Emergent Intelligence

John Robb has a fascinating post on how networked organizations learn and improve their orientation as they engage with their worlds. In “Emergent Intelligence,” Robb focuses on the Iraqi insurgency, but draws important and general lessons. He says there are five factors needed for emergent intelligence:

  • A critical mass of participation. I’d suggest that a critical mass is needed not only for the reasons that he suggests, but also to bring a diversity of experiences and the orientations through which they are perceived.
  • Local focus. I agree completely that focus is needed, or the experiences feeding the learning will be insufficiently similar.
  • Chaos! Mmm, chaos.
  • Pattern matching from stigmergic communication. I’m not sure I fully understand this, and hope Robb expands on it.
  • An openness to interaction. If the grand poobah leader knows all, and doesn’t listen, none of the rest of this matters.

There’s a distinctly Boydian nature to his list of factors, which map reasonably well to Boyd’s model of a learning organization with implicit control, acceptance of friction, and local decision making. I think Robb’s terminology (pace stigmergicism) is easier to understand.

A final comment, on Robb’s final point: “It is impossible to discern the motives of this movement until it fully matures.” I see no reason to believe such a movement ever ‘fully matures.’ As long as these principles are followed, the organization will continue to change for as long as the external factors which reward cooperation exist. When those factors no longer exist, it will both stagnate and fragment, and those who consciously apply the rules will emerge elsewhere.

The 4th Amendment is Nice to Have

Cities can require stores to send customers’ identification to an electronic database for police to monitor, judges in two [Canadian] provinces have ruled this week.
Cash Converters Canada Inc. and British Columbia’s largest pawn shop have each failed to persuade judges that a new generation of city bylaws is trampling customers’ legal rights.

From “Courts Okay Database Bylaw” in the Toronto Star.

There’s another interesting bit in there, about a requirement for three bits of government-issued ID. You might think that the government realizes that their ID schemes are unreliable. Maybe they’re being relied upon too broadly? Someone should mention that to Labour.

Free advice for merchants accepting payment cards

3. Protect Stored Data
3.1 Keep cardholder information storage to a minimum. Develop a data retention and disposal policy. Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
3.2 Do not store sensitive authentication data subsequent to authorization (not even if encrypted):
3.2.1 Do not store the full contents of any track from the magnetic stripe (on the back of a card, in a chip, etc.).
3.2.2 Do not store the card-validation code (CVC) (three-digit or four-digit value printed on the front or back of a payment card (for example, CVV2 and CVC2 data)).
3.2.3 Do not store the PIN Verification Value (PVV).

Payment Card Industry Data Security Standard, (Jan. 2005) p. 6
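As an added illustration of requirements 3.1 and 3.2 above (example code written for this page, not from the PCI standard or any merchant system), here is what "don't store it" looks like at the point where an authorization record is about to be written, plus a check for track data that has leaked into free text such as logs. The record layout and field names are assumptions of the example.

```python
import re
from datetime import date, timedelta

# Constructed sample of an authorization record as it might sit in POS memory
# before being written to disk. Field names are this example's own, not PCI terms.
SAMPLE_AUTH = {
    "pan": "4111111111111111",
    "expiry": "0807",
    "track2": ";4111111111111111=08071011234567890123?",
    "cvv2": "123",
    "pin_block": "A1B2C3D4E5F60718",
    "auth_code": "012345",
    "amount": "42.17",
}

# Sensitive authentication data per 3.2.1-3.2.3: never stored after authorization.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cvv2", "cvc2", "pin_block", "pvv"}

# Track 1 looks like %B<PAN>^<NAME>^<YYMM...>?  and Track 2 like ;<PAN>=<YYMM...>?
TRACK_PATTERNS = [
    re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}[^?]*\?"),
    re.compile(r";\d{13,19}=\d{4}[^?]*\?"),
]

def mask_pan(pan):
    """Leave only the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def sanitize_for_storage(record):
    """Copy of `record` that is safe to retain: SAD fields dropped, PAN masked."""
    kept = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in kept:
        kept["pan"] = mask_pan(kept["pan"])
    return kept

def find_track_data(text):
    """Full magnetic-stripe tracks that leaked into free text (logs, crash dumps)."""
    return [m.group(0) for p in TRACK_PATTERNS for m in p.finditer(text)]

def overdue_records(records, today, retention_days):
    """Requirement 3.1: ids of stored records older than the documented retention window."""
    cutoff = today - timedelta(days=retention_days)
    return [r["id"] for r in records if r["stored_on"] < cutoff]
```

Running `find_track_data` over exported logs and memory dumps is the practical check that stripe data is not being stored somewhere the retention policy never mentions.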

Here’s a name: Wal-Mart

Via lyger of the Dataloss mailing list, I learned of an article claiming that Wal-Mart may be the big-box retailer involved in several high-profile card reissues stemming from a breach which led to an international series of card frauds.

In what appears to be a widening incident, Bank of America, MasterCard and Visa all announced this week that they have been informed of a potential security breach at a U.S.-based retailer.
The companies refused to name the retailer involved, but at least one bank said that systems belonging to Wal-Mart Stores, the world’s largest retailer, may be to blame.
A spokeswoman for Regions Financial Corp. confirmed that the bank reissued debit cards in late January after being informed by credit card processor CardSystems Inc. in November that some customer accounts were compromised in a security breach at Wal-Mart and Sam’s Club Stores.
[…]
MasterCard International is also aware of a potential security breach at a U.S.-based retailer, the company said in an e-mail statement.
The company notified banks that issue MasterCard cards to monitor for any suspicious account activity and take the necessary steps to protect cardholders, according to the statement.
However, it was unclear on Feb. 10 whether a breach at Wal-Mart was also behind reissues at the other financial institutions. A Wal-Mart spokesman said he was unaware of an information breach linked to Regions.
Calls to CardSystems Inc. were not returned.
Details of the problem remained scant, with banks and credit card companies refusing to offer details as to how the customer data was exposed or which of its partners was responsible for the situation.
Riess at Bank of America declined to name the retailer or discuss the timing of the breach. She referred questions to Visa and MasterCard. Officials at those companies did not immediately respond to requests for comment.
MasterCard declined to discuss the details of the incident, citing an “ongoing law enforcement investigation.”

SecurityIT Hub
Wow. Wal-Mart. To be specific, is it Sam’s Club, which was reported as being breached in early December 2005, and where Wal-Mart denied that a computer system of theirs had been compromised? Where Gartner and American Banker chided Visa and MC for hoarding info and playing favorites? Where PCI standards were not followed and stripe data stored?
The connection between the BofA/Wamu/Wells Fargo card reissues, and the earlier one by Regions Bank, and the months earlier ones by the Alabama Credit Union, et al. is one I semi-drew last night. I didn’t think there was enough to pin it on Sam’s Club, especially since BofA said a processor wasn’t involved. How would a retailer lose so much info, especially since reports in December were that the detected frauds likely were from customers who bought gasoline at Sam’s Club?
Sam’s Club said this in a press release on 12/2/2005:

SAM’S CLUB stressed that the electronic systems and
databases used inside its stores and for http://samsclub.com are not involved.

So, databases “inside its stores” and the web site didn’t get penetrated. That leaves, uh, POS devices, and….dare I say it…wireless? If we find out that they got p0wned via wireless (a la Lowes, back in 2004?) I will fall off my chair.
This could be huge. Wal-Mart wants to get into the banking business, and (if true) this isn’t exactly a ringing endorsement.
Early in December, I had some fun with ID Analytics and used their numbers to argue that this breach would have exposed 600,000 accounts. It doesn’t seem like fun, now.
Update 2/19/2006: More recent reports are saying OfficeMax got hit, and the Sam’s Club tie-in is unlikely. Non-blog events will postpone further consideration of this, by yours truly, so those seeking additional speculation (Hi, Pete!) may need to wait ;^).

The Wallet Game

(Image: wallet.jpg)
At lunch after Shmoocon, Nick Mathewson said he’d like to pay something between zero and the amount of money in his wallet. I think this suggests a fascinating game, which is that Alice asks Bob for some amount of money. If Bob has that much money in his wallet, he pays. Otherwise, Alice pays him the amount asked for. How much should Alice ask for?

The more she asks for, the more likely she is to pay that amount. [Updated: That used to say ‘less likely.’] The more information Alice has about Bob, the better off she is. (If she has just seen Bob take a fat wad of bills from the ATM, for example.)

R.G., R.D., and noise suggested that if Alice challenges Bob to the game, Bob should be able to choose if he will ask or be asked.

What is Alice’s optimal strategy, absent special information about Bob’s circumstances? Does the non-continuous nature of US currency change things? What if everyone were carrying coins of a single denomination? Does iteration change things?
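One way to make the trade-off in the game concrete, as an added example that is not part of the original post: if Alice asks for x and Bob can pay with probability q, her expected gain is x(2q - 1), so raising the ask helps only while q stays above one half. The prior over Bob’s wallet below is constructed for the example, and the functions also work through the "Bob chooses his role" variant and the value of Alice knowing the wallet exactly.

```python
from fractions import Fraction

# Constructed prior over the dollars in Bob's wallet (an assumption, not data):
# P(0) = .1, P(5) = .2, P(20) = .4, P(60) = .2, P(100) = .1
WALLET_PRIOR = {0: Fraction(1, 10), 5: Fraction(2, 10), 20: Fraction(4, 10),
                60: Fraction(2, 10), 100: Fraction(1, 10)}

def p_can_pay(prior, ask):
    """Probability that Bob's wallet holds at least `ask`."""
    return sum((p for w, p in prior.items() if w >= ask), Fraction(0))

def expected_gain(prior, ask):
    """Alice asks for `ask`: she receives it with probability q, pays it with 1 - q."""
    q = p_can_pay(prior, ask)
    return ask * (2 * q - 1)

def best_ask(prior):
    """Optimal ask given only the prior. Between two possible wallet totals q is
    constant, so only the totals themselves (and 0) need to be compared."""
    return max(prior, key=lambda a: expected_gain(prior, a))

def gain_with_perfect_info(prior):
    """If Alice knew the wallet exactly she would ask for all of it: E[W]."""
    return sum(w * p for w, p in prior.items())

def bob_should_ask(alice_prior, bob_prior):
    """Bob may pick a role. Asking earns him the best ask against Alice's wallet;
    being asked costs him Alice's best ask against his."""
    gain_if_asking = expected_gain(alice_prior, best_ask(alice_prior))
    loss_if_asked = expected_gain(bob_prior, best_ask(bob_prior))
    return gain_if_asking > -loss_if_asked
```

With this prior the best blind ask is $20 for an expected $8, while knowing the wallet would be worth $31, which is the "more information" point in numbers; with symmetric priors the player who gets to choose always chooses to ask.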

(Jenlight’s Duct tape wallet is from Flickr.)

SarBox and Breaches

Earlier today Chris wrote (“Naming names isn’t always bad“):

A quick aside to optionsScalper, since you mentioned a firm’s duty to shareholders: when it comes to thinking about breach notices, I think about the efficient markets hypothesis, and whether investors might rationally think that failure to protect data might impact future profitability.

Bugger efficient markets! What does a breach say about your attestation to the effectiveness of your controls? Sure, breaches can happen even if you have effective controls in place. However, a breach may be the sort of material event which a public company ought to disclose, even if the plethora of personal information laws don’t require it.

Crispier Breach Disclosure (Cooks Illustrated, unknown # CCs)

A good breach disclosure fills you up with what happened, how, and what the company is doing for you. But too often, such notices are soggy and imprecise. Want more precision in the recipe? Beefier response? Cooks Illustrated set out to see what could be done, in “What Happened To Your Website.” Unfortunately, the disclosure ended up, like a good souffle, full of hot air, but not a lot of substance. At least it was only subscriber credit cards.

Maybe they’ll see what can be done to improve the recipe.

(Via Jericho, posting to Dataloss mail list.)

Naming names isn’t always bad

In a comment to an earlier blog entry concerning a ‘he who must not be named’ policy for card processors and others who get breached, optionsScalper asks “given Adam’s recent series on ‘Disclosure’ (at least five posts back to the BofA post on 1/21/2006), how do you (or Adam) assess the disclosure in this case?”
My answer is that I think the disclosure optionsScalper refers to, which involved Regions Bank customers, but where the breach was reportedly at a processor rather than at Regions Bank, is insufficient. It is high time that names be named.
I also think this incident is related, at least conceptually, to a breach involving BofA debit cards reported by the San Francisco Chronicle here and here, also strongly implying that Wells Fargo account holders were involved as well.
The upshot is that a major big-box retailer (see report here) got hit, and now not only BofA, but also Washington Mutual are taking action to protect account holders. Of course, neither is saying anything about which retailer was hit, just like Nations Regions Bank [“I regret the error” – cw] didn’t do any talking.
The ZDnet article above reports Visa as not naming names because there’s an ongoing investigation. In another breach, this time reportedly involving Sam’s Club, it was Visa and MasterCard not naming names (and being criticized for it by the notoriously anti-capitalist American Banker — excerpt here).
It’s time for reporters to start asking the FBI and the Secret Service whether they feel that merely identifying the retailer would compromise the investigation.
More (and more cogent) thoughts about this situation will be forthcoming, but I wanted to at least get this much out.
A quick aside to optionsScalper, since you mentioned a firm’s duty to shareholders: when it comes to thinking about breach notices, I think about the efficient markets hypothesis, and whether investors might rationally think that failure to protect data might impact future profitability.
Along those lines, it might be interesting to see which big-box retailer’s insiders are selling right now, if we only could.

On Treatment of Prisoners and the Face of Evil

Establishing villainy is hard work. Too little, and your villains seem pathetic. Too much, and they’re over the top. Even drawing deeply on Joseph Campbell and with the music of John Williams, Lucas still needs actions to show that Darth Vader is the embodiment of evil. What does he choose? The first time we see Vader act, he is strangling a rebel captive, looking for information.

(Image: darth-strangles-framed.jpg)

The scene is carefully arranged, and no storm trooper blocks the camera’s view of the strangling. There are rebels in the background, being allowed to observe what is being done. Moments later he orders that his officers lie to the Senate about there being no survivors. The next time we see him, he is strangling a member of the Death Star’s executive committee. He leaves there to “discuss” the location of the rebel base with Princess Leia. The camera lingers on the torture droid and its syringe, while Vader looms.

(Image: darth-leia-framed.jpg)

Establishing moral authority is also hard work. Too little, and no one trusts you; too much, and you can seem like a cartoon. Once it’s established, it can be quickly lost by treating your prisoners as Darth Vader does. I was going to talk about intercepted communications and plans because that’s in the news. Then I realized that while wiretaps are in the news, we’re still hiding prisoners at black site prisons, we’re still quibbling over when the Geneva Conventions apply, and no senior officer has been court-martialed for mistreating prisoners, or for allowing the mistreatment of prisoners on their watch.

How you treat prisoners, people who are helpless and at your mercy, says quite a bit about you. That’s why Lucas uses it to define Vader. It’s a pity that such behavior can be used to define the United States.

Selling Your Phone Records

Buried in your wireline and wireless telephone subscriber agreement is a notice concerning “customer proprietary network information” (CPNI). CPNI is your calling records. CPNI shows the phone numbers you called and received and for how long you talked.

Privacy Rights Clearing House has a guide to “opting out of CPNI sharing.” This is great, because after three phone calls, Cingular was unable to tell me how to opt out of CPNI. It turns out it’s buried in a general opt-out form. Via “Your Phone Company Sells Your Call Records. Opt Out Now!” from EPIC West.

Ka-Ping Yee on Phishing

In “How to Manage Passwords and Prevent Phishing,” Ping writes:

So, right up front, here is the key property of this proposal: using it is more convenient than not using it.

This property makes this proposal unique (as far as I am aware). All the other proposals I have seen require the user, on each login, to do more work than they previously had to do. And that, in my mind, instantly dooms a solution to failure, or at the very least creates a stiff barrier to its adoption.

The full Passpet proposal is really good, as you’d expect. It entails extending the browser to use nicknames for sites, keying those nicknames to domains, and storing passwords strongly.

I think there are a few issues to be considered.

  • How does the user decide if they’re at the right site to start with? Passpet works for the user if they’re setting up accounts, but if they’re transferring accounts into Passpet, they’re vulnerable to phishing. (That is, if I have a password for Citibank, and I enter it into a fake site, then the fake site now knows my Citibank password.)
  • The user needs to install software.
  • The bank doesn’t have any indication of the user’s password safety. This is easily corrected if the browser sets an ‘X-Passpet-Version:’ header.
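To show why keying nicknames to domains matters, here is a toy vault written for this page (an illustration of the idea, not Passpet’s code): the nickname is bound to the registrable domain the user first enrolled on, a look-alike host never matches and so gets no password, and each site gets its own derived password so nothing typed at one site is reusable at another. The two-label domain approximation and the HMAC derivation are assumptions of the example; the enrollment-time risk noted in the first bullet is unchanged by it.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def site_key(url):
    """Registrable domain, approximated as the last two labels (assumption:
    no public-suffix list). 'online.citibank.com' and 'www.citibank.com'
    both map to 'citibank.com'; 'citibank.com.example.net' does not."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

class NicknameVault:
    """Toy binding of user-chosen nicknames to sites (illustration only)."""

    def __init__(self, master_secret):
        self._master = master_secret          # bytes; never leaves the browser
        self._sites = {}                      # nickname -> registrable domain

    def enroll(self, nickname, url):
        """Bind a nickname to the site the user is on right now (first visit)."""
        self._sites[nickname] = site_key(url)

    def nickname_for(self, url):
        """Nickname bound to the site currently shown, or None if unknown."""
        key = site_key(url)
        return next((n for n, d in self._sites.items() if d == key), None)

    def password_for(self, nickname, url):
        """Release the per-site password only on the bound site. A look-alike
        host gets None, so there is no password for it to phish."""
        bound = self._sites.get(nickname)
        if bound is None or bound != site_key(url):
            return None
        # Per-site password derived from the master secret and the domain;
        # the derived value for one site says nothing about another site's.
        mac = hmac.new(self._master, bound.encode(), hashlib.sha256)
        return mac.hexdigest()[:20]
```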

In comparison to my “Preserving the Internet Channel Against Phishers” proposal, it requires that the user install software, but allows the bank to continue sending HTML email, and using dodgy hostname constructions. It has the possibility of communicating additional detail about user security to the bank.

Sending HTML email is seen as very worthwhile by banks’ marketing departments. The security risk of a user setting up an account in the wrong place is a risk that banks will be happy to encourage you to take. The big questions will be the install cost of passpet versus other “strong authentication” systems that are being put forth to satisfy new Federal regulations.