Blogs

As I blogged back in August, the Future of Music Coalition is a group representing musicians, the people at the creation end of the music food chain. Their interests and opinions do not necessarily align with those of the major labels and the other RIAA-member companies whose advertising, promotional, and lobbying efforts most frequently make the news. To quote from the FMC Manifesto:

The Recording Industry Association of America is a special interest group that claims from time to time to lobby on behalf of musicians, but it is funded by, and represents the interests of, the major record companies -- the same corporations traditionally known to be the primary exploiters of the musicians that the RIAA claims to represent. The RIAA simply cannot be trusted to serve two distinct masters -- the record companies and the artists.

FMC Newsletter #36 just came out (currently here, but check the archives when it's no longer the current issue), and it's a treasure trove of background and viewpoints from a perspective not seen nearly often enough. In particular, it contains an excellent summary of the history and current status of the INDUCE Act, ending with this observation:

While some in the music and recording industry feel like the INDUCE Act is a reasonable way for copyright owners to legally go after the P2P services that facilitate filetrading, the FMC continues to have serious reservations about the bill. As such, we are glad that the bill has not moved ahead. This does not mean that we do not value copyrights or think it's okay for people to steal music -- but rather we think that the bill would not have provided a workable solution. It could have chilled innovation, put legitimate hardware and software businesses at risk, and it would have given the record companies the legal tools to shut down file sharing systems that some musicians and artists actually embrace, not to mention the fact that P2P services are capable of non-infringing uses.

Trying to legislate P2P filesharing is akin to a game of whack-a-mole and the very bad actors will always come up with a way to shield themselves from being subject to the enforcement of US Copyright law, so there's a question of whether any piece of legislation could accomplish what Senator Hatch envisioned. FMC would like to see the market sort out the balance between copyrights and emerging technologies before any legislation that could hinder one or the other is enacted.

Here's my summary, in soundbyte form:

• You can maintain a deep respect for intellectual property and for artists' rights and still oppose the INDUCE Act as bad legislation.
• Notwithstanding the view of hammer-wielding legislators, not every problem is a nail. When challenged to provide replacement text for the current version of INDUCE, it is perfectly reasonable to say, "None. Let the market do its job."

And here's another notable soundbyte, from the Associated Press:

• U.S. album sales up 5.8 percent in first nine months of 2004.

Holster that hammer.

Steve

This message reflects the opinions of the author, and not necessarily those of EDUCAUSE or its members.

C|NET is reporting that RealNetworks/Rhapsody is the latest entry in the college music space. The service will be offered free through May 2005 and will cost two dollars a month to continue.

• http://news.com.com/2100-1027_3-5409569.html
• http://events.adelphi.edu/news/20041014.php

Many of you have probably heard about the Virginia Alliance for Secure Computing And Networking (VA SCAN). Their unique collaboration and partnership has been featured in a few different EDUCAUSE conference programs. I had the opportunity yesterday to participate in their conference ("Meeting IT Challenges: National Strategies and Local Solutions") that was co-hosted with the Association of Collegiate Computing Services. Below are a few observations:

• State or regional collaborations are an excellent, cost-effective way to facilitate human networking and resource sharing among institutions with similar interests, possibly including the in common need to respond to the security requirements of state government.
• Conferences held at the state or regional level also provide an affordable way for institutions to send multiple individuals to participate, often without the need for overnight stays and with minimal travel costs.
• Although cybersecurity is a global problem and the residents of the East Coast have similar needs with individuals in other parts of the U.S. and around the globe, the growing numbers of security professionals in the U.S. and abroad will require us to fragment into smaller communities over time - and geographic communities will continue to be a natural method by which security professionals will congregate.
• State or regional conferences allow you to highlight and promote local talent, ranging from Presidents who can serve as cybersecurity advocates (VASCAN conference featured JMU's President Linwood Rose) to policy and technical experts.

Accordingly, despite the efforts of the Security Task Force to create national forums (such as the Security Professionals Conference) or regional professional development opportunities (such as the pre-conference seminars provided at the EDUCAUSE Regional Conferences), we are also eager to support and promote state and regional efforts that are organized by member institutions. A listing of State/Regional Cybersecurity Events for Higher Education is maintained on our web site. Please keep us informed of your activities (send event notifications to Security-Task-Force@educause.edu) and let us know if you need any assistance in identifying speakers or program content.

We are pleased to see local alliances and partnerships emerge that in turn support the broader national and international efforts to secure cyberspace.

ITConversations.com has audio of the Gnomedex 4.0 Panel on Security available on it's web site. Their abstract suggests that these questions will be addressed:

"Are hardware methods superior to software? How do memory-managed languages help? How can we make security management within the skill set of the average user? Is automation the answer? Should upgrades be mandated? Should there be a security tax for those who don't upgrade their systems. DRM: Does it increase security risks? And what attacks should we expect in the future?"

Last week was a busy week on the cybersecurity front.  It was so eventful that my blog postings this week are in an effort to catch up with what may already be old news!  However, an event held earlier in the week, the Cybersecurity Summit 2004 organized by the National Center for Atmospheric Research, has not been broadly publicized and is worth a few summary notes and observations.

The purpose of this invitation-only Summit was to share information about recent security intrusions, to emphasize security best practices, and to develop a trust network among participants in which methods of communication for future security events will be explored.  Breakout discussion sessions focused on user education and policies, education and policies for sysadmins, intrusion detection and network security, protection of host computer systems, and security implications for grid computing.

The discussions regarding the security incidents of this past year that impacted supercomputing centers and others was confidential and will not be recanted here.  However, among the most important lessons from those incidents and the corresponding discussions during the breakout groups was the need for better coordination and information sharing among the individuals responsible for incident handling.

A few concluding observations:

• The security challenges of supercomputing centers are not really all that different from those confronted by institutions of higher education.  However, since many of the centers are co-located at major research universities, there is a lot of similarity between the needs of the centers and those generally experienced by the Internet2 community.
• While “incident handling” is a broad concept, there were generally two recommendations that emerged from the workshop.  First, the need for more automated tools to assist sysadmins in conducting forensics and analyzing intrusions.  Second, the need for a trusted network of incident handlers for information sharing.
• There was a general consensus that workshops of this type should be repeated as a way to increase awareness about security incidents and to bring together sysadmins and incident handlers for professional development and human networking.
• There is a need for security training and professional development opportunities for sysadmins that is not being currently met by EDUCAUSE, Internet2, or other entities.
• There was a large amount of unawareness about the activities of the EDUCAUSE/Internet2 Security Task Force and the REN-ISAC to address some of the needs identified at the Summit as well as issues raised during previous workshops organized by the task force, also funded by NSF.

The above observations are not meant as criticism of the workshop organizers or the attendees.  There are real concerns that point out that much work remains to be done and there is a need for greater outreach by the Security Task Force to the affected communities.  These observations along with new relationships developed during the Summit will lead to further conversations, I am sure, and a re-assessment of the Security Task Force strategies in light of the issues identified.

$92 million was the price tag attached to an out of court settlement that ended entry into trial's damages phase where Kodak was seeking more than one billion in lump-sum royalites.

• Read more about this case at USA Today

I attended two Congressional hearings last week that underscore the importance of securing information systems that contain Social Security Numbers (SSN) and that further mark the trend to discourage SSN use as identifiers except for limited purposes.

The House Government Reform Subcommittee on Technology and Information Policy in a hearing on identity theft explored the growing instances of electronic data theft. Patrick O'Carroll, Acting Inspector General of the Social Security Administration, in his testimony described how SSN's printed on university student ID cards make the owners of these SSN's potential targets. He also described a recently discovered offer to sell up to 10,000 SSN's with matching names on eBay which were traceable to the University of North Carolina at Pembroke where SSNs serve as the identifiers for its staff, current students, and applicants.

The House Subcommittee on Commerce, Trade, and Consumer Protection also held a hearing on H.R. 2971, the Social Security Privacy and Identity Theft Prevention Act of 2003, that would make it an unfair and deceptive trade practice under the Federal Trade Commission Act for any person to refuse to do business with an individual because the individual will not consent to that person's receipt of the Social Security number. Testimony provided by Barbara Bovbjerg from the U.S. Government Accountability Office warns:

The use of SSNs by both private and public sector entities is likely to continue, but the more frequently SSNs are used, the more likely they are to be misused given the continued rise in identity crimes. In considering restrictions to SSN use, policy makers will have to balance the protections that could occur from such restrictions with legitimate business needs for the use of SSNs.

The GAO Report ("SOCIAL SECURITY NUMBERS: Use Is Widespread and Protections Vary in Private and Public Sectors") is a useful resource, especially the discussion on pages 7-8 of restrictions placed upon SSN use as a result of federal laws and summary of state laws on pages 8-9. Additionally, if you are considering the elimination of SSNs as primary identifiers (a recommendation of the Security Task Force), then I would refer you to the resources that we have assembled at http://www.educause.edu/ir/library/pdf/EDU0349.pdf

Forget about the Abbott and Costello comedy act about "who's on first?" (in the spirit of the beginning of the baseball playoffs). The more comical routine in Washington, D.C., these days (among the many to choose from) is the question of "who's in charge of cybersecurity at DHS?" Actually, it is not a very funny topic because it concerns a very serious matter. Amit Yoran, director of the National Cyber Security Division, is the latest in a series of departures of individuals who were at the helm of our national strategy.

There has been much speculation in the media as to whether or not Yoran was frustrated by his lack of authority and placement three layers below Secretary Tom Ridge. Although I don't disagree with recent Congressional proposals to elevate the importance of cybersecurity (and I am sure that Yoran would have appreciated the promotion), I think there are other reasons behind his sudden departure. I was with Yoran at a National Press Club event on Thursday morning where he was announcing DHS's support of National Cyber Security Awareness Month and had a hallway conversation with him where he was very engaged regarding cybersecurity training and education. My last words to Yoran were "See you this afternoon" in reference to his scheduled testimony before a Senate committee regarding the security of Internet root servers. When he unexpectedly did not appear at the hearing and an aide was forced to read his written testimony, the news of his "abrupt resignation without notice" on the next day took on new significance for me. While I have theories as to what might have went wrong in those final hours/minutes, I will not speculate here.

Most importantly is the question of what does this mean for higher education? Arguably, DHS and their various programs and initiatives will have little impact - for good or bad - on colleges and universities across the United States. Of course, there is SEVIS, foreign student VISA's, and constraints on security-related research that impact faculty and students. Nonetheless, Yoran's departure from DHS is very unfortunate in many respects. First, Yoran had an affection for higher education that I experienced first-hand. I first met Amit, a few week prior to him beginning his new role at DHS, where he was giving a guest lecture to a group of students at Georgetown University where his wife is also an adjunct faculty member. He also had many close advisors from academia. Second, he had a unique appreciation for the role that higher education played in the cybersecurity of America - as a source of future leaders through our core mission of teaching and learning, as a basic source of much of our new knowledge and subsequent technologies as a result of research and discovery, and as operators of some of the world’s largest collections of computers and high-speed networks. He provided similar remarks at the EDUCAUSE Policy Conference this past Spring. Finally, in the pursuit of public-private partnerships, he consistently included EDUCAUSE, the Security Task Force, and other higher ed partners in both the strategic discussions as well as tactical efforts to implement the National Strategy to Secure Cyberspace. While it is certainly possible for his successor to do the same, it is unfortunate that we will potentially have to begin anew the process of informing, educating, and possibly convincing the national cybersecurity leadership of the important role that higher education plays in this public policy space.

I wish Amit Yoran well. He will land on his feet and we are all the better for his leadership this past year. Despite his polite remarks in press accounts that I have read, there are serious systemic problems that remain. The good news is that we've become accustomed to the "revolving door" - now at DHS and previously in the White House when cybersecurity was headquartered in the Executive Office. So, we will stay the course and do our best to keep the new leadership honest and forge a partnership that will hopefully be as productive as what we experienced under former cybersecurity czar Richard Clarke, Howard Schmidt, and most recently Amit Yoran.

For some press accounts of Yoran's sudden departure, see:

• Yoran Quits DHS (Federal Computer Week)
• U.S. Cybersecurity Chief Resigns (CNN)
• U.S. Cybersecurity Chief Abruptly Resigns (Forbes)
• Top U.S. Cyber-Security Official Resigns (Washington Post)

In a sign that ebook world continues to capture the attention and imagination of folks throughout the world, BodhTree has joined the likes of e-ink and Gyricon in developing an ePaper solution. If ePaper type solutions and Flexible OLEDs begin appearing in production at low cost, and with longer battery life, ebooks may yet prove a more pervasive force in publishing, but I suspect it will be some time for it to materialize.

For more on the BodhTree anouncement, read:

• http://www.expresscomputeronline.com/20041004/indianews05.shtml

Ted Goranson continues with his column on outliners and their many uses. In his September column Goranson extols the value of graphical representation of data. Arranging concepts in a two dimensional diagram to identify and map connections is one of the capabilities of mindmapping.

This post examines the what, why and how of the exciting worlds of mindmapping, concept mapping and outliners.  The post also evaluates the current crop of software packages available for working with data visually. (Note: the software package review is Mac centric; the Outliner concepts and background are universal).

My eye was caught the other day by a p2pnet story entitled "Mozilla-based Google browser". Our friends at p2pnet had noticed a Sept. 19 article in the New York Post headlined "Google Picks Gates' Brains", which reported on some recent staff defections from Microsoft to Google, as well as noting a few other interesting new additions to the Google payroll.

The take-away quote was: "Based on the half-dozen hires in recent weeks, Google appears to be planning to launch its own Web browser and other software products to challenge Microsoft."

And this got me thinking about the evolution of the digital economy.

In the beginning, the money was in hardware. IBM grew larger than many countries by selling big blinking boxes for millions of dollars each and giving the software away for free. And then Bill Gates reversed the equation, proving not only that you can, in fact, compete with free (nota bene, Jack Valenti), but that you can make billions of dollars doing it. Hardware has now become a commodity.

What's next? Will Google do to Gates what Bill did to IBM?

For a long time, we've been hearing that "Content is King", and the phrase does have the ring of truth. But Google doesn't create or even store content, they just facilitate access to it. And so if Google is positioning itself to out-Gates Gates, something else must be going on.

And that's when I thought of Greg Rawlins.

Back in November, 1991 -- in a pre-Google, pre-Web world -- I stumbled across a wonderful paper called "The New Publishing: Technology's Impact On The Publishing Industry Over The Next Decade", by Gregory Rawlins of the Computer Science Department at Indiana University. You can still find the original out on the Web, as well as updated versions and hundreds of citations and references. (Try this Google search.)

Rawlins anticipated an impressive variety of issues that today confront the process of creating, disseminating, and paying for content. Here's his take, for example, on file protection:

Traditionally, publishers and authors have used copyright and the courts to protect their investment. So the natural way for publishers to adapt to the new technology is to copy-protect their books, as software publishers and video producers first tried, and recording artists are still trying, to protect their products. Copy protection is like putting a lock on each copy then selling a key with each locked book.

Protections on marketable intellectual properties try to equate intellectual properties, like this report, with tangible properties, like ham sandwiches, or rights on tangible properties, like franchises, licenses, water rights, stock futures, or airline routes. Because of their artificiality, it could be said that copy protection merely feeds lawyers and annoys legitimate users. Whether that position is defensible, copy protection certainly adds expense and works against easy searching and collating. So for educators, scientists, and technologists it would be desirable to avoid it, if possible.

Remember, he said this in 1991!

But it's this observation of Rawlins' that the p2pnet/NYPost article brought to mind:

Soon there will be a whole new profession---people who find things, or know who to ask---perhaps they will be called ferrets. For those who want to rummage for themselves there will be another new profession --- people who arrange things --- perhaps they will be called mapmakers. And everyone will need people who select things --- perhaps they will be called filters.

These three professions mirror the three basic aids in non-fiction books: indices (ferreting), tables of contents (mapmaking), and bibliographies (filtering); and the three basic uses of computers: searching (ferreting), sorting (mapmaking), and selecting (filtering).

All three are marketable services.

Publishers may try to enter all three markets, but unless they enter them understanding their importance they may be shut out by more aggressive third-party companies. Eventually they will also have to compete with computer programs.

As computer power becomes more widespread each user's computer may run hundreds of ferret programs continuously, all separately exploring the world's data for useful information. When a ferret returns it may have to face dozens of filters who try to prevent them from adding the data found to the user's personal information base. Data that enough filters judge to be important or relevant is passed to the mapmaker to be linked into the user's personal map of what's important, where it is, and how it relates to other information in the personal map.

Pretty good predicting!

So, yes, Content is King. But I'll be watching for the next Bill Gates among the ferrets, filters, and mapmakers at Google and its competitors.

Steve

PS: The p2pnet item that started this whole rumination called the potential Google-built browser "mozoogle". I prefer "Goozilla".

This message reflects the opinions of the author, and not necessarily those of EDUCAUSE or its members.