While "other events" are causing me to prevaricate over data protection legislation in the US, it's great to see this Wall Street Journal story (reprinted in the Contra Costa Times) on large software buyers pushing for liability clauses in their contracts.
"I'm paying the bill. Other companies are paying the bill," says Ed Amoroso, AT&T's chief information-security officer. "The software companies are not paying the bill." Amoroso says AT&T spends roughly $1 million a month just to patch its existing software. Testing and installing a single patch across AT&T's network can require as many as 30 people working full time for several days.

I like to see companies working out these arrangements amongst themselves, because, when the externalities don't splash onto us, it's a more efficient arrangement than new laws locking in a single set of liabilities for all parties. There may be issues of what clauses anyone can get into a Microsoft deal, but with increasing competition from OpenOffice, I expect those will get worked out over the next few years.
...But everyone is treading cautiously. For example, technology and security executives at big companies talk about getting tough on software makers. But their bosses -- chief executives -- don't always agree. Instead, the Business Roundtable, an association of CEOs, has focused on reducing liability exposure for technology users, not increasing it for software vendors. The CEO group opposes mandatory reporting of security breaches and requirements that companies meet minimum computer-security standards, for fear such moves could expose their companies to legal liability.
...BJ's Wholesale Club Inc. last year filed suit against International Business Machines Corp. for providing software that allegedly allowed thousands of credit-card numbers of BJ's customers to be stolen by an organized-crime ring last spring.
I have added a Choicepoint category, which is great if you want to see all my posts on Choicepoint on one long page, and I am no longer updating this roundup. I've been posting a lot on Choicepoint. I've done a number of roundup posts listing things I find interesting around the web, and a number of analysis posts.
Having already posted a Feb 28th roundup a day early, I was forced to think about a new title for today's edition, and what better than the $16.6 million that ChoicePoint CEO Derek Smith and President Douglas Curling have made selling 472,000 shares of CPS since the day before the first arrest in the case? (Use Bugmenot for a login to AJC.)
I accidentally published this too early, but given the nature of trackbacks, and other such privacy-invasive technologies, it's too late. You know my secret. I accumulate and then (try to) post in the morning.
Pete Lindstrom suggests:
My proposal: List SSNs publicly. The Social Security Agency can notify all of its intent to publish all SSNs at some point in the future - enough time for organizations to absorb and react to this news.

Firstly, banks already know that SSNs make lousy identifiers and authenticators. They won't admit that to you as a customer, but talk to bank security experts at a conference, and they're all searching for something that's better, as easy to use, hard to lose, and lets them transfer risk elsewhere. The net result is to eliminate the notion that perhaps SSNs are "secure enough" for some purposes given that they are at least slightly less-widely distributed than other identity demographics.

Let's continue considering the banker's perspective. They could try to use something other than an SSN as an identifier. But then they have to staff a help desk to recover lost passwords. The security of the system may go down because of the recovery mechanism, as it did with Paris Hilton using her dog's name as the answer to her password-recovery question. So the banker's costs have gone up, and his security hasn't. Now let's say the SSN is public, and the banker chooses not to change his procedures.
What's going to happen to the banker? Is the fact that an SSN is public going to change anything? Will courts suddenly start ruling differently on it? The bankers will close ranks, and describe this as "standard industry practice." They will announce that, net of all the options, they all stink, and go home.
I remember a conversation at the first Financial Crypto with Michael Froomkin, about US crypto export controls. At some point, he said "All the neat technology demos in the world won't change the judge's mind." Publishing a list of SSNs is no different than publishing the source code to PGP. The courts will defer to Congress the creation of new liabilities.
Thus the right focus for reform is to ensure that the law Congress shall pass includes elements of California's 1386 (requiring disclosure of breaches), 116 (forbidding the use of SSNs as identifiers), and a new provision forbidding the use of birthday, mother's maiden name, or social security number as an identifier or authenticator. The law should impose strict liability on anyone who does either of the latter two, or who fails to disclose a breach in a timely manner.
A group that wants to assist free speech in authoritarian nations is looking for a technically savvy person -- a CTO or lead engineer type -- who can do a short term study, possibly leading to a longer-term job. This is a paying gig for the right person. (Via Dan Gillmor.)

The project is intended, in its initial form, to make possible blogging that is impossible (or at least extremely difficult) to trace. One of the people involved calls it an "anonymous, anti-tyranny blogging service."
Blah blah, Choicepoint blather blah.
"If a company this central to this [surveillance] process is this careless, I think we should definitely step back and wonder about data mining," he added.
As Choicepoint's little error threatens to grow into a full-blown scandal, with Attorneys-General posturing, Congressional hearings, and daily press coverage in every state of the Union, it may be worth stepping back and asking, "Why is this happening?" It's not just the size of the exposure; both Bank of America and PayMaxx are larger. It may be the nature of the exposure, where a company whose victims have never heard of it is trafficking in gossip about them, rather than providing them services. It may be Choicepoint's history, what with voting rolls problems in Florida, Mexico, and lord knows where else.

The largest reason this is a problem is that Choicepoint can't get their heads around the story. The story is about 145,000 Americans at risk. Yet Choicepoint's press release is really about how inconvenient this is...for them.
ChoicePoint is actively engaged with local and federal law enforcement agencies in the continuing investigation of a fraud committed against us, through which a small number of very organized criminals posing as legitimate companies gained access to personal information about consumers. This incident was not a breach of ChoicePoint's network or a "hacking" incident, and did not involve any of ChoicePoint's customer information.

(From "Choicepoint's Response to Customer Fraud Litigation," linked on their home page.)

Why is it that Choicepoint can't say that they're sorry? (Dan Gillmor pointed to David Lazarus asking this question.)
The answer lies in the orientation of the company, that is, their worldview, which is coloring their glasses as they respond. In Choicepoint-land, they are a trusted provider of information, helping businesses and governments make better decisions about the unwashed masses who want to attack, cheat, and commit fraud. In this world, those unwashed masses, who aren't Choicepoint customers, aren't touched by this fraud. "No Choicepoint customer information was involved." In Choicepoint-land, the folks that matter are the business and government customers, not the "consumers" who are being discussed. And their press activity is centered on these folks. The cultural traditions of the company, the analysis they perform, and their prior experience have all combined to make them successful through focusing on these customers.
But American citizens -- not consumers, thank you very much -- are tired of being treated as lines in a database. We are individually and collectively outraged. Choicepoint has not only no experience in talking to us, they have actively sought to avoid it. And now, they are reaping what they have sown. A national dialog on data warehousing is happening, and they're not a participant. Now they know how we feel.
I wasn't going to blog on BofA's little kerfuffle. But then Ian went and blogged about it, and I think he gets it partially right and partially very wrong. His actual conclusion is spot on:
In order to share the information, and raise the knowledge of what's important and what's not, we may have to get over the finger pointing. That may mean we have to go through several ChoicePoints, if only so that it can become routine and not scandalous. Bank of America is thus timely and expected; although I don't think anyone else is likely to see it that way.

Ian is right about this: We need more routine disclosure of security incidents. We need to know what caused them, what mechanisms were used to get in, and how they were detected, so we can learn from them. This will be a slightly painful transition, but most companies with security issues are not facing a Choicepoint-scale scandal.

There's an important reason that Choicepoint and BofA are different in the consumer's mind. Everyone affected by this is carrying a BofA card in their wallet. They understand that BofA knows about them. In contrast, most of the stories on Choicepoint had to start out by explaining that this company exists, to spy on Americans, and oops, they can't keep track of their own customers. Choicepoint has also managed to totally mangle their public relations because of their orientation and world-view. I'll say more about that shortly.

Therefore, Bank of America, PayMaxx, and anyone else who's releasing their 1386 notices this week aren't really going to draw heat away from Choicepoint. It's still going to be the focus of the story.
[I have lots more on Choicepoint, visit the main page, or the February archive.] [Update: I said Maxxpay, because I hadn't had enough coffee when I wrote this.]
Blog*on*Nymity looks really good. Thanks to Stefan Brands for the pointer.
Reason has an article on firearms and civil rights.
This dialog box is modal. It has no "take me there" button. Even having taken notes, I couldn't figure out how to follow the instructions. You can "clear formatting" and make spell checking work again. A double-feh at Redmond. I take back all the mean things I said about Firefox this morning.
So everyone seems to be accepting at face value the claim that Choicepoint was scammed by Olatunji Oluwatosin and colleagues not yet named. But let's step back, and ask, was there a scam? Why did these folks need to cheat? Was it habit, or necessity? What was really needed to get a Choicepoint account of this sort? (And given that they're changing it, what will be needed?) Could I set up Adam's Background Checking tomorrow, and be able to access this data?
Choicepoint claims to traffic in public records, so really, what's stopping me? Why shouldn't they be selling me this stuff? Can I use the stuff they'd sell me for identity theft? Where are the non-public bits? What's the need for a scam?
David Akin says CIBC is getting sued for faxing information around. Prior posts are "Privacy Lessons from CIBC" and "Canadian privacy law & CIBC."

19 days after the vulnerability was announced, Mozilla releases Firefox 1.0.1.
Many victims are dumbfounded by the dearth of federal and state laws aimed at protecting their credit histories and other information about them that data brokers gather and sell to institutions including news organizations, banks and, increasingly, companies vetting prospective employees. Victims are also frustrated by the amount of time it takes to re-establish identities.
'California is the focus of the investigation and we don't have any evidence to indicate at this point that the situation has spread beyond California.' Is he the same guy that wrote their slogan?
Roger McNamee has an article on how Sarbanes-Oxley is hurting public companies by making their guidance more conservative than it should be.

It's hard for executives to avoid providing some form of guidance – investors generally insist on it – but they have a big incentive to understate the outlook early in the fiscal year. As annoying as the recent sell-off must be to executives, it is the lesser of two evils. No executive wants to invite shareholder litigation by falling short of aggressive guidance, so most execs put out the lowest guidance they think they can get away with. As the year progresses, the guidance window gets shorter and shorter, and the trend line in fundamentals provides investors with greater confidence in the outlook for the year.

When you combine that problem with the increased bar for a company to go public, which I wrote about in Sarbox and Venture Capital, the damage done by laws passed quickly becomes increasingly clear. Which is all the more reason to take our time and write a decent privacy law in the aftermath of Choicepoint.
In Today's Choicepoint Roundup, I mentioned that Richard Smith had found a number of issues with Choicepoint's web sites. In discussion, Richard told me that the issues included (but were not limited to) robots.txt files and directory listings enabled.
The robots.txt standard is a way to tell search engines "please don't go here." That's useful if you have a section of the site that's database driven and can send a crawler into an infinite loop, of no value to either the search engine or your site. It can also be used to say "please don't index these 'secret' documents." But then those documents are not only not secret, the very file that's supposed to hide them points straight at them, so someone gathering data knows exactly where to look. That person is not an attacker; you chose to put that data on the web without any protection.

Similarly, directory listings being enabled may or may not be a security issue. You may want all users to be able to see every document in a directory. Or you might have made a mistake, and the listing now reveals files that nothing links to.

When building automated vulnerability scanners of any sort, these issues raise thorny questions. This applies across the spectrum, from Nessus-style credential-free scanners that look for known vulnerabilities, to Nikto, looking for classes of common implementation flaws, to static code analyzers like Splint. You'll always find things which may or may not be ok in context. A system running a web server may be running your corporate web server, or it may be running, forgotten, on a developer's desktop, full of flaws. That strcpy(foo, bar) may never see attacker-provided data. The creators of these tools try to categorize and describe what they've found to help their users. Consultants offering a service around the tools can learn what questions to ask, to help sort through the issues faster, and focus on those that matter.
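To make the two findings above concrete, here is an added example (my own illustration, not code from Richard Smith, Choicepoint, or any scanner mentioned): it parses a constructed robots.txt and a constructed Apache-style "Index of" page, and reports what a Nikto-style tool would hand to a human for judgement. The sample robots.txt, the listing page, and the list of "sensitive-looking" keywords are all made up for the example; a real review would use the site's own files and tune the keywords to the target.

```python
"""Review two web misconfigurations: robots.txt Disallow entries that
advertise 'secret' paths, and directory listings that expose file names.
All inputs below are constructed for this example; nothing is fetched."""
from html.parser import HTMLParser

# Constructed sample robots.txt (not from any real site).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /search?        # crawler trap, not a secret
Disallow: /internal/reports/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
Disallow: /beta/
"""

# Constructed Apache-style auto-index page for /backup/.
SAMPLE_INDEX = """<html><head><title>Index of /backup/</title></head>
<body><h1>Index of /backup/</h1>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/">Parent Directory</a>
<a href="customers-2004.csv">customers-2004.csv</a>
<a href="db.sql.gz">db.sql.gz</a>
<a href="notes/">notes/</a>
</body></html>"""

# Assumed keyword list; a real review would tune this to the site.
SENSITIVE_HINTS = ("admin", "backup", "internal", "private", "secret", "config", "tmp")


def parse_robots(text):
    """Return {user_agent: [disallowed paths]}. Comments and blank lines are
    ignored; Allow lines end the User-agent block but are not recorded, since
    only Disallow entries advertise places the operator wants hidden."""
    rules, agents, in_rules = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:  # a User-agent line after rules starts a new record
                agents, in_rules = [], False
            agents.append(value)
            rules.setdefault(value, [])
        elif field in ("disallow", "allow"):
            in_rules = True
            if field == "disallow" and value:
                for ua in agents:
                    rules[ua].append(value)
    return rules


def flag_sensitive(paths, hints=SENSITIVE_HINTS):
    """Keep only paths whose names suggest hidden content rather than a
    crawler trap such as /search?."""
    return [p for p in paths if any(h in p.lower() for h in hints)]


class _IndexLinks(HTMLParser):
    """Collect the <title> text and every <a href> on a page."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title, self.hrefs = "", False, []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_directory_listing(html):
    """Return (is_listing, entries). A page counts as an auto-generated listing
    when its title starts with 'Index of'; sort links (?C=...) and the
    parent-directory link are dropped so only real entries remain."""
    p = _IndexLinks()
    p.feed(html)
    if not p.title.strip().startswith("Index of"):
        return False, []
    entries = [h for h in p.hrefs if not h.startswith("?") and h not in ("/", "../")]
    return True, entries


def review(robots_text, listing_pages):
    """listing_pages maps a path to its HTML body. Returns (path, note) pairs
    the way a scanner would: findings for a human to judge in context."""
    findings = []
    for ua, paths in parse_robots(robots_text).items():
        for p in flag_sensitive(paths):
            findings.append((p, f"robots.txt ({ua}) disallows a sensitive-looking path"))
    for path, html in listing_pages.items():
        is_listing, entries = parse_directory_listing(html)
        if is_listing:
            findings.append((path, f"directory listing enabled, {len(entries)} entries visible"))
    return findings


if __name__ == "__main__":
    for path, note in review(SAMPLE_ROBOTS, {"/backup/": SAMPLE_INDEX}):
        print(f"{path}: {note}")
```

Run as a script it prints three findings: two robots.txt paths and one open listing. Note what the tool cannot decide: /cgi-bin/ and /search? are dropped only because of a keyword list, and an "Index of" page may be intentional; that sorting is exactly the context question the paragraph above describes.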
Similarly, an outsider looking at T-Mobile, Choicepoint, or PayMaxx suffers from trying to interpret what they see, perhaps trying to explain to a company that they're not trying to hack the site, but that they stumbled across the issue.
I often see things which make me question "Hey, is there a serious security issue here?" and the answer is usually determinable within 5 minutes. Since I'm trying to do business with the company (which is why I'm on their site), I'd like the issue fixed.
Mature disclosure models need to improve not only the researcher side, but the way vulnerability reports are received. ("Pre