You have reached one of the old pages on this site

I switched from Blogger to Movable Type on September 7, 2003. This page was made before that time. I'm keeping it here so that incoming links and bookmarks still work. No problem, really, just be aware that these old pages will not be updated. All of the old content was moved into Movable Type, and is accessible from the home page. We now return you to your regularly-scheduled blog.

Les Jones Blog
Knoxville Loses a Great Radio Station

100.3 FM "The River" is shutting down on Thursday. It was the number four station in town. Just two years ago they were number 11. A change to the Triple A format brought them legions of new listeners. Citadel bought 100.3 and its sister channels and decided The River's format didn't fit the company's needs, so they're closing the station, despite protests from local fans and musicians. More background info is available at Save 100.3 The River.

Melissa and I have our clock radio tuned to The River. We don't get out of bed until we've heard David Henley News or the Frank Files, and we love Phil Williams and "Dr. Phil." You guys are the most human voices on Knoxville radio.

The River is one of the few stations that promotes local concerts. You've been sponsors and enthusiastic promoters of the free Sundown in the City concert series and Rockin' on the River. We also appreciate that 100.3 is the home of Titans Radio, House of Blues, E-Town, and the Americana Cafe.

The morning crew has been worried about the loss of the files on their web site. Some of those files will be available on the Internet Archive. Here's a link to what's currently available at Archive.org. I hope that helps a little.

To Dave, Frank, and Phil: we love you, we hope to hear from you again soon, and remember that it wasn't you, it was the suits. You guys have heard of Murphy's Law: if anything can go wrong, it will go wrong. There's another one called Herblock's Law: if it's any good, they'll quit making it. The River is good, and so are you.

Best wishes,
Les and Melissa Jones
Louisville, TN

Tuesday, July 29, 2003 (7/29/2003 09:42:48 PM) Les

Kinko's Password Hijacking Case: Why You Need RSA SecurIDs

The recent hijacking of customer passwords at Kinko's in New York City illustrates the need for a security technology that most people have never heard of: RSA Security's SecurID.
(Disclaimer: I work for a network security services and products company, and one of the products on our line card is RSA Security. Another disclaimer: I'm in charge of our online sales and I'm familiar with the product lines, but that does not make me an expert on security.)

Here's what happened in the Kinko's case in a nutshell. A man named Juju Jiang installed keylogging software on rental computers at 14 Kinko's stores. The software, a commercial package called Keylogger, monitors keyboard input and records it to a log file which can be retrieved later to be scanned for usernames and passwords. Using this technique, Jiang captured login information from 450 people, including online banking logins. He pleaded guilty and awaits sentencing.

How could this have been prevented? In the discussion on Slashdot, someone recommended smart cards. Jester99 responded with sensible reasons why smart cards and biometrics aren't much better than simple passwords. Here's the money quote:

Card, biometrics, passwords... when it comes down to it, they're all just numbers on a wire. And no one of them is any more secure than any other.

Smart cards and biometrics have their uses. An ATM card and a PIN is more secure than a PIN alone, but part of the reason is that the bank controls the computers in that situation.

Juju Jiang installed a keystroke logger on Kinko's rental PCs. General purpose PCs aren't very secure. They have limited controls over software installation, input devices and output devices. Jiang could have installed a sniffer or a replacement hardware driver that logged signals from a fingerprint scanner, smart card, or other hardware token. If the fingerprint scanner was external, he could have replaced it with one of his own that recorded input to a flash memory card.

The key here is something called a replay attack.
If I observe you enter your username and password (using a keystroke logger, network sniffer, video camera, or the naked eye) I can replay your authentication data by typing your username and password at a later time on my computer. If I monitor the signals coming from your smart card or fingerprint scanner I can likewise replay those at a later time on my computer, even if it's a bit more difficult.

The fundamental problem is that the authentication data is always the same. What you need is a form of time-dependent authentication that has no potential for replay: a passcode with a built-in expiration.

The RSA SecurID

Enter RSA Security's SecurID. SecurIDs have a microchip, a numerical seed value unique to each device, a clock, and a battery. The devices come in several formats, including smart cards and keychain fobs, as well as software versions for Windows, Palm OS, and some Ericsson and Nokia mobile phones.

Every 60 seconds (30 seconds on some models) the device calculates a new passcode, based on the time of day and the seed value. When you log in to the remote office using your username, password, and passcode, an RSA ACE/Server at the remote office looks up your seed value in its database and performs the same calculation, based on the time of day, and verifies that you entered the correct passcode.

Even if I observe you entering the passcode, it does me no good. The passcode expires in 60 seconds (30 seconds on the more secure models), preventing replay attacks.

The downside? None, if cost is no object. The hardware tokens are about $60 per user, and the ACE/Server software runs about $100-$150 per user, depending on the version and the support package. So figure about $200 per user. So far, that price has kept the technology in the domain of the Feds, banks, and large corporations. RSA just introduced a starter kit for about $3,000 that includes the ACE/Server software, phone support, and key fobs for 25 users, and that may increase their customer base.
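The seed-plus-clock calculation described above, as an added example that is not part of the original post. The post does not describe SecurID's own algorithm, so this sketch substitutes the public HMAC-based TOTP construction (RFC 6238); the seed, user name and timestamps are constructed. The verifier also remembers the last window it accepted, so a captured passcode is refused even when it is replayed inside the same 60 seconds.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per passcode, the interval the post describes

def passcode(seed: bytes, now: float, step: int = STEP, digits: int = 6) -> str:
    """Token side: derive a passcode from the seed and the current time window."""
    counter = int(now // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server side: look up the user's seed and repeat the calculation."""
    def __init__(self, seeds, drift=1):
        self.seeds = seeds    # user -> seed (hypothetical in-memory database)
        self.drift = drift    # windows of clock skew tolerated either way
        self.last_used = {}   # user -> newest window already accepted

    def check(self, user: str, code: str, now: float) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = int(now // STEP)
        for window in range(current - self.drift, current + self.drift + 1):
            expected = passcode(seed, window * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                if window <= self.last_used.get(user, -1):
                    return False  # code already spent: replay inside the window
                self.last_used[user] = window
                return True
        return False

def demo():
    seeds = {"alice": b"constructed-seed-not-a-real-token"}
    server = Verifier(seeds)
    t0 = 1_059_480_000                       # constructed login time
    captured = passcode(seeds["alice"], t0)  # what a keylogger would record
    return {
        "login": server.check("alice", captured, t0),
        "replay_same_window": server.check("alice", captured, t0 + 10),
        "replay_later": server.check("alice", captured, t0 + 300),
        "next_code": server.check("alice", passcode(seeds["alice"], t0 + 300), t0 + 300),
    }
```

Without the `last_used` check, the captured passcode would still be accepted for the rest of its window and for the drift allowance after it.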
(7/29/2003 08:05:06 AM) Les
Which Les Jones are you?

I'm the good-looking one. In the early days of the web around 1994 someone did a WebCrawler search for "les or leslie or lesley or lester jones" and made a mailing list. There were hundreds of us. I graduated Maryville (TN) High School and the University of Tennessee, Knoxville (with a degree in biology). I worked for U.S. Internet until about a year after the IPO, and now work as an e-commerce manager in Knoxville. I was the author and owner of the award-winning 56K.COM from 1997 to 2003. Email me at blog(at)lesjones.com.