The following
are articles, links, web
page content and other information we find
interesting about privacy.
They are listed below in the order shown. Click on the title or
scroll down and read them all. Please comment if you like.
* * * * * * * * * * * * * * * * * * * *
List of Privacy Articles
* * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * *
Thursday August 10
Reno Plans FBI E-mail Probe
By MICHAEL J. SNIFFEN, Associated Press Writer
WASHINGTON (AP) - The Justice Department will hire a major
university to conduct an independent analysis of the FBI's
"Carnivore" e-mail surveillance system, Attorney General Janet
Reno said Thursday.
"The university review team will have total access to any
information they need to conduct their review," Reno told her
weekly news conference.
The team report will be made public and a review team of top
department officials will ask privacy and law enforcement
experts to comment before making a final recommendation to Reno.
"I would hope we could do it quickly," Reno said.
Assistant Attorney General Steve Colgate, a career official
who is supervising the review and will chair the department
review committee, said Reno might be able to choose a university
in 10 days and that final recommendations from the university
and from the department panel might reach her by Dec. 1.
"Carnivore" is the name for an FBI system for monitoring
e-mail transmissions that has caused an uproar in Congress
and among privacy and civil liberties advocates.
The system is composed of a computer running the Microsoft
Windows NT operating system and software that scans and
captures "packets," the standard unit of Internet traffic,
as they travel through an internet service provider's network.
The FBI installs a Carnivore unit at a provider's network
station and configures it to capture only e-mail going to
or from the person under investigation.
FBI officials say they obtain court orders for the surveillance
and see only those e-mails covered by the orders. But privacy
advocates say only the FBI knows what Carnivore can do, and
Internet providers are not allowed access to the system while
it is installed.
"As much as possible will be made public, and we will get
as much input from outside as possible," Colgate said Thursday.
Reno and Colgate said that the FBI, state and local law
enforcers and privacy and civil liberties groups will be
consulted not only on the choice of a university and the
scope of its review but also for their reactions to any
recommendations from the university panel.
The university team will have complete access to all
hardware and software involved, including the computer
source code for Carnivore, Colgate said. The source code,
however, is likely to be withheld from
the public, because it is a trade secret of the company
that produced the software, Colgate said. He said the
commercial software had been modified by the FBI.
The department's chief science and technology officer,
Donald Prosnitz, formerly a physicist at the Lawrence
Livermore National Laboratory in California, has contacted
three major universities and will probably contact another
six before recommending one to Reno, Colgate said.
"Some folks have volunteered to do this for free," Colgate
said. He said Reno would select a university with computer
security and Internet expertise but the school might also
bring outside experts into its review.
Colgate anticipated that among the schools that Prosnitz
will contact is the University of California at San Diego,
which he said had had some preliminary discussions with the
FBI about a review before Reno expanded the review to include
officials outside the FBI.
Reno said Colgate will chair the department panel that
analyzes the university's recommendations for her. Also on
that panel will be FBI Assistant Director Donald Kerr, a
nuclear physicist who heads the FBI laboratory; Prosnitz;
Ed Dumont, the Justice Department's chief privacy officer;
and a senior representative of the department's criminal
division.
* * * * * * * * * * * * * * * * * * *
Does Issuing Passports Make Microsoft a Country?
Posted by Joel Spolsky,
7/26/00
Am I the only one who is terrified about Microsoft Passport?
It seems to me like a fairly blatant attempt to build the
world's largest, richest consumer database, and then make
fabulous profits mining it. It's a terrifying threat to
everyone's personal privacy and it will make today's "cookies"
seem positively tame by comparison. The scariest thing is
that Microsoft is advertising Passport as if it were a
benefit to consumers, and people seem to be falling for it!
By the time you've read this article, I can guarantee that
I'll scare you into turning off your Hotmail account and
staying away from MSN web sites.
This article has two parts. First, I'll present a brief
technical overview of how Passport works and why it
eliminates the last line of defense protecting your privacy.
Second, I'll talk about how Microsoft plans to develop
Passport to create a massive consumer information database
and link all your private information together, and how
they plan to profit fantastically from it.
But before I get started, let me say that I'm not just
writing this to bash Microsoft. That's not my goal here.
Microsoft is a large, diverse company with many smart
people and many ethical people; they have many great products
and some pathetic products, too. I spent 3 years working
at Microsoft, many of my friends are still there, and
I'm a Microsoft shareholder. I'm writing this article
because I think the Microsoft Passport story is fascinating
from a privacy perspective and from a business strategy
perspective, and because nobody else seems to be covering it.
1. How Passport Works
In the olden days of interactive computing, you got an
account on one computer which was all you ever used. You
had one username and one password to remember. The web has
changed things dramatically: because it is so easy to visit
lots of web sites, you may have accounts with dozens of
companies on dozens of different computers. I have 81 at
last count. Most people have no hope of remembering 81
different account names and passwords, so they tend to
just use the same password on every site, or they keep a
long list of passwords written down somewhere. It's a bit
of a nuisance. If you regularly shop online, you're probably
getting sick of typing in your home address, credit card
information, and remembering the user name and password
for all those sites. It's extremely common for people to
abandon their shopping carts on the web when they see the
long form they have to fill out to make an account and
purchase their products.
This is the kind of problem that Passport is promising
to solve. To understand how it works, I'd like to take a
few minutes to talk about some web security and privacy
technology and how Passport subverts it.
How Cookies Work
There's a lot of wrong information about cookies out there.
All a cookie does is tell a web site operator when somebody
comes back to their site that has been there before. It
doesn't give the web site operator any information about
that person's identity; it just says "Hey, that visitor
who was here last Tuesday at 4:15 PM? That person is back
again."
Technically, the way it works is that when you go to
the web site for the first time, the web server makes up
an ID for you. For example, if I go to www.eCrap.com,
it might make up the number 76JU589SU for me, which is
completely meaningless. The web server sends this meaningless
ID number to my web browser, which stores it.
Now, the next time I go to eCrap.com, my web browser
will tell the web server: "Yo, in case you care, this
is 76JU589SU coming back again. Thought you might want to
know."
That's all there is to it. Now, since eCrap is smart,
they opened a file on me, marked 76JU589SU. In that file,
they could keep any information I give them. If I buy
something from eCrap and give them my address, they could
store my address in their 76JU589SU file. And my credit card.
And a list of the things I bought. Next time I wanted to buy
something, since they already knew who I am, they can offer
to let me purchase it without typing in an address or credit
card number, because they can just look that up in their file.
Theoretically, the only information eCrap can put in their
file is the information that I give them. Amazon's files
probably contain information about what books I bought,
my address, credit card information, and maybe some
information about what books I looked at but didn't buy...
any information that they can gather from my activity on
their web site. Amazon does not know how old I am or what
color my hair is, since I never told them that information.
They don't know that my favorite cafe is The Big Cup in New
York City, because I never gave them that information, either.
But they do know that I bought the book 101 Cute Puppies
from them. One day, if 101 More Cute Puppies comes out,
they are probably going to search their files for people
who bought 101 Cute Puppies and tell us about the sequel
the next time we log on.
How Cookies Protect Your Privacy
Now, suppose I decide to open a credit card account online.
Of course, the credit card company would probably love to
know that I just bought "Bankruptcy for Dummies" and "How to
Stiff Everyone And Move To Brazil" from Amazon.com, but they
are not going to find out. Why? Because my web browser will
simply never send my Amazon cookie to the credit card company.
The golden rule of cookies is that they are only sent back
to the same web domain as they came from. This is important
to remember, because it's the only thing that really protects
you from having all the web sites you visit swap information
about you. I don't want my credit card company to know that
I bought a bankruptcy book. I don't want potential landlords
to know that I read lots of articles about caring for
Boa Constrictors. I don't want potential employers to know
that I read web sites about homemade bombs. They'll probably
take it the wrong way.
Unfortunately, this is one case where the consumer's interests
and the web site's interests are diametrically opposed.
Every web site in the world wants to show you targeted ads.
When I visit The Dilbert Zone, they would love to know that
I read The Jerusalem Post online and send me an ad for
luxury apartments in Israel, because targeted ads sell for
a lot more money than non-targeted ads.
Subverting The Golden Rule
Web advertising companies, like Doubleclick, are trying to
collect as much information about people as possible, so that
they can send them targeted ads. The way they do this is by
having their member sites show ads which come from the same
web domain.
Here's an example of how this works: I go to The Jerusalem
Post to read the latest news. The Jerusalem Post web site
includes an advertisement which is actually served up by
the Doubleclick web server. Now Doubleclick opens a file
on me and sends a cookie back to my web browser.
Later that day, I go to the Dilbert Zone. Dilbert also
includes an advertisement, also served up by the
Doubleclick web server. Remember, the golden rule of cookies
is that they are only sent back to the same web domain as they
came from. So my naive web browser says, "Oh, you're going
back to Doubleclick, I'll just tell them that you're the
same person that was here before..." and now Doubleclick
knows that somebody who went to The Jerusalem Post before
is now visiting Dilbert, so they show me that ad for the
expensive apartment in Israel.
Passport Has Another Way
The Doubleclick trick for sharing your information only
works for ads, but Microsoft Passport found a way to work
around the golden rule for any site. Here's how it works.
Go to http://www.hotmail.com. Watch what your web browser
does. You'll see that your browser first goes to Hotmail for
a second, then jumps to www.passport.com for a split second,
and then immediately goes right back to Hotmail. What's going on?
It turns out that there's a feature to allow a web page to
tell your browser to go somewhere else instead. For example,
if you try to go to eCrap.com, that site might tell your web
browser "Oh, we've gone bankrupt. Please go to our lawyer's site
instead, DeweyCheatumAndHowe.com." It's called a client redirect.
That's what Hotmail is doing. It only takes a couple of
seconds, but while it's happening, Hotmail and Passport are
communicating through your web browser about who you are.
Now, if you go to another Microsoft web site, say,
www.investor.com, the same thing will happen: you'll get
redirected to Passport and then back to Investor. Because
Passport is "telling on you", even though your web browser
is supposed to be protecting your security by following the
golden rule of cookies, it's really Passport that is signing
you in. Bottom line: Hotmail knows that you're the same
person that just went to Investor. And that applies to
any Microsoft web site: Slate, Expedia, Hotmail, Investor,
MSN, etc.
The way Passport uses client redirect to subvert cookie
security is basically just taking advantage of a security
hole in web browsers. Cookies weren't meant to allow this.
But you can bet that this is one security bug that Microsoft
is not going to fix.
To Summarize:
The golden rule of cookies that protects your privacy is
that they are only sent back to the same web domain as they
came from. Microsoft Passport eliminates this protection
allowing any Passport site to share information about you.
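The two mechanisms contrasted above, simulated in Python as an added illustration (this is not code from the original article or from Passport itself): a browser that returns cookies only to the host that set them, two unrelated sites that therefore cannot tell they share a visitor, and a central sign-in host that links the same visitor across member sites by carrying the identity in a redirect instead of a cookie. All host names, account names and ids are constructed.

```python
"""Cookie scoping versus redirect-based sign-in (constructed simulation)."""
from urllib.parse import parse_qs, urlencode, urlsplit


class Browser:
    """A minimal client: a per-host cookie jar plus redirect following."""

    def __init__(self):
        self.jar = {}        # host -> {cookie name: value}
        self.history = []    # every host contacted, in order

    def cookies_for(self, host):
        # The article's golden rule: only the host that set a cookie gets it back.
        return dict(self.jar.get(host, {}))

    def get(self, url, sites, max_redirects=5):
        """Fetch url, following Location redirects the way a browser does."""
        for _ in range(max_redirects + 1):
            parts = urlsplit(url)
            host = parts.netloc
            self.history.append(host)
            status, headers, body = sites[host].handle(
                parts.path, parse_qs(parts.query), self.cookies_for(host))
            for name, value in headers.get("Set-Cookie", []):
                self.jar.setdefault(host, {})[name] = value
            if status == 302:
                url = headers["Location"]
            else:
                return body
        raise RuntimeError("redirect loop")


class StandaloneSite:
    """An ordinary site (the article's eCrap): it recognises a visitor only
    by the opaque id it handed out itself."""

    def __init__(self, host):
        self.host = host
        self.next_id = 1000
        self.files = {}      # visitor id -> what this site alone learned

    def handle(self, path, query, cookies):
        vid = cookies.get("id")
        if vid is None:
            vid = f"{self.host.split('.')[0]}-{self.next_id}"  # like 76JU589SU
            self.next_id += 1
            self.files[vid] = []
            return 200, {"Set-Cookie": [("id", vid)]}, f"new visitor {vid}"
        return 200, {}, f"welcome back {vid}"


class IdentityProvider:
    """The central sign-in host (the role passport.com plays). It keeps its
    own cookie and learns which member sites each account turns up at."""

    def __init__(self, host):
        self.host = host
        self.sessions = {}   # session cookie value -> account name
        self.seen_at = {}    # account -> member hosts that asked about it

    def handle(self, path, query, cookies):
        return_url = query["return"][0]
        headers = {}
        sid = cookies.get("session")
        if sid is None:
            if "user" not in query:
                return 200, {}, "sign-in form"      # first-ever visit: prompt
            sid = f"s{len(self.sessions) + 1}"      # constructed session id
            self.sessions[sid] = query["user"][0]
            headers["Set-Cookie"] = [("session", sid)]
        account = self.sessions[sid]
        self.seen_at.setdefault(account, []).append(urlsplit(return_url).netloc)
        # The identity rides back inside the redirect URL, not in a cookie, so
        # the browser's cookie rule is never consulted on the way to the member.
        headers["Location"] = return_url + "?" + urlencode({"account": account})
        return 302, headers, ""


class MemberSite:
    """A site that has outsourced sign-in to the identity provider."""

    def __init__(self, host, idp_host):
        self.host, self.idp_host = host, idp_host
        self.files = {}      # account -> pages seen, keyed by the shared name

    def handle(self, path, query, cookies):
        account = cookies.get("account") or (query.get("account") or [None])[0]
        if account is None:
            q = urlencode({"return": f"https://{self.host}/"})
            return 302, {"Location": f"https://{self.idp_host}/login?{q}"}, ""
        self.files.setdefault(account, []).append(path)
        return 200, {"Set-Cookie": [("account", account)]}, f"hello {account}"


def run_standalone_sites():
    """Two unrelated sites: the second cannot tell it is the same visitor."""
    b = Browser()
    shops = {h: StandaloneSite(h) for h in ("shop-a.test", "shop-b.test")}
    b.get("https://shop-a.test/", shops)
    return b.get("https://shop-a.test/", shops), b.get("https://shop-b.test/", shops)


def run_federated_sites():
    """Sign in once at the provider; every member site then sees the same name."""
    idp = IdentityProvider("login.test")
    sites = {"login.test": idp,
             "mail.test": MemberSite("mail.test", "login.test"),
             "travel.test": MemberSite("travel.test", "login.test")}
    b = Browser()
    first = b.get("https://mail.test/", sites)     # bounced to the sign-in form
    b.get("https://login.test/login?return=https://mail.test/&user=alice", sites)
    b.get("https://travel.test/", sites)           # no form this time
    return first, sites["mail.test"].files, sites["travel.test"].files, idp.seen_at, b.jar
```

Note that travel.test never receives mail.test's cookie; the link between the two visits is made entirely at login.test, which is exactly the point the article makes about the redirect.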
2. How Passport Will Be Developed
The supposed benefit of Passport to consumers is that it
allows them to use one login and password to access all the
Passport web sites.
But the benefit to the web sites is much greater, because
now they can pool and share their information about you.
Let's take a hypothetical example that's possible today.
Microsoft's online travel agency Expedia is a Passport web
site, and Microsoft Investor is too. One day, Expedia could
start offering higher fares to customers who have more than
a million dollars in their Investor stock portfolio. There's
not really anything technically impossible about this,
and it's probably legal, too.
Web businesses would love to have a way to combine their
files on you. And the more businesses that have the
opportunity to combine their files, the more valuable
it is. There's a network effect going on here (a.k.a.
Metcalfe's Law): the value of a network of web sites who
swap data is the square of the number of sites in the
network, because every site can exchange data with every
other site.
The spooky thing about Passport is that there's one
company that serves as the gatekeeper to joining the
network: Microsoft. Which is why this has the potential
of being a phenomenally valuable business.
There are many ways Microsoft can profit from Passport.
They could charge a commission when web sites sell data
about consumers. They could sell private information which
they collect from their participant sites. Or they could
just charge web sites to belong to the network. It's a great
business that makes credit agencies look like they have nothing.
The scary thing is that if you use Internet Explorer, Microsoft
controls your web browser. You can be sure that Microsoft
would love to eliminate that nasty two second flash while
your web browser is redirected through passport.com.
I'll bet there's a feature under development for a future
version of IE that will make Passport just be built into
the web browser, or even built into the operating system
itself. Don't believe me? Here's a quote from Microsoft's
.NET white paper:
Building on Microsoft Passport and Windows
authentication technology, [Windows.NET] provides
levels of authentication ranging from passwords and
wallets to smart cards and biometric devices. Enables
developers to build services that provide personalization
and privacy for their customers, who in turn can enjoy
new levels of safe and secure access to their services,
no matter where they are or on what device. Supported
in the first major release of Windows.NET, code-named
"Whistler."
Notice the way Microsoft acts as if they are providing
"privacy" and a "new level of safe and secure access."
Uh huh. The best way to lie is through repeated assertion
until eventually nobody notices the lie.
Passport will be built into IE, it will be built into the
operating system, and it will be made available as a
programming interface so that developers can use it,
and frankly, there goes your last defense against
corporations building up gigantic super-databases with
outrageous amounts of personal information about everyone.
Yeah sure, Microsoft promises to protect your privacy...
Does anybody really believe this for a minute? Every day
there's a new story about a security breach -- Hotmail
itself, a Passport site, had a major security breach a
couple of months ago that made it into the headlines.
During the next wave of web based business failures, we're
going to start seeing a lot more stories like the one about
how toysmart.com, as soon as they went bankrupt, reneged
on their promise to protect the privacy of their customers.
Even the best laid plans to protect consumers' privacy
don't work. There are always software bugs and security
goof-ups. Unscrupulous employees on the inside abuse
their ability to look at the database. Court orders
and subpoenas force companies to divulge information
they promised to keep secret.
If Microsoft was honest about protecting your privacy,
they would let users keep their private information on
their own computers, and they would ask you every time
they were going to reveal some data.
But they're not being honest. They want all your data in
a big database on their server, thank you very much, and
they want you to click "I Agree" to the 27 pages of legalese
which says things like "Microsoft reserves the right to
amend this agreement at any time." If you really trust any
Internet company to protect your privacy, I've got a bridge
to sell ya.
Copyright 2000 by Joel Spolsky. All Rights Reserved.
* * * * * * * * * * * * * * * * * * *
Identity crisis
by Richard L. Brandt
July 10, 2000
UPSIDE TODAY - The big issue of the early 21st century is undoubtedly going
to be privacy. In the United States, we have not had much
privacy for years. But the spread of the Internet has brought
the issue to the forefront, much the way the Columbine shootings
pushed the issue of high school violence to the top of every
parent's mind. This is not an idle analogy. The Internet
highlights not just the best, but also the worst that
technology can bring us, including violence-advocating hate
groups, sexual predation, greed and fraud.
The question before us is whether we will use the technology
of the Internet to move toward an Orwellian future, or to
actually increase our privacy. Which path we take will not
be determined by the vagaries of politics, but by the driving
forces of capitalism.
Retailers, insurance companies and banks want to know
everything about us and, let's face it, they're getting it.
Capitalism is leading the invasion of privacy.
Mission impossible:
Despite the best efforts of the Federal Trade Commission
or the European Commission, governments have absolutely no
chance of changing this until all the governments of the
world come to a common agreement (which is probably not a
reasonable prospect for the 21st century). The U.S. government,
in its grand wisdom of trying to keep strong encryption
from getting into the hands of those nasty, foreign bad
guys, has simply succeeded in handing a $3 billion
data-encryption industry to Canada.
However, you cannot hide from technology. We have
incredibly powerful encryption tools, designed around
the laws of mathematics and Gordon Moore. Austin Hill,
president of Montreal-based Zero-Knowledge Systems Inc.,
recommends: "Put your faith in math, not in laws."
Zero-Knowledge is a prime example of the way in which
capitalist-inspired technology can solve the problem.
The company has created what may be the ultimate in privacy
systems, called "Freedom."
The system allows you to browse the Web, send email, and
join chat rooms and newsgroups anonymously. You set up an
identity (called a "nym") and the system makes it impossible
for anyone to trace the nym back to you. Your identity is
encrypted on one server, passed to another server and
encrypted again, passed to a third server and encrypted again.
Only the first server knows who you are, only the last one
knows your nym. But the bond between you is unbreakable,
if also untraceable. Not even the folks at Zero-Knowledge
can recreate the connection. Screw the FBI, not even a
subpoena can help track you down.
Is there danger of abuse? Sure. People will use it to
lie, cheat and steal. But they can already do that on the Web.
A whole new you!
The interesting thing about this system is that the nyms
can accurately represent you. Because the encrypted links
are unbreakable, a bank-credit rating can be transferred
to your nym -- or you can start from scratch and get the
nym to create its own rating. So much for that past bankruptcy.
Zero-Knowledge is also working on a Web-payment system
that your nym can use instead of a credit card (although
I am not sure what shipping address you give to the retailer).
You control this "reputation capital." You can sell it to
the marketing people, who get valid profiles of your
shopping habits, credit rating, or AARP membership, but
only through your nym.
The biggest obstacle: Privacy is like the weather. Most
people talk about it, but few actually do anything about it.
Still, this demonstrates not only that government
intervention is futile, but that it is unnecessary. If
people are willing to go for this model, we don't need
regulations. If they are not, we don't deserve them. It's
all up to us.
Copyright ©1997-1999 Upside Media Inc. All rights reserved.
* * * * * * * * * * * * * * * * * * *
07/13/2000
Lawsuit Charges Netscape With Spying On Customers
By Dan Ackman
Joshua Rubin says Netscape is handing out software that is
"covertly sending data to the mother ship." Rubin is not a nut;
he's a lawyer who recently filed a lawsuit he hopes will become
a class action against Netscape and its parent company, America
Online.
The action alleges that Netscape and AOL have been spying on Web
surfers by secretly recording what files they download via a
Netscape software product called SmartDownload.
SmartDownload is designed to facilitate the downloading of files
from the Internet. Its main feature allows users to resume downloads
that were partially completed when their Internet connection was
broken. The lawsuit filed in federal court in Manhattan alleges
that "Unbeknownst to [the program's users] and without their
authorization [Netscape and AOL] have been spying on their
Internet activities." The spying occurs, Rubin claims, when
Netscape captures "the name, type and source of each and every
.exe or Zip file that an Internet user downloads using
SmartDownload."
Rubin's claim follows actions alleging privacy violations against
Internet advertising giant DoubleClick (nasdaq: DCLK) and Internet
broadcaster RealNetworks (nasdaq: RNWK). It also comes at a time
when Internet privacy concerns are in the news and when the
Internet industry is trying to forestall restrictive
privacy-protecting legislation with self-regulation. Polls indicate
that Internet users are concerned about releasing personal
data online.
The action against Netscape and AOL (nyse: AOL) raises
interesting issues. But there are serious questions about
whether Netscape does what the lawsuit alleges and whether
the allegations, even if true, would constitute a violation of
federal law. If the allegations prove false, the lawsuit may
be a harbinger of a different trend--one in which plaintiffs
seek to profit from consumer paranoia about privacy violations
and from companies' fears that they can be labeled a
private-sector Big Brother based on vague or cursory allegations.
If that happens, such companies will have only themselves to
blame, says Eben Moglen, a law professor at Columbia University
and general counsel to the Free Software Foundation, a Cambridge,
Mass.-based organization dedicated to eliminating copyright
restrictions on software.
"Even if the thing turns out to be false, people have a big
problem," Moglen says. "They don't know what the software they
use does, and even if they do, they can't fix it; they can only
complain about it."
The plaintiff in the case is Christopher Specht. The complaint
says only that he maintains Web sites on the Internet. But his
main business is forensic photography, taking pictures of accident
scenes, injuries and other subjects that can be used as exhibits
in court. He also is a Webmaster for Web sites that promote
Playboy models and on which would-be professional models can
post their pictures and vital statistics. He and Rubin know
each other from prior cases, but both refused comment on the
genesis of the action.
Neither Specht nor Rubin would say how they know Netscape
records the files users download, but they do say that
Netscape's practice has been confirmed by independent
testers. Yet Rubin isn't clear why Netscape would want
the information.
"I imagine they profit from it. Otherwise they wouldn't be
doing it. I don't know. I'd just be speculating. But the
company has committed an offense," Rubin says. Neither Netscape
nor AOL returned repeated phone calls seeking comment.
Netscape doesn't need to track user downloads in order
to make SmartDownload do its basic work, says Michael Klein,
chief operating officer of Great Neck, N.Y.-based Forty
Software, the manufacturer of download facilitating program
Download Wonder.
"It's definitely possible, but it makes no sense at all,"
Klein says. "It's a lot of bandwidth on something that's
not necessary or desirable."
If Netscape is tracking its users' downloads, that may or
may not be illegal. The complaint cites the Electronic
Communications Privacy Act. That statute, enacted in 1986,
is designed to extend laws against wiretapping to the
interception of electronic communications. It also cites
the Computer Fraud and Abuse Act, which is designed to
prohibit the unauthorized entry into computer systems
and networks.
Yochai Benkler, a law professor at New York University,
calls the claims "plausible and creative, but not ludicrous."
Whether the surreptitious recording of downloads can be
considered the unauthorized interception of an electronic
communication, as the ECPA requires, "depends a lot on how
the software actually works," he says.
Bart Lazar, a Chicago lawyer who advises Internet companies
on their privacy policies, says the legality of the conduct
alleged depends on what the information acquired is used for.
It may be no more illegal than the use of cookies, a widespread
practice that allows Web sites to track where users go on the Web.
Rubin calls his claims "within the plain meaning of the
statutes," while allowing that "neither statute has yet
been interpreted to cover a claim of this kind."
The real problem, Columbia University's Moglen says, goes
way beyond the allegations in this particular complaint.
There is widespread suspicion of software distributed on
the Internet. "When the source code is not distributed,
people don't know how it works." This phenomenon, Moglen
says, makes it possible for viruses to spread quickly and
for bugs to spread without anyone being able to fix them.
It is this atmosphere of distrust that "reinforces the
sense that it is very dangerous for people to use tools
in a networked environment that they can't understand,"
Moglen says.
© 2000 Forbes.com
* * * * * * * * * * * * * * * * * * *
Security Experts Say Hackers Have the Edge
May 11, 2000 by James Niccolai
(IDG) -- Leaders from industry, government and law
enforcement hunkered down earlier this week for a day of
closed-door meetings in Menlo Park, Calif., to brainstorm
about the difficult task of protecting the world's
computer networks against cybercriminals.
One theme to emerge early on at the event,
billed as the Internet Defense Summit, was that
governments have neither the financial resources
nor the technical know-how to stay on top of
hackers and computer terrorists.
"The private sector must (provide for) themselves
much of the action which is necessary to prevent attacks
being made on the Internet," Raymond Kendall, the
secretary general of Interpol, said in a speech at the
start of the day's activities. "It's no longer
possible for governments to provide the kind of resources
and investment necessary to deal with
these kinds of issues," said
Kendall, who spoke via satellite link from Brussels.
The summit, which took place at the Stanford Research
Institute's (SRI) leafy campus, attracted more than 100
chief information officers and other top executives
from companies and organizations including IBM, Microsoft,
Visa International, the U.S. Postal Service and the Los
Angeles County Sheriff's Office.
Meetings were held behind closed doors to
encourage candid discussion
about security problems and the ways participants
have learned to cope with them. The event took place in
the shadow of the I Love You virus,
which emerged last week and has wreaked havoc in public
and private computer networks the world over.
"There won't be a lot of resolutions
passed here today, but the key is to get the dialogue
open and to get CEOs interested in providing their
customers with protection," William
Crowell, president and CEO of Cylink, which provides
security products and services for businesses, said
in an interview. "There are no cookie-cutter
solutions; every network is different," he added.
At the top of CIOs' concerns here was denial
of service (DoS) attacks, he said, which earlier this
year brought Yahoo, Amazon.com, eBay and other
high-profile Web sites to their knees. DoS attacks are
a key concern because the only way that is currently
available to prevent them is to catch the perpetrators,
Crowell said.
Second on the list of concerns was attacks
that reach into networks to steal valuable corporate
data. Firewalls are the best way to prevent data
theft that originates outside of a network,
while cryptography can help to protect data from
internal theft, he said.
Selwyn Gerber, a managing partner with
offshore banking firm PrimeGlobal
USA, said his company considers the Internet
so insecure that it won't use it at all to transmit
sensitive customer data. "We're back to
using faxes, and we find that much more secure. We use
FedEx. In fact, if there were ponies still
traveling across Europe we'd
probably use those too," Gerber said,
speaking at a lunch event that was
opened to reporters.
While the business leaders seemed focused
on computer hackers, Interpol's
Kendall said there is a "real danger"
of terrorists and hostile nations
using computer networks to wage international
warfare. "We know already ... that most
of the major terrorist organizations have
their own Web sites, and therefore have the
facility to carry out the same sort of action
that we've seen carried out over the last week,"
Kendall said, referring to the I Love You virus.
Cyberterrorism can be "more effective
and more costly" to governments
than "the classic methods of bomb attacks
and assassination," Kendall said.
"It is really a serious threat to all of
us and all of our societies."
Solutions seemed harder to come by
today than the problems discussed.
Governments, businesses and research
institutions must band together to
find the best technologies and courses
of action to defeat cybercrimes,
the participants said. And companies
must be more willing to invest in
security systems to protect their networks.
A few participants called on software
companies and service providers to
make their products more secure. Default
settings for software products
sold to consumers should be at the
highest level of security, they said.
"You wouldn't build a swimming pool
in the center of town and not put a
fence around it, and I think that's
what the software companies are
doing," Glenn Tenney, a director
with Pilot Network Services in Alameda,
California, said during the luncheon.
Although security firms have financial
incentives for promoting security
issues, for the average corporation, the
benefits of spending millions of
dollars to bolster security in networks
aren't immediately obvious, making
them slow to act, others said.
"If you have a choice of spending a
million dollars on getting 250,000
new customers, or a million dollars on
serving the ones you already have,
better, that's a difficult value proposition,"
Cylink's Crowell said, suggesting that most
companies would take the additional customers.
But the severity of attacks could get worse,
and businesses would be wise to make precautionary
investments now, he said. "I think we've been
lucky so far," Crowell said.
SRI International, which co-hosted Tuesday's
summit with its consulting
arm, Atomic Tangerine, used the event to
launch a new software component for Sun
Microsystems' Solaris servers. Called Emerald, it
is designed for network surveillance and intrusion
detection. In addition, Atomic Tangerine took
the wraps off of a new technology,
NetRadar, that uses sophisticated network
agents to reduce the threat of attacks before they
actually occur, according to Atomic Tangerine.
© 2000 Cable News Network.
* * * * * * * * * * * * * * * * * * * *
National Fraud Center White Paper Says Internet
Driving Dramatic Increase in Identity Theft
-- Balanced Approach Required to Address Issue
"Crime Of The '90s" Positioned
To Be The Scourge Of The 21st Century Without
Immediate Action, According To Report Distributed
Today At Washington, D.C., Summit On Identity
Theft
WASHINGTON, D.C.--(BUSINESS WIRE)--March
16, 2000 -- "The Internet, which provides so much
potential to the world's commerce, also stands
to provide so much potential to the world's
identity thieves," according to a White
Paper released by the National Fraud Center,
Inc. (NFC) at the National Summit on Identity
Theft in Washington, D.C.
"The computer and, more recently, the Internet
have brought identity theft to a much more
insidious level," says Norman A. Willox
Jr., Chief Executive Officer of the NFC and
author of the White Paper. "They have allowed
the identity thief to obtain personal identifiers
of multiple persons quicker; to access higher
quality fake identification tools (driver's
licenses, birth certificates, social security
cards, etc.) and, through e-commerce, to
render the credit transaction completely
impersonal. The potential harm caused by
an identity thief using the Internet is exponential."
The National Fraud Center, based in Horsham,
Pa., has been studying economic crime, including
identity theft, since 1986. Willox writes
that despite recent efforts of industry and
government, including passage of the Identity
Theft and Assumption Deterrence Act of 1998,
identity theft will never be eradicated.
In fact, we need to study the fraud perpetrator
more carefully and utilize multiple processes
in order to be effective.
According to the latest statistics available
from the Government Accounting Office, arrests
for identity fraud increased from 8,806 in
1995 to 9,455 in 1997 and financial losses
due to identity theft grew from $442 million
to $745 million during the same period. One
national credit bureau says that reports
of identity theft increased from 35,000 in
1992 to 523,000 in 1997.
"The dramatic growth of identity theft appears
to be tied to technology, particularly the
Internet and as a result, is rapidly developing
international implications," he writes.
"Identity theft is becoming an increasing
threat to consumer confidence in the Internet
as a means to conduct business. Federal,
state and local governments are concerned
about identity theft and have initiated laws
to begin to deal with this issue. They are
also continuing their efforts to study and
combat this problem."
Historically, thefts of identity are committed
through virtually every deceptive act imaginable,
including intercepting mail, plowing through
trash, watching the victim insert a telephone
credit-card number, tricking the consumer
into providing personal identifying or financial
data over the telephone, pickpocketing,
etc.
The "faceless" world of Internet credit
purchase transactions, however, provides
none of the traditional fraud prevention
or limitation measures such as in-person
verification of identity. On the Internet,
an identity thief can conceivably commit
as many fraudulent transactions as his or
her fingers allow, cloaked in anonymity and
protected by the privacy of the Internet.
The Internet allows the identity thief access,
often illegally, to databases containing
dates of birth, social security numbers and
mother's maiden names. Further, simply
placing a member of the fraud gang in a low-paying
but strategic employment position
provides the identity thief with credit reports
through access to a company's credit bureau
account.
Recent high profile cases reflect the extent
to which the problem is spreading. Expedia,
a subsidiary of Microsoft and leading online
travel site, was bilked of between $4 million
and $6 million by frauds who used stolen
credit-card numbers to purchase online travel.
State Farm was fleeced of up to $350,000
in claims involving defendants accused of
stealing a New York man's identity to obtain
insurance policies, then staging the crashes
and filing several claims in his name. Police
in Catania, Italy arrested an Italian couple
that had used illegally acquired "thousands
of credit-card numbers" of U.S. citizens
to place thousands of bets on an online betting
shop based in the northern Italian city of
Bergamo.
Experience at the NFC, according to Willox,
has shown that professional frauds follow
the path of least resistance with the greatest
reward and the lowest risk. Therefore, many
of the insurance fraud perpetrators of the
mid-1980s migrated to telemarketing fraud
in the early 1990s, and to Internet stock
fraud today. This is a complex global and
societal issue.
Willox concludes from his research that although
the ideal objective is to deter the professional
criminal and to thereby completely prevent
him from plying his illegal trade, a more
achievable and hence more realistic goal
is to place prevention and detection barriers
in his path, forcing him to find another
means of accomplishing his objective.
And he recognizes that due to privacy issues,
this can only be accomplished through a partnership
of all interested parties, namely government,
law enforcement, private industry, privacy
advocates and consumers.
"Although we recommend the placing of 'speed
bumps' in the path of the professional fraud's
access to this data," he writes, "we recognize
that it is impossible to return the genie
to the bottle."
The report concludes that the most effective
means of detecting and preventing identity
theft fall into one of the following categories:
* Digital certificate/digital signature
* Biometrics
* Authentication (independent verification)
While digital signatures and biometric solutions
such as fingerprinting and eye retina scanning
have their roles, Willox says the authentication
means of detecting and preventing identity
theft will be an indispensable aspect of
any solution and is truly a missing link
today.
The authentication process need not be time
consuming nor difficult for the consumer
to experience, he writes. Authentication
can be made to appear seamless and it is
incumbent on industry to identify the appropriate
authentication process and to implement it.
"It is equally incumbent upon all interested
parties in this fight against identity theft
to empower private industry to obtain the
appropriate types of identifying data necessary
to implement an authentication process,"
he concludes. "This means that private industry
and government must have the right, and the
means, to obtain the identifying data needed
to independently verify their customers and
prevent fraud. However, implementing this
solution requires that private industry be
enabled to obtain the relevant personal identifying
information. Private industry must recognize
the sensitivity of the data it receives and
use it responsibly, recognizing and protecting
consumers' right to privacy."
Editors: Copies of the National Fraud Center
White Paper on Identity Theft are available
at the National Fraud Center's web site at
http://www.nationalfraud.com/ or by contacting
Melanie Carroll at 940/321-5502 or melaniecarroll@mindspring.com.
National Fraud Center is a founding member
of the Individual Reference Services Group
(IRSG).
* * * * * * * * * * * * * * * * * * * *
Friday February 11, 2000
Public Aware Of Digital Age Risks
By MICHAEL J. SNIFFEN Associated Press Writer
WASHINGTON (AP) - In the midst of a difficult
investigation, federal investigators gained
cold comfort from the fact that this week's
massive attacks on the Internet sites woke
people up to the risks of the digital age.
"This week's events did more than we have
ever been able to do with white papers and
posting fixes on our Web site to alert the
private sector to the dangers out there,"
John Bentivoglio, counsel to the deputy attorney
general, said Thursday.
Private Internet service providers and Internet
sites have been turning over computer logs
to help trace the attacks that temporarily
overloaded sites such as eBay and ETrade,
Bentivoglio said. Requests for protective
software have surged.
Investigators prefer to trace attacks while
still in progress, but that is difficult
and has not been possible this week. So they
are relying on computer transaction records
at dozens, possibly hundreds, of company
sites, university computer systems and other
places. The quality of these records
varies. "This is going to be a difficult case to
crack," acknowledged Deputy Attorney General
Eric Holder. "These are people who are criminals,
and we will do all that we can ... to put
them in jail."
With tens of millions of dollars in losses
possible, Holder said the attacks might lead
to tougher penalties than the current 10-year
maximum prison sentence for second offenses.
President Clinton will meet next week with
computer security experts and technology
executives to talk about the attacks and
his proposal for $2 billion to protect the
country's most important computer systems.
Months ago, a Carnegie Mellon University
team issued a white paper warning about denial-of-service
attacks like those this week. Over the New
Year's weekend, the FBI posted free software
on its Web site that would allow computer
owners to detect whether denial-of-service
tools, known as daemons, had been secretly
placed on their computers. Some 2,600 companies
and others downloaded the free software,
and three found daemons, triggering FBI criminal
investigations. Daemons are later activated by a signal
from a remote location or an internal timer
to attack a victim computer site with so
many messages it cannot handle them all.
The sites get tied up and shut down, like
an overloaded telephone system that gives
only busy signals or no dial tone. Machines
unwittingly housing daemons are known as
zombie computers.
The Pentagon began checking for daemons Thursday
on all its computers with Internet access.
The General Services Administration alerted
all federal agencies about ways to detect
and disable daemons. Dozens or even hundreds
of zombie computers
have been used in past attacks, Bentivoglio
said. The daemons arrive at the victim site
with phony return addresses, making them
harder to trace.
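The two mechanisms the article describes, a flood of traffic from many zombie machines aimed at one victim, and packets carrying phony return addresses, both leave traces a network operator can look for. The following is an added example (it is not code from the AP article, the FBI's detection tool, or any named product) showing the defender's side: a bucketed flood detector that flags a destination receiving far more packets, from far more distinct sources, than normal, and a border check that catches outbound packets whose source address does not belong to the local network, which is the idea behind egress filtering. The log format, the addresses, the local prefix and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Flood detection and egress spoof check over constructed packet-log lines.

Added example for illustration; not code from the article or from any FBI
or vendor tool.  Log format "<epoch-seconds> <src> <dst> <bytes>", the
addresses, thresholds and the local prefix are all assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log: three normal lines, then a three-second burst in
# which 120 distinct sources each send one small packet to one victim.
SAMPLE_LOG = [
    "1000 10.0.0.5 192.0.2.10 512",
    "1001 10.0.0.6 192.0.2.10 1024",
    "1002 10.0.0.7 192.0.2.11 300",
]
SAMPLE_LOG += [f"1010 198.51.100.{i} 192.0.2.10 60" for i in range(1, 41)]
SAMPLE_LOG += [f"1011 198.51.100.{i} 192.0.2.10 60" for i in range(41, 81)]
SAMPLE_LOG += [f"1012 203.0.113.{i} 192.0.2.10 60" for i in range(1, 41)]

# Constructed log of packets *leaving* a network whose only prefix is
# 10.0.0.0/8; the third line carries a source address that cannot be local.
EGRESS_LOG = [
    "2000 10.0.0.5 192.0.2.10 512",
    "2000 10.0.0.9 192.0.2.10 512",
    "2001 172.16.4.4 192.0.2.10 60",  # phony return address
]


def parse_line(line):
    """Split one log line into (timestamp, src, dst, size)."""
    ts, src, dst, size = line.split()
    return int(ts), src, dst, int(size)


def detect_floods(lines, window=5, pkt_threshold=100, min_sources=20):
    """Return {dst: (packets, distinct_sources, window_start)} for every
    destination that, within some `window`-second bucket, received at least
    pkt_threshold packets from at least min_sources distinct sources.

    Requiring many distinct sources is what separates a distributed flood
    (zombies) from one misbehaving client; tune both thresholds to the
    traffic baseline of the link being watched.
    """
    buckets = defaultdict(lambda: [0, set()])  # (dst, bucket) -> [count, sources]
    for line in lines:
        ts, src, dst, _ = parse_line(line)
        bucket = buckets[(dst, ts // window * window)]
        bucket[0] += 1
        bucket[1].add(src)

    alerts = {}
    for (dst, start), (count, sources) in buckets.items():
        if count >= pkt_threshold and len(sources) >= min_sources:
            prev = alerts.get(dst)
            if prev is None or count > prev[0]:  # keep the worst bucket
                alerts[dst] = (count, len(sources), start)
    return alerts


def spoofed_egress(lines, local_prefixes):
    """Egress filtering check: a packet leaving the local network whose source
    address is not inside one of local_prefixes is carrying a phony return
    address.  Returns the offending log lines so they can be dropped or
    investigated at the border.
    """
    nets = [ip_network(p) for p in local_prefixes]
    return [
        line for line in lines
        if not any(ip_address(parse_line(line)[1]) in net for net in nets)
    ]


if __name__ == "__main__":
    for dst, (count, nsrc, start) in detect_floods(SAMPLE_LOG).items():
        print(f"flood: {dst} got {count} packets from {nsrc} sources at t={start}")
    for line in spoofed_egress(EGRESS_LOG, ["10.0.0.0/8"]):
        print(f"spoofed source leaving network: {line}")
```

On the constructed burst the detector reports the victim 192.0.2.10 with 120 packets from 120 sources in the bucket starting at t=1010, while the three normal lines produce nothing; the egress check returns only the 172.16.4.4 line. The flood detector sees the attack from the victim's side, after the fact; the egress check is what a zombie's own network operator can run so that spoofed packets never leave in the first place.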
Holder said there was no evidence overseas
computers were used this week, but that isn't
being ruled out. So little is known about who launched these
attacks or why, said Ron Dick, head of the
FBI's computer investigations section, that
potential suspects range "from a teen-aged
hacker to state-supported terrorists."
The Justice Department has trained prosecutors
throughout the nation to respond quickly
to computer attacks, but the law poses obstacles
to cracking an attack in progress, Bentivoglio
said. To tap a telephone line carrying an attack
requires a court order, he said. Just to
trace the origin of an ongoing transmission
without monitoring its content also requires
a court order, but one that is easier to
get.
This week, the administration sought $37
million in additional money to set up 10
regional computer laboratories, train state
and local officers and add 100 members to
its computer response teams. As it is,
"we catch some; but we don't catch
them all," Bentivoglio said.
* * * * * * * * * * * * * * * * * * * *
Will Grow Consulting