NEW MASS MAILER WORMS TARGET SCO/MICROSOFT

On January 26th, a new mass mailer worm spread quickly across the Internet, designed to compromise computers so they will attack the SCO Group’s Web server with a denial of service (DoS) attack on February 1, 2004. The virus, known as MyDoom, Novarg and as a variant of the Mimail worm by different antivirus companies, arrives in an in-box with one of several different subject lines, such as "Mail Delivery System," "Report," "Test," "Hi," or "Mail Transaction Failed." The body of the e-mail contains an executable file and a statement such as: "The message contains Unicode characters and has been sent as a binary attachment." Network Associates' antivirus emergency response team has classified this a high-risk virus. In one hour, Network Associates itself received 19,500 e-mails bearing the worm from 3,400 unique Internet addresses. The MyDoom worm has already surpassed the "SoBig" worm as the largest mass mailer in history. The SCO Group is probably the target of the attack because it has incurred the anger of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims. SCO has offered a reward of $250,000 for information leading to the arrest and conviction of the individual or individuals responsible for creating the MyDoom virus. By January 29th, a new version of the worm was attacking Microsoft’s web site and preventing infected machines from downloading security software. Symantec’s description of the worm, as well as removal instructions, may be found at http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html. Further information from the SCO Group may be found at http:www.sco.com

On January 20th, the SCO Group filed suit against Novell for allegedly infringing SCO's rights covering the Unix and UnixWare operating systems. Novell said it would assume the legal risks for customers of its Linux version, indemnifying new users of the SUSE Linux software who have signed support agreements. The suit was filed in Utah’s Third District Court in Salt Lake City and seeks an order that would require Novell to assign to SCO all Unix-related copyrights and to withdraw any statements claiming ownership of Unix. The complaint in SCO v. Novell may be found at http://i.i.com.com/cnwk.1d/pdf/ne/2004/complaint012004.pdf

Though WhenU.com has chalked up two earlier victories, New York District Judge Deborah A. Batts handed it a defeat on December 22nd, enjoining WhenU from popping up a competitor’s ads over plaintiff 1-800 Contacts' website. The judge ruled that users might be confused about the origin of the pop-up ads, which advertised co-defendant Vision Direct, a competitor of 1-800 Contacts. Avi Naidern, CEO of WhenU, said he was confident that the ruling would be overturned on appeal. Judge Batts granted the injunction based on trademark infringement, finding that there was indeed a likelihood of confusion, even though there was a disclaimer on the pop-up ads saying that they were from WhenU rather than the underlying site. The decision in 1-800 Contacts, Inc. v. WhenU.com and Vision Direct, Inc. may be found at http://www.nysd.uscourts.gov/courtweb/pdf/D02NYSC/03-10121.PDF

On January 16th, Chicago federal Judge James Zagel said that he saw no reason to overturn an August jury verdict that held that Microsoft's Internet Explorer Web browsing software had infringed on patent rights held jointly by small developer Eolas Technologies and the University of California. The $521 million patent verdict includes a prohibition barring Microsoft from distributing versions of its Web software that include the potentially infringing technology. However, Judge Zagel put that injunction on hold until an appeal has run its course. Microsoft said it would appeal immediately. The Eolas patent covers technology used to call up separate applications, such as a media player or document viewer, within a Web page. The U.S. Patent and Trademark Office has opened a rare hearing to investigate the validity of the patent, looking for prior art that may invalidate the patent. The decision in Eolas v. Microsoft may be found at http://www.eolas.com/Zagel-final-judgement-99c0626.pdf

On January 12th, Lindows announced that the San Francisco Superior Court had ruled that it could no longer use its MsfreePC.com site to provide instant Microsoft rebates as part of Microsoft’s $1.1 billion settlement with California. Lindows had set up the site to let consumers automatically qualify and apply for rebates Microsoft offered to settle state consumers’ four-year-old class action suit on July 19, 2003. On the Lindows site, consumers could use an "Instant Settlement Wizard," and if they qualified, immediately use the pending rebate to instantly purchase a Windows-compatible Office suite, LindowsCD, Lindows OS 4.0 or a library of Linux software. Lindows contributed 10 percent of each rebate to open source projects such as Mozilla and OpenOffice. Judge Paul Alvarado ruled that claims against Microsoft collected by Lindows.com are not valid. The judge noted that there is an official Web site with consumer information and forms, but users must print out the forms and file them through the mail. Claim forms are due by March 14, 2004. Further information may be found at http://www.lindows.com/lindows_news_pressreleases_archives.php?id=95

On January 14th, the 9th Circuit Court of Appeals in San Francisco found that Playboy Enterprises could pursue charges that Excite and Netscape Communications violated its trademark by selling banner advertisements triggered by the terms "playboy" and "playmate." The ruling reverses a district court decision that dismissed the suit without a trial in 2000. Playboy "clearly holds the marks in question, and defendants used the marks in commerce without (its) permission," a split three-judge panel wrote in its majority decision. "Some consumers, initially seeking Playboy's sites, may initially believe that unlabeled banner advertisements are links to Playboy's sites..." The decision in Playboy Enterprises v. Netscape Communications and Excite may be found at http://caselaw.lp.findlaw.com/data2/circs/9th/0056648p.pdf. On January 23, America Online, which owns Netscape, said that the two parties had reached an agreement. Terms of the settlement were not disclosed.

On January 5th, the Federal Communications Commission (FCC) said that it had fined Fax.com nearly $5.4 million for sending unsolicited advertisements via facsimile machines, the largest fine ever imposed for such a violation. The FCC said that on 489 occasions the California-based company, which faxes messages for clients for a fee, violated the law and regulations that prohibit companies from sending junk faxes. Fax.com had told the commission that the ban on junk faxes was unconstitutional and that the fine, proposed in August 2002, was excessive. The agency fined the company $11,000 per incident. The FCC ordered Fax.com to file a report within 30 days informing regulators whether it has complied with the law and regulations barring junk faxes. Further information may be found at http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-242654A1.doc

In a recent study published by security firm TruSecure, 45% of the executable files downloaded via Kazaa, the most popular file-sharing program, contained malicious code like viruses and Trojan horses. Some code was designed to infect every file in a computer user's Kazaa download directory with a virus. Other code would steal users' AOL Instant Messenger password or install a program on their computer to allow the attacker to surreptitiously send spam through it or otherwise take over the machine remotely to steal personal data and files on the computer. The infected files apparently got there in one of three ways: The person hosting the shared file embedded the malicious code in a file on purpose; the code was a peer-to-peer worm designed to search the network and drop itself into download directories; or, in the case of some viruses, once the user downloaded an infected file, the code automatically infected other files in the user's file-share directory so that the user inadvertently infected the computers of other users who downloaded those files. A lot of the malicious code was embedded in program files designed to bypass copyright protections placed on software files like Microsoft Office to allow users to share pirated copies of the software. Non-executable files cannot automatically infect a system because users need to open them through another program. A very high percentage of malicious code can be detected with antivirus software, but many people do not have updated virus definitions. Further information may be found at http://www.wired.com/news/print/0,1294,61852,00.html

On December 22nd, Symantec Corp., well known for its antivirus and security software, announced that a court had granted it a $3 million judgment against Baltimore-based Maryland Internet Marketing for selling counterfeit Symantec software. Symantec said that Maryland Internet Marketing was the largest source of spam e-mails in the U.S. selling counterfeit Symantec software. The court permanently barred Maryland Internet Marketing and its CEO from producing or selling unauthorized Symantec products. Internet Marketing’s CEO, George Moore, was ordered to personally pay $300,000 in damages to Symantec. The injunction also prohibits the defendants from using unsolicited e-mail as a means to sell Symantec products. Furthermore, CEO Moore is required under the settlement to provide assistance to Symantec in its investigative actions against other suppliers of counterfeit Symantec software. Further information may be found at http://www.symantec.com/press/2003/n031222.html

On December 23rd, the 8th Circuit Court of Appeals overturned a defrocked Roman Catholic priest's federal conviction of possessing child pornography and his prison sentence of nearly five years, ruling that investigators illegally seized key evidence against him. The ruling does not affect the 12-year state prison sentence imposed in September on James Beine, also known as Mar James, for exposing himself to three boys while working as an elementary school counselor. The 8th Circuit ruled that investigators lacked a warrant needed to seize 10 compact discs, later found to contain child pornography, from Beine's friend Michael Laschober. Laschober gave investigators a sealed, brown envelope addressed to Mar James, saying he believed the enclosed discs entrusted to him by Beine contained church and financial records. Laschober authorized investigators to open the envelope and take the discs with them, signing a modified consent form, but authorities never sought a warrant to search or seize the discs. The 8th Circuit ruled that Beine did not give Laschober permission to exercise control of the discs or to consent to their being searched, only to store them for him. Beine was dismissed from the Roman Catholic priesthood in 1977 over allegations of sexual abuse. The decision in U.S. v. Mar James may be found at http://www.ca8.uscourts.gov/opndir/03/12/032506P.pdf

YALE HOLDS CYBERCRIME CONFERENCE/CALLS FOR PAPERS

The Yale Law School’s Information Society Project (ISP) will hold a CyberCrime and Digital Law Enforcement conference on March 26-28, 2004 at Yale Law School. Further information about the conference and registration information may be found at http://islandia.law.yale.edu/isp/digital_cops.htm. The ISP, along with the Yale Journal of Law & Technology (YJoLT) and the International Journal of Communications Law and Policy (IJCLP), have organized a writing competition and call for papers in conjunction with the conference. Special volumes of the Yale Journal of Law & Technology and the International Journal of Communications Law and Policy will be devoted in fall 2004 to the conference's topics. The volumes will include publication of papers by participants in the conference. The authors of the two best papers will be awarded an honorary invitation to present their work at the conference. Further information about the call for papers may be found at http://islandia.law.yale.edu/isp/digital%20cops/call_for_papers%20cybercrime.pdf

On December 24th, Judge Claude Hilton of the U.S. District Court for the Eastern District of Virginia dismissed a lawsuit brought by America Online (AOL) against a group of Florida computer technicians that it charged with assisting in delivering spam. Hilton ruled that Virginia courts do not have jurisdiction over the Florida defendants even though AOL does business in Virginia and spam was directed there. AOL said the decision would allow it to resubmit its suit in Virginia with additional information or file suit in Florida. Further information may be found at http://www.reuters.com/newsArticle.jhtml;?storyID=4059848

On January 8th, 22-year-old Adriam Lamo pleaded guilty to hacking into the New York Times Company computer network. California resident Lamo turned himself in to federal authorities in September. He pleaded guilty to one count of computer damage causing more than $5,000 in losses. Under the plea agreement, he agreed to serve between 6 months and one year in prison. His sentencing hearing is scheduled for April 8th. According to authorities, he has also admitted to breaking into the networks of such major companies as Microsoft, Cingular Wireless and Yahoo. Further information may be found at http://www.informationweek.com/story/showArticle.jhtml?articleID=17300125

On January 21st, the Recording Industry of American (RIAA) filed another 532 suits against file-swappers whose identity is currently unknown. The "John Doe" suits will be followed by subpoenas to the swappers’ Internet Service Providers to learn their identities. Studies have disputed whether file swapping has grown or diminished since the suits began, but the RIAA says it will persist in its enforcement policies. The RIAA says that, before it began its legal actions, only 35 percent of the population understood that trading copyrighted music online was illegal. Currently, it says that more than 60 percent understand that such actions are illegal. The subscribers will be given a chance to settle before their names are officially added to the suits, according to the RIAA. However, the settlement amount may be higher because the new legal process has raised legal costs. Further information may be found at http://www.riaa.com/news/newsletter/012104.asp

On July 12th, Troy K. Javaher and Frank M. Weyer, operating under the newly formed company Nizza Group, filed a patent infringement lawsuit in U.S. District Court in California against domain name registrars Network Solutions and Register.com. The suit accuses them of selling rights to Web URLs and e-mail addresses that infringe on a patent that was granted to Javaher and Weyer on Dec. 30, 2003. The patent covers the method of assigning URLs and e-mail addresses of members of a group such that the "@" sign is the dot in the URL. For example, if a group used a so-called third-level URL, www.john.smith.com, the e-mail address would be john@smith.com. In the complaint, Nizza Group claims that the registrars are infringing the patent by selling rights to URLs and e-mail addresses under the .name domain. The .name domain is called a third-level domain, because it uses an extra dot, as in the case of john.smith.name. Even though the database of .name domains is owned and operated by Global Name Registry (GNR), it was not named in the lawsuit. The complaint seeks an undisclosed amount of monetary damages and an injunction against further infringement by the two domain name registrars. Weyer has said he will work with the registrars to license the patent. Further information about the patent may be found at http://www.prweb.com/releases/2004/1/prwebxml97298.php

Adobe systems acknowledged on January 9th that it had quietly added technology to its graphics software at the request of government regulators and international bankers to prevent consumers from making copies of the world's major currencies. The U.S. Federal Reserve and other organizations that worked on the technology said they could not disclose how it works and would not name which other software companies include it in their products, although there has been much discussion of the technology methods on several listservs recently. They cited concerns that counterfeiters would try to defeat it. Rival graphics software by Taiwan-based Ulead Systems also blocks customers from making copies of currency. Experts said the decision by Adobe represents one of the rare occasions when the U.S. technology industry has agreed to include third-party software code into commercial products at the request of government and finance officials. The technology was designed by the Central Bank Counterfeit Deterrence Group, a consortium of 27 central banks in the United States, England, Japan, Canada and across the European Union, where a formal proposal to require all software companies to include similar anti-counterfeit technology already exists. Further information may be found at http://www.eweek.com/print_article/0,3048,a=116050,00.asp

On January 15th, federal officials announced that they had cracked an international child pornography ring with arrests in New Jersey, France, Spain and Belarus. The cases stem from an Internet processor of Web site subscriptions in Minsk, Belarus, which collected fees for memberships to child pornography Web sites that brought in millions of dollars. An executive with a Florida company has pleaded guilty in the case. About two dozen people in New Jersey and 20 others around the nation have been charged with downloading child pornography, including a doctor, a minister and a teacher. The Belarus Company, Regpay Co. Ltd., and Connections USA, of Fort Lauderdale, Fla., were indicted in a money-laundering scheme involving paid memberships to about 50 pornography Web sites. The investigation was part of Operation Falcon, aimed at severing commercial support of child pornography. Further information may be found at http://www.cbsnews.com/stories/2004/01/15/national/main593548.shtml

Wisconsin federal court judge Barbara Crabb rejected an attempt by cookware maker Hy City to proceed with a defamation action against BadBusinessBureau.com, which features thousands of negative reviews from consumers who believe they were ripped off by retailers. The January 8th decision dismissed a defamation lawsuit against the site, which is also known as RipOffReport.com, saying that the site has no offices in Wisconsin and only limited contact with the state, not targeting Wisconsin more than any other state. To avoid frivolous lawsuits, the site’s owner, Ed Magedson, incorporated BadBusinessBureau.com on the Caribbean island nation of St. Kitts and Nevis in the West Indies. In addition to not being bound by Wisconsin law, Magedson said, U.S. federal law says he is not liable for reviews posted by visitors to his site. The site may be found at http://www.badbusinessbureau.com

On January 22nd, the Federal Trade Commission (FTC) released statistics showing that identity theft and fraud cost Americans at least $437 million last year. Identity theft, the practice of running up bills or committing crimes in someone else's name, topped the list of complaints with 215,000 reports, up 33 percent from the previous year. Internet-related fraud accounted for more than half of the remaining complaints. Auction fraud was the most prevalent form of Internet scam, followed by complaints about e-commerce and Internet access services. Consumers lost an average of $1,868 per incident, though that figure was inflated by a few reports of losses of more than $1 million. Half of those who filed reports said they lost less than $228. The actual number of victims is probably much higher, as the FTC only reported on the number of formal complaints filed by consumers. More than 60 percent of those who filed reports did not notify their local police department, according to the FTC. Further information may be found at http://www.ftc.gov/opa/2004/01/top10.htm

The DVD Copy Control Association (DVDCCA) has asked California state courts to dismiss its case against programmer Andrew Bunner. The DVDCCA had sued Bunner and others four years ago, alleging that the act of posting DeCSS code, which can help to decode and copy DVDs, violated its trade secret rights. Bunner's attorneys had sought broad First Amendment free-speech protections for posting software code online, while the DVDCCA had argued that speech rights did not cover trade secrets. An appeals court ruled in favor of Bunner, affording software the highest protection available. However, a state Supreme Court ruling overturned that lower-court ruling late last year, saying software should have some First Amendment protections but that trade secret rights might take precedence. Further information may be found at http://news.com.com/2102-1025_3-5145809.html?tag=st_util_print

On January 26th, FindLaw, a Thomson business, announced it had acquired Glasser LegalWorks, a producer of legal and law practice seminars, events and publications. Glasser LegalWorks will become part of FindLaw. The company's operations and employees, under the direction of Lynn S. Glasser and Stephen A. Glasser, will continue to be based in Little Falls, N.J. The terms of the acquisition were not disclosed. Glasser LegalWorks brings to FindLaw an extensive series of seminars, forums and newsletters covering the latest issues on substantive legal topics, and management of law firms and corporate law departments. Further information may be found at http://company.findlaw.com/pr/2004/012604.glasser.html

Though the Department of Justice (DOJ) is not happy with all the measures Microsoft has taken in response to its antitrust settlement, U.S. District Judge Colleen Kollar-Kotelly said on January 23rd that the 2002 settlement with the government is working and brushed aside concerns from the U.S. Department of Justice that a key provision had failed to live up to expectations, as detailed in an 18 page filing in which the government charged that the Microsoft Communications Protocol Program (MCPP) has fallen short and requires additional work so that that competitors can make their server software work properly with the Windows operating system. In response, Microsoft gave Kollar-Kotelly a list of changes it will implement to make it easier for competitors to license the necessary computer code. So far, only 11 companies have signed licenses for the Windows protocols. The DOJ said most have been for development of niche products that are unlikely to spur broad competition for the Windows desktop. Microsoft, in response to the complaints, has announced improvements to its protocol licensing system, which may be found at http://www.microsoft.com/presspass/press/2004/jan04/01-23mcppPR.asp

The Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) have asked the Federal Communications Commission (FCC) to order companies offering voice over Internet Protocol (VoIP) service to rewire their networks to ensure that law enforcement has the capacity to monitor subscribers’ conversations. Minus such rules, the FBI and DOJ told the FCC in a letter that "criminals, terrorists and spies (could) use VoIP services to avoid lawfully authorized surveillance." The letter was also signed by the Drug Enforcement Administration. Further information may be found at http://news.com.com/2100-7352_3-5137344.html

On January 15th, the Fourth Circuit Court of Appeals ruled that Sun Microsystems could not prevent 356 facts favorable to its suit against Microsoft from being contested, even though they were part of the federal government's successful antitrust case. In a 14-page published opinion, a three-judge panel reversed a 2002 pretrial motion by US District Judge Frederick W. Motz in Baltimore. The decision in In Re: Microsoft Corporation Antitrust Litigation may be found at http://caselaw.findlaw.com/data2/circs/4th/031817p.pdf

On January 3rd, the U.S. Supreme Court reversed an emergency stay involving DeCSS software, which allows people to watch DVDs without technological restrictions such as watching commercials imposed by movie studios. The reversal allows Matthew Pavlovich, who previously won a California Supreme Court decision that determined that the Texas resident could not be forced to stand trial in California, to post the software online. The court said that Pavlovich could not be sued in California because he does not have substantial ties to that state. Further information may be found at http://www.reuters.com/newsArticle.jhtml?type=musicNews&storyID=4152687

On January 23rd, the 2nd Circuit Court of Appeals upheld the Register.com v. Verio decision in which Register.com obtained an injunction blocking Verio ffrom using automated software programs to access Register.com's WHOIS directory and then using the data to market to domain name registrants. The decision focuses on the enforceability of Register.com's terms of use, discussing the applicability of the Specht browsewrap decision (differentiated) and the Ticketmaster terms of use decision (disagreed with). The court concludes that online contracts do not always require a formal acceptance. The decision also touches on ICANN policy and trespass to chattels issues. The decision may be found at http://www.ca2.uscourts.gov

Four computer security experts say in a report released on January 21st that an Internet voting system developed by the Pentagon for U.S. citizens overseas is so vulnerable to attacks that it should be scrapped. The Pentagon is standing by the system, which could get its first test February 3rd in South Carolina's primary election. Essentially, the report concludes that the system could be hacked into in order to change votes or to gather information about users. The report, entitled "A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)," may be found at http://www.servesecurityreport.org/paper.pdf