Privacy Digest
Your daily source for news that can impact people's privacy.


Thursday, October 31, 2002
Privacy News from Wired News - Feds Share College Students' Info.

The U.S. Department of Education exchanges student aid applicants' personal data with a handful of other agencies, and even private companies. The practice may spook privacy advocates, but it's entirely legal.

InfoWorld - Wi-Fi group lays out better wireless security.

The certification body, Wi-Fi Alliance, plans to lay the mechanisms out as optional features beginning in February and require them for Wi-Fi compliance about six months later, said Dennis Eaton, chairman of the Wi-Fi Alliance.

A task group within the IEEE (Institute of Electrical and Electronic Engineers) 802.11 working group, which is in charge of the IEEE 802.11b and 802.11a standards on which Wi-Fi products are based, is now working on a tough new security standard called 802.11i. However, it isn't expected to ratify that standard until September 2003, so the Wi-Fi Alliance took a "snapshot" of 802.11i.

"Their work is ongoing, but ... security has been a big issue for Wi-Fi equipment, and the market was really in need of a security solution today," Eaton said.

Fear of snooping from street corners or office parking lots has kept many enterprises from deploying wireless LANs, which can link users to corporate data and the Internet at 11Mbps with 802.11b and 54Mbps with 802.11a, industry analysts have said.

With WEP, the keys used to encrypt data passing over the network can be cracked just by examining a brief sample of packets, according to Peter Shipley, an independent security consultant in Berkeley, Calif.

Some vendors, such as Cisco Systems, sell corporate 802.11 systems equipped with other methods of security on top of WEP. However, most consumer-oriented wireless LAN equipment offers only WEP.

Slashdot | Replacing WEP for Wireless Security.

i.r.id10t writes "Over at infoworld.com they have an article about how the organization that certifies wireless LAN products under the Wi-Fi name revealed new specifications Thursday for how vendors should make their products more secure. The guidelines call for new mechanisms to replace the current security system, based on WEP, which has come under fire for being too easy to circumvent. The certification body, Wi-Fi Alliance, plans to lay the mechanisms out as optional features beginning in February and require them for Wi-Fi compliance about six months later, said Dennis Eaton, chairman of the Wi-Fi Alliance."

Slashdot | Windows 2000 Gets Common Criteria Certification.

Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification. Read more of the propaganda here. Basically, according to the article, any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."

void.thunderteam.org - FormMail-Trap.

Formmail-trap is a CGI program that automatically detects attempts to probe a formmail open relay and reports the event to the ISP of the one who made the attempt.

Just a reminder: I have not tried or tested this program. So check out the code and use at your own risk.
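To make the idea behind a formmail trap concrete, here is an added illustration of the detection half of the job, written for this digest and not taken from the void.thunderteam.org program. It assumes a web server writing Common Log Format lines, that a legitimate form only ever mails addresses in the site's own domains (the LOCAL_DOMAINS set is an assumption), and that a probe is a request to a formmail script whose recipient parameter names an off-site address. The sample log lines are constructed; reporting the hit to the client's ISP, which the real program does, is left out.

```python
"""Flag access-log lines that look like FormMail open-relay probes.

Added example; not the FormMail-trap code. Sample log lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Domains this site legitimately delivers form mail to (assumption).
LOCAL_DOMAINS = {"example.org"}

# Common Log Format: client ident user [date] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Typical script names probed for; matched case-insensitively on the URL path.
FORMMAIL_PATH = re.compile(r"/formmail(\.pl|\.cgi)?$", re.IGNORECASE)


def is_probe(path):
    """Return the off-site recipient address if this request looks like a
    relay probe, else None.  Only GET probes are visible this way: a POST
    body is not written to the access log, so its recipient cannot be seen."""
    parts = urlsplit(path)
    if not FORMMAIL_PATH.search(parts.path):
        return None
    query = parse_qs(parts.query)
    for addr in query.get("recipient", []):
        domain = addr.rpartition("@")[2].lower()
        if domain and domain not in LOCAL_DOMAINS:
            return addr
    return None


def find_probes(lines):
    """Map client address -> list of off-site recipients it tried, in order.
    A 404 still counts: the attempt is what a trap reports, not its success."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        ip, _method, path, _status = m.groups()
        addr = is_probe(path)
        if addr:
            hits[ip].append(addr)
    return dict(hits)


# Constructed sample log (RFC 5737 documentation addresses, .invalid domains).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Oct/2002:09:12:01 +1100] "GET /cgi-bin/formmail.pl?recipient=spamtest@relay-test.invalid&email=x HTTP/1.0" 200 512',
    '198.51.100.4 - - [31/Oct/2002:09:12:05 +1100] "POST /cgi-bin/FormMail.pl HTTP/1.1" 200 512',
    '192.0.2.9 - - [31/Oct/2002:09:13:44 +1100] "GET /cgi-bin/formmail.pl?recipient=webmaster@example.org HTTP/1.0" 200 512',
    '203.0.113.7 - - [31/Oct/2002:09:14:10 +1100] "GET /cgi-bin/formmail.cgi?recipient=probe@relay-test.invalid HTTP/1.0" 404 210',
    '192.0.2.9 - - [31/Oct/2002:09:15:00 +1100] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for ip, recipients in find_probes(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(recipients))
```

Run as a script it lists one probing client with both addresses it tried; the legitimate on-site recipient and the plain page fetch are not reported.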

Forbes.com: The Man Who Knows Too Much.

Fair, Isaac's Tom Grudnowski leads a team of math whizzes who help companies learn everything about your credit history, buying habits and what you're likely to do next. Should he be stopped?

[ ... ]

But do businesses have a right to know so much about you? And while telecom carriers, insurers, HMOs and banks use such information to assess your risk as a customer, should they be allowed to parlay those insights to sell you more goods and services? Privacy advocates, who already see Big Brother in every piece of junk mail, are lining up legislators. Bills pending around the nation seek to limit the use of Social Security numbers, often linked to marketing databases. Forty-two states are likely to consider laws in 2003 that would restrict or disclose which companies use credit scores for insurance policies. When a portion of the Fair Credit Reporting Act expires in 2004, Fair, Isaac foes will get another shot at reining it in.

[ ... ]

Of course, Fair, Isaac and its peers do make mistakes, though they won't admit how often their technology screws up or reveal how they arrived at your score. And those mistakes can be costly, passed along to the government and company after company. Judy C. Thomas of Klamath Falls, Ore. spent six years trying to unravel an erroneously low score reported to banks, retailers and insurers. The snafu: A credit firm had confused her with a woman who had a similar name and Social Security number.

Grudnowski shrugs off the controversy. Fair, Isaac doesn't keep the databases, he points out; other companies own and use the information. Last year the firm introduced MyFICO.com--a Web-based service that for $13 lets you read your credit score and provides up to four reasons for the rating and suggestions for improving it--partly in an attempt to appease angry consumers. Given the political debate about using scores for insurance, the company is considering a similar product to suggest how people can boost their scores to lower the costs of car and homeowner's insurance.

Sydney Morning Herald - Optus online payment system raises privacy concerns.

Optus's online payment system can reveal details of payments made online to anyone who has the patience to keep inputting random account numbers.

The secure payment page has a link at the bottom to a page where those who have paid bills earlier using the system can view their past payments by inputting their account number.

It is trivial to write a small program to generate random account numbers. One can keep looking until one gets details of payments of someone who has paid online.
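The weakness described above is a lookup authorised by nothing more than a guessable identifier. The following added example (written for this digest, not Optus's code) shows that design next to a hardened version with the two server-side controls a practitioner would expect: the requested account must match the account bound to the authenticated session, and repeated failed lookups from one client are throttled. The payment records, account numbers and client address are constructed.

```python
"""Payment-history lookup: exposed design beside a hardened one.

Added example, not Optus's code. All data below is constructed.
"""
import time
from dataclasses import dataclass

# Constructed sample data: account number -> past online payments.
PAYMENTS = {
    "10234567": [("2002-09-14", 48.50), ("2002-10-12", 52.10)],
    "10234568": [("2002-10-01", 31.00)],
}


def lookup_vulnerable(account_number):
    """The exposed design: any caller who supplies a valid account number
    gets that customer's history.  Nothing ties the number to the caller,
    so the number space can simply be walked."""
    return PAYMENTS.get(account_number)


@dataclass
class Session:
    """What the server knows about a logged-in user (set at login)."""
    account_number: str


class LookupGuard:
    """Sliding-window count of failed lookups per client; refuses further
    lookups once a client has max_failures failures inside window_seconds."""

    def __init__(self, max_failures=5, window_seconds=600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = {}  # client_id -> list of failure timestamps

    def _recent(self, client_id, now):
        cutoff = now - self.window
        kept = [t for t in self.failures.get(client_id, []) if t > cutoff]
        self.failures[client_id] = kept
        return kept

    def allowed(self, client_id, now):
        return len(self._recent(client_id, now)) < self.max_failures

    def record_failure(self, client_id, now):
        self._recent(client_id, now).append(now)


def lookup_hardened(session, requested_account, client_id, guard, now=None):
    """Return (records, status).  Order matters: throttle first, so a client
    that keeps guessing is cut off even before authorisation is checked."""
    if now is None:
        now = time.time()
    if not guard.allowed(client_id, now):
        return None, "throttled"
    # Authorisation: only the account bound to this session may be viewed.
    # An unauthenticated caller (session is None) always fails here.
    if session is None or session.account_number != requested_account:
        guard.record_failure(client_id, now)
        return None, "forbidden"
    return PAYMENTS.get(requested_account), "ok"


if __name__ == "__main__":
    guard = LookupGuard(max_failures=3)
    client = "203.0.113.9"  # constructed client address
    print("vulnerable:", lookup_vulnerable("10234567"))
    print("no session:", lookup_hardened(None, "10234567", client, guard))
    user = Session(account_number="10234568")
    print("own account:", lookup_hardened(user, "10234568", client, guard))
    print("other account:", lookup_hardened(user, "10234567", client, guard))
```

The hardened lookup never reveals whether a guessed number exists: a wrong or missing session gets the same "forbidden" answer either way, and the failure is counted against the client regardless.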

NIST - An Agency of the U.S. Commerce Department's Technology Administration - System Certification and Accreditation Project.

Promote the development of:

  • A standardized process for certifying and accrediting federal IT systems including the critical infrastructure of the United States;
  • Minimum security controls for IT systems supporting confidentiality, integrity, and availability;
  • Techniques and procedures for the verification of security controls;
  • Robust, automated tools supporting the certification and accreditation process; and
  • Public and private sector assessment organizations capable of providing cost effective, high quality, certification services.

CNET NEWS.COM - Security guide aims to lock up agencies.

The U.S. government unveiled the first of three documents designed to help civilian government agencies secure themselves from Internet and insider attacks.

The National Institute of Standards and Technology (NIST) published this week a draft of the first guidelines, developed to help the agencies standardize how they measure the security of their systems.

When finished, the guidelines will allow agencies to express the degree of security that their systems can provide--a rating that could prove important when data is shared among other federal agencies.

[ ... ]

The guideline document is the first in a set of three that will spell out how agencies should secure themselves against Internet and insider threats to their computer systems. The second document, due in spring 2003, will outline the minimum security that every agency must have in place. A third document, due at the same time, will tell auditors how to verify that systems have been secured properly.

LWN: LinusWatch: Crypto API and IPSec merged.

Linus has yet to post a message to linux-kernel since his return, but he continues to merge patches at a high rate. The latest code to go in includes a new, reworked API for the performance of cryptographic functions within the kernel; implementations of DES (and triple DES), MD4, MD5, and SHA have been included. This is the first time that serious cryptographic code has been part of the mainline kernel. The first use of this API is to support the new IPSec implementation, which has also just been merged.

Slashdot | Developers - Crypto and IPSec Merged into 2.5.

Corbet writes "Linus has just merged the new crypto API and IPSec implementation into his 2.5 BitKeeper tree. This is the first time that serious cryptographic code has made an appearance in the mainline kernel, and it will hopefully lead to more secure communications for all Linux users in the future."

CNN.com - Telecoms play both sides. They charge to block calls, sell dialing gadgets to marketers

[ ... ]

For regional phone companies like Verizon, Qwest, SBC and BellSouth, privacy services like Caller ID and Security Screen are a growing revenue source.

But the phone companies aren't just trying to thwart sales calls. They're also helping telemarketers make them.

Telecoms sell telemarketers high-capacity lines and sophisticated "predictive dialing" machines that have helped unleash a stampede of automated sales calls.

Some, including Qwest and Verizon, even sell home numbers of the same customers who buy their privacy services -- unless they pay a fee to have their numbers unlisted.

"The phone companies are like arms merchants in a technological war between telemarketers and phone subscribers," said privacy advocate Jason Catlett. "They profit from both sides."

[ ... ]

Verizon spokeswoman Catherine Lewis says the company isn't playing telemarketers and consumers against each other.

"I don't think it's a case of we should pick one side over the other," she said. "We do serve both sides."

[ ... ]

An FCC memo says telemarketers attempt 104 million calls a day to U.S. businesses and consumers. Sales revenue has risen from about $435 billion in 1990 to around $660 billion last year.

[ ... ]

Phone companies offer their own blocking and screening solutions, like SBC's Privacy Manager, Sprint's Privacy ID and Qwest's No Solicitation, which intercept calls without ID and ask solicitors to hang up.

For those who don't like the idea of paying for privacy, the FTC and FCC may soon offer some relief. Advocates believe both agencies will create a nationwide list of residents whom telemarketers may not call.

"The stars are in alignment here," said Chris Hoofnagle, legislative counsel with the Electronic Privacy Information Center. "This is one of those areas where it's safe for the government to tackle a big industry because the public is so fed up."

Charities and political campaigns will get loopholes, Hoofnagle predicts.

"Politicians, they'll always be able to do it," he said. "I guarantee you."

Slashdot | Telcos Play Both Sides of Telemarketing War.

Monoman writes "Most Slashdot readers already know this but CNN has an article about how the telcos are reaping profits from selling your phone number to the telemarketers, and selling customers ways to block the telemarketers, and selling telemarketers ways to get around the customers who are paying to have telemarketers blocked and... I think you get the picture. It is nice to see stuff like this in the mainstream media." --- So either both sides pay the local Baby Bell for its protection racket, or you just pass a law and the problem goes away.

© copyright 1997-2003 by Paul Hardwick. All rights reserved.
All trademarks are the property of their respective owners.
Modified: 11/18/02; 2:47:40 PM
Built: 3/2/03; 12:34:20 AM
URL for current page: http://www.PrivacyDigest.com/2002/10/31