March 31, 2005

Choicepoint, March 29-31

(Posted by adam)

  • Alacrablog discusses a Morgan Stanley research report:
    Certainly manageable numbers, but I think the report underplays both the potential growth in these markets prior to these incidents and the rising costs due to increasing regulation of the data brokers.
    There's also an interesting post rounding up the SIA Anti-Money Laundering conference.
  • The Atlanta Business Journal reports that the Georgia House has passed a notification law.
  • Choicepoint may be developing an access system, according to a March 31 AP story that's only been picked up by the Kansas City Star (bugmenot has logins):
    "You will receive the reports that we have on you," Don McGuffey, the firm's vice president for data acquisition, told the state's Senate's Banking, Finance and Insurance Committee on Wednesday.
    It doesn't seem that they'll be moving towards the right of correction. Rather, you need to convince whoever reported bad data to correct it, and they will update Choicepoint. (Based on past evidence.) Compare this to credit reporting agencies, who have to include your corrections or disputes. Michael Zimmer has comments as well.
  • Bruce Schneier quotes a Register article:
    Sadly, Congress's response has been to increase the penalties for identity theft, rather than to regulate access to, and use of, personal data by merchants, marketers, and data miners. Incredibly, the only person with absolutely no control over the collection, storage, security, and use of such sensitive information is its actual owner.

    For this reason, it's literally impossible for an individual to prevent identity theft and credit card fraud, and it will remain impossible until Congress sees fit to regulate the privacy invasion industry.

  • And Mark Earnest makes a similar point.
  • Finally, today's Two Minutes Hate Irony is brought to you by "Ayn Rand is my Homegirl," carrying a press release from
    Executive Alliance, Inc., the premier provider of leadership-recognition forums, today announced that it has named the Distinguished Panel of Judges for the first annual Information Security Executive of the Year (ISE) Midwest Awards(TM) 2005
    The judges panel includes:
    Rich Baich, Chief Information Security Officer, ChoicePoint (Winner of the 2004 ISE in Georgia Award™)
    ... Leo Cronin, Senior Director, Information Security, LexisNexis Group (Finalist of the 2004 ISE National Awards™)
    Apparently, UC Berkeley doesn't have a CSO.
My Choicepoint posts all show up in the Choicepoint category archive.

Posted by adam on March 31, 2005 at 10:30 AM in Choicepoint.

"Public Availability of Private Information"

(Posted by adam)

Screendiscussion makes a case for criminal records searching as an adjunct to a background check:

One of the biggest downsides is that the records can only be searched by name, an occurrence that is becoming more common even at the lower courts. This might not be a problem if the name being searched is pretty unique, but if someone has been cursed with a common name then look out.

...
While it makes sense to curb identity theft by not providing a person’s name, date of birth and Social Security Number to the general public, in practice it’s a double-edged sword. Identity theft is limited, but it also means that an employer has to deal with how to use the information in deciding whether or not to make a job offer. There have been plenty of situations where a person wasn’t offered a job because of faulty information retrieved in a background check, and this newer practice doesn’t help things much.

I think the problem with this is that it's a self-fulfilling prophecy: as national criminal background checks become possible, liability avoidance makes them mandatory. As they become mandatory, more and more data is made public. But they'll never be perfect. So should we be going in that direction, or choosing to keep background checks expensive, so that employers are less tempted to perform them?

Posted by adam on March 31, 2005 at 9:47 AM in ID Management.

March 30, 2005

Three Times is Enemy Action

(Posted by adam)

With the announcement yesterday of a stolen laptop with 30 years of alumni social security numbers on it, and the October break-in that led to 1.4 million people being exposed, how long until California forbids the University from holding such numbers? Clearly, they're not to be trusted; students have no choice but to provide that information; government action is called for.

Posted by adam on March 30, 2005 at 11:50 AM in ID Management.

P2P, Filenames

(Posted by adam)

The other day, Samablog and I did some P2P mining, after Michelle Malkin blogged about it. She links to P2P Provides Safe Haven For Pedophiles. There, Rick shows screen captures of extremely disgusting file names ("2 yo getting raped during diaper change"). He doesn't download any files, but takes this as evidence for his title.

I don't want to defend such sick behavior, but there are some things worth thinking about. First, are these files what they purport to be? That is, are they child porn, or are they trojan horses carrying spyware or viruses? (They could also be 5 minutes of someone screaming "You sick, sick bastard! Go get help!") Second, are they being distributed by law enforcement or investigative agencies, who log every search and transfer?

So, it's pretty quick and easy to come up with interpretations of the evidence that aren't "P2P Provides Safe Haven For Pedophiles." I have no interest in downloading such files to test the "alternate content" theories. An interesting test would be to run such searches, and dig into the IP addresses sharing such files. Maybe they are law enforcement?

Posted by adam on March 30, 2005 at 11:42 AM in information security.

March 29, 2005

Optimism about the Future

(Posted by adam)

I was talking to someone about a New York Times story "U.S. Is Examining a Plan to Bolster the Rights of Detainees." The story contains the line:

Those changes include strengthening the rights of defendants, establishing more independent judges to lead the panels and barring confessions obtained by torture, the officials said.

I made a snide comment about just including those confessions in the secret evidence that we won't show defense attorneys. He commented that it's actually a step forward, and he's right. I am deeply saddened that the United States is taking a step forward to exclude torture-derived evidence, but glad that things are heading back towards normal.

The pessimist in me says that there are liberties that we'll never regain. The banking system is probably permanently tied to "know thy customer" rules. Air travel will never again be as easy as it was. Tourism will never get back to where it was. The psychological intrusiveness of the measures chosen for the US Visit program deters visitors from coming to the US. Even if you think the program is useful, it could have been better implemented. Poor choices include fingerprinting rather than other biometrics such as hand geometry, which aren't associated with criminality, and the extensive secondary uses of the data, so that it continues to track you through your entire life, not just your entry to and exit from the US.

We don't know what great things might have happened with the liberty that we've lost. We've chosen to accept fear over hope. To allow fear and pessimism to infect our thinking. I'll try to do better. To laugh at the fearmongers, rather than cry. To pursue happiness.

Posted by adam on March 29, 2005 at 10:54 AM in Liberty.

March 28, 2005

Choicepoint, March 27-28

(Posted by adam)

  • EPIC has obtained documents which...
    ... reveal that Choicepoint proposed the sale of detailed personal information to the Bureau for law enforcement purposes. The documents show an extraordinary range of data sources, including e-mail registration, cookies, spyware, employment screening reports, motor vehicle records, drug screening results, professional licensing, Social Security Numbers, wireless phones records, and calling card data. One memo also discussed the availability of information on Europeans, Latin Americans, Asians, and Africans.
    (Via McGeek.) Choicepoint, meanwhile, denies that this is against the law, but not that the offer was on the table.
  • Hank Asher, founder of Database Technologies (involved in the Florida voting scandal) and later Seisint, makers of MATRIX, has settled five lawsuits with various companies, including Choicepoint, according to this mysterious press release. Some lists of motions are online. (Thanks N!) The South Florida Business Journal has an article:
    "A big part of why I settled the case is it would take three, four, five years to litigate," Asher said. "I don't know how much will be left of them [ChoicePoint]."
  • Former Wal-Mart director Thomas Coughlin, who has resigned after improprieties, remains in charge of Choicepoint's Audit committee, according to the Atlanta Journal Constitution.
The best way to see all my Choicepoint posts is probably the category archive for Choicepoint.

Posted by adam on March 28, 2005 at 11:24 PM in Choicepoint.

Emergent Predictions

(Posted by adam)

  1. By the end of 2005, we will have had a month with at least 30 disclosures of serious security breaches, making private information about people available.
  2. At least 10 of these breaches will involve data which organizations are required by law to store and protect.
  3. This will cause a set of Congressional hearings, in which the current data retention standards will be questioned. No reduction in government-mandated data collection will result.
Posted by adam on March 28, 2005 at 1:57 PM in information security.

Watch Lists: Juan Carlos Merida

(Posted by adam)

Juan Carlos Merida is an unusual victim of the watch lists. He knows why he's on one. As the New York Times reports, while a volunteer at the Airman Flight School, he gave rides to lots of students. The students he gave rides to included Zacarias Moussaoui, who is currently awaiting trial on suspicion of being a part of the Sept 11th attacks.

But even knowing why he's on the lists isn't helping him clear his name.

Update: Michael Froomkin caught a detail I skimmed over, and its implications, in "The Insidious Effects of Security State Blacklists."

I've discussed the concept of watch lists before.

Posted by adam on March 28, 2005 at 12:48 PM in Liberty.

RFID Kills

(Posted by adam)

The US Government is pushing a plan to add radios to every passport in the world. These radios will broadcast all the information in your passport to any immigration officer, ID thief, or terrorist who wants it.

Want to see if there are more Americans on the right or left side of the plaza? No problem. Uncle Sam is helping the terrorists. There is no good reason for this. Canada, Germany, the Netherlands and Britain have all opposed this. The technical term for these chips is RFID, but really, they're just small radios that invite thugs and terrorists to attack you as you travel abroad. If we need electronic chips in passports, they don't need to include radios. I've never even seen anyone make an argument for the radios.

I've covered this in RFID Passport data won't be encrypted and The Open Passport, and in small bits have pointed to articles by Ian Grigg and Ryan Singel.

Bill Scannell has set up a web site to make it easy to send your comments to Uncle Sam. Take five minutes and tell them: No RFID chips in passports. They don't make sense, and RFID Kills.

Posted by adam on March 28, 2005 at 10:35 AM in personal security.

March 27, 2005

Microsoft Security Lifecycle

(Posted by adam)

Michael Howard mentions that Microsoft has published their Software Development Lifecycle for security.

Slag all you want, but I don't see a lot of other vendors doing this. And now, if you need leverage to get buy in, you can either say, "We should emulate Microsoft..." or "Even Microsoft does..." It's a win. Thanks for making it available.

Posted by adam on March 27, 2005 at 8:21 PM in information security.

Framing Effects & Law Reviews

(Posted by adam)

"Framing effects" is the term academics in a variety of fields use for the contextual effects on perception: the way the presentation of a fact shapes how it is judged. For example, six months ago this laptop went for $4,800, and now it's just $3,500! Similarly, law reviews, where lawyers write for each other, are usually exceptionally long, from my perspective. And so we get Orin Kerr saying:

Fun, Entertaining, Clever, and Short: Believe it or not, that's a description of a forthcoming law review article. Yes, a law review article. Check out The Perfect Crime, by law prof Brian C. Kalt, forthcoming in the Georgetown Law Journal. It clocks in at 22 amusing double-spaced pages...

Yes, in law review-world, that's short. In my world, this is slightly fun, mildly entertaining, clever in a sort of self-referentially post-modern fashion and short, at slightly over 22 words.

Posted by adam on March 27, 2005 at 3:35 PM in Amusements.

Small Bits: Long tunnels, Marburg virus, Cyber Cons

(Posted by adam)

  • Iraqi prisoners have dug a 200m tunnel out of one of the US run prisons in Iraq. The BBC has pictures.
  • The Marburg virus is spreading in Angola. Marburg is an Ebola-like haemorrhagic agent. Some analysis.
  • Charles Cooper has some commentary ranting about the state of the information security industry at cnet:
    It's tempting to become cynical about so sensitive a subject, but the blunt truth is that Americans care more about the ultimate outcome of "American Idol" than they do about repairing the nation's IT infrastructure. Outside of the confines of the security nerds who live and breathe this stuff, most folks are bored silly by the subject.
  • If you're not bored silly by this stuff, Not Bad for a Cubicle has a nice post on The Costs of Keeping Data. If you're responsible for security programs, you should read what he says about your costs and risks.
Posted by adam on March 27, 2005 at 12:54 PM.

March 26, 2005

Lying to Congress, Murdering Prisoners Now Legal

(Posted by adam)

Ryan Singel reports that lying to Congress is now legal, at least according to TSA spokeswoman Amy Von Walter. "Von Walter also indicated the agency is working to make sure that the public and Congress are better informed about the agency's actions."

In other news, the Pentagon will ignore the recommendation of the Army Criminal Investigation Command to try the soldiers responsible for the deaths of detainees. Michael Froomkin has commentary.

Next up, sending prisoners to Egypt, and then seven or eight other things.

Posted by adam on March 26, 2005 at 10:16 AM in Liberty.

Choicepoint, March 24/25

(Posted by adam)

  • The Federal Reserve has joined the FDIC in ordering banks to notify customers of breaches.
  • Forbes reports that Choicepoint director Thomas Coughlin has resigned his day job at Wal-Mart: "A senior board member of Wal-Mart Stores Inc. resigned Friday following an internal investigation related to personal reimbursements, billing and company gift cards."
  • [Choicepoint CEO] Derek Smith has apparently received threats via fax, according to TV station WXIA Atlanta. Here's a cheat sheet for you:
    • Denying his job application because of a Texas criminal record: Entertaining.
    • Sending him Nigerian spam from a Kinko's in LA: Self-referentially ironically cool.
    • Sending threats: Not cool.
  • Scott Berinato has a column at CSO Magazine calling this the Waterloo of information security. (Is there a permalink to that column?)
  • The Christian Science Monitor has an editorial entitled "Locking Out Identity Thieves." The subtitle is "Why are data collectors blocking efforts to require notice of a security breach?"
    One problem that critics point out: Consumers might also limit their own ability to obtain credit. But that's a small price to pay for privacy and a more secure online identity.
The best way to see all my Choicepoint posts is probably the category archive for Choicepoint. [Update: added Berinato column, 2: Identified Smith]

Posted by adam on March 26, 2005 at 9:59 AM in Choicepoint.

March 25, 2005

Security In a Changing Nation

(Posted by adam)

Screendiscussion responds to my comments about "Three Privacy Breaches" in Security In a Changing Nation. He sums up his argument as "Why? The reason is that we, as a nation, have become extremely security conscious in the past few years." I think this is only partially correct. I suspect that this is part of it. Perhaps that consciousness also entails an understanding that no one is perfect? That the attacker only needs to win once? That a cover-up is a worse sin than a mistake?

I suspect it's the last bit: we're coming to see security mistakes as mistakes, which will happen. I think we need to start designing systems with that in mind.

Posted by adam on March 25, 2005 at 5:37 PM.

Small Bits of Chaos: Anonymity, Citizenship

(Posted by adam)

Posted by adam on March 25, 2005 at 5:35 PM in Amusements.

Discretionary Disclosure

(Posted by adam)

A man who pleaded guilty to hacking into an Arkansas data company's computer system and stealing personal identification files was sentenced Wednesday to nearly four years in federal prison.

Daniel J. Baas, 26, of suburban Milford, entered his plea in December 2003, after being indicted that August.

Baas was a systems administrator for Market Intelligence Group, which had an agreement to analyze data for Acxiom Corp., of Little Rock, Ark., when he exceeded his authorized access and downloaded encrypted password files, prosecutors said.

In a plea agreement, Baas admitted that he stole the data between January 2001 and January 2003 and stored it on computer disks at his home, prosecutors said. On Wednesday, U.S. District Judge Susan Dlott sentenced Baas to 45 months in prison.

Acxiom's clients include credit card issuers, banks, auto manufacturers, telecommunications companies and retailers. Baas bragged to other hackers that he had the files, but didn't share them with anyone, prosecutors said.

According to Robert O'Harrow's "No Place to Hide," p. 72, the company chose not to notify: "A company official said that the information was simply not that sensitive and 'did not meet a threshold that would require customer notification.'" (Update: Try this Google Print link.)

Acxiom's data would be covered under California law, the new laws that a number of states are putting in place after Choicepoint, but not the FDIC, FRB, or OCC regulations that have been put forth.

Posted by adam on March 25, 2005 at 1:40 PM in ID Management.

Disclosure Laws & Regulations

(Posted by adam)

Declan McCullagh writes about new rules requiring banks to disclose breaches, as promulgated by an alphabet soup of federal regulators.

A brief digression: The new guidelines seem to make sense, but it's difficult to figure out whether they go too far or not far enough. Normally consumers can shop around and choose products based on a whole range of different options.

For instance, a hypothetical BankSuperSecure might employ only bonded employees with government security clearances and hire armed guards to watch these employees all the time. Those security measures would probably reduce the chance of insider shenanigans -- but would come at a substantial cost that would be passed on to consumers in the form of lower interest rates on savings accounts and higher interest rates on loans and credit cards.

Its hypothetical competitor CheapDiscountBank might take less rigorous security mechanisms but offer far better terms on savings accounts and loans. In this scenario (let's assume that the banks were required to disclose their respective approaches to security), consumers could choose what risks they're willing to take and companies could experiment. Because that process doesn't exist today, we end up with a one-size-fits-all rule that sets both a security floor and also a de facto ceiling that banks seem unwilling to exceed. It's difficult to know whether that security "level" is the best one for consumers.

I'll suggest that the new rules don't go far enough. As the Washington Post story (archived here) explains: "If the organization determines that misuse is unlikely, it need not report the breach to its customers." So CheapDiscountBank might have one criterion for that determination, while BankSuperSecure has another. But consumers won't be able to compare them. As the regulation says, "It also should generally describe what the institution has done to protect the customers' information from further unauthorized access." Generally describe? How can I assess a general description? (A non-expert consumer might have difficulty, but could turn to Consumer Reports, or other trusted sources, for advice.)

Also, federally mandated "know thy customer" regulations require banks to gather, authenticate, and store everything an ID thief needs to go about their business. SuperSecureBank might promise to throw away all the non-essential data, so that they can't have a breach. SuperSecure could thus lower their costs and increase their security. It's too bad that a mere $50 billion in annual losses doesn't prompt a review of how we've organized the regulatory regime.

Posted by adam on March 25, 2005 at 12:39 PM in Economics.

March 24, 2005

"A Unified Theory of VC Suckage"

(Posted by adam)

Brad Feld pointed to an essay by Paul Graham, entitled "A Unified Theory of VC Suckage." (VC is short for venture capitalist, the folks who invest in certain types of startup companies.)

I used to take it for granted that VCs were like this. Complaining that VCs were jerks used to seem as naive to me as complaining that users didn't read the reference manual. Of course VCs were jerks. How could it be otherwise?

But I realize now that they're not intrinsically jerks. VCs are like car salesmen or petty bureaucrats: the nature of their work turns them into jerks.

What I really like about Paul's essay is that it talks about some of the economic pressures on VC funds, and how those pressures get pushed to startups.

This is a strange thing for a startup guy to say, but I have a lot of sympathy for venture capitalists. In some ways, a VC fund is like a startup. You have some guys who know something about business. They go out looking for money. If they get the money, they have 10 years to make good on it. I might get pilloried for this next sentence by people who skim past why I'm saying it: unlike a startup, most VCs have relatively little in the way of compelling advantages. That's not to say that investors are indistinguishable, only that it's even harder for a VC firm to create, maintain, and communicate a compelling advantage over the other firms.

Most investors don't get to build disruptive technology. They get slight first-mover advantages. Most VCs are in cutthroat competition with other VCs for the ability to put cash into a few good companies, and a lot of 'maybes.' A good investor brings good strategic advice, a big rolodex, and a willingness to work for you. Well, so does that other fund. Compare this to a startup, which can get a strong first-mover advantage by building, say, a database that's 10 times faster, or by signing six customers in the Fortune 500.

So I think, to extend Paul's economic analysis of why investors and startups clash, it goes back to the limited partners who invest in venture capital funds, and the way they need to behave.

As a side comment, Rick Segal asks:

And what is this issue with a liquidity event? Why is that evil? What's wrong with making some coin, selling companies, IPOs, mergers, whatever. I've yet to see anybody, Paul included, give me a compelling reason why this aspect of venture capital means we all suck.

Let me start by reiterating that I don't buy the suckage claim. At the same time, there are businesses which may look like VC-fundable businesses and, to everyone's surprise, turn out to be organic-growth sorts of businesses. For these companies, which need to contort to give their investors an exit, the liquidity requirement can suck. If the investors and CFO are good, I think there are usually options, such as a management-led leveraged buyout, or converting equity to debt and giving the cash to the investors. But, really, the issue is that VC firms are on a ten-year schedule, and that creates pressure on the startups to be on (at most) a 5-6 year schedule. If you don't know this going in -- if you're starting a startup to build a great business like your grandparents did -- then you can find yourself in a world of hurt.

Posted by adam on March 24, 2005 at 1:37 P