So now I'm moving my prose stylings over to a Wired News blog called 27B Stroke 6. I for one welcome my Lycos overlords.

Kevin describes the new site like this: "Investigative reporter Ryan Singel and senior editor Kevin Poulsen scare peace-loving people with phantoms of lost liberty, in a daily briefing on security, freedom and privacy in the wired world."

I love this little blog and will post here irregularly, but the new blog is gonna be even better more greater.

Sorry to mess with your bookmarks, but remember, we are all in this together.

For those who want to update their RSS readers, here's the XML file for 27B Stroke 6.

Technorati Tags: 27BStroke6, 27B Stroke 6, Kevin Poulsen, Ryan Singel

The Transportation Security Administration announced the latest timetable and specifications Thursday. While each airport could be run by a different company, which will have to pay for its own security lanes, screeners and registration process, a traveler registered with one company will be able to use the lanes at other airports.

But the press release is vague on what the benefits for travelers will be:

In order to enter the RT program, applicants must provide biographic information, which will be verified and authenticated to safeguard against the use of a false or stolen identity. All applicants must undergo a TSA Security Threat Assessment that includes perpetual vetting. When traveling, an RT participant must confirm his or her identity at an RT station using biometrics (fingerprints or iris). RT participants will still be required to pass through the metal detector, have their carry-on and checked luggage screened, and will be subject to secondary screening by TSA if they trigger an alarm. Consistent with TSA policies, an element of randomness will also be integrated into Registered Traveler to ensure unpredictability and disrupt potential efforts by terrorists to thwart the system.

The release also alludes to benefits: "While the combination of benefits and security measures available at each participating airport may vary, all RT travelers should receive an expedited and more convenient checkpoint experience." However if participants still have to have their luggage checked and could get secondary screening randomly, I don't see what the benefits are? Shorter lines? Snappier dressed security personnel? Free Starbucks while waiting in line? The feeling that while we are all in this together, some of us are more all in this than others?

In order to break up the tedium of scanning bags full of books and cosmestics, the TSA uses software that randomly inserts images of bags with explosives and weapons. A few seconds later, hopefully after the screener identifies the bag as a threat, the software is supposed to flash a message that the image is fake.

Only this time it didn't.

While screening carry-on luggage, a TSA employee identified the image of a suspicious device but did not realize it was part of routine testing for security screeners because the software failed to indicate such a test was under way, [Transportation Security Administration Director Kip] Hawley said.

Authorities evacuated the security area for two hours while searching for the suspicious device, causing flight delays and forcing travelers who could not get through to the terminals to wait outside the airport.

Link.

Two thoughts. One, I'm surprised this hasn't happened more often. And two, systems, especially one as sprawling as the air transportation system, are fragile. For over three years now, the TSA has been working to take the job of checking passengers' names against a terrorist watchlist out of the hands of individual airlines and centralize the checks in D.C. What happens to airline travel if the government's planned computer system goes down? Is that an acceptable risk?

I found the host of the responsible site and reported the abuse.

I also dropped a note to the spammer, who lives in Mexico. He wrote me back saying his spam wasn't illegal and that my IP ban wouldn't work and that his ISP wouldn't disconnect him.

HostGator took his site down minutes later.

No hosting company wants to lose a customer, so I'm super impressed with these folks.

For those who don't run blogs, this may seem not to be a big deal, but blog spam is really tedious and really tough to shut down. I highly appreciate any help I can get keeping these folks off my site.

Their butter is better than normal capitalist butter:

It also has a butter-fat content of 87 percent, significantly higher than other butters made in the United States and the equivalent of the finest French butters. This makes Animal Farm butter superb for pastry-making - as well as for every other use.

(brazenly borrowed from A. Shostack)

The TSA has also been unable to score any touchdowns with a computerized passenger-screening system known as CAPPS II or Secure Flight. Congress and its investigative arm, the Government Accountability Office, have repeatedly forced the TSA to punt.

TSA hopes Pietra, who will be working with halfback/Privacy Officer Lisa Dean, will help the TSA overtake the FBI and NSA in the NPL's Federal Agency Conference, according to today's announcement.

"The devotion of increased resources and expertise to TSA privacy programs is expected to make the agency a leader in privacy efforts within DHS and the Federal government as a whole. With the anticipated launch of several programs, including TWIC, Registered Traveler and Secure Flight, it's critical the agency is poised to meet the workload and improve communication with stakeholders and the traveling public."

Pietra says he's just happy to get a shot at the bigs.

"We gotta play privacy impact assessments one day at a time. I'm just happy to be here. Hope I can help the agency," Pietra said. "I just want to give it my best shot, and the good Lord willing, things will work out."

That customer? Judge Vaughn Walker, the San Francisco District Chief Judge who is assigned to the case.

In an order Walker released today, the judge told the parties that he was an AT&T phone customer when the case was assigned to him, so he switched telecom providers to avoid a conflict of interest. Walker did not say what company he switched to, or if he got a better long distance rate.

Being a former AT&T customer also makes him a potential member of the class suing AT&T, so he foreswore any money he might be entitled to.

Walker is not recusing himself, however, and cited a number of cases supporting his position. He also mentions that if he had to do so, so too would almost every judge in the district since it's highly likely that some member of every judge's family was an AT&T subscriber. Walker is giving both AT&T and the EFF a week to file briefs agreeing or disagreeing (or in AT&T's case, to offer him free conference calling if he comes back into the fold). After that, Walker says he will stat to rule on the flurry of motions filed this week.

Full recusal order here. (.pdf)

Now that we have them, it's far from clear that the average phoner wants video for routine calls like ordering a pizza or checking in with mom and dad. But one community is certain of the videophone's benefits: the deaf.

An FCC program for the deaf sounds like the modern equivalent of ringing Mabel the operator down at the phone exchange so she can patch through your call. Assuming, of course, that Mabel has signing skills.

The system, called video relay services, or VRS, is proving a godsend to the deaf and hearing-impaired, allowing them to communicate using American Sign Language through a translator to a third party.

Increasing numbers of the hearing-impaired are now using various sorts of video phones with VRS to place calls to each other and to the hearing world.

VRS providers are paid approximately $6 a minute by the FCC from a tax levied on every U.S. phone bill. That makes VRS an expensive replacement for conventional TDD-based services, in which an operator relays between a deaf person typing on a computer terminal and a hearing person on the phone. Those calls cost the FCC about $1 a minute.

But the technology is a quantum leap for deaf people, according to Pat Nola, CEO of Sorenson Communications, the nation's largest VRS provider.

For the deaf, switching to the new service is like a hearing person going from Morse code to a telephone, says Nola.

Full story here.

Josh, a reader, writes in to chide me for not including Captioned Telephone as part of the story:

From what I understand, the majority of the deaf and hard of hearing community can still speak. This technology allows a normal telephone conversation to take place with the operator uses voice recognition to provide real-time captions of the phone call. I know several people that use this and it seems much less cumbersome than a video conference system.

That does sound interesting and I didn't include it in the story because I hadn't run it across it in my reporting. Score another point for my readers being smarter than I am.

In papers filed late Monday, AT&T argued that confidential technical documents provided by an ex-AT&T technician to the Electronic Frontier Foundation shouldn't be used as evidence in the case and should be returned.

The documents, which the EFF filed under a temporary seal last Wednesday, purportedly detail how AT&T diverts internet traffic to the National Security Agency via a secret room in San Francisco and allege that such rooms exist in other AT&T switching centers.

The EFF filed the class-action lawsuit in U.S. District Court in Northern California in January, seeking damages from AT&T on behalf of AT&T customers for alleged violation of state and federal laws.

Mark Klein, a former technician who worked for AT&T for 22 years, provided three technical documents, totaling 140 pages, to the EFF and to The New York Times, which first reported last December that the Bush administration was eavesdropping on citizens' phone calls without obtaining warrants.

Klein issued a detailed public statement last week, saying he came forward because he believes the government's extrajudicial spying extended beyond wiretapping of phone calls between Americans and a party with suspected ties to terrorists, and included wholesale monitoring of the nation's internet communications.

The rest of today's story is here. Earlier stories on the lawsuit (1 , 2,3)

Technorati Tags: narus, nsa, eff, at&t, mark klein

The engineers at Narus weren't intending to create Big Brother's dream machine when they began writing software a decade ago to help phone companies send out more detailed bills.

But as the Mountain View company's code became more and more sophisticated, customers began to discover new uses for software that was originally designed to monitor and analyze network traffic.

Now Narus finds itself at the center of a legal fight over domestic spying.

[...]

Narus executives confirm AT&T is a customer but say they do not know how the telecommunications giant uses its software. ``Once our customers buy our product, it's relatively opaque to us,'' said Steve Bannerman, vice president of marketing.

Narus CEO Greg Oslan said the company's software is designed to allow carriers to monitor all Internet traffic, including Web searches, e-mail content and attachments, and Internet phone calls.

Full story here.

Kirk Nahra's essay essay for Privacy in Focus is a prime example of that hand-wringing. Nahra, a partner at the law firm of Wiley Rein & Fielding, described the settlement holding Datran responsible for checking the privacy policy of the database it wanted to deluge with emails as an "Alice-in-Wonderland result."

The settlement appears to impose a new "due diligence" obligation on the vendor to understand and review the privacy policy of its principals and sub-vendors to make sure that the data supplier isn't doing something wrong in providing data.

How far will this go? Does the vendor have to review underlying consents? Does the vendor have to engage in an audit of the list supplier's privacy practices? How does this new vendor-to-vendor due diligence obligation affect the already growing client-to-vendor oversight obligations?

Obviously, it is too soon to know the full implications of this case-including whether there are any real implications beyond this specific set of facts and companies. It is clear, however, that the Datran settlement adds a new and difficult dimension to vendor contracting, making it even more time consuming and burdensome to retain vendors for any activity that involves personal information. Is that really a result that protects people's privacy?

Weirdly, Nahra mentions the follow-up lawsuit against Gratis Internet, but it seems Nahra couldn't be bothered to read the filings, which might have answered some of his questions.

For instance, according to Spitzer's allegations, which rely heavily on documents and emails obtained during the investigation, Datran employee Susan Weiner asked Gratis Internet to change its privacy policy retroactively, after Datran entered into a contract with Gratis. If true, and Datran's settlement indicates it was, is there any wonder Spitzer considered Datran negligent?

And really, so what if Spitzer sets a precedent that list buyers have to check the privacy policies of the databases they want to buy or rent? Really, how hard is it to check a privacy policy before you buy millions of pieces of intimate information on American citizens? It's at most a couple of clicks. I do that before buying batteries online.

bewert looked into the machine alleging Narus STA 6400, did a little math and parsing of some public statements to find that the machine was capable of monitoring 39,000 DSL lines at any one time.

Prior to 9/11 Narus worked on building carrier-grade tools to analyze IP network traffic for billing purposes, to prevent what they term "revenue leakage". Post-9/11 they have continued down that path while adding more semantic monitoring abilities for surveillance purposes. They even brought in former Deputy Director of the NSA William P. Crowell as an addition to their Board of Directors. [...]

Remember that semantics is not just the data, but rather the meaning of the data. It looks at the data in a more comprehensive way than looking for keywords. Each NarusInsight machine does this at 2500 million bits per second, in real-time.[...]

These capabilities include playback of streaming media (i.e. VoIP), rendering of web pages, examination of e-mail and the ability to analyze the payload/attachments of e-mail or file transfer protocols. Narus partner products offer the ability to quickly analyze information collected by the Directed Analysis or Lawful Intercept modules. When Narus partners' powerful analytic tools are combined with the surgical targeting and real-time collection capabilities of Directed Analysis and Lawful Intercept modules, analysts or law enforcement agents are provided capabilities that have been unavailable thus far.[...]

AT&T provided NSA eavesdroppers with full access to its customers' phone calls, and shunted its customers' internet traffic to data mining equipment installed in a secret room in its San Francisco switching center, according a former AT&T worker cooperating in the Electronic Frontier Foundation's lawsuit against the company.

Mark Klein, a retired AT&T communications technician, submitted an affidavit in support of the EFF's lawsuit this week. That class action lawsuit, filed in federal court in San Francisco last January, alleges that AT&T violated federal and state laws by surreptiously allowing the government to monitor phone and internet communications of AT&T customers without warrants.

On Wednesday, the EFF asked the court to issue an injunction prohibiting AT&T from continuing the alleged wiretapping, and filed a number of documents under seal, including three AT&T documents that purportedly explain how the wiretapping system works.

According to a statement released by Klein's attorney, an NSA agent showed up at the San Francisco switching center in 2002 to interview a management-level technician for a special job. In January 2003, Klein observed a new room being built adjacent to the room housing AT&T's #4ESS switching equipment, which is responsible for routing long distance and international calls.

"I learned that the person whom the NSA interviewed for the secret job was the person working to install equipment in this room," Klein wrote. "The regular technician workforce was not allowed in the room."

Klein's job eventually included connecting internet circuits to a splitting cabinet that led to the secret room. During the course of that work, he learned from a co-worker that similar cabinets were being installed in other cities, including Seattle, San Jose, Los Angeles and San Diego.

"While doing my job, I learned that fiber optic cables from the secret room were tapping into the WorldNet (AT&T's internet service) circuits by splitting off a portion of the light signal," Klein said wrote.

The split circuits included traffic from peering links connecting to other internet backbone providers, meaning that AT&T's was also diverting traffic routed from its network to or from other domestic and international providers, according to Klein's statement.

The secret room also included data-mining equipment called a Narus STA 6400, "known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets," according to Klein's statement.

Full story here. Justin Scheck of The Recorder had the story first, and has some great info on the story and Klein's lawyer, Miles Ehrlich, a former U.S. attorney, over at the CalLaw's blog, Legal Pad.

Fax? I mean that's not even retro enough to be cool. If they said, Citizen's Band radio or shortwave radio, or even better, telegrams, that would be cool. But faxes? That's 1980's uncool, like Alex P. Keaton uncool. Since I don't feel like wasting toner and paper on routine press releases, I did some quick research on e-faxes and found one place that might not cost more than $30 a year for a phone number somewhere in Chicago that will forward PDFs to my inbox.

But that's just absurd -- I ain't wasting cash on an e-version of an outmoded technology. BUT, Spitzer's office does have a web page with press releases (although I don't know if the faxes come before or after the news is posted online).

So to help you intrepid reporters and bloggers out there who also think a faxed press release is just stinking stupid, I used FeedTier to create an RSS feed of the press releases, and then used RSSFWD: to create a press list from the RSS feed (subscribe here). Don't tell Spitzer though, he'd probably find some statute to sue me with.

I'm fairly certain that Horvath has no power to subpoena documents (Homeland Security's chief privacy officer doesn't) so any investigation she starts will rely on voluntary cooperation and whatever institutional leverage she has. If AG Gonzales isn't on her side, then she won't get anywhere in investigations.

Of course, there's a great irony of being a privacy cop without subpoena power when your job is to oversee cops with the power and the inclination to write their own subpoenas (say a National Security Letter demanding an airline turn over its passenger database) and use that data however they wish, including using it to build out a massive data-ming operation.

Horvath might get a feel for the job and not alienate too many people internally by starting with a close look at the DOJ's use of private data aggregators (think privatized intelligence gathering operation) such as Axciom, Choicepoint and LexisNexis. The GAO just released a study (.pdf) which found that these information gatherers don't really follow Fair Information Practices and that federal agencies, including the DOJ, don't always follow them either.

For example, the principles that the collection and use of personal information should be limited and its intended use specified are largely at odds with the nature of the information reseller business, which presupposes that personal information can be made available to multiple customers and for multiple purposes.[...]

Resellers generally limit the extent to which individuals can gain access to personal information held about themselves, as well as the extent to which inaccurate information contained in their databases can be corrected or deleted.

For more see, Robert O'Harrow, Jr.'s Washington Post story and the GAO's testimony (.pdf). to Congress yesterday.