JackSpratts
11-08-05, 06:55 PM   #1
Peer-To-Peer News - The Week In Review - August 13th, ’05

















"I am committed to ensuring that these [internet service] providers take all necessary actions to incorporate surveillance capabilities into their networks in a timely fashion." – FCC Chairman Kevin Martin


"Today, the studios' corporate parents own or control all six over-the-air networks, as well as 64 cable networks, accounting for almost all the prime-time television audience." – Edward Jay Epstein


"It is an individual's freedom where that person chooses to listen to music. I want to deliver my music wherever my listeners are." – Motoharu Sano


"As parents, we don't want our kid breaking in to the Defense Department or stealing credit card numbers, but downloading iChat and chatting with their friends? They are not hurting anybody. They're just curious." – James Shrawder


"Delaware law does not - indeed the common law cannot - hold fiduciaries liable for a failure to comply with the aspirational ideal of best practices." – William B. Chandler III


"There is absolutely no rule, regulation or law that says that." – Lauren Gelman



















August 13th, 2005




Students Charged With Computer Trespass
Michael Rubinkam

They're being called the Kutztown 13 -- a group of high schoolers charged with felonies for bypassing security with school-issued laptops, downloading forbidden Internet goodies and using monitoring software to spy on district administrators.

The students, their families and outraged supporters say authorities are overreacting, punishing the kids not for any heinous behavior -- no malicious acts are alleged -- but rather because they outsmarted the district's technology workers.

The Kutztown Area School District begs to differ. It says it reported the students to police only after detentions, suspensions and other punishments failed to deter them from breaking school rules governing computer usage.

In Pennsylvania alone, more than a dozen school districts have reported student misuse of computers to police, and in some cases students have been expelled, according to Jeffrey Tucker, a lawyer for the district.

The students "fully knew it was wrong and they kept doing it," Tucker said. "Parents thought we should reward them for being creative. We don't accept that."

A hearing is set for Aug. 24 in Berks County juvenile court, where the 13 have been charged with computer trespass, an offense state law defines as altering computer data, programs or software without permission.

The youths could face a wide range of sanctions, including juvenile detention, probation and community service.

As school districts across the nation struggle to keep networks secure from mischievous students who are often more adept at computers than their elders, technology professionals say the case offers multiple lessons.

School districts often don't secure their computer networks well and students need to be better taught right from wrong on such networks, said Internet expert Jean Armour Polly, author of "Net-mom's Internet Kids & Family Yellow Pages."

"The kids basically stumbled through an open rabbit hole and found Wonderland," Polly, a library technology administrator, said of the Kutztown 13.

The trouble began last fall after the district issued some 600 Apple iBook laptops to every student at the high school about 50 miles northwest of Philadelphia. The computers were loaded with a filtering program that limited Internet access. They also had software that let administrators see what students were viewing on their screens.

But those barriers proved easily surmountable: The administrative password that allowed students to reconfigure computers and obtain unrestricted Internet access was easy to obtain. A shortened version of the school's street address, the password was taped to the backs of the computers.

The password got passed around and students began downloading such forbidden programs as the popular iChat instant-messaging tool.

At least one student viewed pornography. Some students also turned off the remote monitoring function and turned the tables on their elders -- using it to view administrators' own computer screens.

The administrative password on some laptops was subsequently changed but some students got hold of that one, too, and decrypted it with a password-cracking program they found on the Internet.

"This does not surprise me at all," said Pradeep Khosla, dean of Carnegie Mellon University's engineering department and director of the school's cybersecurity program.

IT staff at schools are often poorly trained, making it easy for students with even modest computer skills to get around security, he said.

Fifteen-year-old John Shrawder, one of the Kutztown 13, complained that the charges don't fit the offense. He fears a felony conviction could hurt his college and job prospects.

"There are a lot of adults who go 10 miles over the speed limit or don't come to a complete stop at a stop sign. They know it's not right, but they expect a fine" not a felony offense, he said.

Shrawder's uncle, James Shrawder, has set up a Web site that tells the students' side of the story.

"As parents, we don't want our kid breaking in to the Defense Department or stealing credit card numbers," said the elder Shrawder, a businessman. "But downloading iChat and chatting with their friends? They are not hurting anybody. They're just curious."

The site, http://www.cutusabreak.org , has been visited tens of thousands of times and sells T-shirts and bumper stickers, including one that says: "Arrest me, I know the password!"

The district isn't backing down, however.

It points out that students and parents were required to sign a code of conduct and acceptable use policy, which contained warnings of legal action.

The 13 students charged violated that policy, said Kutztown Police Chief Theodore Cole, insisting the school district had exhausted all options short of expulsion before seeking the charges. Cole said, however, that there is no evidence the students attacked or disabled the school's computer network, altered grades or did anything else that could be deemed malicious.

An association of professional computer educators, The International Society for Technology in Education, believes in a less restrictive approach to computer usage. The more security barriers a district puts in place, the more students will be tempted to break them down, it believes.

"No matter how many ways you can think to protect something, the truth is that someone can hack their way around it," said Leslie Conery, the society's deputy CEO. "The gauntlet is thrown down if you have tighter control."
http://www.washingtonpost.com/wp-dyn...080901045.html





Fighting to defend political freedom. Except yours.

Pentagon Web Site Bans Politics

'America Supports You' Intended to Back U.S. Troops
Robert MacMillan and Mary Specht

The Defense Department has removed messages containing political commentary from a Web site designed for people to show their support for U.S. forces serving in Iraq and Afghanistan.

Most of the postings at America Supports You ( http://americasupportsyou.mil/ ) express love and encouragement -- "The greatest nation in the world is kept that way by men and women like you," reads one message -- without partisan asides.

But among the 60,000-plus messages were at least a few dozen -- found with the site's search function -- that equated troop support with backing the Bush administration's political goals. Still others lambasted Democratic politicians such as John F. Kerry and Edward M. Kennedy, the senators from Massachusetts.

One message said: "I thank you Mr. President for all you have done and standing up to the one's who don't believe in you. My theory is that if they don't like it here; we will pay their way out. Can you put that in the budget?"

Another said: "I show my support verbally in public and by donations to the RNC and reelect George W. Bush campaigns."

Both those messages, visible on the site two weeks ago, are gone.

The decision to remove such messages reflects a policy posted on the site last week warning that political speech will be barred. Last month the Wall Street Journal reported that two antiwar messages had disappeared from the site, but at the time the site had no posted policy on political statements.

Now, "we are not including messages with political commentary -- pro or con," said Allison Barber, deputy assistant defense secretary and creator of the Web site, which opened in November. "Frankly, this is a site to support the troops and thankfully, our men and women in the military volunteer to defend our country no matter who is in political office."

Yesterday, though, several messages remained that both support and oppose the Bush administration and the U.S. military presence in Iraq and Afghanistan. For example, one said: "We very much support the troops serving but do not support the administration's handling of the conflicts where they are currently asked to serve. Please, bring them home as soon as possible."

Posting political content on a Web site operated and financed by the government may not violate any rules, several experts said, but they warned that it creates an image problem.

The military "should not be seen as promoting a political agenda," said Lawrence M. Noble, head of the Center for Responsive Politics and former general counsel for the Federal Election Commission.
http://www.washingtonpost.com/wp-dyn...080401918.html





DMCA Thugs

Furniture Causes FedEx Fits
Kristen Philipkoski

Most of us have been there. You can just barely afford to pay the rent. But forget about buying furniture -- not if you want to eat, anyway.

Jose Avila recently found himself in just that predicament. Although he has a good job as a software developer, he's locked into two rents after moving to Arizona, and has no extra cash for an Ikea shopping spree. But instead of scouting street corners for a ratty, unwanted couch, Avila got creative and built an apartment full of surprisingly sturdy furniture -- out of FedEx shipping boxes.

Fanciful as his creations may seem, FedEx is not amused. The shipping giant's lawyers have sent Avila letters demanding he take down the site he created to document his project, invoking, among other things, the Digital Millennium Copyright Act, or DMCA.

Avila has outfitted his entire apartment with FedEx box designs, including a bed, a corner desk with wall shelves, a table, two chairs and a couch. Drawing from architecture and drafting classes he took in college, Avila has designed pieces that are surprisingly un-boxy.

He was blindsided by the cease-and-desist letter from the company to which he proclaims long-standing loyalty.

"I was surprised, actually," Avila said. "One thing I’ve always stood behind is I'm pro-FedEx. I ship stuff with FedEx all the time and I feel more comfortable shipping with FedEx because their boxes are stable and sturdy."

And that translates to strong furniture, Avila said. The bed can handle his 5-foot-6-inch, 165-pound frame, even when he jumps up and down on it (an experiment he tried in response to an e-mail asking if the bed could support two people).

Avila said he never intended to make money from the site, or to exploit FedEx in any way. He said he simply wanted to spread the word that "it's OK to be ghetto."

"That's pretty much the motto of the site," he said. "When you're stuck in a bind and you're feeling down, it's not the end of the world."

But that feel-good message seems to be lost on FedEx. The company claims that Avila is infringing on its trademark and its copyright. The day after Avila launched the site in June, FedEx asked him to take it down, claiming he had violated the DMCA.

Lawyers at the Stanford Law School Center for Internet and Society, who are representing Avila, argued the company's claims don't relate to copyright and therefore the DMCA doesn't apply. Rather, the claims refer to trademark infringement and conversion. After talking with his lawyers, Avila put the site back up.

"DMCA only applies to copyrighted works, and they were basically making trademark-related claims, so it was completely outrageous," said Lauren Gelman, associate director of the Stanford center. "This is just an example of how lawyers take advantage of copyright laws to use protecting provisions like those in the DMCA to take down stuff they just don't like."

A FedEx representative did not respond to questions about the claims and whether the company planned to take legal action against Avila.

In a letter sent Aug. 3 to Jennifer Granick, director of the Stanford center and Avila's lawyer, FedEx also claims Avila violated fedex.com's terms of use, which state that "fedex.com is provided solely for the use of current and potential FedEx customers to interact with FedEx and may not be used by any other person or entity, or for any other purpose."

In her response to FedEx, Granick took issue with that argument.

"Frankly, it's the most interesting of the legal claims," Gelman said. "But in this case I see nothing in the terms of service that would prevent (making furniture from FedEx boxes and displaying them on a website)."

FedEx also said in the Aug. 3 letter that Avila clearly intended to operate a business from his website because he used the .com domain suffix, the "commercial level domain," rather than .net.

"There is absolutely no rule, regulation or law that says that," Gelman replied.
http://www.wired.com/news/culture/0,1284,68492,00.html





EU Opens Probe Into Chinese DVD Imports
AP

The European Union's executive agency opened an investigation Friday into claims that cheap imports of recordable DVDs from China, Hong Kong and Taiwan have damaged European producers.

The European Commission said it was beginning an antidumping probe following a complaint from the Committee of CD-R manufacturers, which represents more than 60 percent of EU production of such discs.

"It is alleged that the volumes and the prices of the imported product concerned have, among other consequences, had a negative impact on the level of prices charged by the community industry, resulting in substantial adverse effects on the overall performance and the financial situation of the community industry," the Commission said in a formal notice published online.

The antidumping probe can last as long as 15 months. EU officials can recommend provisional trade restrictions during the investigation. If confirmed, restrictions can last five years.
http://www.siliconvalley.com/mld/sil...l/12313902.htm





Defying Record Companies, Musicians Try To Join Apple's iTunes In Japan
AP

Japanese musicians under contract with Sony and other labels that haven't joined Apple's iTunes Music Store are starting to defy their recording companies and trying to get their music on the popular download service launched last week in Japan.

At least one artist has already gone against his label to offer his songs on iTunes. And a major agency that manages Japanese musicians said Wednesday it was interested in a possible deal with Apple Computer Inc., regardless of the recording companies' positions.

Online music stores had not taken off in Japan until iTunes' arrival last Thursday, which opened with a million songs from 15 Japanese record labels.

In just four days, customers downloaded 1 million songs -- the fastest pace for the service's launch in any of the 20 nations it's become available, including the U.S. Most songs cost 150 yen, or $1.35, to download, and only 10 percent cost 200 yen, or $1.80. The service costs 99 cents in the U.S.

But Sony Corp.'s music division, Sony Music Entertainment, has not signed up to join Apple's service. The companies say they're in talks but there's been no agreement.

Apple and Sony have emerged as major rivals in the portable music player business. Apple's iPod music player, which stores music on a hard drive, has hurt Sony, which is pushing its own Network Walkman, some of which have hard drives.

But wayward artists could just start averting the issue and opt to offer their music to iTunes.

Rock musician Motoharu Sano, who has a recording contract with Sony, is making some of his songs available on iTunes, according to his official Web page.

"It is an individual's freedom where that person chooses to listen to music. I want to deliver my music wherever my listeners are," Sano was quoted as saying by Japan's top business daily Nihon Keizai Shimbun Wednesday.

Amuse Inc., an agent for some of Japan's most popular artists, is also thinking about joining iTunes. The company, which pushes musicians signed not only with Sony but also others, had initially decided against signing with iTunes.

"But we are considering joining in the future," Amuse spokeswoman Kyoko Ijichi said Wednesday. "We want to do what users want."

Eddy Cue, Apple vice president of applications, acknowledged earlier this week that more work is needed to sign additional record companies for the Japanese service.

Tokyo-based recording company Victor Entertainment spokesman Yoshiaki Aoki said Wednesday talks are still continuing with Apple, but stressed he is interested in a deal.

Still, iTunes' popularity in Japan has been stunning. The publicity campaign, including a rare personal appearance by Chief Executive Steve Jobs, has grabbed media attention here.

Before iTunes' arrival, Japan's top music download service, which is backed by Sony and includes Sony recording artists, averaged about 450,000 downloads a month.

Apple has sold 21.8 million iPods worldwide since it went on sale in October 2001, and more than 500 million songs through its iTunes Music Store.
http://www.siliconvalley.com/mld/sil...l/12348399.htm





Google Balances Privacy, Reach
Elinor Mills

Google CEO Eric Schmidt doesn't reveal much about himself on his home page.

But spending 30 minutes on the Google search engine lets one discover that Schmidt, 50, was worth an estimated $1.5 billion last year. Earlier this year, he pulled in almost $90 million from sales of Google stock and made at least another $50 million selling shares in the past two months as the stock leaped to more than $300 a share.

He and his wife Wendy live in the affluent town of Atherton, Calif., where, at a $10,000-a-plate political fund-raiser five years ago, presidential candidate Al Gore and his wife Tipper danced as Elton John belted out "Bennie and the Jets."

Schmidt has also roamed the desert at the Burning Man art festival in Nevada, and is an avid amateur pilot.

That such detailed personal information is so readily available on public Web sites makes most people uncomfortable. But it's nothing compared with the information Google collects and doesn't make public.

What Google knows about you

• Gmail -- The e-mail service offers two gigabytes of free storage and scans the content of messages to serve up context-related ads.

• Cookies -- Google uses cookies, which are commonly used to link individual users with activities.

• Desktop Search -- Google's Desktop Search lets users easily search files stored on their computer.

• Web Accelerator -- The application speeds Web surfing by storing cached copies of Web pages you've visited; those page requests can include personal information.

Assuming Schmidt uses his company's services, someone with access to Google's databases could find out what he writes in his e-mails and to whom he sends them, where he shops online or even what restaurants he's located via online maps. Like so many other Google users, his virtual life has been meticulously recorded.

The fear, of course, is that hackers, zealous government investigators, or even a Google insider who falls short of the company's ethics standards could abuse that information. Google, some worry, is amassing a tempting record of personal information, and the onus is on the Mountain View, Calif., company to keep that information under wraps.

Privacy advocates say information collected at Yahoo, Microsoft's MSN, Amazon.com's A-9 and other search and e-commerce companies poses similar risks. Indeed, many of those companies' business plans tend to mimic what Google is trying to do, and some are less careful with the data they collect. But Google, which has more than a 50 percent share of the U.S. search engine market, according to the latest data from WebSideStory, has become a lightning rod for privacy concerns because of its high profile and its unmatched impact on the Internet community.

"Google is poised to trump Microsoft in its potential to invade privacy, and it's very hard for many consumers to get it because the Google brand name has so much trust," said Chris Hoofnagle of the Electronic Privacy Information Center. "But if you step back and look at the suite of products and how they are used, you realize Google can have a lot of personal information about individuals' Internet habits--e-mail, saving search history, images, personal information from (social network site) Orkut--it represents a significant threat to privacy."

Kevin Bankston, staff attorney at the Electronic Frontier Foundation, said Google is amassing data that could create some of the most detailed individual profiles ever devised.

"Your search history shows your associations, beliefs, perhaps your medical problems. The things you Google for define you," Bankston said.

The Google record
As is typical for search engines, Google retains log files that record search terms used, Web sites visited and the Internet Protocol address and browser type of the computer for every single search conducted through its Web site.

In addition, search engines are collecting personally identifiable information in order to offer certain services. For instance, Gmail asks for name and e-mail address. By comparison, Yahoo's registration also asks for address, phone number, birth date, gender and occupation and may ask for home address and Social Security number for financial services.

If search history, e-mail and registration information were combined, a company could see intimate details about a person's health, sex life, religion, financial status and buying preferences.

It's "data that's practically a printout of what's going on in your brain: What you are thinking of buying, who you talk to, what you talk about," Bankston said. "It is an unprecedented amount of personal information, and these third parties (such as Google) have carte blanche control over that information."

Google uses the log information to analyze traffic in order to prevent people from rigging search results, for blocking denial-of-service attacks and to improve search services, said Nicole Wong, associate general counsel at Google.

Personally identifiable information that is required for consumers to register for and log in to Google services is not shared with any outside companies or used for marketing, according to Google's privacy policy, except with the consent of the user, or if outside "trusted" parties
http://news.com.com/Google+balances+...3-5787483.html





Google's Chief Is Googled, to the Company's Displeasure
Saul Hansell

Google says its mission is "to organize the world's information and make it universally accessible and useful." But it does not appear to take kindly to those who use its search engine to organize and publish information about its own executives.

CNETNews.com, a technology news Web site, said last week that Google had told it that the company would not answer any questions from CNET's reporters until July 2006. The move came after CNET published an article last month that discussed how the Google search engine can uncover personal information and that raised questions about what information Google collects about its users.

The article, by Elinor Mills, a CNET staff writer, gave several examples of information about Google's chief executive, Eric E. Schmidt, that could be gleaned from the search engine. These included that his shares in the company were worth $1.5 billion, that he lived in Atherton, Calif., that he was the host of a $10,000-a-plate fund-raiser for Al Gore's presidential campaign and that he was a pilot.

After the article appeared, David Krane, Google's director of public relations, called CNET editors to complain, said Jai Singh, the editor in chief of CNETNews.com. "They were unhappy about the fact we used Schmidt's private information in our story," Mr. Singh said. "Our view is what we published was all public information, and we actually used their own product to find it."

He said Mr. Krane called back to say that Google would not speak to any reporter from CNET for a year.

In an instant-message interview, Mr. Krane said, "You can put us down for a 'no comment.' "

When asked if Google had any objection to the reprinting of the information about Mr. Schmidt in this article, Mr. Krane replied that it did not.

Mr. Singh, who has worked in technology news for more than two decades, said he could not recall a similar situation. "Sometimes a company is ticked off and won't talk to a reporter for a bit," he said, "but I've never seen a company not talk to a whole news organization."





The Rise Of The Digital Thugs
Timothy L. O'Brien

Early last year, the corporate stalker made his move. He sent more than a dozen menacing e-mail messages to Daniel I. Videtto, the president of MicroPatent, a patent and trademarking firm, threatening to derail its operations unless he was paid $17 million.

In a pair of missives fired off on Feb. 3, 2004, the stalker said that he had thousands of proprietary MicroPatent documents, confidential customer data, computer passwords and e-mail addresses. Using an alias of "Brian Ryan" and signing off as "Wounded Grizzly," he warned that if Videtto ignored his demands, the information would "end up in e-mail boxes worldwide."

He also threatened to stymie the online operations of MicroPatent's clients by sending "salvo after salvo" of Internet attacks against them, stuffing their computers so full of MicroPatent data that they would shut down. Another message about two weeks later warned that if he did not get the money in three days, "the war will expand."

Unbeknownst to the stalker, MicroPatent had been quietly trying to track him for years, though without success. He was able to mask his online identity so deftly that he routinely avoided capture, despite the involvement of federal investigators.

But in late 2003 the company upped the ante. It retained private investigators and deployed a former psychological profiler for the Central Intelligence Agency to put a face on the stalker. The manhunt, according to court documents and investigators, led last year to a suburban home in Hyattsville, Md., its basement stocked with parts for makeshift hand grenades and ingredients for ricin, one of the most potent and lethal biological toxins. Last March, on the same day that they raided his home, the authorities arrested the stalker as he sat in his car composing e-mail messages he planned to send wirelessly to Videtto. The stalker has since pleaded guilty to charges of extortion and possession of toxic materials.

What happened to MicroPatent is happening to other companies. Law enforcement authorities and computer security specialists warn that new breeds of white-collar criminals are on the prowl: corporate stalkers who are either computer-savvy extortionists, looking to shake down companies for large bribes, or malicious competitors who are trying to gain an upper hand in the marketplace.

"It's definitely a growing issue and problem, and it's something we think will definitely increase in both the numbers and severity," said Frank Harrill, an agent with the FBI who specializes in computer crimes and who has investigated corporate stalkers and online extortionists. The reason, he said, is that "the Internet is ceasing to be a means for communication and commerce and is becoming the means for communication and commerce."

Though the number of corporate stalkers appears to be growing--along with the number of payoffs to online extortionists--quantifying the dimensions of the threat is difficult. Last fall, a researcher at Carnegie Mellon University in Pittsburgh published a study of online extortion involving small and medium-size businesses, saying that the Internet's global reach had produced "a profound change in the nature of crime, as the existence of information systems and networks now makes criminal acts possible that were not before, both in increased scope and ease."

Threat of cyberextortion growing
The study also concluded that while the threat of cyberextortion was real and mounting, data and research about the subject were scant. That is because most businesses, particularly blue-chip companies, are concerned about negative publicity from computer security breaches and do not want to report digital bullying and intrusions to law enforcement officials.

"Cyberextortion was the main threat I identified that I thought corporations were overlooking," said Gregory M. Bednarski, the author of the Carnegie Mellon study, who now works at PricewaterhouseCoopers as a computer security consultant. "Unfortunately, I think that's still the issue--most companies are still not taking cyberextortion seriously enough. They just don't see themselves as vulnerable."

MicroPatent, based in East Haven, Conn., realized firsthand how vulnerable its data was. The company was also an exception in the world of cyberextortion victims: it chose not only to fight back and to contact the authorities, but it also assembled its own team of specialists familiar with the strategies and weaponry of cybercriminals.

Even so, MicroPatent's stalker, using hijacked Internet accounts and pirated wireless networks, was remarkably elusive. "What this means is that the criminals are getting smarter," said Scott K. Larson, a former FBI agent and a managing director of Stroz Friedberg, a private investigation firm that helped hunt down MicroPatent's stalker. "There's an arms race going on in cyberspace and in cybercrimes."

MicroPatent, a business that court papers describe as one of the world's largest commercial depositories of online patent data, first came under attack four years ago. Someone penetrated the company's databases and began transmitting phony e-mail messages to its customers. The messages were what are known as "spoofs," online communications--embroidered with pilfered company logos or names and e-mail addresses of MicroPatent employees--that are meant to trick recipients into believing that the messages were authorized.

The spoofs, according to court papers and investigators, contained derogatory comments about MicroPatent in the subject lines or text. Some included sexually explicit attachments, such as sex-toy patents that a computer hacker had culled from the company's online files.

MicroPatent and its parent company, the Thomson Corporation, did not respond to several phone calls seeking comment. But others with direct knowledge of the hunt for the company's stalker said MicroPatent, which had grown rapidly through acquisitions, had a computer network containing stretches of online turf that were once used by acquirees but were abandoned after the takeovers.

Those digital back alleys offered access to the entire MicroPatent network to people with old passwords. Once inside, they could inhabit the network undetected--in much the same way that anyone with a key to one abandoned house on a block of abandoned houses can live in a populous city without anyone knowing he is there. And MicroPatent's stalker was lurking on one of its network's nether zones.

By 2003, MicroPatent had become so frustrated with its unknown stalker that it reached out to the FBI for help. But with its resources spread thin, the FBI could not pin down the stalker's identity, his motivations or how he managed to trespass on MicroPatent's electronic turf. A year later, MicroPatent hired Stroz Friedberg and secured the services of Eric D. Shaw, a clinical psychologist who had once profiled terrorists and foreign potentates for the CIA.

The first order of business, investigators said, was to narrow the field of MicroPatent's potential stalkers and to try to isolate the perpetrator. "You need to take the temperature of the person on the other side and determine how seriously you need to take them," said Beryl Howell, who supervised the MicroPatent investigation for Stroz Friedberg. "Is it a youngster or is it someone who's angry? Is it someone who's fooling around or someone who's much more serious?"

Investigators said their examination of the stalker's communications indicated that he was much more than a hacker on a joy ride. That would be consistent with what law enforcement authorities and computer security specialists describe as the recent evolution of computer crime: from an unstructured digital underground of adolescent hackers and script-kiddies to what Bednarski describes in his study as "information merchants" representing "a structured threat that comes from profit-oriented and highly secretive professionals."

Profiting from corporate espionage
Stealing and selling data has become so lucrative, analysts say, that corporate espionage, identity theft and software piracy have mushroomed as profit centers for criminal groups. Analysts say cyberextortion is the newest addition to the digital Mafia's bag of tricks.

"Generally speaking, it's pretty clear it's on the upswing, but it's hard to gauge how big of an upswing because in a lot of cases it seems companies are paying the money," said Robert Richardson, editorial director of the Computer Security Institute, an organization in San Francisco that trains computer security professionals. "There's definitely a group of virus writers and hackers in Russia and in the Eastern European bloc that the Russian mob has tapped into."

Richardson is a co-author of an annual computer-security study that his organization publishes with the FBI. The latest version said that while corporate and institutional computer break-ins increased slightly last year from 2003, average financial losses stemming from those intrusions decreased substantially in all but two categories: unauthorized access to data and theft of proprietary information.

Among 639 of the survey's respondents, the average loss from unauthorized data access grew to $303,234 in 2004 from $51,545 in 2003; average losses from information theft rose to $355,552 from $168,529. The respondents suffered total losses in the two categories of about $62 million last year. While many cyberextortionists and cyberstalkers may be members of overseas crime groups, several recent prosecutions suggest that they can also be operating solo and hail from much less exotic climes--like the office building just down the street.

Episodes are multiplying
In March, a federal judge in San Francisco sentenced a Southern California businessman, Mark Erfurt, to five months in prison, followed by three and a half years of home detention and supervised release, for hacking into the databases of a competitor, the Manufacturing Electronic Sales Corporation, and disrupting its business.

In June, the FBI in Los Angeles arrested Richard Brewer, a former Web administrator for a trade show company, accusing him of disabling his employer's Web site and threatening further damage unless he was paid off. And last month in New York, the Westchester County district attorney's office charged a Tarrytown businessman, Gerald Martin, with hacking into a competitor's computer network in order to ruin its business by tampering with its phone system.

Small-fry stuff, some of this, except that even local law enforcement officials say the episodes are multiplying. "We have 590,000 people in our county, but we're seeing lots of examples of lax or lackadaisical computer security," said Sgt. Mike Nevil, head of the computer crimes unit of the Ocean County, N.J., prosecutor's office. "We've seen lots of examples of people going onto a competitor's computer network and clearing out whatever information they can get."

For its part, MicroPatent initially believed that its problems were the work of a competitor. It sued one company that it suspected but later dropped that lawsuit. After Howell's team joined the fray in late 2003, MicroPatent and its consultants began to isolate the stalker, using a small list of candidates distilled from earlier investigative work.

Shaw's analysis of e-mail messages led them to believe that they were tracking a technologically sophisticated man, older than 30, with a history of work problems and personal conflicts, who was compulsively obsessed with details and who might own weapons. The stalker was extremely angry and "holding a grudge," Shaw recalled. "People like that can be very dangerous. He referred to himself as a soldier behind enemy lines."

Within a few weeks, Shaw's analysis led the investigative team to focus on Myron Tereshchuk, a 43-year-old Maryland entrepreneur who ran his own patent business and had once been rebuffed by MicroPatent when he applied to the company for a job. And Tereshchuk was indeed their man. Members of Howell's investigative team all said that Shaw's profiling was a breakthrough in the pursuit, but that without the subsequent involvement of local and federal law enforcement officials, Tereshchuk would not have been captured.

"It's about grinding out a lot of data; it's not about intuition--though years of working clinically with patients is certainly important," Shaw said. "The Myron case involved a fair amount of case management because we needed to keep him talking, we needed to keep him engaged, so we could set him up for an arrest."

Indeed, the detective work that led to his arrest offers a revealing glimpse into how the new cat-and-mouse game is played in cyberspace--especially when the cloak of secrecy offered by newfangled wireless devices makes digital criminals so hard to track.

In early 2004, private investigators began corresponding with the stalker, sending spoofed e-mail back to him in the "voice" of a MicroPatent lawyer. At the same time, federal authorities began physically tracking Tereshchuk's comings and goings in the real world. By February, the stalker had also become an active e-mail correspondent with Videtto, the MicroPatent president.

It was then that the stalker made a series of mistakes. Among them, he began to brag. In an e-mail message titled "Fire them all," he informed Videtto that he had found valuable MicroPatent documents by going "Dumpster diving to the Dumpster and recycle bins located in a parking lot on Shawnee Road" in Alexandria, Va., where the company maintained a branch office. That allowed investigators to zero in on his location, further buttressing the notion that Tereshchuk, who lived nearby, was the author of the scheme.

In the same message, the stalker wrote angrily that staff members at the United States Patent and Trademark Office in northern Virginia had snubbed him and given preferential treatment to MicroPatent employees. Several years earlier, a patent office worker accused Tereshchuk of threatening to bomb the agency.

A computer forensics expert embedded a Web bug, a kind of digital tracking device, in one of the e-mail messages that Videtto sent to the stalker. But the stalker screened his e-mail with decoding devices that included a hex editor--software that allows users to preview the contents of incoming files--and he uncovered the bug. "Was it a script to capture my IP address?" the stalker wrote tauntingly to Videtto after finding the Web bug, referring to his Internet Protocol address. "I'll look at it later with a hex editor."

A clumsy mistake
Investigators said the failed bug worried them because they thought it might scare off the stalker, but by this point Tereshchuk had already demanded his $17 million extortion payment. He also clumsily revealed his identity by demanding that the money be sent to the person accused of threatening to bomb the patent office.

And he kept sending e-mail messages telling Videtto that he had MicroPatent's customer lists, patent applications, customer credit card numbers and the Social Security numbers of some employees, as well as the employees' birth dates, home addresses and the names of their spouses and children.

The stalker also threatened to flood the computer networks of MicroPatent clients with information pilfered from the company, overwhelming the customers' ability to process the data and thereby shuttering their online operations--a surreptitious digital attack known as distributed denial of service, or DDoS. Such assaults, analysts and law enforcement officials say, have become a trademark of cyberextortionists.

Federal prosecutors in Los Angeles are currently investigating a group of possible cyberextortionists linked to a television retailer indicted there last August. The retailer was accused of disrupting competitors' online operations, and prosecutors have called suspects in that case the "DDoS Mafia."

"DDoS attacks are still one of the primary ways of extorting a company, and we're seeing a lot of that," said Larry D. Johnson, special agent in charge of the United States Secret Service's criminal division. "I think the bad guys know that if the extortion amounts are relatively low a company will simply pay to make them go away."

Tereshchuk's apparent ability to start a DDoS attack attested to what investigators describe as his unusual technological dexterity, despite evidence of his psychological instability. It also explained how he was able to evade detection for years, and his methods for pulling off that feat surfaced after the FBI began following him.

Using wireless computing gear stashed in an old, blue Pontiac, and fishing for access from an antenna mounted on his car's dashboard, Tereshchuk cruised Virginia and Maryland neighborhoods. As he did so, federal court documents say, he lifted Yahoo and America Online accounts and passwords from unwitting homeowners and businesspeople with wireless Internet connections.

The documents also say he then hijacked the accounts and routed e-mail messages to MicroPatent from them; he used wireless home networks he had commandeered to hack into MicroPatent's computer network and occasionally made use of online accounts at the University of Maryland's student computer lab, which he had also anonymously penetrated.

Digital traps
By late February of last year, however, the FBI had laid digital traps for Tereshchuk inside the student lab, which was near his home. As investigators began to close in on him, his e-mail messages to Videtto became more frantic. A note sent on Feb. 28 told Videtto that if he forked over the $17 million then "everything gets deactivated, sanitized, and life will go on for everybody."

In his last e-mail message, sent several days later, he dropped his guard completely: "I am overwhelmed with the amount of information that can be used for embarrassment," he wrote. "When Myron gets compensated, things start to get deactivated."

On March 10, 2004, federal agents swarmed Tereshchuk's home, where they found the hand-grenade components and ricin ingredients. The agents arrested him in his car the same day, in the midst of writing his new crop of e-mail messages to Videtto.

Late last year, Tereshchuk was sentenced to five years in prison after pleading guilty to a criminal extortion charge filed by the United States attorney's office in Alexandria. Earlier this year he pleaded guilty to criminal possession of explosives and biological weapons, charges that the United States attorney's office in Baltimore had filed against him. Possessing illegal toxins carries a maximum term of life in prison. Tereshchuk is expected to be sentenced this fall.
http://news.com.com/The+rise+of+the+...3-5822417.html





Surveillance

Critics Slam Net Wiretapping Rule
Ryan Singel

An FCC ruling that internet telephony services must provide the same built-in wiretapping capabilities as conventional phone companies has civil libertarians feeling burned.

"I think a legal challenge is highly likely at this point," said John Morris, an attorney with the Center for Democracy and Technology.

The FCC announced last week that some voice over internet protocol, or VOIP, companies are substantial replacements for old-fashioned telephone service, and must equip their systems to respond to federal wiretap orders.

The services will have 18 months to comply with the order, which also applies to cable-modem companies and other broadband providers.

While the full text of the ruling has yet to be released, critics say the announcement marks a significant expansion of the Communications Assistance for Law Enforcement Act, or CALEA, which drew a line between "information services" and phone networks.

"The essential compromise of CALEA was hands off the internet, and that promise has been broken," said Electronic Frontier Foundation attorney Kurt Opsahl.

The FBI already has the necessary capabilities to conduct surveillance of internet activities, and the FCC's order runs contrary to Congress' intent when it passed the law, said Opsahl.

Enacted in 1994, CALEA required land line and cellular providers to build their networks to accommodate a variety of wiretaps, and established exacting technical standards regarding what information about a phone call or voice message had to be provided to law enforcement when subpoenaed.

After a protracted campaign by online civil liberties groups, Congress exempted "information services" -- like electronic publishing and online messaging -- from the rules, partly for fear the regulations could stifle innovation.

The Justice Department's request last year to expand CALEA to some internet services stirred vigorous opposition from online civil liberties groups, VOIP providers and technology companies like Sun Microsystems.

"Even if you make (the) argument that underlying broadband service is a non-information service, no one would dispute that VOIP or e-mail or IM are applications, and they are excluded from CALEA," said Morris.

The ruling only covers VOIP services like Vonage that let customers dial from their computers to the traditional phone network.

Some observers, such as Lauren Weinstein, co-founder of People for Internet Responsibility, see logic in the FCC's discrimination between those systems and computer-to-computer services, like the voice chat available through instant-messaging software or Skype's free peer-to-peer service.

"The reasoning from the FCC is that if law enforcement needs to tap a phone, they don't want to be worried if it is a conventional phone or an IP-based phone calling a traditional phone," Weinstein said.

But, he added, the real question is whether the final order requires companies like Skype to build in wiretapping capabilities only for the calls that reach the publicly switched telephone network, or for all calls placed by users.

Kevin Werbach, assistant professor of legal studies and business ethics at the University of Pennsylvania's Wharton School, thinks the distinction between the two isn't intellectually clear.

"The FCC is starting with a laudable impulse," said Werbach. "I don't doubt that law enforcement needs to do its job in a world that's changing. But the problem is that going down the road they are going forces them to distinguish between bits flowing over the network and that's just ultimately impossible."

Werbach believes Friday's order is unnecessary, because VOIP companies have been working to cooperate with law enforcement voluntarily.

Justice Department spokesman Bryan Sierra praised the decision.

"We are pleased that the commission has taken this important first step in affirming the application of CALEA to these modern forms of communications technology, and we look forward to the commission's prompt action on the remaining issues raised in our petition," Sierra said. "As communications technologies develop, we must ensure that such progress does not come at the expense of our nation's safety and security."

The issue is likely not to be settled even when the FCC releases the full text of the order. Congress could move to overrule the commission, and the EFF's Opsahl expects VOIP providers will challenge the potentially expensive requirements in court.
http://www.wired.com/news/privacy/0,1848,68483,00.html





FCC Schizo On DSL, Wiretapping
Declan McCullagh

The Federal Communications Commission has become weirdly schizophrenic. In a pair of decisions on Friday, the commissioners voted to veer in two radically different directions: deregulating DSL lines while simultaneously imposing onerous wiretapping requirements on broadband providers.

Let's first look at the FCC's more justifiable action, which says that companies providing high-speed Internet access over telephone wires no longer must share their lines with rivals.

Until now, companies like Verizon and SBC have been forced to offer competitors like EarthLink access to their networks at government-mandated rates. Friday's 4-0 vote, spurred along by a recent Supreme Court ruling, starts a one-year process of weaning the independent DSL providers and requiring them to negotiate new contracts.

As a result, liberal groups are yowling. Andrew Jay Schwartzman of the Media Access Project warned: "It means higher prices, less competition and disincentives for those entrepreneurs who have used the Internet as a platform for innovation and economic growth." Public Knowledge said it was "disappointed" that DSL is being deregulated.

Those arguments in favor of a Soviet-style regulatory regime might make sense if the Bells enjoyed a monopoly on better-than-dial-up Net access, but that's not the case. The bulk of fast connections are cable modems, not DSL, and satellite and long-distance wireless links are increasingly attractive alternatives.

Immutable laws of economics
Economists have long realized that the best way to ensure a healthy marketplace is not by adding more government regulations but by relaxing them--thus permitting Verizon, SBC and so on to reap the benefits of upgrading copper networks.

Russell Roberts, who teaches economics at George Mason University, offers this analogy: "Let's say I'm Southwest Airlines and I'm going to commission an airplane from Boeing that lets passengers stack more carry-ons in the overhead compartments. I want to order 100 of these planes. But I'm told that if I'm not using them at all times, United can borrow them. That affects my willingness to invest in an uncertain future."

The same economic principles apply to telecommunications companies: If they have secure property rights over their wires, they'll be more likely to invest.

This is what happened after the FCC voted in February 2003 to immunize fiber links from rules mandating sharing with rivals. It ushered in Verizon's Fios fiber service--and a broadband speed war between Verizon and cable operators that's great for consumers.

The benefits of DSL deregulation also promise to be huge. Jerry Ellig, a research fellow at an academic think tank called the Mercatus Center, says: "At a minimum that would create consumer benefits worth about $4.5 billion a year. That refers both to price reductions and the value received for new customers who only get broadband because of the decision."

FCC Chairman Kevin Martin seems to agree. He said on Friday: "Perpetuating the application of outdated regulations on only one set of Internet access providers inhibits infrastructure investment, innovation and competition generally."

Chairman Martin's double standard
So why doesn't Martin extend that logic to outdated eavesdropping regulations? In a second vote on Friday, the FCC extended onerous wiretapping rules designed for copper-wire telephone networks to the Internet. (The rules come from the 1994 Communications Assistance for Law Enforcement Act, or CALEA.)

The text of the FCC's CALEA order is not yet public, but early signs are worrisome. The FCC's two-page summary says that voice over Internet Protocol (VoIP) providers like Vonage that mimic traditional phone service must rewire their networks to be easily wiretappable.

It also proposes--and this is the worrisome part--to levy the same requirement on "facilities-based broadband Internet access service providers," which seems to cover any company or school offering any type of cable modem, DSL, satellite or wireless service. They'll have 18 months to comply or be fined.

"I am committed to ensuring that these providers take all necessary actions to incorporate surveillance capabilities into their networks in a timely fashion," Martin warned, bluntly. The FCC will work "closely with industry representatives, equipment manufacturers and law enforcement officials to address and overcome any challenges that stand in the way of effective lawful electronic surveillance."

What Martin didn't mention is that CALEA was never designed to apply to the Internet. In a column last year, I described how Congress never intended the law to cover online services or Internet service providers. (In fact, the FCC's schizophrenia required it to rule that DSL providers were an "information" service while also being a "telecommunications" service at the same time.)

The dictionary defines schizophrenia as "inappropriate actions" and "mental fragmentation." Unless the final CALEA rules differ from the summary, that seems to be a workable description of the unfortunate malady that's infected the FCC.
http://news.com.com/FCC+schizo+on+DS...3-5821077.html





Can you see me now?

Terror Threat Sharpens Focus On Urban Spy Cameras
Mike Dorning

The striking images of London subway bombers captured by the city's extensive video surveillance system, and a rising sense that similar attacks could happen in the United States, are stirring renewed interest in expanding police camera surveillance of America's public places.

In the aftermath of the London bombings, Sen. Hillary Clinton, D-N.Y., a liberal with a strongly pragmatic bent, called for installing more cameras to monitor passengers in the New York City subway system.

Washington Mayor Anthony Williams, whose post-Sept. 11 efforts to build a video surveillance system for downtown areas were curtailed by resistance from the D.C. City Council and some members of Congress, cited the attacks to press for broader use of cameras.

Meanwhile, Chicago, with the largest public video surveillance system in the country, is proceeding with plans to expand its 2,000-camera network and is beginning to encourage businesses to provide the city live feeds from their surveillance cameras.

The London bombings showcased the capabilities of a modern, digital video surveillance system. After both the July 7 and July 21 attacks, authorities quickly produced relatively high-resolution images of the bombers that figured prominently in fast-moving investigations.

But to critics, whose reservations are based primarily on privacy concerns, the London attacks also highlighted the limitations of camera surveillance. London has one of the world's largest surveillance systems -- the average person there is photographed by 300 cameras in the course of a day, according to an often-cited 1999 calculation by two British academics -- yet that did not prevent terrorist bombings in the heart of the city.

"It's very difficult to make a case that the cameras are a deterrent to the most determined terrorists, those who intend to give up their life," said Brian Jenkins, a terrorism expert and senior adviser to the president of RAND Corp.

But, he added, not every terrorist is willing to become a suicide bomber. And even with suicide bombers, camera surveillance can help with the hunt for the terrorist cells that provide them crucial logistical support. Clues captured on video can help rapidly trace a bomber's movements, possibly putting authorities on the trail of a previously undiscovered cell.

"How did they come in? How were they dressed? What were they carrying? What did they look like?" Jenkins said, citing details cameras can reveal.

Even before the attacks on Sept. 11, 2001, technological advances were driving a rapid expansion in camera surveillance.

Modern digital cameras provide better-quality images. They are smaller and can be made less obvious. And they cost less, so authorities can buy more.

Cheaper computer capacity, more sophisticated software, fiber optic cable and wireless broadband all combine to allow easier monitoring at remote locations, more extensive storage of images and rapid retrieval of crucial video.

And while often still primitive, emerging technologies offer even greater promise. Chicago is installing gunshot detection equipment on cameras to automatically alert authorities and point the camera in the direction of the sound.

New Jersey Transit has a pilot project in one station to use computer analysis of video to alert authorities to suspicious behavior, such as someone leaving a package behind. Authorities also are experimenting with facial recognition software, though existing versions are of limited use in scanning crowds for suspected terrorists.

While advocates of camera surveillance argue that people have no legitimate expectation of privacy in a public place, civil libertarians raise concerns about possible abuses.

Critics contend that pervasive surveillance that can secretly store images of people creates a new potential for abuse, such as intimidation of political dissenters or blackmail of people caught stealing a kiss from the wrong person or entering a gay club.

"You've essentially imbued the police with Superman's powers," said Barry Steinhardt, director of the Technology & Liberty Program at the American Civil Liberties Union. "You have the problem that police officers who have access to this data inevitably abuse it."

There have been documented cases of operators abusing cameras for voyeuristic spying. During the 2004 Republican National Convention, a police helicopter that was supposed to be monitoring protesters instead trained its infrared camera on a couple engaged in a romantic encounter on a darkened high-rise apartment balcony. The resulting video was obtained by a local television station.

And there have been plenty of examples of abuses of less-powerful technologies. A Washington, D.C., police lieutenant was discovered using photos taken during police surveillance of gay nightclubs for a "fairy-shaking" scam in which he blackmailed men who showed evidence of a married life, such as child seats in their cars.

At a minimum, there should be tight legal controls on camera systems monitoring the public, Steinhardt argues.

"We've got to put some chains on these surveillance monsters," he said.

Evidence is mixed on how effective cameras have been in deterring run-of-the-mill criminals, much less terrorists who have dedicated their lives to a religious or political cause. A 2002 report by the British Home Office, which examined 22 separate studies of video monitoring systems in the United States and Britain, found that the cameras "had little or no effect on crime in public transport and city centre settings" but did appear to reduce crime in parking lots.

However, cameras do appear to have had an impact as part of a broader campaign that succeeded in pushing IRA attacks out of central London in the 1990s, said Jenkins, who co-authored a case study examining the British authorities' response.

In addition to the video surveillance system, London authorities added uniformed and undercover police patrols, provided extensive security training to transit staff and waged an intensive campaign to encourage the public to immediately report suspicious items.

The effort included regular tests in which covert inspectors would leave suspicious items to gauge the response. At the peak of the IRA threat, the testers would see a response within minutes, Jenkins said.

The IRA moved its attacks to other, more remote targets. Similar security efforts might simply shift terrorist attacks to other targets.

But that can be a significant achievement, Jenkins said, because it is better to push attacks out of the most crowded areas. Likewise, a bomb detonated in a subway tunnel has its explosive force channeled up and down the train, producing maximum casualties. Above ground, most of the force travels above into the air.

"Do we want to chase them out of the subways and into the streets? Probably yes," Jenkins said.
http://www.siliconvalley.com/mld/sil...l/12350080.htm





Consortium to Pool Radio-Tag Patents
Barnaby J. Feder

A consortium of companies that make radio-based identification tags, scanners and related software said yesterday that they planned to pool their patents in a venture that would provide one-stop licensing and royalty management.

The effort to stimulate adoption of what is known as radio frequency identification, or RFID, will be closely modeled on licensing organizations that have aided the growth of the DVD industry and the development of products that use the MPEG-2 standard for encoding audio and video programming, said Stan Drobac, vice president for RFID strategy and planning at Avery Dennison, one of the 20 founding members of the group.

"It's a model that's known to work," Mr. Drobac said, "and it has been approved in the past by the Justice Department."

RFID supporters are expecting the technology to supplant bar codes eventually because it allows goods to be identified without the need for them to be scanned item by item. Wal-Mart and the Defense Department are among those pushing for the technology's adoption.

The most conspicuous vendor missing from the consortium's member list is Intermec Technologies, a subsidiary of Unova; it claims its 145 RFID patents cover many crucial applications of the technology.

Intermec is already embroiled in RFID patent litigation with Symbol Technologies. An Intermec spokesman said yesterday that the company had not been asked to join the consortium.

The group plans to incorporate this fall and hire a specialist to evaluate who owns the most important patents and the potential royalty structure for its members. It is unlikely to begin offering licenses before next year.

Mr. Drobac said that even if Intermec and some others remained outside the consortium, the group's existence would make the patent landscape substantially simpler. There are more than 3,000 RFID patents, said Erik Michielsen, an RFID analyst in New York for ABI Research.
http://www.nytimes.com/2005/08/10/te...gy/10tags.html