Saturday, April 30, 2005

Feds Rethinking Passport Chip Encryption


Wireless World: Rethinking passport chips - (United Press International) in this story by Gene J. Koprowski at the Washington Times. At least the feds are realizing, after hearing from 2400 groups and individuals, that unencrypted RFID tags in passports are a stupid idea and endanger any American citizen traveling abroad. They are now considering encryption of the data stored and broadcast by those chips that are coming by late 2005 or early 2006 to all new passports issued.

posted by RealitySEO at 11:22 AM 0 comments

California Privacy Bill Restricts RFID


Wired News article on a California Bill to Limit RFID in state identification documents such as driver licenses, student ID cards, medical cards and employee ID cards. The bill as introduced would also outlaw the practice of "Skimming" ID cards with RFID readers used surreptitiously by bad guys seeking to either identify people without their knowledge or to clone their badges for unauthorized or nefarious uses.

I'm very happy to see this bill introduced and making progress. As is so often said, and demonstrated in major cases - "Where goes California, there goes the nation." In which case, we'd see this implemented across the US. The only holdouts would be Texas and Florida, where BushCo rules.

This bill was drafted by the ACLU of Northern California, the Electronic Frontier Foundation and the Privacy Rights Clearinghouse. Thank you for that work to protect privacy and security.

posted by RealitySEO at 10:51 AM 0 comments

Friday, April 29, 2005

ID Stolen? You Cannot Fly


USATODAY.com - Just who do you think you are, without ID? This USA Today story shows the first signs of why we must always have a photo ID when traveling and if you lose it to thieves or even forgetfulness, you can't even go home. You are in the airport, a pickpocket or sneaky thief steals your wallet or purse and now you have no money, no credit cards, no ID - and you can't go home again if out of town! The airlines will NOT allow you on a plane, even if you are ticketed - unless you have a police report to show them that "Proves" your photo ID was stolen. Proof that terrorism has stopped us from traveling freely within our own country. Hold on to that purse or wallet as if your life depended on it. I imagine that this problem will lead to people carrying multiple photo IDs in separate places - one in a wallet or purse and another in a pocket or briefcase. THAT will make us less secure as it allows a thief to use our ID freely while we go home using the second ID.

posted by RealitySEO at 9:50 AM 0 comments

Wednesday, April 27, 2005

Privacy Nuts, Chill Out - Forbes.com


Privacy Nuts, Chill Out - Forbes.com by Arik Hesseldahl. Presents a haughty attitude over privacy concerns expressed by un-named "Privacy Nuts" about Google's beta test of "My Search History" in which Google saves searches you've made once you sign up for the service. I'm bothered by Hesseldahl's assumption that those advocating for privacy are "Nuts" and that all privacy advocates are extremists opposing anything at all that offers tracking or history.

He points out that Google got flak after announcements that their Gmail service would see ads based on the text of their email messages beside the emails you read on the web. As a privacy advocate myself, I have no trouble at all with either this new "My Search History" or the Gmail service showing ads beside my email.

Also, as Hesseldahl points out, Google founders base their business decisions around the motto, "Don't Be Evil" and they have so far kept to that and deserve, if not our complete trust, then at least a lack of fear.


posted by RealitySEO at 10:08 AM 0 comments

Tuesday, April 26, 2005

Financial Privacy: Your Money Scrutinized


Your Money Under More Scrutiny: This Wired News article discusses anti-money laundering software being adopted by major banks and while we'd all like for bad guys who need to launder money to be caught with their dirty money, the effect of the software is to monitor banking activity over a much broader range than just bad guys.

Banks will be contacting depositors more often asking why this amount went to that person or organization, flagging certain patterns of banking activity as "Suspicious" and generally rooting about in our financial lives. While those with sufficient funds and large enough transactions to trigger alarms with anti-money laundering software are limited, many will see their banking activity closely monitored based on things like airline travel purchases and online payments through debit cards.

The software apparently builds profiles on bank customers based on periodicity of deposits and sources of those deposits; it will no doubt be busily building profiles on innocent depositors who simply don't fit the norm. Freelancing professionals receiving payments from widely ranging sources and for dramatically different amounts could be seen as terrorists by software trained to look for such things as irregular income and varying vendors.

Expect to be questioned by fed goons if you are not "normal" in your banking patterns.

posted by RealitySEO at 11:06 AM 0 comments

Monday, April 25, 2005

Florida Son of Matrix by Seisint


Florida Planning Son of Matrix, supposedly to gather information on potential terrorists. The program died when it ran out of funding and many states planning to participate pulled out of the project due to concerns about privacy and civil liberties. But now Florida is reviving Matrix (Multistate Anti-Terrorism Information Exchange) and is encouraging other states to join them in the privacy destructive scheme.

It's nearly incomprehensible that this project is being revived and can be counted as proof of the value of the sales force at Seisint and Lexis/Nexis, those who can't protect the data they already have and want to build even bigger databases as targets to hackers and identity thieves. Great idea.

Then Seisint can promote Matrix to all fifty states so that we have a de facto Total Information Awareness System like the one that was defeated by Congress. But it will be controlled by a commercial company that will then act in the interest of profit, rather than security and safety. Great idea.

posted by RealitySEO at 1:19 PM 0 comments

Sunday, April 24, 2005

Privacy Dangers to Job Seekers


Privacy watchdog warns job seekers to beware according to this Security Focus story at The Register.com. The issue appears to be that publicly posted resumes at job sites are mined for personal information to be sold to background check sites.

So now all job sites will no doubt lock down resumes and make certain that they are not liable to job seekers' claims of losing personal information to identity thieves. Look for every site posting resumes publicly to shriek in panic and pull back to put those formerly public resumes behind encrypted and password protected sections of job sites.

Seems a rather obvious problem in hindsight. Where there is money to be made with publicly posted information, unethical bad guys will find a way to extract a buck from unsuspecting and naive job seekers (and every other person of the same ilk.)

Time to retreat from openness and honesty and move toward suspicion and alert awareness for self-protection in every possible public forum.

posted by RealitySEO at 10:12 PM 0 comments

Saturday, April 23, 2005

Lawmakers target identity theft


Lawmakers take aim at identity theft in Texas according to this Austin newspaper story. This article outlines the explosion of consumer protection laws regarding privacy, identity theft concerns and issues regarding data loss by corporations that maintain sensitive information on consumers. This can only grow in the near future and will inevitably lead to national laws and an explosion of class action lawsuits against data aggregators with access to personal and private information on consumers.

posted by RealitySEO at 1:22 PM 0 comments

Thursday, April 21, 2005

DSW Hacked Debit Cards Exposed to Identity Theft


DSW Privacy: Waiting for the other shoe to drop. This just can't continue at this rate without HUGE consumer backlash. Top story on the evening news tonight was this data loss to thieves who stole 1.4 million debit card transactions plus several thousand check transactions covering 25 states for Discount Shoe Warehouse. If this story follows the other recent data losses, we'll see them revise the cards compromised numbers upwards within the week.

posted by RealitySEO at 11:09 PM 0 comments

Latest Data Losses, Hacks, Thefts



  • Boston College fund-raising computer hacked. Personal data, including Social Security Numbers of 120,000 alumni compromised.
  • California State University food service and housing computer bares SSNs of 59,000 students, faculty, and staff.
  • ChoicePoint sold private data of 145,000 people to identity theft ring.
  • Bank of America theft of data tapes containing credit card records of 1,000,000 US government employees (including Senators).
  • UC, Berkeley laptop containing SSNs of 98,000 grad students and applicants lost.
  • Tufts University server broken into exposing 106,000 alumni and donors.
  • LexisNexis databases accessed 59 times using stolen passwords, exposing 310,000 people.

posted by RealitySEO at 11:30 AM 0 comments

Wednesday, April 20, 2005

ChoicePoint, LexisNexis raided many times


ChoicePoint, LexisNexis raided many times according to this story at TheRegister.com. Lexis/Nexis have now denied that they knew about the previous breaches since they just recently purchased Seisint.

But that doesn't allow previous company actions off the hook, just because the current parent company was not aware of those previous breaches. Someone had to know at the time of the breaches or they wouldn't be finding them now. It is common for hacking attacks to go unreported to avoid exactly this type of public furor.

The California disclosure laws are the only reason the many security breaches are coming to light and now that Congress has its claws in the issue, we'll definitely see legislation requiring nationwide disclosure of data breaches due to hacking or criminal activity within

posted by RealitySEO at 5:37 PM 0 comments

IRS security flaws expose taxpayers GAO


IRS security flaws expose taxpayer data to snooping, GAO finds. This Reuters news story was posted on April 18, three days AFTER the US deadline for filing taxes. Very little has been publicized about this serious financial privacy leak by the IRS. Since law enforcement has access to financial data and must certainly know it since the story broke publicly, they may be using the information to illegally probe financial records of suspects and possibly others.

Police corruption may not play a large role in data security, but can bad cops or unethical federal law enforcement officers be ruled out as a possible source of the next big privacy and identity theft loss? If it isn't discovered and openly discussed, is it going on anyway and covered up or hushed up?

posted by RealitySEO at 2:18 PM 0 comments

ChoicePoint Sued Eleven Times Before


Not the first time for ChoicePoint which has apparently been sued 11 times prior to the February 15th admission that it sold information compromising financial data of up to 145,000 consumers to an identity theft ring. This Atlanta Business Journal article by Justin Rubner discusses the ChoicePoint legal woes in Georgia, where they are based.

posted by RealitySEO at 11:58 AM 0 comments

Privacy: Your life exposed


Business: Your life exposed Great article by Dave Gussow of the St. Petersburg Times in Florida, which discusses the data mining and selling industry and Choicepoint in particular. People are fed up with identity theft and with their personal financial and medical information being compromised by data brokers like Choicepoint, Lexis/Nexis, Bank of America, The Nevada Department of Motor Vehicles and dozens of other recently reported losses of data. The losses come about through multiple methods, from insiders selling information, as in a recent banking customer service outsourcing firm Mphasis in India to so-called legitimate customers of data brokers BUYING information from Choicepoint to computer theft as in the Nevada DMV case, to simple inept "loss" of backup tapes as in the Bank of America case.

The fact is that larger and larger losses are becoming common and exposing more and more people to problems as difficult and painful as identity theft or as simple as a loss of personal privacy. Accountability for companies handling that data and profiting from its use, sale or storage is mandatory. Whether accomplished through legislation or legal remedies - data aggregators must be held accountable for losses to the full extent of monetary suffering of identity theft victims at the hands of crooks - and not just "free credit report monitoring" as offered by Choicepoint. Even the simple loss of privacy to those who suffer lifestyle damage when their private information is exposed to the world by careless data storage and loss should see some compensation. This will force those handling all sensitive personal information to guard that data as though it could hurt them as badly as those whose information is compromised or lost.

The Federal Trade Commission estimates annual identity theft losses above $50-billion, with 10-million victims yearly. That is too much. It must be stopped.

posted by RealitySEO at 11:03 AM 0 comments

Choicepoint Resource Blog Page


Choicepoint Archives from Adam Shostack on security, privacy, and economics. This blog covers the extensive developments over the monstrous ChoicePoint data loss and the ramifications.

posted by RealitySEO at 10:24 AM 0 comments

Tuesday, April 19, 2005

ID theft, new laws boost shredders


ID theft, new laws boost shredders, meaning commercial services that offer large scale document destruction to businesses. But I've also often wondered about the increase of business to the makers of home shredding machines, which I've used for years and replaced several times.

I'm glad to see that privacy is increasing the bottom line of some companies, instead of simply eliciting moans and groans about compliance costs by other companies. Capitalizing on privacy compliance issues is something I'm happy to see is increasing. Hospitals must destroy paper documents to protect consumer health privacy and financial institutions must destroy paper documents to protect consumer banking, insurance and loan privacy. Hooray.

posted by RealitySEO at 4:02 PM 0 comments

Forget Phishing - Bank Employees Will Rob You


Indian call center staff in $350,000 Citibank theft are likely to absolutely kill offshoring by financial institutions. When you trust your bank to hire employees who won't compromise your financial information, it appears that trust cannot be outsourced. Banks may be one of the first to lose customer trust and suffer a backlash against India call centers because customers were tricked by those bank representatives who belonged to a gang of goons who robbed them blind.

Of course, there is no reason to believe that US call center employees, often paid poorly and pushed relentlessly, will be any more honest or less likely to be lured into criminal activity through their jobs. They have access to customers who must trust them and reveal personal information to access their account information over the phone. They can easily trick customers into revealing PIN numbers and use that to steal from them, and as these Indian call center employees did, funnel their money into other accounts.

It will only take a few incidents like this to make banks stop using foreign call centers in an effort to save money, but when it happens at home, with local employees - we may see serious background checks required and higher pay for those employees to keep them honest. There truly is no free lunch for business. The outsourcing backlash has now hit home for banking.

posted by RealitySEO at 10:39 AM 0 comments

Surveillance cameras survey all life


Surveillance cameras survey all parts of daily life according to this USA Today story. Justified by the terrorist attacks of September 2001, unblinking video camera lenses seem to now stare at us from nearly every public place. It keeps some people from being themselves in public because they know they are being watched. If you act silly or playful under a security camera, your actions can be misinterpreted as sinister or even criminal.

The creepy part is that many surveillance cameras operated by public agencies are being networked for wide access by law enforcement and government officials, fed into facial recognition software to scan for known bad guys and archived for future use. It isn't beyond the limit of imagination that innocents could be erroneously connected to criminal activity because they were in a public place at the same time bad guys pass by. Assuming the bad guys can even be identified from the cameras in the first place.

Even most detectives in crime dramas seen in current popular entertainment seem to first resort to surveillance camera footage. Even though fictional and silly supposed "enhancement" technology is absurd beyond belief, the idea that video footage can solve a crime is foolish. That footage may show what happened, but not whodunnit (reliably).

Most of us feel offended if a human in a public place stares at us for any length of time. The fact that most of us DON'T feel offended when video cameras do the same is just strange. You can't avoid those cameras in public places (and even more creepy, in some private places) but the fact that we accept them so easily - without protest - is just sad.

posted by RealitySEO at 9:46 AM 0 comments

Monday, April 18, 2005

RFID Tagging Consumer Goods Cradle to Grave


Wired News: Time to Buy a New Shirt, Dave suggests this linked story headline referencing Hal, the computer, and Dave the Astronaut in 2001: A Space Odyssey. The story discusses how product manufacturers want to encourage consumers to feel good about RFID tagging of consumer goods, keep those tags intact on products after purchase and allow internet "Silent Commerce" to help us know when to replace our products. This will supposedly be done through internet connected devices throughout our homes, from refrigerator to closets. Judas! This is getting creepy! Are these guys actually serious?

posted by RealitySEO at 2:29 PM 0 comments

Wednesday, April 13, 2005


First ChoicePoint, Now Lexis-Nexis - Your Identity Is For Sale

A few weeks ago when news of the ChoicePoint data-warehouse compromise broke, I wrote an article called "Identity Protection Is Up To You" (http://www.cafeid.com/art-choice.shtml). I suggested that the story that emerged was misleading in the way the central problem was framed to deflect criticism away from ChoicePoint and onto some shadowy group of people taking advantage of the gee-whiz high-tech Internet to defraud an upstanding corporate citizen and the people that corporation "serves". But the problem seems to be that your personal identity is for sale, and the problem is that you have no idea who's buying.

This week, it's information giant Lexis-Nexis, a division of an Anglo-Dutch publishing concern called Reed Elsevier, increasing its estimate of the number of potential victims (ten-fold, from 32,000 to 310,000). Once again, the security breach that led to the "misappropriation" of customers' names, addresses, Social Security numbers and driver's license information was human, rather than technical in nature. CNN reported that the thieves were able to fool the company into giving them working passwords on 59 occasions. This is "social engineering" at its finest, and it shows that it doesn't matter how much a company spends securing its network when its employees are able to be cajoled into giving out the passwords.

What's going on here?

ChoicePoint and Lexis-Nexis have several things in common: Both companies purchased existing companies that experienced these security breaches prior to their purchase. Both security breaches were the result of social engineering rather than computer hacking. Both companies were performing well financially dealing in the lucrative sale of this data. And, perhaps most interestingly, both of the companies that were purchased were previously founded by the same man, Hank Asher, a wealthy Boca Raton, FL business man and technophile who also became a government informant after being identified as an unindicted co-conspirator in a cocaine smuggling scheme.

One company he founded, DBT Online, Inc., the subsidiary of ChoicePoint whose data was compromised, was also the company hired to purge Florida's voter rolls of "ineligible" voters prior to the infamous 2000 election. The other, Seisint (the one purchased recently by Lexis-Nexis) was the company hired to architect the incredibly-named MATRIX (the Multi-State Anti-Terrorism Information Exchange), a secretive project funded largely by the federal government to do data mining in the name of national security. Seisint was the victim of the most recent massive database-compromise scandal. Check this link for more information on this project: http://www.aclu.org/Privacy/Privacy.cfm?ID=14894&c=130

This should give you pause even without taking the conspiracy theories into account (and there are some wild ones out there). This is far-reaching information and these companies are trusted by our government, by us, to get it right; and confidence men are able to get at this information out the back door while computer experts are busy boarding up the front to keep out the very people whose lives' details fill these databases.

What should you do?

With each of these news stories that breaks, it's becoming more evident that there's little you can do to protect your data. You no longer own it once it's in the databases of these companies, and you're dependent upon human beings to guard it, or at the very least not give out the passwords. There weren't that many points of vulnerability. Only a handful of Seisint employees, as few as 15, overseen by Florida state police, were responsible for maintaining records in the company's database.

The first thing you should do is write your representatives in government to demand oversight and accountability of these private concerns in whom so much trust is placed. Write a real letter, on paper, seal it in an envelope and put it in the mail to your state and Federal representatives. Go to http://www.vote-smart.org and type your 9-digit ZIP code into the search box on the left in order to find detailed information, including contact addresses, for all your representatives. If you don't know your 9-digit ZIP code, you can find it by entering your address at http://www.usps.com/zip4

The next thing you should do is determine a way to keep an eye on your credit reports, since these are usually the first indicators of identity theft. New laws have been passed requiring each of the three major credit reporting agencies to provide you with a free copy of your report each year. This is only possible through a single website - http://www.annualcreditreport.com or by calling 877-322-8228 or writing Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. You'll need to supply your name, address, Social Security number and date of birth, and if you've moved recently, a previous address.

The law requiring this service allows you to request your reports all at once or to stagger them, ordering one at a time throughout the year. We recommend this course, as it will allow you to view activity every four months and locate potential trouble sooner. This is all detailed at the Federal Trade Commission website at http://www.ftc.gov. The Electronic Privacy Information Center also maintains a valuable resource at http://www.epic.org.

Your Social Security number is a powerful entity, and you should take care to protect it. It has become a de facto universal identification number, used by financial and educational institutions among others on whom the idea that the number is not meant to be used as identification is lost. When asked to provide the number, always ask if the number is really required and when the eyes of the person you're asking glaze over, if there is an alternative number you can use.

Most people feel compelled to provide accurate information when filling out forms requesting personal information; but unless the information is truly required (i.e. they need a real address to deliver your order or your street address needs to match your file to make a credit card purchase) there's no real need to feed the beast.

In general, if you're receiving something for money, you should fill out the information accurately because there may be legal issues involved. For example, if you were registering your domain name at our website at cafeid.com, your contact information needs to be correct by law; but, on the other hand, there's no need to give out your real address to sign up to read an online newspaper article (at least one website, http://www.bugmenot.com, even makes it easy to use phony information!) The idea is that you should know who is asking for your personal information and why they need it before you hand it over.

Therein lies the biggest problem with these private information clearinghouses, and the one thing that will eventually bring about reform. The fact is that you cannot know what the company knows about you without becoming a customer (if that's even possible or affordable), but a skillful social engineer could pay Seisint a quarter ($0.25) for a basic report once they've finagled a password out of a gullible employee.

The credit reporting agencies played this game as long as they could and had to be forced to provide you with your credit information for free. You still have to pay if you're in the East or South! But the only solution to this ongoing and growing problem is a complete overhaul in the laws that allow these companies to collect and sell your personal information without protecting and informing you in the process. Millions of government dollars and reliance upon this information by the government itself is a good deal of inertia to overcome; but it has to start somewhere. Grab a pen.

-----

About the Author

Trevor Bauknight is a web designer and writer with over 15 years of experience on the Internet. He specializes in the creation and maintenance of business and personal identity online and can be reached at trevor@tryid.com. Stop by http://www.cafeid.com for a free tryout of the revolutionary SiteBuildingSystem and check out our Flash-based website and IMAP e-mail hosting solutions, complete with live support.


posted by RealitySEO at 7:07 PM 0 comments

Bush Admin demands banking data



Bush Admin demands more banking data
The furor over Total Information Awareness (TIA) proposals died away after Congress smacked down the creepy plan proposed after the 2001 terrorist attacks. But Bushco is slowly building it anyway, piece by piece of data that was outlawed as a package, but is being approved as single regulations. This linked story points out how a national ID in the form of RFID driver licenses and the CAPPS II airline data mining info is being combined with retail privacy invaders like ChoicePoint to create a back-door Total Information Awareness system bit by bit and behind the public's back.

posted by RealitySEO at 10:40 AM 0 comments

Recording VOIP Calls Easy


VOIP Makes Recording Calls A Snap according to this Forbes magazine story. With only a couple of passing references to privacy concerns, writer David M. Ewalt mentions how simple recording data packets is and how cheap storage of data is. He points to software that makes it easy and asks us to remember the ubiquitous "this call may be recorded for quality assurance" message you often get when speaking to support or billing at major company call centers.

So it's easy and cheap and possible with readily available software and now being discussed in the country's premier business magazine! Hmmm. Think any companies are recording every word ever said on their phone lines and archiving it for posterity? Think it's possible to link to other customer information, billing history, complaints, service calls, refund requests and generally any customer contact over a lifetime?

Think again. We'll soon see companies offering to sell us our life story transcripts before long - gathered from all business records, public records and eventually personal records. All on your very own permanent memory book that fits on the head of a pin. Tomorrow's sci-fi is not that far away. Privacy is dead and continues being battered and beaten. Ah well.

posted by RealitySEO at 9:07 AM 0 comments

Monday, April 04, 2005

Cookies and PIE - Flash Security Introduction


Cookies and PIE - An Introduction to Flash Security

by Trevor Bauknight © April 2005

Web-enabled consumers are tossing their cookies in greater numbers; and although this phenomenon is related to the stomach-churning activities of some Internet marketers and their offerings, it has more to do with taking back control of their Web browsing, and less to do with violent physiological reactions to bad snack food.

JupiterResearch reported that 58% of Internet users have deleted their cookies in the last year, and that 39% of consumers are deleting them monthly from their primary computers. And while I find these numbers suspect, the increased awareness and use of anti-malware software tools, which sometimes identify cookies as problematic, may be contributing heavily to the trend. So maybe the numbers are accurate, even if consumers are deleting cookies unwittingly.

Last week brought news (see http://www.internetweek.com/showArticle.jhtml?articleID=160400749) that a New York company called United Virtualities has begun offering technology that allows Internet marketers to undermine the increasing number of Internet-savvy consumers concerned enough about their privacy to take control of cookies, the little bits of text left behind by some websites to track your visits and preferences. They're offering PIE as a substitute.

What is PIE?

According to United Virtualities, a persistent identification element is a Flash object that a bit of JavaScript can tag to the browser of a visitor to a PIE-enabled website in order to restore deleted cookies and act as a cookie backup. It uses a Flash MX feature called local shared objects that are less familiar to browsers and, hence, not as likely to be disabled. Shared objects are, essentially, the Flash equivalent of cookies, and yet, being Flash, are a good deal more capable because of their ability to gather information from other websites and to communicate with other Flash applications that may be running.
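A defender's check for the cookie-backup behaviour described above, as an added example that is not from the original article or from United Virtualities: it looks for local shared object files that hold a copy of a browser cookie value, since such a copy is what lets a deleted cookie be restored. The folder layout (`#SharedObjects/<random dir>/<site>/.../<name>.sol`), the `.test` site names, the file contents and the cookie values are assumptions constructed for the demonstration.

```python
import tempfile
from pathlib import Path

MIN_VALUE_LEN = 8  # skip short values such as "1" or "en" that match by chance

# Constructed sample: cookie values as exported from a browser profile.
DEMO_COOKIES = {
    "ads.example.test": {"uid": "7f3c9a10d2e44b58", "lang": "en"},
    "news.example.test": {"session": "c0ffee00c0ffee00"},
}


def site_of(sol_path: Path, root: Path) -> str:
    """Return the site folder a .sol file belongs to.

    Assumed layout: <root>/<random dir>/<site>/.../<name>.sol
    """
    parts = sol_path.relative_to(root).parts
    return parts[1] if len(parts) >= 3 else "(unknown)"


def inventory(root: Path) -> dict:
    """Map each site to the shared object files stored on disk for it."""
    found = {}
    for sol in sorted(root.rglob("*.sol")):
        found.setdefault(site_of(sol, root), []).append(sol)
    return found


def find_cookie_backups(root: Path, cookies: dict) -> list:
    """Flag shared objects that contain a copy of a cookie value.

    cookies: {cookie_domain: {cookie_name: cookie_value}}
    Returns (site, file_name, cookie_domain, cookie_name) tuples.
    String values are searched as raw UTF-8 bytes, so the file does not
    need to be fully decoded to spot a stored identifier.
    """
    hits = []
    for site, files in inventory(root).items():
        for sol in files:
            blob = sol.read_bytes()
            for domain, jar in cookies.items():
                for name, value in jar.items():
                    if len(value) < MIN_VALUE_LEN:
                        continue
                    if value.encode("utf-8") in blob:
                        hits.append((site, sol.name, domain, name))
    return hits


def build_demo_tree(base: Path) -> Path:
    """Create a constructed storage tree (placeholder bytes, not real Flash files)."""
    root = base / "#SharedObjects"
    ads = root / "AB12CD34" / "ads.example.test"
    game = root / "AB12CD34" / "game.example.test" / "scores"
    ads.mkdir(parents=True)
    game.mkdir(parents=True)
    # This file carries the same identifier as the "uid" cookie.
    (ads / "pie.sol").write_bytes(b"\x00constructed\x00uid\x007f3c9a10d2e44b58\x00")
    # This file only holds ordinary application state.
    (game / "save.sol").write_bytes(b"\x00constructed\x00level\x0012\x00")
    return root


def demo_sites() -> list:
    """Sites that have any shared object in the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        return sorted(inventory(build_demo_tree(Path(tmp))))


def demo() -> list:
    """Shared objects in the constructed tree that mirror a cookie value."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_cookie_backups(build_demo_tree(Path(tmp)), DEMO_COOKIES)


if __name__ == "__main__":
    print("sites with shared objects:", demo_sites())
    for site, fname, domain, cookie in demo():
        print(f"{site}/{fname} holds a copy of cookie '{cookie}' set by {domain}")
```

Files flagged this way need to be cleared together with the cookies; removing only the cookie leaves the stored copy in place.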

Mookie Tanembaum, founder and CEO of United Virtualities, justifies his company's technology by suggesting that he's simply trying to help out consumers who are too stupid to know what they want to control: "The user is not proficient enough in technology to know if the cookie is good or bad, or how it works," he is reported to have said. He also said, apparently with a straight face, that he discourages the abuse of PIE technology to thwart the end-user: "We believe people should use this technology responsibly. If people don't want cookies in place, then (their browsers) shouldn't be tagged." Uh-huh...I'm not sure who he thinks his market is. The company charges marketers $.03 per 1000 impressions (CPM) for use of its "platform".

Who's vulnerable?

Vulnerability, with regard to cookies, is relative. We actually support the responsible use of cookies to better serve visitors to your website; but that support begins and ends at your site and we recognize that cookies can be and have been abused by rogue Internet marketers and other website operators. With that in mind, let's take a look at who might be impacted by the use of PIE technology:

You, more than likely. The makers of Flash, Macromedia, Inc., claim that some 98% of Internet-enabled computers are equipped with the ability to view Flash, so security vulnerabilities associated with the technology should be a primary concern for anyone, especially as Flash seems to be emerging as the premier vehicle for building great user interfaces for rich Web applications.

Macromedia has established a website with a hideously long URL (http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html) dedicated to securing your local Flash-player installation, and even though we use Flash extensively here at Cafe ID (http://www.cafeid.com) for parts of our own application's user interface, we had never really explored checking to see that the security settings of our Flash Players were locked down until United Virtualities forced the issue. And because we use Flash, we're keenly interested in any abuse of Flash technology that may cause antipathy toward it and, by extension, us.

How do you avoid PIE?

One way to avoid having PIE attach itself to your browser is to simply jack up your security settings under IE to the highest level available. Unfortunately, this is less than desirable, as it will cause many other, non-PIE-enabled websites to become inoperable. This is like bricking up your windows and doors to keep out thieves.

You may have experienced a pop-up asking questions about privacy or storage space when visiting sites with Flash content, and this is the way most people see their Flash Player settings for the first time. But a visit to the Macromedia site above shows you how to access your Flash player's settings directly and describes the settings in some detail. That's a great place to start, so let's run through a few of the settings you may find particularly useful:

When the Settings Manager tool loads, it displays a five-tabbed interface across the top. Clicking on the tabs doesn't give you a great deal of feedback, but it does allow you to move between them. (Note that these panels allow you to control the behavior of the Flash Player in your future visits to Flash-based sites. To control the behavior of websites you have already specified settings for or are visiting currently, simply right-click in the window while the Flash application is running and choose Settings... from there.)

The first tab brings up the Global Privacy Settings Panel. Here, you can select whether websites will be allowed to ask you to use your computer's camera and microphone. At least there's no "Always Allow" setting -- that would make for some interesting viewing at the other end, no doubt.

The second tab brings up the Global Storage Settings Panel, on which you can specify how much of your local drive space you want to allow Flash applications to use to store information about you. Pushing the slider all the way to the left causes Flash to ask you each time an application wants to store information. Pushing it all the way to the right gives Flash unlimited space to store information, and there are intermediate levels between the extremes. We recommend having Flash ask, if for no other reason than to make sure you know when information about you is being stored.

The third tab is the Global Security Settings Panel. Here, you can specify whether Flash authors are able to use an older technology to get information from other sites. The recommendation, as usual, is to always ask, as the other options either provide no control or no desired functionality.

The fourth tab is the detailed Website Privacy Settings Panel which works a good deal like your browser's cookie manager. It shows you all the websites that currently are storing information about you and allows you to set your camera and microphone preferences on a per-website basis. The fifth tab, similarly to the fourth, allows you to set your storage-space preferences on a per-website basis.

You can also access the Global Notifications Settings Panel via the link to it on the left, where you can control how often Flash checks with Macromedia to see if updates are available.
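The per-website panels above list the sites holding shared objects; the same inventory can be taken from disk and compared with the cookies your browser still holds. The following is an added example, not code from Macromedia, United Virtualities or this article. It assumes that shared objects are kept as `.sol` files under one directory per domain inside a store directory you point it at (a layout the article does not describe), and the function names and sample domains are made up for illustration.

```python
import tempfile
from collections import defaultdict
from pathlib import Path


def inventory_shared_objects(root):
    """Map each domain to its .sol files under a Flash shared-object store.

    Assumed layout: <root>/<profile-dir>/<domain>/[subdirs/]<name>.sol
    """
    root = Path(root)
    found = defaultdict(list)
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:  # need profile dir, domain and file name
            continue
        found[parts[1].lower()].append(("/".join(parts[2:]), sol.stat().st_size))
    return dict(found)


def respawn_candidates(inventory, cookie_domains):
    """Domains that hold shared objects although no browser cookie covers them."""
    cookies = {d.lower().lstrip(".") for d in cookie_domains}

    def covered(domain):
        return any(domain == c or domain.endswith("." + c) for c in cookies)

    return sorted(d for d in inventory if not covered(d))


def build_sample_store(base):
    """Create a constructed sample store (made-up domains, dummy contents)."""
    files = {
        "ABCD1234/tracker.example/pie.sol": b"x" * 40,
        "ABCD1234/shop.example/app/settings.sol": b"x" * 120,
        "ABCD1234/www.news.example/prefs.sol": b"x" * 16,
        "ABCD1234/stray.sol": b"x",  # too shallow to name a domain; skipped
    }
    for rel, data in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        inv = inventory_shared_objects(build_sample_store(tmp))
        for domain, items in sorted(inv.items()):
            print(domain, items)
        # Cookies the browser still holds after the user cleared the rest (constructed).
        print(respawn_candidates(inv, [".news.example", "shop.example"]))
```

A domain reported by `respawn_candidates` is one whose cookies you removed but whose shared objects survived, which is exactly the state a cookie backup relies on.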

The Way Forward

For your part, it's just one more thing with which to concern yourself in your daily browsing. Ask yourself how much you want your online travels tracked and analyzed by Internet marketers and set your browser and Flash Players accordingly. There are plenty of resources available to show you how, and we try to maintain an up-to-date collection of them at cafeid.com.

Macromedia, for its part, is in discussion with both Microsoft and the Mozilla Foundation, makers of the wildly popular new Firefox browser, to provide an interface for controlling shared objects and cookies in one place in future versions of their respective browsers. After all, like cookies, shared objects are a useful technology that carries the potential for being abused, and we'd hate to see either go away.

Macromedia's stance and actions on the matter are a welcome step in the right direction; but what we'd like to see is the regulation of Internet marketers who seem to have inexplicably decided that the way to generate interest in the products and services they're marketing is to actively foil any and all consumer attempts to avoid that marketing. The suggestion that consumers are not technologically savvy enough to determine whether or not they want to be tracked and monitored is nothing short of outrageous. Mookie Tanembaum ought to be ashamed; but shame isn't a strong motivator among the Internet's purveyors of malware.

-----


About the Author


Trevor Bauknight is a web designer and writer with over 15 years of experience on the Internet. He specializes in the creation and maintenance of business and personal identity online and can be reached at trevor@tryid.com. Stop by http://www.cafeid.com for a free tryout of the revolutionary SiteBuildingSystem and check out our Flash-based website and IMAP e-mail hosting solutions, complete with live support.


posted by RealitySEO at 4:08 PM 0 comments

Friday, April 01, 2005

RFIDKills.com Citizen comment by April 4th


RFIDKills.com is a web site that allows citizen comment to the appropriate federal agency without picking through the difficult-to-find and odd methods mandated by the US Department of State, which require specific subject lines and particular email addresses. Make yourself heard before the April 4th deadline for public comment!


posted by RealitySEO at 2:32 PM 0 comments

Online ID theft hits travel industry


(USA Today Travel Section) ID theft hooks up with traditional scams; this time, travel is being targeted by bad guys looking for suckers willing to enter personal information and credit card information without ever speaking to a human being.

Obviously you must protect yourself by dealing only with reputable and well-known sites when entering personal and financial information into travel web site pop-ups and responding to spam email. Phishing will go where the fish are and this time of year people are planning expensive vacations.

Take care and protect your information by speaking with travel representatives by phone or work only through well-known travel aggregators.


posted by RealitySEO at 9:19 AM 0 comments