Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

August 2005 Archives

Hurricane Relief Wi-Fi from T-Mobile

via Wi-Fi Networking News
By Chris on August 31, 2005 10:53 AM |

Another Personal Faraday Cage

One company is already selling paint that it claims will prevent Wi-Fi signals from permeating a wall, and now Intel has a somewhat more sophisticated method. Their technique (let's call it "Wi-Dar") uses the time it takes for a packet to travel between a mobile device and the wireless access point and back. The access point can then calculate its distance from the mobile device, and use that measurement to determine whether or not to grant access.
If the technique proves effective, you'll still need to provide encryption and some higher level form of user authentication as Intel's method proves only location, not identity. However, it's still an interesting new approach.
By Chris on August 30, 2005 7:55 PM |

Photoshop: The Next Hacker's Tool

Remember the last time your bank mailed you your PIN number? Probably not, although if the envelope containing the PIN had been opened and resealed you may remember the occasion. Now, researchers at the University of Cambridge have shown that the bad guys can read your PIN even without opening the envelope. In addition to the low tech "hold it up to a bright light and read the text through the envelope" approach, they also scanned the sealed envelopes, and with a little Photoshop manipulation, were able to read the contents.
While this attack is troubling, it is both easy to defeat and unlikely to happen in the real world. It's easy to defeat because opaque envelopes — foil-lined ought to do the trick — eliminate the ability to read the envelope's contents without breaking the seal. It's unlikely to happen because of the difficulty of ferreting out PIN number mailers from the barrage of innocuous junk mail that banks typically send out (unless, of course, you go through the PIN mail at its source — the office that creates and mails the PINs, but that can be secured separately). For instance, I get a PIN mailed to me once every couple of years, while during that same period I get literally hundreds of "time to refinance!" offers from banks.
By Chris on August 29, 2005 9:39 AM |

The CHP Busts the Geek Squad

Silly security: the California Highway Patrol is making the Geek Squad repaint their black and white VW Beetle because they "look so much like their patrol cars." A CHP spokesperson said:
If a new driver or an older driver sees this black and white vehicle they might think it's the police — they've got uniforms on and they've got badges on and could be mistaken for an officer.
It would be funny if the CHP hadn't actually issued a ticket to a Geek Squad employee for impersonating an officer.
By Chris on August 26, 2005 9:59 AM |

Gmail Account Authentication

Gmail started out limiting accounts to people who had been invited by other Gmail account holders. Now they've opened up access to everyone (well, everyone in the US for now), but with a twist: before you can create an account, you must register your cell phone number with Google. After entering your number, Google will send you an SMS message with a number that has to be entered at the Gmail web site to complete the account creation. The apparent idea is to prevent fraudsters from getting anonymous email accounts — at a minimum, Google has a valid cell phone number to verify a user's identity.
By Chris on August 25, 2005 10:35 AM |

Bank Heist Via Wi-Fi

A thief used an unsuspecting user's unsecured home Wi-Fi network to break in to a Finnish bank's computer system and steal about $245,000. According to the article, "Finland called on its citizens to take more care securing their Wi-Fi networks." I'd also recommend that Finnish banks take more care in their hiring practices, as the heist was pulled off by an insider.
The way the thief was caught shows that not only is he dishonest, but incompetent as well: as the "head of data security" for the bank, he should have known that he hadn't covered his tracks. The police tracked the break-in back to the unsecured network, and then checked the Wi-Fi access point's logs for a record of the MAC addresses that had recently been connected. The thief's MAC address had been logged, and when the bank checked its records, it discovered that the MAC address corresponded to the laptop that had been issued to the thief.
By Chris on August 24, 2005 9:55 AM |
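
The correlation the police and the bank performed, as an added example that is not part of the original post: it parses access point association records, normalizes the MAC notation, and looks each station up in an asset inventory. The log format, the inventory, and every address below are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample data: association records from a home access point
# and a corporate asset inventory. All values are invented.
AP_LOG = """\
2005-08-10 21:14:02 wlan: STA 00:0d:93:aa:10:01 associated
2005-08-11 02:41:17 wlan: STA 00-11-24-BB-20-02 associated
2005-08-11 02:58:40 wlan: STA 00-11-24-BB-20-02 disassociated
2005-08-11 09:03:55 wlan: STA 0016.cbcc.3003 associated
"""
INVENTORY = {  # normalized MAC -> (asset tag, assigned user)
    "001124bb2002": ("LT-0417", "head of data security"),
    "000a95dd4004": ("LT-0388", "teller workstation"),
}

LINE = re.compile(r"^(\S+ \S+) \S+ STA (\S+) (associated|disassociated)$")

def normalize_mac(raw):
    """Reduce colon, dash, or dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def correlate(log_text, inventory, start, end):
    """Return inventory hits for stations that associated inside [start, end]."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) != "associated":
            continue  # skip unparseable lines and disassociation events
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        mac = normalize_mac(m.group(2))
        if start <= when <= end and mac in inventory:
            hits.append((when, mac) + inventory[mac])
    return hits

if __name__ == "__main__":
    # Constructed incident window: the night of the break-in.
    window = (datetime(2005, 8, 11, 2, 0), datetime(2005, 8, 11, 4, 0))
    for when, mac, tag, user in correlate(AP_LOG, INVENTORY, *window):
        print(f"{when} {mac} -> {tag} ({user})")
```

A MAC address can be changed in software, so a match like this is a lead to corroborate with other evidence rather than proof on its own.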

The Laws of Identity

The link whoring in it suggests that I shouldn't give this article on "The Laws of Identity" much credence, but it's still an interesting read. The most important law of identity is number two ("Minimal Disclosure for a Constrained Use"), and it's also the reason that the laws are mostly pointless. Yes, organizations should collect only the information they need; the problem is that there is a lot more information they want.
The problem with most identity system proposals (including any based on the ideas in the article) is that they aren't designed with the intention of benefiting consumers. The systems are designed to benefit businesses, and then are used to sell the systems to consumers. If Microsoft keeps a file on me, that's to their benefit, not mine. All I get out of the deal is some vague assurances that they'll try not to sell the information to identity thieves. My own policy is to not give out any unnecessary information rather than trust a website's promise.
By Chris on August 23, 2005 10:45 AM |

Revisiting Wi-Fi Zombies

A few months ago, Glenn Fleishman examined the problem coffeehouse owners are seeing with logged-in-but-socially-disconnected Wi-Fi users. Since then, researchers have begun to look into the problem. They are beginning to work on ways to use free Wi-Fi access to involve users with each other rather than having it isolate individual users. I'm a dedicated Wi-Fi user, but I still think the best way to interact with others is simply to close the lid on the laptop.
By Chris on August 22, 2005 10:49 AM |

Better Attacks Against SHA-1

Back in February, a Chinese research team reported a practical attack on SHA-1, a significant breakthrough showing weaknesses in the most common internet security protocols (including TLS, the basis for WPA Enterprise security). At this week's Crypto conference, the researchers showed some new improvements in their attack: prior to the February announcement, the best attack was brute force, which took (on average) 2^80 steps. In February, that was reduced to 2^69 steps (each time you knock off a power of 2, the attack is twice as easy). Now, they are reporting they can do it in 2^64 steps — well within the realm of the practical. Expect there to be a lot of work on crypto protocols in the coming months to come up with replacements for SHA-1.
By Chris on August 19, 2005 9:56 AM |

Mac OS X and 64 Bits

Apple released an update (Security Update 2005-007 v1.1) to its update today. They forgot to add 64 bit support, meaning that 64 bit applications failed to work after the update. Most notably, Mathematica stopped working.
Is it that so few Mac OS X applications are 64 bit that Apple forgot to include support? I discussed moving Elektron to 64 bits back in February, and concluded that it wasn't possible due to limited system support. Only one system framework is 64 bit (the central framework against which all apps link, System.framework), leaving all subsidiary frameworks 32 bit. This means that until Apple moves forward with making subsidiary frameworks 64 bit (Elektron uses the LDAP, Cocoa, Carbon (yes, both of those last two), DirectoryService, SystemConfiguration, Security, and CoreFoundation frameworks), you won't see many 64 bit applications shipping. As a result, not many people were affected by this bug, but if you were, the fix is available now via Software Update.
By Chris on August 18, 2005 9:50 AM |

Optical Wireless for Security

The University of Oxford has developed a wireless networking system based on light transmissions. I'm hardly an expert, but it sounds like they've created a fiber optic system that does away with the fiber. They're pitching it as a security measure — it requires line of sight — but I'm at least as interested in the transmission speed: 155 Mbps.
By Chris on August 17, 2005 11:35 AM |

Identity Thief Gets a Job Making IDs

A man with a conviction for identity theft got a job making identity cards for the military. Unsurprisingly, he used his position to create fraudulent ID for — among at least 30 other people — a Pakistani arrested for a felony while carrying a card identifying him as a U.S. Army specialist.
A follow-up story makes the point about the insidious nature of the ID cards created: they aren't fake IDs, they are real IDs, but fraudulently obtained. That means in the absence of any other information, a check of the ID card would show it as being legitimate. This is one of the tools the 9/11 terrorists used to limit scrutiny of their actions. A number of them were carrying real, albeit fraudulently obtained, Virginia driver's licenses when they boarded their planes. There's no indication that any terrorists obtained IDs from the man arrested in this case, but hopefully his superiors will perform some background checks before hiring his replacement.
By Chris on August 16, 2005 8:54 AM |

Security Update 2005-007

Apple released Security Update 2005-007 today. Lots of updates touching on all aspects of the OS — including nasties like a fix for an AppKit bug that allows specially crafted RTF files to execute code. It's available now via Software Update (Apple Menu->System Preferences->Software Update->Check Now).
By Chris on August 15, 2005 3:49 PM |

Unintended Side Effects

From the it-would-be-funny-if-it-weren't-true department: a program intended to speed travelers through security checkpoints — a laudable goal — has one consequence its designers didn't consider: giving terrorists advance warning that they are under suspicion. Oops. From the essay:
And even worse, the system lets terrorists test the system beforehand. Imagine you're in a terrorist cell. Twelve of you apply for the card, but only four of you get it. Those four not only have a card that lets them go through the easy line at security checkpoints; they also know that they're not on any terrorist watch lists. Which four do you think will be going on the mission? By "pre-approving" trust, you're building a system that is easier to exploit.
By Chris on August 15, 2005 11:30 AM |

It Ain't Deleted Til It's Deleted

According to Microsoft, an incriminating piece of evidence in their case against an employee who defected to Google was found in the Recycle Bin of the employee's Microsoft-owned computer. If this guy is so brilliant, why didn't he know that dragging a file to the Recycle Bin doesn't actually delete it? Even after emptying the Recycle Bin, the file is still around on the hard drive and can be recovered by computer forensics tools. And really, what was he doing talking to his employer's competitor using his employer's hardware?
The best defense against having your files read is to maintain control of your PC, both from a software perspective and retaining physical possession of the hardware. If you must give up control, there are literally dozens of tools available that will securely erase files on your hard drive by overwriting their bits on the disk. I personally use PGP, but the brilliant search engine scientist could have used a search engine to find a number of others.
By Chris on August 12, 2005 9:37 AM |
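
Why an ordinary delete leaves data recoverable while an overwrite does not, as an added example that is not part of the original post. It uses a deliberately simplified disk model (the `ToyDisk` class, its block size, and the sample file are constructed here and do not represent any real filesystem or erasure tool).

```python
BLOCK = 64  # bytes per block in this constructed model

class ToyDisk:
    """Simplified model: a flat block device plus a name -> block-list directory."""
    def __init__(self, nblocks=16):
        self.raw = bytearray(nblocks * BLOCK)
        self.directory = {}
        self.free = list(range(nblocks))

    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def delete(self, name):
        """Ordinary delete: drop the directory entry and mark the blocks
        free. The bytes in those blocks are left exactly as they were."""
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name):
        """Overwrite every block the file occupies, then delete it."""
        for b in self.directory[name]:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.delete(name)

def carve(disk, needle):
    """The essence of file carving: search the raw device for content,
    ignoring what the directory says exists."""
    return needle in disk.raw

if __name__ == "__main__":
    memo = b"constructed sample memo text"
    for method in ("delete", "secure_delete"):
        disk = ToyDisk()
        disk.write_file("memo.txt", memo)
        getattr(disk, method)("memo.txt")
        print(f"{method}: listed={'memo.txt' in disk.directory} "
              f"recoverable={carve(disk, memo)}")
```

On real hardware, flash wear leveling, journaling, snapshots, and backups can keep copies that an in-place overwrite never touches, so the model shows the principle rather than a guarantee.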

The Rise of the Digital Thugs

MicroPatent, an intellectual property firm, found itself being extorted by a cyber criminal demanding millions in exchange for not releasing the company's private, proprietary information. The thief masked his whereabouts by using the unsecured Wi-Fi networks of unsuspecting homeowners.
Hopefully I'm wrong, but it's cases like these that make me think that sometime in the future Wi-Fi network owners could be held liable for the malicious use of their networks. We've seen cases of open Wi-Fi networks being accessed for sending spam, downloading child pornography, and now extortion. Since the actual criminals can be difficult to track down, it wouldn't be surprising to see civil or criminal suits brought against an easier target, the owners of the networks used by criminals. Of course, the easiest way to avoid this is to simply enable WPA Personal on your home network. It's simple, it's secure, and it's supported by most everything out there (OK, not by pre-XP Windows or pre-Panther Mac OS X, but this gives you a good excuse to upgrade!)
Wi-Fi Networking News
By Chris on August 11, 2005 9:35 AM |

Spyware Ring Cracked

A company called Sunbelt Software has discovered a wide-ranging identity theft ring based on the infamous CoolWebSearch spyware. The program logs keystrokes and uploads the collected information to a public website. The data collected includes credit card numbers, social security numbers, PINs, and passwords. Normal website SSL security was bypassed because the program recorded directly what was typed on the keyboard.
Perhaps worst of all, the information was uploaded to a web server where it was left in a public directory accessible to anyone on the internet. By watching the malware's behavior, the researchers were able to find the website address and view some of the purloined personal information. Among the information available was an account number and password usable to access one bank account that contains US$350,000.
Spyware is getting scarier every day. It is moving from the realm of mere annoyance and is becoming a real threat. Fortunately, the FBI has responded in this case, and will hopefully be able to arrest and prosecute the offenders.
via Ars Technica
By Chris on August 9, 2005 7:57 PM |

Another Wi-Fi Criminal

Following the arrest of a man in Florida for stealing Wi-Fi comes the conviction of a man in London for doing the same. He has been fined £500 and received a 12 month suspended sentence. London is a notoriously expensive city, but that's still a pretty significant amount of money for casual use of open Wi-Fi networks.
As in the Florida case, the man was arrested after complaints from neighborhood residents. And again like the Florida case, it appears the residents were more concerned about a prowler than about Wi-Fi theft.
By Chris on August 8, 2005 9:06 AM |

Elektron 1.1.3

Elektron 1.1.3 is available for download. It includes some bug fixes, most notably for a problem with case-sensitivity in usernames.
By Chris on August 5, 2005 12:03 PM |

The Wall of Sheep

At Defcon this week, users accessing the internet through the unsecured Wi-Fi connection had their usernames and part of their passwords displayed on “The Wall of Sheep.” I'm sorry I missed the conference; it sounds like there were a lot of interesting sessions: an RFID exposé, ATM hacking, Phil Zimmermann calling the internet a "crime ridden slum", and — of course — the infamous Cisco vulnerability talk.
By Chris on August 4, 2005 10:02 AM |

Record Wi-Fi Link

I'm not sure what the point of this effort was, other than to simply see if it could be done, but a group from Ohio set a record for the longest unamplified Wi-Fi link at 125 miles. The link required a 12 foot wide satellite dish to achieve, so don't expect to be stuffing this hardware into your laptop bag anytime soon.
By Chris on August 3, 2005 12:05 PM |

Bypassing Windows Genuine Advantage

That was fast (and easy!): there's a trivial way to get around the "Windows Genuine Advantage" check to update your copy of Windows XP. As you'll recall, Windows Genuine Advantage checks the validity of your Windows XP license before allowing you to access the Windows update site.
In case you're wondering, the Javascript command you need is javascript:void(window.g_sDisableWGACheck='all')
By Chris on August 2, 2005 9:30 AM |

Mac OS X DRM

There's a discussion on Slashdot about Mac OS X-on-Intel's use of TCPA DRM, with the usual Slashdot hyperbole about the end of the world when someone mentions "DRM". We don't yet have one of the Mactel developer machines for me to check this out myself, but based on the information circulating around the net, it looks like Apple is using TCPA to lock Mac OS X to Apple hardware. This is hardly surprising, given that most of Apple's revenue derives from hardware sales.
By Chris on August 1, 2005 9:39 AM |