Security

Journal: Barcode Scamming -- How RFID could save us all.

The Universal Product Code (UPC) barcode is a 12-digit code originally introduced to retailers in the 1970s. It is a simple technology that provides an effective method of managing groups of items in a store's inventory. We're all familiar with barcodes; they've become ubiquitous. Nearly every product has one, from penny candy to a $30,000 flat screen TV.

The problem with barcodes is how easy they are to create, or more importantly how easy they are to forge. All one must do is download a standard UPC barcode font from the internet and install it on their home computer.

An individual could walk into a store and write down the UPC code off of, let's say, a 15" flat screen monitor that costs $245. This would-be criminal then goes home and prints up a UPC code on a label from his home computer. Our criminal then returns to the store, places the label on a 21" flat screen computer monitor that retails for $995 and proceeds to the checkout counter.

When the would-be thief passes through the checkout stand, the cashier scans the product, rings up the sale and the criminal passes right through the front door with his thousand dollar monitor that he just bought with a $750 "instant rebate".

You have just witnessed the latest technological innovation in shoplifting, a crime I have termed "Barcode Scamming". The amount of damage a single criminal could do is staggering.

It doesn't have to be a thousand dollar transaction. A barcode scammer could simply take the code from a small box of XYZ Laundry detergent and place it on the Jumbo box. The cash register still displays "XYZ Laundry detergent" but the price isn't right, and who's going to notice?

This new crime has me up at night because unfortunately this type of crime is on the rise. As this crime grows, it has the potential to completely destabilize our entire nation's economy. Barcode Scamming is very difficult to catch as it is impractical to expect cashiers to inspect the barcode on every product that passes through the register.

Businesses are already losing untold billions of dollars per year because of shoplifters, a cost that is then passed to the honest consumer. Right now, shoplifters get away with whatever they can hide on their person, or sneak out the front door. Now, with the use of technology, these five finger discounters can pass through any register, pay for the 'discounted' merchandise and walk right past the security guard on the way out the door.

This is precisely why we need to replace the venerated UPC barcode with newer technologies such as the RFID tag or the recently unveiled "EPC Network" which is reported to be the next generation of barcodes, able to store 96 bits of information on a printed 'barcode'. EPC stands for Electronic Product Code and is currently being developed by the Massachusetts Institute of Technology, set to debut in Chicago at the EPC Symposium on September 15, 2003.

Radio Frequency Identification (RFID) technology uses a tag that contains a microchip that stores a product's ID number and serial number. RFID tags are similar to the theft deterrent tags that are attached to merchandise and trigger alarms at the gates of a store if they haven't been properly deactivated.

When scanned by an RFID scanner, the tag will wirelessly transmit its unique RFID number back to the scanner. This enables retailers to scan an entire pallet of merchandise into inventory without having to open a single box. Consumer privacy advocates are concerned that the technology could be abused by retailers to track products from the store shelf to the individual's home.
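The difference between a 12-digit UPC and a tag carrying a product ID plus a serial number, as an added example that is not part of the original journal entry: the UPC-A check digit only catches misreads, so a reprinted copy of a code validates exactly like the original, while a per-item serial lets a register notice the same tag being presented twice. The `SerializedRegister` class, the serial values and the sample UPC are constructed for illustration and do not model any real point-of-sale or EPC system.

```python
def upc_check_digit(first11: str) -> int:
    """UPC-A check digit for the first 11 digits of a 12-digit code."""
    if len(first11) != 11 or not first11.isdigit():
        raise ValueError("expected exactly 11 digits")
    odd = sum(int(d) for d in first11[0::2])    # 1st, 3rd, ... 11th digit
    even = sum(int(d) for d in first11[1::2])   # 2nd, 4th, ... 10th digit
    return (10 - (3 * odd + even) % 10) % 10


def upc_is_valid(code: str) -> bool:
    """True if the 12-digit code is well formed. Says nothing about the item."""
    return (len(code) == 12 and code.isdigit()
            and upc_check_digit(code[:11]) == int(code[11]))


class SerializedRegister:
    """Hypothetical checkout that tracks (product_id, serial) per item."""

    def __init__(self, received):
        self.in_stock = set(received)   # pairs logged when stock arrived
        self.sold = set()

    def sell(self, product_id: str, serial: int) -> str:
        tag = (product_id, serial)
        if tag in self.sold:
            return "reject: serial already sold"
        if tag not in self.in_stock:
            return "reject: serial never received"
        self.in_stock.remove(tag)
        self.sold.add(tag)
        return "ok"


def demo():
    upc = "036000291452"                 # sample UPC-A value used for the demo
    results = {
        "original_label": upc_is_valid(upc),
        "reprinted_copy": upc_is_valid(str(upc)),   # same digits, same answer
        "misread_digit": upc_is_valid("036000291453"),
    }
    reg = SerializedRegister({(upc, 1001), (upc, 1002)})  # constructed serials
    results["first_sale"] = reg.sell(upc, 1001)
    results["cloned_tag"] = reg.sell(upc, 1001)     # same serial seen again
    results["unknown_tag"] = reg.sell(upc, 9999)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The checksum result is identical for every unit of a product, which is why the register cannot tell an original label from a copy; only the serialized lookup produces a different answer for the second presentation.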

Retailers have been slow to adopt RFID tags due to the cost of the tags themselves. Tag manufacturers have been charged with bringing the cost down to 5 cents apiece. At that price, it becomes economical for distributors and retailers to deduct that nickel from their respective profit margins. The savings obtained by easier inventory management will be enough to compensate.

Of particular concern to me is a technology that is being developed by RSA Security to disrupt the transmission of information transmitted back from the RFID tags. RSA Security states that the purpose is not to disable the use of the tags, but to protect the privacy concerns of the customer. Regardless of its intended purpose, I am concerned by the development of any technology that could compromise the integrity of the RFID tag.

Regardless of the next generation of technology used, we must replace the venerated 12-bit barcode with a technology that can ensure the integrity of each retail transaction. Just like a nation must ensure the integrity of its national currency, product manufacturers and retailers alike must ensure the integrity of each retail transaction.

I say that the concerns voiced by the privacy advocates are unwarranted. The benefits provided by the use of these new technologies are far outweighed by the economic threat posed by keeping with the obsolete UPC code. Consumers aren't stupid; they'll steer clear of retailers that keep track of too much of their personal information. Grocery stores learned this lesson when they began losing customers once they started tracking customer purchases through the use of store discount cards.

Retailers simply want to increase the efficiency of managing their inventory, while at the same time maintaining the integrity of the products for sale in their store. RFID tags provide the necessary solution to this problem. In this case, the cost of not implementing the technology will soon far outweigh the costs associated with its implementation.

Security

Journal: Viruses vs. Worms -- What's the difference?

It seems there is confusion as to what makes a virus, and what makes a worm, what distinguishes the two and why any of this matters. There is a very clear and simple distinction between the two, and it astonishes me that 'industry experts' continually fail to properly distinguish them.

Simply stated: Viruses require user interaction to spread whereas worms exploit vulnerabilities in operating systems to spread and do not require any user interaction.

Put in its most simplistic terms:
To protect yourself from a virus, do nothing. To become infected by a worm, do nothing.

Allow me to explain.

Viruses require user interaction to spread. A virus can infect a file, being parasitic in nature, or it can be a free-standing application. If it is a free-standing application it is most commonly a Trojan horse: a malicious application whose true purpose is disguised until the user has been tricked into launching the application. Trojan horses are often used to install backdoors on machines, but all of these are clearly viruses.

The way to defend yourself from viruses is to either use an anti-virus program, or remain alert to the various malicious programs that exist out there and DON'T CLICK ON THEM.

I currently have several hundred viruses, Trojan horses and backdoors on my computer. They are all there for research purposes. I know they're there, I don't click on them, and I am not infected by any of them.

It is similar to the researchers at the Center for Disease Control (CDC) in Atlanta: they work with the Ebola virus every day. Does that mean they're infected with it? Of course not! They know the danger of the substances with which they work on a daily basis, and so do I.

A worm is a much different animal. The way you protect yourself from a worm is to patch the holes in your operating system. If you do nothing, and you remain connected to other computers on a network, you will become infected. Worms spread through vulnerabilities that exist in operating systems. If you patch your system, you have essentially become inoculated against the worm.

Folks are labeling the Swen virus as being a worm. While Swen does have some characteristics of a worm, its primary method of spreading is by user interaction, thereby making it a virus.

If you have failed to patch yourself against the MS01-020 vulnerability, then the Swen virus will spread when you simply view the email. The user interaction here is the viewing of the message. The MS01-020 vulnerability was discovered in 2001. Personally, if you haven't patched your computer since then, you've earned that victim status.
