Saturday, September 17, 2005

MIRLN -- Misc. IT Related Legal News [28 August – 17 September 2005; v8.11]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of KnowConnect, Inc. (www.knowconnect.com) and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.buslaw.org/cgi-bin/controlpanel.cgi?committee=CL320000 (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and in the public materials section of the Cyberspace Committee’s collaboration space at http://lawplace.metadot.com.

**************End of Introductory Note***************

BACK TO THE FUTURE -- CYBERSECURITY AND CRITICAL INFRASTRUCTURE PROTECTION (Steptoe & Johnson’s E-Commerce Law Week, 27 August 2005) – The recent flurry of breach notification legislation in Congress and state legislatures might lead one to think that cybersecurity is all about preventing identity theft and protecting personal information. Broader concerns about protecting “critical infrastructures” from cyber attacks that could cripple their operation just seem so -- so “1990s.” Perhaps it was the fact that the “Digital Pearl Harbor” scenario warned of by some cybersecurity gurus never materialized, or perhaps it was the years of false starts and personnel rollover at the Department of Homeland Security’s cybersecurity shop that led to the broader concerns receiving little attention from policymakers the last four years. Whatever the cause of that period of repose, Washington now appears ready to revive its interest in the critical infrastructure aspects of cyber security -- and in a major way. Several provisions in the mammoth “Energy Policy Act of 2005” (signed by President Bush on August 8) lay out a regulatory scheme to establish cybersecurity standards for power utilities across the country. The provisions mark the first real effort by Congress to impose cybersecurity standards, not for the sake of protecting the privacy of personal information, but for the sake of preventing attacks that could disrupt the functioning of critical infrastructure. And for this reason, companies that own or operate parts of other “critical infrastructures” -- financial institutions, telecommunications companies, and Internet service providers, for instance -- may want to take a close look at the legislation, since parts of it could represent their regulatory future. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=10373&siteId=547

DO YOU MYSPACE? (New York Times, 28 August 2005) -- IT seems a hazy memory, but Keith Wilson, a spiky-haired club promoter, can recall what it was like before MySpace - about two years ago. Back then people had normal names like “Joe” or “Keith.” “People don’t call me ‘Keith,’ “ he said, straining to be heard as cascades of power chords rumbled from the stage at Boardner’s, a club just off Hollywood Boulevard, on a mid-August Wednesday night. “They call me ‘Keith 2.0,’ because that’s my MySpace name. That guy over there, he’s ‘Joeymachine.’ Everyone has a MySpace name now.” “I conduct my entire business through MySpace,” said Mr. Wilson, 25, who relies on MySpace.com, a social-networking Web site, to orchestrate his professional and personal schedule and is no longer sure he needs an America Online account or even a telephone. Created in the fall of 2003 as a looser, music-driven version of www.friendster.com, MySpace quickly caught on with millions of teenagers and young adults as a place to maintain their home pages, which they often decorate with garish artwork, intimate snapshots and blogs filled with frank and often ribald commentary on their lives, all linked to the home pages of friends. Even with many users in their 20’s MySpace has the personality of an online version of a teenager’s bedroom, a place where the walls are papered with posters and photographs, the music is loud, and grownups are an alien species. Although many people over 30 have never heard of MySpace, it has about 27 million members, a nearly 400 percent growth since the start of the year. It passed Google in April in hits, the number of pages viewed monthly, according to comScore MediaMetrix, a company that tracks Web traffic. (MySpace members often cycle through dozens of pages each time they log on, checking up on friends’ pages.) According to Nielsen/NetRatings, users spend an average of an hour and 43 minutes on the site each month, compared with 34 minutes for facebook.com and 25 minutes for Friendster. http://www.nytimes.com/2005/08/28/fashion/sundaystyles/28MYSPACE.html?ex=1282881600&en=0a3ebdaf0f4ac4da&ei=5090&partner=rssuserland&emc=rss

P2P USERS TRAVELING BY EDONKEY (CNET, 28 August 2005) -- A new study by ISP network service CacheLogic suggests that file swappers around the world are converging on a new favorite technology, possibly in response to pressure by Hollywood studios. Last year, British company CacheLogic said BitTorrent--a peer-to-peer technology optimized for downloading large files--was accounting for more than half of all the file-swapping traffic on Internet service provider networks around the world. A year later, peer-to-peer traffic in general continues to account for the majority of data traffic on ISP networks, usually between 50 percent and 70 percent of the total, the company said. But BitTorrent has been overtaken by usage of eDonkey, a rival with more power to search for content, but with similar speedy download features. “That seems to be the trend most of the way around the globe, apart from Asia where there is a lot of BitTorrent,” said Andrew Parker, CacheLogic’s chief technology officer. “BitTorrent traffic levels are in decline.” The study, CacheLogic’s second comprehensive survey of the traffic that runs over its ISP clients’ networks, is an indication that file swapping remains a powerful force online around the world. Overall, peer-to-peer traffic accounted for 60 percent of the data traveling through networks around the world at the end of 2004, the company said. http://news.com.com/2100-1025_3-5843859.html

ARIZONA HEARS THE CALL OF IP TELEPHONY (GCN, 29 August 2005) -- For Arizona’s 114 state agencies, moving from antiquated phone systems to a converged voice over IP network wasn’t merely a good idea, it was the law. In 2003, the Arizona State Legislature approved a bill mandating that state agencies replace their aging telecommunications infrastructure with modern IP-based networks. So far, nine state agencies, employing some 5,000 users, have made the switch to IP telephony. Included in that number are some of the state’s biggest organizations, among them the departments of Revenue, Education, Commerce and Corrections. Their primary motivation? To save taxpayer money, of course. But along the way, the state discovered that a converged network not only increases efficiency and boosts security, it helps to create a government more responsive to the needs of its constituents. For example, Mayer’s staff developed a custom XML application that allows Commerce staffers to access their Outlook address books, department directories and group calendars from their phones. http://www.gcn.com/24_25/tech-report/36789-1.html

SAMPLING FINDS FEDERAL DATA MINING FAILS TO ASSURE PRIVACY PROTECTIONS (SiliconValley.com, 29 August 2005) -- None of five federal agencies using electronic data mining to track terrorists, catch criminals or prevent fraud complied with all rules for gathering citizen information. As a result, they cannot ensure that individual privacy rights are appropriately protected, congressional investigators said Monday. The agencies’ lapses either ``increased the risk that personal information could be improperly exposed or altered’’ or ``limited the ability of the public -- including those individuals whose information was used -- to participate in the management of that personal information,’’ the Government Accountability Office said. A study by the GAO, Congress’ investigating arm, sampled five of the dozens of federal agencies that use computerized data analysis: the Agriculture Department, FBI, Internal Revenue Service, Small Business Administration and State Department. It evaluated how one data mining activity in each agency complied with the Privacy Act, federal information security laws and government directives. The ranking Democrat on the Senate government management subcommittee, Daniel Akaka of Hawaii, who requested the study, said the findings represent ``a troubling trend given the number of data mining activities in the federal government that use personal information.’’ In May 2004, a GAO survey found that federal agencies were using or planning 199 data mining projects, including 122 that used personal information, including credit reports, credit card transactions, student loan application data, bank account numbers and taxpayer identification numbers. This time, GAO looked at:
--an Agriculture Department Risk Management Agency effort to detect fraud in federal crop insurance.
--a State Department-General Services Administration program to police how employees use government charge cards.
--the FBI Foreign Terrorist Tracking Task Force’s effort to locate terrorists in the United States.
--the IRS’ Reveal system to detect financial crimes, fraud and terrorist activity.
--the SBA’s system to measure and manage risk in two loan programs.
The GAO found only three had prepared privacy impact assessments of their data programs, and none of those complied with all Office of Management and Budget guidance. http://www.siliconvalley.com/mld/siliconvalley/business/technology/12507991.htm

HOLLYWOOD, MICROSOFT ALIGN ON NEW WINDOWS (CNET, 30 August 2005) -- As Microsoft readies the next version of its Windows operating system, called Vista, the software giant is building in unprecedented levels of safeguards against video piracy. For the first time, the Windows operating system will wall off some audio and video processes almost completely from users and outside programmers, in hopes of making them harder for hackers to reach. The company is establishing digital security checks that could even shut off a computer’s connections to some monitors or televisions if antipiracy procedures that stop high-quality video copying aren’t in place. In short, the company is bending over backward--and investing considerable technological resources--to make sure Hollywood studios are happy with the next version of Windows, which is expected to ship on new PCs by late 2006. Microsoft believes it has to make nice with the entertainment industry if the PC is going to form the center of new digital home networks, which could allow such new features as streaming high-definition movies around the home. PCs won’t be the only ones with reinforced pirate-proofing. Other new consumer electronics devices will have to play by a similar set of rules in order to play back the studios’ most valuable content, Microsoft executives say. http://news.com.com/2100-1025_3-5844393.html

SEC MAY FINE MORGAN STANLEY $10 MILLION OVER E-MAIL (CNET, 30 August 2005) -- The Securities and Exchange Commission is threatening to fine Morgan Stanley more than $10 million for failing to keep e-mails in a number of cases the agency brought against the brokerage firm. The fine, if levied, would be one of the biggest monetary penalties ever paid by a Wall Street brokerage firm for failing to preserve records, the Wall Street Journal reported on Tuesday. http://news.com.com/2100-1030_3-5844536.html

U.S. ATTORNEY’S PORN FIGHT GETS BAD REVIEWS (Law.com, 30 August 2005) -- When FBI supervisors in Miami met with new interim U.S. Attorney Alex Acosta last month, they wondered what the top enforcement priority for Acosta and Attorney General Alberto Gonzales would be. Would it be terrorism? Organized crime? Narcotics trafficking? Immigration? Or maybe public corruption? The agents were stunned to learn that a top prosecutorial priority of Acosta and the Department of Justice was none of the above. Instead, Acosta told them, it’s obscenity. Not pornography involving children, but pornographic material featuring consenting adults. Acosta’s stated goal of prosecuting distributors of adult porn has angered federal and local law enforcement officials, as well as prosecutors in his own office. They say there are far more important issues in a high-crime area like South Florida, which is an international hub at risk for terrorism, money laundering and other dangerous activities. His own prosecutors have warned Acosta that prioritizing adult porn would reduce resources for prosecuting other crimes, including porn involving children. According to high-level sources who did not want to be identified, Acosta has assigned prosecutors porn cases over their objections. Acosta, who told the Daily Business Review last month that prosecuting obscenity was a priority for Gonzales, did not return calls for comment. http://www.law.com/jsp/article.jsp?id=1125318960389

ARMY TO BETTER MONITOR BLOGS, WEB SITES (Federal Computer Week, 30 August 2005) -- Gen. Peter Schoomaker, the Army’s chief of staff, wants military leaders to better monitor soldiers’ Web sites and blogs for the posting of sensitive information that could aid the enemy. Schoomaker said some soldiers, for example, continue to post pictures “depicting weapon system vulnerabilities and tactics, techniques, and procedures (TTPs).” “Such OPSEC (operational security) violations needlessly place lives at risk and degrade the effectiveness of our operations,” he said in a memo issued earlier this month obtained by the Federation of American Scientists and posted on its Web site. Schoomaker said the Army’s Office of the Chief Information Officer/G-6, with help from the service’s Office of the Deputy Chief of Staff for Intelligence/G-2, will track and report OPSEC violations every three months. He said the service is also preparing more OPSEC training. “The enemy is actively searching the unclassified networks for information, especially sensitive photos, in order to obtain targeting data, weapons system vulnerabilities and TTPs,” Cody said. http://www.fcw.com/article90522-08-30-05-Web

NEW MICROSOFT PORTAL WILL HELP COPS (CNET, 31 August 2005) -- Expanding its efforts to help law enforcement with cybercrime investigations, Microsoft plans in the coming months to launch a new online resource. The Web site will include training, tips and tools for investigations and information on cybercrime, Richard LaMagna, director of worldwide law enforcement programs at Microsoft, said in an interview with CNET News.com on Wednesday at the annual High Technology Crime Investigation Association event here. Microsoft’s online training will include simple forensic skills--for example, guidance on digging up information on the hard drive of a seized Windows PC, and basic online investigation techniques such as trace routes and Whois domain database lookups, LaMagna said. Other information on the Web site will include details on recent legislation. Microsoft also plans to offer specialized technical support to investigators. The “Law Enforcement Portal” also will have contact details for people within Microsoft who deal with requests from the authorities, LaMagna said. These could be requests for information on Hotmail users, for example, he said. The new Law Enforcement Portal should be online by November, LaMagna said. The site will initially be in English only, but there are plans to translate it into other languages. Access will be limited to law enforcement officials. http://news.com.com/2102-7348_3-5845205.html?tag=st.util.print

CT REJECTS GROKSTER INDUCEMENT THEORY IN FONT EMULATOR CASE (BNA’s Internet Law News, 1 Sept 2005) -- BNA’s Electronic Commerce & Law Report reports that a federal court in Illinois has rejected a claim of secondary liability brought against a software developer whose program allowed users to make, in theory, unauthorized use of copyrighted typeface fonts. Citing Grokster, the court points out that the defendant did not target known copyright infringers as its customers, that it did not encourage them to infringe the plaintiffs’ copyrights, and that copyright infringement did not advance that plaintiff’s business interests. Case name is Monotype Imaging Inc. v. Bitstream Inc. Decision at http://www.svmedialaw.com/monotype%20v%20bitstream.pdf

COMPLIANCE TAKING OVER IT SECURITY CHIEFS’ SCHEDULES (GovExec.com, 30 August 2005) -- Agency chief information security officers are spending more time complying with laws governing the safekeeping of computer and network systems, according to a survey. With the burden of complying with the 2002 Federal Information Security Management Act growing, CISOs are spending an average of 3.75 hours per day on FISMA, a law written to bolster agencies’ computer and network security. Last year, the survey found that CISOs spent an average of 3.06 hours on FISMA compliance. Intelligent Decisions Inc., a technology firm based in Ashburn, Va., commissioned the 21-question survey, which was conducted through online and telephone interviews with 29 top government security officials from both large and small civilian and Defense Department agencies. http://govexec.com/dailyfed/0805/083005p1.htm

BLOGGERS DEBATE CODE OF CONDUCT FOR POLITICAL SITES (Washington Post, 1 Sept 2005) -- Should Virginia’s political bloggers adhere to a code of ethical conduct? That question was posed at a first-of-its-kind conference last weekend hosted by the Sorensen Institute for Political Leadership at the University of Virginia. Using a computer with Internet access and some simple Web-based software, anyone can create a blog, which allows commentary from the well-informed as well as from people who have little to add to public discussions. On Saturday, more than 50 of the state’s bloggers -- on the right and the left, the young and the old -- spent a day meeting each other and debating whether there is a need for a common moral compass for this new form of political communication. The conclusion among many of them was that there is not. Several said they view their blogs as extensions of their very personal voices. No one, they insisted, has any business telling them what they should say or how they should say it. Those who held that view expressed exasperation at the idea that government would try to regulate blogs. “Have you ever heard of ‘Congress shall make no law?’ “ one asked, referring to the first few words of the First Amendment and the constitutional protection of freedom of speech. http://www.washingtonpost.com/wp-dyn/content/article/2005/08/30/AR2005083002181.html

AGENCIES, OMB PUSHING SECURITY REQUIREMENTS THROUGH CONTRACTS (GCN, 1 Sept 2005) -- As the new CIO of the Housing and Urban Development Department, Lisa Schlosser is on a mission to improve the agency’s cybersecurity, and one of her first steps is to put language in all vendor contracts requiring minimum baseline standards. Schlosser, who came to HUD in February from the Transportation Department, is modeling the program after similar ones in the Air Force and her former agency. “We got an F on the Federal Information Security Management Act report card, but we are starting the process to improvement,” she said yesterday at a CIO Council’s symposium on cybersecurity in Washington. The effort to include security requirements in contracts also is happening in the SmartBuy program, the administration’s enterprise software agreement initiative. Karen Evans, the Office of Management and Budget’s administrator for e-government and IT, said at the symposium that the CIO Council is working with the General Services Administration’s SmartBuy office to build security into the existing and future agreements. In fact, OMB issued a memo on SmartBuy this week outlining the details of the deal with Oracle Corp. An administration official said the memo was released to remind acquisition personnel that the terms and conditions are mandatory for purchasing Oracle products, such as database software. The official added that SmartBuy is working on redoing the other five other enterprise agreements to standardize the terms and conditions for all purchases for those specific products. At the CIO Council symposium, Schlosser — who while at Transportation led that agency’s climb to an A- in the 2004 report card from a D+ — hopes to use her experience, which includes putting security provisions in contracts, to help HUD improve. She said HUD is looking at ways to automate the capture and benchmarking of security test results, possibly using a government-owned software program from the Environmental Protection Agency called the Automated Security Self-Evaluation Reporting Tool. HUD also is looking at a configuration management and testing tool from BindView Corp. of Houston. All of this work Schlosser and other CIOs have been doing is to meet the FISMA reporting requirements. But more importantly, the efforts are improving the security of their systems, Evans said. http://www.gcn.com/vol1_no1/daily-updates/36876-1.html

FILE-SWAPPING ILLEGAL DOWN UNDER (Wired, 5 Sept 2005) -- A federal court ruled Monday that the popular file-swapping program Kazaa infringes on copyright and gave its purveyors two months to alter the system so its users can no longer engage in music piracy. Hailed as a victory by the recording industry, the court’s decision has implications well beyond the borders of Australia, where Kazaa executives are based, due to the internet’s global nature. Federal Court Judge Murray Wilcox determined that Kazaa’s owners and distributors, led by Sharman Networks, took no action to rein in illegal activity despite posted warnings on their website urging Kazaa users not to swap copyright material. Wilcox said it had been in the financial interest of Sharman and its partners “to maximize, not minimize, music file-sharing.” He found six of the 10 defendants, including Sharman, its Sydney-based chief executive Nikki Hemming, as well as Altnet, a Sharman software partner, guilty of copyright infringement and ordered them to pay 90 percent of the record industry’s costs in the case. http://www.wired.com/news/digiwood/0,1412,68762,00.html Decision at
http://www.austlii.edu.au/au/cases/cth/federal_ct/2005/1242.html

CONGRESS LOOKS TO PASS DATA BREACH LAW (InfoWorld, 2 Sept 2005) -- The U.S. Congress will look to pass consumer data protection legislation as it returns next week from its mid-year recess, but if Congress fails to act, a tough new state law will force interstate companies to disclose virtually all data breaches, no matter how small the risk. A New York data breach law, signed by Governor George Pataki on Aug. 10, would take effect in mid-December. New York, the 19th state to pass a data breach notification law, would allow no exceptions for companies that have their own disclosure policies. The New York law requires companies to disclose any unauthorized breach of databases that contain New York residents’ personal information such as Social Security, drivers’ license and credit card numbers, with a limited exception for some encrypted data. The New York law makes no exception for small data breaches or breaches unlikely to result in identity theft, despite concerns raised by groups such as the Information Technology Association of America (ITAA) that customers could be bombarded with too much notification in cases where there’s little chance of harm. The New York law would replace the California breach notification law, which includes some notification exceptions, as national standard if Congress doesn’t pass its own bill preempting state legislation, said Dan Burton, vice president of government affairs for Entrust (Profile, Products, Articles) Inc., a security software vendor. “If you’re breached, you’ve got to notify,” Burton said of the New York law. http://www.infoworld.com/article/05/09/02/HNcongressdata_1.html

SEARCH WARRANT BASED ON WEB-GROUP MEMBERSHIP SETS “DANGEROUS PRECEDENT,” COURT WARNS, BUT UPHOLDS IT ANYWAY (Steptoe & Johnson’s E-Commerce Law Week, 3 Sept 2005) -- On August 18, in U.S. v. Coreas, a panel of the U.S. Court of Appeals for the Second Circuit upheld a search warrant of a private home, the basis of which was an FBI affidavit whose central allegations, the court believed, were “knowingly or recklessly false.” Without those allegations, the only basis for the warrant was the defendant’s membership in a web group that fostered the dissemination of child pornography. While expressing its concern that its ruling both violated First Amendment protection against guilt by association and “made a mockery” of the Fourth Amendment, the court held that it was bound by stare decisis to follow an earlier Second Circuit panel decision to uphold a search warrant in a similar case. In reaching its decision, the court made clear that it felt the earlier decision -- U.S. v. Martin -- had been wrongly decided and set “a dangerous precedent.” But since the Martin case had been heard first, the court held, it was compelled by the circuit’s rules to affirm the defendant’s conviction. If, as seems likely, this case is reheard en banc , it may provide guidance on when membership alone in a web group that fosters illegal activity is sufficient to justify a search warrant of an individual’s home or business. Moreover, whatever the final outcome of this case, the Coreas panel’s scathing opinion of the government’s actions could cause law enforcement to seek more evidence from Internet service Providers (“ISPs) about e-group members’ activities -- such as by monitoring web traffic and requesting data about users’ email preferences -- before seeking warrants to obtain evidence directly from a suspect. http://www.steptoe.com/index.cfm?fuseaction=ws.getItem&pubItemId=10407&siteId=547

UK SETS OUT CASE FOR DATA LOGS TO FIGHT TERROR (Reuters, 7 Sept 2005) -- Britain, which is pushing for new EU laws on data retention, said on Wednesday that logging and storing telephone calls, email and Internet use had helped its police trap suspected terrorists. European Union states have agreed to speed up plans for common rules on the use of data after the July 7 London attacks but the strategy has drawn criticism from EU lawmakers and the European telecommunications industry. The Home Office cited examples of where stored telephone calls, email and Internet use had proved essential in crime investigations. The country currently holds the rotating chair of the EU. “In at least one case in the UK, the ability of police and intelligence agencies to identify a terrorist network ... has depended on access to retained telecommunications data which revealed links between individuals otherwise invisible to investigators,” a policy paper from the ministry said. EU justice and interior ministers will discuss the data proposals on Thursday when they meet in Newcastle. EU lawmakers -- who received the paper on Wednesday from Home Secretary Charles Clarke in Strasbourg -- have complained that member states want to adopt the proposed measures without the European Parliament having a say. Industry is concerned about costs, which in some EU countries could be hundreds of millions of euros. But the Home Office said cooperation between police and phone operators was relatively cheap and governments could pay some of the price for storing the data. http://uk.news.yahoo.com/07092005/325/uk-sets-case-data-logs-fight-terror.html

NEXT GPL TO PROTECT FREE SOFTWARE FROM LAWSUITS? (CNET, 6 Sept 2005) -- The next version of the General Public License may contain a clause to penalize companies that use software patents against free software. GPL version 3, a draft of which will be released in January 2006, may contain a patent retaliation clause, Georg Greve, the president of the Free Software Foundation Europe, said Tuesday. Such a clause would mean that if a company accused a free-software product of infringing its software patents, that company would lose the right to distribute that product. Joachim Jakobs from FSF Europe said such a clause would only affect companies that used their software patents against free software. “We don’t want to hinder people from using free software if they merely hold software patents,” Jakobs said. The GPL may also contain a clause to penalize companies that use copy-restricting technologies. “There could be something that addresses this if we can find a sensible way to put it,” Greve said. http://news.com.com/2100-7344_3-5851365.html

-- and --

CA OPENS PATENTS TO OPEN SOURCE (ZDnet, 7 Sept 2005) -- Computer Associates International will give open-source projects access to 14 of its patents, the company said Wednesday as it also announced a technology cross-licensing deal with IBM. The U.S. patents, which include their equivalents in other countries, address a range of technologies, covering application development, data analytics and systems management. CA said it will provide royalty-free access to the patents and not assert claims against people who make use of them. CA said it is following IBM’s lead, which earlier this year pledged 500 patents to open-source communities. CA also urged other technology companies to help create a “patent commons.” http://news.zdnet.com/2100-3513_22-5852500.html

A COPYRIGHT ANALYSIS OF THE GOOGLE PRINT PROJECT (BNA’s Internet Law News, 7 Sept 2005) -- Jonathan Band, a leading IP lawyer, has written an interesting copyright analysis of the Google Print project. Band concludes that the project is similar to the everyday activities of Internet search engines that is covered by the fair use doctrine. Band article at http://www.policybandwidth.com/doc/googleprint.pdf

DHS: OUR PLANLESS LEADER (CSO Magazine, Sept 2005) -- The Office of Inspector General has deemed DHS unfit because the organization devised to protect the homeland does not have a disaster recovery plan. It’s disheartening. It’s incredible. But it’s not all that surprising. That’s how some business continuity experts and government officials reacted to the news that 15 out of 19 agencies under the Department of Homeland Security lack fully operational disaster recovery sites—a shortfall that could hinder DHS’s ability to carry out its mission during a service disruption or national emergency. The report, “Disaster Recovery Planning for DHS Information Systems Needs Improvement,” published in May by the DHS Office of Inspector General, also found that the four agencies with recovery sites lacked other continuity measures, such as thorough, written disaster recovery plans. (For a full copy of the report, go to www.csoonline.com/printlinks.) Without naming agencies, the report warned that these security gaps could result in “a disruption in passenger screening operations, delays in processing grants in response to a disaster and delays in the flow of goods across U.S. borders.” “I’m not surprised by the number of agencies and IT facilities that have no backup [site],” says John Copenhaver, thesoutheast region director of FEMA from 1997 to 2001. “You’ve taken such a huge patchwork quilt of agencies and departments and cobbled them all together” into a new homeland security hub, Copenhaver says. But he’s quick to add that there’s no excuse for such lapses in this critical department. Still, some private-sector groups are disappointed. “The government as a whole put down a lot of regulations for the financial services industry, and it’s disheartening to see that they don’t necessarily follow their own guidelines,” says Marie Johnson, who’s president of the Business Continuity Planners Association, made up of 150 business continuity professionals in the Minneapolis/St. Paul area. http://www.csoonline.com/read/090105/wonk_dhs.html

REALTORS BACK AWAY FROM PLAN TO RESTRICT ACCESS TO LISTINGS (Washington Post, 8 Sept 2005) -- In response to antitrust concerns, the National Association of Realtors plans to announce today that it will drop a plan to permit real estate agents to restrict access to home sales listings on the Internet. Instead it will set rules ensuring that all real estate agents have access to the same information, the trade group said in a statement to be released today. Association officials had previously insisted on maintaining policies that allowed agents to control listings. They said they changed their minds because of a Justice Department investigation into whether the association’s policy was stifling competition. Regulators have been investigating an earlier Internet multiple-listing policy proposed by the trade group because of concerns it would effectively allow traditional real estate agents to steer potential sales away from new competitors working for smaller commissions. The Realtors association dropped its previously proposed policy in May and had said it was developing a new one. Consumer activists and antitrust advocates have said the previously proposed policy was designed to make it harder for discount real estate firms to obtain the listing information they need to make sales. http://www.washingtonpost.com/wp-dyn/content/article/2005/09/07/AR2005090702263.html Related story at http://www.nytimes.com/2005/09/17/business/17realtor.ready.html?ex=1284609600&en=bfaf86319ba60238&ei=5090&partner=rssuserland&emc=rss

SEARCH ENGINES SET OUT TO FIND MISSING PERSONS (New York Times, 12 Sept 2005) -- Scores of bulletin boards aimed at finding missing persons have popped up on the Internet since Hurricane Katrina hit the Gulf Coast, and two companies have built specialized search engines to help scour them. Lycos, the 10-year-old search company based in Waltham, Mass., searches at least 20 bulletin boards and missing persons Web sites every four hours to capture data for its service (lycos.com/katrina), while Yahoo retrieves information every hour from 15 large sites and many smaller ones for its engine (news.yahoo.com/katrinahelp). Engineers for Lycos said they started the site Aug. 31 after noticing the proliferation of places for posting such information. Users initially had to go to each site and conduct a separate search, said Steve Quince, a director of engineering for Lycos. “We’re not so much trying to solve the fragmentation as we are trying to accommodate it,” he said. Both search engines comb the Family News Network of the International Committee of the Red Cross, Nola .com (the Web site affiliated with The Times-Picayune, a New Orleans newspaper), Craigslist and the Katrina Safe List by the Cable News Network. Yahoo also scours its own bulletin boards dedicated to cities affected by the hurricane, universities and relief centers. The online boards started with desperate posts for rescues and medicine drops. But they continue to be inundated with queries from people trying to reconnect with family members - and pets - after being evacuated to other cities. http://www.nytimes.com/2005/09/12/technology/12lycos.html?ex=1284177600&en=e1db8b2f5071eac4&ei=5090&partner=rssuserland&emc=rss

YAHOO HIRES JOURNALIST TO REPORT ON WARS (New York Times, 12 Sept 2005) -- Yahoo, in its first big move into original online video programming, is betting that war and conflict will lure new viewers. Lloyd Braun, the former chairman of ABC’s entertainment group who now oversees Yahoo’s expanded media group in Santa Monica, has hired Kevin Sites, a veteran television correspondent, to produce a multimedia Web site that will report on wars around the world. Mr. Sites, who has worked as a producer and correspondent for NBC and CNN, is probably most notable for a videotape he shot for NBC of a marine shooting and killing, in a mosque in Falluja last year, an Iraqi prisoner who appeared to be unarmed. That video generated a storm of outrage in the Arab world, and spawned both a military investigation into the incident and controversy about Mr. Sites. The Web site, called “Kevin Sites in the Hot Zone” (hotzone.yahoo.com) will focus entirely on Mr. Sites’s travels as a war correspondent and will use nearly every kind of format the Internet allows. His reports will begin Sept. 26. Yahoo is building a large beachhead in Santa Monica to establish relations with Hollywood, both to buy content from others and to produce its own. One of its motivations is to tap into the rapidly growing demand for video advertising on the Internet. Mr. Braun said the project did not mean that Yahoo was “building any kind of news organization.” Rather, he said, the company is trying to develop signature programming in all areas - news, sports, health, entertainment, finance - that will complement content it already carries from other providers. http://www.nytimes.com/2005/09/12/technology/12yahoo.html?ex=1284177600&en=601508afe447d1f8&ei=5090&partner=rssuserland&emc=rss

KEYBOARD CLICKS CAN LEAD TO SECURITY HACKS (ZDnet, 14 Sept 2005) -- A new security vulnerability has been discovered: the clickety clack of the keyboard. An audio recording of an individual’s typing can be transposed into a transcript of what was typed, according to University of California at Berkeley researchers. The technique works because each key makes a distinct sound when hit, and users, who typically type about 300 characters a minute, leave enough time between keystrokes for a computer to isolate the individual sounds. The researchers were able to take several 10-minute sound recordings of users typing at a keyboard, feed the audio into a computer, and use an algorithm to recover up to 96 percent of the characters entered. The technique worked when music or cell phone ringing jangled in the background--and even on so-called “quiet” keyboards with off-the-shelf recording equipment. While any sort of typed documents could be pilfered through this technique, the study underscores the vulnerability of passwords, said Doug Tygar, a UC Berkeley professor of computer science and information management, and a principal investigator of the study. The UC Berkeley technique relies on probabilistic computing techniques that underlie search engines. The computer categorizes the sound of each key and takes an educated guess about the character or word that was written. The computer uses both the sound of the keystroke and linguistic conventions to interpret a keystroke as an E after TH rather than a Q when the sound is similar--to come to a conclusion. The first pass is right about 60 percent of the time for characters and 20 percent of the time for entire words. The transcript is then run through spelling and grammar checks, which increased character accuracy to 70 percent and the word accuracy to 50 percent. The results are then fed back through the computer to refine future results. After three feedback cycles, the accuracy rate rose to 88 percent for words and 96 percent for characters. http://news.zdnet.com/2100-1009_22-5865318.html Berkeley paper at http://www.cs.berkeley.edu/~tygar/papers/Keyboard_Acoustic_Emanations_Revisited/preprint.pdf

WHERE ARE YOU ON THE JOURNEY TO ERM? (Risk Management Magazine, Sept 2005) -- According to a recent study by the Financial Executives Institute, the average cost of Sarbanes-Oxley compliance for Fortune 1000 companies in 2004 was $5.9 million. As chief financial officers consider the cost of doing business, many are looking at enterprise risk management (ERM) as a way to leverage their significant investment in compliance and convert it into a shareholder value strategy like cost containment or revenue enhancement. They are considering moving beyond the risk associated with internal controls, information technology and fraud to a more integrated approach that includes the full spectrum of risk: strategic, operational, and financial reporting as well as compliance. CFOs, chief risk officers and board members must question where their company is on the journey to lift risk management from its actuarial silos of past decades and to create a new systemic approach integrated into essential processes such as strategic planning and performance management. Only when risk management is woven into the fabric of the business in this fashion will everyone in the organization understand the importance of risk and incorporate it into their everyday decision making. http://www.rmmag.com/MGTemplate.cfm?Section=RMMagazine&NavMenuID=128&template=/Magazine/DisplayMagazines.cfm&MGPreview=1&Volume=52&IssueID=245&AID=2853&ShowArticle=1

PROGRESS IS SLOW ON HIPAA SECURITY RULES (Computer World, 12 Sept 2005) -- Almost five months after the data security rules mandated by the Health Insurance Portability and Accountability Act went into effect, many health care companies still aren’t fully compliant with them, according to IT managers and analysts. They said technology, process and budgetary issues continue to delay compliance efforts, along with what is seen as a weak enforcement component that has many health care organizations feeling that they can take a wait-and-see attitude toward the rules. Tim Harrison, information security officer at Cincinnati-based Catholic Healthcare Partners, said the $3.2 billion not-for-profit company doesn’t expect to be fully compliant with the security mandates for another two years. CHP, which operates 29 hospitals, has implemented many of the requirements but still needs to address the disaster recovery component, Harrison said. That part of the process has been put off because of a lack of IT staffers to dedicate to the task, he said, noting that CHP’s security team has just two workers who are responsible for securing more than 2,000 servers across two data centers. In addition, HIPAA requires that people with access to protected health information be uniquely identified to an IT system each time they use it, Harrison said. But, he added, that capability can be “next to impossible” to implement efficiently, especially in busy areas such as hospital emergency rooms. “I’m not sure that any health care organization is ever going to be fully compliant,” said William Gillespie, CIO at WellSpan Health, a York, Pa.-based not-for-profit provider that serves over 650,000 people in central Pennsylvania and northern Maryland. http://www.computerworld.com/securitytopics/security/story/0,10801,104543,00.html?source=NLT_PM&nid=104543

GOOGLE LAUNCHES SPECIALTY SEARCH ENGINE FOR BLOGS (SiliconValley.com, 14 Sept 2005) -- A new Google Inc. specialty search engine sifts through the Internet’s millions of frequently updated personal journals, a long-anticipated development expected to help propel ``blogging’’ into the cultural mainstream. The new tool, unveiled Wednesday at http://blogsearch.google.com, focuses exclusively on the material contained in the journals known as Web logs, or ``blogs.’’ Mountain View-based Google, the Internet’s general search engine leader, first set its sights on blogs with its 2003 acquisition of a small startup called Blogger that makes software to publish and manage the journals. Since that deal, Google had been expected to build a blogging-focused search engine -- a mission finally accomplished by a group of by developers in the company’s New York office. ``There really has been a need for a world-class search product to expose this dynamic content to a worldwide audience,’’ said Jason Goldman, who came to Google in the Blogger deal and is now the company’s product manager for blogging search. Google, Yahoo and Microsoft’s MSN already had been indexing blogs in their general search engines, but the broad approach reaps results that often buries blog links or points to outdated information. By focusing exclusively on blog feeds, Google theoretically will be able to deliver fresher and more relevant results. http://www.siliconvalley.com/mld/siliconvalley/business/technology/12645189.htm

**** PROGRAM ANNOUNCEMENTS ****
STANDARDIZATION AND THE LAW: DEVELOPING THE GOLDEN MEAN FOR GLOBAL TRADE (22-23 Sept 2005 at Stanford Law School) -- Sun and the Stanford Law School Program in Law, Science and Technology are co-sponsoring a two-day conference entitled “Standardization and the Law: Developing the Golden Mean for Global Trade.” Scheduled for September 22-23 at the Stanford University Bechtel Conference Center, this conference will focus on how standards can create a harmonic balance in global trade. http://systemnews.cdsinc.com/articles/90/3/Standards/14951

SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. The Ifra Trend Report, http://www.ifra.com/website/ifra.nsf/html/ITR-HTML.
8. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
9. Gordon & Glickson’s Articles of Note, http://www.ggtech.com
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.