At least six men suspected or convicted of crimes that threaten national security retained their federal aviation licenses, despite antiterrorism laws written after the attacks of Sept. 11, 2001, that required license revocation. Among them was a Libyan sentenced to 27 years in prison by a Scottish court for the 1988 bombing of Pan Am 103 over Lockerbie.
It's long been a truism of economics that the cost of anything is the foregone alternative. In this case, a huge amount of our air travel security spending goes into ensuring that you can't fly if your name and ID don't quite match (looking at you, Jim), rather than preventing convicted terrorists from getting aviation licenses.
Brad DeLong has a FAQ up about Geithner's plan to purchase toxic assets on the theory that the market has undervalued them, and will in time price them properly. Among the items:
Q: What if markets never recover, the assets are not fundamentally undervalued, and even when held to maturity the government doesn't make back its money?
A: Then we have worse things to worry about than government losses on TARP-program money--for we are then in a world in which the only things that have value are bottled water, sewing needles, and ammunition.
This response reminded me of a conversation I had over a beer with a banking regulator back in August 2006 or thereabouts. He reported on an IM conversation he had had with a colleague whose expertise lay in the area which subsequently imploded. After jokingly asking "Time to buy gold, huh?", there was a pregnant pause. Then came the response: "Buy ammunition".
I ordered another beer.
Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those three-digit codes on the back of cards, Wikileaks told donors in an email.
and
We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.
I wanted to bring this up, not to laugh at Coleman (that's Franken's job, after all), but because we frequently see assertions that "there's no evidence that..."
As anyone trained in any science knows, absence of evidence is not evidence of absence. At the same time, sometimes there really is sufficient evidence, properly protected, that allows that claim to be made. We need public, documented and debated standards of how such decisions should be made. With such standards, organizations could better make decisions about risk. Additionally, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.
WHY is a beer better than a woman? Because a beer won’t complain if you buy a second beer. Oops. There go your correspondent’s chances of working for Barack Obama, America’s president-elect.
(Ironically, the Economist's articles are all anonymous.)
Second, Fraser Speirs, "On the Flickr support in iPhoto ‘09:"
As you may guess, I was a little perturbed at this since I pay my mortgage by selling, er, a Flickr upload plugin for iPhoto.
Fraser looks at his (excellent) product, FlickrExport, and finds that the value is now in privacy and control of what leaves your computer and how.
And finally, a follow-on to an aside in 'Lessons for security from "Social Networks"':
In recent months, American Express has gone far beyond simply checking your credit score and making sure you pay on time. The company has been looking at home prices in your area, the type of mortgage lender you’re using and whether small-business card customers work in an industry under siege. It has also been looking at how you spend your money, searching for patterns or similarities to other customers who have trouble paying their bills.
Apparently, that was just too creepy, even for American Express, who I've commented on in "American Express and Privacy."
In some instances, if it didn’t like what it was seeing, the company has cut customer credit lines. It laid out this logic in letters that infuriated many of the cardholders who received them. “Other customers who have used their card at establishments where you recently shopped,” one of those letters said, “have a poor repayment history with American Express.”
It sure sounded as if American Express had developed a blacklist of merchants patronized by troubled cardholders. But late this week, American Express told me that wasn’t the case. The company said it had also decided to stop using what it has called “spending patterns” as a criteria in its credit line reductions. ("A (Very) Watchful Eye on Credit Card Spending," The New York Times.)
In closely related news, Maurizio d'Orlando lays out that U.S. debt approaches insolvency:
In 2007, public debt in the United States was 10.6 trillion dollars, compared to a GDP (gross domestic product) of 13.811 trillion dollars. Public debt in 2007 was therefore 76.75% of GDP. In just one year, direct and indirect public debt have grown to more than 100% of GDP, reaching 176.9% to 184.2%. These percentages exclude the debt guaranteed by policies underwritten by AIG, also nationalized, and liabilities for health spending (Medicaid and Medicare) and pensions (Social Security)[2]. By way of comparison, the Maastricht accords require member states of the European Union (EU) to reduce their public debt to no more than 60% of GDP. Again by way of comparison, in one of the EU countries with the largest public debt, Italy, public debt in 2007 was equal to 104% of GDP.
[Update: I'd meant to include both Bruce Sterling, "2009 Will Be a Year of Panic" and Rob Sama, "The Federal Government Has Jumped The Shark."]

In the Cryptography mailing list, John Gilmore recently brought up an interesting point. One of the oft-debated ways to fight spam is to put a form of proof-of-work postage on it.
Spam is an emergent property of the very low cost of email combined with the effect that most of the cost is pushed to the receiver, not the sender. The thinking goes that if you can trivially increase the cost to the sender, it disproportionately affects the spammer, and thus tilts the economics back to us from them.
The proposition has always been debatable. Laurie and Clayton wrote a paper in 2004 challenging the idea, and I've never seen a full refutation of it. Moreover, the balance may even be tipping more to the spammer. The major problem with proof-of-work is that legitimate senders are often on limited devices like smartphones and the spammers are on compromised servers. Systems to harness compute power in graphics cards such as OpenCL can unbalance the system.
There is also the related problem that the costs of power and cooling (which is another way to say power) of a computer over its life are often more than the hardware costs. This has been a huge fly in the ointment of grid computing.
Gilmore, however, says:
Computers are already designed to consume much less electricity when idle than when running full tilt. This trend will continue and extend; some modern chips throttle down to zero MHz and virtually zero watts at idle, waking automatically at the next interrupt.
The last thing we need is to deploy a system designed to burn all available cycles, consuming electricity and generating carbon dioxide, all over the Internet, in order to produce small amounts of bitbux to get emails or spams through.
I think he's got it spot on, and whatever we do, Proof-of-Work is now in the recycling bin.
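To make the economics above concrete, here is an added example (not code from the original post, and not Hashcash's own implementation) of a Hashcash-style proof-of-work stamp: the sender searches for a counter until the SHA-256 hash of the stamp has the required number of leading zero bits, which costs about 2^bits hashes on average, while the receiver checks it with a single hash. The stamp layout, the resource name alice@example.com and the constructed date field are assumptions for illustration. It also makes Gilmore's point visible: every legitimate message burns those cycles too, and nothing in the scheme distinguishes a smartphone from a compromised server except how fast it can hash.

```python
import hashlib
import secrets


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint_stamp(resource: str, bits: int, date: str = "090301"):
    """Sender side: brute-force a counter until the stamp hash has >= bits leading zeros.

    Expected work is about 2**bits hashes; this is the 'postage'. Returns the
    stamp and the number of hashes it took, so the cost can be observed.
    Stamp layout (assumed, modelled on the Hashcash v1 format):
    version:bits:date:resource:ext:random:counter
    """
    rand = secrets.token_hex(8)  # fresh salt so stamps for the same resource differ
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1
        counter += 1


def verify_stamp(stamp: str, resource: str, min_bits: int) -> bool:
    """Receiver side: a few field checks plus exactly one hash, whatever the bits."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False
    try:
        claimed_bits = int(fields[1])
    except ValueError:
        return False
    # Reject stamps minted for someone else or with less work than we demand.
    if fields[3] != resource or claimed_bits < min_bits:
        return False
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= claimed_bits


def expected_sender_hashes(bits: int) -> int:
    """Average number of hashes the sender must compute for a given difficulty."""
    return 2 ** bits


if __name__ == "__main__":
    stamp, tried = mint_stamp("alice@example.com", 16)
    print(f"minted {stamp!r} after {tried} hashes (expected ~{expected_sender_hashes(16)})")
    print("verify for alice:", verify_stamp(stamp, "alice@example.com", 16))
    print("verify for bob:  ", verify_stamp(stamp, "bob@example.com", 16))
```

Raising `bits` by one doubles the sender's cost and leaves the receiver's cost unchanged; that asymmetry is the whole argument for postage, and the power-consumption objection is that the sender's side of it is paid by everyone who mails you, not only by spammers.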
Photo "Proof of Living" by yuankuei.
Today is the 75th anniversary of the repeal of the blanket prohibition of alcohol sales in the United States.
Go pour some Champagne, Cava, or fine California bubbly and read Radley Balko's excellent "Lessons of Prohibition."
Photo: Jensen.Pernille. Thanks to Sama.
I am one of the few people to have gotten a pretty good view of the invisible election, and the reality does not match the reports of a smooth, problem-free election that have dominated the national media. As part of Obama's election protection team, I spent 18 hours working in the "boiler room," the spare office where 96 people ran national election day operations. Obama's election protection efforts, organized by Bob Bauer, were more generously funded, more precisely planned, and better organized than any in recent memory. Over the course of the day, thousands of lawyers, field staff, and volunteers reported the problems they were seeing in polling places across the country. A sophisticated computer program allowed the lawyers and staffers in the boiler room to review these reports in real time.
First, I'm a huge fan of transparency. I'm not going to advocate sweeping anything under the rug. But I do question if we really need to draw attention to the problems with voting systems before we have consensus on what to do about them?
[...list of problems elided...]
I draw three lessons from the time I spent watching the invisible election unfold, all of which point to the need to make the invisible election visible to the public, to policymakers, and to election administrators themselves.
First, it is essential that the public see the invisible election. We are never going to get traction on reforming our election system until we have a means of making these problems visible to voters. Virtually every media outlet has reported that the election ran smoothly.
See, a working democracy is a tremendously valuable asset. It takes years to start up, and (when working) gives us a way to transition between legitimate governments. The thousand years of European wars of succession didn't allow for much liberty or wealth creation. Democracy has huge value, and it's under threat. In 2000, we had a real risk of a crisis. If Al Gore had contested the 5-4 vote in Washington, we had no real way to address it and choose a legitimate next leader. Gore understood this, which is why he was clear that we all had to respect the decision, "for the strength of our democracy." Despite the damage of the Bush years, it was the right call. Because a working democracy is a fragile thing. Trust that the election machinery has gotten the right result and will get the right result next time is an absolutely vital part of the legitimacy of government. Risking it should not be undertaken lightly.
I've been at occasional meetings between voting officials and computer scientists for about eight years now. There's a tremendous gap. The two groups don't understand each other well, although folks like Avi Rubin are working really hard to bridge that gap. Until there's a rough political and technological consensus that's in line with the Help America Vote Act or its replacement, we should be cautious about undercutting the system we have now.
I also wanted to juxtapose a little with Ryan Singel's story, "Chertoff: We're Closing that Boarding-Pass Loophole." There are now scanners which read a bar code off your boarding pass to make sure you haven't altered it, and the TSA folks can match your ID to the boarding pass. This was known for years, but driven heavily by Chris Soghoian's make-your-own-boarding-pass toy.
Between the airline software, the scanners and the training, we've probably spent tens of millions of dollars to fix the loophole. (Oddly, I haven't been able to find a statement of the costs.) But the truth is, it's a silly thing to fix. Good fake ID is easy to get, and will remain easy to get unless we choose a different balance between terrorism prevention, immigration and kids drinking.
Chris has some other entertaining discoveries, which I'm hoping he keeps to himself. I think they're worth not fixing. That is, the cost of the fix is too high. There are better things to spend money on.
The next few years are going to be rough for the United States. The costs of the Iraq war, our broken health care system, the financial melt-down, the bursting of the housing bubble, infrastructure that's starting to fail, and global climate change are all going to be competing for a slice of budgets while revenues are falling.
We need to ask ourselves which problems we need to fix, and what the costs of fixing them are really going to be. Not every problem needs a fix, and not every problem that needs fixing needs fixing now.

Via Paul Kedrosky. Feel free to use this as an open thread.
Fast forward a few years, to a fellow who sends out cheques for bugs:
Leading banks and investment funds have been foundering, because of bad debts and lack of trust; and other, less well-known kinds of fiscal chaos are also on the horizon. For example, due to an unfixable security flaw in the way funds are now transferred electronically, worldwide, it is no longer safe to write personal checks. A criminal who sees the numbers that are printed at the bottom of any check that you write can use that information to withdraw all the money from your account. He or she can do this in various ways, without even knowing your name --- for example by creating an ATM card, or by impersonating a bank in some country of the world where safeguards are minimal, or by printing a document that looks like a check. The account number and routing information are all that international financial institutions look at before deciding to transfer funds from one account to another. (Donald Knuth, "Financial Fiasco.")
This is interesting. Not sure how robust the finding is, but according to an analysis of LendingClub data on all past loans, including descriptions of the use for the money, applicants using certain words in their descriptions are much more likely to default.
For our purposes define a Delinquency as either being late in your payments or having defaulted completely. The 10 words with the greatest p-values are below. [...]
("Words and Credit Scores", Social Science Statistics Blog)
Word       Loans With   P(Delinquency|No word)   P(Delinquency|Word)   p-value
also           215              0.067                   0.140            0.0004
need           608              0.062                   0.105            0.0015
business       233              0.069                   0.116            0.0038
live            91              0.070                   0.154            0.0057
already         64              0.071                   0.156            0.0059
other          285              0.068                   0.112            0.0081
bills          223              0.067                   0.135            0.0082
bill           279              0.066                   0.125            0.0117
interest       660              0.081                   0.053            0.0136
Not something I've studied, but I wonder if a neural network could successfully classify these loans?
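The table above reports, for each word, how many loans mention it, the delinquency rate with and without it, and a p-value. As an added example (not the blog's analysis or its data), here is that computation carried out over a small constructed set of loan descriptions: descriptions are tokenised into distinct lower-case words, the two conditional delinquency rates are computed, and the p-value is a one-sided Fisher exact test (hypergeometric tail) for whether loans containing the word are delinquent more often than chance. The loan texts and default flags are constructed for illustration; the original post does not say which test produced its p-values, so the choice of Fisher's test is an assumption.

```python
import re
from math import comb

# Constructed sample, not LendingClub data: (description, delinquent?)
LOANS = [
    ("need to pay off bills", True),
    ("need money for a new business", True),
    ("need help consolidating debt", True),
    ("need a car to get to work", False),
    ("consolidate credit cards at a lower interest rate", False),
    ("refinance at lower interest rate", False),
    ("home improvement project", False),
    ("pay for wedding expenses", False),
    ("tuition for final semester", False),
    ("medical bills after surgery", True),
    ("buy a used car", False),
    ("lower interest rate on existing loan", False),
]

WORD_RE = re.compile(r"[a-z]+")


def words_in(description: str) -> set:
    """Distinct lower-case words; a word repeated in one description counts once."""
    return set(WORD_RE.findall(description.lower()))


def hypergeom_tail(population: int, successes: int, draws: int, observed: int) -> float:
    """P(X >= observed) for X ~ Hypergeometric(population, successes, draws).

    This is the one-sided Fisher exact p-value for 'loans with the word are
    delinquent at least as often as we saw, if the word were unrelated'.
    """
    total = comb(population, draws)
    upper = min(draws, successes)
    return sum(comb(successes, x) * comb(population - successes, draws - x)
               for x in range(observed, upper + 1)) / total


def word_stats(loans, word: str) -> dict:
    """Row of the table for one word: counts, conditional rates and p-value."""
    population = len(loans)
    delinquent_total = sum(1 for _, d in loans if d)
    with_word = [d for desc, d in loans if word in words_in(desc)]
    without_word = [d for desc, d in loans if word not in words_in(desc)]
    n_with, k_with = len(with_word), sum(with_word)
    return {
        "word": word,
        "loans_with": n_with,
        "p_del_noword": sum(without_word) / len(without_word) if without_word else float("nan"),
        "p_del_word": k_with / n_with if n_with else float("nan"),
        "p_value": hypergeom_tail(population, delinquent_total, n_with, k_with) if n_with else 1.0,
    }


def rank_words(loans, min_loans: int = 2) -> list:
    """Every word seen in at least min_loans loans, most significant first."""
    vocab = set().union(*(words_in(desc) for desc, _ in loans))
    rows = [word_stats(loans, w) for w in sorted(vocab)]
    rows = [r for r in rows if r["loans_with"] >= min_loans]
    return sorted(rows, key=lambda r: r["p_value"])


if __name__ == "__main__":
    print(f"{'Word':10} {'Loans With':>10} {'P(D|No word)':>13} {'P(D|Word)':>10} {'p-value':>8}")
    for row in rank_words(LOANS)[:5]:
        print(f"{row['word']:10} {row['loans_with']:>10} {row['p_del_noword']:>13.3f} "
              f"{row['p_del_word']:>10.3f} {row['p_value']:>8.4f}")
```

With twelve loans the p-values are nowhere near the blog's, which is the point the post makes about robustness: "need" tops this ranking at p of roughly 0.07 only because three of the four loans that mention it are delinquent, and a vocabulary of dozens of words tested against one small outcome column will always produce a few such coincidences.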
There was a very interesting article in the New York Times, "Fish Tale has DNA Hook," in which two high school students used DNA testing to discover that nearly 1/4 of the sushi they tested and identified was mis-labeled. The article only identifies one of the vendors:
Dr. Stoeckle was willing to divulge the name of one fish market whose products were accurately labeled in the test: Leonards’ Seafood and Prime Meats on Third Avenue. John Leonard, the owner, said he was not surprised to find that his products passed the bar code test. “We go down and pick the fish out ourselves,” he said. “We know what we’re doing.” As for the technology, Mr. Leonard said, “it’s good for the public,” since “it would probably keep restaurateurs and owners of markets more on their toes.”
I was amused by this, but Robin Hanson had an interesting comment:
This is a huge fraud rate. Will diners continue to tolerate it? Probably, yes - I suspect diners care more about affiliating with impressive cooks and fellow diners than they do that fish is correctly labeled.
I think that there's a related phenomenon in software security. It's hard to accurately identify secure or insecure software. It's usually easier to look at other elements of what makes a program useful. Which makes for a very fishy market.
Photo: "Dinner at Masa: O! Fishy fishy fishy fish" by mobil'homme.
For all the show of toughness, the details suggest the US taxpayer got a raw deal. There is no comparison with the terms that Warren Buffett secured when he provided capital to Goldman Sachs. Buffett got a warrant - the right to buy in the future at a price that was even below the depressed price at the time. Paulson got for the US a warrant to buy in the future - at whatever the prevailing price at the time. The whole point of the warrant is so we participate in some of the upside, as the economy recovers from the crisis, and as the financial system starts to work.
He also mentioned (as I recall) that Buffett got an end to dividend payments during the crisis and a higher deferred payment than Paulson imposed.
The Paulson plan responded to Congress's demand to have something like a warrant, but as a matter of form, not substance. Buffett got warrants equal to 100% of the value of what he put in. America's taxpayers got just 15%. Moreover, as George Soros has pointed out, in a few years time, when the economy is recovered, the banks shouldn't need to turn to the government for capital. The government should have issued convertible shares that gave the right to the government to automatically share in the gain in share price.
Interesting listening.
The Wall Street domino has toppled just about everything in sight: U.S. stocks large and small, within the financial industry and outside of it; foreign stocks; oil and other commodities; real-estate investment trusts; formerly booming emerging markets like India and China. Even gold, although it has inched up lately, has lost 10% from its highs earlier this year. Not even cash seems entirely safe, as money-market funds barely averted a "run on the bank."
So reads the Wall St Journal's "Intelligent Investor" for September 30th. Me, I've paid off my car loan--I figure JPMorganChaseLehmanWashingtonMutual could really use some more cash, and it's a guaranteed 6% for me.
But that was my last debt, which means that I have no other safe returns. As I think about the crisis, one element that jumps out is how poorly the financial sector has matched money to risk. But I figure I might be able to do better. So I started looking at the well-publicized Kiva, to make loans, but it seems that these loans are all of the 'feel-good' variety, which is to say there's no premium or return. And while I might place some money through Kiva for feel-goodness, I don't want my best outcome for investing to be "and I don't lose money." So I'm looking at organizations like Prosper or Zopa (personal loans) or Fynanz (student loans).
I like the dis-intermediation aspects of these services and their chaotic and libertarian nature. Do any of our readers have experience with these, or services like them? Should I instead look to loan to people I know?
It seems that as the entire financial system of the US is consolidated into three institutions, there's room and demand for some interesting and new structures to emerge from the chaos.

Works for me.
(Image via cs.colorado.edu, who sell T-shirts)
What I did want to look at was the phrase "more regulation," and relate it a little to information security and risk management.
US banks are already intensely regulated under an alphabet soup of laws like SOX, GLB, USA PATRIOT and BSA. They're subject to a slew of additional contractual obligations under things like PCI-DSS and BASEL rules on capital. And that's leaving out the operational sand which goes by the name AML.
In fact, the alphabet soup has gotten so thick that there's an acronym for the acronyms: GRC, or Governance, Risk and Compliance. Note that two of those three aren't about security at all: they're about process and laws. In the executive suite, it makes perfect sense to start security with those governance and compliance risks which put the firm or its leaders at risk.
There's only so much budget for such things. After all, every dollar you spend on GRC and security is one that you don't return to your shareholders or take home as a bonus. And measuring the value of that spending is notoriously hard, because we don't share data about what happens.
Just saying that measurement is hard is easy. It's a cop out. I have (macro-scale) evidence as to how well it all works:
There's obviously immediate staunching to be done, but as we come out of that phase and start thinking about what regulatory framework to build, we need to think about how to align the interests of bankers and society.
If you'd like more on these aspects, I enjoyed Bob Blakley's "Wall Street's Governance and Risk Management Crisis" and Nick Leeson, "The Escape of the Bankrupt" (via Not Bad for a Cubicle. Thurston points out the irony of being lectured by Nick "Wanna buy Barings?" Leeson.)
I'm not representing my co-author Andrew in any of this, but at least as I write this, his institution remains solvent.

It's actually sort of impressive how much hate and resentment the TSA has built in the few long years of its existence.
While this may be terrifying on a number of levels, the situation becomes far more questionable with the release of a recent memo from the TSA in which such damaging and destructive actions are apparently ENCOURAGED. The memo clearly states that, "Aircraft operators are required to secure each unattended aircraft to make sure that people with bad intent cannot gain access to the planes. But during the inspection, TSA's inspector was able to pull himself inside of an unattended aircraft by using a tube that was protruding from the side of the plane. TSA encourages its inspectors to look for and exploit vulnerabilities of this type."
There are a couple of things I want to say about this. The first is that TSA seems to be orienting their "inspectors" towards the idea that no indignity or stupidity is too large. This is a natural result of there being no accountability.
While it's fun to rage at the TSA like this, I don't want to be throwing stones from a glass house. In information security, we sometimes tend this way. Security risks are seen as accruing to the career of the CSO. Smart CSOs shift jobs often to avoid having the risk (I forget who pointed this out, or I'd give credit.)
Implementing controls for a set of rare, high impact risks is hard. TSA, DHS and the President ought to be telling Americans not to be scared, and to realize that these things may happen again, despite our best efforts. This was the lesson of societies including the UK, France, Germany and Japan, not to mention Israel.
Fortunately, in information security, we have lots of common risks to go after, if only we'd pay attention.
I find it interesting that security people and foodies are strongly correlated. Or at least are strongly correlated among the ones I know. Very Good Taste has a list of things called The Omnivore's Hundred, a list of things worth trying, modulo this and that. You mark things you have tried, and mark things you would never try or try again.
I found it via Cygnoir, who also gave a pointer to an easy-to-fill-out web page that will give HTML.
My results of that page are below.
Ian Angell from the London School of Economics gave a great keynote on complexity in systems and how the desire to categorize, enumerate, and add technology can break things in interesting ways.
An example of his: there's an increasing desire among politicians and law enforcement to create huge DNA databases for forensic purposes, to aid in crime fighting and whatever. This will work until criminals start collecting DNA samples and scatter them at a crime scene creating confusion.
Angell didn't mention a counter-measure, and I have one that I'm sure the politicos will want to use: make the possession of DNA a crime. There's the obvious exemption for your own DNA, but this brings new and important expansions of the old standby of "inappropriate contact."
This brings me to a complaint and irony about the "improvements" to Black Hat this year. The ironies occurred to me as Angell was speaking, talking about the ways added complexity brings new ways to fail.
One of the Black Hat improvements is that Black Hat is adopting a number of cool web-isms. There's a Twitter feed, for example. They're encouraging blogging by handing out blogging credentials for Defcon. This good and cool.
However, one of the other improvements is to move The Wall of Sheep from Defcon to Blackhat. Professor Angell's cat Oscar would have a thing or two to say about that. However, Nick Matthewson of Tor said it best, I think.
If you are not familiar with The Wall of Sheep, it is a project in which the shepherds run a protocol analyzer on the network looking for people using insecure protocols, plaintext passwords, and the lot. They quasi-anonymize them and then offer them up for what in Puritan days would be a pillory.
Nick's comment about this was that it's a very 1990s thing. Here we are in the late aughties, and you have to assume that if someone is at a security conference and using a non-secure protocol, that it is a lot like not wearing pants. If you're at a conference in Vegas and someone there is not wearing pants, it's probably wise to assume that they know they're not wearing pants, and that they are not wearing pants for some reason.
I was paying enough attention at the time to note that Nick was wearing a kilt when he said that.
The Wall of Sheep is the Pants Police. They run a Pants Panopticon in which they rush around madly looking for people with no pants and posting them up on the Wall of No Pants. They've decided on their own that a lack of pants is a ridiculable offense, even for people who know they're not wearing pants, and don't care what you can see. Even more so, they also post the mere rumor of pantslessness. I have heard tell that some people enjoy hacking the Pants Police by telnetting to some service and typing in usernames and passwords to be sniffed. I would never do that myself, but I've heard stories. They're actually more the Pants TSA than the Pants Police, but Pants TSA doesn't alliterate.
The Angell-quality irony here is that all these new communications systems that on the one hand we're being encouraged to use are -- questionable. Twitter looks a lot like knickers to me. And let's face it, Wordpress won a Pwnie award for the incredible number of vulns they've coded.
In short, you'd be a fool to use Twitter at Black Hat, or to blog, or -- well, use DNS. For Pete's sake, we're being told to set up manual ARP entries. (Yes, I know. You can use a VPN, or your mobile, or something else. That's all very good, but once the Pants Police decide your Bermudas look like Speedos to them....)
The message of Black Hat that people should take away is that nothing is safe. That's not necessarily bad. If we wanted houses to be safe as houses, we'd take out the windows and turn off the electricity. Technology is risk, as Angell said eloquently and entertainingly.
This is just more of the security wags naming, shaming, and blaming the victims. Is the message one should take away from Black Hat that one should not use a computer there? Even Professor Angell isn't that pessimistic. He thinks that four ounces in an eight-ounce tumbler means you have too much glass.
Which is it at Black Hat? Web or no web? Pick one. Either Black Hat is (like Defcon) an open free-for-all in which griefing is just another way to spell 1337 and you're a fool to bring electronics, or it's an information exchange between smart people who blog, Tweet, and Plurk. Is a handshake a greeting, or a way to get a DNA sample? Are we using cutting edge or trailing edge technologies? If the former, remember that their security is going to suck until they get beat up -- cutting edge techs can make you bleed. To phrase it another way, pick a century we're in -- 20 or 21. It matters less which one you pick than that you pick.
I hope it's 21. I think Twitter is twee, but I've been using it and I smile when I do. (Plurk is much cooler, but I can hear The Good, The Bad, and The Ugly theme every time I go there.) I truly believe that blogging is just journalism in the cheapest free press civilization has ever had. AJAX is scary, but it's scary in the way that driving a go-cart is scary. I don't want to have to worry about the Pants Police, too, to make fun of me if I've misconfigured something I'm not as adept at as IRC. I'd like to deliver a live blog about the opening keynote on the day it was given, as opposed to while I'm still alive.
I think Black Hat is moving in a very good direction to make information flow better, more interesting, and more fun. Let's just leave the old school hectoring back in the dot-com era, and find out how to fix the new things by using them.
Transport for London is trying to get as many people as possible to use Oyster Cards. They are cheaper -- and theoretically easier to use -- than traditional tube / bus tickets. However, using one means that TfL has a record of your journeys on the transport system, which is something that not everybody is comfortable with.
Photo: Voyeur by Jeff VC
In 2000, a Harvard professor named Caroline Hoxby discovered that streams had often formed boundaries to nineteenth-century school districts, so that cities with more streams historically had more school districts, even if some districts had later merged. The discovery allowed Hoxby to show that competition between districts improved schools. It also prompted the Harvard students to wrack their brains for more ways in which arbitrary boundaries had placed similar people in different circumstances. ...In retrospect, I have come to see this as the moment I realized economics had a cleverness problem. How was it that these students, who had arrived at the country's premier economics department intending to solve the world's most intractable problems--poverty, inequality, unemployment--had ended up facing off in what sometimes felt like an academic parlor game?
It's a very interesting article on the economics of academic economics, and some of the perverse incentives which exist in the field.
Me, I look forward to the day when we have so much data that we can start looking for arbitrary differences and boundaries. I look forward to the day when security has a cleverness problem. No doubt we'll end up calling it database pharming.
Adam comments on Dave Maynor commenting on Blizzard selling authentication tokens.
Since I have the ability to comment here, I shall.
This isn't the case of a game having better security than most banks (as Maynor says). This is a game company leaping ahead of some banks, because they realize they have bank-like security issues.
It's been a year or so since I read on El Reg that on the black market, a credit card number sells for (as I remember) £5, but a WoW account sells for £7. I would look up the exact reference, but I'm not in the mood. Your search skills are likely as good as mine.
The exact reasons for this are a bit of a mystery, but there are some non-mysterious ones. There is a black market for WoW gold and (to a lesser extent) artifacts. That black market is shuddering because Blizzard has done a lot to crack down on it. (Blizzard's countermeasures are one main reason that the artifact market is low. Most artifacts become bound to one character when used, and so are not transferrable and so are not salable.) Nonetheless, many WoW players have gold in their pockets that would sell for hundreds to thousands of dollars on this black market.
(If you think from this, that WoW can be a profitable hobby, think again. That many players have gold worth some real change says more about the time they have spent playing than anything else. If you live in a first-world country, you can earn far more flipping burgers than playing WoW. It is only if you are in a third-world country that WoW is a reasonable career choice.)
This means that by putting a keylogger on someone's system, you can steal a pretty penny from them and sell it on the black market. A not-insignificant number of WoW players have logged into their accounts to find their characters naked and penniless. However, there's an interesting twist on this. Blizzard can and does restore the lost gold and items.
Presumably, Blizzard has a transaction log and can rewind it. However, this is work for them and annoyance for the victim. Two-factor authentication will lower Blizzard's costs but fear of robbery is high enough among the players that they're snapping these things up and are willing to pay for them.
Bank customers rightly think that increased security is something that the bank should pay for. So in the banking world, the cost-benefit calculation of two-factor authentication is complex. In the gaming world, it's pretty straightforward. Since Blizzard can shift the cost of the device to the customer base, it's easier to justify.
Adam, and readers from Emergent Chaos, provided some good feedback on this idea. Even though the general response is that this wouldn't be a supportable approach, I appreciate the input! This helps me focus my research intentions on the most promising theories and technologies.

I'm glad my readers helped with good feedback, but I think he's taking the wrong lesson. The lesson should be that there are lots of skeptics, not that the idea won't work.
And Adam from InklingMarkets has offered to help.)
Haft of the Spear points to an Inkling market, "Group Intel," which is taking bets on bin Laden's being captured or killed before the end of Bush II. There have only been a few trades with hefty price swings, but why not try it out for infosec? Maybe some chaos would emerge.
(Incidentally, new, interesting comments are still coming in on "Security Prediction Markets: theory & practice.")
So having a book out, you start to notice all sorts of stuff about how Amazon works. (I've confirmed this with other first time authors.) One of the things that I just can't figure out is the pricing people have for The New School.
There's a new copy for $46.43. A mere 54% premium over list, and a whopping 234% of Amazon's discounted price. There's a used copy for $58.56. What the hell?
This isn't unique to us. It happens for every book I've looked at.
Is this some sort of scheme to hide money from the tax collectors? I mean, I liked Cohen's book (incidentally reviewed here), but not to the tune of 600 bucks.
What's going on? Your thoughts are welcome.
There are a lot of great comments on the "Security Prediction Markets" post.
There's a tremendous amount of theorizing going on here, and no one has any data. Why don't we experiment and get some? What would it take to create a market in breach notification prediction?
Dan Guido said in a comment, "In security, SOMEONE knows the RIGHT answer. It is not indeterminate, the code is out there, your network is accessible to me and so on. There's none of this wishy-washy risk stuff."
I don't think he's actually right. Oftentimes, no one knows the answer. Gathering it is expensive. Translating from "there's a vuln" to "I can exploit it" isn't always easy. For example, one of my co-workers tried to exploit a (known, reported, not yet fixed) issue in an internal site via Sharepoint. Something in Sharepoint keeps munging his exploit code. I've even set my browser homepage to a page under his control. Who cares what I think, when we can experiment?
What would be involved in setting up an experiment? We'd need, in no particular order:
Photo: "Better living..." by Gallix.
Considering the contributors to this blog often discuss security in terms of economics, I'm curious what you (and any readers educated on the topic) think about the utility of using prediction markets to forecast compromises.

So I'm generally a big fan of markets. I think markets are, as Hayek pointed out, a great way to extract information from systems. The prediction markets function by rewarding those who can make better predictions. So would this work for security, and predicting compromises?
I don't think so, despite being a huge fan of the value of the chaos that emerges from markets.
Allow me to explain. There are two reasons why it won't work. Let's take Alice and Bob, market speculators. Both work in banks. Alice thinks her bank has great security ("oh, those password rules!"). So she bets that her bank has a low likelihood of breach. Bob, in contrast, thinks his bank has rotten security ("oh, those password rules!"). So he bets against it. Perhaps their models are more sophisticated, and I'll return to that point.
As Alice buys, the price of breach futures in her bank rises. As Bob sells, the price of his futures falls. (Assuming fixed numbers of trades, and that they're not working for the same bank.)
But what do Alice and Bob really know? How much experience does either have to make accurate assessments of their employers' security? We don't talk about security failures. We don't learn from each other's failures, and so failure strikes arbitrarily.
So I'm not sure who the skilled predictors would be who would make money by entering the market. Without such skilled predictors, or people with better information, the market can't extract the information.
Now, there may be information which is purely negative which could be usefully extracted. I doubt it, absent baselines that Alice and Bob can use to objectively assess what they see.
There may well be more sophisticated models, where people with more or better information could bet. Setting aside ethical or professional standards, auditors of various sorts might be able to play the market.
I don't know that there are enough of them to trade effectively. A thinly traded security doesn't offer up as much information as one that's being heavily traded.
So I'm skeptical.
I was struck by this quote in the Economist special report on international banking:
There were navigational aids to help investors but they often gave false comfort. FICO scores, the most widely used credit score in America, were designed to assess the creditworthiness of individual borrowers, not the quality of pools of mortgages. “'Know your customer' is a staple of banking that has largely been forgotten because of the disaggregation of the supply chain,” says Mark Greene, the chief executive of Fair Isaac, the company behind FICO scores. ("Ruptured credit")

"Know your customer" actually hasn't been forgotten; it's been co-opted. It's been co-opted by the "AML" (Anti-Money Laundering) crowd. (The Google search is also fascinating. Look at all those ads!) But "know your customer" has also been co-opted by the surveillance state, the people who want to know where your money is going in case they need to investigate you.
Bruce Schneier has a 5 step process for evaluating security:
It used to be that part of getting a mortgage was talking to a banker. You talked to an officer of the bank who was going to be collecting money from you for twenty years. And he made a call. That's been replaced by the FICO algorithms and checking your ID. There's now a process and an audit trail. And there's no common sense. There's no senior person who can see trends. To be fair, with common sense, it's become harder to impose racist lending standards. That senior person can't imagine trends.
Back to the topic at hand, we've moved from "know your customer" as sage advice to trite bits of checklist faux diligence. We've lost something important.
Really, what we've done is substitute knowing a person's data shadow for knowing the person. That's not the only problem, but it's one of a set of synergistic changes that will cost us hundreds of billions to clean up.
(Data shadows is a great term, defined by Alan Westin. Bruce Schneier used it recently in his excellent essay "Our Data, Ourselves," which I hope to shadow shortly.)
Image: "Sinister," by Adactio.
There's a story in the New York Times about a bike rental program in Washington DC. It's targeted at residents, not tourists, and has a subscription-based model.
Improved technology allows programs to better protect bicycles. In Washington, SmartBike subscribers who keep bicycles longer than the three-hour maximum will receive demerits and could eventually lose renting privileges. Bicycles gone for more than 48 hours will be deemed lost, with the last user charged a $200 replacement fee. That technology comes with a price, which is one reason cities and advertisers started joining forces to offer bike-sharing. The European programs would cost cities about $4,500 per bike if sponsors did not step in, Mr. DeMaio said. ("Bicycle-Sharing Program to Be First of Kind in U.S.")

$4,500 is 22.5 bikes. Put another way, they could buy 2,500 bikes, rather than the 120 they're buying. That would require a lot more space if you bought them all at once, but you might just buy them as bikes are stolen. Looking at it another way, if you took the $500,000 being spent on technology, and invested it at 5%, you would make $25,000 per year, enough to completely replace the fleet annually.
This is (obviously) an incomplete analysis. But the cost of protection jumped out at me. Maybe it's typical for how people in Washington think about asset protection.
And yet it's the bold ideas that generate the biggest returns. Any really good new idea will seem bad to most people; otherwise someone would already be doing it. And yet most VCs are driven by consensus, not just within their firms, but within the VC community. The biggest factor determining how a VC will feel about your startup is how other VCs feel about it. I doubt they realize it, but this algorithm guarantees they'll miss all the very best ideas. The more people who have to like a new idea, the more outliers you lose.

Paul is absolutely right. The more people who have to like a new idea, the more outliers you miss. However, any really good new idea is likely a combination of one really good insight, and several bad ones. It's hard to disentangle them until you engage with the market. There's a real question of how expensive that will be. There's also the question of whether a really bold new inventor will listen enough to make the idea successful.
When I was at Zero-Knowledge, we spent a lot of time exploring ideas which have now come to fruition. Zero-Knowledge, under the name RadialPoint, is thriving. Selling security and privacy to consumers makes sense as part of an ISP package. Making it work, and figuring out what people were ready for, took a while. Some of the bits that they weren't ready for (and perhaps the market wasn't ready for either) include IP-level privacy, a problem that the Tor Project is hard at work on. We also worked hard on 'private credentials,' which Credentica launched as U-Prove, and which has since been acquired by Microsoft.
We had lots of new ideas at Zero-Knowledge, and a set of happy outcomes (as shareholders know).
But Zero-Knowledge, while bold, wasn't even absolutely new. It was built on the ideas of the cypherpunks, and we even had a Chief Cypherpunk. Similarly, Google wasn't the first of the search engines. It was innovative in how it worked, but it was several years after Yahoo!, AltaVista, and Ask. The bold ideas took a while to become profitable ideas.
So I think that it's absolutely wonderful that we have a creative, chaotic froth of very little companies, and that Paul helps make that happen. I wish there were more. I love seeing what emerges from that chaotic experimentation. But that experimentation can be tremendously expensive, with people chasing many variations of the ideas.
Paul is chasing a variation on how funding happens. He believes passionately in that vision, and is putting his money where his mouth is. Will it work? Who knows? I'm glad there's chaotic experimentation, and if Paul succeeds, I'm sure he'll have many imitators.
The mission of the Center is to conduct and facilitate innovative research and teaching on how new technologies impact global electronic markets, investment strategies, and the stability of the financial system.

As Digicash was saying back in 1994, numbers are money now. Studying technology in its impact on information, without paying attention to how the information is money, seems like studying how compression algorithms will allow us to deliver music to record stores, to be pressed on demand into fresh vinyl.

The information people use to make financial decisions is changing. Brokers are disintermediated by electronic market access. Reporter/editor/reader relationships are disintermediated by web access to primary sources. Technology has provided the means to deliver a great deal of financially relevant information. It has lagged in providing the means to make sense of it in a timely manner. This is an important focus of CIFT research.
One of the great things about having the full report is that we don't need to rely on Brian to interpret it for us. I love having data, and hate how rare it is for people who work in information security to have anything but summaries.
I found a couple of things interesting. At first they seem un-related:
An example is the "zippy" memo, where JPMorgan Chase employees traded information about how to fool the computer into approving loans. (See "How to Get an "Iffy" loan approved at JPM Chase," or "Chase mortgage memo pushes 'Cheats & Tricks.'" Chase fired at least one person for distributing it.)
The advice included:
As long as (as Martin Wolff says) "no industry has a comparable talent for privatising gains and socialising losses," we should expect to be unpleasantly surprised by reading about bank fraud. (A bit more context on the Wolff quote can be found in this excerpt.)
“In this room are people who have built this firm and lost a lot, our fortunes,” one Bear executive said to Mr. Dimon with anger in his voice. “What will you do to make us whole?” The packed room of senior managing directors applauded.
Mr. Dimon responded gingerly. “You’re acting like it’s our fault, and it’s not. If you stay we will make you happy.”
But the Bear employee was not satisfied. “I think it’s galling you come into our house and you call this a ‘merger,’ ” the Bear executive went on.

Now, there's an easy slam on that exec, but I'd like to do better than that. There's a very real desire to not go from the mansion to the poorhouse overnight. Picking arbitrary numbers of shares, on Friday, this fellow might have held 10,000 shares, worth $300,000, representing a large fraction of his savings. Monday morning, it was worth $20,000. He's worried about how he's going to pay for his kid's education or his next vacation. (There's more excellent analysis in Jeffrey Lipshaw's "Exuberant Bulls, Rueful Bears, and Rational Frogs.")
People's concerns, first and foremost, are for themselves.
People who work in security are often deeply concerned with security, because it's the thing that makes or breaks their careers. They're focused on the impact of security on them, as well as their business. So sometimes they make choices which aren't perfect for the business, but take their perspectives into account. It's only human.
Nick Owen talks a bit about the motives of security chiefs in "On the short tenure of CISOs and low-frequency, high-impact events." (Damnit, Nick, I should have seen that. Now you're banned from the prom.) ((Which is yet another instance of a principal-agent problem. I'd like to appear smarter and more insightful than Nick, so I have to ensure I don't link to him.))
Economists call this set of issues principal-agent problems, with the classic example being Alice hiring Bob to sell a car that she doesn't have time to sell. How does she know that he's not selling it to a friend? Economists are generally worried about the CEO, but the thinking can and should be applied across a company. How do you ensure people's motives are well aligned with those of the business and its shareholders?
Nick Szabo has some interesting points about "representation distances" in a political analysis of principal agent problems. I'm surprised that he talks about the distance from one agent to a group. I would think that the interesting questions involve average distances between various groups and agents, and the tensions between them.
Reports are that JPMorgan just bought Bear Stearns for $236MM, a 93% discount to Friday's closing price, with $30BB of US taxpayer money thrown in (as guarantees) for good measure. Bloomberg also reports that the Bear Stearns headquarters are valued at $1.2 BB, which means that the firm's net market positions are a liability of about ($31BB).
Apparently, Bear Stearns owned less of the risk than the Fed. I wonder when the Fed knew that? According to the same New York Times story, Bear Stearns has known it all along:
Even up until last week, Alan "Ace" Greenberg, Bear Stearn’s chairman for more than 20 years and a champion bridge player, still regaled its partners over lengthy lunches about gambling with the firm’s money in its wood-paneled dining room.

The firm's money, indeed.
What is it about the word "quantum" that sucks the brains out of otherwise reasonable people? There has to be some sort of Heisenberg-Schrödinger Credulity Principle that makes all the ideons in their brains go spin-up at the same time, and I'm quite sure that the Many Worlds Interpretation of it has the most merit. (In case you're a QM n00b, the ideon is the quantum unit of belief.) Fortunately, there seems to be some sanity coming to reporting about quantum computing.
Just about every quantum computing article has a part in it that notes that there are quantum algorithms to break public crypto. The articles breathlessly explain that this means that SSL will be broken and the entire financial world will be in ruins, followed by the collapse of civilization as we know it. Otherwise sensible people focus on this because there's very little to sink your teeth into in quantum computing otherwise. Even certified experts know that they don't know what they don't know.
Scott Aaronson has a good article in Scientific American called "The Limits of Quantum Computers" (only the preview is free, sorry) that gives a good description of what quantum computers can't do. I'm pleased to see this. SciAm has been a HSCP-induced quantum cheerleader over the last few years.
I have been doing some research on the claims of quantum computing. I decided to pick the specific factoring ability of quantum computers, and produce some actual numbers about how we might expect quantum computing to develop. In other words, I'm going to be a party pooper.
The crypto-obviating algorithms in question are Shor's algorithm for factoring and an algorithm he developed for discrete logs. I was surprised to learn that Shor's algorithm requires 72k^3 quantum gates to be able to factor a number k bits long. Cubed is a somewhat high power. So I decided to look at a 4096-bit RSA key, which is the largest that most current software supports — the crypto experts all say that if you want something stronger, you should shift to elliptic curve, and the US government is pushing this, too, with their "Suite B" algorithms.
To factor a 4096-bit number, you need 72*4096^3 or 4,947,802,324,992 quantum gates. Let's just round that up to an even 5 trillion. Five trillion is a big number. We're only now getting to the point that we can put about that many normal bits on a disk drive. The first thing this tells me is that we aren't going to wake up one day and find out that someone's put that many q-gates on something you can buy from Fry's as a white-box Taiwanese special.
A complication in my calculations is the relationship between quantum gates and quantum bits. For small numbers of qubits, you get about 200 qugates per qubit. But qubits are rum beasts. There are several major technologies that people are trying to tease qubits out of. There's the adiabatic technologies that D-Wave is trying. There are photon dots, and who knows how many semiconductor-based methods.
It isn't clear that any of these have any legs. Read Scott Aaronson's harumphing at D-Wave, more pointed yet sympathetic faint praise, and these educated doubts on photonics. Interestingly, Aaronson says that adiabatic quantum computers like D-Wave need k^11 gates rather than k^3 gates, which pretty much knocks them out of viability entirely, if that's so.
But let's just assume that they all work as advertised, today. My next observation is that we're probably looking at billions of qubits to be able to get trillions of q-gates. My questions to people who know about the relationship between quantum gates and quantum bits yielded the answer that the real experts don't have a good answer, but that the 200:1 ratio is more likely to go down than up. Intel's two-billion transistor "Tukwila" chip comes out this year. Five trillion is a big number. We are as likely to need 25 billion qubits to factor that number as any other good guess. Wow.
The factoring that has been done on today's quantum computers is of a four-bit number, 15. If you pay attention to quantum computing articles, you'll note they always factor 15. There's a reason for this. It's of the form (2^n-1) * (2^n+1). In binary, 2^n-1 is a string of all 1 bits. A number that is 2^n+1 is a 1 bit followed by a string of 0s, and then a 1 again. These numbers are a special form that is easy to factor, and in the real world not going to occur in a public key.
This is not a criticism, it's an observation. You have to walk before you can run, and you have to factor special forms before you can factor the general case. Having observed that, we'll just ignore it and assume we can factor any four-bit number today.
Let's presume that quantum computers advance in some exponential curve that resembles Moore's Law. That is to say that there is going to be a doubling of quantum gates periodically, and we'll call that period a "generation." Moore's specific observation about transistors had a generation every eighteen months.
The difference between factoring four bits and factoring 4096 bits is 30 generations. In other words, 72*4^3 * 2^30 = 72*4096^3. If we look at a generation of eighteen months, then quantum computers will be able to factor a 4096-bit number in 45 years, or on the Ides of March, 2053.
This means to me that my copy of PGP is still going to be safe to use for a while yet. Maybe I oughta get rid of the key I've been using for the last few years, but I knew that. I'm not stupid, merely lazy.
I went over to a site that will tell you how long a key you need to use, http://www.keylength.com/. Keylength.com uses estimates made by serious cryptographers for the life of keys. They make some reasonable assumptions and perhaps one slightly-unreasonable assumption: that Moore's Law will continue indefinitely. If we check there for how long a 4096-bit key will be good for, the conservative estimate is (drum roll, please) — the year 2060.
I'm still struck by how close those dates are. It suggests to me that if quantum computers continue at a rate that semiconductors do, they'll do little more than continue the pace of technological advancement we've seen for the past handful of decades. That's no mean feat — in 2053, I doubt we're going to see Intel trumpeting its 45 picometer process (which is what we should see after 30 generations).
I spoke to one of my cryptographer friends and outlined this argument to him. He said that he thinks that the pace of advancement will pick up and be faster than a generation every eighteen months. Sure. I understand that, myself. The pace of advancement in storage has been a generation every year, and in flash memory it's closer to every nine months. It's perfectly conceivable that quantum computing will see horrible progress for the next decade and then whoosh off with a generation every six months. That would compress my 45 years into 25, which is a huge improvement but still no reason to go begging ECRYPT for more conferences.
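The arithmetic above, worked through as an added example (my code, not the post's), using only the post's own model: 72k^3 gates, a 200:1 gate-to-qubit ratio, a demonstrated 4-bit baseline and one doubling per generation. It generalizes to any key size, generation length and stall period; the start year 2008 is an assumption (the post's date).

```python
"""Worked version of the gate-count argument in this post (added example, not
the author's code).  Model, all from the post: Shor needs 72 * k**3 gates for a
k-bit modulus, roughly 200 gates per qubit, the demonstrated baseline is a 4-bit
factorization (15), and capacity doubles once per "generation".  The start year
2008 is an assumption (the post's date)."""
import math

GATE_CONSTANT = 72        # Shor gate count: 72 * k^3
GATES_PER_QUBIT = 200     # ratio quoted in the post; expected to fall, not rise
BASELINE_BITS = 4         # largest number factored so far: 15, four bits
START_YEAR = 2008         # assumed: year the post was written


def shor_gates(k_bits: int) -> int:
    """Quantum gates for Shor's algorithm on a k-bit modulus (post's formula)."""
    return GATE_CONSTANT * k_bits ** 3


def qubits_needed(k_bits: int, gates_per_qubit: int = GATES_PER_QUBIT) -> int:
    """Qubit estimate from the gate count and an assumed gates-per-qubit ratio."""
    return math.ceil(shor_gates(k_bits) / gates_per_qubit)


def generations_needed(to_bits: int, from_bits: int = BASELINE_BITS) -> float:
    """Doublings of gate capacity between two key sizes.

    The constant 72 cancels: (72*to^3) / (72*from^3) = (to/from)^3, so the
    number of doublings is 3 * log2(to/from).  4 -> 4096 bits is 3 * 10 = 30.
    """
    return 3 * math.log2(to_bits / from_bits)


def year_reached(to_bits: int, generation_years: float,
                 stall_years: float = 0.0, start_year: int = START_YEAR) -> float:
    """Calendar year at which k-bit keys fall, given one doubling every
    `generation_years`, optionally after `stall_years` of no progress."""
    return start_year + stall_years + generations_needed(to_bits) * generation_years


def is_special_form(n: int) -> bool:
    """True when n = (2^m - 1) * (2^m + 1) = 4^m - 1, the easy-to-factor shape
    of the perennial demonstration target 15 = 3 * 5."""
    m = 1
    while 4 ** m - 1 <= n:
        if 4 ** m - 1 == n:
            return True
        m += 1
    return False


if __name__ == "__main__":
    k = 4096
    print(f"Shor gates for {k}-bit RSA: {shor_gates(k):,}")
    print(f"Qubits at {GATES_PER_QUBIT}:1: {qubits_needed(k):,}")
    print(f"Generations from {BASELINE_BITS} bits: {generations_needed(k):.0f}")
    print(f"Year at 18-month generations: {year_reached(k, 1.5):.0f}")
    print(f"Year with a 10-year stall, then 6-month generations: "
          f"{year_reached(k, 0.5, stall_years=10):.0f}")
    print(f"15 is special form: {is_special_form(15)}")
```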
On the other hand, it's just as conceivable that quantum computing will end up on the Island of Misfit Technologies, along with flying cars, personal jetpacks, Moon colonies, artificial intelligence, and identity management.
But I also talked to a bigwig in Quantum Information Theory (that's quantum computing and more) and gave him a sketch of my argument. I heard him speak about Quantum Information and he gave the usual Oooooo Scary Quantum Computers Are Going to Factor Numbers Which Will Cause The Collapse of All Financial Markets And Then We Will All DIEEEEE — So That's Why We Need More Research Money boosterism.
He wouldn't let me attribute anything to him, which I understand completely. We live in a world in which partisanship is necessary and if he were seen putting down the pompoms, he'd be fired. Telling middle-aged technocrats that the math says their grandkids are going to see quantum computers shortly before they retire will cause the research money dry up, and if that happens then — well, the world won't end. And then where would we be?
Nonetheless, he said to me sotto voce, "There's nothing wrong with your math."
Yesterday, the New York Times had a story, "States and Cities Start Rebelling on Bond Ratings:"
A complex system of credit ratings and insurance policies that Wall Street uses to set prices for municipal bonds makes borrowing needlessly expensive for many localities, some officials say. States and cities have begun to fight back, saying they can no longer afford the status quo given the slackening economy and recent market turmoil. ...
At every rating, municipal bonds default less often than similarly rated corporate bonds, according to Moody’s... Colleen Woodell, chief quality officer for public finance, acknowledged that municipal debt had defaulted at lower rates than corporate issues, but she noted that the data covered a relatively benign 20-year period... Ms. Woodell said the disparity was “within a tolerable band” and would diminish over time.

Tolerable to whom, Ms. Woodell?
The article goes on to explain that the financiers are taking enormous sums of money from taxpayers on what is really very safe debt.
Since most government bonds are repaid, there would be a very large chunk of identically rated bonds.
“If you rate 95 percent of the issues the same, the ratings cease to be useful, and investors need and utilize these ratings to differentiate credits,” said John Miller, chief investment officer at Nuveen Asset Management in Chicago, which manages about $65 billion in mostly tax-exempt bonds.

Really? If the bonds are safe, and 95% of them would get a AAA rating, maybe we could save a lot of money by removing a low-value information source.
It makes sense to look at the organizations who control credit data, and ask the age-old question: who benefits? These organizations aren't in it for their health.
EBay has been struggling for some time with growing discontent among its members, and it has rolled out a series of new controls and regulations to try to stem the erosion of trust in its market. At the end of last month, it announced sweeping changes to its feedback system, setting up more "non-public" communication channels and, most dramatically, curtailing the ability of sellers to leave negative feedback on buyers. It turns out that feedback ratings were being used as weapons to deter buyers from leaving negative feedback about sellers.

He goes on to rail against the usefulness of feedback loops:
As these sites grow, keeping them in line requires more rules and regulations, greater exercise of central control. The digital world, it seems, is not so different from the real world.

However, he doesn't question EBay's central decision. If the goal is to control retaliatory feedback, then require that all feedback be given within N days (N might vary for transaction types, international shipping, etc.), and don't reveal the feedback until both buyer and seller have finalized what they want to say.
(Personally, I think that some structure in the feedback--was the item as described? was it shipped quickly and as requested? was the interaction business-like, chatty, or rude?--could enhance things a lot, as would displaying the value of the transactions. But that's an aside.)
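A toy model of the double-blind feedback window proposed above, added here as an example (my code, not eBay's system or anything from the post): each side commits once within N days, and nothing is revealed until both have committed or the window closes, so there is no rating to retaliate against. N, the role names and the sample feedback are constructed.

```python
"""Toy model of a double-blind feedback window (added example, not eBay's
system).  Rules: each party may leave one piece of feedback within N days of
the transaction, and nothing is revealed to anyone until both sides have
committed or the window has closed.  Since neither side can read the other's
rating before committing its own, retaliatory feedback has nothing to react to.
N, the roles and the sample feedback below are constructed."""
from dataclasses import dataclass, field
from typing import Dict

ROLES = ("buyer", "seller")


@dataclass
class Feedback:
    rating: int        # constructed scale: 1 negative, 2 neutral, 3 positive
    comment: str
    day: int           # days after the transaction closed


@dataclass
class Transaction:
    tx_id: str
    window_days: int   # N; may differ by transaction type (e.g. international shipping)
    committed: Dict[str, Feedback] = field(default_factory=dict)


class FeedbackEscrow:
    """Holds feedback sealed until the reveal condition is met."""

    def __init__(self) -> None:
        self.txs: Dict[str, Transaction] = {}

    def open(self, tx_id: str, window_days: int) -> None:
        self.txs[tx_id] = Transaction(tx_id, window_days)

    def is_final(self, tx_id: str, today: int) -> bool:
        """Feedback is final (and hence visible) once both parties have
        committed or the N-day window has elapsed, whichever comes first."""
        tx = self.txs[tx_id]
        return len(tx.committed) == len(ROLES) or today > tx.window_days

    def submit(self, tx_id: str, role: str, rating: int, comment: str, today: int) -> bool:
        """Commit one party's feedback.  Rejected if the role is unknown, the
        party already committed (no edits after the fact), or the record is
        already final (window closed, or the other side is already visible)."""
        tx = self.txs[tx_id]
        if role not in ROLES or role in tx.committed:
            return False
        if self.is_final(tx_id, today):
            return False
        tx.committed[role] = Feedback(rating, comment, today)
        return True

    def visible(self, tx_id: str, today: int) -> Dict[str, Feedback]:
        """What anyone (including the counterparty) can see on a given day."""
        if not self.is_final(tx_id, today):
            return {}
        return dict(self.txs[tx_id].committed)


def demo() -> Dict[str, Dict[str, Feedback]]:
    """Two constructed transactions: one where both sides commit inside the
    window, one where a late would-be retaliator is shut out."""
    esc = FeedbackEscrow()
    esc.open("tx-1", window_days=14)
    esc.submit("tx-1", "seller", 1, "slow to pay", today=2)
    early = esc.visible("tx-1", today=3)          # {}: buyer cannot see the seller's rating
    esc.submit("tx-1", "buyer", 1, "item not as described", today=5)
    both = esc.visible("tx-1", today=5)           # both ratings revealed together

    esc.open("tx-2", window_days=7)
    esc.submit("tx-2", "buyer", 3, "smooth transaction", today=1)
    esc.submit("tx-2", "seller", 1, "retaliation attempt", today=8)  # rejected: window closed
    late = esc.visible("tx-2", today=8)           # only the buyer's feedback
    return {"early": early, "both": both, "late": late}
```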
What's important is that EBay is replacing a transparent and manipulated system with one that's going to be worse for their customers, and more expensive to operate. It will be interesting to see what emerges from this. Will a worse feedback system be enough to overcome the network effects and allow a strong competitor to emerge?
Thanks to Nicko van Someren for the pointer.
Raymond Chen has an amusing blog post, "When computer programmers dabble in economics: Paying parking tickets." This is further dabbling in economics, and I hope you find it amusing.
I believe that parking meters--the old fashioned kind where you put coins in and hope to not get a ticket--are precisely the opposite of slot machines. With a slot machine, you put money in, and you hope, money comes out. I like not putting money in parking meters, and hoping none comes out of my pocket.
Photo: "Downtown Phillipsburg, NJ," by Peachhead.
If you travel a lot, you're used to dealing with many network difficulties. For a while now, I've been traveling with an Airport Express, which has made life a lot easier. I set it up to use DHCP, plug it into the hotel Ethernet, and go. At the very least, it means I can work from the bed, rather than from a desk that is inevitably at the wrong height.
Even more so, I now travel with at least three devices that have WiFi -- my laptop, my phone, and my iPod. I travel about half the time with my SO, who also has a laptop and an iPod with a network. I said "at least" because I also have a Nokia slate, which is a specialized device (I lug it along when I don't want to lug a laptop, for example).
Also, for some reason the better the hotel you stay in, the more they charge you for Internet access. Sleep in a cheap hotel, and the network is free. Stay in an expensive one, and they charge you $10 to $15 a night. Stay in the UK, and you can face £18 a day for your net.
This is changing. Ramada and Radisson are doing a lot of free Internet. Fairmont gives free Internet to their President's Club members (no better reason to join, for me). However, this still means that you have to figure out how to share your one obscenely expensive net connection with the coalition of devices in your room.
However, another way that this is changing is that there's more and more wireless going into hotel rooms, and less wired. For us, wired is good, because you just plug a basestation into the net and you go. But with wireless, you need a basestation that listens on a wireless connection while re-broadcasting another.
For quite some time, I've been complaining that the appropriate router doesn't exist. A few weeks ago, however, a friend told me about the D-Link DWL-G730AP, which purports to do what I want. I also found on my own research the Linksys WTR54-GS. They appear on the surface to be mostly equivalent. The Linksys comes in a compact package that has an AC plug bundled into the unit. The D-Link has a separate transformer, but can also be powered from USB. I ended up getting the Linksys. The deciding factor was that both units have manuals on the web, and the D-Link manual is a high-level installation guide that describes several possible configurations, but the one I want is missing. The Linksys has a detailed manual that tells how to set it up from its internal web server, do MAC address spoofing, port mapping and redirection, and so on. A manual that told how to set up what I want was the clincher. I bought it right before a trip to the UK, and wanted to avoid buying wireless access.

There are a couple of annoying things about the Linksys. It cannot be a client onto a secured network, which meant that I didn't set it up before I left. I would have taken time I didn't have to pull the "security" off of my G network to experiment. (It's just WEP, hence the quotes around "security." I consider it a no-trespassing sign.) Once in a hotel, I have not yet figured out how to put a password on the network it broadcasts. Each of my attempts resulted in having to hard-reset the device. It has a nice, convenient hard-reset button. On the other hand, I've been busy and in various stages of sleep-deprived brain damage, so I don't know that it's their fault that I haven't figured it out. I settled for hiding the SSID. I don't actually care if someone mooches on my hotel wireless, if they leave enough bandwidth for me.

If the D-Link will work as a wireless-to-wireless router, it has an advantage over the Linksys in being USB-powered. That means you can easily plug it in to your laptop while using paid wireless, and rebroadcast for your phone or iPod or SO. I just don't know that you can. If someone has a definitive answer, place a comment below. If you're from D-Link and reading this, make a note that you lost a sale solely because your manual confused me.
Bookmark this post:
I've been thinking about Franklin, Perrig, Paxson, and Savage's "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants" for about three weeks now.
This is a very good paper. For the infosec empiricist, the dataset itself is noteworthy. It consists of 13 million public IRC messages (that is, in-channel stuff, not PRIVMSGs) obtained from several networks and channels, collected over a 7 month period. These messages contain sensitive information (such as PII) and offers to sell various illicit goods. The authors provide no information concerning the process by which the IRC networks and channels were selected for monitoring, a matter which may be relevant for those seeking to replicate their findings. For the CS crowd, they use a nifty machine-learning technique to identify and categorize messages which are advertisements.
The authors are able to present a number of fascinating descriptive statistics about the market they study, including the number and activity level of market participants, price history, measures of flow of goods into the market, statistics on which goods are offered for sale most often, etc.
This paper has gotten some attention in the trade press because it discusses methods which could potentially be used to disrupt this IRC-based underground economy. In a nutshell, the key is to make it impossible to tell good sellers from bad, thereby deliberately creating a market for lemons and driving out customers.
Ultimately, there are way more questions than answers. This has nothing to do with the paper, which is excellent. It has to do with disciplinary maturity, which we in information security lack, and with quality data, which we lack even more.
But dwelling on the positive for a moment, it is interesting to consider what we might be able to investigate using a dataset like this. At a macro level, we might be able to observe the price reaction given a sudden increase in supply. For example, if we have independent confirmation that at a particular time 100 million credit card numbers became available for sale, it would be interesting to see if this was followed by a drop in the asking price, and if so, how large a drop.
Even more interesting: if we already have an idea about the elasticity of price with respect to supply, we can estimate the size of the market based on observed price movements given a supply shock of known size. If, similarly, we observe an unexplained drop in price, we may presume that an unreported supply shock has taken place. This is an indirect estimator of the amount of the personal information iceberg existing below the waterline. Cool!
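To make the two-way argument above concrete, here is an added toy estimator, not code from the post or from Franklin et al.'s paper. The elasticity value and the weekly price series are constructed for illustration; the functions take a supply shock of known size to a market-size estimate, and take an assumed market size to the size of shock implied by an unexplained price drop.

```python
"""Added example: supply-shock arithmetic for an underground price series.
All numbers are constructed; the elasticity is an assumed parameter, not a
figure measured from any dataset."""
from typing import List, Tuple


def relative_change(before: float, after: float) -> float:
    """Fractional change (after - before) / before; a drop is negative."""
    if before <= 0:
        raise ValueError("prices must be positive")
    return (after - before) / before


def estimate_market_size(price_before: float, price_after: float,
                         supply_shock: float, elasticity: float) -> float:
    """Infer total market quantity Q from a supply shock dQ of known size.

    `elasticity` is the price elasticity with respect to supply,
    eps = (dP/P) / (dQ/Q), assumed negative (more supply, lower price).
    Rearranging gives dQ/Q = (dP/P) / eps, hence Q = dQ / (dQ/Q).
    The estimate only holds if nothing but supply moved over the window.
    """
    if elasticity >= 0:
        raise ValueError("price elasticity w.r.t. supply should be negative")
    rel_price = relative_change(price_before, price_after)
    if rel_price == 0:
        raise ValueError("no price movement: market size is unidentified")
    rel_quantity = rel_price / elasticity
    return supply_shock / rel_quantity


def implied_supply_shock(price_before: float, price_after: float,
                         market_size: float, elasticity: float) -> float:
    """Reverse direction: given an assumed market size, how large an
    (possibly unreported) supply shock does an observed price move imply?"""
    if elasticity >= 0:
        raise ValueError("price elasticity w.r.t. supply should be negative")
    rel_price = relative_change(price_before, price_after)
    return market_size * (rel_price / elasticity)


def detect_unexplained_drops(prices: List[float],
                             threshold: float = 0.05) -> List[Tuple[int, float]]:
    """Flag observation indices where the asking price fell by at least
    `threshold` (fractional) relative to the previous observation. Whether a
    flagged drop is 'unexplained' still needs a human to rule out other causes."""
    flagged = []
    for i in range(1, len(prices)):
        change = relative_change(prices[i - 1], prices[i])
        if change <= -threshold:
            flagged.append((i, change))
    return flagged


# Constructed weekly asking prices (arbitrary units) for one advertised good.
# The two sharp drops are the events a market watcher would want to explain.
WEEKLY_PRICES = [10.0, 10.2, 9.9, 10.1, 8.5, 8.6, 8.4, 7.0]
ASSUMED_ELASTICITY = -0.5   # constructed assumption, not an empirical value

if __name__ == "__main__":
    # Known shock: a constructed 100 million records hit the market and the
    # asking price fell from 10 to 9. Infer how big the market already was.
    size = estimate_market_size(10.0, 9.0, 100_000_000, ASSUMED_ELASTICITY)
    print(f"implied pre-shock market size: {size:,.0f} records")
    # Unexplained drops: for each, back out the shock that would explain it
    # if the market were of the size just estimated.
    for idx, change in detect_unexplained_drops(WEEKLY_PRICES):
        shock = implied_supply_shock(WEEKLY_PRICES[idx - 1], WEEKLY_PRICES[idx],
                                     size, ASSUMED_ELASTICITY)
        print(f"week {idx}: price moved {change:+.1%}, "
              f"implied unreported supply of about {shock:,.0f} records")
```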
There's also a certain practical value. Consider the recent UK data breach. Already, there are reports that personal information from this incident is appearing on the underground market. Franklin et al. have provided us with an estimate of how much traffic in UK PII existed prior to this breach. The same surveillance techniques which informed their analysis are undoubtedly still under way today. Perhaps three, six, or twelve months from now a second analysis will show a dramatic increase in the amount of UK PII flowing through the market. The policy ramifications of knowing how great the lag is between PII being pilfered and its appearance on the market are significant. What use is a twelve month credit freeze, for example, if the lag is 24 months?
A final question that data like this can help answer concerns the relationship between breaches and identity theft. Since British banks reportedly are balking at monitoring all the accounts involved for fraud, this opportunity may be squandered. I commented on the important role banks could play back in June:
(emphasis added)
One way to estimate the extent to which having your PII exposed in a breach increases the probability of your becoming an identity theft victim is to watch for the exposed data elements using a fraud detection network
[...]
Other than using banks as a focal point and having them report on fraud using these stolen elements, I cannot think of another way.
[...]
I suppose one could try to determine whether the stolen elements were in the inventory of any black-market sellers, but I do not see how one can gain access to their inventory information. It's clear that the illicit trade in this stuff is non-trivial, but I honestly do not know that we have anything approaching a comprehensive picture of the landscape.
I now see that I was overly pessimistic in my last two sentences, and I am thankful for that.
Let me close with a quotation about price data which reflects my current mood:
Certainly they tell us a great deal, some but not all of which is reflected in policy debates. At the same time much remains unknown. Given the number of instances in which deductive arguments have been promulgated with great confidence only to be refuted by empirical evidence, it seems wise to be somewhat cautious in drawing conclusions that go beyond the scope of the data.
Although some of what is not known is probably unknowable--at least in the medium term--there are considerable opportunities for expanding the range of questions that have been addressed empirically. Price data are much more accessible than data pertaining to prevalence or quantity. A relatively modest investment of resources could substantially increase both the quantity and the quality of the price data available for analysis.
This observation is from "What price data tell us about drug markets", a 1998 paper. I fervently hope its applicability to the information security world is demonstrated by a stream of papers stimulated by Franklin et al.
Bookmark this post:
I don't think this is a trouble-free idea. There are lots of complexities. As one example, are open source vendors going to be liable? Fyodor, who writes and gives away nmap? RedHat.com? What about Apple, when they include a package, say bind or bzip, both of which were included in their latest security update. Including such third party software allows Apple to provide basic functionality at lower cost.
Now, the UK Information Commissioner has proposed that doctors who lose laptops with patient data could be subject to a £5,000 fine.
Mr Thomas said: “If a doctor, or hospital [employee] leaves a laptop containing patients’ records in his car and it is stolen, it is hard to see that is anything but gross negligence.”
The commission can currently issue enforcement notices but these “do not impose any element of punishment for wrongdoing”. But Lord Lyell of Markyate, a former Attorney-General, said it would be disproportionate to criminalise doctors for losing a laptop.
Mr Thomas said the intention was not to prosecute for a single incident, but that for gross negligence there was “a need to have some deterrent in place”. He said anyone holding personal data should know the basics of “encryption” to protect that material. ("Doctors may be prosecuted if their laptops are stolen," Times Online, UK)
I'm with Lord Lyell here, and think that there's a great deal of specific thinking to be done before we should impose more liability for software flaws. Software creators, including Mozilla, know that it's hard to make bug-free software, so my employer probably thinks similar things.
Possibly related, "Government ignores Personal Medical Security."
Via PogoWasRight.
Bookmark this post:
http://plato.stanford.edu/entries/economics/
http://faculty.fuqua.duke.edu/~rnau/choice/whoswho.htm
(Also useful as a reading list for a possible upcoming cage match between Hutton and Bejtlich ;^))
Bookmark this post:
However, the above is not the end of the information security story from an economics perspective. If an organization can distinguish itself as having much better information security than its competitors, then that organization may well derive a “competitive advantage” (at least in short-run, until competing firms catch-up in terms of security) that results in increased demand for the organization’s physical product(s) and/or service(s).
While I'm sympathetic to the claim, let's ask how an organization "can distinguish itself as having better information security than its competitors." (In this post, I'm explicitly not speaking for or about my employer, who I think is doing a great job investing in security, eg, by paying me.)
How can a potential customer make a decision about security? As a consumer, I might look to funny television advertising, or other forms of marketing. But marketing isn't a good signal: it's equally easy for a firm to invest in marketing their security effort if they do little, or nothing as it is to market if they invest in a security development lifecycle. As an enterprise, I might consider spending a little money on a critical analysis of the software under consideration, but that's expensive, and I might cynically believe that the results will all be on the order of "this stinks!"
Even if I could analyze security, security is likely only one of several factors that contribute to my buying choices. It's not clear that it's a great source of competitive advantage. For example, in their early days, ebay and paypal invested in things other than security, and did spectacularly well on that decision.
See Ken Belva, "Dr. Gordon: Information Security can have a positive return."
Lastly, I'll mention a series here from 2004 on the value of signaling as a means to address information asymmetry: "Security Signaling," "Signalling by Counting Low Hanging Fruit," and "Ratty Signals." There are some great comments.
Bookmark this post:

Or perhaps more correctly, did not internalize Descartes when he heard of him. In "Our Lives, Controlled From Some Guy’s Couch," John Tierney writes:
Until I talked to Nick Bostrom, a philosopher at Oxford University, it never occurred to me that our universe might be somebody else’s hobby. I hadn’t imagined that the omniscient, omnipotent creator of the heavens and earth could be an advanced version of a guy who spends his weekends building model railroads or overseeing video-game worlds like the Sims.
It is for occasions such as these that the expressions "gobsmacked" and "WTF" were created. How could you survive to adulthood, let alone get a degree in what I presume was some sort of liberal arts, let alone get a job at The Paper of Record, and not once wonder about whether reality is real? This also suggests that the poor thing's youth was insufficiently misspent.
Perhaps the real interesting work in this sort of liberal arts has moved to the likes of Edward Fredkin at MIT.
It's a great article, and I'm happy that serious newspapers are talking about things like this. But in World of Warcraft, a simulation that he gives as a comparison, the characters there have a repertoire of jokes. One of the jokes that a woman might say is, "Do you feel that you aren't in control of your own destiny -- like -- you're being controlled by an invisible hand?"
I'm pleased that Oxford philosophers think about this, and I'm glad that professional journalists are paying attention to it rather than the usual fluff. For our children, however, this is just part of popular culture.
Photo courtesy of denzilm.
Bookmark this post:
In it, they present the results of a survey of 647 people with regard to a number of privacy hypotheses. Their results include:
- Contrary to some research, the chief privacy concern appears based on data use, not data itself.
- There is consumer demand for social control that focuses on data use.
- Sophisticated consumers care about economic context and indirect economic effects.
It's a good short paper, and I'm glad to see research prising apart the ways people think about privacy.
I'd love to know if the authors attempted to extract any initial (qualitative) reactions to the scenario they presented. I'm also curious how long people took, and if their results would be different under time pressure. Both of these questions are related to my belief that transactional costs are dominant in many privacy scenarios, and that people choose defaults to avoid the costs of considering many questions about privacy: they'll often say either yes or no without a lot of consideration.
Update: s/per/pir/g in title [cw][as]
Bookmark this post:
There's a war on cash? Who knew? Dave Birch uses the phrase in "More from the war on cash" without a whole lot of surprise. Here he's quoting a McKinsey study. (Unsurprisingly, you need to log in to read it.)
I liked this gem:
Cash needs to be priced appropriately. The fact is that, today, the pricing of cash is not in line with its costs. Consumers and merchants in most countries do not pay the real cost of cash, and so merchants and consumers have no reason to reduce their use of cash. One problem is that there is no clear ownership of cash. Another is that governments often position cash as a public good -- to be offered free by banks -- thereby inhibiting an economic debate on cash versus other instruments.
That's a problem now, is it? While I agree that cash having government backing creates a barrier to entry, cash is also a highly evolved product, and the risks are assigned reasonably efficiently. This is in stark contrast to some newer payment methods, like credit cards, which may be "efficient," but carry surprising side effects, like "Buy Gas, Get Busted for Pedophilia."
Having the government provide a means for a reasonably functioning economy, and removing the costs of worrying about the gold content of a coin, or the solvency of DavidBucks, adds huge efficiencies. There are quite a few things that I'd take the government out of before I took them out of coining currency. (Know thy customer regulations, for example.)
To put it another way:
...we believe that the right to coin money and issue money is a function of government. We believe it. We believe it is a part of sovereignty and can no more with safety be delegated to private individuals than can the power to make penal statutes or levy laws for taxation.
Photo: Cross of gold, courtesy of Ewtn Religious
[Updated: Clarified that the quote was McKinsey, not David Birch.]
Bookmark this post:
Drumming up business would seem to be an easy task for those who sell encrypted cellphones in Italy. All they have to do is browse the major newspapers for likely customers.
Piero Fassino, national secretary of the Democratic Left Party, could have benefited from an encrypted phone before comments he made regarding a sensitive bank takeover made the front pages.
Of course, selling phones one off misses the (ahem) fax effect, where the more people you can use your encryption with, the more valuable it becomes. Also, the phones are still pretty expensive:
The high-end package, which runs about $2,200 at both companies, includes a phone, which must be a model capable of using the encryption software.
Bookmark this post:
One-third of companies said in a recent poll that a major security breach could put their company out of business, according to a report from McAfee.
The security company unveiled a study Tuesday showing that 33% of respondents said they believe a major data-loss incident involving accidental or malicious distribution of confidential data could put them out of business. The study, called Datagate, is based on a survey of more than 1,400 IT professionals at companies with at least 250 employees in the United States, the United Kingdom, France, Germany, and Australia.
The number of companies that have gone under because of a breach is statistically indistinguishable from zero. That's the case if you express it as a percentage of companies breached, or as a percentage of companies going out of business. McAfee should do better than spread this sort of FUD, especially when we can measure what's really happening.
If you're a customer, you should call your McAfee salesperson, and ask for examples, and ask why they're spreading this FUD.
Bookmark this post:
"Don't Mess With Our Chocolate," says Guittard.
Summary: the FDA is considering changing the definitions of "chocolate" and "chocolate flavored" and "chocolaty" so that they don't have to put as much cocoa solids in it to make it be "chocolate."
The FDA is soliciting comments, and the cutoff is April 25, so that's not much time. It's uh, like today.
Speaking for the President of the United States, we suggest commenting in favor of the change. There's nothing like the government empowering companies to engage in fair and deceptive trade practices. That also means more 70% to 80% Scharff, Valhrona, etc. for us.
The nice people at Guittard have links to a web page at the FDA that you can use to comment. Do it now! I have.
Update: The FDA has extended the comment period by a month. Do it today anyway.
Bookmark this post:
Micropayments company Peppercoin, started with technology by Rivest and Shamir, has been bought by Chockstone, a company doing loyalty programs. Supposedly, they bought Peppercoin because it will "increase consumer 'stickiness' and brand affinity" and "increase average ticket price more than 12%." Okay.... I thought that the reason for bearer-level micropayments was the opposite. Right here on the label that the payment-punks have been pushing, it says that you get increased market efficiencies, lower costs, and liberty for the end user. We'll have to see how this one turns out. I suppose if this lets you buy books with airline miles, or something like that, you could get both.
Bookmark this post:
El Reg reports that Microsoft claims to be sticking to its timetable for shutting down XP.
No fewer than three people told me yesterday, "This means I have to buy that Mac Book Pro this year." They can't be alone. I have several co-workers running Vista on laptops, and even without the overhead of a VM, it's slow.
Thus, an investing opportunity presents itself -- buy a number of copies of XP this year, and then resell them at a profit. There are, of course, many risks in this strategy too obvious to name, but hey, money is risk.
If during the holiday shopping season, you see a run on copies of XP, take note.
Bookmark this post:

If you haven't read Steven Johnson's The Ghost Map, you should. It's perhaps the most important book in print today about the next decade of computer security.
John Snow was a physician who was a pioneer in anaesthesia who turned his attention to cholera when the worst epidemic hit the London where he lived in 1854. It's not just about Snow, however, it's about theories, information, and how to select the right model.
The prevailing model at the time (this was pre-germ-theory) was that cholera was airborne, carried by "miasma," namely stink. If it smelled bad, it was probably disease-ridden. It's not a bad theory, actually, it's just wrong. Snow came to the belief that cholera was waterborne, despite the fact that the suspect wells in London were known to be largely sweet-tasting.
Despite the fact that I'm giving away the plot (spoiler -- we beat cholera and major cities in Europe no longer have epidemics), Snow got there by examining data and coming up with the proper visualization of the data (the Ghost Map) to show that cholera spread along water flow not along air flow.
Before Adam used Snow and Johnson's book in his recent "Why Security Breaches Are Good For You," I read the book and was thinking about it and security.
I believe that our security problems need to be looked at both from the viewpoint of public health issues, but also from the viewpoint of quality. Snow beat cholera because he was fortunate enough to have the right insight, but insight isn't enough. You need data. Fortunately, there was lots of data available, and the data was available to him and the people who disagreed with him. Data was also part of the problem, as Johnson points out, because the larger problem was sorting through the data. However, when it comes to computer security, we don't yet have the luxury of too much data.
Everyone's data center has its own little cesspool. Mine does, yours does. We have to figure out how to clean them up. We need to have more data. We therefore need to remove the stigma of disclosing data as well as insisting on it. This is why The Ghost Map is an important book for computer security, it will take you back a sesquicentury to the problems of creating cities with millions of people in them, and in that history you can think about the problems of making networks with billions of people in them.
Johnson himself has a chapter on the future of cities and urbanization, which I wasn't as impressed with. The book shifts from being a page-turner to a page-flipper when he gets away from the past and considers the future. Nonetheless, read it and think.
I was fortunate enough to be in London recently and made a pilgrimage to Broad Street (now Broadwick Street) and the pub in his honor. I also made a point to use the modern public convenience on Broadwick Street and was amused by the washing gizmo that soaps, waters, rinses, and dries one's hands without one having to touch anything.
Photo of the pub sign for the John Snow pub courtesy of Mordaxus. I apologize for leaving the decent camera at home, and thus having to make do with the camera in my mobile.
Bookmark this post:
I also don't buy the bad management argument. Allocating resources to security is an art, not a science. I'll offer up a simple experiment to illustrate that shortly.
So here's the experiment. It works better in person than in blog comments. Ask two experts to write down how they'd allocate $100 to secure information. Pick a business that both know. Compare. Then watch them argue.
Now imagine that you're a CEO, and ask yourself what you'd do to resolve this debate.
Bookmark this post:
Adam comments on some breach commentary, and quotes Nick Owen saying that breaches are a sign of incompetence.
I can't let this stand un-commented-upon. I believe that that is a dangerous comment, and one that needs to be squashed early. It's like saying that a bug tracking system with lots of bugs in it is a sign of engineering incompetence. It actually means the opposite. A truly incompetent management team wouldn't know they'd been breached. A slightly less incompetent team would bury it under the rug. This is true for software developers as well as operations people.
This is a very dangerous comment because it rewards the truly incompetent who don't know how screwed up they are. It is a dangerous comment because it rewards the mendacious, who hide that they've been breached -- or who design their operations so they won't know when they're breached. Stop. You're going to set us backwards if you keep that up.
It doesn't matter how good you are, some day you will be breached. Accept that. As a consumer, that's a mildly unpleasant thing to think of, but it's true. However, you want people who lose your data to have the wit to know they've lost it, and the morality to own up to it.
I also want to comment on Allan Friedman's comment about Iron Mountain, as I've noticed the same thing, that many breaches involved Iron Mountain losing tapes. But I'm not an economist, I'm a guy who's spent time in operational groups, and I have an alternative hypothesis.
Let us assume an organization that makes daily backups and sends them to a data warehouse. Let us suppose that the tape monkeys have a Very Bad Day. Sam's on vacation. Ginger broke up with her boyfriend and came in late. Two tapes verified bad and had to be re-done, Networking misconfigured something and you couldn't get to C Building at all. The Iron Mountain guys come in to get the tapes from you, and you tell them the horror story. They say hey, no problem, just give them what you have. They'll take it off to the warehouse, and as long as there's no disaster tomorrow, it'll all be taken care of in the next incremental. The CIO never has to know. Whew! Thanks, Iron Mountain! You're a life saver.
Iron Mountain is being smart. The real customer is the supervisor of the tape monkeys, and if you help him shine, he helps you shine. Alas, they're being smart until lost data is not simply a gap in the backup history, it's a breach. Then this habit of mutual back-scratching all falls apart. If someone does an audit and finds out that a backup of the Order Database is missing, Iron Mountain takes the fall. All the paperwork says that the database was backed up, put onto tape 1723-A5, and sent to the warehouse. And therefore, so it was. Iron Mountain can't say, "Um, actually, for years now, we've been covering for our customers and letting them claim data was in the warehouse when we all know it wasn't." They just have to take it on the chin.
You know what? The real customers, the tape monkeys who have been let off the hook yet again know that Iron Mountain kept them out of even bigger trouble. They know that the Iron Mountain guys can't let them hand over an empty box any more. But they aren't going to switch to another company, either.
My hypothesis could be wrong. I don't know if it is. I can't admit to ever having been in a situation like my hypothesis. I am, however, a cynic, and I know that if Iron Mountain were in the habit of losing tapes, it may or may not show up in their stock price. But if they were in the habit of making the tape monkeys look more competent than they actually are, it is consistent with observed phenomena. It doesn't mean my hypothesis is right; heck, the magic blue smoke theory of semiconductor physics is consistent with observed phenomena. But when I noticed Iron Mountain showing up in a number of breaches, the smoke I smelled seemed to have a hint of electrolytic capacitor in it, and a whiff of insulation.
Bookmark this post:
Or so "Shipcompliant" would have us believe, with a blog post entitled "Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices."
The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions (Internet, phone, mail, fax, etc.). This can be done either by obtaining a photocopy of the purchaser’s drivers license or by using an approved online age verification vendor such as ChoicePoint or IDology.
So to protect themselves from liability, wine merchants who sign up for this code will be putting their customers at risk. Of course, the code already says:
Free the Grapes! encourages licensees to contract only with shippers who check the identification of recipients at the time of delivery to ensure that the recipient is 21 years of age or older.
So there's no reason to add this step. The very next step ensures that wine won't get into the hands of our corruptible youth.
This is two steps backwards: We're creating more work for the wineries and wine sellers, exposing their customers to increased risk of privacy violations, and all to cover a risk that's already covered.
Free the grapes? How about free the people from this nonsense?
Photo: "A sculpture commemorating the wine press and its importance to California history in Golden Gate Park near the De Young Museum of Fine Arts (6)" by mharrsch.
Bookmark this post:
eBay is stopping all sales of "virtual artifacts." Maybe.
This story comes from a Slashdot article in which Zonk talks to Hani Durzy, of eBay about it. They are handling this by merely enforcing an existing policy which says:
"The seller must be the owner of the underlying intellectual property, or authorized to distribute it by the intellectual property owner."
This leaves open the question of virtual artifacts where the seller is the owner of the intellectual property, but the item is clearly a virtual artifact. Expect debate.
I can't say as how I blame them. It's disappointing, but there are headaches that I wouldn't want either. Some virtual artifacts, like things in Second Life, arguably fall outside that rule. Nonetheless, what resembles an economy in Second Life is hard to understand. The media love affair with Second Life seems to be turning into a hangover. Valleywag is a great place to see some of the backlash. Subscription numbers may be overstated. What passes for an economy isn't as efficient as people might like. It isn't very fun. Maybe it's too much fun.
Some virtual artifacts fall into the eBay ban rule, but might still be okay to sell. Some games permit the resale of objects, but you can claim the people aren't authorized to distribute, because there's no explicit authorization of them as a sales channel. It's definitely a gray area, especially if we consider the first-sale doctrine, but stores are not obligated to sell things they don't want, and if eBay wanted to stop the sale of used books and records, it would also be disappointing, but within their liberty.
Some other virtual artifacts are not supposed to be sold. World of Warcraft, for example, has it as part of their terms of service that you're not supposed to sell the game's virtual artifacts. I think that such bans are not only ineffective, but the best way to fight a black market is to set up your own that undercuts it. But it's their concern.
The real problem that eBay has to deal with is that when you're selling stuff, as opposed to merchandise, the major problem is that of provenance. You have to know where those jewels came from. Did those artifacts leave the country legally?
There are a number of cases where bad people have hacked into VR accounts and sold the virtual goods. I can understand eBay's conundrum. If someone wants to sell five sheep, a gnome, and a staff of domination, how do you know they have the right to do that, whatever the heck that means? I don't blame eBay for deciding that it's just too hard and they opt out. It's a pity that they aren't stepping up to figure it out, but I don't blame them. Pioneers are the ones with the arrows in their backs, and after being a pioneer for a while, farming looks good. Of course, the problem is that software is a virtual artifact, even when it comes on a CD. So this is far from settled.
Photo is Egyptian Temple, courtesy of iconolith.
Bookmark this post:
First, you take a business away from legitimate enterprises, claiming only the state can run it without it sinking into a wretched hive of scum and villainy. Then, you ban competition. Then, you decide that you're better off selling the monopoly rights to the highest bidder.
It's what Illinois is doing with their state lottery.
I was going to talk about the history of corporations as monopolies, and the issues with government run business, but Larry Ribstein said almost everything I wanted to say in "Selling State Lotteries."
Maybe the state could do the same with health care?
Image credit: Emergent Chaos.
Bookmark this post:
A criminal enterprise comprised of 10 individuals who drained the accounts of 10,580 customers by sending virus-infected e-mails was busted in Istanbul.
That's a hit rate of 0.314%. Which I'm not going to analyze today....
The suspects reportedly sent virus-infected emails to 3,450,000 addresses, and subsequently drained 10,850 bank accounts.
Additional resources, all in Turkish: "İnternet dolandırıcıları yakalandı," "İnteraktif banka dolandırıcılığı" both seem to be "TSI" agency stories, and "10 bin müşteri hesabını boşalttılar" seems to be a gov.tr site with additional details. Do any readers speak Turkish?
Bookmark this post:
It's the MLK Day holiday weekend. That means that one's headache has subsided to the point that one can no longer hear one's nose hair growing, and the cat is padding rather than stomping. It also means that it's time for New Year's Resolutions!
If yours is to get better control over your information privacy, particularly as it relates to identity theft, here are some effective steps you can take:
In the Christmas double issue of The Economist, there is an interesting article about Google's new domain-level email services and their applicability to business. I'm traveling, so I listened to the podcast version.
I'm not going to criticize Google today. I think Gmail is a good service. I have several Gmail accounts. I am personally tempted by the service for some of my own domains.
The Economist also thinks it's a good idea, so much so that they slur us in IT security:
IT bosses tend to argue that web-based software is not secure. Their real fear, probably, is that web-based software will mean fewer jobs in corporate IT. But the trend will be hard to resist. Trusting the web with your software is not so very different from trusting the bank with your money, instead of keeping it under the mattress at home.
There are several things to object to here. The first is the smug attack on the professionalism of corporate IT people. I find it all the more obnoxious for hiding behind the word "probably" which is one of the oldest rogue's tricks in journalism. I won't dwell on that too much, because it is unusual for The Economist to have such a lapse, and this one is forgivable because it is probably caused by the onset of tertiary syphilis in the responsible editor. (I'll apologize for my counter-slur if a paper supporting the claim that the probability that "security" concerns are actually about budgets is greater than 0.5 is accepted at WEIS this year.)
The next thing to object to is the confusion between software and data. Email, and any concerns with it, are not about the software, they're about the data. Anyone who has qualms about outsourcing to Google most likely has it about the data, not about the software.
Another confusion The Economist makes is between money and information. There are a number of differences between money and information, but one that is relevant here is that if my bank is robbed, I still have my money (which is one of many reasons why banks are better than mattresses). This is not true with information. If information is stolen, you can't pull it back. Furthermore, Google isn't going to insure or indemnify against information loss the way that governments and banks indemnify depositors. If an outsourcer gets broken into, it's still my breach, and breaches are not cheap.
Not only are emails information, but they are corporate documents. They can be subpoenaed or discovered. I have no idea what would happen if I were in a lawsuit and Google were asked to turn over the email of mine that they host. I would hope that Google would refuse, but what happens if a judge disagrees? Let us also not forget that any such dispute would happen in the US courts. It would also be subject to US national security laws, and these laws not only require your service provider to turn over your emails, but require them not to tell you about it. Additionally, some assert that emails lose their status as protected communications after they've been aged for 180 days. My eyebrow is raised, as I am an equal-opportunity cynic, but that's hardly tin-foil-hat territory.
The last thing to remember is that despite what The Economist seems to think, rarely does one find a free lunch. Google does not offer email services for free. It sells them to you, and you pay by letting them use your data to sell adverts. Google's payment is exactly the advertising value of scanning all your email. You may think it's worth it, but you may not. I think this is something about which gentlebeings can disagree.
There are situations in which outsourcing one's documents may make sense. If, for example, you're a state university and your documents are ultimately the property of the taxpayers, then some of the security concerns go away. But not all of them. To get rid of the risks, an outsourcer would have to secure the data so that they can't lose it or be compelled to release it. Unfortunately, that would most likely change the economics of the bargain and make it so that the outsourcer would be giving out a free lunch.
None of this means that outsourcing your domains to Google is a bad idea, it just means that there are costs, benefits, and risks. The cost of a Gmail-hosted domain is the value of the use of your information. This might be analogous to letting the bank use your money, and may be worth it. However, implying that managing your own information is like keeping your money in a mattress is wrong. It's more like buying your own shares rather than letting a fund manager do it. It's a tradeoff of many things: time, money, effort, etc. Surely an economist can understand the difference between saving and investing.
Saar Drimer and Steven Murdoch will be getting lumps of coal from the banking industry, and amused laughter from the rest of us:
It is important to remember, however, that even perfect tamper resistance only ensures that the terminal will no longer be able to communicate with the bank once opened. It does not prevent anyone from replacing most of the terminal’s hardware and presenting it to customers as legitimate, so freely collecting card details and PINs.
See "Chip & PIN terminal playing Tetris" at Light Blue Touchpaper, along with the video link.
Topping the list, Vodafone has been fined $100M (€76M) for failing to protect 106 mobile accounts. "Greek Scandal Sees Vodafone Fined" at the BBC, via Flying Penguin.
On this side of the Atlantic, ChoicePoint, Experian and Reed Elsevier are looking to pay $25 million to settle claims that they invaded the privacy of 200 million drivers in the US. None of that money would go to those whose privacy was invaded. ("Driver Data Lawsuits Settlement Proposed.")
Pop quiz: Which do you think will influence behavior more?
Photo: Peeping Dog, by ErinV.
On the other hand, the MySpace demographic is pretty young. Another password study (.pdf) in November looked at 200 corporate employee passwords: 20 percent letters only, 78 percent alphanumeric, 2.1 percent with non-alphanumeric characters, and a 7.8-character average length. Better than 15 years ago, but not as good as MySpace users. Kids really are the future.
I'd like to offer up a different reason: MySpace users have a reason to care about the security of the information they offer up to MySpace that's more compelling than policies and cajoling from the security folks, and it shows. How can we learn from that?
(After I wrote this, I noticed some similar comments on the version on Bruce's blog.)
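The composition statistics quoted above (letters only, alphanumeric, non-alphanumeric, average length) are easy to reproduce over any password dump you are auditing. The following is an added example, not code from the original post or from either study; the categories are this example's own and are mutually exclusive (the study's percentages appear to overlap, which is why they sum past 100), and the sample list is constructed.

```python
# Password-composition audit in the style of the studies quoted above.
# Added example; categories and sample data are this example's own.

def classify_password(pw: str) -> str:
    """Bucket a password by the character classes it contains.

    Categories are mutually exclusive, checked strongest-first:
      non-alphanumeric  -> contains at least one symbol/space/punctuation
      alphanumeric      -> letters AND digits, nothing else
      letters-only      -> letters, nothing else
      digits-only       -> digits, nothing else
    """
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_other = any(not c.isalnum() for c in pw)
    if has_other:
        return "non-alphanumeric"
    if has_alpha and has_digit:
        return "alphanumeric"
    if has_alpha:
        return "letters-only"
    return "digits-only"


def password_stats(passwords):
    """Return (percentage per category, average length) for a list of passwords."""
    if not passwords:
        raise ValueError("need at least one password")
    counts = {}
    for pw in passwords:
        cat = classify_password(pw)
        counts[cat] = counts.get(cat, 0) + 1
    n = len(passwords)
    percentages = {cat: round(100.0 * c / n, 1) for cat, c in counts.items()}
    avg_len = round(sum(len(p) for p in passwords) / n, 2)
    return percentages, avg_len


# Constructed sample; not taken from any real dump or from the studies above.
SAMPLE_PASSWORDS = [
    "password", "letmein", "sunshine",          # letters-only
    "abc123", "hunter2", "winter07", "qwerty1",  # alphanumeric
    "P@ssw0rd", "s3cur3!",                       # non-alphanumeric
    "123456",                                    # digits-only
]

if __name__ == "__main__":
    pct, avg = password_stats(SAMPLE_PASSWORDS)
    for cat, p in sorted(pct.items()):
        print(f"{cat:18s} {p:5.1f}%")
    print(f"average length     {avg}")
```

Run against a real list, the interesting number for a defender is the letters-only share, since that bucket is the one most exposed to plain dictionary guessing; the average length alone says little about it.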
In this paper we discuss a simple and general model for evaluating optimal investment level in information security proposed by Gordon and Loeb. The authors leave an open question, whether there exists some universal upper limit for the level of optimal security investments compared to the total cost of the protected information set. They also conjecture that if such a level exists, it could be 1/e ~= 36.8%. In this paper, we disprove this conjecture by constructing an example where the required investment level of up to 50% can be necessary. By relaxing the original requirements of Gordon and Loeb just a little bit, we are also able to show that within their general framework examples achieving levels arbitrarily close to 100% exist.
So here's the first problem: it may behoove one to spend more than 37%.
The next problem that I see is the whole nature of an expected loss. How do I know what to expect? I'm a cynic, so I can see using some math. If there is a 2% chance that any of my employees will lose a laptop, a 40% chance that a laptop has personal data on it, and I have 10,000 employees, then I expect 200 employees to lose laptops, and 80 of those losses are going to cause me a problem. That's bad. It is then a simple matter to take the Ponemon $182/name number and multiply it by the number of names, and I have a dollar figure. To me, the right way to solve this problem is to put some sort of disk encryption on those laptops. Just (heh, just) deploy that and Alice is your auntie. No incentive plan needed.
As a last problem, do I really want to deal with an incentive plan? Incentive plans have evil senses of humor. The people affected by them will inevitably do things based not on what is good for the company, but on what affects their incentive plan. If we also assume 100 people in the security department, and they come to my conclusion -- encrypt those laptops -- they will see $100 in their own pocket for every $1 they save on the software.
If they buy software that is cheaper, but less reliable, it can cost the company Even better for them would be to ban all dangerous data on laptops. We've all worked where there were asinine, dictatorial decrees on security. Decrees are cheap. They are, however, not good for the company because the company wants people to be able to work flexibly. It gets worse, though. Here's another suggestion:
Here's the kicker: If there is a breach, the costs come out of the bonus pool first. This would be a bummer, but it would also give you first-hand data for budgeting ;).
It also creates an incentive to ignore breaches. If you're an admin looking over logs at a major university, and you think you see a breach, but aren't sure -- what do you do? Very likely, it's hope it isn't a breach, not investigate further. And how are you going to feel when the bonus you were counting on sublimates because Bob over there finds a breach two weeks before the end of the year? Thanks, Bob. Couldn't you have at least waited until January?
Creating a system where the security team is looking not at security, but at how little they spend, is not good for security, nor is it good for the company. It has been an encouraging trend in security that we're starting to think of how good security can be liberating. Security that liberates people is a cost on the security end, but a benefit somewhere else. It might even have indirect benefits, like lowering turnover and making it easier to hire good people. It is also not good when the incentives reward bureaucratic stiffness and See-No-Evil behavior, and punish people for the conscientious behavior of their co-workers.
Always, always beware when you set up incentives. People will act according to the incentive. (If they didn't, it wouldn't be an incentive.) The incentive distracts from the goal. If the incentive points in the direction of the goal, it might be a reasonable approximation of the goal, but it is not the goal. From here we get unintended consequences.
First, assume that you believe, as discussed in Gordon & Loeb's book Managing Cybersecurity Resources: A Cost-Benefit Analysis and discussed here, that an organization should spend no more than 37% of their expected loss on information security. Second, assume that you agree with the Ponemon Institute on the cost of business data breaches: $182 per record. Then, as I have pointed out, you have enough info to figure out what your info sec budget should be, or at least its cap.
A few thoughts:
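To make the 37% figure and the laptop arithmetic concrete, here is an added example (not code from this blog, from Gordon & Loeb, or from the paper quoted two posts up) that implements the Gordon-Loeb "class I" breach-probability function from their paper, solves for the investment that maximises expected net benefit, and checks the 1/e bound against it; it then runs the post's laptop numbers through the same expected-loss and budget-cap arithmetic. The parameter values (v, L, alpha, beta, and 1,000 records per laptop) are constructed assumptions, not figures from the page.

```python
import math

# Gordon-Loeb class I security breach probability function:
#   S(z, v) = v / (alpha*z + 1)**beta
# v     = vulnerability: probability of a breach with zero security spend
# z     = money spent on security
# L     = loss suffered if a breach occurs (expected loss is v*L)
# alpha, beta > 0 = productivity parameters of the security spend
# Function form is from Gordon & Loeb; all numbers below are constructed.


def breach_probability(z, v, alpha, beta):
    """Probability of a breach after investing z (class I function)."""
    return v / (alpha * z + 1.0) ** beta


def net_benefit(z, v, loss, alpha, beta):
    """ENBIS(z): expected loss avoided by spending z, minus z itself."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v, loss, alpha, beta):
    """Closed-form z* maximising net_benefit() for the class I function.

    d(ENBIS)/dz = 0 gives alpha*beta*v*L / (alpha*z + 1)**(beta+1) = 1, so
    z* = ((alpha*beta*v*L)**(1/(beta+1)) - 1) / alpha, or 0 when the first
    dollar of security spend does not pay for itself.
    """
    k = alpha * beta * v * loss
    if k <= 1.0:
        return 0.0
    return (k ** (1.0 / (beta + 1.0)) - 1.0) / alpha


def optimal_fraction_of_expected_loss(v, loss, alpha, beta):
    """z* as a fraction of expected loss v*L; Gordon-Loeb show it never exceeds 1/e."""
    return optimal_investment(v, loss, alpha, beta) / (v * loss)


def expected_laptop_breach_cost(employees, p_lose_laptop, p_has_pii,
                                records_per_laptop, cost_per_record=182.0):
    """The post's arithmetic: lost laptops * share with PII * records * $/record."""
    lost = employees * p_lose_laptop
    breaches = lost * p_has_pii
    return breaches * records_per_laptop * cost_per_record


def budget_cap(expected_loss, fraction=1.0 / math.e):
    """Spending cap implied by the 1/e (~37%) rule of thumb."""
    return expected_loss * fraction


if __name__ == "__main__":
    # Constructed parameters: 60% breach chance with no spend, $1M loss on breach.
    v, L, alpha, beta = 0.6, 1_000_000.0, 1e-5, 1.0
    z_star = optimal_investment(v, L, alpha, beta)
    print(f"optimal spend z*      = ${z_star:,.0f}")
    print(f"z* / expected loss    = {optimal_fraction_of_expected_loss(v, L, alpha, beta):.3f}"
          f"  (Gordon-Loeb bound 1/e = {1 / math.e:.3f})")
    # Brute-force sanity check: no spend on a $1,000 grid beats z*.
    best_grid = max(net_benefit(z, v, L, alpha, beta) for z in range(0, 600_001, 1_000))
    print(f"ENBIS(z*) = ${net_benefit(z_star, v, L, alpha, beta):,.0f}, "
          f"best on grid = ${best_grid:,.0f}")

    # The post's numbers: 10,000 employees, 2% lose a laptop, 40% of laptops hold
    # personal data, $182 per record; 1,000 records per laptop is a constructed guess.
    exp_loss = expected_laptop_breach_cost(10_000, 0.02, 0.40, 1_000)
    print(f"expected laptop breach cost = ${exp_loss:,.0f}; "
          f"1/e cap = ${budget_cap(exp_loss):,.0f}")
```

The point the example makes numerically is the one the quoted abstract makes analytically: for the breach functions Gordon & Loeb actually analyse, z* sits strictly below the expected loss divided by e, and the fraction depends on alpha and beta, so "37% of expected loss" is a ceiling for that model, not a budget. The laptop half shows how sensitive the cap is to the records-per-laptop guess, which the Ponemon per-record figure does nothing to pin down.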
Apparently hedge fund Citadel is trying to purchase data from bankrupt Plusfunds that would detail trading strategies at some of its major competitors. The latter company had run a hedge fund index underlying which were trading strategies run by various well-known hedge funds, like Bridgewater, Vega Asset, and so on. By buying the data -- at a price of $75,000 -- Citadel would have access to detailed data on how some of its competitors trade stocks.
I've long believed that Long Term died when their banks started trading against them.

At MSNBC, Bob Sullivan writes about Gift Cards: Why Cash is Still Better:
I’ll show you how a $50 bank card will cost you $60 and could easily be worth only $40 to the recipient.
We know, it's the practical tips that keep you coming back day after day.
Image by rgluckin.
If you've ever lived in Cambridge, Mass, you've probably seen the sign. I recognized it instantly, seven years after I left Boston. It's on Cambridge St, in East Cambridge. Boston's Weekly Dig dug in:
It’s one of the more puzzling quirks of the local cultural consciousness that Gould’s shop is almost universally known, yet few know what actually happens inside or what “Live Poultry Fresh Killed” even means.
What it means is this: Mayflower Poultry kills chickens on-site. They kill lots of them. They do this because fresh poultry—meat that, a few hours before, was live poultry—tastes a whole lot better than the shrink-wrapped garbage you buy at the grocery store.
But Mayflower Poultry’s famous sign doesn’t just alert pedestrians to the fact that several hundred animals a week are getting slaughtered in the middle of a dense residential neighborhood—a modern zoning curiosity if there ever was one. In many ways, Mayflower is a throwback to a commercial model that’s 30, 40 or 50 years in the past—when modestly appointed specialty stores formed the backbone of the consumer economy.
Now I'm sad I never went in. Back then, the idea of fresh killed made me slightly queasy. Now? It makes me hungry. The article is a very interesting look at a practical way in which markets have re-shaped the way we eat.
Via Samablog.
Amidst the to and fro over insider v. outsider threats, whether security metrics can be "gamed", and so on, and in recognition of the best buddies that security geeks and economists have now become, I offer the following.
Frank H. Knight, "'What is Truth' in Economics?":
The saying often quoted from Lord Kelvin (though the substance, I believe, is much older) that "where you cannot measure your knowledge is meagre and unsatisfactory," as applied in mental and social science, is misleading and pernicious. This is another way of saying that these sciences are not sciences in the sense of physical science, and cannot attempt to be such, without forfeiting their proper nature and function. Insistence on a concretely quantitative economics means the use of statistics of physical magnitudes, whose economic meaning and significance is uncertain and dubious. (Even "wheat" is approximately homogeneous only if measured in economic terms.) And a similar statement would apply even more to other social sciences. In this field, the Kelvin dictum very largely means in practice, "if you cannot measure, measure anyhow!" That is, one either performs some other operation and calls it measurement or measures something else instead of what is ostensibly under discussion, and usually not a social phenomenon. To call averaging estimates, or guesses, measurement seems to be merely embezzling a word for its prestige value.
If fewer outbreaks are evidence that things are getting worse, are more outbreaks evidence things are getting better?
Now, I was actually tweaking F-Secure a little, in a post titled "It's Getting Worse All The Time?" I didn't expect Halvar Flake would demonstrate that the answer is yes. Attacks getting worse may well mean that things are getting bette