Going the extra mile

As a control against identity theft, firms operating on-line often send snail mail confirmations to their customers when such things as site passwords, beneficiaries, or customer addresses have been changed. This allows the customer to review such changes and catch any that may have been unauthorized.
I was the recipient of two such pieces of mail today, pertaining to a single financial account.
It seems that a change of address was made!
I do not recall making such a change. I haven’t moved, so why would I?
The great thing about the notices, and the reason for the title of this post, is that the change being reported to me was that my new address is simply my old address in ALL CAPS.
I cannot think of how a case-insensitive comparison would lead to problems. In fact, the US Postal Service guidelines for business mail addressing say to use all caps.
So, to the folks who mailed me, thanks for going the extra mile, and on behalf of the USPS, thanks for using the address format they prefer.
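As an added illustration (this is not code from the original post or from the firm that sent the notices), here is how the change-detection step behind such a mailing could compare the stored address with the submitted one after normalizing both to the USPS all-caps form. A case-only rewrite then produces no notice, while a genuine change to the unit number still does, and the raw write is still recorded for audit. The sample addresses are constructed and the function names are my own.

```python
import re

# Constructed sample records: the address on file, the same address
# resubmitted in all caps (the case from the post), and a real change.
OLD_ADDRESS = "123 Main Street, Apt 4b\nSpringfield, IL 62701"
CASE_ONLY = "123 MAIN STREET, APT 4B\nSPRINGFIELD, IL 62701"
REAL_CHANGE = "123 Main Street, Apt 4c\nSpringfield, IL 62701"

_PUNCT = re.compile(r"[.,#]")
_WS = re.compile(r"\s+")


def normalize_address(addr: str) -> str:
    """Canonical form used only for comparison: upper case (the USPS
    business-mail convention), punctuation dropped, whitespace collapsed.
    Deliberately conservative: digits and unit designators are kept, so
    a different apartment number still compares unequal."""
    addr = addr.upper()
    addr = _PUNCT.sub(" ", addr)
    return _WS.sub(" ", addr).strip()


def address_changed(old: str, new: str) -> bool:
    """True only when the two addresses differ after normalization."""
    return normalize_address(old) != normalize_address(new)


def review_change(old: str, new: str) -> dict:
    """Decide what to do with a submitted address update.

    Returns a record with:
      - 'notify': whether a confirmation letter goes to the customer
      - 'audit':  always True, because a write happened and an account
                  write the customer did not make is itself a signal
      - 'reason': short text for the log line
    """
    if not address_changed(old, new):
        return {"notify": False, "audit": True,
                "reason": "cosmetic rewrite (case/punctuation/whitespace only)"}
    return {"notify": True, "audit": True,
            "reason": "address differs after normalization; mail confirmation"}


if __name__ == "__main__":
    for label, new in (("case-only", CASE_ONLY), ("real change", REAL_CHANGE)):
        print(label, review_change(OLD_ADDRESS, new))
```

The important caveat is that the normalization must not be so aggressive that it hides real changes: collapsing whitespace and case is safe, but stripping digits or unit designators would let an attacker move mail to a neighboring unit without a notice ever being sent.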

Credit Card Data Over AOL IM

From the files of “too good to make up”, DavidJ.org reports a story from a couple of years ago about his credit card data being sent over AOL Instant Messenger. Essentially he bought some merchandise at a shop which didn’t have a point of sale terminal, so the clerk was IMing all the credit card data to a friend who had one, who would then run the credit card for him.
[Via NoticeBored]

Full Disclosure == Torture

Or so says the Mogull over at Securosis. This particular section sums up my own feelings about the necessity of full disclosure quite well.

I think we need full disclosure as a tool in our arsenal, and that most of the researchers dropping these vulnerabilities think they’re doing good, but full disclosure needs to be a last resort- not a first strike. It’s more powerful as an ever-present threat hanging over the heads of the most unresponsive of vendors. Dropping vulnerabilities and proof of concept code on a daily basis just hardens the vendors and lets them paint you as an out of control rogue.

At this point, I’m pretty much a fanboy of Rich’s anyway after his posts “February is “Month of No Bugs”” and “SAS 70 Has Nothing To Do With Security”, the latter of which I’ll post more about next week.

Robert Anton Wilson Defies Medical Experts

Robert Anton Wilson Defies Medical Experts and leaves his body @4:50 AM on binary date 01/11.
All Hail Eris!
On behalf of his children and those who cared for him, deepest love and gratitude for the tremendous support and lovingness bestowed upon us.
(that’s it from Bob’s bedside at his fnord by the sea)
RAW Memorial February 07

date to be announced

There are too many reasons why RAW was important. One of the ones most relevant to this jazz combo is that in Illuminatus! he and Robert Shea concern themselves with the problem of loss of liberty in the face of terrorist threat. (And they even use those words.) One of the things they discuss as part of the plot is the unwitting alliance between the authorities and the terrorists. It is only because of the terrorists that repressive authority can make repression palatable. And the repression itself makes the terrorists more than mere whackos.

It’s a roller-coaster ride of a book (meaning bumpy and thrilling), but every bit as important as We, Gravity’s Rainbow, or Animal Farm.
Edit (11 Jan 2007, 17:57):
See also Quinn Norton’s missive on 27B Stroke 6.

A Pleasure Doing Business With You!

The BBC reports that the United Kingdom’s 1945 war debt to US [is] ‘almost paid’ and [was] paid off at the end of last year:

The final payment of £45m will be made by the 31 December, meeting a 1945 obligation to repay the debt in full.

In unrelated news, I’m told that neither the United States nor the Sons of Liberty have made any payment whatsoever to Davison, Newman, tea merchants.

I’d meant to post this at the end of last year. Mordaxus’ post on loans reminded me.

What Congress Can Do To Prevent Identity Theft

Larry The Lender
Seventy Percent of Americans think we need more laws to protect them from identity theft and all that.

I can think of a situation we need protection from. Here is a scenario. Let us take the case of a lender, Larry. We need a law to make it so that if Larry lends money to Alice, he cannot try to collect it from Bob. That’s all we need. If we have that, we’ll have all the legal protection we need to solve identity theft.

The threat of identity theft comes from Larry’s business practices. Larry wanders around hawking credit. “Yo, Alice, Bob, either of you want to borrow some money for lunch? A car?” There are a lot of advantages to easy credit, but disadvantages as well. In addition to the usual ones of people amassing too much debt (whatever that means), identity theft is actually the result of easy credit.

Perhaps Larry is nearsighted, perhaps Larry is stupid. Perhaps Larry is dumb like a fox. However, what happens is that Alice borrows money from Larry and says, “I’m Bob.” Larry marks that down, and then goes and hits up Bob for payment. Bob is understandably confused.

That’s it, that’s the security scenario of identity theft. We’re going about solving it the wrong way, because the real cause of identity theft is Larry’s business practices. I can (and probably will, in a future post) tell you how to reduce the chances of identity theft. These are actionable suggestions; they are things you can actually do. None of us can presently deal with the real problem, so we have to make do.

There is nothing in law, morality, or ethics that requires Bob to pay up when Larry lends to Alice. Unfortunately, we’ve all let Larry get away with it. We’ve made it be Bob’s problem, when it isn’t. Let’s make no mistake here, Alice is committing fraud. But Larry is the enabler, and really not only owes Bob setting the record straight, but reimbursement for the trouble Bob had to go to because Larry is stupid (even if it’s stupid like a fox).

If Congress wants to do something for consumers, it would be to require lenders to be responsible. Yes, this would crimp their style. For example, one bank sends my household mail for pre-approved credit cards at a rate of more than one per day. We used to shred them, but now we package everything up in the business reply envelope and send it back to them. Perhaps it would be part of the slow slide into tyranny for the nanny-state to effectively prevent banks from sending 400 credit-card offers to a single household per year, but the right to swing your arm stops at my nose, and the right to beg, plead, whine, and wheedle me to borrow more stops when you can’t tell Alice from Bob.

An alternative solution would be for some ambulance-chaser to file a class action lawsuit. I think that it could be extremely successful, properly done. Contract law covers these cases, or at least it’s mystifying to me why it doesn’t.

Apparently, however, our current legal system does not support the intuitively obvious notion that bad business decisions do not create liability for some third party. If Congress wants to help people, it will do something simple and sane. It’s not Bob’s fault that Larry is stupid.
Photo of Larry The Lender courtesy of jonmc.

Bay Area Security Incident Exercise

For those who are located in the SF Bay Area (or will be there on February 21st), the Silicon Valley ISSA Chapter is hosting a one day mock security incident exercise.

The goal of the exercise is to explore how different organizations and industries must work together to respond to events based on their organizational mission or needs, and how their actions and decisions could conflict or mesh with the plans of others in their industry or local community. During this event, the industry breakout sessions will be separated and only provided scenario details specific to their industry. Participants in each industry group may communicate electronically with the other industries’ participants, but won’t know to what information the other has been exposed—except for the media reports seen by all industries. These events will play out over multiple “virtual” days; participants will need to work together within their industry and communicate with other industries to attempt to maintain operations and take care of the community, their customers, and staff.

The exercise is being conducted by Verizon Security Services, with whom I have no personal experience, but who have done similar events in the past. Have any of you gone to one of these events, and can you speak to the quality?

FTC Accepting Comments on ID Theft

The President’s Identity Theft Task Force announced that it is seeking public comment on various possible recommendations to improve the effectiveness and efficiency of the federal government’s efforts to reduce identity theft. The Task Force is chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras and participants include the Securities and Exchange Commission and other federal agencies.

Although there is no legal requirement that the Task Force solicit public comment on its recommendations, the Task Force agencies believe that seeking comment on these issues will supplement the research and analysis already conducted, provide further information about the proposals it is considering, and identify areas where additional recommendations may be warranted. Comments must be filed on or before Friday, Jan. 19, 2007.

So reports Exchange Handbook, via Pogo Was Right.

Secret Laws, Obnoxious Laws … No Law’s Not Looking So Bad

First, from 27B/6, we learn that “Supremes Won’t Hear Secret Law Challenge,” and that administrative agencies such as TSA are free to propagate laws and regulations we can’t see or challenge.

Second, via Kansas City Newzine, we learn about the totally screwed up set of rules which are ‘REAL ID,’ featuring this chilling quote:

Still, even lawmakers who voted for the new ID bill said they will consider tweaking it when the Legislature goes back into session in January. “We need to sit down and make sure that we’re not blocking services to those entitled to them and that we’re protecting our freedom to live under an efficient and effective government,” Colorado state Rep. Bernie Buescher (D) told Stateline.org.

Got that comrade? You’re free to live under an efficient and effective government whose powers trump any rights it chooses not to take from you. And if you don’t like it, move to friggin’ Russia!

Finally, The New York Times reports “Islamists Out, Somalia Tries to Rise From Chaos:”

“After nearly two decades of anarchy,” said Abdi Artan Adan, a retired diplomat in Kismayo, “people just don’t want to be ruled.”

Go figure.

Choicepoint reports $50M more expenses, some due to breach

The Atlanta Business Chronicle reports that “ChoicePoint tumbles to third-quarter loss:”

ChoicePoint Inc. went into the red in the third quarter, hurt by about $50 million in charges related to asset impairment, stock expenses and legal fees from a data breach in 2005.

Choicepoint’s losses are a severe outlier. As I said in March 2005, in “Why Choicepoint Resonates”:

It’s now a full month since Bob Sullivan of MSNBC broke the Choicepoint story. I’d like to think back, and ask, why does this story have legs? Why are reporters still covering it?

There are a couple of important trends which combine to make this a perfect storm, attractive to editors and readers.

I still think my analysis is decent, and that any serious statistical analysis of breach costs must show “without Choicepoint” numbers.

[Update: Clarified title, which attributed all expenses to the breach.]

That’s Funny….

Over the last week, I’ve read several things involving poor Lind Weaver. In case you missed it, she’s a 57-year-old owner of a horse farm. She got a bill for the amputation of her right foot. As you should expect if you’re a regular reader here, it wasn’t her. Comic hijinks ensue which conclude with

After weeks of wrangling with the hospital’s billing reps, Weaver finally stormed into the facility and kicked her heels up on the desk of the chief administrator. “Obviously, I have both of my feet,” she told him.

She’s either the victim of an incredible records screw-up, or (cue dramatic organ chords) Healthcare Identity Theft. The articles I’ve read state that it’s the latter, and in fact while it may be comic, it’s no laughing matter. This sort of thing is going to get someone killed.

Many years ago, Stan Kelly-Bootle told us that GIGO means Garbage In, Gospel Out. This is the tendency for data, having passed through a computer, to be sanitized and made holy and incorruptible. The Pope is only infallible when he’s speaking ex cathedra, but an Excel spreadsheet — there’s no arguing with that.

I just have to blink several times at the idea that in this day and age, when a middle-aged woman calls a hospital up and says, “excuse me, there must be a mistake in this bill for an amputation,” no one thought there might be something wrong. This is the power of the GIGO principle. The old saw that the computer doesn’t make mistakes is still there; people just bite their tongues when they think it.

We also have a Digital Confidence Survey from the Cyber Security Industry Alliance (CSIA) that has lots of pretty graphs and things that I have trouble making sense of.

The Digital Confidence Index is 57. Um, okay. I’m not sure what that means. The CSIA thinks that that means people want more laws about this. I’m not disagreeing, I have my own ideas on what those ought to be.

There’s a nice chart there that tells us that 50% of Internet users “avoid making purchases because I’m afraid my information could get stolen.” There isn’t enough context here. There are plenty of times I have avoided buying something on line for more or less that reason. But if you dig deeper, it was because they wanted me to register and create an account, not because of my personal information itself. I don’t want to have a relationship with them, I want to buy something. Maybe if I buy a number of things, I’ll want to proceed with a relationship, but not on the first date.

Nonetheless, I don’t think this is exactly what is behind that datum. People are still afraid of the wrong things. Network security could be a lot better, but the best thing you can do to avoid identity theft is to buy a shredder. I don’t have the reference at hand, but last year, 90% of identity theft was from dumpster-diving and so on, not computer problems.

As bad as network security is, the real danger is elsewhere. It’s the same problem as worrying about airline safety as you drive without a seat belt.

But really, isn’t it better that people lose confidence in computers and networks? The way I see it, we have a surfeit of belief that whatever that screen says is right. Identity theft problems can be helped more by realizing that every business process in the world is screwed up and the ones that are computerized are going to be screwed up in zanier ways because there is no human oversight.

Discoveries don’t come from flashes of insight, but from a mutter that starts with, “that’s funny….” We need fewer people in charge of these systems saying, “our records show you had an amputation on April 31st,” and more people saying, “that’s funny….”

Photo courtesy of drea.renee.

Pragmatic Redux

Late on Friday night, Mike Rothman finally posted a response to some of my questions from last week. Most notably he reveals who the Mike in his “Ad” is:

The answers are pretty straightforward. Mike, the Pragmatic CSO, is a fictional character. For those of you a little slow on the uptake, that means he doesn’t exist. Well, not really. Mike is a representation (some would say a caricature) of the thousands of CSOs and security professionals I’ve met through the years. Both the good traits, and not so good traits.

I was all set to ask Mike how a fictional character could spend $97 on a book let alone drink that much product from Starbucks, only to discover that Rothman had edited the website. It now says:

think buying the Pragmatic CSO book will be the best $97 you’ll spend all year. For less than you probably spend at Starbucks a month, you’ll be able to get back in control of your security environment. Dare I say it, but it’s worth 20 times the price. Even better, YOU HAVE NOTHING TO LOSE. If you don’t like the book, just ask Mike Rothman for your money back within 30 days – no questions, no heartburn.

While I appreciate the corrections, I do find the silent revisions somewhat worrisome. I guess that comes under the not so good traits Rothman refers to above…
Mike closes out with:

He [Arthur] also wondered a bit if he could meet Mike, the Pragmatic CSO at RSA. Maybe I’ll get a life size poster of Mike, and then Arthur can have a conversation with him.

I have to say I’ve certainly had worse conversations on the vendor floor at RSA than I would have with a cardboard cutout, so bring it on. I can out-argue a cardboard cutout any day.

A Pledge

Having thought about my previous post, “On airport advertising,” I’d like to see what content-based restrictions are in place. If the ACLU applies and is accepted, I’ll donate $500 for the ACLU to buy bins that advise people of their rights when passing through airport screening.

[Update/clarification: I’ll pay for the ACLU to inform travellers of their rights while being screened, of other rights, and to ask for money in ways which they see fit.]

[Update 2: “Interested parties will have to partner with Airport Operators to develop a proposal for TSA review. Only Airport Operators can submit proposals for use of the Passenger Screening Checkpoints for advertising.” So says the “Federal Business Opportunities” website. Anyone know any airport operators?]

[Update 3: Welcome boingboing readers, and thanks to all who are offering to match. I’m ok with donating that; please don’t feel you have to match or not donate.]

On airport advertising

Via Eric Rescorla, who has insightful comments, and Boingboing, we learn that “TSA Pilot Would Offer Ads at Airport Security Checkpoints.”
A few chaotic comments:

  • What authority does TSA have to sell advertising? Isn’t Congress supposed to fund their operations? The advertisers are the ones “who will provide divestiture bins, divestiture and composure tables, and metal-free bin return carts at no cost to TSA.”
  • What company wants to be associated with treating the public like that? (Obvious answer: the cell phone companies, maybe the credit agencies, and used car salesmen.)
  • Will they accept advertising from the ACLU saying “Tired of intrusive searches? Please donate!”
  • How about the Libertarian party?
  • If this is acceptable, what level of advertising isn’t acceptable? Can Allstate fund police cars?

Photo, less tasteless than this proposal, is a RyanAir ad, which we covered in “New airport security procedures.”

[Update: new picture.]