May 9, 2008

Credit Bureaus and Outsourcing

(Posted by adam)
The "I've Been Mugged" blog has a great three part series on outsourcing by credit bureaus: "Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1)," "part 2" and "part 3."

He digs deep into how extensively TransUnion outsources, and where. I went looking, and was surprised to see that their privacy policy is at least honest. They make no claim that they care about your privacy, nor any that they apply the highest standards of security to your information.

Posted by adam on May 9, 2008 at 11:03 AM in Privacy, background checks.

May 5, 2008

Hiring Fraudsters?

(Posted by adam)
PARIS — Jérôme Kerviel, the Société Générale trader who used his knowledge of the French bank’s electronic risk controls to conceal billions in unauthorized bets, has a new job — at a computer consulting firm.

Mr. Kerviel, who was given a provisional release from prison on March 18, started work last week as a trainee at Lemaire Consultants & Associates, which specializes in computer security and system development, a spokesman for the former trader, Christophe Reille, confirmed on Friday. ("After Trading Scandal, Banker Gets I.T. Job," The New York Times.)

First let me say that I'm fond of the phrase "paid his debt to society." It's out of fashion, but it used to mean that someone, after their sentence was carried out, was done. That they ought to be allowed to get on with their lives. I've publicly commented on Frank Abagnale being in this class.

Kerviel clearly understands how to get around IT controls. I expect that there's a great deal which he might be able to teach people about what's important in security design, and some about what isn't. (His ability to generalize his approach hasn't been tested yet.)

At the same time, he hasn't yet been tried for his actions. What would be the right framework for making a hiring decision like this?

Photo: REUTERS/Benoit Tessier

Posted by adam on May 5, 2008 at 11:00 AM in background checks, information security.

April 28, 2008

Who Watches the Watchlists?

(Posted by adam)
The idea of "watchlists" has proliferated as part of the War on Terror. There are now more than 63 of them:
As part of its regular "risk management" service, which provides screening, tracing, and identity and background checks on potential clients or trading partners, MicroBilt will now offer a "watch list" service that checks these individuals against 63 different lists from 35 sources, including OFAC, the FBI, and Interpol, Bradley says. ("Companies May Be Held Liable for Deals With Terrorists, ID Thieves", DarkReading)
I say more than 63 because some unknown number are secret. The poor souls who find themselves on these lists have, in essence, no recourse. Convincing 35 or more agencies that their presumption of your guilt is incorrect might, in theory, be possible. In reality, the agency has no reason to do anything but drag its feet: there are no penalties to them for declaring you guilty. In contrast, a failure to put your name on the list risks them not having prevented you from your future thoughtcrime.

But there's hope. And it's not in MicroBilt's stock price (MicroBilt is a subsidiary of First Advantage). Rather, it's in the courage of a judge, who ruled that any American who has been routinely detained because they are on a watch list knows that they are on a list, and thus the government's 'State Secrets' privilege isn't applicable:

since the government admits it has stopped the six men and two women more than 35 times, federal Magistrate Judge Sidney Schenkier of the United States Northern Illinois District Court dismissed that argument. Instead he found that the government "failed to establish that, under all the circumstances of this case, disclosure of that information would create a reasonable danger of jeopardizing national security." ("Court: Government Must Reveal Watch-List Status to Constantly Detained Americans," Wired's excellent 27B-6 Mk IIa blog)
Posted by adam on April 28, 2008 at 10:46 AM in Liberty, Privacy, Terrorism, background checks, national security.

March 19, 2008

Algorithms for the War on the Unexpected

(Posted by adam)
Technology Review has an article, "The Technology That Toppled Eliot Spitzer." What jumped out at me was the explicit statement that strange is bad, scary and in need of investigation. Bruce Schneier is talking a lot about the war on the unexpected, and this fits right into that.
Each category is analyzed to determine patterns of ordinary behavior. Every single transaction by customers in these groups, and even patterns of transactions stretching back as far as a year, are then scrutinized for evidence of deviation from this norm using measures such as the number, size, or frequency of transactions, among others.
When "not behaving normally" is considered grounds for investigation, there's an inevitable chilling effect. The willingness of people to do new, exciting things is reduced by the risk that they'll get on some financial blacklist, and be unable to buy a house or a car.

(Via Paul Kedrosky)
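To make the quoted description concrete, here is an added example (not code from the article, Technology Review, or any bank or vendor) of the peer-group scoring it describes: customers are grouped into a category, a norm is computed for each measure (number, size and spread of transactions over a year), and anyone more than a chosen number of standard deviations from the norm is flagged. The data, customer names and threshold are constructed for illustration; note that the two flagged customers are doing nothing wrong, which is exactly the chilling-effect problem the post raises.

```python
"""Peer-group transaction anomaly scoring (added illustration, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    customer: str
    category: str   # peer group the customer was assigned to, e.g. "salaried"
    month: int      # 1..12, one year of history
    amount: float


def profile(txns):
    """Per-customer yearly measures: transaction count, mean size, months active."""
    by_cust = defaultdict(list)
    for t in txns:
        by_cust[(t.category, t.customer)].append(t)
    out = {}
    for (cat, cust), ts in by_cust.items():
        out[(cat, cust)] = {
            "count": len(ts),
            "mean_amount": mean(t.amount for t in ts),
            "active_months": len({t.month for t in ts}),
        }
    return out


def score_deviations(txns, threshold=2.0):
    """Return {customer: [(measure, z)]} for every measure on which the customer
    lies more than `threshold` population standard deviations from the norm of
    their own category. A measure with no spread in the category is skipped."""
    prof = profile(txns)
    by_cat = defaultdict(dict)
    for (cat, cust), m in prof.items():
        by_cat[cat][cust] = m
    flagged = {}
    for members in by_cat.values():
        for measure in ("count", "mean_amount", "active_months"):
            vals = [m[measure] for m in members.values()]
            mu, sigma = mean(vals), pstdev(vals)
            if sigma == 0:
                continue
            for cust, m in members.items():
                z = (m[measure] - mu) / sigma
                if abs(z) > threshold:
                    flagged.setdefault(cust, []).append((measure, round(z, 2)))
    return flagged


def build_sample():
    """Constructed year of history for seven customers in one category."""
    txns = []
    # c1..c5: one ordinary payment of 100 per month.
    for cust in ("c1", "c2", "c3", "c4", "c5"):
        for month in range(1, 13):
            txns.append(Txn(cust, "salaried", month, 100.0))
    # c6: same size of payment, but 40 of them spread over the year
    # (constructed as someone who started splitting bills; benign).
    for i in range(40):
        txns.append(Txn("c6", "salaried", i % 12 + 1, 100.0))
    # c7: same monthly cadence, much larger amounts
    # (constructed as someone who took on a new, larger expense; benign).
    for month in range(1, 13):
        txns.append(Txn("c7", "salaried", month, 2000.0))
    return txns


SAMPLE = build_sample()

if __name__ == "__main__":
    for cust, hits in sorted(score_deviations(SAMPLE).items()):
        print(cust, hits)
```

With six near-identical peers and one outlier per measure, the outlier's z-score is about 2.45, so both c6 (on count) and c7 (on mean amount) cross the threshold of 2.0 while the other five sit at about -0.41. Nothing in the model distinguishes "new but legitimate" from "suspicious"; that judgement is made entirely by whoever sets the threshold and acts on the flags.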

Posted by adam on March 19, 2008 at 11:30 AM in Liberty, background checks.

September 10, 2007

HSPD-12 Does Not Require JPL Background Checks

(Posted by mordaxus)

Adam writes about the brouhaha at NASA over HSPD-12 background checks.

A friend of a friend who is in the business of implementing HSPD-12 sent me a tidbit about it, along with a link so that you can read the primary source — something always needed when you get emails from FOAFs.

In paragraph 3, there is the interesting statement:

The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application.

The FOAF was incredulous at the report, because there it is in paragraph three that it's okay to have different levels of security, and that which was good enough to defend us against the Godless Commies oughta be good enough to defend us against the Godful Beard-Dyers.

Let's look down a little further. HSPD-12 is short, it's only eight paragraphs. What's that in paragraph 6?

(6) This directive shall be implemented in a manner consistent with the Constitution and applicable laws, including the Privacy Act (5 U.S.C. 552a) and other statutes protecting the rights of Americans.

Which gives the protesters a lot of ammo right there. But wait, there's more. The HSPD-12 FOAFs say that the hardware JPL has ordered can only support a low-security ID system anyway, not a high-security one, so even if it were reasonable, they can't implement the high-value security checks anyway. The FOAF gives this site as a reference.

So there you have it, not only abuse at JPL, but waste, too.

Posted by mordaxus on September 10, 2007 at 7:26 PM in Compliance, background checks.

The Fight Against HSPD12

(Posted by adam)
There's a fascinating court fight, being run by people at the Jet Propulsion Lab. See "JPL Employees File Suit to End Background Investigations"

From the press release:

The plaintiffs include highly placed engineers and research scientists at JPL who have been involved in critical roles in NASA's most successful recent programs, including leading engineers and scientists on the Mars Exploration Rovers program. All are long term employees of Caltech who have never had to submit to the incredibly intrusive check that the Bush Administration desires. None of the plaintiffs have classified or sensitive positions. Plaintiffs challenge Bush's decision to require that all JPL employees submit to a "National Agency Check with Inquiries" and sign a broad written waiver, permitting investigators to obtain records from their past employment files, and to question their friends and associates about their emotional health, financial integrity, and general conduct, including whether they've ever had sex and, if so, what type.
Or, "the more you tighten your grip, the more national labs will slip through your fingers."

Posted by adam on September 10, 2007 at 12:56 PM in background checks.

April 22, 2007

Buy Gas, Get Busted for Pedophilia?

(Posted by adam)
The BBC reports "Motorists hit by card clone scam:"
Thousands of motorists who use a bank card to buy petrol are thought to have lost millions of pounds in an international criminal operation. It is believed cards are being skimmed at petrol stations, where the card details and pin numbers are retrieved and money withdrawn from the account.

About 200 of the UK's 9,500 petrol stations are thought to have been hit.

That's impressive if the thieves have gone to the stations one by one, less so if they cracked a central billing computer. Hard to tell, because the U.K. doesn't (yet) require breach notification.

As to the effects of credit card theft, which I said were low, Ross Anderson has an article at Light Blue Touchpaper, "Extreme Online Risks:"

An article in the Guardian, and a more detailed story in PC Pro, give the background to Operation Ore. In this operation, hundreds (and possibly thousands) of innocent men were raided by the police on suspicion of downloading child pornography, when in fact they had simply been victims of credit card fraud. The police appear to have completely misunderstood the forensic evidence; once the light began to dawn, it seems that they closed ranks and covered up.
See Ross's story for links and more details.

What I'd like to know is, are all those cameras helping reduce crime over in the UK?

Posted by adam on April 22, 2007 at 3:36 PM in ID Theft, Liberty, background checks.

April 18, 2007

More on Crappy Credit Reports

(Posted by adam)
In October, 2006, I commented on the story of a man in Acarta, California whose credit report bizarrely includes a claim he's the son of Saddam Hussein. ("The Crap in Credit Reports") Now, via Educated Guesswork, "If OBL can buy a used car, the terrorists have won" we learn of a fellow who can't buy a car in northern California:
Tom Kubbany is neither a terrorist nor a drug trafficker, has average credit and has owned homes in the past, so the Northern California mental-health worker was baffled when his mortgage broker said lenders were not interested in him. Reviewing his loan file, he discovered something shocking. At the top of his credit report was an OFAC alert provided by credit bureau TransUnion that showed that his middle name, Hassan, is an alias for Ali Saddam Hussein, purportedly a "son of Saddam Hussein."
Sounds like the same guy, unable to solve his problem. From Free Internet Press, "Private Businesses Flag Ordinary Customers As Terrorists." Different first and last names. Different years and days of birth. Different countries of birth. Should TransUnion be held accountable for inserting that OFAC alert? When?

Posted by adam on April 18, 2007 at 12:19 PM in background checks.

March 15, 2007

Dating & Background Checks in China

(Posted by adam)
Shimrit sends in this Shanghai Daily story, "Matchmaking site works to cut down deception:"
A LEADING Chinese matchmaking Website is to check the age, marital status and other personal details of prospective cyber daters against an official database to prevent deception.

Beginning today, Baihe.com will screen its eight million online daters against an ID authentication system it jointly developed with the Ministry of Public Security, said Jason Tian, CEO of the online service that uses extensive personality profiles to match couples.

"In the long run, we'll arrange dates only for those who are proven to be telling the truth," he said.

See, that's pressure. Not getting a passport is one thing, not getting a date? Different place in Maslow's hierarchy, as Alessandro Acquisti and Ralph Gross pointed out in a paper on the social pressure to join Facebook and Myspace.

We'll get off the dating kick shortly. I found the extension of the official identity database to be interesting and scary.

Posted by adam on March 15, 2007 at 11:13 AM in background checks.

March 12, 2007

Dating and Background Checks in the UK

(Posted by adam)
My friend Shimrit saw Cluechick's post on dating background checks ("Emerging Dating Paranoia") and wanted to add a bit herself. She works for the UK's biggest online dating provider. She has a new book coming out, and a blog at "Everyone's Guide to Online Dating." She writes:
With all the current craziness surrounding online dating background checks, I asked Adam if I could offer my 2P’s worth and give a view of things as they are in the UK at the moment. I need to point out that the views expressed below are my own and do not represent the company I work for in any way.

At the moment, there is no demand for background checks on UK dating sites.

There haven’t been many heavily-publicised cases of online dating foul play here and the UK market is still going strong, so there is not yet a need for companies to create a demand for such a service to make themselves stand out. I think much of the fear-mongering in the US at the moment has more to do with online dating companies needing to draw more customers than with any actual security concerns. I don’t know what personal information companies can get about people in the US, but in the UK it’s a joke.

We were recently approached by a sales agent for some background checking company and the information the guy said they could provide for us was sparse and not in any way guaranteed. They could basically do basic electoral roll checks and credit checks. It’s worth pointing out that the electoral roll here is by no means a foolproof way of proving someone’s age, place of residence or even real name.

While telling people you’re going to run a check on them is likely to put them off using your site, the information you would get is not likely to be very relevant to their needs.

You could potentially find out whether someone has a mortgage or a joint bank account with someone else, but this would be expensive to do and would not necessarily show that the person is married or attached. The sales guy pushing this stuff kept making it very clear that we must never ever use the word "guaranteed" and yet he was talking about adding an element of trust to our sites. I fail to see how you could trust something that is not guaranteed. Unfortunately, I can see clever marketers giving people the impression they can guarantee safety without actually using these words, which is very very bad. If you did want to go the extra mile and check for a criminal record (assuming you want to open that can of worms: should people with a criminal record not be allowed to date?) you would need to put the onus of proving integrity on the potential members. They would be charged money for a police reference, which is, again, far from foolproof as it's easy and free to change your legal name in this country. Unless there is a real demand for such a service, nobody would want to sign up for it and it would take a lot of fear-mongering to make people demand something so costly and annoying. In the UK, I reckon it would take a case of some paedophile hooking up with a single parent online and then molesting the children. Either that or a very quick succession of online dating rapes and murders within a short period of time and a whole load of PR work. Of course, even if you did criminal record checks, there is no guarantee someone with a clean record isn't going to one day freak out and kill someone. There's a first time for everything.

Background checks are basically just the latest round of hype, aimed at giving people the illusion they are safer dating on a particular site when actually they’re not any safer at all. As far as I’m concerned, they are bad for two reasons. The obvious one is the breach of privacy and the other one is that the illusion of safety can make people complacent to the point where they relax the basic safety issues we constantly try to drill into their heads. The best way to ensure people’s online safety is education. Anything else is marketing. Sadly, with the growth rate of the American online dating market slowing down, we’re going to be seeing plenty more unnecessary services being touted as essential.

Posted by adam on March 12, 2007 at 11:09 AM in Privacy, background checks.