Wired News: Monster.com Warns About ID Theft

Internet job board Monster.com, acknowledging a growing problem for online career sites, is e-mailing millions of job seekers, warning that fake listings are being used to gather and steal personal information.

Analysis: McNealy dumps Tux, gets serious

For example, Sun sells a type of thin client called Sun Ray that replaces a desktop PC with a quiet skeleton of a computer that connects to a server. Users can insert a smart card into the machine and access all their files no matter where they are in the world. This type of computing could be blissful for travelers who can reach their files in a hotel by carrying a card in a wallet instead of lugging around a laptop, according to McNealy.

Hey, look! An identity-centric computing system.

Novell posts loss, forgoes forecast

Novell, which competes with such industry heavy-weights as Microsoft Corp. and International Business Machines Corp. , said it saw its newer identity management and secure Web services offerings grow 37 percent while more traditional networking products continued to decline.

DOD spy database funding revealed

The U.S. Defense Department has awarded millions of dollars to more than two-dozen research projects that involve a controversial data-mining project aimed at compiling electronic dossiers on Americans.

CNET News.com
From the Vice Chairman, Office of the CEO:

Secure identity management in essence is a directory, secure login, provisioning software, authorization and authentication--all the security and identity-related software that we've been building for years. And if you remember a few years ago, when I was running around talking about directories, everyone said, "That's great, Chris, but what the heck do you do with it?" Well we figured it out. Identity management is probably the biggest problem in any large enterprise today.

VeriSign, RSA in court over SSL | CNET News.com

Leon Stambler, 74, is seeking more than $20 million in damages in a trial that began in the federal district court in Wilmington, Del., after settling similar claims with other companies.

This storyindicates that the government will soon be testing a shipping container RFID system that is satellite driven to track container opening/closing anywhere in the world in real time. This makes it possible to address the issue of container security by checking every container on every ship and in every port regularly, something which is clearly infeasible today (estimates are that a maximum of 2% of containers are inspected even at port entry.)

If the opening of a container anywhere in the world at any time of day was part of its log, many security issues (such as putting people or weapons in containers to smuggle them into a country) become nearly impossible. Costs today are $400 per container and $7.50 to $15/mo for network and satellite service fees depending on how many times per day the container is checked. If governments begin to legislate this type of device and network for security purposes, those costs would drop rapidly.

The ACLU sent out email that revealed the addresses of all recipients just weeks after it had already been warned by New York Attorney General Elliott SPitzer about just such behavior and paid a $10,000 fine.

This "gotcha" article (dabbling in Schadenfraude because it happened to the ACLU) does indicate that simply reacting to privacy issues emotionally is no substitute for actually trying to solve the underlying issues...

Speaking at the Instant Messaging Planet Spring 2003 Conference, Microsoft product unit manager David Gurle said, "IM has an identity crisis", because of the current status of namespace, which often connects people via aliases rather than their true names or identities within a corporation.

The key item here is that Gurle said IM needs a scenario where individuals and companies control their namespace and have authentication of these identities. But for this to happen, separate IM and presence networks must work together. Microsoft's Greenwich IM release (Q3 2003) will have a federated approach, however Gurle is honest enough to say "But we know this won't scale." And that it would be an "ID nightmare" to give access to numerous partners and customers using the Greenwich federation methods.

That Microsoft clearly still sees identity federation in a centralized sense is revealed by Gurle's comment that "If we don't get a clearinghouse infrastructure, we are never going to get past presence and IM."

Also Gurle's plaintive remark "Current service providers are struggling with their business model, offering all sorts of networks, but what is their soul" seems to me to reveal most about where Microsoft is on understanding identity. Historically they don't stay in such positions for very long...

Call it an educated guess:

MS's Trustbridge is a SAML based, identity federation system....as Microsoft steps away from Kerberos.

You hear it here first.

Jon Udell: Ari Pernick on HTTP kernelization in Windows Server 2003

I'd say the cat's most of the way out of the bag already. Public information is, well, public. Is it it even theoretically possible to stuff the cat back into the bag? I don't see how we can legislate practical obscurity back into existence.

ICANNWatch | ENUM: Bad For Privacy, or Very Bad For Privacy?

DNS, as used by ENUM, is a global, distributed database. Thus any information stored there is visible to anyone anonymously. Whilst this is not qualitatively different from publication in a Telephone Directory, it does open the data subject to having "their" information collected automatically without any indication that this has been done or by whom.

ZDNet: Story: Why we must stop the plot to ban encryption
A couple of points, but first the quote:

THIS IS NOT the first--nor, I expect, the last--time that the U.S. government has sought to regulate the use of encryption. But I believe we must oppose any attempts--backdoor or otherwise--to restrict or ban its use. Encryption is a basic element of our right to online privacy and, as such, must be protected.

1. I agree that citizens should have some reasonable level of encryption. The idea of outlawing ALL encryption is not only ludicrous; it wouldn't work. That said, I haven't looked at the legislation referred to -- so I'm not sure that a total outlaw is actually called for.

2. Bruce Schneier (encryption guru) recently made a great point: its not about encryption of data, its about authentication of the point that's sending the data.

3. As for the "right to online privacy": I'm going to start attacking this one hard (cuz no one else is)......basically, it breaks down as follows....

A) The 4th amendment outlines what the supreme court recognizes as the "right to be let alone" -- but the SC simultaneously calls the right to privacy a "deriviative right" (ie, not "fundamental" like free speech).

B) IF we're extending constitutional rights to online, then privacy is not even necessarily fundamental.

C) IF we're *not* extending constitutional rights to online, then i'm wondering where this "right to online privacy" is coming from. Is there the right to expect certain "reasonable" limitations on privacy? I think so.

yeah, i know -- eric, the big mean guy.

A Radio Chip in Every Consumer Product

And, yes, Procter & Gamble will notice if a case of Pantene shampoo does not make it to the Wal-mart Supercenter in Broken Arrow, Okla. Its truck is equipped to monitor signals continuously from chips hidden in each case. If any case stops sending its "Hi, I'm still here" signal, a monitor in the "smart truck" will record exactly when and where.

The Liberty Alliance has published a White Paper (15 page PDF) about interoperability of Liberty with 3rd Party Identity Systems. Specifically, it talks about possible Liberty interactions with Passport, PingID, 3D-Secure, and Shibboleth.

This paper is useful not only for its express purpose of showing how Liberty might interoperate with these other systems, but also for its clear description and discussion of how these other systems are architected. It is a useful study piece for anyone who wants to understand different approaches to identity infrastructure that have resulted from different missions and customer universes.

We can also hope that those who still haven't gotten past the "Liberty vs. Passport" template might learn from this white paper why that is the wrong question...

News: Web services: Nervous about security
This article talks about "security" as the necessary step to widespread web services deployment -- a premise that is necessarily a digital identity one.

Interestingly, the article calls RSA Security a "trust specialist." I wonder if that is new positioning from RSA or something out of the journalist's mouth.

Amex hit by card break-in, too

American Express card holders were exposed during the same computer break-in which hit millions of Visa and MasterCard members, the company said Tuesday. Overall, 8 million accounts were said put at risk by the hack into a third-party credit card processing system, but with no outbreak of fraud, the companies said they were hopeful the account information had not actually been stolen. Separately, Discover said that its users were also recently exposed by a computer hack, but would not confirm it was the same incident.

Phoenix targets security, ease of use | CNET News.com
Just a thought: Is DRM (in its current form of hardware/OS based initiatives) the last dying gasp of trying to make location a proxy for identity???

More from our editors
Just came across this great article from Esther Dyson....in its she's writing about technology in the year 2023....quoting:

U.S. rules on anonymity/identity upheld -- to be tested by Supremes? The local court in Sudsbury, West Carolina, has ruled that requiring biometric ID from anyone entering this rural county isn't an infringement of civil liberties. Reason: Access to the county isn't an "essential facility." Beleagured Supreme Court Justice Larry Lessig breaks protocol and denounces the decision. Appointed during the Hillary Clinton administration, Lessig is already under pressure to resign because of his previous statements about the extension of copyright protection to the life of the creator, plus 125 years.

;-)

Perspective: Closer to a national ID plan? | CNET News.com
never met Declan -- and I admit that I find some of his articles very informative. But I find an equal amount to be about little more than fear-mongering. I place this one in that category.

Passport and Liberty: A Match Made in Heaven?
hmmm....i think this is a long ways off -- but surely coming. After all, do we really want the universe divided into Liberty and Passport? I didn't think so.

Wired News: New Privacy Menace: Cell Phones?
The larger context for digital identity is the social transformation that is occurring. For more on the problems that are raised by ubiquitous cameras, computing, etc -- see David Brin's "The Transparent Society" -- highly recommended.

A $55,000 Net scam warning

But plenty of victims are being hurt by a combination of auction fraud and fake escrow sites. In December, MSNBC.com revealed that a single fake escrow site had probably netted well over $1 million from victims like Lachot. And at any given time, about 20 fake escrow sites are operating, according to Paul Moreau, who runs a Web site devoted to exposing fake escrow sites called SOS4auctions.com.

Government Executive Magazine - 2/11/03 Funding delays stall expansion of online identification

U.S. military expands radio-wave tracking | CNET News.com

Strong national standard vs. ID theft

InformationWeek > Security > Slow Acceptance For Biometrics > February 6, 2003

ZDNet: Story: How we can stop identity theft--for good

New laws put new rules on ID management - Computerworld

ID theft victims get little help

In this article the "Security Market" is expected to double to $45 billion by 2006 according to IDC. What I find interesting is the following from IDC analyst Brian Burke:

''They're starting to understand that firewalls aren't enough anymore. They're adopting a layered approach, protecting mail servers and file servers, and installing antivirus protection at the gateway. They're looking at protection on each layer.''

In other words, they know firewalls aren't working, so they are trying firewalls in different places!

Ok, I'm going to vent my frustration with the mainstream security viewpoint... There's a definition of insanity - about doing something that doesn't work over and over again - that comes into play here. When will "they" figure out that without digital identity this is a losing battle?

Networks destroy location as a proxy for identity. Security can only be restored by restoring identity. And time for building Maginot Lines, saying "they shall not pass" and falsely thinking that will keep networks safe is rapidly running out...

Identix has received a DoD purchase order for a 5.4 Million User License for it's BioEngine fingerprint technology.

The DOD is using Identix's BioEngine in conjunction with Identix DFR(R) 2080 single fingerprint readers to capture and enroll the biometric fingerprint templates of new DOD personnel prior to issuance of identity cards, as well as to verify the identity of current DOD personnel before re-issuance of their RAPIDS and/or Common Access Card (CAC).

Defense Manpower Data Center Director Kenneth C. Scheflen said, "We are committed to deploying biometrics as a key aspect of identity management within the Department of Defense. The ability to verify and identify our personnel with Identix' latest state-of-the-art fingerprint technology will enable us to take the next steps toward implementing heightened security measures via biometrics through securing physical and logical access for and within our facilities worldwide."

Computerworld journalist Dan Verton writes today about an internet terrorist hoax that he was drawn into while researching the Slammer virus. It's a fascinating story of how another journalist, Brian McWilliams, created a fake Pakistani terrorist site to gain information about terrorists first hand.

The part that applies here is that McWilliams could do what he did because "the Internet gives those who want to spread misinformation a big advantage. It's so easy to conceal ... the ownership of a domain." Verton, along with journalists in India, several computer security firms and even law enforcement experts, couldn't see through McWilliams' hoax.

Anonymity, like nearly everything else, is a two-edged sword, just like digital identity. Building cyberspace to allow people to use it to productive and rewarding ends, will require understanding the subtle but important effects of both identity and its absence.

This article shows that its not just individuals who can be a victim of identity theft. While we don't think of it as often, companies can have their identities stolen and used criminally too. And their reputations are damaged just as an individual's is.

In this case, a thief is trafficking in Microsoft's identity to take money from its customers by posing as "Microsoft Tech Support." The use of email to fake the identity doesn't change the fact that this is ID theft. And they are properly calling in the police to deal with the crime..

GAO flags smart card challenges

Although 18 agencies have launched projects using smart cards to identify people or control access to buildings and systems, the technology remains difficult to implement and is gaining traction slowly, according to a General Accounting Office report.

Bush's database faces privacy, not technical, concerns

19 Charged in Identity Theft That Netted $7 Million in Tax Refunds

An interesting article on WS-I - even if it is infected by News.com's relentless desire to focus on infighting. It indicates that WS-I plans to begin seriously looking at WS-Security interoperability starting in March. This will be a large task, but it is critical to get the "identity pipes" working for Web Services to move beyond the firewall.

Groove Networks ships version 2.5 which has the ability to use SOAP for interlinking. Microsoft owns 19% of Groove, and this version allows Groove to integrate with Outlook, Office, and Sharepoint much better as well.

Groove, founded by Lotus Notes creator Ray Ozzie, has been finding its way towards digital identity through a unique path with a focus on collaboration on work. This path has illuminated many issues and created some novel solutions. Its integration with Web Services, which is what this release is a step towards, will be interesting to watch...

eBay account hijacked, bidders bilked in 'rampant' fraud - smh.com.au

"They've got a great system but they didn't think to install a security system that is usable in an emergency," he said. "My identity was stolen and people lost a lot of money."

News: Wall Street gets a taste of Liberty

Since 1999, about 22,000 customers of Merrill Lynch, Morgan Stanley, Goldman Sachs and other Wall Street firms have been using a service called SecuritiesHub from White Plains, N.Y.-based Communicator. SecuritiesHub, based on Communicator's Hub ID service, now has been retrofitted with the authentication standards from the Liberty Alliance Project.

ZDNet |UK| - News - Story - Survey gives thumbs-up to ID cards

Four out of five UK citizens are in favour of the introduction of entitlement cards, including the use of biometrics, according to a survey published on Thursday.

Gates predicts boom, but warns on privacy - smh.com.au
Bill says a tech driven economic recovery will happen at the end of the decade, but that "privacy concerns" are holding it back...

RFID is about to explode

Converging on identity