A program called NCovert uses spoofing techniques to hide the source of communications and the data that travels over the network--a potential boon to both privacy advocates and hackers, said Mark Lovelace, senior security researcher for network protection firm BindView, who unveiled the program Thursday at the Black Hat Briefings security conference here.

"I am not going to beat around the bush," Lovelace said. "If you have something to hide, you would use this--so it could help black hats (criminal hackers)."

The technique essentially creates a covert channel for communications by hiding four characters of data in the header's initial sequence number (ISN) field. The header is the part of data packets that tells network hardware and servers how to handle the information. The header also includes source and destination Internet protocol (IP) addresses. Those addresses are used to add anonymity to the communications.

As the flaws keep flowing in, hackers and security experts gather in Las Vegas to work out what's needed to keep the Internet safe--and whether it's time for less talk and more action.

Backers of a financial privacy initiative said Wednesday that they've collected enough signatures to qualify it for the ballot. But in a surprise move, they promised to hold the signatures for three weeks to give state lawmakers a final chance to hammer out a bill instead.

``There's one last window of opportunity here, and it's in everybody's interest to come to a compromise,'' said Dan Schnur, political consultant to the coalition of consumer groups that has backed the initiative.

The coalition, led by Consumers Union and the AARP, said it had collected 550,000 signatures from registered voters, more than enough to place the measure on the ballot in March 2004. But the group said it would not turn in the signatures until Aug. 20 to give lawmakers another stab at resolving an issue they have unsuccessfully debated for four years.

Citing privacy concerns, the groups have been pushing for a bill that would give consumers the right to ask not to have their financial information passed around within large corporations and to outside companies.

But state lawmakers have repeatedly shot down financial privacy legislation, citing concerns raised by business groups that the bills were unworkable and would harm businesses.

A program to screen all airline passengers to determine what security risk they pose is drawing fire from privacy advocates, even as the Bush administration is catching flak for threatening to reduce the number of air marshals on cross-country flights.

[ ... ]

Privacy advocates remain leery, particularly because the government says the database could be used for other purposes. For example, information obtained about airline passengers could be used to arrest criminals, said David Sobel, spokesman for the Electronic Privacy Information Center.

"It's certainly an improvement in some ways, but opening the door to uses beyond aviation security certainly raises some serious concerns," Sobel said.

Under the program, an airline passenger would be required to provide name, birthday, address and phone number. That information would then be checked against the government database and, through a private company, publicly available commercial databases to determine a security threat level.

Congress recently expressed skepticism about whether the program will actually work and whether citizens' privacy would be adequately protected. House and Senate negotiators last week agreed to require the Homeland Security Department to first demonstrate the program meets requirements of due process, accuracy and privacy before it can be launched.

Two conspicuous public-relations failures -- the terrorist futures market and the Terrorism Information Awareness system -- are apparently enough to convince John Poindexter to quit his job at the Department of Defense.

[ ... ]

Among the lawmakers who expressed concern about the DARPA projects, Sen. Patrick Leahy (D-Vt.), said, "The problem is that these projects were just fine with the administration until the public found out about them.... The lesson seems to be that you can do whatever you want quietly, so long as it doesn't become a public embarrassment."

The Transportation Security Administration outlines new requirements for passengers planning to board airplanes. CAPPS II will require every would-be flier to submit personal information, which will be checked against multiple databases.

[ ... ]

The Transportation Security Administration on Thursday revealed details of the newest version of a computerized system designed to prevent terrorists from boarding airplanes by checking passengers' backgrounds against several databases.

The second-generation Computer Assisted Passenger Prescreening System, or CAPPS II, as outlined in a notice to be published Friday in the Federal Register, will rate every passenger by checking dates of birth, home addresses and phone numbers against commercial databases and the government's terrorist watch lists.

The system also would allow the Transportation Security Administration to look for people wanted for "crimes of violence." It could look for domestic groups accused of terrorism, including members of radical groups such as the Animal Liberation Front.

The original outline, published in January, garnered a storm of criticism from privacy advocates, who railed against provisions that would have allowed the agency to keep records for 50 years and share the information widely.

Some privacy advocates were heartened because some of the most sensitive provisions were left out.

"We've come a long way with this notice," said Lisa Dean of the Electronic Frontier Foundation. "No health or financial data will be used. Information will be retained for days, not years. And no (Internal Revenue Service) or deadbeat dads databases will be used."

Jim Dempsey, president of the Center for Democracy & Technology, was less enthusiastic, however, citing a provision that would allow the TSA to look for criminals and domestic terrorists.

"Maybe a person wanted for armed robbery flies on airplanes, but he's not going to rob a person on a plane," said Dempsey.

"On the one hand, we want people with outstanding warrants to be caught," said Dempsey. "On the other hand, we have not been a checkpoint society. We will fundamentally change the nature of our society if we start exploiting our society's gates for general law enforcement."

A TSA official, who requested anonymity, defended that portion of the proposal, saying it narrowed the original notice, which would have put almost no barriers around the TSA's authority to share information with federal, state and local officials.

Nazih Hassan is deliberately noncommittal when asked whether the Muslim organization he leads in Ann Arbor, Michigan, has been targeted by federal investigators.

"Even if I have been asked, I cannot tell you," he says, noting that under provisions of the USA Patriot Act, he isn't allowed to discuss pending investigations. According to the act -- drafted in the wake of the Sept. 11, 2001, attacks to broaden government powers in fighting terrorism -- organizations are prohibited from revealing requests for records by federal agents.

The obligation to secrecy, however, hasn't prevented Hassan from taking action to prevent future investigations carried out under the Patriot Act.

Hassan's 700-member Muslim Community Association of Ann Arbor signed on as lead plaintiff in a lawsuit filed this week by the American Civil Liberties Union and a coalition of U.S.-based Islamic organizations seeking to dismiss provisions of the Patriot Act on constitutional grounds.

The suit was filed in federal court for the Eastern District of Michigan, home to one of the largest populations of Muslim Americans. It focuses on a portion of the act -- Section 215 -- that lets the FBI secretly obtain personal records and belongings, including those of individuals not suspected of criminal activities, in the course of antiterrorism investigations.

The ACLU claims the act breaches constitutional protections against illegal search and seizure. The suit also accuses two defendants, Attorney General John Ashcroft and FBI Director Robert Mueller, of violating the First Amendment by authorizing the investigations of people based on activities that are constitutionally protected as free expression, free association and free exercise of religion.

This week's offensive against the Patriot Act is not a first for the ACLU. The organization has filed numerous lawsuits alleging civil liberties violations following the Sept. 11 attacks and launched a national campaign last fall to challenge government antiterror policies that it deems undemocratic.

Wendy Wagenheim, spokeswoman for the ACLU of Michigan, said this week's lawsuit is significant because it is the first to claim the Patriot Act provisions are unconstitutional.

"We want to make sure ordinary citizens don't have to worry about the FBI obtaining their medical records or their personal papers or other items the FBI has no right to have, when you've done nothing wrong," she said.