Why is the market for certs so moribund? Well, one reason is that it lacks discrimination - a critical component, as all marketeers know. This essential ingredient can be added easily with a dose of self-signed certificates and servers that bring you SSL protection out of the box. And CAs stand to reap the benefits, as do users.
A new rant in the SSL series at: http://iang.org/ssl/dr_self_signed.html, or read on.
From: iang@systemics.com
Subject: Dr. Self-signed or How CAs Learned to Stop Worrying and Love the Cert
Date: Tue, March 30, 2004 12:59
To: mozilla-crypto@mozilla.org
Duane wrote:
> Nope I'm not proposing self-signed, that was Ian.
Guilty as charged!
In time, however, I fully expect all CAs to promote self-signed certs, as aggressively as I do.
One day, Certificate Authorities ("CAs") will defend our right to use self-signed certs, and deny ever having said anything to the contrary. It will be the thought crime of the age to think in any other terms, a failure of your patriotic duty, the denial of purity and essence of our natural ... yadda yadda....
But, today, it's a different world. Most CAs, today, think that a self-signed cert is bad, as, in their minds, it reduces their possibilities of selling another cert.
Which has gotta be bad, right?
Er, no!
Apologies in advance, but that couldn't be more wrong.
Big CAs have as much understanding of marketing as children do of the tooth fairy. That's why they labelled the self-signed cert as "snake oil," they were thinking in terms of monsters in the closet and other gremlins in the dark, bogeymen their bigger badder siblings had told them about, and stories of slippery slimy things they were going to pass on to their smaller siblings.
But, that's not marketing, and not the market, that's simply what they've been told to believe.
A story about selling: Two salesmen went to Africa in the 19th century to sell shoes.
The first one saw that everyone walked barefoot. He booked passage back the next day, totally despondent, muttering to himself, "I can't sell shoes in Africa, nobody wears them." :-(
The second salesman saw all these unshod people, and cabled back on the newfangled wire service "hurry, send shoes, *nobody* wears them, the market is wide open, it's HUGE..." :-)
The second guy knew what a market was.
My prediction is this: when the browsers stop worrying and learn to love the increased security of a self-signed cert, and when servers start automagically bootstrapping with self-signed certs, then CAs will double their sales of certs. If it's not double, it'll be triple. Or more.
It works this way. Currently, it is really hard to sell certs, the problem being that sales come to the CA, not the other way around. One is stuck with pretty poor marketing tools like banner ads and brand name (and even they don't work because of the commoditisation of the product that was created by the "one size fits all" rule) and relying on rules and regs and cartels.
However, if servers automatically installed with SSL (up and running, self-signed cert enabled, such that https://myfunsite.com/ worked immediately) and, users could browse (sans warnings, but with congratulations on their choice of fine crypto), then, several things would happen:
Firstly, CAs would now be able to see who was using certs and thus who cared. I.e., what sites care enough to actually promote and use their easy crypto install, and what sites just let it lie fallow.
That is, they would now be able to CONVERT sites from self-signed over to CA-signed. Conversion is an active selling process and is much more successful than advertising.
Recall the phrase, "shares are sold, not bought!"
Secondly, the CA would be able to upgrade the existing certificate - the self-signed one - based on net-only DD (due diligence) in advance of any sale.
That is, take the self-signed one and replace its sig with the CA sig (sadly, x.509 doesn't support multiple sigs like OpenPGP, it's pretty useless rubbish, really, but it's the useless rubbish that we have to deal with.)
Oh, and do some quick DD: check out the whois, check out the web site, check out a few other things (isn't competition wonderful...).
A lot of this could be automated, and thus done for a very low price. A CA-signed cert written at this lowest grade could then be presented and sold to the site. $10 or so, who knows, maybe even free under some circumstances. Digital signatures are cheap, after all.
Thirdly, the act of upgrading to a CA-signed cert would be immeasurably simpler - it would become a drop-in replacement of a single file and a restart, rather than having to set up all this Apache SSL config blah blah and trying to sort out all the whole cert DD and access and so forth nonsense that drives people spare with the number of little steps that can muck up.
Each of these factors has the capacity to DOUBLE the market for CA-certs. Says I!
Why does this work? Simple. Right now and here, there is a binary market. You either do or you don't. To encrypt or share, to SSL or not. There is no in between, no halfway house. No compromise, no room to manoeuvre.
Marketeers know that this is the very model of a primitive, undeveloped, near-worthless market, with only a tiny number of "do's" because the barrier is too high.
Check the stats. It's about 1% of the market, less or more, depending on how you count them. E.g., totally wide open, untapped, unless you are like our first shoe salesman, already on the boat heading home.
However, if we can turn the cliff of DON'T to DO, into a number of smaller jumps, a climb up a hill, as it were, this would enable people to move up and down the slope more efficiently. Which encourages more people to enter into the market, and raises the size, and makes for more security.
(A bit like selling thongs or flip flops to people who've never worn shoes, this year, and sandals next year, leather shoes the year after, and high tech trainers with air cushions and flashing LEDs the next year...)
A mature market doesn't overwhelm the customer, it leads him or her along. We would be creating a market for certificates that would travel like this:
NONE -> self -> auto -> minimal -> MAXIMAL
The step from one gradation to the next is much much smaller, and thus cheaper and easier on the thought process of our currently unshod masses. Five small steps replace one huge leap (and any number of additional steps could be added to smooth out the slope in future years).
More sites would find the first step easy, and as they grow in size and value, they would be encouraged to spend the little needed to go up the next step. They could walk as high as they wanted, at their own pace, instead of being daunted by the size of the cliff.
There's no real reason why a premium CA couldn't sell a real DD package that cost tens of thousands, capped off by a solid platinum grade cert - unless that reason is a cliff that shrinks the size of the market to next to nothing.
In marketing terms, this concept is known as "discrimination" (nothing to do with other uses of the word). The user is more finely discriminated as to their needs and their desires to pay. Consumer advocates would call this "consumer choice." (If we were to ask economists, they would refer to the "consumer surplus," but I'd really advise caution when letting any econowhatsits into the market process.)
It's all well-known stuff. Anyone who's done marketing would know this, it's standard in b-school and sales class. Question is, how to tell the CAs this? And then stand out of the way as the stampede to snap up all the available self-signed certs...
iang
PS: so, what does all this do to security, especially, of the users?
It increases it immensely. I'd say that this could multiply by 10-fold the number of sites doing crypto, using self-signed and auto-signed certs. It could result in almost all sites that need crypto using it, instead of the hit and miss "merchant" approach we have now.
For the CIP (critical infrastructure protection) people, this would be a godsend, as the one thing that without a doubt helps net protection is crypto (authenticated or not, and plenty of it) and what's even more wonderful is that this could be done at almost no cost!
PPS: this month's stats on just how wide open the market is, are at:
http://www.securityspace.com/s_survey/sdata/200402/certca.html
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
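The "self -> auto" upgrade step the post above describes, as an added example using the openssl command line (not code from the original post, nor from any CA): the server bootstraps itself with a self-signed cert, a toy CA re-issues the same subject and public key under its own signature (X.509 has no room for a second signature, so re-issue is the only option), and the checks confirm the result is a drop-in replacement for the existing key. The hostname, CA name and file paths are all constructed for the demo.

```shell
#!/bin/sh
# Added example: self-signed bootstrap, then CA re-signature of the same
# certificate content. All names and paths below are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
HOST="myfunsite.example"   # placeholder hostname, not a real site

# Step 1 (server side): what an install would do automatically so that
# https:// works immediately: a fresh key and a self-signed cert for it.
bootstrap_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/server.key" -out "$WORK/self.crt" \
    -subj "/CN=$HOST" 2>/dev/null
}

# Step 2 (CA side): a throwaway root, standing in for the "lowest grade" CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Demo Low-Grade CA" 2>/dev/null
}

# Step 3: "take the self-signed one and replace its sig with the CA sig".
# The self-signed cert is turned back into a request carrying its own subject
# and public key, and that request is signed by the CA. The server's private
# key is never sent anywhere and never changes.
upgrade_to_ca_signed() {
  openssl x509 -x509toreq -in "$WORK/self.crt" -signkey "$WORK/server.key" \
    -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
    -out "$WORK/ca-signed.crt" 2>/dev/null
}

# Check 1: the new cert carries the same public key as the old one, so it is a
# drop-in for server.key (swap the cert file, restart the server, done).
same_public_key() {
  old=$(openssl x509 -in "$WORK/self.crt" -noout -pubkey | openssl sha256)
  new=$(openssl x509 -in "$WORK/ca-signed.crt" -noout -pubkey | openssl sha256)
  [ "$old" = "$new" ]
}

# Check 2: the CA-signed cert chains to the CA root.
verifies_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/ca-signed.crt" >/dev/null 2>&1
}

# Check 3: the original self-signed cert does not (it was never the CA's).
self_signed_not_trusted_by_ca() {
  ! openssl verify -CAfile "$WORK/ca.crt" "$WORK/self.crt" >/dev/null 2>&1
}

run_upgrade_path() {
  bootstrap_self_signed && make_ca && upgrade_to_ca_signed \
    && same_public_key && verifies_against_ca && self_signed_not_trusted_by_ca
}

run_upgrade_path && echo "OK: $WORK/ca-signed.crt is a drop-in for $WORK/self.crt"
```

The "auto" grade's net-only due diligence (whois, a look at the site) would sit between steps 2 and 3 and is not modelled here.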
Story on how the "free email leads to spam" equation is being changed with massive private litigation:
Internet giant AOL has ratcheted up the war against unsolicited e-mail with a publicity-grabbing coup - an online raffle of a spammer's seized Porsche.
AOL won the car - a $47,000 Boxster S - as part of a court settlement against an unnamed e-mailer last year.
"We'll take cars, houses, boats - whatever we can find and get a hold of," said AOL's Randall Boe.
According to Mr Boe, the Porsche's previous owner made more than $1m by sending junk e-mail.
Hitting them where it hurts
AOL is one of the noisiest opponents of the evasive spam trade, and this month joined forces with Microsoft, Yahoo and Earthlink to sue hundreds of spammers.
Seizure of property is becoming a major tactic in these lawsuits, since guilty spammers often protest their inability to pay large fines.
The Porsche-owning spammer, whose identity remains confidential, was one of a group sued last year for having sent 1 billion junk messages to AOL members, pitching pornography, college degrees, cable TV descramblers and other products.
Mr Boe said the Porsche was seized mainly for its symbolic value, as the obvious fruit of an illegal trade.
The Porsche sweepstake lasts until 8 April, and will be open only to those who were AOL members when it was first announced.
Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/business/3581435.stm
Published: 2004/03/30 07:20:09 GMT
© BBC MMIV
Mozilla Foundation (MF) has moved further forward in its debate on CA policy. In essence, the policy states that MF will distribute CAs' root keys where the CA has implemented sufficient controls, in the view of MF, and doing so would serve the users of Mozilla. Point 4 of the policy is the relevant one:
4. The Mozilla Foundation will consider adding certificates for additional CAs to the default Mozilla certificate set upon request. The Mozilla Foundation requires that all such CAs:
- provide some service relevant to typical Mozilla users;
- publish information about the CA and its policies and procedures; and
- provide CA certificate data in a form suitable for inclusion in Mozilla.
The process is still in draft, but is encouraging. They are leaving a way open for smaller, more focused CAs to get into the game, without having to go through some committee idea of safety and security (such as an audit or other pure-blooded means). Several CAs are champing at the bit to get in, presumably because they've already found out how hard it is to get accepted by other browser publishers.
Frank Hecker has written a core policy proposal, supported by implementation details and a meta-policy:
http://www.hecker.org/mozilla/ca-certificate-policy
http://www.hecker.org/mozilla/ca-certificate-faq/policy-details/
http://www.hecker.org/mozilla/ca-certificate-metapolicy/
This article by Professor Burke, of the Riga Graduate School of Law, explains how the common law tradition creates a framework of contracts based on negotiation by equal parties, and tries to squeeze all agreement into its framework. Yet, form contracts do not squeeze so readily, and only the presence of legal fictions - ones fraught with potential for flaky rulings - can make these form contracts work under the regime of the classical negotiated contract.
Standard form contracts are those written by a vendor, for their clients, to create the terms and conditions for some product.
The difference is in the absence of negotiation, consideration of terms, and meeting of the minds. A form contract is presented, and there is no discussion as to terms. Indeed, Burke says, the counterparty, the customer, has no necessary appreciation of the terms, and not even any especial knowledge that there are terms to consider!
Thus, as an inescapable conclusion, there can be no meeting of the minds in a form contract. Yet, form contracts are totally legal, totally acceptable, and people travel to work every day on them: we derive huge economic benefit from them, from bus and airline tickets to dry cleaning stubs, from insurance contracts to software licences...
In fact, Burke proposes that form contracts are 99% of all contracts (albeit with recognition that there is no empirical study to back this up), whereas 99% of the tradition of contract law concerns negotiated contracts. This is, to my layman's eye, a huge criticism of the state of the law, but we must drag ourselves back to the here and now.
Ricardian Contracts are Form Contracts. In this sense they are like airline tickets. The user acts according to a purchase of a product. The product is a payment, a transaction, and the product is "purchased" as a whole entity, including the terms and conditions that apply.
What the user does not do is negotiate the contract. The user of a Ricardo transaction doesn't enter into a bargain, nor examine the terms, nor suggest their own terms. They simply buy a product called a payment.
Indeed, in a form contract, as there is no meeting of the minds, there is no symbol to record that event - so, there is no "need" of signatures.
We've known for a long time that the digital signature of the Issuer was ... an act of some pretence, in the sense that it was completely overdone: the hash entanglement, the publication of the document, and original sales create far more of a record of the intent of the Issuer than any mathematical nonsense dressed up as a signature. But we have puzzled over the question of the user's intent.
Surely, goes classical contract logic, we needed the user's signature to record their intent and act of entering into the contract? No, it appears not, if Burke's critique is to be taken at face value. This is a form contract, and the usage of the product is as much as we can expect, and as much as we need.
This discovery doesn't solve every unanswered question about Ricardian Contracts, but it does shift emphasis away from trying to craft a user's signature as a legal symbol (a task of some contortion, if you know your digsig politics). In the general case, the Issuer of a Ricardian Contract needs a signature from the user no more than an auditorium owner needs a signature from members of the audience, as they walk in.
Both are still covered by terms and conditions of the contract for admittance. It may be that a signature is collected for entrance to a shareholders' meeting, as opposed to a concert, but that's a matter of content, not form.
DSR is a historical pre-commercial (circa 1994) shared accounting architecture that was proposed to compensate router owners for passing the packets of other entities.
Cooperating router nodes would count packets passed between them, and occasionally, they would send "number" money packets back and forth to reset the counters. These paid-for resets would cause charges to trickle across to big users, and money towards working routers. Defences against cheating/fraud were limited to signed notifications of balances and a simple payment system.
DSR is like LETS for routers. As a thought experiment in multi-agent accounting, it is interesting for its influence on later micropayment systems (Mojo Nation?), but it assumes pre-commercial net-style honest behaviour and the absence of competition. It also suffers somewhat from the cool engineering approach ("the silk road was so cool, let's rebuild it") that always gets steamrollered by markets and marketing.
E.g., FedEx beats the original silk road, as does a host of other transport innovations such as trains, bulk container ships and blind men with canes. In today's Internet world, large corporations achieve internal Coasian efficiencies by owning thousands of routers and not doing internal charging, but collecting flat fees from customers.
Online Poker: Hold 'Em and Hide 'Em
By IAN URBINA Published: March 19, 2004
Ben sleeps five hours a night; the rest of the time he sits at his desk in his Brooklyn apartment playing online poker. He won $55,000 one recent evening, but in his tireless ambition for the $2.5 million world championship, this mild-mannered college graduate has become an outlaw in hiding and a twisting thorn in the side of Eliot Spitzer, the New York attorney general.
Ben quit his teaching job five months ago and now makes around $100 an hour. Five days a week, he clocks 10-hour shifts of Texas Hold 'Em on his Dell laptop computer. With reggae in the background and coffee mug in hand, he studies his competitors who sit in London, Copenhagen, Los Angeles and elsewhere, while the dealer in Costa Rica tosses cards.
A couple of blocks away, a slightly less-skilled friend of Ben's named Jimmy also works busily. While Ben plays high-stakes tournaments with pots topping $70,000, Jimmy is what is known as a "grinder" - he works the smaller virtual tables, specializing in cheaper and less risky play, but keeping three games going at all times, nickel and diming his way to decent earnings. In the past four months, Jimmy says that he made $30,000.
Ben and Jimmy would only speak to a reporter if their last names stayed out of the newspaper. That's not surprising, because they are the human faces on the wrong end of Mr. Spitzer's public campaign to shut down the hugely profitable online gambling industry.
Although they asked for anonymity, the two men say they are not hugely worried about Mr. Spitzer's campaign, despite the attorney general's relative success.
To spend the afternoon with these players is to enter a world where, at any hour and with a little luck and a touch of skill, decent wages can be had without ever changing out of one's pajamas or leaving the comfort of one's own couch. But to get there means venturing just across the border of legality. Since 2002, Mr. Spitzer has succeeded in getting more than 10 major financial institutions, including Citibank and PayPal, one of the largest Internet money transfer companies, to stop processing gambling transactions. But he has been unable to prosecute the Web site operators, most of whom are offshore, and hard pressed to arrest online gamblers because they are dispersed all over. Instead, he has tried to seal off the financial pipeline connecting the two.
In recent months, federal prosecutors from around the country have joined the effort by threatening to prosecute on charges of aiding and abetting any businesses in the United States that provide advertising and financial services to illegal Internet casinos. As a result of the pressure, several large media operations - including Infinity Broadcasting, Clear Channel Communications and the Discovery Networks - have stopped running advertisements for offshore Internet casinos.
Jimmy said the attorney general's efforts have made his life a tiny bit more complicated. "It used to take me one mouse click; now it takes two," he said. He simply shifted to Net Teller, a Canadian equivalent of PayPal, to buy chips. Ben mails a cashier's check to his poker Web site in Antigua.
Lee Jones, online manager of one of the most popular sites, Pokerstars.com, says 10,000 players can be found on the site at any given time. "Our players tend to be a pretty loyal bunch," he said.
Some are more addicted than loyal. Steve, a Long Island lawyer who like the others did not want to give his last name, said he still owed a $15,000 credit-card debt to an online poker site. Having already kicked a 10-year gambling habit, Steve fell back into poker after his wife bought a computer.
"It's not a temptation you want in my living room," he said.
Willie J., a Manhattan businessman, began attending Gamblers Anonymous meetings two years ago, after finding himself $45,000 in the red. "I had 12 credit cards and had memorized all their numbers and expiration dates," he said. "That's when I knew I was in serious trouble."
As an industry, online gambling has obvious profit potential. While casinos in Las Vegas pour hundreds of millions of dollars into show-stopping hotels, Web sites require not a drop of mortar nor one cent for lounge acts and cheap buffets. What Web sites lack in pizazz, they make up in convenience, as customers can play a quick round of $100 blackjack seconds after rolling out of bed.
Mr. Spitzer decided to clamp down on the industry in 1999 after his office won a precedent-setting case involving an Internet casino. The Web site's operators, World Interactive Gaming Corporation, based in Suffolk County, claimed they should not be subject to New York gambling laws, since their Internet servers were licensed in Antigua. However, the State Supreme Court ruled that the Caribbean location was irrelevant, since the actual transmission of information from New York via the Internet constituted gambling activity within the state.
This ruling may, in the long run, doom New York online bettors, said Ken Dreifach, chief of the state attorney general's Internet bureau.
On the federal level, online gambling remains uncharted legal territory. Many legal scholars point to the 1961 Wire Act, which makes it a crime to use a wire for transmitting betting information across state or national boundaries. But it makes no mention of the Internet and is typically viewed as being limited to sports betting. Legislation pending before Congress could amend the Wire Act to include restrictions on Internet gambling, said I. Nelson Rose, a law professor at Whittier Law School in California.
Historically, gambling regulation has fallen to the states, but few besides New York have aggressively confronted its online form, perhaps because of enforcement difficulties. Bradley J. Gibbs, a lawyer with Heller Erhman, a law firm that has handled online gambling litigation, said "arresting grandmothers and 12-year-old computer users is a sure public-relations disaster."
Mr. Dreifach says his office found an effective weak spot when it focused on the flow of online funds. The tactic also made sense, he said, because most credit-card companies processing these transactions are in New York City.
By reprogramming a couple of lines of software, Mr. Dreifach said, the code corresponding to these sites was blocked. But the effectiveness of such blocks remains to be seen. "If money is flowing, tunnels dig themselves," Professor Rose said.
Mr. Dreifach is confident his work has made its mark. In 1999 profits from online gambling were estimated at $3 billion, with indications that the number would double within three years, Mr. Dreifach said. The estimate still lingers around $3 billion, he said.
"I think we had a big part in cutting off the growth," he said.
Some poker players actually support the idea of making online gambling illegal. But they do not believe poker is a form of gambling.
"It's a game of skill, not of chance," Jimmy said. But in the eyes of the law, Mr. Dreifach said, gambling includes all games in which chance outweighs skill. "I don't know about you," he said, "but for most of us, poker is certainly a game of chance."
"Emerging economic P2P applications share the common need for an efficient, secure payment mechanism. In this paper, we present PPay, a micropayment system that exploits unique characteristics of P2P systems to maximize efficiency while maintaining security properties. We show how the basic PPay protocol far outperforms existing micropayment schemes, while guaranteeing that all coin fraud is detectable, traceable and unprofitable. We also present and analyze several extensions to PPay that further improve efficiency."
I wouldn't normally bother with a micropayments scheme, as the economics are generally woeful. This design would be in the same basket of microeggs ("even if they hatch, they ain't worth counting") as it has a fairly impractical hack in it to achieve scalability where other micropayment schemes allegedly fall short (!!).
Ricardo does much better, as it scales down to all known applications, as well as up. But, there is one aspect in there that Ricardo aficionados will recognise, and, dare I say it, drool over, so I'm adding it FTR ("for the record").
A good article on the tracking of terror cells, drawing on some weaknesses in cell commsec. The article appears, and purports, to be complete, only because the methods described have already been rendered useless: a new weapon, a new defence. Anti-terror battles are like that; this shows how much more effective police-style investigation is against terrorism than a military posture.
http://www.iht.com/articles/508783.html
Terror network was tracked by cellphone chips
Don Van Natta Jr. and Desmond Butler/NYT
Thursday, March 4, 2004
How cellphones helped track global terror web
LONDON The terrorism investigation code-named Mont Blanc began almost by accident in April 2002, when authorities intercepted a cellphone call that lasted less than a minute and involved not a single word of conversation.
Investigators, suspicious that the call was a signal between terrorists, followed the trail first to one terror suspect, then to others, and eventually to terror cells on three continents.
What tied them together was a computer chip smaller than a fingernail. But before the investigation wound down in recent weeks, its global net caught dozens of suspected Qaeda members and disrupted at least three planned attacks in Saudi Arabia and Indonesia, according to counterterrorism and intelligence officials in Europe and the United States.
The investigation helped narrow the search for one of the most wanted men in the world, Khalid Shaikh Mohammed, who is accused of being the mastermind of the Sept. 11 attacks, according to three intelligence officials based in Europe. The U.S. authorities arrested Mohammed in Pakistan last March.
For two years, investigators now say, they were able to track the conversations and movements of several Qaeda leaders and dozens of operatives after determining that the suspects favored a particular brand of cellphone chip. The chips carry prepaid minutes and allow phone use around the world.
Investigators said they believed that the chips, made by Swisscom of Switzerland, were popular with terrorists because they could buy the chips without giving their names.
"They thought these phones protected their anonymity, but they didn't," said a senior intelligence official based in Europe. Even without personal information, the authorities were able to conduct routine monitoring of phone conversations.
A half-dozen senior officials in the United States and Europe agreed to talk in detail about the previously undisclosed investigation because, they said, it was completed. They also said they had strong indications that terror suspects, alert to the phones' vulnerability, had largely abandoned them for important communications and instead were using e-mail, Internet phone calls and hand-delivered messages.
"This was one of the most effective tools we had to locate Al Qaeda," said a senior counterterrorism official in Europe.
The officials called the operation one of the most successful investigations since Sept. 11, 2001, and an example of unusual cooperation between agencies in different countries. Led by the Swiss, the investigation involved agents from more than a dozen countries, including the United States, Pakistan, Saudi Arabia, Germany, Britain and Italy.
In 2002, the German authorities broke up a cell after monitoring calls by Abu Musab al-Zarqawi, who has been linked by some top U.S. officials to Al Qaeda, in which he could be heard ordering attacks on Jewish targets in Germany. Since then, investigators say, Zarqawi has been more cautious.
"If you beat terrorists over the head enough, they learn," said Colonel Nick Pratt, a counterterrorism expert and professor at the George C. Marshall European Center for Security Studies in Garmisch-Partenkirchen, Germany. "They are smart."
Officials say that on the rare occasions when operatives still use mobile phones, they keep the calls brief and use code words.
"They know we are on to them and they keep evolving and using new methods, and we keep finding ways to make life miserable for them," said a senior Saudi official. "In many ways, it's like a cat-and-mouse game."
Some Qaeda lieutenants used cellphones only to arrange a conversation on a more secure telephone. It was one such brief cellphone call that set off the Mont Blanc investigation.
The call was placed on April 11, 2002, by Christian Ganczarski, a 36-year-old Polish-born German Muslim who the German authorities suspected was a member of Al Qaeda. From Germany, Ganczarski called Khalid Shaikh Mohammed, said to be Al Qaeda's military commander, who was running operations at the time from a safe house in Karachi, Pakistan, according to two officials involved in the investigation.
The two men did not speak during the call, counterterrorism officials said. Instead, the call was intended to alert Mohammed of a Qaeda suicide bombing mission at a synagogue in Tunisia, which took place that day, according to two senior officials. The attack killed 21 people, mostly German tourists.
Through electronic surveillance, the German authorities traced the call to Mohammed's Swisscom cellphone, but at first they did not know it belonged to him. Two weeks after the Tunisian bombing, the German police searched Ganczarski's house and found a log of his many numbers, including one in Pakistan that was eventually traced to Mohammed. The German police had been monitoring Ganczarski because he had been seen in the company of militants at a mosque in Duisburg, and last June the French police arrested him in Paris.
Mohammed's cellphone number, and many others, were given to the Swiss authorities for further investigation. By checking Swisscom's records, Swiss officials discovered that many other Qaeda suspects used the Swisscom chips, known as Subscriber Identity Module, or SIM cards, which allow phones to connect to cellular networks.
For months the Swiss, working closely with counterparts in the United States and Pakistan, used this information in an effort to track Mohammed's movements inside Pakistan. By monitoring the cellphone traffic, they were able to get a fix on Mohammed, but the investigators did not know his specific location, officials said.
Once Swiss agents had established that Mohammed was in Karachi, the U.S. and Pakistani security services took over the hunt with the aid of technology at the U.S. National Security Agency, said two senior European intelligence officials. But it took months for them to actually find Mohammed "because he wasn't always using that phone," an official said. "He had many, many other phones."
Mohammed was a victim of his own sloppiness, said a senior European intelligence official. He was meticulous about changing cellphones, but apparently he kept using the same SIM card.
In the end, the authorities were led directly to Mohammed by a CIA spy, the director of central intelligence, George Tenet, said in a speech last month. A senior U.S. intelligence official said this week that the capture of Mohammed "was entirely the result of excellent human operations."
When Swiss and other European officials heard that U.S. agents had captured Mohammed last March, "we opened a big bottle of Champagne," a senior intelligence official said.
Among Mohammed's belongings, the authorities seized computers, cellphones and a personal phone book that contained hundreds of numbers. Tracing those numbers led investigators to as many as 6,000 phone numbers, which amounted to a virtual road map of Al Qaeda's operations, officials said.
The authorities noticed that many of Mohammed's communications were with operatives in Indonesia and Saudi Arabia. Last April, using the phone numbers, officials in Jakarta broke up a terror cell connected to Mohammed, officials said.
After the suicide bombings of three housing compounds in Riyadh, Saudi Arabia, on May 12, the Saudi authorities used the phone numbers to track down two "live sleeper cells." Some members were killed in shootouts with the authorities; others were arrested.
Meanwhile, the Swiss had used Mohammed's phone list to begin monitoring the communications and activities of nearly two dozen of his associates. "Huge resources were devoted to this," a senior official said. "Many countries were constantly doing surveillance, monitoring the chatter."
Investigators were particularly alarmed by one call they overheard last June. The message: "The big guy is coming. He will be here soon."
An official familiar with the calls said, "We did not know who he was, but there was a lot of chatter." Whoever "the big guy" was, the authorities had his number. A Swisscom chip was in the phone.
"Then we waited and waited, and we were increasingly anxious and worried because we didn't know who it was or what he had intended to do," an official said.
But in July, the man believed to be "the big guy," Abdullah Oweis, who was born in Saudi Arabia, was arrested in Qatar. "He is one of those people able to move within Western societies and to help the mujahedeen, who have lesser experience," an official said. "He was at the very center of the Al Qaeda hierarchy. He was a major facilitator."
In January, the operation led to the arrests of eight people accused of being members of a Qaeda logistical cell in Switzerland.
Some are suspected of helping with the suicide bombings of the housing compounds in Riyadh, which killed 35 people, including eight Americans.
Later, the European authorities discovered that Mohammed had contacted a company in Geneva that sells Swisscom phone cards. Investigators said he ordered the cards in bulk.
The New York Times
Copyright © 2003 The International Herald Tribune
What surprises me is that no-one is asking why we think the government can do a better job with centralised security than the rest of us can do by ourselves. Whoops! Spoke too soon - Bruce Schneier writes about exactly that in Security Risks of Centralization.
Security Risks of Centralization
In discussions with Brill, he regularly said things like: "It's obviously better to do something than nothing." Actually, it's not obvious. Replacing several decentralized security systems with a single centralized security system can actually reduce the overall security, even though the new system is more secure than the systems being replaced.
An example will make this clear. I'll postulate piles of money secured by individual systems. The systems are characterized by the cost to break them. A $100 pile of money secured by a $200 system is secure, since it's not worth the cost to break. A $100 pile of money secured by a $50 system is insecure, since an attacker can make $50 profit by breaking the security and stealing the money.
Here's my example. There are 10 $100 piles, each secured by individual $200 security systems. They're all secure. There are another 10 $100 piles, each secured by individual $50 systems. They're all insecure.
Clearly something must be done.
One suggestion is to replace all the individual security systems by a single centralized system. The new system is much better than the ones being replaced; it's a $500 system.
Unfortunately, the new system won't provide more security. Under the old systems, 10 piles of money could be stolen at a cost of $50 per pile; an attacker would realize a total profit of $500. Under the new system, we have 20 $100 piles all secured by a single $500 system. An attacker now has an incentive to break that more-secure system, since he can steal $2000 by spending $500 -- a profit of $1500.
The problem is centralization. When individual security systems are combined in one centralized system, the incentive to break that new system is generally higher. Even though the centralized system may be harder to break than any of the individual systems, if it is easier to break than ALL of the individual systems, it may result in less security overall.
There is a security benefit to decentralized security.
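Schneier's piles-of-money argument carried through as a small model (an added example, not part of his essay or of this post): each pile is a (value, cost-to-break) pair, the attacker breaks a system only when the take exceeds the cost, and the central system must cost at least the total value minus what attackers already take today to avoid making things worse.

```python
# Economic model behind the centralization argument. Constructed for this
# page; the numbers in the demo are Schneier's, the functions are general.


def attacker_profit(value: int, break_cost: int) -> int:
    """A rational attacker only breaks a system when the take exceeds the cost."""
    return max(0, value - break_cost)


def decentralized_profit(piles: list) -> int:
    """piles: list of (value, break_cost); each pile is attacked independently."""
    return sum(attacker_profit(value, cost) for value, cost in piles)


def centralized_profit(piles: list, system_cost: int) -> int:
    """One system guards everything, so one break-in takes every pile."""
    total_value = sum(value for value, _ in piles)
    return attacker_profit(total_value, system_cost)


def minimum_central_cost(piles: list) -> int:
    """Cheapest central system that leaves the attacker no better off than today.

    Anything cheaper than (total value - profit already available) increases
    the attacker's incentive, even if it beats every individual system.
    """
    total_value = sum(value for value, _ in piles)
    return total_value - decentralized_profit(piles)


def compare(piles: list, system_cost: int) -> dict:
    """Summarise both arrangements for a proposed central system."""
    return {
        "decentralized_profit": decentralized_profit(piles),
        "centralized_profit": centralized_profit(piles, system_cost),
        "minimum_central_cost": minimum_central_cost(piles),
        "worse_than_today": centralized_profit(piles, system_cost)
        > decentralized_profit(piles),
    }


if __name__ == "__main__":
    # Schneier's example: ten $100 piles behind $200 systems, ten behind $50 systems.
    schneier = [(100, 200)] * 10 + [(100, 50)] * 10
    print(compare(schneier, 500))
```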
Bruce Schneier's cryptogram pointed at the controversial new program that encourages US companies to share their vulnerability information with the Department of Homeland Defense.
It's a bit long to post, but it's well worth reading if one is interested in public & critical infrastructure protection. The bottom line: the new legal protection will probably cause more trouble than it's worth, and may make things more insecure:
U.S. info-sharing program draws fire
By Kevin Poulsen, SecurityFocus Feb 20 2004 6:08PM
A long-anticipated program meant to encourage companies to provide the federal government with confidential information about vulnerabilities in critical systems took effect Friday, but critics worry that it may do more harm than good.
The so-called Protected Critical Infrastructure Information (PCII) program allows corporations who run key elements of U.S. infrastructure -- energy firms, telecommunications carriers, financial institutions, etc. -- to submit details about their physical and cyber vulnerabilities to a newly-formed office within the Department of Homeland Security, with legally-binding assurances that the information will not be used against them or released to the public.
The program implements controversial legislation that bounced around Capitol Hill for years before Congress passed it in the wake of the September 11 attacks as part of the Homeland Security Act of 2002. Security agencies have long sought information about vulnerabilities and likely attack points in critical infrastructures, but have found the private sector reluctant to share, for fear that sensitive or embarrassing information would be released through the Freedom of Information Act (FOIA).
As of Friday, federal law now protects that vulnerability information from disclosure through FOIA, and makes it illegal for government workers to leak it, provided companies follow certain procedures and submit the data to the new PCII office.
....
Convergence of accounting standards by 2005 is anything but a sure thing, thanks to opposition by Europe's banking sector.
Ed Zwirn, CFO.com February 20, 2004
Will opposition from Europe's banking sector leave the world's two biggest markets operating by different rules?
The International Accounting Standards Board (IASB) is apparently digging in its heels on marking derivatives to market. But the European Union may refuse to go along. Companies needing to access capital markets in both the United States and Europe, as a result, might have to continue to account for their business by using both U.S. GAAP and International Financial Reporting Standards beyond the Jan. 1, 2005 deadline for convergence.
On Wednesday, the IASB rejected calls from bankers that IAS39 either be scrapped or substantially revised. IAS39 is Europe's answer to FAS133, the U.S. accounting standard, which requires derivatives be marked to market. EU officials have cast doubt on whether they will make the standard mandatory when it makes IFRS mandatory on Jan. 1.
IASB has issued a standard on another controversial issue, ruling that EU companies must expense stock options. Another apparent sticking point for convergence is how to best record tax benefits for employee stock-based compensation.
Earlier this month, Fritz Bolkestein, internal market commissioner of the EU, warned that the EU might have to shelve mandatory compliance of IAS39 when IFRS becomes mandatory at the beginning of 2005 if the IASB does not reach some kind of agreement with the EU.
Donald Nicolaisen, the SEC chief accountant, said the IASB proposals already on the table were of "high standard" and that he would withdraw his support for accepting the IASB filings of companies listing in the United States if they were not adopted. "Derivatives are widely used today and you need a way to account for them," he said after Bolkestein's comments. "Without that, the [accounting] standards are not complete and I wouldn't be in support of accepting filings where they don't have it."
Despite heavy lobbying from European banks and the EU's European Commission on derivatives, the board refuses to change its position. As a result, sources cited by EUPolitix.com say, banks will still manage their risk portfolios as they always have. But they will be forced to make figures fit IASB requirements, a development that will be more costly and will reduce the reliability of accounting figures.
Over on the DGCChat list, where new currency engineers haunt, squabble, and rebuild the financial system every Sunday, the question of "backing" has arisen.
Economists in the field of money issuance have long known that "backing" is an imprecise term, and they insist on definitions whenever they feel dialogue becomes contaminated by the word.
One plausible response is to avoid use of the word, but, as frequently pointed out, the rest of the world declines the forbearance. For this reason, I use the following definition:
Backing is the sum total of all assets that give rise to value in an issue.
Assets, in the context, include physicals (metals) and balances (cash) held at institutions, as well as intangibles like reputation, and non-physicals like future cash flow.
Reserves, then, are tangible or accountable assets that are held in escrow for the sole purpose of backing an issue. E.g., the gold held by a DGC counts as reserves, and these reserves are perhaps the major component of backing for a DGC.
Additional components of backing include reputation, faith in governance structures, law, and various derivatives such as tax receipts or a book of business. Also included might be network effects such as customers holding an issue and using it for that purpose - their expectations have momentum, and that helps the value, albeit in a fashion that might be thought of as circular.
It is, then, right and proper to say that the US dollar is backed by the-full-faith-and-credit-of-the-United-States-government (said very fast), as well as by an expectation of future receipts (which might be the same thing!).
Pelle writes: The old NeuClear web site has been replaced by a much improved collaborative wiki style web site.
I am trying to document the concepts, applications as well as legal and governance aspects of NeuClear.
Please feel free to register, comment and even write articles or snippets.
If there is interest I will setup a general purpose financial cryptography space within the site.
Civilian Capital has entered the market for Hollywood film productions as IPOs. In Civilian's case, each film is produced by a single-film company that lists on the over-the-counter bulletin board market run by the NASD (a sort of basic NASDAQ, called OTCBB).
Originally, doing such projects as IPOs was mooted in discussions surrounding Idea Futures, Eric Hughes' piracy talk, and my own task market.
The basic assumption was that most tasks of interest can't cover the 1/2 million dollar surcharge that the regulated markets impose on access to the public. Our new breed of digital issuances reduces that cost by an order of magnitude or more, depending on the details.
That assumption's not challenged by Civilian - they are simply providing a brokerage which promotes and retails these special purpose IPOs to film entrepreneurs. It will be interesting to see how low the listing cost of Civilian's film IPOs go, via the conventional markets and regulatory filings.
For those obsessed by celluloid, check out the SEC filing for the first film/IPO: Billy Dead, Inc.
John Snow, the US Treasury Secretary, has stated that the US Government no longer stands behind Fannie Mae and Freddie Mac. (1, below, 2, 3)
This takes me back to the late eighties, when the Old Lady's Governor announced that the Bank of England would no longer necessarily bail out a bank just because it was a bank. Many years later, driving back after b-school, I heard Eddie George on the radio announcing the bankruptcy and immediate wind-up of Barings Bank.
Barings was old and venerable, but tiny. A ripple in the pond. Fannie Mae and Freddie Mac are ... none of that!
WASHINGTON (Reuters) - U.S. Treasury Secretary John Snow took direct aim Tuesday at mortgage finance firms Fannie Mae and Freddie Mac, repeating previous warnings to investors that government-sponsored enterprises are not financially backed by the U.S. government.
"We don't believe in a 'too big to fail' doctrine, but the reality is that the market treats the paper as if the government is backing it. We strongly resist that notion," he said in prepared remarks before a bankers group here.
"You know there is that perception. And it's not a healthy perception and we need to disabuse people of that perception. Investments in Fannie (FNM: Research, Estimates) and Freddie (FRE: Research, Estimates) are uninsured investments," he said.
...
I just received my first well written, properly spelt, Nigerian fraud letter - and they've moved to Britain! Of course it is the same old same old concept. Text is below if you are even the slightest bit interested.
My name is Becky J. Harding, I am a senior partner in the firm of Midland Consulting Limited: Private Investigators and Security Consultants. We are conducting a standard process investigation on behalf of HSBC, the International Banking Conglomerate.
This investigation involves a client who shares the same surname with you and also the circumstances surrounding investments made by this client at HSBC Republic, the Private Banking arm of HSBC. The HSBC Private Banking client died intestate and nominated no successor in title over the investments made with the bank. The essence of this communication with you is to request you provide us information/comments on any or all of the four issues:
1-Are you aware of any relative/relation who shares your same name whose last known contact address was Brussels Belgium?
2-Are you aware of any investment of considerable value made by such a person at the Private Banking Division of HSBC Bank PLC?
3-Born on the 1st of October 1941
4-Can you establish beyond reasonable doubt your eligibility to assume status of successor in title to the deceased?
It is pertinent that you inform us ASAP whether or not you are familiar with this personality that we may put an end to this communication with you and our inquiries surrounding this personality.
You must appreciate that we are constrained from providing you with more detailed information at this point. Please respond to this mail as soon as possible to afford us the opportunity to close this investigation.
Thank you for accommodating our enquiry.
Becky J. Harding.
For: Midland Consulting Limited.
10/03/2004
Not very, if the Iowa Electronic Markets following the Iowa "primary" for the US election are to be believed.
Barry L. Ritholtz's Big Picture blog observed recently that the Iowa market didn't converge on the right answer until the last 24 hours. Hence these markets have no real predictive power ... goes the conclusion - they only act as an opinion poll of another flavour.
To some extent this is true - but the presence of money makes for a much more immediate feedback loop than is otherwise present in representative democratic voting. Few people can quantify the direct benefits to their pockets from voting in one or other choice, while everyone can quantify the result of being paid for being correct.
The continual opportunity to measure one's own prediction against the end result, for money, makes every voter into a profit maker. That's what makes the "market poll" idea special - suddenly, the voters have an incentive to recognise that even their own party is on the way out.
And that's what I'd suspect happened - looking at that graph, I wonder if the Dean supporters decided to let their monetary interests rule over their political preferences, and sold out as they got close to the day.
(practical comment: idea markets should be interpreted as contract trading markets in the FC sense, and then they make much more sense.)
Spitzer: PayPal to better disclose Internet buyers' rights
By MICHAEL GORMLEY
Associated Press Writer
March 8, 2004, 5:33 PM EST
ALBANY, N.Y. -- PayPal, the nation's largest online payment service, has agreed to start making sure Internet consumers get credit when their merchandise doesn't arrive, New York Attorney General Eliot Spitzer said Monday.
PayPal will pay New York state $150,000 in penalties and the cost of the investigation. The online payment service also will clearly describe consumer rights to its more than 25 million account members including conditions or limitations of the rights and reversals or refund policies.
Without the agreement, consumers using their credit cards for Internet purchases through payment services would not have been protected by the federal Fair Credit Billing Act and similar state laws. For example, consumers who didn't receive merchandise purchases through PayPal were often denied credit from either PayPal or American Express or Discover credit cards.
The credit card firms agreed to properly credit consumers in an agreement with Spitzer late last year. The firms are issuing "chargeback" credits to those who didn't receive credit for undelivered items.
"Protecting consumer rights in online transactions is the best way to establish and maintain confidence in electronic commerce," Spitzer said. "As with any new industry, it is essential that consumers making e-payments receive full disclosure of their rights and liabilities."
...
PayPal Probed for Anti-Fraud Efforts
Monday March 8, 11:51 am ET
WASHINGTON (Reuters) - Federal and state investigators are examining whether online payment service PayPal violated consumer-protection laws in its fight against online fraud, parent company eBay Inc. (NasdaqNM:EBAY - News) said on Monday.
PayPal sometimes freezes customer accounts while it investigates suspicious transactions, a practice that has generated complaints to consumer-protection authorities, the online auctioneer said in its annual report.
"As a result of customer complaints, PayPal has ... received inquiries regarding its restriction and disclosure practices from the Federal Trade Commission and the attorneys general of a number of states," the report said.
"If PayPal's processes are found to violate federal or state law on consumer protection and unfair business practices, it could be subject to an enforcement action or fines."
An FTC spokeswoman declined initial comment.
PayPal handled more than $12.2 billion in transactions in 2003 and has 40 million customer accounts, according to the annual report.
The rate of fraudulent PayPal transactions is less than one-half of one percent, eBay has said.
An eBay spokesman was not immediately available for comment.
© 2004 Reuters
A new Group of Thirty (G30) report, Enhancing Public Confidence in Financial Reporting, commissioned after the last few years' spate of corporate failures, has stated that it is Governance that has failed, not Accounting.
It is true that governance was the core failure in these cases. But accounting is asleep at the wheel, and asking not to be woken up right now is hardly useful.
Accounting, according to the G30 team, has integrity, which they drill down to mean these five criteria (see the doc for their definitions):
These things can be done better. Consistency and Neutrality are achieved by more and deeper automation - this is widely known.
Building on the former two, Reliability is then created by liberal dashes of crypto - sign and hash everything in sight.
Once these three things are in place, Relevance and Understandability follow with public disclosure: not the sort that the accountants are thinking about - regulated, limited, formally filed reports - rather the new, open and dynamic engagement with the scrutinising public. Detail that is *outside* the regulatory environment, records that are in excess of requirements, but contribute to making a fair and open picture of a corporation.
Not, as the accountants think, by reducing and simplifying the information so that the public can understand it, but the total reverse: more quantity and more quality, so the public can ascertain for themselves what is important.
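What "sign and hash everything" buys in practice, as an added example written for this post (not the G30's or any product's code): a hash-chained journal of accounting entries whose published head digest lets outside readers detect edits, reordering and silent truncation. The entries are constructed sample data; the HMAC under `key` is a stand-in for the issuer's signature, and a real deployment would use an asymmetric signature so the public can verify without the key.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # chain anchor: the "previous digest" of the first entry


def canonical(body: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(journal: list, key: bytes, payload: dict) -> dict:
    """Append one record, chained to the previous digest and authenticated."""
    prev = journal[-1]["digest"] if journal else GENESIS
    body = {"seq": len(journal), "prev": prev, "payload": payload}
    digest = hashlib.sha256(canonical(body)).hexdigest()
    # HMAC stands in for the issuer's signature (hypothetical stand-in only).
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    entry = dict(body, digest=digest, tag=tag)
    journal.append(entry)
    return entry


def head(journal: list) -> str:
    """Digest of the latest entry; this is the value that gets published."""
    return journal[-1]["digest"] if journal else GENESIS


def verify_journal(journal: list, key: bytes, expected_head: Optional[str] = None):
    """Return (True, None), or (False, reason) naming the first failing entry."""
    prev = GENESIS
    for i, entry in enumerate(journal):
        if entry["seq"] != i:
            return False, f"position {i}: entries reordered or missing"
        if entry["prev"] != prev:
            return False, f"seq {i}: chain link broken"
        body = {"seq": entry["seq"], "prev": entry["prev"], "payload": entry["payload"]}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        if digest != entry["digest"]:
            return False, f"seq {i}: payload altered"
        expected_tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, entry["tag"]):
            return False, f"seq {i}: authentication tag invalid"
        prev = digest
    # Without a published head, dropping the newest entries is undetectable.
    if expected_head is not None and prev != expected_head:
        return False, "journal truncated or head does not match published digest"
    return True, None


def build_demo_journal(key: bytes) -> list:
    """Constructed sample entries (not real accounts)."""
    journal = []
    append_entry(journal, key, {"account": "cash", "debit": 500, "memo": "invoice 17"})
    append_entry(journal, key, {"account": "sales", "credit": 500, "memo": "invoice 17"})
    append_entry(journal, key, {"account": "cash", "credit": 120, "memo": "rent"})
    return journal


def tamper_scenarios(key: bytes) -> dict:
    """Run the verifier over tampered copies; return the verifier's verdict per case."""
    journal = build_demo_journal(key)
    published = head(journal)
    results = {"intact": verify_journal(journal, key, published)}

    edited = copy.deepcopy(journal)
    edited[0]["payload"]["debit"] = 5000  # quiet edit, digest left alone
    results["edited"] = verify_journal(edited, key, published)

    rehashed = copy.deepcopy(journal)  # edit plus recomputed digest, but no key
    rehashed[0]["payload"]["debit"] = 5000
    body = {k: rehashed[0][k] for k in ("seq", "prev", "payload")}
    rehashed[0]["digest"] = hashlib.sha256(canonical(body)).hexdigest()
    results["rehashed"] = verify_journal(rehashed, key, published)

    results["truncated"] = verify_journal(journal[:-1], key, published)

    swapped = [journal[1], journal[0], journal[2]]
    results["swapped"] = verify_journal(swapped, key, published)
    return results


if __name__ == "__main__":
    for case, verdict in tamper_scenarios(b"constructed-demo-key").items():
        print(f"{case:10s} {verdict}")
```

Had the tamperer also held the key, the recomputed digest in the "rehashed" case would still break entry 1's `prev` link, which is the chain doing its job.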
Why don't accountants think in these terms? I'd stab at this: they can't move because of the momentum of current practice and regulations. Which explains why the new trends appear in unregulated sectors such as DGCs, or previously unlisted companies such as eBay which reveals detailed statistics of its auction business.
A working group on anti-phishing was formed late last year, and now publishes the first attempts (that I have seen) at hard statistics on the epidemic in their monthly Phishing Attack Trends Report.
The report has one salient number: 176 unique phishing attacks in January, up from 116 the previous month. Another document listed on that site (FTC's National and State Trends in Fraud and Identity Theft) showed a figure of $200 million lost in Internet related fraud over the year 2003.
Worth a read, if looking for hard info on phishing. As the WG has just been formed, and stats only go back a few months, it's too early to tell whether this is the collection ramping up, or we are in the middle of an explosion. The FTC's $200m doesn't drill down any further, so phishing will be some small percentage of that number.
(I'm not sure why the WG publishes in PDF, instead of HTML. It seems that they are reaching to bureaucrats and marketeers rather than techies, which is a worrying sign.)
A "solution" to Phishing called PassMarks has been proposed.
The solution claims that the site should present an individualised image, the PassMark, to each account on login. Unfortunately, this won't work.
Phishing involves interposing the attacking site as a spoof between the client's browser and the target site. The spoofing site simply copies the registration details across to the main website, and waits for the PassMark image to come back. And then copies the image back to the user's browser.
The flaw in their analysis may have been that they didn't realise that almost all phishing totally bypasses SSL. Of course. Or, maybe they didn't realise that the attackers are intelligent, and modify their approach to cope with the system under attack. Easy mistake to make, one supposes.
The analysis we've done still stands - what is needed to secure browsing against (current day, validated) threats like phishing is to modify the existing underutilised SSL infrastructure in these fairly minor ways:
The analysis is long, complex and not written down in full. You can see something of the story on the SSL page.
Further references: The anti-phishing WG's resources page has some potentially useful stuff. Simon's blog entry on PassMark put me on to this product, and also this fair overview by Scott Loftesness.
In the Chinese curse department, Simon's blog also reports that the Dutch tax authorities are now charging to accept cash for tax payments.
As he points out, this is the thin end of the wedge; when the government stops supporting its own free loans from the people, they start thinking about alternates.
This is like that old Chinese curse - be careful what you wish for, you might get it... This is not the first step. For a long time, governments have been adding barriers and restrictions to cash transactions of larger value.
Great news for alternate currency fans.
PrisonPlanet reports that RFIDs are being used in new US notes! Read on for surprising results.
Is this a spoof or the birth of a new urban legend? If you have nothing better to do, read slashdot's opinion, which amongst much chit chat suggests that this is not RFIDs:
RFID Tags in New US Notes Explode When You Try to Microwave Them
Adapted from a letter sent to Henry Makow Ph.D.
Want to share an event with you, that we experienced this evening.. Dave had over $1000 dollars in his back pocket (in his wallet). New twenties were the lion's share of the bills in his wallet. We walked into a truck stop/travel plaza and they have those new electronic monitors that are supposed to say if you are stealing something. But through every monitor, Dave set it off. He did not have anything to purchase in his hands or pockets. After numerous times of setting off these monitors, a person approached Dave with a 'wand' to swipe why he was setting off the monitors.
Believe it or not, it was his 'wallet'. That is according to the minimum wage employees working at the truck stop! We then walked across the street to a store and purchased aluminum foil. We then wrapped our cash in foil and went through the same monitors. No monitor went off.
We could have left it at that, but we have also paid attention to the European Union and the 'rfid' tracking devices placed in their money, and the blatant bragging of Walmart and many corporations of using 'rfid' electronics on every marketable item by the year 2005.
Dave and I have brainstormed the fact that most items can be 'microwaved' to fry the 'rfid' chip, thus elimination of tracking by our government.
So we chose to 'microwave' our cash, over $1000 in twenties in a stack, not spread out on a carousel. Do you know what exploded on American money?? The right eye of Andrew Jackson on the new twenty, every bill was uniform in its burning... Isn't that interesting?
Now we have to take all of our bills to the bank and have them replaced, cause they are now 'burnt'.
We will now be wrapping all of our larger bills in foil on a regular basis.
What we resent is the fact that the government or a corporation can track our 'cash'. Credit purchases and check purchases have been tracked for years, but cash was not traceable until now...
Dave and Denise
I took the brave jump recently and stored all my DVDs in a caselogic case. For pure personal convenience, you understand.
232 was the final count. As I did this, I took the opportunity to weigh the cases (in their garbage bags, 60 per bag), with the notion of figuring out how much a film weighs. The less it weighs, the more convenient as a travelling companion!
This gave me a total mass of 78 grams per film, including standard cases. That's just the 20cm high case, not the battleship containers they come in, all well disposed of, mere minutes after purchase.
Toying around with these numbers, that gave me a collection mass of 18 kilograms (about 40 of those imperial pounds). But, by throwing out the packaging and sticking to sleeve books, this came down to 3.2kg, or, on a per DVD basis, a mass of 13.7g.
That's better than an 80% compression, mass-wise. Which got me thinking, what's the mass of a DVD on a hard drive? Uncompressed, you can get about 40 films on a 240G drive. The bathroom scales wouldn't budge with the drives I had to hand, so I stacked up 10 of them, and averaged back to about 400g (just under a pound), giving a per-film mass of about 10 grams.
But, if we add a compression ratio, we can get that right down! Say, 5 to 1 compression, which exists, so I'm told, and I can get the whole collection onto one single disk drive. Which leads to a DVD mass of about 1.7g per.
Putting an entire collection on a single drive makes a lot of sense. One can imagine the day when one wonders why PCs weren't the primary interface to movies. Selection of movie, display of the information, quick flick through the scenes, all this stuff makes much more consumer sense when considered magnetically, not with optics.
Which means that the PC takeover will happen, given time, and the patient efforts of programmers around the world.
(Veteran FCers will recognise the DRM link to FC here.) One of the things that I thought would give the film industry a breathing space to work out a DRM architecture was the brute data size of films. That, coupled with the lack of fat pipes for consumers, meant that copying DVDs was a marginal activity.
No longer. It may well be that Hollywood, as it is structured, is already caught in the trap that the music industry got itself stuck in (MP3s, ages ago). Which makes the news from tinsel town even more amusing: on the one hand we have the Passion's innovative channels, and $20 DVDs of interviews!!!
On the other, the FBI claims that DRM is priority number 3 for them. Who's thinking over there, and who's just changing the colour of the pretty lights? Hollywood can't even claim that their way is more convenient - retail DVDs are just too heavy to compete against the net.
| collection size | number of DVDs | in original packaging | in sleeved caselogic book | in disk drives | comments... |
|---|---|---|---|---|---|
| Total collection | 232 | 18.0 kg | 3.2 kg | (400g) | All of them... |
| single big drive worth of DVDs | 40 | 3.1 kg | 548 g | 400g | 240Gb - would need 5 drives |
| single drive, compressed | 240 | 18.6 kg | 3.2 kg | 400g | 240Gb @ 5:1 compression |
| per single DVD | 1 | 77.6g | 13.7g | 1.7g | mass per film |