Privacy Digest
Your daily source for news that can impact people's privacy.


 Thursday, February 27, 2003
 
CNET NEWS.COM - Security flaw found in Windows ME.

Microsoft has issued a software patch for what it calls a critical security flaw in its Windows Millennium Edition operating system, according to the company's Web site.

The security flaw is a "buffer run" vulnerability, which, if exploited, lets an attacker execute software programs on a victim's computer. The flaw could allow attackers to delete files, run software code and modify programs that appear to have originated locally on the victim's PC, according to the warning on Microsoft's Web site.

Microsoft has issued a patch for the flaw that can be downloaded by Windows ME users.

MIT's Technology Review - The Diversity Divide. Further FCC deregulation could result in a dangerous level of media concentration.

The present media environment is being shaped by two seemingly contradictory trends: on the one hand, the digital revolution has lowered the costs of content production and distribution and greatly expanded the range of available channels to deliver it. At the same time, there has been an alarming concentration of the ownership of mainstream commercial media, with a small handful of multinational media conglomerates dominating all sectors of the entertainment industry.

The tension between these two seemingly contradictory trends is coming to a head as the Federal Communications Commission debates lifting longstanding restrictions on media ownership. Under review are rules which prohibit a network from owning stations that broadcast to more than 35 percent of American homes, prevent a media conglomerate from owning two or more broadcast networks, restrict newspapers from owning television stations in the same market, or limit how many television stations the same company can own in any given market. FCC chairman Michael Powell argues that such restrictions have outlived their usefulness, given the diminished place of broadcasting in an era of cable television, videotape, game systems, and the Internet. FCC Commissioner Michael Copps disagrees, warning that lowering restrictions on media ownership will increase media concentration: "There is the potential here to remake our entire media landscape, for better or for worse, for a long time to come." 

TechNews.com part of the Washington Post - An ID With a High IQ. 'Smart Cards' Are in Demand as Concerns About Security Rise, but Privacy Issues Loom

[ ... ]

With security tighter than ever, "smart card" IDs are becoming a first line of defense against terrorists or hackers seeking to penetrate computer networks and office buildings. The cards are hot items with government agencies and corporations -- and their popularity is set to expand significantly.

The government has launched 64 smart-card programs in various agencies. The largest program will give cards to an estimated 15 million transportation workers, many of whom do not work for the government. The contract, expected to be offered by the Transportation Security Administration later this year, is a potential bonanza for smart-card manufacturers competing to supply the cards over the next few years. The TSA expects the cards to improve its ability to document and manage workers who have access to secure areas of the nation's airports, ports, rails, intercity buses and trucks.

[ ... ]

As the cards swiftly proliferate, privacy advocates worry that security badges may be a first step toward national identity cards that contain masses of personal information. The data-storage capability of the cards continues to grow as the industry expands, and governments and companies have found wide uses for the cards.

Prepaid phone cards in Europe are by far the most common use for smart cards, which are widely used by Europeans for public and cellular telephones. Financial services firms, such as banks and American Express, are also big card buyers. These firms issue credit cards embedded with computer chips to customers for added convenience in storing passwords and other data, although analysts say Americans rarely use these services.

Retailers such as Target Corp. are beginning to experiment with smart cards as customer loyalty programs that also track spending habits. Target issues "smart" credit cards to customers who can earn discounts based on the amount of money they spend, although it's still early to measure its success.

[ ... ]

Three smart-card companies, Gemplus SA, SchlumbergerSema and Oberthur Card Systems, have formed an alliance and hired a lobbyist to press their case with the TSA and on Capitol Hill for their cards, which include an embedded computer chip. Rival companies Datatrac Information Services Inc. and Lasercard Technologies Corp. claim the alliance is spreading false information about their smart-card products, which use an "optical card" technology that functions like a mini CD burner. Both groups said they intend to bid on the TSA contract.

The contract "means a lot of money for one of the technologies," said Shalini Chowdary, smart-card analyst at the Frost & Sullivan consulting firm in Santa Fe, N.M. "If you talk to optical-card people, they will claim the optical card is more secure than the [computer chip] card. The [computer chip] card people will tell you theirs is better than the optical card."

[ ... ]

"Our basic concern is that the program could be a bridge to a broader national ID program," Katie Corrigan, legislative counsel at the American Civil Liberties Union, said of the TSA program. "A lot of it depends on how it gets implemented and whether it extends beyond the transportation worker. That's the type of thing where you build a system for one purpose and immediately you see other uses built on top of it."

TechNews.com part of the Washington Post - ACLU Admits Another Privacy Gaffe. Names, E-Mail Addresses of Hundreds Sent Over Internet

Protecting personal information on the digital frontier remains a tough task, even for the most ardent privacy activists.

That's the lesson the American Civil Liberties Union learned this week after sending out an e-mail newsletter that inadvertently contained the names and e-mail addresses of the hundreds of groups and individuals who received it. The gaffe, on Monday afternoon, came just weeks after the group was chided by New York State Attorney General Eliot L. Spitzer for exposing the names, phone numbers and other details of about 91 people who bought merchandise in 2001 from an ACLU site online. The group apologized, paid a $10,000 fine and agreed to implement changes to prevent similar mishaps.

Shane Ham, a policy analyst in the District, said yesterday he was startled to receive the ACLU e-mail this week and see so many names and addresses on it. "This is the kind of thing they're not supposed to do," said Ham, of the Progressive Policy Institute, who has been critical of the ACLU on privacy issues.

[ ... ]

ACLU spokeswoman Emily Whitfield said that Monday's e-mail was sent out to nearly 900 people whose names were gathered over the telephone and on the Web. When ACLU officials realized the mistake, they sent out a recall letter that repeated the error. Whitfield said the information did not come from membership rolls.

"We recognized the mistake immediately and we immediately apologized," said Whitfield, adding that the group intends to use additional safeguards in the future.

[ ... ]

David L. Sobel, general counsel at the Electronic Privacy Information Center in the District, said the ACLU's mistakes, while not as serious as Lilly's, serve as a reminder for everyone to be careful online. "The Internet can amplify minor mistakes from anyone," he said.

They must send their E-mail out in batches. The one I got did expose some E-mail addresses but not 900. So although the number may be as high as 900 addresses exposed, it seems that they were not all made available in each exposure.

Homeland Security Conference.

Eighteen months have now elapsed since the fateful events of "9-11." President Bush, responding to this new and growing threat, has placed the nation on a wartime footing and published the National Homeland Security Strategy. This bold plan, the lynchpin of which is the establishment of the Department of Homeland Security, will serve as the philosophical underpinning for our nation's defense against terrorism.

The AFCEA Homeland Security Conference, one of the first to be held since the establishment of the new Department, will feature nationally prominent leaders from all levels of government, industry and academia. These leaders will examine the nature of the ever-evolving terrorist threat, outline those actions that government and the private sector are taking to counter this threat, discuss state-of-the-art technologies providing America with a technological edge, and look over the immediate horizon to help determine what may be next.

Conference speakers and panels have been organized to provide insight along the four principal axes of the President's National Homeland Security Strategy:

Conflict News from Wired News - Spy Agencies Tight-Fisted on Data.

As the U.S. government tweaks its computer networks to fight terrorism, one thing is clear: Wrangling in the intelligence community about how to share vital data has yet to die down even nearly 18 months after the Sept. 11 attacks.

Industry and government security gurus who gathered Wednesday in Washington for the Armed Forces Communications and Electronics Association's Homeland Security Conference said the resistance stems more from culture than technology.

"We have the technology," said William Dawson, chief information officer at the CIA's Department of Intelligence Communications. "But we don't have the processes yet. That's what we need to work on."

Part of the problem is that the two leading U.S. intelligence agencies -- the CIA and the FBI -- are naturally prone to limiting access to intelligence, not to sharing it, and for obvious reasons.

"Have any of you ever heard of Robert Hansen?" asked John Pistole, FBI deputy assistant director for counterterrorism, in reference to the FBI agent convicted in 2001 of spying for Russia. Pistole said it's because of such espionage risks that agencies avoid sharing data even within their own ranks, not to mention with other agencies.

"FBI agents are trained to collect information, but not to be the Federal Bureau of Information," he said.

Political News from Wired News - Voting Software Firm Gets Sued.

In a case calling into question the thoroughness of the certification process for touch-screen voting systems, a former engineer for an election software company has filed a lawsuit against his ex-employer, claiming executives ignored his warnings of potential defects.

In the suit, filed in superior court in King County, Washington, software engineer Dan Spillane claims that his ex-employer, voting software developer VoteHere, wrongfully fired him after less than seven months on the job.

The suit claims the termination occurred shortly before Spillane had planned to meet with officials of the independent testing authority responsible for certifying voting machines and the U.S. General Accounting Office. He claims the firing was "clearly in retaliation for whistleblowing."

Although more than a year and a half has passed since he lost his job, Spillane said he decided to file the suit because he believed it was important to disclose potential defects in voting software applications and in the certification process.

Chi Lib Rocks! via The Shifted Librarian - ALA's Office for Information Technology Policy to Offer "Privacy 101 for Librarians".

"March 3 through May 5, 2003 OITP will host an online e-mail tutorial on privacy. Similar in format to the successful copyright, UCITA and licensing tutorials offered in past years, the privacy tutorial will cover privacy basics for library professionals in 20-25 brief, but informative messages written by Leslie Harris, experienced lawyer, lobbyist and public policy strategist in Washington, D.C. Leslie is founder and president of Leslie Harris & Associates, and has been a long-standing partner with ALA in defending civil liberties and protecting library patron privacy.

The tutorial will address privacy expectations of library patrons and practical ways to meet them; legal protections for library records and their limitations; how technology has changed the way libraries must address privacy; and privacy audits. The tutorial course is FREE to ALA members, and only $25 for non-ALA members."

Slashdot | SecurityFocus On MS Security "Hole".

friday2k writes "There is an interesting writeup at SecurityFocus that puts the latest security 'hole' in XP into perspective. It is a worthy read and should remind us all of the real issues out there." --- And it collects into one place much of the flak I caught after posting about the claimed security hole opened by the XP Recovery Console.

vnunet.com Q+A: Stuart Okin, Microsoft UK's chief security officer.

It's been a year since Bill Gates sent an email to Microsoft's 50,000 staff, informing them that security was the company's new watchword and its Trustworthy Computing strategy was its newest and biggest priority.

Twelve months later and the company says it wants people to be able to trust computing infrastructures within the next 10 years. The software giant is doing all it can to shake off its reputation of having bug-ridden software that is inherently insecure.

Stuart Okin, Microsoft UK's chief security officer talked to Computing about the company's security vision.

Slashdot | Trustworthy Computing At One Year.

ackthpt writes "One year ago Bill Gates issued forth an email directing the company to work toward Trustworthy Computing, making Microsoft operating systems, applications and services secure and reliable. Where is that effort at today? vnunet has this Q&A with Microsoft security chief Stuart Okin. Slow, steady progress seems to be the result. They've targeted Security, Privacy, Reliability and Business Integrity, but so far have had a go at Privacy. Okin indicates the strategy may take 5 to 15 years, but more immediate milestones are targeted within the next two years and focusing on reducing vulnerabilities in the next version of Windows, rather than attempting to fix 2000 or XP. I'd chalk this up as a frank and honest interview, rather than madly spun, and paints a picture of the massive cat herding effort undertaken."

U.S. Senator Patrick Leahy - FBI Oversight in the 107th Congress by the Senate Judiciary Committee: FISA Implementation Failures.

An Interim Report by Senators Patrick Leahy, Charles Grassley, & Arlen Specter

PC World - Are the Feds reading your e-mail? Senators ask how expanded surveillance powers are used.

[ ... ]

"Before we give the government more power to conduct surveillance on its own citizens, we must look at how it is using the power that it already has," says Leahy. "Is that power being used effectively, so that our citizens not only feel safer but are in fact safer? Is that power being used appropriately, so that our liberties are not sacrificed?"

He says cities across the country have sent "clear signals" to Washington by debating or passing resolutions urging Congress to ensure a proper balance between civil liberties and government's police and surveillance powers. Last session, two senators called for an oversight commission to balance security and privacy.

[ ... ]

The Senate bill introduced Tuesday would require the attorney general to issue an annual report showing how often FISA orders were issued for U.S. citizens. It also asks how often agents monitor library computers, how they use FISA provisions in criminal court cases, and how FISA courts interpret search applications.

Slashdot | Your Rights Online - Domestic Surveillance Oversight Act.

miladus writes "PCWorld is running a story about the latest effort by the Senate to oversee the FBI's use of anti-terrorist laws and 'excessive secrecy'. Senator P. Leahy (D-Vermont) along with C. Grassley (R-Iowa) and A. Specter (R-PA) are proposing the Domestic Surveillance Oversight Act (pdf file) which will require the FBI and the Department of Justice to tell 'how often they spy on American citizens under powers granted by the 1978 Foreign Intelligence Act (FISA) and expanded in the Patriot Act of 2001'. The senators released a report charging the FBI and the DOJ of 'excessive secrecy' and of 'inadequate training with respect to the FISA provision' concerning the balance between privacy and security."


 

© copyright 1997-2003 by Paul Hardwick. All rights reserved.
All trademarks are the property of their respective owners.
Modified: 2/28/03; 12:01:14 AM
Built: 3/2/03; 12:16:48 AM
URL for current page: http://www.PrivacyDigest.com/2003/02/27
