February 28, 2006

J.D. Power and Associates Reports: Banking Customers Prefer to Bank Online More Than Interacting With Branch Tellers

WESTLAKE VILLAGE, Calif., Feb. 28 /PRNewswire/ -- With transaction times nearly three times faster than those with a branch teller, online banking is the preferred transaction method among banking customers, according to the J.D. Power and Associates 2006 Retail Banking Satisfaction Study(SM) released today.

The inaugural study, which focuses on performance among the nation's
largest banks, analyzes the retail banking experience from two points of
view -- customer satisfaction and customer commitment.

The study finds that transactions have the greatest impact on a customer's
overall satisfaction with their bank. The average online transaction takes
just 2.8 minutes to complete, compared to 7.7 minutes of combined wait and
transaction time with a branch teller. Overall, in-person branch transactions
are conducted most frequently and are next highest in satisfaction, followed
by ATM and online transactions.

"Banks certainly face a challenge in today's extremely competitive market
in that customers crave the convenience of banking online, yet still also
require a personal touch," said Jeff Taylor, director of the banking practice
at J.D. Power and Associates. While customers appreciate the convenience of
banking online, those who visit the branch less often tend to demonstrate
lower satisfaction levels.

The study also finds that many customers view bank products as a commodity:
products that once helped attract new customers, such as free
checking, are now widely offered and expected by customers. Currently
90 percent of banking customers indicate having free checking, and 94 percent
of banks offer free online banking and free debit cards.

"As it becomes increasingly difficult for banks to differentiate
themselves from their competitors, they constantly have to find opportunities
to be innovative in attracting the attention of potential customers," said
Taylor. "Online products and services represent a clear opportunity for banks
to differentiate themselves to potential customers."

The second dimension of the study, which analyzes customer commitment,
gives the industry a more complete picture of a customer's revenue potential
to the bank. Customer satisfaction is a major aspect influencing customer
commitment to the bank, in addition to brand image and a customer's propensity
toward loyalty.

The study finds a strong positive relationship between customer commitment
levels and the number of revenue-generating banking products a customer
utilizes, as well as the number of times a customer recommends the bank to
others. Customers with commitment levels in the top 25 percent use an average
of 3.3 banking services, compared to 2.5 for those in the bottom 25 percent.
Fifty-five percent of highly committed customers also have loans with their
primary bank and make 6.6 recommendations of the bank to others. Among those
with low commitment, just 31 percent have loans with the bank, and they
average fewer than one recommendation. Overall, the retail banking industry
enjoys a commitment level of 28 percent, compared to 13 percent, on average,
in other industries measured by J.D. Power and Associates.

Commerce Bank, Downey Savings and Loan and USAA are among banks that
record particularly high levels of both customer satisfaction and customer
commitment.

"We find that banks with strong brand image can have highly committed
customers, despite lower satisfaction scores, and vice versa," said Taylor.
"But overall, customer satisfaction and commitment are closely entwined.
Satisfaction is what banks can control, while brand image and commitment is
developed over time. Banks that understand and analyze this relationship are
better equipped to develop strategies to attract and retain customers."

The 2006 Retail Banking Satisfaction Study is based on responses from
12,904 households regarding their experiences with their primary banking
provider. The study was fielded in October 2005. Complete customer
satisfaction rankings of banks in the New York Metro area and the state of
California will be released in late March and late April, respectively.

About J.D. Power and Associates
Headquartered in Westlake Village, Calif., J.D. Power and Associates is an
ISO 9001-registered global marketing information services firm operating in
key business sectors including market research, forecasting, consulting,
training and customer satisfaction. The firm's quality and satisfaction
measurements are based on responses from millions of consumers annually.
J.D. Power and Associates is a business unit of The McGraw-Hill Companies.

About The McGraw-Hill Companies
Founded in 1888, The McGraw-Hill Companies is a leading global information
services provider meeting worldwide needs in the financial services, education
and business information markets through leading brands such as Standard &
Poor's, McGraw-Hill Education, BusinessWeek and J.D. Power and Associates.
The Corporation has more than 290 offices in 38 countries. Sales in 2005 were
$6.0 billion. Additional information is available at
http://www.mcgraw-hill.com.

J.D. Power and Associates Media Relations Contacts:

John Tews
Director, Media Relations
Troy, Mich.
(248) 312-4119
john.tews@jdpa.com

Peter Dadlani
Supervisor, Media Relations
Westlake Village, Calif.
(805) 418-8103
peter.dadlani@jdpa.com

No advertising or other promotional use can be made of the information in
this release without the express prior written consent of J.D. Power and
Associates. http://www.jdpower.com

February 28, 2006 at 11:01 AM in Education

February 27, 2006

SOA and Grid

The emergence of service-oriented architecture and grid computing offers banks the promise of a flexible, scalable IT infrastructure. But creating an open architecture doesn't come without challenges, such as upgrading legacy systems and changing established behaviors.
By Peggy Bresnick Kendler
February 27, 2006

Q: What is driving the adoption of service-oriented architecture (SOA) by banks?

Alan Goldstein, Bank of New York: The way we measure the business value of an application is changing as IT gets more aligned with and accountable to business drivers. As a result, the tolerance once exhibited by business sponsors in accepting solutions that cannot be broadly leveraged is waning. This has created a greater impetus within the technology world to attempt to answer some of the challenges that inhibit broad reuse. The current industry iteration of SOA is perhaps the first genuine attempt to solve some of the perennial challenges (legacy reuse, interoperability, better ROI) in a united way. SOA is one of the first steps in addressing the necessity to modernize business capability using technology as opposed to making the capability fit within the constraints of technology.

Manuel Barbero, BearingPoint: SOA enables faster, cheaper application integration. It exists thanks to the adoption of Web-related technologies and constructs that make applications talk to one another in a standardized manner. Moreover, SOA makes the creation of enterprisewide, reusable services possible, and accelerates the creation of new applications as well as their integration with the plethora of disparate applications performing overlapping functions and storing redundant data.

Jim Gahagan, webMethods: The main driver for SOA adoption is the desire by banks to overcome the limitations of their legacy systems as well as their need to eliminate the operational silos separating various business units. By employing an SOA, banks are realizing greater reuse of existing IT assets while also reducing the cost to develop and implement new systems. SOA also allows banks to readily create and implement dynamic business processes that span disparate business units and more closely mirror actual customer requirements.

Q: What challenges and risks do banks face when pursuing SOA?

Goldstein, Bank of New York: Some of the initial challenges are getting familiar with the concept of a service, understanding the boundary conditions around what constitutes a service, implementing the processes to manage this orientation and associated service levels, and working through the underlying technology issues. Many of the obstacles are not technology related. Providing a suite of network-available services that comprehensively represent our business capabilities requires a holistic view of business services and how they translate to technical services. This requires a level of technical and business architectural maturity that is often difficult to achieve.

Our strategy to manage the risk around SOA is to try to understand the fundamental strengths and the value-add of this model as it relates to our business services. Clearly, not all business capabilities in their current forms can be objectively justified for SOA enablement. We go through a due-diligence process of assessing the current capabilities, identifying the needs and benefits to see what services fit into this model, augment the services if necessary and then finally orchestrate them using an SOA paradigm.

This also requires a mind-set change among the providers of the technology services. Once you start delivering capabilities broadly across many business lines, you encounter issues in which there is no obvious ownership. Long-term strategic planning requires business and technology unit managers to think as service owners, and offer a comprehensive service-level agreement for their services including enhancements, support and planning. Critical success factors include establishing a strong operational service infrastructure (service bus), and establishing a culture of ownership, service engineering, responsiveness and collaboration among the service owners.

Gahagan, webMethods: Many banks maintain a number of disparate and redundant systems. Culturally, banks often are unable or unwilling to share data, objectives or processes across siloed organizations. As banks move forward with SOA, they risk creating multiple "islands of SOA," effectively creating new silos within the IT infrastructure that require another layer of complex middleware to overcome. To minimize these risks, banks should employ a pragmatic, targeted SOA strategy and road map, with clear benchmarks for return-on-investment as the strategy unfolds.

Jamie Bernardin, DataSynapse: The primary risk to any application that is constructed by assembling these discrete services is that those services won't be available when the application must execute them. Web services tell us how to manage the interaction between client request and service response. However, if the services aren't there or don't respond in an appropriate amount of time, the application is at risk. Given this, organizations that are exposing services must take care to ensure that their services are always available and able to scale with demand.

Q: In what processes/applications have banks had the most success in deploying grid computing?

Goldstein, Bank of New York: Banks have had the greatest success in deploying grids in capital markets, fixed-income and currency derivatives applications. These high-performance computing applications use mathematically intensive calculations that require massive processor compute resources. Grid is the right solution for these because it's much cheaper to scale capacity horizontally using many low-cost small servers than to scale vertically using a single high-cost large server.

Bernardin, DataSynapse: The initial successes of grid computing were in the area of computationally intense applications. For instance, Monte Carlo simulations are easily parallelized and distributed to every compute node participating in the grid. The advantage should be clear—instead of executing these simulations on one server and grinding away for, in some instances, days, they now can be broken apart and distributed across hundreds or even thousands of compute nodes, resulting in dramatic reductions in the amount of time taken to complete. The result is that organizations using this technology are gaining a competitive edge. In the area of SOAs, the grid is the ideal platform on which to execute services because of its ability to virtualize the actual execution of the service away from the physical host on which the service is to be executed.

Q: How will SOA and/or grid change banks' computing environments, and what impacts will they have on IT organizations and end users?

Barbero, BearingPoint: Imagine being a credit risk analyst not having to log into six applications to get a single view of your client exposure. You run a risk model on your entire portfolio and get results within seconds, not minutes. As an end user, you just leveraged SOA, and grid computing helped you quickly marshal enormous computing resources. The IT group developed the application at a fraction of the cost and time it would otherwise need—that's what SOA and grid make possible.

Bernardin, DataSynapse: SOA and grid computing are natural partners. SOAs give organizations the ability to respond rapidly to evolving business requirements by leveraging existing value-add processes as discrete services; grid computing provides the virtual service infrastructure that will guarantee the availability of these services regardless of the demand placed upon them.

The impact that grid computing has on the IT organization cannot be overstated. Services executing on the grid are not tied to any particular host, so removing any one node (for hardware upgrades, for instance) has no impact on service execution. Adding new hardware to the grid is just as easy because it is the responsibility of the grid itself to ensure that nodes are appropriately provisioned with all of the services that are being managed on the grid. As for the end users, they benefit from increased response times and a wider array of available application services. --Peggy Bresnick Kendler


February 27, 2006 at 10:52 PM in Financial Services

Internet Subscriber Growth May Be Stalling, Report Suggests

By Jennifer LeClaire
TechNewsWorld
02/27/06 11:41 AM PT

The study found only 2 million offline homes are planning to get Internet services in 2006. Another 300,000 homes said they might subscribe if offered a cheaper service. At the same time, 14 million U.S. households do not have Internet service at home but access the Web at work or other locations, such as a library or an Internet cafe.

Most households that are not on the Web already have little intention of logging on. So says a study released by market researcher Parks Associates on Friday.

The study found few new households willing to subscribe to Internet services, which, the study predicted, would limit 2006 growth in overall Internet penetration to a meager 1 percent -- from 63 percent to 64 percent by year's end.

"We are clearly facing a problem of demand, not supply," said John Barrett, director of research at Parks Associates. "Computers and Internet service have never been cheaper, yet many households still show little enthusiasm for the technology."

Won't Subscribe at Any Price

According to Parks' latest National Technology Scan, a survey of 1,000 U.S. homes, there are currently an estimated 39 million homes without Internet access. Among these, only 8 million have a computer, an obvious prerequisite for Internet adoption. Moreover, the majority of these PC households will not subscribe to an Internet service at any cost, the study said.

Only 2 million offline homes are planning to get Internet services in 2006, according to Parks Associates' report. Another 300,000 homes said they might subscribe if offered a cheaper service. At the same time, 14 million U.S. households do not have Internet service at home but access the Web at work or other locations, such as a library or an Internet cafe.

Just Not Interested

Reasons given for the lack of interest vary. "We present them with several possible reasons, and their response is typically 'none of the above,'" Barrett said.

Among households that will not subscribe to an Internet service at any price, 31 percent said having access at work is sufficient for their Internet needs.

Another 18 percent simply claimed, "I am not interested in anything on the Internet." Thirty-nine percent of households cited "other" reasons for their lack of interest.

In other findings, 42 percent of U.S. households currently have dial-up connections, and 4 percent plan to upgrade this year. Eighteen percent of those households with dial-up connections, however, said they do not intend to upgrade.

Some Skepticism

Some analysts aren't buying the numbers. "I have not seen any slowing reported by the major ISPs. Eventually it will slow down because there are only a certain number of users in the country, but I don't see it happening yet," telecom analyst Jeff Kagan told TechNewsWorld.

The Internet is becoming more accessible, more user-friendly and more desirable to more people, Kagan said. Today, consumers are able to download songs, movie clips and television shows, thanks to broadband access that was unheard of 10 years ago.

"The Internet is quickly becoming a broadband tool. Most people do not get value in a dial-up world anymore," Kagan said, noting that broadband adoption continues to increase while prices decrease.

The Rise of Broadband

Prices appear to be falling steadily for broadband access. AT&T (NYSE: T) launched an online-only offer that provides high-speed home Web access for US$12.99 a month. Market broadband rates are currently holding at around $29 a month, putting AT&T's marketing ploy in line with dial-up rates.

Broadband penetration continues to climb, though analysts have said the double-digit growth of recent years will slow as the numbers grow. According to Nielsen//NetRatings, more than 42 percent of Americans now have broadband access at home, with some 60 percent of the Web site visits in the U.S. before the holiday season of 2005 coming from broadband connections.

"What Parks is reporting makes sense if you are thinking about the Internet from today's perspective of speed, service and price," Kagan said. "The Internet, though, is evolving, with new services, lower prices and faster speeds. I see continued growth."

February 27, 2006 at 10:00 PM in Internet evolution

February 24, 2006

Security of email

SECURITY OF PUBLIC WEB SERVERS

Shirley Radack, Editor

Computer Security Division

Information Technology Laboratory

National Institute of Standards and Technology

Electronic mail (email) is an essential communications tool for many industry, government, and academic organizations. Email is popular and convenient for exchanging messages, data files, images, and sound clips over computer networks and especially over the Internet. Two principal components, mail servers and mail clients, support the email processes. The mail server is the computer host that delivers, forwards, and stores the mail. Users interface with the mail client software to read, compose, send, and store email messages.

Because they are vulnerable targets for attack by malicious intruders, both mail servers and mail clients must be protected. In September 2002, the National Institute of Standards and Technology (NIST) issued NIST Special Publication (SP) 800-45, Guidelines on Electronic Mail Security, by Miles Tracy, Wayne Jansen, and Scott Bisker, to help federal agencies improve the secure design, implementation, and operation of their electronic mail servers and clients.

NIST SP 800-45 describes secure practices for the installation, configuration, and maintenance of mail servers and clients. Topics discussed in the guidelines include the security aspects of email standards, use of encryption standards, the security of the underlying operating systems, and the filtering of email content. The publication gives details on the use of devices such as firewalls, routers, switches, and intrusion detection systems to protect networks, and offers recommendations for managing the mail server in a secure manner using backups, tests, updates, patches, log reviews and records management practices. The appendices provide a glossary and information on mail-related standards and security tools. Also included in the appendices are discussions of the secure use of Microsoft, UNIX, and LINUX mail systems, references that are available in print and electronic format about protecting email systems, and a security checklist.

Along with other guidelines and recommendations, NIST SP 800-45 provides agencies with comprehensive information about protecting the computer and network systems that interact with and serve the public. NIST publications are developed primarily for the federal community, but should be useful to individuals, the private sector, and other public sector organizations. Other recent publications covering the security of publicly accessible systems include NIST SP 800-44, Security of Public Web Servers, and NIST SP 800-46, Security for Telecommuting and Broadband Communications. Summaries of these publications were featured in the November and December bulletins in this series. Information technology security publications and ITL bulletins are available in electronic format from the NIST website:

http://csrc.nist.gov/publications/


Vulnerabilities of Mail Servers and Clients

After web servers, an organization’s mail servers are typically the most frequent targets of attack as both mail servers and public web servers communicate to some degree with unknown parties, who may or may not be trustworthy. Attackers, with their thorough understanding of the supporting computing and networking technologies, have been successful in exploiting weaknesses in mail servers and clients.

Mail servers and clients can be vulnerable to events such as:

· Denial of service (DoS) attacks directed at the mail server or its supporting network, which can deny or hinder access to the mail server by valid users.

· Sensitive information on the mail server may be disclosed or changed in an unauthorized manner.

· Sensitive information that is transmitted unencrypted between mail server and email client may be intercepted. For example, the email software may default to sending usernames, passwords, and the email message itself without the protection of encryption.

· Information within the email message may be altered at some point between the sender and recipient.

· A successful attack on a mail server can be used to gain unauthorized access to resources elsewhere in the organization’s computer network, including user passwords and other computers on the network.

· A mail server that has been attacked can be used to attack another organization’s network, perhaps creating liability for damages to the sending organization.

· Attackers may use the organization’s mail server to send email-based advertisements (commonly referred to as spam).

· Viruses and other types of malicious code may be distributed to computers throughout an organization via email.

· Users may send inappropriate, proprietary, or other sensitive information via email. This could expose the organization to legal actions.


What Can Be Done to Improve Email Security

Mail servers, mail clients, and the network infrastructure that supports them must be protected to avoid the conditions that can lead to damage, compromise of information, and inconvenience. With good planning and rigorous implementation of secure configurations and operational procedures, organizations can operate successful electronic mail operations while protecting their networks and information resources.

The following actions will help organizations to improve their email security:

· Plan carefully and address the security aspects of the deployment of a mail server.

Careful planning is the essential first step to assuring that mail servers have been installed, configured, and implemented in a secure manner. It is more difficult to address security issues once deployment and implementation have been completed. A detailed and well-designed deployment plan enables the organization to make prudent decisions regarding the tradeoffs between usability, performance, and risks. A deployment plan makes it possible to maintain secure configurations and identify security vulnerabilities.

All mail server activities should be carried out in compliance with the organization’s plans and policies. Plans and policies should support the application of consistent management controls across the entire organization. This is essential in order to avoid variations in controls that can result when the information technology support staff becomes fragmented within the organization.

The following items should be considered when planning a mail server:

· Identify the purpose of the mail server and the information to be processed on or transmitted through the mail server.

· Identify the security requirements of the information.

· Identify other services to be provided by the mail server and their security requirements.

· Identify the location of the mail server, the network services to be provided, and the network service software on both the clients and the server.

· Identify the users or categories of users of the mail server and any support hosts.

· Determine the privileges that each category of user will have on the mail server and support hosts.

· Consider issues such as authentication methods, enforcement of access rules, cost, and compatibility with the existing infrastructure, employee skills, and vulnerabilities.

· Work closely with vendors in the planning stage.

The deployment plan should address the human resource requirements for both the deployment and the operational phases of the mail server and its supporting infrastructure. The following issues should be covered in the deployment plan:

· The types of personnel required, including the system and mail server administrators, network administrators, and information systems security officers (ISSOs).

· The skills and training required by assigned personnel.

· The levels of effort required of specific individuals and of the entire staff involved in deploying and operating the mail server.

· Implement appropriate security management practices and controls to assure that the mail server is maintained and operated securely.

Protecting the operating system helps to protect the mail server from exposure to danger. Appropriate management practices are essential to operating and maintaining a secure mail server. Security practices include the identification of an organization’s information system assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines. The goal is to ensure the confidentiality, integrity, and availability of information system resources.

The following practices are recommended.

· Create an organization-wide information system security policy that states the basic policy and outlines responsibilities within the organization for carrying out the policy.

· Control and manage the modifications to a system’s design, hardware, firmware, and software to assure consistency in handling changes and protection against improper modifications.

· Establish risk assessment and management procedures to collect and analyze data about assets, threats, and vulnerabilities. Based on the analysis of risks, select and implement controls to reduce risks to a level acceptable to the organization.

· Develop standardized software configurations for widely used systems and applications. This will provide guidance to mail server and network administrators on secure configurations that satisfy the information system security policy of the organization.

· Use security awareness and training programs to make users and administrators aware of their security responsibilities, correct practices, and individual accountability.

· Carry out contingency planning, continuity of operations, and disaster recovery planning to maintain operations if there are disruptions.

· Apply certification and accreditation techniques to analyze how well a system meets its security requirements. Document management acceptance of the analysis and the extent to which the system meets the technical requirements for security.

· Ensure that the mail server operating system is deployed, configured, and managed to meet the security requirements of the organization.

The operating system that supports the mail servers must be secure. It is important to check the hardware and software configurations, which may have been set originally to emphasize features, functions, and ease of use, rather than the security of the system. Since each organization has unique security needs, the mail server administrator should configure new servers to meet the organization’s requirements. As requirements change, systems should be reconfigured. NIST SP 800-45 provides references and information about automated tools to help mail server administrators develop and maintain operating system security. To secure the operating system, follow these steps:

· Patch and upgrade the operating system to correct known vulnerabilities.

· Remove or disable all unnecessary services and applications, and enable only those services that are required by the mail server.

· Configure the operating system to authenticate users.

· Configure access controls to specify access privileges to files, directories, devices, and other resources.

· Test the security of the operating system periodically to identify vulnerabilities and to validate the effectiveness of security measures.

· Be sure that the mail server application is deployed, configured, and managed to meet the security requirements of the organization.

In general, the same steps that are recommended for protecting the operating system also apply to the secure installation and configuration of the mail server application. The goal is to install the minimal amount of mail server services required and to eliminate any known vulnerabilities through patches or upgrades. The following steps should be followed to secure the mail server application:

· Patch and upgrade the mail server application to correct for any known vulnerabilities.

· Remove or disable unnecessary services, scripts, applications, and sample content.

· Configure mail servers to require authentication of users.

· Configure mail servers to implement the same or more restrictive controls on access to resources as those enforced by the operating system.

· Test the security of the mail server application.

· Consider implementing and using cryptography to protect user authentication and mail data.

Cryptographic functions have been added to standard email protocols to allow for encryption of the message, authentication of sending party, non-repudiation of the message, and integrity of the message. Mail protocols can be attacked when they default to unencrypted user authentication and send email data in the clear (unencrypted). Attackers can intercept this data, compromise a user’s account, and alter unencrypted messages. At a minimum, organizations should consider encrypting the user authentication information even if they do not encrypt the email message. Encrypted user authentication is now supported by most standard and proprietary mailbox protocols.

There are many issues to be considered regarding the encryption of email. Encrypting email places a greater load on the user’s computer and on the organization’s network infrastructure. Encryption may complicate virus scanning and mail content filtering, and usually entails significant administrative overhead. However, for many organizations, the benefits of email encryption will outweigh the costs.
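One way to check a server for the unencrypted-authentication default described above, as an added example that is not part of the NIST bulletin: it parses what a server advertises in reply to SMTP EHLO or IMAP CAPABILITY on a session that has not yet negotiated TLS and reports where a password could cross the wire in the clear. The function names, the host name and the four transcripts are constructed for illustration.

```python
"""Audit mail-server capability replies for password exposure before TLS.

Input is the text a server returns to SMTP EHLO or IMAP CAPABILITY on a
cleartext session. All transcripts below are constructed samples.
"""
import re

# SASL mechanisms that send the reusable password itself (base64 is not encryption).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_smtp_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    caps = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = re.match(r"^250[- ](.*)$", line)
        if not m:
            raise ValueError("not a 250 EHLO reply line: %r" % line)
        if i == 0:
            continue  # first line carries the server domain, not an extension
        words = m.group(1).split()
        if words:
            # Some servers write "AUTH=LOGIN PLAIN"; normalise to keyword + params.
            head, _, rest = words[0].partition("=")
            params = ([rest] if rest else []) + words[1:]
            caps.setdefault(head.upper(), []).extend(p.upper() for p in params)
    return caps


def audit_smtp(reply):
    """List findings for an EHLO reply captured before STARTTLS."""
    caps = parse_smtp_ehlo(reply)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS offered: session cannot be upgraded")
    exposed = sorted(CLEARTEXT_MECHS & set(caps.get("AUTH", [])))
    if exposed:
        findings.append("AUTH %s offered before TLS" % "/".join(exposed))
    return findings


def parse_imap_capability(reply):
    """Return the capability atoms from '* CAPABILITY ...' or '* OK [CAPABILITY ...]'."""
    for line in reply.splitlines():
        m = re.match(r"^\*\s+(?:OK\s+\[)?CAPABILITY\s+([^\]\r\n]*)",
                     line.strip(), re.I)
        if m:
            return {atom.upper() for atom in m.group(1).split()}
    raise ValueError("no CAPABILITY data found")


def audit_imap(reply):
    """List findings for IMAP capabilities captured before STARTTLS."""
    caps = parse_imap_capability(reply)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS offered: session cannot be upgraded")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command accepted before TLS (LOGINDISABLED absent)")
    exposed = sorted(m for m in CLEARTEXT_MECHS if "AUTH=" + m in caps)
    if exposed:
        findings.append("AUTHENTICATE %s offered before TLS" % "/".join(exposed))
    return findings


# Constructed transcripts (mail.example.test is a placeholder host).
SMTP_WEAK = ("250-mail.example.test Hello\n250-SIZE 10240000\n"
             "250-AUTH PLAIN LOGIN\n250 8BITMIME\n")
SMTP_MIXED = ("250-mail.example.test Hello\n250-STARTTLS\n"
              "250-AUTH=LOGIN PLAIN\n250 8BITMIME\n")
SMTP_HARDENED = ("250-mail.example.test Hello\n250-SIZE 10240000\n"
                 "250-STARTTLS\n250 8BITMIME\n")
IMAP_WEAK = "* CAPABILITY IMAP4rev1 AUTH=PLAIN IDLE\nA1 OK done\n"
IMAP_HARDENED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\n"

if __name__ == "__main__":
    for name, fn, sample in [("smtp weak", audit_smtp, SMTP_WEAK),
                             ("smtp mixed", audit_smtp, SMTP_MIXED),
                             ("smtp hardened", audit_smtp, SMTP_HARDENED),
                             ("imap weak", audit_imap, IMAP_WEAK),
                             ("imap hardened", audit_imap, IMAP_HARDENED)]:
        print(name, "->", fn(sample) or "ok")
```

A hardened server advertises password mechanisms only after the TLS upgrade, so the same check run on the post-STARTTLS capability list is expected to show AUTH.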

· Use the network infrastructure to protect the mail servers.

The network infrastructure, including the firewalls, routers, and intrusion detection systems that support the mail server, plays a critical role in maintaining the security of the mail server. In most configurations, the network infrastructure will be the first line of defense between potential attackers using the Internet and the mail server. Network design alone, however, cannot protect a mail server. Attacks have been too frequent, sophisticated, and varied. The best defense is through the application of diverse and layered protection mechanisms.

· Continue to maintain the security of mail servers in an ongoing process.

Maintaining a secure mail server requires continued effort, resources, and vigilance from an organization. Daily attention to the administration of a mail server is essential. The following steps are recommended for maintaining the security of mail servers:

· Configure, protect, and analyze the log files of information about access and use of the mail server.

· Back up the data on the mail server frequently.

· Analyze intrusions and protect against malicious code (e.g., viruses, worms, Trojan horses).

· Establish and follow procedures for recovering from compromise.

· Test and apply patches in a timely manner.

· Test the security of the system periodically.


About Standards for Secure Electronic Mail

Standards are critical to the successful exchange of email. Standards for electronic mail have been developed by the Internet Engineering Task Force (IETF), a large open international community of network designers, operators, vendors, and researchers, who are concerned with the evolution and operation of the Internet architecture. The standards cover the composition, formatting, transmission, delivery, and storage of email, and they often reference other standards issued by the International Organization for Standardization (ISO) and the International Telecommunication Union (ITU). The handling of an email message involves many complex steps, and the use of standards makes it possible for different systems to interchange messages. The relevant IETF documents for standard electronic mail are listed in Appendix B of NIST SP 800-45.

· Standards for Encryption

Pretty Good Privacy (PGP) and the Secure Multipurpose Internet Mail Extensions (S/MIME) are the principal mechanisms used to secure email content from end to end. Both techniques are based, in general, on public key cryptography processes. A user has a pair of related keys: a public key that is available openly and a private key that is held exclusively by its owner. The recipient’s public key is used to send encrypted information that can be decrypted only with the private key. The sender’s private key is used to send digitally signed information that can be verified for authenticity by anyone holding the corresponding public key. Digital signature techniques use a cryptographic hash function to create a digest of the message being sent. This digest can be signed more efficiently than the entire message.

PGP and S/MIME differ in their approach to key management. Some versions of PGP have no central key issuing or approving authority, and its users exercise management and control. S/MIME and newer versions of PGP use a hierarchical model involving a master registration and approving authority, and subordinate local registration authorities. This Public Key Infrastructure (PKI) provides a mechanism to authenticate users and protect the confidentiality of email. See Chapter 3 of NIST SP 800-45 for details about the advantages and disadvantages of PGP and S/MIME systems.

NIST SP 800-49, Federal S/MIME V3 Client Profile, issued in September 2002, provides specifications for adding cryptographic security services to the standard mail protocol. Based on the Multipurpose Internet Mail Extensions (MIME) standard, S/MIME allows for the addition of services, such as authentication, non-repudiation of origin, message integrity, and message privacy.

· Federal Information Processing Standards

Standards for the cryptographic techniques used for encryption, key management, and digital signatures within the secure email end-to-end process include the following Federal Information Processing Standards (FIPS):

· FIPS 46-3, Data Encryption Standard (DES), in triple DES mode (3DES) for data encryption.

· FIPS 197, Advanced Encryption Standard (AES), for data encryption.

· FIPS 186-2, Digital Signature Standard (DSS), for digital signatures. The DSS specifies the Digital Signature Algorithm (DSA) and allows the use of digital signature techniques specified in American National Standards Institute (ANSI) X9.31, Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), and ANSI X9.62, Elliptic Curve Digital Signature Algorithm (ECDSA).

· FIPS 180-2, Secure Hash Algorithm (SHA-1), for hashing (effective February 2003).

Information about these and related FIPS is available at:

http://csrc.nist.gov/publications/fips/index.html


Summary

Organizations and individuals benefit when electronic mail and mail systems are protected. Mail systems available to public access can be vulnerable to misuse, unauthorized access, and denial of services. However, the risks of operating, implementing, and maintaining electronic mail systems can be managed through careful planning, secure configuration of systems, and continued attention to implementation and maintenance.

Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

February 24, 2006 at 11:13 AM in email

February 23, 2006

Corillian and StrikeForce team for Web banking authentication service

Finextra: Corillian and StrikeForce team for Web banking authentication service

Corillian Corp. (NASDAQ: CORI), the top provider of online banking, online payments and anti-fraud solutions to the financial services industry, and StrikeForce Technologies, (OTCBB: SKFT), experts in identity assurance, today announced a joint offering to help financial institutions proactively prevent identity theft and fraud, strengthen online banking authentication and comply with FFIEC guidance.

Corillian and StrikeForce will protect financial institutions' online users with a comprehensive authentication service combining Corillian's Intelligent Authentication with StrikeForce's "Out-of-Band" authentication platform, ProtectID. The joint offering helps to proactively detect fraudulent online activity and prevent illegitimate users from accessing accounts.

Benefits include:

* Easy implementation - no software downloads
* Easy-to-use, uninterrupted online banking experience
* Strong authentication with multiple layers and multi factors
* Device flexibility for financial institutions and their customers

"Online banking is undergoing a permanent shift that requires secure and user-friendly technology, affordable prices, and rapid deployment," said Mark L. Kay, CEO of StrikeForce Technologies. "The FFIEC guidelines present a marked adjustment for the online user and the financial institutions that offer very flexible and streamlined solutions will attract and retain these online customers."

"Financial institutions are looking for strong online authentication methods that don't disrupt the online banking experience that customers are used to," said Alex Hart, president and CEO of Corillian. "The multiple layers of Intelligent Authentication were designed with the online banking user in mind - to provide ultimate protection of online accounts without compromising the convenience of online banking. StrikeForce's "Out-of-Band" authentication process complements Intelligent Authentication and provides financial institutions with additional layers of multi-factor protection for their online customers."

StrikeForce's patent-pending ProtectID is the first and only "Out-of-Band" identity authentication solution that creates a separate pathway for users to enter a PIN over the telephone that takes seconds to authenticate the identity of the online customer. Biometric devices, such as fingerprint and iris scanners, as well as one-time passwords (OTPs) can be added or substituted for additional versatility and layers of security. The different multiple methods of authentication eliminate the need to carry or purchase new technology, making two-factor authentication affordable and quickly deployable.

Intelligent Authentication employs a behavioral approach to authentication by building a history of "access signatures" for individual users. This is accomplished by collecting and validating information about each user's computer and method of Web site access without collecting personally identifiable information or requiring participation of the end user in the data collection process. An electronic access signature is created by combining a number of key identification points, such as IP address, Internet service provider, PC and browser settings, time of day and geographic location. It is a zero footprint authentication solution that does not require client hardware or software, is not dependent on the existence of any special marker or cookie on the user's PC, and does not require interrogation of the user's PC via downloaded software.

February 23, 2006 at 05:12 PM in Financial Services

February 16, 2006

Some companies helped the NSA, but which?

Some companies helped the NSA, but which? | CNET News.com

By Declan McCullagh and Anne Broache
Staff Writer, CNET News.com
Published: February 6, 2006, 4:00 AM PST

This is the first in a two-part series. Part two offers a glimpse at the technical details of how the National Security Agency's electronic surveillance system seems to work.

Even after the recent scrutiny of the National Security Agency's domestic surveillance project approved by President Bush, an intriguing question remains unanswered: Which corporations cooperated with the spy agency?

Some reports have identified executives at "major telecommunications companies" who chose to open their networks to the NSA. Because it may be illegal to divulge customer communications, though, not one has chosen to make its cooperation public.

Under federal law, any person or company who helps someone "intercept any wire, oral, or electronic communication"--unless specifically authorized by law--could face criminal charges. Even if cooperation is found to be legal, however, it could be embarrassing to acknowledge opening up customers' communications to a spy agency.

A survey by CNET News.com has identified 15 large telecommunications and Internet companies that are willing to say that they have not participated in the NSA program, which intercepts e-mail and telephone calls without a judge's approval.

Twelve other companies that were contacted and asked identical questions chose not to reply, in some cases citing "national security" as the reason.

Those results come amid a push on Capitol Hill for more information about the NSA's wiretapping practices. On Monday, Attorney General Alberto Gonzales is expected to testify at a Senate Judiciary Committee hearing, and President Bush and his closest allies have been stepping up their defense of the program in preparation for it.

To be sure, there are a number of possible explanations for the companies' silence. In some cases, a company's media department could have been overworked. Another possibility is the company's lawyers were unavailable or chose not to reply for unknown reasons.

Also, some survey recipients, such as NTT Communications, responded with a general statement expressing compliance "with law enforcement requests as permitted and required by law" rather than addressing the question of NSA surveillance.

A lawsuit that could yield more details about industry cooperation is winding its way through the federal courts. Last week, the Electronic Frontier Foundation, a civil liberties group based in San Francisco, sued AT&T after a report that the company had shared its customer records database--though not its network--with the NSA.

AT&T would not respond when asked whether it participated. An AT&T spokesman, Dave Pacholczyk, said: "We don't comment on matters of national security."

The News.com survey, started Jan. 25, found that wireless providers and cable companies were the most likely to distance themselves from the NSA. Cingular Wireless, Comcast, Cox Communications, Sprint Nextel and T-Mobile said they had not turned over information or opened their networks to the NSA without being required by law.

Companies that are backbone providers, or which operate undersea cables spanning the ocean, were among the least likely to respond. AT&T, Cable & Wireless, Global Crossing, Level 3, NTT Communications, SAVVIS Communications and Verizon Communications chose not to answer the questions posed to them.

The New York Times reported on Dec. 24 that the NSA has gained access to switches that act as gateways at the borders between the United States' communications networks and international networks. But "the identities of the corporations involved could not be determined," the newspaper added.

At the water's edge
Analysts and historians who follow the intelligence community have long said the companies that operate submarine cables--armored sheaths wrapped around bundles of fiber optic lines--surreptitiously provide access to the NSA.

"You go to Global Crossing and say...once your cable comes up for air in New Jersey or on the coast of Virginia, wherever it goes up, we want to put a little splice in, thank you very much, which NSA can do," said Matthew Aid, who recently completed the first volume in a multiple-volume history of the NSA. "The technology of getting access to that stuff is fairly straightforward."

Aid was citing Global Crossing as an example, not singling it out. Global Crossing describes itself as an Internet backbone network that shuttles traffic for about 700 telecommunications carriers, mobile operators and Internet service providers. According to the International Cable Protection Committee, the company has full or partial ownership of several trans-Atlantic and trans-Pacific cables.

Global Crossing spokesman Tom Topalian said "99 percent of wiretapping is done at a local phone company level" instead of at backbone providers. Topalian declined to answer questions about NSA access, and added: "All U.S. carriers have to comply with the CALEA act, and Global Crossing complies with CALEA." (CALEA is a 1994 federal law requiring certain telecommunications providers to make their networks wiretap-friendly for domestic law enforcement, not intelligence agencies.)

Rep. John Conyers, D-Mich., last month sent a letter to companies including Google, Yahoo, EarthLink, Verizon and T-Mobile asking them if they cooperated with the NSA. News.com asked similar questions, but expanded the number of companies to include backbone and submarine cable providers.

Among the companies that responded, some offered far more detail than others. Les Seagraves, EarthLink's chief privacy officer, said: "We've never even been asked to give information without the benefit of a subpoena or a court order behind it. And our policy is to require a subpoena or court order, basically to require a court of law behind the inquiry."

"We're very interested in protecting our customers' privacy and balancing that with our duties to comply with the law," Seagraves added. "Our way to balance that is to definitely make sure we have a valid legal request before we release any information."

Comcast spokesman Tim Fitzpatrick said the company "will only provide customer information pursuant to a valid court order and only if Comcast's records contain information sufficient to identify the customer account on the (date or dates) listed in the court order."

A representative of Cox Communications, David Grabert, said: "Cox has never received a request for information or a wiretap that was not accompanied by a warrant."

NSA's history of industry deals
Louis Tordella, the longest-serving deputy director of the NSA, acknowledged overseeing a similar project to intercept telegrams as recently as the 1970s. It relied on the major telegraph companies, including Western Union, secretly turning over copies of all messages sent to or from the United States.

"All of the big international carriers were involved, but none of 'em ever got a nickel for what they did," Tordella said before his death in 1996, according to a history written by L. Britt Snider, a Senate aide who became the CIA's inspector general.

The telegraph interception operation was called Project Shamrock. It involved a courier making daily trips from the NSA's headquarters in Fort Meade, Md., to New York to retrieve digital copies of the telegrams on magnetic tape.

Like today's eavesdropping system authorized by Bush, Project Shamrock had a "watch list" of people in the U.S. whose conversations would be identified and plucked out of the ether by NSA computers. It was intended to be used for foreign intelligence purposes.

Then-President Richard Nixon, plagued by anti-Vietnam protests and worried about foreign influence, ordered that Project Shamrock's electronic ear be turned inward to eavesdrop on American citizens. In 1969, Nixon met with the heads of the NSA, CIA and FBI and authorized a program to intercept "the communications of U.S. citizens using international facilities," meaning international calls, according to James Bamford's 2001 book titled "Body of Secrets."

Nixon later withdrew the formal authorization, but informally, police and intelligence agencies kept adding names to the watch list. At its peak, 600 American citizens appeared on the list, including singer Joan Baez, pediatrician Benjamin Spock, actress Jane Fonda and the Rev. Martin Luther King Jr.

Details about Project Shamrock became public as part of a Senate investigation of the NSA. Telegraph companies participating in the program initially balked when questioned by Senate investigators. But documents turned over by the NSA "cast doubt on the veracity of the companies' claims that they could find no documentation pertaining to Shamrock," wrote Snider. "After all, this had concerned the highest levels of their corporate management for at least four years."

Another apparent example of NSA and industry cooperation became public in 1995. The Baltimore Sun reported that for decades NSA had rigged the encryption products of Crypto AG, a Swiss firm, so U.S. eavesdroppers could easily break their codes.

The six-part story, based on interviews with former employees and company documents, said Crypto AG sold its compromised security products to some 120 countries, including prime U.S. intelligence targets such as Iran, Iraq, Libya and Yugoslavia. (Crypto AG disputed the allegations.)

"Only a very few top executives"
The extent of the NSA's surveillance project in operation today remains unclear. Attorney General Gonzales has stressed that the program intercepts e-mail and phone conversations only when "one party to the communication is outside the United States."

In his book titled "State of War," New York Times reporter James Risen wrote: "The NSA has extremely close relationships with both the telecommunications and computer industries, according to several government officials. Only a very few top executives in each corporation are aware of such relationships."

Tapping into undersea copper and fiber-optic cables where they make landfall would be one way to create a virtual web of surveillance that can snare Internet packets or voice communications when they traverse U.S. borders. One benefit for the government is that one participant in the conversation is likely to be overseas--permitting Gonzales and the NSA to stress the interception's international nature.

Another method would be to seek the cooperation of backbone providers with networks entirely within the United States. That could be done with a tap hooked up to the switches at a telephone company or backbone provider, said Phill Shade, a network engineer for WildPackets who is the company's director of international support services. WildPackets sells network analysis software.

"The tap essentially splits off a copy of the traffic--it would literally take a copy of all the traffic as it moves through the wire," Shade said. "Picture a capital letter 'Y' in your head...One copy goes back out the regular wire on the right side of the wire, and the copy you're interested in splitting goes off the left side of the Y to you. These are very common networking devices, used in networks all over the world."

The tap's exact location may matter. Sen. Arlen Specter, a Pennsylvania Republican who is convening Monday's hearing, has asked Gonzales to respond to a series of questions about the legality of the program. One question Specter is posing: If intercepted calls are "routed through switches which were physically located on U.S. soil, would that constitute a violation of law or regulation restricting NSA from conducting surveillance inside the United States?"

Who's helping the NSA?

CNET News.com asked telecommunications and Internet companies about cooperation with the Bush administration's domestic eavesdropping scheme. We asked them: "Have you turned over information or opened up your networks to the NSA without being compelled by law?"
Company | Response
Adelphia Communications | Declined comment
AOL Time Warner | No [1]
AT&T | Declined comment
BellSouth Communications | No
Cable & Wireless* | No response
Cablevision Systems | No
CenturyTel | No
Charter Communications | No [1]
Cingular Wireless | No [2]
Citizens Communications | No response
Cogent Communications* | No [1]
Comcast | No
Cox Communications | No
EarthLink | No
Global Crossing* | Inconclusive
Google | Declined comment
Level 3* | No response
Microsoft | No [3]
NTT Communications* | Inconclusive [4]
Qwest Communications | No [2]
SAVVIS Communications* | No response
Sprint Nextel | No [2]
T-Mobile USA | No [2]
United Online | No response
Verizon Communications | Inconclusive [5]
XO Communications* | No [1]
Yahoo | Declined comment

* = Not a company contacted by Rep. John Conyers.
[1] The answer did not explicitly address NSA but said that compliance happens only if required by law.
[2] Provided by a source with knowledge of what this company is telling Conyers. In the case of Sprint Nextel, the source was familiar with Nextel's operations.
[3] As part of an answer to a closely related question for a different survey.
[4] The response was "NTT Communications respects the privacy rights of our customers and complies fully with law enforcement requests as permitted and required by law."
[5] The response was "Verizon complies with applicable laws and does not comment on law enforcement or national security matters."

February 16, 2006 at 08:25 AM in Security

Yahoo on NSA surveillance: No comment

Yahoo on NSA surveillance: No comment | CNET News.com

By Declan McCullagh
Staff Writer, CNET News.com
Published: February 15, 2006, 1:55 PM PST

Under cross-examination during a congressional hearing, Yahoo's top lawyer refused on Wednesday to say whether the company opens its records for government surveillance without a court order.

Michael Callahan, Yahoo's senior vice president and general counsel, declined five times to answer that question from Rep. Brad Sherman, a California Democrat who was probing whether the Internet company had cooperated with the National Security Agency's domestic surveillance efforts.

"It wouldn't be appropriate for me to comment," said Callahan, who was testifying under oath. He added that Yahoo would "only turn over information if it's required by law."

But Callahan refused to say whether a demand from the NSA--not backed by a court order--qualifies as required by law.

No law or regulation prohibits Yahoo from answering the question. In a survey published last week by CNET News.com, companies as varied as BellSouth, Comcast, EarthLink and T-Mobile answered in the negative. Rep. John Conyers, a Michigan Democrat, has posed similar questions to those companies, and AT&T has been sued for allegedly turning information over to the NSA in violation of privacy laws.

Sherman, who represents the San Fernando Valley near Los Angeles, is a Harvard Law graduate who was known as a stickler for detail while a lawyer in private practice. He's been critical of the NSA surveillance program, and said last week that President Bush's recent claims about terrorists planning to attack a Los Angeles skyscraper were a political stunt.

Video: Can the NSA look at your e-mail?
During a House hearing on Wednesday, Rep. Brad Sherman, D-Calif., asks Yahoo general counsel Michael Callahan if the NSA can access the e-mail of private American citizens.

Below is a transcript, edited for clarity, of Wednesday's exchange that took place during a House of Representatives hearing about China and the Internet.

Rep. Brad Sherman: Let's say you get a call from the NSA saying they want you to give them a copy of all my e-mails. Can I rely on your privacy policy that you're not going to give those e-mails to the NSA unless you get a court order?

Yahoo General Counsel Michael Callahan: We would only disclose information in compliance with law and our privacy policy.

Sherman: Does that include a court order or letter from the NSA?

Callahan: I wouldn't be able to comment.

Sherman: The attorney general says the executive branch, without any OK from either of the other two branches, has the right to read everything you have in your files about me. You might very well agree?

Callahan: It wouldn't be appropriate for me to comment.

Sherman: How can I be a Yahoo user?... If you tell me you'll decide later if a sheriff in some obscure county (that I've never visited can obtain access to my files based on a simple request?)

Callahan: We only turn over information if it's required by law.

Sherman: An investigation from some county that I've never been to?

Callahan: If we were served with proper legal process, we would have to give it.

Sherman: Sir, you're assuming the answer to the question and pretending that's an answer. I'm asking you, as the chief lawyer from Yahoo, is e-mail from some sheriff...is that a requirement that you would adhere to or would you fight it in court?

Callahan: That is not something we would provide.

Sherman: How about if it came from the NSA?

Callahan: (I can't comment on that.)

February 16, 2006 at 08:23 AM in Security

February 15, 2006

Study: Value of Online Business Outweighs Security Concerns

Study: Value of Online Business Outweighs Security Concerns - Yahoo! News

By Antone Gonsalves
TechWeb.com Tue Feb 14, 5:41 PM ET

The willingness of companies and consumers to do business online has outpaced the trust both entities have in the Internet, a study released Tuesday showed.

The report, which establishes an "Internet Confidence Index" for the United States and Europe, found a security index of 22 and a transaction index of 55 for businesses, said RSA Security Inc., which released the study at its user conference in San Jose, Calif. For consumers, the security index was 5 and the transaction index 37. An index of 100 would be the highest confidence score.

The numbers showed that companies and consumers are willing to accept security risks in order to conduct business online, RSA, based in Bedford, Mass., said.

“It is not surprising that business users feel more secure online than consumers, with an array of firewalls and other defensive measures in place around them, but it is astonishing to see the extent to which both groups are willing to assume some level of risk in their transactions,” Art Coviello, president and chief executive of RSA, said in a statement.

The study also found that the volume of transactions is growing in all the countries surveyed. Only 1 percent of businesses said they were doing fewer online transactions today than 12 months ago.

The study was based on a 39-question survey that focused on issues of confidence and trust in secure online transactions. The survey was given to 601 business respondents and 603 consumers in the United States, United Kingdom, Germany and France.

February 15, 2006 at 09:29 PM in Consumer trends

Microsoft plans virtual information wallet: Gates

Microsoft plans virtual information wallet: Gates - Yahoo! News

Tue Feb 14, 6:39 PM ET

SAN JOSE (Reuters) - Microsoft Corp. (Nasdaq:MSFT) Chairman Bill Gates on Tuesday showed off a new software tool aimed at giving consumers a virtual wallet to securely store their personal information for Internet transactions.

As part of that effort, Gates said the virtual personal information wallet, code-named "InfoCard," would allow consumers to safely manage their identities online. It seeks to provide better security by reducing reliance on usernames and passwords which are often the target of computer criminals.

This time around, however, Microsoft puts the power in the hands of the user, Gates said. In a demonstration, Microsoft showed how easily a consumer logged onto a car rental site to quickly reserve and pay for an automobile using a card from the virtual wallet.

Speaking at the annual RSA computer security conference, Gates provided a broad overview of how the industry needs to meet what he said were growing cyber threats, and said that consumers would not embrace technology that is not simple to use.

Microsoft first offered identification and authentication with its Passport service, but that technology failed to win wide acceptance because consumers did not embrace the idea of having the software maker manage their information.

Microsoft also said because InfoCard runs isolated from other programs on the desktop it makes it harder for hackers to install malicious software on the system.

The company plans to release the technology later this year, which will support the upcoming Internet Explorer 7 on Windows Vista, Windows XP with Service Pack 2 and Windows Server 2003.

February 15, 2006 at 01:24 PM in Financial Services

February 14, 2006

VeriSign Introduces VeriSign® Identity Protection (VIP) To Protect Consumer Online Identities

VeriSign Introduces VeriSign® Identity Protection To Protect Consumer Online Identities from VeriSign, Inc.

PayPal, eBay and Yahoo! To Join Shared Authentication Network As Strategic Anchor Tenants; Motorola and SanDisk To Lend Technology Support

MOUNTAIN VIEW, CA., February 13, 2006 – VeriSign, Inc., (NASDAQ: VRSN), the leading provider of intelligent infrastructure services for Internet and telecommunications networks, today announced the launch of VeriSign® Identity Protection (VIP), a comprehensive solution that will help provide identity protection for consumers who conduct business online. VIP is supported by several leading online companies, including PayPal, eBay and Yahoo!. In addition, technology partner SanDisk has announced plans to support VIP by manufacturing and distributing OATH compliant USB mass-storage and trusted flash devices, while Motorola plans to lend its support in enabling this technology on consumer mobile devices.

A recent report by the Federal Trade Commission found that 37 percent of all Internet Fraud complaints filed dealt with identity theft. Additionally, Gartner research vice president Avivah Litan noted in her report “Credit Report and Internet Data Theft Results in More Fraud in 2005” that of those surveyed, financial losses resulting from information stolen off the Internet were $2.7 Billion.

VIP is a modern approach to combating digital identity theft targeted for both consumers and online services that demand better identity protection without sacrificing the convenience of everyday Web lifestyles. VIP will allow consumers to use a single security device to authenticate themselves across any future VIP-enabled Web site of network members, such as PayPal, eBay or Yahoo!. VIP will make it simpler and more cost-effective for online companies such as financial institutions, ISPs or e-commerce sites to implement stronger authentication by leveraging a shared infrastructure and enabling everyday devices to become authentication devices.

VIP will take a layered approach to Identity Protection by providing a comprehensive set of services enhanced by network intelligence. It will include the following components:

o Shared Authentication Network: Operated by VeriSign, the VIP Network will allow online service providers and enterprises to accept the same VIP authentication credentials as other participating members of the network. The VIP Network will enable consumers to utilize a single, OATH-compliant strong authentication credential, no matter the form, across any of the VIP-enabled Web sites of network members.
o Multi-factor Authentication: The VIP Authentication Service is a flexible, easy-to-deploy two-factor authentication solution that will facilitate the management of devices distributed to end-users. It will be based on open standards defined by OATH, an industry-wide working group for authentication. These open standards will allow VIP authentication to deliver an unprecedented array of credential choices for consumers.
o Fraud Detection: Using advanced anomaly detection technology, the service will monitor and detect fraudulent login and transactional fraud in real-time to enable risk-based authentication. To catch known and unknown fraud, the service will combine both a policy and a self-learning anomaly detection engine. This non-intrusive approach will not require any change to a Web site and will remain invisible to the consumer until a fraud is detected.
o Fraud Intelligence Network: The fraud intelligence network, which VeriSign intends to make available in the summer of 2006, will allow the sharing of critical fraud data and signatures across VIP-enabled Web sites of network members. The VIP Fraud Intelligence Network will leverage VeriSign’s unique visibility gleaned from the operation of core Internet technologies.

VeriSign intends to add additional services in the summer of 2006 including the VeriSign VIP portal, which will allow consumers to obtain, for VIP-enabled authentication devices, first-level support directly from VeriSign.

In addition to VeriSign, PayPal has agreed to become the first device issuers for the VIP network. Yahoo! plans to join the VIP network as founding members and anchor tenants, enabling the use of VIP devices on any of their VIP-enabled Web sites. In order to deliver strong authentication devices across a large user base, VeriSign has also signed key technology partnerships that will embed one-time password algorithms into common, everyday devices. SanDisk intends to embed OATH-compliant One Time Passwords (OTP) into their mass-storage and trusted flash devices, while Motorola is endorsing VIP’s unique shared network authentication approach to protecting online identities and its proliferation to consumers.

“With the increase in both the frequency and sophistication of malicious online activities such as phishing and identity theft, a fresh approach is needed to protect consumers as they conduct business online,” said Judy Lin, executive vice president and general manager, VeriSign Security Services. “VeriSign Identity Protection will provide a new means to protect consumer identities, combining multi-factor authentication, a shared network of information and intelligence and actionable fraud monitoring. With our partners, the VIP service will provide end-users with easy-to-purchase and easy-to-deploy multi-factor authentication.”

VIP will be available directly from VeriSign, or through any of the service providers participating in the VIP Network. Elements of VIP, including strong authentication and shared authentication network capabilities are available today, with additional capabilities being added this summer. For more information, please go to: http://www.verisign.com/dm/vip

SUPPORT QUOTES FOR VIP

eBay/PayPal
“Online security is central to everything we do at eBay and PayPal, so we are pleased to be working with VeriSign as one of the first members of the VIP Network”
– Rob Chesnut, Senior Vice President of Trust and Safety, eBay and PayPal.

Yahoo!
“Yahoo! has always been focused on providing consumers with the safest Internet experience possible. We continuously look for ways to meet our users’ evolving needs and are proud to participate in the VIP Network. We look forward to delivering added security for our customers through this innovative industry standard solution.”
-- Ash Patel, Chief Product Officer, Yahoo!

Motorola
“As mobile data experiences increase in richness and complexity, so does the need to protect them. No one wants to suffer the consequences of identity theft, so security is critical to gaining consumer acceptance of new mobile data services. VeriSign and Motorola share a vision for mobile security, and we look forward to supporting VIP and working together to bring consumers stronger protection for their online identities in the mobile world.”
-- Christy Wyatt, Vice President, Ecosystem and Market Development, Motorola.

SanDisk
“The addition of strong authentication services from VeriSign will greatly augment the extensive storage capabilities of our SanDisk devices and provide a level of ‘out of the box’ consumer online identity protection. Through our partnership with VeriSign, our flash devices will contain a capability previously unavailable – at no additional cost to consumers.”
-- Carlos Gonzalez, Senior Director of Consumer Marketing, SanDisk Corporation

About VeriSign
VeriSign, Inc. (Nasdaq: VRSN), operates intelligent infrastructure services that enable and protect billions of interactions every day across the world’s voice and data networks. Additional news and information about the company is available at www.verisign.com

For more information, contact:
VeriSign Media Relations: Brendan P. Lewis, brlewis@verisign.com, 650-426-4470
VeriSign Investor Relations: Tom McCallum, tmccallum@verisign.com, 650-426-3744

Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These statements involve risks and uncertainties that could cause VeriSign's actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as the risk that VeriSign's announced strategic relationships, including the relationships with PayPal, eBay, Yahoo!, SanDisk and Motorola, may not result in additional products, services, customers, profits or revenues; and increased competition and pricing pressures. More information about potential factors that could affect the company's business and financial results is included in VeriSign's filings with the Securities and Exchange Commission, including in the company's Annual Report on Form 10-K for the year ended December 31, 2004 and quarterly reports on Form 10-Q. VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this press release.

February 14, 2006 at 12:59 PM in Security

February 13, 2006

Westpac bids to thwart keyloggers with onscreen keypad

Finextra: Westpac bids to thwart keyloggers with onscreen keypad

Westpac has introduced a mouse-activated keypad for users logging on to its Internet banking service. The move comes just months after Australian police busted an online crime syndicate suspected of stealing funds from Web banking customers through the use of keylogging malware.

Westpac says the onscreen keypad scrambles customers' IDs and passwords and renders keylogging Trojans ineffective.

The bank says it is the first to introduce the technology in Australia, although similar programmes have been implemented by other banks worldwide, including Citibank, Standard Bank of South Africa and ING in Holland.

Westpac's move comes just months after police in Perth smashed a crime ring that had allegedly used keylogging software to steal "significant" sums of money from victims' bank accounts. Multiple banks had been targeted but names of specific financial institutions were not disclosed.

The security and effectiveness of graphical keypads has been questioned recently following revelations that fraudsters are increasingly using sophisticated "screenscraper" software to neutralise these programmes. Rather than tracking keystrokes, the screenscraper takes a snapshot of the user screen each time the mouse is clicked and sends it to the phishers' server for inspection.

Dan Hubbard, senior director of security for Websense and an analyst with the Anti Phishing Working Group, says crimeware continues to evolve and advanced techniques are now being used to steal information: "These Trojan horses are moving beyond keylogging to now capture screenshots to obtain end-user credentials."

February 13, 2006 at 08:57 AM in Financial Services

February 12, 2006

Your personal wiki, at your service - Stikipad

I have tried to work with wikis but it's just too hard and too much coding to learn.  I know a little HTML, but I want to create, not code.  So when I looked at this new app, StikiPad, I was blown away.

Welcome to Your StikiPad.

StikiPad is a hosted wiki solution (What's a Wiki?) that gives you an easy way to organize and share information with others. We run completely in your browser with no downloads and easy administration, letting you take your StikiPad wherever you have access to the Internet. But don't be fooled by the word easy - it's only as easy as you want, and as powerful as you want it to be. StikiPad is like a blank piece of paper - you decide what you're going to make of it.
Whatever Web 2.0 is and whether you agree with the nomenclature, this is a brilliant example of Web 2.0.  It's a simple, easy to use hosted application that seems at first glance to eliminate the coding frustration, and allow you to get on with creating your wiki.

I am thinking that a wiki is ideal for the research that supports my Bankwatch blog, because it's fluid, and inter-related, whereas the blog is linear.  So by moving the research into a wiki, that frees up the blog for analysis, and witty intelligent commentary.

February 12, 2006 at 08:00 PM in @ My Views @

Banks' silence is golden for booming internet fraud

Scotsman.com News - Banks' silence is golden for booming internet fraud

MURDO MacLEOD mmacleod@scotlandonsunday.com

FRANK Duns believed he was being ultra-cautious. He used his credit card only when he had to, including to pay a restaurant bill while on holiday in the Isle of Man.

Just weeks later, the businessman from Penicuik, Midlothian, discovered to his horror that his card had been used to buy a £4,000 motorcycle. The card had been cloned and the details handed to an Ireland-based fraudster.

"I am still absolutely stunned how anyone could have made a transaction for so much money just like that," Duns said. "No security checks or anything. I got a full refund from the card company, but never an explanation of how this happened."

Duns is just one of the rapidly growing number of Scots falling victim every year to scams and thefts involving credit cards and bank accounts, most of which take place in cyberspace. A new branch of the English language has emerged to describe the shady practice, with phishing, pharming, keylogging and spyware among the recently coined words.

Banks acknowledge about £500m of such fraud a year in the UK - up from £213m in 2000 and £62m in 1995. But banking insiders have told Scotland on Sunday that as much as another £500m was discovered by the industry but never reported to police, under a controversial policy of dealing in-house with any theft of £2,000 or less.

It's the bigger cases that do come to light, such as the £280,000 stolen by fraudsters from comedian Harry Hill, as reported last week. Politicians and police fear that by "hushing up" such large numbers of crimes, the banks could be inadvertently encouraging more theft.

Pauline McNeill, the convener of the Scottish Parliament's Justice 1 Committee, said: "This needs to be investigated. It's important to get an accurate picture of what is happening in order to fight crime. I am concerned that by only focusing on the larger frauds we might be missing the opportunity to link crimes together and so solve more of them."

A police insider said: "From one point of view we might quite like it if the figures seem lower than they really are, because that gives us less crime to chase up. But ultimately the most effective way to stamp this out starts by knowing the full picture of what is going on."

Detectives say criminal gangs have turned to internet and card fraud as an easy alternative to "traditional" crimes such as armed robbery. Criminals calculate that even if they are caught, there is less risk of receiving the hefty sentences they would get for using guns or knives.

As a result, banks and detectives are now locked in a technological arms race against fraudsters, culminating in Chip and Pin, which will come fully into force this week. The new system will mean that customers who do not know their numbers might have their cards refused. But the system risks descending into chaos, as millions have still not received their code numbers.

And Scotland on Sunday can reveal that the latest gadget in the thieves' technological armoury "tunes in" on the new portable Chip and Pin readers as they are used - typically in restaurants.

Detective Inspector Duncan Hamilton, of the Strathclyde Police fraud squad, said: "Chip and Pin has been very effective at stopping fraud at the point of sale. But there is evidence that criminals have been using special receivers which can pick up information from a portable chip card reader."

The crime has been uncovered in continental Europe and police believe if it is not here already, it is only a matter of time.

Hamilton says the biggest cybercrime threat in his force area is gangs targeting bank and call centre workers in order to bribe or force them to reveal confidential bank information.

He said: "The gangs approach the staff in the pub or somewhere and typically offer about £200 for each set of details. If the person refuses, the promises turn to threats. But let's face it, call centre workers are not brilliantly paid and there's a high turnover and not much loyalty."

Meanwhile, the potential financial perils of using a home PC become ever more pressing. Fraudsters are firing out bogus e-mails, purportedly from banks, in an effort to get consumers to enter their account details - a practice known as "phishing".

A variation is "pharming". Software is installed on a computer which diverts the user from common retail internet sites to fake web pages which look like shopping sites. The unwitting user keys in vital details in the belief that he is buying something online, but is actually sending credit details to criminals.

Conmen also hide "spyware" programs in innocent-looking files downloaded from the internet, such as free software.

Peter Craig, of the security software company Trend Micro, said: "About 60% of UK computers are infected with spyware, and it's tremendously difficult to avoid. I visited a website with a clean PC, turned off all anti-virus protection, downloaded a free program, scanned the PC again and found 418 items of spyware."

So who is behind the new crimewave? Detective Chief Superintendent Stephen Ward, crime coordinator for the Scottish Drug Enforcement Agency, said: "We are seeing a number of organised criminal gangs from Eastern Europe moving into Scotland.

"They seem to believe that there is a lot of potential here to make money. It's not all from outside - there are the gangs from here in Scotland at it too."

Andrew Goodwill, the managing director of Early Warning, a company which develops anti-fraud databases, said: "Gangs target graduation lists and universities in the former Soviet Union for the best maths and IT graduates. They face the choice of not much money in honest work or quite a lot of money working for criminals."

A police insider in the former Soviet Union said: "The gangs here think you in the West have too much money and that you are not careful with it. We were told for decades that you were decadent capitalists and that you were weak. That message had its effect even on our criminals."

Meanwhile, the banking industry generally prefers to compensate customers - to the tune of around £1bn a year - rather than tell the police of every case and suffer a public crisis of confidence.

A banking industry source confirmed: "We don't report the smaller ones because of the impact on the image of the bank. Customers' confidence would be affected.

"Banks also hate having their staff on the witness stand. You don't know what a defence lawyer might ask, and you might be forced to reveal information about procedures which you wouldn't want people outside the company to know about."

Paul Leckie, a partner in Unisys global financial services, which provides security analysis to the industry, added: "If it's under £2,000 then they don't bother reporting it."

But while they may be reluctant to involve the police, the banks cannot be accused of doing nothing. Based in Northampton, Barclaycard's anti-fraud centre has a rogues' gallery of wanted fraudsters and figures charting the team's progress in the never-ending battle with the conmen.

Rebecca Mckee, the anti-fraud team leader, said: "When you speak to a customer, having detected a fraud, it's quite a shock to them and they need reassurance."

Sometimes the work involves talking to the people who will ultimately be snared by the team's investigations. "It's exciting. You get a buzz," Mckee said.

But Duns remains surprised at what he sees as the lack of control over card use. He said: "I recently bought a car with my debit card and no security checks were done.

"I find it worrying that considerable sums can go through electronic machines with no questions asked."

HOW THE CARD CHEATS CAN TARGET YOUR IDENTITY

ID THEFT - Criminals steal personal details, for example through discarded bills and use the information to divert credit cards and cheque books to an alternative address and even get loans in the victim's name.

CLONING - A card is swiped through an electronic reader to retain the details. A copy of the card is then produced which can be used by a fraudster.

PHISHING - A rogue email, usually purportedly from a bank and requesting financial details.

PHARMING - An email invites users onto a computer link to divert a computer from shopping websites to fake retail pages set up by criminals for bank details.

SPYWARE - Computer programmes keep a log of what a user does at their computer and which internet sites they visit. Commonly used by marketing companies.

How to stop the cheats from grabbing your cash

The top tips to keeping your money safe include:

• Never let your cards out of your sight - their details could be written out by hand and swiped through a reader in a matter of seconds, leaving you potentially vulnerable.

• Narrow down your pack of cards so you keep tabs of each one. It will also make it simpler if you have to remember fewer numbers.

• Do not write down your personal identification numbers. Banks allow you to change them to something a bit more memorable.

• Never use a cash dispenser which looks in any way unusual. Some have sniffing devices on the front and some are actually 100% fake.

• Join a card protection scheme, such as Sentinel, which insures you against all losses, keeps a track of your plastic and does all the work cancelling the cards if you become a victim.

• Shop in outlets set up for chip and pin rather than card and signature - there is less chance that you and your card can be parted.

• Shred all your documents, or rip them up into very small pieces if a shredder seems melodramatic. If you have a home fire you could even consider burning them.

• Make sure no one is looking over your shoulder when you use your card. Gangs operate in teams - one checking the number and others angling to steal or clone the card, maybe much later.

• If someone phones up purporting to be from your bank, offer to call back. No bank staff will ever have a reason to ask you for your PIN number. Most banks do not e-mail customers, and those that do will address you by name.

• Install spyware protection on your computer in addition to anti-virus and firewall software. And keep it up to date. Unlike anti-virus programs you can operate more than one spyware killer. Use it regularly.

• Ignore spam e-mails with offers that are too good to be true. You have not won the Canadian Lottery - there is no Canadian Lottery to win. And no one is offering you the latest iPod for nothing.

• If your children use your computer for instant messaging teach them not to click on strange links or to tell you if they have.

• Police recommend checking out www.getsafeonline.com for the latest advice. A tip for connoisseurs of junk e-mail: the word 'the' appearing in odd places means it is likely to be from eastern Europe. Most Slavic languages have no definite article and placing 'the' wrongly is a common mistake.

TERESA HUNTER
PERSONAL FINANCE EDITOR

February 12, 2006 at 01:28 PM in Financial Services

Banks hide true level of card crime

Scotsman.com News - Banks hide true level of card crime

MURDO MACLEOD POLITICAL CORRESPONDENT

HALF a billion pounds stolen from bank and credit card accounts each year is not being reported to the police by financial institutions, a Scotland on Sunday investigation has found.

Banking industry sources have confirmed that any cyber-theft of less than £2,000 is not reported to outside authorities as a matter of policy. This means that at least half of the estimated £1bn pilfered from bank customers annually is being written off, fuelling fears that criminal gangs are being emboldened to steal even more.

MSPs and MPs have called for an inquiry into how widespread bank and credit card crime really is, amid concern that by not flagging up all incidents, the battle against fraud is being harmed.

Senior police officers have warned that Scotland has become the target of a new wave of organised crime gangs from eastern Europe, who believe that unwary Scots offer rich pickings and who target bank call-centre workers.

Officers also warn that thieves are acquiring new radio devices which can snoop on the signals from chip and pin card readers in restaurants and log them.

An informed insider in the banking industry said: "The figure for losses due to credit card and ID theft fraud is in the region of £1bn. That is about twice the amount which is typically reported, so about half is never flagged up to police."

The typical amount below which individual losses are not reported is £2,000, a figure cited by banking security analyst Paul Leckie, a partner in Unisys Global Financial Services, which provides security analysis to the industry.

An insider explained: "We would only report something under £2,000 if it were clear that it was a part of a much larger fraud. It may seem a lot to you, but for the bank it costs more in the time taken up by speaking to police and lawyers."

Police officially deny that they believe banks are failing to pass on information to them and praised the co-operation of financial institutions. But a number of police sources said that the lack of information prevented them getting a true picture of the scale of fraud.

Margaret Mitchell, the Scottish Tory justice spokeswoman, said: "Obviously the banks do work closely with the police on major cases and get results. But I think that if more smaller cases were flagged up then we would be able to fight against bigger fraudsters more effectively."

Nationalist MSP Stewart Stevenson, the deputy convener of Holyrood's Justice I Committee, said: "There should be an investigation into this. The question is whether we have the time to carry it out because we have so many bills to deal with. But this is a serious issue which needs to be looked into."

Scottish police say that gangs are increasingly targeting bank and call-centre staff to get confidential bank details from them, and "planting" moles within branches and centres.

In order to foil criminals such as these, who use bribery or threats to get workers to divulge information, banks are developing new software which can analyse suspicious transactions and also alert them to the activities of dishonest staff.

They are also developing sophisticated background checks, and some are even pondering scrapping staff uniforms to avoid targeting of employees after work.

February 12, 2006 at 01:27 PM in Financial Services

Content is not king 2

Content is Not King

Although social uses are important to the telephone industry, a glance at Table 1 shows that most of the revenues come from businesses. Household spending on phone service brings in only about a third of the total revenues. (The figures for total revenues, $256 billion in 1997, and consumer spending, $85 billion, come from different sources. It is possible that consumers spend somewhat more, especially for cell phones, than is reported in the $85 billion figure. However, even if one makes the most likely adjustments, it still appears that business spending on telephony is far larger than that of households.) That has been the historical trend, and many communication services, including the phone, were initially devoted almost totally to business uses. Traditionally, commercial users have subsidized residential ones. Sometimes this was done involuntarily, as in higher rates dictated by carriers or by government regulators, and sometimes voluntarily, as in paying for toll-free 800 numbers. It appears probable that similar subsidies will also play a large role on the Internet. (That is also why toll-free numbers for wireless calls may be very important.) We may very well end up with a system in which the largest monetary contribution will come from commercial users, the second largest for households paying for point-to-point communication, and the smallest by the transport component of charges for content.

On the other hand, if point-to-point communications were to dominate, and if Metcalfe's Law were to hold, there would be strong economic incentives to a unified network without barriers. This is considered more fully in Section 4 of [Odlyzko3]. The general conclusion there is that even though Metcalfe's Law is not fully valid, the incentives to maintain an open network are likely to be very strong. This will be largely because content is not king, and effective point-to-point communication will demand easy interconnection.

An extreme form of the "content is king" position, but one that is shared by many people, and not just in the content industry, was expressed recently by the head of a major music producer and distributor:

What would the Internet be without "content?" It would be a valueless collection of silent machines with gray screens. It would be the electronic equivalent of a marine desert - lovely elements, nice colors, no life. It would be nothing. [Bronfman]

The author of this claim is facing the possible collapse of his business model. Therefore it is natural for him to believe this claim, and to demand (in the rest of the speech [Bronfman]) that the Internet be designed to allow content producers to continue their current mode of operation. However, while one can admire the poetic language of this claim, all the evidence of this paper shows the claim itself is wrong. Content has never been king, it is not king now, and is unlikely to ever be king. The Internet has done quite well without content, and can continue to flourish without it. Content will have a place on the Internet, possibly a substantial place. However, its place will likely be subordinate to that of business and personal communication.


About the Author

Andrew Odlyzko is Head of the Mathematics and Cryptography Research Departments at AT&T Labs. His professional interests include computational complexity, cryptography, number theory, combinatorics, coding theory, analysis, and probability theory, as well as data networks, electronic publishing, and electronic commerce.
E-mail: amo@research.att.com
Web: http://www.research.att.com/~amo

Note

For more detailed arguments, data, and references, see the longer manuscript [Odlyzko3].

Acknowledgements

I thank Frances Cairncross, Bob Frankston, Alan Kotok, Monica Marics, Mike Noll, Hal Varian, and Mark Wolfe for comments and useful information.

Bibliography

J. Abbate, 1999. Inventing the Internet. Cambridge, Mass.: MIT Press.

L.A. Adamic and B.A. Huberman, "The nature of markets in the World Wide Web," available at http://www.parc.xerox.com/spl/groups/dynamics/topics/internetecologies.shtml

S. Baker, 2000. "Telefónica: Takeover escape artist? It's fending off predators with spin-offs that boost market cap," Business Week (10 April).

E. Bronfman, Jr., 2000. "Remarks as prepared for delivery at the Real Conference 2000, San Jose," (26 May), available as a Seagram press release at http://www.mpaa.org/copyright/EBronfman.htm

K.G. Coffman and A.M. Odlyzko, 1998. "The Size and growth rate of the Internet," First Monday, volume 3, number 10 (October), at http://firstmonday.org/issues/issue3_10/coffman/. Also available at http://www.research.att.com/~amo

K.G. Coffman and A.M. Odlyzko, 2001. "Internet growth: Is there a "Moore's Law" for data traffic?," In: J. Abello, P.M. Pardalos, and M.G.C. Resende, (editors). Handbook of Massive Data Sets. Boston: Kluwer; available at http://www.research.att.com/~amo

CTIA (Cellular Telecommunications & Internet Association), 2000. "CTIA Reports 1999 Survey Results," press release (11 April), available at http://www.wow-com.com/news/ctiapress/body.cfm?record_id=857

T.S. Denison, 1901. "The telephone newspaper," p. 640 of World's Work, April 1901 edition. Reproduced at http://www.ipass.net/~whitetho/part1.htm

I. de Sola Pool (editor), 1977. The Social Impact of the Telephone.Cambridge, Mass.: MIT Press.

I. de Sola Pool, 1983. Forecasting the Telephone: A Retrospective Technology Assessment.Ablex.

I. de Sola Pool, H. Inose, N. Takasaki, and R. Hurwitz, 1984. Communications Flows: A Census in the United States and Japan.Amsterdam: North-Holland.

S.J. Douglas, 1987. Inventing American Broadcasting.Baltimore: Johns Hopkins University Press.

J.S. Ettema, 1989. "Interactive electronic text in the United States: Can videotext ever go home again?," In: J. L. Salvaggio and J. Bryant (editors). Media Use in the Information Age: Emerging Patterns of Adoption and Consumer Use.Hillsdale, N.J.: Lawrence Erlbaum Associates, pp. 105-123.

C.S. Fischer, 1992. America Calling: A Social History of the Telephone to 1940. Berkeley: University of California Press.

S. Garfinkel, 2000. Database Nation: The Death of Privacy in the 21st Century. Sebastopol, Calif.: O'Reilly & Associates.

B.S. Greenberg, 1989. "Teletext in the United Kingdom: Patterns, attitudes, and behaviors of users," In: J. L. Salvaggio and J. Bryant (editors). Media Use in the Information Age: Emerging Patterns of Adoption and Consumer Use. Hillsdale, N.J.: Lawrence Erlbaum Associates, pp. 87-101.

D.C. Jackson, W.H. Crumb, and G.W. Wilder, 1907. Report on the Telephone Situation in the City of Chicago; In Respect to Service, Rates, Regulation of Rates, etc.; submitted to The Committee on Gas, Oil and Electric Light of the City Council of the City of Chicago. Chicago: Gunthorp-Warren Printing Co.

R.R. John, 1995. Spreading the News: The American Postal System from Franklin to Morse. Cambridge, Mass.: Harvard University Press.

J. E. Katz and P. Aspden, 1997. "A Nation of strangers?," Communications of the ACM, volume 40, number 12, pp. 81-86.

B. Klopfenstein, 1989. "Problems and potential of forecasting the adoption of new media," In: J. L. Salvaggio and J. Bryant (editors). Media Use in the Information Age: Emerging Patterns of Adoption and Consumer Use. Hillsdale, N.J.: Lawrence Erlbaum Associates, pp. 21-41.

J. Krause, 2000. "Global Crossing plans its media play," The Standard (27 March), at http://www.thestandard.com/article/display/0,1151,13209,00.html

M. Lesk, 1997. "How much information is there in the world?," unpublished paper, at http://www.lesk.com/mlesk/ksg97/ksg.html

J.C.R. Licklider, 1965. Libraries of the Future. Cambridge, Mass.: MIT Press.

J.C.R. Licklider and A. Vezza, 1978. "Applications of information technology," IEEE Proceedings, volume 66, pp. 1330-1346.

P. Lyman and H. R. Varian, 2000. "How much information?," at http://www.sims.berkeley.edu/how-much-info/

M. Margolis and D. Resnick, 1999. "Third Voice: Vox Populi Vox Dei?," First Monday, volume 4, number 10 (October), at http://firstmonday.org/issues/issue4_10/margolis/

A.M. Noll, 1997. Highway of Dreams: A Critical Appraisal of the Communications Superhighway. Mahwah, N.J.: Lawrence Erlbaum Associates.

A.M. Odlyzko, 1997. "The Slow evolution of electronic publishing," In: F. Rowland and A.J. Meadows (editors). Electronic Publishing '97: New Models and Opportunities: Proceedings of an ICCC/IFIP conference held at the University of Kent at Canterbury, England, 14-16 April 1997. Washington, D.C.: ICCC Press, pp. 4-18; and at http://www.research.att.com/~amo/

A.M. Odlyzko, 2000. "The Internet and other networks: Utilization rates and their implications," presented at the 1998 Telecommunications Policy Research Conference. Information Economics & Policy, volume 12, pp. 341-365; and at http://www.research.att.com/~amo/

A.M. Odlyzko, "The History of communications and its implications for the Internet," at http://www.research.att.com/~amo/

U.K. Office of Telecommunications, 2000. "November 2000 Market Information Update," at http://www.oftel.gov.uk/market/miu1100.pdf

Pew Internet & American Life Project, 2000. The holidays online: Emails and e-greetings outpace e-commerce, at http://63.210.24.35/reports/pdfs/PIP_Holiday_Report.pdf

B. Schlender, 2000. "Sony plays to win," Fortune, volume 141, number 9 (1 May), pp. 142+, at http://www.fortune.com/fortune/2000/05/01/mak.html

S. Smulyan, 1994. Selling Radio: The Commercialization of American Broadcasting, 1920-1934. Washington, D.C.: Smithsonian Institution Press.

B. St. Arnaud, 1997. "The Future of the Internet is NOT multimedia," Network World (November), at http://www.canarie.ca/~bstarn/future_internet.html

T. Standage, 1998. The Victorian Internet: The Remarkable Story of the Telegraph and the Nineteenth Century's On-line Pioneers. New York: Walker.

U.S. Census Bureau, 1999. Statistical Abstract of the United States 1999. Washington, D.C.: U.S. Government Printing Office, and at http://www.census.gov/prod/www/statistical-abstract-us.html

B. Winston, 1998. Media Technology and Society: A History: From the Telegraph to the Internet. New York: Routledge.

Editorial history

Paper received 8 January 2001; accepted 29 January 2001.

Copyright ©2001, First Monday

Content is Not King by Andrew Odlyzko
First Monday, volume 6, number 2 (February 2001),
URL: http://firstmonday.org/issues/issue6_2/odlyzko/index.html

February 12, 2006 at 11:00 AM in Telecommunications