Zabbo Blogs (again!)

I’m very excited to discover that my friend Zach Brown is blogging again. Zach was one of a group of friends who introduced me to blogs in, maybe late ’99? Early 2000? He’d been on haitus, and I’m glad he’s back. But I realized that my excitement felt a little odd, and so I’ve been thinking about it.

About a year ago, I actually read Alvin Toffler’s Future Shock, which is a classic in the sense that everyone pretends to have read it. One of the themes that resonates with me is the psychological impact of of repeatedly changing jobs and cities, in leaving people with a lack of grounding in the place they live. Toffler discusses professionals who are more in touch with, and at home with, a distributed network of professional colleagues who they see at conferences than they are with their neighbors.

He also discusses the difficulties involved in staying in touch with increasingly scattered groups of friends, when the things we do to stay friends are harder to accomplish as it becomes hard to coordinate a group of friends to be in the same place at the same time.

I suspect that deep down, the psychological benefits of physical proximity for relationship management help people trump the awful commutes, taxes, and other disadvantages of living in Silicon Valley.

I can’t help but mention that Chris Allen has been writing quite insightfully about these issues in posts like “Dunbar Triage: Too Many Connections
Arriving here, I’m forced to examine my excitement that Zach is blogging again. On the one hand, I am genuinely happy to have insight, however small, into his life. At the same time, I miss having dinner with him and others whose company I enjoyed in Montreal.

PS: I’ve discovered that an acquaintance has set up an Amazon Associates account to contribute to my Alma Mater. Does anyone know how I can construct book URLs so that they take advantage of that account?

Small Bits of Chaos all Starting with Names

  • Mike Solomon, of PithHelmet fame, comments on RSS spam, and promises to do something about it. (Incidentally, I’ve been wondering about NetNewswire’s cookie behavior when you load pages, but some rummaging in it’s files didn’t seem to turn up cookies, and I needed to go blog earn money.)
  • Alan Chapell (whose blog is looking much nicer, but still needs RSS and individual post links) discusses (Thurs, April 28 entry) :

    When I confirmed that I’d been enrolled as a result of a purchase I’d made on the travel web site, I decided to end my relationship with the travel web site. Here’s where the fun started…

    I sent an email to the travel web site’s CS group – asking them to remove all my personal information from their records. One would figure that this isn’t a very big deal as their web site privacy policy states:

    “If a visitor’s personally identifiable information (for example, their zip code, phone, email or postal address) changes or if a user no longer desires our service, we provide a way to correct, update or delete/deactivate visitor’s personally identifiable information.” ([Chapell] paraphrased this to protect the company)

    [Frustration, frustration elided.]
    As a consumer, this is beyond frustrating. Btw, this is not some tiny website – it is a nationally advertised site owned by a fairly large company.

    Perhaps its time to involve their seal program…

    No, sir, it’s time to name names. Why are you protecting them? Shame them. Call them out. Use them as an example when you speak. Tell them that you’ll continue doing so until you believe that they comply with the terms and conditions they had on display when you signed up.

  • Kurt Voelker has an insightful post about “Lessons for Online Community in ChoicePoint Failures:”

    Think about credit agencies. When it comes to our digital reputations, systems like ChoicePoint and Equifax are reviled, while ranking and endorsing systems like eBay’s thrive. Why? Transparency. The eBay community incents its members to participate because they can see exactly who is saying what about whom. And interestingly, this transparency lets my digital reputation be as much about what I say of others, as it is about what other say about me.

  • Zach Brown (hi Zach!) has a great post in which he goes from C code to the philosophy of programming, entitled: Sloppy Systems Programming:

    It wasn’t that stat() failed, it was that suEXEC saw that it had just performed stat() on a link. It apparently decides that this is fatal, because it knows more about the security trade-offs of your environment than you do, and that when it sees this policy violation it will fail and lie to you about why it failed.

    Now, I’ll be the first to admit that this in itself is a very minor detail. The rub is that this sort of misleading behaviour isn’t rare at all. I think this struck a chord with me because it made me focus on my changing thoughts about what it is that I do. There was a time when I loved having a catalogue of this kind of behaviour in my head so that I could use all kinds of software and predict the ways in which I would have to work around its behaviour. It was super-fun to be an expert in so many details.

    But these days, and I won’t admit to a decade having passed, it all seems like so much wasted time. People who use this software should be focusing on solving their problems instead of spending time discovering that “cannot stat program:” can sometimes mean “I refuse to work with this file because it is a link.”

    It seems like after a few decades of building these kinds of software systems we could be doing a better job of it.

    The profusion of such issues, along with the social awareness that they’re ok, helped drive me to a Mac. On the Mac, they are distinctly not ok, and once you adjust your pain threshold downwards, its hard to remember why you put up with them.

Portland Withdraws Support from Terror Task Force

Mayor Potter, a former Portland police chief, earlier this year requested that the federal government grant him, the police chief and the city attorney top-secret security clearance — the same as task force officers — so that city leaders could have access to case files and more frequent updates. Potter said he wanted the ability to monitor investigative activities involving the city’s officers in order to make sure they obeyed state laws barring them from monitoring people solely because of their religious or political beliefs.

This case raises major issues of democracy. If the people of Portland have seen fit to elect Mr. Potter Mayor, what gives the FBI the right to say he can’t do his job, which includes overseeing his employees?

(“Portland, FBI Unit to Part Ways” in the LA Times, Via CSO Magazine “Security Feed.” Badge from the impressive police badges collection at )

Drivers License Fraud

As the trust and reliance people place in drivers licenses, the greater the incentive to get fraudulently issued ones. FoxNews reports on “Workers Charged With Taking Payoffs for IDs
” (via JihadWatch.)

“With a valid driver’s license, you establish an identity,” said Michael Garcia, assistant secretary of the Homeland Security Department.

The three Florida driver’s license examiners charged between $100 and $200 to falsely certify U.S. citizenship for the illegal immigrants, authorities said. Five accomplices recruited immigrants for up to $3,000 per license, officials said.

I have three comments: Firstly, I have an identity. Mr. Garcia demonstrates the stunningly introverted view of too many in law enforcement, that my identity stems from my documents, my existence in their databases, or the ability of those we used to call ‘civil servants’ to check my papers. My identity stems from me, not my papers.

Secondly, at $100 per false certification, it seems that there’s quite a supply of folks willing to wink and nod.

Finally, when the facilitators are making $3,000 and $200 is going to the fellow behind the counter, it becomes more clear why some people work for the state and others are entrepreneurs.

I’ve previously touched on this in posts like ““Economics of Fake IDs“, More on Nevada DMV” (about the truck crashing through the wall), or “SSNs and Drivers Licenses,” as well as a talk I gave at the Blackhat briefings, “Identity and Economics: Terrorism and Privacy.”

Way To Debate!

Since Choicepoint demonstrated that screening is hard, they’ve been repeating the phrase “We look forward to a national debate.” But at yesterday’s annual meeting, they once again failed to engage in that debate. The LA Times has an AP story “No Answers for ChoicePoint Shareholders” (Bugmenot, because no other paper has picked up the story, according to Google News.)
Or, The Atlanta Journal Constitution, “ChoicePoint boss deflects scam queries.” (Bugmenot)

In a quick and scripted annual shareholder meeting, ChoicePoint executives turned away any questions about the invasion of the company’s database by fraud artists.

But Smith said that because of investigations into the database scam, “we will not be taking questions relating to those matters in this annual meeting.”

It seems to me that understanding how management is handling these issues would be important to a shareholder.

Choicepoint Annual Meeting


But today, the chairman and chief executive of Alpharetta-based ChoicePoint is likely to get a feel for his standing on a smaller stage: whether he is held in esteem by ChoicePoint shareholders.

Lauren Waits, who oversaw ChoicePoint’s charitable giving program before leaving earlier this year, describes her former boss as a visionary who also can be intense and “quite hard on other people.” He has been impatient for government to act on ideas, such as storing DNA profiles on all felons in a central database that could be used to catch repeat offenders.

But the most difficult thing for ChoicePoint’s CEO hasn’t been the criticism or a grilling before Congress, said Rod Dowling, an investment banker who has worked with ChoicePoint. What Dowling said got to Smith most in the wake of the scam was that an Atlanta publication, Creative Loafing, published his home phone number and address.

That’s just a smidgen of the kind of information ChoicePoint supplies to clients every day. But Smith worried about his family’s safety and quickly changed his phone number, said Dowling, CEO of SunTrust Robinson Humphrey.

If only we could do the same when our data gets into untrustworthy hands.

From the Atlanta Journal Constitution, “Embattled CEO must take stage.”

Hofmeyr on Legislation

1386 provides a huge incentive for companies to secure their systems, without restricting or constraining the way in which they should do so, leaving companies to choose the most effective way. This encourages innovation in defense, because should new, more effective defense strategies become available, companies are more likely to adopt them, whereas if they are restricted to using specific technologies and practices, they won’t be able to take advantage of new developments.

So, having said all that, my suggestion to the credit card companies would be to impose heavy penalties on merchants that get compromised, but not to specify what exactly those merchants should do to make themselves secure. And to offset the impact of losses, they should continue to incorporate the notion of quarterly scans by independent assessors, which is one of the few good things about the PCI Data Security Standard.

So writes Steven Hofmeyr in “The effect of legislation.” I’m in general agreement. I suspect that the 12 step programs being promoted by Visa and Mastercard are there because of demands from their smaller customers. Even larger customers would like to constrain their investment, by being told when they can stop spending on security to avoid fines from Visa or Mastercard.

Blockbuster, 65, Employee Miles N. Holloman

A former employee of a Blockbuster video store in Washington, D.C., has been indicted on charges of stealing customers’ identities, then using them to buy more than $117,000 in trips, electronics and other goods. Miles N. Holloman is charged with stealing credit card numbers, Social Security numbers and other private financial information from the application files of 65 customers, then using the data to open retail store and credit card accounts.

(From The Washington Post, via

Victory Against RFID Passports is Near

“The State Department seems to be putting down the purple Kool-Aid and looking at the serious problem this technology presents,” said Mr. Scannell, who runs an Internet site called; the first part of the name stands for radio frequency identification chips. “But no matter how much stuff you layer on the technology, it is still inappropriate.”

So says the New York Times, in “Bowing to Critics, U.S. to Alter Design of Electronic Passports.” So raise a glass and celebrate victory!

(Of course, these programs have a bad habit of coming back if we stop watching closely.)

Small Bits: Labelling Software, People, Aaron Weisburd’s Foreign Policy

  • softwarefacts.jpg
    Gunnar Peterson offers up a label for software that he stole from Jeff Williams.

  • I had a good, if short, back and forth with Geoff, of Screen Discussion, in his comments, on using photographs to enhance criminal background checks, by including photos with the records of criminals, so the viewer of a report can compare.
  • When not tossing off new business ideas, Ryan Singel muses on a Washington Post article on Internet Haganah:

    A. Aaron Weisburd is a freelancer.

    But he specializes in targetting Islamic radicals on the web, according to Ariana Eunjung Cha’s article in the Washington Post.

    If your goal is eradicating hate and terrorism, is it better to allow hatred and incitement to happen publicly in order to better fight it or to drive it back to the fringes?

    What is the difference, if any, between speech and action?

    Would you feel differently if Weisburd were targetting spammers and identity thieves?

    I don’t know the answers to any of these questions, but more and more, power that used to be very hard to come by, to affect people around the world, is becoming easier to obtain, use, and abuse. Overall, I think its a good thing, but there’s going to be a series of unfortunate incidents which define the boundaries.

    I hope that those events occur in the context of enough positive action that the good doesn’t get obscured.

Banks as Big Brother

“AML software will change international banking forever,” said Suheim Sheikh of SDG Software, an Indian software firm hoping to tap into the big new market.

“Governments across the world will have their eyes on bank customers,” he added. “Since the software can monitor so many accounts, so many transactions, all kinds of people will be scrutinized, even those who in theory are just regular people. By default, not just money laundering but anything that violates the law, like tax evasion, will be hard to hide.”

“Any unexplained deposit will get you calls from the bank or the authorities, and you better have the correct answers,” said Cherian Varghese, chairman of Union Bank of India.

“It will study the profiles of other engineers in the same age group and build a pattern based on common traits like, say, the monthly periodicity of salary,” said Tripathi. “If another customer comes along, says he is an engineer and receives deposits every week, the software will raise what we call a red flag. He is suspect.”

(From “Your Money Under More Scrutiny” in Wired News.
“I, for one, welcome our new robot masters.” I hear saying that a lot gets you out of trouble for having a weekly paycheck.

Is this really the sort of world in which we want to live? One in which banks waste money nosing into your business, while ignoring the criminals who will take pains to hide their activity? Where using a bank is as pleasant as getting on an airplane?

Usability as a Security Concern

Building new technologies involves making tradeoffs. A programmer can only develop so many features in a day. These tradeoffs are particularly hard in building privacy enhancing technologies. As we work to make them more secure, we often want to show the user more information to help them make better decisions. This impacts usability. The security of network anonymity systems like the Freedom Network or TOR depends on routing traffic through several nodes. Even if processing on the node is close to instantaneous, the transit between them is not. Security of these networks gets better the more latency[1] you’re willing to tolerate. That latency makes it harder to be sure your message is getting through, and it can make it impossible to do things like browse the web.

These usability concerns can keep users away from the system. When the system doesn’t have lots of users, it is less secure. In “Anonymous blogging made simple,” Justin Mason writes:

Now, quinn at quotes a review of EFF’s recent ‘anonymous blogging’
, which largely comes up with one conclusion: it’s a
usability nightmare. The problem is, the EFF
recommends using
, which in turns uses the Mixmaster remailers. Those things
are awful, and I doubt anyone but their authors could possibly know how to use them 😉

I am quite sympathetic to these concerns. But I’m forced to question Justin’s claims that Tor is substantially more understandable. Understanding Tor, and why it helps protect you is hard enough. (Actually, Ethan Zuckerman agrees on usability, but disagrees on Tor, but Ethan is a smart, technically savvy guy who uses PGP, not a dissident. My experience trying to explain the difference between no hop, one hop, and three hop systems while at Zero-Knowledge Systems taught me that it’s really, really challenging to bring people up to speed on how networks work well enough that they can understand monitoring. It’s then again challenging to bring them up to speed on Mixes enough that they understand how to distinguish the different systems. Maybe there’s a different route to take, but understanding the problem, and how to address it seems like the right approach.

[1] Technically, pooling and mixing give you that security, and latency is irrelevant. Because that latency is the price you pay for security, and it is user-visible, I pretend it’s what counts.

What Are You Hiding, Democrat?

Time Magazine reports:

The State Department has traditionally put together a list of industry
representatives for these [Inter-American Telecommunication Commission] meetings, and anyone in the U.S. telecom
industry who had the requisite expertise and wanted to go was generally
given a slot, say past participants. Only after the start of Bush’s
second term did a political litmus test emerge, industry sources say.

The White House admits as much: “We wanted people who would represent
the Administration positively, and–call us nutty–it seemed like those
who wanted to kick this Administration out of town last November would
have some difficulty doing that,” says White House spokesman Trent
Duffy. Those barred from the trip include employees of Qualcomm and
Nokia, two of the largest telecom firms operating in the U.S., as well
as Ibiquity, a digital-radio-technology company in Columbia, Md. One
nixed participant, who has been to many of these telecom meetings and
who wants to remain anonymous, gave just $250 to the Democratic Party. (Emphasis added.)

It’s a little late for that, traitor-boy. Next time, protect your privacy before doing something crazy like contributing money to a political party. (Via Farber’s IP.)

Choicepoint: April 24

  • The Privacy Law Site posted on the Schumer-Nelson Comprehensive Privacy bill on April 13, but I just found it. The author summarizes the bill.
  • Richard Clarke has a column in the New York Times, “You’ve Been Sold,” in which he outlines some reasonable parts of a new law. [Added shortly after first posting.]
  • The Seattle Times covers “Bills sent to governor aim to fend off identity thieves:”

    A security-breach bill, Senate Bill 6043, will require consumers to be notified by credit-reporting and consumer-data agencies if a security breach compromises their personal information.

    And a security-freeze bill, Senate Bill 5418, will let victims of identity theft — or those whose personal data have been stolen — place a security freeze on their credit files with credit-reporting agencies to lock out potential thieves.

    One of the state’s top consumer groups, the Washington Public Interest Research Group, dropped its support for the security-breach bill when amendments were added letting companies decide whether to notify customers when their data are stolen. If the companies consider it a “technical breach” that doesn’t seem reasonably likely to subject customers to criminal activity, they’re not required to tell customers.

    Look for blowback on that loophole. Washington banks are going to have to go through two compliance programs over the next few years after a big bank abuses this, and a more stringent law shows up.

  • It’s been a little while, and I feel a need for release. Today’s Two Minutes Hate comes to you from The Nashua Telegrah, who asks, Didn’t ChoicePoint learn anything from murder of Nashua’s Amy Boyer:

    Amy Boyer was a 21 year-old college student working part-time as a dental assistant in downtown Nashua. Amy was shot nine times in the head as she left work on Oct. 15, 1999, by a stalker who bought Amy’s Social Security number and work address on the Internet from an “information broker” named Docusearch.

    Docusearch purchased Amy’s Social Security number from IRSC, an information broker that folded into the ChoicePoint conglomerate.