May 06, 2005

Damaged Pennies

Netcraft publishes the top phishing hosters - and puts Inktomi in pole position. Think class-action, damages, lack of due care, billion dollar losses ... we need more of this naming and shaming.

Rumours abound that Microsoft is about to be dragged into the security mess. I had thought (and wrote occasionally to effect) that the way phishing would move forward would be by class-action suits against software suppliers, following the lead of Lopez v. Bank of America ([1], [2]). But there is another route - that of regulators deciding to lean on the suppliers. Right now, that latter path is being explored in smoke-filled rooms, or at least that's what those who smoke say.

These two routes aren't exactly in competition, they are more symbiotic. Class-action suits often follow on the judgments of regulatory settlements, so much so that the evidence one side discovers is used by the other side to advance. In this way they work as a team.

Over on CACert, Duane alerts me to a blog that they run, and an emotional cry for help by an auditor from Coopers and Lybrand (now PriceWaterhouseCoopers). Like my own observations, the briefly named 'Gary' points out that CACert's checking procedures are as good or better than the others. He also breaks ranks and wiggles the finger at immoral and probably illegal practices at auditors in security work. I am not surprised, having heard stories that would make your faith in public auditors of security practices wilt and expire forever more. Basically, any *private* audit can be purchased and it costs double to write it yourself. Trust only what is published, and even then cast a skeptical eyebrow skywards.

Speaking of Microsoft and car wrecks to come, this factoid suggests that "25 car models run Microsoft software" ... unfortunately or perhaps luckily there is no reference.

In more damages of the other kind, RIAA File-Sharing Lawsuits Top 10,000 People Sued. In the Threats department: One-Third Of Companies Monitoring Email. Also, a nice discussion on fraud by fraudsters. A Newspaper interviews two fraudsters behind bars for what we now know as identity theft. Good background material on why and how easy.

AOL in Britain reports that one in 20 report that they have been phished. I find these sorts of surveys somewhat "phishy" given that if one in 20 of the population has been phished, we'd have rioting in the streets and politicians and phishers alike strung from lamposts. But, it's important to keep an eye on these datapoints as we want to know whether the status of phishing as primarily an "american disease" is likely to go global.

And in closing, a somewhat meanandering article that links Sarbanes-Oxley, IT and security products. It asks:

"But here is the fundamental question - has there ever been a pervasive and material financial fraud which has resulted directly or indirectly from a failure of an IT security control? Would IT controls have prevented or detected the frauds at Enron, WorldCom, Tyco, and the like?"

The author might be a closet financial cryptographer.

And, if you got this far, it is only fair to warn you that you've now lost 10 points of your IQ level. (Sorry, no URL for the following ...)

It's the technology, stupid
By Michael Horsnell in London
April 23, 2005

THE regular use of text messages and emails can lower the IQ more than twice as much as smoking marijuana. Psychologists have found that tapping away on a mobile phone or computer keypad or checking them for electronic messages temporarily knocks up to 10 points off the user's IQ.

This rate of decline in intelligence compares unfavourably with the four-point drop in IQ associated with smoking marijuana, according to British researchers, who have labelled the fleeting phenomenon of enhanced stupidity as "infomania".

Research on sleep deprivation suggests that the IQ drop caused by electronic obsession is also equivalent to a wakeful night.

The study, commissioned by technology company Hewlett Packard, concludes that infomania is mainly a problem for adult workers, especially men.

The noticeable drop in IQ is attributed to the constant distraction of "always on" technology, when employees should be concentrating on what they are paid to do. They lose concentration as their minds remain fixed in an almost permanent state of readiness to react to technology instead of focusing on the task at hand.

The brain also finds it hard to cope with juggling lots of tasks at once, reducing its overall effectiveness, the study has found. And while modern technology can have huge benefits, excessive use can be damaging not only to a person's mind, but also their social life.

Eighty volunteers took part in clinical trials on IQ deterioration and 1100 adults were interviewed.

Sixty-two per cent of people polled admitted that they were addicted to checking their email and text messages so assiduously that they scrutinised work-related ones even when at home or on holiday. Half said they always responded immediately to an email and 21 per cent would interrupt a meeting to do so.

Furthermore, infomania is having a negative effect on work colleagues, increasing stress and dissenting feelings. Nine out of 10 polled thought that colleagues who answered emails or messages during a face-to-face meeting were extremely rude. Yet one in three Britons believes that it is not only acceptable to do so, but actually diligent and efficient.

The effects on IQ were studied by Glenn Wilson, a University of London psychologist, as part of the research project.

"This is a very real and widespread phenomenon," he said. "We have found that infomania, if unchecked, will damage a worker's performance by reducing their mental sharpness."

The report suggests that firms that give employees gadgets and devices to help them keep in touch should also produce guidelines on use. These "best-practice tips" include turning devices off in meetings and using "dead time", such as travelling time, to read messages and check emails.

David Smith, commercial manager of Hewlett Packard, said: "The research suggests that we are in danger of being caught up in a 24-hour, always-on society.

"This is more worrying when you consider the potential impairment on performance and concentration for workers, and the consequent impact on businesses.

"Always-on technology has proven productivity benefits, but people need to use it responsibly. We know that technology makes us more effective, but we also know that misuse of technology can be counter-productive."

>From The Times of London in The Australian

Posted by iang at May 6, 2005 08:02 AM | TrackBack

Escape from the traps we have built ourselves. Well in the good old days when corporations hired bright young folks with shinny degrees there was a belief that if you hire enough you could garner protection. That yuppy lad from Kirkland Washington known as Sir William Gates was the kind of dude you wouldn't mind dating your daughter. So if they can date your prized offspring why not allow the bastard to do the corporate security. As luck would have it they preached the security of the SSL and the CA and in time the gospel of the secure grew amoungst the faithful. Rev/Sir Bill leveraged the word and the word became micro Amen Brothers and Sister and the word was made micro. But slowly ever so slowly a serpent crept into this garden of self back slapping fools. The serpent was called reality and before our very eyes Sir Bill turned into anti-savior. I happened just that quick because we still believe in magic all them colors and numbers a flickering on the screen it simply must be magic y'all. The truth is a flawed scenario for security and a number of other ideas where sold not bought. People cannot be told anything they must be sold they never buy anything they are sold. Once upon a time is a heart beat away from corporate policy and technology choices. This once upon a time is a nightmare when left in the hands of regulators who do not even know how to use email they have staff for that purpose. These blithering idiots couldn't even run a Food for Oil program or fund a war in Iraq without misplacing $100 Million USD. So what made any of us believe that the systemic failure of security for consumer usage was not destiny. The current cyclical bear market the equities exchanges are facing will not be officially over until a one day 10%or greater downward correction happens. This is human nature to wait until the situation gets utterly unlivable before anything gets done properly. So the rally should be for bad news lots of bad news the bader the better. People fall asleep at the wheel because we suffer from OCD and yern for a world on autopilot. It is the once upon a time dream not reality that we buy daily. So if one can feed the masses some form of opium they will gladly pay for their own destruction. I have a great concept lets brand and package Chinese slave labor as development and advancement and pretend we support using economic methods rather than politically oppressive boycotts. When we wake up with a Blue Water Navy built by the slave labor, funded with small items purchased at Walmart then and only then will we say Boy did we screw our selves why didn't we see this coming. I come from a long line of people screwed by blinded self indulgence we cannot get out of our own way half the time. At some point the western cultures must admit they cannot get things right ever and must build things with failure as the assumption it might keep us rational. Think of the worst things imaginable and they will happen, have happened, and will continue to happen. This struggle to over come shortcomings is a bloody process and it rarely ends well. So what will really happen nothing my friend called me today he recieved emails from his online trading account that he did not authorize. He contacted the brokerage firm and found the routing for the funds was changed to a different bank account with a different name. The brokerage firm did not call the bank because their understanding of the law was they where not required to. So my friend called the bank they told him they had to protect the privacy of the account nothing happened. The Privacy Act and the Anti-Money Laundering Act Conflict. Now the class action world will sue the software manufacturers, the banks, and the brokers while the people screwed get nothing they simply pay a higher price for the services, loose funds, and pay higher premiums for insurance all because one little bastard called Sir William Gates looked like he might be a good suitor for some fat bastards daughter. I hate Sir William . I suggest we change his name to Sir Rodger since he has rodgered us all.

Posted by: Jimbo at May 5, 2005 10:22 PM

What short memories people have.

While I don't have a reference handy, I recall much of Nick Leeson's fraud at Barings Bank was directly abetted by his ability to directly manipulate the database backends of the Risk Reporting and Cashflow/P&L Reporting systems, then approve the fraudulent reports.

Yes, the complete segregation of duties breakdown putting him in charge of both Trading and Risk Management was the key enabler of his fraud. Still, the fact that he was able to manipulate the IT back-end, which folks back at the mothership in London trusted implicitly even when the reports shouldn't have made sense (We're making tons of money over here! Send us more money so we can make even more!) was a major piece of his ability to hold the fraud together as long as he did.

Posted by: Chandler Howell, aka Cubicle at May 6, 2005 01:58 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.