
Clips November 7, 2003


ARTICLES

Suit Claims 'No-Call' Violations
W3C criticizes antirobot tests
Chinese cyber dissident jailed
Attempted attack on Linux kernel foiled
Passing on the cost of convenience
Accessibility benefits every user
Las Vegas airport to implement RFID baggage-tag system
Congress' role in IT security debated
Quick consumer notification key in identity theft cases
Palm-Print ID System Lends Big Hand to Detectives
As security concerns ease, businesses warm to Wi-Fi


*******************************
Los Angeles Times
Suit Claims 'No-Call' Violations
Lockyer accuses firm of disregarding new telemarketing registry.
By Nancy Vogel
November 7, 2003

SACRAMENTO - Atty. Gen. Bill Lockyer sued a home improvement company Thursday for violating the national "do-not-call" registry by calling dozens of Californians who had signed up to avoid telemarketers.

The lawsuit, which is the nation's first enforcement action since the registry of 51 million people took effect last month, seeks at least $100,000 in penalties against American Home Craft Inc., based in Hayward.

At least 60 people complained about receiving phone calls from American Home Craft in October after they registered to be included on the do-not-call list, Lockyer said.

"We hope that the legal action will put all telemarketers on notice that they should get a copy of the do-not-call registry and take the law seriously," he said. "If they don't, it's our intention to protect the privacy rights and family time of the millions of Californians who signed up for the do-not-call registry."

A woman who answered the phone at the American Home Craft offices Thursday said the company would have no comment about the lawsuit.

Lockyer's suit, filed in federal court in San Francisco, seeks an injunction against the company and fines of as much as $1,500 for each violation of the federal law.

The suit also alleges violations of California's unfair business practices law, which carries penalties of as much as $2,500 for each violation. Another California law that takes effect Jan. 1 could stiffen those penalties to a maximum of $11,000 per violation.

In the last three weeks, telemarketers for American Home Craft called dozens of people in 12 area codes in Hayward, Sacramento, Irvine and San Diego, Lockyer said.

When consumers protested that they had registered for the do-not-call list, the company's marketers responded by saying, "We use a different list," or, "You must have registered late," the attorney general said. But those excuses are proven wrong by the fact that the company never purchased the do-not-call list from the federal government, he said.

"We know who gets that list and who does not," Lockyer said.

He predicted that there would be many more such lawsuits around the country, including by his office. Since Oct. 1, California consumers have filed 5,400 complaints alleging violations of the registry.

Lockyer encouraged people to gather as much information as possible from telemarketers who may be violating the registry, such as the name of the company they represent, the phone number that they called from and what product they were selling. He said complaints made to the Federal Trade Commission, by calling (888) 382-1222 or online at http://www.donotcall.gov , will be shared with his office.

In September, acting on telemarketer arguments that the federal registry violated free-speech rights, two federal judges blocked the FTC from enforcing the popular registry. But in October, an appellate court allowed the commission to begin enforcing the law while courts weigh the constitutional issue.

Lockyer's suit is based on the do-not-call registry that is run by the FTC. Earlier this week, the Federal Communications Commission proposed fining AT&T Corp. $780,000 in the first enforcement of separate federal do-not-call regulations that have been effect for months.
*******************************
CNET News.com
W3C criticizes antirobot tests
Last modified: November 6, 2003, 1:56 PM PST
By Paul Festa

An increasingly popular robot-busting technique shuts out the visually impaired, according to a standards group.

The World Wide Web Consortium (W3C) issued on Wednesday a draft criticizing visual verification tests Web-based e-mail services and other Internet businesses use. The tests are designed to prevent software robots from registering numerous accounts and harvesting information for spam schemes and the like.

The tests, which have incensed the visually impaired and their advocates, have popped up on some of the Web's most trafficked sites, including Microsoft's and Yahoo's free e-mail services. Other sites using the tests include VeriSign's Network Solutions, which protects its WhoIs database of domain names with a test, and Ticketmaster.

None of those companies was available for comment.

Microsoft also uses a visual verification test to register people with its .Net Passport service, which lets people sign into a wide range of sites, including eBay, MSN, Monster.com, the Nasdaq, Pressplay, USA Today and Starbucks. And CNET News.com publishes some of its public e-mail addresses in a graphical, computer-unreadable form in order to throw off spam address harvesters.

Often called a "Turing test" (after computer scientist Alan Turing, who famously described the requirements for a test to distinguish between a computer and a person), the visual verification test requires a person to read and type a series of characters camouflaged in a bitmap image a computer can't decipher.

The problem, the W3C warned in its draft, "Inaccessibility of Visually-Oriented Anti-Robot Tests," is that the visually impaired can't decipher it, either.

"This type of visual verification comes at a huge price to users who are blind, visually impaired or dyslexic," W3C Web accessibility specialist Matt May wrote in the draft. "Naturally, this image has no text equivalent accompanying it, as that would make it a giveaway to computerized systems. In many cases, these systems make it impossible for users with certain disabilities to create accounts or make purchases on these sites."

Some sites do offer a work-around for the visually impaired. Hotmail, for example, offers an audio alternative. And the report refers to an alternative Yahoo provides that lets people who can't pass the visual test call the company for verification through its customer service department, with a maximum 24-hour delay. But on Thursday, that option did not appear on Yahoo's sign-up page.

Even the work-arounds pose problems. A day's delay could cause a concertgoer to get aced out of a ticket, the W3C pointed out. And the audio work-around, which requires some distortion to prevent computers from passing it, has a tendency to stymie humans.

In an informal test, three out of four members of the CNET News.com staff failed Hotmail's audio Turing test. That was a slight improvement over the results of a similar test staffers took in July, in which Hotmail mistakenly pegged four out of four as software robots.

In the draft, the W3C outlined various alternatives to the controversial verification tests, including biometric devices, logic tests and credit card verification.

But the draft also outlined flaws to each of these and did not recommend one of them over the other or over the common visual tests.

"There is no clear single solution for this," the W3C's May said in an interview. "What we attempted to do was provide a way to help people think through the problem they're trying to solve and to point out that the (visual verification) solution may not be the solution they think it is."

May held out the highest hope for so-called federated identity systems, such as those in the works by Microsoft and by the competing Liberty Alliance. Such systems let people establish online identities that are difficult to spoof and that work in various online contexts.

The W3C said the issue of Turing tests and accessibility was capturing more attention internationally from industry, standards and accessibility groups, as the use of such tests proliferates and that the W3C is trying to capitalize on that interest as it hones its draft.

"We would like to collect community feedback and collaborate with groups that are working on different aspects of the problem," said Judy Brewer, director of the W3C's Web Accessibility Initiative (WAI). "We've heard from the Antispam Research Group of the IRTF, as well as groups in the disability community who are working on this and industry groups. There's a lot of buzz on this topic in a number of different countries. We're trying to get out in front of it before it creates an even larger accessibility problem."
*******************************
Australian IT
Chinese cyber dissident jailed
Robert J. Saiget
NOVEMBER 07, 2003 
 
LEADING Chinese dissident and democracy activist He Depu has been sentenced to eight years in jail in a hearing marked by defiant remarks against the state, his wife and a rights group said.

The sentencing hearing only lasted five minutes, with the Beijing intermediate court reading out the eight-year prison term as He shouted out criticisms of the ruling Communist Party, wife Jia Jianying said.
"He shouted that he protested against the persecution of the China Democracy Party (CDP) by the Communist Party of China," she said.

"He was shouting for the full five minutes. He said he didn't recognize the verdict and that he was protesting against the Communist Party of China and demanded a multi-party political system."

Ms Jia was not allowed to speak with her husband during the hearing and was unsure if he planned to appeal. She was the only one allowed to witness the proceedings on behalf of the defendant.

He, 47, was found guilty of subversion in a two-hour trial on October 14. He was arrested on November 4, 2002, just ahead of the appointment of Hu Jintao as the new head of the Communist Party.

Hu's leadership - he was also named president in March - has been marked by the arrests of a series of "cyber-dissidents", or people who have posted their political opposition to the ruling party on the internet.

"The centre strongly protests the heavy sentence on He Depu brought on by the Beijing authorities. China is ruthlessly persecuting dissent," the Hong Kong-based Information Center for Human Rights and Democracy said following the sentencing.

At least nine other intellectual dissidents were detained and are awaiting formal charges or trials in Beijing for publicly voicing their political beliefs, it said.

"'Subversion' has become the political test of the new government of Hu and Wen (Premier Wen Jiabao)," the center said.

"The fate of these people will measure which way the political winds are blowing."

He Depu's case was seen as different from the many others arrested recently, due to his long and open participation with the outlawed CDP and his standing as an intellectual once employed by the Beijing Academy of Social Sciences.

During his trial, evidence that he was trying to overthrow the state rested on his membership in the banned party, which has seen some 50 members jailed, mostly in 1998 and 1999.

Also cited were four open letters penned by He that were posted on overseas websites calling for greater democracy and the release of a string of recently arrested dissidents.

One letter was addressed to US President George W. Bush, calling on him to urge the release of Chinese political prisoners, including CDP founder Xu Wenli, who eventually was released on medical parole to the United States in December 2002.

"They said the letters were all to subvert state power. They said he publicized the CDP's opposition of the Chinese communist party," Ms Jia said.

"They said the letters were posted on the internet to create rumors and slander the Chinese communist party."

Lawyers told Ms Jia that the only way they could launch an appeal was after meeting with He, but it was unclear if the court was prepared to allow such a meeting, she said.

In 1979, He participated in the Democracy Wall protests that ushered into power the late leader Deng Xiaoping, who later crushed the movement by jailing its leaders, including Xu, who served 13 years in prison before resuming his political activities in the mid-1990s after his release.

Agence France-Presse
*******************************
CNET News.com
Attempted attack on Linux kernel foiled
Last modified: November 6, 2003, 2:39 PM PST
By Robert Lemos
Staff Writer, CNET News.com

An unknown intruder attempted to insert a Trojan horse program into the code of the next version of the Linux kernel, stored at a publicly accessible database.

Security features of the source-code repository, known as BitKeeper, detected the illicit change within 24 hours, and the public database was shut down, a key developer said Thursday. The public database was used only to provide the latest beta, or test version, of the Linux kernel to users of the Concurrent Versions System (CVS), a program designed to manage source code.

The changes, which would have introduced a security flaw to the kernel, never became a part of the Linux code and, thus, were never a threat, said Larry McVoy, founder of software company BitMover and primary architect of the source code database BitKeeper.

"This never got close to the development tree," he said. "BitKeeper is really paranoid about integrity, and it turns out that was key to finding this Trojan horse."

Linus Torvalds, the original creator of Linux and the lead developer of the kernel, uses BitKeeper to keep track of changes in the core software for the operating system. On a daily basis, the software exports those changes to public and private databases other developers use.

An intruder apparently compromised one server earlier, and the attacker used his access to make a small change to one of the source code files, McVoy said. The change created a flaw that could have elevated a person's privileges on any Linux machine that runs a kernel compiled with the modified source code. However, only developers who used that database were affected--and only during a 24-hour period, he added.

"The first thing we did was fix the difference," he said. "It took me five minutes to find the change."

When BitKeeper exports the source code to other servers, it checks the integrity of every file, matching a digital fingerprint of its official version of the file with the version on the remote machine. That comparison caught the change to the code stored on the server.

The changes looked like they were made by another developer, but that programmer said he hadn't submitted them, McVoy said.
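The integrity check described above, as an added example that is not BitKeeper's code: the canonical tree is reduced to a manifest of per-file fingerprints, the exported copy is re-fingerprinted and compared against that manifest, and any file whose fingerprint differs is diffed to show the exact change. The file names, file contents and the one-line tampering in the export are all constructed for illustration, and SHA-256 is an assumption; the article does not say which fingerprint function BitKeeper used. Because the comparison looks only at content, a change whose metadata names another developer, as in the incident, is caught just the same.

```python
"""Added example (not BitKeeper's code): detect a tampered file in an
exported copy of a source tree by comparing per-file fingerprints against
the canonical tree, then show exactly what changed.

Everything below is constructed for illustration: the file names, the file
contents and the single-line tampering are all made up. SHA-256 is an
assumed choice of fingerprint function.
"""
import difflib
import hashlib
from typing import Dict, List, NamedTuple


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of a file's bytes (the 'digital fingerprint')."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Map every path in a tree to the fingerprint of its contents."""
    return {path: fingerprint(data) for path, data in tree.items()}


class Verdict(NamedTuple):
    modified: List[str]    # present in both, contents differ
    missing: List[str]     # in canonical manifest, absent from export
    unexpected: List[str]  # in export, not in canonical manifest


def verify_export(canonical_manifest: Dict[str, str],
                  exported_tree: Dict[str, bytes]) -> Verdict:
    """Compare an exported tree against the canonical manifest.

    The check depends only on file contents, so a change that carries a
    forged author name in its metadata is caught just the same.
    """
    exported_manifest = build_manifest(exported_tree)
    modified = sorted(p for p in canonical_manifest
                      if p in exported_manifest
                      and exported_manifest[p] != canonical_manifest[p])
    missing = sorted(p for p in canonical_manifest if p not in exported_manifest)
    unexpected = sorted(p for p in exported_manifest if p not in canonical_manifest)
    return Verdict(modified, missing, unexpected)


def show_change(path: str, canonical: bytes, exported: bytes) -> str:
    """Unified diff of one modified file, canonical copy vs. exported copy."""
    diff = difflib.unified_diff(
        canonical.decode().splitlines(keepends=True),
        exported.decode().splitlines(keepends=True),
        fromfile=f"canonical/{path}", tofile=f"export/{path}")
    return "".join(diff)


# --- constructed sample trees (hypothetical paths and contents) ----------
CANONICAL_TREE: Dict[str, bytes] = {
    "kernel/example.c": (
        b"int check_access(int uid)\n"
        b"{\n"
        b"\tif (uid != 0)\n"
        b"\t\treturn -EPERM;\n"
        b"\treturn 0;\n"
        b"}\n"
    ),
    "kernel/other.c": b"/* untouched file */\n",
}

# The export is identical except for one constructed line change in
# example.c that would let an extra uid past the check.
EXPORTED_TREE: Dict[str, bytes] = dict(CANONICAL_TREE)
EXPORTED_TREE["kernel/example.c"] = CANONICAL_TREE["kernel/example.c"].replace(
    b"\tif (uid != 0)\n",
    b"\tif (uid != 0 && uid != 1000)\n")


def run_check() -> Verdict:
    """Build the canonical manifest, verify the export, print any diffs."""
    manifest = build_manifest(CANONICAL_TREE)
    verdict = verify_export(manifest, EXPORTED_TREE)
    for path in verdict.modified:
        print(show_change(path, CANONICAL_TREE[path], EXPORTED_TREE[path]))
    return verdict


if __name__ == "__main__":
    print(run_check())
```

Running the script prints the unified diff for kernel/example.c followed by the verdict naming that single modified file; verifying an untouched export returns empty lists for all three fields, which is the only state in which an export should be published.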

The recent incident raises questions about the security of open-source development methods, particularly how well a development team can guarantee that any changes are not introducing intentional security flaws. While Microsoft code has had similar problems, closed development is widely considered to be harder to exploit in that way.

Linus Torvalds addressed the issue in a post to the Linux kernel mailing list.

"A few things do make the current system fairly secure," he stated. "One of them is that if somebody were to actually access the (BitKeeper) trees (software repositories) directly, that would be noticed immediately."

A critical security flaw was found in CVS in January, but it's unknown whether the attacker used the vulnerability to gain access to the CVS database.

BitKeeper's McVoy hopes the current incident will quash objections raised by some members of the development community who don't want to add a new feature that would require all changes to be digitally signed.

Even so, he said, the open-source development model likely would have quickly turned up any security flaws.

"A Trojan horse is just a bug that a person has put into the system deliberately," he said. "The open-source security model is that everyone is using this stuff, so bugs get found and get fixed. That's one of the reasons that you are not hearing me freak about this."

McVoy said the disk from the compromised server has been saved for later analysis, but any decision to contact law enforcement belongs to Torvalds and others. Torvalds could not be immediately reached for comment.
*******************************
USA Today
Passing on the cost of convenience
By Andrew Backover, USA TODAY
Posted 11/6/2003 10:34 PM

Consumers cheering a new rule that will allow them to keep their cell phone numbers when switching carriers might also find a few unpleasant surprises.
The change, while expected to force carriers to offer better service, calling plans with more minutes and cheaper phones, also brings new fees, higher upfront costs and unexpected expenses. "A lot of people haven't looked at the total costs," says analyst Phillip Redman of research firm Gartner.

The rule change is a watershed for the 20-year-old cell phone industry and its 152 million U.S. subscribers. When it takes effect Nov. 24 in the top 100 markets, it will shatter a barrier that forced millions of consumers, loath to give up familiar cell phone numbers, to stay put despite poor service. The number of customers switching carriers could jump 20% to 30% over the next year.

Still, there are downsides:

- Upfront costs. A 1,000-person business will spend more than $300,000 on switching expenses, such as labor and hardware, Redman estimates. A company could pay $235 per employee for new phones, headsets, chargers and batteries. Many companies expect to save 20% to 30% on contracts from competition, but "it will take longer to realize the savings than they think," he says.

- Fees. Customers will continue to pick up the tab as carriers pass along costs associated with the rule.

The think tank Progress & Freedom Foundation says spending to carry out the rule and the impact of customer defections will cost carriers $1.60 a month per customer over five years. Whether it's in fees or service prices, "the costs are going to be paid by the customers one way or another," says economist Thomas Lenard.

While $1.60 more a month might not seem like a lot, Lenard says it could price 5 million people out of the cell phone market.

Carriers already pass along some portability costs in monthly fees they levy to pay for government-mandated programs. Among Cingular Wireless' fees, about 28 cents is for portability, spokesman Clay Owen says. That will continue for the near future, he says.

- Equipment. Switchers likely will have to buy new phones and transfer their old phone contact lists. That could take hours if done by hand.

Sprint PCS' retail stores do free phone-to-phone transfers. Verizon Wireless' stores charge about $5. Cingular will decide whether to charge, possibly up to $10. It's not clear if carriers' retail partners will do transfers. RadioShack won't do it for Verizon Wireless. Transfer service FutureDial is available in about 600 retail locations, including Sprint's. Some retailers might charge about $10 for it; others might offer it free. FutureDial works on more than 160 phone models.

Xpherix's iPhonebook, available via Verizon Wireless, Alltel and U.S. Cellular, downloads contacts from Microsoft Outlook to a phone. It costs $4 a month, but consumers can use it once and cancel the subscription.
*******************************
Government Computer News
11/07/03
Accessibility benefits every user
By Kevin McCaney

Ergonomic and accessibility technologies serve all users regardless of their needs, speakers said yesterday at the Interagency Disability Educational Awareness Showcase 2003 in Washington.

"Accessibility to people with disabilities applies equally to people who have none," said Paul Richard, president of Ergogenic Technology Systems Ltd. of Doylestown, Pa. He spoke during a session on technologies for people with mobility impairments.

Richard, whose company makes ergonomic workstations, stressed the importance of visual ergonomics, for instance setting up monitors at proper viewing angles to prevent musculoskeletal injuries.

The session also covered accessibility of Web pages and application content.

"One thing that makes me angry," said Kyle Gingrich of Thomson NETg of Naperville, Ill., "is when I hear people say 'We're dumbing down our content'" to make it accessible via technologies such as text-to-speech.

"There's no need for that," she said, arguing that well-written and well-presented content is easily adaptable to accessibility applications.

Gingrich, software project manager for Thomson NETg, said meeting the requirements of Section 508 of the Rehabilitation Act Amendments of 1998 is an essential goal for agencies because of its value to users. "Section 508 is not just an objective," she said, it affects "people's lives every day."

The growing importance of government Web sites is another reason to make content accessible. Bob Regan, senior product manager for accessibility at Macromedia Inc. of San Francisco, said it's best to factor in accessibility at the start of page design, rather than try to add it later.

Regan praised access keys, which can take Web users directly to links and provide other shortcuts. But he said it's important to explain what they are because the commands can vary from site to site. The United States, unlike the United Kingdom, does not have a standard approach to access keys, he said.

He also demonstrated navigational keyboard shortcuts for users who have difficulty using a mouse. The shortcuts work under just about any operating system, at least partly because developers like them, too. "[Software] engineers are all keyboard users," Regan said.
*******************************
Computerworld
Las Vegas airport to implement RFID baggage-tag system
http://www.computerworld.com/mobiletopics/mobile/technology/story/0,10801,86909,00.html

The first phase of the airportwide system is expected to be in use by May
Story by Linda Rosencrance

NOVEMBER 06, 2003 ( COMPUTERWORLD ) - McCarran International Airport in Las Vegas is implementing a baggage-tracking system that will use radio frequency identification (RFID) bag tags from Matrics Inc. to improve customer safety. The decision to implement the tracking system makes McCarran one of the first airports to use the RFID technology airportwide.
As part of the deal, Columbia, Md.-based Matrics will supply the airport with 100 million passive, nonbattery, disposable 900-MHz RFID tags over a five-year period for $25 million, or 25 cents per tag, according to John Shoemaker, vice president of business development at Matrics.

The entire project is expected to cost $125 million, with $94 million of that amount being paid for by the Transportation Security Administration (TSA), said Samuel Ingalls, the airport's information systems manager. The airport will pick up the rest of the cost.

The TSA is partially funding similar projects at other airports, including Denver International Airport and Los Angeles International Airport. Florida's Jacksonville International Airport has already implemented an airportwide in-line screening system for checked baggage but has only partially implemented an RFID tracking system.

The first phase of McCarran's new system, expected to be operational in May 2004, will automatically track all checked-in passenger bags through in-line explosive detection and screening equipment, according to Shoemaker. This phase will include use of a facility that screens off-site baggage coming from hotels and car rental companies, as well as two other screening facilities to handle baggage checked in at the airport's main terminal, Ingalls said. Travelers check in about 60,000 bags a day at McCarran.

Shoemaker said the first phase of the project will involve five airlines and 38% to 40% of airport travelers.

The process starts at the ticket counter or curbside check-in, where a regular baggage tag with an RFID chip and antenna embedded in it will be printed out and attached to each bag, he said. Each tag will carry a unique identifier and will be read while the bag is transported on conveyors through the appropriate explosive-screening machine and onto the specific plane. If the bag doesn't clear the explosive-screening machine, it will be sent to a special facility to be checked by hand.

Information from the tags is passed to FKI Logistex's software controls. FKI, based in Danville, Ky., is providing the systems architecture and integration.

Shoemaker stressed the tags' 99.8% accuracy and noted that they can be tracked from a distance of up to 30 feet. Bar-code tags now commonly used must be in close proximity to a reader.

The use of RFID tags has been gaining in popularity this year as a supply chain management tool. The U.S. Department of Defense last month said it will require its suppliers to use the tags on all cases and pallets by January 2005. And Wal-Mart Stores Inc. in June said it would require its top 100 suppliers to do the same thing. One nagging issue has been the tags' cost. Although Matrics has promised to deliver them at 25 cents apiece, Jeff Woods, an analyst at Gartner Inc., was doubtful that it could hit that price.

"I would want to know what all the terms and conditions are before I'd say 25 cents is the going rate for tags," Woods said. "I'm skeptical of it."

Woods said, however, that he hopes Matrics can achieve that price, because doing so could speed the tags' adoption elsewhere.

Gene Alvarez, an analyst at Meta Group Inc., said he believes the RFID technology will work its way into more and more airports, not just for security but as a way to match bags with passengers and reduce delays.
*******************************
Computerworld
Congress' role in IT security debated
One House member wants every U.S. computer to have antivirus software installed
Story by Grant Gross

NOVEMBER 06, 2003 ( IDG NEWS SERVICE ) - A U.S. House of Representatives member proposed today that Congress require every computer to have antivirus software installed. But IT security experts disagreed with that suggestion and proposed other ways for the government to encourage cybersecurity among private companies and individual users.
Rep. Charles Bass (R-N.H.) during a hearing questioned whether Congress should require that antivirus software be installed on every U.S. computer to counter the billions of dollars in damage done by viruses and worms in 2003 alone.

"Is it time for the federal government to develop some kind of Internet security agency that would develop standards for all legitimate software, require automatic update and patching and establish a base level for every single computer in the country?" Bass said during a hearing on computer viruses by the House Energy and Commerce Committee's Subcommittee on Telecommunications and the Internet. "Is there any reason why any computer in this country shouldn't have some kind of antivirus software on it as a requirement?"

No such reason exists, said Art Wong, vice president of security response for antivirus software vendor Symantec Corp., prompting some laughs from the audience.

But other witnesses at the hearing expressed doubt over whether computer users would accept such a requirement. The outcry from users over their rights being trampled would be "shocking," said Ken Silva, vice president of VeriSign Inc.

"What you're proposing is tantamount to trimming a little fat off the Constitution," Silva told Bass. "Smart computer users would in fact update their software, but I'm just not sure that any kind of federal agency that required automatic updates on people's computers for all of their software is something that the public would tolerate."

Beyond a debate about the rights of computer users, an antivirus mandate could cause problems on computers not set up to run antivirus software, including ones used for factory automation or power or water treatment plants, said Bill Hancock, CEO of the Internet Security Alliance. "The result is certain infrastructure would go 'splat' and not work at all," he said of Bass' antivirus and update suggestions.

The witnesses also disagreed on other ways to encourage cybersecurity. Software vendors should be pressed to write code that's less buggy, said Richard Pethia, director of the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. Other witnesses representing software vendors downplayed that issue.

Trying to figure out how to build better software is "a no-win situation and just beating a dead horse," Silva said.

Silva and Hancock suggested that Congress promote cybersecurity education, with Silva recommending that it shift some federal funding to grade and high school education for cybersecurity awareness.

But Pethia said he doubts education efforts could reach enough computer users, saying instead that software vendors need to be accountable. "The probability that we can drag 150 million users up that learning curve is relatively small," he said.

Hancock and Robert Holleyman, president and CEO of the Business Software Alliance, also called for Congress to commit more law enforcement resources to fighting cybercrime. "Law enforcement is typically hampered due to a lack of tools, a lack of investment and a lack of skill sets," Hancock said.

Fewer than 10 virus or worm writers were arrested worldwide in 2002, while more than 200 viruses and worms were unleashed on the Internet, he said.

Holleyman called for Congress to push for international agreements to enforce cybercrime laws and to create a "culture of security" worldwide. U.S. laws alone will not solve cybersecurity problems, because some countries will continue to harbor hackers and spammers, he said.

Even if the U.S. has international agreements with some countries, hackers and spammers will continue to find places to operate if U.S. laws drive them offshore, Hancock said. Responding to a question about how a federal antispam law would limit the spread of viruses and worms through e-mail, Hancock said Romania has one cybercrime investigator. "This guy is grossly overwhelmed," Hancock said.

Rep. Gene Green (D-Texas) pushed his antispam legislation, the Anti-Spam Act of 2003, as a way to fight the spread of viruses and worms. "The combination of e-mail spam and viruses is like putting a SARS patient on every airline flight in the country," he said.

Asked what motivates virus and worm writers, Hancock said many of them are dysfunctional people with limited social skills, but he predicted that cybercrime will increasingly be carried out by criminals with political or terrorist motives. Currently, virus trackers see activity jump between 4 p.m. Pacific time Fridays and 9 p.m. Pacific time Sundays, as "every kid without a date starts picking on the network," Hancock said.
*******************************
USA Today
Quick consumer notification key in identity theft cases
By Robert Gehrke, The Associated Press

WASHINGTON - Alerting consumers quickly that they are at risk for identity theft is crucial when hackers and thieves get their hands on personal information, experts backing a mandatory notification proposal in Congress said Tuesday.

Consumers and companies have a matter of days to react after the information is stolen to minimize the damage, said David McIntyre Jr., president and CEO of TriWest Healthcare Alliance, which provides health insurance to military families in the central United States.

Last December, TriWest's offices in Phoenix were broken into and computers and data files containing information on more than 500,000 armed forces clients were stolen.

The company quickly notified federal investigators and the Pentagon, then began notifying patients whose information was taken.

It proved effective, McIntyre told the Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security. None of the information was used for fraudulent purposes.

"That was the goal," he said. "Shut it down" and make sure customers "weren't going to come home and find out their lives have been destroyed from a credit perspective."

The bill, sponsored by Sen. Diane Feinstein, D-Calif., would require companies to notify customers when personal information has been compromised, either by hackers or physical security breaches.

Mark MacCarthy, senior vice president of public policy for Visa U.S.A., Inc., said his group supports notifying customers when there is a sufficient chance the compromised information could lead to fraud.

McIntyre said database theft is becoming increasingly common. For example, every week hackers attempt to crack the Arizona State University computer system and burglars who recently broke into a Tucson bank didn't touch the money, but made off with computers.

In addition to the TriWest incident, other high-profile breaches cited in the hearing include:

- In February, a hacker broke into the database for DPI Merchant Services in Omaha, a credit card processor, and gained access to 10 million credit card numbers from various companies.

MacCarthy said Visa fined DPI $500,000 and put it on probation for not responding aggressively enough to the security breach.

- In April 2002, a hacker broke into the California state payroll records, including social security numbers, for about 265,000 people.

- Victoria's Secret, the lingerie retailer, agreed to pay a $50,000 fine after a glitch on its Web site allowed viewers to access other customers' orders and addresses, although no credit card numbers were compromised.
*******************************
Los Angeles Times
Palm-Print ID System Lends Big Hand to Detectives
A new L.A. County database, which includes fingerprints, gives law enforcement agencies a fast new tool to identify suspects.
By Richard Winton
November 7, 2003

For decades, detectives have known that the answer to solving a crime can lie in the palm of someone's hand.

Palm prints make up about one-third of all prints technicians lift from crime scenes, according to estimates. But until this year, unlike fingerprints, there was no easy way to compare them.

Los Angeles County's law enforcement agencies have just taken a leap forward with delivery last month of a computer system that gives them one of the nation's largest palm-print databases.

Investigators now can compare a palm print with 250,000 others from arrestees in minutes.

The $15-million Cogent Automated Palmprint and Fingerprint Identification system can also compare a fingerprint with a database of 80 million others drawn from 4 million arrestees.

It was Cogent technology that allowed the Department of Homeland Security's immigration wing to identify the suspects accused in the Washington, D.C.-area sniper case.

The fingerprints of Lee Boyd Malvo, a Jamaican native, were in the old Immigration and Naturalization Service's database, a Cogent system.

When detectives entered those lifted from an Alabama robbery allegedly committed by the snipers, the system provided a match.

"We have had hits on a murder, a burglary and a carjacking already, and it's only been up a couple of weeks," said Sheriff's Sgt. Larry Bryant, who oversees the Los Angeles County Regional Identification System, which serves law enforcement agencies across the county.

Bryant emphasized that the system is still in the testing phase.

"Up until now, the only way we'd use palm prints was when someone gave us a name to do comparisons," Bryant said. "This [new system] requires just a small portion of the palm from a crime scene."

In the first two weeks of operation, the system generated 80 matches, mostly of fingerprints.

The hits came from an analysis of prints that had earlier been submitted to a database maintained by the state of California, which local police agencies traditionally used without results.

"The system is a double-edged sword. With an increased number of suspects, you have to have the resources to review those results," said Sheriff's Capt. Chris Beattie, head of the department's Scientific Services Bureau.

The computers identify possible matches. But it is a technician using actual prints who must make the final determination, Beattie said.

Britain's Scotland Yard first used fingerprints in 1902 to obtain a conviction. But it was not until the 1970s that automated fingerprint comparisons came into use.

What is revolutionary about the new system is that it can check so many prints so quickly in comparison to the prior generation of technology, experts said.

Wally Briefs, senior vice president of South Pasadena-based Cogent Systems, which pioneered some of the breakthrough software, said older systems limited what could be reviewed and did not tackle palm prints, which are larger and would take too long to compare.

"It used to take an entire room of computers to review this much data," Briefs said. "There is a potential to turn around the data and produce a suspect within minutes."

In one case this year, Briefs said, a Cogent identification system in another city was able to identify the deteriorated body of a woman found in a streambed based on a tiny piece of her palm recovered from the scene.

"If you think of someone gripping a knife, they use the palm," said Briefs, a former detective and crime scene technician. "When they handle a gun, it's the palm. When they open a car door, it's the palm."

With technology advancing, the level of accuracy also is improving. As part of the contract, the county required the new system to have an accuracy rate of more than 99%. Bryant said the new system also searches every image in the database.

Cogent's software converts scanned prints into digital form, then compares them to its library.

When converting the image, the software identifies specific points of data as match points, and then processes them using an algorithm that assigns them a value that can be compared with existing data.
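The matching step described above, reduced to its essentials as an added illustration (this is not Cogent's software or any real AFIS algorithm): each print is represented by its match points, or minutiae, as (x, y, angle) triples; a latent print is aligned against a stored template and scored by the fraction of its points that line up within a tolerance. The minutiae below are constructed, the tolerances are assumed values, and alignment is by translation only (scale and rotation are assumed to already agree), which is why a system like this only proposes candidates for a technician to confirm.

```python
"""Simplified minutiae matcher: score a partial (latent) print against a
stored template.  Added example with constructed data; not Cogent's code."""

import math
from itertools import product

# Constructed templates: each minutia is (x, y, ridge angle in degrees).
STORED_TEMPLATE = [(12, 40, 30), (55, 22, 95), (70, 80, 200),
                   (33, 65, 300), (90, 15, 10), (48, 92, 150)]
OTHER_TEMPLATE = [(20, 20, 0), (60, 50, 180), (40, 90, 90)]

# Constructed latent: part of the same print as STORED_TEMPLATE, shifted by
# (+20, -5) with a little noise, plus one spurious point from the surface.
LATENT_PROBE = [(75, 17, 97), (90, 75, 198), (53, 61, 302), (110, 40, 250)]


def angle_diff(a, b):
    """Smallest difference between two angles in degrees (0..180)."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def count_matches(probe, template, dx, dy, dist_tol=6.0, angle_tol=12.0):
    """Count probe minutiae that pair one-to-one with template minutiae
    after translating the probe by (dx, dy).  Tolerances are assumed."""
    used = set()
    matched = 0
    for px, py, pa in probe:
        for i, (tx, ty, ta) in enumerate(template):
            if i in used:
                continue
            if (math.hypot(px + dx - tx, py + dy - ty) <= dist_tol
                    and angle_diff(pa, ta) <= angle_tol):
                used.add(i)
                matched += 1
                break
    return matched


def match_score(probe, template, **tol):
    """Try every probe/template pair as an alignment anchor (translation
    only) and return the best fraction of probe points that matched.  The
    score is relative to the probe so a small piece of a palm can still score
    highly against a full template."""
    if not probe:
        return 0.0
    best = 0
    for (px, py, _), (tx, ty, _) in product(probe, template):
        best = max(best, count_matches(probe, template, tx - px, ty - py, **tol))
    return best / len(probe)


def is_candidate(probe, template, threshold=0.6):
    """Flag a template for human review; the threshold is an assumed value."""
    return match_score(probe, template) >= threshold


if __name__ == "__main__":
    for name, tmpl in (("stored", STORED_TEMPLATE), ("other", OTHER_TEMPLATE)):
        print(f"{name}: score={match_score(LATENT_PROBE, tmpl):.2f} "
              f"candidate={is_candidate(LATENT_PROBE, tmpl)}")
```

The anchor search is what lets a fragment match: the probe is slid so that each of its points in turn sits on each template point, and the alignment that explains the most points wins. Against a database this is run per template and only the highest scores are returned, which is the "increased number of suspects" a technician then has to review.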

Countywide, there are 29 terminals in use by law enforcement agencies for comparing latent prints with those in the system. There are 165 places at which prints can be scanned directly from a human hand into the Cogent database. Bryant said the new system is financed by penalties assessed on convicted criminals and a $1 fee on each vehicle registration.

Los Angeles County's new system is not unique, but it is cutting edge. Britain's police agencies use a similar Cogent system.

The New York Police Department last month put online a similar system. Police in Ontario, Calif., pioneered its use in California on a smaller scale three years ago.

During the Salt Lake City Winter Olympics, Cogent, along with another company, provided security personnel with mobile scanners connected to a fingerprint database.

"It's yet another technological boost for law enforcement," said Dist. Atty. Steve Cooley.
*******************************
CNET News.com
As security concerns ease, businesses warm to Wi-Fi
Last modified: November 7, 2003, 4:00 AM PST
By Richard Shim

Security fears have kept many large companies on the wireless-networking sidelines for the past two years, but new intrusion defenses are beginning to put the worst concerns to rest, opening the door to renewed corporate Wi-Fi spending.

Wi-Fi gained its reputation as an insecure protocol years ago, when hundreds of network access points were set up without basic security settings turned on. The result was a bonanza of free high-speed public Net access for anyone within range, and alarm on the part of businesses, who worried that such piggybacking pointed to the possibility of more serious breaches. Adding to the problem, Wi-Fi's original security standard used weak 40-bit encryption that's easily overcome by unsophisticated attacks, even when it's enabled.

"We have been making headway with...colleges, health care, warehouses and, more recently, retail and government," said Carl Blume, director of product marketing at Colubris Networks, which sells Wi-Fi gear to corporations. "We've been waiting for major Fortune 500 companies, but the perception that there is a security problem with Wi-Fi has been a problem."

The tepid response by large businesses stems from the failure of early security specifications to protect against unauthorized access. But increasingly, corporate information technology managers see the perception of Wi-Fi as a security problem as just that: a perception.

Industry groups such as the Institute of Electrical and Electronics Engineers (IEEE) and the Wi-Fi Alliance, as well as manufacturers, have been working on new security specifications and making them available in products and as free downloads. As a result, Wi-Fi network managers already have access to potent replacements for the original flawed security standard, known as Wired Equivalent Privacy (WEP).

Security experts have long pointed out that WEP's 40-bit encryption key can be broken easily using readily available software. Network managers who use the protocol routinely recommend changing WEP passwords monthly as a safeguard against potential security breaches.

Specifications such as Wi-Fi Protected Access (WPA) and 802.1x are meant to encrypt data and securely transmit it from a network to a client. Gradually, those specifications will become part of the 802.11i standard, which is currently in development by the IEEE and is expected to be available to gear makers by the middle of next year. Although it will likely take a few months beyond that before 802.11i finds its way into products, manufacturers say that standard is already helping to ease security concerns.

Among other things, the 802.11i standard will incorporate a new encryption technique known as the Advanced Encryption Standard (AES), which is considered to offer greater security than formulas used in earlier Wi-Fi security standards, including WEP.
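A practical way to act on the preceding paragraphs is to audit an access-point inventory for the weak configurations the article names (no security at all, or WEP) and flag what should move to WPA with AES and 802.1x authentication. The script below is an added example, not from the article or any vendor: the inventory is constructed rather than a real scan, the field names (`security`, `cipher`, `dot1x`) are assumptions, and the TKIP entry (the original WPA cipher, which the article does not mention) is included only to show the middle severity tier.

```python
"""Audit a wireless access-point inventory for open and WEP networks.
Added example with a constructed inventory; not from the article."""

from collections import Counter
from dataclasses import dataclass

# Constructed sample inventory.  Field names are assumptions for this example.
SAMPLE_INVENTORY = [
    {"ssid": "corp-lobby",   "security": "open", "cipher": None,   "dot1x": False},
    {"ssid": "warehouse-ap", "security": "wep",  "cipher": "rc4",  "dot1x": False},
    {"ssid": "finance-wlan", "security": "wpa",  "cipher": "tkip", "dot1x": False},
    {"ssid": "eng-wlan",     "security": "wpa",  "cipher": "aes",  "dot1x": True},
]


@dataclass
class Finding:
    ssid: str
    severity: str        # "critical", "medium" or "ok"
    reason: str
    recommendation: str


def assess(ap: dict) -> Finding:
    """Rank one access point from worst (open or WEP) to acceptable
    (WPA with AES and per-user 802.1x authentication)."""
    mode = (ap.get("security") or "open").lower()
    cipher = (ap.get("cipher") or "").lower()
    if mode == "open":
        return Finding(ap["ssid"], "critical",
                       "no encryption; anyone in range can join and read traffic",
                       "enable WPA with AES and 802.1x authentication")
    if mode == "wep":
        return Finding(ap["ssid"], "critical",
                       "WEP's 40-bit key can be recovered with readily available software",
                       "replace WEP with WPA (802.11i) using AES")
    if cipher != "aes":
        return Finding(ap["ssid"], "medium",
                       f"WPA with {cipher or 'unknown'} cipher; AES is the stronger choice",
                       "switch the cipher to AES")
    if not ap.get("dot1x"):
        return Finding(ap["ssid"], "medium",
                       "shared passphrase only; every user holds the same secret",
                       "add 802.1x so each user authenticates individually")
    return Finding(ap["ssid"], "ok", "WPA with AES and 802.1x", "no change needed")


def audit(inventory):
    """Assess every access point in the inventory."""
    return [assess(ap) for ap in inventory]


def severity_counts(findings):
    """Summarise findings by severity, e.g. {'critical': 2, 'medium': 1, 'ok': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    findings = audit(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.severity:8} {f.ssid:14} {f.reason} -> {f.recommendation}")
    print(severity_counts(findings))
```

Run against a real inventory, the "critical" tier is the list of access points that still offer the piggybacking the article describes; the "medium" tier is where the newer specifications are present but not fully used.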

Signs of growth
Wi-Fi sales to big business are projected to increase nearly 19 percent in 2004 as more companies begin selling and buying devices that come with security and network management capabilities, said Aaron Vance, an analyst with Synergy Research Group.

The uptick follows a trend that's been building since the second quarter of this year, after months of slipping corporate Wi-Fi sales.

Sales for wireless networking gear nearly quadrupled in 2002, to $280 million, compared with 2001, according to retail market tracker NPD Techworld. The high sales trend continues as the latest Wi-Fi standard, 802.11g, begins to gain popularity and manufacturers look to retrofit old products with Wi-Fi capabilities.

But the boom has so far been limited to specialized businesses and the consumer market.

In the fourth quarter of 2001 to the first quarter of 2002, worldwide sales to big business dipped nearly 12 percent, from $237 million to $208 million, after security experts flagged WEP's weaknesses. Yearly sales in 2002 dipped 8.5 percent compared with 2001, according to research firm Synergy Research Group.

Meanwhile, worldwide sales into the consumer and small- and medium-size business market--which tends to be less concerned with security issues over wireless networks--increased 11 percent from the fourth quarter of 2001 to the first quarter of 2002, from $183 million to $204 million. For the year, the sector jumped nearly 79 percent.

Although sales in the big-business market for Wi-Fi gear picked up in the second quarter of 2003, they are expected to end the year with a paltry 7 percent gain over the previous year.

After years of disappointment, some Wi-Fi gear makers are beginning to sound an optimistic note for the lagging corporate market.

Large companies are dipping their toes into wireless networks and testing access with noncritical data. Already, about 57 percent of companies surveyed are using Wi-Fi networks to some degree, according to Jupiter Research.

Gear makers take this as a positive sign and hope that as more businesses test Wi-Fi networking technology and use available security specifications, the perception that Wi-Fi is insecure can be changed.

"Over the last 12 to 24 months, enterprise has been using Wi-Fi in niche applications, but it's gradually moving into the general office space," said Walter Gintz, director of wireless enterprise marketing at Intel.

All unwired, with nowhere to go
The establishment of 802.11 wireless networking standards, known as Wi-Fi, over the last couple of years has helped to bring down pricing for products and makes setting them up easier. The standards, as well as the use of unlicensed radio frequencies, have helped to create a popular and common foundation for product development. The result has been a boom for a technology that has been around for nearly two decades.

With the standards, data can be transferred wirelessly from a network to a client at varying rates, depending on the standard--54 megabits per second for the 802.11g and 802.11a standards and 11 megabits per second for the 802.11b standard. The range of the networks varies as well, depending on the environment and obstacles, such as walls and areas of interference, but the maximum range is up to 300 feet.

In a survey conducted this year by Jupiter Research, 90 percent of business executives asked said improved security solutions would have an impact on their decision to install wireless networks. The increased need for wireless access was another reason to install networks, according to 70 percent of those executives.

Although the new specifications do provide what some might call sufficient protection, analysts said there is a learning curve, and it will take time for these tools to find their way into products. Still, the trend appears promising for Wi-Fi gear makers hoping to court reluctant corporate buyers.

"It's still a fairly new technology, and part of the problem is that some businesses aren't using the (security) tools that are out there now," Gintz said. "But companies are starting to learn and realize that if they implement some simple tools, they're going to be OK."
*******************************