Clips October 15, 2003

ARTICLES

FBI found lagging on improvements
RIAA to Charter: Give up file-swapper names
GAO doesn't forget former employees
NIST releases security guides
Davis: Why the delay on E-Authentication?
OPM launches redesigned Web site
DOD sets plan for move to IPv6
How about IM via a Dick Tracy watch?
UK officials call for cross-border anti-spam fight

*******************************
Washington Times
FBI found lagging on improvements
By Jerry Seper
THE WASHINGTON TIMES

The FBI, first warned in 1990 that its computer and information systems were outdated and ineffective, has failed to make all the necessary improvements to ensure it can effectively guard against terrorists who target the United States, a report said yesterday.
    The Justice Department's Office of Inspector General, in a 145-page report, said that while the FBI made progress in correcting problems with outdated infrastructures, fragmented management, ineffective systems, inadequate training and problems with computer security, more work is needed to guard against terrorists.
    "In the past, FBI management had not paid sufficient attention to improving its IT [information technology] program," said Inspector General Glenn A. Fine. "Until recently the FBI lacked an effective system to ensure that recommendations issued by the OIG are implemented in a timely and consistent manner.
    "This audit shows that while some progress has been made, more needs to be done to correct deficiencies that we have identified in prior reports," Mr. Fine said.
    In a response to the report, the FBI agreed to make and document efforts to meet the recommendations, and to hold bureau supervisors accountable for getting the job done.
    FBI Director Robert S. Mueller III has said the overhaul of the FBI information-technology program is a bureau priority and has been recognized as a "core function that must be fully supported by management."
    According to the report, the FBI has implemented 93 of 148 recommendations made over the past 13 years to correct an IT program described by investigators as outdated and ineffective. But, the report said, "many additional actions are required to ensure that the FBI's IT program effectively supports its mission" of preventing terrorism.
    Following the September 11 attacks that killed more than 3,000 people, Attorney General John Ashcroft made it clear that prevention of terrorism was the Justice Department's top priority, and that effective use of information technology was crucial to the FBI's ability to meet that priority.
    The FBI, according to the report, allocated $606 million in fiscal 2003 for IT projects. The bureau, under Mr. Mueller's leadership, was "pursuing significant improvements ... which it believes will correct many of the deficiencies identified by the OIG reports," said the report.
    But the report said that until recently, the FBI had not established a system of management controls for tracking recommendations, as required by the Justice Department and the Office of Management and Budget. As a result the bureau had not adequately improved its IT program to ensure data are safeguarded and reliable.
    The report also said computer applications were not secure from unauthorized access.
    Mr. Fine noted the FBI leadership indicated it is "committed to enhancing controls" to ensure the previous recommendations are timely and consistently implemented, and that the bureau established a system to facilitate tracking the implementation of recommendations.
    In the report, the Inspector General's Office recommended the FBI develop, document and implement bureauwide procedures to follow up the recommendations, and that it guarantee that managers are held accountable.
*******************************
CNET News.com
RIAA to Charter: Give up file-swapper names
Last modified: October 14, 2003, 4:33 PM PDT
By Stefanie Olsen
Staff Writer, CNET News.com

The Recording Industry Association of America is pressing a federal court to ignore cable Internet provider Charter Communications' attempt to keep private the names of 93 subscribers who allegedly traded songs online illegally.

On Friday, the trade organization filed a court memorandum opposing Charter's "motion to quash" a subpoena request for the names. The RIAA charges that Charter is unlawfully withholding the identities of its high-speed Internet subscribers who, it says, disseminated more than 100,000 copyrighted songs in peer-to-peer communities like Kazaa without the permission of rights holders.

Among other arguments, the RIAA is denying claims by Charter that it has not filed proper documentation to receive the detailed information on alleged infringers, including their names, addresses, phone numbers and e-mail addresses.

"Charter...has the IP addresses of the 93 infringers, a subpoena validly issued...a declaration complying with all of the (Digital Millennium Copyright Act) requirements, and notices listing copyrighted works illegally disseminated by each infringer," the filing says. "Charter claims instead that the DMCA requires RIAA to fill out 93 different subpoena forms that will differ only as to the IP address (for each infringer)...Charter's goal is transparent--to increase the paperwork burden on copyright holders."

The memorandum, submitted to the U.S. Eastern District Court in St. Louis, was filed a week after Charter motioned to quash a subpoena for the names. In doing so, Charter became the first cable company to fight the RIAA in its campaign to target peer-to-peer song swappers with lawsuits. Telecommunications companies, such as Verizon Communications, have taken similar measures against the RIAA without success.

A representative from Charter said that the company had not received the filing as of early Tuesday so it could not comment on it. But the company reaffirmed its commitment to protecting the identities of subscribers in accordance with its privacy policy.

"It's all about protecting the interests of our customers and our business," said Anita Lamont, Charter spokeswoman. "Our intent has never been not to comply with the law. We think we owe it to our customers to take it as far as can be."

In one slight discrepancy with the RIAA, Charter said the recording association has requested the names of 150 subscribers, not 93. Lamont said that the company has notified these 150 that the RIAA is seeking their names.

This summer, the RIAA filed 261 lawsuits against individuals that it claimed had violated copyrights belonging to its member companies. Those individuals' identities were obtained through subpoenas sent to Internet service providers and cable Internet suppliers.
*******************************
Washington Times
GAO doesn't forget former employees
By Audrey Hudson

  Joseph Evans knew better than to use the new government credit card he was recently issued.
    "That would be criminal," said the former auditor for the General Accounting Office (GAO), the investigative arm of Congress.
    Mr. Evans worked for the GAO for more than 30 years before he was "ushered out the door" and forced to retire, he said.
    That was nearly two years ago. So Mr. Evans was somewhat surprised to get the MasterCard from Bank of America.
    "You would think that the watchdog of the government would be a little more careful about who it gives a credit card to," Mr. Evans said.
    A spokesman for the GAO confirmed there was a glitch in the system and said 40 to 50 credit cards were issued to ex-employees with a credit ceiling of $12,500.
    "It's true, there was a breakdown in our system," spokesman Jeff Nelligan said.
    "We were notified by a former GAO employee, and all cards were canceled Sept. 25. No transactions had been made, and we now have a plan that has strengthened our accountability in these areas," Mr. Nelligan said.
    Mr. Evans said he was "just dumbstruck" that the office charged with ferreting out waste, fraud and abuse in federal agencies did not have controls in place to prevent such an error.
    "There is a lot of potential in that for abuse," Mr. Evans said.
    The GAO devotes 90 percent of its investigations to those requested by members of Congress, often with headline-grabbing results.
    Last week the GAO reported it had used a fake company to buy excess Pentagon supplies over the Internet that terrorists could use to make biological and chemical weapons. The items were bought for $4,100 but the original acquisition price was $46,960.
    A Pentagon audit accused Marine Corps Staff Sgt. Sherry Pierre of using a military credit card to pay for breast-enhancement surgery, a car, motorcycle and other items totaling nearly $130,000.
    Last month the GAO released its findings in an audit of credit-card charges by Agriculture Department employees in the Forest Service and found $1.6 million in improper purchases from Oct. 1, 2000, through Sept. 30, 2001.
    Among the items purchased on the government's tab were a billiard table, digital cameras, costumes, caterers and a $2,900 aquarium. Credit cards were also used at a scuba shop and a bingo casino.
    Other audits have shown credit cards were used by federal employees at brothels and sporting events.
    Mr. Nelligan could not confirm by press time whether the GAO has ever investigated the issuance of credit cards to former employees, but said at the GAO "we're on top of this thing now."
*******************************
Federal Computer Week
NIST releases security guides
BY Diane Frank
Oct. 14, 2003

The National Institute of Standards and Technology last week released guidelines for federal agencies to address areas such as the basics of choosing security products and developing security training and awareness.

The five final special publications range from technical descriptions to high-level guidance aimed at agency executives. They have been circulating for several months in draft form and represent the latest in a series of guides meant to help agencies with issues in the Federal Information Security Management Act (FISMA) of 2002 and highlighted by the Office of Management and Budget.

Special Publication 800-42, "Guideline on Network Security Testing," <see http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf> is meant for information technology and security officials in an agency. It focuses on the details of setting up, maintaining and acting on standard enterprise network penetration testing programs. Constant testing is a major component of a security program, highlighted first by the Government Information Security Reform Act (GISRA) of 2000, and now FISMA.

The high-level view in Special Publication 800-64, "Security Considerations in the Information System Development Life Cycle," <see http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf> addresses many key concerns from OMB. For years, officials have pushed agencies to consider security from the very beginning of the development of any system or program in order to head off potential incidents and save money later. Including security in the business case for any new system is now a key evaluation factor for determining whether OMB will grant agency budget requests.

Specific training and general awareness are growing concerns within agencies, as officials realize that technology will not help if users and managers do not take security steps as well. Additional requirements are laid out in FISMA, and Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program," <see http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf> identifies four critical steps for training and awareness -- from assessing agencywide needs to post-implementation feedback and adjustment.

Special Publication 800-36, "Guide to Selecting Information Security Products," <see http://csrc.nist.gov/publications/nistpubs/800-36/NIST-SP800-36.pdf> looks at product evaluation -- an area of security receiving increased attention from Congress. It reviews potential issues for many types of products, including identification and authorization, firewalls, vulnerability scanners and forensics. It highlights the Common Criteria Evaluation and Validation Scheme, an international standard for evaluating security products now required for defense and national security and being considered for civilian agencies. The National Information Assurance Partnership, a joint venture between NIST and the National Security Agency, oversees the Common Criteria for the United States.

More agencies are contracting out for security services that support their products and programs. Special Publication 800-35, "Guide to Information Technology Security Services," <see http://csrc.nist.gov/publications/nistpubs/800-35/NIST-SP800-35.pdf> outlines a life cycle for buying these services -- from determining whether a service can help in the first place all the way to ending it. The guide details the pros and cons of possibilities instead of prescribing a specific way to go about dealing with issues.
*******************************
Government Computer News
10/15/03
Davis: Why the delay on E-Authentication?
By Jason Miller

Rep. Tom Davis is questioning whether the General Services Administration's E-Authentication Quicksilver initiative will be completed by March and wants to know how the project's delays are affecting the other 24 e-government initiatives.

In a letter to GSA administrator Stephen Perry, Davis (R-Va.), chairman of the Government Reform Committee, requested a briefing on GSA's efforts to address E-Authentication's challenges.

Davis' letter stems from an upcoming General Accounting Office report that found limited progress in a variety of areas, including policy, acquisition and technology development.

"According to GAO, essential activities, such as developing authentication profiles for the other 24 initiatives, have not been completed," Davis said. "GSA also eliminated a step in the acquisition process to award a new contract for the operational systems. This action could mean the GSA will miss an opportunity to explore other potential solutions for designing the gateway."

GAO also pointed out that GSA has yet to define user requirements, achieve interoperability among available authentication products or fully address funding, security and privacy issues, Davis said.

"The E-Authentication Gateway is critical to the federal government's effort to encourage stakeholders to use electronic processes to conduct transactions with the government and help make e-government a reality," Davis said.

GSA has made progress with the project over the last few months. It has set up a governance structure, let the Social Security Administration's prisoner data system use the gateway in a live production environment, and released an E-Authentication policy guidance [see story http://www.gcn.com/22_28/news/23602-1.html].
*******************************
Government Computer News
10/15/03
OPM launches redesigned Web site
By Jason Miller

When the Office of Personnel Management decided to redesign its Web site, officials spent most of the time researching how to meet the needs of federal employees, retirees and job seekers. It also had to figure out how many of the 86,000 pages on the site should be revamped.

The new look affects about 10 percent of the pages on the site, said Vivian Mackey, OPM's director for Web design and publications, at yesterday's official unveiling of the new site, www.opm.gov. "Many of the pages are not visited on a regular basis. We really wanted to concentrate on the most visible pages."

OPM officials divided the site's most visited pages into three areas: strategic management of human capital, employment and benefits, and career opportunities. It also provides easy access to federal forms, human resources tools, OPM publications and provides a drop-down menu of the most often visited pages on the site.

Mackey said the content is better organized than it was and that the search engine, from Inktomi Corp. of Foster City, Calif., is easier to use.

"This new Web site captures the principles of e-government," OPM CIO Janet Barnes said. "President Bush wants results and for us to use technology to transform government, and this new Web site does both."

In developing the redesign, OPM officials conducted an online user survey, conducted focus groups of federal employees under 30 years of age and of retirees, and evaluated unsolicited feedback from Web site visitors, Mackey said.

Mackey said IT workers developed the site using Microsoft Active Server Pages as well as Cold Fusion and Microsoft ASP.Net.
*******************************
Government Computer News
10/14/03
DOD sets plan for move to IPv6
By Dawn S. Onley

The Defense Department has selected two networks that will lead the transition to IP Version 6 during pilots over the next year.

The Defense Research and Engineering Network and the Defense Information Systems Network-Leading Edge Services were chosen as IPv6 test beds because they have large numbers of users, are centrally managed and can be isolated from other DOD networks, Defense officials said.

"As is often the case, the DOD science and technology community is a key enabler of transformation, and this is yet another opportunity to advance a strategic technology that enables future warfighting capabilities," Charles J. Holland, deputy undersecretary of Defense for science and technology, said in a statement.

DOD expects that it will take until 2008 for all DOD users to shift to IPv6, Defense CIO John Stenbit said. In June, Stenbit announced plans to switch to IPv6 as the department standard for integrating sensor, weapons and systems data on DOD's Global Information Grid.

Any new military communications systems bought or developed after Oct. 1 must comply with the new IP standard but be able to support IP Version 4, Version 6's predecessor, Stenbit said.

The Defense Information Systems Agency will be the IPv6 manager for DOD, acquiring, allocating and controlling address space. IPv6 is supposed to overcome the security and address limitations of IPv4.

Following the shift to IPv6 by the test bed networks, DOD will decide a ramp-up plan for DOD-wide transition to the protocol. Additional users are not expected to shift to IPv6 before next fall. One possible early candidate is the Navy-Marine Corps Intranet, Defense officials said.
*******************************
Government Computer News
10/14/03
How about IM via a Dick Tracy watch?
By Susan M. Menke

The .Net Common Language Runtime can power Internet-aware devices ranging from PCs to wristwatches that exchange instant messages.

Soon CLR will keep dashboard and refrigerator magnets up to date with whatever Internet data their owners want to see, said Rick Rashid, Microsoft Corp. senior vice president for research.

Rashid, who helped develop the Mach operating system at Carnegie Mellon University before joining Microsoft 12 years ago, said Smart Personal Objects Technology (SPOT) using CLR is the foundation of what he called "an ecology of devices that know about you. The intelligence is in the device, not in the network."

A SPOT device downloads Extensible Markup Language data via Web services. It continually displays or scrolls through a user's desired data (time, weather, calendar, news, instant messages) via MSN Direct's nationwide agreements with radio stations across the United States and Canada.

About 80 percent of each country's population can receive the signals on devices with FM subcarrier chip sets from Motorola Inc., Rashid said.

Fossil, Citizen and other watchmakers will charge $100 to $200 for a SPOT watch, he said. The prototype he wears has a black-and-white bitmap screen with 90- by 120-pixel resolution in a boxy Dick Tracy style; see www.microsoft.com/SPOT for more information.

MSN Direct's monthly charge for the Internet service has not yet been decided, he said.

A SPOT device's private key is installed during manufacture to receive signals from MSN Direct. The user can set up a secondary private key for instant messaging with chosen persons, but no others will know it. "You don't want to get spam on your watch," Rashid said.

Microsoft has adapted CLR for Windows CE devices such as a forthcoming Global System for Mobile Communications smart phone, code-named Stinger, that will be available soon through AT&T Wireless.
*******************************
USA Today
UK officials call for cross-border anti-spam fight
By Andy Sullivan, Reuters

WASHINGTON -- British officials Tuesday urged their U.S. counterparts to cooperate in their fight against "spam" e-mail, downplaying differences between the two countries' legal approaches to unwanted commercial marketing.
Several U.K. lawmakers and an appointee of Prime Minister Tony Blair are meeting this week with U.S. lawmakers and law enforcement agencies to discuss how to curb the unwanted messages that now account for roughly half of all e-mail traffic.

The two countries are likely to establish significantly different anti-spam laws, but that should not interfere with cross-border efforts to track down those who peddle snake-oil medicine or lie about their identities, U.K. officials said.

"An awful lot of this stuff is already illegal" under deceptive-trade laws, said Andrew Pinder, a Blair appointee in charge of Internet development.

The U.K. recently ratified an EU anti-spam law that would prevent businesses from e-mailing consumers without their explicit permission, and California adopted a similar law last month.

But such an "opt-in" approach has found no traction in the U.S. Congress, where the leading proposals would override the California law and allow businesses to e-mail consumers until asked to stop.

British lawmakers said they were worried that the U.S. Constitution's free-speech protections would ensure that their inboxes would still be clogged with unwanted come-ons. Nine out of 10 spam messages originate in the United States, according to a report commissioned by a parliamentary task force.

"Why should we be forced to receive adverts for Viagra?" said Andrew Miller, a member of Parliament. "This was not in the minds of the framers of the Constitution."

"If we could just get the Americans here to understand that this is not just an American issue, we would feel that we've achieved something," said Brian White, another Parliament member.

MP Derek Wyatt said an international body along the lines of the International Telecommunications Union, which sets international telecommunications standards, would be needed to handle Internet issues on a global basis.

Spammers and criminals have for years exploited the borderless nature of the Internet to cover their tracks, and law enforcers have scored some success in tracking them down.

Police last year broke up a child-pornography ring based in Denmark, Switzerland, the Netherlands and the United States, while consumer-protection agents in the United Kingdom and United States have managed to force at least one spammer to refund money he collected through a junk e-mail campaign.

The U.S. Federal Trade Commission and 29 other countries announced an effort in June to track down spammers, telemarketers and other scam artists who operate internationally.

The FTC has also asked Congress to give it greater authority to work more closely with foreign law-enforcement bodies.
*******************************