Friday, May 05, 2006

MIRLN -- Misc. IT Related Legal News [15 April – 5 May 2006; v9.06]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of Dickinson Wright PLLC and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (click on “Settings” beside Members-Only Listserve Discussion). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and blogged at. Older editions reside in the public materials section of the Cyberspace Committee’s collaboration space at

**************End of Introductory Note***************

BORDER SECURITY SYSTEM LEFT OPEN (Wired, 12 April 2006) -- A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News. The documents raise new questions about the $400 million US-VISIT program, a 2-year-old system aimed at securing the border from terrorists by gathering biometric information from visiting foreign nationals and comparing it against government watch lists. The Aug. 18 computer failure led to long lines at international airports in Los Angeles, San Francisco, Miami and elsewhere, while U.S. Customs and Border Protection, or CBP, officials processed foreign visitors by hand, or in some cases used backup computers, according to contemporaneous press reports. Publicly, officials initially attributed the failure to a virus, but later reversed themselves and claimed the incident was a routine system failure. DHS CBP officials have released six pages of heavily redacted documents about the Aug. 18 computer failure. But two CBP reports obtained under the Freedom of Information Act show that the virulent Zotob internet worm infiltrated agency computers the day of the outage, prompting a hurried effort to patch hundreds of Windows-based US-VISIT workstations installed at nearly 300 airports, seaports and land border crossings around the country. “When the virus problems appeared on (CBP) workstations Thursday evening, the decision was made to push the patch, immediately, to the ... US-VISIT workstations. Most workstations had received the patch by midnight and US-VISIT was back in operation at all locations,” reads a CBP summary of the incident.

UNITED STATES SUPREME COURT APPROVES ELECTRONIC DISCOVERY AMENDMENTS TO FRCP (April 14, 2006) -- On Wednesday, April 12, 2006, the United States Supreme Court approved, without comment or dissent, the entire package of proposed amendments to the Federal Rules of Civil Procedure concerning the discovery of “electronically stored information.” The package includes revisions and additions to Rules 16, 26, 33, 34, 37, and 45, as well as Form 35. The proposed amendments were transmitted to the Supreme Court last September, after the Judicial Conference unanimously approved them. The new rules and amendments have now been transmitted to Congress and will take effect on December 1, 2006, unless Congress enacts legislation to reject, modify, or defer the amendments. The amendments may be accessed on the U.S. Court’s Federal Rulemaking website at:

-- and --

PANEL PROVIDES PLUG FOR PRIVILEGE HOLE (ABA Journal, 5 May 2006) -- A proposal to help protect attorney-client privilege during electronic discovery has been hammered out at a conference on federal evidence rules. The proposed rule change would allow privileged documents that are released to opposing counsel inadvertently or called back under a claw-back agreement to be protected from third parties seeking the documents in other cases, including in state court proceedings. To be able to bind the states, Congress will have to adopt the proposed rule directly, under its commerce clause authority, according to a commentary to the proposed Rule 502. At the request of the chairman of the U.S. House Judiciary Committee, the Advisory Committee on Federal Rules of Evidence conducted a miniconference on proposed Rule 502 at Fordham University last month. The committee was asked to consider how privilege is handled in litigation so as not to jeopardize attorney-client privilege. In some cases, lawyers waive privilege with an understanding from opposing counsel that they can withdraw privileged documents from the record before trial. This is often known as claw-back. However, many courts have ruled that agreements giving one side the claw-back privilege do not apply to outside parties. Suddenly, litigants in different lawsuits against a company can have access to those clawed-back documents. In other situations, attorneys inadvertently disclose documents protected by the attorney-client privilege or the work product doctrine during discovery of voluminous electronic documents. For example, ExxonMobil claims its employees generate 5.2 million e-mails each day and use 65,000 desktop computers and 30,000 laptops. The storage capacity of the average computer issued to employees is 40 gigabytes, which is equal to roughly 20 million typewritten pages. 
Currently, courts are in conflict over whether and in what circumstances inadvertent disclosure results in a waiver of the privilege. To address the problems, proposed Rule 502(b) protects documents inadvertently disclosed in federal proceedings from use in federal or state proceedings if the holder of the privilege took reasonable precautions to avoid disclosure and took reasonably prompt measures to correct the error after its discovery. Proposed Rule 502(e) provides that parties can enter into an agreement to limit waiver of claw-back documents, and such an agreement can bind third parties if it is incorporated in a court order.

DATA EXPOSURE: COUNTIES ACROSS THE U.S. POSTING SENSITIVE INFO ONLINE (Computer World, 12 April 2006) -- Broward County, Fla., Maricopa County, Ariz., Fort Bend County, Texas. Three counties separated by hundreds of miles with something in common: They’re among potentially hundreds of counties in several states that in recent years have made Social Security numbers, driver’s license information, bank account numbers and a variety of other personally sensitive data belonging to residents available to anyone in the world with Internet access. The exposure follows the failure to redact sensitive information from land records and other public documents posted on the Internet and makes county Web sites a veritable treasure trove of information for identity thieves and other criminals, according to a number of privacy advocates. “These sites are just spoon-feeding criminals the information they need,” said B.J. Ostergren, a privacy advocate based in Richmond, Va. “But no one appears to be seeing it and nobody’s changing the laws,” she said. Among the pieces of personally identifiable information from county Web sites made available to Computerworld by Ostergren and other privacy advocates were: Rep. Tom Delay’s Social Security number on a tax lien document; the Social Security numbers for Florida Gov. Jeb Bush and his wife on a quit claim deed from 1999; driver’s license numbers, addresses, vehicle registration information, height and race of individuals arrested for traffic violations; names and dates of birth of minors from final divorce decrees and family court documents; and even complete copies of death certificates with Social Security numbers, dates of birth and cause of death. (The Social Security numbers for Bush and his wife have been redacted and are no longer available online.)

JUDGE FINDS WELLS FARGO NOT NEGLIGENT IN DATA THEFT CASE (, 14 April 2006) -- A US District Judge in Minnesota ruled that two people who had filed a class action lawsuit against Wells Fargo had not actually suffered any damages and were thus unable to demonstrate “reasonably certain future injury” due to the theft of computer hardware from a Wells Fargo contractor. The hardware contained unencrypted Wells Fargo customer data. The judge said the thieves never used the information and that time and effort the plaintiffs spent monitoring their credit reports “was not the result of any present injury, but rather the anticipation of future injury that has not materialized.” The judge found Wells Fargo not negligent because the information was never misused by the thieves.

REPORT DETAILS DMCA MISUSES (, 14 April 2006) -- A new report from the Electronic Frontier Foundation (EFF) takes aim at the Digital Millennium Copyright Act (DMCA), a controversial law enacted seven years ago to protect intellectual property in the digital age. “Unintended Consequences: Seven Years Under the DMCA” is a collection of well-known and obscure stories about the misuses of the DMCA. Among those accounts is that of J. Alex Halderman, a graduate student at Princeton University who, in the fall of 2005, discovered the existence of serious security vulnerabilities in the CD copy-protection software on dozens of Sony BMG titles. But he delayed publishing his discovery for several weeks while consulting with lawyers in order to avoid DMCA pitfalls. This left millions of music fans at risk longer than necessary. In October 2003, Halderman had been threatened with a DMCA lawsuit after publishing a report documenting weaknesses in a CD copy-protection technology developed by SunnComm. Halderman revealed that holding down the shift key on a Windows PC would render SunnComm’s copy-protection technology ineffective. SunnComm executives threatened legal action under the DMCA. Stories like these show that “rather than being used to stop piracy, the DMCA has predominantly been used to threaten and sue legitimate consumers, scientists, publishers and competitors,” said EFF senior staff attorney Fred von Lohmann. The EFF notes that the DMCA’s anti-circumvention provisions, which are contained in Section 1201 of the act, were developed in response to obligations imposed on the U.S. by the 1996 World Intellectual Property Organization (WIPO) Copyright Treaty and the concerns of copyright owners that their works would be pirated and made available for download online. 
Section 1201 of the DMCA contains a ban on acts of circumvention of Digital Rights Management technologies -- technological measures used by copyright owners to control access to their works -- and a ban on the distribution of tools and technologies used for circumvention. In its report, the EFF notes that the ban on acts of circumvention applies even where the purpose for circumventing copyright protection would otherwise be legitimate or strike a logical person as legitimate, such as research intended to expose serious security flaws directly caused by copyright protection programming code. [The EFF report is here:]

EU DATA RETENTION DIRECTIVE TO TAKE EFFECT, NOT WITHOUT CONTROVERSY (Steptoe & Johnson’s E-Commerce Law Week, 15 April 2006) -- The controversial new EU Data Retention Directive (“Directive”) was published April 13 in the Official Journal of the European Union. Under the Directive, which cleared its most important hurdle when it was adopted by the European Parliament last December, ISPs and fixed-line and mobile operators will be required to retain communications data of their EU customers (not including the content of communications). The Directive will take effect 20 days after publication, but the more important deadlines come later. EU member states will have until September 15, 2007, to implement the Directive for traditional telephone services and ordinary mobile voice services. For “Internet Access, Internet telephony and Internet e-mail”, member states had the option to declare that they would reserve the right to delay implementation until March 15, 2009, and 16 member states have exercised this option -- Austria, Belgium, Cyprus, Czech Republic, Estonia, Finland, Germany, Greece, Latvia, Lithuania, Luxembourg, Netherlands, Poland, Slovenia, Sweden, and the United Kingdom. But nine member states did not, including three of the EU’s five biggest economies -- France, Italy, and Spain -- as well as Denmark, Hungary, Ireland, Malta, Portugal, and Slovakia. For these countries, the earlier deadline of September 15, 2007, will apply to Internet services as well.

ONE BORROWED SHARE, BUT ONE VERY REAL VOTE (New York Times, 16 April 2006) -- Some investors seem to be taking advantage of a loophole in financial regulations to cast shareholder votes that are far out of proportion to the number of shares they actually own, a new academic study suggests. The study, entitled “Vote Trading and Information Aggregation,” has been circulating in academic circles for several months. Its authors are the finance professors Susan E. K. Christoffersen of McGill University in Montreal, Christopher C. Geczy and David K. Musto of the Wharton School of the University of Pennsylvania and Adam V. Reed of the University of North Carolina. The authors describe a strategy that enables any investors, no matter how few of a company’s shares they own, to profoundly affect the outcome of corporate resolutions that are put to a vote at the annual shareholder meeting. In effect, a shareholder can borrow a large number of shares for a nominal fee and use them to cast a corresponding number of votes. As the study points out, the right to vote on a corporate resolution comes from possession, not ownership, of shares. That means a trader can borrow shares and thus be temporarily eligible to vote on corporate resolutions. The number of votes he can acquire is limited only by his ability to put up collateral — which is required to be 102 percent of the value of shares borrowed — and the number of shares available on the securities lending market. This market primarily serves those who wish to borrow shares in order to sell them short, but there is nothing to prevent its use by those whose motive is to influence the outcome of corporate votes. As long as you have the collateral, borrowing shares is very inexpensive. The annual cost can be as low as 20 basis points, or two-tenths of a percentage point, on the cash that is put up. And because the borrower must hold the shares for just one day in order to have voting rights, the interest can be almost nothing.
The cost to borrow $1 million of stock for one day, for example, could be less than $6, according to Professor Reed. The professors are convinced that many traders are taking advantage of this loophole. They reached this conclusion after studying what happens in the securities lending market immediately before and after the record dates for corporate votes. These are the dates when a shareholder needs to have possession of a stock in order to vote on a corporate resolution. The professors focused on 6,186 record dates for resolutions at publicly traded companies from November 1998 to October 1999. They found that on the typical record date, there was a significant spike in the number of borrowed shares. And they found an almost-as-big decline in such shares, on average, the day after those record dates. In their opinion, the only plausible explanation is that traders borrowed shares solely to acquire votes. Study at

STITCHING UP HEALTH RECORDS: PRIVACY COMPLIANCE LAGS (eWeek, 16 April 2006) -- The good news about privacy and the Health Insurance Portability and Accountability Act is that more than 80 percent of companies involved in health care have technology and processes in place to provide the level of patient-privacy protection required by the 1996 law. The bad news? All were supposed to have done so by April 2003. More bad news? The percentage hasn’t changed since last summer, meaning about 20 percent of health care companies are “unable or unwilling to implement federal privacy requirements,” according to a twice-yearly survey of health care payers and providers conducted by Phoenix Health Systems and Healthcare Information and Management Systems Society, or HIMSS. And that’s just regarding the rule designed to make sure patient information isn’t sent to the wrong people or accessed by people without a right to know. Securing the data so hackers can’t force their way in is another category of compliance entirely. Meanwhile, as of April 21, another wave of companies will have the chance to be noncompliant, as the deadline passes for companies with less than $5 million in revenue to meet HIPAA Security standards.

KOREA: ONLINE COMMUNITIES TO BE MONITORED MONTHLY (AsiaMedia, 16 April 2006) -- The South Korean government plans to monitor the nation’s online communities every month, to crack down on an increasing number of personal information dealers within the virtual world. The Ministry of Information and Communication said the targets of the monthly surveillance plan would be cyber cafes, and peer-to-peer (P2P) file-sharing sites. “We have come up with this scheme as Internet-based clubs and P2P sites are recognized as the main culprits for recent woes regarding identity theft,” said Suh Byung-jo, director general at the ministry. “To straighten things out, we will check unlawful activities at sites prone to wrongdoings at least once every month from now on and will report malpractices to the police,” he said. As Suh pointed out, Internet clubs and P2P sites have been the playground for personal data dealers who gain private information like resident registration numbers, the Korean version of North American social security numbers. The identity theft issue caught Korea, the most wired country on the planet, off guard in February, when complaints piled up that hackers were stealing private data from millions of Korean people. In addition to Internet clubs and P2P sites, the ministry seeks to check the nation’s 100,000 most-visited Web sites to shield them from hackers’ attacks.

-- and --

CHINA BANS UNLICENSED E-MAIL SERVERS (ARS Technica, 17 April 2006) -- A new provision in an anti-spam law has apparently made it illegal to run an unlicensed e-mail server in China. The Chinese Ministry of Information Industry recently promulgated rules designed to crack down on the country’s spam epidemic, but buried in the new legislation is a requirement that so-called “E-mail Service Providers” must register with the government and receive a license in order to legally operate their mail servers. Though it does not appear as though Chinese authorities are yet enforcing the law, the new regulations would make it illegal for any business to operate their own e-mail server without obtaining a government license. The licensing protocol also requires that server operators maintain logs of incoming and outgoing e-mails for 60 days, and it makes open relays illegal. While it contains some solid anti-spam provisions, the new law certainly seems designed to have a chilling effect on e-mail use.

COURT FOLLOWS ProCD, RULES SHRINKWRAP LICENSE VALID (BNA’s Internet Law News, 20 April 2006) -- BNA’s Electronic Commerce & Law Report reports that a federal court in California has ruled that a shrinkwrap agreement in which software licensing terms are disclosed within the box containing the software media is enforceable under California law. The court also held that a state-law claim for breach of the shrinkwrap license was not preempted by the Copyright Act. Case name is Meridian Project Sys. Inc. v. Hardin Construction Co. Article at

N.Y. COUNTY REQUIRES SECURITY FOR WIRELESS BUSINESS NETWORKS (, 20 April 2006) -- Westchester County on Thursday enacted a law that is designed to limit identity theft by forcing local businesses to install basic security measures for any wireless network that stores customers’ credit card numbers or other financial information. The law also requires that businesses offering Internet access -- coffeehouses and hotels, for example -- post signs warning that users should have firewalls or other security measures. As he signed the bill, County Executive Andrew Spano said the county had been unable to find any law like it in the country and had received inquiries about the legislation from other states and from Great Britain, South Korea and the Czech Republic. “There are many unsecured wireless networks out there, and any malicious individual with even minimal technical competence would have no trouble accessing information that should be kept confidential,” Spano said. “It would be nice if these businesses took the necessary steps on their own to ensure their networks were kept secure, but the sad fact is that many don’t.” Bruce Schneier, chief technical officer of Counterpane Internet Security Inc., said laws like Westchester’s are probably helpful “because the information companies have on their networks is more valuable to you than it is to them and the law gives them an incentive” to protect it.

GAS GUZZLERS FIND PRICE OF FORGIVENESS (New York Times, 22 April 2006) -- To people who take the threat of global warming personally, driving a car that spews heat-trapping greenhouse gases into the atmosphere can be a guilt trip. But to help atone for that environmental sin, some drivers are turning to groups on the Internet that offer pain-free ways to assuage their guilt while promoting clean energy. It involves buying something known as a carbon offset: a relatively inexpensive way to stimulate the production of clean electricity. Just go to one of several carbon-offset Web sites, calculate the amount of carbon dioxide produced when you drive, fly or otherwise burn fossil fuels, and then buy an offset that pays for an equivalent amount of clean energy. Of course, emissions could be reduced the old-fashioned way — by flying less, turning off the air-conditioning or buying a more fuel-efficient car. But that would probably require some sacrifice and perhaps even a change in lifestyle. Instead, carbon-offset programs allow individuals to skip the sacrifice and simply pay for the right to pollute. “To some extent, it’s a way for people to buy their way into heaven,” said Chip Giller, who is president of, an online environmental magazine. “On the other hand, this is such a big macro problem that this is one of the few things people can do to really make a difference.” While offsets do not actually eliminate pollution, they do enable groups like to use the money to stimulate the production of clean electricity, which is more costly than burning coal or oil.

THE CAMERA NEVER BLINKS, BUT IT MULTIPLIES (New York Times, 23 April 2006) -- It’s spring, and a new crop of police surveillance cameras is sprouting in cities big and small. New York is installing 500 on street corners; Chicago is upgrading several thousand; and even the city of Dillingham, Alaska, has 80 — one for every 30 residents. Many of these newer cameras can pan, tilt and zoom, and are networked through the Internet, so video images can be viewed and stored centrally. They are often purchased with homeland security funds, meant for use against terrorism as well as street crime. But it is impossible for a police department to continuously monitor 2,000, 500 or even, in the case of Dillingham, 80 cameras. So other than producing mountains of visual data — and raising the inevitable questions of privacy — how useful are they? Law enforcement officials argue that just putting up a camera in plain sight can deter crime. And some see a future in which software will analyze video for possible signs of terrorist activity, like someone placing a suitcase in front of a building. “We have seen significant dividends as a result of implementing this program,” said Andrew Velasquez III, director of the Office of Emergency Management and Communications in Chicago. Drug trafficking has been reduced in areas where cameras have been installed, he said. And the city is starting a pilot program to see whether automated analysis can be effective. But some security experts say the cameras are of limited value — largely in helping investigators after a crime — and are not cost-effective. They point to a large study by the Home Office in Britain, which has perhaps the world’s most videotaped population, that found cameras to be ineffective in reducing crime, except in locations like parking garages. And even scientists involved in the development of visual recognition software acknowledge that the programs do not work well enough yet.
“Cameras make people feel better,” said Bruce Schneier, an expert on security technology and the author of “Beyond Fear: Thinking Sensibly About Security in an Uncertain World.” “But they really don’t make sense. At best they move crime around a little bit.”

JUDGE: NOT UNREASONABLE FOR CITY WORKERS TO SURF WEB (, 24 April 2006) -- Surfing the Web at work is equivalent to reading a newspaper or talking on the phone, an administrative law judge said in recommending the lightest possible punishment for a city worker accused of disregarding warnings to stay off the Internet. The case involved Toquir Choudhri, a 14-year veteran of the Department of Education, whose office computer had been used to visit news and travel Web sites. “It should be observed that the Internet has become the modern equivalent of a telephone or a daily newspaper, providing a combination of communication and information that most employees use as frequently in their personal lives as for their work,” Administrative Law Judge John Spooner said in recommending only a reprimand for Choudhri. The judge noted that city agencies allow workers to make personal calls if it doesn’t interfere with their work performance.

DATA THEFT DISCLOSURE MEANT LESS PAIN FOR LEXISNEXIS (Computer World, 25 April 2006) -- After a high-profile security breach exposed personal data about thousands of customers, LexisNexis found that being forthright was the best approach, according to a company executive. By being forthcoming with the public and victims, the company survived with minimal impact, said Leo Cronin, LexisNexis senior director for information security, Tuesday at the Infosec Europe 2006 conference in London. The security breach hit LexisNexis, which is owned by Reed Elsevier PLC, early last year. “I think that’s why we were so successful in dealing with this,” Cronin said of the decision to be open and direct about the breach. LexisNexis is breaking its silence over the incident to help educate and get feedback about approaches to breaches, he said. LexisNexis faced a worst-case scenario after it acquired Seisint Inc. of Boca Raton, Fla., in September 2004. Seisint is a data broker, collecting personal information and providing it to law enforcement and private companies for services such as debt recovery and fraud detection. Attackers went after the service’s “less sophisticated customers” with a social engineering ploy that left the identities of up to 300,000 people at risk, Cronin said. The company’s customers received an e-mail with a pornographic lure, Cronin said. The mail also contained a worm and a keystroke logger, which stole LexisNexis credentials, specifically for its risk management services, he said. But when the damage became clear, LexisNexis made an immediate decision to be forthcoming and transparent about the breach, he said. “We tried to do the best job we could,” he said. The company contacted all those who were affected by the attack using the framework of a California data security disclosure law passed in 2003 as a guide, Cronin said. 
Such laws are catching on after the high-profile cases of last year, including ChoicePoint Inc., a data broker that acknowledged divulging sensitive personal information to identity thieves posing as customers. So far in the U.S., 20 states have implemented notification laws, and a federal law is under consideration. After the data breach, LexisNexis took several steps to implement stronger security, Cronin said. The company reviewed the security of all its Web applications and created new procedures for verifying customers with access to sensitive data, he said. LexisNexis encouraged certain customers to sign up for antivirus software. It revamped online security access, looking at password complexity and expiration times. The company also implemented measures to automatically detect anomalies in use of its products to identify potential security problems, Cronin said. LexisNexis learned other lessons. Passwords are dead, Cronin said, and two-factor authentication is recommended. But front-door perimeter attacks are less likely than the persistent weak link: people.

STATES STRUGGLING TO DEAL WITH DIGITAL DOCUMENTS (CNET, 25 April 2006) -- Most state governments are not actively tackling the creeping problem of digital archives and long-term access to public documents, according to the head of an industry group. Apart from a handful of cases, states have not devised comprehensive strategies for retaining “born digital” documents, said Doug Robinson, the executive director of the National Association of State CIOs (NASCIO). Such documents are created in electronic format and do not exist on paper. “There are very, very few states that have enacted any legislation or directive that addresses the permanent access to records,” Robinson said. “The challenge is that states are all over the map in what format they use in archiving born-digital content.” The state of Minnesota introduced a bill last month that would mandate the use of “open data formats” in state agencies by having them use standards-based products. By avoiding proprietary products and formats, the proposal’s backers hope to ensure access to state information. The bill also spells out criteria for what qualifies as a “standard” and proposes responsibilities for different IT-related state offices. Minnesota’s move toward long-term data access through standards follows the high-profile case of Massachusetts. The office of the former chief information officer in Massachusetts caused waves across the industry when it said it had chosen the OpenDocument format among its standards for desktop applications -- a format not supported by Microsoft Office. The state, which named a new CIO in January, is in the process of converting its systems in anticipation of a January 2007 deadline. There are a couple of reasons for the lack of state strategies, Robinson suggested. Most state IT executives are dealing with problems that require immediate attention, such as security or lowering costs by consolidating their servers, he said. 
In addition, the jurisdiction among different agencies, both state and federal, is not always clear. In the case of Massachusetts, for example, the CIO office’s ability to set technical standards has been challenged by legislators and the office of public records.

CHECKLIST OUTLINES NEW CYBERTHREATS (, 25 April 2006) -- The U.S. government and industry face many cyberthreats that, until now, have not received adequate attention, according to a new checklist outlining the threats. “We’re talking about vulnerabilities where we can calculate the effects, and the effects are considerable,” said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit. The unit’s Cybersecurity Checklist looks at potential avenues for real-world cyberattacks and recommends ways to thwart them. Borg presented a draft version of the list at the GovSec conference in Washington, D.C. DHS has not yet approved the draft. The list includes 478 questions relating to cybersecurity attacks in 16 attack venues in six areas of vulnerability. The list contains recent content that reflects how the cybersecurity environment has changed in the past several years, Borg said. It uses a simpler framework than many similar checklists and is more self-consistent and easy to use, he said. The checklist provides more specific guidance for industry and recognizes economic realities, Borg said. It also includes asterisked items that are necessary but difficult and expensive to implement, he said. If the list is going to be used as a standard, it’s a practical necessity to let companies off the hook for the asterisked items, Borg said. “We don’t have the services and products to deal with them,” he said. The unit analyzed each of the 16 critical infrastructure sectors, Borg said. Many sectors say they follow international security standards but still have gaping security vulnerabilities, he said.

INTERNET POPULATION HITS NEW HIGH (, 26 April 2006) -- The U.S. online population has hit an all-time high: 73 percent of adults, or 147 million, now use the Internet. The figures represent an increase from 66 percent, or 133 million adults, in January 2005, according to the Pew Internet and American Life Project. But only 42 percent of all adults, or 84 million, have the home high-speed connections important for viewing video and treating the Internet as an always-on reference. Looking only at home Internet users, 62 percent have broadband. In a report Wednesday, Pew noted that Internet use still varies with age and income. Eighty-eight percent of adults under 30 go online, compared with 32 percent for those age 65 and older. Only 53 percent of adults in households earning less than $30,000 a year use the Internet, compared with 91 percent in households with annual income exceeding $75,000.

NEW PHISHING SCAM MODEL LEVERAGES VOIP (Computer World, 26 April 2006) -- Small businesses and consumers aren’t the only ones enjoying the cost savings of switching to voice over IP (VoIP). According to messaging security company Cloudmark Inc., phishers have begun using the technology to help them steal personal and financial information over the phone. Earlier this month, San Francisco-based Cloudmark trapped an e-mailed phishing attack in its security filters that appeared to come from a small bank in a big city and directed recipients to verify their account information by dialing a certain phone number. The Cloudmark user who received the e-mail and alerted the company knew it was a phishing scam because he’s not a customer of this bank. Usually phishing scams are e-mail messages that direct unwitting recipients to a Web site where they’re tricked into giving up their personal or financial information. But because much of the public is learning not to visit the Web sites these messages try to direct them to, phishers believe asking recipients to dial a phone number instead is novel enough that people will do it, says Adam O’Donnell, senior research scientist at Cloudmark. And that’s where VoIP comes in. By simply acquiring a VoIP account, associating it with a phone number and backing it up with an interactive voice-recognition system and free PBX software running on a cheap PC, phishers can build phone systems that appear as elaborate as those used by banks, O’Donnell says. “They’re leveraging the same economies that make VoIP attractive for small businesses,” he says.,4814,110894,00.html
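The article describes the lure pattern (an e-mail that asks the recipient to dial a number to “verify” account details rather than visit a site). Below is an added mail-filter example, not Cloudmark’s product or any code from the article, that scores an inbound message for that pattern so it can be held for review. The sample messages, the scoring weights and the allowlist of trusted sender domains are all constructed for the example.

```python
"""Added example (not from Cloudmark or the article): a mail-filter rule
that flags 'call this number to verify your account' lures.  The sample
messages, weights and the trusted-domain allowlist are constructed."""
import re

# Constructed: domains whose mail is expected to talk about account checks.
TRUSTED_SENDER_DOMAINS = {"examplebank.example"}

# North-American style numbers; fictional 555 numbers are used in the samples.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.I)
# A verification verb followed within 40 characters by an account noun.
LURE_RE = re.compile(
    r"\b(verify|confirm|validate|reactivate|update)\b.{0,40}\b(account|card|identity)\b",
    re.I | re.S,
)
CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.I)


def sender_domain(from_addr: str) -> str:
    """Domain part of a From: header such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)>?\s*$", from_addr)
    return m.group(1).lower() if m else ""


def score_message(from_addr: str, subject: str, body: str):
    """Return (score, reasons); a higher score means a likelier phone lure."""
    text = f"{subject}\n{body}"
    score, reasons = 0, []
    phones = PHONE_RE.findall(text)
    lure = LURE_RE.search(text) is not None
    if phones and CALL_RE.search(text):
        score += 2
        reasons.append("asks the recipient to call a number")
    if lure:
        score += 2
        reasons.append("verify/confirm-your-account language")
    if phones and not URL_RE.search(text):
        # The phone number is the only action channel, as in the article's case.
        score += 1
        reasons.append("phone number is the only action channel")
    if lure and sender_domain(from_addr) not in TRUSTED_SENDER_DOMAINS:
        score += 2
        reasons.append("account request from an untrusted sender domain")
    return score, reasons


def is_phone_lure(from_addr: str, subject: str, body: str, threshold: int = 5) -> bool:
    """Hold-for-review decision; the threshold is a constructed policy value."""
    return score_message(from_addr, subject, body)[0] >= threshold


# Constructed sample messages (fictional domains and 555 numbers).
PHISH_SAMPLE = (
    "Example Bank Security <alerts@mail-notify.example>",
    "Urgent: verify your account",
    "Unusual activity was detected on your card. Please call 1-555-010-9999 "
    "within 24 hours to confirm your account details.",
)
BENIGN_SAMPLE = (
    "Example Bank <statements@examplebank.example>",
    "Your April statement is ready",
    "Your statement is available at https://examplebank.example/statements. "
    "Questions? Call 1-555-010-0000.",
)

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, BENIGN_SAMPLE):
        score, reasons = score_message(*sample)
        print(f"{sample[1]!r}: score={score} hold={is_phone_lure(*sample)} {reasons}")
```

The rule deliberately combines several weak signals rather than keying on the phone number alone, since legitimate statements also carry a support line; a message from a trusted domain that still uses the full lure wording reaches the threshold on the other three signals.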

RAT ON YOUR PIRATE BOSS, WIN $36,000 (CNET, 27 April 2006) -- Anti-software piracy group the Business Software Alliance is offering a $36,000 reward to anyone who informs on employers who use illegal or unlicensed software. The BSA already has an online hotline for people to report the use of illegal software within U.K. organizations, but it has now doubled the reward from 10,000 pounds ($18,000) to 20,000 pounds ($36,000) until the end of June this year. The BSA said it opened 420 investigations in the last year as a result of these hotline tip-offs, the majority of which came from people in IT. Siobhan Carroll, regional manager for Northern Europe at the BSA, said that with all the software auditing tools and advice available, organizations no longer have any excuse for being caught using illegal software. She said: “We are doubling the reward to make software licensing a priority for managers. It might seem harsh, but at the end of the day there are 27 percent of businesses who think they can get away with it.” Carroll said disgruntled staff members are often the source of tip-offs, and a YouGov poll commissioned by the BSA found that three-quarters of workers would consider reporting their company if they felt their boss had treated them unfairly, while a quarter said poor pay raises would also spur them to rat on their employer.

POLITICAL DIRTY-TRICKSTERS ARE USING WIKIPEDIA (, 28 April 2006) -- Wikipedia, the online encyclopedia that can be altered by anyone with a computer, has proved remarkably useful for pulling political dirty tricks. Political operatives are covertly rewriting -- or defacing -- candidates’ biographical entries to make the boss look good or the opponent look ridiculous. As a result, political campaigns are monitoring the Web site more closely than ever this election year. Revisions made by Capitol Hill staffers became so frequent and disruptive earlier this year that Wikipedia temporarily blocked access to the site from some congressional Internet addresses. The pranks included bumping up the age of the Senate’s oldest member, West Virginia’s Robert Byrd, from 88 to 180, and giving crude names to other lawmakers. The entry for Democratic Rep. Jim Marshall of Georgia labeled him “too liberal” for his state, in part because of a contribution he received from a political action committee run by Sen. Hillary Rodham Clinton. The man who doctored Marshall’s biography now works for his Republican challenger.

NIST RELEASES STANDARDS FOR SECURITY LOGS (, 28 April 2006) -- The National Institute of Standards and Technology released technical guidelines on how federal agencies should manage security logs. The guidelines cover log generation, transmission, storage, analysis and disposal. The guidelines, NIST Special Publication 800-92: Guide to Computer Security Log Management, include suggestions for creating a log management policy, prioritizing log files and creating a centralized log management infrastructure to include all hardware, software, networks and media. The 64-page document notes that agencies must deal with larger quantities, volumes and varieties of security logs. They also must comply with a growing number of legislative requirements such as the Federal Information Security Management Act and the Health Insurance Portability and Accountability Act.
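The guideline’s phases (generation, transmission, storage, analysis and disposal) and its advice on prioritizing logs and centralizing them are easiest to see in a small working pipeline. The following is an added example, not code from NIST SP 800-92 or from any agency: it normalizes constructed log lines from two different sources into one record format, assigns each a priority, and applies a retention policy at disposal time. The sample lines, hostnames, priority rules and retention periods are all constructed.

```python
"""Added example (not from NIST SP 800-92): a toy central log manager
covering generation (sample lines), transmission/normalisation, analysis
(prioritisation) and disposal under a retention policy.  All log lines,
hosts, rules and retention periods are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample lines as two sources might ship them to a collector:
# RFC 3164-style syslog with ISO timestamps, and a web server access log.
SAMPLE_LINES = [
    "<34>2006-04-28T09:15:02Z fw01 kernel: DROP IN=eth0 SRC=192.0.2.7 DST=198.51.100.5 DPT=22",
    "<86>2006-04-28T09:15:05Z auth01 sshd[4242]: Failed password for admin from 192.0.2.7 port 51022 ssh2",
    "<86>2006-04-28T09:15:09Z auth01 sshd[4242]: Accepted publickey for alice from 203.0.113.9 port 40110 ssh2",
    '198.51.100.5 - - [28/Apr/2006:09:16:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    "<30>2006-03-01T00:00:00Z app01 cron[77]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
]


@dataclass
class LogRecord:
    timestamp: datetime
    host: str
    source: str              # "syslog" or "http"
    severity: int | None     # syslog severity 0..7, None for non-syslog sources
    message: str
    priority: int = 0        # assigned by analyse(); 0 is lowest


SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
HTTP_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+$'
)


def normalise(line: str) -> LogRecord | None:
    """Map one raw line from either source onto the common record format."""
    m = SYSLOG_RE.match(line)
    if m:
        pri = int(m.group("pri"))  # syslog PRI = facility * 8 + severity
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return LogRecord(ts, m.group("host"), "syslog", pri % 8, m.group("msg"))
    m = HTTP_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        return LogRecord(ts, m.group("host"), "http", None, f"{m.group('req')} -> {m.group('status')}")
    return None  # unparseable lines are counted by the caller, not silently lost


def analyse(rec: LogRecord) -> int:
    """Constructed prioritisation rules: low syslog severity numbers and
    authentication failures rank highest; successful logins are kept longer
    than routine traffic for accountability."""
    if rec.severity is not None and rec.severity <= 3:
        return 3
    if "Failed password" in rec.message:
        return 2
    if "Accepted" in rec.message:
        return 1
    return 0


# Constructed retention policy: days to keep a record at each priority.
RETENTION_DAYS = {0: 30, 1: 90, 2: 180, 3: 365}


def should_dispose(rec: LogRecord, now: datetime) -> bool:
    return now - rec.timestamp > timedelta(days=RETENTION_DAYS[rec.priority])


def process(lines, now: datetime):
    """Run all phases; returns (kept records, disposed count, unparsed count)."""
    kept, disposed, unparsed = [], 0, 0
    for line in lines:
        rec = normalise(line)
        if rec is None:
            unparsed += 1
            continue
        rec.priority = analyse(rec)
        if should_dispose(rec, now):
            disposed += 1
        else:
            kept.append(rec)
    return kept, disposed, unparsed


if __name__ == "__main__":
    now = datetime(2006, 5, 5, tzinfo=timezone.utc)
    kept, disposed, unparsed = process(SAMPLE_LINES, now)
    for r in sorted(kept, key=lambda r: -r.priority):
        print(r.priority, r.timestamp.isoformat(), r.host, r.message)
    print(f"disposed={disposed} unparsed={unparsed}")
```

Keeping the retention period a function of priority rather than of source is what lets a single central store satisfy both the volume concern and the statutory retention requirements the guideline mentions: routine traffic ages out quickly while security-relevant events stay available for the longer period a FISMA or HIPAA review may need.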

F.B.I. DISCLOSES SUBPOENAS (New York Times, 29 April 2006) -- The F.B.I. secretly sought information last year on 3,501 American citizens and legal residents from their banks and credit card, telephone and Internet companies without a court’s approval, the Justice Department said. It was the first time the Bush administration publicly disclosed how often it had used the administrative subpoena known as a National Security Letter, which lets the executive branch obtain records about people in terrorism and espionage investigations without a judge’s approval or a grand jury subpoena. The disclosure was mandated as part of the renewal of the USA Patriot Act, the administration’s sweeping antiterror law. (AP)

FUNNY MONEY (New York Times Editorial, 4 May 2006) -- For most of us, there is nothing magical about withdrawing cash from an A.T.M. The money that slides out represents some aspect of our real lives — our labor, our interest, our savings. But the idea of using an A.T.M. card to withdraw real money from a virtual life — a fictional online gaming life — takes some getting used to. On Tuesday, MindArk, the makers of the popular online game called Entropia Universe, announced that it will offer A.T.M. cards that will allow players quick access to cash assets that are being held in an alternate reality. For many people, the real mind-twister here isn’t the A.T.M. card. Cash holdings in a game — where the cash is used to buy upgrades and enhancements — are no different from cash holdings in an electronic bank. Very few people ever go into a bank and ask to see their money. No, the real puzzle is the creation of an online economy based solely in fictional worlds, in which people invest assets and erect buildings and charge rent and derive real income. Entropia is only one example. Second Life is another. The population — what else can you call it? — of these virtual worlds is growing rapidly. It’s natural to think of Entropia players escaping from the real world and disappearing into a more fluid and more gratifying universe. But can it be long before their online avatars within the game begin to resent these intrusions from outside? There you are, an avatar about to close a deal on Calypso, only to discover that your real-world alter ego has drained you dry from an A.T.M. somewhere in Milwaukee. It hardly seems fair.

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. Internet Law & Policy Forum,
6. BNA’s Internet Law News,
7. Crypto-Gram,
8. McGuire Wood’s Technology & Business Articles of Note,
9. Steptoe & Johnson’s E-Commerce Law Week,
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
