Clips November 4, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx, sairy@xxxxxxxxx;
- Subject: Clips November 4, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Tue, 04 Nov 2003 11:18:11 -0500
Clips November 4, 2003
ARTICLES
Calif. Halts E-Vote Certification
Aussies Do It Right: E-Voting
Patent ruling tugs at Net downloads
Phone database 'abused'
Data Attacks Strike Spam Fighters
NIST releases security controls proposal
Putnam seeks industry emphasis on info security
Ensuring liability protection
Navy team evaluates weblogs
DOD extends Common Access Cards deadline
'DDoS' Attacks Still Pose Threat to Internet
Lieberman takes on video game violence in S.C. stop
Tulsa homeless community linked through technology
ELECTRONIC VOTING COVER-UP
Radio Tags Face Technical Hurdles, Deadlines
*******************************
Wired News
Calif. Halts E-Vote Certification
By Kim Zetter
05:49 PM Nov. 03, 2003 PT
SACRAMENTO, California -- Uncertified software may have been installed on
electronic voting machines used in one California county, according to
the secretary of state's office.
Marc Carrel, assistant secretary of state for policy and planning, told
attendees Thursday at a panel on voting systems that California was
halting the certification process for new voting machines manufactured by
Diebold Election Systems.
The reason, Carrel said, was that his office had recently received
"disconcerting information" that Diebold may have installed
uncertified software on its touch-screen machines used in one county.
He did not say which county was involved. However, secretary of state
spokesman Douglas Stone later told Wired News that the county in question
is Alameda.
Alameda County, a Democratic stronghold that includes the cities of
Berkeley and Oakland, converted to all-electronic voting last year at a
cost of more than $12 million. The county used the machines in state
elections last year and in last month's gubernatorial recall election.
The machines will also be used in tomorrow's municipal election in
Alameda.
The only other California county currently using the Diebold touch-screen
machines is Plumas. No one was available for comment on whether
uncertified software may have been installed on machines used in Plumas.
The Diebold machines slated for state certification, known as the
AccuVote TSx, are a modified version of the machines used in Alameda and
Plumas. The new machine is said to be a lighter, more compact version.
At the meeting, Carrel delayed indefinitely the certification of the new
machines until the secretary of state's office can investigate the
matter.
Diebold officials, who were attending the meeting, seemed surprised by
the announcement and expressed displeasure to several panelists afterward
that it had been introduced in a public forum. They were unavailable for
comment.
Also present at the meeting were representatives from Solano, San Diego
and San Joaquin counties, where officials are waiting for state
certification to begin using the new machines.
Officials from Alameda County's registrar of voters were unavailable for
comment.
*******************************
Wired News
Aussies Do It Right: E-Voting
By Kim Zetter
02:00 AM Nov. 03, 2003 PT
While critics in the United States grow more concerned each day about the
insecurity of electronic voting machines, Australians designed a system
two years ago that addressed and eased most of those concerns: They chose
to make the software running their system completely open to public
scrutiny.
Although a private Australian company designed the system, it was based
on specifications set by independent election officials, who posted the
code on the Internet for all to see and evaluate. What's more, it was
accomplished from concept to product in six months. It went through a
trial run in a state election in 2001.
Critics say the development process is a model for how electronic voting
machines should be made in the United States.
Called eVACS, or Electronic Voting and Counting System, the system was
created by a company called Software Improvements to run on Linux, an
open-source operating system available on the Internet.
Election officials in the Australian Capital Territory, one of eight
states and territories in the country, turned to electronic voting for
the same reason the United States did -- a close election in 1998 exposed
errors in the state's hand-counting system. Two candidates were separated
by only three or four votes, said Phillip Green, electoral commissioner
for the territory. After recounting, officials discovered that out of
80,000 ballots, they had made about 100 mistakes. They decided to
investigate other voting methods.
In 1999, the Australian Capital Territory Electoral Commission put out a
public call for e-vote proposals to see if an electronic option was
viable. Over 15 proposals came in, but only one offered an open-source
solution. Two companies proposed the plan in partnership after extensive
consultation with academics at Australian National University. But one of
the companies later dropped out of the project, leaving Software
Improvements to build the system.
Green said that going the open-source route was an obvious choice.
"We'd been watching what had happened in America (in 2000), and we
were wary of using proprietary software that no one was allowed to
see," he said. "We were very keen for the whole process to be
transparent so that everyone -- particularly the political parties and
the candidates, but also the world at large -- could be satisfied that
the software was actually doing what it was meant to be
doing."
It took another year for changes in Australian law to allow electronic
voting to go forward. Then in April 2001, Software Improvements
contracted to build the system for the state's October election.
Software Improvement's Matt Quinn, the lead engineer on the product, said
the commission called all the shots.
"They, as the customer, dictated requirements including security and
functionality, (and they) were involved at every step of the development
process, from requirements to testing," Quinn said. "They
proofed every document we produced."
The commission posted drafts as well as the finished software code on the
Internet for the public to review.
The reaction was very positive.
"The fact that the source code had been published really deflected
criticism," Quinn said.
A few people wrote in to report bugs, including an academic at the
Australian National University who found the most serious problem.
"It wasn't a functional or a security issue but was a mistake
nonetheless, and one that we were glad to have flagged for us," said
Quinn.
In addition to the public review, the commission hired an independent
verification and validation company to audit the code, "specifically
to prevent us, as a developer, from having any election-subverting code
in there," Quinn said.
"We were concerned that it wouldn't be secure enough," said
Green, the electoral commissioner. The audit was performed specifically
to search for security weaknesses in the system, but Green says the
researchers found none.
The state tested 80 machines in the election, distributed among eight
polling places throughout Canberra (the country's capital). A comparative
manual count after the election showed that the system operated
accurately.
The plan is to use the 80 machines again next year, but Quinn said the
difficulty in deploying the system nationwide is that it would have to be
adapted for use over larger geographic areas.
The machines are not what Quinn would call high-tech. The voting terminal
consists of a PC and offers ballots in 12 languages, including Serbian
and Farsi. The system includes English audio for vision-impaired and
illiterate voters.
The voter swipes a bar code over a reader that resets the machine for a
new vote and calls up a ballot. Once a selection is made and reviewed,
the voter swipes the bar code again to cast the vote. The bar code
doesn't identify the voter; it simply authorizes the voter to cast one
ballot.
The terminals link to a server in each polling place through a secure
local-area network so no votes are transmitted over the Internet or phone
lines.
Quinn said the server writes two copies of the votes onto separate discs
that are digitally signed and delivered independently to a central
counting place. The digital signature is a 128-bit unique identifier
generated from the voting data. If the data were changed in transit, the
identifier would change too, raising red flags that something went wrong.
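The two-disc integrity check described above, modelled as an added example (this is not eVACS code; the vote record format, the choice of a 128-bit digest and the counting-centre key are assumptions). It also shows the caveat a verifier wants: an unkeyed identifier catches accidental corruption, but only a keyed tag or real signature catches a disc whose identifier was recomputed after the data was changed.

```python
import hashlib
import hmac
import secrets

# Constructed sample of the vote record a polling-place server writes out
# twice; the record format is invented for this example.
VOTES = (
    b"polling_place=01;ballot=7;prefs=3,1,5\n"
    b"polling_place=01;ballot=8;prefs=1,2\n"
)


def identifier(data: bytes) -> bytes:
    """Unkeyed 128-bit identifier derived from the data, as the article
    describes it. Any change to the data changes the identifier, so it
    catches accidental corruption in transit."""
    return hashlib.blake2b(data, digest_size=16).digest()


def signed_identifier(data: bytes, key: bytes) -> bytes:
    """Keyed 128-bit tag (HMAC-SHA256 truncated to 16 bytes). Assumption:
    only the counting centre holds `key`, so whoever alters a disc cannot
    produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def write_disc(data: bytes, key: bytes) -> dict:
    """Model one of the two discs: the data plus both kinds of identifier."""
    return {"data": data, "id": identifier(data),
            "sig": signed_identifier(data, key)}


def check_unkeyed(disc: dict) -> bool:
    """The bare check: recompute the identifier and compare."""
    return hmac.compare_digest(identifier(disc["data"]), disc["id"])


def check_signed(disc: dict, key: bytes) -> bool:
    """The keyed check performed at the counting centre."""
    return hmac.compare_digest(signed_identifier(disc["data"], key),
                               disc["sig"])


def copies_agree(a: dict, b: dict) -> bool:
    """Cross-check the two independently delivered copies."""
    return hmac.compare_digest(a["data"], b["data"])


def corrupt_in_transit(disc: dict) -> dict:
    """Accidental corruption: one byte flipped, identifier left untouched."""
    data = bytearray(disc["data"])
    data[-3] ^= 0x01
    return {**disc, "data": bytes(data)}


def altered_with_recomputed_id(disc: dict) -> dict:
    """A disc whose data was changed and whose unkeyed identifier was then
    recomputed, which is exactly the case the bare check cannot detect."""
    data = disc["data"].replace(b"prefs=1,2", b"prefs=2,1")
    return {**disc, "data": data, "id": identifier(data)}


def demo() -> dict:
    key = secrets.token_bytes(32)          # constructed counting-centre key
    disc_a = write_disc(VOTES, key)
    disc_b = write_disc(VOTES, key)
    corrupted = corrupt_in_transit(disc_a)
    altered = altered_with_recomputed_id(disc_a)
    return {
        "intact passes both checks": check_unkeyed(disc_a) and check_signed(disc_a, key),
        "corruption caught by unkeyed id": not check_unkeyed(corrupted),
        "altered disc passes unkeyed id": check_unkeyed(altered),
        "altered disc fails keyed check": not check_signed(altered, key),
        "altered disc disagrees with copy": not copies_agree(disc_b, altered),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```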
The machine does not include a voter-verifiable receipt, something
critics of U.S. systems want added to machines and voting machine makers
have resisted.
A voter-verifiable receipt is a printout from the machine, allowing the
voter to check the vote before depositing the receipt into a secure
ballot box at the polling station. It can be used as a paper audit trail
in case of a recount.
Green said the commission rejected the printout feature to keep expenses
down. The system cost $125,000 to develop and implement. The printouts
would have increased that cost significantly, primarily to pay for
personnel to manage and secure the receipts and make sure voters didn't
walk off with them.
Quinn, however, thinks all e-voting systems should offer a receipt.
"There's no reason voters should trust a system that doesn't have
it, and they shouldn't be asked to," he said.
"Why on earth should (voters) have to trust me -- someone with a
vested interest in the project's success?" he said. "A
voter-verified audit trail is the only way to 'prove' the system's
integrity to the vast majority of electors, who after all, own the
democracy."
As for the costs of securing and storing such receipts, Quinn said,
"Did anyone ever say that democracy was meant to be cheap?"
Quinn also believes that voting systems must use open-source software.
"The keystone of democracy is information," he said. "You
have a big problem when people don't have enough information to make up
their minds or, even worse, they have misleading information and make up
their minds in a way that would be contrary to what they would decide if
they had the full story.
"Any transparency you can add to that process is going to enhance
the democracy and, conversely, any information you remove from that
process is going to undermine your democracy."
The issues of voter-verifiable receipts and secret voting systems could
be resolved in the United States by a bill introduced to the House of
Representatives last May by Rep. Rush Holt (D-New Jersey). The bill would
force voting-machine makers nationwide to provide receipts and make the
source code for voting machines open to the public. The bill has 50
co-sponsors so far, all of them Democrats.
"If a voting system precludes any notion of a meaningful recount, is
cloaked in secrecy and controlled by individuals with conflicts of
interest, why would anyone buy it?" Quinn said. "At the very
least give citizens the right to choose whether they want to use paper
ballots ... thus allowing each elector to be personally satisfied as to
the integrity of the process in which they are participating."
Quinn, who was working in Chicago for Motorola during the 2000
presidential election, says he is "gob smacked" by what he sees
happening among U.S. electronic voting machine makers, whom he says have
too much control over the democratic process.
It has been widely reported that Ohio-based Diebold Election Systems, one
of the biggest U.S. voting-machine makers, purposely disabled some of the
security features in its software. According to reports the move left a
backdoor in the system through which someone could enter and manipulate
data. In addition, Walden O'Dell, Diebold Election System's chief
executive, is a leading fundraiser for the Republican Party. He stated
recently that he was "committed to helping Ohio deliver its
electoral votes to the president next year."
"The only possible motive I can see for disabling some of the
security mechanisms and features in their system is to be able to rig
elections," Quinn said. "It is, at best, bad programming; at
worst, the system has been designed to rig an election."
"I can't imagine what it must be like to be an American in the midst
of this and watching what's going on," Quinn added. "Democracy
is for the voters, not for the companies making the machines.... I would
really like to think that when it finally seeps in to the collective
American psyche that their sacred Democracy has been so blatantly abused,
they will get mad."
But he says that the security of voting systems in the U.S. shouldn't
concern Americans alone.
"After all, we've all got a stake in who's in the White House these
days. I'm actually prone to think that the rest of the world should get a
vote in your elections since, quite frankly, the U.S. policy affects the
rest of the world so heavily."
To review the code, see:
http://www.elections.act.gov.au/Elecvote.html
*******************************
CNET News.com
Students buck DMCA threat
Last modified: November 3, 2003, 5:17 PM PST
By Declan McCullagh
Staff Writer, CNET News.com
When Diebold Election Systems learned that its internal e-mail
correspondence had popped up on the Web, it used a common legal tactic:
sending cease-and-desist letters to Webmasters.
But in the months since the North Canton, Ohio-based company began trying
to rid the Internet of those copyrighted files, it has arrived at a very
unusual impasse. Far from vanishing, the files have appeared on more than
50 Web sites, run mostly by students who claim Diebold has a suspiciously
cozy relationship with the Republican Party and that the e-mail
conversations demonstrate its election software is flawed and should not
be trusted.
On Tuesday, Diebold will find itself on the defensive in court as well.
The Electronic Frontier Foundation and Stanford Law School's Center for
Internet and Society are planning to file a lawsuit asking for a
temporary restraining order that would effectively halt Diebold's
campaign against the loosely organized network of mirror sites. A hearing
could be held as early as Tuesday in federal district court in San
Francisco.
EFF attorneys say the case is the first time that someone who has
received a "notice and takedown" request--one of the many
Diebold made, repeatedly invoking the Digital Millennium Copyright Act
(DMCA)--has attempted such a pre-emptive strike before being sued.
"We're saying that the hosting of the documents is fair use"
and therefore legal, said Wendy Seltzer, an EFF staff attorney.
"They're very thinly protected by copyright in the first place and
being posted as part of a political debate."
Diebold did not respond on Monday to a request for comment. Diebold
Election Systems sells electronic voting systems used in states including
California, Georgia, Ohio and Texas. Its parent company, Diebold Inc., is
publicly traded and reported revenue of $1.9 billion in 2002.
As part of the same suit, Stanford's Jennifer Granick is representing two
Swarthmore College students, Nelson Pavlosky and Luke Smith, who mirrored
the Diebold documents and received a DMCA notification. EFF is
representing the Online Policy Group, a free hosting service that had
hyperlinks to the Diebold documents, but not to the documents themselves,
on its server.
"Irregardless of the copyright status of the underlying documents,
copyright law does not allow you to go after someone who merely links to
the documents," Seltzer said.
Because the legal status of hyperlinking to copyrighted documents is
unclear, the lawsuit is noteworthy for that reason as well. In a November
2001 case that pitted the major movie studios against 2600 magazine, the
2nd Circuit Court of Appeals ruled that linking to illegal content can be
restricted "consistent with the limitations of the First
Amendment." That ruling is not binding on California courts.
In an unusual move for a college, Swarthmore decided to back its students
against the legal threats by Diebold. Its president, Alfred Bloom said in
a statement: "The college is deeply proud of its students' resolve
to act on behalf of an open and fair democracy."
The wealth of Diebold e-mail, which totals about 11MB when compressed,
includes internal conversations that cast doubt on the company's ability
to sell secure software. Some messages note that lists of bugs were
"irrecoverably lost," while others complain that "I have
never been at any other company that has been so miss [sic]
managed."
Diebold gave at least $195,000 to the Republican Party during a two-year
period starting in 2000, and its chief executive, Walden W. O'Dell, once
pledged to deliver Ohio's electoral votes for President George W. Bush.
Joseph Lorenzo Hall, a 28-year-old master's student at the University of
California at Berkeley, said he mirrored the Diebold documents because
the broader issue involves the "fundamental tenets of our democracy,
which is a fair and open election process."
"My opinion is that it's clearly a misuse of copyright law,"
said Hall, a Linux buff who recently finished his master's degree in
astrophysics and is now enrolled in the School of Information Management
and Systems. After receiving a DMCA notice from Diebold last Thursday,
Hall disabled his mirror and has not decided whether to put it back
online, which would expose him to a possible lawsuit.
A typical DMCA letter sent out by Diebold's attorneys says: "Please
note that (your) page actively encourages infringing activity. It
initially pointed to one infringing Web site. When that Web site was
removed two additional links were added pointing to a new Web site
hosting the same infringing material."
*******************************
CNET News.com
Patent ruling tugs at Net downloads
Last modified: November 3, 2003, 1:27 PM PST
By Stefanie Olsen
Staff Writer, CNET News.com
SightSound Technologies, a digital media company, has won a ruling in its
patent case against Bertelsmann subsidiaries that could have
wide-reaching effects on the business of Net music and video downloads.
Mount Lebanon, Penn.-based SightSound holds three patents related to the
sale and download of digital music and video over the Internet. In 1998,
the company sued the Internet site CDNow, owned by media titan
Bertelsmann, for infringement of patents filed in the late 1980s. The
case is the first and only test so far of the validity of SightSound's
intellectual property holdings.
Last Thursday, a federal judge in the Western District Court of
Pennsylvania and Pittsburgh granted SightSound's motion for summary
judgment against Bertelsmann's divisions, paving the road for the 5-year
dispute to go to jury trial. The court also dismissed Bertelsmann's
request to avoid trial, which was based on the assertion that SightSound
had not filed the proper information with the United States Patent and
Trademark Office.
"We are very pleased with the Court's thorough and well-reasoned
opinion and we look forward to taking this case to trial," said
SightSound's lead counsel William Wells, of law firm Kenyon &
Kenyon.
CDNow's parent company Bertelsmann could not be immediately reached for
comment.
If a jury decides that SightSound has a right to enforce the patents, it
could affect almost any business that sells downloadable music or video
online, including the major record labels and music studios. This is
increasingly important, as a number of download services emerge to offer
people a legal way to obtain video and music content online.
The patent ruling, while not final, is a sign that more of the most basic
technologies and techniques underlying online media may be privately
"owned" than previously thought. For example, Acacia Media
Technologies has claimed it owns patents on the process of transmitting
compressed audio or video online--one of the most basic multimedia
technologies on the Net. So far, it has signed up licensees such as
Mexican satellite telecommunications company Grupo Pegaso and Radio Free
Virgin, the online music division of Richard Branson's Virgin group of
companies.
The patents--granted to SightSound in 1992--give the company control over
a technique for "electronic sales and distribution of digital audio
or video signals," specifically over a "telecommunications
line." SightSound is suing to stop CDNow from pursuing "any
infringing activities," as well as to claim unspecified damages.
Read in a business environment 10 years after the patents were granted,
the language is broad. They don't cover a specific technology for
encoding or transmitting data; instead, they outline a basic model for
sending a digital audio or video signal from one place to another over
telecommunications lines, in which a copy of the audio or video is stored
on a consumer's computer and a credit card is used for payment.
CDNow had contended, amongst other myriad objections, that this
description didn't cover Internet transmission. But in almost every case,
the judge's ruling on the scope of the patents agreed with SightSound's
contentions.
A pretrial and settlement conference between the parties is scheduled for
Nov. 12. A full trial could take place within the next year, unless the
parties settle.
*******************************
Australian IT
Phone database 'abused'
Selina Mitchell
NOVEMBER 04, 2003
THE telecommunications watchdog is investigating abuse of a huge national
database containing personal information on every Australian with a phone
connection.
The Australian Communications Authority is concerned that companies may
be misusing information stored in the database, which is meant to supply
data for emergency services, law enforcement and directory services.
The review of the Integrated Public Number Database (IPND), managed by
Telstra, was requested after the ACA began investigating a company on
suspicion of contravening the code of practice that governs use of
information in the database.
The ACA warned a public number directory producer in February that it had
contravened the code, and its investigation of the incident is ongoing.
During the investigation it detected weaknesses in code protecting the
data and errors in the data itself, an insider said.
The weaknesses have led to instances of information being misused, the
ACA's annual report says.
Under the code, the directory service company can only use information
from the database to provide directory assistance services or to publish
public number directories.
The rules governing the use of data stored in the IPND are being reviewed
by the Australian Communications Industry Forum.
The ACA has requested that it consider options for better protection of
the data.
The IPND stores names, addresses and phone numbers of every person who
has a telephone account in their name, regardless of age.
Details of unlisted phone numbers are stored, as well as mobile and
holiday home numbers associated with each person.
The ACA and privacy and consumer groups are likely to be concerned about
any contravention of the code governing the use of IPND information,
including creation of searchable databases based on the data, using the
data to spam email users and the publication of unlisted numbers.
"The database needs to strike a balance between helping contact
people when needed, and ensuring privacy," an ACA insider said.
"There is an increasing concern about privacy."
The transfer of data to or from the IPND is covered by a code of practice
developed by the Australian Communications Industry Forum.
A draft of a new code will be available early next year.
The current code says data can only be accessed and used for providing
directory assistance services; providing operator services or operator
assistance services; publishing public number directories; providing
location-dependent carriage services; operating emergency call services
or assisting emergency services; assisting enforcement agencies or
safeguarding national security and other activities specified by the ACA
in a written notice to the IPND manager.
The review is examining, among other things, clarity of detail on
approved uses of data and ways of ensuring the data's accuracy.
An audit of the accuracy of IPND data earlier this year found some
errors, mostly nonsense data that was not misleading. A clean-up of
the data was undertaken.
"In February 2003 the ACA issued a warning to a public number
directory producer for a contravention of the industry code ACIF
C555:2000 Integrated Public Number Database (IPND) Data Provider; Data
user and IPND manager," the ACA annual report says.
"In investigating the matter the ACA also identified weaknesses in
the code that resulted in customer data being used for purposes
inconsistent with IPND regulatory policy.
"Those weaknesses were brought to the attention of ACIF with a
request that they be addressed through a review of the code.
"ACIF convened a working committee in June 2003 to begin that review
process."
*******************************
Washington Post
Data Attacks Strike Spam Fighters
By David McGuire
Monday, November 3, 2003; 7:52 AM
Ron Guilmette tried to cleanse the Internet of spam. For his good deed,
he got himself cleansed from the Internet.
The Roseville, Calif.-based software developer is back online, but only
after learning the hard way that fighting the junk e-mail business can be
harmful to your financial health. Guilmette lost his Internet access and
stood to lose his livelihood. Not only that, he said, local police and
the FBI did little more than lend a sympathetic ear.
Spammers decided to take Guilmette down because he belonged to a small
group of Internet vigilantes dedicated to wiping out junk e-mail, and
they used a devious tool to do it.
That tool is the distributed denial-of-service attack, pronounced
"DEE-doss" in techie circles. It's a crude, basic and very
effective way of enslaving personal computers -- usually without the
owner's knowledge. The hacker then uses the combined power of hundreds or
thousands of hijacked computers to flood their target's network with data
until it crashes.
Unlike viruses and worms, DDoS attacks are causing higher losses to
businesses struggling to keep their networks afloat. A study released in
May by the FBI and the Computer Security Institute found that DDoS
attacks cost businesses $66 million in 2002, compared to $18 million in
2001.
By waging an under-funded battle against a group with little regard for
the law, the spam fighters have offered themselves up as some of the
first casualties to the growing problem of DDoS attacks.
They're not the last barrier between spam and the world's e-mail in-boxes
-- Internet service providers and major U.S. corporations have a variety
of other tools at their disposal -- but they provide an important
resource to thousands of harried network administrators, and security
experts say their loss would take away a valuable bulwark in the daily
struggle to keep spam manageable.
"As the number of machines available to the attackers increases,
more and more organizations are going to be able to be brought to their
knees by people who are angry at them," said Allan Paller, director
of research for the SANS Institute, a computer security firm based in
Bethesda, Md. "There's no way for a small organization to stop
it."
Casualties of War
Guilmette's opinion of the bulk e-mail trade is anything but nuanced:
"I hate spammers. To me they're just the slugs of the
earth."
He started his anti-spam career in 1995 when he compiled a list of
unsecured computers that could be hijacked easily and used to send spam.
Posting the list on his Web site, monkeys.com, he warned universities,
Wall Street brokerage houses and Fortune 500 companies to block e-mail
messages from those computers.
Expanding his anti-spam efforts, Guilmette deployed unsecured "honey
pot" computers on the Internet to see if any spammers would try to
hijack them. The traps worked, and Guilmette reported the spammers to
their Internet service providers. More than 100 of them had their
accounts cancelled.
The spammers were not amused.
During a 10-day period in August, Guilmette's network was slammed by
traffic from 4,000 computers around the world in a DDoS attack that
dwarfed anything he'd seen before. Just as Guilmette was picking up the
pieces, a second attack took him down a month later.
"Given that I've only got one little consumer DSL line, I
lose," he said.
He was unable to get online, and his home software business, Infinite
Monkeys & Co., began to atrophy. Finally, he took down the spam links
on his Web site and posted an "unconditional surrender" on an
Internet newsgroup used by spammers.
The attacks almost completely vanished.
The Value of Bandwidth
Having lots of bandwidth is crucial to staying online during a DDoS
attack, but it's expensive to buy. That means individual players like
Guilmette don't stand much of a chance against the avalanche of
processing power that a DDoS attack musters.
Bandwidth is a measurement of how much information a network can handle.
The more bandwidth a network has, the bigger the denial-of-service attack
has to be to bring it down. Having more bandwidth also allows networks to
recover more quickly from attacks.
"The unfortunate state of affairs is that people who are trying to
protect themselves find themselves in a really lousy arms race,"
said Ted Julian, co-founder and chief strategist for Arbor Networks, a
Lexington, Mass.-based company that helps companies defend against
denial-of-service attacks.
Guilmette said his anti-spam efforts will remain halted "unless some
white knight rides to my rescue and gives me enough bandwidth to make me
DDoS-proof."
Joe Jared -- who maintained one of the Internet's most popular spam
blacklists at Osirusoft.com -- took a serious wallop earlier this year,
he said.
"On August 26, I shut down my site. The attack was so large it took
out two Qwest routers in Burbank," Jared said, referring to the
devices that direct Internet traffic on his ISP's network. Losing the two
routers snarled Internet traffic on that part of Qwest's
network.
The attack hurt more than Osirusoft -- Jared had merged data from several
blacklists into one downloadable file he offered for free to some of the
nation's largest technology companies.
"Between 10 and 15 percent of the e-mail worldwide was being checked
against my file," Jared said, adding that SBC Communications,
Pacific Bell and Ameritech were some of the companies that used his
list.
Jared didn't make a dime off of his list, but he estimated that he lost
more than $10,000 in delayed orders when his online foot orthotics
business was frozen in its tracks during the DDoS blizzard.
"An attack for a week or so, I can blow that off once in a while.
But when it becomes a month, I need to have an answer. I had to take a
course of action that would insure my business survives," he
said.
Relying on the FBI to investigate turned out to be a dead end for Jared
and Guilmette.
Guilmette explained his plight to an FBI operator. She put him through to
a duty officer who, he said, never returned his call.
Jared also was unimpressed with the FBI response. "They were
basically worthless."
"Law enforcement seems completely uninterested in helping,"
said Julian Haight, founder of the for-profit SpamCop Web site.
"Until you're a Yahoo they just don't care."
Hal Hendershot, section chief of the FBI's computer intrusion section,
disputed that claim.
"We don't pick the victims, and don't turn cases down. We look at
all of these attacks as a criminal violation," Hendershot said.
"A lot of it is going to depend on what data is available ... to
track back to the source. Some of that has to do with completeness of the
company's own logs."
Still Under Siege
There are several organizations that have enough money to afford the
bandwidth to fight spammers. The Spamhaus project -- an international
collective of spam fighters who maintain a widely used blacklist -- has
weathered heavy DDoS attacks for the past six months, said Spamhaus
volunteer John Reid.
The attacks got more savage in September after Osirusoft's demise
"seemed to embolden the people that were doing it," Reid
said.
Spamhaus could have met the same fate as Osirusoft and Guilmette but it
won much-needed cash investments to keep going. "Some people stepped
up who had a lot of bandwidth available," Reid said, declining to
name Spamhaus' silent benefactor.
With that backing, Spamhaus was able to move its servers off of a
houseboat in the Thames where they'd been housed since 1997, Reid
said.
Even the new bandwidth capability wasn't enough to keep Spamhaus running
when hackers snared more than 5,000 computers for a DDoS attack in
September. But with the increased server capacity, Spamhaus is able to
recover quickly from such attacks, Reid said.
While SpamCop has been a target since its inception in 1998 in Seattle,
Haight said the attacks "have gotten a lot more sophisticated and
coordinated lately. It definitely did hit SpamCop and we had to take some
rather expensive countermeasures to stop it."
None of the anti-spam crusaders can say for sure who was behind the
attacks, but they know why.
"I'm being targeted because I'm effective in targeting spam, and the
person targeting me is obviously a spammer or someone being paid by a
spammer -- it seems like a pretty easy conclusion," Haight
said.
*******************************
Federal Computer Week
NIST releases security controls proposal
BY Diane Frank
Nov. 3, 2003
The National Institute of Standards and Technology today released the
first draft of a publication describing mandated security controls for
federal information systems.
NIST officials want agencies to experiment with the initial public draft,
"Special Publication 800-53: Recommended Security Controls for
Federal Information Systems." It outlines electronic and physical
controls for systems categorized under three levels of potential impacts,
such as what would happen if someone steals information from a federal
system and modifies the data or disrupts a government service.
Low-, medium- and high-impact levels are defined in draft "Federal
Information Processing Standard (FIPS) 199: Standards for Security
Categorization of Federal Information and Information Systems." NIST
officials released the final draft of that standard in September.
Controls outlined in the Publication 800-53 draft fall into three classes
-- management, operational and technical -- and are then broken down
further into families. For example, under the management class, families
include security planning and acquisition of information systems and
services. Operational class families focus on issues such as incident
response and contingency planning and operations.
NIST's Computer Security Division plans to use agencies' comments from
the initial draft and an open workshop in March to develop final security
controls that would become the new "FIPS 200: Minimum Security
Controls for Federal Information Systems."
FIPS 199 and 200 are required under the Federal Information Security
Management Act of 2002. NIST expects to publish FIPS 200 in the fall of
2005, when its controls will become mandatory for all federal
agencies.
Comments are due by Jan. 31, 2004, and may be submitted to
sec-cert@xxxxxxxx.
*******************************
Federal Computer Week
Putnam seeks industry emphasis on info security
BY Diane Frank
Nov. 3, 2003
If companies don't incorporate information security best practices into
their planning and management, the House of Representatives' technology
leader says he will try to make them do it.
"While I would clearly prefer an option that did not require a
legislative initiative to address this matter as a management issue and
incorporate fundamental 'best practices' into information security
planning, I have prepared a draft bill that would require an annual
information security risk assessment by publicly traded companies,"
Rep. Adam Putnam (R-Fla.) wrote in an Oct. 30 letter to the Information
Technology Association of America.
Putnam, chairman of the House Government Reform Committee's Technology,
Information Policy, Intergovernmental Relations and the Census
subcommittee, outlined his concern that companies are treating security
as just a technology issue and not a corporate one. The Federal
Information Security Management Act (FISMA) of 2002 fostered an emphasis
on best practices at federal agencies, but there is no similar
across-the-board oversight for the private sector.
The draft Corporate Information Security Accountability Act has gone
through several experts in the private sector and, so far, has received
positive responses and suggestions, Putnam said. In addition, however, he
has organized a working group to work with the subcommittee staff on the
draft and to look at potential alternatives to legislation.
The Business Software Alliance last month released a white paper with the
beginnings of a security governance framework for the private sector,
drawing from FISMA and other security guidance. Officials are hoping to
expand on that framework, working with other industry
organizations.
*******************************
Federal Computer Week
Ensuring liability protection
DHS works to implement law designed to encourage new technologies
BY Judi Hasson
Nov. 3, 2003
Homeland Security Department officials plan to make it easier for private
companies to develop anti-terrorism technologies without the fear of
costly lawsuits. Now experts are asking whether the move will be enough
and whether it will work.
As DHS begins the process of limiting the liability for companies
developing potentially lifesaving technologies, the government still has
a long way to go to make the Support Anti-Terrorism by Fostering
Effective Technologies Act of 2002 -- better known as the SAFETY
Act -- an effective part of the war against terrorism.
The law was passed primarily to encourage the development of new
technologies. Existing ones can be certified, but only under limited
circumstances.
There are other caveats. The liability protection does not cover
companies for damage caused by anti-terrorism tools when no terrorist act
occurred -- for instance, when the technology causes environmental
pollution.
Although it is supposed to encourage innovation, the certification
process is daunting. DHS officials estimated that filling out the
application would take 108 hours. Some vendors say it could be more like
1,000 hours and requires a great deal of legal advice.
But small steps are needed to find new ways to fight terrorism, and
encouraging new technologies is one of them.
For example, some contractors who rushed to help victims of the Sept. 11,
2001, terrorist attack on the World Trade Center in New York City learned
the hard way that they exposed themselves to unnecessary liability
because no exemptions were in place, according to Rep. Carolyn Maloney
(D-N.Y.).
Maloney, a member of the House Government Reform Committee, which held a
hearing Oct. 17 on the SAFETY Act, said she wants to make sure private
companies can extend a hand without opening themselves up to
lawsuits.
"Just from New York City, we're still reeling from some of the
aftermath of really being supportive to the contractors who rushed to the
scene to save the lives of others, and now they're facing certain
liability issues when all they were trying to do was save the lives of
others selflessly," she said.
In other cases, insurance has either been largely unobtainable or so
costly that companies do not want to develop the technologies or put them
on the market because they will never recoup their investments.
"It is hardly surprising that companies are unwilling to bet their
existence by developing and deploying services and products in this
uncertain climate," said Parney Albright, assistant secretary for
plans, programs and budgets at DHS. "This means that key
capabilities needed to secure the homeland may not be available for
deployment."
Rep. Henry Waxman (D-Calif.), ranking member on the committee, said the
law is weak and not about encouraging innovation, but providing
"absolute immunity" to defense contractors and other
manufacturers of anti-terrorism products.
"This act is ironically called the SAFETY Act, when in reality, the
only safety it provides is to corporate wrongdoers," Waxman
said.
But companies should have some accountability for a critical mistake,
according to Harris Miller, president of the Information Technology
Association of America.
"In these extreme situations ... it's the only way we're going to get
these products to the government and protect the American people,"
Miller said.
DHS' liability coverage
Homeland Security Department Secretary Tom Ridge signed an interim rule
last month that put the Support Anti-Terrorism by Fostering Effective
Technologies Act of 2002 into effect. The final rule will be issued by
the end of this year.
Highlights include:
* The amount of liability insurance coverage is limited for each
technology. DHS officials will not require insurance beyond the point at
which the cost of coverage would unreasonably distort the price of the
technology.
* Vendors will be liable for the percentage of noneconomic benefits
proportionate to their responsibility for harm.
* Punitive damages are banned.
* Benefits may be given to plaintiffs who receive other awards, such as
insurance payouts.
Source: Federal Register
*******************************
Government Computer News
Navy team evaluates weblogs
By Joab Jackson
November 3, 2003
Long popular with Internet surfers, weblogs are getting a review by
Defense Department users for project management.
The Office of Naval Research is using a weblog to build a business case
for using them elsewhere in DOD, said Greg Lloyd, president of Traction
Software Inc. of Providence, R.I.
Earlier this fall, Naval Research started using Traction's enterprise
blogging software to track its Liberty Project, an effort to develop
night vision technology.
The research staff uses the blog as a communications hub for posting and
responding to project updates, as well as troubleshooting difficulties.
The Navy's Rapid Acquisition Incentive-Net Centricity initiative has
chosen the pilot as a basis for a business case for a project to evaluate
the usefulness of blogs throughout DOD. The initiative evaluates IT that
can significantly help in procurement and program management.
The Navy launched the five-year initiative this past summer. Traction's
software was one of 12 technologies chosen for evaluation over the coming
year.
Lloyd said that use of Traction's TeamPage Weblog provides a common
workspace for project management, eliminating the need to send documents
by e-mail.
Besides Naval Research, other Liberty Project participants that will
evaluate the Traction software are the Army Night Vision Lab, Defense
Acquisition University, Naval Undersea Warfare Center, Marine Corps and
New York City Police.
*******************************
Government Computer News
DOD extends Common Access Cards deadline
By Dawn S. Onley
November 3, 2003
The Defense Department has extended by six months its deadline for
issuing Common Access Cards to its more than 4 million users. It still
has about 500,000 cards to distribute.
Defense initially had planned to issue all the cards by October to
active-duty, civilian and contract workers and some reservists. The
cardholders use the CACs for network authentication and digital
signatures on the department's public-key infrastructure.
The enormity of the project made the extension necessary, said Mike
Butler, chief of smart-card programs for DOD's Access Card Program
Office. The department has been issuing between 10,000 and 14,000 cards a
day.
"It's a big logistics deal," Butler said. "It's a challenge because
there's a lot of rules and policies especially when you are giving PKI
certificates to folks. Just the encoding time on the CAC takes about five
minutes."
The Smart Card Senior Coordinating Group decided in September to push the
deadline date back to avoid an onslaught of last-minute waiver requests.
To date, 3.7 million users have received smart cards since the program
began more than three years ago. But that number fluctuates between the
several thousand employees who have left military service and turned back
in their cards and the thousands of new recruits being assigned cards
each day, Butler said. The cards currently use the Java Card run-time
environment on 32K chips.
After the April deadline, Butler said, the DOD Access Card Office is
looking ahead to the next wave of smart cards, which will carry 64K
chips. The next-generation cards will also include digital images and
biometric identifiers. DOD's medical organizations also are working on
some standard data elements that they could include on the cards.
*******************************
Washington Post
'DDoS' Attacks Still Pose Threat to Internet
By David McGuire
Tuesday, November 4, 2003; 8:49 AM
On October 21, 2002, people around the world cruised through cyberspace
the way they do every day -- bidding on auctions, booking airline
reservations, sending e-mail -- all the while unaware that someone was
working overtime to try to bring the Internet to its knees.
Around 5 p.m. Eastern time, operators of the Internet's root servers, the
computers that provide the roadmap for all online traffic, saw an
unnaturally large spike in the amount of incoming data. It was a
"distributed denial-of-service attack," a concentrated attempt
to throw so much information at the servers that they would shut
down.
Seven of the 13 servers went down completely, and two were badly
crippled. In the course of the next frenzied hours, their operators tried
to repel the attack as Internet users typed and clicked away with little
idea that anything was wrong. In the end, the Internet held firm but
nearly everyone who fought off the attack agreed that it came closer than
ever before to sustaining major damage.
A little more than a year later, experts have been working to improve the
Internet's defenses but they say a better coordinated attack could do
even worse damage. The weapons are cheap and simple and plenty of people
know how to use them, leaving the Internet's caretakers looking for new
ways to win a lopsided electronic arms race with online
criminals.
"The people who did it last time were chicken-boners," said
Paul Vixie, president of the non-profit Internet Software Consortium,
which operates one of the root servers. "I'm sure that there are
still serious, well funded cyberwarfare people who would look at what
we've done and say 'yeah, there's a way that we could nail
that'."
DDoS (pronounced "DEE-Doss") attacks are one of the simplest
ways to cause online havoc but one of the most difficult to defend
against. Hackers snare "zombie" computers -- usually
unprotected home or business PCs -- and force them to send bundles of
data to their targets to try to make them crash.
If a DDoS attack took down all of the root servers -- something experts
said is unlikely -- Internet communications would slowly cease. Because
most computers store the information they get from the root servers, it
would take about three days to feel the full effect of the
attack.
The code that lets hackers into zombie computers spreads through worms
and viruses that roam the Internet looking for vulnerable PCs. Getting
that process started requires almost no investment on the part of the
attacker.
"Those things are in the hands of any angry teenager with a $300
Linux machine," Vixie said.
Computer experts have found that the best way to fend off an attack is
considerably more expensive -- buy lots of extra bandwidth to handle all
the data coming their way.
Mountain View, Calif.-based Internet security company VeriSign Inc., has
spent tens of millions of dollars to secure the two root servers it
supervises, but Ken Silva, VeriSign's vice president of networks and
information security, said the company worries that other operators don't
have the money or resources to follow VeriSign's lead.
Silva said that the servers should be in the hands of entities that can
afford to operate them securely. In October 2002, "when it was all
said and done and you looked at who survived ... it was the people who
made the investment," he said. "It is scary that at the root of
the Internet a significant number of these root servers are quite frankly
just run as a hobby. You don't get paid for running a root
server."
Other root server operators include the University of Maryland, the U.S.
Army Research Lab and NASA's Ames Research Center.
The idea that other server operators aren't up to the task has earned a
chilly reception from other members of the Internet community.
Vint Cerf, chairman of the Internet Corporation for Assigned Names and
Numbers (ICANN), said that the current model is faring well.
"It is an arms race, but so far we've kept up," Cerf said.
"Here it is in 2003 -- 20 years into the release of the 'Net -- and
you look at how far we've come since 1983, you have to have some
appreciation for the robustness of the system."
ICANN supervises the Internet's addressing system.
Karl Auerbach, an Internet software engineer and former ICANN director,
said that the server operators have performed admirably.
"All the work that's really been done has been done by the root
server operators themselves. [VeriSign Chief Executive] Stratton Sclavos
has been belittling the fact that the operators aren't professional.
Well, they've been doing a very professional job."
That work -- along with greater coordination among operators -- has made
the Internet safer, said Steve Crocker, who runs ICANN's Security and
Stability Advisory Committee. "I think it's unlikely that you'd have
a long sustained attack that wasn't dealt with," he said.
One of the ways server operators have made the Internet less vulnerable to
attack is by decentralizing their operations.
The Internet Software Consortium runs the "F" root server in 12
cities instead of one. Splitting up the server's location, an idea known
as "anycasting," helps foil DDoS attacks that try to slam a
single target with a flood of data, Vixie said.
With anycasting, a DDoS attack targeted at "F" will get shunted
off to several different computers around the world, lessening its
impact.
It's a simple way to deflect a destructive problem, Vixie said, but most
root server operators were reticent to try it until the October 2002
attack made them realize the stakes of maintaining the status
quo.
"An attack of a certain volume can be launched this year by someone
with only half as much intelligence and skill as was necessary last
year," he said.
Silva said that VeriSign also runs the "J" server this way --
splitting its functions between several locations in the United States
and the Netherlands. Nevertheless, he said, not enough root server
operators are using the technique.
And the server operators are almost sure to get tested again as worms
continue seeding computers with instructions to launch DDoS
attacks.
"There's a trend in attack tools. First, attacks are invented, then
they're automated, and when they're automated, any moron with a computer
can do them," said Bruce Schneier, co-founder of Counterpane
Internet Security Inc., and author of Beyond Fear: Thinking Sensibly
About Security in an Uncertain World.
Auerbach, the former ICANN director, said that's not good news for the
people charged with keeping the Internet running.
"There's a lot of people out there who seem to have nothing better
to do than take down the infrastructure we have ... Sooner or later it's
going to happen [again] and it's going to happen with a degree of
virulence and professionalism that makes prior attacks look wimpy,"
Auerbach said.
*******************************
USA Today
Lieberman takes on video game violence in S.C. stop
November 3, 2003
GREENVILLE, S.C. (AP) -- Democratic presidential hopeful Joe Lieberman
pledged to fight violent video games in a campaign stop in Greenville,
S.C., over the weekend.
Lieberman, a U.S. senator from Connecticut, visited an Upstate church
Sunday.
He told the congregation at Springfield Baptist Church that he supports
rating systems for television programs and video games to give parents
more information.
He said one game, Grand Theft Auto: Vice City, rewards players for
attacking, beating and killing women. "It's awful," Lieberman
said. "If you saw it, you'd be disgusted and outraged."
Reaction to his anti-violence message was mixed.
Chris Anderson, a Furman University junior, said he thinks regulations
should be consistent. "Violence in Westerns is just as bad as the
violence Marilyn Manson talks about," he said, referring to a shock
rock act.
Lieberman is one of nine Democrats running for the nomination. South
Carolina's Feb. 3 primary is expected to be pivotal because it's the
first in the South.
*******************************
USA Today
Tulsa homeless community linked through technology
Posted 11/3/2003 2:18 PM
TULSA (AP) -- The business of caring for the homeless has become more
advanced than just passing out blankets and food.
By the end of the year, information about homeless people in the Tulsa
area will go into a computer system that tracks their medical, housing
and food needs. The new software, called Share Link, will connect
homeless providers to one database.
Homeless people will no longer have to repeat their personal information
each time they see a case manager, said Jim Lyall of the Homeless
Services Network.
With Share Link, the most vital information can be accessed by mental
health providers and shelter case managers.
Clients must choose to become part of the system and sign a permission
form. Extreme care and consideration are going into the wording of the
form, Lyall said.
"We want to make sure they totally understand what it is that will
be put into the system about them," he said. "A lot of thought
is going into it."
If a client is treated by the Family & Children's Services' COPES
(mental health mobile crisis team), their information will be entered
into the database. Then, if they go to the Salvation Army for shelter,
their case manager can pull up the information instantly.
"One of the things that the homeless complain about is having to
re-explain their case history and personal information to different
providers," Lyall said. "This eliminates the need for them to
do so."
Homeless clients complied when tracking tuberculosis became necessary so
officials hope Share Link eventually will be embraced. All clients are
supposed to carry a TB testing card, but because of Share Link, that may
no longer be needed.
"We're hoping that they see that this is a better service for them
and go along with it," Lyall said.
Share Link was paid for through donations from a private foundation and
grants from the U.S. Department of Housing and Urban Development and
Health and Human Services.
The software will be managed by the Tulsa City-County Health Department.
The system is expected to be fully operational by early 2004.
*******************************
MSNBC Online
ELECTRONIC VOTING COVER-UP
Nov. 3, 2003 / 3:38 PM ET
Well, I'm back from my trip to
Europe. Actually, I arrived home last week to discover that my loft in
New York had been severely flooded by a water leak in the apartment
above, so I've been distracted by damage control and insurance companies
until now.
It's been strange déjà vu for me: I
lost my house in the 1991 Oakland Hills fire and spent five years
fighting with insurance companies to rebuild it. Now the news is full of
another California fire disaster and I'm back on the phone arguing with
insurance adjusters, this time about water. First fire, then flood: next
time I'm hoping for locusts.
But on to the news. I suspect we
students of the cyberworld are getting a distant early warning of a
potential electoral disaster that could make hanging chads look trivial.
Newsweek's Steven Levy wrote about the gathering storm around electronic
voting systems last week in the magazine. Today, the New York Times'
ever-vigilant John Schwartz has a terrific piece on the attempts of the
major electronic voting device maker, Diebold Voting Systems, to quash
efforts to expose its systems' flaws.
Briefly, Diebold is trying to use
copyright law to keep people from posting the company's internal
documentation about flaws and security problems in its voting machines.
But it's far too late for Diebold Voting Systems to try to kill this
story: it's only going to get worse until an election outcome falls into
doubt, whereupon the whole notion of electronic balloting -- itself a
very good idea -- will fall into disfavor.
Diebold's desperate attempts remind
me of the early days of the commercial Internet, when Cisco Systems was
among the first tech companies to put all of its bug reports on its Web
site. The Cisco salespeople in the field immediately complained, fearing
that their competitors' reps would just print out the bug reports as
arguments against buying Cisco. Cisco's CEO John Chambers suggested they
remind customers that all software has bugs, but Cisco was honest enough
to admit it instead of making customers find out by accident. Cisco
thereafter prospered mightily.
The same standard should go for
companies like Diebold Voting Systems, who will profit richly by serving
the public trust. The public trust doesn't come free, and the price of
entry must be openness, even at the cost of corporate discomfort.
*******************************
Reuters Internet Reports
Radio Tags Face Technical Hurdles, Deadlines
Tue Nov 4, 3:03 AM ET
By Caroline Humer
NEW YORK (Reuters) - The latest technology craze can be found hanging
from a Prada shirt in downtown New York or tacked onto cases of
Boston-based Gillette razors.
Small tags that use radio frequencies to gather information are turning
up as a potential replacement to the UPC code that keeps tabs on consumer
goods, and technology companies are betting they will emerge as the next
hot thing.
But that may not happen any time soon, analysts say, because radio
frequency identification tags still don't work that well.
The tags fall far below the 99 percent reliability rate of UPC tags
because of the difficulty of transmitting clean radio signals. At 20
cents to 30 cents apiece, plus the cost of altering packaging lines to
accommodate them, the tags are also too expensive for most companies to
use.
"We are at an incredibly early stage of this technology and what it
is actually capable of doing. All the promise of real-time supply chain
visibility is just that. It's promise," IDC analyst Christopher
Boone said.
However, the world's largest retailer, Wal-Mart, and the Department of
Defense are pushing their hundreds of suppliers to use the technology,
suggesting the tags could see wider adoption in the next few years.
With the ability to track everything from cases of razors to a car
passing through a toll booth, analysts say the electronic tags are to
this decade what the Internet was to the 1990s -- a promise of radical
change in the way business is done.
"Everyone has a hunch there's something big here, but no one can
articulate it," said Jeff Woods, an analyst at Gartner Inc.
The tags use low radio frequencies to transmit data about items or
locations, enabling companies to better manage inventories, replenish
supplies and cut costs. Tagging items could create a more efficient way
of doing business, similar to the way Dell Inc. (Nasdaq:DELL) used
the Internet to change the personal computer industry.
Companies lining up for a piece of the action include venture capital
start-ups that make radio frequency identification tags, such as Alien
Technology, and technology services giants such as IBM, who want to show
corporations how to use them.
For tags to be more widely used, analysts say the price must drop to
under 5 cents each, which would happen only with higher volume.
Amid all the hype, companies are looking at real deadlines.
Wal-Mart and the Department of Defense have set January 2005 as the date
for use of RFID technology by their suppliers. Costco Wholesale Corp.
(Nasdaq:COST), the largest U.S. warehouse club operator, has said
it is looking at RFID as well.
In fact, Wal-Mart's top 100 suppliers will meet on Nov. 4 and 5 in its
hometown of Bentonville, Arkansas, to discuss the specifics of
implementing RFID technology.
But the giant retailer's suppliers won't be able to meet a demand for all
of their products to have RFID tags by 2005, analysts say, and some
expect the company to soften its message.
"We suspect that, for Wal-Mart, the 2005 deadline is a call to
action and not a mandate, and they will have a handful of suppliers they
will pilot this with in 2004 to be ready in 2005," said Sean
Campbell, a partner in IBM's business consulting services group.
IBM competes with consulting companies such as Accenture Ltd. (NYSE:ACN)
to advise companies on using RFID. IBM could also benefit as it
sells the software that's needed to make use of the data, as could other
software companies like SAP, Siebel and Oracle.
Campbell said that also hindering Wal-Mart's deadline is the fact there
are not enough RFID chips out there right now.
Companies that make the RFID tags or part of them include Alien
Technology, Philips Semiconductors, Texas Instruments Inc. (NYSE:TXN),
Zebra Technologies Corp. (Nasdaq:ZBRA) and Matrics Inc.
The technology is so far from being ready, analysts say, that some
companies may not last long enough to reap the benefits, as was the case
when UPC codes were introduced in the 1970s.
"Radio frequency has some limitations. It cannot be read through
liquid ... or through metal. If you have nylon conveyor belts it causes
RF noise. We don't know what happens when you shrink wrap this
stuff," said Kara Romanow, a senior analyst at AMR Research.
"So, when you look at companies like Matrics and Alien that are
providing this technology today, I don't know if they will be able to
survive long enough for this to pick up," she said.
There are also privacy issues. Civil liberties advocates fear that, under
the guise of protecting national security, RFID will be used to invade
people's privacy by monitoring their activities.
One storm of controversy developed when Tesco, a grocery retailer in
Cambridge, England, reportedly photographed customers removing Gillette
razors from the shelves.
Tesco was not immediately available for comment.
Efforts to use the technology for inventory management in places like
libraries and supermarkets have met resistance from groups who are
concerned the tags will link consumers with purchases to develop customer
profiles.
*******************************