemical plants, causing Bhopal-style toxic leaks. Imagine malicious software codes planted in U.S. weapons systems, which could lie undetected until triggered by a set of conditions similar to mobilization.

"It's as though we've entered something like the nuclear era without a Hiroshima," says Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, a nonprofit, nongovernmental organization that consults with government and industry about potential cyberattacks. "People aren't aware that everything has changed."

Today, the general perception of cyberattacks is that they amount to so much mischief-making by bored and spiteful 20-year-old computer geeks. Think of the 1998 Melissa computer virus. There's also some awareness of the uses of cyberpenetration for industrial espionage, though here cases are harder to name since victimized companies are often reluctant to go public. In April 2007, following a political row between Russia and Estonia over the latter's removal of a Soviet-era war memorial, a cyberattack paralyzed many of Estonia's key Web sites. The same happened in Georgia after Russia's invasion last August.

Still, none of this seems to amount to a strategic threat. Think again. In the early 1990s, the Chinese military resurrected the concept of Shashoujian, which loosely means any weapon or military strategy that can get the better of a seemingly invincible opponent. More often it's translated as "assassin's mace," or -- even better -- "killer app."

The Chinese began investigating Shashoujian after noting how a highly networked, information-centric U.S. military easily bested Iraq in the 1991 Gulf War. The result was heavy investment in asymmetric weapons like an antisatellite missile, which China successfully tested in January 2007 and which could knock America's eyes out of the sky, as well as ultra-quiet, relatively inexpensive, diesel-electric submarines that could take out an aircraft carrier.

As for the penetrations into the U.S. electricity grid, the Chinese and Russians adamantly deny involvement. But the advantages to any potential enemy of shutting down large parts of the grid are huge, beginning with the fact that the nature of the Internet makes it virtually impossible confidently to pinpoint the author of the attack. As for consequences, Mr. Borg outlines a grim scenario.

"If you shut down power for about three days," he says, "it causes very little damage. We can handle a long weekend. But if you shut down power for longer, all kinds of other things begin to happen. After about 10 days the curve levels off with about 72% of all economic activity shut down. You don't have air conditioning in the summer; you don't have heating in the winter. Thousands of people die."

Among Mr. Borg's conceptual recommendations is for the U.S. to begin thinking about its critical infrastructure as the center of gravity in any future conflict. "This is no longer about perimeter defense," he stresses. As for who could pull off that kind of cyberattack, he names (besides the U.S. and other leading high-tech nations) China, Russia and Israel. And Iran? Probably not, he suspects, nor yet groups like al Qaeda. Then again, he adds, "the worry is that over the next six or seven years they will assemble this kind of expertise."

Under President George W. Bush, Congress secretly approved $17 billion in cyber-security spending. President Barack Obama's 2010 budget calls for an additional $355 million, and that's on the public side. Maybe it's helping. Then again, personal data involving 49,000 people was recently stolen from a Federal Aviation Administration data server, while the Los Alamos National Laboratory reports 13 computers lost or stolen and another 67 missing in the past year. Yes, it's that Los Alamos.

Plainly, we have a problem. And as we consider ever-more elaborate defenses for our vulnerable networks, here's a modest suggestion: Gently alert our non-NATO "partners" that we might be in their electricity grids, too.

from the Wall Street Journal, 2009-Apr-21, by Siobhan Gorman, August Cole, and Yochi Dreazen, with Evan Perez contributing:

Computer Spies Breach Fighter-Jet Project

WASHINGTON -- Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever -- according to current and former government officials familiar with the attacks.

Similar incidents have also breached the Air Force's air-traffic-control system in recent months, these people say. In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft.

The latest intrusions provide new evidence that a battle is heating up between the U.S. and potential adversaries over the data networks that tie the world together. The revelations follow a recent Wall Street Journal report that computers used to control the U.S. electrical-distribution system, as well as other infrastructure, have also been infiltrated by spies abroad.

Attacks like these -- or U.S. awareness of them -- appear to have escalated in the past six months, said one former official briefed on the matter. "There's never been anything like it," this person said, adding that other military and civilian agencies as well as private companies are affected. "It's everything that keeps this country going."

Many details couldn't be learned, including the specific identity of the attackers, and the scope of the damage to the U.S. defense program, either in financial or security terms. In addition, while the spies were able to download sizable amounts of data related to the jet-fighter, they weren't able to access the most sensitive material, which is stored on computers not connected to the Internet.

Former U.S. officials say the attacks appear to have originated in China. However it can be extremely difficult to determine the true origin because it is easy to mask identities online.

A Pentagon report issued last month said that the Chinese military has made "steady progress" in developing online-warfare techniques. China hopes its computer skills can help it compensate for an underdeveloped military, the report said.

The Chinese Embassy said in a statement that China "opposes and forbids all forms of cyber crimes." It called the Pentagon's report "a product of the Cold War mentality" and said the allegations of cyber espionage are "intentionally fabricated to fan up China threat sensations."

The U.S. has no single government or military office responsible for cyber security. The Obama administration is likely to soon propose creating a senior White House computer-security post to coordinate policy and a new military command that would take the lead in protecting key computer networks from intrusions, according to senior officials.

The Bush administration planned to spend about $17 billion over several years on a new online-security initiative and the Obama administration has indicated it could expand on that. Spending on this scale would represent a potential windfall for government agencies and private contractors at a time of falling budgets. While specialists broadly agree that the threat is growing, there is debate about how much to spend in defending against attacks.

The Joint Strike Fighter, also known as the F-35 Lightning II, is the costliest and most technically challenging weapons program the Pentagon has ever attempted. The plane, led by Lockheed Martin Corp., relies on 7.5 million lines of computer code, which the Government Accountability Office said is more than triple the amount used in the current top Air Force fighter.

Six current and former officials familiar with the matter confirmed that the fighter program had been repeatedly broken into. The Air Force has launched an investigation.

Pentagon officials declined to comment directly on the Joint Strike Fighter compromises. Pentagon systems "are probed daily," said Air Force Lt. Col. Eric Butterbaugh, a Pentagon spokesman. "We aggressively monitor our networks for intrusions and have appropriate procedures to address these threats." U.S. counterintelligence chief Joel Brenner, speaking earlier this month to a business audience in Austin, Texas, warned that fighter-jet programs have been compromised.

Foreign allies are helping develop the aircraft, which opens up other avenues of attack for spies online. At least one breach appears to have occurred in Turkey and another country that is a U.S. ally, according to people familiar with the matter.

Joint Strike Fighter test aircraft are already flying, and money to build the jet is included in the Pentagon's budget for this year and next.

Computer systems involved with the program appear to have been infiltrated at least as far back as 2007, according to people familiar with the matter. Evidence of penetrations continued to be discovered at least into 2008. The intruders appear to have been interested in data about the design of the plane, its performance statistics and its electronic systems, former officials said.

The intruders compromised the system responsible for diagnosing a plane's maintenance problems during flight, according to officials familiar with the matter. However, the plane's most vital systems -- such as flight controls and sensors -- are physically isolated from the publicly accessible Internet, they said.

The intruders entered through vulnerabilities in the networks of two or three contractors helping to build the high-tech fighter jet, according to people who have been briefed on the matter. Lockheed Martin is the lead contractor on the program, and Northrop Grumman Corp. and BAE Systems PLC also play major roles in its development.

Lockheed Martin and BAE declined to comment. Northrop referred questions to Lockheed.

The spies inserted technology that encrypts the data as it's being stolen; as a result, investigators can't tell exactly what data has been taken. A former Pentagon official said the military carried out a thorough cleanup.

Fighting online attacks like these is particularly difficult because defense contractors may have uneven network security, but the Pentagon is reliant on them to perform sensitive work. In the past year, the Pentagon has stepped up efforts to work with contractors to improve computer security.

Investigators traced the penetrations back with a "high level of certainty" to known Chinese Internet protocol, or IP, addresses and digital fingerprints that had been used for attacks in the past, said a person briefed on the matter.

As for the intrusion into the Air Force's air-traffic control systems, three current and former officials familiar with the incident said it occurred in recent months. It alarmed U.S. national security officials, particularly at the National Security Agency, because the access the spies gained could have allowed them to interfere with the system, said one former official. The danger is that intruders might find weaknesses that could be exploited to confuse or damage U.S. military craft.

Military officials declined to comment on the incident.

In his speech in Austin, Mr. Brenner, the U.S. counterintelligence chief, issued a veiled warning about threats to air traffic in the context of Chinese infiltration of U.S. networks. He spoke of his concerns about the vulnerability of U.S. air traffic control systems to cyber infiltration, adding "our networks are being mapped." He went on to warn of a potential situation where "a fighter pilot can't trust his radar."

from the San Jose Mercury News, 2009-Apr-9, by Mark Gomez:

Sabotage suspected in widespread phone outage in Santa Cruz and Santa Clara counties

Santa Clara County officials have declared a local emergency after they said someone intentionally cut an underground fiber optic cable in south San Jose, causing a widespread phone service outage in southern Santa Clara and Santa Cruz counties today that included disruption to 911 emergency phone service.

John Britton, a spokesman for AT&T, said it appears somebody opened a manhole in South San Jose, climbed down eight to 10 feet and cut four or five fiber-optic cables. Britton also said there was a report of underground cables being cut in San Carlos.

AT&T is offering a $100,000 reward for information leading to the arrest and conviction of whoever is responsible for the sabotage, Britton said.

The outage initially affected some cell phones, Internet access and about 52,200 Verizon household land lines in Morgan Hill, Gilroy and Santa Cruz County, according to the Santa Clara County Office of Emergency Services. The cell phone networks affected are Verizon, Nextel, Sprint and some AT&T.

Verizon is the sole provider of land lines in the South County area.

"We've never to this extent in recent history had this kind of phone outage," said Gilroy police Sgt. Jim Gillio.

ATMs in South Santa Clara County were not working.

Saint Louise Regional Hospital in Gilroy cancelled all elective surgeries in response to the emergency, according to county officials.

"It's kind of like an earthquake," said Jack Ahlin, a driver with T. Marx Towing who was standing outside the Gilroy police department.

Service is also affected in South San Jose around Monterey Road and Bailey Avenue.

Crews are repairing cut wires located underground on Monterey Road just north of the Blossom Hill Road exit in South San Jose. As of 2 p.m. one of the cables had been repaired and some service had been restored, Britton said. Full service is not expected to be restored until about midnight.

San Jose police spokesman Sgt. Ronnie Lopez said the manhole covers are heavy and would take quite an effort to lift, perhaps even requiring a tool.

AT&T's contract with the Communication Workers of America expired at 11:59 p.m. Saturday, but Britton said "we have a really good relationship with the union" and that negotiations continue between the two sides.

Asked if the potential sabotage had anything to do with the strike-threatened contract negotiations between AT&T and the Communication Workers of America, union national spokeswoman Candice Johnson replied: "Absolutely not. Our members are not involved in this."

Johnson said that CWA would cooperate with the investigation. Any implication that a disgruntled worker cut the wires was false, she said.

"That would be counterproductive," Johnson said. "We are on the job. So it doesn't make any sense. Our goal is to get a quality, fair contract and that is our focus right now."

Johnson said she did not know if police had contacted the local union.

Meanwhile the disruption continues for thousands of residents.

The Santa Clara County Emergency Operations Center has been activated; the Santa Clara County Fire Department has moved more firefighters to south county fire stations; the county sheriff has increased staffing and patrols; and additional ambulances have been positioned in the area.

Authorities say that residents with an emergency who can't reach 911 should use a cell phone if possible to call the police dispatch numbers for help. The numbers are: Gilroy: (408) 846-0350; Morgan Hill: (408) 779-2101; unincorporated areas: (408) 299-2311; and San Jose: (408) 277-8900.

Search and rescue crews have set up the following locations to respond to residents reporting locations: Uvas and Watsonville roads, near Gilroy; McKean and Bailey roads, near South San Jose and Morgan Hill; Oak Glen and Edmonson roads, near Morgan Hill; Watsonville Road and Highway 152, near Gilroy; New and Church avenues, near San Martin; and Maple and Foothill avenues, near San Martin.

Gilroy police called in eight officers to help patrol the city, more than doubling the force of seven officers on the streets on a typical day, according to Gillio. He said residents should flag down an officer if they need help.

The city of Gilroy is also sending out emergency notifications on cable channel 17 and 1610 AM radio and setting up freeway signs directing people to the cable and radio outlets, according to city spokesman Joe Kline. The city also sent fliers to the schools with information about how to report an emergency. Children were asked to bring the fliers home to their parents.

Elsewhere, officials are urging people to go to their nearest fire or police department or local hospital or flag down an emergency vehicle.

"Verizon is completely down; other carriers are intermittent at best," said Zachary DeVine, a Santa Clara County spokesman.

The damaged fiber optic line is owned by AT&T and leased out to Verizon, DeVine said.

The problem was first reported around 2 a.m. when police in Morgan Hill and Gilroy contacted Santa Clara county dispatchers to report their phones were down. That began a chain of reactions as Santa Clara County officials responded immediately, DeVine said. The county has held over fire crews and has sent additional sheriff's deputies to Morgan Hill and Gilroy.

Police and fire radios remain operational, meaning field officers are able to get calls from dispatchers and communicate with one another to coordinate aid for anyone reporting to a local fire or police station, DeVine said.

from MarketWatch.com, 2009-Apr-10, by John Dvorak:

Bad scenarios for the smart-grid concept
Commentary: Cable cuts in Bay Area look like someone's testing network

BERKELEY, Calif. -- The excellent analysis of the smart-grid initiative by MarketWatch columnist Thomas Kostigen pointed out the obvious: There may be more security issues than ever with a so-called smart grid controlling power distribution in the country.

The real likelihood that hackers can break into such a grid is actually not a possibility, but an inevitability. What is always overlooked when these fancy initiatives are unveiled is the nature of the Internet.

What we need is a distribution system that relies on computer technology for management, but which is completely off the Net itself. Nobody wants to do that.

It is crazy to put all of our eggs in one Internet basket, as the telecommunications scene worldwide is subject to too much hacking. Even a non-Internet network cannot be secured.

This problem goes further than hackers online -- it goes to our overdependence on interconnectivity through common connections.

This week in the San Francisco Bay Area, the fiber-optic cable network was purposely sliced at four distinct locations. Where a hacker cannot succeed, bolt cutters will do.

Once the cables were cut, Internet service was flaky for the region and completely out for 50,000 customers. On top of that, the landlines would not work and the cell-phone towers in the area went dead.

Does anyone find this sort of interdependency a little disconcerting? It is as if someone was testing the grid for either redundancy or failure points.

Much of the problem stems from the issues with technologies such as fiber optics. They require a level of public trust to work, because the cables must be clearly marked to prevent public works and contractors from accidentally cutting them.

In most parts of the country, there are signs up and down highways, across bodies of water and even in cities marking the location of a fiber-optic line. There are even maps of these things and where they are located.

How much work would it take to find some choke points that you could cut for the purposes of disrupting data communications in an area? How would this affect the so-called smart grid?

The peculiar nature of the four cuts around the Bay Area indicated to me that someone was mapping how they would affect the region, keeping in mind that by cutting the cable in key areas you might be able to take down half the country. If more cuts are made in the future, then someone is trying to reverse-engineer the network to find the most vulnerable points of disruption.

We all spent the last month fretting over the Conficker worm that was supposed to ruin the lives of millions on April 1, but nothing came of it. What was disturbing about the whole episode is that nobody had a clue as to what might happen.

Does this give anyone any confidence that the networked tech scene is in any way safe or secure? And what changed that led us to be so dependent on it?

While taking a lot of things off the Internet might not be a bad idea, keeping them on any network running over the fiber-optic system may not be such a good idea either.

So unless something can be done to assure me that cables cannot be cut and the smart grid is safe from hackers, I would never support these schemes. They put us all at too much risk.

from Forbes, 2009-Mar-9, by Andy Greenberg:

Top Cyber Official Sounds Off
The outgoing DHS cyber chief argues that too much NSA power prevents cooperation with businesses.

Since the Bush administration launched its $30 billion cybersecurity overhaul in January 2008, no element of the so-called "Cyber Initiative" has received more criticism from privacy advocates and private industry than the role of the National Security Agency in the project.

Now, add one more critic of that secretive agency's growing cybersecurity power: the Department of Homeland Security's top cybersecurity official, Rod Beckstrom.

Beckstrom announced Friday that he is stepping down from his post as the head of the National Cyber Security Center. In his resignation letter, Beckstrom said that the "NSA currently dominates most national cybersecurity efforts" and that "the threats to our democratic processes are significant if all top level network security and monitoring is handled by any one organization."

In an interview with Forbes on Monday, Beckstrom expanded on his letter, adding that the NSA's central role in the Cyber Initiative prevented the private sector from participating in information sharing projects--a collaborative side of the initiative aimed at protecting the nation's critical infrastructure, such as power plants, banks and telecommunications networks, from cyberspies and hackers.

"In intelligence environments like the NSA, you seek out and gather information, and then you classify it," Beckstrom says. "It's the opposite of collaboration."

Beckstrom added that while the NSA gains power under the Cyber Initiative, his branch of the DHS has been chronically under-funded by the DHS and the White House's Office of Management and Budget. The National Cyber Security Center received less than $500,000 over the last year, the equivalent of five weeks of operation, according to Beckstrom.

That imbalance between his group and the NSA makes private sector cooperation more difficult, he argues. "Clearly there are companies that are comfortable working in classified environments, and there are those that aren't," he says. "That would be one reason to support a credible, civilian, independent component like the NCSC. Otherwise, we'd lose those relationships we gained by bringing [these companies] into the fold."

In contrast to the NSA power grab he describes, Beckstrom had long advocated a decentralized approach to security. His influential book, The Starfish and the Spider, described how organizations gain strength and resiliency as they distribute leadership beyond a single "head." Because of its decentralized nervous system, a starfish is more resilient than a spider, he argued.

Whether Cyber Initiative power distribution will change under President Obama is far from clear. But the new administration's intentions for the project may come to light in a House of Representatives-DHS committee hearing Tuesday, in which the DHS will offer up findings from the first 30 days of a 60-day review of the cyber plan.

In a statement, DHS spokeswoman Amy Kudwa said the agency regrets losing Beckstrom, but "has a strong relationship with the NSA and continues to work in close collaboration with all of our federal partners on protecting federal civilian networks."

"We look forward to our continued, positive working relationship with all our partners on outreach to the private sector as we strive to further secure our nation's cyber networks," she added.

Aside from the question of private sector involvement in the Cyber Initiative, the NSA, which didn't respond to requests for comment, has drawn controversy from privacy groups who worry that it could gain increased power to comb private networks.

"The apparent ascendancy of the NSA as having a dominant role in setting cybersecurity policy and implementing the program increases the risk that surveillance will trump security," Jim Dempsey, the executive director of the Center for Democracy and Technology, told Forbes in December. (See: "How Obama Can Fix Cybersecurity.")

Beckstrom declined to comment on that privacy threat and added that the NSA has "the deepest pool of technical talent in the federal government in this area."

"The issue is that we have a federated government, decentralized for a reason," Beckstrom says. "Our founding fathers never believed that power should be concentrated in one place. And what today is more powerful than information?"

from ChannelWeb, 2009-Jan-30, by Stefanie Hoffman:

Fannie Mae Logic Bomb Attack 'Tip Of The Iceberg'

The contracted Fannie Mae engineer indicted Tuesday by the Justice Department for allegedly planting a logic bomb represents the beginning of a trend of insider attacks responding to layoffs and job insecurity because of the weak economy, experts say.

"To me, this is the tip of the iceberg," said Mandeep Khera, chief marketing officer of security company Cenzic. "If a small percentage of these IT workers are going to the dark side, they could potentially cause a lot of damage."

Federal investigators indicted Rajendrashinh Makwana, 35, a contracted Unix engineer for mortgage finance company Fannie Mae, for allegedly embedding malicious code known as a logic bomb in the mortgage lender's computer network, which was set to detonate on Jan. 31, 2009.

Had the attack been successful, the malware could have destroyed the entirety of the data on all 4,000 of the mortgage finance company's servers and shut down the company for a week, experts say.

The malware in Fannie Mae's servers was thwarted when another engineer detected the malicious code, embedded with legitimate script.

However, experts say that in many other cases, malicious code planted from the inside might not be so easily detected, especially in smaller and midsize companies with limited IT personnel and resources.

"I bet there's a lot more malicious code and a lot more hidden back doors that are being exploited," Khera said. "We'll hear about some of the big ones. We won't hear about a bunch of them that will never get caught."

Makwana planted the malicious code in Fannie Mae's servers after he was terminated on Oct. 24 for a scripting error in mid-October, which federal officials say was not "maliciously created." Makwana, a native of India in the U.S. on a work visa, had been an engineer for IT consulting firm OmniTech for three years, but worked full time at Fannie Mae's Urbana, Md. facility.

"After being terminated from his employment at Fannie Mae, Makwana intentionally and without authorization caused and attempted to cause damage to Fannie Mae's computer network by entering malicious code that was intended to execute on Jan. 31, 2009, and that would have resulted in destroying and altering all of the data on all Fannie Mae servers," the indictment said.

Makwana was told of his termination on Oct. 24 at about 2 p.m., after which he surrendered his badge and left the Urbana facility at about 4:45 p.m. that same day, according to an FBI affidavit. However, Makwana's server access was not terminated until 10 p.m. later that evening. Makwana used his extended access to reset the company's servers that would eliminate his "footprint" and impede security alerts that would ordinarily warn Fannie Mae engineers of an intruder's continued access to the servers. Makwana then launched code that would enable him to access the servers remotely, and created the logic bomb the following day, Oct. 25.

Khera said that 2009 will likely be a "big year" for insider threats and data breaches due to the weak economy that resulted in massive layoffs within the IT sector and other industries. Consequently, it would not be difficult for disgruntled or laid-off IT employees to infiltrate corporate networks and plant malicious code, which could be used to shut down systems or steal information, he said.

"After they leave, they can sell this information to hackers. There're a lot of things they can do," Khera said. "(The attacks) will continue, and I think we'll see a huge trend this year."

from the New York Times, 2009-Jan-31, by Liz Robbins:

Search Service on Google Briefly Fails

Google's Internet search service malfunctioned for nearly 55 minutes Saturday morning, upending users around the world with search results that carried false safety warnings and Web links that did not work.

The company acknowledged Saturday that all searches produced links with the same warning message: “This site may harm your computer.” Clicking on any of the links led to an error message stating that the desired site could not be reached.

“What happened? Very simply, human error,” Google explained in its blog.

Google said that it periodically updated its list of sites suspected of carrying software that could harm computers, and that Saturday morning a Google employee mistyped a Web address for one such site, causing all sites to be flagged harmful. Google estimated that most users would have been affected for only 40 minutes, depending on when their computers registered the error.

There was some momentary tension when Google seemed to imply that the glitch had been caused in part by StopBadware.org, the company that helps Google determine which sites are unsafe. Google later posted a statement that took full blame for the error and apologized to users.

“We have a good ongoing relationship with StopBadware.org,” a Google spokesman, Gabriel Stricker, said in a telephone interview. “In our post, we tried to clarify our role in this error.”

Google is not known for glitches, but Mr. Stricker confirmed that there was another, unrelated problem. The Staten Island Advance reported that Google Maps had a software glitch last month that sent drivers trying to get to different points within Staten Island on a 176-mile detour to Schenectady.

As for Saturday's search engine failure, Mr. Stricker added, “Our Web search is extremely reliable, and that's why when an interruption occurs, even if it's for a matter of minutes, for a Saturday morning, people notice it.”

from WindowsSecrets.com, 2009-Feb-5, by Brian Livingston:

Watch a live video, share your PC with CNN

Many people who watched live streaming video of the inauguration of U.S. President Barack Obama on Jan. 20 may not realize that their PC was used to send the video to other PCs, too.

Clicking "yes" to a CNN.com dialog box installed a peer-to-peer (P2P) application that uses your Internet bandwidth rather than CNN's to send live video to other viewers.

The P2P application is called Octoshape Grid Delivery and is managed by Octoshape ApS, a company based in Copenhagen, Denmark.

Web surfers who visit CNN.com and select a live video stream for the first time see in their browsers a dialog box, shown in Figure 1, saying, "This site requires the Octoshape Grid Delivery enhancement for Adobe Flash Player." The dialog box doesn't appear when playing an ordinary video file, only when starting a live feed. (Feeds labeled LIVE typically appear in the upper-right corner of CNN.com's home page during business hours.)

According to Octoshape's end-user license agreement (EULA), what's installed is a peer-to-peer app that will "deliver parts of the video and audio stream to other end users of the Software."

Why should you care? Windows Secrets contributing editor Ryan Russell, using a network sniffer, measured Octoshape using upstream bandwidth of 320 kilobits per second on a broadband connection. Dan Ferrell, in a comment on contributing editor Susan Bradley's blog, reports seeing 600 Kbps of upstream traffic. At first glance, Ferrell adds, the multiple connections to his PC looked on his security alert system like some kind of SQL attack.

The Internet Storm Center, an Internet security organization, reported that traffic on Jan. 20 had jumped to a level thousands of times higher than usual on port 8247, which is used for UDP, the User Datagram Protocol. (See Figure 2.) The center quickly identified the source as legitimate — CNN — but security consultant Raul Siles warned in his report, "It would be easy for an attacker to hide his actions on this port if we simply ignore it."

In a telephone interview, Octoshape's P2P nature was confirmed by Mike Wise, group technical advisor for platform R&D at Turner Broadcasting System, the parent of CNN.

Wise emphasized that the news network had selected the most considerate software for the job: "The Octoshape technology uses a congestion control mechanism that's less aggressive than TCP and most UDP implementations." As one example of the way Octoshape gives priority to user tasks, he explained, "we chose an implementation that wouldn't interfere with consumer's VoIP [Voice over Internet Protocol] applications."

As a European company, Octoshape's technology was initially used on the continent to stream live feeds of such high-profile events as the Eurovision Song Contest and the UEFA Cup. "We're their first big United States customer, at least that I know of," says Wise.

"We did some limited trials leading up to the election" on Nov. 4, as Wise describes it. The big test came with the Jan. 20 inaugural address. More than 26 million live feeds (including restarts of crashed streams) were served that day by CNN.com, according to a Jan. 25 article and chart in the New York Times. CNN's nearest rivals served "only" 9.1 million (MSNBC) and 8 million (AP).

To my surprise, I've seen only a few blogs comment on the implications of CNN using so much upstream bandwidth — and almost no headlines in the mainstream U.S. media.

Most Internet service providers support far less bandwidth in the upstream direction (from a PC to the Internet) than they do downstream (from the Internet to a PC). But that isn't the only concern with CNN's use of people's Internet connections:

The question isn't whether peer-to-peer technology is "good" or "bad." P2P is here to stay.

But if all TV programs are going to be streamed live by media giants, as I'm sure will eventually happen, the question is what impact this will have on Internet bandwidth — and who will pay for it.

I'd like to see the computer industry start a well-publicized discussion in the major news media about this. If we're going to stream TV across the Internet, shouldn't we select an open standard (the TorrentFreak blog likes P2P-Next), rather than proprietary technology that's restricted to a few parties with patents?

What to do if you have Octoshape on your PC

As I mentioned earlier, the Octoshape app isn't currently a threat. But I personally would rather put up with a slightly jerky video than run an application on my PC that's sending God-knows-what to who-knows-whom.

Fortunately, the Octoshape program isn't hard to find or remove:

There's much more to write on this subject, but I'll stop here. If you have additional specifics on any of this, please send a tip via the Windows Secrets contact page. Thanks!

from the Associated Press via the St. Petersburg Times of Florida, 2009-Aug-14, by Hope Yen with AP Medical Writer Lauran Neergaard contributing:

VA computer glitch affected Bay Pines medical records

WASHINGTON — Patients at Veterans Affairs health centers around the country were given incorrect doses of drugs, had needed treatments delayed and may have been exposed to other medical errors due to software glitches that showed faulty displays of their electronic health records.

At the Bay Pines VA Medical Center in St. Petersburg, medical data would pop up with the wrong patient's name attached, according to the Associated Press. The James A. Haley VA Medical Center in Tampa was not mentioned in AP's list.

The glitches, which began in August and lingered until last month, were not disclosed by the Veterans Affairs Department to patients even though they sometimes involved prolonged infusions of drugs such as heparin, which in excessive doses can be life-threatening, according to internal documents obtained by the Associated Press under the Freedom of Information Act.

There is no evidence that any patient was harmed, even as the VA says it continues to review the situation. But the issue is more pressing as the federal government begins promoting universal use of electronic medical records. President George W. Bush has supported the effort and incoming President-elect Barack Obama has made it a top priority, part of an additional $50 billion a year in spending for health IT programs that he has proposed.

The goal of electronic medical records nationwide is to help avert millions of medical mistakes attributed in part to paper systems, such as poorly written prescriptions. But health care experts say the VA's problems illustrate the need for close monitoring.

Veterans groups were also harshly critical, saying the VA's secrecy created a false sense of security.

"It's very serious potentially," said Dr. Jeffrey A. Linder, an assistant professor of medicine at Harvard Medical School who has studied electronic health systems. "There's a lot of hype out there about electronic health records, that there is some unfettered good. It's a big piece of the puzzle, but they're not magic. There is also a potential for unintended consequences."

The VA's recent glitches involved medical data — vital signs, lab results, active meds — that sometimes popped up under another patient's name on the computer screen. Records also failed to clearly display a doctor's stop order for a treatment, leading to reported cases of unnecessary doses of intravenous drugs such as blood-thinning heparin.

In a statement late Tuesday, the VA said there were nine reported cases where patients at the VA medical centers in Milwaukee, Durham, N.C., and Marion, Ind., were given incorrect doses, six of them involving heparin drips that were given for up to 11 hours longer than necessary. The other cases involved infusions of either sodium chloride or dextrose mixtures that were prolonged for up to 15 hours past the doctor's prescribed deadline.

The VA noted that veterans with questions or concerns can request a copy of their medical record at any time, such as via the "My HealtheVet" online system at www.myhealth.va.gov.

In all, nearly one-third of the VA's 153 medical centers reported seeing some kind of glitch, although the VA said that number could be higher since some facilities may not have filed reports.

Stephen Warren, the VA's acting assistant secretary for information technology, said VA hospitals were able to minimize the consequences because they had several alternative systems in place for nurses to check on a patient's treatment. Alert doctors also reported glitches after noticing that a patient's record looked similar to a previous patient's.

Warren said the VA was confident that its doctors took the proper precautions to avoid any harm to their patients. But he added, "VA believes that veterans are active partners in their health care, and encourages patients to always follow up with their health care teams to ensure that their treatment options meet their understanding and their health care needs."

Veterans groups questioned the VA's decision to keep the problems quiet.

"This is disturbing on a number of levels because of what could have happened," said Veterans of Foreign Wars National Commander Glen Gardner. "Being told that no patients were harmed still does not absolve the VA from its responsibility to forewarn patients that something is amiss. Trust is paramount in doctor-patient relationships, and nothing should ever be allowed to undermine that confidence."

According to interviews and the VA's internal memos, the glitches began after the VA distributed its annual software upgrade last August.

By early October, hospitals began reporting the troubling problems: When doctors pulled up electronic records of different patients within 10 minutes of each other to offer treatment advice, the medical information of the first patient sometimes displayed under the second person's name. In some records, a doctor's stop order for intravenous injections also failed to clearly display.

The VA issued several safety alerts to medical centers beginning Oct. 10. It also imposed new safety measures until the glitches were fully corrected in December.

"Patients can ... be at risk for delay in treatment changes or possible medication errors," according to one internal memo dated Oct. 31. "These changes have resulted in reported delays for stopping continuous infusion orders (e.g., stopping IV heparin drips)."

Dr. Bart Harmon, a former Pentagon chief medical information officer who helped coordinate the government's electronic records system from 1997 to 2007, cautioned that the VA's problems could become more common as more hospitals and doctors' offices move toward electronic records.

"This is a classic problem in health care — it's hard to get people to invest in prevention," said Harmon, who now works for Harris Healthcare Solutions, an information technology firm based in Melbourne, Fla. "The money tends to drift to obvious risks that are wrong. But safety checks are a new investment that needs to be maintained."

from the Wall Street Journal, 2008-Aug-9, p.A10:

The EMP Threat

Imagine you're a terrorist with a single nuclear weapon. You could wipe out the U.S. city of your choice, or you could decide to destroy the infrastructure of the entire U.S. economy and leave millions of Americans to die of starvation or want of medical care.

The latter scenario is the one envisioned by a long-running commission to assess the threat from electromagnetic pulse, or EMP. The subject of its latest, and little discussed, report to Congress is the effect an EMP attack could have on civilian infrastructure. If you're prone to nightmares, don't read it before bedtime.

An EMP attack occurs when a nuclear bomb explodes high in the Earth's atmosphere. The electromagnetic pulse generated by the blast destroys all the electronics in its line of sight. For a bomb detonated over the Midwest, that includes most of the continental U.S. Few, if any, people die in the blast. It's what comes next that has the potential to be catastrophic. Since an EMP surge wipes out electronics, virtually every aspect of modern American life would come to a standstill.

The commission's list of horribles is 181 pages long. The chapter on food, for instance, catalogs the disruptions up and down the production chain as food spoils or has no way to get to market. Many families have food supplies of several days or more. But after that, and without refrigeration, what? The U.S. also has 75,000 dams and reservoirs, 168,000 drinking water-treatment facilities, and 19,000 wastewater treatment centers -- all with pumps, valves and filters run by electricity.

Getting everything up and running again is not merely a matter of flipping a switch, and the commission estimates that many systems could be out of service for months or a year or more -- far longer than emergency stockpiles or batteries could cover. The large transformers used in electrical transmission are no longer built in the U.S. and delivery time is typically three years. "Lack of high voltage equipment manufacturing capacity represents a glaring weakness in our survival and recovery," the commission notes.

Many industries rely on automated control systems maintained by small work forces. In emergencies -- say, during a blackout -- companies often have arrangements in place to borrow workers from outside the affected area to augment the locals and help with manual repairs. After an EMP attack, those workers would be busy in their home regions -- or foraging for food and water for their families.

The commission offers extensive recommendations for how industry and government can protect against the effects of an EMP attack and ensure a quicker recovery. They include "hardening" more equipment to withstand an electromagnetic pulse; making sure replacement equipment is on hand; training recovery personnel; increasing federal food stockpiles; and many others.

If not, our vulnerability "can both invite and reward attack," the commission's chairman, William Graham, told Congress last month. Iran's military writings "explicitly discuss a nuclear EMP attack that would gravely harm the United States," he said. James Shinn, an assistant secretary of defense, has said that China is developing EMP weapons. The commission calls an EMP attack "one of a small number of threats that can hold our society at risk of catastrophic consequences." The threat is real. It's past time to address it.

from the Financial Times of London, 2008-Nov-6, by Demetri Sevastopulo:

Chinese hack into White House network

Washington -- Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials, a senior US official told the Financial Times.

On each occasion, the cyber attackers accessed the White House computer system for brief periods, allowing them enough time to steal information before US computer experts patched the system.

US government cyber intelligence experts suspect the attacks were sponsored by the Chinese government because of their targeted nature. But they concede that it is extremely difficult to trace the exact source of an attack beyond a server in a particular country.

"We are getting very targeted Chinese attacks so it stretches credulity that these are not directed by government-related organisations," said the official.

The official said the Chinese cyber attacks had the hallmarks of the "grain of sands" approach taken by Chinese intelligence, which involves obtaining and poring through lots of - often low-level - information to find a few nuggets.

Some US defence companies have privately warned about attacks on their systems, which they believe are attempts to learn about future weapons systems.

The National Cyber Investigative Joint Task Force, a new unit established in 2007 to tackle cyber security, detected the attacks on the White House. But the official stressed that the hackers had only accessed the unclassified computer network, not the more secure classified network.

"For a short period of time, they successfully breach a wall, and then you rebuild the wall ... it is not as if they have continued access," said the official. "It is constant cat and mouse."

Dana Perino, White House press secretary, declined to comment. The Chinese embassy also did not comment, but in the past China has called similar allegations reflective of "Cold-War thinking".

The US has increased efforts to tackle cyber security, particularly since Chinese hackers believed to be associated with the People's Liberation Army last year perpetrated a major attack on the Pentagon.

US military computer experts battled for weeks against a sustained attack that eventually overcame the Pentagon's defences. The cyber attackers managed to obtain information and email traffic from the unclassified computer system that supports Robert Gates, the defence secretary. Pentagon IT technicians were forced to take the network down for days to conduct repairs.

Concerns about Chinese hacking last year prompted President George W. Bush to tell reporters ahead of a meeting with President Hu Jintao of China that he might raise the issue with countries of concern.

Over the past year, the US government has tightened restrictions on officials using BlackBerrys and computers overseas, particularly in Russia and China, and sometimes bars them from removing the equipment from US government aircraft in the country.

In another incident, US government cyber investigators have determined that an attack this summer on the Obama and McCain campaign computer networks also originated in China. Details of the intrusion were first reported by Newsweek.

The Secret Service warned the Obama and McCain campaigns their networks had been compromised. The hackers successfully downloaded large quantities of information, which security agencies believed was an attempt to learn more about the contenders' policy positions.

According to the Newsweek report, the Obama campaign speculated that China or Russia were behind the attacks. A second US official said cyber analysts had concluded that the attacks originated in China, but stressed that they were not able to determine who was responsible.

"There is no doubt that foreign governments are actively targeting cyber space not only for sensitive information but to influence our most sensitive processes such as the US presidential election," said Sami Saydjari, head of the Cyber Defence Agency, a private company that advises government on hacking.

"This underscores the need for President-elect Obama to take leadership in the cyber space race that is well underway."

While the US has raised concerns about cyber attacks, many governments believe the US is also engaged in electronic spying. Bob Woodward, the veteran Washington Post reporter, this year revealed that the US had been spying on the Iraqi government.

from Newsweek online, 2008-Nov-5:

Hackers and Spending Sprees
Highlights from NEWSWEEK's special election project.

The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyberattack by an unknown "foreign entity," prompting a federal investigation, NEWSWEEK reports today.

At the Obama headquarters in midsummer, technology experts detected what they initially thought was a computer virus—a case of "phishing," a form of hacking often employed to steal passwords or credit-card numbers. But by the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." The following day, Obama campaign chief David Plouffe heard from White House chief of staff Josh Bolten, to the same effect: "You have a real problem ... and you have to deal with it." The Feds told Obama's aides in late August that the McCain campaign's computer system had been similarly compromised. A top McCain official confirmed to NEWSWEEK that the campaign's computer system had been hacked and that the FBI had become involved.

Officials at the FBI and the White House told the Obama campaign that they believed a foreign entity or organization sought to gather information on the evolution of both camps' policy positions—information that might be useful in negotiations with a future administration. The Feds assured the Obama team that it had not been hacked by its political opponents. (Obama technical experts later speculated that the hackers were Russian or Chinese.) A security firm retained by the Obama campaign took steps to secure its computer system and end the intrusion. White House and FBI officials had no comment earlier this week.

NEWSWEEK has also learned that Palin's shopping spree at high-end department stores was more extensive than previously reported. [...]

from Fox News, 2008-Oct-10, by Richard Behar:

World Bank Under Cyber Siege in 'Unprecedented Crisis'

The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned.

It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July.

In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

In a frantic midnight e-mail to colleagues, the bank's senior technology manager referred to the situation as an "unprecedented crisis." In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public.

The crisis comes at an awkward moment for World Bank president Robert Zoellick, who runs the world's largest and most influential anti-poverty agency, which doles out $25 billion a year, and whose board represents 185 member nations. This weekend, the bank holds its annual series of meetings in Washington — and just in advance of those sessions, Zoellick called for a radical revamping of multilateral organizations in light of the global economic meltdown.

Zoellick is positioning himself and the bank as an institution that can help chart a new path toward global financial stability. But that reputation, more than ever, depends on the bank's stable information infrastructure.

The fact that the information vaults of the World Bank have been repeatedly pried open won't help Zoellick's case.

While it remains unclear how much data has been pilfered from the bank, it's a lot. According to internal memos, "a minimum of 18 servers have been compromised," including some of the bank's most sensitive systems — ranging from the bank's security and password server to a Human Resources server "that contains scanned images of staff documents."

One World Bank director tells FOX News that as many as 40 servers have been penetrated, including one that held contract-procurement data.

Despite the gravity of the break-ins, the bank is trying hard to pretend to outsiders it didn't happen. "There were attempts to hack the bank's computer systems last summer," says a World Bank spokesman. "However, there was no compromise of confidential information." Requests for on-the-record interviews with Zoellick and other top officials were declined.

Meanwhile, the bank's treasurer, Kenneth G. Lay, has been briefing Zoellick's senior management team regularly on the situation since April.

Other bank officials are also sleuthing. The bank's chief information officer, Guy De Poerck, has engaged Price Waterhouse Coopers to do a confidential million-dollar assessment that is expected to tell him what's going on in his own department. And a 22-page internal report by a computer security company named MANDIANT, dated August 18, fleshes out many details of the June-July breaches. But very few people have ever seen the report, and nobody has been permitted to retain a paper copy.

At the same time, De Poerck has been downplaying the problem to the bank's 10,000 rank-and-file staffers as mere intrusion "attempts" in his e-mails. Yet most of those staffers have been asked to change their password three times in the past three months.

"As previously reported in mid-July," CIO De Poerck and a senior bank treasury official wrote in an August announcement to employees, "we would like to reassure you that there is no evidence that Bank staff personal information is at risk from the recent external attempts."

It's unclear how that statement squares with an internal memo to De Poerck a month earlier revealing that a sensitive Human Resources server "that contains scanned images of staff documents" had been successfully breached. De Poerck declined to comment to FOX News about any of these details.

In reality, the situation is serious enough that federal investigators have been called in. "We're not talking about hackers playing games or messing up our website," insists a senior member of the bank's IT department at its Washington headquarters. "It's about the FBI coming last summer and saying, 'You should take a look at your systems because we think something weird is going on.' It's about the intruders knowing what information they wanted — and getting to it whenever they wanted to. They took our existing data stores and organized them in a way that they could be easily accessed at will."

In plainspeak: "They had access to everything," says the source. "They had the keys to every room at the bank. And we can't say whether they still do or don't until we fully and openly address what's happening here."

The data raids are not a matter of stealing inconsequential bits and bytes. The World Bank's data center is literally a treasure trove of vital financial information from around the globe. As a clearinghouse for financial data from both governments and companies, the bank's computers could provide intruders with both a financial and intelligence gold mine — from inside information on bids and contracts to the minutes of confidential board meetings.

If the bank takes a position in a currency, for example, that currency usually moves in response to the bank's actions. Stocks and bonds can also swing up and down based on World Bank announcements. "If you know beforehand that the bank is going to put an order in for oil pipelines in Chad or healthcare systems in India, you can actually make a good amount of money," says one insider.

Although the bank typically provides only a fraction of the financing for a project, its influence on those projects is immense. Private corporations see the bank's stamp of approval as a guarantee that their own larger investments will be safe — and profitable. Knowing in advance what projects the bank's board will reject could be just as profitable.

Some insiders fear that contractors — perhaps even governments — might be seeking advance knowledge on the status of the bank's anti-corruption probes. "The bank knows the books of countries almost as well as the countries do — including the corruption at times," says one insider.

The first breach of the bank's secrets was discovered in September, 2007, after the FBI — while at work on a different cybercrime case — notified the bank that something was wrong. The feds pointed to a part of the bank's network that led out of the Johannesburg hub of the International Finance Corp. (IFC), a bank arm that lends to the private sector.

Within a week of the tip, teams of bank investigators sent to Johannesburg discovered that intruders had gained full and total access to all of IFC's worldwide information — including all incoming and outgoing e-mail — for at least six months. "They were downloading everything and anything," says one insider, who says that IFC's monitoring systems were extremely weak. "They [intruders] had full access."

Investigators discovered that the intruders were using a so-called "cluster" of IP addresses from Macao, China. But since those addresses can be spoofed (i.e., disguised) the discovery doesn't prove that the breaches actually originated in China. Nonetheless, bank officials and its executive director for China clashed behind closed doors over whether or not China's government is involved in the break-ins.

Bank sources tell FOX News that Johannesburg is one of several secret "hubs" containing a "common data store" (or CDS) that the World Bank Group has established around the globe. In layman's terms, a CDS is the cyber-world's version of a bomb shelter where every piece of an organization's data is replicated and backed up in case of a data-wipeout at headquarters in Washington. While it's known that IFC data was accessible at the hub, it remains unclear if all World Bank Group data was compromised there.

The second major breach — of the bank's treasury network in Washington — was discovered in April 2008. The World Bank's Treasury manages $70 billion in assets for 25 clients — including the central banks of some countries. It carries out substantial collaborations with the world's finance ministers on public wealth and debt management, runs an active bond-trading desk in Washington, and does everything from currency trading to capital markets financings.

After a forensic analysis of the treasury breach, bank investigators discovered that spy software was covertly installed on workstations inside the bank's Washington headquarters — allegedly by one or more contractors from Satyam Computer Services, one of India's largest IT companies.

The software — which operates through a method known as keystroke logging — enabled every character typed on a keyboard to be transmitted to a still-unknown location via the Internet.

Upon its discovery, insiders report, bank officials shut off the data link between Washington and Chennai, India, where Satyam has long operated the bank's sole offshore computer center responsible for all of the bank's financial and human resources information.

Satyam was also banned from any future work with the bank. "I want them off the premises now," Zoellick reportedly told his deputies. But at the urging of CIO De Poerck, Satyam employees remained at the bank as recently as Oct. 1 while it engaged in "knowledge transfer" with two new India-based contractors.

Satyam — one of the largest and most prestigious IT companies in India — is publicly listed on the NYSE and boasts having $2 billion in sales and more than 150 Fortune 500 companies as clients. In 2003, Satyam — it means "truth" in Sanskrit — won a much-heralded and lucrative five-year "sole source" contract to design, write and maintain all of the World Bank's information systems.

The contract — which began at $10 million and grew to more than $100 million by 2007 — was suddenly not renewed this year. Satyam so far declines to comment.

Then came the June-July breaches in Washington. They were similar to the Johannesburg attack, as the same group of IP addresses from Macao were used.

This time, however, the cyber-burglars used a different spyware. They broke into an external server run by the bank's private sector development unit. They were able to acquire passwords — including the password for the systems administrator.

That enabled them to jump into the servers at MIGA, the bank's giant insurance arm. It was there that they captured the security administrator's password as he was logging on to his computer.

It took ten days for bank officials to detect that they'd been invaded. Once they did, they shut down all external servers, except for e-mail — which it turns out the invaders were already using as their entrance point. By the end of July the invaders "had completely mapped out the topography of the bank's information systems," says one expert — "where everything was, the types of servers, and the types of files on the servers."

What the intruders did with all that information is the World Bank's most sensitive and painful mystery. It has clearly left the institution in a highly vulnerable position.

And the same may go for bank president Zoellick. Bank insiders say that he needs desperately to get the security of his own house in order. Despite the vast sums that the Bank spends on data and data storage, its information systems are deeply in disarray.

Today the total cost to maintain the bank's information infrastructure is at least $280 million per year. But according to one disgruntled bank staffer, "We don't even have an internal search engine that works."

The truly alarming fact, however, is that someone — or many people — seem to know their way around the bank's most valuable resource very well, even though they aren't supposed to be there at all.

UPDATE: After FOX News published its story, a World Bank spokesman issued the following statement:

"The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context.

"Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these. But at no point has a hacking attack accessed sensitive information in the World Bank's Treasury, procurement, anti-corruption or human resources departments."

FOX News stands by its story.

from the New York Times, 2008-Aug-12, by John Markoff:

Before the Gunfire, Cyberattacks

Weeks before bombs started falling on Georgia, a security researcher in suburban Massachusetts was watching an attack against the country in cyberspace.

[image caption:] A screen grab of the Georgian Parliament Web site, parliament.ge, which had been defaced by the "South Ossetia Hack Crew." The site's content had been replaced with images comparing Georgian President, Mikheil Saakashvili, to Adolf Hitler. [end image caption]

Jose Nazario of Arbor Networks in Lexington noticed a stream of data directed at Georgian government sites containing the message: “win+love+in+Rusia.”

Other Internet experts in the United States said the attacks against Georgia's Internet infrastructure began as early as July 20, with coordinated barrages of millions of requests — known as distributed denial of service, or D.D.O.S., attacks — that overloaded and effectively shut down Georgian servers.

Researchers at Shadowserver, a volunteer group that tracks malicious network activity, reported that the Web site of the Georgian president, Mikheil Saakashvili, had been rendered inoperable for 24 hours by multiple D.D.O.S. attacks. They said the command and control server that directed the attack was based in the United States and had come online several weeks before it began the assault.

As it turns out, the July attack may have been a dress rehearsal for an all-out cyberwar once the shooting started between Georgia and Russia. According to Internet technical experts, it was the first time a known cyberattack had coincided with a shooting war.

But it will likely not be the last, said Bill Woodcock, the research director of the Packet Clearing House, a nonprofit organization that tracks Internet traffic. He said cyberattacks are so inexpensive and easy to mount, with few fingerprints, they will almost certainly remain a feature of modern warfare.

“It costs about 4 cents per machine,” Mr. Woodcock said. “You could fund an entire cyberwarfare campaign for the cost of replacing a tank tread, so you would be foolish not to.”

Exactly who was behind the cyberattack is not known. The Georgian government blamed Russia for the attacks, but the Russian government said it was not involved. In the end, Georgia, with a population of just 4.6 million and a relative latecomer to the Internet, saw little effect beyond inaccessibility to many of its government Web sites, which limited the government's ability to spread its message online and to connect with sympathizers around the world during the fighting with Russia.

It ranks 74th out of 234 nations in terms of Internet addresses, behind Nigeria, Bangladesh, Bolivia and El Salvador. Cyberattacks have far less impact on such a country than they might on a more Internet-dependent nation, like Israel, Estonia or the United States, where vital services like transportation, power and banking are tied to the Internet.

In Georgia, media, communications and transportation companies were also attacked, according to security researchers. Shadowserver saw the attack against Georgia spread to computers throughout the government after Russian troops entered the Georgian province of South Ossetia. The National Bank of Georgia's Web site was defaced at one point. Images of 20th-century dictators as well as an image of Georgia's president, Mr. Saakashvili, were placed on the site. “Could this somehow be indirect Russian action? Yes, but considering Russia is past playing nice and uses real bombs, they could have attacked more strategic targets or eliminated the infrastructure kinetically,” said Gadi Evron, an Israeli network security expert. “The nature of what's going on isn't clear,” he said.

The phrase “a wilderness of mirrors” usually describes the murky world surrounding opposing intelligence agencies. It also neatly summarizes the array of conflicting facts and accusations encompassing the cyberwar now taking place in tandem with the Russian fighting in Georgia.

In addition to D.D.O.S. attacks that crippled Georgia's limited Internet infrastructure, researchers said there was evidence of redirection of Internet traffic through Russian telecommunications firms beginning last weekend. The attacks continued on Tuesday, controlled by software programs that were located in hosting centers controlled by a Russian telecommunications firms. A Russian-language Web site, stopgeorgia.ru, also continued to operate and offer software for download used for D.D.O.S. attacks.

Over the weekend a number of American computer security researchers tracking malicious programs known as botnets, which were blasting streams of useless data at Georgian computers, said they saw clear evidence of a shadowy St. Petersburg-based criminal gang known as the Russian Business Network, or R.B.N.

“The attackers are using the same tools and the same attack commands that have been used by the R.B.N. and in some cases the attacks are being launched from computers they are known to control,” said Don Jackson, director of threat intelligence for SecureWorks, a computer security firm based in Atlanta.

He noted that in the run-up to the start of the war over the weekend, computer researchers had watched as botnets were “staged” in preparation for the attack, and then activated shortly before Russian air strikes began on Saturday.

The evidence on R.B.N. and whether it is controlled by, or coordinating with the Russian government remains unclear. The group has been linked to online criminal activities including child pornography, malware, identity theft, phishing and spam. Other computer researchers said that R.B.N.'s role is ambiguous at best. “We are simply seeing the attacks coming from known hosting services,” said Paul Ferguson, an advanced threat researcher at Trend Micro, an Internet security company based in Cupertino, Calif. A Russian government spokesman said that it was possible that individuals in Russia or elsewhere had taken it upon themselves to start the attacks.

“I cannot exclude this possibility,” Yevgeniy Khorishko, a spokesman for the Russian Embassy in Washington, said. “There are people who don't agree with something and they try to express themselves. You have people like this in your country.”

“Jumping to conclusions is premature,” said Mr. Evron, who founded the Israeli Computer Emergency Response Team.

from the Wall Street Journal, 2008-Aug-14, p.A6, by Siobhan Gorman:

Cyberattacks on Georgian Web Sites Are Reigniting a Washington Debate

WASHINGTON -- The cyberattacks in Georgia are re-energizing a debate over whether the laws of war apply in cyberspace. Among the biggest questions: When is a cyberattack an act of war?

As Russia continued military actions inside Georgia, in apparent violation of a Tuesday cease-fire agreement, some Georgian government Web sites, including the president's office, remained under attack.

Cyberweapons are becoming a staple of war. The Georgian conflict is perhaps the first time they have been used alongside conventional military action. Governments and private cyberwarriors can exploit Internet security gaps to not only take down government Web sites but also take control of power grids and nuclear reactors.

U.S. officials have begun to consider the legal and policy problems that cyberwarfare presents, but cybersecurity experts said the government has been slow to resolve them in the face of an increasing likelihood that cyberattacks will be used to augment, or even supplant, typical military action.

"We are in a world where governments have not decided yet whether the tools of cyberattacks are weapons," said Scott Borg, director of the U.S. Cyber Consequences Unit, a think tank that advises governments and companies. "We don't have any really clear international understandings about these matters."

The Pentagon doesn't have a policy on whether a cyberattack can be an act of war, said Pentagon spokesman Lt. Col. Eric Butterbaugh, adding, "it's ultimately the perception of the country under attack as to whether an act of war was committed." The Pentagon has, however, assigned its Strategic Command to head up cyberprotection and cybercounter-attack operations.

To begin to develop policies, officials from the U.S. State Department, the Pentagon and intelligence agencies have been tapping the private sector and academia for ideas. They convened a meeting two months ago to bring experts from the private sector together to discuss the foreign-policy implications of cyberwarfare. They considered the similarities between a bioterror attack and a cyberattack and agreed that cybersecurity needs to be seen as a major national security issue.

Among the group's conclusions was that because no government entity is responsible for establishing foreign policy on cyberwarfare, it isn't getting done, said O. Sami Saydjari, president of the Cyber Defense Agency, a consulting firm.

"Everyone was, in an unspoken way, looking forward to the next presidency to try to resolve the ownership issue," he said, noting that he had attended a similar meeting about five years ago.

So far, one policy the U.S. has established is that cyberattack capabilities won't be considered part of arms-control agreements. Russia has repeatedly argued to include it.

After Estonia was hit in 2007 with a cyberattack that disabled many government and bank Web sites, it made a formal request to the North Atlantic Treaty Organization to come to its defense. NATO declined to make a finding on the request, but it did accelerate its work on a common approach to cybersecurity. Earlier this year, the organization approved a cyberdefense policy that establishes a set of common principles recognizing the importance of cyberdefense and directing agencies within NATO to establish a coordinated approach.

The policy doesn't resolve many of the difficult legal and policy issues, such as when a cyberattack is an act of war or when and how NATO allies should retaliate.

"The document is the first, and an important step," said Lauri Almann, Deputy Minister of Defense of Estonia. "What now has to stem from these guidelines and policy documents is concrete action." One key challenge, he said, is the difficulty of attributing the source of the attack. If countries are going to retaliate -- either militarily or with economic sanctions -- they need to be certain that they have the culprit.

Cybersecurity specialists and officials such as Mr. Almann said that the attacks on Georgia, because they were so public, will likely drive government leaders to better align the laws of war to cyberwarfare.

But it isn't clear how Georgia could retaliate. With such "asymmetric" attacks, Mr. Borg said, the government leaders need to decide whether a government can fire back at the country hosting the group believed to be responsible for an attack. "We've entered the cyberdefense era," he said. "It's just as big a transition as entering the nuclear-defense era."

from the New York Times, 2008-Sep-8, by Micheline Maynard:

United Shares Fall on False Bankruptcy Report

Shares of United Airlines lost nearly all their value Monday morning when a false rumor swept financial markets that the struggling carrier had filed for bankruptcy protection.

United shares traded at one cent in late morning on the New York Stock Exchange, down 99.92 percent, or $12.29. Its volume was more than 29 million shares. Trading in United shares was halted at 11:08 a.m., pending news from the company. At the time, shares were still down 27.07 percent, at $8.97.

Earlier, a headline on Bloomberg News that referred to an Income Securities Advisers report said the airline had filed for bankruptcy protection. The report was picked up by industry Web sites, including Briefing.com and the Web site of The Chicago Tribune. I.S.A. is an independent investment and advisory research company.

A spokeswoman for United, Jean Medina, said the report was “completely untrue.” In an e-mail message, Ms. Medina said United would issue a statement shortly.

United spent more than three years in bankruptcy protection earlier this decade, and has struggled in the wake of record fuel costs, posting losses in the first and second quarters.

The airline, which cut jobs and eliminated its pension plans while under bankruptcy protection, has accelerated its cost-cutting this year. Like other airlines, United has announced plans to cut flights and ground aging planes. It will also eliminate 7,000 more positions.

Although some analysts have raised questions about United's long-term outlook, another bankruptcy filing has not appeared to be imminent. Lawyers who were involved in United's case earlier this decade said Monday that they were trying to see if there was any basis for the rumor.

United is in a battle with its pilots' union, which has called for the resignation of its chief executive, Glenn F. Tilton. In turn, United sued pilots this summer, after they staged a slowdown that caused the airline to cancel hundreds of flights in late July.

from the Wall Street Journal, 2008-Sep-8, by Ann Keeton:

UAL Shares Are Buffeted By Incorrect Bankruptcy Report

CHICAGO -- UAL Corp., parent of United Airlines, denied Monday the company had filed for bankruptcy, after six-year-old information reporting on the carrier's previous Chapter 11 filing appeared on some Web sites.

The same story, written by Chicago Tribune reporters, was originally published by the paper on Dec 10, 2002.

Shares of UAL plummeted on the news early Monday, falling as much as 60%. Trading on Nasdaq was halted when the bankruptcy story was revealed as incorrect.

Airline stocks across the board traded lower Monday, as the price of crude oil spiked higher.

United, along with other airlines, is expected to report heavy losses this year, hit by a huge increase in the price of fuel. While crude oil prices have fallen from a high this summer of $147 per barrel, airlines continue to look for ways to cut costs and increase revenue.

Early in 2006, United emerged from a painful three-year reorganization in bankruptcy, the longest in airline history.

from CNNMoney.com, 2008-Sep-8:

UAL ends lower after denying rumors
United Airlines' parent denies speculation about bankruptcy after Nasdaq halts trading.

NEW YORK -- Shares in the parent company of United Airlines fell 11% Monday after being halted on speculation about a bankruptcy filing based on what the company said was a dated news story.

UAL spokeswoman Jean Medina told CNNMoney.com the bankruptcy rumors were "completely untrue."

The Nasdaq shut trading of the airline stock at 11:06 a.m. ET. The plummet seemed especially dramatic, given that the Nasdaq as a whole gained about 1% in morning trading.

At its lowest point, the stock was down 76% to $3 a share, but bargain buying brought the price up to $8.97 right before the Nasdaq shut trading.

UAL (UAUA, Fortune 500) resumed trading at 12:30 p.m. ET. The stock closed at $10.92, down $1.38, or 11.2%.

United issued a statement that the rumors stemmed from the Florida Sun Sentinel's "irresponsible posting" of a Chicago Tribune story from 2002 - the year that United actually did file for bankruptcy. But in the Sun Sentinel posting, the date was changed, United said.

United, which emerged from bankruptcy in 2006, said it "demanded a retraction from the Sun Sentinel and is launching an investigation."

"United continues to execute its previously announced business plan to successfully navigate through an environment marked by volatile fuel prices and continues to have strong liquidity," United said in a press release.

A statement on the Web site of Tribune Co., parent of the Tribune and Sun-Sentinel: "We have been informed that a 2002 Chicago Tribune news report about United Airlines' financial condition was picked up and circulated on the Internet Monday morning. The story is not current. We are looking into the situation."

from Bloomberg via the New York Times, 2008-Sep-9:

Paper Concedes Outdated Link

The Tribune Company said Tuesday that a link to the six-year-old article on the UAL Corporation's 2002 bankruptcy filing had appeared on the South Florida Sun-Sentinel's Web site before another news organization mistakenly presented the article as new.

Traffic in the newspaper's database pushed a link to the old article to the most-viewed section of the Web site's business page early on Sept. 7 and it was picked up by a Google search agent, Tribune said.

Tribune said on Monday that the article had never appeared on the Web site. An erroneous report from Income Securities Advisors Inc. caused a 76 percent drop in shares of UAL, the parent of United Airlines, before trading was halted Monday. An Income Securities summary appeared on the Bloomberg terminal, and Bloomberg News published its own headline before correcting it. UAL, based in Chicago, issued a statement Monday to assure investors it had not filed for bankruptcy.

United demanded a retraction from The Sun-Sentinel and said it was beginning an investigation. Tribune owns The Chicago Tribune and The Sun-Sentinel, which is based in Fort Lauderdale, Fla.

from the Boston Herald, 2008-Aug-11, by O'Ryan Johnson:

MIT student defends MBTA hacking research

One of the MIT computer hackers who uncovered flaws in the CharlieCard system that would let passengers swipe free rides said he and his classmates offered to show T officials how to fix the problem, but instead were hauled into court and barred from speaking about their work.

“We made first contact,” said Zack Anderson, 21, a Los Angeles native, who majors in electronic engineering and computer science. “We wanted to let them know what we found and we wanted to tell them some ideas we had on how they could fix that system ... We felt like the issue was resolved. That was verbally affirmed in a Monday meeting. Then Friday we find out there's a federal lawsuit against us.”

On Saturday morning, federal Judge Douglas Woodlock granted the MBTA a restraining order that blocked Anderson and classmates R.J. Ryan and Alessandro Chiesa from presenting their A-graded paper at DEFCON 16, an annual hackers conference in Las Vegas.

Civil libertarians and the students' lawyers quickly assailed the order as a blatant attack on free speech.

Jennifer Granick, a lawyer with the Electronic Frontier Foundation, which is representing the students, said in siding with the MBTA, Woodlock wrongly applied to speech a federal computer crime statute used to prevent transmitting harmful programs from one computer to another.

“The statute is meant to stop people from committing computer fraud and abuse, not to stop people from talking about computers,” she said. “These conferences are populated with people from Google, Microsoft, Cisco, wanting to collect information about security vulnerabilities that might exist in their systems. If you don't let this information be discussed, the attackers are going to research it, but no legitimate person is going to talk about it.”

MBTA spokeswoman Lydia Rivera said the 10-day injunction will give experts time to examine the students' research to see if they indeed discovered how to get free rides.

“The injunction prevents them from disclosing ways to hack into the system,” Rivera said. “It's a preventive matter for us.”

Anderson said the flaws he and his classmates used to exploit the MBTA's CharlieCard are still there, whether the agency conceals them or not.

“If you're designing a system, you have to know how to find its weaknesses,” Anderson said. “If you don't know how to break a system, you can't fix it. What DEFCON is all about is spreading knowledge to improve security.”

from the Boston Herald, 2008-Jun-16, by Laurel J. Sweet:

Probe shows kiddie porn rap was bogus

A child porn possession charge lodged against a Department of Industrial Accidents investigator fired for having smut on his state-issued laptop has been dismissed because experts concluded he was unwittingly spammed.

“The overall forensics of the laptop suggest that it had been compromised by a virus,” said Jake Wark, spokesman for Suffolk District Attorney Daniel Conley.

Nationally recognized computer forensic analyst Tami Loehrs told the Herald Michael Fiola's ordeal was “one of the most horrific cases I've seen.”

“As soon as you mention child pornography, everybody's senses go out the window,” she said.

Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye.

Two forensic examinations conducted by the state Attorney General's Office for the prosecution concurred with that conclusion, Wark said.

Still, Fiola, 53, whom his wife, Robin, described as “computer-illiterate,” wants his day in court. He intends to sue the DIA for “destroying our lives.”

“Our lives have been hell,” said Fiola, a former state park ranger now living in Rhode Island. “I hope to recover my reputation, but our friends all ran.”

DIA spokeswoman Linnea Walsh confirmed Fiola “was terminated,” but declined to say if any internal discipline has been meted out as a result of his name being cleared in court.

“We stand by our decision,” she said.

Fiola's attorney Timothy Bradl is at a loss to understand why.

“Imagine this scenario: Your employer gives you a ticking time bomb full of child porn, and then you get fired, and then you get prosecuted as some kind of freak,” he railed.

“Anybody who has a work laptop, this could happen to,” he said. “Mike Fiola is a hunt-and-peck kind of computer guy. He can barely get on the Internet.”

Fiola's troubles began in November 2006 when, seven years into a job probing workers' compensation fraud, DIA gave him a replacement laptop for one that was stolen.

Months later, DIA information technology officials noted that the data usage on Fiola's Verizon wireless bill was 4 times greater than his colleagues'. After discovering the child porn, Commissioner Paul Buckley fired him on March 14, 2007.

DIA turned the matter over to state police who, after confirming “an overwhelming amount of images of prepubescent children engaged in pornographic poses” were stored on the laptop, persuaded Boston Municipal Court to issue a criminal complaint against Fiola in August 2007.

After poring over the laptop, Loehrs reported to the court “with 100-percent certainty that the laptop was compromised by numerous viruses and trojans, and may have been hacked by outside sources.”

“There is no evidence to support the claim that Michael Fiola was responsible for any of the pornographic activity,” she wrote.

All the porn, she said, was located in the laptop's cache, a computer feature that stores copies of Web pages. Consistently, Loehrs' findings noted, there was “no apparent origin or user interaction preceding the pornographic activity,” some of which was downloaded “fast and furious.”

Wark said Fiola's case was officially expunged from the court Tuesday.

from TheRegister.co.uk, 2008-Jun-27, by Dan Goodin:

Ankle-biting hackers storm net's overlords, hijack their domains
IANA and ICANN succumb to NetDevilz

San Francisco -- The websites of two of the net's most critical oversight organizations were hijacked by Turkish hackers who sent visitors to rogue pages that challenged the overseers' authority.

Some of the official domains for the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Assigned Numbers Authority (IANA) were temporarily under the control of a group that calls itself NetDevilz, according to zone-h, which tracks hijackings of individual websites. Specific domains that were hijacked included "icann.com," "icann.net," "iana.com" and "iana-servers.com."

People who tried to visit the sites were greeted with a message that read: "You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us?"

This may have come as something of a shock to the principals of IANA and ICANN, which have authority over some of the net's most critical functions. IP address allocation, management of the domain name system's root zone servers and oversight over the way domain names are registered and maintained are just a few of them.

That a group calling itself NetDevilz could even temporarily take control of the websites underscores the tentativeness of law and order on the net. Over the past six months millions of web pages, many belonging to Fortune 500 companies and government agencies throughout the world, have also been compromised through a technique known as SQL injection.

An ICANN spokesman said the redirection was corrected within 20 minutes and that an investigation is ongoing at its registrar to figure out how DNS records got changed. Representatives from IANA weren't reachable.

NetDevilz recently commandeered the website for popular photo-sharing site Photobucket, and last month pranksters briefly took control of Comcast's website. According to this post by researcher Dancho Danchev, NetDevilz carried out their latest feat using a single fraudulent email that instructed engineers to update DNS records for the organizations' domains. The IP address used to host the rogue pages was the same one used in last week's Photobucket incident.

The hijackings come a day after ICANN announced a landmark decision to create customized top-level domains, a move that will broaden the supply of generic extensions such as .com and .org to include a seemingly infinite supply of words.

from USA Today, 2008-Jun-24, by Mary Brophy Marcus:

Research finds more electronic interference in hospitals

Hospital hallways are covered with warnings to silence mobile phones, which can interfere with medical equipment. It appears other devices commonly used in hospitals might have the same effect on critical-care medical equipment, new research suggests.

A study in today's Journal of the American Medical Association reports that radio frequency identification devices (RFIDs) — commonly used in security cards, blood bag tags and even surgical sponges — may cause ventilators and other lifesaving hospital equipment to malfunction.

Researchers from the Netherlands tested the effect two types of RFIDs had on 41 kinds of medical equipment, including pacemakers, mechanical ventilators, defibrillators, monitors and anesthesia devices.

The tests were conducted at varying distances in a one-bed, patient-free room in an intensive-care unit.

Out of 123 tests for electromagnetic interference between RFIDs and medical devices, 34 instances of interference occurred. In those cases, the midpoint between reader and device was less than a foot. Among the hazardous incidences, a mechanical ventilator switched off, a syringe pump stopped, and an external pacemaker malfunctioned.

The study authors were not surprised by the results. "We suspected there would be interference," says co-author Erik Jan van Lieshout, a critical-care physician at the Academic Medical Centre of the University of Amsterdam in the Netherlands.

The results are worth noting, but the methodology was not ideal, says Donald Berwick, president and CEO of the Institute for Healthcare Improvement in Cambridge, Mass. Berwick, who wrote an editorial in the same issue of JAMA, says more research is needed, and soon.

"To get a true understanding of the interference these devices might cause in a real critical-care unit, you need to conduct the study with patients present," Berwick says.

But van Lieshout says that type of testing could be risky: "It would have been foolish to do this type of study with patients because it could endanger them."

RFID and related technologies are invaluable to emergency departments for tracking patient location, treatments and tests, says Brian Keaton, chairman of the board of the American College of Emergency Physicians and an attending physician in the department of emergency medicine at Summa Health System in Akron, Ohio.

But Keaton agrees with Berwick that more research is necessary. "We don't want to throw the baby out with the bath water. We just want to control the temperature of the bath water and protect the baby," he says.

Study author van Lieshout says he hopes medical equipment makers will create protective technologies to shield their products from interfering signals.

from the Washington Post, 2008-Jun-11, by Sandhya Somashekhar:

'Several' Government Computers Attacked by Chinese Hackers

Rep. Frank R. Wolf (R-Va.) today called for better measures to protect government computers and cellphones from cyber attacks by foreign governments, after revealing that computers in his office and those of "several others" on Capitol Hill have been targeted by hackers in China.

Wolf, a champion for human rights in China and elsewhere, said in a news conference today that authorities investigated the attacks on four of his computers in August 2006 and traced them to a computer in China. The hackers, he said, gained access to sensitive information about the identities and locations of Chinese dissidents, among other data.

"That kind of information as well as everything else on my office computer -- e-mails, memos, correspondence, district case work -- was open to outside [eyes]," he said.

Rep. Christopher H. Smith (R-N.J.), another vocal critic of China's human rights record who appeared with Wolf to announce the breach and some companion legislation, said he was targeted by Chinese hackers twice and that the sophistication of the attacks and the kind of information retrieved suggests that the government may have been behind them.

"The Internet can be used as a terror weapon. It can be used as a disinformation apparatus," Smith said. "And nobody has done that more expertly than the Chinese government."

Neither Wolf nor Smith would name others who had been the subject of similar attacks. Wolf said there may be many who are not aware that hackers have gained access to their machines, and urged everyone on the Hill to have their computers investigated for signs of breaches.

The FBI, which Wolf said conducted the investigation on his computers, and a spokesman for the Chinese embassy in Washington could not be reached.

Wolf has sponsored a resolution, scheduled for discussion this afternoon, calling for better education for members of Congress about the dangers of cyber attacks in the United States and abroad.

Wolf's resolution calls for the chief administrative officer and sergeant at arms of the House, in consultation with the FBI, to alert House members and their staffs to the danger of electronic attacks. He also wants lawmakers to be fully briefed on ways to safeguard official records from electronic security breaches.

from the New York Times, 2008-May-9, by John Markoff:

F.B.I. Says the Military Had Bogus Computer Gear

SAN FRANCISCO — Counterfeit products are a routine threat for the electronics industry. However, the more sinister specter of an electronic Trojan horse, lurking in the circuitry of a computer or a network router and allowing attackers clandestine access or control, was raised again recently by the F.B.I. and the Pentagon.

The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States. Over the two-year operation, 36 search warrants have been executed, resulting in the discovery of 3,500 counterfeit Cisco network components with an estimated retail value of more than $3.5 million, the F.B.I. said in a statement.

The F.B.I. is still not certain whether the ring's actions were for profit or part of a state-sponsored intelligence effort. The potential threat, according to the F.B.I. agents who gave a briefing at the Office of Management and Budget on Jan. 11, includes the remote jamming of supposedly secure computer networks and gaining access to supposedly highly secure systems. Contents of the briefing were contained in a PowerPoint presentation leaked to a Web site, Above Top Secret.

A Cisco spokesman said that the company had investigated the counterfeit gear seized by law enforcement agencies and had not found any secret back door.

“We did not find any evidence of re-engineering in the manner that was described in the F.B.I. presentation,” said John Noh, a Cisco spokesman. He added that the company believed the counterfeiters were interested in copying high volume products to make a quick profit. “We know what these counterfeiters are about.”

An F.B.I. spokeswoman, Catherine L. Milhoan, said the agency was not suggesting that the Chinese government was involved in the counterfeiting ring. “We worked very closely with the Chinese government,” she said. Arrests have been made in China as part of the investigation, she said. “The existence of this document shows that the cyber division of the F.B.I. has growing concerns about the production and distribution of counterfeit network hardware.”

Despite Cisco's reassurance, a number of industry executives and technologists said that the threat of secretly added circuitry intended to subvert computer and network gear is real.

“There are enormous vulnerabilities in our defense and national security infrastructure,” said Peter Levin, a former Clinton administration official who is chief executive of DAFCA, a Framingham, Mass., company that designs systems to prevent malicious tampering with computer chips. “We outsource the manufacturing of computer integrated circuits to places that can manufacture these devices cheaply.”

Last month, the Pentagon's Defense Advanced Research Projects Agency began distributing chips with hidden Trojan horse circuitry to military contractors who are participating in the agency's Trusted Integrated Circuits program. The goal is to test forensic techniques for finding hidden electronic trap doors, which can be maddeningly elusive. The agency is not yet ready to announce the results of the test, according to Jan Walker, a spokeswoman for the agency.

The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor by altering the data file on a chip with nearly 1.8 million circuits used in automated manufacturing equipment.

The researchers were able to create a stealth system that would allow them to automatically log in to a computer and steal passwords. The danger of such hidden circuitry is that it could potentially undermine the strongest computer security protections by essentially giving an attacker a secret key to gain access to a network or a computer.

“It's very difficult to detect and discover these issues,” said Ted Vucurevich, the chief technology officer of Cadence Design Systems, a company that provides design tools for chip makers. “That was one of the reasons” for the testing program.

Modern integrated circuits have billions of components, he said: “Adding a small number that do particular functions in particular cases is incredibly hard to detect.”

The potential threat of secret hardware-based backdoors or kill switches has been discussed for several decades. For example, the issue came up during the 1980s with a Swiss cryptography company, Crypto, which has been under suspicion of having installed back doors in its systems to give the National Security Agency access to encoded messages.

The issue was raised again during the first Iraq war and more recently in the Israeli bombing of a suspected Syrian nuclear plant. In both cases there has been speculation that booby-trapped antiaircraft equipment had been remotely turned off.

from the New York Times, 2008-Feb-26, by Brad Stone, with Miguel Helft contributing reporting:

Pakistan Cuts Access to YouTube Worldwide

SAN FRANCISCO — YouTube was back up two hours after Pakistan, in an act of information provincialism, inadvertently made the video-sharing site inaccessible to users around the world Sunday afternoon.

The blackout left network administrators and Internet activists wondering on Monday how Pakistan's actions, meant to restrict only its own citizens from accessing YouTube, could have such widespread reverberations — and whether such a disruption could be reproduced by someone with more malicious intent.

The incident began Friday, according to reports, when the Pakistani government of Pervez Musharraf became worried that a video clip attacking Islam might generate widespread unrest among its Muslim population. The government asked the Pakistan Telecommunication Authority, which oversees the country's Internet providers, to cut off access to YouTube for the country's estimated 8.2 million Internet users.

That action is not unusual. China, Morocco and Turkey have all reacted to potentially risky material posted to YouTube by blocking access to the site within their borders.

But two critical errors allowed Pakistan's action to echo around the globe for at least a brief period on Sunday afternoon, according to Martin A. Brown, a data engineer at the Renesys Corporation, an Internet monitoring company, which posted a timeline of the incident on its Web site.

As part of its effort to block YouTube within the country, Pakistan Telecom created a dummy route that essentially discarded YouTube traffic, sending it into what Internet experts call a black hole.

Pakistan Telecom then made an error by announcing that dummy route to its own telecommunications partner, PCCW, based in Hong Kong, shortly before noon New York time on Sunday, according to Renesys.

PCCW then made a second error, accepting that dummy route for YouTube and relaying it to other Internet providers around the world.

Internet service providers now had two conflicting online “roads” leading to YouTube. But because an important online protocol called Border Gateway Protocol favors longer routing addresses — they are thought to be more specific — at least 97 major Internet providers and thousands of smaller ones chose the dummy route, Pakistan's black hole.

About 1 p.m. Sunday, according to the Renesys timeline, YouTube began working to correct the error, in part by telling Internet service providers that they should direct traffic around Pakistan's dummy route. YouTube has removed the video clip that had concerned Pakistani officials.

In a statement Monday morning, YouTube addressed the situation. “For about two hours, traffic to YouTube was routed according to erroneous Internet protocols, and many users around the world could not access our site,” said a YouTube spokesman, Ricardo Reyes. “We have determined that the source of these events was a network in Pakistan. We are investigating and working with others in the Internet community to prevent this from happening again.”

Steven M. Bellovin, a professor of computer science at Columbia, said the same Internet routing flaw had been exploited in the past by spammers and other ne'er-do-wells, but he worried it could be more widely used now.

“If it's a big site that's affected, it will be spotted and dealt with within an hour or so, as happened this time,” he wrote in an e-mail message. “If it's a small site, it might take a lot longer to find someone who would think to look at this.”

Professor Bellovin said that efforts to upgrade Border Gateway Protocol within Internet standards organizations were moving slowly and that he was not optimistic improvements could be made quickly unless such incidents became more common.

Craig Aaron, communications director at Free Press, an Internet rights organization based in Washington, said the organization was worried that the tactic could be used to stifle free speech online.

“Maybe this Pakistan instance was an anomaly,” he said, “but it certainly should be raising alarms that we should be paying a lot more attention to our international Internet security.”
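
The route selection described in the article above, as an added example that is not part of the original article or the Renesys timeline: a longest-prefix-match table, a monitor that flags a more-specific announcement from an unexpected origin, and the import filter an upstream could have applied before relaying the route. All prefixes and AS numbers are constructed documentation values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and documentation
# AS numbers (RFC 5398). None of these values come from the incident itself.
SITE_PREFIX = "203.0.113.0/24"          # hypothetical prefix announced by the site
SITE_AS = 64496                         # hypothetical origin AS of the site
LEAKED_PREFIX = "203.0.113.0/25"        # hypothetical dummy route, one bit longer
LEAKING_AS = 64511                      # hypothetical AS that leaked the dummy route
LEAKING_AS_SPACE = ["198.51.100.0/24"]  # address space the leaking AS really holds

# Prefixes the site operator monitors, with the origins allowed to announce them.
MONITORED = {ipaddress.ip_network(SITE_PREFIX): {SITE_AS}}


class RouteTable:
    """Minimal forwarding table that selects routes by longest prefix match."""

    def __init__(self):
        self.routes = {}  # network -> origin AS

    def announce(self, prefix, origin_as):
        self.routes[ipaddress.ip_network(prefix)] = origin_as

    def lookup(self, address):
        """Return (network, origin_as) of the most specific covering route."""
        addr = ipaddress.ip_address(address)
        matches = [(net, asn) for net, asn in self.routes.items() if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)


def classify(prefix, origin_as, monitored=MONITORED):
    """Classify an observed announcement against the monitored prefixes."""
    net = ipaddress.ip_network(prefix)
    for ours, origins in monitored.items():
        if net.version != ours.version:
            continue
        if net == ours:
            return "ok" if origin_as in origins else "origin-mismatch"
        if net.subnet_of(ours):
            # A longer prefix inside ours wins route selection everywhere it
            # is accepted, so an unexpected origin here is the dangerous case.
            return "ok" if origin_as in origins else "more-specific-hijack"
    return "unrelated"


def upstream_accepts(prefix, customer_space):
    """Import filter for an upstream: accept a customer's announcement only
    if it falls inside address space registered to that customer."""
    net = ipaddress.ip_network(prefix)
    for block in map(ipaddress.ip_network, customer_space):
        if net.version == block.version and net.subnet_of(block):
            return True
    return False


def replay(filter_at_upstream):
    """Replay the leak with or without the upstream import filter.

    Returns (origin chosen for an address inside the leaked /25,
             origin chosen for an address outside it,
             monitor alerts raised).
    """
    table = RouteTable()
    table.announce(SITE_PREFIX, SITE_AS)
    alerts = []
    relayed = (not filter_at_upstream
               or upstream_accepts(LEAKED_PREFIX, LEAKING_AS_SPACE))
    if relayed:
        table.announce(LEAKED_PREFIX, LEAKING_AS)
        verdict = classify(LEAKED_PREFIX, LEAKING_AS)
        if verdict != "ok":
            alerts.append(verdict)
    inside = table.lookup("203.0.113.10")[1]
    outside = table.lookup("203.0.113.200")[1]
    return inside, outside, alerts


if __name__ == "__main__":
    print("unfiltered:", replay(filter_at_upstream=False))
    print("filtered:  ", replay(filter_at_upstream=True))
```

Without the filter, only addresses covered by the longer prefix are diverted, which is why a monitor has to watch for sub-prefixes of its own space and not just for its exact prefix.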

from the Financial Times of London, 2007-Sep-3, by Demetri Sevastopulo in Washington and Richard McGregor in Beijing:

Chinese military hacked into Pentagon

The Chinese military hacked into a Pentagon computer network in June in the most successful cyber attack on the US defence department, say American officials.

The Pentagon acknowledged shutting down part of a computer system serving the office of Robert Gates, defence secretary, but declined to say who it believed was behind the attack.

Current and former officials have told the Financial Times an internal investigation has revealed that the incursion came from the People's Liberation Army.

One senior US official said the Pentagon had pinpointed the exact origins of the attack. Another person familiar with the event said there was a “very high level of confidence...trending towards total certainty” that the PLA was responsible. The defence ministry in Beijing declined to comment on Monday.

Angela Merkel, Germany's chancellor, raised reports of Chinese infiltration of German government computers with Wen Jiabao, China's premier, in a visit to Beijing, after which the Chinese foreign ministry said the government opposed and forbade “any criminal acts undermining computer systems, including hacking”.

“We have explicit laws and regulations in this regard,” said Jiang Yu, from the ministry. “Hacking is a global issue and China is frequently a victim.”

George W. Bush, US president, is due to meet Hu Jintao, China's president, on Thursday in Australia prior to the Apec summit.

The PLA regularly probes US military networks – and the Pentagon is widely assumed to scan Chinese networks – but US officials said the penetration in June raised concerns to a new level because of fears that China had shown it could disrupt systems at critical times.

“The PLA has demonstrated the ability to conduct attacks that disable our system...and the ability in a conflict situation to re-enter and disrupt on a very large scale,” said a former official, who said the PLA had penetrated the networks of US defence companies and think-tanks.

Hackers from numerous locations in China spent several months probing the Pentagon system before overcoming its defences, according to people familiar with the matter.

The Pentagon took down the network for more than a week while the attacks continued, and is to conduct a comprehensive diagnosis. “These are multiple wake-up calls stirring us to levels of more aggressive vigilance,” said Richard Lawless, the Pentagon's top Asia official at the time of the attacks.

The Pentagon is still investigating how much data was downloaded, but one person with knowledge of the attack said most of the information was probably “unclassified”. He said the event had forced officials to reconsider the kind of information they send over unsecured e-mail systems.

John Hamre, a Clinton-era deputy defence secretary involved with cyber security, said that while he had no knowledge of the June attack, criminal groups sometimes masked cyber attacks to make it appear they came from government computers in a particular country.

The National Security Council said the White House had created a team of experts to consider whether the administration needed to restrict the use of BlackBerries because of concerns about cyber espionage.

from IDG News Service via PC World, 2008-Jan-19, by Robert McMillan:

CIA Says Hackers Have Cut Power Grid
Several cities outside the U.S. have sustained attacks on utility systems and extortion demands.

Criminals have been able to hack into computer systems via the Internet and cut power to several cities, a U.S. Central Intelligence Agency analyst said this week.

Speaking at a conference of security professionals on Wednesday, CIA analyst Tom Donahue disclosed the recently declassified attacks while offering few specifics on what actually went wrong.

Criminals have launched online attacks that disrupted power equipment in several regions outside of the U.S., he said, without identifying the countries affected. The goal of the attacks was extortion, he said.

"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands," he said in a statement posted to the Web on Friday by the conference's organizers, the SANS Institute. "In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

"According to Mr. Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure," SANS said in the statement.

One conference attendee said the disclosure came as news to many of the government and industry security professionals in attendance. "It appeared that there were a lot of people who didn't know this already," said the attendee, who asked not to be identified because he is not authorized to speak with the press.

He confirmed SANS' report of the talk. "There were apparently a couple of incidents where extortionists cut off power to several cities using some sort of attack on the power grid, and it does not appear to be a physical attack," he said.

Hacking the power grid made front-page headlines in September when CNN aired a video showing an Idaho National Laboratory demonstration of a software attack on the computer system used to control a power generator. In the demonstration, the smoking generator was rendered inoperable.

The U.S. is taking steps to lock down the computers that manage its power systems, however.

On Thursday, the Federal Energy Regulatory Commission (FERC) approved new mandatory standards designed to improve cybersecurity.

CIA representatives could not be reached immediately for comment.

from the Washington Post, 2008-Jan-19, p.A4, by Ellen Nakashima and Steven Mufson:

Hackers Have Attacked Foreign Utilities, CIA Analyst Says

In a rare public warning to the power and utility industry, a CIA analyst this week said cyber attackers have hacked into the computer systems of utility companies outside the United States and made demands, in at least one case causing a power outage that affected multiple cities.

"We do not know who executed these attacks or why, but all involved intrusions through the Internet," Tom Donahue, the CIA's top cybersecurity analyst, said Wednesday at a trade conference in New Orleans.

Donahue's comments were "designed to highlight to the audience the challenges posed by potential cyber intrusions," CIA spokesman George Little said. The audience was made up of 300 U.S. and international security officials from the government and from electric, water, oil and gas companies, including BP, Chevron and the Southern Co.

"We suspect, but cannot confirm, that some of the attackers had the benefit of inside knowledge," Donahue said. He did not specify where or when the attacks took place, their duration or the amount of money demanded. Little said the agency would not comment further.

The remarks come as cyber attackers have made increasingly sophisticated intrusions into corporate computer systems, costing companies worldwide more than $20 billion each year, according to some estimates.

Cyber extortion is a growing threat in the United States, and attackers have radically increased their take from online gambling sites, e-commerce sites and banks, which pay the money to prevent sites from being shut down and to keep the public from knowing their sites have been penetrated, said Alan Paller, research director at the SANS Institute, the cybersecurity education group that sponsored the meeting.

"The CIA wouldn't have changed its policy on disclosure if it wasn't important," Paller said. "Donahue wouldn't have said it publicly if he didn't think the threat was very large and that companies needed to fix things right now."

Over the past year to 18 months, there has been "a huge increase in focused attacks on our national infrastructure networks, . . . and they have been coming from outside the United States," said Ralph Logan, principal of the Logan Group, a cybersecurity firm.

It is difficult to track the sources of such attacks, because they are usually made by people who have disguised themselves by worming into three or four other computer networks, Logan said. He said he thinks the attacks were launched from computers belonging to foreign governments or militaries, not terrorist groups.

Over the past 10 years, electric utilities, pipelines, railroads and oil companies have used remotely controlled and monitored valves, switches and other mechanisms. This has resulted in substantial savings in manpower and other costs.

But to do that, the companies have installed wireless Internet connections to link the devices to central offices.

"In the past, if they wanted to go out and read a gauge on a gas well, for example, they would have to send a technician in his vehicle; he would drive 100 miles and physically read the gauge and get back in his truck," Logan said. "Now they can read it from headquarters. But it allows attackers a gateway into the system."

In addition, within the companies' main offices, control equipment can be accessed from more computers than in the past.

The electric utility industry has also been adding software that allows more coordination among different parts of the electricity grid and will ultimately allow utilities and individuals to control devices remotely. This is a central part of what many firms call the "utility of the future," which will be better able to save energy and reduce greenhouse gas emissions.

"Often there are authentication methods that are less than secure," Logan said. "Sometimes there are no authentication methods."

On Thursday, the Federal Energy Regulatory Commission approved eight cybersecurity standards for electric utilities. They involve identity controls, training, security "perimeters," physical security of critical cyber equipment, incident reporting and recovery.

The U.S. electricity grid has always been vulnerable to outages. "Cybersecurity is a different kind of threat, however," Joseph T. Kelliher, the commission's chairman, said in a statement this week. "This threat is a conscious threat posed by a single hacker, or even an organized group that may be deliberately trying to disrupt the grid."

from TheInquirer.net, 2007-Oct-1, by "Wily Ferret":

Windows Update update screws updating
Stealth bomber

THE VOLE HAS ADMITTED that a flaw in its Windows XP repair system will permanently screwball systems and prevent them from updating to the latest security patches.

Earlier this year, Microsoft pushed out what is being termed a 'stealth update' to Windows Update. Normally, users are asked via the Update system what new patches, security fixes and the like to install and are prompted to install and reboot. However, this fix - which was to the Update system itself - was a stealth push from Microsoft, and installed under the radar.

However, it turns out that any system subsequently suffering a problem of any kind that requires the use of the Windows 'repair' function in installation will be locked out from Windows Update. Because the stealth update modifies original Windows files, attempting the repair will nix the fix and cause Windows Update to hang - thus preventing users from staying up to date.

Sure, you can go in and manually hack the Registry to get the whole thing to start working again - but this is hardly an ideal solution.

There's been no official Microsoft response on the issue so far, but many sysadmins are wondering why Windows Update needed to be patched in the first place, especially in this stealthy manner.

from ZDnet's Zero Day blog, 2007-Mar-2, by Ryan Naraine:

Hardware-based rootkit detection proven unreliable

For years, we've been convinced by companies like Komoku and BBN Technologies that hardware-based RAM acquisition is the most reliable and secure way to sniff out the presence of a sophisticated rootkit on a compromised machine.

Not so fast, says Joanna Rutkowska, a security researcher at COSEINC Malware Labs.

Rutkowska, an elite hacker who specializes in offensive rootkit research, has found several ways to manipulate the results given to hardware-based solutions (PCI cards or FireWire bus).

At this year's Black Hat DC conference, Rutkowska demonstrated three different attacks against AMD64 based systems, showing how the image of volatile memory (RAM) can be made different from the real contents of the physical memory as seen by the CPU.

Rutkowska's research, though purely theoretical, underscores the need for multiple solutions (hardware and software) to work in tandem during forensics. It also highlights just how scary the threat from sophisticated rootkits can be. If, as Rutkowska proved, forensic examiners cannot rely on images collected from RAM, then it's basically game over.

Jamie Butler, a rootkit guru who works with software- and hardware-based anti-rootkit tools, said he was "very impressed" with Rutkowska's presentation. "We already know that software isn't reliable and now we know that you really can't trust the hardware either. You really need to combine both and, even then, you just never know," Butler said.

"I really don't want to meet the attacker who is at that level," he said. "That is scary stuff," Butler said, referring to the techniques used during Rutkowska's presentation.

In three different scenarios, Rutkowska showed how an attacker can crash a machine during memory acquisition. In this case, it would be a denial-of-service against the forensics examiner looking to find traces of malware on a hijacked machine.

She also described a "covering attack" where the malware is programmed to present garbage data to the hardware trying to read physical memory.

A third scenario is what Rutkowska described as a "full replacing attack" where the malware author not only hides malicious code from the memory acquisition tool but actually provides arbitrary/fake content to the examiner.

The overall problem, Rutkowska explained, is the design of the system that makes it impossible to reliably read memory from computers. "Maybe we should rethink the design of our computer systems so they are somehow verifiable," she said.

Rutkowska suggests that hardware vendors come up with a special "auditing" interface dedicated only to memory acquisition.

"I'm thinking about motherboard manufacturers adding a special port which would allow for *direct* (this time really "direct") access to RAM and potentially some other critical resources like e.g. CPU system registers and maybe even caches," she said.

Here are the slides from Rutkowska's presentation (PDF).

from Defense Industry Daily, 2007-Mar-1:

F-22 Squadron Shot Down by the International Date Line

Aircraft software can be serious business. DID's F-22A Raptor FOCUS Article mentioned recent flight software problems that delayed the aircraft's first foreign deployment from Hickam AFB in Hawaii to Kadena AFB, Japan.

What we didn't mention at the time is how serious the problem was, and how dependent on computers modern aircraft - including military aircraft - have become. What follows are relevant excerpts from a CNN transcript on February 24, 2007 that covered a number of unrelated issues. We've cut that out, and left only the F-22 related section... transcript...

Maj. Gen. Don Shepperd (ret.): "...At the international date line, whoops, all systems dumped and when I say all systems, I mean all systems, their navigation, part of their communications, their fuel systems. They were -- they could have been in real trouble. They were with their tankers. The tankers - they tried to reset their systems, couldn't get them reset. The tankers brought them back to Hawaii. This could have been real serious. It certainly could have been real serious if the weather had been bad. It turned out OK. It was fixed in 48 hours. It was a computer glitch in the millions of lines of code, somebody made an error in a couple lines of the code and everything goes."

[snip]

SHEPPERD: Absolutely. When you think of airplanes from the old days, with cables and that type of thing and direct connections between the sticks and the yokes and the controls, not that way anymore. Everything is by computer. When your computers go, your airplanes go. You have multiple systems. When they all dump at the same time, you can be in real trouble. Luckily this turned out OK.

John Roberts, CNN anchor: What would have happened General Shepperd if these brand-new $120 million F-22s had been going into battle?

SHEPPERD: You would have been in real trouble in the middle of combat. The good thing is that we found this out. Any time -- before, you know, before we get into combat with an airplane like this. Any time you introduce a new airplane, you are going to find glitches and you are going to find things that go wrong. It happens in our civilian airliners. You just don't hear much about it but these things absolutely happen. And luckily this time we found out about it before combat. We got it fixed with tiger teams in about 48 hours and the airplanes were flying again, completed their deployment. But this could have been real serious in combat.

ROBERTS: So basically you had these advanced air -- not just superiority but air supremacy fighters that were in there, up there in the air, above the Pacific Ocean, not much more sophisticated than a little Cessna 152 only with a jet engine.

SHEPPERD: You got it. They are on a 12 to 15-hour flight from Hawaii to Okinawa, but all their systems dumped. They needed help. Had they gotten separated from their tankers or had the weather been bad, they had no attitude reference. They had no communications or navigation. They would have turned around and probably could have found the Hawaiian Islands. But if the weather had been bad on approach, there could have been real trouble. Again, you get refueling from your tankers. You don't run -- you don't get yourself where you run out of fuel. You always have enough fuel and refueling nine, 10, 11, 12 times on a flight like this where you can get somewhere to land. But again, attitude reference and navigation are essential as is communication. In this case all of that was affected. It was a serious problem.

from Forbes.com, 2006-Nov-13, by Bruce Schneier:

Did Your Vote Get Counted?

Last week in Florida's 13th Congressional district, the victory margin was only 386 votes out of 153,000. There'll be a mandatory lawyered-up recount, but it won't include the almost 18,000 votes that seem to have disappeared. The electronic voting machines didn't include them in their final tallies, and there's no backup to use for the recount. The district will pick a winner to send to Washington, but it won't be because they are sure the majority voted for him. Maybe the majority did, and maybe it didn't. There's no way to know.

Electronic voting machines represent a grave threat to fair and accurate elections, a threat that every American--Republican, Democrat or independent--should be concerned about. Because they're computer-based, the deliberate or accidental actions of a few can swing an entire election. The solution: Paper ballots, which can be verified by voters and recounted if necessary.

To understand the security of electronic voting machines, you first have to consider election security in general. The goal of any voting system is to capture the intent of each voter and collect them all into a final tally. In practice, this occurs through a series of transfer steps. When I voted last week, I transferred my intent onto a paper ballot, which was then transferred to a tabulation machine via an optical scan reader; at the end of the night, the individual machine tallies were transferred by election officials to a central facility and combined into a single result I saw on television.

All election problems are errors introduced at one of these steps, whether it's voter disenfranchisement, confusing ballots, broken machines or ballot stuffing. Even in normal operations, each step can introduce errors. Voting accuracy, therefore, is a matter of 1) minimizing the number of steps, and 2) increasing the reliability of each step.

Much of our election security is based on "security by competing interests." Every step, with the exception of voters completing their single anonymous ballots, is witnessed by someone from each major party; this ensures that any partisan shenanigans--or even honest mistakes--will be caught by the other observers. This system isn't perfect, but it's worked pretty well for a couple hundred years.

Electronic voting is like an iceberg; the real threats are below the waterline where you can't see them. Paperless electronic voting machines bypass that security process, allowing a small group of people--or even a single hacker--to affect an election. The problem is software--programs that are hidden from view and cannot be verified by a team of Republican and Democrat election judges, programs that can drastically change the final tallies. And because all that's left at the end of the day are those electronic tallies, there's no way to verify the results or to perform a recount. Recounts are important.

This isn't theoretical. In the U.S., there have been hundreds of documented cases of electronic voting machines distorting the vote to the detriment of candidates from both political parties: machines losing votes, machines swapping the votes for candidates, machines registering more votes for a candidate than there were voters, machines not registering votes at all. I would like to believe these are all mistakes and not deliberate fraud, but the truth is that we can't tell the difference. And these are just the problems we've caught; it's almost certain that many more problems have escaped detection because no one was paying attention.

This is both new and terrifying. For the most part, and throughout most of history, election fraud on a massive scale has been hard; it requires very public actions or a highly corrupt government--or both. But electronic voting is different: a lone hacker can affect an election. He can do his work secretly before the machines are shipped to the polling stations. He can affect an entire area's voting machines. And he can cover his tracks completely, writing code that deletes itself after the election.

And that assumes well-designed voting machines. The actual machines being sold by companies like Diebold, Sequoia Voting Systems and Election Systems & Software are much worse. The software is badly designed. Machines are "protected" by hotel minibar keys. Vote tallies are stored in easily changeable files. Machines can be infected with viruses. Some voting software runs on Microsoft Windows, with all the bugs and crashes and security vulnerabilities that introduces. The list of inadequate security practices goes on and on.

The voting machine companies counter that such attacks are impossible because the machines are never left unattended (they're not), the memory cards that hold the votes are carefully controlled (they're not), and everything is supervised (it isn't). Yes, they're lying, but they're also missing the point.

We shouldn't--and don't--have to accept voting machines that might someday be secure only if a long list of operational procedures are followed precisely. We need voting machines that are secure regardless of how they're programmed, handled and used, and that can be trusted even if they're sold by a partisan company, or a company with possible ties to Venezuela.

Sounds like an impossible task, but in reality, the solution is surprisingly easy. The trick is to use electronic voting machines as ballot-generating machines. Vote by whatever automatic touch-screen system you want: a machine that keeps no records or tallies of how people voted, but only generates a paper ballot. The voter can check it for accuracy, then process it with an optical-scan machine. The second machine provides the quick initial tally, while the paper ballot provides for recounts when necessary. And absentee and backup ballots can be counted the same way.

You can even do away with the electronic vote-generation machines entirely and hand-mark your ballots like we do in Minnesota. Or run a 100% mail-in election like Oregon does. Again, paper ballots are the key.

Paper? Yes, paper. A stack of paper is harder to tamper with than a number in a computer's memory. Voters can see their vote on paper, regardless of what goes on inside the computer. And most important, everyone understands paper. We get into hassles over our cellphone bills and credit card mischarges, but when was the last time you had a problem with a $20 bill? We know how to count paper. Banks count it all the time. Both Canada and the U.K. count paper ballots with no problems, as do the Swiss. We can do it, too. In today's world of computer crashes, worms and hackers, a low-tech solution is the most secure.

Secure voting machines are just one component of a fair and honest election, but they're an increasingly important part. They're where a dedicated attacker can most effectively commit election fraud (and we know that changing the results can be worth millions). But we shouldn't forget other voter suppression tactics: telling people the wrong polling place or election date, taking registered voters off the voting rolls, having too few machines at polling places, or making it onerous for people to register. (Oddly enough, ineligible people voting isn't a problem in the U.S., despite political rhetoric to the contrary; every study shows their numbers to be so small as to be insignificant. And photo ID requirements actually cause more problems than they solve.)

Voting is as much a perception issue as it is a technological issue. It's not enough for the result to be mathematically accurate; every citizen must also be confident that it is correct. Around the world, people protest or riot after an election not when their candidate loses, but when they think their candidate lost unfairly. It is vital for a democracy that an election both accurately determine the winner and adequately convince the loser. In the U.S., we're losing the perception battle.

The current crop of electronic voting machines fail on both counts. The results from Florida's 13th Congressional district are neither accurate nor convincing. As a democracy, we deserve better. We need to refuse to vote on electronic voting machines without a voter-verifiable paper ballot, and to continue to pressure our legislatures to implement voting technology that works.

Bruce Schneier is the CTO of BT Counterpane and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World and the popular blog Schneier on Security. You can contact him through his Web site.

from the Associated Press via the Boston Globe, 2007-Jan-3, by Devlin Barrett:

Few areas score high for emergency communications
Only 6 of 75 get top grade for disaster readiness

WASHINGTON -- Only six of 75 US metropolitan areas won the highest grades for their emergency agencies' ability to communicate during a disaster, five years after the Sept. 11 terrorist attacks, according to a federal report obtained yesterday by the Associated Press.

A draft portion of the report, to be released today, gives the best ratings to Washington, D.C.; San Diego; Minneapolis-St. Paul; Columbus, Ohio; Sioux Falls, S.D.; and Laramie County, Wyo.

The lowest scores went to Chicago; Cleveland; Baton Rouge, La.; Mandan, N.D.; and American Samoa. The report included large and small cities and their suburbs, along with US territories.

In an overview, the report said all 75 areas surveyed have policies in place for helping their emergency workers communicate. But it cautioned that regular testing and exercises are needed "to effectively link disparate systems."

It also said that while cooperation among emergency workers is strong, "formalized governance [leadership and planning] across regions has lagged."

The study, conducted by the Homeland Security Department, was likely to add fuel to what looms as a battle in Congress this year. Democrats, who take over the majority this week, have promised to try fixing the problem emergency agencies have communicating with one another but have not said specifically what they will do, how much it will cost, or how they will pay for it.

"Five years after 9/11, we continue to turn a deaf ear to gaps in interoperable communications" -- the term used for emergency agencies' abilities to talk to one another, said Senator Charles Schumer, a New York Democrat. "If it didn't have such potentially devastating consequences, it would be laughable."

Homeland Security spokesman Russ Knocke would not comment, saying only that in releasing the report today, Homeland Security Secretary Michael Chertoff will "talk about nationwide assessments for interoperable communications." The attacks of Sept. 11, 2001, revealed major problems in how well emergency agencies were able to talk to one another. Many firefighters climbing the World Trade Center towers died when they were unable to hear police radio warnings to leave the crumbling buildings.

In New York now, the report said, first responders were found to have well-established systems to communicate among one another -- but not the best possible. Thirteen US cities scored better than New York.

Just over a year ago, Hurricane Katrina underscored communication problems when radio transmissions were hindered because the storm's winds toppled towers.

Communities were judged in three categories: operating procedures in place, use of communications systems, and how effectively local governments have coordinated in preparation for a disaster. Overall, 16 percent of the communities were given the highest score for the communications procedures they have in place and 1 percent got the lowest rating.

Most of the areas surveyed included cities and their surrounding communities, based on the assumption that in a major crisis emergency personnel from all local jurisdictions would respond.

from the Baltimore Sun, 2007-Jun-24, by Siobhan Gorman:

Power supply still a vexation for the NSA
Summertime could pose hotter trouble for agency

WASHINGTON -- A year after the National Security Agency nearly maxed out its electrical capacity, some offices are experiencing significant power disruptions as the agency confronts the increasingly urgent problem of an infrastructure stretched to its limits, intelligence officials said.

The spy agency has delayed the deployment of some new data-processing equipment because it is short on power and space. Outages have shut down some offices in NSA headquarters for up to half a day. And some officials fear that major problems could occur this summer as temperatures climb.

The NSA has been working to develop and implement short- and long-term plans to ensure a steady supply of electricity to the nation's largest intelligence agency; they range from creating rapid-response teams to revamping power substations, internal documents show.

The current shortage has been projected for nearly a decade. Some of the rooms that house the NSA's enormous computer systems were not designed to handle newer computers that generate considerably more heat and draw far more electricity than their predecessors.

It is the result of "mismanagement at very high levels," said Ira Winkler, a former NSA analyst. "They let it get out of hand."

NSA spokeswoman Andrea Martino declined to comment on the reason for the electrical problems. "We cannot discuss the specifics that may or may not affect the agency's operations for national security purposes," she said, adding that Congress has been kept informed.

The agency has already been forced to delay installing some high-tech equipment to avoid overloading the system, according to a senior intelligence official who spoke on condition of anonymity because he is not authorized to speak to the news media.

New equipment for data processing, as well as some purchased for one of the agency's signature initiatives, the mammoth modernization effort dubbed Turbulence, are among those that have been held up, the senior official said. The lengths of the delays are classified.

The issue has become a top priority for the NSA's director, Lt. Gen. Keith B. Alexander. In recent classified testimony to Congress, he warned that the agency would have to shut down significant amounts of equipment and resort to rolling blackouts if drastic action were not taken, the official said. Alexander also told Congress that the NSA was delaying the deployment and installation of equipment, the official said.

His testimony was part of an effort to persuade lawmakers to add more than $800 million - the exact sum is classified - to the NSA's 2007 budget, the senior official added.

Congress recently approved the NSA request in a classified spending bill, said Rep. C.A. Dutch Ruppersberger, a Maryland Democrat who chairs the House Intelligence subcommittee that oversees the agency.

However, lawmakers also reprimanded the NSA, intelligence officials said, for using money for spy operations to pay for electrical expenses without congressional approval.

"It got to a point where it became a serious problem," Ruppersberger said, referring to the NSA's power shortage. "We're attempting to deal with it now."

For brief periods last summer, the NSA hit the ceiling of the power capacity at its Fort Meade campus, forcing the agency to turn off or idle technical equipment, the senior intelligence official said. The agency also had to shift the timing of power use for some computers responsible for processing data, to even out electrical loads, and continues to do so.

Some intelligence officials said they are worried that as this summer heats up, anticipated spikes in power demand could have dire consequences.

"I don't think it's going well," said one government source with direct knowledge of the power problem, who was speaking on condition of anonymity. "I am concerned with the possibility of a large-scale blackout and the damage it would cause across the board. ... We're experiencing problems in all of our buildings."

As the NSA has attempted to reduce electricity consumption, it has turned down air-conditioning and heating systems in parts of some buildings.

"In the morning, it's like a sweatshop," the government source said.

Last winter, according to one intelligence analyst, some employees wore gloves in the office to try to keep warm, adding that it made for challenging typing.

As part of its short-term effort to redirect power use and upgrade systems, the NSA has had to resort to partial, rolling brownouts at its computer "farms" and scheduled power outages, the senior intelligence official said, adding that these have become more frequent in recent months.

Among the most significant electrical issues was a series of outages in several buildings at NSA headquarters April 30 and May 1, which caused computers to unexpectedly restart and triggered blackouts that lasted between 45 minutes and four hours in some offices, according to the government source.

Ruppersberger said he was told the outages were scheduled. Martino would not comment on whether they had been planned but said in a statement that "routine power outages are carefully coordinated to ensure that backups are in place for mission assurance during repairs and upgrades to infrastructure."

The NSA's impending electrical crisis has been predicted since at least 1998. It had become an urgent priority by last summer.

As Alexander explained in a classified March 2007 memo, the three power substations that serve the main Fort Meade campus cannot support the agency's demands, according to the senior intelligence official. Each substation serves certain buildings, and power cannot easily be transferred to other substations if demand spikes, the senior official said.

The NSA's buildings are also exceeding the limits of their 1970s- and 1980s-era wiring, the senior official said.

Routine power demands have been disrupting work in some offices for up to half a day, the government source said. He noted, for example, that new office equipment has been overloading existing circuits in one office up to three times a week, taking anywhere from 30 minutes to four hours to get the power back on. This problem, however, is not yet widespread, the senior official said.

The problems cannot be fixed quickly because substantial re-engineering is required, the senior intelligence official explained.

The NSA's top brass is also concerned about a major space crunch. The agency's post-9/11 data deluge has pushed its computerized "data centers" to near capacity, the senior official said.

In an unclassified April 2007 memo, Alexander told NSA employees that he had created a "triage team" to address power problems as they arose. He said the NSA was taking steps to re-engineer some facilities to "better take advantage of existing power."

The agency is also employing conservation measures, according to the senior intelligence official, referring to the March classified memo. One example: incorporating "thrift savings" provisions into contracts, to create incentives for the use of power-saving equipment on new projects.

Other, longer-term measures include upgrading electrical infrastructure in buildings on the Fort Meade campus and the three substations, moving additional operations elsewhere to reduce demand and building new facilities. To handle the data overload, there are additional plans to move some of the agency's data-storage equipment to new government facilities in Tennessee and Texas. But those sites are not expected to be ready until about 2010.

"These measures are effectively addressing many of the short-term data-center, distribution, and campus-wide challenges," Alexander wrote in his April memo.

Ruppersberger said he believes Alexander's plan puts the NSA "on track" to fix the electrical problems. But he added that the agency still needs to show it can implement the plan.

Senate Intelligence Committee Chairman John D. Rockefeller IV said these issues will not be resolved quickly.

"The NSA is committing significant resources to fixing the problem," the West Virginia Democrat said in a statement. "We believe they have a plan in place to address the situation, but it will take time and a considerable amount of money."

Some current and former officials question whether the short-term plans will buy enough time to resolve a mostly long-term problem.

According to an agency document, the NSA's power consumption is nearly three times higher than the average for Defense Department buildings. The main culprit: power demand from the NSA's 24-hour watch centers and supercomputers, as well as a large number of computers in each building.

Some current and former officials said they are frustrated that NSA leaders took so long to address the problem.

The problem was first brought to the attention of then-Director Kenneth Minihan in 1998 as he prepared to upgrade the agency's technology infrastructure. But he chose not to pay for electricity upgrades along with the new technology infrastructure, the senior intelligence official said. Minihan did not respond to requests for comment.

The issue has arisen periodically since then, including the planning for the NSA's modernization programs, but each time leaders chose to set it aside, the official said. As recently as 2004 and 2005, the question of an emerging power deficit came up as the NSA outlined an expansion of its field sites under then-Director Gen. Michael V. Hayden, but no formal plans were made to address electricity problems, the official said.

A spokesman said that Hayden, who now heads the CIA, rejected that accusation and said Hayden took steps to deal with the problem when he was there.

"During his service at NSA, there was major construction at regional (signals-intelligence) operations centers. One goal of that initiative was to ease the burden on the Ft. Meade compound," spokesman Paul Gimigliano said in a written statement. "It's simply wrong to suggest that the director knew of a problem with NSA's electrical infrastructure and ignored it."

The regional centers did help, the senior official acknowledged, but they did not fix the outdated electrical system at headquarters, and some of the efforts were scaled back as Hayden left.

Early in 2006, an internal NSA team produced an extensive study of the power and space shortages that highlighted the urgency of the problem and predicted that the NSA would soon hit a "ceiling" in its electrical capacity, the official said.

Only when it hit that ceiling last summer, the official added, did the agency truly begin mobilizing to address the problem.

from the Baltimore Sun, 2006-Aug-6, by Siobhan Gorman with Paul Adams contributing:

NSA risking electrical overload
Officials say outage could leave Md.-based spy agency paralyzed

WASHINGTON -- The National Security Agency is running out of juice.

The demand for electricity to operate its expanding intelligence systems has left the high-tech eavesdropping agency on the verge of exceeding its power supply, the lifeblood of its sprawling 350-acre Fort Meade headquarters, according to current and former intelligence officials.

Agency officials anticipated the problem nearly a decade ago as they looked ahead at the technology needs of the agency, sources said, but it was never made a priority, and now the agency's ability to keep its operations going is threatened. The NSA is already unable to install some costly and sophisticated new equipment, including two new supercomputers, for fear of blowing out the electrical infrastructure, they said.

At minimum, the problem could produce disruptions leading to outages and power surges at the Fort Meade headquarters, hampering the work of intelligence analysts and damaging equipment, they said. At worst, it could force a virtual shutdown of the agency, paralyzing the intelligence operation, erasing crucial intelligence data and causing irreparable damage to computer systems -- all detrimental to the fight against terrorism.

Estimates on how long the agency has to stave off such an overload vary from just two months to less than two years. NSA officials "claim they will not be able to operate more than a month or two longer unless something is done," said a former senior NSA official familiar with the problem, who spoke on condition of anonymity.

Agency leaders, meanwhile, are scrambling for stopgap measures to buy time while they develop a sustainable plan. Limitations of the electrical infrastructure in the main NSA complex and the substation serving the agency, along with growing demand in the region, prevent an immediate fix, according to current and former government officials.

"If there's a major power failure out there, any backup systems would be inadequate to power the whole facility," said Michael Jacobs, who headed the NSA's information assurance division until 2002.

"It's obviously worrisome, particularly on days like today," he said in an interview during last week's barrage of triple-digit temperatures.

William Nolte, a former NSA executive who spent decades with the agency, said power disruptions would severely hamper the agency.

"You've got an awfully big computer plant and a lot of precision equipment, and I don't think they would handle power surges and the like really well," he said. "Even re-calibrating equipment would be really time consuming -- with lost opportunities and lost up-time."

Power surges can also wipe out analysts' hard drives, said Matthew Aid, a former NSA analyst who is writing a multivolume history of the agency. The information on those hard drives is so valuable that many NSA employees remove them from their computers and lock them in a safe when they leave each day, he said.

A half-dozen current and former government officials knowledgeable about the energy problem discussed it with The Sun on condition of anonymity because of the sensitivity of the issue.

NSA spokesman Don Weber declined to comment on specifics about the NSA's power needs or what is being done to address them, saying that even private companies consider such information proprietary.

In a statement to The Sun, he said that "as new technologies become available, the demand for power increases and NSA must determine the best and most economical way to use our existing power and bring on additional capacity."

Biggest BGE customer

The NSA is Baltimore Gas & Electric's largest customer, using as much electricity as the city of Annapolis, according to James Bamford, an intelligence expert and author of two comprehensive books on the agency.

BGE spokeswoman Linda Foy acknowledged a power company project to deal with the rising energy demand at the NSA, but she referred questions about it to the NSA.

The agency got a taste of the potential for trouble Jan. 24, 2000, when an information overload, rather than a power shortage, caused the NSA's first-ever network crash. It took the agency 3 1/2 days to resume operations, but with a power outage it could take considerably longer to get the NSA humming again.

The 2000 shutdown rendered the agency's headquarters "brain-dead," as then-NSA Director Gen. Michael V. Hayden told CBS's 60 Minutes in 2002.

"I don't want to trivialize this. This was really bad," Hayden said. "We were dark. Our ability to process information was gone."

As an immediate fallback measure, the NSA sent its incoming data to its counterpart in Great Britain, which stepped up efforts to process the NSA's information along with its own, said Bamford.

The agency came under intense criticism from members of Congress after the crash, and the incident rapidly accelerated efforts to modernize the agency.

One former NSA official familiar with the electricity problem noted a sense of deja vu six years later.

"To think that this was not a priority probably tells you more about the extent to which NSA has actually transformed," the former official said. "In the end, if you don't have power, you can't do [anything]."

Already some equipment is not being sufficiently cooled, and agency leaders have forgone plugging in some new machinery, current and former government officials said. The power shortage will also delay the installation of two new, multimillion-dollar supercomputers, they said.

To begin to alleviate pressure on the electrical grid, the NSA is considering buying additional generators and shutting down so-called "legacy" computer systems that are decades old and not considered crucial to the agency's operations, said three current and former government officials familiar with the situation.

"It's a temporary fix," one former senior NSA official said.

On Wednesday, the same day that The Sun inquired about the power issue with the NSA's public affairs office, the agency sent word to Capitol Hill about its energy conservation efforts.

"They have told us they have been shutting down all non-essential uses of power to help out BG&E," said one congressional aide, adding that the NSA is also raising the temperature in its buildings two degrees to conserve.

The information was presented in the context that the NSA was making these changes "to be a good corporate citizen," the aide said.

Contractors on at least one high-priority, power-intensive NSA project that is located off the headquarters campus have upgraded their electrical infrastructure to ensure power for their project, according to two former agency officials. That lone upgrade, a fraction of the agency's total demand, took four months.

Longer-term solutions being considered would move some operations to off-campus facilities with more electrical capacity, current and former officials said.

Adding more capacity to the substation feeding NSA is an obvious answer, but constraints on that particular facility make an expansion difficult, they said. BGE's Foy declined to discuss specifics about the substation. She said it takes 1 1/2 to 2 1/2 years to design, procure equipment, obtain permits, and build a new one.

Post-9/11 needs

Since the 2001 terrorist attacks, the NSA has ramped up its operations, and the electricity needed to sustain major projects -- such as the warrantless surveillance program and technology modernization programs -- has increased sharply.

The computer systems supporting these programs demand far more wattage per square foot than their predecessors and still more energy to cool them.

Area development like the Arundel Mills Mall has contributed to the problem by putting additional strain on the local electrical grid, according to two sources familiar with the issue. Joe Bunch, BGE's director of strategic customer engineering, said, however, that the mall's demand "was fairly easily accommodated."

Demand in the Baltimore-Washington region has been growing, and the regional operator for Maryland and 12 other states has been studying the installation of up to $10 billion in new power lines to deliver more and cheaper electricity to this region.

"We've seen a lot of growth in Anne Arundel County as a whole but particularly in the north and northwest area of the county," said Bunch, who agreed to talk about trends in the area but not the NSA's specific demand. Much of that growth is because of the surge of high-tech jobs in the area from the NSA and government contractors, he said.

He said BGE is working to meet the demand by building new substations in the area. One was built about a year ago, and another is scheduled to be built in two to three years, he said.

"We have adequate capacity" now, he said, but upgrades like the new substation are being planned to stave off future strains on the electrical grid.

The NSA's problem was identified in the late 1990s and could have been fixed by now -- and for much less money -- had keeping the lights on been a priority, current and former officials said.

"It fits into a long, long pattern of crisis-of-the-day management as opposed to investing in the future," said one former government official familiar with the NSA's electricity shortfall.

Electrical infrastructure maintenance and upgrades have been a casualty of the fight against terrorism, according to unclassified budget documents.

Upgrades delayed

Even as the NSA's budget has ballooned after 9/11, the agency has put off basic utility upgrades such as a $4 million computer system to manage the allocation of power at the NSA -- a sliver of the NSA's estimated $8 billion budget.

"Due to budget constraint [sic] and other development [sic] in the fight against terrorism," a 2007 budget document reads, the system was never fully implemented.

Without this system, the document stated, the NSA "may experience difficulties in meeting its power requirement to support critical war fighting missions."

Neglect of infrastructure at the NSA has been a chronic problem, often fraught with bureaucratic politics, former agency officials said.

Fort Meade is not the only NSA outpost facing limitations on its ability to upgrade electrical infrastructure. Listening posts around the world, such as Menwith Hill in Britain and Bad Aibling in Germany, are ailing.

The NSA's largest listening station, Menwith Hill, has an "aging infrastructure that cannot support the people or equipment" there, according to a budget document for 2007.

It is faced with "concrete foundations that are crumbling," an "electrical infrastructure that is not in compliance with current codes," and a weakened infrastructure that poses a safety hazard, the document said.

Identical language appeared in the previous year's budget documents.

With agency operations facing an imminent threat, facilities issues are front and center. "It's a big deal," said one former senior NSA official. "They're all talking about it, anyway. That's progress."

from CNET News.com, 2006-Dec-1, by Joris Evers:

Another suspected NASA hacker indicted

A Romanian man was indicted Thursday for allegedly breaking into more than 150 U.S. government computers.

The indictment charges Victor Faur, 26, of Arad, Romania, with leading a hacking group called the "WhiteHat Team," according to a statement from the U.S. Attorney's Office in Los Angeles. The group allegedly hacked into the government systems because of their reputation as some of the most secure in the world.

"After hacking into and taking control of the government computers, Faur allegedly caused the compromised machines to display screens that flaunted the computer intrusion," the U.S. Attorney's Office said.

Faur is charged with conspiracy and nine counts of computer intrusion. If convicted of all counts, he faces up to 54 years in federal prison, the prosecutors said.

However, a trial isn't likely to happen soon. Faur is currently in Romania, where he was arrested and then released on bond on separate, Romanian charges, Assistant U.S. Attorney Brian Hoffstadt said in an interview.

"The next step for us is to seek extradition from the Romanian government," he said. There is an extradition treaty between the U.S. and Romania, but an extradition procedure can take up to two years. "It takes a long time," Hoffstadt said.

Computers that were compromised included machines at NASA's Jet Propulsion Laboratory and Goddard Space Flight Center, the Sandia National Laboratory, and the U.S. Naval Observatory, according to prosecutors.

The breached computers were used to collect and process data from spacecraft. Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said.

Several suspected NASA hackers have been dealing with law enforcement recently. In Sweden, a teen suspected of hacking into systems belonging to the U.S. military, NASA and networking giant Cisco Systems was charged recently. Earlier this year, London resident Gary McKinnon lost a crucial battle in his fight to avoid prosecution in the U.S.

No charges have been filed against any other suspected members of the WhiteHat Team, Hoffstadt said. "But the charges against Faur may not be the last charges," he said.

from Government Computer News, 2006-Jul-3, by Patience Wait:

Weapons projects misfire on software
Cost overruns constrict already tight budgets, GAO says

Every year the Government Accountability Office issues a report that gives a brief summary of the status of major weapons acquisition programs. And every year the reports say that many, if not most, of those acquisition programs are experiencing cost overruns and schedule delays in their software development segments.

The problem is huge. In fiscal 2006, the Defense Department will spend as much as $12 billion on reworking software -- 30 percent of its estimated budget of $40 billion for research, development, testing and evaluation. By comparison, Motorola -- and other large commercial companies -- spends just a small percent of its budget on rework.

Nor can the significance of the problem be overlooked. In its summary for 2006, Assessments of Selected Major Weapon Programs (GCN.com, Quickfind 605), GAO pointed out that, in the past five years, DOD has doubled its planned investments in new weapons systems from $700 [billion] to $1.4 trillion. This huge increase has not been accompanied by more stability, better outcomes or more buying power for the acquisition dollar.

The huge difference between military and private-sector efforts, according to Carol Mebane and Cheryl Andrew of GAO's weapons acquisition audits practice, exists because corporations use a structured, replicable approach to software development that emphasizes requirements planning upfront.

A few years ago, the two auditors spent months studying how commercial best practices could be applied to DOD projects to control both cost factors and schedule delays. They spoke to an audience of software and systems engineers at the Software and Systems Technology Conference in May, revisiting the conclusions of their 2004 report, Stronger Management Practices Are Needed to Improve DOD's Software-intensive Weapon Acquisitions (GCN.com, Quickfind 606).

"The importance of improving software development efficiency can't be overstated," Mebane said. When DOD developed the F-4 fighter in the 1960s, less than 10 percent of its functionality was based on software; in today's development of the F/A-22, it's more than 80 percent.

The Joint Strike Fighter program -- one of those included in this year's report -- has seen R&D overruns totaling 30 percent. Despite that, when it's time for DOD to make a production decision on the JSF, the program will have released about 35 percent of the software needed for the system, GAO found.

Additionally, seven of the eight critical technologies identified by the watchdog agency are not yet mature; indeed, they are not expected to be until after the design review phase is over.

"Based on our discussions with individual [companies], three factors determine the success of a software development program," Andrew said. "A manageable environment, disciplined processes and metrics, metrics, metrics."

Creating a manageable environment means breaking software projects into manageable pieces, each generally with a six-month schedule.

"In DOD, a project can be two years, three years, even four years long. It makes it hard for a program manager to get his arms around a project, [or to] get a handle on costs," Andrew said.

Both software and hardware programs generally follow a specific, four-phase process, whether in government or industry, he said -- requirements, design, coding and testing.

In the companies they examined, the GAO team found that 90 percent to 95 percent of requirements for a software program were set in the first phase, and leading companies are willing to spend 20 percent to 30 percent of their resources on getting the requirements established.

Also, projects in commercial companies undergo frequent reviews with management, and software teams often conduct reviews weekly to identify where problems could arise. At DOD, on the other hand, major management reviews of software projects usually happen only once a year, or even two years apart.

"We were shocked at that," Andrew said. But when GAO recommended that program offices should get involved more often instead of waiting for major reviews, there was resistance. ... The program offices didn't have access to [software development status information], and didn't look for it.

GAO found that industry metrics fell into seven categories: requirements, cost, schedule, quality, size, tests and defects.

"Defects are a big, big metric," Andrew said. Motorola tracked both errors and defects. An error, she said, was a problem caught in the requirements phase, while a problem caught in later stages of development was considered a defect.

Motorola even tracks, as a metric, how many errors and defects it finds, she said.

Motorola knows how many errors and defects it is likely to find. Finding too many or too few is also an error, she said, and the company re-examines its processes to see if something has been missed.

As part of the DOD audit, GAO examined five weapons programs, two of them involving existing systems and redevelopment of software, three of them new systems.

The first two did a relatively good job of staying close to time and cost estimates. But the three new programs saw more than 100 percent increases in costs and time. One of them, the Comanche helicopter program, was ultimately abandoned by the Army.

Revolution canceled

With the Comanche, DOD was seeking to make revolutionary changes in the way helicopters were built, Mebane said, but there was not a lot of analysis into allocating requirements. This weapons system was cancelled ... because the Army decided they could no longer afford to pour resources into it.

Based on the 2004 report, Mebane said, the Air Force adopted the processes in its software improvement plans, and DOD amended its 5000 series acquisition policy to include more emphasis on systems engineering and evolutionary development. But more improvement is needed.

"Every year we do assessments on weapons systems. This year there are 52 of them in the summary," she said. "Almost 35 percent of them are using immature technologies. This is kind of a hand-raise for, 'You're going to have problems later on,'" she said.

DOD is not alone in wrestling with these problems. GAO is trying to find ways to measure the performance of software development programs within the overall weapon acquisitions process.

"We [assess] 50 or 60 major weapons systems, each one confined to two pages. We go through technological, design and manufacturing risks on the programs," said Mike Sullivan, director of GAO's acquisition sourcing and management team. "The software metric is something we've thought a lot about getting into. ... We're trying to figure out a way to depict [it]."

from Federal Computer Week, 2006-May-25, by Josh Rogin:

DOD: China fielding cyberattack units

China is stepping up its information warfare and computer network attack capabilities, according to a Defense Department report released this week.

The Chinese People's Liberation Army (PLA) is developing information warfare reserve and militia units and has begun incorporating them into broader exercises and training. Also, China is developing the ability to launch pre-emptive attacks against enemy computer networks in a crisis, according to the document, “Annual Report to Congress: Military Power of the People's Republic of China 2006.”

The Chinese approach centers on using civilian computer expertise and equipment to enhance PLA operations, the DOD report states.

“During a military contingency, information warfare units could support active PLA forces by conducting ‘hacker attacks' and network intrusions, or other forms of ‘cyber' warfare, on an adversary's military and commercial computer systems, while helping to defend Chinese networks,” according to the report. These units would be composed of computer experts from academies, institutes and IT industries, it states.

In 2005, the PLA began to incorporate offensive computer network operations into military exercises, with the goal of developing first strike capability. “The PLA considers active offense to be the most important requirement for information warfare to destroy or disrupt an adversary's capability to receive and process data,” the report states.

Computer Network Operations is an important part of the Chinese strategy to achieve electromagnetic dominance in any conflict, and as a force multiplier, according to the report. The PLA seeks to combine CNO with electronic warfare, kinetic strikes against C4 nodes, and virus attacks on enemy systems, to form what PLA theorists call “Integrated Network Electronic Warfare,” it noted.

This year's DOD report on Chinese military modernization is the latest of six annual installments. Congress mandated the annual reports in the fiscal 2000 Defense authorization bill.

China has often criticized the reports as an attempt to exaggerate its military modernization and demonize China. A spokesman for the Chinese Foreign Ministry called this year's report an attempt to spread the China threat theory with a Cold War mentality, according to the Xinhua News Agency.

from the Daily Mail, 2006-Sep-13:

Courts use computers to decide who should face death sentence

Criminals in China face being sent to the firing squad by a computer after the introduction of a software programme to help decide the sentences handed out by courts.

Judges are using computers equipped with a sophisticated legal database as an aid to determining punishments for 100 different crimes including robbery and rape by tapping in details of the crime and the mitigating circumstances.

The programme – nicknamed “penalty calculator” – then flashes up its recommended sentence on crimes including murder and stealing state secrets, which are punishable by death by firing squad in the communist nation.

The software, which was designed by a Beijing hi-tech firm as a way of reining in corrupt judges, has already helped determine sentences in 1,500 cases over the past two years in a trial run in China's eastern Shandong province.

Now the programme is being extended to other provincial courts and may be eventually used in court rooms across the nation of 1.3 billion, where more criminals are put to death than anywhere else in the world. Software designer Qin Ye has been working on the programme since 2003 and, helped by Shandong legal officials, has loaded it with a huge database of Chinese law and case precedents.

He said: “The software is aimed at ensuring standardised decisions on prison terms. Our programmes set standard terms for any subtle distinctions in different cases of the same crime.” Wang Hongmei, chief judge in the district where the concept is being trialled, said: “The software can avoid abuse of the discretionary power of judges as a result of corruption or insufficient legal training.” However, manufacturer Boya-Yingjie Communication Science stressed the “penalty calculator” did not have the final say and said judges retain the power to determine sentences based on their individual circumstances.

Use of the programme has been lambasted by some Chinese newspapers which describe the software as an excuse for well-paid judges to be lazy and not to pay attention in drawn-out trials.

Wang Qiuhua, law professor at southern China's Shenzhen University, warned judges not to be too reliant on the software. “Every single case is different and a computer may not appreciate this,” he said.

China executes more people every year than every other country in the world combined, killing them either by firing squad or lethal injection. Last year, of 2,148 documented executions worldwide, 1,770 were carried out in China.

However, the real number of executions in China is believed by groups like Amnesty International to be closer to 8,000 because of the huge number of secret trials and unreported death penalties.

The death penalty can be given for 68 offences in China, including bigamy, stealing petrol and tax evasion - and even computer hacking.

from Newsday (New York), 2006-Sep-18, by Mohamad Bazzi:

Hezbollah cracked the code
Technology likely supplied by Iran allowed guerrillas to stop Israeli tank assaults

AITA SHAAB, Lebanon -- Hezbollah guerrillas were able to hack into Israeli radio communications during last month's battles in south Lebanon, an intelligence breakthrough that helped them thwart Israeli tank assaults, according to Hezbollah and Lebanese officials.

Using technology most likely supplied by Iran, special Hezbollah teams monitored the constantly changing radio frequencies of Israeli troops on the ground. That gave guerrillas a picture of Israeli movements, casualty reports and supply routes. It also allowed Hezbollah anti-tank units to more effectively target advancing Israeli armor, according to the officials.

"We were able to monitor Israeli communications, and we used this information to adjust our planning," said a Hezbollah commander involved in the battles, speaking on the condition of anonymity. The official refused to detail how Hezbollah was able to intercept and decipher Israeli transmissions. He acknowledged that guerrillas were not able to hack into Israeli communications around the clock.

The Israeli military refused to comment on whether its radio communications were compromised, citing security concerns. But a former Israeli general, who spoke on the condition of anonymity, said Hezbollah's ability to secretly hack into military transmissions had "disastrous" consequences for the Israeli offensive.

"Israel's military leaders clearly underestimated the enemy and this is just one example," he said.

Dodging the efforts

Like most modern militaries, Israeli forces use a practice known as "frequency-hopping" - rapidly switching among dozens of frequencies per second - to prevent radio messages from being jammed or intercepted. It also uses encryption devices to make it difficult for enemy forces to decipher transmissions even if they are intercepted. The Israelis mostly rely on a U.S.-designed communication system called the Single Channel Ground and Airborne Radio System.

Hezbollah's ability to intercept and decode Israeli transmissions underscores how the Shia group had higher military capabilities than many Israeli and U.S. officials thought.

Much of Hezbollah's capability is believed to have come from its two main backers, Iran and Syria.

During 34 days of fighting, which ended Aug. 14 under a cease-fire brokered by the United Nations, Hezbollah repeatedly surprised Israel by deploying new types of missiles and battlefield tactics.

"The Israelis did not realize that they were facing a guerrilla force with the capabilities of a regular army," said a senior Lebanese security official who asked not to be identified. "Hezbollah invested a lot of resources into eavesdropping and signals interception."

Besides radio transmissions, the official said Hezbollah also monitored cell phone calls among Israeli troops. But cell phones are usually easier to intercept than military radio, and officials said Israeli forces were under strict orders not to divulge sensitive information over the phone.

Hezbollah eavesdropping teams had trained Hebrew speakers who could quickly translate intercepted Israeli transmissions and relay the information to local commanders, the Hezbollah official said. Even before the war, the group had dozens of translators working in its southern Beirut offices to monitor Israeli media and phone intercepts.

Mistakes happen

With frequency-hopping and encryption, most radio communications become very difficult to hack. But troops in the battlefield sometimes make mistakes in following secure radio procedures and can give an enemy a way to break into the frequency-hopping patterns. That might have happened during some battles between Israel and Hezbollah, according to the Lebanese official. Hezbollah teams likely also had sophisticated reconnaissance devices that could intercept radio signals even while they were frequency-hopping.

During one raid in southern Lebanon, Israeli special forces said they found a Hezbollah office equipped with jamming and eavesdropping devices. Israeli officials said the base also had detailed maps of northern Israel, lists of Israeli patrols along the border and cell phone numbers for Israeli commanders.

That raid highlighted the ongoing spy war between Hezbollah and Israel. Since Israeli troops withdrew from southern Lebanon in May 2000 - after an 18-year occupation and guerrilla war with Hezbollah - the militia has stepped up its espionage efforts against Israel. According to Israeli military officials, a special Hezbollah unit recruits Israeli Arabs and others to spy for it. The agents are assigned to obtain maps, monitor Israeli patrols, gather cell phone numbers and photograph military facilities. This information is used to draw up detailed maps and files that could be used to direct Hezbollah's rocket and missile attacks.

"After the Israeli withdrawal in 2000, each side competed to spy on the other," said Nizar Qader, a retired Lebanese army general who is now an independent military analyst. "This intelligence-gathering was essential to fighting a war ... Hezbollah appears to have collected better information than the Israelis."

After Hezbollah abducted two Israeli soldiers in a cross-border raid on July 12, Israel launched its most intense attack since it invaded Lebanon in 1982. The offensive crippled the country's infrastructure, displaced 1 million people, cut off Lebanon from the world and killed more than 1,200 Lebanese - the majority of them civilians. Hezbollah fired nearly 4,000 rockets at Israel, killing 43 civilians. Of the 119 Israeli soldiers killed, the majority were killed by anti-tank missiles.

Hezbollah's ability to hack into Israeli communications made its arsenal of anti-tank missiles even more deadly by improving the targeting. Throughout the ground war, Hezbollah deployed well-trained anti-tank teams to transport these missiles and fire them in ways that would inflict heavy casualties on Israeli forces. The units were made up of four to six fighters who moved around mostly on foot.

The militia used four kinds of sophisticated missiles that enabled it to disable - and, in some cases, destroy - Israel's most powerful armor: Merkava tanks. The Merkava is reinforced with several tons of armor, a virtual fortress on tracks intended to ensure its crew's survival on the battlefield.

All the missiles used by Hezbollah are relatively easy to transport and can be fired by a single guerrilla or a two-person team. They all rely on armor-piercing warheads. The most prevalent of Hezbollah's anti-tank weapons is the Russian-made RPG-29, a powerful variation on a standard rocket-propelled grenade. The RPG-29 has a range of 500 yards.

Using all their capabilities

Hezbollah also used three other potent anti-tank missiles, according to Israeli and Lebanese officials: the Russian-made Metis, which has a range of 1 mile and can carry high-explosive warheads; the Russian-built Kornet, which has a range of 3 miles and thermal sights for tracking the heat signatures of tanks, and the European-built MILAN (a French acronym for Anti-Tank Light Infantry Missile), which has a range of 1.2 miles, a guidance system and the ability to be fired at night.

Israeli officials say the Kornet and RPG-29 were provided to Hezbollah by Syria, which bought them from Russia in the late 1990s. Russian officials are investigating whether Syria violated an agreement that these weapons would not be transferred to a third party.

Analysts say Hezbollah used all its capabilities - eavesdropping, anti-tank missiles and guerrilla fighting skills - to maximum effect.

"The information collected by signals intercepts was being used to help direct fighters on the battlefield," Qader said. "These are tactics of a modern army."

Sonia Verma contributed to this story from Jerusalem.

Key events

July 12. Hezbollah kidnaps two Israeli soldiers in a cross-border raid.

July 13. Israel begins bombing the runways at Beirut's airport and imposes a naval blockade of Lebanon. Hezbollah rocket attacks strike the northern Israeli city of Haifa.

July 18. The United States, others step up evacuations of their citizens from Lebanon.

July 22. Israeli ground troops enter Lebanon.

Aug. 6. Hezbollah rocket attacks kill 12 Israeli soldiers and 3 others in deadliest day for Israel in nearly 4 weeks of war.

Aug. 12. The UN Security Council approves a resolution calling for a "full cessation of hostilities."

Aug. 14. Cease-fire takes effect.

from Security Fix on WashingtonPost.com, 2007-Jan-4, by Brian Krebs:

Internet Explorer Unsafe for 284 Days in 2006

Security Fix spent the past several weeks compiling statistics on how long it took some of the major software vendors to issue patches for security flaws in their products. Since Windows is the most-used operating system in the world, it makes sense to lead off with data on Microsoft's security updates in 2006.

First, a note on the methodology behind this blog post: The data presented here builds on a project I began in late 2005 looking back on three years of efforts by Microsoft to address only the most severe security holes in its software. I conducted that same research again last month, individually contacting nearly all of the security researchers who submitted reports of critical flaws in Microsoft products to learn from them not only the dates that they had submitted their findings to the company, but also any other security trends or anomalies they observed in working with the world's largest software maker.

Several weeks prior to posting this information, I shared the data I had gathered with Microsoft. The officials I dealt with helpfully concurred or quibbled slightly with some of my findings, but the company raised no objections that would materially affect the results presented in this particular study of IE flaws. In fact, if you examine the links included in the vulnerability chart that accompanies this post, you can see for yourself how the data is supported by information posted on the Web over the past year.

Patching Internet Explorer in 2006

For all its touted security improvements, the release of Microsoft's new Internet Explorer 7 browser in November came too late in the year to improve the lot of IE users, who make up roughly 80 percent of the world's online community. For a total of 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.

In a total of ten cases last year, instructions detailing how to leverage "critical" vulnerabilities in IE were published online before Microsoft had a patch to fix them.

Microsoft labels software vulnerabilities "critical" -- its most severe rating -- if the flaws could be exploited to criminal advantage without any action on the part of the user, or by merely convincing an IE user to click on a link, visit a malicious Web site, or open a specially crafted e-mail or e-mail attachment.

[The chart posted here shows the overlap of threats from various IE flaws throughout the year.]

In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.

Criminals specializing in Internet fraud continued to ply much of their trade with the aid of security flaws in the Microsoft browser last year. In 2006, the company issued patches to fix a total of four "zero-day" flaws in IE. Zero-day (or 0day) attacks are so named because software vendors have no time to develop a fix for the flaws before they are exploited by cyber crooks for financial or personal gain.

The first major flaw in a Windows program last year involved one that could be easily exploited via Internet Explorer. In late December 2005, experts tracked organized criminals hacking into sites and seeding them with code that installed password-stealing spyware on machines used by anyone who merely visited the sites with IE. Microsoft initially downplayed the severity of the attacks, until it became clear that the threat was fairly widespread and that thousands of customers had already been attacked in the span of a few days. The threat was seen as so severe that a large number of security experts urged users to download and install a patch produced by a third party until Microsoft developed an official fix.

In September, attackers would exploit an unpatched flaw in non-Microsoft Web server software to install malicious code on thousands of legitimate Web sites that could infect Windows machines when users merely browsed the sites with IE. Much like the IE flaw first detected in December 2005, this sophisticated attack by organized criminals also would prompt a series of third-party security patches in the days before Microsoft issued an official update.

Check back with Security Fix on Friday for a look at the number of vulnerabilities that Microsoft patched in its Office applications last year.

from the Sydney Morning Herald, 2006-Sep-19, by Patrick Gray:

Code cracking is the new pot of gold

IF YOU think the password protection on your MS Word file is keeping it safe from prying eyes, chances are you're wrong. The time it takes to crack password-protected Microsoft Office files has tumbled from a 25-day average to a matter of seconds, thanks to a decades-old code-cracking technique that until recently was not viable.

The technique, described in a 1980 paper, A Cryptanalytic Time-Memory Trade-Off, involves pre-generating a massive "rainbow table" of passwords and their corresponding hashes - the encrypted strings of numbers computers use to verify passwords.

Until now, the terabytes of storage needed to write the tables haven't been available. But cheap storage means rainbow tables are in vogue in the IT security industry. "Take a look at hard-drive storage. I buy terabytes like I used to buy megabytes," says Christian Stankevitz, the laboratory manager for Chicago-based IT security consultancy Neohapsis.

In the past, passwords were cracked by randomly guessing at the correct string of characters in what's known as a "brute force" attack. In these assaults, the encrypted form of the password - the hash - is extracted from the target file or computer. A randomly generated password is encrypted and its encrypted form is compared to the extracted hash. If it doesn't match, the process is repeated until a match is found - it's a long and tedious process.

With rainbow tables, the encrypted form of most possible passwords is pre-computed and stored alongside the actual, clear-text password. Users can simply look up virtually any hash in the massive index and match it to the corresponding password in seconds.

The tables can break password protection in many common file formats, including versions of Adobe's PDF format (the current version is immune to the attack), the default encryption on protected Microsoft Office documents (40 bit) and even Windows password files.

"It's a lot of (storage) space but the nice thing is it only needs to be done once," says Peiter Zatko, a division scientist at BBN Technologies, a government contractor that conducts research for the US Department of Defence and other government agencies.

Mr Zatko is best known for writing the L0phtcrack password cracking tool in the '90s. It was used to crack Windows passwords with ease, something he hoped would change the way organisations managed their passwords. Instead, L0phtcrack was commercialised and became the industry-standard password auditor, much to Mr Zatko's dismay. "That was my problem with L0phtcrack. People were using it to audit their passwords," he says. "It was supposed to be a statement of 'understand your risks'."

It seems people haven't learnt from his work - passwords are still easy to crack. Neohapsis, for example, uses rainbow tables for forensic investigations, cracking passwords when a client's disgruntled ex-employees refuse to hand them over.

The tables can't be used to crack strongly encrypted passwords, but many computer users are lazy, using the same passwords over and over. Thus, obtaining a trivial, easily cracked password could be the foothold a consultant - or a criminal attacker - needs to unravel a user's full set of passwords.

"The scope of the password or pass-phrase problem is only increasing," says Neohapsis' Greg Shipley. "We found a password on a document and that password was used on other documents ... Unless a user is incredibly sophisticated, you crack one of them and there's a good chance you're going to get the rest of them."

By attacking the low-hanging fruit of easily cracked document or file passwords, it's possible to guess at more sensitive passwords, such as those used for email or remote network access. "Anything that's 40-bit encrypted you can hit with a rainbow table," Mr Stankevitz says.

Although 40-bit is far from the strongest encryption available, it's still in common use because of now-redundant US Government arms trafficking regulations, says Mr Zatko. "For quite some time we had these stupid regulations. Cryptography was considered a munition, so we weren't allowed to export anything that was greater than 40-bit encryption," he says.

It's not just the good guys using rainbow tables, either. "There are services online that you can upload your file to and they'll decrypt it for you for $50, no questions asked," says Mr Stankevitz.

The ease with which miscreants can crack file or document passwords means using the same password for your VPN access and password protected files is a very bad idea.

Indeed, Mr Shipley says that a fairly comprehensive rainbow table set is now within reach of hobbyists and criminals alike, and certainly organised crime syndicates.

"You can get a terabyte or two of storage in the four figure range and you can get computer power in the four figure range," he says. "You can still do a lot at a hobbyist level, and if you're dealing with organised crime rings they'll have the budgets."

In the meantime, the guys at Neohapsis have some advice for Microsoft Office users: change the encryption setting to 128 bit and use a 12-character password.
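
The precomputation described in the Sydney Morning Herald article above can be seen at toy scale in the following added example, which is not part of the article. It goes one step beyond the article's "look up any hash" description: it stores only the two ends of each hash chain (the time-memory trade-off the 1980 paper introduced, here with the per-column reduction that gives rainbow tables their name), and it shows that the same table is useless once each hash carries a salt. The 4-digit PIN keyspace, SHA-256, the salt value and all function names are assumptions chosen for illustration.

```python
import hashlib

# Constructed toy keyspace: every 4-digit PIN (10,000 candidates).
KEYSPACE = 10_000
CHAIN_LEN = 20      # hash/reduce steps per chain (the "time" side)
NUM_CHAINS = 600    # rows kept in the table (the "memory" side)


def h(password: str, salt: bytes = b"") -> bytes:
    """Fast hash, unsalted by default; any salt changes every digest."""
    return hashlib.sha256(salt + password.encode()).digest()


def reduce_(digest: bytes, column: int) -> str:
    """Map a digest back into the keyspace, differently for each column."""
    n = (int.from_bytes(digest[:8], "big") + column) % KEYSPACE
    return f"{n:04d}"


def build_table() -> dict:
    """Precompute chains but keep only endpoint -> start for each one."""
    table = {}
    for i in range(NUM_CHAINS):
        start = f"{i:04d}"
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_(h(pw), col)
        # Chains that merged share an endpoint; the later one overwrites,
        # which is why coverage of the keyspace is below 100 percent.
        table[pw] = start
    return table


def lookup(table: dict, target: bytes):
    """Return the password whose unsalted hash is `target`, or None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target is the hash at column `pos` of some chain.
        pw = reduce_(target, pos)
        for col in range(pos + 1, CHAIN_LEN):
            pw = reduce_(h(pw), col)
        start = table.get(pw)
        if start is None:
            continue
        # Rebuild that chain from its start and verify; this step
        # discards false alarms caused by reduction collisions.
        cand = start
        for col in range(CHAIN_LEN):
            if h(cand) == target:
                return cand
            cand = reduce_(h(cand), col)
    return None


def coverage(table: dict, candidates: list) -> float:
    """Fraction of candidate passwords the table recovers."""
    hits = sum(1 for pw in candidates if lookup(table, h(pw)) == pw)
    return hits / len(candidates)


if __name__ == "__main__":
    table = build_table()
    sample = [f"{n:04d}" for n in range(0, KEYSPACE, 25)]
    print(f"rows stored: {len(table)} of {KEYSPACE} possible passwords")
    print(f"unsalted hashes recovered: {coverage(table, sample):.0%}")
    salt = b"constructed-per-file-salt"   # constructed value
    salted_hits = sum(
        1 for pw in sample if lookup(table, h(pw, salt)) is not None
    )
    print(f"salted hashes recovered: {salted_hits}")
```

The table is built once and reused against every unsalted hash, which is the "only needs to be done once" property quoted in the article; a per-file or per-user salt forces a separate table for each salt value.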

from the New York Times, 2006-Mar-27, by Steve Lohr and John Markoff:

Windows Is So Slow, but Why?

Back in 1998, the federal government declared that its landmark antitrust suit against the Microsoft Corporation was not merely a matter of law enforcement, but a defense of innovation. The concern was that the company was wielding its market power and its strategy of bundling more and more features into its dominant Windows desktop operating system to thwart competition and stifle innovation.

Eight years later, long after Microsoft lost and then settled the antitrust case, it turns out that Windows is indeed stifling innovation — at Microsoft.

The company's marathon effort to come up with a new version of its desktop operating system, called Windows Vista, has repeatedly stalled. Last week, in the latest setback, Microsoft conceded that Vista would not be ready for consumers until January, missing the holiday sales season, to the chagrin of personal computer makers and electronics retailers — and those computer users eager to move up from Windows XP, a five-year-old product.

In those five years, Apple Computer has turned out four new versions of its Macintosh operating system, beating Microsoft to market with features that will be in Vista, like desktop search, advanced 3-D graphics and "widgets," an array of small, single-purpose programs like news tickers, traffic reports and weather maps.

So what's wrong with Microsoft? There is, after all, no shortage of smart software engineers working at the corporate campus in Redmond, Wash. The problem, it seems, is largely that Microsoft's past success and its bundling strategy have become a weakness.

Windows runs on 330 million personal computers worldwide. Three hundred PC manufacturers around the world install Windows on their machines; thousands of devices like printers, scanners and music players plug into Windows computers; and tens of thousands of third-party software applications run on Windows. And a crucial reason Microsoft holds more than 90 percent of the PC operating system market is that the company strains to make sure software and hardware that ran on previous versions of Windows will also work on the new one — compatibility, in computing terms.

As a result, each new version of Windows carries the baggage of its past. As Windows has grown, the technical challenge has become increasingly daunting. Several thousand engineers have labored to build and test Windows Vista, a sprawling, complex software construction project with 50 million lines of code, or more than 40 percent larger than Windows XP.

"Windows is now so big and onerous because of the size of its code base, the size of its ecosystem and its insistence on compatibility with the legacy hardware and software, that it just slows everything down," observed David B. Yoffie, a professor at the Harvard Business School. "That's why a company like Apple has such an easier time of innovation."

Microsoft certainly understands the problem, the need to change and the potential long-term threat to its business from rivals like Apple, the free Linux operating system, and from companies like Google that distribute software as a service over the Internet.

In an internal memo last October, Ray Ozzie, chief technical officer, who joined Microsoft last year, wrote, "Complexity kills. It sucks the life out of developers, it makes products difficult to plan, build and test, it introduces security challenges and it causes end-user and administrator frustration."

Last Monday afternoon, James Allchin, the longtime engineering executive who leads the Vista team, held a meeting with 75 Windows managers and senior engineers to discuss the status of Vista. On Tuesday morning, Mr. Allchin met with a handful of his lieutenants and told them of the decision to push back the consumer introduction, a move that was announced publicly later that day, after the close of the stock market.

Brad Goldberg, a general manager of Windows program management, who attended the Tuesday morning meeting, said he was not surprised, because he had been involved in the decision. "But it's a different place than Microsoft a few years ago would have wound up," he said.

Like other Microsoft executives, Mr. Goldberg bristles at the notion that little innovative work has come out of the Windows group since XP. In the last five years, he said, Microsoft has released two versions of the Windows Tablet PC software intended for pen-based notebook computers, and four versions of Windows Media Center. To combat viruses plaguing Windows, much of the engineering team focused for 18 months on fixing security flaws for a downloadable "service pack" in 2004.

"The perception that nothing new has come out of the Windows group since XP is just so far from the truth," Mr. Goldberg said.

But last Thursday, Microsoft reorganized the management of its Windows division. Steven Sinofsky, 40, a senior vice president, was placed in charge of product planning and engineering for Windows and Windows Live, a new Web service that lets consumers manage their e-mail accounts, instant messaging, blogs, photos and podcasts in one site.

Mr. Sinofsky, a former technical assistant to Bill Gates, the Microsoft chairman, was one of the early people in the company to recognize the importance of the Internet in the 1990's. He comes to the Windows job from heading Microsoft's big Office division, where he was known for bringing out new versions of the Office suite — Word, Excel, PowerPoint, Outlook and other offerings — on schedule every two or three years.

The move is seen as an effort to bring greater discipline to the Windows group. "But this doesn't seem to do anything to address the core Windows problem; Windows is too big and too complex," said Michael A. Cusumano, a professor at the Sloan School of Management at the Massachusetts Institute of Technology.

The Vista delay, Microsoft executives said, was only a matter of a few more weeks to improve quality further, not attributable to any single flaw and done to make sure all its industry partners were ready when the product was introduced. Vista will be ready for large corporate customers in November, while the consumer rollout is being pushed back to January 2007.

Mr. Allchin conceded in an interview that the decision was "a bit painful," but he insisted it was the "right thing." Mr. Allchin, 54, will continue to work on Vista until it ships and then retire, as he said he would last year.

Microsoft will not say so, but antitrust considerations may have played a role in the decision that Mr. Allchin called the right thing to do. As part of its antitrust settlement, Microsoft vowed to treat PC makers even-handedly, after evidence in the trial that Microsoft had rewarded some PC makers with better pricing or more marketing help in exchange for giving Microsoft products an edge over competing software.

In the last few weeks, Microsoft met with major PC makers and retailers to discuss Vista. Hewlett-Packard, the second-largest PC maker after Dell, is a leader in the consumer market. Yet unlike Dell, Hewlett-Packard sells extensively through retailers, whose orders must be taken and shelves stocked. That takes time.

Hewlett-Packard, according to a person close to the company who asked not to be identified because he was told the information confidentially, informed Microsoft that unless Vista was locked down and ready by August, Hewlett-Packard would be at a disadvantage in the year-end sales season.

Vista was also held up because the project was restarted in the summer of 2004. By then, it became clear to Mr. Allchin and others inside Microsoft that the way they were trying to build the new version of Windows, then called Longhorn, would not work. Two years' worth of work was scrapped, and some planned features were dropped, like an intelligent data storage system called WinFS.

The new work, Microsoft decided, would take a new approach. Vista was built more in small modules that then fit together like Lego blocks, making development and testing easier to manage.

"They did the right thing in deciding that the Longhorn code was a tangled, hopeless mess, and starting over," said Mr. Cusumano of M.I.T. "But Vista is still an enormous, complex structure."

Skeptics like Mr. Cusumano say that fixing the Windows problem will take a more radical approach, a willingness to walk away from its legacy. One instructive example, they say, is what happened at Apple.

Remember that Steven P. Jobs came back to Apple because the company's effort to develop an ambitious new operating system, codenamed Copland, had failed. Mr. Jobs convinced Apple to buy his company Next Inc. for $400 million in December 1996 for its operating system.

It took Mr. Jobs and his team years to retool and tailor the Next operating system into what became Macintosh OS X. When it arrived in 2001, the new system essentially walked away from Apple's previous operating system, OS 9. Software applications written for OS 9 would run on an OS X machine, but only by firing up the old operating system separately.

The approach was somewhat ungainly, but it allowed Apple to move to a new technology, a more stable, elegantly designed operating system. The one sacrifice was that OS X would not be compatible with old Macintosh programs, a step Microsoft has always refused to take with Windows.

"Microsoft feels it can't get away with breaking compatibility," said Mendel Rosenblum, a Stanford University computer scientist. "All of their applications must continue to run, and from an architectural point of view that's a very painful thing."

It is also costly in terms of time, money and manpower. Where Microsoft has thousands of engineers on its Windows team, Apple has a lean development group of roughly 350 programmers and fewer than 100 software testers, according to two Apple employees who spoke on the condition that they not be identified.

And Apple had the advantage of building on software from university laboratories, an experimental version of the Unix operating system developed at Carnegie Mellon University and a free variant of Unix from the University of California, Berkeley. That helps explain why a small team at Apple has been able to build an operating system rich in features with nearly as many lines of code as Microsoft's Windows.

And Apple, which makes operating systems that run only on its own computers, does not have to work with the massive business ecosystem of Microsoft, with its hundreds of PC makers and thousands of third-party software companies.

That ballast is also Microsoft's great strength, and a reason industry partners and computer users stick with Windows, even if its size and strategy slow innovation. Unless Microsoft can pick up the pace, "consumers may simply end up with a more and more inferior operating system over time, which is sad," said Mr. Yoffie of the Harvard Business School.

from EWeek.com, 2006-Apr-4, by Ryan Naraine:

Microsoft Says Recovery from Malware Becoming Impossible

LAKE BUENA VISTA, Fla.—In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.

Offensive rootkits, which are used to hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

He cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. "In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast," Danseglio added.

Danseglio, who delivered two separate presentations at the conference—one on threats and countermeasures to defend against malware infestations in Windows, and the other on the frightening world of Windows rootkits—said anti-virus software is getting better at detecting and removing the latest threats, but for some sophisticated forms of malware, he conceded that the cleanup process is "just way too hard."

"We've seen the self-healing malware that actually detects that you're trying to get rid of it. You remove it, and the next time you look in that directory, it's sitting there. It can simply reinstall itself," he said.

"Detection is difficult, and remediation is often impossible," Danseglio declared. "If it doesn't crash your system or cause your system to freeze, how do you know it's there? The answer is you just don't know. Lots of times, you never see the infection occur in real time, and you don't see the malware lingering or running in the background."

He recommended using PepiMK Software's SpyBot Search & Destroy, Mark Russinovich's RootkitRevealer and Microsoft's own Windows Defender, all free utilities that help with malware detection and cleanup, and urged CIOs to take a defense-in-depth approach to preventing infestations.

Danseglio said malicious hackers are conducting targeted attacks that are "stealthy and effective" and warned that the for-profit motive is much more serious than even the destructive network worms of the past. "In 2006, the attackers want to pay the rent. They don't want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money.

"At Microsoft, we are fielding 2,000 attacks per hour. We are a constant target, and you have to assume your Internet-facing service is also a big target," Danseglio said.

Danseglio said the success of social engineering attacks is a sign that the weakest link in malware defense is "human stupidity."

"Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity," he said.

The most recent statistics from Microsoft's anti-malware engineering team confirm Danseglio's contention. In February alone, the company's free Malicious Software Removal Tool detected a social engineering worm called Win32/Alcan on more than 250,000 unique machines.

According to Danseglio, user education goes a long way to mitigating the threat from social engineering, but in companies where staff turnover is high, he said a company may never recoup that investment.

"The easy way to deal with this is to think about prevention. Preventing an infection is far easier than cleaning up," he said, urging enterprise administrators to block known bad content using firewalls and proxy filtering and to ensure security software regularly scans for infections.

from TheInquirer.net, 2006-Jan-19, by Guy Matthews:

Malware is getting nastier, says Fortinet
It's not just for fun any more

UTM VENDOR Fortinet says 2006 will see a huge rise in IM and mobile malware, as well as greater involvement by organized criminals and political and religious extremists.

It says its annual malware threat report studied a record number of viruses, worms, Trojans, phishes, blended threats and other IT security exploits over the last 12 months.

The revelations, authored by Fortinet's EMEA threat response team, include the growing scourge of threats proliferating among mobile devices - jamming functions, disabling address books and exhausting calling credit.

“Overall, mobile viruses and Trojans increased more than 500% to over 100 unique threats in 2005 compared to less than 20 in 2004,” said Guillaume Lovet, Team Leader of the Fortinet EMEA Threat Response Team. “As 'smart' mobile devices continue to revolutionise lifestyles and working practices, user adoption rate and targeted malicious threat activity will increase significantly -- eventually surpassing that of what we've seen with PCs. Increased awareness and specialised protection is required to combat these malicious threats.”

Other findings in the report include worrying trends of increased professionalism among hackers, and the rise of international marketplaces for hacking services. Whilst the more mature virus and worm-based threats continued to evolve during 2005, Fortinet also identified a return to historic hacking tactics such as the use of rootkits and individually targeted rather than mass outbreak attacks.

“Professional criminals can use malware to defraud businesses and individuals and then disappear before anyone knows,” says Lovet. “Malware has moved on from those seeking fun and glory to profit, and will, I predict, become the tool of extremists and fundamentalists.”

from TheInquirer.net, 2006-Jan-11, by Nick Farrell:

Microsoft patches without permission
Vole sparks another security row

WHILE SECURITY vendors were pleased that Microsoft swiftly patched its flaw in Windows last week, many are miffed at the Windows quirk Vole used to do it.

Users who have set their version of Windows to download any patch, but to ask permission before installing it, were shocked to see the Voleware install itself without asking.

According to Microsoft's documentation for Automatic Update, Administrative users should be allowed to delay the restart. This gives them time to save their work and remind other users to do the same.

That doesn't explain why XP machines and the odd server started to reboot themselves last week and had the patch installed when they came live again.

It seems that Microsoft had considered the installation so important, that it decided to take over everyone's computer to install it.

If this happened to you, you can have a good moan about it here.

from ArsTechnica.com, 2005-Feb-4, by Ken "Caesar" Fisher:

Why, oh why, does Windows suck?

San Francisco Gate columnist Mark Morford decided to make it a flamin' hot Friday by posting one of the hottest questions you can ask of Geekdom these days: "why does Windows still suck?" Of course, not everyone agrees that "Windows sucks," but Morford was horrified when his girlfriend's PC fell victim to a few exploits only minutes after finally getting on DSL. Of course, we've covered the honeypot to bot transformation before, but we haven't explicitly addressed the issue Morford raises:

Here, then, is my big obvious question: Why the hell do people put up with this? Why is there not some massive revolt, some huge insurrection against Microsoft? Why is there not a huge contingent of furious users stomping up to Seattle with torches and scythes and crowbars, demanding the Windows Frankenstein monster be sacrificed at the altar of decent functionality and an elegant user interface?

Straight up, I've got an honest answer for Morford. People simply react in different ways to the technology's failings because they're ambivalent about its use. A few people get royally fed up, and move to another platform. Among enthusiasts, it's often Linux, but sometimes MacOS. In my own experience consulting, the less technical tend to bail from Windows to the Mac, but that doesn't happen all that often. Some people decide to get their Windows learn on, and make sure they steer clear of problems. But any way you slice it, the majority of the desktop using populace stays on Windows. And, for the most part, they seem to accept their fate. (And I have often thought about how poorly timed the Apple Switcher ad campaign was... I suspect it would be doing rather well right now.)

Many users are of the opinion that the problem is not Microsoft, it's them. I call them the guilt group. They believe that they are not educated or experienced enough to properly maintain a computer, and they tend to view a computer's workings as quasi-magical. They get frustrated when things go wrong, but they also denigrate themselves in the process. When you service their computer, you're practically a shaman to them. They bow at your awesomeness, if not at your rates, and if they were happy with you, they'll probably call you again in 6 months when the next horrible event happens that they somehow managed to pull off, despite your previous work. Curiously, the guilt group is partially the same group that proves problematic in interface design, because they assume that the problem is them, and not the interface.

Another group is what I'd call the entitlement group. These are the people who expect something to work perfectly, in perpetuity, with little or no maintenance. There are two sub-groups here. The first are the technical elite entitlement types, who bemoan such failures but are quick to seek out solutions themselves. Then there's the I'm too important for this crap types, who are much chagrined by "technical mumbo jumbo," and they just want some underling or local neighborhood nerd to fix their problems, because dammit, it oughta be working, I paid for this! At the same time, they'll never leave the platform because the technical skills they have acquired are viewed as critical skill acquisitions that must be maintained for the sake of efficiency. If you guessed that I have a few professorial types in mind, you'd be right.

At the end of my broad, generic sociological report is the commodity group. There are a number of indifferent users out there who really look at a PC the way you and I may look at a toaster. Well, you plug it in, it does some stuff, and if it does it moderately well, then fine. I have friends in this group, and they frankly just don't care that they get pop-ups, spyware, whatever. If they can still do what they want to do, even if inconveniently, they're not bothered.

For better or for worse, Linux advocates and Apple have failed to attract these groups of users, and they have failed to send them a picture of a different way of computing. Instead, both seem mostly to rely on the assumption that disgruntled users will come looking for them, but that's not going to happen.

from SFGate.com, 2005-Feb-4, by Mark Morford:

Why Does Windows Still Suck?
Why do PC users put up with so many viruses and worms? Why isn't everyone on a Mac?

So about a year ago, the SO finally upgraded her Net connection to DSL, carefully installed the Yahoo! DSL software into her creaky Sony Vaio PC laptop and ran through all the checks and install verifications and appropriate nasty disclaimers.

And all seemed to go smoothly and reasonably enough considering it was a Windows PC and therefore nothing was really all that smooth or reasonable or elegant, but whatever. She just wanted to get online. Should be easy as 1-2-3, claimed the Yahoo! guide. Painless as tying your shoe, said the phone company.

She got online all right. The DSL worked great. For about four minutes.

Then, something happened. Something attacked. Something swarmed her computer the instant she tried to move around online and the computer slowed and bogged and cluttered and crashed, and multiple restarts and debuggings and what-the-hells brought up only a flood of nightmarish pop-up windows and terrifying error messages and massive system slowdowns and all manner of inexplicable claims of infestation of this worm and that Trojan horse and did we want to buy McAfee AntiVirus protection for $39.95?

Four minutes. And she was already DOA.

My SO, she is not alone. This exact same scenario, with only slight variation, is happening throughout the nation, right now. Are you using a PC? You probably have spyware. The McAfee site claims a whopping 91 percent of PCs are infected. As every Windows user knows, PCs are ever waging a losing battle with a stunningly vicious array of malware and worms and viruses, all aimed at exploiting one of about ten thousand security flaws and holes in Microsoft Windows.

Here, then, is my big obvious question: Why the hell do people put up with this? Why is there not some massive revolt, some huge insurrection against Microsoft? Why is there not a huge contingent of furious users stomping up to Seattle with torches and scythes and crowbars, demanding the Windows Frankenstein monster be sacrificed at the altar of decent functionality and an elegant user interface?

There is nothing else like this phenomenon in the entire consumer culture. If anything else performed as horribly as Windows, and on such a global scale, consumers would scream bloody murder and demand their money back and there would be some sort of investigation, class-action litigation, a demand for Bill Gates' cute little geeky head on a platter.

Here is your brand new car, sir. Drive it off the lot. Yay yay new car. Suddenly, new car shuts off. New car barely starts again and then only goes about 6 miles per hour and it belches smoke and every warning light on the dashboard is blinking on and off and the tires are screaming and the heater is blasting your feet and something smells like burned hair. You hobble back to the dealer, who only says, gosh, sorry, we thought you knew -- that's the way they all run. Enjoy!

Would you not be, like, that is the goddamn last time I buy a Ford?

I see it all around me. All Chronicle employees receive regular email warnings from our IT department about all sorts of viruses that are coming their way and aiming for company PCs. The AP tech newswires are full of tales of newly hatched viruses and worms and Trojan horses and insidious spyware programs sweeping networks and wreaking havoc on PCs and causing all manner of international problems, and all exploiting this or that serious flaw in the Windows OS.

Oh yes, the Serious Windows Flaw. This is astounding indeed. It seems not a month goes by that Gates & Co. isn't announcing yet another Microsoft Security Bulletin, one that could cause serious problems for users and networks and millions of Web sites alike, could compromise your personal data and make it very easy for any 10-year-old hacker to waltz right into your hard drive and swipe your credit card info and wipe out all your porn and read your secret emails to the babysitter and won't you please hurry over to Microsoft.com and download Major Windows Security Bug Fix #10-524-5b?

There have been not a few of these dire warnings. There have been dozens. Maybe hundreds. Each more dire and alarming than the last.

And with very few exceptions, every Mac owner everywhere on the planet simply looks at all this viral chaos and spyware noise and Microsoft apologia and shrugs. And smiles. And pretty much ignores it all outright, and gets back to work. (By the way, yes, I own a tiny handful of Apple stock. Do I need to advocate for Mac? Hardly. I'm already happy as can be thanks to the success of the brilliant, world-altering iPod.)

It's very simple. The Mac really has few, if any, known viruses or major debilitating anything, no spyware and no Trojans and no worms, and sure I've been affected by a couple email bugs over the years, but those were mostly related to my mail server and ISP. For the most part and for all intents and purposes, Macs are immune. Period.

I know of what I speak. I am not a novice. I've been using Macs almost daily for 15 years. I am online upward of 10-12 hours a day. I run multiple Net-connected programs at all times. I receive upward of 500 emails a day, much of it nasty spam that often comes with weird indecipherable attachments that try, in vain, to infiltrate my machine. My Mac just shrugs them off and keeps working perfectly. I dump them all in the trash and never look back.

I'm a power user. And I have yet to suffer a single debilitating virus or worm or spyware or malware whatsoever. Not one problem in 15 years, save the time I spilled water in the keyboard of my PowerBook and I took off the back and let it dry out for two days and it worked perfectly.

Oh, I know all the arguments as to why Macs aren't the dominant system in the world. I know Apple screwed up 20 years ago by not licensing its OS, and Gates stumbled in and made a killing by stealing the Mac's look and feel but mangling the actual usability and thus irritating about 150 million people for the next 20 years.

I know Macs are (well, were) more expensive, even though they're really not, when you finally jam that ugly cheapass Dell with enough video cards and sound cards and disk burners to make it comparable to a Mac that comes with all of it, standard.

I know Macs are not perfect, that there have been a handful of serious Apple security fixes over the years, and even a few rumored viruses and spyware apps (though rarely any reports of major server attacks or system shutdowns). I know Apple releases regular security updates of its own. The Mac is not flawless. But it's damn close.

And I know, finally, the argument that says that if the world was using Macs instead of PCs, the hackers would be attacking the Macs. It's a game of numbers, after all. Anti-Mac pundits always mutter the same thing as they install yet another PC bug fix: there just aren't enough Macs out there to warrant a hacker's attention.

Which is, of course, mostly bull. I'm no programmer, but I know what I read, and I know my experience: the Mac OS architecture is much more robust, much more solid, much more difficult to hack into. Apple's software is, by default, more sound and reliable, given its more stable core. (Sometime in the later '90s, a Mac org whose name I forget ran a rather amazing hacker competition: they offered a $13,000 cash prize to anyone in the world who could hack into the company's unprotected Mac server and alter the contest's home page in any way. Needless to say, no one ever could).

Perhaps there is something I'm missing. Maybe there's something I don't understand as to why there is not a massive rush of consumers and IT managers to dump PCs in favor of Macs (or even Linux OS). Surely thousands (millions?) of work-hours have been lost nationwide as tech departments spend untold months debugging and installing PC virus protections and keeping abreast of the latest and greatest worm to come down the pike, all due to Microsoft's lousy software.

Am I being unfair? Maybe. Hell, I'm sure Windows has its gnarled and wary defenders, war-torn and battle-tested folk who still insist that, because there's more software available for the Windows OS, it's somehow superior -- though I challenge them to name one significant, common activity the Mac can't do as well as, if not better than, PCs. For 97 percent of users in the world, Macs would be a more elegant and intuitive and appealing solution. Period.

So then. Here's hoping the new, incredibly affordable Mac Mini converts a hundred million people to Mac in the next year. Here's hoping the borderline illegal and monopolistic domination of Microsoft comes to an end in the next decade. Apple appears poised, finally, again, ready to take over the consumer world. Hell, thousands of glorious iPods have already infiltrated the Microsoft campus up in Redmond, causing MS management no end of humiliation and frustration. Can revolution be far behind?

And what about my SO's PC woes? Well, after her Vaio was so violently debilitated, and after being told by various experts that it would require nothing short of a complete (and very expensive) Windows system debugging and OS reinstall followed by a mandatory soak of the machine in a tub of bleach and then spraying it with a thick coat of road tar as she waved a burning effigy of Steve Ballmer over it while chanting the text of the Official Microsoft 'Screw You Sucker' Windows Troubleshooting Guide, she promptly dumped the useless hunk of sad landfill and bought herself a beautiful new iBook.

And of course, in a year of solid use, she has yet to have a single problem.

Oh wait. I take that back. She has had one nagging issue with her Mac. One program keeps crashing in the middle of her work, for no apparent reason. It is baffling and frustrating and makes you shake your head and want to scream.

The program in question? Microsoft Word.

from the Washington Post, 2005-Aug-23, p.D1, by Jonathan Krim, with Griff Witte contributing:

Hacker Steals Air Force Officers' Personal Information

Social Security numbers, birth dates and other private data on roughly 33,000 Air Force officers -- about half the branch's officer corps -- were stolen from a military computer database, the service informed its personnel late last week.

Officials of the Air Force Personnel Center, based at Randolph Air Force Base in San Antonio, said the intrusion occurred sometime in May or June, apparently by someone who used a legitimate user's log-in information to gain access to the system.

The exposed data did not include financial records, but contained such personal information as marital status, number of children and academic records. No incidents of identity fraud have been tied to the theft, the military said, but officers were warned that Social Security numbers could be used to get other private data.

Affected Air Force personnel were advised to monitor their credit reports closely.

The theft is the latest in a spate of data breaches over the past two years involving government agencies, universities, commercial firms and data brokers, resulting in the exposure of tens of millions of consumers to potential fraud.

The Air Force information was contained in an online system designed to help officers manage their assignments and careers. The Air Force detected the breach after "we determined that there was one individual who was reviewing a lot of these records . . . it was very uncharacteristic," Maj. Gen. Anthony F. Przybyslawski said in an interview.

The incident is being investigated by both military and civilian law-enforcement agencies. "We are conducting a wall-to-wall review of our personnel-related data systems to maximize the security of the systems," Przybyslawski wrote in a letter on Friday to Air Force personnel.

He wrote that the career-management system was shut down when the intrusion was discovered, but that personnel were not immediately notified pending an initial investigation.

The system was restored with enhanced security, the letter said, adding that "identity theft and other fraudulent uses of our resources steal from our operational budgets."

John E. Pike, director of GlobalSecurity.org, said the breach is part of a persistent problem with cyber-security that the Pentagon has been unable to overcome. While Pike said the military has a strong record of protecting classified information related to its mission, it has had less success guarding sensitive data about its people. "They have historically done much better at protecting operational systems than at protecting administrative systems," Pike said.

The problem, he said, is that the Pentagon doesn't make security for those systems a top priority. "Robust security can be expensive, and it can be annoying to implement," he said.

Three years ago, a San Diego security firm out to demonstrate vulnerabilities used the Internet to access government and military computers without authorization. Consultants for the firm used free, publicly available software to browse through files containing military procedures, e-mail, Social Security numbers and financial data.

In December, Bank of America lost tapes containing financial data on about 1.2 million federal employees, including some U.S. senators. About 900,000 of those exposed worked for the Department of Defense.

Bruce Schneier, chief technology officer for the security services company Counterpane Internet Security Inc., said the Air Force's problems are hardly surprising given the string of security breaches at commercial firms this year. He said that data security has been weak, "and the Pentagon is no different than ChoicePoint, CardSystems or Time Warner. People aren't taking it seriously, so this happens," he said.

Schneier said that while affected Air Force officers may be vulnerable to identity theft as a result of the intrusion, he doesn't think this breach is any more dangerous than others. Knowledge of an Air Force officer's Social Security number, he said, is unlikely to help the culprit get access to Air Force facilities or weaponry. "It takes a lot more than knowing who you are for that," he said.

from TheInquirer.net, 2005-Jun-24, by Nick Farrell:

Nuclear power plant leaks
Virus attack

CONFIDENTIAL data at two Japanese power plants has been leaked on the Internet.

Japan's government has promised to tighten its controls after an employee who was in charge of nuclear inspections was found to have been running a data sniffing virus for two years. His computer was infected with a virus that reveals data through the Winny file-sharing software.

It seems that confidential data on at least two facilities, the Tomari nuclear power plant in northern Japan and the Sendai plant in southern Japan, was leaked.

A somewhat red-faced chief cabinet secretary Hiroyuki Hosoda told hacks that yes he knew that nuclear plants were important facilities, and of course he knew there was a danger if data fell into the hands of terrorists.

According to Jiji Press, the list of what was taken included plant workers' names, detailed inspection results and pictures of inside the plants. According to New Zealand's National Business Review, the hack was not a simple "contractor downloads virus" yarn. The virus had apparently been operating for more than two years and seemed to have been put there to do slightly more than nick the contractor's address book.

from Reuters, 2005-Jul-1:

Bad keystroke leads to $251 million stock buy

A Taiwan stock trader mistakenly bought $251 million worth of shares with a misstroke of her computer keyboard, meaning her company is looking at a paper loss of more than $12 million and she is looking for a new job.

The trader with Fubon Securities miskeyed in a small order from Merrill Lynch on Monday, creating confusion when many small companies inexplicably surged past the 7 percent trading limit.

"Something like this is difficult to explain to superiors," a Fubon executive said Tuesday.

Fubon said that the trader was unfamiliar with new computer systems and will be fired. The company will also examine its procedures of placing orders, it said.

"There is a paper loss of more than $400 million (in Taiwan dollars)," the executive said.

"However, with a good outlook for stocks in the second half, there are no plans to sell the shares in the near term."

from TheInquirer.net, 2005-Mar-31, by Paul Hales:

Security software insecure
Holy antivirus!

ONLINE SECURITY firm Symantec said some of its anti-virus software has holes in it.

The company admitted its Norton Antivirus, Norton Internet Security and Norton System Works, 2004 and 2005 editions, were so flawed hackers could quite easily sneak in and knobble computers running the software.

Japan's Information-Technology Promotion Agency told Symantec about one situation with both Windows versions of Norton AntiVirus 2004 and 2005, where a real-time scan of a specific file type can cause the Blue Screen of Death to appear.

The programs' Auto-Protect and SmartScan features were found to be faulty and susceptible to Denial of Service attacks.

Red-faced company engineers released patches for the holes and distributed updates to users of its LiveUpdate automatic update service.

Symantec said it assessed the Risk Impact of the discoveries as low. Here's Symantec's security response.

from the New York Times, 2005-Jun-18, by Eric Dash and Tom Zeller Jr.:

MasterCard Says 40 Million Files Are Put at Risk

MasterCard International reported yesterday that more than 40 million credit card accounts of all brands might have been exposed to fraud through a computer security breach at a payment processing company, perhaps the largest case of stolen consumer data to date.

MasterCard said its analysts and law enforcement officials had identified a pattern of fraudulent charges that were traced to an intrusion at CardSystems Solutions of Tucson, Ariz., which processes more than $15 billion in payments for small to midsize merchants and financial institutions each year.

About 20 million Visa and 13.9 million MasterCard accounts were compromised; the other accounts belonged to American Express or Discover cardholders. The accounts affected included credit cards and certain kinds of debit cards. The F.B.I. said it was investigating.

A MasterCard spokeswoman, Sharon Gamsin, said an infiltrator had managed to place a computer code or script on the CardSystems network that made it possible to extract information. She would not elaborate on how long the breach might have lasted, on when the inquiry began or on whether any infiltrators had been identified. She did say that the breach occurred this year.

Deborah McCarley, a spokeswoman for the F.B.I. field office in Phoenix, said that her agency was trying to establish the scope of the breach and that "the investigation is just beginning."

MasterCard said its investigation found that CardSystems, in violation of MasterCard's rules, was storing cardholders' account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the bank handling the merchants' transactions but not retained by CardSystems.

Bill Reeves, a CardSystems spokesman, said last night that "there is quite a bit of transactional data that goes back and forth," but he declined to say whether the company was inappropriately storing data, as MasterCard indicated.

There were conflicting accounts on how the investigation began. CardSystems said it identified a potential problem on May 22 or May 23 and contacted the F.B.I., then the Visa and MasterCard associations. It said steps were taken immediately to ensure all systems were secure.

MasterCard said the investigation began when it was notified by several banks that they had detected atypical levels of fraudulent charges. In turn, MasterCard began monitoring information from the accounts for common purchasing points. Using data-analysis systems, it was able to focus on an unspecified bank receiving spending data from merchants.

"When we started to dig into it, working with the bank and working with their systems, we detected it couldn't be them and basically triangulated at the process and arrived at CardSystems Solutions," said John Brady, MasterCard's head of merchant risk services. MasterCard said it then began working with CardSystems, the other payment networks like Visa, banks and law enforcement personnel.

Visa said in a statement that it had been aware of the data breach but kept quiet at the request of the authorities. Discover and American Express said they recently learned of the breach and had been closely monitoring accounts.

Mr. Brady of MasterCard said CardSystems was "no longer storing the sensitive data."

MasterCard said an unauthorized person was able to exploit the security vulnerability and gain access to CardSystems' network, exposing cardholders' names, account numbers and expiration dates as well as the security code, typically three or four digits also printed on the credit card.

"The processing companies are hubs for millions of payment records," which could be infiltrated as information passes through, said Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center, a digital rights group based in Washington. "It is the juiciest target for an individual who wants account numbers. It is a honeypot for identity thieves."

MasterCard said other personal data that might contribute to identity theft, like Social Security numbers and dates of birth, was not stored on its cards and therefore not at risk. And it said credit card holders would not be liable for any fraudulent charges to their accounts.

The credit card industry is organized in a complicated way so that a consumer's transaction makes several stops before a shop owner gets paid. When a customer swipes a credit card, the information travels from the merchant's terminal to the merchant's bank along an electronic network, like Visa or MasterCard.

In the process, a third-party processor, like CardSystems, serves as a router, recording the payment at the merchant's terminal before sending it along to the merchant's bank so the shop gets paid.

Officials at major card issuers said they were still assessing the scope of the problem.

Janis Tarter, a spokeswoman for Citigroup's credit card division, said her company would notify customers likely to be at risk and more closely monitor any accounts that might have been affected. A Chase Card spokesman said his company was taking similar steps.

Although 40 million accounts were said to have been put at risk, it is not clear whether data on all of those accounts, or only some, was actually stolen. Nor would MasterCard and investigators detail the number of individuals affected or dollar amounts involved in any of the fraud.

The breach is by far the largest in a relentless string of recent security failures. Last week, the financial giant Citigroup announced that nearly four million consumer records, stored on magnetic computer tapes, had been lost during a shipment by United Parcel Service to a credit reporting agency. The tapes were not encrypted and they have not been found.

The growing concern over many of these breaches has been that information like Social Security numbers, names, addresses and dates of birth can be used to open new lines of credit, secure loans and otherwise engage in identity theft.

But the account numbers exposed in the most recent incident are the real lingua franca of cybercriminals, who either use them to purchase stolen goods, secure cash advances or sell the numbers in bulk at underground sites on the Internet.

Three of the most notorious online sites engaged in credit card fraud and peddling, known as ShadowCrew, DarkProfits and Carder Planet, were taken down in an extensive F.B.I. investigation.

Other sites - often based in Russia and other parts of the former Soviet Union - continue to thrive, and "dumps" of card numbers are routinely advertised, bought and sold.

It is far from clear where the CardSystems data was being siphoned to, but Mark Rasch, senior vice president of Solutionary, said the breach appeared to be particularly savvy.

"We've seen data security breaches involving computer viruses and worms," Mr. Rasch said, "but not typically at a processor. What's unique about this is that it appears to be a very targeted attack, which makes it sound very clever and insidious."

from TheInquirer.net, 2005-Jun-23:

People scared of banking and buying online
While newspaper buys credit card details

A GARTNER REPORT said that continuing raids on financial databases and online fraud are dissuading many people from buying and banking online.

That coincides with a report in today's Sun which claimed that it's easy and cheap to buy passwords, credit card numbers and the rest from corrupt staff at Indian call centres.

The newspaper said that an Indian IT worker offered one of its reporters thousands of names, credit card numbers, and passport details.

Banks involved include HSBC, according to the Sun.

The Gartner report, according to today's Wall Street Journal, claims 42 per cent of shoppers and 28 per cent of people using banking are restricting their online activities. That means that unless such data is better protected, online firms will take a financial hit.

The survey reckons that half of the USA's 148 million net users have had "phishing" emails - an attempt to gull people by luring them to sites masquerading as banks and other financial institutions.

from the Washington Post, 2005-Apr-9, p.E1, by Jonathan Krim:

States Scramble To Protect Data
Dozens of Privacy Bills Introduced After Spate of Security Breaches

Legislatures in more than two dozen states are considering ways to give consumers more control over personal information that is collected and sold by private firms, but many of the proposals are drawing fire from financial services companies.

Bills are on the table in 28 states responding to a series of high-profile security breaches at information brokers, banks and universities that so far this year have resulted in more than 1 million Social Security numbers, driver's license numbers, names and addresses falling into the hands of potential identity thieves.

In the most recent case, a medical group in San Jose announced yesterday that records on roughly 185,000 current and former patients may have been exposed after two of its computers were stolen.

The state activity is being closely tracked on Capitol Hill, where several House and Senate members have introduced or are preparing identity theft legislation.

Generally, the various state bills do not target how thieves are obtaining data, through hacking, fraud or other means. But consumer groups and privacy advocates, who are championing many of the initiatives, say they would help shield consumers from the havoc and damage that identity theft can cause.

One group of bills would allow consumers to "freeze" their credit reports so that sensitive data could not be given out to anyone without permission from the individual each time the data were requested.

Identity thieves often strike by obtaining a piece of private information, such as a Social Security number, and then using it to establish credit and make purchases.

Credit-freeze bills are moving through legislatures in about 20 states. In some cases, any consumer could order a freeze at any time. In other states, only people whose data have been breached would have that option.

"For years consumers have been told to take steps to protect their data by buying personal shredders and changing their passwords," said Kerry Smith, senior consumer attorney with state Public Interest Research Groups. "But, as the ChoicePoint and other scandals demonstrate, consumers have little control over their personal information. With the security freeze in place, consumers would be able to lock identity thieves out of their credit files."

Trade groups representing banks, mortgage brokers and credit bureaus are lobbying hard to defeat the freeze idea, arguing that it would cause consumers unforeseen headaches.

Since a consumer could not remove a freeze instantly -- because the request would have to be verified and processed -- some opportunities for the consumer to make purchases or do other business might be temporarily affected.

"Consumers may say they want the choice, and may exercise the choice, but they don't often realize the consequences," said Nessa Feddis, senior policy counsel with the American Bankers Association. "They may not realize that a freeze will slow a credit application. It may also delay job applications, apartment rental applications, insurance applications."

Norman Magnuson, a spokesman for the trade group that represents the three large companies that maintain credit reports on Americans, said that few consumers have used freezes in the three states that already have such laws, California, Vermont and Texas.

Robert Armbruster, president of the National Association of Mortgage Brokers, said consumers can already place fraud alerts in their credit files, which put financial agencies on notice to be especially cautious. There are fees for alerts and freezes.

Gail Hillebrand, a senior attorney with Consumers Union, countered that most consumers contemplate job moves or major purchases such as homes or cars long enough in advance that they can lift their credit freeze in plenty of time. And fraud alerts do not prevent data from being transferred.

"It would be more convenient if we left our front doors unlocked at all times, but most of us don't choose to do that," she said. "Unfortunately, the neighborhood for information is starting to look like the neighborhoods where we live."

The large information brokers, such as ChoicePoint and LexisNexis, have not taken positions on credit freezes. Industry representatives say they also favor a federal solution rather than a patchwork of state laws.

Other bills moving in more than 20 states, including Virginia and Maryland, require organizations to notify consumers if breaches occur.

Some of the bills waive the requirement if internal investigations show that it is unlikely that the security breach will result in identity theft.

That system was recently adopted for banks and savings and loans, and is supported by both industry and Deborah Platt Majoras, head of the Federal Trade Commission.

Consumer groups say the exemption is a loophole that will allow organizations to evade disclosure, since they may not know for sure whether thieves obtained enough data to cause trouble.

from CNET News.com, 2005-May-4, by Munir Kotadia:

U.S. military security defeated by copy and paste

Experts are warning people to be careful with electronic documents that contain sensitive data after a breach in which classified U.S. military information thought to be hidden in a PDF document was uncovered.

Portions of the document had been "blacked out" by electronic means. But apparently, it was possible for outsiders to copy and paste the blacked-out sections into another file--and see the text that had been hidden.

The document is a report written after an investigation into the death of Italian citizen Nicola Calipari at a checkpoint in Iraq. It contains both classified and unclassified information about what happened at the traffic control points in Baghdad on March 4, the day of the incident. The U.S. military has since removed the document from the Internet, but not before it was copied and republished on several Web sites.

The military apparently made an error when it chose to use an electronic technique for obscuring certain words and paragraphs from the original document. (According to a report by the Associated Press, a representative of Adobe Systems, owner of the PDF format, has suggested that whoever attempted to censor the report did so by placing black rectangles over the text in question, rather than deleting the text.)

The technique used would indeed have protected the data if the document were being read online or printed. However, by an attacker selecting the blacked-out text and using the copy and paste functions, he or she could easily reproduce the document in its entirety on any word-processing application.

Samia Rauf, director at document security specialist Workshare in Asia-Pacific, said this kind of mistake is common--the information was hidden but not removed.

"(The military) had blacked out the text but not protected the document at the perimeter level," Rauf said.

According to Rauf, the problems associated with hidden data are not restricted to the PDF format.

She said it is actually far more common for people to make this type of mistake when using an application like Microsoft Word.

"Every single Word document contains metadata, but the scary thing is that 90 percent of the population don't know it exists," Rauf said. "Metadata has a useful purpose. If a document crashes, you can do an autorecover and it will bring everything back for you.

"Anyone can make this mistake--we heard a story about a law firm losing its clients because documents went out with 'track changes' enabled."
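A check for the failure described in the article above, as an added example that is not part of the CNET report: it scans a simplified, uncompressed PDF content stream for text whose origin sits under a rectangle that was filled after the text was drawn. The two streams are constructed samples, and the parser is a teaching simplification that ignores `cm`/`Tm` transforms, nested parentheses and compressed streams.

```python
import re

# Tokens of a simplified, uncompressed PDF content stream.
TOKEN = re.compile(r"""
    \((?:\\.|[^\\()])*\)        # literal string operand (nested parentheses not handled)
  | /[^\s()<>\[\]/]+            # name operand such as /F1
  | [-+]?(?:\d+\.?\d*|\.\d+)    # numeric operand
  | [A-Za-z*'"]+                # operator such as BT, Td, Tj, re, f
""", re.VERBOSE)

FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}  # operators that fill the current path
END_PATH_OPS = {"n", "S", "s"}                     # path ends without being filled


def text_under_fills(stream):
    """Return strings still present in the stream whose text origin lies
    inside a rectangle that is filled later (that is, painted on top)."""
    operands, pending, fills, texts = [], [], [], []
    x = y = 0.0
    for order, tok in enumerate(TOKEN.findall(stream)):
        if tok[0] in "(/+-." or tok[0].isdigit():
            operands.append(tok)
            continue
        if tok == "BT":                       # a text object starts at the origin
            x = y = 0.0
        elif tok == "Td" and len(operands) >= 2:
            x += float(operands[-2])          # Td offsets the start of the line
            y += float(operands[-1])
        elif tok == "Tj" and operands and operands[-1].startswith("("):
            shown = re.sub(r"\\(.)", r"\1", operands[-1][1:-1])
            texts.append((order, x, y, shown))
        elif tok == "re" and len(operands) >= 4:
            rx, ry, w, h = (float(v) for v in operands[-4:])
            pending.append((min(rx, rx + w), min(ry, ry + h), abs(w), abs(h)))
        elif tok in FILL_OPS:                 # the pending rectangles get painted
            fills += [(order, r) for r in pending]
            pending = []
        elif tok in END_PATH_OPS:
            pending = []
        operands = []

    exposed = []
    for t_order, tx, ty, shown in texts:
        for f_order, (rx, ry, w, h) in fills:
            if f_order > t_order and rx <= tx <= rx + w and ry <= ty <= ry + h:
                exposed.append(shown)
                break
    return exposed


# Constructed sample: the second sentence is drawn, then a black box is painted over it.
OVERLAID = """
BT /F1 12 Tf 72 700 Td (Constructed unclassified summary line) Tj ET
BT /F1 12 Tf 72 680 Td (Constructed sensitive sentence) Tj ET
0 0 0 rg
70 676 300 16 re f
"""

# Constructed sample: the text operators were deleted before the box was drawn.
REDACTED = """
BT /F1 12 Tf 72 700 Td (Constructed unclassified summary line) Tj ET
0 0 0 rg
70 676 300 16 re f
"""

if __name__ == "__main__":
    for name, stream in (("overlaid", OVERLAID), ("redacted", REDACTED)):
        leaked = text_under_fills(stream)
        print(f"{name}: {'FAIL ' + repr(leaked) if leaked else 'ok, nothing under the boxes'}")
```
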

from the New York Daily News, 2005-Feb-21, by Joanna Molloy and Jane H. Furse:

Paris' li'l black book is hacked

The Internet is not kind to Paris Hilton.

The vampy hotel heiress has already seen her infamous sex tape with an ex-boyfriend spread across cyberspace.

Now hackers have apparently put the entire contents of her cell phone on the Web - including the numbers of her famous friends, whose phones started ringing off the hook Saturday night.

"I got 100 calls in two hours," said Victoria Gotti. "I didn't want to take the phones off the hook because my oldest son was out on a date.

"This went on all night," said the peeved reality TV star and writer. "Finally, at 5:30 a.m., I took them off the hook. This morning, I put them back on and they started ringing immediately. It's driving me insane."

It was unclear last night how the names and numbers got posted, but they appeared just days after a techno-crook pleaded guilty to hacking his way into T-Mobile last fall, gaining access to millions of customers, including Paris Hilton's T-Mobile Sidekick account.

The hacker, Nicolas Jacobsen, 22, reportedly pleaded guilty to one count of breaking into a protected computer Tuesday.

Jacobsen and other computer crooks apparently entertained themselves by raiding the Sidekick files of celebrities.

William Genovese, 27, another hacker facing unrelated charges, told the online newsletter securityfocus.com that Jacobsen had candid photos of Hilton, Demi Moore, Ashton Kutcher and Nicole Richie that the celebrities had snapped with their cell phone cameras.

Jacobsen's activities surfaced as part of a Secret Service crackdown on Internet fraud last October.

According to court papers, Jacobsen didn't just spy on celebs after he hacked into servers at T-Mobile. He also allegedly monitored Secret Service E-mail, and snatched passwords, Social Security and cell phone numbers from many of the wireless giant's customers. He allegedly used the online moniker "Ethics" to post the information.

FBI officials could not be reached for comment last night.

from the Associated Press, 2005-Feb-16:

Agencies earn D-plus on computer security

WASHINGTON - The overall security of computer systems inside the largest U.S. government agencies improved marginally since last year but still merits only a D-plus on the latest progress report from Congress.

The departments of Transportation, Justice and the Interior made remarkable improvements, according to the rankings, which were compiled by the House Government Reform Committee and based on reports from each agency's inspector general.

But seven of the 24 largest agencies received failing grades, including the departments of Energy and Homeland Security. The Homeland Security Department encompasses dozens of agencies and offices previously elsewhere in government but also includes the National Cyber Security Division, responsible for improving the security of the country's computer networks.

"Several agencies continue to receive failing grades, and that's unacceptable," said Rep. Tom Davis, R-Va., the committee's chairman. "We're also seeing some exceptional turnarounds."

Davis said troubling areas included lax security at federal contractor computers, which could be used to break into government systems; a lack of contingency plans for broad system failures and little training available for employees responsible for security.

The Transportation Department improved from a D-plus to an A-minus; the Interior Department, which failed last year, improved to a C-plus; and the Justice Department rose from a failing grade to B-minus.

The poor grades effectively dampen efforts by U.S. policy makers to impose new laws or regulations to compel private companies and organizations to enhance their own security. Industry groups have argued that the government needs to improve its own computer security before requiring businesses to make such changes.

from National Review, 2004-Sep-13, by John Fund:

Democracy Imperiled
America's election problems.

EDITOR'S NOTE: This is the introduction of John Fund's new book, Stealing Elections: How Voter Fraud Threatens Our Democracy, released today from Encounter Books.

Our nation may be on the brink of repeating the 2000 Florida election debacle, but this time in several states, with allegations of voter fraud, intimidation and manipulation of voting machines added to the generalized chaos that sent our last presidential contest into overtime. There is still time to reduce the chance of another electoral meltdown, both this year and in future years. But this will not happen unless we acknowledge that the United States has a haphazard, fraud-prone election system befitting an emerging Third World country rather than the world's leading democracy.

With its hanging chads, butterfly ballots and Supreme Court intervention, the Florida fiasco compelled this country to confront an ugly reality: that we have been making do with what noted political scientist Walter Dean Burnham has called "the modern world's sloppiest electoral systems." How sloppy? Lethally so. At least eight of the nineteen hijackers who attacked the World Trade Center and the Pentagon were actually able to register to vote in either Virginia or Florida while they made their deadly preparations for 9/11.

The 2000 recount was more than merely a national embarrassment; it left a lasting scar on the American electoral psyche. A recent Zogby poll found that 38 percent of Americans still regard the 2000 election outcome as questionable. Many Republicans believe that Democratic judges on the Florida Supreme Court tried to hand their state to Al Gore based on selective partisan recounts and the illegal votes of felons and aliens. Many Democrats feel that the justices of the U.S. Supreme Court tilted toward Bush, and they refuse to accept his victory as valid. But this issue transcends "red state" vs. "blue state" partisan grievances. Many Americans are convinced that politicians can't be trusted to play by the rules and will either commit fraud or intimidate voters at the slightest opportunity.

Indeed, the level of suspicion has grown so dramatically that it threatens to undermine our political system. Nearly 10 percent of Americans believe their votes are not counted accurately, and almost as many worry that this is the case, according to a July 2004 poll by John Zogby. A Rasmussen Research poll in June found that 44 percent of Americans were either very or somewhat worried that a Florida-style mess could happen again in 2004. This growing cynicism diminishes respect for the nation's institutions and lowers voter participation. Only 11 percent of the 18- to 19-year-olds eligible to vote for the first time now bother to go to the polls. The United States ranks 139th out of 163 democracies in the rate of voter participation. The more that voting is left to the zealous or self-interested few, the more we see harshly personal campaigns that dispense with any positive vision of our national future. "If this escalates, we're in horrendous shape as a country," says Curtis Gans, who runs the Committee for the Study of the American Electorate. "If election results are followed by lawsuits, appeals, fire and counterfire, many people who are already saying to hell with the process are going to exit."

The 2000 election resulted in some modest reforms, such as the federal Help America Vote Act, but the implementation has been so slow. Only $670 million of the promised $3.9 billion in grants to upgrade technology, cull voter rolls and enhance training had been dispersed to the states as of May 2004. This means that the nation's voting systems will be in no better shape this November than they were in 2000, when about 2 percent of all votes for president nationwide weren't counted for one reason or another, the vast majority because of voter error or outdated machines.

America's election problems go beyond the strapped budgets of many local election offices. More insidious are flawed voter rolls, voter ignorance, lackadaisical law enforcement and a shortage of trained volunteers. All this adds up to an open invitation for errors, miscounts or fraud.

Reform is easy to talk about, but difficult to bring about. Many of the suggested improvements, such as requiring voters to show ID at the polls, are bitterly opposed. For instance, Maria Cardona, spokeswoman for the Democratic National Committee, claims that "ballot security and preventing voter fraud are just code words for voter intimidation and suppression." Even improved technology is controversial. This November, around fifty million Americans will be using electronic voting machines similar to ATM machines, and some computer scientists are alarmed by the possibility that hackers could change the software to cast multiple votes or do other kinds of mischief. Both Democratic senator Hillary Clinton and GOP representative Steve King of Iowa are backing separate pieces of legislation to require that machines issue paper receipts for voters to verify before casting their ballots. But the legislation hasn't even had a hearing and only Nevada will have paper receipts in place by the fall 2004 election.

Confusion and claims of fraud are likely this time around, especially if the election is as close as it was in 2000. Can the nation take another Florida-style controversy?

Indeed, we may be on the way to turning Election Day into Election Month through a new legal quagmire: election by litigation. Every close race now carries with it the prospect of demands for recounts, lawsuits and seating challenges in Congress. "We're waiting for the day that pols can just cut out the middleman and settle all elections in court," jokes Chuck Todd, editor of the political tip sheet Hotline. Such gallows humor may be entirely appropriate given the predicament we face. The 2000 election may have marked a permanent change in how elections can be decided, much as the battle over the Supreme Court nomination of Robert Bork changed, apparently forever, the politics of judicial appointments. On April 19, 2004, John Kerry campaigned in Florida with Senator Joe Lieberman, the 2000 Democratic vice presidential candidate, and vowed — six months before a single ballot was cast, counted or disputed — that he was ready to take the 2004 election to court. "We are going to bring legal challenge to those districts that make it difficult for people to register. We're going to bring challenge to those people that disenroll people," he told a rally. "And we're going to challenge any place in America where you cannot trace the vote and count the votes of Americans. Period!" Democrats plan to have over ten thousand lawyers on the ground in all states this November, ready for action if the election is close and they see a way to contest it. "If you think of election problems as akin to forest fires, the woods are no drier than they were in 2000, but many more people have matches," says Doug Chapin of Electionline.org, an Internet clearinghouse of election news. If the trend toward litigation continues, winners in the future may have to hope not only that they win but that their margins are beyond "the margin of litigation."

Some of the sloppiness that makes fraud and foul-ups in election counts possible seems to be built into the system by design. The "Motor Voter Law," the first piece of legislation signed into law by President Clinton upon entering office, imposed fraud-friendly rules on the states by requiring driver's license bureaus to register anyone applying for licenses, to offer mail-in registration with no identification needed, and to forbid government workers to challenge new registrants, while making it difficult to purge "deadwood" voters (those who have died or moved away). In 2001, the voter rolls in many American cities included more names than the U.S. Census listed as the total number of residents over age eighteen. Philadelphia's voter rolls, for instance, have jumped 24 percent since 1995 at the same time that the city's population has declined by 13 percent. CBS's 60 Minutes created a stir in 1999 when it found people in California using mail-in forms to register fictitious people, or pets, and then obtaining absentee ballots in their names. By this means, for example, the illegal alien who assassinated the Mexican presidential candidate Luis Donaldo Colosio was registered to vote in San Pedro, California — twice.

Ironically, Mexico and many other countries have election systems that are far more secure than ours. To obtain voter credentials, the citizen must present a photo, write a signature and give a thumbprint. The voter card includes a picture with a hologram covering it, a magnetic strip and a serial number to guard against tampering. To cast a ballot, voters must present the card and be certified by a thumbprint scanner. This system was instrumental in allowing the 2000 election of Vicente Fox, the first opposition party candidate to be elected president in seventy years.

But in the United States, at a time of heightened security and mundane rules that require citizens to show ID to travel and even rent a video, only seventeen states require some form of documentation in order to vote. "Why should the important process of voting be the one exception to this rule?" asks Karen Saranita, a former fraud investigator for a Democratic state senator in California. Americans agree. A Rasmussen poll finds that 82 percent of Americans, including 75 percent of Democrats, believe that "people should be required to show a driver's license or some other form of photo ID before they are allowed to vote."

The reason for such support is that citizens instinctively realize that some people will be tempted to cut corners in the cutthroat world of politics. "Some of the world's most clever people are attracted to politics, because that's where the power is," says University of Virginia political scientist Larry Sabato. "So they're always going to be one step ahead of the law."

Election fraud, whether it's phony voter registrations, illegal absentee ballots, shady recounts or old-fashioned ballot-box stuffing, can be found in every part of the United States, although it is probably spreading because of the ever-so-tight red state/blue state divisions that have polarized the country and created so many close elections lately. Although most fraud is found in urban areas, there are current scandals in rural South Dakota and Texas. In recent years, Baltimore, Philadelphia, New Orleans and Milwaukee have all had election-related scandals. Wisconsin officials convicted a New York heiress working for Al Gore of giving homeless people cigarettes if they rode in a van to the polls and voted. The Miami Herald won a Pulitzer Prize in 1999 for uncovering how "vote brokers" employed by candidate Xavier Suarez stole a mayoral election by tampering with 4,740 absentee ballots. Many were cast by homeless people who didn't live in the city and were paid $10 apiece and shuttled to the elections office in vans. All of the absentee ballots were thrown out by a court four months later and Mr. Suarez's opponent was installed as mayor.

But such interventions are rare, even when fraud is proven. In 1997, the House of Representatives voted along partisan lines to demand that the Justice Department prosecute Hermandad Mexicana Nacional, a group that investigators for the House Administration Committee say registered hundreds of illegal voters in a razor-thin congressional race in Orange County, California. But federal immigration officials refused to cooperate with the probe, citing "privacy" concerns, and nothing was done beyond yanking a federal contract that paid Hermandad to conduct citizenship classes. The same year, a U.S. Senate probe into fraud in a Senate race in Louisiana found more than 1,500 cases in which two voters used the same Social Security number. But further investigations collapsed after Democratic senators walked off the probe, calling it unfair, and then Attorney General Janet Reno removed FBI agents from the case because the probe wasn't "bipartisan."

A note about partisanship: Since Democrats figure prominently in the vast majority of examples of election fraud described in Stealing Elections, some readers will jump to the conclusion that this is a one-sided attack on a single party. I do not believe Republicans are inherently more virtuous or honest than anyone else in politics, and I myself often vote Libertarian or independent. Voter fraud occurs in both Republican strongholds such as Kentucky hollows and Democratic bastions such as New Orleans. When Republicans operated political machines such as Philadelphia's Meehan dynasty up until 1951 or the patronage mill of Nassau County, New York, until the 1990s, they were fully capable of bending — and breaking — the rules. Earl Mazo, the journalist who exhaustively documented the election fraud in Richard Daley's Chicago that may have handed Illinois to John F. Kennedy in the photo-finish 1960 election, says there was also "definitely fraud" in downstate Republican counties "but they didn't have the votes to counterbalance Chicago."

While they have not had the control of local and administrative offices necessary to tilt the rules improperly in their favor, Republicans have at times been guilty of intimidation tactics designed to discourage voting. In the 1980s, the Republican National Committee hired off-duty policemen to monitor polling places in New Jersey and Louisiana in the neighborhoods of minority voters, until the outcry forced them to sign a consent decree forswearing all such "ballot security" programs in the future.

In their book Dirty Little Secrets, Larry Sabato and co-author Glenn Simpson of the Wall Street Journal noted another factor in why Republican election fraud is less common. Republican base voters are middle-class and not easily induced to commit fraud, while "the pool of people who appear to be available and more vulnerable to an invitation to participate in vote fraud tend to lean Democratic." Some liberal activists that Sabato and Simpson interviewed even partly justified fraudulent electoral behavior on the grounds that because the poor and dispossessed have so little political clout, "extraordinary measures (for example, stretching the absentee ballot or registration rules) are required to compensate." Paul Herrison, director of the Center for American Politics at the University of Maryland, agrees that "most incidents of wide-scale voter fraud reportedly occur in inner cities, which are largely populated by minority groups."

Democrats are far more skilled at encouraging poor people — who need money — to participate in shady vote-buying schemes. "I had no choice. I was hungry that day," Thomas Felder told the Miami Herald in explaining why he illegally voted in a mayoral election. "You wanted the money, you were told who to vote for." Sometimes it's not just food that vote stealers are hungry for. A former Democratic congressman gave me this explanation of why voting irregularities more often crop up in his party's back yard: "When many Republicans lose an election, they go back into what they call the private sector. When many Democrats lose an election, they lose power and money. They need to eat, and people will do an awful lot in order to eat."

Investigations of voter fraud are inherently political; and because they often involve race, they are often not zealously pursued or prosecuted. Attorney General John Ashcroft did launch a Voter Integrity Program in 2002, which dramatically reduced both Republican allegations of fraud and Democratic complaints of suppressed minority votes. But many federal and state prosecutors remain leery of tackling fraud or intimidation. After extensive research, I can report that while voting irregularities are common, the number of people who have spent time in jail as a result of a conviction for voter fraud in the last dozen years can be counted on the fingers of one hand.

The U.S. attorney for northern Louisiana, Donald Washington, admits that "most of the time, we can't do much of anything [about ballot-box improprieties] until the election is over. And the closer we get to the election, the less willing we are to get involved because of just the appearance of impropriety, just the appearance of the federal government somehow shading how this election ought to occur." Several prosecutors told me they fear charges of racism or of a return to Jim Crow voter suppression tactics if they pursue touchy fraud cases. Wade Henderson of the Leadership Conference on Civil Rights calls efforts to fight election fraud "a solution in search of a problem" and "a warmed-over plan for voter intimidation."

But when voters are disfranchised by the counting of improperly cast ballots or outright fraud, their civil rights are violated just as surely as if they were prevented from voting. The integrity of the ballot box is just as important to the credibility of elections as access to it. Voting irregularities have a long pedigree in America, stretching back to the founding of the nation — though most people thought the "bad old days" had ended in 1948 after pistol-packing Texas sheriffs helped stuff Ballot Box 13, stealing a U.S. Senate seat and setting Lyndon Johnson on his road to the White House. Then came the 2004 primary election, when Representative Ciro Rodriguez, a Democrat, charged that during a recount, a missing ballot box appeared in south Texas with enough votes to make his opponent the Democratic nominee by 58 votes.

Political bosses such as Richard Daley or George Wallace may have died, but they have successors. A one-party machine in Hawaii intimidates critics and journalists who question its vote harvesting among noncitizens. In 1998, a former Democratic congressman named Austin Murphy was convicted in Pennsylvania of absentee ballot fraud. The Democratic county supervisor who uncovered this scandal, Sean Cavanaugh, was so ostracized by his party that he re-registered as an independent.

Even after Florida 2000, the media tend to downplay or ignore stories of election incompetence, manipulation or theft. Allowing such abuses to vanish into an informational black hole in effect legitimates them. The refusal to insist on simple procedural changes, such as requiring a photo ID at the polls, combined with secure technology and more vigorous prosecutions accelerates our drift toward banana-republic elections.

In 2002, Miami election officials hired the Center for Democracy, which normally observes voting in places like Guatemala or Albania, to send twenty election monitors to south Florida. In 2004, there will be even more observers on the ground. Scrutinizing our own elections the way we have traditionally scrutinized voting in developing countries is, unfortunately, a step in the right direction. But before we can get the clearer laws and better protections we need to deal with fraud and voter mishaps, we have to get a sense of the magnitude of the problem we face.

from Reuters, 2005-Jan-29:

Auto, Gas Security Chips Vulnerable, Study Finds

WASHINGTON - Tiny radio-transmitter chips that make possible high-security car keys and swipe-by gasoline passes can be cracked using cheap technology, U.S. computer experts said on Saturday.

The radio-frequency ID, or RFID, system uses a relatively simple code that criminals can easily decipher, making it easier to steal a car or get a free tankful of gasoline, the team at Johns Hopkins University in Baltimore and RSA Laboratories said.

"We've found that the security measures built into these devices are inadequate," said Avi Rubin, technical director of the Johns Hopkins Information Security Institute.

"Millions of tags that are currently in use by consumers have an encryption function that can be cracked without requiring direct contact. An attacker who cracks the secret key in an RFID tag can then bypass security measures and fool tag readers in cars or at gas stations," Rubin said in a statement.

Made by Texas Instruments, the RFID system studied for the report uses a device that prevents a car from starting unless both the right key and the correctly coded RFID chip are used.

"The devices have been credited with significant reductions in auto theft rates, as much as 90 percent," the researchers wrote. They cited Texas Instruments, which had been told about the problem, as saying the company had received no reports of thefts due to the vulnerability.

The fuel-purchase system uses a reader inside the gas pump that recognizes a key-chain tag waved nearby and automatically charges a designated credit card.

More than 150 million of the Texas Instruments transponders are embedded in keys for newer vehicles built by at least three leading makers, and in more than 6 million key-chain gas tags, the researchers said.

The problem is that the mathematical key used to code the verification system is too short, they said.

They bought a commercial microchip costing less than $200 and programmed it to find the key for a gasoline-purchase tag. They linked 16 such chips together and cracked the key in about 15 minutes.

The researchers said a metal sheath could help prevent the problem. Texas Instruments representatives were unavailable for comment.

The RFID system they used is called a Digital Signature Transponder, and is distinct from the Electronic Product Code used by retailers and pharmacies for inventory control.

RSA Laboratories, based in Bedford, Massachusetts, is a division of RSA Security.
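Why a short key decides the outcome of a challenge-response scheme, as an added example that is not from either article: a stand-in tag answers challenges with a truncated HMAC (not the Texas Instruments cipher, which the page does not describe), its deliberately tiny 16-bit demo key is recovered by trying every key, and the sweep time is then scaled to other key lengths. The scaling assumes that the "about 15 minutes" reported above covers a full sweep of the 40-bit keyspace reported in the New York Times article that follows; the demo key and challenges are constructed.

```python
import hashlib
import hmac


def tag_response(key, key_bits, challenge):
    """Stand-in tag (assumption): 24-bit response = truncated HMAC-SHA256
    of the challenge under a key that is key_bits long."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    return hmac.new(key_bytes, challenge, hashlib.sha256).digest()[:3]


def observe(key, key_bits, challenges):
    """Challenge/response pairs as seen by anyone who can query the tag."""
    return [(c, tag_response(key, key_bits, c)) for c in challenges]


def exhaustive_search(pairs, key_bits):
    """Test every key against the observed pairs.
    Returns (list of keys consistent with all pairs, number of keys tested)."""
    matches = [
        k for k in range(1 << key_bits)
        if all(tag_response(k, key_bits, c) == r for c, r in pairs)
    ]
    return matches, 1 << key_bits


def keyspace(key_bits):
    """Number of distinct keys of the given length."""
    return 1 << key_bits


def sweep_seconds(key_bits, ref_bits=40, ref_seconds=900):
    """Time to sweep a keyspace on the same hardware, scaled from the
    assumed reference point of 40 bits in about 15 minutes (900 s)."""
    return ref_seconds * 2 ** (key_bits - ref_bits)


# Constructed demo values: a 16-bit key keeps the full sweep to 65,536 trials.
DEMO_BITS = 16
DEMO_KEY = 0xBEEF
CHALLENGES = [b"\x01\x02\x03\x04\x05", b"\xa0\xa1\xa2\xa3\xa4"]

if __name__ == "__main__":
    found, tested = exhaustive_search(observe(DEMO_KEY, DEMO_BITS, CHALLENGES), DEMO_BITS)
    print(f"demo: tested {tested:,} keys, consistent keys: {[hex(k) for k in found]}")
    year = 365.25 * 24 * 3600
    for bits in (40, 56, 80, 128):
        secs = sweep_seconds(bits)
        print(f"{bits:>3}-bit key: {keyspace(bits):.3e} keys, full sweep {secs / year:.3e} years")
```

Each added key bit doubles the sweep, so on the same assumed hardware a 56-bit key takes 65,536 times as long as a 40-bit one.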

from the New York Times, 2005-Jan-29, by John Schwartz:

Graduate Cryptographers Unlock Code of 'Thiefproof' Car Key

BALTIMORE - Matthew Green starts his 2005 Ford Escape with a duplicate key he had made at Lowe's. Nothing unusual about that, except that the automobile industry has spent millions of dollars to keep him from being able to do it.

Mr. Green, a graduate student at Johns Hopkins University, is part of a team that plans to announce on Jan. 29 that it has cracked the security behind "immobilizer" systems from Texas Instruments Inc. The systems reduce car theft, because vehicles will not start unless the system recognizes a tiny chip in the authorized key. They are used in millions of Fords, Toyotas and Nissans.

All that would be required to steal a car, the researchers said, is a moment next to the car owner to extract data from the key, less than an hour of computing, and a few minutes to break in, feed the key code to the car and hot-wire it.

An executive with the Texas Instruments division that makes the systems did not dispute that the Hopkins team had cracked its code, but said there was much more to stealing a car than that. The devices, said the executive, Tony Sabetti, "have been fraud-free and are likely to remain fraud-free."

The implications of the Hopkins finding go beyond stealing cars.

Variations on the technology used in the chips, known as RFID for radio frequency identification, are widely used. Similar systems deduct highway tolls from drivers' accounts and restrict access to workplaces.

Wal-Mart is using the technology to track inventory, the Food and Drug Administration is considering it to foil drug counterfeiting, and the medical school at the University of California, Los Angeles, plans to implant chips in cadavers to curtail unauthorized sale of body parts.

The Johns Hopkins researchers say that if other radio frequency ID systems are vulnerable, the new field could offer far less security than its proponents promise.

The computer scientists are not doing R.&D. for the Mafia. Aviel D. Rubin, a professor of computer science who led the team, said his three graduate students did what security experts often do: showed the lack of robust security in important devices that people use every day.

"What we find time and time again is the security is overlooked and not done right," said Dr. Rubin, who has exposed flaws in electronic voting systems and wireless computer networks.

David Wagner, an assistant professor of computer science at the University of California, Berkeley, who reviewed a draft of a paper by the Hopkins team, called it "great research," adding, "I see it as an early warning" for all radio frequency ID systems.

The "immobilizer" technology used in the keys has been an enormous success. Texas Instruments alone has its chips in an estimated 150 million keys. Replacing the key on newer cars can cost hundreds of dollars, but the technology is credited with greatly reducing auto theft. Early versions of in-key chips were relatively easy to clone, but the Texas Instruments chips are considered to be among the best. Still, the amount of computing the chip can do is restricted by the fact that it has no power of its own; it builds a slight charge from an electromagnetic field from the car's transmitter.

Cracking the system took the graduate students three months, Dr. Rubin said. "There was a lot of trial and error work with, every once in a while, a little 'Aha!' "

The Hopkins researchers got unexpected help from Texas Instruments itself. They were able to buy a tag reader directly from the company, which sells kits for $280 on its Web site. They also found a general diagram on the Internet, from a technical presentation by the company's German division. The researchers wrote in the paper describing their work that the diagram provided "a useful foothold" into the system. (The Hopkins paper, which is online at www.rfidanalysis.org, does not provide information that might allow its work to be duplicated.)

The researchers discovered a critically important fact: the encryption algorithm used by the chip to scramble the challenge uses a relatively short code, known as a key. The longer the code key, which is measured in bits, the harder it is to crack any encryption system.

"If you were to tell a cryptographer that this system uses 40-bit keys, you'd immediately conclude that the system is weak and that you'd be able to break it," said Ari Juels, a scientist with the research arm of RSA Security, which financed the team and collaborated with it.

The team wrote software that mimics the system, which works through a pattern of challenge and response. The researchers took each chip they were trying to clone and fed it challenges, and then tried to duplicate the response by testing all 1,099,511,627,776 possible encryption keys. Once they had the right key, they could answer future challenges correctly.

Mr. Sabetti of Texas Instruments argues that grabbing the code from a key would be very difficult, because the chips have a very short broadcast range. The greatest distance that his company's engineers have managed in the laboratory is 12 inches, and then only with large antennas that require a power source.

Dr. Rubin acknowledged that his team had been able to read the keys just a few inches from a reader, but said many situations could put an attacker and a target in close proximity, including crowded elevators.

The researchers used several thousand dollars of off-the-shelf computer equipment to crack the code, and had to fill a back seat of Mr. Green's S.U.V. with computers and other equipment to successfully imitate a key. But the cost of equipment could be brought down to several hundred dollars, Dr. Rubin said, and Adam Stubblefield, one of the Hopkins graduate students, said, "We think the entire attack could be done with a device the size of an iPod."

The Texas Instruments chips are also used in millions of the Speedpass tags that drivers use to buy gasoline at ExxonMobil stations without pulling out a credit card, and the researchers have shown that they can buy gas with a cracked code. A spokeswoman for ExxonMobil, Prem Nair, said the company used additional antifraud measures, including restrictions that only allow two gas purchases per day.

"We strongly believe that the Speedpass devices and the checks that we have in place are much more secure than those using credit cards with magnetic stripes," she said.

The team discussed its research with Texas Instruments before making the paper public. Matthew Buckley, a spokesman for RSA Security, said his company, which offers security consulting services and is developing radio frequency ID tags that resist unauthorized eavesdropping, had offered to work with Texas Instruments free of charge to address the security issues.

Dr. Wagner said that what graduate students could do, organized crime could also do. "The white hats don't have a monopoly on cryptographic expertise," he said.

Dr. Rubin said that if criminals did eventually duplicate his students' work, people could block eavesdroppers by keeping the key or Speedpass token in a tinfoil sheath when not in use. But Mr. Sabetti, the Texas Instruments executive, said such precautions were unnecessary. "It's a solution to a problem that doesn't exist," he said.

Dan Bedore, a spokesman for Ford, said the company had confidence in the technology. "No security device is foolproof," he said, but "it's a very, very effective deterrent" to drive-away theft. "Flatbed trucks are a bigger threat," he said, "and a lot lower tech."
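
An added illustration (not from the article or the Hopkins paper) of the exhaustive key search described above, written to show why key length is the control that matters in a challenge-response design. A truncated HMAC-SHA256 stands in for the tag's cipher, which the article does not describe, and the 16-bit key, 8-bit response, sample challenges and search rates are constructed toy values.

```python
"""Short keys under challenge-response: a constructed toy model.

The tag function is truncated HMAC-SHA256, NOT the Texas Instruments cipher.
All sizes below are assumptions chosen so the search finishes in under a second.
"""
import hashlib
import hmac

DEMO_KEY_BITS = 16        # assumption: toy key length
DEMO_RESPONSE_BYTES = 1   # assumption: short response, to make ambiguity visible
# Constructed sample challenges a reader might send to a tag.
CHALLENGES = [i.to_bytes(5, "big") for i in range(1, 7)]


def keyspace(key_bits: int) -> int:
    """Number of distinct keys of the given length."""
    return 1 << key_bits


def respond(key: int, challenge: bytes, key_bits: int = DEMO_KEY_BITS) -> bytes:
    """Toy tag: answer a challenge with a truncated MAC under a short key."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    mac = hmac.new(key_bytes, challenge, hashlib.sha256).digest()
    return mac[:DEMO_RESPONSE_BYTES]


def consistent_keys(pairs, key_bits: int = DEMO_KEY_BITS):
    """Every key that reproduces all observed (challenge, response) pairs.

    The loop visits the whole keyspace, so its cost doubles with each key bit.
    """
    survivors = []
    for key in range(keyspace(key_bits)):
        if all(respond(key, c, key_bits) == r for c, r in pairs):
            survivors.append(key)
    return survivors


def days_to_exhaust(key_bits: int, keys_per_second: int) -> float:
    """Worst-case days to try every key at a given (assumed) search rate."""
    return keyspace(key_bits) / keys_per_second / 86_400


def min_key_bits(keys_per_second: int, years: int) -> int:
    """Smallest key length whose keyspace outlasts `years` of search at that rate."""
    needed = int(keys_per_second * years * 365 * 86_400)
    return needed.bit_length()  # smallest b with 2**b > needed


if __name__ == "__main__":
    secret = 0xBEEF  # constructed toy key
    pairs = [(c, respond(secret, c)) for c in CHALLENGES]

    # One short response leaves many candidate keys; more pairs pin it down.
    print("keys matching 1 pair :", len(consistent_keys(pairs[:1])))
    print("keys matching 6 pairs:", len(consistent_keys(pairs)))

    # The article's 40-bit keyspace, then the same arithmetic for longer keys.
    print("40-bit keyspace:", keyspace(40))
    for bits in (40, 56, 80, 128):
        print(f"{bits:3d}-bit key, 1e6 keys/s: {days_to_exhaust(bits, 10**6):.3g} days")
    print("bits needed to outlast 100 years at 1e12 keys/s:",
          min_key_bits(10**12, 100))
```
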

from the Los Angeles Times, 2005-Jan-13, by Richard B. Schmitt:

New FBI Software May Be Unusable
A central feature of the agency's $581-million computer overhaul aimed at coordinating anti-terrorism efforts is reportedly inadequate.

WASHINGTON -- A new FBI computer program designed to help agents share information to ward off terrorist attacks may have to be scrapped, the agency has concluded, forcing a further delay in a four-year, half-billion-dollar overhaul of its antiquated computer system.

The bureau is so convinced that the software, known as Virtual Case File, will not work as planned that it has taken steps to begin soliciting proposals from outside contractors for new software, officials said.

The overhaul of the decrepit computer system was identified as a priority both by the independent commission that investigated the Sept. 11 attacks and by members of Congress, who found that the FBI's old system prevented agents from sharing information that could have headed off the attacks.

Since the attacks, Congress has given the FBI a blank check, allocating billions of dollars in additional funding. So far the overhaul has cost $581 million, and the software problems are expected to set off a debate over how well the bureau has been spending those dollars.

The bureau recently commissioned a series of independent studies to determine whether any part of the Virtual Case File software could be salvaged. Any decision to proceed with new software would add tens of millions of dollars to the development costs and render worthless much of a current $170-million contract.

Requests for proposals for new software could be sought this spring, the officials said. The bureau is no longer saying when the project, originally scheduled for completion by the end of 2003, might be finished.

FBI officials have scheduled a briefing today to discuss what a spokesman said was the "current status of FBI information technology upgrades."

A prototype of the Virtual Case File was delivered to the FBI last month by Science Applications International Corp. of San Diego. But bureau officials consider it inadequate and already outdated, and are using it mainly on a trial basis to glean information from users that will be incorporated in a new design.

Science Applications has received about $170 million from the FBI for its work on the project. Sources said about $100 million of that would be essentially lost if the FBI were to scrap the software.

"It would be a stunning reversal of progress," Sen. Judd Gregg (R-N.H.), the chairman of the Senate appropriations subcommittee that oversees funding for the FBI, said in an interview with the Los Angeles Times this week. "If the software has failed ... that sets us back a long way.

"This has been a fits-and-starts exercise, and a very expensive one for a very long time," he added. "There are very serious questions about whether the FBI is able to keep up with the expanding responsibility and the amount of new dollars that are flowing into it. We have fully funded it at its requested levels."

A spokesman for Science Applications, Ron Zollars, said via e-mail that the company had "successfully completed" delivery of the initial version of the Virtual Case File software last month. He declined to comment further.

The stripped-down prototype will be running for three months. The bureau plans to then "shut it down, take all the lessons learned and incorporate them in a future case management system," a person familiar with the bureau's plans said.

Science Applications will apparently be no part of that future: Its contract expires at the end of March, and there were no plans to renew it, sources said.

That the software may have outlived its usefulness even before it has been fully implemented did not surprise some computer experts.

An outside computer analyst who has studied the FBI's technology efforts said the agency's problem is that its officials thought they could get it right the first time. "That never happens with anybody," he said.

Some sources sympathetic to the FBI defended the process, and said that what has been learned in designing the software has given the bureau valuable design and user information.

The replacement software may even be called the Virtual Case File, although it is unlikely to bear much resemblance to the product that is being rolled out to about 300 users testing the prototype in New Orleans and Washington. The prototype's main feature allows users to prepare documents and forward them in a usable form.

Eventually, the FBI expects to have software with added features for managing records, evidence and other documents, along with the ability for users to collaborate on documents and share information online.

The move is being engineered by Zalmai Azmi, who has been the FBI's chief information officer for the last year. People familiar with his work say Azmi recognizes that the change in direction is likely to generate political heat but that it will serve the bureau better in the long run.

The development illustrates the problems in keeping up with rapidly changing technology that confront any business, as well as the changing mission of the FBI since the Sept. 11 attacks, among other issues.

Since the attacks, the FBI has rolled out thousands of new computers and set up new secure electronic networks to exchange information, both inside the bureau and with a small number of intelligence agencies. The bureau has also created a database covering millions of documents in the agency's files that are more easily retrievable than before the attacks, and established new systems for managing the overall architecture and budgeting for its computer programs.

The overhaul of the computer system was conceived before the Sept. 11 attacks, when the FBI's main job was catching drug dealers and corrupt politicians, rather than weeding out terrorists before they could strike. At least until recently, the bureau's shoe-leather culture never fully embraced cutting-edge technology, leading to rapid turnover in its management ranks.

A Government Accountability Office report last year noted that the FBI had gone through five chief information officers in the preceding 24 months. The chief manager of the technology upgrade known as Trilogy quit last year for personal reasons after being lured from private industry two years ago.

The effort has also been the subject of a number of critical reports. Last spring, technology experts for the National Research Council found that the Trilogy project failed to reflect the FBI's new emphasis on terrorism prevention and was "not on a path to success."

A trade publication, Government Computer News, reported late last month that the Justice Department's inspector general had concluded in a draft report that Virtual Case File would also fail to meet the bureau's needs, and that officials had "no clear timetable or prospect for completing" it.

A spokesman for the inspector general's office declined to comment on the draft, as a matter of policy.

The FBI has had preliminary discussions with a number of vendors about the possible design of new software. One approach that the bureau is considering is a case-management system that could be used by other agencies, including the departments of Justice and Homeland Security.

It is also looking into using off-the-shelf technology as a way to save money.

The FBI has retained Aerospace Corp., a nonprofit, federally funded research firm in El Segundo, to conduct an independent evaluation of Virtual Case File.

It has also hired BAE Systems, a British defense contractor, to identify and evaluate the specific needs and requirements for any permanent system.

The companies' reports are due later this month.

from TheInquirer.net, 2004-Apr-26, by Doug Mohney:

FBI a serious IT mess
The gang that (still) can't compute straight

WHILE THE FBI has a National Computer Crimes squad and there's much ado about Carnivore, Magic Lantern, and CALEA giving the American crime-fighting agency magic powers to snoop through one's private bits, a certain percentage of the rank-and-file G-men are computer illiterate. If s/he is computer savvy, they just got modern PC and network kit in the last year. And don't ask about the back-end web software, it's overbudget and behind schedule.

The September 11 Commission hearings put out one of the FBI's dirty little secrets in full public view. According to all testifying, including former directors and attorneys general of several administrations, the agency's computer systems were hopelessly out of date and couldn't share information freely. Efforts over the years under both Democratic and Republican administrations to inject cash into upgrading FBI IT to an InterWeb environment failed due to lack of political will and leadership. E-mail was an ineffective tool since FBI field officers were limping around on plodding 56Kbps leased lines.

Former Attorney General Janet Reno described the situation when she arrived in town as "We didn't know what we didn't know." According to current U.S. Attorney General John Ashcroft, The Bureau had 42 separate information systems, none of which were connected and agents lacked even the most basic Internet technology prior to September 11. A key memo warning that terrorists were training in commercial aviation -- the so-called Phoenix memo -- was lost in the machine.

Perhaps the one man that should have been held accountable is still dodging bullets. Louis Freeh was FBI director from 1993-2001, setting policy and overseeing the agency for eight years. "The first thing he did when he became director was order his computer on his desk be taken out. He did not use e-mail," said Ronald Kessler, author of two books about the FBI. Of course, Freeh's computer phobia didn't prevent him from campaigning against the export of cryptography overseas and pushing for more extensive electronic wiretapping technology. Trying to defend himself in the Wall Street Journal, Freeh touted his creation of overseas FBI liaison offices to gather intel on terrorist activities and to play well with other national law enforcement agencies. He didn't explain why the IT systems never got upgunned on his watch.

After the attacks on September 11, FBI agents had to ship pictures of the hijackers via overnight mail because the FBI didn't have the capability to e-mail them within their network. A year later, as the "Beltway Sniper" (Snipers) made their way through Maryland, DC, and Virginia in October 2002, FBI trainees manned an 800-number telephone tip line, taking down information BY HAND on carbon copy forms. Thousands of tips flooded the line. How was all the paper handled? Sorted by location, then driven over to police departments in the various districts of Maryland and Virginia. No computer processing, no web site sharing information between different jurisdictions, nothing that could be moved in a time critical fashion. It was a '50s approach in the 21st Century.

In late November 2003, a Bureau official stated that "about 3,000" FBI employees need computer literacy training in basic skills such as how to use a mouse, copy and paste, and how to work in a Windows environment. It was also noted that some FBI employees still use dictation machines "and we have typing pools."

As a part of a nearly half-billion dollar modernization project called Trilogy, the FBI is building a web-based tool called the Virtual Case File System. The web-ware supposedly will allow FBI field offices to hold all notes and share them in one Web-based environment, like people on the InterWeb have been doing for years. Both Trilogy and the Virtual Case File System are behind schedule and over-cost. Trilogy was initially priced at $379 million and to date has racked up an additional $200 million in cost overruns. A good chunk of the funding has gone to deploy 21,000 desktop PCs; 622 LANs; 2,612 switches and routers; 291 servers; and a wide-area network to serve users at 595 sites. The Virtual Case File System is supposed to be deployed by the end of 2004 if the contractor doesn't miss another deployment deadline.

from TheRegister.co.uk, 2004-Feb-25, by John Leyden:

Homeland insecurity starts at home

The IT industry needs to stop worrying about who's behind cyber attacks and focus on making security technology easier to use and software more reliable, a senior White House security advisor told delegates at the RSA Conference today.

John Gordon, a retired US Air Force General who advises President Bush on Homeland Security, said that the industry needs to be more intolerant about security vulnerabilities in all software.

"As long as there is a vulnerability it will be exploited. It can't be beyond us to develop much higher standard code and reducing the vulnerability rate," he said.

"The industry needs to focus on removing vulnerabilities and remediation work and not get hung up on who the attacker might be."

Gordon argued there is widespread misunderstanding about the cyber terrorism risk. First, terrorists are only one of a "range of actors" who might carry out attacks on the Internet directed against a country's IT infrastructure.

So far cyber attacks have largely been limited to "criminals and intelligence agencies", according to Gordon, but that doesn't mean terrorist groups like al-Qaeda will not resort to attacks carried out over the Internet.

Gordon said that Osama bin Laden has thus far used the Internet for recruitment and propaganda purposes but "there's evidence that he [bin Laden] is interested in cyber warfare and has some expertise."

Tomorrow will mark the tenth anniversary of the first terrorist attack on the World Trade Center. According to Gordon, most Americans have a "pre-1993 understanding" of Net security risks.

"People think that a digital February 26 is unlikely much less a 9/11-style attack but that view is wrong," Gordon said. "The security of cyberspace matters and an attack is likely."

In response, the industry needs to make personal cyber security easier.

Gordon told delegates how he spent a fruitless weekend trying to set up a secure Wi-Fi network. Even after hours on the phone with a vendor the task proved beyond Gordon, who was only able to (eventually) set up a secure system by applying undocumented techniques.

"The industry needs to make it much easier to employ solid security" if it expects people to heed its security advice, he said.

from The E-Commerce Times, 2005-Jan-28:

Microsoft Makes Anti-Piracy Move

People who try to download security patches will have to let Microsoft run a checking procedure on their computer or give an identification number. Microsoft's regular patches, which it releases for security flaws, are important because they stop viruses from penetrating PCs.

Microsoft is clamping down on people running pirated versions of its Windows operating system by restricting their access to security features.

The Windows Genuine Advantage scheme means people will have to prove their software is genuine from mid-2005.

It will still allow those with unauthorized copies to get some crucial security fixes via automatic updates, but their options would be "limited."

Microsoft releases regular security updates to its software to protect PCs.

Either PCs detect updates automatically or users manually download fixes through Microsoft's site.

Those running pirated Windows programs would not have access to other downloads and "add-ons" that the software giant offers.

People who try to manually download security patches will have to let Microsoft run an automated checking procedure on their computer or give an identification number.

Microsoft's regular patches which it releases for newly-found security flaws are important because they stop worms, viruses and other threats from penetrating PCs.

from the Los Angeles Times, 2005-Jan-14, by Joseph Menn:

No More Internet for Them
Fed up over problems stemming from viruses and spyware, some computer users are giving up or curbing their use of the Web.

Stephen Seemayer had the first Pong video game system on his block. A decade later, the Echo Park artist was the first in his neighborhood to get a personal computer. And in 1996, he was so inspired by the World Wide Web that he created a series of small paintings for viewing over the Internet.

Now the 50-year-old Seemayer is once again on the cutting edge: Sick of spam clogging his in-box and spyware and viruses crashing his system, Seemayer yanked out his high-speed connection.

"I'm not going to pay for something that I can't use," he said.

A small but growing number of frustrated computer owners are coming to the same conclusion. They're giving up or cutting back their use of the Internet, especially at home, where no corporate tech support team will ride to their rescue.

Instead of making life easier -- the essential promise of technologies since the steam engine -- the home PC of late has made some users feel stupid, endangered or just hassled beyond reason.

Seemayer's machine, for instance, got so jammed with spam that he stopped checking e-mail. When he surfed the Web, pop-up ads from a piece of spyware he couldn't wipe out spewed sexually explicit images and used so much computing power that the PC would just stop.

"I could be sitting here in the living room reading a book," Seemayer said, "and I'd hear my son scream: 'It froze up on me again!' "

So when his son left for college in September, Seemayer finally unplugged.

Now when he uses his computer, it's to compose letters or organize photos -- anything that doesn't require interaction with any other system.

Seemayer is still in the minority. Overall Internet use continues to grow.

But 2004 "was a real turning point in a bad direction," said technology analyst Ted Schadler of Forrester Research. "People are getting really angry. They're angry at Dell and Microsoft and their cable providers, and that's appropriate. They should be."

In a recent survey, 31% of online shoppers said they were buying less than before because of security issues. And though more people are signing up for high-speed, commerce-friendly connections, the proportion of U.S. Internet users paying for things online barely budged in 2004 from a year earlier. It rose to 27% from 26% in 2003 after jumping from 20% the previous year, according to Harris Interactive.

For many, spyware was the last straw. During the last 18 months, the sneaky programs have soared to the top of the list of tech woes, triggering the most tech support calls to Dell Inc., the nation's top PC maker. Spyware lurks on as many as 80% of computers nationwide, according to the National Cyber Security Alliance, a trade group.

Spyware generally transmits information to third parties and sometimes takes control of a PC, usually to display ads. The most pernicious varieties have instructed millions of computers to make expensive toll calls or logged every keystroke on affected machines and sent account numbers and passwords to identity thieves.

No one is immune. Microsoft Corp. Chairman Bill Gates discovered spyware on his personal machine not long ago.

The aggravation level has reached the point that some in the computer industry believe it threatens to undermine advances of the last decade, during which the Internet has grown from a virtually empty domain to a global community of 800 million souls. They say they need to act before the same early adopters who led mainstream Americans online lead them off.

"If, as an industry, we're not able to provide a safe, reliable computing environment, we do think consumers will get increasingly frustrated," said Michael George, general manager of Dell's U.S. consumer business. "We're concerned, and we want to get to a position where we play an instrumental role in fixing the problem."

It may well be up to private enterprise. Congress and the Federal Trade Commission are exploring a crackdown on spyware, but government efforts to stop another online scourge, spam, have had limited results, as many with an e-mail account will attest.

The root cause of the problems is the open architecture of the Internet, initially inhabited and managed by a collaborative community from government and universities.

"The Internet ... grew out of a shielded, nice-guy environment in academia," Web usability expert Jakob Nielsen said. Back then, "the worst abuse might have been sending a prank message. Nowadays, the Net reaches everyone in the industrialized world, including large amounts of people with no shame and large numbers of criminals."

Microsoft's dominant Windows operating system also makes it possible for malicious code to spread, in part because it was designed to allow so many functions. Once a weakness in Windows is discovered by hackers, a virus can wreak havoc on millions of computers before Microsoft can offer a patch -- which typical users may not take the initiative to download.

And consumer advocates claim that state and federal laws against spam don't help. Courts have protected software vendors from most consumer lawsuits, and some have held that the companies are all but immunized by warnings buried in lengthy user agreements, those boxes with massive amounts of text with the "I agree" button at the bottom.

Whatever the reasons, the threats have evolved from minor annoyances to serious computer risks.

Gerald Stark, 52, trained on computers in school and in the Navy before starting a small cleaning business in Lisbon Falls, Maine. He figured he could use the Internet to find equipment at a good price, track his sales and organize his volunteer activities with the Boy Scouts.

"I thought that the computer was the way to go because it was so much faster," he said. "It turned out to be a nightmare."

A virus killed one machine. Then spyware infested the next one, wiping out a year's worth of receipt records.

Stark read five years' worth of computer magazines just to keep up with how to defend himself.

Even with two firewalls and antivirus and anti-spyware programs running, Stark stopped looking for new business deals online. He said he would buy only from places he had dealt with before, preferably in the physical world rather than the virtual one.

"I'm not letting my guard down again," Stark said. "Never."

Henry Stiegel didn't think he needed his guard up in the first place. Pressed by his stockbroker and friends, Stiegel got his first home computer in 2003.

"I thought it was going to be like a television set -- I'm going to sit right in front of it all day and have some control and learn things, scan for airfare and travel," the former Grumman Aerospace Corp. engineer said from Homosassa, Fla.

Even after studying in computing classes, the 77-year-old Stiegel was swamped by hundreds of viruses, other malicious programs and pop-ups.

"I still have windows I can't delete when I want to get rid of them. When I send an e-mail, I get interrupted and have to start all over," Stiegel said. "I have actually pulled the plug out of the wall so I could reboot."

Stiegel now turns the computer on only two or three times a week, mostly to read his e-mail.

In Grand Rapids, Mich., homemaker Peggy Kasul sits halfway between the anxious newcomers like Stiegel and the jaded old pros like Seemayer.

A computer owner for seven years, Kasul did a little shopping online. Her husband used the machine to help manage some rental property, and her 16-year-old daughter wrote term papers for school.

Then her daughter went on the Internet to research a paper on the issue of breast-feeding in public. As if she had typed in a magic word, spyware ads for porn sites popped up and wouldn't go away.

Soon the computer was unusable. It took more than three weeks and $300 to get the thing working again, by which time all the family's data had been wiped out.

Now Kasul sends her daughter to use the computers at school or the library.

"I don't do much shopping online anymore because that scares me," Kasul said. "I go to the store."

The biggest factor behind the rapid increase in spyware is the amount of money at stake. Ads for such blue-chip companies as Motorola Inc., Verizon Communications Inc. and JP Morgan Chase & Co. appear in spyware programs.

The businesses most often accused of distributing spyware, including privately held Claria Corp., WhenU Inc. and 180Solutions Inc., say they are providing legitimate "adware" services to customers who approved the installation. But their disclosures are often misleading or buried: A recent Claria license ran for more than 60 electronic pages, first mentioning the phrase "pop-up" on page 18.

Much spyware arrives bundled with programs such as screensavers and file-sharing software.

"The part that worries me most is the tremendous amount of money that can be made by tricking people into installing junk on their computers," said Ben Edelman, a Harvard graduate student who has testified against spyware companies. "It's a great business."

The defenses remain scattered. Windows PCs often don't come with antivirus software installed. Firewalls and spam blockers are usually separate too, and there are dozens of small companies offering what they describe as anti-spyware products -- some of which are actually fronts that install spyware.

"Staying safe online has gotten too complicated for the average user to do by buying individual products and making them work together," America Online spokesman Andrew Weinstein said.

Realizing that such fragmentation is making matters worse, some companies are rounding up the pieces of a more complete resistance.

Microsoft recently bought both an antivirus company and an anti-spyware software maker. Time Warner's latest version of AOL checks for spyware and offers to delete it. And where Dell's online guide for configuring a PC used to suggest a combined antivirus and firewall program without saying why, it now explicitly warns buyers to protect themselves or face potentially costly problems in the future.

Legislation that would have required more direct warnings by spyware companies to consumers and ensured that users could delete the programs made headway in the last session of Congress, despite objections from top computer-security company Symantec Corp. and other software providers. Ari Schwartz, an anti-spyware lobbyist with the Washington-based Center for Democracy and Technology, put the odds of some legislation passing in 2005 at better than 80%.

The FTC last fall filed its first case against spyware companies accused of using a security flaw in Internet Explorer to cram system-glutting programs into the machines of website visitors. The companies named were Seismic Entertainment Productions Inc. and SmartBot.net Inc. But current fraud laws allow regulators only to recover ill-gotten gains -- no matter how much damage the bad guys have inflicted.

Enacting new federal bills "would be helpful," said Lydia Parnes, acting director of the FTC's Bureau of Consumer Protection. Spyware "needs to be understandable to consumers, and it needs to be presented in a way that's kind of visible to them."

Even if a strong law passes, Parnes said she didn't know whether the average computer user would be any better off in three years.

If it's worse, Seemayer probably won't be the only one on his block with a PC cut off from the Internet.

"It's great for anything you can do on your own," he said. "It seems to me an incredible typewriter -- and that's it."

from The Independent, 2004-Nov-27, by Barrie Clement:

Computer meltdown baffles the experts

Computer engineers were at a loss last night to explain why the Government had been hit by arguably the worst electronic meltdown in the history of Whitehall.

Senior sources said that the specialist troubleshooters called in to deal with the crisis at the Department for Work and Pensions (DWP) had failed to "get to the bottom" of the problem which blanked out up to 40,000 desktop screens.

While it has been established that the crash was provoked by an attempt to upgrade the screens, there was still no precise idea why it happened.

As the Government tried to play down the impact of the problems, Conservatives and union leaders demanded an immediate inquiry into a crash that affected one of the country's biggest IT networks.

Technicians were still struggling yesterday to fix the problem which began on Monday and which affected screens at more than 1,000 DWP offices.

The disruption follows a number of technical failures at the DWP and other government departments - notably the Child Support Agency. The American contractor EDS is responsible for IT networks at both those departments.

The DWP said the crash had only affected new claimants and people whose benefits were being amended.

from the New York Times, 2002-Sep-9, by John Schwartz:

Year After 9/11, Cyberspace Door Is Still Ajar

Sounding the alarm is not the same as paying for a deadbolt on the door. Which may explain why, despite the heightened fears of cyberterrorism and online security that followed last September's attacks in New York and Washington, few American businesses or organizations have responded with new measures to safeguard their computing systems from intruders.

Harris Miller had hoped it would be otherwise. He recalls that warning Americans about cyberterrorism and online security before Sept. 11 had been an exercise in futility.

"I felt like Sisyphus," said Mr. Miller, president of the the Information Technology Association of America, a trade group, adding that his pleas for greater awareness and quicker action were consistently ignored. "Just rolling the stone up the mountain, and it kept rolling right back down again." For government, corporations and individuals alike, Mr. Miller said, computer security was always "the 11th item on a 10-item list."

Then came the attacks -- and with them, a growing sense that terrorism could happen anywhere. And anywhere included the nation's computer networks and all the critical systems that were tied to them.

"It really was a wake-up call," said Mario Correa, director of Internet and network security policy for the Business Software Alliance, an industry lobbying group in Washington.

Security experts predicted that their calls would finally be heeded and that corporations and governments would shore up their cyberdefenses. Some even spoke of a "security dividend" for the industry arising from the attacks. The International Data Group, a publisher of trade magazines, even announced a new magazine, CSO, aimed at the hoped-for legions of deep-pocketed corporate chief security officers.

So what has changed in the year since the attacks?

Not so much, actually.

The fretting, certainly, has been vocal. Companies say in survey after survey that they believe they, and the government, are still vulnerable to cyberattack. Indeed, a poll published this summer by the Business Software Alliance found that 60 percent of those who are directly responsible for their companies' network security believe that United States businesses are at risk for a major cyberattack in the next 12 months.

And a government team led by Richard A. Clarke, the White House cyberspace security adviser, has been busy on a computer security framework that is to be announced next week and is expected to spell out actions that should be taken by government, industry and even individuals to safeguard the Internet.

The fretting and frameworking, however, has not escalated into spending. Money spent on security has been flat the last year, with no turnaround imminent, said Steve Hunt, a vice president of the Giga Information Group, a high-technology analysis company.

"The security market is not going to benefit in 2002," he said. A survey of the customers of Sanctum Inc., a security company in Santa Clara, Calif., which said it had extensively interviewed 10 customers on the topic, showed that only three had made new Internet security moves because of the Sept. 11 attacks.

Other areas of security, like the disaster preparedness of information technology systems, have also come under increased scrutiny since Sept. 11. But, as with cybersecurity, little money has been spent. In a survey conducted for AT&T, 73 percent of those questioned said their companies had reviewed their disaster recovery planning after Sept. 11, but only one in 10 said business disaster planning had become a top priority after the attacks.

That is not particularly surprising in tight economic times, when most information technology spending has focused on incremental improvements to current systems, said Art Coviello, the chief executive of RSA Data Security, a computer network security company in Bedford, Mass. At a conference of chief information officers early this year, Mr. Coviello recalled, executives listed the top three priorities in 2002 as "cut costs, cut costs and cut costs."

"The next priority was to make more out of what they had," he said. "The next priority after that was security."

Part of the reason for the lack of action is a growing sense of frustration with the task of making computer systems secure, said Peter S. Tippett, the chief technology officer of Trusecure, a computer security management firm in Herndon, Va. Trying to keep up with each individual software patch and vulnerability and apply each one to every computer and network has become an all but impossible task for many organizations.

The Computer Emergency Response Team, a federally financed monitoring group and information clearinghouse at Carnegie Mellon University, identified 2,437 software vulnerabilities in 2001, but fewer than 1 percent were used in actual attacks. "Why don't we figure out what the essential security is?" Mr. Tippett said.

He suggested that another reason companies had not acted decisively could be a growing sense among industry experts that the threat of cyberterrorism had been overstated. He noted that although the world's computer networks are increasingly tied to critical systems like power grids and telecommunications networks, a cyberterrorism episode is unlikely to stand alone, or to be devastating in itself. Instead, he said, such an attack would probably come in conjunction with physical attacks and be meant mainly to sow confusion. He compared such a disruption to "a snowstorm on top of an otherwise bad day."

Still, Mr. Tippett and other security experts agree that the nation's computer networks need more effective and extensive shoring up.

Meanwhile, Bush administration officials argue that despite the lack of progress cited by others, great strides have actually been made since last September.

Mr. Clarke, chairman of the president's Critical Infrastructure Protection Board, said the real alarm was sounded not on Sept. 11 but on Sept. 18. That is when a piece of rogue computer software named Nimda spread through Internet-connected computers around the world and caused damage that was estimated in the billions of dollars. The creator of Nimda, which attacked computers and installed "back doors" for subsequent hacker attacks, has never been identified.

"Sept. 11 made everybody in corporate America think about security," Mr. Clarke said. "Sept. 18 made them think about cybersecurity."

Since then, he said, software companies have grown far more serious about plugging the kinds of vulnerabilities that Nimda exploited. Microsoft, for example, shut down its software development efforts for nearly two months in a $100 million effort to analyze Windows software for bugs and to train its engineers in "trustworthy computing" techniques.

Other major software makers have announced similar efforts to make security "not an add-on, but a central thought" in software design, Mr. Clarke said. Industries that did not pay much heed to cybersecurity before -- Mr. Clarke cited power companies as an example -- have "really begun taking security seriously," with widespread use of encryption to shield data from prying eyes and authentication systems to ensure that only authorized people have access to critical system controls.

And government is "beginning to walk its talk" by shoring up its own systems, Mr. Clarke said. The administration's proposed budget for the 2003 fiscal year calls for $4.2 billion for securing federal networks, a 56 percent increase over the current fiscal year. And next week, on Sept. 18, Mr. Clarke's team plans to release its action plan for safeguarding the Internet.

But government can only do so much, since most of the networks and systems that need to be protected are in private hands, Mr. Clarke observed. "The government is not going to secure hospitals and banks and railroads -- they have to do it for themselves," he said.

Mr. Correa's industry group has spent much of the last year trying to ensure that the government's responses to the Sept. 11 attacks do not do more harm than good. "You're seeing Congress look for what appear to be quick fixes and really are not," he said.

The group opposed, for example, well-intentioned early efforts by lawmakers that would have required federal agencies to upgrade computer security using very specific technologies obtained through strict government procurement guidelines.

Under early drafts of legislation, for example, the National Institute of Standards and Technology was to specify the kinds of antivirus and firewall software and hardware that would be used in government systems. Mr. Correa's group feared that the specifications would quickly become outdated, because antivirus software, for instance, must evolve continually to keep pace with new kinds of threats.

So Mr. Correa's group and others requested -- successfully -- that the bills specify only performance goals, like a requirement that any firewall software be able to block a certain number of intrusions a second, without defining how the software accomplishes that task.

"You've got to make those security standards performance-based, not technology-based," Mr. Correa said, or "they will be outmoded in a week."

Mr. Correa's group is also fighting an administration plan to put a unit of the Commerce Department that helps set computer security standards, the Computer Security Division, into the new Department of Homeland Security -- a move that they argue would make that group less effective by blurring purely technical issues with military and law-enforcement agendas that could end up with worse, not better, technology.

His group has also tried to pave the way for greater cooperation among industries and the government on security issues. Those efforts have included legislative proposals for making sure that companies are willing to share information with the government by carving out exemptions in the Freedom of Information Act for such exchanges, so that information given voluntarily to the government about intrusions is not made public.

Mr. Hunt, the Giga Information analyst, sees reasons for optimism. "No security vendors are getting richer, and there are a lot of security problems yet to be solved," he said.

But, he added, companies have begun to shift toward viewing security as an integrated business function and not merely the province of a "little cult in the corner of the I.T. department." In surveys conducted more than a year ago, only 30 percent of all companies said they had a person responsible for connecting security efforts with the actual risks of the business, he said. Now, nearly 90 percent do.

"This is not a 200 percent improvement in spending," Mr. Hunt said. "It is an improvement in quality, meaning the haphazard approach to security management of the past -- an approach that left many holes -- is steadily being replaced by robust processes of detection and response."

Even Harris Miller says he is feeling less Sisyphean lately. "While there's been much more attention in the private sector, there's a long way to go," Mr. Miller said. "But I don't feel the exercise is as futile as it was a year ago. Now the need is to get the money spent."

from TheInquirer.net, 2003-Nov-26:

Cash machines suffered worm attack
Windows on the world

INTERNET WATCHER Netcraft reports that Windows-based automatic teller machines at two unnamed financial institutions were compromised by the Nachi worm in August of this year.

The machines in question were quickly isolated when they began scanning the ATM networks and triggering various intrusion detection systems.

Diebold, the manufacturers of the machines, apparently had neglected to install a patch against an RPC DCOM vulnerability that Microsoft issued in the previous month.

About 12 percent of ATM systems currently run on Windows-based operating systems but this is expected to increase to as much as 65% in the next few years as financial institutions move away from IBM's OS/2.

from TheInquirer.net, 2005-Jan-11, by Nick Farrell:

Finding bugs in software will get you jail
Only in France

A FRENCH security researcher who published exploit codes that could take advantage of bugs in an anti-virus application, could be imprisoned for violation of copyright laws.

According to ZDnet, French security researcher Guillaume Tena found a number of vulnerabilities in the Viguard antivirus software published by Tegam.

He pushed his research in March 2002.

Tegam, which rather than fix the glitch and move on with its life, was extremely miffed and called Les Flics.

French prosecutors claim Tena violated article 335.2 of the code of the intellectual property and want him sent down for a four month jail term and a 6,000 euro fine.

Just to make matters worse, Tegam is proceeding with a civil case against Tena and asking for 900,000 euros in damages. Tena, who is currently a researcher for Harvard University in Massachusetts, told ZDNet that Tegam first branded him a terrorist and then called the cops.

During the resulting tribunal, Tena said the judge decided that because the published exploits included some re-engineered source code from Viguard's software, he had violated French copyright laws.

However, French security outfits are a little worried because they regularly publish code to do with security breaches. If software companies get into a tizzy and demand researchers are jailed and fined then no-one will dare point out faults in software other than the hackers.

from TheInquirer.net, 2004-Jun-30, by Tamlin Magee:

US Government warns against Internet Explorer
Internet Exploder will harm your machine

THE US GOVERNMENT has sent a warning out to internet users through its Computer Emergency Readiness Team (US-CERT), pleading with users to stop using Microsoft's Internet Explorer.

Following a malware attack last week which targeted a known flaw in IE, like so many other attacks, the US-CERT recommended using alternative browsers thanks to their increased security. Microsoft is hurriedly trying to increase IE's security with the Windows XP Service Pack 2, but it's not fast enough for many.

In a vulnerability note released by US-CERT, it says "there are a number of significant vulnerabilities in technologies relating to the IE domain" and that "it is possible to reduce exposure to these vulnerabilities by using a different web browser." Well, they're right.

The latest "extremely critical" IE bug has still not been patched by Microsoft.

from TheInquirer.net, 2004-Jul-7, by Nick Farrell:

Enterprises won't dump Internet Explorer
Better the devil you know

ENTERPRISE USERS are ignoring calls to dump the patchwork security hazard which is Internet Explorer.

Following a series of critical security flaws tied to IE, the US Computer Emergency Readiness Team last week suggested that companies dump the VoleWare browser post-haste.

But according to Eweek, IT managers and users have been telling them they are reluctant to change browsers because of their reliance on IE-specific intranet applications and Web sites.

The story quoted several who said that while Mozilla has shown itself to be a capable browser it was crippled by a lack of support for ActiveX controls. Even if users wanted to switch, they would still need IE to visit some sites, such as to use Microsoft's own Windows Update site.

In short Vole has managed to corner the market and the bigger users are stuck with it.

Vole spinsters are saying that IE will be security flavour of the month again after Service Pack 2 is released. The problems cited by the US Computer Emergency Readiness Team will all be addressed and there will be peace in our time.

However it won't offer SP2 security to older versions of Windows, which are still working in many corporate sites, meaning that the security nightmare will continue. Still, better the devil you know eh?

from TheInquirer.net, 2004-Jul-15, by "our pompous op-ed writer":

So you got Windows, there's a critical update required
Mozilla any good?

REMEMBER ALL that fuss about Microsoft grabbing the market by bundling its browser in with its operating system?

Sure you do. In a matter of years Microsoft gained the lion's share of the browser market and now owns nigh on all of it, despite the availability of software from Opera, Mozilla, and a stack of others too.

So, say you've a Windows operating system, but you've decided that there's more holes in Internet Explorer than Blackburn, Lancashire so you're using Mozilla, Opera or whatever but you still need to plug the holes in your Windows 2000 or Windows XP OS.

Well, you can just forget about trying to get those critical Windows updates you need if you're not using Internet Explorer. The Windows Update site only supports Internet Explorer.

Instead, you're going to have to use IE to download the Windows Update and then go back to whatever else you're using.

While it seems fair enough to us that if you need an Internet Explorer update you use IE, is it really fair that non-Microsoft browsers can't be used to help users make their systems secure?

As Microsoft explains here, this behaviour is by design.

But is it fair? Of course not. Life's not fair. Fairness and Microsoft don't necessarily sleep together as intimate bedmates either. You may also notice that if you go to a large number of corporate web sites they don't behave properly when using non-IE browsers. Such, as Ned Kelly is rumoured to have said, is life. Especially in the IT sector.

from electricnews.net via TheRegister.co.uk, 2004-Jan-23, by Anthony Quinn:

All Internet voting is insecure: report

Online voting is fundamentally insecure due to the architecture of the Internet, according to leading cyber-security experts.

Using a voting system based upon the Internet poses a "serious and unacceptable risk" for election fraud and is not secure enough for something as serious as the election of government officials, according to the four members of the Security Peer Review Group, an advisory group formed by the US Department of Defense to evaluate a new on-line voting system.

The review group's members, and the authors of the damning report, include David Wagner, Avi Rubin and David Jefferson from the University of California, Berkeley, Johns Hopkins University and the Lawrence Livermore National Laboratory, respectively, and Barbara Simons, a computer scientist and technology policy consultant.

The federally-funded Secure Electronic Registration and Voting Experiment (SERVE) system is currently slated for use in the US in this year's primary and general elections. It will allow eligible voters to register to vote at home and then to vote via the Internet from anywhere in the world. The first tryout of SERVE is early in February for South Carolina's presidential primary and its eventual goal is to provide voting services to all eligible US citizens overseas and to US military personnel and their dependents, a population estimated at six million.

After studying the prototype system the four researchers said that from anywhere in the world a hacker could disrupt an election or influence its outcome by employing any of several common types of cyber-attacks. "Attacks could occur on a large scale and could be launched by anyone from a disaffected lone individual to a well-financed enemy agency outside the reach of US law," state the three computer science professors and a former IBM researcher in the report.

A denial-of-service attack would delay or prevent a voter from casting a ballot through a Web site. A "man in the middle" or "spoofing" attack would involve the insertion of a phoney Web page between the voter and the authentic server to prevent the vote from being counted or to alter the voter's choice. What is particularly problematic, the authors say, is that victims of "spoofing" may never know that their votes were not counted.

A third type of attack involves the use of a virus or other malicious software on the voter's computer to allow an outside party to monitor or modify a voter's choices. The malicious software might then erase itself and never be detected, according to the report.

While acknowledging the difficulties facing absentee voters, the authors of the security analysis conclude that Internet voting presents far too many opportunities for hackers or terrorists to interfere with fair and accurate voting, potentially in ways impossible to detect.

"The flaws are unsolvable because they are fundamental to the architecture of the Internet," said David Wagner, assistant professor of computer science at UC Berkeley. "Because the danger of successful large-scale attacks is so great, we reluctantly recommend shutting down the development of SERVE and not attempting anything like it in the future until both the Internet and the world's home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear, states the report. There is no way to plug the security vulnerabilities inherent in the SERVE on-line voting design, according to the report's authors.

The Internet voting plan and touchscreen equipment not linked to the Internet are part of a general move in the US toward greater use of computers, provoked in part by the problems associated with paper ballots during the 2000 presidential election. But the authors of the SERVE analysis conclude that opportunities for tampering are being overlooked in the rush to embrace new election technology.

"Voting in a national election will be conducted using proprietary software, insecure clients and an insecure network," concluded report author and former IBM researcher Barbara Simons.

The full security analysis of the SERVE system can be viewed online at servesecurityreport.org. Detailed information about the SERVE system is at

"I'm assuming the glitch was in the software."

A lengthy collaboration between the county's information technology director and advisers from the MicroVote software producer fixed the problem. But before that, computer readings of stored voting machine data showed far more votes than registered voters.

"It was like 144,000 votes cast," said Garofolo, whose corrected accounting showed just 5,352 ballots from a pool of fewer than 19,000 registered voters.

"Believe me, there was nobody more shook up than I was."

from SecurityFocus.com via TheRegister.co.uk, 2003-Nov-18, by Scott Granneman:

Electronic Voting Debacle

Opinion: Grave concerns over the security of electronic voting machines in the United States mean the heart of American democracy is at risk, writes SecurityFocus columnist Scott Granneman.

My grandmother, Ruth Scott, was passionately interested in politics her entire life. She never missed an election (an attitude she instilled in her descendents), she followed political debates with great fervor, and, in perhaps her most selfless action, she worked for decades as an Election Judge on election day. These were long days for her, as she had to be there before the polls opened and stay until they closed and the votes had been counted. I'm sure she would have appreciated any tool that made her job easier and enabled her to get home sooner. It seems that such a tool may now be gaining traction all over America: the electronic voting machine. But is it really a good thing for our country and our electoral system?

After the 2000 election debacle in Florida (and actually in plenty of other locations around the U.S.), with its hanging chads and pregnant chads and other punch-card problems, Congress passed the Help America Vote Act in 2002. One of the functions of the new law was to provide $4 billion for states to use in updating their often antiquated voting equipment. With federal money available, and the cautionary story of Florida as a warning, states began turning in droves to electronic voting machines.

Georgia uses voting machines made by Ohio-based Diebold Election Systems throughout the state. Maryland signed a $55.6 million deal with Diebold in July to supply the state with 11,000 voting machines. Other states using machines made by Diebold include Ohio, Texas, and California. Overall, there are more than 55,000 Diebold machines in use around the country.

A Litany of Problems

An election held in Houston just a few days ago was marred when election judges incorrectly set up twelve eSlate voting machines, resulting in a malfunction. The paper ballots that were supposed to be present were not, so judges gave voters pieces of paper torn in half and told them to write their votes down. Other voters simply left without casting their ballot. Some voters were told that they should come back later in the day, when the machines would be working, thereby casting their ballots twice.

The Oakland Tribune reported last week that several thousand voters in Alameda County used electronic voting machines made by Diebold that were never certified for use by state and county voting officials. Diebold altered the software running on the machines prior to the election, but never bothered to submit the software for testing or even notify the state that the software update had been made.

Another election last week also displayed troubling irregularities. After Rita Thompson, a school board member who lost a close race in Fairfax County, Virginia, complained, tests were performed on a WINvote machine made by Advanced Voting Solutions of Texas. Lo and behold, one out of every hundred votes for Thompson actually resulted in a subtracted vote for the candidate. But there's more. Ten machines broke down during the day, so they were brought to the county government center, repaired, and sent back to be used by voters ... with no oversight. But there's still more. At 7 p.m., most of the 223 precincts in the county attempted to report tallies. At the same time. The system, overworked, crashed. "Fiasco" is not a word I would disagree with in describing this situation.

In Georgia during the 2002 elections, some voters using Diebold machines tried to vote for one candidate, but the machine would instead register a vote for the opponent. It got weirder in Georgia in 2002. There were six electoral upsets in that election, including one in which the incumbent senator, who was far ahead in the polls, lost by 11 points. Diebold had changed the software used by the voting machines seven or eight times, without anyone examining it, and then after the election the company immediately overwrote the flash memory of all the cards used by those machines, so it is now impossible to know what the vote counts really were.

Also during the 2002 elections, machines made by Omaha-based Election Systems & Software erroneously reported that no one in several large Florida precincts had voted for governor. These examples are just the tip of the iceberg.

Problems abound. But it's actually much, much worse.

The Big Issue: Security

So, how do you know that the machine actually counted your vote? You don't! Oh sure, you may see a screen at the end of the process that shows you what you selected ... but how do you know that those choices are actually tabulated? The answer: trust the companies that make the machines. But that attitude, if it ever made sense, has been shown to be not just wrong but foolhardy in the past several months.

In March, someone broke into a Web server used by Diebold using an employee's ID number and copied thousands of messages posted to an online discussion board used internally by Diebold employees to discuss its voting machines, as well as actual code used in the voting machines. In August, the documents were sent to journalists. Within one month, student activists at Swarthmore College acquired the documents and began making them available on their Web site. Within a few days the documents had spread like kudzu and were available at over 50 other college Web sites, including MIT, Harvard, and UC-Berkeley.

One of the reasons the students are concerned about Diebold's involvement in the electoral process is the company's cozy relationship with the Republican party. Diebold donated more than $195,000 to the Republican party in 2000 and 2001, and Walden W. O'Dell, the company's CEO, pledged in an invitation to a fund-raiser to deliver Ohio to George W. Bush in the next election. Regardless of the political linkages, the content of the memos is extremely problematic, as you'll see in a moment.

Diebold responded in a heavy-handed manner by sending out cease and desist letters backed by the Digital Millennium Copyright Act (DMCA) of 1998, a poorly-designed law that has earned its share of opprobrium. These letters claim that those posting Diebold's files, or even just linking to the files, are in violation of Diebold's copyrights. Needless to say, these rather specious claims appear to fly in the face of fair use and the public's right to know.

Swarthmore, after an initial bout of cowardice, is now supporting its students. The College has asked Diebold to justify its claims, while aiding its students as they develop a legal response to Diebold's take-down notice. In fact, Swarthmore clearly states that "it is defensible on fair-use and free-speech grounds to use [the students'] web sites to describe the content of the memos they have seen and their implication for American democracy, and to use their sites to inform interested members of the public that the memos are available at sites not associated with Swarthmore."

Unfortunately for Diebold (and fortunately for American democracy), the files are now on servers all over the world, including Australia, New Zealand, Canada, and Italy, where the DMCA does not apply. Even better, Diebold's files are now on Freenet, the anonymous, encrypted peer-to-peer network, as well as other peer-to-peer networks like BitTorrent and Overnet. Too late, Diebold. The toothpaste is out of the tube. Game over.

If you'd like to view the Diebold files yourself, a simple Google search is all that you need. The files seem to portray a company lacking good practices in the area of software development, quality assurance, sales, and security, as the following excerpts make clear.

"Over [the past three years] I have become increasingly concerned about the apparent lack of concern over the practice of writing contracts to provide products and services which do not exist and then attempting to build these items on an unreasonable timetable with no written plan, little to no time for testing, and minimal resources. It also seems to be an accepted practice to exaggerate our progress and functionality to our customers and ourselves then make excuses at delivery time when these products and services do not meet expectations." (Source: "Resignation", announce.w3archive/200110/msg00001.html, dated 5 October 2001)


"It does not matter whether we get anything certified or not, if we can't even get the foundation of Global stable. This company is a mess! We should stop development on all new, and old products and concentrate on making them stable instead of showing vaporware. Selling a new account will only load more crap on an already over burdened entity. ... You are taxing the development team beyond what they can handle. ... Why is it so hard to get things right! I have never been at any other company that has been so miss managed [sic]." (Source: "Fw: Battery Status & Charging---and too much bull!!", announce.w3archive/200110/msg00002.html, dated 20 October 2001)


"I need some answers! Our department is being audited by the County. I have been waiting for someone to give me an explanation as to why Precinct 216 gave Al Gore a minus 16022 when it was uploaded. Will someone please explain this so that I have the information to give the auditor instead of standing here "looking dumb". I would appreciate an explanation on why the memory cards start giving check sum messages. We had this happen in several precincts ..." (Source: "Memory card checksum errors (was: 2000 November Election)", support.w3archive/200101/msg00061.html, dated 18 January 2001)


"For a demonstration [for El Paso County, Colorado] I suggest you fake it. Progam them both so they look the same, and then just do the upload fro [sic] the AV. That is what we did in the last AT/AV [AccuTouch/AccuVote] demo." (Source: "RE: El Paso, Colorado", support.w3archive/199903/msg00098.html, dated 19 March 1999)


"I hate more than anyone else in the company to bring up a certification issue with this, but a number of jurisdictions require a "system test" before every election. I just helped Knecht yesterday with an RFP from Riverside that required this. That is why the AccuVote displayes the silly ***System Test Passed*** message on boot up instead of "memory test passed", which is all it actually tests. No argument from me that it is pointless. You could probably get away with a batch file that prints "system test passed" for all I know. We will do something along those lines with the new unit after a memory test or whatever." (Source: "RE: AVTS - Diagnostics & Installation", support.w3archive/199907/msg00013.html, dated 6 July 1999)


"Right now you can open GEMS' .mdb file with MS-Access, and alter its contents. That includes the audit log. This isn't anything new. ... Now, where the perception comes in is that its right now very *easy* to change the contents. Double click the .mdb file. ... It is possible to put a secret password on the .mdb file to prevent Metamor [a consulting company] from opening it with Access. Being able to end-run the database has admittedly got people out of a bind though. Jane (I think it was Jane) did some fancy footwork on the .mdb file in Gaston recently. I know our dealers do it. King County is famous for it. That's why we've never put a password on the file before." (Source: "RE: alteration of Audit Log in Access", support.w3archive/200110/msg00122.html, dated 18 October 2001)

Think about those memos. In particular, the last one. Here we have a company using unprotected Microsoft Access database files to store votes and the audit log. That's bad. Really, really bad, in a whole host of ways. But even worse, after pondering a change, it decides not to implement a password! And what is meant by the "fancy footwork" that "King County is famous for"? That sounds shady as hell.
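The last memo describes an audit log that anyone who can open the file can rewrite. As an added illustration (not code from Diebold, GEMS or the original article), here is one way to make such a log tamper-evident: each entry carries a keyed MAC chained to the entry before it. The key, field names and records are constructed for the example, and the scheme assumes the key is held somewhere the database operator cannot reach.

```python
import hashlib
import hmac
import json

# Constructed demo key. The scheme only helps if the real key is kept away
# from whoever can edit the database file; anyone holding both can forge.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # value used as the "previous MAC" of the first entry


def entry_mac(key, prev_mac, seq, record):
    """MAC over the sequence number, the previous entry's MAC and the record."""
    payload = json.dumps({"seq": seq, "prev": prev_mac, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, record):
    """Append a record, chaining it to the MAC of the entry before it."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev_mac, "record": record,
                "mac": entry_mac(key, prev_mac, seq, record)})
    return log[-1]["mac"]


def verify_log(log, key, expected_head=None):
    """Return a list of (index, problem) pairs; an empty list means intact.

    expected_head is the MAC of the last entry as recorded somewhere outside
    the database (on a printed closing tape, say). Without it, cutting
    entries off the end of the log would go unnoticed.
    """
    problems = []
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append((i, "sequence gap or reordering"))
        if entry["prev"] != prev_mac:
            problems.append((i, "broken link to previous entry"))
        good = entry_mac(key, entry["prev"], entry["seq"], entry["record"])
        if not hmac.compare_digest(good, entry["mac"]):
            problems.append((i, "record or MAC altered"))
        prev_mac = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev_mac, expected_head):
        problems.append((len(log), "head does not match recorded value"))
    return problems


def build_demo_log():
    """Four constructed audit records, not data from any real election."""
    log = []
    for record in (
        {"event": "open_polls", "precinct": 12, "total": 0},
        {"event": "upload", "precinct": 12, "total": 412},
        {"event": "upload", "precinct": 13, "total": 388},
        {"event": "close_polls", "precinct": 12, "total": 800},
    ):
        append_entry(log, DEMO_KEY, record)
    return log


if __name__ == "__main__":
    log = build_demo_log()
    head = log[-1]["mac"]
    print("intact:", verify_log(log, DEMO_KEY, head))
    log[1]["record"]["total"] = 999          # the kind of edit the memo describes
    print("edited:", verify_log(log, DEMO_KEY, head))
```

A file password, the fix the memo considers and rejects, would not provide this property: it controls who can open the file, not whether an edit by someone who can open it is detectable afterwards.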

In July, Avi Rubin of Johns Hopkins University, along with other security experts, analyzed the purloined source code. His team issued a scathing report. Some of his findings: it would be easy for an insider at Diebold to alter the system to affect voting results; since the source code is kept secret, this could be done without detection. It would be simple for a voter, without invoking any special privileges, and without any detection by the system, to cast as many votes as she desired. All the voting machines use the same hard-coded passwords; in some cases, this password was set to "1111" (I think that's the sound of the collective jaws of security pros dropping to the floor). And finally, since there is no paper printout of votes, there is no way to accurately audit the system, and therefore no way to accurately reconstruct an election if it is contested. As the report put it:

"Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We highlight several issues including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes."

Of course, Diebold denied the findings of Rubin's report. The state of Maryland, however, commissioned an investigation of the Diebold machines by SIAC. SIAC found 328 security weaknesses; of those, 26 were designated critical. Among the problems: Diebold doesn't encrypt vote totals before they are transferred to the Board of Elections over the Internet. Diebold's response is far from reassuring, as the Washington Post reported:

"Further, as a result of the review, Diebold has rewritten its software to include better encryption coding and harder-to-crack passwords. The encryption and password upgrades will be made only for the machines destined for Maryland, [Diebold executive Mark] Radke said, and would not be available for the 33,000 touch-screen machines already in use elsewhere."

So there you have it: the squeaky wheel gets the grease. Diebold will fix Maryland's machines, but everyone else in America will continue to suffer from hundreds of security holes, 26 of them critical. Feel better?

Of course, anyone who really cares about security knows that a system has to be built with security in mind from the get-go. You can't just bolt security on top of a system after the fact and assume that any problems will be fixed. But that's exactly what Diebold proposes to do. They told us to trust them before, and now they're asking us to trust them again. How trusting are you?

Some Proposed Solutions

Rep. Rush Holt (D-N.J.) has proposed the Voter Confidence and Increased Accessibility Act of 2003 (H.R. 2239). Holt's proposed law would mandate the following by the November 2004 general election:

These are reasonable proposals that would go a long way toward helping alleviate the concerns that many people have about electronic voting. Unfortunately, Rep. Bob Ney, the chairman of the House committee that would propose Holt's bill, opposes it, so it is essentially dead in the water. Coincidentally, or perhaps not, Ney is a Republican representing Ohio, the home state of Diebold. Hmmmm ...

Certain changes in election machines and election law are definitely required. After you vote on an electronic machine, it should print your choices on a piece of paper that is placed into a locked box. If a problem arises and a candidate requests a recount, those slips of paper are there for verification. Wired News reported in October that some of the companies who manufacture electronic voting machines have finally agreed in principle to change their machines to produce a paper record of votes. We'll see if it actually comes to fruition.

The testing process should be opened up as well. Currently, all voting machines have to pass the Federal Election Commission's testing process so they can be certified for use. However, the General Accounting Office issued a report in 2001 stating that the FEC tests do not test for security in a thorough manner; in fact, the testing is so secretive that members of state boards that certify the equipment cannot even get information about exactly what is being tested and how. Worse, the tests themselves are laughable in their inattention to even basic concepts of security, reliability, or veracity. To top it all off, only 37 states follow the FEC standards in the first place.

To really ensure that the election process is fair and above the taint of corruption, federal law should require that the source code for the voting machines is opened up. If the code is not made entirely public, which would be best, then it should be opened up for expert study and review, with any findings published. Australia's voting machines run completely open source code that has been publicly audited; even better, the machines themselves run on Linux, an open source operating system. Can anyone doubt that this is better for democracy?

Security pros also need to work to change the perceptions of public officials. Unfortunately, many of them are ignorant about security, some willfully so ("In response to the Hopkins report [by Avi Rubin], Linda H. Lamone, the state election administrator, said yesterday that Maryland's experience in the 2002 election gave her 'absolute confidence' in the Diebold touch-screen system"). Couple that with a back-against-the-wall defensiveness, and you get statements like this, made by Penelope Bonsall, director of the Office of Election Administration at the Federal Election Commission: "The computer scientists are saying, 'The machinery you vote on is inaccurate and could be threatened; therefore, don't go. Your vote doesn't mean anything.'" No, Ms. Bonsall, that is most definitely not what security experts are saying. But believing so does help solidify your refusal to look at their concerns, doesn't it?

I have to admit, when I first heard about electronic voting, it made a lot of sense to me. After the Florida debacle in 2000, it made even more sense. But after extensive reading, I've come to the conclusion that electronic voting as a concept needs to be scrapped, or at least placed on hold while basic concerns are addressed. Unfortunately, I'm not very convinced that those basic concerns will ever be addressed, and that has me greatly concerned about the trustworthiness of elections in the United States.

Just because it's new and slick and sexy doesn't mean that we should adopt it. This is doubly true when we're talking about our elections, the heart of the American democracy. We shouldn't make a fetish out of speed and automation, especially when we ignore fairness, accuracy, and security. I think my grandmother would have agreed.

Further Reading

Bev Harris has been leading the fight against electronic voting for quite a while. Her Web site, at http://www.blackboxvoting.com or http://www.blackboxvoting.org, is required reading if you're interested in this issue. You can also download her book, Black Box Voting, from the site. Of course, if you buy her book, you further support her work.

Salon has published an excellent series of articles on the subject of electronic voting. You can find them by searching http://www.salon.com for the words "electronic voting".

Wired News has also been following the story, and you can read what they've said by searching the site for "electronic voting".

The Washington Post regularly posts in-depth, well-researched columns that deal with electronic voting. Search the archives for "electronic voting" or "Diebold".

For another technical analysis of the security problems associated with Diebold machines, see Douglas W. Jones' "The Diebold AccuVote TS Should be Decertified".

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.

from TheInquirer.net, 2004-Jan-27, by Mike Magee:

Windows XP has "malicious folder" weakness
More joy to the world

SECUNIA SAID there's a hole in Windows XP Home and Professional which wicked folk can use to prise open systems.

The vulnerability allows a so-called "malicious folder" to be created which contains both script code and an .EXE file, said Secunia.

The problem was reported by http-equiv and malware.com and no fix is yet available.

The advice Secunia gives, here, is not to open untrusted folders and use up to date antiviral software.

from CNET News.com, 2003-Sep-24, by Matt Hines:

Virus strikes State Department

A computer virus hit the State Department on Tuesday, affecting the performance of the government's IT system that manages visa approvals, according to published reports.

The virus shut down the State Department's Consular Lookout and Support System (CLASS), Reuters and the Associated Press reported. A State Department representative reached Wednesday by CNET News.com would not confirm that the system had crashed but indicated that IT personnel were working on a problem.

The State Department sent a message to employees around the globe on Tuesday, warning that CLASS had been crippled, the wire services said. It was not clear which computer virus infected the system, but the department forwarded to people a warning indicating that the Welchia virus was found at one facility, reports said.

Welchia and the related MSBlast virus target openings in Microsoft's Windows operating system and have been linked to a number of government computer failures. A new report from the Computer and Communications Industry Association asserts that reliance on a single technology, such as Windows, for an overwhelming majority of computer systems threatens the security of the U.S. economy and critical infrastructure.

CLASS has been identified as one of the tools the U.S. government is leaning on to help stem the flow of terrorists and other criminals into the country. According to the State Department, CLASS has been improved over the past two years and has been given the ability to access more detailed information banks to scrutinize eligibility of potential visa applicants.

In a letter sent to Congress earlier this year, President Bush said that CLASS contains about 13 million name records, increasing the State Department's ability to recognize individuals who might be a threat to national safety.

"CLASS now has over 78,000 records of suspected terrorists, up 40 percent in the past year," Bush wrote in his letter. "This will allow federal, state, and local entities to share information nationwide that will ultimately contribute to securing our borders and protecting our nation."

from the Washington Post, 2004-Feb-27, p.A1, by David E. Hoffman:

Reagan Approved Plan to Sabotage Soviets
Book Recounts Cold War Program That Made Technology Go Haywire

In January 1982, President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline, according to a new memoir by a Reagan White House official.

Thomas C. Reed, a former Air Force secretary who was serving in the National Security Council at the time, describes the episode in "At the Abyss: An Insider's History of the Cold War," to be published next month by Ballantine Books. Reed writes that the pipeline explosion was just one example of "cold-eyed economic warfare" against the Soviet Union that the CIA carried out under Director William J. Casey during the final years of the Cold War.

At the time, the United States was attempting to block Western Europe from importing Soviet natural gas. There were also signs that the Soviets were trying to steal a wide variety of Western technology. Then, a KGB insider revealed the specific shopping list and the CIA slipped the flawed software to the Soviets in a way they would not detect it.

"In order to disrupt the Soviet gas supply, its hard currency earnings from the West, and the internal Russian economy, the pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds," Reed writes.

"The result was the most monumental non-nuclear explosion and fire ever seen from space," he recalls, adding that U.S. satellites picked up the explosion. Reed said in an interview that the blast occurred in the summer of 1982.

"While there were no physical casualties from the pipeline explosion, there was significant damage to the Soviet economy," he writes. "Its ultimate bankruptcy, not a bloody battle or nuclear exchange, is what brought the Cold War to an end. In time the Soviets came to understand that they had been stealing bogus technology, but now what were they to do? By implication, every cell of the Soviet leviathan might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the entire operation."

Reed said he obtained CIA approval to publish details about the operation. The CIA learned of the full extent of the KGB's pursuit of Western technology in an intelligence operation known as the Farewell Dossier. Portions of the operation have been disclosed earlier, including in a 1996 paper in Studies in Intelligence, a CIA journal. The paper was written by Gus W. Weiss, an expert on technology and intelligence who was instrumental in devising the plan to send the flawed materials and served with Reed on the National Security Council. Weiss died Nov. 25 at 72.

According to the Weiss article and Reed's book, the Soviet authorities in 1970 set up a new KGB section, known as Directorate T, to plumb Western research and development for badly needed technology. Directorate T's operating arm to steal the technology was known as Line X. Its spies were often sprinkled throughout Soviet delegations to the United States; on one visit to a Boeing plant, "a Soviet guest applied adhesive to his shoes to obtain metal samples," Weiss recalled in his article.

Then, at a July 1981 economic summit in Ottawa, President Francois Mitterrand of France told Reagan that French intelligence had obtained the services of an agent they dubbed "Farewell," Col. Vladimir Vetrov, a 53-year-old engineer who was assigned to evaluate the intelligence collected by Directorate T.

Vetrov, who Weiss recalled had provided his services for ideological reasons, photographed and supplied 4,000 documents on the program. The documents revealed the names of more than 200 Line X officers around the world and showed how the Soviets were carrying out a broad-based effort to steal Western technology.

"Reagan expressed great interest in Mitterrand's sensitive revelations and was grateful for his offer to make the material available to the U.S. administration," Reed writes. The Farewell Dossier arrived at the CIA in August 1981. "It immediately caused a storm," Reed says in the book. "The files were incredibly explicit. They set forth the extent of Soviet penetration into U.S. and other Western laboratories, factories and government agencies."

"Reading the material caused my worst nightmares to come true," Weiss recalled. The documents showed the Soviets had stolen valuable data on radar, computers, machine tools and semiconductors, he wrote. "Our science was supporting their national defense."

The Farewell Dossier included a shopping list of future Soviet priorities. In January 1982, Weiss said he proposed to Casey a program to slip the Soviets technology that would work for a while, then fail. Reed said the CIA "would add 'extra ingredients' to the software and hardware on the KGB's shopping list."

"Reagan received the plan enthusiastically," Reed writes. "Casey was given a go." According to Weiss, "American industry helped in the preparation of items to be 'marketed' to Line X." Some details about the flawed technology were reported in Aviation Week and Space Technology in 1986 and in a 1995 book by Peter Schweizer, "Victory: The Reagan Administration's Secret Strategy that Hastened the Collapse of the Soviet Union."

The sabotage of the gas pipeline has not been previously disclosed, and at the time was a closely guarded secret. When the pipeline exploded, Reed writes, the first reports caused concern in the U.S. military and at the White House. "NORAD feared a missile liftoff from a place where no rockets were known to be based," he said, referring to North American Air Defense Command. "Or perhaps it was the detonation of a small nuclear device." However, satellites did not pick up any telltale signs of a nuclear explosion.

"Before these conflicting indicators could turn into an international crisis," he added, "Gus Weiss came down the hall to tell his fellow NSC staffers not to worry."

The role that Reagan and the United States played in the collapse of the Soviet Union is still a matter of intense debate. Some argue that U.S. policy was the key factor -- Reagan's military buildup; the Strategic Defense Initiative, Reagan's proposed missile defense system; confronting the Soviets in regional conflicts; and rapid advances in U.S. high technology. But others say that internal Soviet factors were more important, including economic decline and President Mikhail Gorbachev's revolutionary policies of glasnost and perestroika.

Reed, who served in the National Security Council from January 1982 to June 1983, said the United States and its NATO allies later "rolled up the entire Line X collection network, both in the U.S. and overseas." Weiss said "the heart of Soviet technology collection crumbled and would not recover."

However, Vetrov's espionage was discovered by the KGB, and he was executed in 1983.

from TheInquirer.net, 2004-Jan-21, by Rick Reroy:

Ebay lets sellers make up their own positive feedback
Says web pages without Javascript are boring

A BUG IN the Ebay web pages allows sellers to make up their own seller information, according to claims in PC-WELT, the German computer magazine.

Ebay, the leading auction site in the Internet, provides bidders with information about the seller whose products they are bidding for. As a virtual auction house, Ebay never sees the products that are auctioned off on their site and so they have no direct way to control the honesty of buyers and sellers. Instead, the 'seller information' tells potential bidders in the Ebay auctions how long the seller has been registered, how large a percentage of the seller's feedback (provided by other users) is positive and whether the seller is an Ebay 'Power Seller'. The information is the lynchpin of Ebay's reputation-based system, designed to assure buyers that they are not dealing with an online cyberfraudster.

Unfortunately, with the help of a few snippets of JavaScript embedded in the product details, PC-Welt was apparently able to take a newly opened account and make it look like it belonged to a 'Power Seller' with almost 2000 Ebay sales and a 99.8% positive feedback rating. The JavaScript, apparently freely available on the Net, rewrites the data used to display the seller information. When the user clicks on the seller information they get a page with more details, but this link can also be forged by the seller, sending the hapless buyer off to a page of the seller's own devising. By combining this problem with the spoofing bug in Internet Explorer the devious seller can make the subterfuge very hard to spot.

Ebay has already been made aware of the problem, but it seems that flashy web pages are more important than building a community where people can trust each other. At any rate, instead of merely banning Javascript, which would make their sellers' web pages 'boring' according to a company spokesman, they are looking for a better solution. Says a spokesman for Ebay (our translation):

"This problem is not unique to Ebay. We allow Javascript so the users can make their web pages as attractive as possible. Plain text web pages are boring. We are working hard to find a long term solution. We are able to identify and remove auctions like this".

In the meantime you can be sure to see the right seller information if you switch off Javascript when using Ebay. If the resulting boredom proves too much you can always surf back to your soaraway Inquirer for more facts and friction.
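The flaw described above comes from serving seller-supplied markup to buyers unchanged. As an added illustration (not Ebay's code and not from the original article), this sketch shows the server-side alternative to asking buyers to switch off JavaScript: rebuild each listing from an allowlist of tags and attributes, so script blocks, event handlers and `javascript:` links never reach the page. The allowlist and the sample listing are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: formatting that keeps listings from being "boring"
# without giving seller markup any way to run code in the buyer's browser.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}
VOID_TAGS = {"br", "img"}


def is_safe_url(value):
    """Accept only absolute http(s) URLs; browsers ignore embedded whitespace."""
    if not value:
        return False
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False


class ListingSanitizer(HTMLParser):
    """Re-emits only allowlisted markup; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.removed = []    # names of tags/attributes that were dropped
        self.skip_depth = 0  # > 0 while inside a script/style/iframe/object

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.removed.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(tag)
            return
        kept = []
        for name, value in attrs:
            allowed = name in ALLOWED_ATTRS.get(tag, ())
            if allowed and name in URL_ATTRS:
                allowed = is_safe_url(value)
            if allowed:
                kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
            else:
                self.removed.append(name)  # e.g. onload, style, javascript: href
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))


def sanitize_listing(markup):
    """Return (sanitized_html, list_of_removed_tag_and_attribute_names)."""
    parser = ListingSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed listing: the script body and handler names are placeholders.
SAMPLE_LISTING = (
    '<p>Vintage camera, <b>mint</b> condition.</p>\n'
    '<script>/* placeholder for code that rewrites the seller panel */</script>\n'
    '<img src="https://img.example/cam.jpg" onload="constructedHandler()" alt="camera">\n'
    '<a href="javascript:constructedHandler()">Seller details</a>\n'
    '<a href="https://shop.example/terms">Terms</a>'
)

if __name__ == "__main__":
    clean, removed = sanitize_listing(SAMPLE_LISTING)
    print(clean)
    print("removed:", removed)
```

The seller information itself should also be rendered outside any region that listing markup can reach, so that the trusted and untrusted parts of the page are never mixed.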

from CNET News.com, 2003-Sep-24, by Robert Lemos:

Report: Microsoft dominance poses security risk

A computer industry group critical of Microsoft plans to release a report on Wednesday arguing that the software giant's dominance in key technologies threatens national infrastructure.

The report, issued by the Computer and Communications Industry Association, argues that the reliance on a single technology such as the Windows operating system for such an overwhelming majority of computer systems threatens the security of the U.S. economy and critical infrastructure, according to a draft seen by CNET News.com. The paper, written by three security experts, also warns that many security improvements planned by Microsoft are likely designed to raise the barrier that deters customers from switching to another operating system.

"Under the guise of security, they (Microsoft) are achieving lock-in," said Bruce Schneier, chief technology officer for network monitoring service Counterpane Internet Security and one of the paper's three authors. "It's using security technologies to extend the monopolies."

The report will be presented to several key lawmakers and administration officials at the CCIA's 2003 Washington Caucus on Wednesday, according to the event's agenda. Another of the paper's authors, Dan Geer, chief technology officer for security firm @Stake, is scheduled to lead a discussion of the issues. Several members of Congress are slated to attend the event, including Representative Zoe Lofgren, D-Calif., Representative Rick Boucher, D-Virg., and Senator Ron Wyden, D-Ore.

The paper is the latest salvo fired by the CCIA at Microsoft and, though the argument has been made in security circles before, it may be the first time that the position has been outlined to legislators.

The group, whose members include America Online, Oracle and Sun Microsystems, has been critical of Microsoft in the past. Last month, after the Department of Homeland Security announced that Microsoft would supply the software for the agency's 140,000 desktops, the organization sent an open letter asking the DHS to reconsider. The group also founded the Open Source and Industry Alliance to promote open-source software such as Linux and oppose restrictive laws such as the Digital Millennium Copyright Act.

Microsoft did not immediately comment on the content of the report, but defended its track record in security.

"We are absolutely committed to increasing the security of technology for our customers," a Microsoft representative said in a statement issued to CNET News.com. "We recognize that CCIA represents many Microsoft competitors, but we are 100 percent committed to addressing the security concerns of customers, so we will review their white paper and address any concerns that they raise."

The draft white paper argues that Microsoft's problems in securing its products and the ubiquity of those technologies result in a hazard for the U.S. economy and industry, which increasingly relies on the Internet and computers for critical functions.

"The focus on Microsoft is simply that the clear and present danger can be ignored no longer," the paper states.

The paper recommends that the U.S. government force Microsoft to publish interface specifications to major functional components of its code, better support interoperable components to allow others to compete with more secure technology, and set specifications through industry standards bodies and consortia.

The report also takes the software giant to task for using security to lock in consumers to Microsoft's technology and recommends that, if the company continues to do so, it be held liable for any damage done by security threats in the future.

The authors call on the U.S. government to make sure that future Microsoft technologies, such as the controversial next-generation secure computing base formerly known as "Palladium," don't further lock in consumers.

"The impact on security of this lock-in is real and endangers society," the paper states, adding that "there can be no more critical duty of...governments than to ensure that a spread of trusted computers does not blithely create yet more opportunities for lock-in."

from TheInquirer.net, 2003-Aug-28:

Microsoft software "riddled with vulnerabilities", trade body claims
Dept of Homeland Security should avoid Microsoft

THE US Computer and Communications Industry Association (CCIA) has urged the US Department of Homeland Security to avoid using Microsoft software.

The Washington based association, which represents members that generate over $300 billion, has issued an open letter to Tom Ridge, Secretary of the department, urging him to review his decision to choose Microsoft for its desktops and servers.

It claims that last week's events relating to the Blaster and SoBig worms have highlighted problems in cybersecurity.

The letter, from Ed Black, the association's president, said: "We believe that for software to be truly secure it must be well written from the outset with security considerations given a high priority".

It accuses Microsoft of being more interested in economic marketing and competition than security and said the lack of diversity within a network system "amplifies the risk emanating from any vulnerabilities that do exist".

It continues: "Our preliminary findings indicate the severity of the security problems relating to some Microsoft software".

The Blaster worm, it said, crashed the Navy Marine intranet, the CSX railway system, Maryland's Dept of Motor Vehicles, Air Canada systems, and most seriously earlier this year a nuclear power plant was downed by Slammer.

Microsoft, it claims, isn't guiltless, because it is continuing to "create software riddled with obvious and easily exploited vulnerabilities".

from SecurityFocus.com, 2003-Aug-19, by Kevin Poulsen:

The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall, SecurityFocus has learned.

The breach did not pose a safety hazard. The troubled plant had been offline since February, 2002, when workers discovered a 6-by-5-inch hole in the plant's reactor head. Moreover, the monitoring system, called a Safety Parameter Display System, had a redundant analog backup that was unaffected by the worm. But at least one expert says the case illustrates a growing cybersecurity problem in the nuclear power industry, where interconnection between plant and corporate networks is becoming more common, and is permitted by federal safety regulations.

The Davis-Besse plant is operated by FirstEnergy Corp., the Ohio utility company that's become the focus of an investigation into the northeastern U.S. blackout last week.

The incident at the plant is described in an April e-mail to the Nuclear Regulatory Commission (NRC) from FirstEnergy, and in a similarly-worded March safety advisory distributed privately throughout the industry over the "Nuclear Network," an information-sharing program run by the Institute of Nuclear Power Operations. The March advisory was issued to "alert the industry to consequences of Internet Worms and Viruses on Plant Computer Systems," according to the text.

The reports paint a sobering picture of cybersecurity at FirstEnergy.

The Slammer worm entered the Davis-Besse plant through a circuitous route. It began by penetrating the unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network. The T1 line, investigators later found, was one of multiple ingresses into Davis-Besse's business network that completely bypassed the plant's firewall, which was programmed to block the port Slammer used to spread.

"This is in essence a backdoor from the Internet to the Corporate internal network that was not monitored by Corporate personnel," reads the April NRC filing by FirstEnergy's Dale Wuokko. "[S]ome people in Corporate's Network Services department were aware of this T1 connection and some were not."

Users noticed slow performance on Davis-Besse's business network at 9:00 a.m., Saturday, January 25th, at the same time Slammer began hitting networks around the world. From the business network, the worm spread to the plant network, where it found purchase in at least one unpatched Windows server. According to the reports, plant computer engineers hadn't installed the patch for the MS-SQL vulnerability that Slammer exploited. In fact, they didn't know there was a patch, which Microsoft released six months before Slammer struck.
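The firewall in this account did its job; the worm simply arrived by a link that never passed through it. As an added illustration (not from the article or from FirstEnergy), the sketch below models the route described above as a graph and lists every path from the Internet to a plant system that avoids all filtering points, which is the audit that would have surfaced the T1 line. Node names and the topology are constructed from the article's description.

```python
# Constructed topology following the article: a firewalled Internet link,
# plus a contractor network bridged to the corporate network by a T1 line,
# and the corporate network connected onward to the plant network.
LINKS = [
    ("internet", "firewall"),
    ("firewall", "corporate_net"),
    ("internet", "contractor_net"),
    ("contractor_net", "t1_line"),
    ("t1_line", "corporate_net"),
    ("corporate_net", "plant_net"),
    ("plant_net", "spds_server"),
]


def build_graph(links, removed_nodes=()):
    """Undirected adjacency lists, leaving out any link touching a removed node."""
    graph = {}
    for a, b in links:
        if a in removed_nodes or b in removed_nodes:
            continue
        graph.setdefault(a, []).append(b)
        graph.setdefault(b, []).append(a)
    return graph


def bypass_paths(links, source, target, enforcement_points):
    """Every simple path from source to target that crosses no enforcement point.

    Removing the enforcement points from the graph and then searching leaves
    exactly the routes on which traffic is never filtered.
    """
    graph = build_graph(links, removed_nodes=set(enforcement_points))
    paths, stack = [], [(source, [source])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:          # keep paths simple (no loops)
                stack.append((nxt, path + [nxt]))
    return paths


def segmentation_report(links, policy, enforcement_points):
    """For each (source, target) pair that must be filtered, list the bypasses."""
    return {pair: bypass_paths(links, pair[0], pair[1], enforcement_points)
            for pair in policy}


if __name__ == "__main__":
    policy = [("internet", "spds_server"), ("corporate_net", "spds_server")]
    for pair, paths in segmentation_report(LINKS, policy, {"firewall"}).items():
        print(pair, "->", paths if paths else "no unfiltered path")
```

The second policy pair shows the other half of the problem: even with the T1 line filtered, nothing stands between the business network and the plant network in this model.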

Operators Burdened

By 4:00 p.m., power plant workers noticed a slowdown on the plant network. At 4:50 p.m., the congestion created by the worm's scanning crashed the plant's computerized display panel, called the Safety Parameter Display System.

An SPDS monitors the most crucial safety indicators at a plant, like coolant systems, core temperature sensors, and external radiation sensors. Many of those continue to require careful monitoring even while a plant is offline, says one expert. An SPDS outage lasting eight hours or more requires that the NRC be notified.

At 5:13 p.m., another, less critical, monitoring system called the "Plant Process Computer" crashed. Both systems had redundant analog backups that were unaffected by the worm, but, "The unavailability of the SPDS and the PPC was burdensome on the operators," notes the March advisory.

It took four hours and fifty minutes to restore the SPDS, six hours and nine minutes to get the PPC working again.

FirstEnergy declined to elaborate on the incident. The company has become the focus of an investigation into last week's northeastern U.S. blackout. Though the full cause of the blackout has yet to be determined, investigators have reportedly found that it began when an Ohio high-voltage transmission line "tripped" after sagging into a tree. An alarm system that was part of FirstEnergy's Energy Management System failed to warn operators at the company's control center that the line had failed.

Asked if last week's "Blaster" worm might have had a hand in the alarm system failure, just as Slammer disabled the Davis-Besse safety display panel, FirstEnergy spokesman Todd Schneider said, "We're investigating everything right now."

"I have not heard of anything like that," added Schneider. "The alarm system was the only system that was not functioning."

SCADA Issues

The Davis-Besse incident was not Slammer's only point of impact on the electric industry. According to a document released by the North American Electric Reliability Council in June, Slammer downed one utility's critical SCADA network after moving from a corporate network, through a remote computer to a VPN connection to the control center LAN.
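The paths the reports describe can be audited mechanically. The sketch below is an added example, not part of the original article: it models the Davis-Besse zones and the utility's SCADA path as links and lists every route worm traffic could take without crossing a filter. UDP port 1434 is the port Slammer used (the article does not name it); the "second unmonitored ingress" link, the "corporate access" label and the rule sets are constructed assumptions.

```python
from typing import NamedTuple

SLAMMER = ("udp", 1434)  # SQL Server Resolution Service port used by Slammer


class Link(NamedTuple):
    a: str
    b: str
    label: str
    blocked: frozenset  # (protocol, port) pairs dropped on this link, both directions


def link(a, b, label, blocked=()):
    return Link(a, b, label, frozenset(blocked))


# Constructed model of the topology in the article (rule sets are assumptions).
DAVIS_BESSE = [
    link("internet", "corporate", "Davis-Besse firewall", [SLAMMER]),
    link("internet", "contractor", "contractor uplink"),
    link("contractor", "corporate", "T1 line"),
    link("internet", "corporate", "second unmonitored ingress (hypothetical)"),
    link("corporate", "plant", "business-to-plant link"),
]

# Constructed model of the NERC case: corporate -> remote computer -> VPN -> control center.
UTILITY_SCADA = [
    link("corporate", "remote computer", "corporate access"),
    link("remote computer", "control center LAN", "VPN"),
]


def open_paths(links, src, dst, service):
    """Return every loop-free path from src to dst, as a list of link labels,
    using only links that do not block `service`."""
    passable = [l for l in links if service not in l.blocked]
    found = []

    def walk(zone, visited, labels):
        if zone == dst:
            found.append(labels)
            return
        for l in passable:
            if zone in (l.a, l.b):
                nxt = l.b if zone == l.a else l.a
                if nxt not in visited:
                    walk(nxt, visited | {nxt}, labels + [l.label])

    walk(src, {src}, [])
    return found


def choke_points(paths):
    """Links present on every open path: filtering any one of them closes all paths."""
    if not paths:
        return set()
    common = set(paths[0])
    for p in paths[1:]:
        common &= set(p)
    return common


def with_filter(links, label, service):
    """Return a copy of the topology with `service` blocked on the named link."""
    return [l._replace(blocked=l.blocked | {service}) if l.label == label else l
            for l in links]


if __name__ == "__main__":
    paths = open_paths(DAVIS_BESSE, "internet", "plant", SLAMMER)
    for p in paths:
        print("open path:", " -> ".join(p))
    print("choke points:", choke_points(paths))
    fixed = with_filter(DAVIS_BESSE, "business-to-plant link", SLAMMER)
    print("paths after filtering the plant boundary:",
          open_paths(fixed, "internet", "plant", SLAMMER))
```

The firewall appears on none of the open paths, and the only link common to all of them is the one between the business and plant networks, which is where a single filter closes every route regardless of how many ingresses the corporate network has.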

A SCADA (Supervisory Control and Data Acquisition) system consists of a central host that monitors and controls smaller Remote Terminal Units (RTUs) sprinkled throughout a plant, or in the field at key points in an electrical distribution network. The RTUs, in turn, directly monitor and control various pieces of equipment.

In a second case reported in the same document, a power company's SCADA traffic was blocked because it relied on bandwidth leased from a telecommunications company that fell prey to the worm.

Reports on the effect of last week's Blaster worm on the electric grid, if any, have yet to emerge.

The Slammer attacks came after years of warnings about the vulnerability of power plants and electric distribution systems to cyber attack. A 1997 report by the Clinton White House's National Security Telecommunications Advisory Committee, which conducted a six-month investigation of power grid cybersecurity, described a national system controlled by Byzantine networks riddled with basic security holes, including widespread use of unsecured SCADA systems, and ample connections between control centers and utility company business networks.

"[T]he distinct trend within the industry is to link the systems to access control center data necessary for business purposes," reads the report. "One utility interviewed considered the business value of access to the data within the control center worth the risk of open connections between the control center and the corporate network."

Future Safety Concerns

An energy sector cybersecurity expert who's reviewed nuclear plant networks, speaking on condition of anonymity, said the trend of linking operations networks with corporate LANs continues unabated within the nuclear energy industry, because of the economic benefits of giving engineers easy access to plant data. An increase in plant efficiency of a couple percentage points "can translate to millions upon millions of dollars per year," says the expert.

He says Slammer's effect on Davis-Besse highlights the dangers of such interconnectivity.

Currently, U.S. nuclear plants generally have digital systems monitoring critical plant operations, but not controlling them, said the expert. But if an intruder could tamper with monitoring systems like Davis-Besse's SPDS, which operators are accustomed to trusting, that could increase the risk of an accident.

Moreover, the industry is moving in the direction of installing digital controls that would allow for remote operation of plant functions, perhaps within a few years, if the NRC approves it. "This is absolutely unacceptable without drastic changes to plant computer networks," says the expert. "If a non-intelligent worm can get in, imagine what an intruder can do."

Jim Davis, director of operations at the Nuclear Energy Institute, an industry association, says those concerns are overblown. "If you break all the connections and allow no data to pass from anywhere to anywhere, you've got great security -- but why'd you put the digital systems in the first place?," says Davis.

Davis says the industry learned from the Davis-Besse incident, but that the breach didn't prove that connections between plant and corporate networks can't be implemented securely. "You can put a well-protected read-only capability on a data stream that provides you reasonable assurance that nobody can come back down that line to the control system," says Davis.

Last year the NEI formed a task force to develop updated cybersecurity management guidelines for the industry. The results -- which will be secret -- are expected within a few months. As part of a research effort earlier this year, the NEI's task force worked with the NRC and a contractor to review cybersecurity at four nuclear power plants. The details of the review are classified as "Safeguards" material, but Davis says the investigation found no serious problems. "There are no issues that generate a public health and safety concern," says Davis.

"Sometimes people get very anxious about digital systems and what you could or couldn't do with digital systems, but in lots of cases you've got switches and valves and little override buttons on this thing and that thing that could cause a component to shut down as quickly as any digital system," Davis says.

Despite the Slammer breach, FirstEnergy was apparently not in violation of NRC's limited, and aging, cybersecurity regulations. For its part, the commission wouldn't comment on the incident. The NRC has faced fierce criticism for not acting sooner to curb far more serious physical safety problems at the plant.

from CNET News.com, 2005-Feb-4, by Robert Lemos:

Study: Few bugs in MySQL database

A source-code analysis of the MySQL database, a popular open-source program at the heart of many Web sites, revealed few bugs compared with the number found in commercial code, testing company Coverity said Friday.

The analysis, done using the company's homegrown tools, found 97 flaws, at least one of which was a serious security problem, Coverity said in a report. However, that number is small compared with most commercial software code, said Seth Hallem, Coverity's CEO.

"In terms of industry averages, MySQL is excellent," Hallem said. "There is not a lot of easy gotchas in there."

Source-code analysis tools such as Coverity's are quickly becoming must-haves for software developers. Microsoft uses its own internal tools to vet its software, find bugs and reduce security vulnerabilities. Other companies, such as Ounce Labs and Reflective, have sold their wares to major companies. Coverity counts technology giants Cisco Systems and Oracle among its customers.

MySQL, the Swedish company that develops and maintains the MySQL database, contacted Coverity and asked for the audit, said Zack Urlocker, vice president of marketing for MySQL.

"We have fixed all the bugs that have been reported," Urlocker said. "And they will go out in our next release."

While the analysis software does not catch all bugs, the programs can effectively find certain classes of software problems. In many cases, such flaws could be the low-hanging fruit that might otherwise be found by an external hacker or independent security researcher. Moreover, since many companies allow free use of these tools for noncommercial software, an open-source project will likely have to analyze their code or risk attacks by malicious attackers who use the tools first.

Eliminating bugs is not the only use of such tools. Many IT professionals look to analysis tools to generate a measure of the quality of two code bases for comparison. While open-source software has its own share of problems, the fact that MySQL has fewer than 100 bugs indicates that the open-source database has been well-coded, Hallem said.

"By eliminating these, we are eliminating the most obvious flaws in the code," Hallem said.

Commercial code typically has anywhere from one to seven bugs per 1,000 lines of code, according to an April report from the National Cybersecurity Partnership's Working Group on the Software Lifecycle, which cited an analysis of development methods by the Software Engineering Institute at Carnegie Mellon University.

Coverity's analysis of MySQL found an average of one bug in every 4,000 lines of code--results that are at least four times better than is typical with commercial software.

The findings parallel earlier work by Coverity in auditing the Linux kernel; that work found that a recent version of the kernel had 985 flaws in 5.7 million lines of code, less than a single flaw in every 10,000 lines of code.

"It is similar to other studies that have been done in the past that have shown that open-source code is clean and well-structured," said MySQL's Urlocker. He added that the open-source development process compels programmers to write cleaner code because the code will be seen and evaluated by others.

"It's like if you get ready to go to your high school reunion, you probably work out a bit before you go," he said.

By analyzing Linux and MySQL, Coverity has done quality checks on two of the four common components of open-source-based Web servers. The other two components--the Apache Web server and the PHP Web-scripting language--will be analyzed in the near future, Hallem said.

from TheInquirer.net, 2003-Sep-28:

Power cut infection hits whole of Italy
Whole country affected

A POWER CUT downed all of Italy early this morning, with electrical engineers blaming France for defective power lines.

The cut started about 3.30am, and continues, with all services still struggling to recover the situation.

This power cut follows problems last week in Denmark, before that in London, and first of all in New York.

Just like the three previous cuts, lots of people were stranded on trains and in the underground.

from the Washington Post, 2003-Aug-15, p.A1, by Peter Behr:

The Warnings
System's Crash Was Predicted

The warning from David Cook, general counsel for the nation's electric reliability organization, was stark: "The question is not whether, but when, the next major failure of the grid will occur."

Cook was speaking to Congress two years ago, and yesterday his prediction came crashingly true in what may have been the largest power blackout in history, a catastrophe for the industry that experts said has exposed the steadily growing vulnerability of the nation's nearly 200,000-mile network of high-voltage transmission lines.

The country's halting moves toward electricity deregulation over the past decade have dramatically increased the volume of power flowing on the grids.

But the transmission towers themselves remain the stepchildren of the nation's energy infrastructure. People don't want them in their back yards or on their farms. Energy companies aren't interested in building them. And while the system is linked together with advanced computer systems, much of the equipment that opens and closes connections around the nation's three major grids is 1950s vintage, officials said.

"We're a superpower with a Third World grid," New Mexico Gov. Bill Richardson, a former energy secretary, said yesterday.

Cook's organization, the North American Electric Reliability Council, warned last year, "The nation is at . . . a crisis stage with respect to reliability of transmission grids." It calculated that $56 billion was needed to upgrade the nation's grids, but only $35 billion was likely to be invested.

For two years, the Bush administration and leaders of congressional energy committees have called for new legislation to help expand the transmission system, but a major energy bill has yet to get through Congress.

The Federal Energy Regulatory Commission, the agency that oversees transmission, has been trying for years to prod power companies into forming new, multi-state regional grids with authority over planning and system reliability measures. But utilities in the Southeast and Northwest fear that a more wide-open system would allow their cheaper power to be siphoned away from their customers. They have made war on FERC's plans and some members of Congress are trying to block the commission's transmission initiative from going forward until 2005 or 2007.

The Electric Power Research Institute in Palo Alto, Calif., estimated that while power demand has shot up 30 percent in the past 10 years, transmission capacity has increased by just 15 percent. That wouldn't have mattered much as recently as the 1970s, when most electricity was distributed within states or small regions. Today, when heat waves strike New York, power often courses southward from Canada, or eastward from the Dakotas. When weather is cool in Chicago and hot in New Orleans, electricity from the Windy City may help feed the Big Easy.

But throughout the country, bottlenecks in transmission line capacity often overload the system, forcing power in different and unplanned directions and compelling operators to increase output from some generators while ordering others to power down.

The most famous of the bottlenecks, called Path 15 in central California, prevented surplus electricity in the southern part of the state from reaching San Francisco and northern cities early in 2001, aggravating blackouts that on the worst day cut off power to 1 million people.

Robert Mitchell, who heads a Reston company, Trans-Elect Inc., that has raised $250 million for a joint venture with federal and California partners to expand Path 15's capacity, said, "Transmission deserves to be treated as an enormous infrastructure problem, but it gets little attention." If the interstate highway system were as jammed as the grid often is now, "we would have a parking lot from coast to coast," he said.

The nation's major utility companies, which own the bulk of the transmission lines, often balk at sharing them with competing independent merchant power providers that have been building generating stations along the lines, hoping to take customers away.

As deregulation flourished, investment dwindled in transmission lines, whose profits are limited by regulation.

The 1965 Northeast power blackout led to the creation of the reliability council, an advisory and watchdog group over the transmission system, said Peter Fox-Penner, a principal with the Brattle Group, a consulting firm advising utilities.

But the move toward deregulation has also exposed NERC's limitations, particularly its lack of enforcement powers to detect and stop generators from abusing the grid with unscheduled power deliveries. Yesterday's blackout will force attention back to the grid, Fox-Penner predicted.

"This will undoubtedly focus attention on the infrastructure, the need for investment in power grid and the best ways to attract investment in the grid," said Merribel Ayres, president of the Lighthouse Energy Group, a power industry consulting firm.

from CNET.com, 2002-May-12, by Joe Wilcox:

Outage hits MSN Web sites

Microsoft on Sunday afternoon restored its MSN Web sites and services that had been inaccessible most of the morning and left many users unable to access game, Web-based e-mail, chat, search and other features.

The outage also brought down for a while MSNBC.com and Newsweek.com, which has a hosting arrangement with the Microsoft-NBC news site.

Sunday's lack of access was the latest in a series of recent glitches affecting MSN Web sites or Passport online authentication services.

Users could not access Microsoft's popular Game Zone Web site, nor could they log in to popular MSN chat rooms. Some Hotmail users also found they could not access the Passport log-in page. The outage also affected Internet Explorer 6 users, who discovered they could not search the Web using the default setting. IE 6, which is integrated into Windows XP, uses MSN for Web searches.

"This also affected people wishing to sign out of their Passports on the Zone.msn.com site, causing a potential security issue for that segment of their Passport access," said Shane Johnson, a network/messaging consultant from Puyallup, Wash.

Not being able to log out could be as much of a problem as not being able to log in. Users typically need to sign out of Microsoft services such as bCentral, Game Zone and Hotmail, all of which require Passport authentication, to avoid exposure to a possible security problem. The action removes a cookie that, if pilfered by a Web site or other program, could allow a hacker to take control of the account.

CNET News.com started receiving user complaints about the outage around 9:15 a.m. PDT Sunday and later confirmed through testing that some kind of failure had occurred with a number of MSN Web sites or services. Most services appeared to have been restored early Sunday afternoon.

Johnson was one of those users alerting CNET News.com to the problem. He concluded that Microsoft had a problem with one of its primary backbone routers.

Microsoft could not be reached for comment about the problems.

Microsoft's .Net Messenger service appeared unaffected by the outage, as were the main MSN and Microsoft Web sites.

Sunday's outage follows a string of gaffes or security glitches that have called Microsoft's .Net Web services strategy into question. In court last week, testifying as part of Microsoft's antitrust trial, Jim Allchin, the company's senior vice president responsible for Windows, described .Net My Services as being "in a little bit of disarray."

In April, a server glitch locked many Hotmail users out of their accounts. In January, a glitch with Passport authentication blocked some users from accessing Microsoft's game site. This followed a more serious December outage, when Microsoft's switching users over to Passport authentication prevented some users from logging onto the Web site.

On Wednesday, Microsoft warned of a critical security hole in MSN Messenger's chat feature. In February, a fast-spreading worm exploited a glitch in MSN Messenger, while another problem prevented some Windows Messenger and MSN Messenger users from staying connected to the Internet. A summer 2001 outage kept about 10 million Messenger users offline for about a week.

Instant messaging is an important component of Microsoft's .Net My Services, the company's consumer Web services offering that is under construction. Microsoft plans to use Windows Messenger, which is integrated into Windows XP, and MSN Messenger as a way for the company and third-party service providers to communicate with customers. The first such service, .Net Alerts, delivers stock quotes, traffic reports and other information through Microsoft's instant messenger.

Other security problems continue, despite Microsoft Chairman Bill Gates' call earlier this year that the company put more emphasis on making software secure than adding new features.

In March, Microsoft issued a pair of patches for Internet Explorer security holes. February and April security holes potentially opened Office for the Mac to hackers. Also in April, Microsoft issued fixes for about 10 security holes affecting three versions of Internet Information Server.

from the Associated Press, 2001-Nov-3:

Microsoft admits major 'Passport' flaw
Company says no one's account has been compromised

WASHINGTON (AP) -- Microsoft is making repairs after acknowledging that its "Passport" technology for safeguarding purchases on the Internet has a serious design flaw that might have allowed hackers to steal credit card numbers and personal information.

Microsoft said 2 million customers use the vulnerable "e-wallet" feature of Passport, and there was no evidence of actual theft. The company temporarily shut down access to virtual wallets Wednesday, inconveniencing buyers at roughly 70 e-commerce Web sites that support the technology, called "Express Purchase."

Up to 200 million people have signed up for Passport accounts, which are nearly impossible to avoid under Microsoft's new Windows XP operating system. Passport promises consumers a single, convenient method for identifying themselves across different Web sites.

"We do not believe customer data was compromised in any way," Microsoft spokesman Adam Sohn said Friday. "We know we've got to build and earn trust for (Passport) to be successful. We're taking the right steps to do that."

Users of Windows XP were never vulnerable because of additional security measures built in, Sohn said.

An outside researcher, Marc Slemko of Seattle, discovered the flaw and notified Microsoft engineers this week.

The vulnerability, which Microsoft said would require a sophisticated hacker to exploit, was significant because Passport is integral to Microsoft's upcoming services, including its .NET initiative. Passport users could entrust Microsoft or another company to hold their personal information -- such as credit card numbers or medical records -- and make it available whenever needed.

Slemko, a prominent Internet security researcher, said he discovered a method for fooling Microsoft's central Passport computers into sending him the contents of someone else's virtual wallet.

The hacker sends a message to the victim's Microsoft Hotmail e-mail account. If the victim clicks on an apparent Web link within the message, Slemko said, "Within minutes ... I have access to their wallet and credit-card information."

Microsoft said it fixed problems to prevent such online impersonations, and was making further changes to improve security.

Microsoft's growing emphasis on Passport has angered some privacy groups, who have pressed the Federal Trade Commission (FTC) in recent weeks to investigate whether the company can adequately guarantee the safety of a customer's information. The groups said the newly discovered flaw reinforces their arguments.

"It's an identity thief's dream-come-true to be able to grab the online credentials of someone simply by sending the victim an e-mail," said Jason Catlett, head of Junkbusters Corp., a New Jersey-based privacy organization.

Marc Rotenberg of the Electronic Privacy Information Center called it "very serious that so much personal information of so many American consumers is held by a single company with such a bad reputation for security."

Microsoft responded that its Passport technology allows consumers to store their sensitive records with other organizations they trust, not just Microsoft.

"The long-term vision for all this has never been that Microsoft would be the sole repository for all the data," Sohn said.

from Wired News, 2002-Jun-5, by Michelle Delio:

Did MS Pay for Open-Source Scare?

Authors of a new report on the perils of open source software are being very closed-mouth about their funding sources.

"Opening the Open Source Debate," a white paper slated to be released Friday by the Alexis de Tocqueville Institution, indicates that open-source software is inherently less secure than proprietary software. The report warns governments against relying on open-source software for national security.

Open-source advocates wondered if the white paper is actually a veiled Microsoft response to recent reports of rising government and military interest in open-source systems.

A Microsoft spokesman confirmed that Microsoft provides funding to the Alexis de Tocqueville Institution.

"We support a diverse array of public policy organizations with which we share a common interest or public policy agenda such as the de Tocqueville Institution," the spokesman wrote in an e-mail.

Microsoft did not respond to requests for comment on whether the company directly sponsored the debate paper. De Tocqueville Institute president Ken Brown and chairman Gregory Fossedal refused to comment on whether Microsoft sponsored the report.

"It is not our policy to comment on supporters; I'm sure you can understand. From this you should not infer that information you have is correct or not correct; we just don't comment," Fossedal wrote in an e-mail.

"These folks really need to be more straight-forward about this," security researcher Richard Smith said. "Not commenting makes it appear as if they have something to hide."

A Microsoft spokesman did say that open-source software is not innately more or less secure than proprietary software.

"Microsoft has held the position that security is an industry-wide issue and software is only one part of it. Implementation and administration are also key in security."

Most security experts do believe that open source is neither more nor less secure than proprietary software. How a systems administrator configures and maintains the application is equally important.

Open-source software allows programmers to view and modify the software's program code. Closed-source software code is not viewable to all.

Since malicious hackers cannot view the underlying code of proprietary software, they can't study it to discover possible exploits, a principle known as "security through obscurity," according to Bill Wall and Darwin Ammala of Harris Corporation's STAT computer security unit.

But open source software is presented to a very large and knowledgeable audience of software development peers. This substantially large body of reviewers provides deep scrutiny to software. They are able to test a wide variety of scenarios and feed improvements back into the code base. Over time this strengthens the software, Wall and Ammala added.

A recent report by Gartner Group analyst John Pescatore suggested that open-source style review would make Microsoft's software more trustworthy.

But the question of whether closed- or open-source software is inherently more secure can't really be answered because the issue has not been subjected to rigorous analysis, security experts said.

Wall said such an analysis should be done within the software engineering research community by an entity such as the Software Engineering Institute (SEI) or the Defense Advanced Research Projects Agency (DARPA).

"I would really like to see rigorous testing with hard statistics and not mere speculation on an issue as serious as this," Smith said.

from TPDL 2001-Oct-23, from Gannett News Service via The Cincinnati Enquirer, by John Yaukey:

Hacker Havoc
Armed with new tools, a new breed of troublemakers wreaks widespread damage to computers, Internet

When Maurice Paynter installed his new Internet security software he got a sobering look at modern life online. "I realized I'm being attacked constantly," he said. "It's like I'm in a war zone."

The software, which records attempts by hackers to infiltrate the host computer, showed Paynter was being scanned for vulnerable openings 30 to 40 times a day. Scarcely a day passes now that his software doesn't detect a virus.

"It's hard to believe how bad it's gotten," he said.

According to watchers of malicious codes, hacking is becoming pandemic, a national pastime for computer enthusiasts tempted to test their skills against the establishment.

Since 1998, the number of hacking attacks and virus releases has increased sevenfold. Viruses are being produced at a rate of a dozen or more per day, with some causing tens of millions of dollars in damages and lost productivity.

To make matters worse, many hackers are employing more intentionally destructive tools and tactics, some so callous that even their fellow code crackers have denounced them as a different breed.

Shortly after Sept. 11's terrorist attacks, some hackers exploited the catastrophe to spread a virus using what appeared to be an e-mail pleading for peace. When the message was opened, the virus loaded onto the recipient's computer and damaged files.

In what is perhaps the most disturbing new trend, hackers are infiltrating well-known news sites, including Yahoo! and the Orange County Register, and rewriting stories. These "subversion of information" attacks raise a host of concerns in the wake of the Sept. 11th events when news sites were a major source of information.

"There used to be a strong ethic among hackers — get in and look around, but do no harm," said William Knowles, a 32-year-old Chicago-based computer security analyst and a former "benign" hacker. "That's been lost on the younger masses."

Experts say it's changing the Internet the way crime changes a neighborhood.

People are now constantly on alert for suspicious e-mail and other applications that could potentially harbor malicious code. It's gotten so bad several Internet service providers have been threatening to disconnect customers who don't use protective anti-virus software.

Meaner viruses

The modern hacker has a selection of tools and strategies to choose from, including viruses and worms that typically spread over networks and clog computers, and attacks, which they can launch against Web sites to disable them or change their contents.

Viruses and worms have typically been considered dangerous because once downloaded, say unwittingly from an e-mail attachment, they often destroy valuable files — and many still do that.

But new strains are being designed to add extra sting.

Consider the recent SirCam virus. It arrives in the form of a seemingly harmless e-mail attachment. If opened by the recipient, it sends itself to every name in the victim's address book. There's nothing special about that. But SirCam doesn't stop there. Before forwarding itself on, it raids your "My Documents" folder — where people often store their most sensitive material — and randomly selects a file that it sends out with the infected e-mail. Maybe it's a boring, meaningless file; maybe it's a file that gets you fired or divorced.

"With SirCam and some of these other recent releases you see a blending of standard basic virus making with some new, more sophisticated hacking tools," said Tom Powerledge, with security software maker Symantec.

But before a virus can do damage it has to enter a computer or network, and hackers have taken infiltration methods to new levels as well.

Most garden-variety viruses and worms enter computers when infected e-mail is downloaded.

This usually requires some sort of a trick euphemistically known as "social engineering." The Anna Kournikova virus released earlier this year as an e-mail attachment promised those who would download it a picture of the heartthrob tennis star.

But the recent Nimda virus was a different animal altogether, infecting e-mail, network servers, which regulate digital traffic, Web sites and shared disk drives where it automatically copied itself without the need for anyone to download it.

Nimda was so persistent, it took several major efforts on the part of network managers around the world to finally suppress it.

"Nimda was certainly alarming but not unexpected," said Chad Dougherty, an Internet security analyst at Carnegie Mellon's federally funded Software Engineering Institute. "Hackers are now using best-of-breed methods for propagating malicious code, and viruses like Nimda are the result."

Culture of hacking

Hacking wasn't always this destructive.

In fact, it started at MIT in the 1960s as a perfectly innocent pastime, aimed at tweaking higher performance out of some of the first mainframe computers to appear on college campuses. The term hacker was taken from a model train club at the university that amused itself by "hacking" better performance out of electronic toys.

In the 1970s, college students known as "phone phreaks" turned their fascination with technology to hacking long distance telephone networks for free calls. Apple computer founders Steve Jobs and Steve Wozniak were among hacking's early gurus.

By the 1980s, as academic and defense research computer networks began rapidly expanding into what would become the Internet, the hobby had started turning dark. Phone phreaks turned to hacking these networks, exchanging passwords and techniques on some of the first electronic message boards.

Later, the first hacking groups formed while the movie "War Games" introduced the public to hacking with a story about a teen-ager who nearly sparks nuclear war by meddling with defense computers.

It wasn't until 1988 that hacking publicly shook the establishment with the Morris worm.

Created by Cornell graduate student Robert Morris Jr., the worm program spread through some 6,000 academic and defense computers, paralyzing many.

The spindly, bespectacled Morris typified the new computer nerd and showed the world what a few lines of renegade code could do. At his federal trial, covered on the front page of The New York Times, Morris told prosecutors he never intended to crash computers, but rather only wanted to expose security flaws.

Until recently, this has been the credo of the hacker: Expose weaknesses so software vendors will fix them. It took exceptional skill to do this, and indeed, Morris was the son of a federal computer security expert.

But as the Internet exploded and a new generation raised on computers has taken to hacking, the hobby has degenerated into what old school hackers call "crass vandalism" perpetrated by "script kiddies."

These are typically young, suburban males, in their late teens and 20s who create often highly destructive viruses using prewritten code such as the VBS Worm Generator downloaded from the Internet. The 20-year-old hacker who released the Kournikova virus was found by police to be in possession of hundreds of viruses he had collected off the Internet.

"This is point-and-click hacking," said a San Francisco-area "white hat" hacker who calls himself Pauly Morf. "It requires no skill or understanding of network vulnerabilities. I have no respect for it or this generation."

That said, the recent spike in hacking that the script kiddies are largely responsible for has helped send a wake-up call across the Internet that should eventually make it more secure.

Despite the occasional warning of a looming digital apocalypse, many hackers and security experts alike predict more awareness, especially among home computer users, and more secure software will help keep hackers in check, at least those attracted by the cheap thrill of hurling monkey wrenches.

"Hackers have had it pretty easy lately," said Pauly Morf. "But the bar will be raised."

from ZDNet News, 2001-Sep-6, by Robert Lemos

Security experts protest copyright act

Two well-known computer security experts pulled down their works from the Internet this week for fear of being prosecuted under 1998's Digital Millennium Copyright Act.

Along with the threatened lawsuit of Princeton computer-science professor Edward Felten, and the arrest of Russian encryption expert Dmitry Sklyarov, the incidents are the latest to point at what is quickly becoming a touchy environment for security experts.

"When they started to arrest people and threaten researchers, I decided the legal risk was not worth it," said Fred Cohen, a well-known security consultant and a professor of digital forensics, who took his evidence-gathering tool--dubbed Forensix--off his Web site earlier this week.

Dug Song, a security expert at network-protection company Arbor Networks, pulled his own site down in protest as well. Now the only text on the site, "Censored by the Digital Millennium Copyright Act," links to a DMCA protest site, Anti-DMCA.org.

And last month, fearing retribution, Dutch encryption expert Niels Ferguson refused to publish his discovery that Intel's encryption scheme for Firewire connections, known as the high-bandwidth digital content protection (HDCP) system, had a major flaw.

"I travel to the U.S. regularly, both for professional and for personal reasons," he said in an online statement. "I simply cannot afford to be sued or prosecuted in the U.S. I would go bankrupt paying for my lawyers."

Lawyers and proponents of the law argue that the response from the security community is at best a misinterpretation of the law and more likely protest veiled as legitimate fear.

"Some of the opponents of the DMCA are trying to resurrect this issue to get another day in court," said Robert Holleyman, president and CEO of the Business Software Alliance, the piracy-fighting organization that represents the lion's share of software companies. "Security testing is definitely permitted under the DMCA."

The DMCA, passed in 1998, prohibits the circumvention of copy protection and the distribution of devices that can be used to circumvent copyrights--even if their users don't do anything illegal once they've broken the security. Software makers, Hollywood and the music industry make up the core proponents of the law.

The BSA says such laws are necessary to head off software piracy, which the group estimates cost software companies $11 billion in lost revenue last year.

Yet, for many security researchers the question is whether stress-testing the security of software products and publicizing vulnerabilities and how they were taken advantage of violates the DMCA.

The Man bites watchdog?

"There are provisions in the law for certain security research," said Mark Smith, a network-security engineer and spokesman for Anti-DMCA.org, "but you shouldn't have to hire a lawyer to make sure you are not breaking a law."

That's a problem in an industry where a large number of security vulnerabilities are found by individuals and small groups of hackers--the people without the deep pockets to fend off a lawsuit or hire lawyers to review research prior to its release.

That pretty much turns the question of publishing into a business decision, said consultant Cohen. "From a risk-management standpoint, I can't afford to deal with the issue," he said. "Some big businesses can afford to sell the product. I can't."

But Marc Zwillinger, an intellectual-property attorney and partner at Washington, D.C., law firm Kirkland & Ellis, calls Cohen's move a political one.

"I don't think that forensics software would (be considered illegal) under any reading of the DMCA," said the former Department of Justice attorney, who now files suit on behalf of copyright holders.

He said Cohen's forensics tool is a program that is not primarily designed to circumvent the protections of copyrighted work, so his actions are unnecessary. And the Dutch researcher has little to worry about, at least from U.S. authorities, Zwillinger said. "You cannot be arrested under the DMCA unless you are selling software for profit," he said.

Yet the willingness of software makers and media companies to sue over any potential threat makes security researchers nervous.

In 1999, the movie industry filed multiple lawsuits against the creators of a program to decrypt DVD disks. Originally, the program had been created to add DVD playback ability to the Linux operating system.

This April, Princeton's Felten found himself on the sticky side of a threatened lawsuit when he planned to release research questioning the effectiveness of a purported Secure Digital Music Initiative. Following the filing of his own suit, the professor presented his paper at the USENIX Security Conference in August.

But it was the arrest and criminal indictment of Russian encryption expert Dmitry Sklyarov at the Def Con hacking conference that really drove the point home. The incident also unnerved Russian programmers thinking of visiting the United States.

"We would like to draw the attention of all the Russian software and programming specialists cooperating with U.S. firms that, regardless of a final decision in the Sklyarov case, provisions of the 1998 Act may be used against them on the territory of the United States," the Russian Ministry of Foreign Affairs said in a statement issued last week.

Already, some security researchers are going underground.

Last week, when an encryption expert reportedly found a hole in Microsoft's e-Book format, he anonymously went to the news media rather than face arrest.

According to Anti-DMCA.org's Smith, the DMCA could dramatically set back computer security.

"We crash test cars to create stronger, safer vehicles," he said. "We need to crash test software to promote stronger, safer software. But with the DMCA, a company can do minimal research on security, and if someone does crack their software, they can sic the FBI on them."

(The following two items also appear in the Media Bias chapter.)

from ZDNet News (Ziff Davis), 2001-Aug-9, by Erich Luening:

Hotmail, FedEx infected by Code Red

Code Red claimed two major victims this week, as Microsoft confirmed that some servers running its MSN Hotmail service were infected with a version of the worm and express-shipping giant Federal Express said the worm interfered with some deliveries Wednesday.

Microsoft spokesman Jim Desler said Thursday that some Hotmail servers were brought offline to deal with the problem and that service was not disrupted. About 110 million people have accounts with the free Web-based e-mail service, according to Microsoft.

The infection comes after a big push by the Redmond, Wash.-based software giant to get customers to download a patch to protect their computers from the worm, which takes advantage of a security hole in the company's Web server software running on Windows NT and Windows 2000 systems.

Desler said he did not know how Microsoft itself had managed to fall victim to the virus. He said some Hotmail servers may have been replaced recently for some reason with servers that hadn't been patched yet.

Desler also said the company was still not sure which variant of the worm corrupted its servers. The original Code Red worm spawned a nastier sequel, Code Red II, which leaves an infected server with a "back door" that could be used by hackers to gain control of the server or gain access to the data it contains. Microsoft said no personal information had been breached as a result of the Hotmail infections.

"We continue to take this very seriously," Desler said. "This is a highly malicious worm, and we are taking extra steps to protect our servers from further attacks."

Also Thursday, shipping giant Federal Express said it suffered isolated server problems Wednesday that it attributed to the Code Red worm.

Spokeswoman Pam Roberson said the company has implemented a contingency plan and is working on cleansing its systems of the worm. She said the problems caused delivery delays in isolated areas of the United States on Wednesday but said things were running normally Thursday.

Code Red has contaminated hundreds of thousands of server systems around the world since its introduction last month. The original worm prompted the White House to move the address of its Web site when officials learned the site had been specifically targeted by Code Red. The worm also led to government warnings from the FBI before tapering off as a result of people applying the Microsoft patch.

Note the prescience of the following article, as evidenced by the two articles that follow it.

from PBS online, 2001-Aug-2, by Robert X. Cringely, from http://www.pbs.org/cringely/pulpit/pulpit20010802.html :

The Death of TCP/IP
Why the Age of Internet Innocence is Over

As events of the last several weeks have shown, Microsoft Windows, e-mail and the Internet create the perfect breeding ground for virus attacks. They don't even have to exploit Windows flaws to be effective. Any Visual BASIC programmer with a good understanding of how Windows works can write a virus. All that is needed is a cleverly titled file attachment payload, and almost anyone can be induced to open it, spreading the contagion. It is too darned easy to create these programs that can do billions in damage. The only sure way to fix the problem is to re-stripe the playing field, to change the game to one with all new rules. Some might argue that such a rule change calls for the elimination of Microsoft software, but that simply isn't likely to happen. It's true that Linux and Apache are generally safer than Windows 2000 and IIS, but Microsoft products aren't going to go away. I promised you an answer to how to secure the Internet, and I mean to come through. First, we'll start with the way I would do it, then follow with a rumor I have heard about one way Microsoft might want to do it.

The wonder of all these Internet security problems is that they are continually labeled as "e-mail viruses" or "Internet worms," rather than the more correct designation of "Windows viruses" or "Microsoft Outlook viruses." It is to the credit of the Microsoft public relations team that Redmond has somehow escaped blame, because nearly all the data security problems of recent years have been Windows-specific, taking advantage of the glaring security loopholes that exist in these Microsoft products. If it were not for Microsoft's carefully worded user license agreement, which holds the company blameless for absolutely anything, they would probably have been awash in class action lawsuits by now.

Of course, it is not as though Microsoft intended things to be this way. No company deliberately designs bad products. But you must understand that Microsoft limits its investments to things that will enhance a product's market share. Every feature in Windows had to pass the litmus test, "Does it increase market share?" Putting security safeguards in their products evidently failed the litmus test, and therefore weren't added. While it is true that virus authors will target platforms that give them the most bang for their programming buck, the Windows platform has virtually no security to even slow them down. I believe the lack of security in Microsoft software was a deliberate business decision.

Alas, things are only likely to get worse in the near term. So far, we've been lucky in that most virus authors have been impatient and want to see the immediate effects of their work. It is far more effective to be patient and let the virus spread quietly for months. If the virus does nothing, the defense against it will be slow and/or too late. If the virus does very little on one's PC (for awhile), it won't be discovered easily. It is also possible to make a stealth virus. I won't go into specifics for obvious reasons, but if you think about how virus detection software works, it isn't hard to trip it up.

Even if 98 percent of the world's computers had current anti-virus software (which they don't), the remaining two percent would still be millions of devices capable of bringing down the entire Internet if infected.

And now, we have the impending release of Windows XP, and its problem of raw TCP/IP socket exposure. As I detailed two weeks ago, XP is the first home version of Windows to allow complete access to TCP/IP sockets, which can be exploited by viruses to do all sorts of damage. Windows XP uses essentially the same TCP/IP software as Windows 2000, except that XP lacks 2000's higher-level security features. In order to be backward compatible with applications written for Windows 95, 98, and ME [NT? -AMPP Ed.], Windows XP allows any application full access to raw sockets.

This is dangerous.

Not only is it dangerous, it is unnecessary. What is wrong with telling application developers, "Your application can't have access to raw sockets," or, "When XP ships you need to have a non-raw socket version ready for your customers," or, "If your application needs to access raw sockets, these are the security rules and interfaces you will have to use"? The bottom line is that Microsoft's choice to provide access to raw sockets was based on the market share litmus test, period.

Unless this feature is changed before XP is released, it will mean that millions of new computers will be manufactured as perfect little virus machines. Virus authors who are anticipating these new PCs will be able to pre-position their digital vermin to take advantage of the socket flaw as the new machines appear. The result is that, in all likelihood, there will be massive data security problems, as well as massive damage to files and property, all as a result of Windows XP.

But as consumers, guess what -- we won't even get a choice. Microsoft will require the PC makers to install XP in the factory. It will come on your PC, and you won't have the choice or option to pick something different. When Microsoft issues a new OS, it is forced into the market.

Here is my preferred solution for Internet security. We could implement a secure user identity system precisely like telephone Caller ID. It would be essentially an Internet ID. All Internet transactions could be based on it. Anyone who sends me e-mail can be identified. Anything I send can be traced to me. People wouldn't be forced to participate, but if they remain anonymous, I might choose to block them. I certainly wouldn't accept file attachments from them. I know you hate this idea, but I think the Internet needs a fingerprint. It does not have to have personal information, but if you break the law it can be traced to you. You can choose not to have a fingerprint, but then your ability to communicate with others may be limited -- a price many people may choose to pay.

I am not opposed to people being anonymous -- just to anonymous people receiving public assistance. Send all the anonymous love or hate mail you like, but don't expect to attach a file.

And what's with those file attachments, anyway? Replace mail clients and APIs with secure models. The new model will not run attachments as they do today. E-mail attachments should not have access to the e-mail client, APIs, etc. Attachments should not have access to the operating system by default. The user should approve the use of some APIs, like having to give permission before device drivers are updated.

Any application that wants to send bits onto the Internet must first be permitted to do so. Applications would be registered to send outgoing traffic. The applications would be limited by function and port. You would register your e-mail program as the only application that could talk SMTP, POP3, etc. If Microsoft Word wanted to send an e-mail, your e-mail program would pop up, ask you to authenticate yourself and explicitly send the message. At that point, you would be in complete control of what was happening on your PC. For mail-enabled applications, there would be an application user account registered on the post office. The account would be unique, and registered to a unique application.

If kids want to install an Internet game, the game's IP port would be registered and permitted to operate, hopefully by the parent. If kids wanted to install an Internet chat program, too bad -- it wouldn't work if Dad didn't want it to work.

By default, under this scenario, your PC becomes a TCP/IP read-only device. By running applications like Gibson's Zone Alarm you can -- right now -- severely limit the use of TCP/IP by applications on your PC. And what happens when you do so? Everything works just fine. So rather than ripping the protocol stack wide open, let's do the exact opposite. Restrict access to it.

The only e-mail activity on my PC should be initiated by me, personally. Nothing else should access my address book or send out messages without my express permission. Microsoft will of course reject the idea, mostly because it will fail the "increase market share litmus test." My answer is, "Microsoft, if you do not take responsibility for locking down your APIs, it will become obvious to the public and become a detriment to your market share."

Now to the other approach, the one some people attribute to Microsoft. I am not making this up. The story came to me from people I have come to trust, and I have looked into it closely enough to think it might have some validity. But for the sake of keeping lawyers off my back, let's just call it a rumor, and only use it as a basis for discussion. To be perfectly clear, I am not claiming that the following is true -- just that I have heard it from more than one source, and think it accurately characterizes some past behaviors of Microsoft. Perhaps by bringing it into the light, we can ensure that Redmond takes a more thoughtful course. I certainly hope it is wrong.

Programmers who ought to be familiar with Microsoft's plans have suggested that the real motive for raw socket support is for Microsoft to use Windows XP to exploit a bad situation, to deliberately make things worse.

According to these programmers, Microsoft wants to replace TCP/IP with a proprietary protocol -- a protocol owned by Microsoft -- that it will tout as being more secure. Actually, the new protocol would likely be TCP/IP with some of the reserved fields used as pointers to proprietary extensions, quite similar to Vines IP, if you remember that product from Banyan Systems. I'll call it TCP/MS.

How do you push for the acceptance of a new protocol? First, make the old one unworkable by placing millions of exploitable TCP/IP stacks out on the Net, ready-to-use by any teenage sociopath. When the Net slows or crashes, the blame would not be assigned to Microsoft. Then ship the new protocol with every new copy of Windows, and install it with every Windows Update over the Internet. Zero to 100 million copies could happen in less than a year, and that year could be prior to the new protocol even being announced. It could be shipping right now.

Suppose you are a typical firm that also has some non-Microsoft servers. You will want to use this new protocol between your Microsoft and non-Microsoft servers. Microsoft could charge Sun millions to put TCP/MS on their systems. Microsoft can promise open support, but make it financially impractical. Then use it in a marketing attack against competitors. Zero-Footprint network drivers, ODBC, and MAPI are examples of Microsoft "open" standards that took years for non-Microsoft firms to use. Almost anyone who would have wanted to use these open standards has been driven out of business.

Second part of the push for the new protocol will be from AOL/Time-Warner, normally Microsoft's top competitor -- but not on this issue. AOL isn't really part of the grand vision of the new protocol. It's just that if they get more of what they want (paid accounts, music and video royalties), they won't object to Microsoft pushing for secure authenticated connections.

Third and most powerful part of the push for Microsoft's new protocol will be action by Congress. They'll cite concerns of business, and hold up the standard scare tactics of terrorists and child pornographers. They want all connections, all packets to be traceable.

Say goodbye to TCP/IP and to anonymous connections of any kind. Hello to Hailstorm, tracking everything down to the last mile, and a more business-friendly Internet with prioritized packet-handling.

If this seems like too much infrastructure to change, it isn't. Not if the old protocol has been rendered useless and the new one can be implemented by an upgrade to your router. Vines IP -- in many ways the basis for TCP/MS -- was sufficiently close to regular TCP/IP that most routers only had to have a flash upgrade (to IOS, in the case of Cisco) in order to route Vines IP. This will be an inconvenience, sure, but marketing types will see it more like another Y2K bug -- an opportunity to sell, sell, sell.

But won't the Internet Engineering Task Force (IETF) stop it from happening? No. The entire basis for setting standards on the Internet is to first put the new code in service, and then seek standardization. There are no IETF rules that say 100 million plus computers can't run TCP/MS, and there is no deadline for standardization. Once the right 100 million plus computers are running the new protocol, Microsoft won't have any reason to seek standardization. Why not? It is possible, for awhile, to run more than one protocol at a time. Take as examples the coexistence of IPX and IP in Netware systems, or AppleTalk and IP in MacOS systems. Business will push for the new protocol, and the result will be that TCP/MS will become a de facto standard, and Microsoft will own the Net.

And all you have to do to kick it off is implement raw socket support in the next shipping version of Windows, with the possible bonus of blaming any problems on UNIX code later.

If business feels a need for the ability to have prioritized packet delivery, and government (plus the Recording Industry Association of America) is uncomfortable with the notion of untraceable packets and connections, of course Microsoft is going to try to fill that niche. Haven't you noticed how their ads have been trying to convince people that Microsoft software is amazingly stable and secure, and doesn't need minding? That's the image they're trying to build -- solid as a bank.

MS/TCP will ostensibly be a solution to the problems businesses are having with the Internet. It will assign priorities to packets. It will insure that all connections and packets can be traced, authenticated, and monitored. And since all these connections to the Internet have to be authenticated to someone, it will likely be hooked into a credit card or some sort of account, from which Microsoft can extract its price as the gatekeeper for the authentication via Hailstorm, Passport and .NET.

But how will this stop the "I just e-mailed you a virus" problem? How does this stop my personal information being sucked out of my PC via cookies? It won't. Solving those particular problems is not the protocol's real purpose, which is to increase Microsoft's market share. It is a marketing concept that will be sold as the solution to a problem. It won't really work.
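The default-deny outbound model proposed in the article above (applications registered by function and port, other programs handed off to the registered mail client for explicit user approval) can be sketched as a small policy evaluator. This is an added illustration, not code from the article or from any product; the `EgressPolicy` class, the application names, the approver account and the game port 27015 are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"      # caller is the registered owner of this port
    HANDOFF = "handoff"  # port belongs to another app, which must prompt the user
    DENY = "deny"        # nothing registered: the traffic never leaves the PC


@dataclass(frozen=True)
class Registration:
    app: str
    transport: str
    port: int
    approved_by: str


@dataclass
class EgressPolicy:
    approvers: frozenset                       # accounts allowed to register apps
    table: dict = field(default_factory=dict)  # (transport, port) -> Registration
    audit: list = field(default_factory=list)  # every final decision, for review

    def register(self, app, transport, port, approved_by):
        """Give one application exclusive use of one outbound port."""
        if approved_by not in self.approvers:
            raise PermissionError(f"{approved_by} may not register applications")
        owner = self.table.get((transport, port))
        if owner is not None and owner.app != app:
            raise ValueError(f"{transport}/{port} already belongs to {owner.app}")
        self.table[(transport, port)] = Registration(app, transport, port, approved_by)

    def decide(self, app, transport, port):
        """First-pass decision for an outbound connection attempt."""
        owner = self.table.get((transport, port))
        if owner is None:
            verdict = Verdict.DENY          # default: the PC is "read-only"
        elif owner.app == app:
            verdict = Verdict.ALLOW
        else:
            verdict = Verdict.HANDOFF       # e.g. a word processor wanting SMTP
        if verdict is not Verdict.HANDOFF:  # handoffs are logged once resolved
            self.audit.append((app, transport, port, verdict))
        return verdict

    def resolve_handoff(self, app, transport, port, user_confirmed):
        """The owning app has prompted the user; record what they chose."""
        owner = self.table.get((transport, port))
        if owner is None or owner.app == app:
            raise ValueError("no handoff applies to this request")
        verdict = Verdict.ALLOW if user_confirmed else Verdict.DENY
        self.audit.append((app, transport, port, verdict))
        return verdict

    def blocked_apps(self):
        """Programs whose outbound traffic was refused: candidates for inspection."""
        return sorted({app for app, _, _, v in self.audit if v is Verdict.DENY})


def build_home_policy():
    """Constructed sample policy for a family PC; 'parent' is the only approver."""
    policy = EgressPolicy(approvers=frozenset({"parent"}))
    policy.register("mailclient", "tcp", 25, "parent")   # SMTP
    policy.register("mailclient", "tcp", 110, "parent")  # POP3
    policy.register("game", "udp", 27015, "parent")      # constructed game port
    return policy


if __name__ == "__main__":
    p = build_home_policy()
    print(p.decide("mailclient", "tcp", 25))      # owner of SMTP
    print(p.decide("winword", "tcp", 25))         # handed off to the mail client
    print(p.resolve_handoff("winword", "tcp", 25, user_confirmed=True))
    print(p.decide("attachment.vbs", "tcp", 25))  # a mailed script trying SMTP
    print(p.resolve_handoff("attachment.vbs", "tcp", 25, user_confirmed=False))
    print(p.decide("chat", "tcp", 6667))          # never registered
    print(p.blocked_apps())
```

The audit list is what makes the model useful to a defender: a program that repeatedly shows up in `blocked_apps()` without ever having been registered is exactly the silent address-book mailer the article wants stopped.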

from TheRegister.co.uk, 2002-Jun-24, by Richard Forno:

MS to micro-manage your computer

A recent MSNBC article by techno-pundit Steven Levy discusses Microsoft's plans for a new computer operating environment (code-named "Palladium") that links hardware, software, and data into a neat package, allegedly more secure and convenient for users.

Or, putting it in simpler terms, it's Microsoft's answer to fixing everything that's wrong with computing today.

According to Levy, Palladium is a hardware and software combination that will supposedly seal information from attackers, block viruses and worms, eliminate spam, and allow users to control their personal information even after it leaves their computer. It will also implement Digital Rights Management (DRM) for movies and music to allow users to exercise 'fair use' rights of such products. Palladium will essentially create a proprietary computing environment where Microsoft is the trusted gatekeeper, guard, watchstander, and ruler of all it surveys, thus turning the majority of computing users into unwilling corporate serfs and subjects of the Redmond Regime.

Isn't it ironic that the company responsible for nearly every major computer security problem, virus, and backdoor -- thanks to its poor software development and testing among other factors -- is now heralding its ability to make everything right in a stroke? One might sense this is a manufactured problem resulting from Microsoft's inability to develop effective software in the first place. As is commonly known, the single most significant factor contributing to the dismal state of today's internet security is Microsoft's complacency, rather than hackers, crackers, and pirates. As I mentioned in an earlier article, we're vulnerable because Microsoft makes it so damn easy for the bad guys to cause mischief. (It's also a result of lazy or incompetent system administrators, poor network design, and clueless executives and Congressfolk, but that's another essay.)

Contrary to Levy's fear-mongering remarks and naively positive spin on the need for Palladium to protect us, the Internet is not all evil. In fact, the Internet is safer than many parts of our physical world. It does, however, represent an evolution in social control, something that evokes fear in the hearts of established entities of such control: corporations, media, and governments. Hence the desire to trump up any number of reasons -- real or perceived -- to beguile the public and garner support for ways to maintain social control and profit margins at once. This technical tool of social control follows on the heels of the CBDTPA, TCPA, and DMCA, and other controversial legislative efforts.

As such, Levy's article is full of sensational soundbytes, including one particularly fear-mongering paragraph: "An endless roster of security holes allows cyber-thieves to fill up their buffers with credit-card numbers and corporate secrets. It's easier to vandalize a Web site than to program a remote control. Entertainment moguls boil in their hot tubs as movies and music are swapped, gratis, on the Internet. Consumers fret about the loss of privacy. And computer viruses proliferate and mutate faster than they can be named."

Vandalizing a website happens most often not because of the skills of the vandal, but rather a combination of poor system administration coupled with notoriously buggy, easily-exploitable Web site software such as Microsoft's Internet Information Server. From what I've seen over the years, you probably don't even need opposable thumbs to break into IIS. Palladium won't help here, but more competent system administrators and much more secure server software (such as Apache or WebStar) most certainly would.

Regarding the potential of stealing credit card numbers, you've got a greater chance of losing your wallet or purse walking around town than a cyber-thief stealing your credit card from a webserver. What people forget in the hype is that despite the immense pain in the ass associated with canceling credit cards and re-authorizing charges on a new one, people are not responsible for losses over $50 provided they promptly report the loss to their credit card issuer. I've had my card stolen on-line, but I haven't run away in terror about the chances it could happen again. Again, Palladium won't be of benefit to me -- my credit card company already protects me and limits my liability.

Perhaps the most sinister part of Microsoft's concept (something that Levy glosses over) is that it "stops viruses and worms. Palladium won't run unauthorized programs, so viruses can't trash protected parts of your system." True, Windows-based viruses do proliferate and mutate quickly, but it's because Microsoft products are so interlinked and poorly-configured. If Microsoft would only allow users to display e-mail in plain text, ninety per cent of 'viruses and worms' would be eliminated. Yet to hear Redmond tell it, what we really need is some expensive and Draconian ghost in the machine to break applications of which the company, or its partners, or the government, or Hollywood, disapproves.

In short, under the feel-good guise of 'enhanced security' and 'new features for customers' (and despite being found guilty of monopoly), Microsoft still wants to rule all it surveys. In essence, Palladium can be interpreted as Microsoft's attempt to play God. Again.

With this announcement, Microsoft competitors and independent programmers should be gearing up for another court case, as this concept reeks of Redmond's historic anti-competitive tactics in the marketplace. Savvy consumers should be very concerned that Palladium will mean that their computers and information are no longer under their positive control but rather under the omnipresent surveillance and enforcement of a third party more interested in turning a profit than empowering their customers to think and act for themselves. The computer will essentially become a tool of surveillance, judgment and control over users, rather than a tool of innovation, communication, and enlightenment.

Given the pervasiveness of computers in modern society, the worldwide social ramifications of Palladium are enormous. Consider the ability of one entity -- in this case, Microsoft -- to dictate acceptable behavior and content (remember Smart Tags?) in service of its own commercial aspirations. If your behavior or actions are deemed 'unacceptable' by such a third party, you could find yourself impotent on the global stage. So you'd better toe the party line and be a good little Windows user.

Palladium represents a modern 'innovation' which could lead to a Digital Dark Age: a period of innovative stagnation where the majority of the world's computing population will become unwitting subjects and indentured servants to the profiteering desires of the new corporate ruling class, and Microsoft the enforcer.

One wonders if Palladium error messages will include a computer-generated audio clip of Bill Gates announcing, "I'm sorry [USERNAME], I'm afraid I can't do that....?"

The first step in any revolution is the seizure of the lines of communication to hinder the target population's ability to communicate and exchange information amongst themselves. Palladium has the ability to do just that, and convert the open fabric of the modern computing environment into a closed, proprietary domain under the rule of Redmond.

Under the Palladium concept -- despite the marketing spin and hype -- the danger is that you will be asked (though not directly) to pledge allegiance to Microsoft and its dismal record of security and reliability while unwittingly relinquishing your ability to remain an independent person in cyberspace. In essence, you'll go back to the future instead of forward to innovation and enlightenment.

Personally, I prefer being the one in charge of my computer and not subordinate to it or its vendors. I also prefer Camelot over Redmond...which goes a long way explaining why I don't run Windows.

Thomas C. Greene contributed to this article (and he doesn't run Windows either).

from TheRegister.co.uk, 2002-Jun-24, by John Lettice:

MS DRM OS, retagged 'secure OS' to ship with Longhorn?

The Microsoft Secure PC project is rolling out, and could be with us as early as the next major version of Windows, Longhorn. The whole idea of a computer that just plain won't let you steal other people's stuff is of course a tricky one (why would you buy it?), as we've previously indicated here, and here, so the ever-resourceful Beast is proposing to spin it as the ultimate tool for protecting your stuff.

Starting with a Newsweek exclusive which wonderfully quotes His Billness as saying: "It's a funny thing, we came at this thinking about music, but then we realized that e-mail and documents were far more interesting domains." Which is cute, because it suggests that Microsoft's original plans to produce a secure PC that will protect the music companies' stuff from us have been spiked in favour of something much more positive and progressive.

The Newsweek piece claims that although the researchers came at the project from a DRM angle they "quickly understood that the problems of intellectual property were linked to problems of security and privacy," and that therefore it had far wider applicability. Their early understanding of this in an alleged "skunkworks" project commenced in 1997 however is somewhat questionable, considering Microsoft Research published a piece in 2001 saying that researcher Paul "England has a bold plan to improve the PC and make it a secure delivery system for audio and video... making minor modifications to the PC's hardware to allow Microsoft to make a secure version of the Windows Media Player."

The Microsoft patent claim application granted last December is also for a digital rights management operating system, although here we do see clear indications of what it can do other than keep music moguls in coke:

"a computerized method for a digital rights management operating system comprising: assuming a trusted identity; executing a trusted application; loading rights-managed data into memory for access by the trusted application; and protecting the rights-managed data from access by an untrusted program while the trusted application is executing."

The Newsweek exclusive has, as we said earlier, been deliberately planted in order to prepare the way for the DRM OS, but it nevertheless contains many useful nuggets which we'd do well to consider before Microsoft attempts to build up unstoppable momentum behind the secure Windows you can't afford not to buy.

First, the project, called Palladium, has at least a hardware component. Intel and AMD have both been recruited to build the security into their chips, and while we can probably expect some more spinning on this, the mods will probably be relatively minor. As England said in his paper last year, it involves "minor modifications to the PC's hardware." As we understood it the original plan was to nobble the sound card rather than the whole machine, so we can see development here. It's also worth noting that: "Intel originally turned down the idea before eventually embracing it. AMD had already been thinking along similar lines, and eagerly signed on."

Which looks a little like Microsoft playing the old chippledum and chippledee game to its advantage again.

Newsweek provides us with helpful bullet points on the uses and applications of Palladium; we can infer a fair bit from these, and we very sportingly won't move the order around so DRM is at the top. First, it knows who you are (we don't know how, but as it's a 2004 timeframe product, we can surmise), and it knows who you're dealing with, so it verifies the origin of incomings, and decides what is allowed to run on your computer (No, we know this is DRM, but we haven't moved it up, honest).

There will almost certainly be an ID in the chip, and the 'what can run' question is rather broader than you might expect. "Only certain applications will access the part of Windows (nicknamed 'the nub') that performs Palladium's functions with the help of the security chip - everything else will work exactly the same." Which implies a new generation of trusted Palladium applications, and "Microsoft expects a flood of Palladium-savvy applications and services to spring up" rather confirms that. The trusted application idea also applies to viruses and worms, of course, but it's not clear how Palladium will differentiate between the new generation of "trusted Palladium applications" and plain old 'not-a-worm really' applications. Maybe it won't, maybe in the long run the latter just won't run.

Encryption capabilities add to the picture, encrypting data moving from keyboard to computer and computer to screen, and of course computer to sound card output, but we don't mention that, for some reason. Encryption also appears to be standard on locally stored stuff.

Palladium also: "Cans spam. Eventually, commercial pitches for recycled printer cartridges and barnyard porn can be stopped before they hit your inbox - while unsolicited mail that you might want to see can arrive if it has credentials that meet your standards."

This is a tricky one, as it implies a widescale certification process for email. It could work if it were possible to know absolutely that everybody in front of a computer was who they said they were, and to know where they lived, but we'll get back to that.

"Safeguards privacy." We have what looks like another crack at the services model here, with MS proposing a collection of services currently tagged "My Man." These are intended to operate as agents sending out information about you to the people you want to receive it, and encrypting it along the way. So "If you apply for a loan, you'd say to the lender, 'Get my details from My Man,' which, upon your authorization, would then provide your bank information, etc." Bad example, we reckon. If you have to send all of the information you'd ordinarily put on a loan form the vipers will know practically everything about you anyway, and given that you have no choice, automation will probably lead to them squeezing even more data out of you. Plus you can't lie, because all of that data's been verified - crumbs, there go the credit cards...

"Controls your information after you send it." Yes folks, here it comes, DRM - we've softened the bullet point head, but accidentally got onto the record companies in the next sentence. But they've evolved: Palladium "could allow users to exercise 'fair use' (like making personal copies of a CD) and publishers could at least start releasing works that cut a compromise between free and locked-down."

We're not entirely sure we know these record companies, but they're clearly not related to the ones who're trying to stop you playing your music CDs on your PC, copying your CDs at all, and salivating at the prospect of time-limited/per play rental arrangements.

More softening of the impact. The first generation of Palladium installations will allegedly be at the business end of the scale, "financial services, health care and government," where security is important, and Jim Allchin says he'd "have a hard time imagining that businesses wouldn't want this." Certainly, it fits in nicely with Microsoft's current determination to reshape itself as a prime vendor of Trustworthy Computing, and it can be worked up into a sales pitch to counteract all that Windows security bad news in government and business.

But there's just a tad of dissonance here. If the system's ability to identify other trusted systems is dependent on those other systems being Palladium systems, then it doesn't altogether work if practically everybody doesn't have it. So MS VP Will Poole's contrary claim that: "We have to ship 100 million of these before it really makes a difference" is significant.

Given the way Microsoft ordinarily ships 100 million of whatever it wants to ship, we'd expect the company to continue thumping the security and privacy tubs for all they're worth, to start rolling it out around Longhorn time, and to evolve towards making it, and the chips, virtually compulsory through the good offices of Intel, AMD and the major PC companies. This will only work if the publicity campaign to reposition DRM as A Good Thing convinces the users, and that's by no means a given. We haven't even got on to the trustworthiness of the people who'll be keeping custody of your secure digital identity, for starters. Not yet...

from NewsWeek print edition 2002-Jul-1, via MSNBC.com, by Steven Levy:

The Big Secret
An exclusive first look at Microsoft's ambitious--and risky--plan to remake the personal computer to ensure security, privacy and intellectual property rights. Will you buy it?

In ancient Troy stood the Palladium, a statue of the goddess Athena. Legend has it that the safety of the city depended on that icon's preservation. Later the term came to mean a more generic safeguard.

HERE'S SOMETHING THAT cries for a safeguard: the world of computer bits. An endless roster of security holes allows cyber-thieves to fill up their buffers with credit-card numbers and corporate secrets. It's easier to vandalize a Web site than to program a remote control. Entertainment moguls boil in their hot tubs as movies and music are swapped, gratis, on the Internet. Consumers fret about the loss of privacy. And computer viruses proliferate and mutate faster than they can be named.

Computer security is enough of a worry that the software colossus Microsoft views it as a threat to its continued success: thus the apocalyptic Bill Gates memo in January calling for a ``Trustworthy Computing'' jihad. What Gates did not specifically mention was Microsoft's hyperambitious long-range plan to literally change the architecture of PCs in order to address the concerns of security, privacy and intellectual property. The plan, revealed for the first time to NEWSWEEK, is... Palladium, and it's one of the riskiest ventures the company has ever attempted. Though Microsoft does not claim a panacea, the system is designed to dramatically improve our ability to control and protect personal and corporate information. Even more important, Palladium is intended to become a new platform for a host of yet-unimagined services to enable privacy, commerce and entertainment in the coming decades. ``This isn't just about solving problems, but expanding new realms of possibilities in the way people live and work with computers,'' says product manager Mario Juarez.

Because its ultimate success depends on ubiquity, Palladium is either going to be a home run or a mortifying whiff. ``We have to ship 100 million of these before it really makes a difference,'' says Microsoft vice president Will Poole. That's why the company can't do it without heavyweight partners. Chipmakers Intel and Advanced Micro Devices have signed on to produce special security chips that are integral to the system. ``It's a groundswell change,'' says AMD's Geoffrey Strongin. ``A whole new class of processors not differentiated by speed, but security.'' The next step is getting the likes of Dell, HP and IBM to remake their PCs to accommodate the system.

``It's one of the most technically complex things ever attempted on the PC,'' says Gartner analyst Martin Reynolds. And the new additions will make your next computer a little more expensive. Will the added cost - or a potential earlier-than-otherwise upgrade - be worth it? Spend a day or two with the geeks implementing Palladium - thrilled to be talking to a reporter about the project - and you'll hear an enticing litany of potential uses.

* Tells you who you're dealing with--and what they're doing. Palladium is all about deciding what's trustworthy. It not only lets your computer know that you're you, but also can limit what arrives (and runs on) your computer, verifying where it comes from and who created it.

* Protects information. The system uses high-level encryption to ``seal'' data so that snoops and thieves are thwarted. It also can protect the integrity of documents so that they can't be altered without your knowledge.

* Stops viruses and worms. Palladium won't run unauthorized programs, so viruses can't trash protected parts of your system.

* Cans spam. Eventually, commercial pitches for recycled printer cartridges and barnyard porn can be stopped before they hit your inbox--while unsolicited mail that you might want to see can arrive if it has credentials that meet your standards.

* Safeguards privacy. With Palladium, it's possible not only to seal data on your own computer, but also to send it out to ``agents'' who can distribute just the discreet pieces you want released to the proper people. Microsofties have nicknamed these services ``My Man.'' If you apply for a loan, you'd say to the lender, ``Get my details from My Man,'' which, upon your authorization, would then provide your bank information, etc. Best part: Da Man can't read the information himself, and neither can a hacker who breaks into his system.

* Controls your information after you send it. Palladium is being offered to the studios and record labels as a way to distribute music and film with ``digital rights management'' (DRM). This could allow users to exercise ``fair use'' (like making personal copies of a CD) and publishers could at least start releasing works that cut a compromise between free and locked-down. But a more interesting possibility is that Palladium could help introduce DRM to business and just plain people. ``It's a funny thing,'' says Bill Gates. ``We came at this thinking about music, but then we realized that e-mail and documents were far more interesting domains.'' For instance, Palladium might allow you to send out e-mail so that no one (or only certain people) can copy it or forward it to others. Or you could create Word documents that could be read only in the next week. In all cases, it would be the user, not Microsoft, who sets these policies.

Some of these ideas aren't new--they're part of the promise of public key cryptography, discovered 25 years back. Palladium is a dead-serious attempt to finally make it happen, with a secure basis and critical mass. But it didn't start that way. In 1997, Peter Biddle, a Microsoft manager who used to run a paintball arena, was the company's liaison to the DVD-drive world. Naturally, he began to think of ways to address Hollywood's fear of digital copying. He hooked up with Softie researchers Paul England and John Manferdelli, and they set up a skunkworks operation, stealing time from their regular jobs to pursue a preposterously ambitious idea--creating virtual vaults in Windows to protect information. They quickly understood that the problems of intellectual property were linked to problems of security and privacy.

They also realized that if they wanted to foil hackers and intruders, at least part of the system had to be embedded in silicon, not software. This made their task incredibly daunting. Not only would they have to build new secrecy functions into Windows (without messing up any programs that run on the current versions), but then they'd have to convince the entire industry to, in effect, update the basic hardware setup of the PC.

Intel originally turned down the idea before eventually embracing it. AMD had already been thinking along similar lines, and eagerly signed on. Biddle's virtual team kept working, and in October 2001, it became a formal green-lighted project.

As now envisioned, Palladium will ship ``in a future version of Windows.'' (Perhaps in the next big revision, due around 2004.) By then the special security chips will be rolling out of the fabs, and the computer makers--salivating at an opportunity to sell more boxes--will have motherboards to accommodate them. There will also be components that encrypt information as it moves from keyboard to computer (to prevent someone from wiretapping or altering what you type) and from computer to screen (to prevent someone from generating a phony output to your monitor that can trick you into OKing something you hadn't intended to). Only certain applications will access the part of Windows (nicknamed ``the nub'') that performs Palladium's functions with the help of the security chip--everything else will work exactly the same.

The first adopters will probably be in financial services, health care and government--places where security and privacy are mandated. Then will come big corporations, where information-technology managers will find it easier to control and protect their networks. (Some employees may bridle at the system's ability to ineluctably log their e-mail, Web browsing and even instant messages.) ``I have a hard time imagining that businesses wouldn't want this,'' says Windows czar Jim Allchin.

Finally, when tens of millions of the units are in circulation, Microsoft expects a flood of Palladium-savvy applications and services to spring up--that's when consumers will join the game.

None of this is a cinch. One hurdle is getting people to trust Microsoft. To diffuse the inevitable skepticism, the Redmondites have begun educational briefings of industry groups, security experts, government agencies and civil-liberties watchdogs. Early opinion makers are giving them the benefit of the doubt. ``I'm willing to take a chance that the benefits are more than the potential downside,'' says Dave Farber, a renowned Internet guru. ``But if they screw up, I'll squeal like a bloody pig.'' Microsoft is also publishing the system's source code. ``We are trying to be transparent in all this,'' says Allchin.

Others will note that the Windows-only Palladium will, at least in the short run, further bolster the Windows monopoly. In time, says Microsoft, Palladium will spread out. ``We don't blink at the thought of putting Palladium on your Palm... on the telephone, on your wristwatch,'' says software architect Brian Willman.

And what if some government thinks that Palladium protects information too much? So far, the United States doesn't seem to have a problem, but less tolerant nations might insist on a ``back door'' that would allow it to wiretap and search people's data. There would be problems in implementing this, um, feature.

Other potential snags: will Microsoft make it easy enough for people to use? Will someone make a well-publicized crack and destroy confidence off the bat? ``I firmly believe we will be shipping with bugs,'' says Paul England. Don't expect wonders until version 2.0. Or 3.0. Ultimately, Palladium's future defies prediction. Boosting privacy, increasing control of one's own information and making computers more secure are obviously a plus. But there could be unintended consequences. What might be lost if billions of pieces of personal information were forever hidden? Would our ability to communicate or engage in free commerce be restrained if we have to prove our identity first? When Microsoft manages to get Palladium in our computers, the effects could indeed be profound. Let's hope that in setting the policies for its use, we keep in mind the key attribute of the woman embodied in the first Palladium. Athena was the goddess of wisdom.

It's not all bad:

from the Washington Post, 2001-Sep-27, p.E1, by Justin Gillis, with contributions by Bill Brubaker and Jackie Spinner:

Backup Systems Passed Trying Test
Despite Scale of Destruction, Wall St. Data Largely Saved

NEW YORK -- As people fled the ruins of Lower Manhattan on that fateful morning, some of the first urgent phone calls from this stricken city went to an innocuous building across the Hudson River.

Workers swung into action. By noon on Sept. 11, as America was still absorbing the magnitude of the attack, white panel vans loaded with backup computer tapes from a northern New Jersey site were rolling down the highway to corporate emergency centers. And within hours, some of the country's biggest financial enterprises -- their offices vacated or reduced to smoking piles of rubble -- were back in business.

Years of planning and of mock disaster drills got their big test when two planes brought down the World Trade Center and turned surrounding blocks into a war zone. At least eight banks were knocked off line. Thousands of paper files took wing as the trade center fell, drifting as far as Brooklyn and northern New Jersey.

Yet the American financial system has continued to function smoothly, to a degree that has amazed even the people who are responsible for that success. It is not an accident: Regulators in Washington have been fretting for years about how to protect the nation's critical infrastructure from a disaster, and they have cajoled big firms into extensive disaster planning.

The verdict isn't entirely in, but it's beginning to appear that Wall Street passed with flying colors. So, it seems, did the companies that store data for corporate America and the financial networks that transfer huge sums from bank to bank. Even as the attacks unfolded, hundreds of billions of dollars continued to move at light speed to and from the far corners of the globe via New York. So far, there is no documented case of a bank-account holder or brokerage client losing assets in the disaster.

"That's an astonishing tribute to the fact that the system works," said Stephen Harbeck, general counsel of the Securities Investor Protection Corp., a federally chartered agency in Washington that safeguards brokerage accounts. "It has passed a very severe test."

The sheer scale of the destruction in New York, in a business district that is the heart and soul of American capitalism, might have been expected to disrupt the financial system for months or years. That may, indeed, have been one of the intentions behind the attack.

But the disaster has made clear that the American financial system in 2001 does not really consist of buildings. It consists of people and the all-important computer databases that capture their work, minute by minute. Awful as the death toll is likely to prove to be, the vast majority of the people who worked in the trade center and on Wall Street survived -- and so, by design, did their data.

Securities and Exchange Commission Chairman Harvey L. Pitt told a House committee yesterday that he was impressed with the preparedness of the securities industry. "From what we saw, we thought all of the major firms had very good duplication," he said.

The recovery has not been perfect. The disaster revealed weaknesses in the communications links that tie the disparate pieces of the financial network together. One institution, the Bank of New York, suffered an eight-day outage in its network of automated teller machines, though customers were able to get their money from branches or from ATMs owned by other banks. And many firms had adequate backups of data but not of equipment, forcing them to scramble to get back into operation.

The trade center housed more than a dozen law firms, and the disaster has revealed particular flaws in the way law offices keep backup records, many of them paper files that are hard to duplicate.

"One of the things we should have done and did not do was copy all of our legal documents," said Michael Stocker, chief executive of Empire Blue Cross and Blue Shield, which had some offices in the trade center. "So we have to recover those from various regulatory agencies."

Moreover, cases may yet emerge of investors whose small brokerage houses disappeared when the trade center collapsed, taking account information with them. But Harbeck said these are likely to be few, if any, because most smaller firms used bigger ones to handle customer accounts and records. If such cases do emerge, he said, there's money to replace investors' shares.

Several people involved in the recovery attributed the outcome, at least in part, to a sort of dry run that occurred nearly two years ago -- the year 2000 computer bug. That glitch never produced the crisis many had feared, but it did produce a lot of corporate disaster plans.

"I think all of that had a very beneficial effect," said Jeffrey Neubert, president of the New York Clearing House, which ties many banks together.

Across the country, the terrorist attack is prompting leaders of companies large and small to rethink disaster planning. In particular, it has raised the question of whether every company needs some form of "off site" computer backup to supplement the in-house tapes most of them keep already.

That, in turn, has raised the visibility of a little-known group of companies whose business is data storage. The biggest of these by far is Iron Mountain Inc. of Boston, which stores both paper records and computer tapes at 650 locations around the world.

Iron Mountain's shares have largely retained their value in a down market since the attack, and the disaster has opened doors. "I think you're going to see a lot of companies who've said, 'Yeah, someday I'll get around to it' -- they're going to get around to it now," said Harry Ebbighausen, president of Iron Mountain's off-site data-protection unit. "My sales people aren't having any trouble getting appointments."

Iron Mountain played a critical role in getting Wall Street back up and running. Ebbighausen had just left the dentist's chair that Tuesday morning when it became clear the trade center was under deliberate attack. When he called the company facility in New Jersey that services Wall Street, it was already in crisis mode.

For years, that center had been making regular pickups of data tapes from customers on Wall Street. Late on the morning of the attack, Iron Mountain's clients began ordering copies.

Ultimately nearly 100 customers declared disasters, ordering more than 1 million tapes from Iron Mountain's vaults. The firm called in employees from as far away as Chicago and switched to long shifts to meet the demand. A single client -- Iron Mountain wouldn't identify the company -- ordered 68,000 backup tapes.

Another impressive performance was turned in by the little-known but critically important networks that transfer money electronically.

The World Trade Center was not, despite its name, the center of world trade. That honor might well belong to an outfit called the Clearing House Interbank Payment System, or CHIPS, a computer network that links 59 of the world's largest banks.

A similar system operated by the Federal Reserve Board moves a lot of money domestically, while CHIPS, operated by the New York Clearing House, is strong in international transfers. If a factory owner in Tokyo pays a supplier in Calcutta for parts, odds are the transaction will go from Japanese yen to U.S. dollars to Indian rupees -- and will move through CHIPS in New York in the process.

The people who run CHIPS keep its Manhattan location secret, precisely to guard against attack. Behind layers of security that included fingertip readers, Albert Wood sat at his desk the other day to demonstrate just how much money CHIPS moves, a rough measure of its importance in world trade.

Wood, a senior vice president, punched a computer keyboard in the late morning to show that by then, the system had transferred $653,595,691,068.36 to and from the far corners of the planet. He punched it again 1 minute 18 seconds later to show a total of $654,690,555,868.27. In other words, the system had moved nearly $1.1 billion from someplace in the world to someplace else in little more than a minute.

All that money flows through one cool blue room full of blinking machinery, monitored by a handful of workers. Many of the same dollars go through CHIPS again and again as they move through international trade, so that last year the network moved $292 trillion -- nearly seven times the value of the entire world economy.

Nobody tried to attack CHIPS on Sept. 11, but at least eight banks that are tied into the system were knocked out of service. All of them were back within hours, using backup sites and computer tapes. Volume was down some 15 percent the day of the attack, but quickly returned to normal.

For more than a decade, CHIPS managers have maintained a backup site in New Jersey with computers that run in tandem with those in New York. A fire or terrorist's bomb at the Manhattan site might produce a five-minute outage, Wood said, but no more.

Still, the World Trade Center attack has prompted new thinking at CHIPS, just as it has everywhere else. One reason the Bank of New York had problems was that several of its sites were close together in Lower Manhattan, an obvious weakness given that terrorists now seem willing to mount large-scale attacks. The CHIPS locations, though in different states, are close enough that certain kinds of attacks -- a nuclear bomb, for instance -- could damage both sites.

Do critical American institutions need to spend the money to have more than one backup site, with the second located perhaps hundreds of miles from headquarters? It is a question certain to be debated in many boardrooms and in Congress in coming months.

"To what extent do you spend money on the backup of the backup of the backup?" Wood asked. "There is a point where you have to make some judgments."

from TPDL 2000-Mar-29, from the Washington Post p.A1, by Kathy Sawyer:

Another Avoidable Mistake For NASA

The likely fate of the lost Mars Polar Lander was a 50-mph impact with the planet's frozen surface caused by a missing line of computer code--part of a pattern of avoidable errors that have left the U.S. Mars program a shambles.

Outside investigators announced these conclusions yesterday, as NASA's top scientist confirmed that the agency will cancel plans to launch a robot spacecraft in 2001 on a mission to land on Mars and indefinitely postpone all future launches to Mars, with one exception. A 2001 mission to send a craft to orbit the Red Planet is still on track.

With only its aging Mars Global Surveyor in orbit around Mars, NASA is reassessing its entire approach to the exploration of the planet after losing all four of its spacecraft bound for Mars last year--a package totaling $360 million.

NASA's first priority, officials said, is to comply with the prescriptions of multiple investigations that have revealed serious lapses in the program's management at the Jet Propulsion Laboratory (JPL) in Pasadena, Calif., and a long list of shortcomings in areas ranging from systems analysis and testing to staffing and communications.

"They were just young people. We put them in a box there was no way out of," said John Casani of JPL, a veteran of many interplanetary missions who led an investigation into the lander failure. "Management has to take the blame."

The Mars Climate Orbiter was lost because contractor Lockheed Martin's Mars team in Denver forgot to convert from English to metric units, and NASA managers failed to catch the error. Also lost, along with the lander, were two piggybacking microprobes whose fate remains unknown.

The common theme running through all the failures, the investigations have shown, is that NASA's efforts to tighten the budget screws and encourage certain kinds of risk-taking--under a philosophy known as "faster, cheaper, better"--finally went too far. This left the latest Mars projects underfunded, understaffed and overstressed. The JPL team, for example, consisted of just 10 people, each working on a given function in relative isolation and putting in 80-hour weeks.

"We've found the boundary," said NASA's top scientist, Edward Weiler, at a headquarters briefing.

There were scattered signals that something was wrong, investigators say, but the system failed to respond. Both Lockheed Martin and JPL managers may have failed to raise alarms more clearly up the chain of command because of concern that they would lose ground in the competition for tight funding, said Thomas Young, a veteran space company executive and former NASA official who headed the independent Mars review for NASA Administrator Daniel Goldin. "There was clearly some apprehension," he said.

The agency took a team of young, relatively inexperienced people buoyed by the success of the Mars Pathfinder Lander in 1997, greatly reduced their resources and asked them to "do the impossible," Weiler said. The agency will respond fully to all the Young committee recommendations, he said, announcing the beginnings of a restructuring. He added that officials will take a broad, open-minded approach to the full array of options for Mars. "Nothing is off the table."

A comprehensive new plan for Mars exploration will be announced in three or four months, officials said.

The "most probable cause" of the Mars Polar Lander's loss was the generation of "spurious signals" when the lander's legs were deployed during its controlled descent. These signals falsely indicated to the onboard systems that the spacecraft was safely on the surface. This would have prompted the braking thrusters to shut down at an altitude of about 130 feet, investigators found.

The potential for this "spurious signal" problem on the lost lander was uncovered by Lockheed Martin engineers in Denver around early February as they worked on the next lander (the one now canceled). The investigators then helped set up a series of four tests that pointed to this mode of failure as the culprit, Young said.

Although his committee lists various other possible scenarios, he said, if the spacecraft reached this point in its flight, "it's almost certain . . . this is the cause."

Spurious signals of this type are a familiar phenomenon, and routine systems testing should have exposed the potential, he said.

"One line of code" would have fixed the problem, Casani said. Instead, the spacecraft probably ended in a spray of shrapnel when its propellant tanks burst at impact. "There probably was no fire, but it would have been like a land mine going off, one of those Bouncing Betties. You wouldn't want to have been around," he said.

Engineers cannot say for sure whether the spacecraft reached the point where the spurious signal would occur, Young said. This is because project managers, strapped for funds, eliminated telemetry that would have communicated the lander's condition as it negotiated the tricky descent into the Martian atmosphere.

"The team believes that not having this communication system was a major mistake," Young said, because it eliminated the ability of future planners to learn a clear lesson from this costly failure.

from the Washington Post, 1999-Oct-1, from Rough Draft by Joel Achenbach:

Spacing Out at NASA

WE have no choice but to discuss this Mars Climate Orbiter fiasco, but first, let me say I hope everyone's feeling okay this morning after last night's celebration of the new federal fiscal year.

I know many of you got carried away in the hoopla surrounding FY2000. There were fearmongers who claimed that, at the stroke of midnight, the spreadsheets and budget tables would suddenly go haywire, and figures expressed in thousands would retabulate themselves as though they were hundreds. That didn't happen. The numbers still look good. But as we nurse our hangovers we should really think again about whether it's such a wonderful tradition to ring in the new fiscal year by throwing our pencils and slide rules in the air. Someone could lose an eye.

Now, back to the Mars Climate Orbiter. No, wait, one more thing. Jesse Ventura, in a Playboy interview, has denounced organized religion, people who like gun control and fat people. His words were as blunt as his head. Most strikingly, he declared that he wants to be reincarnated as - a 38-DD brassiere!

Interesting choice - he's already a boob.

So it's not a good day at NASA. The engineers were supposed to fly the Mars Climate Orbiter TO Mars, not INTO Mars. Right there in the name it says "Orbiter," not "Lander." When you design an "Orbiter" you are supposed to MISS the planet.

What actually happened is that the spacecraft got way too close to the surface, where the atmosphere was thicker, and it burned up. But the spacecraft didn't make an error. It followed directions perfectly. The engineers, making their calculations, suffered a mix-up over English units and metric units. They thought they were dealing in newtons, and in fact they were dealing in pounds.

Our reflexive ridicule for such a boneheaded move is tempered only by the fact that most of us don't actually know what a newton is (though I personally am pleased that someone named a unit of measurement after one of history's greatest, if perhaps overly mushy, snacks). NASA, however, isn't supposed to have a pound-newton problem. NASA is not expected to be perfect - cracks develop, fuel lines leak, engines overheat - but we expect it to get the math right. This is an error worse than blowing a 21-point lead in the fourth quarter, worse even than building a stadium that's not on the local subway system. This is, quite frankly, Jesse Ventura dumb. [Apologies to Jesse Ventura, retired Navy SEAL, principled Libertarian, and far more serious fellow than any of the clowns in Congress or the White House -Editor]

NASA's announcement of what went wrong induced a state of shock on Capitol Hill. Rep. James Sensenbrenner, chairman of the House Science Committee, issued a statement that is herewith reprinted in full:

"I'm speechless."

This sort of thing has happened before. Lou Friedman, executive director of The Planetary Society, recalls that one of the early Mariner spacecraft had a minus sign instead of a plus sign on one of the codes controlling the launch. It was supposed to go into space and went to the bottom of the ocean.

You have to feel terrible for the scientists and engineers who worked on the mission - these people are unbelievably dedicated and spend not months but years of their lives trying to thread a needle on a planet that's tens of millions of miles away. Obviously someone should have noticed the problem, but in a way it's easier to make a mistake as a team than as an individual. In a group you always assume that someone else is monitoring the toddler.

NASA's going to have some rough days ahead. It has two probes on the way to Mars and is simultaneously trying to put together a giant Lego contraption called the International Space Station. The space station also has some hybrid English-metric components. It's a good time to triple check the conversions.

A congressional aide said yesterday of NASA's mistake, "It's a junior high school error."

The truth is, the junior high-school error is precisely the kind of error that we all fear throughout our lives. As a reporter I don't worry about making an adult mistake, I worry about making a childish one, a real howler, the kind that makes the phone ring at 6 a.m., the kind where you don't merely misspell a name but you get the gender wrong AND inadvertently kill off someone who's still living.

If I'm not mistaken it was the late Neil Armstrong who said, "Always make sure you convert to newtons."

Rough Draft is posted at approximately 1 p.m. on Mondays, Wednesdays, and Fridays, unless it accidentally burns up in the atmosphere.

from TPDL 2000-Mar-25, from WorldNetDaily, by Tanya K. Metaksa:

Stolen credit

Last year, Amazon.com, the super-bookstore on the Internet, was running clever radio commercials "looking" for space to hold its gigantic inventory. The only place they overlooked was a government computer. If they hadn't, those 485,000 credit cards, which had been stolen from Visa, MasterCard, American Express, and Discover sometime before March 1999 might have been discovered sooner.

Was your credit card among those stolen? It may have been, and neither your credit card company nor your bank ever notified you. What, that couldn't happen, you say. Well it has and no one appears to be paying attention, let alone doing anything about it. This frightening scenario could affect each and every one of us. It is obvious that the credit card companies, the issuing banks and the federal government deliberately did not disclose a significant crime.

Sometime in January 1999 someone stole the records of 485,000 credit card holders from an undisclosed credit card computer and stored them in a federal computer. No one in government has revealed which federal computer was compromised and exactly when it happened, although according to MSNBC this case had been included in Secret Service testimony before Congress last March as illustrative of the danger to online commerce by computer hackers. At that time the news of such a large theft generated very little press coverage.

Maybe the lack of coverage was deliberate. The federal government certainly didn't want to demonstrate the vulnerability of its computers, while the credit card companies are sensitive to customers becoming nervous about the safety of their plastic money. In fact, some credit card companies and other financial institutions made the decision not to inform at-risk customers of the theft. It wasn't until Dec. 27, 1999, that Visa sent a letter to financial institutions including the Navy Federal Credit Union (NFCU), the world's largest credit union, detailing the incident.

According to the NFCU source who revealed the Visa letter to MSNBC, the Navy Federal Credit Union "decided that ... it would be too much of an inconvenience and too costly to shut down the accounts and issue new numbers. It was deemed not the credit union's responsibility." Unfortunately this was not just an isolated incident. The same lack of notification occurred several weeks ago when Visa alerted NFCU that 300,000 credit cards had been stolen from the CD Universe website.

Yet, when the credit card company suspects consumer fraud there is no lack of notification. Last fall I headed out of town for a few days thinking no one would care where I was. Sure I have a cell phone, but only a few people have the number and finding someone's cell phone number is a nightmare.

However, I never even considered MasterCard International's interference. Stopping in rural eastern Georgia for gas I found out "they" had my number. I gave the lady my MasterCard to pay for $31 worth of gas. For the next 20 minutes she hung onto her telephone, while she discussed my purchase with at least four different people. Finally they asked her to verify my driver's license and then they asked to talk to me personally. They verified my mother's maiden name, the last four digits of my social security number, and told me to call the lending institution that handles my card as soon as possible. Finally the charge was OK'd. It certainly would have been quicker, easier and far less hassle to use cash!

Once back on the road I called my bank. They wouldn't tell me why my purchase had been scrutinized, but since MasterCard International had now cleared my account of any question, I could keep on charging. I kept wondering if MasterCard International was concerned because I had charged gas and dinner in North Carolina the previous day and they suspected I was on a vicious get-away spree across the South. Their fraud protection people assured me all that delay and hassle was to protect my credit rating. Yeah sure! It's really to protect MasterCard International against the millions of dollars of credit card fraud that is perpetrated every year by credit card thieves.

In my case the inconvenience was a 20-minute wait in a gas station, but what about the 485,000 credit card holders who don't know their credit cards have been stolen? How do they find out? Obviously their credit card company or their banking institution isn't telling them. They may find out when they get a charge for something they never purchased, or like Darlene Zele, a Rhode Island hospital worker, who testified last week before the Treasury Department's two-day national summit on identity theft. Darlene has spent five years trying to get her "identity" cleared after criminals wrecked her credit records, and "it's still not over."

Maybe it was Eastern European criminals who stole the almost half a million credit card numbers complete with expiration dates and cardholder names and addresses just for a prank. On the other hand the owners of those cards are human beings who have put their trust -- for a fee -- in the banks and credit companies with whom they do business. These people deserve better than silence. At the least they should all be notified that their credit cards were compromised and have them reissued. The equally serious question is how to prevent such theft.

It appears to be happening with some regularity. Just a few months ago there was the incident of active credit card numbers appearing on a website with its origins in Russia for 24 hours before it was shut down. If MasterCard International checks out my 30-dollar charges in South Carolina and Georgia, they should also be concerned enough to let me and others know when some Internet credit card hijacker is on the loose and is about to steal my credit identity. Is it too much to ask for full disclosure from financial institutions when crimes are committed using credit card numbers belonging to hundreds of thousands of their hard-working, credit-worthy customers?

Tanya K. Metaksa is the former executive director of the National Rifle Association's Institute for Legislative Action. She is the author of "Safe, Not Sorry," a self-protection manual, published in 1997. She has appeared on numerous talk and interview shows such as "Crossfire," the "Today" show, "Nightline," "This Week with David Brinkley" and the "McNeil-Lehrer Hour," among others.

from the Washington Post, 2000-Jan-30, p.A2, by Walter Pincus, staff writer:

NSA System Inoperative For Four Days
Computer Glitch Halted Data Interpretation

From Monday evening through early Friday morning last week, the main computers of the National Security Agency failed, causing an unprecedented blackout of information at Fort Meade, where signals intelligence intercepted around the world is processed, officials said last night.

In what NSA said in a statement was a "serious computer problem," analytical reports from Fort Meade that turn intercepted foreign telephone, cable and radio messages into meaningful data for the government were halted for 72 hours, starting at 7 p.m. Monday. "Other NSA analysis kept flowing from other parts of the world," a senior intelligence official said, "but this was not a trivial" failure.

The computer shutdown, which was first reported yesterday by ABC News, was caused by a "system overload," one source said, and was not the result of a Y2K problem, sabotage or hackers invading the system. Another official, who described it as a "software anomaly," put knowledge of the cause more cautiously. "As of now," he said, "there is no evidence other than this was a system stressed to meet day-to-day operational pressures."

"There was a significant loss of processing, but collection continued unaffected," the senior intelligence official said. "We may have lost timeliness, but we have not lost intelligence."

The "backlog of intelligence processing is almost complete and NSA is confident that no significant intelligence information has been lost," the agency said in a statement.

Almost immediately after a signals intelligence officer Monday night saw that the system had crashed, he turned to other parts of the NSA worldwide system to pick up the processing responsibility, officials said.

To keep current on key early warning issues during the failure, sources said the U.S. intelligence community turned to other NSA intercept assets in the hands of the CIA and the military. In addition, NSA regularly exchanges information with allied intelligence agencies.

Early Friday morning, after calling in various contractors and having personnel work around the clock, fixes had "brought the operation back to operational stability," the senior official said. As of yesterday, processing had largely been restored to 90 percent to 95 percent of operational capability, the senior official said.

To bring the system back up to that level, NSA spent nearly $1.5 million adding new equipment to build up the "backbone" of the system, making fixes and having personnel work thousands of hours of overtime.

NSA has been sharply criticized by congressional intelligence committees over the years for failing to modernize quickly enough as telecommunications capabilities have accelerated with new technologies.

from the Washington Post, 2000-Feb-2 p.A19, by Walter Pincus, staff writer:

NSA System Crash Raises Hill Worries
Agency Computers Termed Out of Date

The failure of the National Security Agency's information processing system, which crashed for four days last week, is merely the latest sign that the super-secret agency has allowed some of its computer technology to fall woefully out of date, members of the House and Senate intelligence committees said yesterday.

Both committees, which have increased the NSA's budget and pressed it to modernize for three years in a row, have launched inquiries into the failure of the NSA's backbone data communications system at Fort Meade.

NSA satellites and listening posts continuously eavesdrop on radio, telephone, cable, fax and e-mail communications outside the United States. The information is relayed to Fort Meade, where huge computers sort the electronic signals and analysts review them for significant intelligence.

Rep. Porter J. Goss (R-Fla.), chairman of the House Permanent Select Committee on Intelligence, said the failure was not in any "super-secret" equipment, but rather in the ordinary "wires and switches that transmit data from computer to computer and office to office." He described it as "the sort of modern, off-the-shelf technologies any . . . company would be buying to link its computers."

The NSA says no important intelligence information was lost. According to a senior intelligence official, all of the intercepted material was saved and will be processed normally.

But Goss is not mollified. "We are extraordinarily fortunate that this incident did not take place in the midst of an escalating international crisis--lives may well have been lost because of it," he said.

He added that the incident demonstrates "a lack of management attention until recently and a chronic underfunding of infrastructure at NSA."

Richard C. Shelby (R-Alabama), chairman of the Senate Select Committee on Intelligence, said it was "no surprise" that "NSA has encountered significant problems recently that relate directly to their ability to process the incredible amounts of data that they collect every day."

Shelby said an advisory group of technical experts appointed by his committee two years ago found "an organization in desperate need of organizational restructuring and modernization of its information technology infrastructure."

The NSA's exact budget is secret. But Congress has repeatedly raised it in recent years, and it is now said to top $6 billion.

The computer outage lasted from Monday until Friday. The agency said Saturday night that it had spent about $1.5 million on emergency repairs and outside consultants to put the system back into operation.

According to one expert familiar with the situation, however, the system "is being held together by bailing wire and will not be fixed for long." He estimated that a permanent remedy could cost tens of millions of dollars.

When Air Force Lt. Gen. Michael V. Hayden was named director of the NSA last year, he promised to tackle technical problems previously cited by Congress, and he established a task force to look at the most pressing needs.

Last summer, the House intelligence panel bluntly declared in a committee report that "NSA is in serious trouble." It had earlier criticized the agency for failing to modernize its computer-processing capability while committing huge amounts of money to upgrade its worldwide system for intercepting communications.

"We have been beating the drum on this," said one Capitol Hill aide.

from WorldNetDaily 1999-Mar-2, by Jon E. Dougherty:

More concerns about NT security
Computer security analysts agree it is compromised

Before its debut, computer security analysts were already labeling Intel's newest processor, the Pentium III, as an unsecure platform, open to Internet-based alteration. The same claims have been made against Microsoft's Windows NT operating systems for years, though both companies routinely deny there are any security problems inherent in their systems.

However, Ed Curry, an independent contractor who developed a security system specifically for Windows NT Version 3.5, ostensibly to be bundled with every new NT package sold to the federal government, says the program was designed to prevent processors in NT 3.5 systems from being accessed by unauthorized sources.

But before Microsoft made good on their contract with Curry -- reportedly worth billions of dollars -- government agencies were ready to upgrade to other versions of NT, which were not able to accommodate Curry's program.

Since then, Craig Newlander, a Chicago-based NT systems security analyst and owner of Telesoft, Inc., has told WorldNetDaily that not only are Curry's assessments of the Windows NT 4.0 systems correct, but "off the shelf, NT has always been a weak system."

Newlander, whose job is to perform "vulnerability assessments" on NT systems, said over the past few years he has received "lots of security notices regarding NT operating systems."

The security analyst downplayed assertions by Microsoft personnel that their NT 4.0 systems -- particularly those being sold "by the thousands" to the federal government, including the Department of Defense -- are inherently safe. He said Microsoft "seems to promote security by obscurity" -- meaning as long as they could hide their system's deficiencies, "they're happy with that."

"All of these systems work basically the same way," Newlander said. "Barring any major, major technological upgrades that I'm not aware of, NT is no different than most other operating systems, in terms of internal functionality."

One thing that makes NT systems vulnerable, he said, was the ease with which a low-level programmer could present himself as a system administrator. "Essentially, you'd have full control over the machine."

And, he added, "Gaining local admin access is extremely easy with tools available over the Internet. Passwords can also be computed back to clear text from a captured cipher (code), which is useful for gaining domain admin access."

"NT can be made secure, but it requires modifying a lot of parameters," Newlander said.

What makes systems especially susceptible is their connectability to LANs -- Local Area Networks -- which help computers communicate with each other. "Every computer on a LAN can see every message on that network," he said. "That includes the SAMs -- Security Account Managers." He said hackers can "look for SAM messages -- with programs on the Internet that can read and decipher log-on codes, for example."

Later, perhaps when no one is looking, a person can then access vulnerable machines "and it will appear as though they logged on as the real user of that system."

"The way NT authenticates SAMs has been the same since version 3.1," Newlander told WorldNetDaily. "And if that's the case, then what makes 4.0 any different? Nothing I can think of."

Regardless of what Microsoft is telling the government, Newlander said "any programmer worth his salt will never tell you his encryption code can never be broken, because just when you think it can't, it will be." He said there is almost no way to make NT systems completely secure, but there are ways he suggests to make them much more difficult to crack for the average hacker with a substandard deciphering program.

"No matter how secure a system is, there is always a way in," he said. "But using longer passwords, passwords that are irregular, and those that involve more than eight or nine characters and are alpha-numeric are the hardest to crack."

In January, L0pht Security put out a security notice that users of the Quakenbush NT tool Password Appraiser are unwittingly publishing NT user passwords to the Internet. And on Jan. 5, L0pht also announced that other Windows operating systems -- Win95 and Win98 -- were allowing possible attackers to impersonate valid system users. All of these security concerns were initially addressed by Curry to the Department of Defense and representatives of the National Security Agency, but were met with tepid responses.

from WorldNetDaily, 1999-Feb-23, by Jon E. Dougherty:

Are Pentagon computers compromised?
Analyst charges Windows NT isn't secure

A National Security Agency-trained computer vendor and security analyst says the Pentagon and other government agencies have violated their own security rules by purchasing mass quantities of a non-secure computer operating system.

Ed Curry, a former independent contractor for the Microsoft Corporation, developed one such secure processor program for one version of the computer giant's Windows NT program. He said since it was destined for government computer systems, the program had to pass the scrutiny of the National Computer Security Center (NCSC), which ran the program through a battery of tests and diagnostics to obtain a "level of trust" rating.

But Curry told WorldNetDaily the current version of Windows NT being purchased "in mass quantities" by the federal government is insecure and subject to alteration. The version he tested and knows to be secure is Windows NT 3.5, whereas the government -- even the Department of Defense -- has been buying version 4.0.

According to Curry, the most susceptible component of the computer is the processor. With no security program in place, the processor can be altered, and therefore so too can the processor commands and functions. When these systems are used to operate or monitor defense systems, guided missiles, or any number of other applications, vulnerability means they can be changed in any number of ways -- perhaps without the operator knowing until it's too late.

Curry said that processors on Windows NT Version 4.0 are insecure because they have been designed to automatically "open the processor up to accept commands" on start-up, whereas the 3.5 version does not do that. That alone, he said, "makes the processor insecure and hence, the entire system as well."

Curry's program is not compatible with the 4.0 version. But because government buyers wanted other "bundled" Windows applications that were incompatible with the 3.5 version, they decided to buy 4.0 instead, despite being notified of the security problems.

"Basically it was money over security," Curry explained. "They had already bought thousands of the 4.0 systems, and didn't want to have to replace them."

In the meantime, Curry says he has met with a number of government and defense representatives but has been unable to change their minds.

"I have met with representatives of Defense Secretary William Cohen," Curry told WorldNetDaily, "and have presented my evidence to them. They know I'm right, and they know what I've told them -- that they're violating their own security rules -- is right. But they basically said it didn't matter, that they would continue to use the 4.0 version."

Dick Schaefer, an aide to Defense Secretary William Cohen, as well as representatives of the NSA, told Curry "their hands were tied" in the matter.

To continue getting the government contracts, Curry said, Microsoft "misled" the government about the 4.0 version. "Microsoft said that version was security tested by the government (NSA), which was patently untrue." He said that the huge computer corporation is taking advantage of poor enforcement of government-security-rating requirements to sell non-certified versions of the same product in the lucrative federal market.

"In fact," he added, "Microsoft NT 4.0 is the least secure of all the NT versions." Version 3.5 is the only one that is secure, Curry said, but other reports quoted some officials as saying that version is now out of date.

Ironically, when the NSA was evaluating NT in 1994, the government told Curry "they needed a program to make sure the processor was secure. It was sort of a rush job, but I got to work and got a program written to their specifications." Normally, he said, the process takes "several months" or longer, "but they wanted this one in a hurry."

Curry told WorldNetDaily that initially, Microsoft promised to bundle and co-market his security-testing software with each licensed copy of NT. But later the company broke that agreement, thereby leaving his company holding a serious amount of research and development debt over the project. When he requested that Microsoft compensate him for his loss after they broke their contract with him, the company threatened legal action, he said.

Microsoft would not return phone calls to WorldNetDaily, but in other published reports the company has denied Curry's charges, saying they are "working closely with the federal government to ensure all versions of NT are secure."

Curry said a government security rating is not easy to obtain, but once he received it, the potential sales of his software could have comprised some 3 to 4 million units, totaling about a billion dollars in sales.

Curry also explained that it was critical to make sure the processor of every system is protected, particularly government computers in any setting that can be exposed to hacking attacks or other methods of alteration.

"All computer security systems begin with the Intel processor itself," Curry said. "I helped Intel develop their processor, so I know how they work and how vulnerable they can be if left exposed."

Curry added that beginning with the Pentium Pro processor, people using the Internet could download programs that would fix certain glitches and bugs in existing software and systems. Many of those fixes were geared toward the processors, which means, "you can also download a program that could shut off the security," he said. Consequently, "those programs which alter the processors (and are being used in DoD systems) can also make weapons fire certain ways, or not at all. My program was designed not only to make sure all processors are secure, but to make sure they stay secure."

Curry repeatedly emphasized that his continued attempts to make the government aware of the shortcomings in unsecured Windows NT operating systems "is because of what it is doing to our national security, nothing more." He said his consulting and software design business is gone, "and there isn't much I can do about that right now."

"But I can continue to try to let these people know what kind of product Microsoft is actually selling them," he added. "It's been hard, partially because I don't think the government agencies really understand the nature of PCs."

Other government sources confirmed that Windows NT sales are booming, and are steadily replacing competitor Novell Netware in federal systems. And, it's likely to get worse.

In May 1998, Microsoft announced a major contract with the U.S. Air Force to begin changing military command and control applications from the UNIX operating system to Windows NT. And Curry said the U.S. Navy is extensively using the unsecured NT versions about its warships.

The following article covers the operating system family I (the AMPP editor) have used since 1990 - BSD (Berkeley Software Distribution) Unix. Starting with Ultrix and 4.3BSD in 1990, I moved to SunOS4, then NetBSD, and currently, FreeBSD. To this day, I operate a residential cluster with one each of the latter three OS's. My new main machine runs FreeBSD 4.0-RELEASE, which has proven to be unusually stable and consistent (rivalling SunOS 4.1.3_U1 and 4.1.4 in that regard), with rock solid Linux binary interoperability. BSD Unix is certainly the most powerful, accessible operating system. Cray's (formerly known as Tera Computer Company) beyond-state-of-the-art MTA supercomputer runs BSD Unix.

from the San Francisco Chronicle, 2000-May-29, by Henry Norr, Staff Writer:

RIDING THE WEB WAVE
FreeBSD is a relatively unknown operating system playing big role on Internet

Name an operating system that's distributed free, maintained by a far-flung network of mostly unpaid enthusiasts and relied upon by a growing number of Internet service providers and Web sites.

Chances are you guessed Linux.

After all, that OS has become almost a household word in recent years, as it has evolved from geek plaything to Internet workhorse and even (until a few months ago) Wall Street darling.

But Linux wasn't the first freely distributed OS, nor is it the only one that's caught the Internet wave. An alternative called FreeBSD and other members of the Unix-derived BSD family arguably play a more central role on the Internet, even though the general public has little awareness of them.

The FreeBSD customer roster includes such Internet powerhouses as Yahoo, the most heavily trafficked site on the Web; Microsoft's Hotmail, the world's largest e-mail service; MCI WorldCom's UUNet, a giant provider of Internet services to businesses and to consumer ISPs; MindSpring, a national ISP that last year ranked No. 1 in customer satisfaction according to J.D. Power and Associates; and Verio, a company that says it hosts more than 300,000 Web sites in 170 countries.

Yahoo has been relying on FreeBSD since 1995, according to co-founder and Chief Yahoo David Filo. Today, the company has ``well over 1,000'' servers, and about 90 percent of them run the free OS, he said; the only exceptions are machines Yahoo picked up by acquiring other companies (most of which will be shifted to FreeBSD eventually) and a handful running applications that require other operating systems.

``When we started,'' Filo explained, ``it offered more stability and better performance than anything else we could find, and it's continued to perform well in those two departments. It's a system that has always worked for us, and it looks like it's only going to get better over time.''

So convinced of FreeBSD's merits are Filo and his fellow Yahoos that they've recently put some of their riches behind an effort to raise its previously modest profile. In March, Yahoo took an unspecified equity stake in Berkeley Software Design Inc. (BSDI), a Colorado Springs, Colo., company that markets a commercial version of BSD called BSD/OS.

The investment helped BSDI buy Walnut Creek CDROM, the leading distributor of FreeBSD, and arrange another acquisition that will be announced within six weeks, according to BSDI spokesman Kevin Rose.

While it will continue to improve and market its commercial OS, the beefed-up company also has big plans for the free version: Like Red Hat, Caldera Systems and other companies that have grown large by providing added-value services to Linux customers, BSDI plans to offer professional support, consulting and custom development for users of FreeBSD.

The 9-year-old company, which already has more than 100 employees and is profitable, also plans to raise additional funds from venture capitalists to fuel its new ambitions, according to Rose.

Along with Yahoo, the biggest feather in FreeBSD's cap has to be Hotmail. After all, Microsoft touts its own heavy-duty OSes, Windows NT and now Windows 2000, as alternatives to Unix, yet it continues to rely on FreeBSD to manage the mail of Hotmail's 66 million users.

In a revealing message explaining why it hasn't switched to its home-grown systems, product manager Sarah Lefko said Microsoft is ``committed to providing a stable and high-quality user experience for Hotmail.''

While the company does plan to switch to Windows 2000 servers eventually, Lefko noted that such a massive migration can't happen ``overnight.'' She didn't explain why the process hasn't even begun yet, even though there have been approximately 880 ``overnights'' since the company acquired Hotmail at the end of 1997.

Along with FreeBSD and the commercial BSD/OS, the family includes two other major free versions, NetBSD and OpenBSD, plus some smaller variants. No one knows for sure how many users the free versions have, and Stephan Somogyi, a BSD watcher who works as director of strategic development at a San Francisco startup called Flying Packets, says, ``I'd distrust anyone who says they have hard numbers,'' since users can make unlimited copies of the free versions.

BSDI, however, estimates that more than 100,000 commercial sites run one or another BSD variant on some 2 million servers. A survey of major national Internet carriers conducted last fall by Infonetics, a San Jose market research company, found that roughly three-quarters of these companies' servers ran some form of Unix, and of these, 15 percent used FreeBSD and 5 percent used the commercial BSD/OS. By contrast, Sun's Solaris was installed on 45 percent of the Unix servers, but the much-hyped Linux had only a 9 percent share.

On the other hand, by next fall, the companies Infonetics surveyed expect to have Linux on 18 percent of their servers and Solaris on 47 percent; FreeBSD's share is projected to drop to 13 percent.

And a separate survey of smaller service providers, completed by Infonetics in March, gave Linux a current share of 41 percent of Unix servers, compared to 26 percent for Solaris, 15 percent for the older, BSD-based SunOS, 8 percent for FreeBSD and 5 percent for BSD/OS. That study also projected that FreeBSD's share would increase by a quarter, to 10 percent, over the next year.

The BSD camp will also get an indirect boost over the next year as Apple rolls out its next-generation operating system, Mac OS X. That product is derived from Steve Jobs' old NeXTstep system and, like NeXTstep, it incorporates a ``layer'' of BSD software, mainly from the FreeBSD version.

Not everyone is convinced that the BSD camp's prospects are bright, considering the momentum and ``mind share'' Linux has acquired and the marketing muscle Microsoft and Sun can put behind their commercial offerings. Daniel Kusnetzky, vice president of system software research at International Data Corp., is among the skeptics. BSD's supporters, he said, ``really have a challenge ahead of them,'' because their OS is largely unknown to the information-technology staff at most corporations.

``If they don't know about something,'' Kusnetzky said, ``they won't consider it, and if they won't consider it, they won't buy it.''

BSDI's Rose, however, is undaunted. Comparing the BSD family to Linux and even commercial competitors, he said, ``We think we have a product that's more reliable, scalable and robust for high-performance, infrastructure-grade computing.''

Yahoo's Filo agrees, noting that his company recently started rolling out the latest version of FreeBSD, 4.0. Despite all the competition it faces, he said, ``it seems to have plenty of momentum.''

``Open source for us has been such a huge benefit, I can't imagine us moving to a proprietary system,'' he said. ``The only other alternative is Linux, and I don't see much reason to do that at this point. As long as FreeBSD continues to give us what we need, there's no reason to move.''

from ABC News, 1999-Mar-5, by Barbara Starr:

WASHINGTON, March 5 - The Pentagon's military computer systems are being subjected to ongoing, sophisticated and organized cyber-attacks, officials there tell ABCNEWS.
     And unlike in past attacks by teenage hackers, officials believe the latest series of strikes at defense networks may be a concerted and coordinated effort coming from abroad.
     Until now, the Defense Department had not publicly acknowledged this latest cyber-war.
     But in an interview Thursday with ABCNEWS, Deputy Defense Secretary John Hamre, who oversees all Pentagon computer security matters, confirmed the attacks have occurred over the last several months and called them “a major concern.”
     “This is an ongoing law enforcement and intelligence matter,” said Hamre, who last month briefed the House Armed Services Committee on the attacks in a classified session.

Firewalls Breached?
The investigation is looking at a pattern of attacks that has not been seen before. Officials tell ABCNEWS there are several matters under investigation, and it is not clear to what extent the cyber-attacks are all linked.
     Sources insist no classified networks have been breached, but they do say attacks have been aimed at sensitive information that may be “locked” behind firewalls and computer passwords.
     Officials believe some of the most sophisticated attacks are coming from Russia. Federal investigators are detecting probes and attacks on U.S. military research and technology systems — including the nuclear weapons laboratories run by the Department of Energy.
     What is not clear, however, is whether the attacks are coming directly from Russia or whether the probes are coming from other countries that are simply routing through Russian computer addresses to disguise their origin.
     Initial indications are that, wherever the probes and attacks are originating abroad, they are not from individuals. But U.S. officials say they would treat any Russian threat similarly whether it comes from the government, industry or high-technology interests.

A Russian Gateway for Espionage
The U.S. National Counterintelligence Center, or NACIC, which monitors espionage activities worldwide, has been tracking the threats posed by lack of official security systems on Russian computer networks for some time. A September 1998 NACIC report noted Kremlin statements that foreign secret services were regularly penetrating Russian computer networks.
     U.S. officials believe, however, that there may be an even more disturbing problem: Foreign government hackers may be getting help from within the U.S. government.
    
Testing Security
In February 1998, Pentagon computers were attacked by hackers in what was then characterized as one of the most serious computer intrusions to date. A series of attacks known as “Solar Sunrise” targeted Defense Department network domain name servers, exploiting a vulnerability in the Solaris Operating System that runs many of the computers.
     The attacks were thought to be a preliminary attempt for a widespread attack on the entire Pentagon information infrastructure. The attacks also were especially sensitive because they came at a time when many elements of the Defense Department's computer network were being used in preparation for possible military operations against Iraq.
     Subsequently, the Pentagon conducted its first large-scale exercise designed to test the ability of the military to respond to an information attack. The “Eligible Receiver” exercise demonstrated that the Pentagon and the intelligence community had little capability to detect or assess cyber-attacks.
     Since then, the Pentagon has made several efforts to improve network security and its ability to detect intrusions and attacks. But while the system may be in better shape than it was last year, officials are urgently trying to find the latest attacker and stop the cyber-war before U.S. national security is compromised.
“We are increasingly concerned about those who have legitimate access to our networks — the trusted insider,” Hamre told the House committee in a written statement on Feb. 23. “I cannot emphasize strongly enough the seriousness of the insider threat to our information systems and, through those systems, to the Department's operations.”
     Senior Defense Department officials are being briefed regularly on the investigations into the insider threat.

Congressional Concerns
Indeed, the Pentagon has quietly established a new organization — the Joint Counterintelligence Evaluation Office — which is tracking foreign intelligence services' attempts to gain access to critical Defense Department technologies as well as their attempts to penetrate information infrastructure and U.S. military operations. All of the military services are beefing up their own counterintelligence efforts as well.
     Hamre's closed-door appearance has sparked a new round of concerns in Congress. Pentagon computer systems are probed about 60 times a day with as many as 60 actual computer attacks each week. Many of these are from more typical hackers, and the Defense Department has the capability to freeze out access to government networks.
     But the current situation is far more serious, according to Congress. Rep. Curt Weldon, R-Pa., chairman of the House Armed Services Research and Development Subcommittee, told ABCNEWS: “What we've been seeing in recent months is more of what could be a coordinated attack, that could be some attack we have not yet fully uncovered that could be involved in a very planned effort to acquire technology and information about our systems in a way that we have not seen before.”

from NBC News, 1999-Mar-4, by Jim Miklaszewski and Robert Windrem, from http://www.msnbc.com/news/246801.asp:

Pentagon and hackers in ``cyberwar''
Officials say computers attacked up to 100 times a day

[Photo caption: "On Jan. 7 and 8, Kelly Air Force Base in San Antonio was the focus of a sophisticated computer attack, say U.S. officials."]

WASHINGTON, D.C., March 4 - The Pentagon has been warning about a future computer war. Well, the future is now, and the war is on. For two days in January, hackers repeatedly tapped into military computers at Kelly Air Force Base in San Antonio — the center for the most sensitive Air Force intelligence, the kind of information critical to American troops now on patrol over Iraq and in Bosnia.
       NBC NEWS has learned the attack was a sophisticated, coordinated assault through computer networks in Canada, Norway and Thailand.
       The hackers didn't receive top secrets but the Pentagon's No. 2 man, Deputy Secretary of Defense John Hamre, says the United States is essentially engaged in an all-out cyberwar.
       ``The department is experiencing fairly sophisticated challenges right now,'' said Hamre.
       For the past several months, so-called cyberterrorists, operating from as many as 15 locations worldwide, have launched a series of coordinated attacks on Pentagon computers - as many as 100 per day.
       The attackers remain unidentified and since anyone with a computer is a potential enemy, experts warn the United States military is vulnerable to a sneak attack.
       ``It's not a matter of if America has an electronic Pearl Harbor - it's a matter of when,'' said Rep. Curtis Weldon, R-Penn.
       At Kelly, the hackers were trying to enter a server that controls a number of sensitive computers at the base and other bases in the San Antonio area.
       Among the computers targeted were those of the Air Intelligence Agency, the Air Force Information Warfare Center and a Joint Chiefs of Staff command-and-control operation. Officials said it was the most sophisticated attack yet on Pentagon computers.
       ``What is clear is that the attacks were coordinated,'' said Steven Northcutt, head of the intrusion center at the U.S. Naval Surface Warfare Center in Virginia, which tracked the assault. ``But exactly how many people are driving it is not clear.''
       
FBI CALLED IN
       The attack so worried the Pentagon that it called in the FBI, which has launched a criminal investigation.
       Officials said the attacks were coordinated to increase the ``stealth and firepower'' of the perpetrators and were ``difficult to detect'' because they were planted in ``a large volume of identical traffic that is too massive to process without specialized techniques.''
       A copy of the Navy's briefing on the attacks, called ``Internet Threat Briefing - Stealth and Coordinated Probes and Attacks,'' shows an ``evolution of the cat-and-mouse game hackers and administrators play,'' said Peter Durham, MSNBC's network security analyst.
       ``This is a new strategy, not a new weapon,'' said Durham, who reviewed the briefing. ``Each attack is a regular, familiar kind of attack. What is different is the way it's being executed.''
       Durham said what distinguishes this attack is that it came from a number of different, unrelated locations, which makes tracking it difficult.
       
MAKING PROGRESS
       But the military is making some progress. New technology developed by the Navy did detect the attacks on Kelly Air Force Base, but failed to find the hackers themselves. Several experts said such an attack wouldn't have even been detected at all a few months ago but the government has been quietly setting up cyberwar early-warning operations at the Pentagon, CIA and the National Security Agency over the past year.
       In a speech last November, National Security Council Terrorism Coordinator Richard Clarke said Department of Defense Web sites are being visited regularly by foreign governments.
       U.S. officials said none of these nations is believed to have aggressive plans and attribute their ``pinging'' of sensitive systems to an extension of their economic espionage activities.
       In speeches and interviews, Clarke has been unsparing in his declarations of the threat. He told The New York Times in a recent interview: ``I'm talking about people shutting down a city's electricity, shutting down 911 systems, shutting down telephone networks and transportation systems. You black out a city, people die. Black out lots of cities, lots of people die. It's as bad as being attacked by bombs.''
       ``An attack on American cyberspace is an attack on the United States, just as much as a landing on New Jersey,'' he said. ``The notion that we could respond with military force against a cyberattack has to be accepted.''
       President Bill Clinton recently proposed spending $1.5 billion in fiscal 2000 to shore up the nation's defenses against cyberterrorism.
       
FRANCE AND ISRAEL CITED
       Specifics on the threat are hard to come by, say experts. One of the few instances where the United States has in any way detailed the threat came last week after Hamre described the Kelly Air Force Base attack before Weldon's committee. Afterward, Weldon described what Hamre told the committee as a ``siege by a coordinated, organized attack.''
       Sources tell NBC News that a top-secret intelligence document written in 1996 identified Israel and France as trying to penetrate sensitive U.S. government and commercial computers.
       ``French and Israeli attempts were noted'' in the report, a source familiar with the document said. A second source in the U.S. government confirmed the two countries' attempts.
       This effort is reportedly centered in two places inside the U.S. intelligence community. One is the Critical Technologies Branch of the CIA's Office of Science and Weapons Research. The other is the Infowar Support Center, also known as G42, at the National Security Agency.
       Both are involved in the American effort to have cyberweapons available to retaliate against an enemy who goes after U.S. systems or to use these weapons to disable enemy defenses in a war.
       Pentagon officials insist the military's deepest secrets are still safe, but they admit that as these computer terrorists become more sophisticated, this is one war that's getting tougher to fight.
       
       Jim Miklaszewski covers the Pentagon for NBC News and Robert Windrem is an investigative producer specializing in the U.S. military.
       

time.com / The Netly News / Afternoon Line / with Jonathan Gregg May 5, 1998 http://cgi.pathfinder.com/netly/afternoon/0%2c1012%2c1961%2c00.html

Domino EFX

A global Y2K crash? That's what's spooking the CIA. Even if the U.S. muddles past 1-1-00 without catastrophe, the agency believes other countries' problems could be infectious. The CIA says Canada, Britain and Australia are six months behind the U.S., with Asia and Latin America lagging somewhere in the distant rear. "We're concerned about the potential disruption of power grids, telecommunications and banking services," Sherry Burns, head of the CIA's Y2K research group, told Reuters. "As you start getting out into the population, I think most people are again assuming that things are going to operate the way they always have. That is not going to be the case." When we called Burns for an interview, the CIA nixed the idea. "We're not inclined to discuss it any more at this time," a spokesperson told us. But we do know the folks at Langley are making their own preparations: Some CIA employees have been told to keep cash on hand and be prepared for possible blackouts on what could be a very chilly New Year's Eve.
--By Declan McCullagh/Washington

[snip]

from the Progressive Review Mailbox on Dejanews, posted 1999-Jan-5:

Ian Hugo, Assistant Director of British Y2K group TASKFORCE 2000, has plotted a "failure curve" for 1999. Hugo believes 10 percent of all failures have already happened; 60 percent of failures will occur in 1999; and only 30 percent will occur in 2000. A "big danger zone" is April 1999, the time when many organizations begin budgeting and scheduling for 2000.

from CNET, 1999-Mar-31, by Erich Luening, Staff Writer, CNET News.com, from http://www.news.com/SpecialFeatures/0,5,34315,00.html?st.ne.fd.gif.h:

Agencies miss deadline on Y2K fixes

The federal government said it did not meet its self-imposed deadline today for completing Year 2000 computer fixes.

The Clinton administration said 11 agencies have not finished updating all of their "mission-critical" computer systems. The White House last year ordered the agencies to meet today's deadline in hopes of staving off last-minute chaos as this year ends.

At a press conference this afternoon in Washington, John Koskinen, chairman of the President's Council on Year 2000 Conversion, said 13 of the 24 federal departments did make the deadline. But the Agency for International Development missed it completely, reporting that none of its systems have been fixed, officials said.

In addition, the 8 percent of agencies that missed the White House deadline include components of several vital agencies, such as the Health and Human Services Department, the Defense Department, and the Federal Aviation Administration. Services eliciting the most concern are flight controls, Medicare check processing, and weapons systems.

Koskinen also said 25 percent of the White House's own mission-critical systems missed the deadline. He said the White House expects to have its systems 50 percent compliant by June and fully compliant by the end of the summer.

Koskinen reported that 92 percent of the government's mission-critical systems at the 24 largest agencies have been fixed, have undergone an initial round of Year 2000 tests, and have been put back online, meeting the March 31 deadline set 16 months ago.

Koskinen said the rest of the lagging agencies will complete their Y2K work by summer's end. Of 6,123 critical federal systems, only about 500 systems at 11 large agencies still need repairs, he said.

Republican leaders immediately lambasted the Clinton administration for failing to meet the Y2K deadline. "Today the administration is redefining success by patting themselves on the back for being 92 percent Y2K compliant. The reality is, the Administration has failed to meet its own deadline," House majority leader Dick Armey (R-Texas) said in a statement released this afternoon.

"The administration is fooling itself and luring the American public into a false sense of security. The Administration's definition of 'compliant' just isn't good enough," Armey said.

"We view this 92 percent as a major milestone," Koskinen said. "Yet there is still work to be done."

To make sure the job gets done, the administration will ask for monthly updates on the status of lagging Y2K programs and systems.

"We will also ask agencies to submit contingency plans by June 30," said Office of Management and Budget deputy director Edward DeSeve, who joined Koskinen at the press conference. "We'll ask them what is the risk of Y2K failure and how likely is this risk to happen."

Yesterday, Sens. Bob Bennett (R-Utah) and Chris Dodd (D-Connecticut), chairman and vice chairman of the Senate Special Committee on the Year 2000 Technology Problem, warned that despite the number of computers that are free of bugs, some of the government's most vital operations remain vulnerable to Y2K problems.

"The remaining 10 percent are a concern because they include critical systems and services which play an important part of maintaining the health and well-being of our nation's citizens," the senators said in a joint statement issued yesterday.

Other agencies eliciting concern, besides the Defense Department, which has made headway but is still not 100 percent ready, are the Energy Department, and the State Department, according to the senators.

Some of the critical government computers that will not be ready by March 31 include mission planning systems for F-117A Stealth and F-15E fighters. U.S. Ballistic Missile Early Warning System command and control networks also will miss the deadline, although they should be operational later this year, according to Bennett.

The many computers vulnerable to the so-called millennium bug are programmed to register only the last two digits of the year, meaning that "2000" may be read as "1900," generating errors and scrambling computers.

If the agencies do not bring their systems into compliance, some experts warn, Americans could feel the consequences in paralyzed air travel, electric power failures, nuclear plant shutdowns, undelivered pension checks, and unpaid government employee payrolls.

Five agencies--the Environmental Protection Agency, the Social Security Administration, the Small Business Administration, the Nuclear Regulatory Commission, and the National Science Foundation--report that their mission-critical systems are now 100 percent compliant.

Dodd and Bennett said their committee will hold a hearing next month to further examine the details of the government's progress. Invited witnesses include Koskinen, chairman of the President's Council on Year 2000 Conversion, and Jacob Lew, director of the Office of Management and Budget.

A key aspect of the hearing will be the extent of the government's "end-to-end" testing of interdependent computer systems. End-to-end testing is considered one of the most important steps in the verification process.

"Just because a system or unit is Y2K-compliant on its own does not guarantee it will be free of Y2K problems when run with other systems," Dodd and Bennett wrote in their joint statement. "It's like testing a parachute without pulling the ripcord."

The Senate committee will also look at agency contingency plans, which Dodd and Bennett have increasingly focused upon as January 1 approaches.

As reported earlier, other members of Congress joined the two senators in asking 22 agency heads to submit contingency plans for dealing with possible Y2K-related failures.

To date, the federal government estimates it will spend as much as $6.8 billion fixing the Y2K computer problem, a figure that is expected to increase significantly before 2000 arrives.

from the Netly News, 1998-Jun-4, by Declan McCullagh, Nathaniel Wice and Lev Grossman, from http://cgi.pathfinder.com/netly/opinion/0%2c1042%2c2037%2c00.html:

Major Headache

    Call it an act of contrition that's long overdue. During Bill Curtis's 27-year career as a military computer jock and head of the Army's Decision Systems Management Agency, he wrote more than a few lines of code that were century-insensitive. "I made decisions that we could only use two digits for the date," the former Army Ranger confessed in an interview yesterday. Now, in a move that proves karmic justice exists after all, Curtis is in charge of fixing his own -- and everyone else's -- software screwups as the head of the Department of Defense's Y2K office.

    It's a job nobody else wanted, for a few very good reasons. Of all the federal agencies bumbling through Y2K fixes, the Department of Defense is in particularly poor health. Repairs of the most vital computer systems were just 9 percent complete as of this spring -- though the Pentagon began Y2K planning in 1995. More optimistic projections predict the Defense Department will finish its Y2K work in 2002. What kind of masochist is Curtis? "I heard about this job and I decided I want that," says Curtis, who accepted the assignment in April. "There's a chance to make a real difference."

    Curtis seems to be making the right moves so far. His 10-person staff is settling into their new digs in the Virginia suburb of Crystal City (their Pentagon offices got too cramped), and they're talking to the right people. Curtis has briefed the Secretary of Defense three times, and reports that the secretary's staff met last night for a Y2K confab, complete with charts and horror stories.

    Hey, spend enough time puzzling through possible outcomes and you'll get the heebie-jeebies too. About 120 of the Army's 376 most vital information and weapons systems need to be fixed and have not been revamped yet. Worse yet, 17,000 of 88,000 military communications systems aren't century-savvy (and 18,000 still have to be tested). The Navy's Tomahawk missile system -- and its date-related problems -- appear twice in the appendix of a Y2K report expected to be released soon by the Office of Management and Budget. When pressed, Curtis admits that even the military's perhaps 2,800 "mission critical" systems won't make it, let alone the thousands or millions (nobody quite knows for sure) of other computers in use. Says Curtis: "I believe there are mission-critical systems that won't be done."

    These are hardly comforting words, but at least they're realistic. They also mean contingency planning. That's trickier than it sounds, since the military relies on utilities like telephone networks (for 95 percent of its telecommunications) and electrical power. "The good side is the number of people dedicated to getting the job done," Curtis says. His forecast? "It's a huge problem, but I'm cautiously optimistic."

from the Associated Press, 1999-Feb-24, by Jim Abrams, AP writer:

CIA Sees Y2K Problems Overseas

WASHINGTON (AP) -- Russian missiles, Chinese power systems and Mideast shipping could all face breakdowns because many foreign countries are failing to face up to the seriousness of the Year 2000 computer problem, the CIA told Congress on Wednesday.

Air Force Gen. John Gordon, CIA deputy director, told a Senate Armed Services Committee hearing that Russia appears particularly vulnerable, raising concerns about the safety of its missiles, nuclear plants and gas pipelines.

``We do not see a problem in terms of Russian or Chinese missiles automatically being launched'' because of Y2K-related problems. But computer glitches could cause local accidents if temperature or humidity monitors malfunction, or Russian missile early warning systems might put out incorrect information about foreign missile launches, Gordon said. He said the Pentagon has been consulting with the Russians on how to avoid that danger.

Separately, a special Senate committee on the Y2K problem was finishing a draft of a report finding that the United States, while well ahead of most of the rest of the world in fixing computers, is likely to experience some disruptions in health care, electric power and food distribution.

``All sectors of the economy, many of which provide goods and services that are vital to our health and well being, are at risk,'' Sens. Robert Bennett, R-Utah, and Christopher Dodd, D-Conn., wrote their Senate colleagues.

Because older computers use only two digits to read dates, they will misread the year 2000 as 1900, resulting in possible erroneous data and shutdowns.

Both Gordon and the Senate report emphasized that it is difficult to assess what will happen on Jan. 1. Within the United States, many companies have been reluctant to reveal their status out of fear of litigation, while many foreign nations are just beginning to deal with the ``millennium bug.''

There are some who ``paint a picture of the collapse of society where roving bands of marauders travel the countryside looting supplies,'' Sen. James Inhofe, R-Okla., said at the Senate hearing. Inhofe said he didn't think that likely, although ``I am sure that we will experience some disruptions in our daily lives.''

Gordon said a major concern was a midwinter power outage that could have ``major humanitarian consequences'' for such countries as Russia and Ukraine. He noted that Russia's Gazprom Natural Gas Pipeline network supplies more than one-third of Europe's natural gas and is run by Soviet-era mainframe computers highly likely to contain Y2K imperfections.

China, he said, is belatedly addressing the problem, but with limited time remaining ``will probably experience failures in key sectors such as telecommunications, electric power and banking.''

Gordon said oil supplies are also worrisome because world ports and ocean shipping are among the sectors that have done the least to prepare for the Y2K problem.

Among the draft report's findings were that 90 percent of doctors and 50 percent of smaller businesses have not addressed the problem. Half of electric power companies had fixed their computers by the end of 1998, but ``failure of some parts of the electric industry's system is likely.''

However, a prolonged, nationwide blackout was not expected, and 95 percent of telephone systems are supposed to be Y2K-compliant in time. Planes, it said, ``will not fall out of the sky.''

There is nothing to suggest this country will experience nationwide social or economic collapse, but ``those who suggest that it will be nothing more than a 'bump in the road' are simply misinformed,'' the draft report said.

It estimated that Americans will withdraw an average of $500 from banks, and urged consumers to keep bank statements and take extra care with investment decisions. It also said that ``stockpiling a small amount of extra food and water in the event of temporary shortages may also be advisable.''

At the hearing, Deputy Secretary of Defense John Hamre stressed that ``our nuclear command and control system has been thoroughly tested and has performed superbly.''

The Pentagon has been criticized as among the worst government agencies in confronting the crisis. But Hamre said 93 percent of systems will be fixed by March 31, the deadline President Clinton set, and 100 percent by the end of the year.

``The Department of Defense is like a large ship headed toward an iceberg,'' he said. ``We have successfully changed course to avoid the tip but we must continue our efforts to ensure we miss the submerged portion.''

from Wired magazine, 1999-Feb-25, by Declan McCullagh, from http://www.wired.com/news/news/politics/story/18124.html:

The US military is beginning war games to simulate Y2K outages in weapons and communications gear, a Pentagon official said Wednesday.

Codenamed "Positive Response," the operation is scheduled to last through September. It simulates the assistance that federal agencies and National Guard units might expect of the nation's defense force.

"In many cases, the situations result from likely requests for [US Department of Defense] assistance from other agencies and activities," Deputy Defense Secretary John Hamre told a Senate Armed Services subcommittee. "Consequently, as this year progresses, we will become increasingly involved in DOD support to others."

Hamre said several states, including Washington and Oregon, "already have concluded detailed agreements regarding National Guard response during a Y2K-induced emergency."

The military sometimes furnishes troops to deliver aid following hurricanes or natural disasters. Once an emergency has been declared, soldiers on active duty can be deployed as directed by the Federal Emergency Management Agency, which chairs the emergency-sector working group of the president's Y2K council.

At previous hearings, officials also have raised the possibility of martial law in response to disruptions in electric power.

"We are in the process of refining the list of assets that have utility in military support to civil authorities [MSCA]," Hamre said. "Because Y2K is a special case of MSCA in that many concurrent emergencies may occur, special procedures may be required to ensure the most effective use of these resources."

A separate federal simulation -- called a tabletop exercise -- brings together officials from multiple agencies to walk through "reasonably worst-case scenarios." The goal is to "enhance participants' understanding of potential Y2K impacts on national security," he said.

At a 30 January workshop, Hamre, the White House's Y2K council chairman John Koskinen, FEMA representatives, and Congressional staffers laid plans for an April exercise. A broader one will be held in June, Hamre said.

While US agencies and corporations may be on their way to debugging Y2K glitches, other countries are in poor shape, the deputy director of the CIA said at the hearing.

"In many cases, foreign countries only recently have become aware of the problem and begun to examine their critical infrastructure systems for potential Y2K failures," John Gordon said.

Lagging furthest behind are Russia, Latin America, Africa, and the Middle East, he said.

"The coincidence of widespread Y2K-related failures in the winter of 1999-2000 in Russia and Ukraine with continuing economic problems, food shortages, and already difficult conditions for the population could have major humanitarian consequences for these countries," he said.

Russian nuclear reactors could have catastrophic problems -- and might even have Y2K glitches that could prevent them from shutting down safely.

"There are digital controllers in some of the reactors that are used to drive pumps, valves, backup diesel generators, or other equipment crucial to the shutdown process," Gordon said.

from Wired magazine, 1999-Feb-20, by Declan McCullagh, from http://www.wired.com/news/news/politics/story/18029.html:

The District of Calamity

The single strangest thing about Friday's report that the District of Columbia's computer systems were about to become as useful as a Commodore 64 was how surprised everyone acted.

Officials darkly warned that the federal auditors' report of Year 2000's dire impact on city services should alarm the public. "The District remains in crisis mode," announced Representative Tom Davis, a Virginia Republican.

To be sure, the report was damning. Less than 1 percent of Washington's 200 key computers -- in other words, just one -- have been fixed so far. The rest aren't expected to make it in time.

But none of this should come as a surprise. Washington boasts a city government best known for its unparalleled sloth and incompetence. A new report from the city's inspector general reveals the District is paying US$1.8 million a year for over 9,000 telephone lines -- one-third of the total -- that the government has never used.

In 1995, the city was in such miserable shape that Congress created a financial-control board to oversee all budgets and revenue. It didn't help. A 1997 report from the General Accounting Office, Congress' auditing arm, revealed that the city didn't know how many students were enrolled in public schools. "The Department of Education's Office for Civil Rights released figures differing from [Washington public schools'] official counts by more than 5,000 and 2,000," the report said.

As far back as last fall, Congress was warned that the city was in Y2K peril. The fire department and the city's reviled police force might be hamstrung because of communications and 911 failures, GAO said. Unemployment, tax, accounts payable, retirement, alarm, security, and a slew of other major computer-provided services were at risk, said the 2 October report, entitled "Year 2000 Computing Crisis: The District of Columbia Faces Tremendous Challenges in Ensuring Vital Services Are Not Disrupted."

So what's changed? Perhaps officials realized that 314 days left until 1 January 2000 leaves scant time for error. Another likely explanation is that Davis, chairman of the DC oversight committee that met Friday, realized that any problems in the city would affect his district in the nearby suburbs.

In particular, Davis wasn't pleased to hear that the District was over one year behind where it should be.

(for more see Wired News' special section.)

May 5th Netly News on Y2K, http://cgi.pathfinder.com/netly/more/1%2c1311%2c1960%2c00.html?pg=2&continue=0

     And now, for today's dose of Y2K hysteria. The federal government's accountants and bookkeepers are rarely prone to alarmism, let alone panic. So when the General Accounting Office starts predicting a "catastrophe" if the government's Year 2000 bugs aren't exterminated, we're inclined to take the warning seriously.

    The Department of Defense is a mess, the GAO claims. Why? Take your pick: Nobody's in charge, or knows how much repairs will cost. Worst-case contingency plans have yet to be devised. No one even knows how many computer systems the military has -- let alone how many need to be reprogrammed. "Defense does not yet have a complete inventory of systems," says the report, titled "Year 2000 Computer Problems Threaten DOD Operations." Efforts to repair the most vital computer systems are just 9 percent complete, though the Defense Department began its Y2K planning in 1995. Worse yet, 17,000 of its 88,000 communications systems aren't century-savvy (and 18,000 still have to be tested). The failure rate is higher for embedded microprocessors glued into security systems, elevators and medical devices: 34 percent won't make it. Not to mention 52 percent of PCs.

    A penchant for secrecy isn't helping. The military yanked a database listing its computer systems from the Internet in January. They soon classified it "at the Secret level on February 4, 1998," the Defense Department says. Three months later, it's still unavailable even to authorized users because "detailed access and security procedures" are still being developed.

    The GAO report concludes: "Until Defense supports remediation efforts with adequate centralized program management and oversight, its mission-critical operations may well be severely degraded or disrupted as a result of the Year 2000 problem." Translation: Oops.

from http://www.cnn.com/US/9810/17/pentagon.waves.ap:

Report: Radio waves from U.S. military hardware making waves overseas

October 17, 1998
Web posted at: 7:10 p.m. EDT (2310 GMT)

WASHINGTON (AP) -- U.S. military technology deployed overseas is disrupting emergency telephone service in some countries and causing other telecommunications glitches, annoying allies and incapacitating some weapons, a defense industry publication reports.

Quoting an internal Defense Department review, Defense Week said multibillion-dollar systems -- such as Patriot missile defenses and Predator unmanned aerial vehicles -- won't work to their full capabilities in some countries and, in others, can't be used at all.

That's because their radio waves clash with same-frequency users in host nations, the newsletter said in its edition to be published Monday.

"At least 89 telecommunications systems ... were deployed within the European, Pacific and Southwest Asian theaters without the proper frequency certification and host-nation approval," it quoted the Defense Department's inspector general's report as saying.

This has caused telecommunications disruptions in Germany, Japan, South Korea and Bahrain.

Billions of dollars worth of equipment "cannot be utilized to its full capability ... In some cases, fully functional equipment sits idle while its useful life expires," the report said.

Pentagon addressing the problem

Pentagon officials said in written responses to the audit that they generally agreed with the criticism. They added that steps were being taken to deal with the problem, which they conceded was serious.

The officials said a key problem was that the United States has little control over which radio frequencies host countries allocate to other purposes, and that often these change after the systems are deployed.

The Patriot missile system's radios, radars and data-link terminals have interfered with Korean cellular phones. Pagers used by U.S. forces in Japan clash with Japanese aeronautical systems. In Germany, infant crib monitors used on U.S. bases have clashed with German telephone service, the report said.

In Bahrain, SPS-40 and SPS-49 radars "are unusable because the equipment operates on a frequency that interferes with the Bahrain telecommunications services," the report said.

Unless the conflicts are resolved, it said, some U.S. air defense systems may be unable to do their jobs.

Host nations are angry about the disruptions, the report said. Germany has passed a law allowing it to confiscate U.S. equipment using frequencies not approved and to arrest the user.

And Saudi Arabia barred the United States from using a $1.4 million satellite-communications device because it had not gotten frequency rights.

from TPDL 1999-Apr-10, from the Associated Press, by H. Josef Hebert:

Lab sold $3 million in misleading radar licenses, House report says

WASHINGTON (April 9, 1999 9:48 p.m. EDT http://www.nandotimes.com) - A government research facility sold $3 million in licenses to develop a new radar technology but didn't tell buyers the patent was in dispute and the radar did not meet federal requirements, a congressional report said Friday.

The report by the House Science Committee asserted that as many as 30 investors, among them many small start-up companies, were misled by the Lawrence Livermore National Laboratory, where a scientist filed a patent on the technology in 1993.

Each licensee paid $100,000 for the right to develop the technology known as "impulse" or "ultrawide band" radar for a variety of commercial purposes from home security systems to inspecting bridge abutments.

Many discovered later the laboratory's patent had been challenged by an Alabama scientist, who claims to have patented the technology in 1987. They also found out the Federal Communications Commission would not pass the technology because its signals interfere with other operations that use the nation's airwaves.

Reps. George Brown, D-Calif., and Bud Cramer, D-Ala., demanded Friday that the Energy Department investigate the commercialization of the so-called micropower pulse radar, or MIR, and the patenting dispute that remains under review by the Patent and Trademark Office.

The congressmen said the matter raises serious questions about technology transfers at federal research laboratories, where government scientists and private industry work together to develop commercial uses for groundbreaking technologies.

"There is sufficient information to suggest that (Livermore) personnel engaged in activities that do not live up to the high professional and ethical standards expected of a federally funded entity," the congressmen wrote Energy Secretary Bill Richardson.

Thomas McEwan, the former Livermore scientist who claims MIR, has insisted his technology differs significantly from the technology patented by Larry Fullerton, the scientist from Huntsville, Ala. Fullerton claims McEwan was tipped about the technology at a conference in 1990 where two papers describing Fullerton's findings were discussed.

McEwan, who has left Livermore and runs his own company developing MIR, told a colleague in a letter last year that "the idea of MIR came ... in a flash of inspiration" and had nothing to do with the 1990 meeting, according to congressional investigators.

The U.S. Patent and Trademark Office sided, at least in part, with Fullerton last year and found that 12 of the 20 patents filed by Livermore were based on Fullerton's earlier patents. An appeal of that decision is pending.

C. Bruce Tarter, the federal laboratory's director, contends the Fullerton and McEwan devices differ sufficiently to lead him to believe the Livermore patents will be found valid. Livermore "proceeded in good faith to license MIR technology based on valid patents," Tarter wrote Brown last September.

McEwan, as the inventor of MIR, is believed to have received at least one-third of the licensing proceeds, and the rest went to the laboratory, investigators said. He could not be reached Friday for comment.

House investigators said they found substantial evidence that Livermore officials were far from candid about MIR when they aggressively marketed the technology to private businesses.

The lab claimed MIR could immediately be incorporated into commercial products in the form of a chip for no more than $20 per device, investigators said, citing promotions to potential buyers.

When the lab submitted McEwan's invention for the prestigious National Medal of Technology award, it said the new radar "harnesses the speed of light, ... all for $10, doing what used to require equipment costing $40,000." McEwan won the award.

When companies signed up for licenses at $100,000 each, they were not told of the shadow hanging over the MIR patent, nor of the FCC's reservations about the technology.

But investigators found evidence that in 1994 McEwan was told by a senior FCC official in clear terms that the MIR technology would run into problems. He was told the equipment was prohibited under FCC regulations and would require a waiver, that it encroached on some restricted broadcast bands reserved for emergency use, and that without an FCC waiver devices containing the technology could not be sold legally.

a Usenet article:


Article 104157 of misc.survivalism:
From: tcmay@got.net (Tim May)
Newsgroups: comp.software.year-2000,misc.survivalism,scruz.general
Subject: The Panic Begins in a Few Months
Date: Sun, 02 Aug 1998 09:32:35 -0700
Organization: Cypherpunks
Lines: 93
Message-ID: <tcmay-0208980932380001@santacruz-x2-3-149.got.net>
References: <35c33dbb.0@news-out2.newsnerds.com>

In article <35c33dbb.0@news-out2.newsnerds.com>, "shek borkowski"
<sborkowski@dmci.net> wrote:

> "Our goal is not perfection. Our goal, ***if*** we are really successful,
> will be that disruptions will be minimal and inconvenience will be minor."
> from Reuters "North American power council sees Year 2000 readiness" July
> 28, 1998.
> 
> So, if it's less than perfect, we will have major disruptions and
> inconvenience.

I think we're seeing signs of a shift in "official" pronouncements from
"it will be fixed because we are Americans and we know how to get things
done" to "we will try to minimize the consequences of failure."

Hamre is talking about DOD problems and possible martial law, Koskinen is
admitting that remediation efforts are way, way behind schedule, and
Bennett is hearing more testimony that major industries and most of the
rest of the world are essentially making no progress.

A few months ago the popular press was basically just discovering the Y2K
problem, with reporters slowly convincing their editors that Y2K deserved
more coverage. Predictably, the focus of many of these reports was on
"survivalists" (e.g., catchy but insulting titles like "The Great Geek
Migration"). Those who took prudent steps to have food and water and
personal protection were portrayed as high tech versions of Ted Kaczynski,
holed up in their mountain bunkers waiting to shoot the marauding "spiky
hairs" and "cannibal welfare mutants." Ever trendy, "Wired" magazine has
in the current issue an article on these "gun nut survivalists," including
a visual on a geek/nerd sitting amongst his bags of grain and stockpiles
of canned food and survival supplies. Makes for good press.

Call this Phase One: Alerting the sheeple that _something_ is out there.

I expect the tone of reports in the next few months to be grimmer, as the
tone of Koskinen, Hamre, Bennett, Horn, and others cannot be ignored.

This will affect markets. Probably around October, November.

My prediction, made months ago, is that the Trigger Event may be the
absence of any credible bids by industry to fix the colossal IRS problems.
As we all know from Gary North's articles from last summer, the IRS
admitted it could not tackle this massive problem and sent out a bid
request to the major software companies (EDS, Computer Sciences Corp.,
IBM, Boeing, etc.). The bids are due October 1, 1998, a mere two months
from now. The fixes to the IRS system are due by June 1, 1999...this to
give them a "30 day safety margin" and "time for testing" before D-Day:
the start of FY 00 on July 1, 1999. As Paul Milne would put it:
BWWAAHAAAA! There is absolutely no way a contractor could get the
contract, hire the additional programmers (tens of thousands of them?),
make the changes, upgrade hardware and mainframes and minis, install the
changes, test the new code...probably not in six or eight _years_, and
certainly not in FIVE OR SIX MONTHS!!!!

(As we all know, _testing_ is usually as big a part of changing a large
program as making the actual changes is. The 6 months for this IRS process
is absurd for many reasons. Testing the changes is only one of them.
Probably a showstopper, though.)

These outside contractors will realize that essentially no amount of money
could let them do all that needs to be done to fix the massive IRS
problems in the several months they'll have between the awarding of the
contract and the hard due date...so they won't bid. At least not credibly.
(I.e., they may "sandbag" their bids to say they'll complete the fixes by,
say, 2003 or so, and with no guarantees that the changed code will run on
existing IRS computers, blah blah. This is obviously equivalent to "IRS
shuts down for several years." A good thing to many of us, but not
something the government can accept.)

This will add to the realization that "awareness" of the Y2K problem is
coming many years too late, that the problems are not about awareness and
team spirit but about the sheer difficulty of actually fixing hundreds of
millions of lines of code, millions of small business systems, and dealing
with the rest of the world (which is more concerned with mounting local
and "right now" problems than it is with solving "future" problems which
lie _months_ off in the future).

The panic will start in earnest in just a few months.  Oh, and the panic
will not help remediation efforts...it will only make things worse. This
is why I focus on something I can do something about: personal
preparedness.

Your longevity may vary.

--Tim May

-- 
Just Say No to "Big Brother Inside"


---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^3,021,377   | black markets, collapse of governments.

from email of 1998-Dec-7, from Business Week:

Y2K Is Worse Than Anyone Thought

Business Week Dec 14th -- "The final reckoning for the bug could hit $1 trillion. People have been sounding the alarm about the costs of the millennium bug--the software glitch that could paralyze computers come Jan. 1, 2000--for a couple of years. Now, the hard numbers are coming in and, if the pattern holds, they point to an even larger bill than many feared just a few months ago.

"The disturbing news: Many (companies) now plan to spend, on average, about 26% more than they thought just months ago. AT&T, for example, had said in early 1997 that it might shell out $300 million. Now, it says it could spend $900 million before Jan. 1, 2000--some $186 million of that in this year's fourth quarter alone. Chase says it will spend $363 million, up 21% from its $300 million second-quarter estimate. And Aetna Inc. is blaming fatter-than-expected Y2K bills -- $195 million instead of the $139 million forecasted last summer -- for a 6.1% drop in third-quarter profits.

"The sad tale of Samsonite Corp. illustrates how costs can mushroom. After spending $10 million to upgrade its computer system to head off the bug, President Tom Sandler proudly assembled some of the troops to unveil the programmers' Y2K handiwork during a dry-run at a distribution warehouse in suburban Denver. 'We had 20 outside consultants working with us, all telling me everything was going to work fine,' recalls Sandler. 'But then I walked down to the loading dock to flip on the switch. Nothing happened.'

"Besides driving up Samsonite's Y2K budget, the glitch messed up the company's entire distribution system, freezing deliveries for the first 20 days of July and hampering operations for months afterward. As a result, many stores were unable to get shipments of suitcases, duffle bags, and computer cases for the busy back-to-school season. Some systems were giving out incorrect information--including sending trucks to the wrong stores and forklifts to the wrong locations in the plant. The tally: In the second and third quarters, the Y2K snafu ate up roughly $4 million in profits and scuttled $10 million in sales."

from TPDL 1998-Nov-27, from USA Today:

Pentagon exaggerated Y2K readiness

WASHINGTON - The Pentagon office responsible for monitoring nuclear stockpiles and coordinating emergency nuclear responses falsified readiness reports on the Year 2000 computer problem, military officials have acknowledged. The Defense Special Weapons Agency claimed that three critical computer systems were fully prepared to face the computer crisis despite never conducting necessary testing, and agency officials neglected to develop required contingency plans that would take effect if any systems failed. But Pentagon defenders say the exaggeration will become reality before the millennium, and the public shouldn't worry.

Read "The Bug in the Bomb: The Impact of the Year 2000 Problem on Nuclear Weapons" by Michael Kraig, Research Report 98.6 (November 1998) from the British American Security Information Council

from Reuters 1999-Mar-1:

Hackers Seize UK Military Satellite

LONDON (Reuters) - Hackers have seized control of one of Britain's military communication satellites and issued blackmail threats, The Sunday Business newspaper reported.

The paper, quoting security sources, said the intruders altered the course of one of Britain's four satellites which are used by defense planners and military forces around the world.

The sources said the satellite's course was changed just over two weeks ago. The hackers then issued a blackmail threat, demanding money to stop interfering with the satellite.

``This is a nightmare scenario,'' said one intelligence source. Military strategists said that if Britain were to come under nuclear attack, an aggressor would first interfere with military communications systems.

``This is not just a case of computer nerds mucking about. This is very, very serious and the blackmail threat has made it even more serious,'' one security source said.

Police said they would not comment as the investigation was at too sensitive a stage. The Ministry of Defense made no comment.

from http://www.y2ksupply.com/bankchart.htm:

[Chart: total $ in circulation, deposit obligations, and actual cash reserves]

Explanation: This chart shows why Y2K might cause a worldwide bank run crisis if the general public becomes frightened about the shortage of cash reserves (let's hope this doesn't happen, it would have serious long-term consequences...)

Total $ in circulation is the total cash (green paper dollars) in circulation around the world. Approximately 1/3 of this is in circulation in the United States according to Federal Reserve estimates. The amount is $480 billion.

Deposit obligations is the total dollar amount that U.S. banks owe to depositors. This is the amount people "think" they have safely saved in their checking and savings accounts. The amount is $3.7 trillion.

Actual cash reserves is the amount that U.S. banks actually have on hand as cash. The actual figure is $43.2 billion.

What it all means: First, look at the difference between actual cash reserves and deposit obligations. The ratio is 1.17%. That means for every $100 you think you have in the bank, that bank, on average, actually has only one dollar and seventeen cents. You can see from the chart that actual cash reserves would have to increase by a factor of almost 100 in order to meet the deposit obligations.

Furthermore, the total $ in circulation, which is indirectly controlled by the Fed, isn't even enough to meet the deposit obligations. From this comparison, you can also see that even though the Fed is promising to put an additional $200 billion into circulation between now and 2000, that's hardly a blip on this chart.

The only thing that can save this system from collapse is if the public maintains confidence in the system and does not withdraw funds. Fractional reserve banking is, by definition, unable to meet the deposit obligations of all depositors simultaneously. The reason Y2K has the Fed rightfully frightened is that Y2K hits everybody at the same time. While on any normal day, only a certain minority of people are suffering some kind of financial crisis and need their cash; on January 1, 2000, almost everyone will want some extra cash.

Note: Y2KSUPPLY.COM provides this information for awareness purposes only. It does not wish banking failures to occur. In fact, the failure of our banks and our Federal Reserve system would be extremely harmful to our quality of life and would obviously put Y2KSUPPLY.COM out of business. This information is provided in the hopes that some solution may be found to alleviate or prevent the collapse of worldwide banking.

from Reuters, May 1998, "RISK OF ACCIDENTAL NUCLEAR ATTACK RISING, REPORT SAYS"

Citing what they call the steadily deteriorating condition of Russia's nuclear command system, scientists report in today's 'New England Journal of Medicine' that the risk of millions of Americans dying from an accidental attack by a single Russian nuclear submarine is rising.

The scientists picked a submarine scenario because the Russians have had trouble with the sub force historically, and because authorities believe that a launch based on a false warning of a nuclear attack would be the most plausible scenario for an accidental attack.

If a single Russian nuclear sub, armed with 16 missiles carrying 48 100-kiloton warheads with a 5,150-mile range, were to launch against the continental U.S. from the Barents Sea, researchers estimate 6.83 million people located in Atlanta, Boston, Chicago, New York, Pittsburgh, San Francisco, Seattle and Washington D.C. would be instantly killed by the thermonuclear blasts. Additionally, millions would perish as a result of radiation injuries, and such an attack would plausibly trigger a U.S. nuclear response.

Both the U.S. & Russia maintain their nuclear arsenals on high alert, researchers say.

In the words of the study's lead author, Dr. Lachlan Forrow of Beth Israel Deaconess Medical Center, "During a period when Russia is not even our adversary, this is politically, medically, and morally obscene."

The report on this study is the first salvo in a campaign called 'Abolition 2000', which has a simple goal: a signed global agreement by year 2000 committing the world to the permanent abolition of nuclear weapons within a specific time frame.

This isn't exactly about computer glitches, but the above item about accidental nukes makes a good segue to the below item. The key commonality is that Mutually Assured Destruction is still around because the US government has prevented progress toward deployment of a bona fide ABM system (SDI), and the asteroid/comet threat is still around because the US government has prevented progress toward a thorough cataloging of comets and asteroids. The following item makes this unavoidably clear; you'll know when you've come across the paragraph I'm talking about. By preventing appropriate defensive measures, the US government is perpetuating "pervasive fear and dread."

Experts Say Asteroid Danger Is Real

PAUL RECER, AP Science Writer
21 May 1998

WASHINGTON (AP) -- A mile-wide asteroid could smash the Earth, causing widespread death and destruction, and ``we wouldn't even know it was coming,'' an expert told a congressional panel Thursday.

Such an asteroid, striking the planet at thousands of miles an hour, would ``threaten the future of modern civilization'' by darkening the sky for a year, causing widespread starvation by destroying food crops and directly or indirectly killing millions of people, said Clark R. Chapman, an asteroid expert with the Southwest Research Institute in San Antonio.

Testifying at a hearing of the House Science Committee's panel on space and aeronautics, Chapman said a mile-wide asteroid would gouge a crater bigger than Washington, D.C., and deeper than 20 Washington Monuments piled on top of each other.

Chapman said the chances of such an asteroid striking the Earth next year are one in a few hundred thousand, but this ``is more likely to happen than that the next poker hand you are dealt will be a royal flush.'' The odds for such a poker hand are about 649,000 to one, he said.

A person's lifetime chances of being killed by an asteroid, of any size, are about one in 20,000, said Chapman. He noted the odds of being killed by an asteroid are about the same as the risk of dying in a passenger aircraft crash, but more likely than being killed by a tornado or a flood.

The scientist said that an asteroid much smaller than a mile wide exploded over Tunguska, Siberia, in 1908 and the shock wave flattened trees across an area larger than New York City. Such a burst over a major city, he said, could kill millions instantly.

Chapman and other experts said that the Earth's only protection from such a space bombardment is to search the skies, find asteroids apt to hit the Earth and then rocket out bombs that would divert the space rocks away from the planet.

With a 10-year warning, ``we could probably save ourselves,'' said Chapman. ``At the very least, we could evacuate ground-zero and save up food supplies to weather a global environmental catastrophe.''

But he said that little effort is being put out to find Earth-threatening asteroids and only about 10 percent of an expected 2,000 near-Earth objects have been identified and tracked.

Rep. Dana Rohrabacher, R-Calif., the committee chairman, pressed Chapman on his statement that a killer asteroid could hit without warning.

``Yes,'' said Chapman. ``A mile-wide asteroid could hit tomorrow and we wouldn't even know it was coming.''

Rohrabacher said that a committee led by the late asteroid expert Eugene Shoemaker recommended five years ago that the National Aeronautics and Space Administration start a systematic effort to search out, identify and plot all asteroids that pose a threat to the Earth. The report said the effort would cost about $5 million a year, but the congressman said the space agency has done little to follow up on that recommendation.

Also, he said, an Air Force asteroid mission was canceled last year after President Clinton used his line-item veto against the project.

In response, Carl Pilcher, NASA's science director for solar system exploration, told the panel that his agency a year ago recognized it was not spending enough to complete a comprehensive survey of Earth-threatening asteroids. Pilcher said, however, that NASA has six missions either planned or under way to explore, land on and sample asteroids. He said this work is essential for science to understand how best to divert threatening asteroids.

Copyright 1998 by The Associated Press

Here for laughs:

United States House of Representatives
Committee on Science
F. James Sensenbrenner, Jr., Chairman
George E. Brown, Jr., California, Ranking Democrat
www.house.gov/science/welcome.htm

March 11, 1999

Press Contact: Jeff Lungren (Jeff.Lungren@mail.house.gov) (202) 225-4275

DELUSIONS OF GRANDEUR: VICE PRESIDENT GORE TAKES CREDIT FOR CREATING THE INTERNET

Sensenbrenner: "I had no idea!"

WASHINGTON, D.C. - House Science Committee Chairman F. JAMES SENSENBRENNER, JR., (R-WI) today expressed surprise at learning Vice President Al Gore is taking credit for creating the Internet.

"Having served with the Vice President for four years on the Science Committee, I must admit I had no idea my friend Al Gore created the Internet. I know he was involved in a lot of big projects like accomplishing the 'strategic goal of completely eliminating the internal combustion engine' (Earth in the Balance, p. 326), but I was totally unaware of his Internet creation," Sensenbrenner said.

In an interview that aired March 9, 1999 with CNN's Wolf Blitzer, Gore said, "During my service in the United States Congress, I took the initiative in creating the Internet."

The Internet's initial development, a system called ARPANET, heretofore had been credited to scientists in the 1960's, with approximately thirty universities having ARPANET by 1971. Al Gore did not serve in Congress until 1979.

"Vice President Gore taking credit for creating the Internet certainly gives new meaning to the term 'March Madness,'" added Sensenbrenner.

from the Economist, 1999-Feb-20:

Software that has been developed by thousands of volunteers and is given away is often better than the stuff for sale

WHEN Silicon Valley nerds stage a demonstration, it is usually to show off new technology. But when a hundred of them gathered on February 15th, on top of a parking garage next to Microsoft's Silicon Valley offices, it was to protest against the ``Windows tax''. Computer users, they argue, have to pay dues to Microsoft, because almost all PCs come with Windows. Consumers who use another operating system, such as Linux, should get a refund.

Microsoft offered the protesters soft drinks, but no cash. However they will not be so easily brushed aside. Linux is the most successful example of software developed by a loose fraternity of volunteers rather than a firm's in-house programmers. This ``open-source'' software challenges the way the software industry - and Microsoft in particular - has always gone about its business.

Several big software firms, such as Informix and Oracle, have recently released products that run on Linux. This has helped Linux almost to triple its share of the market for server operating systems, to 17.2% last year, outpacing even Windows NT, according to International Data Corporation, a consultancy (see chart). Linux now has 7.5m-10m users. It will get a further boost in March when IBM launches full backing for the free program.

But Linux's main significance may be its proof of the advantages of open-source software. Sun Microsystems has adopted a variation of open-source for its Java and Jini technologies, and is considering the same for its Unix operating system, Solaris. IBM is already using open-source for some products, including an e-mail program. If it wins its antitrust case against Microsoft, the Department of Justice might try to end the company's monopoly of PC operating systems by making Windows more like an open-source program.

The Internet has allowed open-source programming to flourish. Without it, it would have been impossible for thousands of volunteer programmers in different countries to collaborate. The Internet makes it possible to distribute the results of their labour anywhere at almost no cost.

Companies using the Internet often rely on open-source software for ``mission-critical'' tasks. Yahoo!, the world's most popular website, uses an open-source operating system called FreeBSD, a web-server program called Apache and the programming language Perl. Without collectively written code, the Internet would disintegrate: Apache runs on 53% of all web servers, and Sendmail routes 78% of all e-mail.

The beauty of the bazaar

Open-source software is the fruit of creative anarchy. With almost all software, programmers first write the ``source code,'' the actual set of instructions, which is then translated into ``binary code'', a form that computers can easily handle. Because this procedure, called compilation, is hard to reverse, firms can sell a program without revealing the instructions that underlie it - rather as Coca-Cola can market soft drinks without giving away its secret recipe.

In the early days of computing, software usually came complete with its source code. Pioneers needed to tweak their programs and shared improvements freely. It was only in the 1970s, as computing spread, that firms such as Microsoft started to withhold the source code, making software truly private. It became highly profitable to sell programs shorn of their source code.

Many early programmers were unhappy. Proprietary software was ``spiritually wasteful'' because it discouraged co-operation. One such, Richard Stallman, founded the Free Software Foundation in 1983. Mr Stallman developed ``copyleft'', the mirror-image of copyright. You can do what you want with the programs, which come with a sort of public licence - even sell your own version. However, the source code must stay open. And the licence is ``viral'', preventing the combination of copyleft and proprietary code.

Open-source programming is more like academic work than business. And just as the disclosure of theories and empirical data usually produces good science, so published code leads to better software. The programmers are motivated not chiefly by money, but by reputation. It is a coup to write ``patches'' that pass the scrutiny of fellow hackers and get incorporated in the next version of a program. Increasingly, there are longer-term financial rewards too. O'Reilly & Associates, which sells manuals for open-source programs, employs Brian Behlendorf, who developed Apache, and the creator of Perl, Larry Wall.

This unusual economy is regulated by a set of unwritten rules, according to Eric Raymond, its leading intellectual light. The programmers are mostly governed by a ``benevolent dictator'', such as Linus Torvalds, the founder of Linux, who has the final say about which ``patch'' makes it into the program. Tampering with the file that lists the contributors to a program amounts to a high crime.

``Given enough eyeballs, all bugs are shallow,'' says Mr Raymond. In ``The Cathedral and the Bazaar'', the manifesto of the open-source movement, he argues that the proprietary model has reached its limits. His case in point is Microsoft's biggest-ever cathedral, Windows 2000. Microsoft keeps delaying the release because the architects and stonemasons swarming all over it are struggling to rid it of bugs.

By contrast the legion of unco-ordinated contributions to Linux, made in the bazaar, has created an operating system that gets top marks for reliability and performance. It is free and adaptable. And it liberates firms from the program-release schedules of software suppliers, which are often inconvenient and late.

Yet there are drawbacks. Big software companies have every reason not to go open-source. Hackers might also not be keen to work alongside the likes of IBM and Sun; many are strongly anti-commercial. There is also the danger of ``forking'' - when a group falls apart and incompatible versions of a program emerge - as has happened to one operating system, BSD Unix, when personality conflicts led to splits. Few managers will bet their companies on the product support they receive in news groups on the Internet.

Hence the importance of the commercial fringe to open-source software. Numerous service companies, such as Caldera, Red Hat and S.u.S.E, have built a business out of making Linux easier to install. Eric Allman, the ``benevolent dictator'' of Sendmail, has set up a company that supports the open-source development of the program, while selling a commercial version and services to support it.

Software companies are also trying to adapt open-source - though purists are not pleased. When Netscape released the source code of its web browser in March 1998, it wanted to involve other companies. The project's licence allows contributors to keep code they supply for the browser secret under certain circumstances.

Sun has tackled the danger of different, non-compatible versions - not least because it is afraid that Microsoft could hijack its technologies. Anyone can download the Java and Jini source codes, thus becoming a member of the club of developers. But this membership comes with obligations. Changes to the original code, for example, have to pass a compatibility test.

It is too early to say whether such approaches will work. But open-source is here to stay. Perhaps the software industry will eventually look a bit like a highway. The infrastructure (operating systems, networking technologies) will be largely a public good, while services (support, training) and specialised applications are for sale. Just don't expect Bill Gates to like the idea.

A few brief comments on the foregoing are in order. First of all, the Economist is Bilderberg. Bilderberg cares about Linux. Bilderberg likes concepts like volunteerism, co-operation, collaboration, collectivization, and reputation motivation. Second, the solution I have long since enunciated for situations like the onerous Microsoft monopoly is court-ordered open source. In fact, I support a system in which all software protected by the courts (by copyright law) must be open source. Third, my computers are an entirely open-source affair. This web server runs Apache. My workstation runs NetBSD (one of the three BSD splinter factions). My editor is Gnu emacs (Stallman's tour de force). In fact, I have source for everything on my machines. This is prompted both by the desire for quality and the desire for security.

from the Federal Times, 1999-Sep, by Stephen Trimble:

Top Officials Seek Alternatives to Microsoft

Concerned about security and an excessive reliance on Microsoft software, senior administration officials plan to diversify the types of operating systems software purchased by the government.

The National Security Council soon will create a new office to assess the ways federal agencies could make greater use of open-source, or nonproprietary, software that is freely available to anyone and has codes that are not secret.

"One of the areas we are very interested in looking at is open-source code," a senior White House official told Federal Times.

The effort ultimately could affect the types of software the government purchases for network servers and desktop applications.

The government will buy $2 billion worth of software in 2000, according to Federal Sources Inc., of Fairfax, Va., a market research company.

The initial purpose of the new software assessment office will be to identify agencies and programs that will be candidates for trials of open source software, said the White House official, who asked not to be identified.

The General Services Administration and the National Institute of Standards and Technology also are involved in creating the office. Its location still is to be decided.

The new office will assess the costs and benefits of using open-source software to operate many government computers. Also to be determined are the cost and technical obstacles to communication between systems using open-source and the proprietary software now in use.

The White House official declined to say how extensive is the administration's plan to diversify its reliance on operating systems software. A chief reason for the effort, according to advocates, is to address concerns that Microsoft operating systems are vulnerable to malicious computer viruses and hacker attacks. This is partly because the Microsoft software is proprietary and security vulnerabilities are more difficult to find and correct, said Przemek Klosowski, a NIST physicist and leader of the Washington, D.C., Linux User's Group.

"Government should be vendor-neutral, and the government should not formulate IT requirements that say only a single vendor is applicable," Klosowski said.

Klosowski said Linux is used on a limited basis for computer research applications at Energy Department laboratories, NASA, NIST and the Defense Department.

"I don't know of any large government Linux contracts," he added.

Another purpose of adopting different types of software is to diversify the government's inventory of operating systems, so not all are vulnerable to the same viruses and attacks, the White House official said.

Linux, an open-source operating system similar in functionality to Microsoft Windows, is being given serious consideration as an alternative for government computer users, the official said.

Access to the Linux source code "gives us some confidence," the White House official said, adding that it simplifies patching security breaches and correcting routine errors.

Created by a Finnish graduate student named Linus Torvalds in 1991, Linux's open code is relentlessly scrutinized and tested by tens of thousands of systems analysts worldwide, who constantly recommend improvements, Klosowski said.

As a result, Linux boasts a robust code that rarely malfunctions and is extremely difficult for hackers to crack, Klosowski said.

Microsoft, on the other hand, keeps its code secret and makes upgrades to its products on a yearly basis, he said.

Microsoft software products have been the target of numerous computer viruses.

One of the best known was the Melissa virus that struck thousands of government and nongovernment computers in March by exploiting vulnerabilities in Microsoft Word 97 and Microsoft Word 2000. In June, another virus called ExploreZip targeted vulnerabilities in Microsoft Windows 95, Windows 98 and Windows NT.

Microsoft officials argue their software products meet federal security standards.

Microsoft's main server software, Microsoft Windows NT 3.5, for instance, is certified under the federal security standard known as Federal Information Processing Standard 140-1, said Quazi Zaman, advanced technology manager for Microsoft Federal Systems of Washington, D.C. The newest version of Microsoft's server operating system, called Microsoft Windows NT 4.0, is undergoing certification and is expected to be certified "in the next three months," Zaman said.

Zaman added that Microsoft has been considering making some of its software products open source for two years.

"Open source is a very innovative way to develop software," Zaman said. "The issue is how much of our own code we should put out in the open source environment."

Zaman added that Microsoft likely would be willing to provide the National Security Council with its code for security inspections if it is for national security purposes. So far, he said, the NSC has not asked for access to any of Microsoft's software code.

Zaman argued that government agencies are not excessively reliant on Microsoft products, adding that other software suppliers, namely, database software suppliers, have larger shares of the federal software market.

The project to increase the government's use of open-source operating systems likely will present formidable challenges.

The government already relies extensively on Microsoft products for desktop and, increasingly, server applications. Thus, there are sure to be communications problems between systems that use different software, said John Gilligan, the Energy Department's chief information officer.

The concept also appears to run counter to the government's 3-year-old effort to concentrate on buying commercial, easy-to-use software, said Payton Smith of Federal Sources Inc.

Regardless of security concerns, Smith added, a multitude of software systems within an agency often can lead to interoperability problems.

"The more variations you have in the software, the more problems and the more costs you're going to have," Smith said.

The White House official acknowledged that concerns over costs and interoperability issues must be settled for the project to succeed.

"That's exactly the issues we're looking at," the official said. "Both costs and interoperability are critical issues."

from the Wall Street Journal, 1999-Sep-10, by Lee Gomes:

Beyond Linux, Free Systems Help Build The Web

HERE's a little-known fact about the world's busiest Web site: It runs on a piece of free software. And it isn't the free operating system called Linux.

To serve nearly 80 million people each month, Yahoo! Inc. operates about 1,000 computers that run on FreeBSD, a program distributed without charge over the Internet. FreeBSD is the most popular in a trio of free operating systems -- all historically linked to the University of California at Berkeley -- that are quietly playing a major role in the evolution of the Internet.

Among operating systems, the internal engines that run computers, Linux has stolen the spotlight lately, as supporters hope it will eventually challenge the dominance of Microsoft Corp.'s Windows. The initial public offering of Red Hat Inc., the Linux software vendor, was one of the hottest deals on Wall Street this summer.

But the role of FreeBSD and its cousins shows how free programs keep changing the software world and creating headaches for big established players. Sun Microsystems Inc., a leader in managing big Web sites, is carefully watching the growth of Linux and other free programs. And Microsoft faces a particularly significant challenge, since the Redmond, Wash., company wants its forthcoming Windows 2000 to dominate the "dot-com" world where the freebies are strong.

"With Linux capturing the public imagination, the BSDs have gotten lost in the noise," said International Data Corp. analyst Dan Kusnetzky. "But they are very sophisticated technologies that do a lot of work in the world, even if people don't know about them."

The BSD programs and Linux actually share a common lineage, a collective development process and a rambunctious cast of characters.

The free programs are all variants of the venerable Unix system invented by AT&T Corp. And they aren't just running Yahoo. While Microsoft almost never talks about it, its own Hotmail free e-mail service runs not on its flagship Windows NT but on FreeBSD.

In fact, one recent survey showed that BSD accounted for nearly 15% of all server machines connected to the Internet. Linux leads the pack with 31%, and is the only major operating system making any gains. Windows had 24%.

The Linux saga is already the stuff of modern legend. In 1991, Linus Torvalds, a 21-year-old student in Helsinki, began writing an operating system essentially from scratch so he could have something to use on his home computer. The programs FreeBSD, NetBSD and OpenBSD, by contrast, are the descendants of code written in the late 1970s and early 1980s at UC Berkeley.

Factional battles and online fusillades between and among the various BSDs and Linux are common. OpenBSD was started in 1995 by Theo de Raadt, a mountain-biking 31-year-old Canadian, after being kicked out of the NetBSD movement.

BSD buffs like to think of themselves as a slightly more grown-up version of the "open source" movement, which distributes underlying programming instructions so users can study and modify software. While Mr. Torvalds has full control of Linux, for example, FreeBSD is overseen by a 15-person group called the "Core." What's more, the various BSDs say that their software, by virtue of its head start on Linux, is more mature and stable.

"We didn't write most of this code, so we don't have a lot of ego involved in getting people to use it," says Jordan K. Hubbard, 36 years old, an evangelist for FreeBSD who many people credit for its popularity.

David Filo is one fan. The co-founder of Yahoo says he tried several operating systems before settling on FreeBSD. Now, Yahoo has become a major sponsor. At FreeBSD's first users' convention, to be held next month in Berkeley, Yahoo is paying to fly in some key developers. Mr. Filo said he would still use FreeBSD if he could do it over again, since his team now has so much experience with the software. But for someone starting out, he says, he might recommend Linux. "Right now, there seems to be more energy and resources behind it," he says.

Such sentiments make some people wonder what the future is for the BSDs in a world where Linux is getting most of the "mindshare."

Mr. Hubbard says the ranks of FreeBSD users continue to swell. One reason is that all BSDs are distributed under a license that lets users do almost anything with them -- including put the software into traditional commercial products. The Linux license, by contrast, requires users to make any use of the software -- such as a piece of specialized computer networking gear -- freely available to everyone else. That restriction keeps many companies from using Linux in key products.

It might well make sense for the BSDs to put aside their differences and unite under a common set of specs. But peace may be too much to expect in the free software world. Two of the BSDs tried to merge a few years ago, recalls Charles M. Hannum, a programmer with the NetBSD project. But at a meeting between the two camps, "while everyone agreed it was a good idea," he says, "no one wanted to give anything up, and it just fell apart."



