Issue 48
June 2001
BYTES IN BRIEF® by
Editors: Sharon D. Nelson, Esq. and John W. Simek
Associate Editor: Amelia C. Hierholzer
Editor Emeritus: G.V. Nelson
9500+ subscribers worldwide
© 2001 Sensei Enterprises, Inc./Nelson & Wolfe.
All rights reserved. This newsletter may not be reproduced
or redistributed in any manner except with consent
of the copyright owner. Distributed by Silver Law Inc.
under license.
FBI HACKS RUSSIAN SERVERS: IS IT LEGAL???
Two alleged network hackers, Russians Alexey Ivanov and Vasiliy Gorshkov,
were indicted in April in the U.S. District
Court for the Western District of Washington
for conspiracy, wire fraud, and violations
of the Computer Crime and Abuse Act. They
allegedly broke into the networks of several
corporations, lifted credit card information
and then offered their consulting services
to the companies to fix the security flaws
they had exploited. Victimized were Speakeasy.net,
CTS and the U.S. subsidiary of South Korea's
Nara Bank. Controversy has been swirling
around the manner in which the FBI caught
the Russians, by creating a sting operation
in which the Russians were invited to the
state of Washington on the pretext of being
offered computer security jobs. Their activities
were then monitored, and after surveillance
of their connection to two servers in Russia,
the FBI used their passwords to download
incriminating evidence from those servers.
Legal experts are concerned that this will
set a precedent allowing U.S. law enforcement
authorities free rein to hack into foreign
computers and, conversely, that other countries
will use this legal justification to break
into U.S. computers to aid their own
investigations. U.S. authorities had asked
their Russian counterparts to assist in
gathering the information from the servers,
but received no help. This is the first
acknowledged hacking by U.S. authorities
of foreign servers. Further information
may be found at http://news.cnet.com/news/0-1003-200-5785729.html
FORGET THE HACKERS, IT'S THE DEVIL YOU KNOW!
It's the devil you know that is the weak link in network security
according to a survey published on May
1st by the computer consulting firm @Stake.
The company, best known for locating bugs
in operating systems and network software,
surveyed the most common means by which
network security is breached. Employees
still leave their passwords on sticky notes,
fail to change passwords from the default,
and incorrectly configure hardware. Other
security no-nos: they encrypt data but
leave it on their machines in unencrypted
form, lock it with a blank password, and
fail to change system passwords during
updates. They connect servers directly
to the Net, bypassing firewalls, fail to
apply patches to software, and carry proprietary
data around on laptops that they proceed
to lose. The conclusion is that many companies
shoot themselves in the foot by spending
vast sums on sophisticated security measures
when they fail to enforce the elementary
ones. Further information may be found
at http://www.@stake.com/events_news/press_releases/index.html?europe/050101
LUCENT SCIENTISTS CHARGED WITH STEALING SECRETS FOR CHINA
On May 1st, two Chinese nationals and a U.S. citizen were charged
in a New Jersey federal court with stealing
trade secrets from Lucent Technologies,
Inc. in order to pass them to a state-owned
Chinese company, Datang Telecom Technology.
Lin Hai and Xu Kai are scientists who held
high-level positions at Lucent and Chang
Yong-Qing is the Vice President of Village
Networks, an optical network vendor. Together,
the three are charged with pirating Lucent's
PathStar technology, which enables the
transmission of voice communication over
the Net including call waiting, speed dialing,
and other advanced telephone features.
They were each charged with one count of
conspiring to commit wire fraud and face
a maximum of five years in prison and a
$250,000 fine if convicted. They may also
be charged under the Economic Espionage
Act, which makes it a federal crime to
steal or use stolen trade secrets. If so,
they could face up to 15 years in prison
and fines of up to $500,000. Further information
may be found at http://news.cnet.com/news/0-1004-200-5853037.html?tag=mainstry
EBAY BANS NAZI AND HATE ITEM AUCTIONS
eBay announced on May 3rd that it would ban the auction of items
connected to Nazi Germany, hate groups
and murderers. The ban comes on the heels
of a similar ban by rival Yahoo, which
had settled a court battle over the auction
of Nazi items. eBay already had an
offensive item policy in place, but allowed
the auction of some items if they were
at least 50 years old. Over 4000 of the
items listed on eBay as of May 3rd were
removed by the policy on its effective
date, May 17th. Included in the new ban
are items associated with people who have
committed murder within the last 100 years.
eBay's new listing policy may be found
at http://pages.ebay.com/help/community/png-offensive.html
COUNCIL OF EUROPE REVISES CYBERCRIME TREATY
On May 25th, the Council of Europe released the latest version of
its Draft Convention on Cybercrime, entitled
"Version No. 27 Revised." It immediately
met a hailstorm of criticism from privacy
advocates who say it lacks sufficient assurances
of privacy protection. The Draft will be
submitted to the European Committee on
Crime Problems on June 18th and could be
ratified by member states by the end of
2001. The 113-page treaty would set legal
rules and guidelines for such things as
obtaining information from Internet Service
Providers, tapping and collecting Net traffic
and content data, the extradition of
cybercriminals and international collaboration
among law enforcement authorities. Any
state which ratifies the treaty must amend
its national laws to conform to the treaty.
The final draft treaty may be found at
http://conventions.coe.int/treaty/EN/cadreprojets.htm
MICROSOFT SAYS "FREE SOFTWARE" MODEL POSES A THREAT
Microsoft surprised absolutely no one on May 3rd when it declared
its opposition to Linux and other software
which bare their instruction codes to full
view, saying that the "free software" movement
poses a threat to commercial software and
corporate proprietary property. In contrast,
Craig Mundie, a senior president at Microsoft,
praised the careful "shared source" partnering
approach utilized by Microsoft. According
to Mundie, open-source programming increases
security risks, produces software instability,
and breaks up common industry design standards
which could push corporate proprietary
intellectual property into the public domain.
Mundie particularly attacked the General
Public License (GPL), the basic agreement
under which open-source software is distributed.
He likened the GPL to failed dot-com models,
saying that the GPL makes software developers
give away their coding, the thing that
has the greatest value, hoping they'll
make money elsewhere. He described Microsoft's
Shared Source strategy as "a balanced approach
that allows us to share source code with
customers and partners while maintaining
the intellectual property needed to support
a strong software business." Further information
may be found at http://www.techweb.com/wire/story/reuters/REU20010503S0006
MICROSOFT REWARDS "NAKED PC" INFORMANTS
Microsoft, seeming to relish being under fire in May, took more heat
for a program that offers prizes to those
who build computer systems if they report
customers ordering PCs without a pre-installed
operating system. The program was announced
via an e-mail explaining that the program
is meant to ensure compliance with software
licensing agreements. According to Microsoft,
some firms believe that because they have
enrolled in a Microsoft volume licensing
program, operating systems for new PCs
are automatically enrolled when they are
not. Microsoft therefore asks system builders
to turn over suspect bids. If they are
found to involve a site license violation,
informants earn one point for each PC listed
on the bid. Points can be redeemed for
prizes. 250 points earns five Microsoft
games, 500 earns a Fossil watch, and 1,000
earns a Fast Cook & Grill Combo and
Travel Chair. Microsoft critics are concerned
that the program will be utilized to find
or intimidate those who might order machines
without operating systems in order to install
operating systems such as Linux. Further
information may be found at http://www.zdnet.com/zdnn/stories/news/0,4586,2714441,00.html
NIPC ISSUES DDOS WARNING
On May 7th, the FBI's National Infrastructure
Protection Center warned that companies
should be extra vigilant in monitoring
for evidence of distributed denial of service
attacks. The NIPC said it had information
indicating ongoing attempts to disrupt
the operation of web sites, including that
of the White House. The latest attacks
identified by the NIPC have used data fragmented
into large UDP (User Datagram Protocol)
packets for transmission, directed at the
commonly used port 80, the default port
for web access. This method bypasses standard
port protocol blocking techniques. Network
administrators are advised to inspect firewall
logs for fragmented UDP packets
directed at port 80, which may mean that an attack
is taking place. Outgoing UDP packets
indicate a high likelihood that the network
has already been compromised. A special
utility to detect DDOS software is available
from the NIPC. Further information may
be found at
http://www.nipc.gov/warnings/advisories/2001/01-012.htm
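The log check the NIPC recommends can be scripted. The following is an added example, not code from the NIPC or from this newsletter: it assumes key=value log lines modelled on Linux netfilter LOG output, an internal address prefix of 192.0.2., and that "outgoing" means the same fragmented UDP/80 traffic leaving the network. Only the first fragment of a datagram carries the UDP header, so later fragments are tied back to port 80 through the source, destination and IP ID they share with it.

```python
import re
from collections import defaultdict

INTERNAL_PREFIX = "192.0.2."  # assumption: address prefix of the protected network

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
May  7 10:01:02 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=1500 ID=4321 MF PROTO=UDP SPT=1042 DPT=80 LEN=4000
May  7 10:01:02 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=1500 ID=4321 MF FRAG:185 PROTO=UDP
May  7 10:01:02 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=1060 ID=4321 FRAG:370 PROTO=UDP
May  7 10:01:05 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=203.0.113.53 LEN=60 ID=17 PROTO=UDP SPT=1030 DPT=53 LEN=40
May  7 10:01:07 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 LEN=48 ID=88 DF PROTO=TCP SPT=3301 DPT=80
May  7 10:01:09 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.33 DST=203.0.113.99 LEN=1500 ID=777 MF PROTO=UDP SPT=1999 DPT=80 LEN=2000
May  7 10:01:09 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.33 DST=203.0.113.99 LEN=540 ID=777 FRAG:185 PROTO=UDP
May  7 10:01:11 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.40 DST=192.0.2.12 LEN=1500 ID=900 MF PROTO=UDP SPT=800 DPT=2049 LEN=2500
May  7 10:01:11 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.40 DST=192.0.2.12 LEN=1040 ID=900 FRAG:185 PROTO=UDP
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Return the fields of one UDP log line, or None for anything else."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # first LEN= is the IP length; keep it
    if fields.get("PROTO") != "UDP":
        return None
    if not all(k in fields for k in ("SRC", "DST", "ID")):
        return None
    frag = re.search(r"\bFRAG:(\d+)", line)
    offset = int(frag.group(1)) if frag else 0
    # A packet is a fragment if More Fragments is set or its offset is non-zero.
    fields["fragmented"] = "MF" in line.split() or offset > 0
    return fields


def find_udp80_fragments(log_text):
    """Count fragments of UDP datagrams aimed at port 80, per flow and direction."""
    packets = [p for p in map(parse, log_text.splitlines()) if p]
    # Pass 1: datagrams whose first fragment shows DPT=80, keyed by (src, dst, IP ID).
    to_port_80 = {(p["SRC"], p["DST"], p["ID"])
                  for p in packets if p.get("DPT") == "80"}
    # Pass 2: count every fragment of those datagrams, including port-less ones.
    hits = defaultdict(int)
    for p in packets:
        if p["fragmented"] and (p["SRC"], p["DST"], p["ID"]) in to_port_80:
            inside = p["SRC"].startswith(INTERNAL_PREFIX)
            hits[("outbound" if inside else "inbound", p["SRC"], p["DST"])] += 1
    return dict(hits)


def report(hits):
    """Format the findings with the reading the advisory gives each direction."""
    meaning = {"inbound": "possible attack in progress",
               "outbound": "internal host may be compromised"}
    return [f"{d}: {src} -> {dst} fragments={n} ({meaning[d]})"
            for (d, src, dst), n in sorted(hits.items())]


if __name__ == "__main__":
    print("\n".join(report(find_udp80_fragments(SAMPLE_LOG))))
```

Fragmented UDP to other ports (the port 2049 lines in the sample) and ordinary TCP traffic to port 80 are left out of the result.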
MICROSOFT WARNS OF WINDOWS 2000 FLAW
Microsoft warned its customers on May 2nd that an "extremely serious"
flaw in Windows 2000 could allow a hacker
to gain control over any system running
the Internet Information Services (IIS)
5.0 software that ships with the operating
system. Microsoft has released a patch
and stresses that it is critical that the
patch be applied, because a hacker would
have full access to an exploited system.
Hackers have already posted a program exploiting
the flaw on the Internet. The flaw affects
users who have Internet Information Server
5.0 running with Internet printing turned
on, which is the default configuration.
A hacker sending a string to the server
can cause a buffer overflow that allows
the hacker to run any program they want
on the server. The pertinent Microsoft
security bulletin and patch may be found
at http://www.microsoft.com/technet/security/bulletin/ms01-023.asp
E-GOVERNMENT ACT INTRODUCED
Senators Joseph Lieberman and Conrad Burns introduced the E-Government
Act on May 2nd, in an attempt to make it
easier for citizens to access federal information
and services via the Internet. The bill
would create a federal chief information
officer and would allocate $225 million
each year to improve online government
services. The federal CIO's office would
be within the Office of Management and
Budget. The bill would provide funds specifically
for the improvement of the federal portal,
www.firstgov.gov, and would create an online
directory of federal websites and resource
indexes. The text of the bill may
be found at http://lieberman.senate.gov/newsite/egov.pdf
COURT HEARS DVD APPEAL
The Second Circuit Court of Appeals heard
the appeal in the DVD movie encryption
case on May 1st. The court battle began
in January of 2000, when the Motion Picture
Association of America sued The Hacker
Quarterly 2600 for publishing and linking
to the DeCSS code, a program that strips
encryption from DVD movies. Though 2600
argued that the program is a legitimate
tool, created to allow Linux users to watch
legally purchased movies on their computers,
the MPAA asserted that DeCSS is a pirating
tool that facilitated the illegal copying
of movies. New York Federal District Judge
Lewis Kaplan found for the MPAA, forbidding
2600 from publishing or linking to the
DeCSS code. 2600 argues that the injunction
is analogous to banning blueprints of photocopiers
because they might lead to copyright infringement,
and defended DeCSS as a tool with legitimate
uses covered under fair-use clauses of
copyright law. Further information may
be found at http://www.2600.com/news/display.shtml?id=378
and the pleadings in the case may be found
at http://www.2600.com/dvd/docs/
COURT WILL DECIDE E-BOOK CASE
We used to know the meaning of the word "book." It referred to printed
material – period. For many years, authors
signed publishing contracts which assumed
books were in print. But newly created
e-books have given rise to a case in a
New York federal court in which Random
House is seeking a preliminary injunction
against e-book publisher RosettaBooks.
Rosetta had signed contracts with some
of the world's most famous authors, including
Kurt Vonnegut, William Styron and Robert
Park, to publish electronic versions of
their books, despite their contracts with
Random House. Random House filed suit on
February 27th arguing that the contractual
language which grants them the exclusive
right to "print, publish and sell in book
form" an author's work gives them exclusive
ownership of all e-book rights. The most
recent volley came in a reply brief
filed by Random House on April 30th, in
which it ridicules the notion that publishing
a book electronically makes it "something
other than a book." Further information
and pleadings in the case may be found
at http://www.rosettabooks.com/pages/legal.html
DEBATING THE COST OF PRIVACY LAWS
A new study, commissioned by the Association for Competitive Technology
(ACT) says that web businesses might have
to spend $100,000 each to comply with privacy
laws pending in Congress. Privacy law proponents
say the study is flawed because it assumes
that most web sites have taken little or
no action to protect consumer privacy.
The study gauges the cost of constructing
web sites which allow consumers access
to information about themselves as well
as the cost of building tracking databases
that would give evidence of compliance
in the event of private lawsuits or government
enforcement actions. The study collected
estimates from more than a dozen software
consulting firms. Using the Federal Trade
Commission premise that approximately 3.6
million web sites collect personally identifiable
information, the study concludes that,
if even a reasonable portion of the sites
try to comply, the cost may be as high
as $36 billion. The study itself may be
found at
http://www.actonline.org/pubs/HahnStudy.pdf
JUNO SETTLES WITH FTC OVER DECEPTIVE AD CHARGES
The Federal Trade Commission announced on May 15th that it had reached
a consent agreement with Juno Online Services,
Inc. with respect to charges that its ads
for "free" and fee-based dial-up Internet
access services were deceptive. The FTC
said that Juno engaged in deceptive practices
that made it unreasonably difficult for
consumers to cancel their "free" trial
periods, causing them to be billed for
services they no longer wanted. Customers
were kept on hold for long periods, and
cancellations were allowed only through
one unpublished phone number, according
to the FTC. The FTC also alleged that Juno
failed to adequately disclose that some
subscribers to its services would incur
long distance charges while connecting
to the Internet. Juno has agreed to stop
misrepresenting the cost of its Internet
services, to clearly and conspicuously
disclose the cancellation terms for these
services, to provide adequate customer
support to handle consumer requests for
cancellation, and to make prominent disclosure
of long distance telephone charges that
some consumers may incur while using its
Internet services. The proposed settlement
also calls for Juno to reimburse certain
former customers for long distance charges.
Further information may be found at http://www.ftc.gov/opa/2001/05/juno.htm
GATEWAY SETTLES WITH FTC OVER "FREE" INTERNET SERVICE ADS
The Federal Trade Commission announced on May 15th that Gateway,
Inc., one of the country's largest PC manufacturers,
has agreed to settle its charges that the
company misrepresented the cost of its
"Gateway.net" Internet access service.
According to the FTC, so-called "free"
or flat-fee services offered by Gateway
actually resulted in significant additional
charges to many consumers - a fact inadequately
disclosed by the company, which hid the
fees in fine print. The settlement order
requires Gateway to refund all charges
for the so-called "toll free" numbers paid
by customers who registered on the local
access plan between January and April 1999,
before consumers were adequately warned
of the fee ($3.95 per hour) for "toll-free"
calling. Further information may be found
at
http://www.ftc.gov/opa/2001/05/gateway.htm
LIBRARIES AND U.S. DELAY FILTERING DECISION
The American Library Association and the American Civil Liberties
Union are in the midst of a federal suit
in Pennsylvania which seeks to overturn
the Children's Internet Protection Act
on the grounds that it unconstitutionally
restricts protected speech. The law mandates
that all libraries that receive federal
funds must demonstrate that they are taking
steps to comply with the law by October
28, 2001, and must have filters installed
by July 1, 2002. The ACLU and the ALA had
intended to file a preliminary injunction
seeking clarification, concerned that libraries
would have to make a decision by July 1,
2001, the date when libraries must begin
applying for next year's funding, whether
to install the filters or give up funding
for the coming year. A clarification letter,
issued by the Justice Department after
discussions between the parties, said that
libraries do not need to make a decision
in order to keep their funding for this
year. Further information may be found
at http://www.ala.org/cipa/may16letter.html
NET PORN ACCESS IN LIBRARIES: A HOSTILE ENVIRONMENT???
In an interesting new spin on the library Internet filtering battle,
the Equal Employment Opportunity Commission
has issued a preliminary finding that library
users may be creating a hostile environment
for library employees by downloading pornography.
The ruling was issued after 12 public librarians
in Minneapolis filed a complaint saying
that visitors were downloading pornography,
including images of bestiality and child
molestation, leaving it for librarians
and other patrons to see, creating a sexually
hostile work environment. The ruling has
no impact on libraries at large, but it
does allow the librarians to pursue legal
action against the Minnesota Public Library.
The EEOC is encouraging settlement discussions.
Further information may be found at http://www.zdnet.com/zdnn/stories/news/0,4586,5083622,00.html
FIRM MUST PAY LEGAL FEES IN CHAT ROOM CASE
On May 17th, a federal District Court in California ordered Global
Telemedia International (GTMI) to pay more
than $55,000 in attorney's fees to defendants
who had been sued for anonymously posting
messages critical of GTMI in an Internet
chat room. GTMI said the postings constituted
trade libel and interfered with contractual
relations. The case was dismissed on February
23rd on defendants' motion, the judge finding
that the writings contained only opinions
and were protected under the First Amendment.
The attorney's fees were awarded under
the provisions of a California law protecting
individuals against retaliatory lawsuits
by corporations which believe they have
been disparaged. In California, such suits
are called "Strategic Litigation Against
Public Participation" or SLAPP lawsuits.
This is thought to be the first time a
court has applied the mandatory attorney
fee provision in the anti-SLAPP law to
a defamation case involving Internet postings.
15 other states have similar laws and this
case is expected to have impact in those
states. The decision granting the dismissal
of the case may be found at http://www.cacd.uscourts.gov/CACD/RecentPubOp.nsf/bb61c530eab0911c882567cf005ac6f9/f7212ed54f47e7c588256a0d005e4715?OpenDocument
COMMERCE DEPARTMENT SIGNS OFF ON VERISIGN DEAL
On May 18th, the Commerce Department approved a deal allowing the
Internet addressing company VeriSign Inc.
to retain control of the lucrative ".com"
Web domain. In return, VeriSign will give
up control of the ".org" domain and allow
rights to the ".net" domain to be open
to competitive bidding. VeriSign maintains
control over the .com domain, which accounts
for roughly three quarters of all Internet
addresses, through 2007 and can renew its
control at that point. Rights to the .org
domain will be given to a nonprofit organization
in 2002. Competitive bidding for the .net
domain will be moved up to June 2005. Further
information may be found at http://www2.osec.doc.gov/public.nsf/docs/icann-verisign-0518
SUPREME COURT WILL HEAR CHILD PORN LAW CASE
The Supreme Court announced on May 21st that it would review a case
involving the Child Online Protection Act
(COPA) which would have prohibited commercial
sites from selling sexually explicit materials
to minors. The Act never became effective,
having been overturned in 2000 by the Third
Circuit after the American Civil Liberties
Union and others argued that the law violated
the First Amendment. The appellate court
said the law would have forced web sites
to adhere to the moral standards of the
strictest communities, and would impact
sites involving art, health, and sexual
advice columns, among others. The Justice
Department appealed the decision to the
Supreme Court. The appellate court ruling
in ACLU v. Reno may be found at http://www.ca3.uscourts.gov/
in the opinion archives.
SOFTWARE PIRACY TALLIES $11.8 BILLION GLOBALLY
On May 21st, the Business Software Alliance released the results
of its annual survey on software piracy
worldwide, concluding that losses were
nearly $11.8 billion in 2000. The BSA represents
most of the major software development
companies and had contracted for an independent
study to be conducted by International
Planning and Research Corp. The survey
found that one third of all business software
applications are pirated. This was the
first year in which the survey found that
the world piracy rate did not decline.
The majority of revenue losses, as always,
occurred in North America, Asia and Western
Europe. The 10 countries with the highest
piracy rate are Vietnam, China, Indonesia,
Ukraine, Russia, Lebanon, Pakistan, Bolivia,
Qatar, and Bahrain. The region with the
highest piracy rate continues to be Western
Europe, with a piracy rate of 63%. The
North American region again had the lowest
piracy rate at 25%, though it had the third
highest piracy losses, totaling $2.9 billion.
The BSA study may be found at
http://www.bsa.org/resources/2001-05-21.55.pdf
AIMSTER SUED BY AOL TIME WARNER AND RECORD LABELS
On May 24th, major music companies and several divisions of AOL Time
Warner Inc. filed copyright infringement
suits against file-sharing service Aimster.
Both of the suits were filed in a Manhattan
federal court, with one being lodged on
behalf of several major record labels such
as Vivendi Universal's Universal Music,
Sony Music, EMI Group PLC, and Bertelsmann
AG's BMG. The second suit against Aimster
was filed on behalf of several divisions
of AOL Time Warner, including Warner Music,
New Line Cinema, and Atlantic Records.
Aimster is an application similar to Napster
that piggybacks on an instant messaging
service run by AOL. Further information
may be found at http://www.zdnet.com/intweek/stories/news/0,4164,2765330,00.html