Sony, Respecting Their Customer

sony.jpgOver at Sysinternals, Mark posts “Sony, Rootkits and Digital Rights Management Gone Too Far.” [Update: If that doesn’t work, try Sysinternals Blog; when I checked, it was the first post.] If you’re at all technical, read it closely. If you’re not, you should at least skim it. The story is that Mark (who knows more about Windows internals than many people at Microsoft) finds evil software on his hard drive, and it turns out that Sony put it there. As you read, look at chunks like:

A look at the Services tab of its process propertieds dialog showed it contains a service named “Plug and Play Device Manager”, which is obviously an attempt to mislead the casual user that stumbles across it in the Services MMC snapin (services.msc) into thinking that it’s a core part of Windows.

Ask yourself, is this the way you want someone to be treating you? Is this the way you want to be treated, as a Sony customer?

Also, how could I have missed “Use Sony DRM, Format Your Hard Drive?”

American Express and Privacy

There’s a fascinating story at imedia connection, “Why Consumers Trust American Express:”

How has American Express retained its position? Kimberly Forde, an American Express spokesperson, told me that “American Express is very pleased to be recognized by consumers for its ongoing and strong commitment to privacy.” Moreover, she felt that American Express had done a lot to build consumer trust: “Trust and security have been the hallmarks of the American Express brand for more than 150 years. Our privacy program is a robust one that addresses the landscape of consumer concerns.”

American Express sees a return on promoting consumer privacy — that is, in making “trust and security” a hallmark of the brand. What we can take away from this is that consumer privacy is becoming an added value for a company. This is to say that some organizations are starting realize that they can build customer bases by saying “we protect you from identity theft.”

I find this fascinating because its a company that’s using privacy to their advantage. I’ve expected that to happen for a while, and its nice to see it being presented in the media. It’s also fascinating because privacy here seems to be an assertion without data. Where are the supporting facts that show American Express cares about privacy?

But most interesting (to me) is that I see American Express as horribly anti-privacy. I remember when they bought Connection Machines to do data mining on their customers. I recall being turned down by Amex for a card because my address (a mail service) didn’t match their database of acceptable residential addresses. They wanted to see utility bills, or other things that told them where I really lived. Nah.
So my perception of Amex is quite different.

I’m guessing that this is another instance of different meanings of privacy: That consumers believe that Amex doesn’t sell data about their purchasing habits, where I’m concerned about what they collect, and the shadows of me that they confuse with the real me in making judgments. My data shadow wasn’t crisp enough for them, and so they wouldn’t loan me money. (It was decidedly crisp enough for others to extend credit on fine terms.)

(Via Chapell.)

Imperial Ambition, Poor Execution

In “The endgame on Iraq began a long time ago,” Thomas Barnett writes some shocking things:

This is Musab al-Zarqawi’s worst nightmare: the Americans safe behind their compound walls and everyday he’s doing battle against Iraqis, or-more to the point-against Shiites increasingly backed by Iran, no friend to the global Salafi jihadist movement, being as it is exclusively Sunni in make-up. Meanwhile Kurdistan gets stronger and the ‘failed state’ scenario for Iraq is reduced to its irreducible one-fifth outcome: the 20% of the population that’s Sunni live an existence you wouldn’t wish upon your worst enemy.

How on earth is this Zarqawi’s worst nightmare? Zarqawi will portray this as the US being unable to fight, unable to prevent chaos, and its all because of his guys with improvised weapons. The US will be humbled, and al-Qaeda will have notched its second superpower.

And lets have pity for, and apologize to, that 20% of Iraqis, and think about, right or wrong, who they’re going to blame. I think Zarqawi and company are to blame. I think the US had an obligation, after invading, to prevent the country from falling into civil war. George Bush knew that a civil war was likely. If only his son had listened to him. Continuing to quote Barnett:

Pretty it ain’t, but realistic it was always. Bush’s critics may crow about the ‘failure’ of ‘Jeffersonian democracy,’ but that asinine point won’t be remembered by history. What will be remembered is that Saddam was taken down, the pretend state of Iraq returned to its constituent parts, and the Middle East was never the same again.

We got what we wanted in Iraq, and we triggered plenty of tumult and change in the region. Now that the endgame becomes obvious to critics and supporters alike, the real question we need to ask ourselves is, What do we seek to accomplish next in the region?

Accomplish next? What did we accomplish? Iraq has been ripped apart, our allies in Turkey are focused on the Kurish state we built next door, and the Sunnis “live an existence you wouldn’t wish upon your worst enemy.” It’s true that Iraq was the product of Imperial Britian drawing lines on a map, but that doesn’t justify Imerpial America coming in and ripping it apart.

Now, Barnett has an interesting theory of a common set of perspectives which he calls “the core.” (Everything else is “the gap.”) Part of his theory is that the core should “pertube” the gap, that’s always riled me. Now I know why. He has no goal. He’s an imperialist, and, not liking the Bathist dictatorship, knocks it over, declares we’ve accomplished something, and thinks that more US meddling is a good idea?

Not, Who do we invade next? Or what do we seek to prevent? But what do we seek to accomplish? What better Middle East are we working toward?

Ummm, how about, and you know, just a thought…maybe we should have figured that out before “perturbing” things. Maybe we should fix what we broke before we go off and think “What better Middle East are we working toward?” Because with friends like this, I don’t know that you need enemies.

Now, I do think that we need to be working towards a better middle east. Except, following our stellar “wouldn’t wish upon your worst enemy” performance, maybe we don’t get to imagine that. Unfortunately, the people of the region really don’t get to either. Their dictators and clerics do.

Raw, naked exercise of power is not going to win friends for anyone. Perturbation for its own sake, with “the Americans safe behind their compound walls,” is going to become the core answer to “why do they hate us?” It may become because we perturb their lives for our own purposes.

First Hand Report about New TSA Indignities

In “GE Puffer Stinks of Dr. Strangelove,” Kim Cameron writes about his experiences with the new explosive detection machines:

People, I really hated the GE product. It is tiny, and closes around you. I felt seriously claustrophobic. Then it shot bursts of air at me so hard it actually hurt.

I had been told there would be “puffs of air”, but these were not, by any definition, puffs.

“Puffs” make me think of cigar smoke. Or “Puff the magic dragon”. Puffs of wind. But these were hurricane strength blasts.

Meanwhile the machine barks orders like a concentration camp commandant. Where did they get the voice? It speaks in a chilling metallic imperative borrowed from a really bad science fiction movie. In fact it was barely believable that adults would unleash this contraption on anyone.

I have a number of quick thoughts and questions:

  • Doubtless, TSA will be rolling these out nationwide shortly.
  • Did they make you take off your shoes? Of course. The indignities are never reduced, or tested for efficacy.
  • Wait till you see what they mean by “consent to search.”
  • Private to Kim: If you find this happening again, you might print your own backup boarding passes. It’s what all the cool (and uncool) kids do.

(Thanks to Gunnar Peterson for the pointer.)

Fall Back

Its that time of year again, when Congress decrees that you shift your clock back an hour to save miniscule amounts of energy. The fine folks of Arizona and Indiana have noticed that Congress doesn’t really have the power to regulate time, and don’t like playing along.

But if you think about it, time is an essential part of measurement. The official definition of a meter is “length of the path traveled by light in vacuum during a time interval of 1/299,792,458 of a second.” Congress actually does have the power (Article 1, section 8) to establish standards of weights and measures. So, given that time is an essential part of how things are measured, and that measurements need to be in alignment with other parts of the solar system, it is actually proper for Congress to muck with the clocks occasionally. They should remember that the computer systems that track time may not be as clever as they would like to be, and be careful.

Anyway, I hope you all enjoyed an extra hour of sleep, and dreamt of a world in which Congress stopped to ask if time is a proper subject of regulation.

Porsches make you healthy

Well, I don’t know that for sure. But I am pretty sure that Porsche owners overall are healthier than those who don’t own Porsches. Maybe you have to control for age.
Similarly, it seems that being a customer of certain companies apparently somehow causes less nastiness to befall ones computing infrastructure.
Jaquith handily, yet unwittingly, summarizes my opinion, and is more polite about it than I am inclined to be at the moment.

Ahmadinejad and Wiping Israel Off The Map

Posted by Adam

It seems that most everything that one could say about the President of Iran calling for Israel to be wiped off the map has been said. Good articles include Daniel Drezner’s “How crazy is Mahmoud Ahmadi-Nejad?” (about the strategy behind the statement), Hossein (Hoder) Derakhshan’s “The fundamentalist minority” (about how Iranians feel about the US, and perhaps also Israel), or even an extended discussion of “The Video Game War
,” by Jim MacDonald.

To what Hoder says, I’ll add that a great many Israelis remember leaving Iran, including Israel’s president, Moshe Katsav who was born in the same city as the former Iranian president Mohammad Khatami. (This detail from the New York Times story, “Iran’s President Says Israel Must Be ‘Wiped Off the Map’.”)

In light of all of that, I’d like to compare and contrast the United States to Iran. As I pointed out in As I explained in “Critical Map of Alaska Disappears,” when we wipe something off the map, we’re talking about maps and wildlife refuges, not people.

The Importance of Attitude

Tom Peters has a blog, and in “The Days of Our Lives,” writes about the importance of being present for your customers, not for yourself. I really like his blog. It has a good mix of hubris and humility:

This may be day 45 and mile 76,000 for me, but for the Client it is D-Day for an Important Event (often their year’s #1 event, for God’s sake); hence my exhaustion and accompanying short temper must be thrust aside … and downright cheeriness and spirited engagement must become the invariant orders of the day. Besides, such cheeriness, even if feigned, cheers me up first and foremost!

(Via Paul Kedrosky’s Infectious Greed.)

Star Wars: Economy Of Mechanism

Before I start on the Star Wars part of today’s Friday Star Wars Security blogging, I need to explain who Saltzer and Schroeder are, and why I keep referring to them. Back when I was a baby in diapers, Jerome Saltzer and Michael Schoeder wrote a paper “The Protection of Information in Computer Systems.” That paper has been referred to as one of the most cited, least read works in computer security history. And look! I’m citing it, never having read it.

If you want to read it, the PDF version (484k) may be a good choice for printing. The bit that everyone knows about is the eight principles of design that they put forth. And it is these that I’ll illustrate using Star Wars. Because lets face it, illustrating statements like “This kind of arrangement is accomplished by providing, at the higher level, a list-oriented guard whose only purpose is to hand out temporary tickets which the lower level (ticket-oriented) guards will honor” using Star Wars is a tricky proposition. (I’d use the escape from the Millennium Falcon with Storm Trooper uniforms as tickets as a starting point, but its a bit of a stretch.)

On to the principle:

Keep the design as simple and small as possible.
This well-known principle applies to any aspect of a system, but it deserves emphasis for protection mechanisms for this reason: design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths). As a result, techniques such as line-by-line inspection of software and physical examination of hardware that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential.

And so lets look at the energy shield which protects the new Death Star. It is, as General Akbar tells us, projected from a base on the nearby forest moon of Endor. And as you may recall, there were not only extra access paths which required reinforcement, but additional threats which hadn’t been considered.

Firstly, why is it on the forest moon at all? Presuming that energy shields follow some sort of power-absorbtion law, the closer the shield is, the less power it will draw. But more importantly, being on the moon means that it is surrounded by forest, rather than cold, hard vacuum. The shield generator becomes harder to protect, meaning that additional protection mechanisms, each of which can fail, are needed.

Presumably, the Empire has power generation technology which drives the Death Star, and also the Star Destroyers. There’s no need to rely on a ground-based station. The ideal placement for the energy shield is inside the Death Star, and traveling with it.

But instead, there’s this bizarre and baroque arrangement. It probably comes from a fight between the Generals and the Admirals. The Generals wanted a bit of the construction process, and this was the bureaucratic bone thrown to them.

Expensive it was. mmm?

Check images increase forgery and ID theft risks?

The October 26 on-line edition of American Banker (gotta pay to see it, so no link from me) discusses new technologies as possible enablers of check forging, in an article by Daniel Wolfe, “The Tech Scene: Check Images A New Frontier For Forgery?”
The overall point is that since banks store check images and provide them to customers (thanks in part to Check 21), bad guys can also get their hands on them, increasing the chances of forgery.

Avivah Litan, a vice president and research director at the Stamford,
Conn., market research company Gartner Inc., said that an online archive
of check images can be a treasure trove for criminals – potentially more
valuable than a checkbook or a few cancelled checks. Criminals can see a
months-long spending history that could help them use forgeries to emulate
a person’s spending habits or estimate what check number a victim would be
using at a specific time, she said.
Banks have underestimated the potential of digital images as a forgery
tool, Ms. Litan said. Banks are more focused on preventing criminals from
using online payment services, such as wire transfers and bill payments,
to steal money from a customer’s account.
“They just haven’t realized that online criminals would resort to check
forgery,” she said. “Crooks come in to look at your imaged checks to see
what your signature’s like. They study the checks, and then they copy the

Maybe I’m not sufficiently old-school, but I’m more concerned about identity theft being facilitated here. After all, these images often contain exactly the kind of identity-related info crooks want, such as driver’s license numbers, since these are often added to the checks by merchants at the time of purchase. Something tells me that these images aren’t all encrypted as stored, so from a Bank’s point of view there’s the reputational hit from having to send out breach notices.

White Sox futures market

For the last couple of weeks, peddlers have set up shop just outside Chicago’s Union Station to sell White Sox paraphernalia. Once the Sox were in the Series, I noticed an interesting phenomenon.
Hats were selling for $10.00 after game two of the series. After game three, they were down to $5.00. After game 4 (the final game, thereby halving the Windy City’s exposure to the terrorist threat), they were up to $20.00.
The jump to twenty bucks I understand, but what surprised me was the precipitous drop from $10.00 to $5.00 earlier in the week. Does this mean that the vendor expected a Sox loss, and the subsequent decline in the desirability of his merch? That’s a mighty dismal view, for a guy whose team was up two games to none at the time.

Dog bites man really is boring

Red Herring reports on a claim by Cybertrust that recovering from Zotob cost the average infected company $97,000.
Sounds moderately interesting, until you learn that the industry hardest hit, healthcare, had 74% of its respondents totally unaffected. For financial firms, 93% were totally unaffected. Overall, nearly 90% of firms had no impact. Nada.
Alternative headlines that aren’t as spooky?
How about: “Hardest hit firms lose $25,000 to Zotob” or maybe “At $7K, typical finance firm’s loss to Zotob barely noticeable”.