ZDNet |UK| - New security threat: LED lights?
Scientists say they have discovered a way of sniffing out data based on patterns of flashing LEDs
By monitoring the flashes of LED lights on electronics equipment and the indirect glow from monitors, scientists in the United States and Britain have discovered ways to remotely eavesdrop on computer data.
Optical signals from the flashing LEDs (light-emitting diodes), usually red and dotting everything from modems to keyboards and routers, can be captured with a telescope and processed to reveal all the data passing through the device, Joe Loughry, a computer programmer at Lockheed Martin Space Systems in Denver, told Reuters on Wednesday.
"It requires little apparatus, can be done at a considerable distance, and is completely undetectable," he writes in his paper, "Information Leakage from Optical Emanations". "In effect, LED indicators act as little free-space optical data transmitters, like fibre optics but without the fibre."
Not every LED-enabled device is at risk, though. Affected is equipment used in low-speed, long-distance networks typically found in proprietary networks, such as cashpoints at banks, as opposed to corporate local area networks or home Internet connections, Loughry said.
CNET NEWS.COM - Web language set to boost biometrics.
A Boston-based standards group is hoping that a key Web language will provide a standard way for computers and technology to describe human characteristics.
The Organization for the Advancement of Structured Information Standards, or OASIS, said Thursday that it has formed a technical committee to develop an XML standard for biometrics. XML, short for Extensible Markup Language, describes the contents of documents exchanged over the Web.
The field of biometrics puts computing hardware and software to the task of reading various parts of the human body, from fingerprints to the contours of a face, as a means of identifying people--whether to authorize access to bank accounts and airport terminals or to pick criminals out of a crowd.
Network World Fusion - Network Associates abandons search for PGP buyer, axes 18.
The halt in the search for potential buyers was confirmed Wednesday by Jennifer Kevney, vice president of corporate communications at NAI. NAI is no longer actively trying to sell the product lines, she said, because it was unable to find a buyer who made an appealing enough offer.
Slashdot | Network Associates Gives Up Search for PGP Buyer.
Slashdot | Book Review - Building Secure Software.
Who should read the book? Anyone who cares about security. There is information for the manager, coder and everyone in between. Throughout the book, there are plenty of examples which I found very useful. John and Gary use code to show that what they are talking about is not 'just theory'. That is right, there is code that shows the problems. That means samples of bad code, 'secure' code and code to show exploits.
Slashdot | Developers: OpenSSH Local Root Hole.
SourceForge: Initial release of Linux ACL support.
Something to dig your security teeth into: ACL support for the Linux kernel.
Access Control Lists allow fine grained access control to filesystem objects, by attaching a list of permissions to grant or deny specific capabilities to users or groups.
The Register (UK) - PGP deep-freezed - NAI shrugs.
Network Associates has put its PGP Desktop software into the deep freeze, leaving both users and its own staff in the dark.
"Effective immediately Network Associates will cease new development on these products, and not sell additional licenses, services and support agreements," the company wrote in an email last week.
Network Associates, which had bought PGP Inc for $35 million in December 1997, put the division up for sale last year, but decided to keep certain parts of the technology in house, making the bundle less attractive to potential purchasers. In fact, NAI dismantled the bundle, removing the IPSEC utility and firewall and the SDK, before putting the entrails in the shop window, according to critics.
John Ashcroft has been drumming the beat recently, reminding the tech industry that a "lucrative surveillance state" (in our Tom's words) can be built from the ashes of the September 11 attacks. This obviously doesn't extend to personal privacy software. Are we the only people who find the neglect of PGP somewhat fishy?