Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

October 2005 Archives

Passports to Embed RFID Chips

After receiving thousands of comments (98% of which were opposed to the idea), the US government has given privacy a hearty Bronx cheer and decreed that US passports will have RFID chips embedded. No longer does an identity thief need to open your mail or break into your bank; now he just needs to walk near you with a scanner. Thanks, Condoleezza.
By Periodik Labs on October 28, 2005 1:42 PM

The Final Nail in SSLv2's Coffin

SSL version 2, which suffers from known security flaws, will soon be dead. Microsoft will disable SSLv2 by default in Internet Explorer 7, which effectively means that web sites that still require SSLv2 will no longer be able to do so. It's about time.
By Periodik Labs on October 26, 2005 10:18 AM

A Cisco Hygiene Problem

The Chief Security Officer at Cisco says that the company's users have a "hygiene" problem. What he means is that not enough Cisco network administrators keep up to date on their software security patches. As the SANS editors point out, the problem is not that administrators don't want the latest version of IOS, it's just that installing a new version of IOS is such a pain in the neck that they are loath to do it. A single IOS vulnerability can mean weeks of upgrading for any large Cisco shop. The last time I upgraded IOS on a single Cisco access point it took over an hour. Granted, some of that time was spent re-reading the instructions (I don't do this very often, and keeping hardware up to date is not really part of my job description), but multiply even a fraction of that times several thousand access points, routers, switches, et al., and you get an idea of the scale of the problem.
Andy Hertzfeld tells the story of Steve Jobs coming to his cube and telling him to make the Mac boot faster. Cisco can save dozens of lives by coming up with a better patch system — one that doesn't require taking the hardware out of service, uploading an entire new IOS image, and re-checking the configuration before returning the device to service.
By Periodik Labs on October 25, 2005 5:58 PM

Rootkits Go Professional

"The professionalism of these rootkits is coming to another level," said Alan Shimel, chief strategy officer at StillSecure. He's talking about the latest wave of malware, which seems to be of a much higher quality. Rootkit authors have created generic tools to bypass detection software. All a script kiddie needs to do is to get one of these kits, wrap their own nefarious payload in it, and set it loose on the net to create their own spambots, DDoS zombies, or simply wreak havoc on users' hard drives. It's days like these that make me glad I'm primarily a Mac user (not that Macs are invulnerable, of course, though they do have a lot fewer incidents).
By Periodik Labs on October 21, 2005 10:06 AM

GPS Saves Telephone Lineman

An SBC lineman who crashed his work van into a remote ravine was saved when other employees noticed he was missing and activated the van's GPS locator. It's nice to see that there is a use for these devices other than just spying on employees.
By Periodik Labs on October 19, 2005 9:34 AM

Multiplex Your Wi-Fi Card

Microsoft has created a new piece of software called VirtualWiFi that allows a single Wi-Fi card to be connected to multiple networks simultaneously. I haven't downloaded the source, but reading the site suggests that it is implemented something like preemptive multitasking. That is, connections are made to multiple access points and the software rotates through them, sending and receiving data as necessary. The software deals with each access point individually, but by rotating through all access points quickly, it gives the appearance of simultaneity.
By Periodik Labs on October 18, 2005 12:25 PM

Yahoo/MSN Joint IM: Virus Invitation?

Is the joint Yahoo/MSN instant messaging initiative going to be a target for virus writers? Yes, but that doesn't mean that they shouldn't go through with it. According to the article, the two already account for a combined 69% of IM worms, so it really can't get much worse for them.
By Periodik Labs on October 13, 2005 10:10 AM

Build Security In

The Department of Homeland Security has started a program, "Build Security In", with best-practices security guidance for software developers. It's new, so a lot of the advice is pretty well known already ("strcpy() considered harmful"), but it shows a lot of promise. I've bookmarked the site.
By Periodik Labs on October 12, 2005 10:52 AM

E.C. Looking Into Microsoft Security Moves

An investigation by the European Commission will try to determine if Microsoft's new anti-virus and anti-spyware products violate anti-trust statutes. I have mixed feelings: on the one hand, as an ISV, I understand the concern about Microsoft stepping on the toes of other ISVs. On the other hand, many of the businesses complaining have made billions on the security holes present in Windows. If these holes are closed, that's not a bad thing for consumers. I suspect that Microsoft is reluctantly entering the desktop security space — they've wanted to stay out of it, close the holes at the OS level and leave the rest to Symantec and its ilk, but the situation just got too bad, the complaints too overwhelming. Windows is now synonymous with insecurity, and the only company that can rectify that is Microsoft.
By Periodik Labs on October 11, 2005 10:06 AM

Net Blackout Could Lead to New Regulations

The fussin' and feudin' between Level 3 Communications that led to Level 3 shutting down their peering connection last week has some in Congress upset. Just what the net doesn't need: a nice fat layer of bureaucracy. What a dunderheaded move by Level 3, pissing off their customers ("you shut off a good portion of our internet connectivity because you're in a pissy mood?!?") and the folks in government with the power to make their lives unpleasant.
By Periodik Labs on October 10, 2005 9:48 AM

SF Wi-Fi: Won't Someone Think of the Children?

San Francisco Chronicle columnist Debra J. Saunders doesn't think that San Francisco should roll out municipal Wi-Fi because many of its children can't read. What's more, the network will be a "white elephant" because at some point in the future, newer Wi-Fi standards will make the current equipment obsolete. She also apparently believes that since the network hasn't yet been built, it never will be built ("it's vaporware!"). Finally, because the mayor didn't return her phone call, she feels that he doesn't understand technology. It's impressive that Saunders could pack so many straw man arguments into such a short column.
By Periodik Labs on October 6, 2005 11:08 AM

Phishing Illegal in California

Actually, phishing has always been illegal, but now you can sue for civil damages in California. Not that it will do much good: if the threat of going to prison didn't dissuade phishers, the threat of getting sued won't either. Plus, while you might win your lawsuit here in California, just try collecting your damages from the Romanian teenager you defeated in court.
By Periodik Labs on October 5, 2005 9:51 AM

A Candidate for Identity Theft?

Judge Richard Kramer of San Francisco Superior Court doesn't think that people who have had their identity stolen need to know about it: "I don't see the emergency," he said. It seems that Judge Kramer has never had his identity stolen. The ruling stating that Visa is not responsible for notifying cardholders is based on a technicality. Because consumers are not direct customers of Visa — they are customers of the bank that issued the card — it's the bank's responsibility to tell them that their identity has been compromised.
Fortunately for consumers, the CardSystems case involves the theft of credit card numbers, not additional identity information such as social security numbers, meaning any damage caused is likely to be easily reversible. As the article points out, the real losers are the merchants who unwittingly accept the stolen credit cards. They will be left on the hook for the cost of the goods sold. That's the way it works with the credit card companies: they claim to protect you from liability from fraudulent charges, but the cost is really borne by merchants.
By Periodik Labs on October 4, 2005 10:19 AM