Subject: Re: SSSCA - Analysis (Q&D)
From: Ben_Tilly@trepp.com
Date: Mon, 10 Sep 2001 19:49:02 -0400


Karsten Self wrote:
> ...and not altogether unbiased.
>
I think that in this case, "bias" is a perfectly reasonable reaction.

> I'd be interested to hear other's reads of this, I think I'm on
> relatively firm ground for most of the analysis here, but it's pretty
> breathtaking.
>
Well, my reaction is that you underestimated this entirely.  By several
orders of magnitude.

I believe that this is Microsoft's game plan.  This is how they intend
to achieve World (or at least US) Domination.  If others read and agree
with my analysis, then I think our natural allies are companies like Sun,
IBM, AOL, and Sony.  They just need to have the true implications
explained in clear terms to them to realize what is going on.

> ------------------------------------------------------------------------
>
> Looks like this might be what our CPRM friends have been up to, among
> others.
>
> A (very quick and dirty) analysis of SSCA.
>
I think you overlooked the meat of this.
>
> | ========================================================================
> |
> | [19 pages]
> | [header] S:\SP5HR\LEGCNSL\XYWRITE\COMMS\COPYRITE.5A
> | [footer] August 6, 2001 (10:37 a.m.)
> |
> |
> |            [STAFF WORKING DRAFT]
> |                AUGUST 6, 2001
> |
> |     107TH CONGRESS
> |     1ST SESSION
> |
> |            S.____________
> |
> |
> |     To provide for private sector development of workable security
> |     systems standards and a certification protocol that could be
> |     implemented and enforced by Federal regulation, and for other
> |     purposes.
> |
What other purposes?

> |       ----------------------------------------
> |
> | IN THE SENATE OF THE UNITED STATES
> | SEPTEMBER __, 2001
> |
> | Mr. HOLLINGS (for himself and Mr. STEVENS) introduced the following bill
> | which was read twice and referred to the Committee on _________________.
> |
> |       ----------------------------------------
> |
> |
> |                A BILL
> |
> |
> |     To provide for private sector development of workable security
> |     system standards and a certification protocol that could be
> |     implemented and enforced by Federal regulations, and for other
> |     purposes.
>
> E.g.:  the US Government is going into the business of specifying and
> enforcing security standards.
>
Note that, by omission, public sector development is excluded.

> |     Be it enacted by the Senate and House of Representatives of the
> |     United States of America in Congress assembled,
> |
> |
> |
> | SECTION 1.  SHORT TITLE:  TABLE OF SECTIONS.
> |
> |     (a) SHORT TITLE. -- This Act may be cited as the "Security Systems
> |     Standards and Certification Act".
> |
> |     (b)  TABLE OF SECTIONS. -- The table of sections for this Act is as
> |     follows:
> |
> |  Sec 1.  Short title, table of sections.
> |  Sec 2.  Findings.
> |
> |           TITLE 1 -- SECURITY SYSTEM STANDARDS AND CERTIFICATION
> |
> |  Sec 101.  Prohibition of certain devices.
> |  Sec 102.  Preservation of the integrity of security.
> |  Sec 103.  Prohibited acts.
> |  Sec 104.  Adoption of security system standards.
> |  Sec 105.  Certification of technologies.
> |  Sec 106.  Federal Advisory Committee Committee Act Exemption.
> |  Sec 107.  Antitrust Exemption.
> |  Sec 108.  Enforcement.
> |  Sec 109.  Definitions.
> |  Sec 110.  Effective date.
> |
> |           TITLE II -- INTERNET SECURITY INITIATIVES
> |
> |  Sec 201.  Findings.
> |  Sec 202.  Computer Security Partnership Counsel.
> |  Sec 203.  Research and development.
> |  Sec 204.  Computer security training programs.
> |  Sec 205.  Government Information Security Standards.
> |  Sec 206.  Recognition of quality in computer security practices.
> |  Sec 207.  Development of automated privacy controls.
> |
> |
> |
> | Sec 2.  Findings.
> |
> |            (TO BE SUPPLIED)
>
> Note that the justifications for this act have yet to be enumerated.
> "It's good for you, we'll die without it, it will bring forth a Grand
> New Age of Prosperity For All".
>
> Why am I not convinced?
>
> Watch this space.
>
Now, now.  Don't be so naive.

I suspect that it is much worse than you think.
>
> |           TITLE 1 -- SECURITY SYSTEM
> |                STANDARDS
> |
> | Sec. 101.  PROHIBITION OF CERTAIN DEVICES.
> |
> |     (a) IN GENERAL -- It is unlawful to manufacture, import, offer to
> |     the public, provide or otherwise traffic in any interactive digital
> |     device that does not include and utilize certified security
> |     technologies that adhere to the security system standards adopted
> |     under section 104.
>
> As this is written and terms defined, it effectively outlaws free
> software.  It violates the terms of the GNU GPL, and the definitions of
> FSF Free Software and OSI Open Source.
>
I don't agree with that.  If the free software includes certified
security technologies, then it is just fine.

Instead I see this as banning items of software like these:

 - ls
 - diff
 - patch
 - bash
 - emacs
 - vi
 - perl
 - python

and so on.  All software which by reason of function has every reason
to not include and utilize "certified security technologies".  What
security technologies need to be used in a text editor?  Security
there is an issue that is up to the OS.

However the following items of software would have reason to include
and utilize security systems:

 - OpenSSH
 - Microsoft Word
 - Adobe Acrobat

Also note that while this devastates a system which consists of many
tools, which are independent but cooperate well together (eg Unix),
it does not mean much to a system where every component participates
in a common security infrastructure (eg Microsoft's .NET).

> "Offer to the public" and "provide or otherwise traffic in" would apply
> to common modes of distribution of free software.  As defined in 109,
> "interactive digital device" includes "software".
>
Note that "offer to the public" and "provide" arguably include even
such distribution mechanisms as posting to public technical forums.
Care to speculate on the potential impact of that to Usenet, mailing
lists, and websites?  Of course those are also potential rallying
points for people who would oppose Microsoft Everywhere.  For reasons
why that matters, read on.

[...]
> Note that the safety/security aspects of this measure can be accomplished
> by legislating effects (liability for security compromise) rather than
> means (software/hardware).  At far less impact on civil liberties, I
> might add, but the Estimable Senators of SC and AK clearly don't care.
>
This is an excellent point.  History shows that companies are much
more motivated by potential liabilities than by government imposed
standards.  A bill that contains no provisions for detracting from
liabilities is going to fail in the goal of security.  Therefore it
is unlikely that security is the true goal of this bill.

> |     (b) EXCEPTION -- Subsection (a) does not apply to the offer for sale
> |     or provision of, or other trafficking in, any previously-owned
> |     interactive digital device, if such device was legally manufactured
> |     or imported, and sold, prior to the effective date of regulations
> |     adopted under section 104 and not subsequently modified in violation
> |     of subsection (a) or 103(a)
>
> This effectively prohibits free modification of free software.
>
Or at least the free software that is not allowed under the previous
terms.
> |
> | Sec. 102.  PRESERVATION OF THE INTEGRITY OF SECURITY.
> |
> |     An interactive computer service shall store and transmit with
> |     integrity and security measures associated with certified security
> |     technologies that is used in connection with copyrighted material or
> |     other protected content such service transmits or stores.
>
> This effectively mandates security levels, practices, and procedures to
> be used by any binary device.  See definitions section 109 below.

Am I wrong in thinking that this can be construed as making a plain
text editor illegal?  After all by typing my words into the editor
and saving I create copyrighted material, and my words have not been
protected from further modification.  Therefore plain text is in one
stroke banned as a method of disseminating information.  Closed
document formats like Microsoft Word are fine.  Most open ones like
XML, HTML, TeX, and so on are not.

> |
> | Sec. 103.  PROHIBITED ACTS.
> |
> |     (a) REMOVAL OR ALTERATIONS OF SECURITY. -- No person may--
> |
> |  (1) remove or alter any certified security technology in an
> |  interactive digital device; or
> |
Does this make chmod illegal?  It depends.  Only if the Unix
permission system is certified.  That is a damned if you do and
damned if you don't situation.  Make it certified and the Unix
permission system becomes illegal to manage.  Make it not
certified and Unix becomes illegal to sell.  What flavour of
poison would you prefer?

> |  (2) transmit or make available to the public any copyrighted
> |  material or other protected content where the security measure
> |  associated with a certified technology has been removed or
> |  altered.
>
> I'd be repeating myself.  Outlaws/restricts free software, modification
> of, and/or distribution of.
>
It also outlaws copying words out of Microsoft Word and pasting that
text into your email.  Also note that no exemption has been provided
based on being the copyright holder.  For instance if I wrote a
document in Microsoft Word and then proceeded to produce a version
in pdf form, that would be illegal unless they used THE SAME security
technology.

Kiss interoperability goodbye.

> |     (b)  PERSONAL TIME-SHIFTING COPIES CANNOT BE BLOCKED. -- No person
> |     may apply a security measure that uses a certified security
> |     technology to prevent a lawful recipient from making a personal copy
> |     for time-shifting purposes of programming at the time it is
> |     lawfully performed on an over-the-air broadcast, non-premium cable
> |     channel, or non-premium satellite channel, by a television broadcast
> |     station (as defined in section 122(j)(5)(A) of title 17, United
> |     States Code), a cable system (as defined in section 111(f) of such
> |     title), or a satellite carrier (as defined in section 119(d)(6) of
> |     such title).
>
> Interesting.
>
> We're going to shit on the IT sector and free software.  But we're not
> going to disturb the masses who want to tape the football game, last
> night's WWF (too drunk to watch), or the afternoon's episode of As the
> World Churns (economy's in the tank, Mom's got to work).

More interesting.  By having made the exemption so narrow they make it
legal to watch the show at a different time.  They make it illegal by
omission to skip the ads.  That is a nice little bone for the content
providers...
> |
> |
> | Sec. 104.  ADOPTION OF SECURITY SYSTEM STANDARDS.
> |
> |     (a) CRITERIA. -- In achieving the goals of setting standards that
> |     will provide effective security for content and certifying as many
> |     conforming technologies as possible to develop a competitive and
> |     innovative marketplace, the following criteria shall be applied to
> |     the development of security system standards and certified security
> |     technologies:
> |
> |  (1) Reliability.
> |  (2) Renewability.
> |  (3) Resistance to attack.
> |  (4) Base of implementation.
> |  (5) Modularity.
> |  (6) Applicability to multiple technology platforms.
>
> Estimable goals, but why not allow these to emerge otherwise?

My question is what it means to apply a criterion to a technology.

I also note, with interest, that they include renewability (which
could be interpreted as including the ability to retroactively retract
your ability to view content) but they do not include
interoperability as a goal.  Considering how many ways they have
already made non-interoperability trivial to achieve, that is likely
not an accidental oversight.

> |     (b) PRIVATE SECTOR EFFORTS. --
> |
> |  (1) IN GENERAL. -- The Secretary shall make a determination,
> |  not more than 12 months after the date of enactment of this Act,
> |  as to whether --
> |
> |      (A) representatives of interactive digital device
> |      manufacturers and representatives of copyright owners have
> |      reached agreement on security system standards for use in
> |      interactive digital devices; and
> |
> |      (B) the standards meet the criteria in subsection (a).
>
> Security standards are to be established by executive fiat.
>
The flip side of being established by executive fiat is that the
certification is in no danger if the certified standard is later
found to fail all of the criteria.  And there is no discussion
anywhere on incentives for the Secretary to be honest here.  How
much does one man cost?

> |  (2) EXTENSION OF 12-MONTH PERIOD. -- The Secretary may, for good
> |  cause shown, extend the 12-month period in paragraph (1) for a
> |  period of not more than 6 months if the Secretary determines
> |  that --
> |
> |      (A) substantial progress has been made by those
> |      representatives toward development of security system
> |      standards that will meet those criteria;
> |
> |      (B) those representatives are continuing to negotiate in
> |      good faith; and
> |
> |      (C) there is a reasonable expectation that final agreement
> |      will be reached by those representatives before the
> |      expiration of the extended period of time.
>
> We'll allow corporate collusion for a reasonable amount of time, and
> then some.
>
I think you have completely missed this one.  The representatives
have 12 months to show progress and no more than 6 more months to
finish completely reworking their standards.  Interoperability is
not a goal.  These deadlines are hard.  There are no rules set forth
about who those representatives are.

This move *STRONGLY* favours single-vendor attempts to produce
security protocols.  It offers no incentive for those vendors to
allow others input into the process, and it offers no incentive for
those vendors to allow others into the process, and indeed the time
limits offer significant disincentives for sharing.  Furthermore
this effort will favour any vendor who already has plans in the works
to provide for putting security measures in every single application.

As far as I know, the ONLY vendor who fits this profile right now is
based in Redmond.  Their infrastructure is called .NET, and the
security profile is called Hailstorm.  This profile is emphatically
not achievable by the security system of any other system in
widespread use today.

If this analysis is correct, and at the moment it is looking correct
to me, I think that this point needs to be made loudly and clearly
to every vendor in the industry other than Microsoft.  This is a
blatant attempt to make all software produced by competitors to
Microsoft illegal.  If any of you have contacts at companies like Sun,
IBM, Oracle and so on, then I would appreciate your making this
passage and my interpretation of it known to them.  Likewise if you
know any IT reporters, I think that this is the correct spin for them
to report on this issue.

> |     (c)  AFFIRMATIVE DETERMINATION. -- If the Secretary makes a
> |     determination under subsection(b)(1) that an agreement on security
> |     system standards that meet the criteria in subsection (a) has been
> |     reached by these representatives, then the Secretary shall --
> |
> |  (1) initiate a rulemaking within 30 days after the date on which
> |  the determination is made to adopt these standards; and
> |
> |  (2) publish a final rule pursuant to that rulemaking not later
> |  than 90 days after initiating the rulemaking that will take
> |  effect 1 year after its publication.
> |
Microsoft's representatives have a proposal and have definitely
reached agreement on a system which they claim meets all of the
above criteria.  They therefore have 12 months in which to submit
their proposal (and possibly to round up a few partners), after
which it becomes a certified government standard within 4 months
following.

> |     (d) NEGATIVE DETERMINATION. -- If the Secretary makes a determination
> |     under subsection (b)(1) that an agreement on security system
> |     standards that meet the criteria in subsection (a) has not been
> |     reached by those representatives, then the Secretary --
> |
> |  (1) in consultation with the representatives described in
> |  subsection (b)(1)(A), the National Institute of Standards and
> |  Technology and the Register of Copyrights, shall initiate a
> |  rulemaking within 30 days after the date on which the
> |  determination is made to adopt security system standards that
> |  meet those criteria to provide effective security for
> |  copyrighted material and other protected content; and
> |
> |  (2) publish a final rule pursuant to that rulemaking not later
> |  than 1 year after initiating the rulemaking that will take
> |  effect 1 year after its publication.
>
> If corporate collusion doesn't work, government mandate shall establish
> the standard.
>
Oh, I really don't think that collusion is in Microsoft's game plan.

There are 12 months to show progress and no more than 18 months to
come to a final decision.  What is the _fastest_ that you have ever
seen any real multi-vendor organization achieve a consensus on a
standard?  What are the odds that it will happen this time?  What
are the odds when it has to cover virtually every piece of software
that exists?

Do you think that C, C++, or Java can come in that time period to
an agreement on a standard guaranteeing that the author of any
piece of text transmitted anywhere is still acknowledged in said
text?  That functionality is *exactly* what Microsoft claims to
achieve with Passport, and is the absolute legal requirement of
this bill.

This is nothing short of an attempt to make software that is not
produced on the .NET platform illegal.

> |     (e)  MEANS OF IMPLEMENTING STANDARDS. -- The security system
> |     standards adopted under subsection (c) or (d) shall provide for
> |     secure technical means of implementing directions of copyright
> |     owners, for copyrighted material, and rights holders, for other
> |     protected content with regard to the reproduction, performances,
> |     display, storage, and transmission of such material or content.
>
> For all this bill refers to security, it's really the Copyright Robber
> Baron's Evisceration of the Public Rights Act of 2001.  There's no
> concern for the typical issues of system security, and no effective
> protection given in any event.  System security cannot be legislated, it
> has to be designed into the system, and afforded by competent
> administration.
>
As another Benjamin famously said, "We must indeed all hang together,
or most assuredly we will all hang separately."

This is not all Barons.  This is Microsoft and all of the people who
are willing to work with Microsoft to achieve their vision of the
future.  This is Microsoft's 2001 version of the 1995 consent decree.
It is their vision for how to bypass any possible adverse court ruling
through a level of audacity that nobody else can conceive of.

If people in the FSB world cannot bring home to corporations large and
small exactly what this means, and this bill passes, I will invest
heavily in Microsoft stock.  No matter how much I detest them, I know
what defeat looks like.

> Bruce Schneier:  Security is not a product.  Security is not a state.
> Security is a process.
>
> Let's disabuse ourselves of the shibboleth of "security" in this act.
> It is *not* about computer security.  It's about security to eviscerate
> the public of its rights, by Disney, et al (see Holling's campaign
> contributions list, posted by McCullaugh).

More precisely it is about the ability of Microsoft to shut down all
hope of competition.

> |     (f)  SUBSEQUENT MODIFICATION; NEW STANDARDS. -- The Secretary may
> |     conduct subsequent rulemakings to modify any standards established
> |     under subsection (c) or (d) or adopt new security system standards
> |     that meet the criteria in subsection (a).  In conducting any such
> |     subsequent rulemaking, the Secretary shall consult with
> |     representatives of interactive digital device manufacturers,
> |     representatives of copyright owners, the National Institute of
> |     Standards and Technology, and the Register of Copyrights.  Any final
> |  rule published in a subsequent rulemaking shall --
>
> If we didn't bend you over hard enough the first time, we'll come around
> and do it again.

No, no, no.  If by some miracle someone does manage to produce a
competing standard then Microsoft wants a single person they can
bribe to rectify that situation.

> |  (1) apply prospectively only; and
>
> But not retrospectively.  Thank us for this profusely, please.  Your
> gratitude will be rewarded in future Robber Baron Power Extension Acts.
>
Remember how with a single change of microcode, IBM managed to
completely lock Amdahl out of the mainframe market?  I believe
that locking down all competing development once, with a clear
demonstration of the ability to do so again at will would
result in the utter destruction of any competitors.

> |  (2) take into consideration the effect of adoption of the
> |  modified or new security system standards on consumers' ability
> |  to utilize interactive digital devices manufactured before the
> |  modified or new standards take effect.
>
> We wouldn't want the hoi polloi complaining to Congress, now would we?
> That might make our (Hollings, Stevens) lives hard.
>
No, no, no.  You miss the point.

The point is that Microsoft owns the client and can upgrade their clients
at will.  Any competing standard is going to be stronger on the server,
and by omission any and all adverse effects on people trying to run
servers are not open for discussion.

Given the rest of the bill, that seems to be gratuitous abuse.  But
there you have it.
> |
> |
> | Sec. 105.  CERTIFICATION OF TECHNOLOGIES.
> |
> |     The Secretary shall certify technologies that adhere to the security
> |     system standards adopted under section 104.  The Secretary shall
> |     certify only those conforming technologies that are available for
> |     licensing on reasonable and nondiscriminatory terms.
>
> Note on "reasonable and nondiscriminatory".
>
> This is a standard term used in establishing standards.  It means that
> the terms used to license any patents shall be equivalent, and
> sufficiently non-avaricious that a typical commercial participant won't
> be precluded from using the technology.
>
> The problem is that it's a non-starter for free software.  RF (royalty
> free) terms for standards must be specified for standards to be
> utilizable by free software.  In a world in which free software is a
> significant player, non-RF standards won't be readily adopted.  This Act
> largely precludes FS being a significant player.
>
Note carefully the word "licensing".  Microsoft is willing to license
the use of Hailstorm at an ongoing recurring rate.  They get a portion
of every online transaction.  They don't consider that unreasonable.

But note that Microsoft plans to keep the consumer data locked up on
their servers.  The bill makes no (read zero) provisions that anyone
can get direct access to the data.

An incidental detail.  Microsoft is investing heavily in cable.  What
do they know that we don't?  I suspect that they know that they intend
to make all data be stored on Microsoft servers, requiring simply huge
amounts of traffic.  Therefore they anticipate making filling in "the
last mile" a very profitable business indeed.  It is so characteristic
of Bill Gates to not let a profitable detail like that slip his
fingers...
> |
> | Sec. 106.  FEDERAL ADVISORY COMMITTEE COMMITTEE ACT EXEMPTION.
> |
> |     The Federal Advisory Committee Act (5 U.S.C. Ap.) does not apply to
> |     any committee, board, commission, council, conference, panel, task
> |     force, or other similar group of representatives of interactive
> |     digital devices and representatives of copyright owners convened
> |     for the purpose of developing the security system standards
> |     described in section 104.
>
> No sunshine.
>
> 5 USC Appendix dictates that all meetings, hearings, etc., that concern
> the making of public policy be open to public participation and/or
> viewing.
>
Microsoft does not want any witnesses to its bullying as it lines up
its "partners" to get Hailstorm through the process.  Of course we all
know that they intend to leave the partners lined up for target
practice afterwards...

> Specifically, 5 USC 522b holds:
>
>     http://www4.law.cornell.edu/uscode/5/552b.text.html
>
[very relevant note snipped, sorry]
> All waived.
>
Anyone who is a potential Microsoft competitor should review the
protections shown.
> |
> | Sec. 107.  ANTITRUST EXEMPTION.
> |
> |     (a)  IN GENERAL. -- Any person described in section 104(b)(1)(A) may
> |     file with the Secretary of Commerce a request for authority for a
> |     group of 2 or more such persons to meet and enter into discussions,
> |     if the sole purpose of the discussions is to discuss the development
> |     of security system standards under section 104.  The Secretary shall
> |     grant or deny the request within 10 days after it is received.
>
> Permission for industrial collusion is granted on request.
>
Collusion?  I sincerely doubt it.  Microsoft wants it clearly laid out
that they can bully any other company one on one without any public
oversight.  They fully plan to do this, and they don't want any
troubling questions to arise afterwards.

> |     (b)  PROCEDURE. -- The Secretary shall establish procedures within
> |     30 days after the date of enactment of this Act for filing requests
> |     for an authorization under subsection (a).
> |
> |     (c)  EXEMPTION AUTHORIZED. -- When the Secretary finds that it is
> |     required by the public interest, the Secretary shall exempt a person
> |     participating in a meeting or discussion described in subsection (a)
> |     from the antitrust laws to the extent necessary to allow the person
> |     to proceed with the activities approved in the order.
>
> Antitrust provisions are waived.
>
> The above gives full rein to groups such as the CPRM to operate in
> secrecy, without accountability, and with no public oversight, despite
> the impacts their actions will have on hundreds of millions of
> Americans, and by extension, the billions of inhabitants of this planet.

Karsten, you are such a naive sucker.

This is Bill Gates' answer to the anti-trust ruling.  No more, and
certainly no less.  The above is carte blanche to turn Hailstorm into
a government mandated monopoly but be utterly exempt from any and all
possibility of anti-trust proceedings no matter how nasty he gets.
After this it explicitly does not matter how many times Microsoft is
ruled to be a monopoly.  This is their, "Abuse being a monopoly"
loophole, laid out in black and white.

> |     (d)  ANTITRUST LAWS DEFINED. -- In this section, the term "antitrust
> |     laws" has the meaning given that term in the first section of the
> |     Clayton Act (15 U.S.C. 12).
> |
> |
> |
> | Sec. 108.  ENFORCEMENT.
> |
> |     The provisions of section 1203 and 1204 of title 17, United States
> |     Code, shall apply to any violation of this title as if --
> |
> |  (1) a violation of section 101 or 103(a)(1) of this Act were a
> |  violation of section 1201 of title 17, United States Code; and
> |
> |  (2) a violation of section 102 or section 103(a)(2) of this Act
> |  were a violation of section 1202 of that title.
>
> You remember that outrageous shit we slipped by you in the DMCA?
> Bend over, here it comes again.
>
We?  Who is this we?  Microsoft's name for a friend is "chum".  Only
the stupid misinterpret what they mean by that.
> |
> | Sec. 109.  DEFINITIONS.
> |
> |     In this title:
> |
> |  (1) CERTIFIED SECURITY TECHNOLOGY. -- The term "certified
> |  security technology" means a security technology certified by the
> |  Secretary of Commerce under section 105.
>
> We say what's safe.  You'll believe us.  You have no choice.
>
More precisely the government decides the standard and nobody else has
a choice.  And with this bill they have no choice but to declare
Microsoft to be the standard.

> |  (2) INTERACTIVE COMPUTER SERVICE. -- The term "interactive
> |  computer service" has the meaning given that term in section
> |  230(f) of the Communications Act of 1984 (47 U.S.C 230(f)).
>
> Viz:
>
>     http://www4.law.cornell.edu/uscode/47/230.text.html
>
>     The term ''interactive computer service'' means any information
>     service, system, or access software provider that provides or
>     enables computer access by multiple users to a computer server,
>     including specifically a service or system that provides access to
>     the Internet and such systems operated or services offered by
>     libraries or educational institutions.
>
Microsoft wants it all.
> |
> |  (3)  INTERACTIVE DIGITAL DEVICE. --  The term "interactive
> |  digital device" means any machine, device, product, software, or
> |  technology, whether or not included with or as a part of some
> |  other machine, device, product, software, or technology, that is
> |  designed, marketed or used for the primary purpose of, and that
> |  is capable of, storing, retrieving, processing, performing,
> |  transmitting, receiving, or copying information in digital form.
>
> Eg, anything that slings bits.  Including your PC, laptop, handheld,
> cell phone, and, incidentally, Linux and all other free software.

Bill Gates is thinking big.  BTW I don't know who this Secretary is
going to be, but whoever it is will be very, very rich.

> |  (4) SECRETARY. -- The term "Secretary" means the Secretary of
> |  Commerce.
>
> Sieg Heil!
>
Is Gates German?
> |
> | Sec. 110.  EFFECTIVE DATE.
> |
> |     This title shall take effect on the date of enactment of this Act,
> |     except that sections 101, 102, and 103 shall take effect on the day
> |     on which the final rule published under section 104(c) or (d) takes
> |     effect.
> |
> |
> |      TITLE II -- INTERNET SECURITY INITIATIVES
> |
> |
> |
> | Sec. 201.  FINDINGS.
> |
> |     The Congress finds the following:
> |
> |  (1) Good computer security practices are an underpinning of any
> |  privacy protection.  The operator of a computer system should
> |  protect the system from unauthorized use and secure any sensitive
> |  information.
>
> ...and Mom and apple pie...

I wonder who the authority is that is authorizing?

> |  (2) The Federal Government should be a role model in securing
> |  its computer systems and should ensure the protection of
> |  sensitive information controlled by Federal agencies.
>
> ...and, press notwithstanding, the Government tends to do a relatively
> decent job.  I didn't say perfect, or even admirable.  I said relatively
> decent.  This is in large part due to the fact that it's easier to
> publicize problems involving Government sites than those affecting
> commercial ones.  Sunshine is good.
>
> |  (3) The National Institute of Standards and Technology has the
> |  responsibility for developing standards and guidelines needed to
> |  ensure the cost-effective security and privacy of sensitive
> |  information in Federal computer systems.
>
> ...but there are many other means of establishing standards, including,
> as an example, the IETF.
>
Microsoft wants a single point of bribery.

> |  (4) This Nation faces a shortage of trained, qualified
> |  information technology workers, including computer security
> |  professionals.  As the demand for information technology workers
> |  grows, the Federal government will have an increasingly
> |  difficult time attracting such workers into the Federal
> |  workforce.
>
> It does?  [Hollings:  Memo to Self:  must rewrite draft to reflect
> current economic conditions.  Naw, everyone's eyes will be sufficiently
> glazed over at this point they'll never notice].
>
> But the finding does point to the fact that you've got to pay people
> commensurate with the responsibilities of their work.  H1-B or no H1-B.
>
> |  (5) Some commercial off-the-shelf hardware and off-the-shelf
> |  software components to protect computer systems are widely
> |  available.  There is still a need for long-term computer
> |  security research, particularly in the area of infrastructure
> |  protection.
>
> ...many of which are, in fact, free...and will be adversely affected by
> the proposed legislation.
>
Oh, I don't think Microsoft wants to leave "many" around.  Besides
which, Microsoft plans on _being_ the infrastructure.

> |  (6) The Nation's information infrastructures are owned, for the
> |  most part, by the private sector, and partnerships and
> |  cooperation will be needed for the security of these
> |  infrastructures.
> |
Note that, "the private sector" has always been Microsoft's
code-name for itself.

> |  (7) There is little financial incentive for private companies to
> |  enhance the security of the Internet and other infrastructures
> |  as a whole.  The Federal government will need to make
> |  investments in this area to address issues and concerns not
> |  addressed by the private sector.
> |
Remember what I said about Bill Gates trying to cover all of the
possible profit angles?  This bill already has provisions in it
setting the government up to later make investments in whatever
becomes the dominant infrastructure.  Microsoft clearly expects to
own that structure.  Microsoft is willing to take your money directly,
rob its competitors with government support, and suck from the public
teat all at the same time.
> |
> | Sec. 202.  COMPUTER SECURITY PARTNERSHIP COUNSEL.
>
> In which The Cabal is formed.
>
> One wonders if they too will have black cats?
>
Oh, the Cabal was formed a while ago.  This is merely their takeover
plan.

> |     (a) ESTABLISHMENT. -- The Secretary of Commerce, in consultation
> |     with the Presidents Information Technology Advisory Committee
> |     established by Executive Order No. 13035 of February 11, 1997 (62
> |     F.R. 7281), shall establish a 25-member Computer Security
> |     Partnership Council the membership of which shall be drawn from
> |     Federal, State, and local governments, universities, and businesses.
> |
What kinds of contacts does Microsoft have at the Secretary of
Commerce?  I suspect you will find they are pretty good.

> |     (b) PURPOSE. -- The purpose of the Council is to collect and share
> |     information about, and to increase public awareness of, information
> |     security practices and programs, threats to information security,
> |     and responses to those threats.
> |
Note that all threats to information security are about to be threats
to Microsoft.  Microsoft wants its own government department to go
along with its thugs at the BSA!

> |     (c) STUDY. -- Within 12 months after the date of enactment of this
> |     Act, the Council shall publish a report which evaluates and
> |     describes areas of computer security research and development that
> |     are not adequately developed or funded.
> |
The government has a year to decide to fund someone, has promised to
fund the private sector, and has arranged to lock everyone other than
Microsoft out of the market.  The only decision left is how much hush
money the participants need.
> |
> | Sec. 203.  RESEARCH AND DEVELOPMENT.
> |
> |     Section 20 of The National Institute of Standards and Technology Act
> |     (15 U.S.C. 278g-3) is amended --
> |
> |      (1) by redesignating subsections (c) and (d) as subsections
> |      (d) and (e), respectively; and
> |
> |      (2) by inserting after subsection (b) the following:
> |
> |       "(c) RESEARCH AND DEVELOPMENT OF PROTECTION
> |       TECHNOLOGIES. --
> |
> |           "(1) IN GENERAL. -- The Institute shall establish a
> |           program at The National Institute of Standards and
> |           Technology to conduct, or to fund the conduct of,
> |           research and development of technology and
> |           techniques to provide security for advanced
> |           communications and computing systems and networks
> |           including the Next Generation Internet, the
> |           underlying structure of the Internet, and networked
> |           computers.
> |
> |           "(2) PURPOSE. -- A purpose of the program
> |           established under paragraph (1) is to address issues
> |           or problems that are not addressed by market-driven,
> |           private sector information security research.  This
> |           may include research --
> |
> |            "(A) to identify internet security problems
> |            which are not adequately addressed by current
> |            security technologies;
> |
> |            "(B) to develop interactive tools to analyze
> |            security risks in an easy-to-understand manner;
> |
> |            "(C) to enhance the security and reliability of
> |            the underlying Internet infrastructure while
> |            minimizing other operational impacts such as
> |            speed; and
> |
> |            "(D) to allow networks to become self-healing
> |            and provide for better analysis of the state of
> |            Internet and infrastructure operations and
> |            security.
> |
> |           "(3) MATCHING GRANTS. -- A grant awarded by the
> |           Institute under the program established under
> |           paragraph (1) to a commercial enterprise may not
> |           exceed 50 percent of the cost of the project to be
> |           funded by the grant.
> |
> |           "(4) AUTHORIZATION OF APPROPRIATIONS. -- There are
> |           authorized to be appropriated to the Institute to
> |           carry out this subsection --
> |
> |            "(A) $50,000,000 for fiscal year 2001;
> |            "(B) $60,000,000 for fiscal year 2002;
> |            "(C) $70,000,000 for fiscal year 2003;
> |            "(D) $80,000,000 for fiscal year 2004;
> |            "(E) $90,000,000 for fiscal year 2005; and
> |            "(F) $100,000,000 for fiscal year 2006;"
> |
I believe the British call this a "quango".  They are theoretically
illegal in the US.  Microsoft epitomizes the belief that theory and
practice are different things.
> |
> |
> | Sec. 204.  COMPUTER SECURITY TRAINING PROGRAMS.
> |
> |     (a)  IN GENERAL. -- The Secretary of Commerce, in consultation with
> |     appropriate Federal agencies, shall establish a program to support
> |     the training of individuals in computer security, Internet security,
> |     and related fields at institutions of higher education located in
> |     the United States.
> |
Oh, the MCSE is going to become a university degree!  That will be a
fun one to shove down the throats of people who a few short years
before were engaged in subversive Linux research!

You know, at every stage of the game, Bill Gates has gotten more
extreme and had more success.  If he succeeds in this one, he really
doesn't have too many ways to raise the stakes for his next round...

> |     (b)  SUPPORT AUTHORIZED. -- [...]
> |
I can't stand reading Bill's plans for World Domination laid down in
detail.  I hope nobody minds the omission.
> |
> | Sec. 205.  GOVERNMENT INFORMATION SECURITY STANDARDS.
> |
> |     (a)  IN GENERAL. -- Section 20(b) of The National Institute of
> |     Standards and Technology Act (15 U.S.C. 278g-3(b)) is amended --
> |
> |  (1) by striking "and" after the semicolon in paragraph (4);
> |
> |  (2) by redesignating paragraph (5) as paragraph (6); and
> |
> |  (3) by inserting after paragraph (4) the following;
> |
> |      "(5) to provide guidance and assistance to Federal agencies
> |      in the protection of interconnected computer systems and to
> |      coordinate Federal response efforts related to unauthorized
> |      access to Federal computer systems; and".
> |
> |     (b)  FEDERAL COMPUTER SYSTEM SECURITY TRAINING. -- Section 5(b) of
> |     the Computer Security Act of 1987 (49 U.S.C. 759 note) is amended --
> |
> |  (1) by striking "and" at the end of paragraph (1);
> |
> |  (2) by striking the period at the end of paragraph (2) and
> |  inserting in lieu thereof "; and"; and
> |
> |  (3) by adding at the end of the following new paragraph;
> |
> |      "(3) to include emphasis on protecting the availability of
> |      Federal electronic citizen services and protecting sensitive
> |      information in Federal databases and Federal computer sites
> |      that are accessible through public networks.".
> |
I am sure that if someone tracks it down, the result is favourable to
Microsoft.  Probably doubly so because they go to such lengths to
avoid showing people what it looks like.
> |
> | Sec. 206.  RECOGNITION OF QUALITY IN COMPUTER SECURITY PRACTICES.
> |
> |     Section 20 of The National Institute of Standards and Technology Act
> |     (15 U.S.C. 279g-3), as amended by section 203, is further amended --
> |
> |  (1) by redesignating subsections (d) and (e) as subsections (e)
> |  and (f), respectively; and
> |
> |  (2) by inserting after subsection (c), the following;
> |
> |      "(d) AWARD PROGRAM. -- The Institute may establish a program
> |      for the recognition of excellence in Federal computer system
> |      security practices, including the development of a goal,
> |      symbol, mark, or logo that could be displayed on the website
> |      maintained by the operator of such a system recognized under
> |      the program.  In order to be recognized under the program,
> |      the operator --
> |
> |       "(1) shall have implemented exemplary processes for the
> |       protection of its systems and the information stored on
> |       that system;
> |
> |       "(2) shall have met any standard established under
> |       subsection (a);
> |
> |       "(3) shall have a process in place for updating the
> |       system security procedures; and
> |
> |       "(4) shall meet such other criteria as the Institute may
> |       require.".
> |
Ooh!  Lookee!  Microsoft gets the government to sponsor its logo
contest for it!
> |
> | Sec. 207.  DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.
> |
> |
> |     Section 20 of The National Institute of Standards and Technology Act
> |     (15 U.S.C. 278g-3), as amended by section 206, is further amended --
> |
> |  (1) by redesignating subsection (f) as subsection (g); and
> |
> |  (2) by inserting after subsection (e) the following:
> |
> |      "(f) DEVELOPMENT OF INTERNET PRIVACY PROGRAM. -- The
> |      Institute shall encourage and support the development of one
> |      or more computer programs, protocols, or other software,
> |      such as the World Wide Web Consortium's P3P program, capable
> |      of being installed on computers, or computer networks, with
> |      Internet access that would reflect the user's preferences
> |      for protecting personally-identifiable or other sensitive,
> |      privacy-related information, and automatically executes the
> |      program, once activated, without requiring user
> |      intervention.".

The government shall encourage the development of a program, protocol
or other software to be installed on every computer which runs without
any possibility of the user being involved and controls everything that
the user can possibly access.

Game Over.

I mean, after this, what more can Bill Gates possibly aspire to?

OTOH people have said that after every previous round.

I am sure he will think of something...

Ben

PS I believe that if this bill passes, I will never again work in IT.
My having written this letter will by itself be sufficient to
guarantee that.  You see, I remember Ed Curry, and see no reason to
believe that my case would be any different...