Friday, July 28, 2006

MIRLN -- Misc. IT Related Legal News [8-28 July 2006; v9.10]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of Dickinson Wright PLLC and the American Bar Association’s Cyberspace Law Committee. Please feel free to distribute this message. Dickinson Wright’s IT & Security Law practice group is described here:

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and blogged at. Older editions reside in the public materials section of the Cyberspace Committee’s 2002-2004 experimental collaboration space at

**************End of Introductory Note***************

DOD RELEASES OTD ROADMAP (NewsForge, 7 July 2006) -- The Open Source Software Institute (OSSI) has announced the release of a Department of Defense (DoD) report entitled the Open Technology Development Roadmap, which focuses on how to make open technology development an integral part of the DoD software acquisition and development processes. According to OSSI, “OTD methodology will enable DoD organizations and contractors to rapidly adapt and extend existing software capabilities in response to shifting threats and requirements without being locked in to a specific vendor or held hostage to proprietary technologies.” The 79-page report defines Open Technology Development, explains the key need that it fulfills, and makes concrete recommendations on how to make its use a standard operating procedure within the DoD. Report at

VISA, MASTERCARD TO UNVEIL NEW SECURITY RULES (Computerworld, 7 July 2006) -- Visa U.S.A. Inc. and MasterCard International Inc. will release new security rules in the next 30 to 60 days for all organizations that handle credit card data, a Visa official said this week. The rules will be the first major updates to the one-year-old Payment Card Industry (PCI) data security standard, which analysts said is slowly but surely being adopted. One set of PCI extensions is aimed at protecting credit card data from emerging Web application security threats, said Eduardo Perez, vice president of corporate risk and compliance at Foster City, Calif.-based Visa. Other new rules will require companies to ensure that any third parties that they deal with, such as hosting providers, have proper controls for securing credit card data. Merchants who fail to comply with PCI can face fines or be excluded from processing credit cards. [Editor: FTC enforcement actions effectively have been converting these security standards—contractually applied between co-operating parties—into laws; failure to implement the standards is treated as an unfair trade practice.]

YELLOW PAGES PUBLISHER FEELING THE HEAT FROM ONLINE ALTERNATIVE (ARS Technica, 7 July 2006) -- Sooner or later, all “old media” companies find themselves threatened by a site or phenomenon on the Internet. We’ve seen it happen with the music industry, TV, newspapers, and many others. Sometimes, it takes a while for the old guard to discover what’s happening—that appears to be the case with Yell, which calls itself the world’s largest yellow pages publisher. The problem—from Yell’s point of view—is Yellowikis, a wiki-based business directory available in several languages and containing listings for several different countries. The directory publisher is accusing Yellowikis of “misrepresentation,” maintaining that the site’s name “constitutes an ‘instrument of fraud.’” At first glance, it seems like a case of an elephant feeling threatened by a gnat. Yellowikis has only been operating since January 2005, has around 5,000 listings, and is run entirely by volunteers. In contrast, Yell had revenues of US$2.4 billion during 2005. However, Yellowikis offers something a telephone directory publisher cannot: dynamic, customizable content. In contrast, once a yellow pages business directory is published, that’s it until the next edition. Yell wants Yellowikis to pay damages and surrender the domain name, perhaps so it can launch a wiki-like service. As “Yellow Pages” is a trademarked name in the UK and Yellowikis refers to itself as “Yellow Pages for the 21st Century,” the small wiki may find itself embroiled in an expensive legal fight. Even if Yell wins or forces a settlement, it won’t change the fact that the business model of selling advertising, printing it in gigantic phone books, and dropping yellow pages directories off on front porches is endangered. Many directory publishers realize this and have developed an online presence that mixes paid placements in with search results. Others, like Verizon, are getting out of the yellow pages business altogether.

UTAH FILM SANITIZERS ORDERED TO CUT IT (Salt Lake Tribune, 8 July 2006) -- It’s the kind of ending Hollywood craves. After a bitter three-year legal battle involving Utah companies that sanitize movies on DVD and VHS tape, a federal judge in Denver ruled Thursday that such editing violates U.S. copyright laws and must be stopped. In a ruling in the case involving CleanFlicks vs. 16 of Hollywood’s hottest directors, U.S. District Judge Richard P. Matsch found that making copies of movies to delete objectionable language, sex and violence hurts studios and directors who own the movie rights. “Their [studios and directors] objective . . . is to stop the infringement because of its irreparable injury to the creative artistic expression in the copyrighted movies,” the judge wrote in a 16-page decision. “There is a public interest in providing such protection. Their business is illegitimate.” Michael Apted, director of “Coal Miner’s Daughter” and president of the Director’s Guild of America, said Friday that movie directors can feel “vindicated” by the ruling. “Audiences can now be assured that the films they buy or rent are the vision of the filmmakers who made them and not the arbitrary choices of a third-party editor,” he said. [Editor: Moral Rights, anyone?] Decision at

EMPLOYERS SPYING ON CANADIAN WORKERS, STUDY SUGGESTS (CBC News, 10 July 2006) -- Canadian employers in a wide range of industries conduct surveillance of employees at work, suggests a report to be released on Monday. Produced by Toronto’s Ryerson University, the study called “Under the Radar” asked Canadian businesses about surveillance of their employees. Employers view closed-circuit television cameras, listen to recorded phone calls, monitor e-mails and scan magnetic information from security passes, said lead author Avner Levin. Levin, a law professor at the university, said he isn’t surprised at the methods, but was taken aback by employers’ attitudes toward employee privacy. “Nobody said this is a problem, or even something they have to deal with in a proactive way. It’s just simply under the radar,” said Levin. Human resources executives responsible for workplace privacy often have little knowledge of the potential intrusiveness of technologies at work in their own companies, he said. They rarely know what information is being collected by colleagues running company computer systems, he said. “The executives that are responsible for privacy in the workplace are not fully aware of the extent of ... the surveillance activity that is conducted,” he said. Managers often work without guidelines about how to respond if surveillance reveals an employee behaving suspiciously, said Levin. The Ryerson study follows a large workplace survey in the United States and Britain, which suggested 40 per cent of employers regularly read employees’ e-mails. University of Ottawa privacy expert Michael Geist says Canadian firms are likely close behind. “I don’t have any doubt that we’re going to find more and more companies doing it,” he said. “To move directly to full-on monitoring of e-mail use is as invasive as it comes.”

20 INSPECTORS SUSPENDED OVER GPS (, 11 July 2006) -- The Massachusetts public safety commissioner yesterday suspended 20 state building and engineering inspectors for refusing to accept cellphones equipped with global positioning systems. Only two inspectors accepted the phones; another two were out on vacation when Commissioner Thomas Gatzunis tried to distribute the phones, which supervisors want to use to keep track of the inspectors during the work day. “The act of insubordination leaves me with no choice but to impose disciplinary measures, including the immediate suspension of those who refused the phone,” Gatzunis said. Kelly Nantel, spokeswoman for the Executive Office of Public Safety, said the cellphone policy “is about accountability.” “If you’re doing your job well, there shouldn’t be any concern with it. This allows the Department of Public Safety to ensure that taxpayers’ money is being spent in an appropriate way.”

A YEAR LATER, STILL NO DHS CYBERSECURITY CHIEF (FCW, 12 July 2006) -- Some information technology industry groups and individuals are getting impatient waiting for the Homeland Security Department to fill its still-vacant assistant secretary for cybersecurity and telecommunications position, created a year ago July 13. DHS Secretary Michael Chertoff announced July 13, 2005, that he would create the position to answer calls from Congress and industry to have a senior DHS position dedicated to cybersecurity. Robert Holleyman, president and chief executive officer of the Business Software Alliance, sent a letter to Chertoff today saying, “We are hopeful that you and the [Bush] administration will soon be able to nominate a qualified individual for the assistant secretary position.” Other industry members are less polite. Although DHS “clearly has had a lot of very important priorities to manage, it is troubling that after an entire year, we still have not seen this crucial position filled,” said Paul Kurtz, executive director of the Cybersecurity Industry Alliance. “This is not a simple personnel issue,” Kurtz said. “It is indicative of the ongoing lack of attention being paid to cybersecurity at the most senior levels of government. Without strong federal leadership, our national information infrastructure remains at risk with no one clearly in charge of coordinating its security and reliability.”

MYSPACE GAINS TOP RANKING OF US WEB SITES (Reuters, 11 July 2006) -- Online teen hangout ranked as the No. 1 U.S. Web site last week, displacing Yahoo’s top-rated e-mail gateway and Google Inc.’s search site, Internet tracking firm Hitwise said on Tuesday. News Corp.’s MySpace accounted for 4.46 percent of all U.S. Internet visits for the week ending July 8, pushing it past Yahoo Mail for the first time and outpacing the home pages for Yahoo, Google and Microsoft’s MSN Hotmail. Hitwise does not provide figures for the number of unique visitors to a site. MySpace, which dominates social networking on the Web, also gained share in June from other sites that aim to create virtual communities online for sharing music, photos or other interests, Hitwise said. MySpace captured nearly 80 percent of visits to online social networking sites, up from 76 percent in April. A distant second was FaceBook at 7.6 percent. Rupert Murdoch’s News Corp bought MySpace for $580 million one year ago as part of a strategy to rapidly build up the media conglomerate’s Internet presence.

OUTSOURCED DATA MUST BE PROTECTED, SAYS U.K. PRIVACY CHIEF (The Register, 12 July 2006) -- Companies are still liable for data protection breaches that happen on third party premises thousands of miles away, the Information Commissioner has warned. With more and more firms outsourcing data-intensive processes such as call centre activity, companies must be aware of their responsibilities, the Information Commissioner’s Office (ICO) has said. Any breach of security at a contractor’s site will be the responsibility of the original company. “The [Data Protection] Act requires you to take appropriate technical and organisational measures to protect the personal information you process whether you process it yourself or whether someone else does it for you,” said an ICO statement. Outsourcing data processing to foreign suppliers does not absolve firms from protecting the data once it passes to a third party. In fact, new guidance issued by the ICO seems to tighten up rules concerning a company’s responsibilities to find an outsourcer who will safeguard the data.

OMB TIGHTENS IT SECURITY INCIDENT RULES (GCN, 13 July 2006) -- Agencies must now report all security incidents involving personally identifiable information within one hour of discovering the incident, the Office of Management and Budget said in a memo tightening information security notification procedures. OMB also added new requirements for incorporating the cost of security in agency IT investments for fiscal 2008 IT budget submissions. The Federal Information Security Management Act of 2002 requires all agencies to report security incidents to the U.S. Computer Emergency Readiness Team (US-CERT) within the Homeland Security Department. Procedures require agencies to report according to various time frames based on the type of incident. OMB has strengthened notification procedures by making the one-hour requirement standard for both electronic and physical security, and for suspected as well as confirmed security breaches. “You should report all incidents involving personally identifiable information in electronic or physical form and should not distinguish between suspected and confirmed breaches,” said Karen Evans, OMB administrator for e-government and IT in the memo dated yesterday. US-CERT will forward all agency reports to the appropriate Identity Theft Task Force point of contact, also within one hour of notification by an agency.

GOVERNMENT CALLS FOR DISMISSAL OF SUIT OVER AT&T PHONE RECORDS (, 13 July 2006) -- Justice Department lawyers asserted a rarely used “state secrets” privilege in federal court Thursday morning in arguing for the dismissal of a lawsuit that alleges AT&T improperly handed over massive amounts of phone records to the government. Deputy Assistant Attorney General Carl Nichols said that AT&T won’t be able to defend itself against the allegations because the government is invoking the secrets privilege, which effectively shuts down any confirmation or denial of allegations in the suit. Nichols said such information would empower terrorists and endanger national security. Because AT&T can’t present a defense, the suit, filed by Chicago author Studs Terkel among others, must be dismissed, Nichols argued. “We are facing a threat right now from al-Qaida,” Nichols said. “Even the smallest risk is not a risk we should tolerate.” Harvey Grossman, legal director of the American Civil Liberties Union in Illinois, answered that his clients simply want to know that AT&T is acting lawfully. “If it’s done lawfully, we’ll walk out the door,” Grossman said.

-- and --

IN TESTIMONY, GONZALES SAYS BUSH BLOCKED INQUIRY (New York Times, 18 July 2006) -- Attorney General Alberto Gonzales said Tuesday that President Bush personally blocked Justice Department lawyers from pursuing an internal probe of the warrantless eavesdropping program that monitors Americans’ international calls and e-mails when terrorism is suspected. The department’s Office of Professional Responsibility announced earlier this year it could not pursue an investigation into the role of Justice lawyers in crafting the program, under which the National Security Agency intercepts some telephone calls and e-mail without court approval. At the time, the office said it could not obtain security clearance to examine the classified program. Under sharp questioning from Senate Judiciary Committee chairman Arlen Specter, Gonzales said that Bush would not grant the access needed to allow the probe to move forward. “It was highly classified, very important and many other lawyers had access. Why not OPR?” asked Specter, R-Pa. “The president of the United States makes the decision,” Gonzales told the committee hearing, during which he was strongly criticized on a range of national security issues by Specter and Vermont Sen. Patrick Leahy, the panel’s senior Democrat.

NEW MODEL FOR SCHOLARLY PUBLISHING (Inside Higher Education, 14 July 2006) -- It’s hard to attend scholarly meetings these days without someone talking about the “crisis of scholarly publishing,” which goes something like this: Libraries can’t afford to buy new scholarly books; in turn, university presses can’t afford to publish books no one can buy and so cut back on their sales of monographs; in turn, junior professors can’t get their first books published and have a tough time getting tenure. Rice University on Thursday announced a plan to shake up those interconnected problems. Rice University Press, which was killed in 1996, will be revived. But unlike every other university press, it will publish all of its books online only. People will be able to read the books for no charge and to download them for a modest fee. Editors will solicit manuscripts and peer review panels will vet submissions — all in ways that are similar to the systems in traditional publishing. Without the pressure to publish only works that can sell enough copies to justify a print run, Rice hopes to be able to publish scholarship that university presses increasingly feel they can’t afford. And by using peer review as other presses do, the university hopes to make its books “count” in tenure reviews just as any other press’s would. And Rice also announced plans Thursday to take on the textbook industry, offering print-on-demand textbook versions of scholarly resources it has been assembling — generally for less than $25.

GOLDMAN SACHS GOES AFTER GOLDMANSEX.COM (CNET, 14 July 2006) -- Goldman Sachs Group, the blue chip investment bank, wants a Netherlands man to change the name of a sex-oriented Web site called Goldmansex. Goldman Sachs last week submitted a complaint to the National Arbitration Forum, arguing that Goldmansex, whose domain name might be confused with its own, contained links to objectionable “adult” material. and are registered domains of the bank. Rob Muller, 32, who founded Goldmansex and is its sole employee, said “Goldman” was a nickname given to him by his friends because “People thought I was always lucky in my life.” The Web site provides links to strip clubs and escort agencies. Muller said in a phone interview on Thursday from his Netherlands home in Albian that he had never heard of the world’s largest investment bank until recently. Muller said he had hired a lawyer and would fight to retain the domain name because he does not think it should cause confusion. “Would their clients really think this is some sort of new product line?” he said.

MICROSOFT SHUTTERS WINDOWS PRIVATE FOLDERS (CNET, 14 July 2006) -- Following an outcry from corporate customers, Microsoft is removing an add-on feature to Windows that allowed users to create password-protected folders. The feature was introduced as a free download last week. Almost immediately, people raised questions over how businesses would grapple with the ability of individual workers to encrypt their data. “Private Folder 1.0 was designed as a benefit for customers running genuine Windows,” Microsoft said in a statement to CNET on Friday. “However, we received feedback about concerns around manageability, data recovery and encryption, and based on that feedback, we are removing the application today. This change will take effect shortly.” [Editor: Over-reaction? There are lots of other, similar tools many employees already are using. What’s needed is employee education, more than a tool embargo.]

TO AGENCY INSIDERS, CYBER THEFTS AND SLOW RESPONSE ARE NO SURPRISE (Washington Post, 18 July 2006) -- Every day, an electronic wall guarding the Agriculture Department’s servers is probed for holes 2,000 times by potential hackers and data thieves. The probes usually can’t get through that wall. But on the first weekend in June, a hacker made it deep into one server, prompting an announcement late last month that personal information on 26,000 Washington area employees, contractors and retirees may have been compromised. To government officials responsible for information security and to outside experts, the intrusion -- and several recent security incidents at other agencies -- was no surprise. For the past five years, the department had received failing grades on a congressional report card for its information-security practices. The overall grade for federal agencies in 2005 was D-plus. In the past few weeks, the Agriculture incident was joined by cases of potentially compromised data at Veterans Affairs, Health and Human Services, the Federal Trade Commission, the Government Accountability Office, Housing and Urban Development, the Navy, and the Energy Department. The State Department also suffered a series of hacking attacks. The VA incident, with a loss of data on 26.5 million veterans and military personnel, drew the sharpest public attention. The data were later recovered. But officials and experts say that the frequency of the recent security incidents is not unusual, and that much more work needs to be done in the federal government to implement effective cybersecurity policies.

LESSONS IN CORPORATE BLOGGING (Yahoo!, 17 July 2006) -- Last week, Dell launched a corporate blog, joining the small but growing group of businesses that have embraced the trendy communication medium. You might think that the blogosphere would have rolled out the welcome mat for the newcomer. Far from it. Dell (DELL) was treated like a party crasher with bad hygiene. “Ho ho ho,” chortled one prominent blogger, ridiculing Dell’s site as “a blog in content management system name only.” Sniffed another: “Perhaps it might have been better for them to have stayed silent.”
The irony is that Dell’s blog, called “one2one,” is actually a pretty good one. It lets employees post messages and videos, in their own voices and under their own names, and it allows readers to submit comments, even negative ones. There are limits to what Dell will publish—no curse words, no defamatory rants—but the ground rules seem sensible, and they’re clearly laid out on the site. There are a few rules of thumb that can help companies reap the benefits of a blog while sidestepping the pitfalls. The first one is simple but critical: Don’t blog for blogging’s sake. Make sure you have a clear business goal for your blog—and that you stick to that goal and track how well you’re fulfilling it. Remember that, for companies, blogging isn’t an ideology—it’s a tool. Second, make sure your blog reflects your company’s desired image and supports its strategy. Dell’s blog provides a good model. By emphasizing how the blog provides a direct connection between the company and its customers, Dell reinforces its core strategy of selling gear directly to buyers, without having to go through middlemen. The blog has also been designed as part of a larger coordinated effort to rebuild the company’s reputation, which has been damaged recently by service miscues and other snafus. Third, remember that there’s no one “right way” to blog—no matter what the blogerati might say. You can certainly use blogs to let employees exchange information and ideas with customers. But you can design them more narrowly as well. Apple Computer (AAPL), for instance, doesn’t allow employees to blog on its behalf—probably because it doesn’t want to risk muddying a painstakingly designed corporate image—but it has set up a blog to promote its .Mac services. 
Finally, make sure you educate your employees about the legal and business risks inherent in blogging, such as the possibility that they might inadvertently disclose sensitive or regulated information. See also ,_i_rssPage=81cea682-52a8-11da-8d05-0000779e2340.html

-- and --

SURVEY: MAJORITY OF BLOGS ARE PERSONAL (AP, 20 July 2006) -- The most high-profile blogs may be about news, politics or technology, but the vast majority of Web journals are more personal in nature, a survey found. “My life and experiences” was cited as the primary focus by 37 percent of U.S. bloggers, with politics and government a distant second at 11 percent, according to the study issued Wednesday by the Pew Internet and American Life Project. “They are about people’s personal experiences,” said Amanda Lenhart, Pew’s senior research specialist. “They don’t tend to be about one topic. It’s not just about politics. It’s about politics, your kids and going for a walk. It’s about what crosses people’s minds and what inspires them.” The study also found that most bloggers — 84 percent — consider their blog mostly a hobby, not something they spend a lot of time on. Nearly 60 percent spend only one or two hours a week on it, and half the bloggers say they do it mostly for themselves, not for an audience. Despite a greater awareness of blogs — 39 percent of U.S. Internet users surveyed in January say they have them, compared with 27 percent in September — only 8 percent of online adults keep a blog, a figure that has remained steady.

-- and --

SECRETARY SACKED FOR BLOGGING (Sydney Morning Herald, 19 July 2006) -- A 33-year-old British secretary has launched a test case before a French employment tribunal after being sacked from her company for writing a blog about her day-to-day life in Paris. The blog - written under the pseudonym “La Petite Anglaise” - has built up a sizeable international following over the last two years, with up to 3000 people a day reading diary-style accounts about work, relationships and the travails of single motherhood. But in April Catherine - she refuses to give her family name - was called in by superiors at the Paris office of British accounting firm Dixon Wilson and told she was being dismissed for gross misconduct. “In the dismissal letter they told me I had brought the company into disrepute, but I never once referred to it or the people there by name,” Catherine told AFP. Managers had also discovered from reading the blog that on two occasions she had lied about having nanny problems to take the afternoon off, Catherine said. And they objected to her using the computer in office hours to write the blog. The case - one of the first of its kind in France - will be brought before the “prud’hommes” or labour tribunals later this year, and Catherine’s lawyer is pressing for an award of two years’ salary.

-- and --

C.I.A. WORKER SAYS MESSAGE ON TORTURE GOT HER FIRED (New York Times, 22 July 2006) -- A contract employee working for the Central Intelligence Agency said she had been fired recently for posting a message on a classified computer server that said an interrogation technique used by the agency against some terror suspects amounted to torture. The employee, Christine Axsmith, kept the “Covert Communications” blog on a top-secret computer network used by American intelligence agencies. Ms. Axsmith was fired on Monday after C.I.A. officials objected to a message that criticized the interrogation technique called “waterboarding,” a particularly harsh practice that the C.I.A. is known to have used on Khalid Sheik Mohammed, who is widely regarded as the mastermind of the Sept. 11 attacks. The episode has opened a window into the new world of classified blogging: an experimental effort being carried out in top-secret computer forums where information and ideas are shared across the intelligence community. Intelligence officials said that since last year, more than 1,000 blogs had been set up on classified intelligence servers. Ms. Axsmith, a computer security expert with a law degree, posted the message this month, shortly after the Bush administration decided to grant some protections of the Geneva Conventions to suspected terrorists in American custody. She said that her message began, “Waterboarding is torture, and torture is wrong.” Ms. Axsmith’s firing was earlier reported on several blogs including on Thursday, and in Friday’s Washington Post. “I wanted an in-house discussion,” Ms. Axsmith said in an interview on Thursday in her home in Washington. “Something where I would be educating people on the background of the Geneva Conventions.” Instead, Ms. Axsmith was fired by her employer, B.A.E. Systems, which has an information technology contract with the C.I.A. Paul Gimigliano, a C.I.A. spokesman, said that the blogs were intended to “encourage collaboration” on business issues but that postings “should relate directly to the official business of the author and readers of the Web site.” Though stripped of her security clearance, Ms. Axsmith still maintains her public, unclassified blog: On that Web site on Friday, there were several messages supporting her, including postings from anonymous intelligence officials who said that they would miss her “Covert Communications” blog.

UNINTENTIONALLY WORST COMPANY URLS (Techlaw Advisor, 18 July 2006) -- Everyone knows that if you are going to operate a business in today’s world you need a domain name ... the following (legitimate) companies who deal in everyday humdrum products and services but clearly didn’t give their domain names enough consideration: [cute]

VA OFFICIAL CRITICIZED IN DATA THEFT IS LEAVING FOR PRIVATE SECTOR (, 19 July 2006) -- A top Veterans Affairs official criticized after the theft of a laptop containing 26.5 million veterans’ sensitive information is leaving to take a job in the private sector, the department said Wednesday. Tim McClain, the VA’s general counsel since 2001, is resigning effective Sept. 1 to pursue unspecified opportunities elsewhere. He is the fifth official to leave the department following the May 3 theft of a laptop from a VA data analyst’s suburban Maryland home. In recent weeks, McClain has come under fire from lawmakers of both parties who said he resisted repeated attempts in previous years to centralize authority for information security under the agency’s chief information officer. That lack of authority has been cited by auditors as a primary reason behind security weaknesses in the department that contributed to the May 3 theft, the government’s largest information security breach. VA Secretary Jim Nicholson has since ordered that the CIO receive that authority. The stolen laptop and external drive containing veterans’ data have been recovered.

VULNERABILITY AUCTIONS KILLING RESPONSIBLE DISCLOSURE (ZDnet, 19 July 2006) -- More security researchers are selling vulnerabilities to the highest bidder rather than disclosing them “responsibly” to the vendor whose products are affected. At a breakfast briefing organised by e-mail security firm MessageLabs on Wednesday, Graham Ingram, general manager of the Australian Computer Emergency Response Team (AusCERT), said that a market where vulnerabilities in software are traded is hotting up and the rewards for researchers can be very tempting. “I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under ‘responsible disclosure’ or pay off my mortgage, which one do I choose?” Responsible disclosure occurs when a security researcher discovers vulnerabilities in a popular application and then reports them to the relevant vendor rather than publishing the details online or, as has become a trend recently, selling that information to the highest bidder. “The economy on the market place is facilitating the sale of everything you want from custom Trojans to rootkits and moving through to things like vulnerabilities, which are a marketable commodity,” said Ingram. Last week, security firm Finjan published evidence, which was compiled by the company’s Malicious Code Research Centre, that showed examples of vulnerabilities being sold online. Finjan’s chief technical officer, Yuval Ben-Itzhak, said that researchers will be even more likely to sell their discoveries as the demand -- and therefore the price -- goes up.,2000061744,39263952,00.htm

-- and see older, related story --

EBAY PULLS VULNERABILITY AUCTION (Security Focus, 9 December 2005) -- Online auction giant eBay shut down the bidding for a vulnerability in Microsoft’s Excel spreadsheet program on Thursday, saying that the sale of flaw research violates the site’s policy against encouraging illegal activity. “The listing was immediately reviewed and pulled from the site for violating our policy against promoting illegal activity--hacking,” England said in an e-mail to SecurityFocus. “In general, research can be sold as a product. However, if the research were to violate the law or intellectual property rights then it would not be allowed.” The move comes as the idea of selling vulnerability research has gained more traction amongst the security industry and research communities. Buying flaw information is a controversial practice, but one currently supported by at least two security companies: iDefense and 3Com’s TippingPoint. Both companies have created initiatives aimed at procuring original vulnerability research from independent flaw finders.

-- and --

NO COMPENSATION FOR ‘RESPONSIBLE DISCLOSURE’: MICROSOFT (ZDnet, 20 July 2006) -- Paying independent security researchers a bounty for responsibly disclosing vulnerabilities is not the best way to protect users, according to Microsoft. Microsoft has said it will not offer money to security researchers for responsibly disclosing vulnerabilities in its products. Responsible disclosure is where a researcher discovers a vulnerability and informs the vendor but nobody else -- until a patch is available. However, Australia’s Computer Emergency Response Team (AusCERT) on Wednesday warned that crime gangs are paying big money for newly discovered vulnerabilities. This acquired knowledge is then used to develop new attack vectors in order to steal money, identities and intellectual property. Peter Watson, chief security advisor for Microsoft Australia, told ZDNet Australia that there are better ways to protect its customers than paying researchers “bug bounties”. “Microsoft works closely with numerous security researchers and security software companies and does not believe that offering compensation for vulnerability information is the best way we can help protect customers.”,2000061744,39264106,00.htm

ZIMBABWE EYES PLAN TO SPY ON CITIZENS (Washington Post, 23 July 2006) -- Times are hard and getting harder in Zimbabwe, where people too proud to cry about hunger, joblessness and misrule could soon find it too dangerous to joke about them. Parliament plans to debate proposals next month to empower the secret police to eavesdrop on mail, e-mail and phones without any court approval. The government denies any sinister intent, saying it is putting its anti-terrorism legislation in line with international practice. But Zimbabwe is not on the front lines of the war on terror, and government agents could use the proposed powers to monitor the communications of the political opposition, journalists and human rights activists who are critical of President Robert Mugabe. Secret police and intelligence agents could violate attorney-client privilege, track financial transactions and negotiations, and eavesdrop on anyone’s private life. Anytime a Zimbabwean visits a Web site, makes a deal or tells a joke, Big Brother could be listening or watching. Internet and cell phone service providers would, at their own expense, have to provide the government with equipment to sort and intercept communications. The aim “is to monitor and block communications for political reasons and to use information they get to persecute opponents,” said Lovemore Madhuku, chairman of the National Constitutional Assembly, a group critical of repressive laws and actions of Mugabe’s government. Telephoned from neighboring South Africa, he said: “It is part and parcel of the process of controlling dissent and stifling democratic debate.” South Africa has quietly adopted a similar law, with the important difference that a court must approve any interception. In Zimbabwe, that authority would rest solely with Mugabe’s minister of transport and communications.

MARINES USE MYSPACE TO RECRUIT (Wired, 24 July 2006) -- Teens looking to hook up with a friend on the popular web community MySpace may bump into an unexpected buddy: the U.S. Marine Corps. So far, over 12,000 web surfers have signed on as friends of the Corps in response to the latest military recruiting tactic. Other military branches may follow. MySpace.Com, the internet’s most popular social networking site with over 94 million registered users, has helped redefine the way a generation communicates. Users, many in their teens and 20s, post personal profiles and accumulate lists of friends and contacts with common interests. The Marine Corps MySpace profile -- featuring streaming video of barking drill sergeants, fresh recruits enduring boot camp and Marines storming beaches -- underscores the growing importance of the internet to advertisers as a medium for reaching America’s youth. “That’s definitely the new wave,” said Gunnery Sgt. Brian Lancioni at a Hawaii recruiting event. “Everything’s technical with these kids, and the internet is a great way to show what the Marine Corps has to offer.” Patrick Baldwin, an 18-year-old recruit from Saratoga, New York, who linked his profile to the Marines’ site after hearing about it from a friend, said MySpace was a good place for interested teens to start learning more about the Marines. “The more information you have the better off you are,” said Baldwin, who left for boot camp a few weeks ago. The Army, which originally balked at advertising on MySpace because of well-publicized incidents of child predators using the site to meet kids, plans to soon set up its own profile page.,71448-0.html?tw=rss.index

BSA COLLECTS OVER $2M IN SETTLEMENTS FROM U.S. COMPANIES (Computerworld, 26 July 2006) -- The Business Software Alliance (BSA), a watchdog group representing the nation’s leading software manufacturers, today announced it has collected over $2 million in settlements from 19 U.S. companies that were running illegal software. In addition to making the payments, each company agreed to delete any unlicensed copies of programs it was using, purchase any needed replacements and strengthen software management practices, the BSA said. “We hope that these announcements will encourage other businesses to re-examine and update, if necessary, their software management systems,” Jenny Blank, director of enforcement at the BSA, said in a statement. “Businesses should be certain that using fully licensed software is part of their corporate responsibility checklist.”

CHAT ROOMS COULD FACE EXPULSION (CNET, 27 July 2006) -- Web sites like and may soon be inaccessible for many people using public terminals at American schools and libraries, thanks to the U.S. House of Representatives. By a 410-15 vote on Thursday, politicians approved a bill that would effectively require that “chat rooms” and “social networking sites” be rendered inaccessible to minors, an age group that includes some of the Internet’s most ardent users. Adults can ask for permission to access the sites. “Social networking sites such as MySpace and chat rooms have allowed sexual predators to sneak into homes and solicit kids,” said Rep. Ted Poe, a Texas Republican and co-founder of the Congressional Victim’s Rights Caucus. “This bill requires schools and libraries to establish (important) protections.” Even though politicians apparently meant to restrict access to MySpace, the definition of off-limits Web sites is so broad the bill would probably sweep in thousands of commercial Web sites that allow people to post profiles, include personal information and allow “communication among users.” Details [would] be left up to the Federal Communications Commission. The list could include Slashdot, which permits public profiles; Amazon, which allows author profiles and personal lists; and blogs like that show public profiles. In addition, many media companies, such as publisher CNET Networks, permit users to create profiles of favorite games and music. “While targeted at MySpace, the effects are far more wide-ranging than that, including sites like LinkedIn,” said Mark Blafkin, a representative of the Association for Competitive Technology, which counts small- to medium-size technology companies as members. “Nearly any news site now permits these types of behaviors that the bill covers.” House Republicans have enlisted the Deleting Online Predators Act, or DOPA, as part of a poll-driven effort to address topics that they view as important to suburban voters in advance of November’s elections. Republican pollster John McLaughlin surveyed 22 suburban districts and presented his research at a retreat earlier this year. DOPA was part of the result.

MUSIC INDUSTRY ANNOUNCES A DEAL WITH KAZAA (New York Times, 27 July 2006) -- The music industry and Hollywood film studios said today that they had settled lawsuits against a longtime nemesis: Kazaa, the digital file-sharing service. The settlement frees Kazaa to transform itself into an authorized online distributor of music and movies. The owner of Kazaa, Sharman Networks, a privately held company incorporated on the Pacific island nation of Vanuatu and operated out of Australia, agreed to pay $115 million to the major record companies and movie studios, which accused Kazaa of aiding the illegal copying and distribution of movies over the Internet. The settlement follows court decisions against Kazaa in Australia and against other file-sharing services by the United States Supreme Court. Sharman Networks said the agreements clear the way “to enable distribution of the broadest range of licensed content over Kazaa.” Under the agreement announced today, Sharman Networks will pay the major record companies (Sony BMG, Universal Music Group, EMI Group and Warner Music) “in excess of $100 million,” according to John Kennedy, chief executive of the International Federation of the Phonographic Industry, the London-based association representing the record companies. The music federation said that Kazaa agreed to license music from the record industry “majors,” which control most music copyrights. Independent record labels are not included in the settlement, but would be free to pursue their own licensing deals with Kazaa, executives said. In making the switch to a licensed, royalty-paying business, Kazaa would follow Napster, one of the original file-swapping services, which was reborn as a music seller after an adverse court ruling in 2001. Kazaa said it would take steps to prevent its network from being used for unauthorized distribution of copyrighted material in the meantime. Kazaa now earns revenue primarily from advertising, and does not charge fees to users of its site. Mr. Kennedy said the recording industry would not object to Kazaa sticking with that kind of advertising-supported business model, as long as it pays the proper royalties. Such a model would differentiate Kazaa from other online music services, which typically charge users for downloads, either song by song or through a subscription fee. Digital music offerings are proliferating, including several from companies that use peer-to-peer technology.

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. Internet Law & Policy Forum,
6. BNA’s Internet Law News,
7. Crypto-Gram,
8. McGuire Wood’s Technology & Business Articles of Note,
9. Steptoe & Johnson’s E-Commerce Law Week,
10. Readers’ submissions, and the editor’s discoveries.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
