StratVantage Consulting, LLC — Mike’s Take on the News 09/27/01

Clipped from: http://www.stratvantage.com/news/092701.htm

The News – 09/27/01

In this Issue:

National ID Cards As A Solution?

Oracle boss Larry Ellison recently called for the establishment of national ID cards as a curb to terrorist attacks. He’s also put his money where his (rather large) mouth is by offering to donate the Oracle software to implement the scheme.

If you’ve been following SNS recently, you can probably guess I don’t think much of this idea. The terrorists had ID cards, after all. The Boston Globe reported that five of the hijackers had recently obtained Florida licenses. Ellison proposes that Americans be fingerprinted and that the information be placed on a database used by airport security officials to verify identities of travelers at airplane gates. He brushes aside civil libertarians’ concerns about the possible use of such a system to infringe on the privacy and other civil rights of law-abiding citizens. Echoing Sun Microsystems CEO Scott McNealy’s famous “get over it” pronouncement, Ellison said: “Well, this privacy you’re concerned about is largely an illusion. All you have to give up is your illusions, not any of your privacy. Right now, you can go onto the Internet and get a credit report about your neighbor and find out where your neighbor works, how much they earn and if they had a late mortgage payment and tons of other information.”

Doesn’t that make you feel better? I wonder how easy it would be to get Larry Ellison’s credit report and other private information.

Anyway, the business effect of Ellison’s offer could be chilling to not only the database industry Oracle competes in, but also the employee identification and airport security industries. If the government gets into the business of assuring identity, many companies in these industries will go the way of the airport skycaps.

SiliconValley.com

Briefly Noted

  • Shameless Self-Promotion Dept.: I’ve added a new directory to the Directories section of the StratVantage Web site: Email Newsletters. After conducting a fruitless search for a central place listing various email newsletters, I decided to establish one myself. I’ve seeded it with newsletters I receive and find useful. If you’ve got a favorite, send it along and I’ll add it.
    StratVantage Directories
  • Random Web Usage Tip: eMazing has a nice tip of the day service you can subscribe to. Even a Web junkie like myself can learn a thing or two from their service. Their latest tip about Internet Explorer is a good example: “When a page is taking forever to download all of its graphics, press the Spacebar to stop the graphics and allow you to read the text. Another trick is to click Stop and then click Refresh. Sometimes starting over will get you a faster download.” I knew the second tip, but not the first, which is very useful when some huge gratuitous image file is downloading and preventing me from getting on with it.
    eMazing
  • Expanded Wiretap Authority Analyzed: Alert SNS Reader Jeff Ellsworth sends along a pointer to an article written by Georgetown University law professor and former Clinton chief of staff John Podesta. It’s a very easy-to-read consideration of the problems facing law enforcement in the digital age and the threats to freedom that could be involved if we help them do their job better.
    WashTech.com
  • YAMV (Yet Another Microsoft Virus) Report: I’m thinking of making this a regular feature. A new Visual Basic script-based worm, dubbed Vote, is a mass mailer which sends itself to e-mail addresses harvested from the Windows address book of infected systems. It arrives as an email with the subject line “Peace between America and Islam,” and it not only sends large amounts of e-mail, but also overwrites HTML (Web) files on the infected computer and can delete the system’s Windows directory and reformat the hard drive when the machine is restarted. The e-mail includes an attachment called WTC.exe, which, when double-clicked, infects the computer. This makes Vote unlike the Nimda worm, which can infect without double-clicking, and thus experts consider the virus low risk. Nonetheless, businesses should make sure all employees know not to double-click attachments from unknown emailers. In addition, businesses should make sure antivirus protection is up to date on all computers.
    The Standard (Australia)
  • Unmanned Aircraft May Be Key: In this war unlike any other, automated flying drones may be essential to gathering intelligence in mountainous Afghanistan. One possible problem: These unmanned aerial vehicles (UAVs) are largely untested. The Predator UAV has been flying reconnaissance missions over Iraq, and the military has other tactical UAVs including the Global Hawk, Pioneer and Hunter. Chances are good that the Defense Advanced Research Projects Agency (DARPA, the fathers of the Internet) will step up production of the “micro-UAVs” that are currently on the drawing board. Deploying untested, leading edge battletech has a precedent. The military first deployed an experimental airborne battlefield-management system, the Joint Surveillance and Target Attack Radar System, in the Gulf War. The bad news is control stations for UAVs would need to be close to the front lines, probably in Pakistan.
    EE Times
  • Background Check Business Booming: Many companies are benefiting from the recent tragedy, including those that specialize in performing pre-employment background checks. The company behind Pre-employ.com and MyBackgroundCheck.Com reports they are fielding 2,000 queries a day, double the normal number, since September 11.
    LA Times
  • Nokia and Visa Piloting Dual Chip Mobile Payment Service: One of the dreams of mobile commerce is the ability to quickly and wirelessly pay for goods and services using a mobile device. Nokia and Visa took a step closer to realizing the dream recently when they announced a pilot in Finland of Nordea’s Open Platform chip card. Nordea’s card will be installed in 150 Nokia phones to be distributed to customers in Helsinki. These customers can only buy groceries and movie theater tickets, so the pilot is quite limited. Nonetheless, it will offer good data on the use of the dual chip concept, which relies on a chip card issued by a bank and a separate chip running the Wireless Identity Module (WIM) application in a Wireless Application Protocol (WAP) cell phone. If the pilot is successful, look to see the technique rolled out in Northern Europe and the rest of Europe before it arrives in the US. But be careful: Don’t lose your phone!
    Nokia
  • Visualization As Decision Support: Sun and Landmark Graphics have combined to offer a data visualization solution for Unocal, which will use it to help improve departmental-level collaboration and decision-making in oil and gas exploration and production. Oil companies use massive amounts of seismic information to find pockets of oil and gas. Unocal will use Landmark’s 2003 versions of Earthcube™ and OpenVision™ graphics applications to visually inspect the data and detect telltale patterns. Up to now, such data visualization techniques involved very expensive installations. Sun and Landmark’s solution promises to bring such high-end capabilities within reach of smaller companies.
    Sun
  • Inventor of Popular Crypto Program Clarifies: Phil Zimmermann invented a cryptographic program called PGP (Pretty Good Privacy) in 1991. The program allows its users to take emails or other documents and transform them into a virtually unbreakable set of codes that only the intended recipient can decode. In this way, users can communicate with others without law enforcement officials being able to understand the communication. Zimmermann was widely quoted – he now says misquoted – recently as being full of remorse due to the likelihood his program was used by the terrorists. After the article was published, Zimmermann clarified his statement on the Cypherpunks discussion list for cryptographers:

    The journalist slightly misinterpreted my remarks, and missed the shades of grey in some of what I said. I did *not* say that I was overwhelmed with guilt over PGP. I told her about my crying, just as everyone else I knew had cried over what had happened. I also told her about the hate mail, and that I “felt bad” that the terrorists may have used PGP. Indeed I do feel bad about that. But feeling bad about them using it is not the same as feeling that PGP was a mistake, or that I have changed my principles about human rights and crypto. I thought I had also made it clear that I had no regrets about developing PGP. She did not report any individual facts incorrectly in her article. But I think she connected the dots in a slightly different way, and seemed to conclude that I was wallowing in guilt over PGP. I’m sure she meant no harm. I am still very much aware that PGP was a good thing, and that strong crypto helps more than hurts. I have been saying that to the press all week. I just said it again in two more interviews I had before breakfast this morning, and will continue to say it. It seems I have to say it more forcefully. I will prepare a statement on this later today. In the meantime, feel free to let our colleagues know that I have not gone soft on civil liberties.

    To stop terror, you must stop terrorists, not abridge the rights of the rest of us.
    Cypherpunks


StratVantage Consulting, LLC — Mike’s Take on the News 09/21/01

Clipped from: http://www.stratvantage.com/news/092101.htm

The News – 09/21/01

In this Issue:

Guns On Planes As A Solution?

What’s Wrong With This Picture? I don’t know about you, but I worry about recent statements recommending that Federal marshals with guns be stationed on airplanes. I always assumed that the risk of catastrophic decompression or other really bad outcome due to discharging a firearm on a plane was quite high.

According to the site, KeepAndBearArms.com (now, let’s consider the source here), it ain’t necessarily so. First of all, you could use pre-fragmented “safety slugs” designed not to penetrate walls or ricochet from hard surfaces. Great. But even if you put a hole or two in the side of the fuselage, you could plug it with an airplane pillow, according to the site, which quotes a couple of self-identified aircraft engineers on the subject. They say the risk of a single bullet causing massive structural failure of these “bulldozers in the sky” is very slim. Of course, they don’t worry too much about what would happen if the bullet happened to shoot out a window or penetrate the fuel tanks in the wings. One of the “engineers” says that he “read someplace” that a 747 could keep flying with four windows blown out. Of course, several passengers might get “extruded” in the process, but I guess you should learn to accept that kind of collateral damage. Anyway, the site seems to be advocating that normal folks be able to fly while armed, arguing, “Concealed carry permit holders are among the most lawful people in our society.” OK, now I’m really scared.

Let’s not take leave of our senses here, folks. It’s OK with me if you’re a gun advocate. But get a clue: Arming all air passengers would arm the stinking bad guys, too! Hello? All a terrorist has to do in this scenario is get a concealed carry permit, perhaps with stolen credentials. The idea of arming passengers is loony, and typical of the type of knee-jerk overreaction we’ve heard a lot of since the disaster. Never one to be outdone in the knee-jerk category, our Congress has proposed a bill named H.R. 2896 — Anti-Terrorism Act of 2001 that would allow pilots to be armed. Now I feel safer. Let’s see. Who was it that brought down EgyptAir 990 into Long Island Sound? Could it have been the pilot?

Don’t get me wrong. I’d much rather have pilots armed than passengers, but, let’s face it: Pilots are not immune to mental illness, marital problems, depression, bigotry, hatred, or other antisocial behaviors. Some have even flown drunk. Nevertheless, we do entrust them with our lives, and the vast majority of the time they come through. I’m not saying pilots shouldn’t have the ability to respond to a hijacking situation, but placing a very dangerous weapon in their hands (one that can be stolen and used against them) while they are dealing with flying the plane and keeping the crew and passengers calm may not be the smartest thing. Has anyone ever heard of sub-lethal weapons, for crying out loud? Please write Republican Representative Ron Paul of Texas, who sponsored the bill, and express your feelings. I’d like to suggest that it be amended to allow the carrying of sub-lethal weapons designed to protect against a terrorist attack.

While we’re on the subject of preventing skyjacking, wouldn’t it make more sense if, instead of the primitive tech of a bullet, we used the modern technology called fly-by-wire (FBW)? Modern passenger jets such as the Airbus A320 and the Boeing 777 (as well as many modern fighter jets) utilize FBW technology. What it means is the plane’s controls are not mechanically connected to the control surfaces of the plane, and all pilot actions can be modified by computers. In the case of the Airbus, hard limits are placed on what the pilot can ask the plane to do. If the pilot tries to take an action that would make the plane stall or crash into a building, for example, computers override the action and attempt to carry it out within acceptable limits of control. Boeing allows the pilot to override the computer, believing that the human has a better grasp on the situation. Well, what if there was a ground override that would enable airline officials to cause the plane to land and not respond to cockpit inputs? Or perhaps just programming a building avoidance routine would do the trick. Wouldn’t that take care of the hijacking problem?

Of course, such a system would need to be completely hacker-proof or it could be neutralized or co-opted by terrorists or antisocial script kiddies. Despite my misgivings about the security of secure systems, I for one would feel much more comfortable with such a system than with guns on board. Of course, having said that, the folks at KeepAndBearArms.com might want to put my picture in their rogues’ gallery of gun opponents, right next to Stalin and Hitler.

KeepAndBearArms.com

Briefly Noted

  • Shameless Self-Promotion Dept.: CFO Magazine quoted me for a story they ran on the SirCam worm and peer-to-peer networks. Like most media contacts, I said a great many brilliant, insightful, impactful things, but they only used two quotes. It’s online now, but I don’t think it gets into print until next month.
    CFO Magazine
  • Vigilante Crackers Warned: A loose-knit group of hackers known as the “Dispatchers” vowed shortly following last week’s terrorist attacks to damage and destroy Internet service providers, Web sites and networks operated by terrorist organizations. The Dispatchers said that they would target ISPs in Palestine, Afghanistan and other countries that support terrorism. The FBI doesn’t think this is such a good idea. “There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place,” the FBI’s National Infrastructure Protection Center (NIPC) said. “The Dispatchers claim to have over 1,000 machines under their control for the attacks. It is likely that the attackers will mask their operations by using the (Internet protocol) addresses and pirated systems of uninvolved third parties.” This type of attack might work against a country, but is likely to be a mere annoyance to terrorist groups, who can switch providers or adopt alternative means of access. Unless hackers take down all ISPs in the target countries, very little good is likely to come from such an exploit.
    NationsAtWar
  • Taleban.com Cracked: A cracker with the handle RyDen defaced the Afghan Taleban Mission to the UN website, taleban.com. The site is now down, but as of last Sunday it read: “Own3d by RyDen.” The site was apparently first defaced in March and this is the third time in six months that RyDen has attacked the Taleban site.
    NationsAtWar


StratVantage Consulting, LLC — Mike’s Take on the News 09/18/01

Clipped from: http://www.stratvantage.com/news/101601.htm

The News – 10/16/01

In this Issue:

Web Services On the Radar Screen

According to a July InfoWorld survey of 500 readers involved with technology strategy and technology buying, although only 6.4 percent are extremely familiar with Web services, 75 percent of them rank Web services as a moderate-to-critical IT priority for the next two years, and 66 percent will develop a Web services strategy within a year. These findings seem to indicate that Web services are more buzz than substance: Few of those surveyed really knew what they were talking about, but most were ready to make plans.

The Web services concept is still ill defined, but in general it refers to the ability to assemble applications from component services that are available over the Web. Web services are the glue that can integrate a legacy system, for example, with new capabilities. Suppose you want to set up an intranet service to let employees find out how much vacation time they’ve accrued. If the information is on a mainframe, you can employ a Web service to interact with the mainframe database, and another to format the data as a Web page. If later you want to add an application to calculate sick days, you can reuse one or both components. And if you decide to jazz up the service by adding a stock ticker, you just plug in the appropriate Web service. Sounds great, but there’s much to be done before application development is that easy.

The biggest problem with Web services involves a lack of standards and a general fuzziness of the concept. For example, 30 percent of the respondents in InfoWorld’s survey claim to have already reaped the benefits of Web services. This is odd, because only 6.4 percent are extremely familiar with them. The various competing standards form a confusing alphabet soup: XML (eXtensible Markup Language), DCOM (Distributed Component Object Model), RMI (Remote Method Invocation), SOAP (Simple Object Access Protocol), WSFL (Web Services Flow Language), ONE (Open Net Environment), UDDI (Universal Description, Discovery, and Integration – see the TrendSpot for more info), WSDL (Web Services Description Language), and CORBA (Common Object Request Broker Architecture). There are other problems as well, most notably the question of security and enforcement of business rules.

Perhaps the biggest problem with Web services is the hype. The concept is being sold as a new way to create applications rather than an easy way to integrate some valuable services into an application. So far with Web services, there’s really no groundbreaking going on in the way an application is built. Currently, Web services are unlikely to be interchangeable Legos you can use to snap together an application. You still need to do hard stuff like understand what the problem is, what the users want, and how your system will flow and hang together.

The list of existing Web services at XMethods.com serves to prove this point. You might be underwhelmed by the array of services offered. Among the stupidest services are those that translate inches to millimeters or Fahrenheit to Celsius. If you’re a programmer, and you’re too lazy to look up the formulas for such simple transformations, I guess you’d be stupid enough to solve the problem by making an inefficient Web request to get the answer. Other Web services simply automate the retrieval of readily available information, like stock quotes, newsgroup postings, or zip codes. Still others seem to offer a little value, like a nucleotide sequence lookup or a credit card validator. But there aren’t services that really provide snappable application parts, like: Accept user’s login and password; Validate against corporate LDAP database; Establish Virtual Private Network and session credentials; and open a session log. That Web service might be useful, at least more useful than one that “Provides Internet Time (ITime), as defined by Swatch.” (Oh, don’t ask. If you don’t already know what ITime is, you really won’t care to know.)

So, while Web services are getting a lot of ink, it’ll probably be a while before the reality lives up to the hype. Businesses should be wary of anyone selling this snake oil as a panacea. Developing applications remains hard work, best left to professionals. Web services can be a part of an application development effort, and may even bring real value, but we’ve been around this block before with other reusable code schemes. It remains to be seen if Web services can truly accelerate the development process.

InfoWorld

Briefly Noted

  • Shameless Self-Promotion Dept.: I’ve added a security news ticker to the StratVantage Security Web page. It scrolls up-to-date information about viruses, worms, hoaxes and other items of interest regarding computer security. Check it out.
    StratVantage Security Resources
  • Manufacturers Move to Protect Critical Infrastructures: The National Center for Manufacturing Sciences (NCMS) and the National Infrastructure Protection Center InfraGard Program have established the first InfraGard Industry Association. I wrote about InfraGard in the last SNS. The new association, called the InfraGard Manufacturing Industry Association (IMIA), aims to provide manufacturers and their supply chain partners with communications, education, and collaborative project services to help assure the security of critical business information and manufacturing infrastructures.
    NCMS
  • Microsoft Finally Serious About Security? I’ve got to give our buddies in Redmond credit. After thousands of bugs and hundreds of virus attacks, they finally appear to understand that security is important. However, their marketing spin makes it seem like they’ve recently uncovered serious security threats: “Internet security and the increased threat from computer viruses are serious and growing issues that impact businesses around the globe, regardless of platform.” Very true, and in the spirit of helping address these threats and to benefit humanity, Microsoft announced the Strategic Technology Protection Program, “to help customers get secure and stay secure.” “Part of the company’s ongoing security commitment, this program marks an unprecedented mobilization of Microsoft’s people and resources to proactively assist customers of any size to secure their computing environments.” No, no, silly person, they’re not paying to convert people to Linux! They’re going to help people get current and stay current with the bewildering array of security bug fixes they issue each month. Hey, it’s a start!
    Microsoft
  • Spears Hoax: Pranksters are getting cleverer and cleverer. Tim Fries, a Saginaw, Mich.-based online comic strip artist, used a trick to make it look like CNN.com had a scoop: Singer Britney Spears Killed in Car Accident. Fries claimed he was conducting research as to how far and fast misleading information travels on the Web. “With the recent terrorist attacks and such an increasing reliance on the Internet as a trusted news source, misinformation could prove to be a powerful weapon,” said Fries. The cartoonist used a quirk in the way Web browsers handle URLs to direct users to a mock-up of a CNN.com Web page at an external site. Incredibly, the distribution of the special URL to just three users of AOL’s Instant Messenger chat software resulted in more than 150,000 hits to the fake site. The URL began with the characters http://www.cnn.com, followed by "@" and the IP address of the fake Web site. Since browsers treat anything to the left of an "@" in a Web address as login information rather than as the site’s name, users were taken to the phony article but assumed they were going to CNN.com. In this time of ever more outrageous sounding real news, the ability of just one joker to spread disinformation could move from merely annoying to incitement to riot.

    Please, before forwarding any incredible news, check the source, and check the Urban Legends Reference pages at www.snopes.com. And no, blue envelopes are not contaminated, and no mysterious Arab ex-boyfriend forecast September 11 and a mall attack on Halloween. Let’s keep it together, people.
    Security News Portal

  • Gartner Says Ditch IIS or Face Risk: GartnerGroup has taken a very strong position against using Microsoft’s Web server, Internet Information Server (IIS), either on the Internet or even inside the enterprise. The analyst firm has faced the fact that using the buggy, security hole-riddled IIS instead of readily available and free alternatives increases the cost of ownership.

    Code Red also showed how easy it is to attack IIS Web servers. Thus, using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft’s IIS Web server software have to update every IIS server with every Microsoft security patch that comes out—almost weekly. However, Nimda (and to a lesser degree, Code Blue) has again shown the high risk of using IIS and the effort involved in keeping up with Microsoft’s frequent security patches. Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications from other vendors to Web server software, such as iPlanet and Apache. Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers.

    Sun has taken advantage of these recommendations to announce a “trade up” program to help businesses transition off IIS and onto its iPlanet Web server. It even offers free software that allows programs written to IIS’ Active Server Pages (ASP) API to run on Sun equipment. Sun has knocked $500 off its normal iPlanet pricing as an incentive. As reported in a previous SNS, even the insurance industry has taken notice of the problems with IIS, with one insurer charging higher premiums for disaster insurance to businesses using IIS.
    TechRepublic

  • Making Copies to Ensure Availability: Sun Microsystems and Stanford University said recently that the LOCKSS (Lots of Copies Keep Stuff Safe) program – designed to protect the integrity of valuable electronic content – is performing well in large-scale tests at 47 global locations. The LOCKSS system is an open-source, Java-based, distributed content mirroring system, designed to run on low-cost computers without central administration. Computers continually monitor files on their hard disks at random intervals. If files have been corrupted or altered, an automatic caching system replaces them with intact copies derived from redundant copies on other machines. This enables content providers to maintain access to critical information.
    Sun
  • Too Much Sun? At the risk of overloading you on news from our buddies at Sun Microsystems, I have to let you know about their collaborative effort with Lucent to deliver unified communications via a mobile portal. Unified communications has been the next big thing for a couple of years now. It promises to allow you to access all your communications in whatever form you want. For example, you can get your email, voicemail, and faxes all via the telephone. The new service will allow users to browse the Web, check and send voice and e-mail messages, initiate calls from their address book via voice command, hear faxes, and attach e-mail to voicemail messages (and vice versa) all via their cell phones. Messages can also be bookmarked by voice command so users can easily jump back to them later. Sounds pretty cool. Let’s see if it can fly in real life. (Disclaimer: I do indeed own stock in Sun and would love to see it come up from under water.)
    Sun
  • I Want This Phone: Nokia has come out with another cool phone. The Nokia 5510 is a music player, FM radio, messaging machine, games platform and phone. It includes (of course) an Internet browser as well as 64 MB memory to store up to 2 hours of music, the ability to answer and end phone calls with the stereo headset while listening to music, voice dial for 8 names, and 5 built-in games. The game controller-like form factor will certainly attract the kids, while business people will like the full keyboard (for two-fisted typing) and the ability to send longer messages. Unfortunately, the phone won’t be available in the US. Drat. (Pet Peeve, part XXIII: I’ve complained before about Nokia’s Web site. Now wouldn’t you think when they announce a new phone you could use their search capability, type in the model number, and find the appropriate page? Nope.)
    Nokia

  • Stupid Quote Alert: I get eMazing’s Stupid Quote of the Day email service, and most of the quotes aren’t real winners. But last Wednesday’s brought a smile to my face:

    "The department takes very seriously its responsibility to protect the privacy interests of Americans who have been the subject of investigative scrutiny."
    – Justice Dept spokeswoman Susan Dryden, explaining that the Justice Department invading your privacy and other people invading your privacy are two completely different things.
    PBS
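
The "@" trick from the Spears Hoax item above, as an added example that is not part of the original newsletter: it parses links with the standard URL class that browsers and Node.js share, reports which host a link really reaches, and flags links whose text before the "@" imitates a site name. It goes slightly beyond the item by also covering integer-form IP addresses. The function names, the host-name heuristic and the sample message are assumptions made for illustration, and 192.0.2.10 is a reserved documentation address.

```javascript
// Added example (not from the newsletter). Sample URLs are constructed;
// 192.0.2.10 is a reserved documentation address, not the hoax site.

// Heuristic (assumption): userinfo shaped like a DNS name, e.g. "www.cnn.com".
const HOSTLIKE = /^([a-z0-9-]+\.)+[a-z]{2,}$/i;
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Percent-decoding can throw on malformed input; fall back to the raw text.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (err) {
    return text;
  }
}

// Parse one link the way a browser does and report what it really points at.
function analyzeLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return { href, valid: false, findings: ['unparseable'], suspicious: false };
  }
  const userinfo = safeDecode(url.username);
  const findings = [];
  if (url.username !== '' || url.password !== '') {
    findings.push('userinfo-present');
  }
  // The hoax pattern: the part before "@" reads like a site name,
  // but the host the browser connects to is something else.
  if (HOSTLIKE.test(userinfo) && userinfo.toLowerCase() !== url.hostname) {
    findings.push('userinfo-imitates-host');
  }
  // URL parsing normalizes integer and hex IPv4 forms to dotted decimal,
  // so one check covers "192.0.2.10" and "3221225994" alike.
  if (IPV4.test(url.hostname) || url.hostname.startsWith('[')) {
    findings.push('ip-literal-host');
  }
  return {
    href,
    valid: true,
    looksLike: userinfo,
    actualHost: url.hostname,
    findings,
    suspicious: findings.includes('userinfo-imitates-host'),
  };
}

// Rewrite a link without its userinfo so the real destination is visible.
function withoutUserinfo(href) {
  const url = new URL(href);
  url.username = '';
  url.password = '';
  return url.href;
}

// Pull http(s) links out of free text (a chat message, an e-mail body)
// and return only the ones that match the hoax pattern.
function findDeceptiveLinks(text) {
  const matches = text.match(/https?:\/\/[^\s<>"']+/gi) || [];
  return matches
    .map((raw) => raw.replace(/[.,;:!?)]+$/, '')) // drop trailing punctuation
    .map(analyzeLink)
    .filter((result) => result.suspicious);
}

// Constructed instant-message text for a stand-alone run.
const SAMPLE_MESSAGE =
  'omg read this http://www.cnn.com@192.0.2.10/news/spears.html ' +
  '(the real site is http://www.cnn.com/).';

for (const hit of findDeceptiveLinks(SAMPLE_MESSAGE)) {
  console.log(`${hit.href}\n  reads as: ${hit.looksLike}\n  goes to:  ${hit.actualHost}`);
}
```

A mail or chat gateway can show the output of withoutUserinfo in place of the original link, so the reader sees the host the browser will actually contact.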


StratVantage Consulting, LLC — Mike’s Take on the News 09/18/01

Clipped from: http://www.stratvantage.com/news/091801.htm

The News – 09/18/01

In this Issue:

Can Freedom and Security Coexist?

My heart, like every American’s, is broken due to the horrific acts of a few fanatics a week ago. Commentators are fond of saying nothing will ever be the same again, but I hope that’s not true. Nonetheless, there are elements in the government that are trying to make some pretty important things change. Things like freedom. Attorney General John Ashcroft wants sweeping new wiretap powers that would essentially allow the government to eavesdrop on any conversation anywhere as long as they have a “reasonable” expectation that a suspected criminal is involved in the conversation. Rather than wiretaps being associated with a particular telephone, Ashcroft wants them to be associated with the suspect. While I agree police need more freedom to intercept communications in this age of disposable cell phones, I worry that the Feds will end up listening to a lot of conversations that don’t involve the suspects in question. What happens if they turn up evidence of other wrongdoing as a result?

Personally, I’m sick to death of the usual response I get when I bring up potential threats to freedom like this. The average person responds, “I’ve got nothing to hide, so I don’t care if the authorities can [wiretap my house, search it without a warrant, confiscate my nail clippers at the airport, read all my email, know whenever I travel on the tollway, and so on].” My usual response is to point out that the listener is not a criminal, yet. Until recently, it wasn’t a crime to post a link on your Web page to a site that hosted software to break copy protection schemes. Today it is a crime. So you’re not a criminal now, but in the future you could be criminalized.

One company that stands to make a lot of money over the hysteria over airport security is Visionics, a maker of face-recognition equipment and other security products that use biometrics

StratVantage Consulting, LLC — Mike’s Take on the News 09/04/01

Clipped from: http://www.stratvantage.com/news/091001.htm

The News – 09/10/01

In this Issue:

The Right to Privacy?

Recently, in a discussion group I participate in, someone asked, “What happened to our right to privacy?” He was appalled at a recent judicial decision that, he claimed, stated “that phone calls you place and take in your own home cannot be considered private.”

While I certainly agree with the sentiment, I must point out that there’s nothing in the Constitution that guarantees privacy. The 4th Amendment guarantees citizens’ security of “persons, houses, papers, and effects, against unreasonable searches and seizures,” but doesn’t guarantee privacy. In fact, the word doesn’t appear anywhere in the Constitution or the amendments.

There are some laws on the books regarding privacy, however, but most only concern the federal government. In 1998 the White House issued a memorandum on Privacy and Personal Information in Federal Records, saying: “Privacy is a cherished American value, closely linked to our concepts of personal freedom and well-being. At the same time, fundamental principles such as those underlying the First Amendment, perhaps the most important hallmark of American democracy, protect the free flow of information in our society.” The memorandum directs Federal agency heads to “assure that their use of new information technologies sustain, and do not erode, the protections provided in all statutes relating to agency use, collection, and disclosure of personal information,” and that they follow the Privacy Act of 1974. One wonders why it was necessary to direct government agencies to obey the law!

There is one bill, the Gramm-Leach-Bliley Act, enacted in late 1999 with a compliance date of July of this year, that does regulate what financial institutions can do with non-public information about you. It’s because of this law that you’ve been receiving the privacy policies of the various financial institutions in your life. These institutions must, “Provide an opt-out notice, with the initial notice or separately, prior to a financial institution sharing nonpublic personal information with nonaffiliated third parties.” So now’s your chance to opt out.

Also this year, the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 became effective, with a compliance date of April 14, 2003. The original 1996 law gave Congress until August 21, 1999, to pass comprehensive health privacy legislation. When Congress did not enact such legislation after three years, the law required the Department of Health and Human Services (HHS) to craft such protections by regulation. The regulations basically protect your health information from being disclosed without your consent. However, since medical establishments share information all the time in the process of caring for you, this gets a bit sticky. The rules are expected to cost $17.6 billion over 10 years to implement, while generating significant offsetting savings.

Despite some recent advances, and despite the cherished nature of privacy, there are few rules binding on non-financial or non-health institutions. Private citizens really have no right to privacy in other arenas. Sure there’s a lot of talk about privacy, and about the EU privacy rules, but, as you can see from Congress’ HIPAA foot dragging, our government really has little interest in proactively enacting laws to protect our privacy from non-governmental entities. The FTC has created the elements of fair information practices (notice, choice, access, security, and contact), but there’s no enforcement mechanism. There’s a lot of interest in trading in online information (failed dot-coms trying to sell client lists), but these challenges tend to stand on the concept of the contractual nature of a site’s voluntary privacy policy.

Sun CEO Scott McNealy said a couple of years ago, “You have no privacy. Get over it.” Is this our fate? Must we stand by while private companies amass tremendous databases of information (don’t get me started on Microsoft’s Passport!) on us? Or should we make our elected representatives aware that we’d just as soon keep our private matters private? Will it take being turned down for a job because you have a genetic predisposition to cancer to bring the point home? And while we’re at it, as marketers, what is our responsibility to refrain from infringing on privacy? We need answers to these questions soon, IMHO. I’m interested in your thoughts on these matters. Send them in and I’ll publish them in a future SNS.

Privacy Backgrounder


StratVantage Consulting, LLC — Mike’s Take on the News 09/04/01

Clipped from: http://www.stratvantage.com/news/090401.htm

The News – 09/04/01

In this Issue:

Cybersquatting Is Legal – For Some

There’s nothing like a monopoly. You get to make your own rules and wield power however you want. So I guess it’s not surprising that, when ICANN gave monopolies to the registrars for the seven new top level domains (.biz, .name, .pro, .museum, .info, .aero, and .coop), there’d be opportunities for abuse. Turns out abuse is practically mandated in the new domain operators’ contracts, which entitle them to register up to 10,000 domains for themselves before allowing anyone else access. This means that 10,000 of the most valuable, juiciest domain names are likely to not be available to all comers. Names like business.biz, museum.museum and the like could be controlled by the domain registrar, who could auction them to the highest bidders. Afilias, a consortium of 18 companies and domain registrar for the .info domain, has registered search.info, for example. ICANN argues that a registry operator will need a wide range of addresses on that registry in order to work effectively. Here’s a list of names reserved by NeuLevel, the administrator of the .biz gTLD (generic Top Level Domain).

As if that’s not bad enough, other registrants have taken many desirable domain names in the early registration period, which is supposed to be available only to trademark owners. So if you had your heart set on getting sports.info, computer.info, bank.info, or finance.info, you can forget it. All have been snapped up by registrants who did not hold legitimate trademarks. Afilias says they’ll take action in December, after their review of the early registration period ends. One study found that of 11,000 .info registrations, between 15 and 25 percent were bogus. My personal favorite bogus registration was for bible.info, which claimed its trademark number was “1”. Not according to the USPTO, it’s not. With all this potential cybersquatting, Afilias has its work cut out for it if it hopes to clear it all up by year-end.

Domain registrar NeuLevel, which was awarded the .biz monopoly, has been accused by Amazon of running an illegal lottery, and has filed suit to defend itself. At issue is the pre-registration period NeuLevel established in which applicants pay a small fee to reserve the rights to a name. On September 17, the company will randomly award contested names. I don’t know about you, but that sounds an awful lot like a lottery to me. However, I don’t really know how else a registrar can resolve multiple claims for a single name, unless there’s trademark or other intellectual property rights at stake (like in cocacola.biz). Amazon supposedly has said in a letter to the company, “NeuLevel is deriving enhanced revenues by selling chances to register or to challenge registration of domain names that incorporate famous trademarks such as AMAZON.COM.” NeuLevel counters with a reasonable-sounding point: other firms, such as Amazon Imaging Inc., might reasonably stake a claim to the address www.amazon.biz. “Because amazon.com and amazon.biz exist in different top-level domains, they resolve to different and unique Internet addresses and thus can function and coexist without collision,” the suit says. Where’s Solomon when we need him?

The bottom line on all of this is, as I’ve said before, the new domain names will not provide any relief to the overcrowding of the .com top level domain. In a random check of .info registrations, the usual suspects held the domains coke.info, pepsi.info, nike.info, and nbc.info. How exactly is this better? If Amazon is insisting on getting Amazon.biz, even though they are by far not the only Amazon in the world, what can we expect of names like “Excel,” which are applied to various businesses in various industries? Trademark law allows this because a trademark only applies to a class of trade. The new gTLDs are not industry-specific, and so chaos will again reign, and the big companies will scoop up all the good names.

That being said, businesses need to evaluate the need for representation in the new gTLDs. Do you want your competition to register your name? Most businesses have no choice other than registering in all the gTLDs possible. It’s a shame ICANN has not come up with a better solution. Heck, at this point, we may not ever see a better solution.

IT Analysis

Briefly Noted

  • Shameless Self-Promotion Dept.: StratVantage’s P2P4B2B – Peer to Peer for Business Directory was featured in the July 16th issue of Network World File Sharing newsletter, along with some nice mentions of white papers I’ve done. Even more impressive is the fact that a search for “StratVantage” on Google now gets you two pages of hits! Hoohoo!
    NWFusion

One very confusing aspect about all the Code Red coverage involves whether or not Microsoft’s Personal Web Server is vulnerable. Microsoft requires you to install PWS when you install FrontPage, their Web authoring tool. Many FrontPage users probably did the install back when they were still learning about the Web and have forgotten that they are running a Web server on their computers. However, neither Microsoft nor CERT nor Information Warfare thinks PWS is vulnerable. Some reports claim PWS is vulnerable to Code Red when run on Windows NT or 2000, but Information Warfare says it doesn’t even run on 2000, and indeed I couldn’t install it on my Windows 2000 machine. PWS does run on Windows NT Workstation, according to the site. Whatever the real deal is, it just may be possible that some of these attacks are coming from people who do not know they are running PWS or Internet Information Server (IIS). However, your machine is not vulnerable unless you are running Windows NT or 2000.

Regardless of the possible Code Red vulnerability, you should probably not be unintentionally running a Web server, as they can expose you to threats without your knowledge. You can check to see if PWS or IIS is running on your machine. One easy way is to see if you have either of the following directories: C:/Webshare/Wwwroot or C:/InetPub/Wwwroot. These are the default root directories of various versions of PWS and IIS. Another way is to go to Control Panel and see if you have a Personal Web Server icon. If you are running PWS, I recommend uninstalling it just to be safe. If you are running IIS, a patch is available on Microsoft’s Code Red page. By the way, it is important to note that the Microsoft patch that fixes the vulnerability only prevents future infections. If you are infected, you need to remove the file /inetpub/scripts/root.exe in order to disable the backdoor installed by Code Red.
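The directory and backdoor checks described above can be scripted. The following is an added example, not part of the original newsletter: it looks under a drive root (a live C:\ or a mounted disk image) for the two default web roots and for root.exe, matching names case-insensitively as Windows does. The function names and the sample tree are assumptions made for illustration, and a directory's presence only suggests the server was installed.

```python
import os
import tempfile

# Paths taken from the text above, as components relative to the drive root.
WEB_ROOTS = {"PWS": ("Webshare", "Wwwroot"), "IIS": ("InetPub", "Wwwroot")}
BACKDOOR = ("inetpub", "scripts", "root.exe")


def find_ci(base, parts):
    """Resolve parts under base ignoring case (Windows names are
    case-insensitive; a mounted image on Linux is not). Returns path or None."""
    path = base
    for part in parts:
        try:
            names = os.listdir(path)
        except OSError:  # missing, unreadable, or not a directory
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path


def audit_drive(drive_root):
    """Report which paths exist and the actions the text recommends for them."""
    found = {}
    for name, parts in WEB_ROOTS.items():
        p = find_ci(drive_root, parts)
        found[name] = p if p and os.path.isdir(p) else None
    bd = find_ci(drive_root, BACKDOOR)
    found["backdoor"] = bd if bd and os.path.isfile(bd) else None
    advice = {"PWS": "uninstall PWS", "IIS": "apply the IIS patch",
              "backdoor": "remove root.exe (the patch does not remove it)"}
    return {"found": found, "actions": [advice[k] for k in advice if found[k]]}


def build_sample_drive():
    """Constructed sample: a temp tree laid out like an infected IIS host."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Inetpub", "wwwroot"))
    os.makedirs(os.path.join(root, "Inetpub", "Scripts"))
    open(os.path.join(root, "Inetpub", "Scripts", "ROOT.EXE"), "wb").close()
    return root


if __name__ == "__main__":
    print(audit_drive(build_sample_drive()))
```

On a real machine, pass the drive root (for example `"C:\\"`) to `audit_drive` instead of the constructed sample tree.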

Finally, system administrators can get a scanning tool to identify vulnerable computers from eEye. And Microsoft has released Personal Security Advisor, which takes a look at your NT or 2000 system and finds common misconfiguration problems.
FightBack Script
