Clips October 29, 2003

[Lillie Coney <lillie.coney@xxxxxxx>]

Clips October 29,
2003

ARTICLES

Feds grant DMCA exceptions
Mandate Is Upheld for Digital TV Tuners
Web Group Backs Microsoft in Patent Suit
Orbitz investigates security breach
Justice renews Web use monitor
Officials unveil first phase of foreign visitor tracking system
Hackers get novel defense: The computer did it
Outburst From Sun Headed For Earth 
Government unveils system to check identities of foreign visitors
Brazil Becomes a Cybercrime Lab

*******************************
CNET News.com
Feds grant DMCA exceptions
Last modified: October 28, 2003, 6:16 PM PST
By John Borland 

The Library of Congress created on Tuesday four narrow exemptions to a
controversial digital-piracy statute but faces criticism from free-speech
activists, who had hoped for more exceptions. 

As part of a regular process of reviewing the Digital Millennium
Copyright Act, regulators created four new instances in which it is legal
to crack digital copyright protections. Such protections can now be
broken to access: 

? Lists of sites blocked by commercial Internet filtering software, but
not spam-fighting lists.

? Computer programs protected by hardware dongles that are broken or
obsolete.

? Computer programs or video games that use obsolete formats or
hardware.

? E-books that prevent read-aloud or other handicapped access formats
from functioning. 

Some DMCA critics had asked for far more sweeping exemptions, such as the
ability to break through copy or usage restrictions on DVDs and CDs in
order to use the content in different devices and mediums. 

"It's disappointing that the U.S. Copyright Office and the Librarian
(of Congress) continue to relinquish their power to protect the rights of
American consumers to lawfully use their own property," said Robin
Gross, executive director of IP Justice, a digital rights activist group.

In a statement accompanying the ruling, Librarian of Congress James
Billington said that he did not have the power to go as far as critics
wanted and that many of the most expansive proposals for exemptions had
been put forward by people who misunderstood the law. 

Some participants "sought exemptions that would permit them to
circumvent access controls on all works when they are engaging in
particular noninfringing uses of those works," Billington wrote in
his statement. "The law does not give me that power." 

The exemptions will be in effect for three years, after which time
regulators will examine the law again.
*******************************
Los Angeles Times
Mandate Is Upheld for Digital TV Tuners
 From Reuters
October 29, 2003

A U.S. appeals court upheld federal regulations requiring television set
manufacturers to install tuners that can receive high-quality digital
broadcast signals in new sets starting next summer. 

The Federal Communications Commission in August 2002 ordered that digital
tuners be included in new sets as part of an effort to jump-start the
lagging transition to crisper digital television, targeted for completion
by 2007. 

The Consumer Electronics Assn., which represents manufacturers such as LG
Electronics Ltd.'s Zenith and Sony Corp., had challenged the rules,
arguing that the FCC lacked the authority to impose such a
requirement.

The U.S. Court of Appeals for the District of Columbia found that the FCC
had the authority and "reasonably determined" that requiring TV
manufacturers to phase in digital tuners would increase production and
lower costs.
*******************************
New York Times
October 29, 2003
Web Group Backs Microsoft in Patent Suit
By STEVE LOHR

A leading Internet standards-setting organization took the unusual step
yesterday of urging the director of the United States Patent and
Trademark Office to invalidate a software patent that the group says
threatens the development of the World Wide Web.

The move by the World Wide Web Consortium puts the group squarely behind
Microsoft in a patent-infringement lawsuit that the company is losing so
far. A federal jury ruled against Microsoft in August and awarded $521
million to a former University of California researcher who holds the
patent the Web consortium now wants revoked.

The Web group contends that the patent based on work done by Michael
Doyle, founder of Eolas Technologies in Chicago, while he was an adjunct
professor at the University of California at San Francisco, was
improperly granted. In a filing with the patent office, the Web
consortium asserts that the ideas in the Eolas patent had previously been
published as prior art, a legal term. That prior art was not considered
when the patent was granted, or in the Microsoft trial, and thus the
patent claims should be invalidated, the consortium contends.

In a long letter yesterday, Tim Berners-Lee, the consortium director, who
created the basic software standards for the Web, said the patent office
should begin a review of the patent "to prevent substantial economic
and technical damage to the operation of the World Wide
Web."

In his letter to James E. Rogan, director of the patent office, Mr.
Berners-Lee repeatedly emphasized the wider public interest in a review
of the patent. If the claims in the patent are upheld and enforced, Mr.
Berners-Lee warned, "the cycle of innovation on the Web would be
substantially retarded." Later, he wrote that the patent, if
unchallenged, represented "a substantial setback for global
interoperability and the success of the open Web."

The technology in question lets a Web browser summon programs
automatically over the Internet. The programs that use this technology
include those for playing music, videos and animations and exchanging
documents over the Internet. The technology has become a standard feature
in the software for coding Web pages, called hypertext markup
language.

To comply with the court ruling, Microsoft has told several software
companies and the Web consortium that it plans to make changes in its
Internet Explorer browser, the on-ramp to the Web for 90 percent of
computer users. That, the Web consortium warned, could force changes in
other Internet media software including the Real Networks music player,
Apple's QuickTime video program, Macromedia Flash, Adobe's document
reader, and Web scripting languages like Sun Microsystems' Java. In
addition, the standards group said, Web pages across the Internet might
have to be modified to adjust to changes made by Microsoft to comply with
the court ruling.

The Web consortium has representatives from many technology companies,
including competitors of Microsoft. But after discussions among the
consortium members, the group agreed that there was an overriding broader
interest in challenging the patent, thus helping Microsoft.

"There was a real recognition that the issues here go way beyond one
company losing a lot of money in a lawsuit," said Daniel J.
Weitzner, director for technology and society activities at the Web
consortium. "And we really are persuaded that the patent is
invalid." 

In the trial, Microsoft did claim that there was prior art that
undermined the claims of the Eolas patent. But in its filing, the Web
consortium offers different examples including pre-Internet era software
like Write, a word-processing program included with the Windows 3.1
operating system, which included software for summoning and displaying
other programs. That, the standards group said, is the same basic
function and idea described in the Eolas patent.

A spokesman for Microsoft, Lou Gellos, said Microsoft had not seen the
Web consortium's filing. "It's news to us," he said.

The lawyers representing Eolas and Mr. Doyle could not be reached for
comment yesterday evening.
*******************************
CNET News.com
Orbitz investigates security breach
Last modified: October 28, 2003, 6:35 PM PST
By Alorie Gilbert 
Staff Writer, CNET News.com

Online travel agency Orbitz has notified law enforcement authorities
about a recent security breach that has resulted in its customers' e-mail
addresses falling into the hands of spammers, an Orbitz representative
confirmed Tuesday. 

"A small number of customers have informed us that they have
received spam or junk e-mail from an unknown party that apparently used
unauthorized and/or illegal means to obtain their e-mail addresses used
with Orbitz," spokeswoman Carol Jouzaitis said in a statement.
"There is no evidence that customer password or account information
has been compromised." 

Orbitz found no indication that credit card information had been
compromised, Jouzaitis added. 

Orbitz became aware of the problem "in the last day or so,"
Jouzaitis said. 

The Chicago-based company has informed the FBI of the information leak
and has launched its own internal investigation with a team of security
experts, said Jouzaitis. 

"We will aggressively pursue all individuals who may have been
involved," Jouzaitis said in her statement. She declined to provide
any further information on the nature of the breach. 

Orbitz' privacy policy states that the company does not disclose
customers' personal information, including e-mail addresses, to
third-party advertisers unless customers authorize it to do so. The
company says that permission process is separate from any permissions
customers provide during the registration process. 

One CNET News.com reader said spam messages began trickling in on Sunday
to an e-mail address that the reader had given only to Orbitz. The
offending e-mail was completely unrelated to Orbitz or airline travel,
the reader said. 

"I did not give them permission to share my personal data, and I did
opt out of receiving their ads during the registration process, as I
always do," said the reader, who wished to remain anonymous.
"Plus, they already admitted in their e-mails to me that they are
aware that there was a problem and that my info should not have been
divulged--now the question is: What happened and how severe of a problem
is it?" 

Several other apparent Orbitz members aired similar complaints about
Orbitz and spam on Google's Usenet discussion forum and on the
BroadbandReports.com discussion board on Monday.
*******************************
Federal Computer Week
Justice renews Web use monitor
BY Sara Michael 
Oct. 28, 2003

The Justice Department will continue to monitor employee Internet use
with Wavecrest Computing's Cyfin Reporter software.

For the second year, DOJ officials will use the software to try to stop
misuse of the Internet by the department's 100,000 users. Justice first
purchased the software in 2002 through a General Services Administration
schedule. The renewal cost the department $36,000, according to the
company.

Wavecrest monitors Internet use and automatically tracks compliance with
the organization's policy. The software creates categorized reports on
Web use by user, group or entire organization, the company 
said.

"DOJ set rigorous standards for accuracy, performance and
scalability in an Internet monitoring software product," said Dennis
McCabe, Wavecrest's vice president of business development. "We're
very pleased to have implemented Cyfin so successfully."

Wavecrest is based in Melbourne, Fla., and the Internet monitoring
software is currently installed in more than 2,000 businesses and
government organizations worldwide, according to the company.
*******************************
Government Executive
October 28, 2003 
Officials unveil first phase of foreign visitor tracking system
By Shane Harris 
sharris@xxxxxxxxxxx

Homeland Security Department officials Tuesday unveiled the first phase
of a massive new immigration system to track the comings and goings of
millions of annual visitors to the United States. 

Asa Hutchinson, Homeland Security undersecretary for border and
transportation security, said at a press conference in Washington that
the new system represents an ?historic leap forward? in U.S. immigration
enforcement and national security. 

Beginning Jan. 5, the program, known as US VISIT, will begin operating at
115 U.S. airports and 14 seaports, Hutchinson said. Foreign visitors will
be required to submit two electronic copies of their fingerprints as well
as a digital photo of their face. This information will be collected by
immigration inspectors during the routine interviews all visitors undergo
when they arrive at U.S. ports of entry. 

Homeland Security officials staged a mock demonstration of an interview
to show how taking fingerprints and a photograph would add only seconds
to the clearance process. The department will use collection systems that
are in place now, and will hand over expansion of VISIT next year to a
contractor. Hutchinson said requests for proposals would be issued in
November. 

While collecting fingerprints and photographs, known as biometrics,
represents a significant step forward for immigration control, the
version of VISIT officials demonstrated doesn?t approximate what the full
program will look like. The system still cannot search all terrorist
suspect watch lists maintained by several intelligence and law
enforcement agencies. Jim Williams, VISIT?s program director, said that
Homeland Security currently receives electronic ?downloads? of watchlists
from the FBI, but only occasionally. 

Lawmakers and the General Accounting Office have criticized the
department for not integrating terrorist watch lists into one repository.
Homeland Security officials had said they would accomplish that task
within the first 100 days of the department?s official opening, which
took place in January, but they haven?t done so yet.

Williams downplayed Homeland Security?s role in that effort. ?Frankly,
we?re a customer of that? watch list data, he said, adding that the
department needs to do a better job of getting watch lists from the FBI
more frequently. 

Hutchinson stressed a number of times that VISIT would be designed to
?facilitate? the entry of people into the country. ?The United States
wants to continue to be a welcoming nation,? he said. 

A number of groups, particularly in the transportation and shipping
industries, are concerned that the extra time it takes to process
visitors could back up immigration lines for miles at the U.S. borders
with Canada and Mexico. Hutchinson said the department is ?committed . .
. to not increasing the wait times dramatically.? VISIT must be deployed
at the 50 busiest land border crossings next year, and by 2005 it must be
operating at every port of entryair, sea and land. 

Hutchinson said training of federal employees on how to use the first
phase of VISIT will begin next month at Atlanta?s Hartsfield
International Airport. He noted that although the law requires the
program be in place by Dec. 31 of this year, it wouldn?t start operating
until Jan. 5. Hutchinson said airline industry groups complained that
launching VISIT at the height of the holiday travel season would be
overly burdensome. 

Congress appropriated $330 million for the VISIT program for fiscal 2004,
about $50 million less than for fiscal 2003. Hutchinson said he was
?disappointed? that lawmakers didn?t meet President Bush?s full $400
million request. 

Williams, the VISIT director, declined to specify how much the system
could ultimately cost. He said that in addition to proposing how to build
the system, companies that bid on the program would submit a ?funding
profile.? Officials are turning to industry to design, build and manage
VISIT because they are so saddled with the administrative tasks of
forming the new department. 

Exit processing, the other half of the VISIT coin, will be phased in
beginning next year, Hutchinson said. Rather than submit to an exit
interview, travelers will be able to check out of the country at an
electronic kiosk. The exit confirmation will be added to the visitor?s
record, and will help Homeland Security officials keep track of people
who have overstayed their visas, he said. 

Exit procedures will be in place at as many as 10 major airports and at
least one seaport by early 2004. 

Also, by Oct. 26, 2004, countries that are permitted to waive visa
requirements for their citizens must certify that they are able to issue
machine-readable passports that incorporate biometrics. That requirement
was instituted as part of the USA Patriot Act, signed into law after the
Sept. 11 terrorist attacks.
*******************************
Computerworld
Hackers get novel defense: The computer did it
Legal experts said the argument could become more widespread 
Story by Elinor Mills Abreu

OCTOBER 28, 2003 ( REUTERS ) - Prosecutors looking to throw the book at
accused computer hackers have come across a legal defense that could
become even more widespread in an era of hijacked PCs and laptops: The
computer did it. 
In one case that was seen as a bellwether by computer security experts,
Aaron Caffrey, 19, was acquitted on Oct. 17 in the U.K. on charges of
hacking into the computer system of the Houston Pilots, an independent
contractor for the port of Houston, Texas, in September 2001 (see story).
Caffrey was charged with breaking into the system and crippling the
server that provides scheduling information for all ships entering the
world's sixth-largest port. 

Although authorities traced the hack back to Caffrey's computer, he said
that someone must have remotely planted a program, or Trojan, onto the
computer and that the program could have been designed to self destruct.
In two other cases, British men were accused of downloading child
pornography but their attorneys successfully argued that Trojan programs
found on their computers were to blame. 

In all three cases, no one has suggested that the verdicts were anything
other than correct. 

Some legal and security experts say the Trojan defense is a valid one
because computer hijacking occurs all the time and savvy hackers can
easily cover their tracks. "I've seen cases where there is a similar
defense, and it could work or not work based on corroborating
evidence," such as how technical the defendant is, said Jennifer
Stisa Granick, clinical director of the Stanford Law School's Center for
Internet and Society. 

It's relatively easy to trace a hack back to a particular computer, but
proving that a specific person committed the crime is much more
difficult, she said. 

Someone other than the computer owner could use the machine, either by
gaining physical access or by remotely installing Trojan software via an
e-mail or a download from a malicious Web site, security experts
said.

"On the one hand, this is 100% correct that you cannot make that
jump from computer to keyboard to person," said Bruce Schneier,
chief technology officer at Counterpane Internet Security Inc. in
Cupertino, Calif. "On the other hand, this defense could [be used]
to acquit everybody. It makes prosecuting the guilty harder, but that's a
good thing." 

Mark Rasch, former head of the U.S. Department of Justice's computer
crime unit, agreed. "The more difficult problem is people could
actually go to jail for something they didn't do" as a result of
Trojan programs, said Rasch, chief security counsel for computer security
provider Solutionary Inc. in Omaha. "If I want to do something
illegal, I want to do it on someone else's machine." 

But Dave Morrell, a computer consultant for the Houston Pilots who worked
with the FBI after the attack, said the defense also opens the door to
hackers. "It sets a precedent now in the judicial system where a
hacker can just claim somebody took over his computer, the program
vanished, and he's free and clear," he said. 

Michael Allison, CEO of computer forensics firm Internet Crimes Group
Inc. in Princeton, N.J., said experts should have been able to prove
whether there had been a Trojan on the computer in question. "In
some cases, I do suspect there are people whose computer is taken over by
third parties," he said. "It's also a clever defense to
exculpate your client." 

The defense is likely to become more widespread, especially given the
increasing use of "spyware" programs that can be used to steal
passwords and essentially eavesdrop on a computer user. "The
emergence of spyware will only enhance these claims," said Michael
Geist, a law professor at the University of Ottawa Law School.
"We're going to have to sort through the level of responsibility a
person has for operating their own computer." 

The Trojan defense has not yet been put to the test in the U.S. 

Bernhard Warner of Reuters contributed to this report. 
*******************************
Washington Post
Outburst From Sun Headed For Earth 
Power and Phones May Be Disrupted 
By Kathy Sawyer
Wednesday, October 29, 2003; Page A03 

One of the strongest geomagnetic storms in years will hit Earth today at
midday with potentially disruptive effects on spacecraft, satellite
communications, electrical power grids and pipelines, according to space
weather forecasters and solar scientists.

A gigantic solar flare exploded from a sunspot on the sun's surface
yesterday at 5:54 a.m. EST, blasting energy and matter into space and
sending billions of tons of hot gas and charged particles straight toward
Earth at almost 5 million mph.

When the storm gets here, it will cause a rapid global change in the
magnetic field, scientists said, setting the stage for effects ranging
from possible power grid shutdowns to cell phone outages and dazzling
displays of northern lights in the skies farther south than
usual.

Larry Combs of the National Oceanic and Atmospheric Administration's
Space Environment Center in Boulder, Colo., said the geomagnetic storm
will be much more severe than two others that reached Earth in the last
five days. 

The storm, which will likely last 18 to 24 hours, will periodically reach
the highest level on NOAA's space weather scale, Combs said in a
telephone interview.

The solar outbursts have already caused a series of radio blackouts,
including a pronounced one yesterday morning that resulted from what one
scientist called "the strongest flare we've seen in the past 30
years." The blackouts, which primarily affect aircraft traveling at
far northern or southern latitudes, could continue for weeks, scientists
said.

The solar eruption is "headed straight for us like a freight
train," said John Kohl, a solar astrophysicist at the
Harvard-Smithsonian Center for Astrophysics in Cambridge, Mass. Two
similar eruptions -- known as coronal mass ejections -- that swept past
Earth in recent days "hit with only a glancing blow."

Managers of satellites and utilities were taking protective actions to
mitigate possible power surges. 

Solar scientists warned that emergency personnel fighting wildfires in
California should prepare for potential communications disruptions.
Because the fires have damaged many microwave antennas on the ground,
they said, satellite communications have become crucial to the emergency
effort.

During periods when the orbit of the international space station exposes
it to the highest levels of radiation, NASA has directed the two crewmen
aboard to stay in the back of a Russian module where shielding is
thickest, NASA spokesman Kyle Herring said.

Both pieces of onboard equipment used to measure radiation doses to the
astronauts' bodies inside the station failed months ago, and there are
problems with other types of radiation detectors, according to NASA
officials responsible for crew health. 

Herring said, however, there are other ways to measure the radiation
levels remotely. 

If the crew took no action to protect itself, he said, it would
experience in 20 minutes the amount of radiation it normally gets over 24
hours. As it is, crew members "will experience slightly higher
levels, but the precautions minimize those risks," Herring
said.

The Air Force Space Command in Colorado, which manages U.S. military
space assets, was monitoring the situation but expected no more than
minor disruptions, said spokeswoman Jenna McMullin. "Our satellites
are engineered with radiation shielding," McMullin said.

Depending on the severity of the storm, she added, "some operators
might be putting their satellites in a 'stow' mode, " to minimize
damage.

Some research satellites or detectors that monitor the sun's activity
were shut down yesterday to protect them, scientists said.

In a Category 5 geomagnetic storm, the following effects are possible,
according to NOAA:

? Some power grid systems may shut down or experience blackouts.

? Spacecraft "may be rendered useless" because of damage to
memory devices or other systems. 

? Passengers in aircraft at high latitudes could be exposed to radiation
equal to about 100 chest X-rays.

To assess a solar eruption, scientists measure several variables, Kohl
said in a telephone interview. These include the intensity of the
high-energy X-rays that reach Earth almost immediately and which
yesterday caused the radio blackouts; and the characteristics of the
cloud of lower-energy charged particles, which will arrive today. The
power of the storm also depends on conditions such as the relative
orientation of the two colliding magnetic fields.

Particles from the sun typically are funneled down into the atmosphere
along the lines of Earth's magnetic field at each of the poles, creating
the auroras. 

The effects of a solar storm on the machinery of civilization result from
the sudden change as Earth's magnetic field suddenly gains strength from
the one arriving from the sun, Kohl said. This induces an electrical
voltage surge on a global scale. Any conductor -- such as a power grid or
a pipeline -- lying in this altered magnetic field can experience a surge
in current.

Scientists are comparing the coming storm to a 1989 event that set off
radiation alarms aboard the supersonic Concorde in flight, damaged
orbiting satellites, caused a nine-hour power blackout in most of
Canada's Quebec province, damaged transformers as far south as New Jersey
and sent the northern lights shimmering as far south as the Florida
Keys.
*******************************
USA Today
Government unveils system to check identities of foreign visitors
By Suzanne Gamboa, Associated Press
WASHINGTON  The public got its first look Tuesday at fingerprinting
and photo equipment that will be installed at 115 airports and 14
seaports to check identities of millions of foreign visitors. 
The equipment, which goes into use Jan. 5, will allow inspectors to check
identities of visitors against those on terrorist watch lists. 

"This gives us the ability to know those who would violate a visa or
overstay a visa," said Asa Hutchinson, undersecretary for Border and
Transportation Security in Homeland Security. 

A General Accounting Office report issued last month called the system
"a very risky endeavor" with daunting goals, likely high costs
and details that had yet to be worked out. The GAO said the system could
lead to long lines at ports of entry. 

But Hutchinson said it will add only a few minutes to the inspection of a
traveler while significantly enhancing national security. 

Travel industry groups have voiced concern in the past that the system
could hurt the industry. Members of the Travel Industry Association of
America were meeting with Hutchinson about the new system Tuesday.

"It has to be effective and in fact improve security and it has to
do it without adding a really onerous burden to travelers to the United
States," said Dexter Koehl, an association spokesman. 

The system consists of a small box that digitally scans fingerprints and
a spherical computer camera that snaps pictures. It will be used for the
estimated 24 million foreigners traveling on tourist, business and
student visas who enter through an airport or seaport. 

Fifteen of the 19 Sept. 11, 2001, hijackers entered the United States
legally on travel visas. Three were admitted with business visas. The
19th entered on a student visa. At least three of the hijackers had
expired visas. 

The new system will gradually phase out a paper-based system that
Congress mandated be modernized following the attacks. 

The "exit" portion of the system to ensure visitors leave when
required still is being developed, but officials showed off an electronic
kiosk, much like those used to dispense e-tickets at airports. The kiosk
would allow foreigners to scan documents and provide fingerprints as they
leave. 

A person whose fingerprints or photos raise questions would not be turned
away automatically. The visa holder would be sent to secondary inspection
for further questions and checks. False hits on the system have been less
than 0.1%, officials said. 

Training on the system and a tryout will begin next month at the Atlanta
airport. Originally, the system was scheduled to begin operation Jan. 1,
but Hutchinson said its debut was delayed to avoid the busy holiday
travel period, a decision made after consultation with industry groups.

Congress provided $368 million to produce the system and put it in
airports, but only provided $330 million of the $400 million President
Bush requested to put the system in land borders in 2004. 

Hutchinson said the lower appropriation could affect meeting deadlines
for next year. He said he does not anticipate a user fee like the $100
foreign students may pay to cover the costs of a student tracking
system.
*******************************
New York Times
October 27, 2003
Brazil Becomes a Cybercrime Lab
By TONY SMITH

SÃO PAULO, Brazil, Oct. 26 - With a told-you-so grin, Marcos Flávio
Assunção reads out four digits - an Internet banking password - that he
has just intercepted as a reporter communicates via laptop with a bank's
supposedly secure Web site. 

"It wouldn't matter if you were on the other side of the world in
Malaysia," said Mr. Assunção, a confident 22-year-old. "I could
still steal your password."

While impressive, Mr. Assunção's hacking talents are hardly unique in
Brazil, where organized crime is rife and laws to prevent digital crime
are few and largely ineffective. The country is becoming a laboratory for
cybercrime, with hackers - able to collaborate with relative impunity -
specializing in identity and data theft, credit card fraud and piracy, as
well as online vandalism.

"Most of us are hackers, not crackers; good guys just doing it for
the challenge, not criminals," Mr. Assunção said. He insisted that
he had never put his talents to criminal use, although he acknowledged
that at age 14 he once took down an Internet service provider for a
weekend after arguing with its owner.

Across the globe, hackers like to classify themselves as white hats (the
good guys) or black hats (the bad guys), said one Brazilian expert,
Alessio Fon Melozo, the editorial director of Digerati, which publishes a
hacker magazine, H4ck3r: The Magazine of the Digital Underworld.
"Here in Brazil, though, there are just various shades of
gray," Mr. Melozo said.

Mr. Assunção has created a security software program for his employer,
Defnet, a small Internet consultant in São Paulo.

The software uses a honey-pot system that can lure and monitor intruders
in real time. It also uses techniques to foil "man in the
middle" imposters who try to disguise their computers as those of
banks or other secure sites. So far, Mr. Assunção has been unable to get
an appointment with his target customers: security executives at major
banks.

"They say they have their own security and prefer to turn a blind
eye," he said. "But Brazilian hackers are known for our
creativity. If things go on like this, there'll be no more bank holdups
with guns. All robberies will be done over the Net."

For the last two years at least, Brazil has been the most active base for
Internet ne'er-do-wells, according to mi2g Intelligence Unit, a digital
risk consulting firm in London. 

Last year, the world's 10 most active groups of Internet vandals and
criminals were Brazilian, according to mi2g, and included syndicates with
names like Breaking Your Security, Virtual Hell and Rooting Your Admin.
So far this year, nearly 96,000 overt Internet attacks - ones that are
reported, validated or witnessed - have been traced to Brazil. That was
more than six times the number of attacks traced to the runner-up,
Turkey, mi2g reported last month. 

Already overburdened in their fight to contain violent crime in cities
like São Paulo, Rio de Janeiro and Brasília, police officials are finding
it difficult to keep pace with hacker syndicates.

The 20 officers working for the electronic crime division of the São
Paulo police catch about 40 cybercrooks a month. But those criminals
account for but a fraction of the "notorious and ever
increasing" number of cybercrimes in São Paulo, Brazil's economic
capital, said Ronaldo Tossunian, the department's deputy
commissioner.

The São Paulo department's effort is not helped by vague legislation
dating back to 1988, well before most Brazilians had even heard of the
Internet. Under that law, police officers cannot arrest a hacker merely
for breaking into a site, or even distributing a software virus, unless
they can prove the action resulted in the commission of a crime.

So even after police investigators identified an 18-year-old hacker in
Rio de Janeiro, they had to track him for seven months and find evidence
that he had actually stolen money from several credit card companies
before they could pounce.

"We don't have the specific legislation for these crimes like they
do in America and Europe," Mr. Tossunian said. "Just breaking
in isn't enough to make an arrest, which means there's no
deterrent."

In addition, analysts say many businesses, including banks, have been
slow to grasp, or refuse to acknowledge, how serious the problem is.
Banco Itaú, one of Brazil's largest private banks and the institution
from whose site Mr. Assunção filched the password during his
demonstration, declined to make someone available to comment. 

Fabrício Martins, the chief security officer at Nexxy Capital Group, a
top provider of Web sites for e-commerce companies, said, "Most
businesses here don't take precautions until something bad happens that
obliges them to take action."

Mr. Martins, for example, first reinforced Nexxy's security software
after e-mail addresses of online clients were stolen two years ago. Now
his is one of 20 software programs for credit card clearing approved by
Visa International in Brazil.

Why are Brazil's hackers so strong and resourceful? Because they have
little to fear legally, Mr. Assunção said, adding that hackers here are
sociable and share more information than hackers in developed countries.
"It's a cultural thing," he said. "I don't see American
hackers as willing to share information among themselves."

Though the expense of owning a computer is prohibitive for most people in
this country, where the average wage is less than $300 a month, getting
information about hacking is simple. H4ck3r magazine, available at
newsstands across the country, sells about 20,000 copies a
month.

Mr. Melozo, the editorial director, rejects any suggestion that H4ck3r
teaches Brazilians to commit cybercrime.

"It is a very fine line, I know," he said. "But what
guides us is the principle of informing, educating our readers in a
responsible way."
*******************************