Privacy Digest
Your daily source for news that can impact people's privacy.


Monday, January 13, 2003

Slashdot | Interview - Discuss BIOS and Palladium Issues With an AMIBIOS Rep.

After this Slashdot discussion about the relationship between BIOS biggie American Megatrends Inc. (AMI) and Palladium appeared, we got an email from AMI sales engineer (and former Linux.com contributor) Brian Richardson, who wrote, "I am a bit concerned that the information you provided misled your readers into thinking AMI was promoting Palladium or taking some sort of anti-open-source stance. This might be due to the fact that TCPA was mistakenly equated to Palladium, or questioning how Linux would run on a TCPA-enabled system ... or by the horde of angry Slashdot readers telling us they would never buy an AMI product because we were forcing standards on them." Brian offered himself up as (his words) a "Slashdot interview victim" to clear things up. (Update by RM: And, says Brian, he's happy to answer other BIOS questions as well.) So ask, already, and let's get things cleared up. (Usual Slashdot interview rules.)

The Open Web Application Security Project.

The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge-based documentation that help people secure web applications and web services. Much of the work is driven by discussions on the Web Application Security list at SecurityFocus.com. All software and documentation is released under the GNU public licenses.

Slashdot | Developers - Top 10 Vulnerabilities in Web Applications.

sverrehu writes "The Open Web Application Security Project (OWASP) has released a well-written document that is a must read for every web programmer out there. This security document is not about firewalls, encryption and patching. It's about common, highly exploitable errors made by the application programmers. Pick up your copy of "The Ten Most Critical Web Application Security Vulnerabilities" from the OWASP web site."

SILC Secure Internet Live Conferencing.

freshmeat.net: SILC 0.9.8 (Toolkit).

SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet. It can be used to send any kind of message, in addition to normal text messages. This includes multimedia messages like images, video, and audio streams. All messages in the SILC network are encrypted and authenticated, and messages can also be digitally signed. The SILC protocol supports AES, SHA-1, PKCS#1, PKCS#3, X.509, and OpenPGP, and is being developed in the IETF. The software is delivered as SILC Client for end users, SILC Server for system administrators, and SILC Toolkit for application developers.

Slashdot | Your Rights Online - A Lucid Explanation of Palladium.

buro9 writes "Last week on the WMTalk list a heated debate raged on the rights of a consumer to rip their DVDs locally for more convenient playback later. As the debate started to border on a flamewar, an anonymous user managed to give the most clear description of Palladium and its implications to us as both users and developers."

Auto-ID Center.

The Center is an industry-funded research program headquartered at the Massachusetts Institute of Technology in Cambridge, Massachusetts (USA) and at the Cambridge Institute for Manufacturing in Mill Lane, Cambridge. The Center is headed by Director Kevin Ashton and Prof. Sanjay Sarma at MIT and by Dr. Duncan McFarlane in Cambridge, England. Funded by corporate sponsorship, the Center is governed by two symbiotic sponsor groups. The Board of Overseers comprises end-user companies (businesses that will buy and use Auto-ID technologies) who guide the Center's research and oversee progress. The Technology Board is a forum for technology vendors (companies that will make and sell Auto-ID technologies) who provide expert advice to the Center's scientists and the Board of Overseers about the technologies and standards being proposed.

CNET NEWS.COM Perspectives By Declan McCullagh - RFID tags: Big Brother in small packages.

Could we be constantly tracked through our clothes, shoes or even our cash in the future?

I'm not talking about having a microchip surgically implanted beneath your skin, which is what Applied Digital Systems of Palm Beach, Fla., would like to do. Nor am I talking about John Poindexter's creepy Total Information Awareness spy-veillance system, which I wrote about last week.

Instead, in the future, we could be tracked because we'll be wearing, eating and carrying objects that are carefully designed to do so.

The generic name for this technology is RFID, which stands for radio frequency identification. RFID tags are minuscule microchips, which already have shrunk to half the size of a grain of sand. They listen for a radio query and respond by transmitting their unique ID code. Most RFID tags have no batteries: They use the power from the initial radio signal to transmit their response.

[ ... ]

You can imagine nightmare legal scenarios that don't involve the cops. Future divorce cases could involve one party seeking a subpoena for RFID logs--to prove that a spouse was in a certain location at a certain time. Future burglars could canvass alleys with RFID detectors, looking for RFID tags on discarded packaging that indicates expensive electronic gear is nearby. In all of these scenarios, the ability to remain anonymous is eroded.

Don't get me wrong. RFID tags are, on the whole, a useful development and a compelling technology. They permit retailers to slim inventory levels and reduce theft, which one industry group estimates at $50 billion a year. With RFID tags providing economic efficiencies for businesses, consumers likely will end up with more choices and lower prices. Besides, wouldn't it be handy to grab a few items from store shelves and simply walk out, with the purchase automatically debited from your (hopefully secure) RFID'd credit card?

The privacy threat comes when RFID tags remain active once you leave a store. That's the scenario that should raise alarms--and currently the RFID industry seems to be giving mixed signals about whether the tags will be disabled or left enabled by default.

In an interview with News.com last week, Gillette Vice President Dick Cantwell said that its RFID tags would be disabled at the cash register only if the consumer chooses to "opt out" and asks for the tags to be turned off. "The protocol for the tag is that it has built in opt-out function for the retailer, manufacturer, consumer," Cantwell said.

[ ... ]

If the tags stay active after they leave the store, the biggest privacy worries depend on the range of the RFID readers. There's a big difference between tags that can be read from an inch away compared to dozens or hundreds of feet away.

[ ... ]

But what about a more powerful RFID reader, created by criminals or police who don't mind violating FCC regulations? Eric Blossom, a veteran radio engineer, said it would not be difficult to build a beefier transmitter and a more sensitive receiver that would make the range far greater. "I don't see any problem building a sensitive receiver," Blossom said. "It's well-known technology, particularly if it's a specialty item where you're willing to spend five times as much."

Privacy worries also depend on the size of the tags. Matrics of Columbia, Md., said it has claimed the record for the smallest RFID tag, a flat square measuring 550 microns a side with an antenna that varies between half an inch long to four inches by four inches, depending on the application. Without an antenna, the RFID tag is about the size of a flake of pepper.

[ ... ]

To the credit of the people in the nascent RFID industry, these trials are allowing them to think through the privacy concerns. An MIT-affiliated standards group called the Auto-ID Center said in an e-mailed statement to News.com that they have "designed a kill feature to be built into every (RFID) tag. If consumers are concerned, the tags can be easily destroyed with an inexpensive reader. How this will be executed i.e. in the home or at point of sale is still being defined, and will be tested in the third phase of the field test."

If you care about privacy, now's your chance to let the industry know how you feel. (And, no, I'm not calling for new laws or regulations.) Tell them that RFID tags are perfectly acceptable inside stores to track pallets and crates, but that if retailers wish to use them on consumer goods, they should follow four voluntary guidelines.

First, consumers should be notified--a notice on a checkout receipt would work--when RFID tags are present in what they're buying. Second, RFID tags should be disabled by default at the checkout counter. Third, RFID tags should be placed on the product's packaging instead of on the product when possible. Fourth, RFID tags should be readily visible and easily removable.

Given RFID's potential for tracking your every move, is that too much to ask?

CNET NEWS.COM - Sun releases Liberty-enabled software.

Sun Microsystems will release new software Monday that takes advantage of the Liberty technology for simplifying the process of signing on to multiple Web sites.

Sun's Identity Server 6.0 software product is generally available now, and later this quarter will be available bundled with Sun hardware, said John Barco, senior product marketing manager for the Sun Open Network Environment (Sun ONE) software suite.

The Liberty Alliance Project is working on a software standard that permits "single sign-on," in which a person who logs on to one Web site doesn't have to re-enter a username and password for an affiliated site. The technology is based on Security Assertion Markup Language (SAML), which handles single sign-on chores, with enhancements for tasks such as setting up ways for two Web sites to register a single person.

Wired News - Hitting P2P Users Where It Hurts.

Overpeer's name doesn't call up images of Big Brother for nothing. Entertainment companies hire the tech startup to stamp out online file swapping by degrading content on peer-to-peer networks. But some say P2P users can always find a workaround.

Conflict News from Wired News - Wanted: What's His Name Again?

For U.S. intelligence agencies, the varied spellings of foreign names that sound similar make it difficult to maintain accurate terrorist watch lists. Name-matching technology is helping make sense of the alphabet soup.


© copyright 1997-2003 by Paul Hardwick. All rights reserved.
All trademarks are the property of their respective owners.
Modified: 1/13/03; 6:19:47 PM
Built: 3/2/03; 12:15:29 AM
URL for current page: http://www.PrivacyDigest.com/2003/01/13
