Slashdot Mirror

Software liability, in the same sense as liability for a "standard" engineering product (electrical appliances, cars, buildings, etc.) is, like you say, ludicrous. That's because companies can employ underwriting laboratories to do testing that would exceed the cost of an in-house testing matrix. Engineering is governed by the laws of physics, which generally can tell you a lot about how resistant a building is to heat, wind, rain, etc. In general, software is just plain not tested enough. This is the biggest problem to the formulation of software engineering as a respectable discipline on par with civil or mechanical engineering.

1. Businesses can crumble because of security assured to them by their software vendor that doesn't exist. People lose houses, jobs, and families because of this kind of thing. Security is dependent on more than just each component of a solution being appropriately secure - it needs the combination of each individual piece to be secure. This task is, in general, too difficult for the average tech lead at a small business, college, or school, who will have enough problems with basic functionality. To some extent, the burden needs to be shifted to software providers- I don't think this is a point of contention.

2. It is easy to purchase the software you need, with a guarantee of security and reliability, and at a reasonable price, only if you are involved with the government of a large country, and even then you don't always get it right.

3. IIS on its own may be secure enough for a company intranet, but if the intranet's firewall and proxy servers are compromised, then it has become not secure enough. Schneier wants insurance companies to take the brunt of deciding how effective security solutions are - not the US government.

4. Schneier's main goal in instituting software liability is the management of security risk by lowering insurance premiums for people with more secure software. People who want to develop software without liability protection can count on an according security check level - if a system was in place that made security important for everybody, and not just these guys, the world might be a better place.

5. There are enough larger players within the software world that I don't think this would happen - specifically, IBM wants to protect AIX, Apple wants to protect OS X, and Sun wants to protect Solaris. And if IBM and the NSA want to continue to promote Linux, they WILL make it secure

6. OpenBSD has had four years without a remote hole in the default install configuration - it has also had several local holes, and this is entirely discounting the problem of people who configure the software the wrong way. People are choosing to do this, and the market is sorting it out, but not to the extent that's necessary to prevent another Nimda, Code Red, or Iloveyou virus - the cost in lost productivity alone is earth-shattering. And people don't need to get hacked for terrible things to happen to them- in fact, if they never figure it out, all the better for the attacker. No, for the most part, people don't care- and they should. Most people don't want to get vaccinated, but we make them- because the cost to not get vaccinated for society as a whole is that much greater.

My father used to tell me stories of when he was stationed in WWII in the Aleutian Islands, preparing as a SeaBee for the invasion of Japan. One of the stories that continued to amaze him was the deployment of Native Americans to handle communications, now populary referred to as Code Talkers.

Not only did they transmit messages in code, but they added a nice little touch, all transmissions were forwarded in their native dialects. Both my father and I would chortle at the prostpect of some enemy intercept trying to figure out Cherokee.

It makes me wonder, especially when you consider the costs of snooping everone's transmissions ... if it just wouldn't be too expensive if we not only encrypted our transmissions, but perhaps had an IRC in which we could roll our own dialects via tools like Bison in which only you, and your buddy on the other end would possess the necessary grammar file.

Sure, I'm sure the employer and their lawyers could still crack it ... but perhaps the process would become so expensive that they'll just move onto hammering the putz down the hall who continues to spew open text.

Just thought I'd point out that the NSA has been running similar programs for a while. I actually looked into them when I was in college, but then I realized I was looking at Big Brother and asking for a part in the book 1984... on the wrong side.

On a lighter note, after hearing that Intel is trying to claim the word 'inside' as its own, I decided to do a little investigating as to exactly what is inside. Take a look.

Just thought I'd point out that the NSA has been running similar programs for a while. I actually looked into them when I was in college, but then I realized I was looking at Big Brother and asking for a part in the book 1984... on the wrong side.

On a lighter note, after hearing that Intel is trying to claim the word 'inside' as its own, I decided to do a little investigating as to exactly what is inside. Take a look.

Stacking modules (loading more than one module at once) is problematic, because security policies are known to not be composable in general. However, if the modules have been designed to be stacked, then LSM will let you stack them.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase

You are correct in that the records were one time pads containing random noise, but Sigsaly was digital, not analog.

NSA Paper
/. story

We had a link with the British in the War that would use a disk of noise to overlay a signal on top of communications that would be un scrambled on the other side by the same wheel running on at the same time. The more things change, the more they stay the same.

Check out the NSA's explanation
Previous Slashdot Story

It's just a sawfish theme.

That's what I gathered from deciphering the "LainOS" website. But they claim, "LainOS is for the most part a modfified version of FreeBSD 4.5," and, "It sports a animated splash screen, a more fully intergrated X server, and a custom graphical login interface, amoung several other improvments over FreeBSD and Linux."

Either they don't know what they're talking about (a theme is not an OS, as you pointed out) or their goal is to roll their own *BSD distribution. Which is it? Themes are great, but that's not much of a vision for a distro. Does *BSD need another distro anyway? I think FreeBSD, NetBSD, and OpenBSD fit nicely in their own niches. About the only distro I'd like to see would be a fork off OpenBSD to harden security, much like what the NSA did with SE-Linux. OpenBSD is great, but could benefit from a little more paranoia.

...the No Such Agency

I've heard that a certain government agency is always hiring math freaks. I've also heard that they are the largest employer of math freaks in the world.

I don't know about the rest of the Three Letter Agencies, but the most important of them for this topic will only hire Americans.

From the NSA's employment FAQ,

3. Do I have to be a U.S. citizen to work at the NSA?
Yes. Only U.S. citizens are eligible for NSA Employment.

Seems you are right about the NSA employing more mathematicians than anyone else in the world. They believe this too. From a page on their web site:

NSA employs the country's premier codemakers and codebreakers. It is said to be the largest employer of mathematicians in the United States and perhaps the world. Its mathematicians contribute directly to the two missions of the Agency: designing cipher systems that will protect the integrity of U.S. information systems and searching for weaknesses in adversaries' systems and codes.

You might not believe it but the NSA has their own museum National Cryptologic Museum It has a real ENIGMA machine as well as the machine used to break the codes. The displays pretty much end in the 70's or 80's with a massive CRAY machine as the most modern thing they show

So does the NSA ...

http://www.nsa.gov/museum/index.html

However, Linux 2.5.3-nsa1 did come out today so you are right. 4 kernel trees out today!

I have personally seen it in several places , it's out there but the tech-guys often don't shout about it. I don't know why, whether it is internal pressure, or commercial pressure or interoperability between departments.

QinetiQ the UK's commercial wing of DERA (Defense Evaluation and Research Agency) produced this report: QinetiQ_OSS_rep.pdf. Which is the most pro-OSS report I've read.

The German Government support GnuPG and a few other security related projects.

And of course the NSA have SE-Linux, and have put money into research at the university of Utah.

LANL have some pretty serious Linux clustering.

1. They are shy or antisocial;
2. They spend a large percentage of their free time on a computer;
3. They are quick to criticise the government or corporations, often complaining about their "rights online";
4. They are obsessed with privacy;
5. They have a tendency to play violent computer games;
6. They frequently illegally copy music, movies, or software;
7. They listen to aggressive, "alternative" music;
8. They have an aversion to going outside;
9. They like to reverse-engineer, or "hack", anything they can for no substantive reason;
10. They use software such as Linux, which is designed by and for hackers.

The NSA has some fun problems on its USA Mathematical Talent Search (USAMTS) page.

2^(2^(2^2 + 1) - 1) - 1 = 2^31 - 1: Mersenne prime

The NSA has some fun problems on its USA Mathematical Talent Search (USAMTS) page.

2^(2^(2^2 + 1) - 1) - 1 = 2^31 - 1: Mersenne prime

There is no way I am ever going to submit anything to a National Software Agency, do you think I'd get a certificate for software they classify as munitions?

Probably not. I wonder a lot about google, because they offer a widely-used free product, don't run ads (actually, they run a few de-emphasized text-based ads), and are hiring like crazy during the middle of a recession which has seen hundreds of thousands of layoffs nationwide. My guess--based on their profitless existence and the fact they cache/index everything on the Internet--is that they are a front for either the CIA or NSA/NRO. Careful what you say, they have 16,000 60GB hard drives.

High taxes

Free, universal health care, lower tuition fees, free highways (no toll booths!!!) and lower rent for nicer appartments...

government regulation

Cleaner environment, easier recourse against abusive landlords/corporations/institutions, few guns all around...

lack of opportunity

Eh?

no free speech

Okay, it's marginally less well-protected here than in the states...yet our media is a lot freer from corporate meddling (well, CBC/SRC is, anyway...) and the charter of rights and freedom is still a pretty good safeguard on protecting free speech. The same problem as in the states, though: access to the distribution channels so what you SAY can actually be HEARD...

no right to self defense

You mean the right to bear arms? Look at it this way: you guys have the highest murder rate in the world. Guns kill people. People without guns just beat each other silly, occasionally stab each other - but they usually get to see the next day.

big brother government database on all citizens

Okay, that's disturbing...but at least we don't give our taxes to an agency that routinely eavesdrop on its citizens AND those of other countries (Echelon, anyone?). Don't you think they have secret databases of their own, mmh?

and what's more the postal service opens and photocopies a certain percentage of mail without a warrant as a matter of policy

Well, I think they do that in the States now, too!

RE: but...

Shouldn't that be "boot"?

No, it shouldn't. I really don't know where Americans got this notion that anglo-canadians pronounce "about" like "aboot". I lived in Toronto for two years and went across Canada in 1986 (I'm a franco-canadian myself) and never once heard it pronounced like this. I guess it shows how much you REALLY know about Canada. (They do say "eh" all the time, though! :-)

More to the point, what does Canada-bashing have to do with the current subject, anyway? I'm the separatist here, I'll do the bashing, thank you very much!

(Do we *really* need to be running our network services as root just so that they can bind to a low-numbered port?)

I suspect you knew this already (and just added that comment for effect), but that problem has been solved at least twice, with the LIDS patch and NSA's SELinux. Both accomplish this by untying capabilities from the user-id (such that, for example, a program can be given permission to bind to low-numbered ports while receiving no other advanced privileges).

A whitepaper can be found for the NSA's solution, and reasonable documentation can be found for the LIDS project.

(Do we *really* need to be running our network services as root just so that they can bind to a low-numbered port?)

I suspect you knew this already (and just added that comment for effect), but that problem has been solved at least twice, with the LIDS patch and NSA's SELinux. Both accomplish this by untying capabilities from the user-id (such that, for example, a program can be given permission to bind to low-numbered ports while receiving no other advanced privileges).

A whitepaper can be found for the NSA's solution, and reasonable documentation can be found for the LIDS project.

• Complexity and Flexibility: The more complex a product is, the more flexible it can be. SubDomain is less complex to manage than SELinux, but offers more flexibility than HP-LX.
• Price: SELinux is free, Immunix Systems are $90 each, and HP-LX is $3000 each.

• StackGuard: resists most buffer overflow attacks.
• FormatGuard: resists most printf format bug attacks.

Reconfigurable FPGAs would be better because they get around the problem where the message was encrypted using something other than DES.

Midway

How are they going to find that message, or understand its significance? The NSA intercepted and decrypted a large number of Soviet diplomatic/intelligence messages in the 1940s (VENONA). Despite a large amount of work, the identities of many of the agents referred to in the messages are unknown.

It seems to me that sooner or later these two government projects are going to come into conflict and it will be very interesting to see who comes out on top.

If an MSIE security hole is able expose information vital to national security then our national security is a joke, and any appeal which attempts to take it seriously is fatally flawed. Last I heard the NSA certified MS products as secure only if they weren't connected to a network. BTW, if you know where the Windows 2000 Security Recomendations are, please let me know.

On a side note, I was mildly disturbed to find that the NSA has a kid's page, but it's actually pretty cool. If only my school had access to something like it when they put me in their travesty of a gifted program, I might have even stayed in it...

From the NSA site:

Couldn't the Agency simply ask its allies to provide them with information about U.S. persons?

We have been prohibited by executive order since 1978 from having any person or government agency, whether foreign or U.S., conduct any activity on our behalf that we are prohibited from conducting ourselves. Therefore, NSA/CSS does not ask its allies to conduct such activities on its behalf nor does NSA/CSS do so on behalf of its allies.

Political News from Wired News - Cybercrime Treaty Finally Ready. After four years of haggling over the language, several countries including the United States will sign a cybercrime treaty.

WildernessCoast.org - Cybercrime Treaty Bibliography -- By Date. A wide collection of links that talk about the Cybercrime Treaty Same info sorted by title.

Council of Europe - Convention on Cybercrime.

The Convention on Cybercrime has been adopted by the Committee of Ministers during its 109th Session, on 8 November 2001 and will be opened for signature, in Budapest, on 23 November 2001.

The Convention will be the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception.

Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation.

The Convention is the product of four years of work by Council of Europe experts, but also by the United States, Canada, Japan and other countries which are not members of the organisation.

It will be supplemented by an additional protocol making any publication of racist and xenophobic propaganda via computer networks a criminal offence.

[ ... ]

But Fred Eisner, a consultant for the Dutch government and private companies, said the draft made unfair demands on Internet service providers by asking them to track Web users' online movements.

"This draft convention lacks balance," Eisner told the assembly. "The convention explicitly gives much more power to law enforcement agencies and it has no system of checks and balances."

Bruce McConnell, president of McConnell International, a Washington-based consulting firm, said the treaty should be more forceful in protecting the privacy of Web users who are already worried about being spied on.

"There is concern that the powers of surveillance ... are not balanced by comparable protections for individuals' privacy," he said.

Maybe you trust the law-enforcement chiefs in D.C. to do the right thing. But here's the catch. The same new powers given to the United States will also handed over to Bulgaria, Romania, Azerbaijan, and other Council of Europe nations that-although officially democratic now-don't have a strong traditions of checks and balances on police power.

Do you want investigators rummaging around your clients' computer systems on warrants issued by former Soviet bloc nations?

That's the prospect that has pushed AT&T Corporation and other high-technology companies into feverishly trying to stop or at least soften the treaty. The U.S. Chamber of Commerce and Information Technology Association of America also oppose it.

Stewart Baker is one of the chief lobbyists for the treaty opponents. As a former general counsel of the National Security Agency and recipient of the Department of Defense Medal for Meritorious Civilian Service, he's got street cred on these issues in corporate America.

What worries Baker and his colleagues? Consider the following hypothetical: A Los Angeles screenwriter corresponds by e-mail with a neo-Nazi in Germany while researching a script. Shortly after, he finds federal agents examining the files on his home computer. The agents also visit America Online Inc. to retrieve records of the screenwriter's AOL usage.

The agents are fulfilling a warrant issued by German authorities allowing them to search for Nazi propaganda. Such material is unlawful in Germany but not in the U.S. They framed their warrant in terms of "suspected terrorist activity."

LAW.com (requires cookies) - International Treaty on Cybercrime Poses Burden on High-Tech Companies.

Maybe you're a civil libertarian, and maybe you're not. Maybe you worry about how the United States exercises its vast investigative and prosecutorial powers, and maybe you don't.

But if you counsel U.S. corporations on computer-related issues, you should be concerned about a new proposed treaty known as the "Convention on Cybercrime." The Council of Europe, a 43-nation public body created to promote democracy and the rule of law, is nominally drafting the treaty. Curiously, however, the primary architect is the U.S. Department of Justice.

The Department of Justice and Federal Bureau of Investigation are using a foreign forum to create an international law-enforcement regime that favors the interests of the feds over those of ordinary citizens and businesses. Their goal is to make it easier to get evidence from abroad and to extradite and prosecute foreign nationals for certain kinds of crimes.

Maybe you trust the law-enforcement chiefs in D.C. to do the right thing. But here's the catch. The same new powers given to the United States will also be handed over to Bulgaria, Romania, Azerbaijan, and other Council of Europe nations that -- although officially democratic now -- don't have a strong tradition of checks and balances on police power.

[ ... ]

Stewart Baker, a partner at Washington, D.C.'s Steptoe & Johnson, is one of the chief lobbyists for the treaty's opponents. As a former general counsel of the National Security Agency and recipient of the U.S. Department of Defense Medal for Meritorious Civilian Service, he's got street credentials on these issues in corporate America.

Slashdot | Implications Of The International Cybercrime Treaty.

SiliconValley.com part of San Jose Mercury News - Pioneer cybercrime pact tightens privacy rules.

MS-NBC - Pioneer cybercrime pact tightens privacy rules. PARIS, May 25 -- Stiff criticism from the EU and pressure groups has prompted drafters of the world's first treaty against cybercrime to tighten provisions protecting privacy online, the final text showed Friday.

[ ... ]

Against EU objections, it also limits the right of a country to reject a request from abroad to store and hand over data in potential crime cases if the requesting country thinks it could be misused.

The text says states should make sure that systems operators or other people who know how to use a certain system can be ordered to cooperate in any such a cyberprobe.

PARIS (Reuters) - Stiff criticism from the EU and pressure groups has prompted drafters of the world's first treaty against cybercrime to tighten provisions protecting privacy online, the final text showed on Friday.

The Council of Europe, a 43-state human rights watchdog, has amended the text to ensure police respect privacy rights when they follow digital trails to fight online crimes such as hacking, spreading viruses, using stolen credit card numbers or defrauding banks.

''The guarantees in the treaty have been reinforced,'' Peter Csonka, deputy head of the economic crime division at the Council's headquarters in Strasbourg, told Reuters after the Council posted the final text -- version 27 -- on its Web site.

But the treaty, which has aroused heated debate in cyberspace since its draft text became public last year, ignored calls by Internet service providers (ISPs) for fewer costly requirements on preserving data that could be linked to a crime.

It still accorded police wide powers to chase suspected cybercriminals -- powers some critics say go beyond what is legal in some Council member states or in observer countries like the United States, Canada and Japan due to sign the treaty.

ZDNet - Internet founder worried over EU cybercrime plans.

BRUSSELS --Vint Cerf, a founding father of today's Internet, said on Thursday that European Union plans for new rules to fight crime on the Web risked clashing with existing EU privacy regulations.

Cerf, who helped develop the Internet in the early 70s shortly after graduating from Stanford University and now works for WorldCom, said more secure network systems were an immediate priority for the successful development of the ubiquitous Web.

He told Reuters in an interview that Internet traffic should be retained only for billing purposes and was too cumbersome to be stored for police investigations.

Changes to a controversial treaty on cybercrime have done nothing to improve it, say civil liberty campaigners.

Next week, the Council of Europe will vote on the treaty, which has been redrafted 26 times before reaching its final version late in May.

The most recent changes were made to take into account the fears of civil liberty and privacy campaigners. But cyber-rights groups say the latest changes are purely cosmetic and have not diluted what they describe as its most pernicious sections.

The groups say that, if adopted in its current form, the treaty could lead to changes in legislation that would stifle rights to privacy and do little to curb the activities of law enforcement agencies.

[ ... ]

In December 2000, 23 organisations, banding together under the banner of the Global Internet Liberty Campaign (GILC), signed a letter condemning the 25th draft of the treaty as "appalling", and warned that it handed law enforcement agencies sweeping powers to snoop and could seriously erode online privacy.

Now, three civil liberty groups, the American Civil Liberties Union, the Electronic Privacy Information Center and Privacy International, have sent another letter to the Council of Europe outlining their "continuing concerns" over the wording of the treaty and saying that their fears have not been laid to rest.

The letter chastises the Council of Europe for refusing to open up the redrafting debates to non-governmental organisations and for, it says, ignoring the human rights and privacy concerns of organisations such as the GILC.

It goes on to say that the original criticisms still stand, and that the treaty does not pay enough attention to existing laws which safeguard human rights. It says the treaty's recommendations on protecting privacy are vague and do not go far enough.

IT industry gurus have branded the Council of Europe's Convention on Cybercrime 'foolish, unworkable and a legal con trick'.

The controversial treaty provides a blanket legislation to deal with all forms of internet crime from hacking to online pornography.

Caspar Bowden, director of internet think-tank FIPR, said: "The Convention is essentially a legal con trick, drafted in secret by a handful of nameless bureaucrats. It equates the internet - a network of private networks - with 'cyberspace', a metaphor from science fiction.

"By this sleight of hand, the internet is defined as a public space over which law enforcement should be granted unfettered powers of surveillance and extradition," he added.

International policy-makers this week ended a round of talks aimed at setting common rules affecting online trade and commerce, but they made little progress in bridging divisions that threaten to delay the pact.

In the works for nearly a decade, the Hague Convention on Jurisdiction and Foreign Judgments is still almost unknown outside international policy circles. Nevertheless, it could have broad implications for consumers and businesses by setting new rules for online copyrights, free speech and e-commerce--if it is approved.

Opposition to the treaty heated up Wednesday, when a two-week drafting session wrapped up with few concessions to critics, primarily from the United States, who say the pact threatens free speech and could force Internet service providers to become global content police.

"In a nutshell, it will strangle the Internet with a suffocating blanket of overlapping jurisdictional claims, expose every Web page publisher to liabilities for libel, defamation and other speech offenses from virtually any country, (and) effectively strip Internet service providers of protections from litigation over the content they carry," Jamie Love, director of Ralph Nader's Consumer Project on Technology (CPT), wrote in a report after the meeting.

The treaty is one of several efforts by the global community to grapple with a complicated legal issues on a borderless Web.

Four years ago, nations including the United States signed onto a World Intellectual Property Organization pact to protect copyright in the digital age. And several countries, including the United States, are hammering out the world's first cybercrime treaty, which would provide a standard for fighting online crime.

The Hague treaty differs from those efforts because it would not outline specific laws participants must follow. It's much broader, requiring participants to agree to enforce each others' laws on a variety of topics. As it stands, the treaty would require courts to enforce the commercial laws of the convention's 52 member nations, even if they prohibit actions that are legal under local laws.

BRUSSELS - The blueprint for a global code on Cyber-crime was agreed on in Strasbourg, France, Friday, paving the way for international rules governing online copyright infringement, online fraud, child pornography and hacking.

The 41 members of the Council of Europe (CoE), plus the U.S., Canada and Japan, signed on to a draft convention on cybercrime that is set to be rubber-stamped at ministerial level in September.

"Once adopted, the Convention will be the first international treaty on criminal offenses committed through the use of Internet and other computer networks," the Council of Europe said in a statement.

In September, the Council of Europe approved the Convention on cybercrime, a historic treatise that lays the foundation for legislation allowing for a greater sharing of information between countries to combat the rise of cybercrime.

The treatise isn't binding, but instead would have to be adopted into law by its 43 European member states and five outside countries including the United States, Canada and Japan.

The treaty is broad, covering crimes committed on the Internet such as fraud, child pornography and violations of computer network security. It also sets up global policing procedures for conducting computer searches, interception of e-mails, and extradition of criminal suspects.

More details on the CyberCrime Treaty can be found in the Privacy Digest archives dated September 26,2000, September 27,2000, October 09,2000, October 16,2000, October 18,2000, October 19,2000, October 25,2000, November 14,2000, November 20,2000, November 22,2000 and March 24,2001. This is not all the information at Privacy Digest and other sites so if you want to know more try a search

Political News from Wired News - Cybercrime Treaty Finally Ready. After four years of haggling over the language, several countries including the United States will sign a cybercrime treaty.

WildernessCoast.org - Cybercrime Treaty Bibliography -- By Date. A wide collection of links that talk about the Cybercrime Treaty Same info sorted by title.

Council of Europe - Convention on Cybercrime.

The Convention on Cybercrime has been adopted by the Committee of Ministers during its 109th Session, on 8 November 2001 and will be opened for signature, in Budapest, on 23 November 2001.

The Convention will be the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception.

Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation.

The Convention is the product of four years of work by Council of Europe experts, but also by the United States, Canada, Japan and other countries which are not members of the organisation.

It will be supplemented by an additional protocol making any publication of racist and xenophobic propaganda via computer networks a criminal offence.

[ ... ]

But Fred Eisner, a consultant for the Dutch government and private companies, said the draft made unfair demands on Internet service providers by asking them to track Web users' online movements.

"This draft convention lacks balance," Eisner told the assembly. "The convention explicitly gives much more power to law enforcement agencies and it has no system of checks and balances."

Bruce McConnell, president of McConnell International, a Washington-based consulting firm, said the treaty should be more forceful in protecting the privacy of Web users who are already worried about being spied on.

"There is concern that the powers of surveillance ... are not balanced by comparable protections for individuals' privacy," he said.

Maybe you trust the law-enforcement chiefs in D.C. to do the right thing. But here's the catch. The same new powers given to the United States will also handed over to Bulgaria, Romania, Azerbaijan, and other Council of Europe nations that-although officially democratic now-don't have a strong traditions of checks and balances on police power.

Do you want investigators rummaging around your clients' computer systems on warrants issued by former Soviet bloc nations?

That's the prospect that has pushed AT&T Corporation and other high-technology companies into feverishly trying to stop or at least soften the treaty. The U.S. Chamber of Commerce and Information Technology Association of America also oppose it.

Stewart Baker is one of the chief lobbyists for the treaty opponents. As a former general counsel of the National Security Agency and recipient of the Department of Defense Medal for Meritorious Civilian Service, he's got street cred on these issues in corporate America.

What worries Baker and his colleagues? Consider the following hypothetical: A Los Angeles screenwriter corresponds by e-mail with a neo-Nazi in Germany while researching a script. Shortly after, he finds federal agents examining the files on his home computer. The agents also visit America Online Inc. to retrieve records of the screenwriter's AOL usage.

The agents are fulfilling a warrant issued by German authorities allowing them to search for Nazi propaganda. Such material is unlawful in Germany but not in the U.S. They framed their warrant in terms of "suspected terrorist activity."

LAW.com (requires cookies) - International Treaty on Cybercrime Poses Burden on High-Tech Companies.

Maybe you're a civil libertarian, and maybe you're not. Maybe you worry about how the United States exercises its vast investigative and prosecutorial powers, and maybe you don't.

But if you counsel U.S. corporations on computer-related issues, you should be concerned about a new proposed treaty known as the "Convention on Cybercrime." The Council of Europe, a 43-nation public body created to promote democracy and the rule of law, is nominally drafting the treaty. Curiously, however, the primary architect is the U.S. Department of Justice.

The Department of Justice and Federal Bureau of Investigation are using a foreign forum to create an international law-enforcement regime that favors the interests of the feds over those of ordinary citizens and businesses. Their goal is to make it easier to get evidence from abroad and to extradite and prosecute foreign nationals for certain kinds of crimes.

Maybe you trust the law-enforcement chiefs in D.C. to do the right thing. But here's the catch. The same new powers given to the United States will also be handed over to Bulgaria, Romania, Azerbaijan, and other Council of Europe nations that -- although officially democratic now -- don't have a strong tradition of checks and balances on police power.

[ ... ]

Stewart Baker, a partner at Washington, D.C.'s Steptoe & Johnson, is one of the chief lobbyists for the treaty's opponents. As a former general counsel of the National Security Agency and recipient of the U.S. Department of Defense Medal for Meritorious Civilian Service, he's got street credentials on these issues in corporate America.

Slashdot | Implications Of The International Cybercrime Treaty.

SiliconValley.com part of San Jose Mercury News - Pioneer cybercrime pact tightens privacy rules.

MS-NBC - Pioneer cybercrime pact tightens privacy rules. PARIS, May 25 -- Stiff criticism from the EU and pressure groups has prompted drafters of the world's first treaty against cybercrime to tighten provisions protecting privacy online, the final text showed Friday.

[ ... ]

Against EU objections, it also limits the right of a country to reject a request from abroad to store and hand over data in potential crime cases if the requesting country thinks it could be misused.

The text says states should make sure that systems operators or other people who know how to use a certain system can be ordered to cooperate in any such a cyberprobe.

PARIS (Reuters) - Stiff criticism from the EU and pressure groups has prompted drafters of the world's first treaty against cybercrime to tighten provisions protecting privacy online, the final text showed on Friday.

The Council of Europe, a 43-state human rights watchdog, has amended the text to ensure police respect privacy rights when they follow digital trails to fight online crimes such as hacking, spreading viruses, using stolen credit card numbers or defrauding banks.

''The guarantees in the treaty have been reinforced,'' Peter Csonka, deputy head of the economic crime division at the Council's headquarters in Strasbourg, told Reuters after the Council posted the final text -- version 27 -- on its Web site.

But the treaty, which has aroused heated debate in cyberspace since its draft text became public last year, ignored calls by Internet service providers (ISPs) for fewer costly requirements on preserving data that could be linked to a crime.

It still accorded police wide powers to chase suspected cybercriminals -- powers some critics say go beyond what is legal in some Council member states or in observer countries like the United States, Canada and Japan due to sign the treaty.

ZDNet - Internet founder worried over EU cybercrime plans.

BRUSSELS --Vint Cerf, a founding father of today's Internet, said on Thursday that European Union plans for new rules to fight crime on the Web risked clashing with existing EU privacy regulations.

Cerf, who helped develop the Internet in the early 70s shortly after graduating from Stanford University and now works for WorldCom, said more secure network systems were an immediate priority for the successful development of the ubiquitous Web.

He told Reuters in an interview that Internet traffic should be retained only for billing purposes and was too cumbersome to be stored for police investigations.

Changes to a controversial treaty on cybercrime have done nothing to improve it, say civil liberty campaigners.

Next week, the Council of Europe will vote on the treaty, which has been redrafted 26 times before reaching its final version late in May.

The most recent changes were made to take into account the fears of civil liberty and privacy campaigners. But cyber-rights groups say the latest changes are purely cosmetic and have not diluted what they describe as its most pernicious sections.

The groups say that, if adopted in its current form, the treaty could lead to changes in legislation that would stifle rights to privacy and do little to curb the activities of law enforcement agencies.

[ ... ]

In December 2000, 23 organisations, banding together under the banner of the Global Internet Liberty Campaign (GILC), signed a letter condemning the 25th draft of the treaty as "appalling", and warned that it handed law enforcement agencies sweeping powers to snoop and could seriously erode online privacy.

Now, three civil liberty groups, the American Civil Liberties Union, the Electronic Privacy Information Center and Privacy International, have sent another letter to the Council of Europe outlining their "continuing concerns" over the wording of the treaty and saying that their fears have not been laid to rest.

The letter chastises the Council of Europe for refusing to open up the redrafting debates to non-governmental organisations and for, it says, ignoring the human rights and privacy concerns of organisations such as the GILC.

It goes on to say that the original criticisms still stand, and that the treaty does not pay enough attention to existing laws which safeguard human rights. It says the treaty's recommendations on protecting privacy are vague and do not go far enough.

IT industry gurus have branded the Council of Europe's Convention on Cybercrime 'foolish, unworkable and a legal con trick'.

The controversial treaty provides a blanket legislation to deal with all forms of internet crime from hacking to online pornography.

Caspar Bowden, director of internet think-tank FIPR, said: "The Convention is essentially a legal con trick, drafted in secret by a handful of nameless bureaucrats. It equates the internet - a network of private networks - with 'cyberspace', a metaphor from science fiction.

"By this sleight of hand, the internet is defined as a public space over which law enforcement should be granted unfettered powers of surveillance and extradition," he added.

International policy-makers this week ended a round of talks aimed at setting common rules affecting online trade and commerce, but they made little progress in bridging divisions that threaten to delay the pact.

In the works for nearly a decade, the Hague Convention on Jurisdiction and Foreign Judgments is still almost unknown outside international policy circles. Nevertheless, it could have broad implications for consumers and businesses by setting new rules for online copyrights, free speech and e-commerce--if it is approved.

Opposition to the treaty heated up Wednesday, when a two-week drafting session wrapped up with few concessions to critics, primarily from the United States, who say the pact threatens free speech and could force Internet service providers to become global content police.

"In a nutshell, it will strangle the Internet with a suffocating blanket of overlapping jurisdictional claims, expose every Web page publisher to liabilities for libel, defamation and other speech offenses from virtually any country, (and) effectively strip Internet service providers of protections from litigation over the content they carry," Jamie Love, director of Ralph Nader's Consumer Project on Technology (CPT), wrote in a report after the meeting.

The treaty is one of several efforts by the global community to grapple with a complicated legal issues on a borderless Web.

Four years ago, nations including the United States signed onto a World Intellectual Property Organization pact to protect copyright in the digital age. And several countries, including the United States, are hammering out the world's first cybercrime treaty, which would provide a standard for fighting online crime.

The Hague treaty differs from those efforts because it would not outline specific laws participants must follow. It's much broader, requiring participants to agree to enforce each others' laws on a variety of topics. As it stands, the treaty would require courts to enforce the commercial laws of the convention's 52 member nations, even if they prohibit actions that are legal under local laws.

BRUSSELS - The blueprint for a global code on Cyber-crime was agreed on in Strasbourg, France, Friday, paving the way for international rules governing online copyright infringement, online fraud, child pornography and hacking.

The 41 members of the Council of Europe (CoE), plus the U.S., Canada and Japan, signed on to a draft convention on cybercrime that is set to be rubber-stamped at ministerial level in September.

"Once adopted, the Convention will be the first international treaty on criminal offenses committed through the use of Internet and other computer networks," the Council of Europe said in a statement.

In September, the Council of Europe approved the Convention on cybercrime, a historic treatise that lays the foundation for legislation allowing for a greater sharing of information between countries to combat the rise of cybercrime.

The treatise isn't binding, but instead would have to be adopted into law by its 43 European member states and five outside countries including the United States, Canada and Japan.

The treaty is broad, covering crimes committed on the Internet such as fraud, child pornography and violations of computer network security. It also sets up global policing procedures for conducting computer searches, interception of e-mails, and extradition of criminal suspects.

More details on the CyberCrime Treaty can be found in the Privacy Digest archives dated September 26,2000, September 27,2000, October 09,2000, October 16,2000, October 18,2000, October 19,2000, October 25,2000, November 14,2000, November 20,2000, November 22,2000 and March 24,2001. This is not all the information at Privacy Digest and other sites so if you want to know more try a search

Exactly. If you want to help import cocaine into America, sign up with the Cocaine Import Agency. If corporate espionage is your bag, go with the Nationalized Spies from America. Don't waste your time with any of the four branches. They're grunts anyway.

NSA.

Quarter. Clue. Buy.

The BBC article was kinda light on details . . . care to give more in-depth info about the Enigma Machine?

The Engima story is quite interesting and complex; volumes can and have been written about it and it's beyond the scope of a Slashdot post to relay the full history. But I've provided some links if you're curious.

It should be noted that Bletchley Park's work in deciphering the Enigma codes - used by the Germans to direct operations including U-boat attacks on Allied convoys - proved vital to the outcome of the WWII.

Bletchley Park, code-named Station X, employed teams of mathematicians, linguists and chess champions during the war.

By the end of 1945, 10,000 people worked there.

With the help of decoding machines, the army of experts were able to crack the German code Enigma, which Berlin believed to be unbreakable.

The work carried out at the top-secret centre is believed to have shortened the war by several years and was kept secret until 1967.

The stolen device, an Abwehr Enigma G312, is a rare four-rotor version, one of only three still known to be in existence.

I worked for Viisage Technology for a couple of years, and they use a system in the building where two cameras scan for faces in the hallway (as you're approaching to enter) and if a face found matches one in the employee database, it unlocks the door.

It was sophisticated enough to identify me as me even when I was wearing my eyeglasses, and later, when I grew a goatee type beard and moustache. No ID code to enter, no badge to carry. If you didn't match anyone in the database, it would summon security and leave the doors locked.

Having run their Technical Support Department for 2 years, I can tell you that the products not only work, but work very well. They use the facial recognition in Massachusetts at the Department of Transitional Assistance (Welfare) offices to identify those people obtaining multiple ID's under assumed names to weed out Welfare fraud.

The kind of access system they have in their entry could be used in an airport entry to identify a suspected terrorist trying to move about the country and alert security. It's pretty close to an Orwelian concept, except this type of monitoring would definately have oversight by a committee or White House office to prevent civil rights abuses.

I personally am against the idea on principle, but sometimes one principle takes precedence over another.

I've contacted several FBI employment offices via phone as well as the FBI employment websites, even checked the C3I and the DSS and the NSA websites.

There are no listings of a "Computer Hacker Extraordinaire" position.

Perhaps, the Cult of the Dead Cows are hiring...

We have met the enemy and he is us

The real trouble is that very few widely used operating systems can properly jail an executable. FreeBSD tries, but the jail facility in FreeBSD doesn't get used enough to establish that it's safe.

NSA Linux, which has mandatory security, is a big step in the right direction. A good exercise would be to make Mozilla run uner NSA Linux but insist that downloaded code run in an untrusted compartment, so it couldn't do much.

1. Mono has nothing to do with Linux development.
   
   
2. Linux is not trying to be a Windows clone, instead it is a rather successful Unix clone.
   
   
3. An operating system that addresses computing in a way that MSFT's don't? Do you mean like SE Linux or RTLinux?

1. They are shy or antisocial;
2. They spend a large percentage of their free time on a computer;
3. They are quick to criticize the government or corporations, often complaining about their "rights online";
4. They are obsessed with privacy;
5. They have a tendency to play violent computer games;
6. They frequently illegally copy music, movies, or software;
7. They listen to aggressive, "alternative" music;
8. They have an aversion to going outside;
9. They like to reverse-engineer, or "hack", anything they can for no substantive reason;
10. They use software such as Linux, which is designed by and for hackers.

Good points. Aside from that, what happens when these criminals take a page out of the U.S.' playbook and futher obfuscate their messages with native dialects as did the U.S. with their Navaho codetalkers ?

They are really missing the point here. Our government has the NSA. Their website states things like:

NSA also made ground-breaking developments in semiconductor technology and remains a world leader in many technological fields.

Its workforce represents an unusual combination of specialties: analysts, engineers, physicists, mathematicians, linguists, computer scientists, researchers, as well as customer relations specialists, security officers, data flow experts, managers, administrative and clerical assistants.

These guys job is make things secure or attempt to break things that are secure. With all these skills and knowledge, they must know to attack the weakest point of the ENTIRE SYSTEM. PGP is not a system. it is a piece of software in a system. Brute forcing an PGP encrypted email is not the smart way to break it. You would think the NSA would know such things. Do you think Mr. Bin Ladin's decrypts emails that are sent to him? His PGP keys are stored somewhere. Find them. Pay off someone in his posse to email you a copy of his private key. There are MANY alternatives. The attack tree is some much broader than a brute force attack against the algorithm. I would think that the NSA would know such things...

They are really missing the point here. Our government has the NSA. Their website states things like:

NSA also made ground-breaking developments in semiconductor technology and remains a world leader in many technological fields.

Its workforce represents an unusual combination of specialties: analysts, engineers, physicists, mathematicians, linguists, computer scientists, researchers, as well as customer relations specialists, security officers, data flow experts, managers, administrative and clerical assistants.

These guys job is make things secure or attempt to break things that are secure. With all these skills and knowledge, they must know to attack the weakest point of the ENTIRE SYSTEM. PGP is not a system. it is a piece of software in a system. Brute forcing an PGP encrypted email is not the smart way to break it. You would think the NSA would know such things. Do you think Mr. Bin Ladin's decrypts emails that are sent to him? His PGP keys are stored somewhere. Find them. Pay off someone in his posse to email you a copy of his private key. There are MANY alternatives. The attack tree is some much broader than a brute force attack against the algorithm. I would think that the NSA would know such things...

NSA is the single largest employer in Anne Arundel County and one of the largest in the state of Maryland.

NSA is the Baltimore Gas Electric (BGE) company's 2nd largest customer, and the 2nd largest user of electrical power in Maryland. NSA's yearly electrical bill is more than $21 million.

Considering the comments made in the mentioned article it is quite fun looking at NSA's carrers page. Especially the Computer Science section. The job description available to Computer/Electrical Engineers is also quite amusing.

at http://www.nsa.gov/programs/employ/index.html you also get the sidebar with job descriptions in Cryptoanalysis (code breaking), Foreign Languages, etc.

Considering the comments made in the mentioned article it is quite fun looking at NSA's carrers page. Especially the Computer Science section. The job description available to Computer/Electrical Engineers is also quite amusing.

at http://www.nsa.gov/programs/employ/index.html you also get the sidebar with job descriptions in Cryptoanalysis (code breaking), Foreign Languages, etc.

Considering the comments made in the mentioned article it is quite fun looking at NSA's carrers page. Especially the Computer Science section. The job description available to Computer/Electrical Engineers is also quite amusing.

at http://www.nsa.gov/programs/employ/index.html you also get the sidebar with job descriptions in Cryptoanalysis (code breaking), Foreign Languages, etc.

NSA employs the country's premier codemakers and codebreakers. It is said to be the largest employer of mathematicians in the United States and perhaps the world.

How many people work for the NSA/CSS and what is its budget?

Neither the number of employees nor the size of the Agency's budget can be publicly disclosed. However, if the NSA/CSS were considered a corporation in terms of dollars spent, floor space occupied, and personnel employed, it would rank in the top 10 percent of the Fortune 500 companies. It is far from true that NSA/CSS has an unlimited "black" budget, unknown by other government entities. While the budget and size of the NSA/CSS are classified, these details are known by the Office of Management and Budget, by both the Senate Select Committee on Intelligence (SSCI) and the House Permanent Select Committee on Intelligence (HPSCI), and by the Defense Subcommittees of the Appropriations Committees in both houses of Congress. Resources allocated to NSA/CSS are subject to rigorous examination and approval processes.

In 1997, the aggregate figure for all U.S. Government intelligence and intelligence-related activities ? of which NSA/CSS was one segment ? was made public for the first time. The aggregate intelligence budget was $26.6 billion in fiscal year (FY) 1997 and $26.7 billion for FY98. The intelligence budget for FY99 has not been publicly released.

NSA employs the country's premier codemakers and codebreakers. It is said to be the largest employer of mathematicians in the United States and perhaps the world.

How many people work for the NSA/CSS and what is its budget?

Neither the number of employees nor the size of the Agency's budget can be publicly disclosed. However, if the NSA/CSS were considered a corporation in terms of dollars spent, floor space occupied, and personnel employed, it would rank in the top 10 percent of the Fortune 500 companies. It is far from true that NSA/CSS has an unlimited "black" budget, unknown by other government entities. While the budget and size of the NSA/CSS are classified, these details are known by the Office of Management and Budget, by both the Senate Select Committee on Intelligence (SSCI) and the House Permanent Select Committee on Intelligence (HPSCI), and by the Defense Subcommittees of the Appropriations Committees in both houses of Congress. Resources allocated to NSA/CSS are subject to rigorous examination and approval processes.

In 1997, the aggregate figure for all U.S. Government intelligence and intelligence-related activities ? of which NSA/CSS was one segment ? was made public for the first time. The aggregate intelligence budget was $26.6 billion in fiscal year (FY) 1997 and $26.7 billion for FY98. The intelligence budget for FY99 has not been publicly released.