Whoever planned and carried out the deadly bombing of the Boston Marathon may have had plenty of help, experts say, from the Internet.

“Every aspect of a terrorist attack is now managed or researched” in some way using the Internet, said Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, an independent research institute that assesses cyber threats.

“That's where people figure out what their target is, how to go after the target, it's how they learn how to make bombs, it's how they coordinate their activities with each other,” he told NBC News’ Lisa Myers in an interview.

Borg said there are hundreds of websites in multiple languages advising and instructing people how to commit terrorist acts.

Last month, al Qaeda in the Arabian Peninsula published a how-to guide that urged small-scale attacks in the United States and other Western countries using easily obtainable materials.

Titled the “Lone Mujahid Pocketbook” and published in the spring edition of the terrorist group’s “Inspire” online propaganda magazine, the guidebook borrowed from social media speak and rap lyrics to encourage Islamic extremists in the West to commit acts of violence. The guidebook also offered detailed instructions to “Make a bomb in the kitchen of your Mom,” including detailed, illustrated instructions on making pressure cooker bombs – the type of explosive authorities say was used in the Boston Marathon attack.

Richard Esposito, NBC News’ senior executive producer for investigations, calls the prevalence of online bomb-making guides “a frightening development.”

FBI via AP

This image from the FBI shows the remains of a pressure cooker that the FBI says was part of one of the bombs that exploded during the Boston Marathon.

But he adds that the same websites and chat rooms that would-be jihadists use in their planning can also be a hunting ground for the U.S. intelligence and law enforcement officials looking for whoever built the Boston pressure cooker bombs.

The intelligence community is already at work there, experts say – watching for signs of imminent attacks, but also sowing disinformation and altering recipes for bombs.

“Law enforcement actively attempts to post content on these websites,” said Esposito. “They use all the investigative tools that are now available to them to thwart the terrorists online.”

So far, those methods have been very effective. And experts say the easy availability of bomb-making formulas does not seem to have increased the frequency of attacks. But they worry it may be making the successful ones more lethal.

Related stories

• Bomb type gives first clue on path to perpetrator
• Pressure cooker bombs used around the world for years

Slideshow: Aftermath and reaction following Boston bombings

Shannon Stapleton / Reuters

Heightened security, empty streets, and memorials mark the the day after the Boston Marathon bombings.

Launch slideshow

Rick Wilking / Reuters file

First Lt Michael Newman examines a server rack that is isolated from the Internet at the Air Force Space Command Network Operations & Security Center at Peterson Air Force Base in Colorado Springs, Colo., in July 2010.

The United States is locked in a tight race with China and Russia to build destructive cyberweapons capable of seriously damaging other nations’ critical infrastructure, according to a leading expert on hostilities waged via the Internet.

Scott Borg, CEO of the U.S. Cyber Consequences Unit, a nonprofit institute that advises the U.S. government and businesses on cybersecurity, said all three nations have built arsenals of sophisticated computer viruses, worms, Trojan horses and other tools that place them atop the rest of the world in the ability to inflict serious damage on one another, or lesser powers.

Ranked just below the Big Three, he said, are four U.S. allies: Great Britain, Germany, Israel and perhaps Taiwan.

But in testament to the uncertain risk/reward ratio in cyberwarfare, Iran has used attacks on its nuclear program to bolster its offensive capabilities and is now developing its own "cyberarmy," Borg said.

Borg offered his assessment of the current state of cyberwar capabilities Tuesday in the wake of a report by the American computer security company Mandiant linking hacking attacks and cyber espionage against the U.S. to a sophisticated Chinese group known as “Peoples Liberation Army Unit 61398.

In today’s brave new interconnected world, hackers who can defeat security defenses are capable of disrupting an array of critical services, including delivery of water, electricity and heat, or bringing transportation to a grinding halt. U.S. senators last year received a closed-door briefing at which experts demonstrated how a power company employee could take down the New York City electrical grid by clicking on a single email attachment, the New York Times reported.

U.S. officials rarely discuss offensive capability when discussing cyberwar, though several privately told NBC News recently that the U.S. could "shut down" the electrical grid of a smaller nation -- Iran, for example – if it chose to do so.

Borg echoed that assessment, saying the U.S. cyberwarriors, who work within the National Security Agency, are “very good across the board. … There is a formidable capability.”

“Stuxnet and Flame (malware used to disrupt and gather intelligence on Iran's nuclear program) are demonstrations of that,” he said. “… (The U.S.) could shut down most critical infrastructure in potential adversaries relatively quickly.”

China, Russia have different priorities
Borg said China and Russia have similar capacity to cause mayhem, but have different priorities and skill sets.

usccu.us

Scott Borg says the U.S. possesses a 'formidable capability' to wage cyberwar.

“Russia is best at military espionage and operations,” he said. “That's what they have focused on for a long time. China is looking for crucial business information and technology. China's main focus is stealing technology. These things quite separate. You use different tools on critical infrastructure than you use for military espionage and different tools again on stealing technology."

Borg said that each has its strong suit. "The Russians are technically advanced. The Chinese just have more people dedicated to the effort, by a wide margin,” he said. “They are not as innovative or creative as the U.S. and Russia. China has the greatest quantity, if not quality."

Borg said the group featured in Mandiant’s report, the People’s Liberation Army Unit 61398, may be one of the most important groups working in China, but not necessarily the most important.

"There are at least two dozen groups carrying out aggressive operations against the U.S.,” he said. “They get in each other’s way and trip over one another, but they are all operating with the tacit approval of the Chinese government.

"They're not cooperating with each other because they don’t share capabilities," he added. "One group has good programming, but is bad at access or targeting." 

The Chinese hacking efforts are so broad, Borg said, that the highest-ranking Chinese officials “almost certainly do not know what all the groups are doing,” or the consequences. As a result, he added, they have been embarrassed by reports like the one in Tuesday’s New York Times, which first reported on the Mandiant assessment.

China is the most likely of the superpowers to leave a calling card, making their work the easiest to track. "China is very arrogant in its authorship of cyberweapons,” Borg said. “It does little to conceal its identity."

That’s in sharp contrast to the Russians, who he noted are not above writing code in Chinese to throw off investigators.

While the U.S. could respond to ongoing cyberattacks from China and Russia by shutting down the power grid of "any of its adversaries” and causing severe physical damage, Borg said it is encumbered by several factors.

One is its vulnerability to cyberwarfare as the world’s most networked nation, he said.

And from a geopolitical standpoint, Borg said, the U.S. would not want to badly damage the economy of either China or Russia. In fact, he said, the U.S. would almost certainly have to incorporate protections for critical systems like the power grid in any cyberattack.

Also, detecting the source of hostilities is not always easy, Borg said, as cybertracks are not as easy to follow as missile tracks. That means “mutually assured destruction,” the main strategic tenet of the Cold War, is problematic at best when talking about cyberwar, he said.

"It might be difficult to determine proportionate response,” he said. “It might not be simple to attack the attacker.”

For example, policymakers may think an attack has been carried out by the Chinese, when it was actually the work of the Russians or a rising power in the cyber world, like Iran. That is why intelligence -- getting insight into these operations -- is more important in a crisis than cyberforensics, which can take longer and not be as certain.

"There is no MAD in the Cold War sense," he said, "You can’t be 'assured' of attribution. The attack can be anonymous. It can be spoofed," or disguised as coming from another source. 

Iran developing 'serious capability'
The U.S. first began to develop its own offensive capabilities 20 years ago when several strategic thinkers, particularly at the Naval Post-Graduate School, began to see the possibilities. It was not so much a strategic priority, but more "people familiar with electronics and hackers exercising their imagination." (Borg says one of those thinkers, Winn Schwartau, used fiction to discuss the threat and the possibilities, in a 1991 book, "Terminal Compromise.")

While the U.S. has the means to respond and to defend itself, Borg notes that some countries have no recourse. He cited the Russian invasion of the Republic of Georgia in August 2008, when the Georgian government and media infrastructure was quickly compromised.

What was particularly interesting, Borg said, was that the Russian military and intelligence services weren’t directly involved.

"The first wave was carried by organized crime," he noted. "The second wave was carried out by a (hacker) group organized though social media.” He said Russian hackers could download the attack software from a variety of popular sites, including dating and gun-collecting websites.

In both cases, Borg concluded, the organizers apparently were tipped off early about the timing of Russian military operations, he said.

The attack on Georgia also illustrated another aspect of cyberwarfare, Borg said, noting that Georgia, Estonia and Lithuania afterward formed a cyberalliance, leaving them in a better position to deal with future assaults.

That also appears to be the case with Iran, which recently announced that it decided to establish cyber army and claimed to have 4,000 to 5,000 military personnel involved in defensive and offensive operations. That isn’t all bluster, Borg said, noting that when the U.S. leveled new sanctions on Iranian banks last year, U.S. banks suddenly came under attack.

"Iran is developing a serious capability," said Borg. “It's exaggerating the present capabilities, but it’s working toward the future."

That’s especially troubling because the risk of smaller nations waging cyberwar against one other may be higher than with the online superpowers, he said.

He cited reports indicating that Iran may have been behind what he called one of the more serious cyberattacks to date -- an assault last August on the Saudi Aramco computer network that disabled more than 30,000 computers used to control the flow of Saudi oil. The Saudi Interior Ministry blamed "foreign countries" for the attack.

Borg said he believes the attack was an "Iranian fundamentalist attack ... at some point loosely the under auspices of Iran, and blessed by Iran. The fundamentalist group made a claim of responsibility. ... “Based on technical analysis, the claim has credibility."

For that reason, Borg says he is less worried about the possibility of China or Russia launching a catastrophic attack against the U.S. than he is about the emerging cyberpowers.

“What I’m really concerned about isn’t Russia or China, but attacks from Iran or terrorist groups working with state actors,” he said.

More from Open Channel:

 Lights, cameras, reaction: Resistance builds to red-light cameras

Suburban Chicago cops allowed to work 'half drunk,' investigation shows

GAO: Climate change poses big financial risk to federal government

Follow Open Channel from NBCNews.com on Twitter and Facebook 

/

A Huawei telecommunication array, displayed in a company exhibition hall in Shenzhen, China, on March 2012.

LONDON -- In the summer of 2008, Iranian security agents arrived at the family home of Saleh Hamid, who was visiting his parents in Iran during a break from his university studies. 

The plainclothes agents, he says, shackled him and drove him blindfolded to a local intelligence detention center. There, he says, they beat him with an iron bar, breaking bones and damaging his left ear and right eye.

Hamid says the authorities accused him of spreading propaganda against the regime and contacting opposition groups outside Iran. The evidence? His own phone calls.

"They said, ‘On this and this day you spoke to such and such person,'" says Hamid, now 30 and a human rights activist in Sweden. "They had both recorded it and later they also showed me the transcript."

Hamid was not the only one. The Iran Human Rights Documentation Center and other human rights groups say they have documented a number of cases in which the Iranian regime has used the country's communications networks to crack down on dissidents by monitoring their telephone calls or Internet activities.

Now a Reuters investigation has uncovered new evidence of how willing some foreign companies were to assist Iran's state security network, and the regime's keenness to access as much information as possible.

Documents seen by Reuters show that a partner of China's Huawei Technologies Co. Ltd. offered to sell a Huawei-developed "Lawful Interception Solution" to MobinNet, Iran's first nationwide wireless broadband provider, as MobinNet was preparing to launch in 2010.

The system's capabilities included "supporting the special requirements from security agencies to monitor in real time the communication traffic between subscribers," according to a proposal by Huawei's Chinese partner seen by Reuters.

The headquarters of Huawei Technologies Co. Ltd. in Shenzhen, China.

Huawei also gave MobinNet a marketing presentation on a system that features "deep packet inspection" -- a powerful and potentially intrusive technology that can read and analyze "packets" of data that travel across the Internet. Internet service providers use DPI to guard against cyberattacks and improve network efficiency, but it also can be used to block websites, track Internet users and reconstruct email messages.

Huawei says it has never sold either system to MobinNet and doesn't sell DPI equipment in Iran. But a person familiar with the matter says MobinNet obtained a Huawei DPI system before it began operating in 2010. The person does not know how MobinNet acquired it or if it is being used.

Asked to comment, Vic Guyang, a Huawei spokesman, said in a statement, "We think it's not for us to confirm or deny what systems other companies have." He later said, "It is our understanding that MobinNet does not have such equipment." An official with MobinNet declined to answer any questions, saying only, "So you know the answers. Why do you need confirmation?"

The relative ease with which Iran has been able to obtain technology that enables surveillance illustrates the cat-and-mouse nature of the American-European campaign to contain Iran's nuclear ambitions through crippling economic sanctions. It wasn't until this year that Europe and Washington -- which primarily have focused on Iran's banks and oil industry -- targeted the sale of monitoring gear to Iran. But even now, the ban is not global, and does not extend to Chinese companies.

Reuters reported in March that China's ZTE Corp had recently sold Iran's largest telecom firm, Telecommunication Co. of Iran, a DPI-based surveillance system that was capable of monitoring landline, mobile and internet communications.

ZTE later said it intends to reduce its business in Iran. Huawei made a similar announcement a year ago.

Fixing ‘the problem of youth’
The documents seen by Reuters challenge statements made by Shenzhen-based Huawei that it doesn't sell any Internet monitoring or filtering equipment.  

But the documents' descriptions of the Huawei systems pitched to MobinNet emphasize their filtering capabilities and ability to enable monitoring by security agencies.

For example, a proposal made to MobinNet dated April 2009 offers what it calls a Huawei "lawful interception" solution. The proposal was prepared by China's CMEC International Trading Co., which states in the document that it had selected Huawei as its bid partner.

"As we know, lawful interception is mandatory and sensitive for the operators in Iran," the proposal states.

An accompanying diagram illustrates how the system can duplicate data streams and transmit the copies to multiple "monitoring" centers. It also states that more than 0.5 percent of all subscribers could be targeted and that individuals would not be aware their communications were "being intercepted."

CMEC is a part of an engineering conglomerate that includes a unit that for years has been under U.S. sanctions for allegedly helping Iran and Iraq obtain weapons of mass destruction. CMEC didn't respond to a request for comment. Huawei says it no longer partners with CMEC.

U.S. and other international sanctions are designed to deter Iran from developing nuclear weapons; Iran says its nuclear program is aimed purely at producing domestic energy.

Although Huawei maintains it doesn't sell any filtering technologies, its presentation given to MobinNet, marked confidential, repeatedly says its "DPI Solution" features "URL filtering," which can be used to block specific websites. The presentation also cites a number of customer "success" case studies -- including in Britain, Russia, Colombia, and China -- where it says telecommunication operators were using its system to filter websites.

For example, the presentation states that a Chinese telecoms firm was using the Huawei system "to settle the problem of youth getting secure and healthy access to websites, and the traffic should be controllable." The presentation also states that the system was used during the 2008 Beijing Olympic games to block "illegal" Internet phone services, filter websites and to conduct "user behavior analysis."

In a series of emailed statements, Guyang, the Huawei spokesman, did not address Huawei's claim that it doesn't "provide any services related to monitoring of filtering." But he says website filtering is used by many telecoms, including in the U.S., "as part of efforts to counter cyberterrorism, child pornography, smuggling of narcotics and other crimes, as well as illegal websites and data."

He said Huawei "did not sell products containing this function in Iran." He also said the Huawei system described in the proposal -- the Quidway SIG9800 -- can't access "content" in the telecommunications network.

But a former Huawei employee who has worked in Iran said the SIG9800 can be used to reconstruct email messages provided they are not encrypted. "This product has some special usage which Huawei customers do not like to share ... especially in Iran," said the former employee, who spoke on condition of anonymity.

Storing every text message
The proposal to MobinNet for the Huawei lawful-intercept system states that it includes technology from a German company called Utimaco Safeware AG. Utimaco says Huawei is one of its worldwide resellers but that neither MobinNet directly -- nor Huawei on behalf of MobinNet -- purchased or licensed its products.

The proposal also states that Huawei equipment at another Iranian telecom had "already successfully integrated with" an Utimaco product "and accumulated rich integration experience, which will be shared."

The other Iranian telecom isn't named but Malte Pollmann, Utimaco's chief executive officer, confirmed that in 2006, Nokia's German unit had purchased Utimaco software for MTN Irancell, Iran's second-largest mobile phone operator which has a major contract with Huawei. He said the product hadn't been maintained for several years and that Utimaco believes it no longer is being used.

MTN Irancell is 49 percent owned by South Africa's MTN Group, Africa's largest telecom carrier. It declined to comment about the Utimaco product.

Interviews and internal MTN documents reviewed by Reuters show that prior to MTN Irancell's launch, Iranian intelligence authorities took a keen interest in the capabilities of its lawful-intercept system, and pushed to make it more intrusive.

Like most countries, including the United States, Iran requires telephone operators to provide law enforcement authorities with access to communications. But people who have worked at Iranian telecoms say authorities sometimes abused their access, targeting certain individuals without a warrant or with little or no explanation.

In response, a spokesman for Iran's mission to the United Nations in New York emailed a section of Iran's constitution which states that recording telephone calls, eavesdropping and censorship "are forbidden, except as provided by law." 

The terms of MTN Irancell's license agreement stipulated that Iran's security agency could record and monitor subscribers' communications, including voice, data, fax, text messaging and voicemail, the internal MTN documents show. "At least 1 percent of all subscribers" could be targeted, and authorities wanted access to their location -- "within 10 to 20 meters" -- as well as billing information, according to the documents.

Related stories

Navy officials poke holes in Iran's drone claim

US nonprofit 'names and shames' businesses to put bite into Iran sanctions

Skulduggery at sea: Iran uses tankers off Malaysia to evade oil embargo

Iran sanctions exceed expectations but still don't change Tehran's behavior

According to a person familiar with the matter, prior to its launch, Iranian authorities pushed MTN Irancell to provide them with even more surveillance capabilities. The requests included copying and storing all text messages on the network for 30 days and providing 36 different monitoring centers with access to communications. 

The authorities also wanted to be able to intercept every call handled by an individual mobile-phone tower. "They were not talking of a single tower, they were talking of a large number of towers," the person said. "That is not the norm."

MTN, which oversaw the telecom's launch, didn't express to the authorities any concern about potential abuse, according to this person. Rather, the company argued during a series of meetings that the new requirements weren't part of the scope of the licensing agreement. MTN offered to add other surveillance capabilities over time, this person said.

MTN declined to comment. In April, its chief executive, Sifiso Dabengwa, said that any allegations that MTN was complicit in human rights abuses in Iran "are both false and offensive."

The Iranian intelligence authorities eventually agreed to hold off on their surveillance wish list - and allowed the telecom's launch. But they made clear they expected MTN Irancell would eventually install more capabilities, according to the person familiar with the situation.

The extent to which MTN Irancell later added new surveillance capabilities to its network remains unclear. The network did add enhanced location-based services in 2011.

A British company, Creativity Software, announced in August 2009 that it had won a contract to supply the technology, which it said would allow MTN Irancell to offer its customers special rates at home.

An official with Creativity Software did not respond to requests for comment. In a statement last year, the company said its sale was legal and "any connection implied between the provision of commercial location-based services deployed by MTN Irancell in Iran and any possible human rights abuses is ... erroneous."

Hamid, the human rights activist who says Iranian security agents told him in 2008 they had listened to his telephone conversations, says he had been using a cellphone he had purchased through MTN Irancell.

Then a student at a Syrian university, he said that he had returned to Iran to visit his family in Ahwaz, Khuzestan. The region is home to many Iranian Arabs who allege they have been subject to discrimination and economic deprivation by the Iranian government.

Now 30, Hamid said he eventually was released on bail and fled the country. But he said he was arrested in Iraq, jailed for three years and finally received refugee status in Sweden.

He said he was surprised that Iranian authorities had intercepted his phone calls. "I was completely taken aback," he said. "When I bought the Irancell mobile, I didn't even buy it in my name."

MTN declined to comment. The spokesman for Iran's U.N. mission said Hamid's allegations "are unfounded" and that Iran's constitution protects the rights of Iranian Arabs and other ethnic groups.

"Iran's constitution also bans any kind of torture and espionage," the spokesman added.

Additional reporting by Yeganeh Torbati in Dubai.

More from Open Channel:

• Behind high court racial cases, a little-known conservative recruiter
• Asia coal export boom brings no bonus to American taxpayers
• Toll authority quick to seek payment, not so good at refunding overpayments
• American held in Cuba wants US to sign 'non-belligerency pact' to pave release
• Cuba pushes swap: its spies jailed in US for  American jailed in Havana
• Livestock falling ill in fracking regions | Industry insider offers rebuttal
• Tobacco industry used trade pacts to try to snuff out anti-smoking laws
• Jeb Bush's reputation as education reformer gets a second look

 

Follow Open Channel from NBCNews.com on Twitter and Facebook

N.J. Sex Offender Internet Registry

The poster child of sex offenders who altered their digital identity is Fran Kuni, who changed his name to Jamie Shepard and was able to get a job as a U.S. Census worker in New Jersey before being busted by a mom who recognized him when he knocked on the door of her home.

Nearly one in six convicted sex offenders is using sophisticated techniques invented by identity thieves to avoid their legally mandated registration requirements, a new study has found. These digital absconders might be able to avoid post-incarceration restrictions by living near schools and playgrounds, and could possibly gain employment working with children.

The study, conducted by Utica College and funded by the U.S. Justice Department, estimates that roughly 92,000 of the 570,000 registered sex offenders across the country are systematically manipulating their names, birthdays, Social Security numbers and other personal identifiers so they can live as they want while appearing to satisfy court-imposed or statutory restrictions.

"These are offenders who are flying under the radar and authorities don't know it," said Don Rebovich, the Utica professor who directed the study. "The authorities really don’t have the resources to keep on checking on these people. Offenders find where the vulnerabilities are in the system and exploit them."

These digital absconders create two obvious problems. Communities expend energy and resources dealing with offenders who aren't really there -- local police knock on doors and send notices to warn neighbors; public listings are published on the Internet. And sex offenders live where they please as normal adults, without any protective measures kicking in.

"In the worst-case scenario, by thwarting registration requirements, they could potentially have easier access to children," said Staca Shehan, director of case analysis at the Center for Missing and Exploited Children, who is familiar with the study. "(In) those jurisdictions that have residency restrictions that would not allow (offenders) to live within distance of a school, daycare or park, (they) could avoid that type of requirement."

While the study found that an average of 16.2 percent of sex offenders manipulate their identities nationally, some states fared worse: Louisiana, Washington, D.C., Nevada, Tennessee and Delaware all had digital absconder rates of higher than 25 percent.

Officials in Tennessee, Nevada and Delaware challenged the study's conclusions and complained that they had not been contacted by the researchers for additional information that might have clarified the results; officials in the other states did not immediately respond to requests for comment.

'Strategic' manipulation
Shehan said there are generally two kinds of sex offender absconders: those who simply fail to keep their records current, and hope they fall through the cracks; and those who are more systematic in their evasion, intentionally altering their identities so they can circumvent the restrictions. 

"That takes a lot more thought," she said. "They are much more strategic about what they are doing ... and so that's much more concerning."

In one celebrated case of sex offender identity manipulation, a convict named Frank Kuni changed his name to Jamie Shepard and was able to get a job as a U.S. Census worker in New Jersey. Kuni was recognized by a mom after he knocked on the door of her Pennsauken home, and he was later sentenced to three years in prison. Kuni’s case attracted national headlines because of the fear it created surrounding temporary Census workers.

The Utica study, believed to be the first attempt to quantify these more strategic absconders, was conducted by Utica College's Center for Identity Management, set up to examine a variety of identity issues in the digital age. Rebovich is director of the center.

It's well known that some sex offenders neglect their registration requirements, dropping off the grid and accepting only cash-paying jobs to remain hidden. But the Utica study found something more subtle, and perhaps more disturbing -- sex offenders who appear to be satisfying their registration requirements while living a digital double life.

In a parallel survey of 223 law enforcement agencies from 46 states, Utica found that awareness of ID-theft style registry evasion was low -- only 5 percent of respondents said they knew of an identity manipulation case within their jurisdiction. 

And nearly 40 percent of the agencies responded that they had zero absconders, suggesting some law enforcement agencies are unaware of the problem.

The power of the Utica study lies in the use of sophisticated algorithms developed by private firm ID Analytics, a fraud-fighting company used by many large banks and other financial institutions. ID Analytics receives more than 1 billion credit applications and other credit-related events from clients every year. It uses sophisticated software to track the behavior of identity thieves across the credit system, and can find fraud that individual firms miss. It knows, for example, if a criminal uses a systematic series of birthdays or addresses on a set of credit card applications at various banks in an attempt to evade fraud detection. The ID Analytics tool has enough data that it can generally tell the difference between honest typographical errors and systematic fraud attempts. 

ID Analytics ran sex offender data through its massive database of credit-related events, and found evidence of rampant identity manipulation among the offenders.

Kristin Helm, a spokeswoman for Tennessee's sex registry, challenged the study's findings, saying that fewer than 1 percent of that state's sex offenders are absconders. Criminals have always used false identities to try to evade police, but law enforcement systems are geared to handle that issue, she said. "Fingerprints obtained by law enforcement identify individuals regardless of a name or Social Security number," she said, adding that names sometimes change for legitimate reasons, too, such as marriage. 

But Stephen Coggeshall, chief technology officer for ID Analytics, said his technology is well-versed in screening out mundane reasons for identity changes and finding patterns that specifically indicate active evasion is taking place.

"This goes way beyond typos," he said. "These are people who have slightly adjusted or substantially adjusted their personally identifiable information for a reason. They are actively doing so, and we are observing them use these aliases relatively recently."

Nevada spokeswoman Julie Butler also questioned the validity of the study, which she had not seen. She said that Nevada uses fingerprints to track sex offenders, so identity manipulation techniques would be ineffective.

"Our registry is fingerprint-based. We don't base it on date of birth, or Social Security number, or name," Butler said. "They can put down their name as whatever and we still have them in the database."

But Coggeshall responded that even in states which use fingerprint identification, an identity manipulator would only be discovered when trying to engage in an activity – such as becoming an elementary school teacher – which triggers a fingerprint evaluation. 

"In general it doesn't help you track where they are or if they're living under an alias at an unregistered location," he said. "It can help to find sex offenders as they enroll in certain groups, but many … groups don't routinely fingerprint new enrollees."

SSNs connected to multiple people
Two years ago, using this tool on a database of Social Security numbers, ID Analytics found that rampant evidence of identity theft: 5 million SSNs were connected to three or more U.S. adults in credit applications, and 140,000 were associated with five or more people, indicating almost certain fraud. The tool can also track individual identity manipulators, as ID Analytics calls them, as they attempt various frauds across an array of credit issuers.

This tool was turned on the sex offender registry problem at the invitation of Utica College in Utica, N.Y., beginning last year. ID Analytics took a large sample -- nearly 100,000 -- of the 570,000 active registered sex offender records and ran them through its credit application database, looking for signs of manipulation.

The findings were disturbing. In Louisiana, the study found, nearly two-thirds of offenders' records showed signs of manipulation. Rebovich theorized that Louisiana's problem might stem from the aftermath of Hurricane Katrina, which gave some people a golden opportunity to drop off the grid.

Officials in Louisiana did not immediately respond to requests for comment.

In many cases, the study found, the steps criminals take are subtle -- changing an address from "440 Monroeville Road" to "434 Monroeville Road," for example. In fact, in the majority of cases, digital absconders were much more likely to move across town than across the country. Absconders who fake their address are six times more likely to remain in the same state than to cross state lines, the study found, and 90 percent of those who remain in state stay within 40 miles of their original registered address. In many cases, the data shows, those addresses belong to a family member. That might allow absconders to show up on a moment's notice at their registered address in case local police do a random check, Rebovich said.

But the address change could also allow them to apply for jobs and housing they would otherwise be unable to qualify for, he said.

While half of the manipulations involve bad addresses, plenty of other types of evasion are going on, the study found. One subject studied had five names, three Social Security numbers and four dates of birth, for example.

About 10,000 offenders had used at least four different Social Security numbers, Rebovich said. The evidence indicates this was usually done to evade the court registration requirements rather than commit financial identity theft, the study found.

One reason sex offenders seem to get away with evasion is that registration requirements are set by states and vary widely. In some states, convicts merely send updates through the U.S. mail to state officials, and are subjected to little, if any, verification. In others, officers try to check on sex offenders, but ofter are assigned hundreds, or even thousands of offenders, to track.

In other states, such as Florida, there are strict requirements and frequent random inspections, Rebovich said. That shows up in the data -- Florida's digital absconder rate is about half the national average, at 9.4 percent.

The study was funded by the Justice Department's Bureau of Justice Assistance, which plans on issuing a comprehensive report later this fall. Requests for comment from the Department of Justice went unanswered.

'System is never going to be perfect'
Shehan, of the Center for Missing and Exploited Children, said she didn't believe that the potentially high rate of digital absconders means the entire sex offender registry program is broken. In fact, she said the situation has improved since passage of the Child Safety and Protection Act of 2006, which instituted some national standards on offender registries.

Still, she said it's important that states move to biometric identifiers, such as fingerprints, to maintain more accurate records of offenders and their whereabouts.

"Criminals are constantly thinking of ways to beat the system," she said. "The system is never going to be perfect."

Rebovich is hoping the study will spur new methods for checking up on sex offenders, including techniques that would seem familiar to those who work in financial fraud. In a model developed by Utica and ID Analytics, offenders could be given a score, similar to a credit score, which would rate the likelihood that identity manipulation was occurring. 

"We are trying to develop a predictive model," he said. "So we can turn it into an alert system, so states can do this in real time, if they want to."  

Coggeshall said such an alert system would have helped police track down Frank Kuni before he was able to get a job with the Census Bureau.

"In retrospect, we know there are things we would have been able to observe" he said.

http://on.msnbc.com/topnewsemailsignup">Click here to sign up to receive our Top News email each day.

 *Follow Bob Sullivan on Facebook.

*Follow Bob Sullivan on Twitter.  

/

Traffic on Tropicana Avenue in Las Vegas, Nevada, passes in front of the MGM Grand.

SAN FRANCISCO -- To prime itself for the U.S. debut of legal online poker, MGM Resorts International, owner of such Las Vegas Strip monuments as the MGM Grand, the Bellagio and the Mirage, wanted a partner that knew the ropes.

So last October it hooked up with Bwin.Party Digital Entertainment Plc, a London-listed, Gibraltar-based specialist that rakes in more from Web betting than any other publicly traded company. MGM Resorts took 25 percent of a new venture 65 percent owned by Bwin.Party, with smaller Las Vegas casino operator Boyd Gaming getting the remaining 10 percent.

Reuters

MGM Resorts International CEO Jim Murren attends a news conference in Hong Kong on May 19, 2011. Murren says his company's online poker tie-up with Bwin.Party, backed by onetime phone-sex and porn entrepreneur Ruth Parasol, gives it a competitive edge.

"We'll be out of the gate as soon as anybody," MGM Resorts Chief Executive Officer Jim Murren boasted to investors in February. 

Online expertise isn't the only thing that distinguishes Bwin.Party. In 2009, an earlier incarnation of the company paid $105 million while admitting to U.S. prosecutors it had run an illegal gambling operation and engaged in bank and wire fraud.

Among its principal backers: a California-born woman who made a fortune in phone sex and Web pornography businesses that, like the pioneering online-gambling company that became Bwin.Party, faced multiple allegations of wrongdoing.

MGM Resorts' choice of Bwin.Party as a partner while applying for online poker licenses in Nevada might seem unusual. It isn't. The alliance reflects the calculated risks that major casino operators, Native American tribes and social-gaming giants Zynga and Facebook are weighing as they angle for a slice of a market valued at billions of dollars a year. 

Caesars Entertainment Corp is prepping for online poker by tying up with an Israeli company that in 2007 acknowledged settlement talks with the U.S. Justice Department over alleged breaches of anti-gambling laws.

A group of Native American tribes in California has signed up to use software from another Israeli company, run by a man who served prison time for stock manipulation and bribery. Another tribe last week announced a deal with Bwin.Party.

Zynga, eager to convert some of its tens of millions of virtual poker enthusiasts into cash gamblers, also has been in talks with Bwin.Party and others that have had brushes with the law, according to people familiar with the matter.

Meanwhile, offshore gambling outfit PokerStars is considering buying its chief offshore rival, Full Tilt, and making a run at the U.S. market even though founders of both were indicted by the Justice Department last year on charges of illegal gambling, bank fraud and money laundering, according to people familiar with the situation. 

All this comes as Nevada prepares to license the first online poker operators and software suppliers late next month -- and as California, New Jersey, Iowa, Massachusetts, Delaware and other states debate similar moves.

Many of the cash-starved states, encouraged by intensive industry lobbying, have felt freer to act since December, when the Justice Department declared that one federal anti-gambling law, the Wire Act, would no longer be enforced beyond sports betting.

But casino operators, Indian tribes and Internet powers bent on offering online poker lack experience delivering it. Online poker is a business that involves processing billions of dollars worth of bets and battling the fraudsters, cheats and robot-player software that can ruin the games. Hence the casinos are cozying up to some tech-savvy offshore partners whose pedigrees might give regulators pause. 

Most states have "suitability" rules designed to keep crooks out of the gambling industry. Nevada requires that successful license applicants and their large shareholders possess "good character, honesty and integrity." Nevertheless, the big casino operators and their offshore partners are betting that regulators will look favorably on their license applications for two good reasons: tax money and high-tech jobs.

Early indications are that they are right.

At a hearing on a Caesars deal with the Israeli company last year, Mark Lipparelli, chairman of Nevada's Gaming Control Board, said: "I don't think as we look at companies that we can have perfection as the standard, because I think that would be a disservice to the state in attracting business here." The board unanimously recommended approval of the venture.

Gambling foes warn that states are putting fiscal worries ahead of public safety, exposing a huge and vulnerable population to the potential for compulsive betting. "The governments are so desperate for revenues that they will partner with these lawbreaking outfits," said Les Bernal, executive director of the nonprofit Stop Predatory Gambling Foundation in Washington, D.C. "They will create addiction in order to feed off of it." 

Porn and cards
Jim Ryan, co-chief executive officer of Bwin.Party, acknowledged in an interview that when the company was looking for U.S. partners, its history was a chief concern of MGM Resorts and other U.S. companies. 

Reuters

Jim Ryan, co-CEO of Bwin.Party Digital Entertainment, sits on a discussion panel during the GiGse online gaming convention at the Westin hotel in San Francisco on April 24.

"Suitability is the very first question on all of their minds," he told Reuters during a recent business trip to San Francisco.

It's easy to see why. 

Bwin.Party grew out of PartyGaming, a brainchild of San Francisco-area native Ruth Parasol, who has a history as colorful as Las Vegas. After earning a law degree, Parasol first prospered in the 1990s through 1-900 phone-sex and other services that were sued by multiple states for aggressive billing and collection practices. In North Carolina's suit, the judge ordered a company she co-founded to pay $270,000 in damages.

Then Parasol put her money behind Internet Entertainment Group, which gained notoriety for releasing an early Pamela Anderson sex video and promising an initial public offering that never happened. Employees accused the company of routinely overbilling customers, and Chief Executive Seth Warshavsky fled to Thailand as authorities investigated. Warshavsky didn't respond to an interview request.

Parasol managed to emerge unscathed, and in 1997 founded Starluck Casino in the Caribbean, providing online gambling to customers in the U.S. and elsewhere. The company had a big hit with its PartyPoker website, which became the dominant force in U.S. online cards, and then renamed itself PartyGaming.

Parasol, who has been living in Gibraltar for most of the past decade, declined requests for an interview.

In 2005, PartyGaming's IPO became the largest London had seen in four years, valuing the company at more than $8 billion. Just then, debate over the U.S. legal status of online gambling flared.

Poker players sue to get to bottom of online cheating scheme

The Justice Department had long argued that Internet poker violated the Wire Act and other federal and state laws. Despite the success of PartyGaming and other offshore companies, no U.S.-based companies offered alternatives for fear of prosecution. 
In 2006, Congress clarified the matter by passing the Unlawful Internet Gambling Enforcement Act, or UIGEA, explicitly barring processing interstate or international poker transactions where state laws forbade such gambling. PartyGaming responded by pulling out of the U.S., leaving two-thirds of its players behind to be claimed by privately held offshore companies.

The law didn't snuff out online poker in the U.S. as players migrated to other offshore providers. Research firm H2 Gambling Capital estimates the U.S. accounts for about $400 million of global annual online poker revenue of nearly $5 billion, or 8 percent. Depending on how many states ultimately legalize online cards, that share could rise to as high as 28 percent in five years, the company says.

PartyGaming's problems didn't end when it left the United States. In 2008, co-founder Anurag Dikshit pleaded guilty to gambling via the wires in federal district court in New York. He forfeited $300 million and agreed to cooperate with prosecutors, leading PartyGaming itself to settle in 2009. The company paid $105 million to avoid prosecution for pre-UIGEA violations. Dikshit couldn't be reached. His lawyer didn't return calls seeking comment. 

In 2010, prosecutor Arlo Devlin-Brown told the court that the probe was continuing and referred to documents under seal. He recently told Reuters he could not comment further, leaving open the possibility that Parasol could be charged if she returns home to the United States. 

PartyGaming's fortunes recovered as it began to focus on non-U.S. customers. Last year it bought rival Bwin Interactive of Austria and changed the merged company's name to Bwin.Party, with annual revenue of 691 million euros, or $902 million. 

During the merger talks, the regulatory suitability of PartyGaming and Parasol became an issue. Parasol and her husband, Russell DeLeon, agreed that the board could force them to restructure their more than 13 percent stake in the merged company or sell it if "required by any gaming regulatory authority in connection with business opportunities," according to merger documents filed with regulators. 

That clause wouldn't apply, however, if the licensing process is "more burdensome to the principal PartyGaming shareholders than the licensing requirements currently imposed by the state of Nevada." That means the couple's stake could, in effect, block deals in states with tougher standards. Bwin.Party's Ryan said he couldn't imagine the couple standing in the way. DeLeon couldn't be reached for comment.

Now partnered with MGM Resorts, Bwin.Party has applied for a Nevada license to offer Internet poker software and services. Co-CEO Ryan said the joint venture will handle all U.S. games where players pay to play and can cash out their winnings. 

In the meantime, he said, Bwin.Party will promote its brands through a social game, to be announced soon, without the ability to cash out. Ryan said negotiations with Facebook, a likely game platform, are continuing.

Facebook declined to comment. MGM did not respond to repeated interview requests about its choice of Bwin.Party.

'Prettiest girl in town'  
One of Bwin.Party's top rivals is also listed in London but based in Israel. That company is 888 Holdings, founded by a dentist inspired to put poker on the Net after a 1996 trip to Monte Carlo. The late Aharon Shaked and his brother Avi mortgaged their homes to fund the company, and their families and a co-founding family still have majority control.

In 2006, 888 joined PartyGaming in pulling out of the U.S. market. But for a time before that, 888's Casino-on-Net gambling website was among the top 10 buyers of banner ads aimed at U.S. home Internet users, reaching more than 10 percent of them in a single week, according to Nielsen/NetRatings.

In 2007 the company acknowledged it was in settlement talks with the Justice Department over suspected breaches of pre-2006 anti gambling laws. No charges were filed.

The 888 deal with Caesars that Nevada regulators approved last year was a trial run of Caesars-branded online poker in the British market, where such games have been legal for years. Caesars, operator of the Strip's Caesars Palace, Harrah's and Rio, has since expanded its relationship with 888, agreeing to use its software in the United States once states approve.

Ambitions are running high at 888. "The most exciting market opportunity for the industry must be that of the States, and we are definitely the prettiest girl in town, with everybody keen to have discussions with us," 888 Chief Executive Officer Brian Mattingley told investors last month. Officials at 888 declined interview requests, as did those at Caesars.

Lipparelli, the Nevada Gaming Control Board chairman, said scrutiny of the initial Caesars venture was lower than what it would have been for a U.S. venture. He said current investigations of Bwin.Party, 888 and more than 20 other license applicants would be far more rigorous than anything the overseas outfits had experienced in their home countries. "Some will probably not make it through," Lipparelli said. 

He said confessions of pre-2006 wrongdoing wouldn't automatically prevent licensing, though. Gambling executives say they expect smooth sailing in Nevada because regulators want to add local technology jobs. Concern about past lawbreaking "has all gone away," one casino executive said. 

One big test could come in the case of PokerStars, based in the Isle of Man, and Full Tilt Poker, based in the Channel Islands, which together snapped up most of the U.S. market after the 2006 law was passed and PartyGaming ran for the exits.

Last year, on an April day known in online poker circles as Black Friday, federal prosecutors unsealed indictments alleging illegal gambling, bank fraud and money laundering against the founders of PokerStars and Full Tilt. Preet Bharara, U.S. Attorney for the Southern District of New York, said Full Tilt had operated as a Ponzi scheme, relying on new players' deposits to cover payouts to older customers while executives and advisers took hundreds of millions of dollars from player accounts.

The indictments prompted Wynn Resorts Ltd to drop a weeks-old "strategic relationship" with PokerStars. The main owner of Station Casinos, which serves Las Vegas locals at 11 casinos off the Strip, abandoned a similar tie-up with Full Tilt. Neither Nevada company returned calls seeking comment.

Full Tilt has shut down while it negotiates with the Justice Department. But PokerStars remains the biggest site worldwide, with what others in the industry believe tops $1 billion in annual revenue. It harbors hopes that a deal with prosecutors could pave the way for a return to the U.S. 

People familiar with the situation say that as part of the settlement talks with the Justice Department, PokerStars is considering buying Full Tilt and refunding U.S. players hundreds of millions of dollars missing from their accounts. PokerStars confirmed the settlement talks but declined to comment on Full Tilt or its American aspirations. Full Tilt officials couldn't be reached for comment. 

'Concerned about probity'  
In California, casinos and gambling-software companies already are scurrying for deals with the tribes and others that would be eligible for direct licenses under a bill pending in the state senate. Caesars manages the Rincon tribe's Harrah's casino and is hoping to build on that with software from 888. 

A coalition of tribes and card rooms known as the California Online Poker Association has signed up to use software from Playtech Ltd, a London-listed British company. About 40 per cent of Playtech is owned by Teddy Sagi, an Israeli billionaire who pleaded guilty to stock manipulation and bribery in 1996 in a scandal known as the Discount Affair. He was sentenced to nine months in prison. Playtech didn't respond to a request for comment.

The tribes are aware of the risks of choosing partners that won't satisfy the state Justice Department, which the current bill would empower to approve license applications.

"We are very, very concerned about probity," said Joaquin Fletcher, president of the Pechanga Development Corp, owner of the Pechanga Resort and Casino in Temecula, California. "We don't want whoever we pick to just create more nightmares down the road." 

Similar concerns are on the minds of social media companies.

Zynga, the dominant provider of recreational games on Facebook, has 36 million monthly average users of its Texas HoldEm Poker, the second most popular game on Facebook after its CityVille, according to market research firm AppData.

The card game doesn't require regulation because players don't receive cash payouts, though they often pay for extra chips to play with. Those virtual chip purchases have made the game one of Zynga's top earners and opened the company's eyes to the potential of the real thing. 

Lazard Capital Markets said in March that it expected Zynga to move "aggressively" and capture an extra $100 million in annual profit by offering online poker with cash payouts and prizes. 

Zynga has held talks with Bwin.Party, 888, multiple California tribes and card rooms, and the big brick-and-mortar casinos, people familiar with the discussions said. The company might experiment first with poker in well-regulated overseas markets such as the United Kingdom, they said. Zynga declined to comment.

The gambling majors have seen the promise of social networking as well. MGM Resorts, like Bwin.Party, is planning its own game without cash payouts but with social networking built in. Caesars recently bought game application developer Playtika, which has a popular free slot machine app on Facebook called Slotomania, and it launched a Caesars-branded casino game suite there, too. 
Despite the enthusiasm, the risks of a regulatory, legal or public-relations setback for Zynga and Facebook are substantial, even if they partner well. 

With millions of free players, "it's very likely these people can be converted" to playing for real money, said one longtime offshore poker executive. "But do they want a headline saying some kid lost $10,000 playing poker on Facebook?"

More content from msnbc.com and NBC News:

• Gov. Christie's pension issue: Double-dipping in New Jersey
• Edwards case: Dismissal denial anything but routine
• Video: Obama, Romney play up gay marriage split
• Four heading to Christian youth rally killed in plane crash
• BU mourns deaths of 3 students in New Zealand crash
• Father: 'Miracle' as woman fights flesh-eating bacteria

It should be clear by now that nothing online is sacred, and no security company is safe from hackers. VeriSign Inc., the firm at the center of so many critical systems on the Web, was infiltrated by hackers in 2010.  Because details of the attack, first disclosed Thursday by Reuters, are so vague we are left to assume the worst -- and the worst is pretty bad.

It's possible that the VeriSign hackers could turn the Web upside down and create an Internet where nothing would be what it seems.  A hacker website could look and act just like your bank's website. Your PC could easily be tricked into downloading automatic software updates that would appear authentic but actually contain viruses. And no matter what web address you typed into your browser, you could be redirected to a criminal's website half-way around the world.

But there's important context to this story which might ratchet down the "Oh My God!" factor considerably.  For starters, there is reason to believe that VeriSign's revelation is nothing more than evidence companies are starting to comply with rules forcing them to disclose such incidents: In other words, similar successful hacks like this may have occurred in the past but simply went unreported.  We'll discuss the evidence for that in a moment. First, let's look at the possibilities raised by the VeriSign attack.

VeriSign is involved in two distinct, fundamental Internet security structures that could be impacted by this attack.  A successful attack on one would be serious, but a raid on the other could threaten the Internet itself. So let's start there.

VeriSign's most critical function is its role in the Domain Name System address book, which governs what happens when Web users type common name Web addresses into their browsers.  There are 13 "root"  DNS servers placed strategically around the planet for redundancy. VeriSign operates two of them. Should a hacker gain access to this part of VeriSign's business, he or she could theoretically poison the other 11 root DNS servers, and the bad data would eventually spread to the other DNS servers. The consequences could be dire: It could mean that everyone who typed "msnbc.com" into a Web browser would be sent to a computer controlled by criminals, instead of the real msnbc.com website.  A computer criminal with destructive intensions could theoretically ruin the database that maps names with IP addresses and effectively shut down parts of the Internet. It has long been discussed that these root name servers are perhaps the most vulnerable point of the attack on the Internet

But it's more likely that the agencies controlling the other 11 root Domain Name Servers would be able to regain control of the DNS table and restore the system within a day or two, if not within hours. As you might imagine, root DNS servers do disagree from time to time and there is a process for handling that.

It's also important to note that VeriSign, in the SEC disclosure which started this incident, claims that its DNS servers were not attacked by hackers.

"Access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ("DNS") network," the firm wrote in the filing.

VeriSign's other crucial function is issuing digital certificates through its VeriSign Authentication Services group. Certificates impact your computer use every day because they tell your PC that a company's website or software is really what is says it is. Certificates are a crucial part of the SSL system that ultimately displays a friendly looking lock when you visit your online bank.  They also identify the legitimacy of software updates sent to your computer by software makers.  Many modern PCs won't install software unless it is digitally signed. 

A hacker who could influence the way VeriSign issues certificates would be a massive problem for both consumers and corporations.

"VeriSign is one of the most important enterprise trust authorities in the world, which delivers people safely to more than half the world's websites,” wrote Catalin Cosoi, Chief Security Researcher at Bitdefender Labs. “A certificate issued by VeriSign will automatically be accepted by both browsers and operating systems. This kind of incident practically voids all the security provided by 64-bit operating systems,"

In other words, hackers would have an easy time loading viruses onto PCs around the world.

That's terrible, but it's not new. Virus writers have been compromising certificate issuers with abandon for the past 18 months. It's one of the reasons that Stuxnet computer virus managed to infect millions of PCs worldwide.  That also means structures are in place to deal with fraudulent certificates.

"The worst case scenario would be several phishing attacks with valid certificates that browsers will render as legit," Cosoi said. "This would potentially yield a huge level of data that could be exploited for financial gain. However, it’s important to remember that a strong anti-phishing solution will keep you protected."

Of course, it's not even clear from VeriSign's filing that its certificate business was compromised.  Complicating matters further: Symantec Corp. purchased most of that business from VeriSign last year. For its part, Symantec said on Thursday that the assets it acquired in the sale were not compromised.

"We want to make it very clear that Symantec takes the security and proper functionality of its solutions very seriously. The Trust Services (SSL), User Authentication (VIP) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing," said Symantec spokeswoman Nicole Kenyon in a statement to msnbnc.com.

Of course, it’s possible that one of Verisign’s other business unit – it provides extensive security consulting, for example – was the hackers’ only target.  That seems unlikely, however, given the target-rich environment the offers to computer criminals.

To be sure, many experts think the Verisign attack is serious business.

"The SEC filing says 'Information stored on the compromised corporate systems was exfiltrated.' That sounds like a targeted attack to me," said Mikko Hypponen, chief technology officer at F-Secure.com. "Like the one against Google. And RSA. And Lockheed-Martin."

But it's possible the VeriSign admission, buried in the SEC filing, is little more than paperwork which puts in print something that security professionals have long understood: No firm is safe from hackers.  This might be at once comforting and disturbing: In October of last year, the SEC issued guidelines that called out public firms for under-disclosing security leaks and hinted strongly that fines would come when firms failed to report successful hacker attacks. The VeriSign quarterly report was issued soon after, and it's easy to imagine the disclosure is more routine than anyone would like to admit.  In fact, Stewart Baker, a lawyer at Steptoe & Johnson, predicted as much in a blog earlier this month.

"With enforcement so easy, and the harm from breaches so tangible, so serious and so likely to bring headlines, no one should expect the enforcers to go easy on companies that have been slow to disclose. Instead I expect a growing wave of cases based on companies' failure to make timely disclosure of ongoing breaches," he wrote.

Clearly, admission by VeriSign that executives at the firm were unaware of the breach shows a terrible lack of coordination inside the firm. And it's scary to read this admission, too: "Given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information."

Still, it’s important to note that we are talking about attacks that could be a year old, and whatever they were, criminals are already deep in the process of exploiting them. Sad to say there’s nothing most consumers can do in response to this report.

In health news, there’s always the complicated issue of increased diagnosis vs. increased incidence. Is a new disease on the rise, or are we simply better at finding cases of it? The VeriSign incident raises the same question.

But the deeper truth here is probably something that professionals have known for some time: In the cat and mouse game between hackers and security firms, hackers are winning and, in some places, it's starting to look like a blowout.  

 Don't miss the next Red Tape:
*Get Red Tape headlines on your Facebook Wall
*Follow Bob on Twitter. 
*Get an e-mail newsletter with Red Tape stories (requires Newsvine registration).

By Rich Gardella and Jamie Forzato, NBC News

Amid growing calls for more government regulation of the Internet, the United States is conducting what it calls "a sustained law enforcement initiative aimed at counterfeiting and piracy" – an effort that already has resulted in arrests and the seizure of 125 websites.

Ask anybody who uses a computer if they've ever downloaded or streamed media content for free on the Internet, and the answer most likely will be yes. The U.S. government and the American media industry say as much as a quarter of this kind of media traffic violates U.S. copyright law, and both are getting serious in their attempts to turn off the spigot.

But detractors of the crackdown say that the government shouldn’t side with industry and attempt to restrict what flows across the Internet.

(A similar debate unfolded this week at the G8 summit in Paris, with French President Nicolas Sarkozy arguing that governments need to impose more rules of the road on the Internet, and tech leaders like Google’s Eric Schmidt and Facebook’s Mark Zuckerberg warning that could stymie innovation and squelch free expression.)

The most recent skirmish in the escalating conflict occurred this week, when the U.S. Immigration and Customs Enforcement agency (ICE) announced that its Homeland Security Investigations unit had seized the domain names of five websites that it said were being used to sell counterfeit goods or illegally distribute copyrighted materials, including media content.

"American business is threatened by those who produce counterfeit trademarked goods and pirate copyrighted materials," ICE Director John Morton said Wednesday in a press release announcing the seizures. "From counterfeit pharmaceuticals and electronics to pirated movies, music, and software, IP thieves undermine the U.S. economy and jeopardize public safety. Our efforts through this operation successfully disrupt the ability of criminals to purvey counterfeit goods and copyrighted materials illegally over the Internet."

The crackdown – dubbed “Operation In Our Sites" – is being spearheaded by ICE’s National Intellectual Property Rights Coordination Center, working in coordination with U.S. attorneys' offices across the country. The initiative has so far seized the domain names of 125 websites since it began last year, ICE says, effectively shutting them down.

Of the seized website domains, approximately 25 – including two of the five announced this week – were hosting or linking to copyrighted media content illegally, the government says. (The rest have been selling counterfeit goods, everything from shoes and clothing and accessories to DVDs of movies and TV shows to pharmaceutical products.)

Free downloading or "streaming" media content from Internet websites – including movies, TV shows, sports events and music – is a big and rapidly growing business. While an exact number is difficult to pin down, available data and estimates show that millions of streamings and downloads occur daily. 

A lot of that traffic is legal – downloading or streaming a full episode of a current television program from an authorized and sponsored service, such as a network's website, for example.

But the U.S. government and the American media industry claim a significant amount of it is illegal. A lot of the media content streamed and downloaded is copyrighted – owned by the person or entity that created it – and a lot of the services providing access to the material don't have permission from the copyright holder to do so.

The government and the media industry say U.S. copyright law (specifically, 18 USC 2319), states that distributing such content without permission from the copyright holder is a crime – copyright infringement.  They generally use a simpler name: theft – of intellectual property, or "IP theft" for short.

It’s been more than a decade since the online music-sharing service Napster made headlines for distributing copyrighted content without permission.  At the service's peak, millions of Napster users traded and downloaded millions of data files containing copyrighted music, free of charge. The music industry, through some of its largest companies, sued over copyright infringements and lost revenue. After losing in federal court, Napster shut itself down in 2001. (Its name and now-legal music service lives on as a part of the electronics retailer Best Buy.)  Despite Napster’s legal troubles, online services providing unauthorized access to copyrighted media content have continued to ply the Internet, though not on such a large scale.

Study: Nearly a quarter of streams, downloads illegal
The media industry seeks to quantify IP theft as a problem.  

It commissioned a study that found that almost one-quarter of all that streaming and downloading is illegal.  In a January report, the Internet intelligence and research company Envisional of Cambridge, England, found that "across all areas of the global internet, 23.76 percent of traffic was estimated to be infringing" on copyrighted material.  

(The report, "An Estimate of Infringing Use of the Internet," was commissioned by NBCUniversal Media LLC, part owner of msnbc.com. The media industry's powerful lobby, the Motion Picture Association of America, supports its conclusions. Microsoft, another parent company of msnbc.com, also is a leading advocate of stricter enforcement of digital copyright protections.)  

The industry claims that all that copyright-infringing media traffic translates not only to lost revenue, but also to lost jobs and wages for media industry workers.

The Motion Picture Association of America claims illegal streaming and downloading cost American workers 375,000 jobs and $16 billion in earnings every year.

A public service announcement, originally produced for the City of New York to help protect its film and television business, with support from NBCUniversal, makes that point bluntly.

Comedian Tom Papa appears on a New York City sidewalk as a vendor hawking illegally downloaded "free movies." As passers-by express interest, Papa gestures to a woman standing beside him carrying audio equipment, who looks a bit forlorn. 

"These are illegally downloaded movies," Papa says, "and because of that people like her are losing their jobs."

"Whether you get it off the streets or off the Internet,” Papa concludes, now facing the camera, "digital piracy and product counterfeiting are not victimless crimes." 

The federal government has adopted that message, releasing the public service announcement to the public through its own media office, and linking it to some of now-shuttered websites whose domains it has seized.

A warning to surfers
Visitors to these websites are redirected first to a government warning banner bearing the seals of the Department of Justice, the National Intellectual Property Rights Coordination Center and Homeland Security Investigations. The banner states that the government has seized the domain name, that it is illegal to reproduce or distribute copyrighted material without authorization and that willful offenders risk prosecution for criminal felony violation copyright law. If convicted, the banner warns, even first-time offenders "will face up to five years in federal prison," plus "restitution, forfeiture and fine."  

William Ross, the unit chief for investigations at the National Intellectual Property Rights Center, said Operation In Our Sites is about enforcing copyright law and protecting the U.S. economy from intellectual property theft, which the government considers a national threat.

"We try to protect the economic interests of U.S. industries and manufacturers," Ross said. "We're protecting them from other people taking their ideas and selling them."

In some cases, the government has arrested and charged website operators. In February, it arrested and charged a Texas man who had streamed copyrighted sports events on one seized site, channelsurfing.net, claiming he'd collected $90,000 in online advertising revenue.

Most of the seized websites appear to be strictly online operations, and their operators were difficult to contact.  But NBC News found one willing to talk: Waleed Gadelkareem, an Egyptian businessman.

The U.S. government seized his domain – torrent-finder.com, which was based in the U.S. – in November. He says his site was getting 100,000 hits a day and generating revenue from online advertising. 

But Gadelkareem claims he wasn't doing anything wrong. He said his site was a just a search engine that linked to other sites with such content, just like other big search engines do.

"It's a dirty game they are playing. and it's totally unfair," said Gadelkareem, interviewed via Skype from his home office in Alexandria, Egypt. "I don't try to sell anything. I'm a search engine. I don't have any database of any copyrighted materials."

Ross said he could not discuss Gadelkareem's case, an ongoing investigation. But he said every website the government acted against was violating American copyright law. 

After the government seized his U.S.-based domain, which was run from a server in Texas, Gadelkareem changed its name slightly, to torrent-finder.info, and moved it to a server based in Sweden.  He continues to operate it from Egypt.

Ross said the U.S. is working with foreign governments to shut down sites if they move out of the U.S. "We keep going after them,” Ross said, “no matter how many times they come back up."

Proposed legislation in Congress would give the U.S. government the power to shut down copyright-infringing websites in other countries – even if they mainly link to copyright-protected material without permission.

Businessman says he was wrongly shut down
Waleed Gadelkareem sees big business behind the government’s efforts.

"The USA government is trying to shut it down," Gadelkareem said, "for the sake of a group of rich businessmen.  That's what I think. That's (what) everybody thinks."

His American lawyer, David Snead, who represents and advises online service providers who distribute content on copyright issues, agrees.

"The government is doing industry's bidding here," Snead said. "I think that it is wrong for prosecutorial resources to be used on behalf of any one industry."

There is vigorous debate in the various precincts of the Internet about whether the government's crackdown and seizures are appropriate. 

The media and entertainment industry – including NBCUniversal – has long advocated more government enforcement of intellectual property violations.

Ross said the motivation for the government's efforts to crack down on unauthorized distribution of media content is simply to enforce copyright law and to protect the U.S. economy and jobs.

He says the media industry itself takes down far more websites hosting illegal copyrighted content than the government does, using its own mechanisms.

"They have a lot more resources, a lot more manpower to do those type things than we have within the government,” Ross said. “So what we're doing is a very small percentage."

As the government and industry crack down on supply, what will happen to demand – the computer users who aren't distributing unauthorized media content but are consuming it, who initiate all those unauthorized downloads and streams?

NBC News recently discussed these issues with six college students at the University of Maryland. 

"I think it's common, especially among college students,” said one, “because it seems anonymous and it seems like something you can get away with."

All six students we talked to at the University of Maryland/College Park agreed that hosting or providing access to copyrighted content without the permission of the copyright holder was illegal. 

They made a distinction between illegal and wrong, however, with only one saying it was wrong.

"If it violates the law," the student said, "then, yeah, I think it should be enforced."

But while five of the six thought that consuming copyrighted media content without the permission of the copyright holder was illegal, none thought that was wrong.

"I just don't think that it's wrong enough for me to stop doing something that's so easy and so available to me," said another, expressing the view of the majority.  "I just don't feel it's wrong."