Blogs

On the heels of our own conference, I thought I'd provide some pointers to presentations from another. Earlier this month, the Internet Librarian International 2004 was held in London. Multimedia from their track on open access publishing is listed below.

• Interview with Open Access Advocate, Stevan Harnad
• Panel Discussion: Open Access Issues for Librarians
• Open Discussion for ILI Delegates and Open Access Forum Guests

CompTIA (Computing Technology Industry Association), a global trade association representing the business interests of the information technology industry, will hold an interactive briefing this week at the National Press Club in Washington, D.C., on the tech policy positions of President George W. Bush and Senator John F. Kerry.  Leading tech policy experts will explain key issues and break down the positions of each candidate on such issues as spam, broadband deployment, tech workforce development, unlicensed wireless spectrum, and cybersecurity (among others).

CompTIA created a voter's election guide from the candidates’ responses (see "Election 2004: Bush and Kerry on Technology"). Here is what the two candidates had to say about cybersecurity.

Bush Response:

Given the enormous importance of e-commerce, Internet-based communications, and the use of cyberspace to control portions of our physical infrastructure, cyber security is critical. The investments being made today in securing out Nation's cyber infrastructure and in cyber security R&D are working to ensure that future generations of network software and hardware are less vulnerable to an attack and can maintain critical operations even when compromised.

I announced the National Strategy to Secure Cyberspace in February 2003. This plan, which complements the National Strategy for the Physical Protection of Critical Infrastructure and Key Assets, depends on both public and private efforts to secure the many elements that comprise the national information infrastructure, including routers, switches, fiber-optic cables, and tens of millions of interconnected computers. The strategy provides five national cyber security priorities: a national security response system; vulnerability reduction program; an awareness and training program; a government cyberspace security program; and national security and international cyberspace security cooperation.

Kerry Response:

In particular, worms and viruses are causing economic losses of billions of dollars a year. Experts have argued that future worms could allow attackers to rapidly control millions of Internet-connected computers. They could then use those computers to launch "denial of service attacks," or steal and corrupt large quantities of sensitive information. Moreover, these worms could reach most vulnerable targets in an hour or less. We need a president who is actively supportive of developing technologies that will automatically detect and respond to these kinds of attacks.

We need a president who will devote the energy of the White House to making our networks - our 21st century infrastructure - stronger and more secure. That means supporting a cyber security intelligence system ready to detect these threats. I will implement global standards and best practices so that weak links are strengthened. And we need a real partnership between the public and private sectors. Most of the infrastructure we need to protect doesn't belong to government - and neither government nor business can fix these problems alone.

Of course, we have seen the track record of President Bush which by many accounts has given insufficient attention to cybersecurity. In fact, many have claimed that the (relatively small) budget devoted to cybersecurity in the U.S. Dept. of Homeland Security (DHS) is a clear indication that it has not received priority consideration under the Bush Administration. Additionally, as "The Revolving Door at DHS Continues" there has not been a continuity of leadership to inspire higher education and the private sector to have much faith in the public sector contributions to implementing the National Strategy. On the other hand, it is not clear what Kerry means when he states that "we need a real partnership between the public and private sectors." The National Cyber Security Partnership and other similar efforts are evidence of an attempt of the private sector to step up to the challenge. However, it is encouraging to hear him promise to "devote the energy of the White House to making our networks stronger and more secure."

There is little doubt that the outcome of the elections could set the stage for future directions of cybersecurity under the White House and DHS. A new administration will mean a new secretary of DHS and other changes (for better or worse). Many expect further personnel changes in DHS even if President Bush wins a second term. And, of course, there is the recent sentiments of Congress, supported in part by DHS's Secretary Ridge, that cybersecurity should be elevated in the DHS management. But the real battles for cybersecurity will continue to be fought in the corporate board rooms, within the management ranks of both private and public sector organizations, and the IT operations centers where the latest vulnerabilities are exposed.

See the CompTIA press release and a related news story by internet news ("Bush, Kerry Agree on P2P").

Yesterday, at the annual face-to-face meeting of the EDUCAUSE CIO Constituent Group, Jason Schultz of the Electronic Frontier Foundation reviewed the past, present, and likely future of the patent infringement claims being pursued by Acacia Media Technologies.

As noted in my August blog, Acacia is number one on the EFF Patent Busting Project's top-ten "most wanted list" for "crimes against the public domain, willful ignorance of prior art, and egregious display of obviousness". In particular, Acacia claims to have invented online streaming of audio and video, or, according to the EFF, "everything from online distribution of home movies to scanned documents and MP3s".

And now, just when you thought your jaw couldn't drop any further or your eyes pop any wider, Acacia is sending out a new round of letters. This time they're asserting rights to the technology by which hotels, coffee shops, and all of our campuses redirect unrecognized computers to registration Web pages. For more details, see this article in Wi-Fi Networking News. Remember: Deep breaths, stay calm, don't grind your teeth.

Next Wednesday, October 27, Jason will be my guest on EDUCAUSE Live!, a free 60-minute Webcast from 1 to 2pm Eastern Time. We'll be talking about Acacia's business model of turning dubious patent claims into royalty checks, about how and why our patent system got to this sorry state, and about what we can do, both individually and collectively, to help make things better. Registration is required and limited. Sign up now!

What?

No, don't be silly. The Webcast uses no streaming media.

See you Wednesday.

Steve

This message reflects the opinions of the author, and not necessarily those of EDUCAUSE or its members.

As I blogged back in August, the Future of Music Coalition is a group representing musicians, the people at the creation end of the music food chain. Their interests and opinions do not necessarily align with those of the major labels and the other RIAA-member companies whose advertising, promotional, and lobbying efforts most frequently make the news. To quote from the FMC Manifesto:

The Recording Industry Association of America is a special interest group that claims from time to time to lobby on behalf of musicians, but it is funded by, and represents the interests of, the major record companies -- the same corporations traditionally known to be the primary exploiters of the musicians that the RIAA claims to represent. The RIAA simply cannot be trusted to serve two distinct masters -- the record companies and the artists.

FMC Newsletter #36 just came out (currently here, but check the archives when it's no longer the current issue), and it's a treasure trove of background and viewpoints from a perspective not seen nearly often enough. In particular, it contains an excellent summary of the history and current status of the INDUCE Act, ending with this observation:

While some in the music and recording industry feel like the INDUCE Act is a reasonable way for copyright owners to legally go after the P2P services that facilitate filetrading, the FMC continues to have serious reservations about the bill. As such, we are glad that the bill has not moved ahead. This does not mean that we do not value copyrights or think it's okay for people to steal music -- but rather we think that the bill would not have provided a workable solution. It could have chilled innovation, put legitimate hardware and software businesses at risk, and it would have given the record companies the legal tools to shut down file sharing systems that some musicians and artists actually embrace, not to mention the fact that P2P services are capable of non-infringing uses.

Trying to legislate P2P filesharing is akin to a game of whack-a-mole and the very bad actors will always come up with a way to shield themselves from being subject to the enforcement of US Copyright law, so there's a question of whether any piece of legislation could accomplish what Senator Hatch envisioned. FMC would like to see the market sort out the balance between copyrights and emerging technologies before any legislation that could hinder one or the other is enacted.

Here's my summary, in soundbyte form:

• You can maintain a deep respect for intellectual property and for artists' rights and still oppose the INDUCE Act as bad legislation.
• Notwithstanding the view of hammer-wielding legislators, not every problem is a nail. When challenged to provide replacement text for the current version of INDUCE, it is perfectly reasonable to say, "None. Let the market do its job."

And here's another notable soundbyte, from the Associated Press:

• U.S. album sales up 5.8 percent in first nine months of 2004.

Holster that hammer.

Steve

This message reflects the opinions of the author, and not necessarily those of EDUCAUSE or its members.

C|NET is reporting that RealNetworks/Rhapsody is the latest entry in the college music space. The service will be offered free through May 2005 and will cost two dollars a month to continue.

• http://news.com.com/2100-1027_3-5409569.html
• http://events.adelphi.edu/news/20041014.php

Many of you have probably heard about the Virginia Alliance for Secure Computing And Networking (VA SCAN). Their unique collaboration and partnership has been featured in a few different EDUCAUSE conference programs. I had the opportunity yesterday to participate in their conference ("Meeting IT Challenges: National Strategies and Local Solutions") that was co-hosted with the Association of Collegiate Computing Services. Below are a few observations:

• State or regional collaborations are an excellent, cost-effective way to facilitate human networking and resource sharing among institutions with similar interests, possibly including the in common need to respond to the security requirements of state government.
• Conferences held at the state or regional level also provide an affordable way for institutions to send multiple individuals to participate, often without the need for overnight stays and with minimal travel costs.
• Although cybersecurity is a global problem and the residents of the East Coast have similar needs with individuals in other parts of the U.S. and around the globe, the growing numbers of security professionals in the U.S. and abroad will require us to fragment into smaller communities over time - and geographic communities will continue to be a natural method by which security professionals will congregate.
• State or regional conferences allow you to highlight and promote local talent, ranging from Presidents who can serve as cybersecurity advocates (VASCAN conference featured JMU's President Linwood Rose) to policy and technical experts.

Accordingly, despite the efforts of the Security Task Force to create national forums (such as the Security Professionals Conference) or regional professional development opportunities (such as the pre-conference seminars provided at the EDUCAUSE Regional Conferences), we are also eager to support and promote state and regional efforts that are organized by member institutions. A listing of State/Regional Cybersecurity Events for Higher Education is maintained on our web site. Please keep us informed of your activities (send event notifications to Security-Task-Force@educause.edu) and let us know if you need any assistance in identifying speakers or program content.

We are pleased to see local alliances and partnerships emerge that in turn support the broader national and international efforts to secure cyberspace.

ITConversations.com has audio of the Gnomedex 4.0 Panel on Security available on it's web site. Their abstract suggests that these questions will be addressed:

"Are hardware methods superior to software? How do memory-managed languages help? How can we make security management within the skill set of the average user? Is automation the answer? Should upgrades be mandated? Should there be a security tax for those who don't upgrade their systems. DRM: Does it increase security risks? And what attacks should we expect in the future?"

Last week was a busy week on the cybersecurity front.  It was so eventful that my blog postings this week are in an effort to catch up with what may already be old news!  However, an event held earlier in the week, the Cybersecurity Summit 2004 organized by the National Center for Atmospheric Research, has not been broadly publicized and is worth a few summary notes and observations.

The purpose of this invitation-only Summit was to share information about recent security intrusions, to emphasize security best practices, and to develop a trust network among participants in which methods of communication for future security events will be explored.  Breakout discussion sessions focused on user education and policies, education and policies for sysadmins, intrusion detection and network security, protection of host computer systems, and security implications for grid computing.

The discussions regarding the security incidents of this past year that impacted supercomputing centers and others was confidential and will not be recanted here.  However, among the most important lessons from those incidents and the corresponding discussions during the breakout groups was the need for better coordination and information sharing among the individuals responsible for incident handling.

A few concluding observations:

• The security challenges of supercomputing centers are not really all that different from those confronted by institutions of higher education.  However, since many of the centers are co-located at major research universities, there is a lot of similarity between the needs of the centers and those generally experienced by the Internet2 community.
• While “incident handling” is a broad concept, there were generally two recommendations that emerged from the workshop.  First, the need for more automated tools to assist sysadmins in conducting forensics and analyzing intrusions.  Second, the need for a trusted network of incident handlers for information sharing.
• There was a general consensus that workshops of this type should be repeated as a way to increase awareness about security incidents and to bring together sysadmins and incident handlers for professional development and human networking.
• There is a need for security training and professional development opportunities for sysadmins that is not being currently met by EDUCAUSE, Internet2, or other entities.
• There was a large amount of unawareness about the activities of the EDUCAUSE/Internet2 Security Task Force and the REN-ISAC to address some of the needs identified at the Summit as well as issues raised during previous workshops organized by the task force, also funded by NSF.

The above observations are not meant as criticism of the workshop organizers or the attendees.  There are real concerns that point out that much work remains to be done and there is a need for greater outreach by the Security Task Force to the affected communities.  These observations along with new relationships developed during the Summit will lead to further conversations, I am sure, and a re-assessment of the Security Task Force strategies in light of the issues identified.

$92 million was the price tag attached to an out of court settlement that ended entry into trial's damages phase where Kodak was seeking more than one billion in lump-sum royalites.

• Read more about this case at USA Today

I attended two Congressional hearings last week that underscore the importance of securing information systems that contain Social Security Numbers (SSN) and that further mark the trend to discourage SSN use as identifiers except for limited purposes.

The House Government Reform Subcommittee on Technology and Information Policy in a hearing on identity theft explored the growing instances of electronic data theft. Patrick O'Carroll, Acting Inspector General of the Social Security Administration, in his testimony described how SSN's printed on university student ID cards make the owners of these SSN's potential targets. He also described a recently discovered offer to sell up to 10,000 SSN's with matching names on eBay which were traceable to the University of North Carolina at Pembroke where SSNs serve as the identifiers for its staff, current students, and applicants.

The House Subcommittee on Commerce, Trade, and Consumer Protection also held a hearing on H.R. 2971, the Social Security Privacy and Identity Theft Prevention Act of 2003, that would make it an unfair and deceptive trade practice under the Federal Trade Commission Act for any person to refuse to do business with an individual because the individual will not consent to that person's receipt of the Social Security number. Testimony provided by Barbara Bovbjerg from the U.S. Government Accountability Office warns:

The use of SSNs by both private and public sector entities is likely to continue, but the more frequently SSNs are used, the more likely they are to be misused given the continued rise in identity crimes. In considering restrictions to SSN use, policy makers will have to balance the protections that could occur from such restrictions with legitimate business needs for the use of SSNs.

The GAO Report ("SOCIAL SECURITY NUMBERS: Use Is Widespread and Protections Vary in Private and Public Sectors") is a useful resource, especially the discussion on pages 7-8 of restrictions placed upon SSN use as a result of federal laws and summary of state laws on pages 8-9. Additionally, if you are considering the elimination of SSNs as primary identifiers (a recommendation of the Security Task Force), then I would refer you to the resources that we have assembled at http://www.educause.edu/ir/library/pdf/EDU0349.pdf

Forget about the Abbott and Costello comedy act about "who's on first?" (in the spirit of the beginning of the baseball playoffs). The more comical routine in Washington, D.C., these days (among the many to choose from) is the question of "who's in charge of cybersecurity at DHS?" Actually, it is not a very funny topic because it concerns a very serious matter. Amit Yoran, director of the National Cyber Security Division, is the latest in a series of departures of individuals who were at the helm of our national strategy.

There has been much speculation in the media as to whether or not Yoran was frustrated by his lack of authority and placement three layers below Secretary Tom Ridge. Although I don't disagree with recent Congressional proposals to elevate the importance of cybersecurity (and I am sure that Yoran would have appreciated the promotion), I think there are other reasons behind his sudden departure. I was with Yoran at a National Press Club event on Thursday morning where he was announcing DHS's support of National Cyber Security Awareness Month and had a hallway conversation with him where he was very engaged regarding cybersecurity training and education. My last words to Yoran were "See you this afternoon" in reference to his scheduled testimony before a Senate committee regarding the security of Internet root servers. When he unexpectedly did not appear at the hearing and an aide was forced to read his written testimony, the news of his "abrupt resignation without notice" on the next day took on new significance for me. While I have theories as to what might have went wrong in those final hours/minutes, I will not speculate here.

Most importantly is the question of what does this mean for higher education? Arguably, DHS and their various programs and initiatives will have little impact - for good or bad - on colleges and universities across the United States. Of course, there is SEVIS, foreign student VISA's, and constraints on security-related research that impact faculty and students. Nonetheless, Yoran's departure from DHS is very unfortunate in many respects. First, Yoran had an affection for higher education that I experienced first-hand. I first met Amit, a few week prior to him beginning his new role at DHS, where he was giving a guest lecture to a group of students at Georgetown University where his wife is also an adjunct faculty member. He also had many close advisors from academia. Second, he had a unique appreciation for the role that higher education played in the cybersecurity of America - as a source of future leaders through our core mission of teaching and learning, as a basic source of much of our new knowledge and subsequent technologies as a result of research and discovery, and as operators of some of the world’s largest collections of computers and high-speed networks. He provided similar remarks at the EDUCAUSE Policy Conference this past Spring. Finally, in the pursuit of public-private partnerships, he consistently included EDUCAUSE, the Security Task Force, and other higher ed partners in both the strategic discussions as well as tactical efforts to implement the National Strategy to Secure Cyberspace. While it is certainly possible for his successor to do the same, it is unfortunate that we will potentially have to begin anew the process of informing, educating, and possibly convincing the national cybersecurity leadership of the important role that higher education plays in this public policy space.

I wish Amit Yoran well. He will land on his feet and we are all the better for his leadership this past year. Despite his polite remarks in press accounts that I have read, there are serious systemic problems that remain. The good news is that we've become accustomed to the "revolving door" - now at DHS and previously in the White House when cybersecurity was headquartered in the Executive Office. So, we will stay the course and do our best to keep the new leadership honest and forge a partnership that will hopefully be as productive as what we experienced under former cybersecurity czar Richard Clarke, Howard Schmidt, and most recently Amit Yoran.

For some press accounts of Yoran's sudden departure, see:

• Yoran Quits DHS (Federal Computer Week)
• U.S. Cybersecurity Chief Resigns (CNN)
• U.S. Cybersecurity Chief Abruptly Resigns (Forbes)
• Top U.S. Cyber-Security Official Resigns (Washington Post)

In a sign that ebook world continues to capture the attention and imagination of folks throughout the world, BodhTree has joined the likes of e-ink and Gyricon in developing an ePaper solution. If ePaper type solutions and Flexible OLEDs begin appearing in production at low cost, and with longer battery life, ebooks may yet prove a more pervasive force in publishing, but I suspect it will be some time for it to materialize.

For more on the BodhTree anouncement, read:

• http://www.expresscomputeronline.com/20041004/indianews05.shtml