June 30, 2004

Question on the state of the security industry

A question I posed on the cryptography mailing list: The phishing thing has now reached the mainstream, epidemic proportions that were feared and predicted on this list over the last year or two. Many of the "solution providers" are bailing in with ill-thought-out tools, presumably hoping to cash in on a buying splurge and turn the result into lucrative cash flows.

Sorry, the question's embedded further down...

In other news, Verisign just bailed in with a service offering [1]. This is quite cunning, as they have offered the service primarily as a spam protection service, with a nod to phishing. In this way they have something, a toe in the water, but they avoid the embarrassing questions about whatever happened to the last security solution they sold.

Meanwhile, the security field has been deathly silent. (I recently had someone from the security industry authoritatively tell me phishing wasn't a problem ... because the local plod said he couldn't find any!)

Here's my question - is anyone in the security field of any sort of repute being asked about phishing, consulted about solutions, contracted to build? Anything?

Or, are security professionals as a body being totally ignored in the first major financial attack that belongs totally to the Internet?

What I'm thinking of here is Scott's warning of last year [2]:

Subject: Re: Maybe It's Snake Oil All the Way Down
At 08:32 PM 5/31/03 -0400, Scott wrote:
...
>When I drill down on the many pontifications made by computer
>security and cryptography experts all I find is given wisdom.  Maybe
>the reason that folks roll their own is because as far as they can see
>that's what everyone does.  Roll your own then whip out your dick and
>start swinging around just like the experts.

I think we have that situation. For the first time we are facing a real, difficult security problem. And the security experts have shot their wad.

Comments?

iang


[1] Lynn Wheeler's links below if anyone is interested:
VeriSign Joins The Fight Against Online Fraud
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=25FLNINV0L5DCQSNDBCCKHQ?articleID=22102218
http://www.infoworld.com/article/04/06/28/HNverisignantiphishing_1.html
http://zdnet.com.com/2100-1105_2-5250010.html
http://news.com.com/VeriSign+unveils+e-mail+protection+service/2100-7355_3-5250010.html?part=rss&tag=5250010&subj=news.7355.5


[2] Sorry, I couldn't find the original email, but here's the thread, rooted at:
http://www.mail-archive.com/cpunks@minder.net/msg01435.html

Posted by iang at 06:55 AM | Comments (9) | TrackBack

Peppercoin - credit card facilitations

This article has finally pointed me in the right direction with Peppercoin. Call me slow, but the trick is to totally ignore the tech. Being a techie by nature, this does not come naturally; one keeps searching for a modicum of sense behind it.

Peppercoin are positioning themselves as yet another credit card facilitation company, like Paypal. In fact they are duplicating Paypal's business model to a T. First, swamp the space with lots of "cool tech" noise and bring out some versions: for Paypal, this was their long-forgotten Palm Pilot money feature, and for Peppercoin it is some statistically inspired token scheme. Second, buy customers: Paypal paid $10, then $5, using what looked like half their investment money to do this.

Third, migrate users from the cool tech to the basic tech and from the credit card to the debit card: web front end, everyone has an account, everyone feeds their account from their bank account. (Actually there's another step in there, between 2 and 3, but it doesn't add any to the explanation.)

Hey presto, we have a user base and a transaction flow and we're set for the billion dollar buyout.

It's not as silly as it seems. Banks have shown they can't do this, as have the credit card companies. Why not copy what worked in the past? Paypal did when they copied First Virtual and rectified their mistakes, and their recent actions leave them wide open for an alternate.



Yahoo! News
Credit Cards Enter the Micropayment Game
http://story.news.yahoo.com/news?tmpl=story&cid=528&e=2&u=/ap/20040628/ap_on_hi_te/micro_paying_with_plastic
Mon Jun 28,10:24 AM ET

By MARK JEWELL, AP Business Writer

BOSTON - If your image of a typical video-game arcade customer is a teenager emptying quarter-filled pockets into a machine to do battle with space aliens, think again. Today's high-tech games increasingly appeal to an older set. And soon those customers will be able to use credit or debit cards as a payment option.

These so-called "micropayments" are gaining currency on the Internet as a way to perform small-ticket transactions such as downloading a song or accessing other online content.

But most micropayment systems require customers to establish prepaid accounts, to get around the hassle and transactional costs of entering card information for each purchase.

Now, however, one player in the micropayments market, Peppercoin Inc., has come up with a system that also facilitates the more familiar way of buying things - by credit or debit card at the time of service.

One early customer is Incredible Technologies Inc., a manufacturer of coin-operated video games like the Golden Tee golf game. It has selected Peppercoin 2.0 to process credit card transactions in its future lineup of games, which will be able to take credit card swipes.

Peppercoin expects customers offering online music and other products will sign up for the service as well, said co-founder Perry Solomon.

The biggest obstacle to using credit cards for micropayments is the cost of transaction processing. Typically, a transaction costs 20 cents to a quarter, plus 2 percent to 3 percent of the price of the item being sold. For very inexpensive products, the transaction expense can wipe out any profit.

Peppercoin 2.0 has reduced the transaction expense to less than 10 cents, Solomon said.

With some sophisticated games costing a dollar or more to play, that cost structure is affordable.

The cost reduction is possible, he said, because of a patent-pending method of lumping together individual transactions into one transaction to reduce the cost to the merchant.

The method was devised by Ron Rivest and Silvio Micali, two Massachusetts Institute of Technology faculty members who are Peppercoin investors and board members.

With the average American's wallet now holding five credit cards, the micropayments market could increasingly turn in the direction Peppercoin is heading, said Ed Kountz, a technologies analyst at the research firm TowerGroup in Needham, Mass.

"Clearly, the ability to leverage an existing consumer habit - the credit card - we think is an important one," Kountz said.

Posted by iang at 06:15 AM | Comments (0) | TrackBack

June 28, 2004

Proceedings of 1st Annual BuggyWhip Conference

Not very much to do with FC, except perhaps a belated message to the conference of the same name, but the NYT has published a pre-mortem on the dying journals trade [1]. Of course, long predicted (I forget when), it should come as no surprise to anyone with an email address that expensive, published, peer-reviewed journals of academic papers are going the way of the buggy whip.



[1] http://www.nytimes.com/2004/06/26/books/26PUB.html
The New York Times June 26, 2004
A Quiet Revolt Puts Costly Journals on Web

By PAMELA BURDMAN

When Dr. Miguel Nicolelis, a neurobiologist at Duke University, decided to release a groundbreaking study in an upstart online journal, his colleagues were flabbergasted. The research, demonstrating how brain implants enabled monkeys to operate a robotic arm, was a shoo-in for acceptance in premier journals like Nature or Science.

"Usually you want to publish your best work in well-established journals to have the widest possible penetration," Dr. Nicolelis said. "My idea was the opposite. We need to open up the dissemination of scientific results." The journal Dr. Nicolelis chose - PLoS Biology, a publication of the Public Library of Science - aims to do just that by putting peer-reviewed scientific papers online free, at the Web site www.plosbiology.org.

The high subscription cost of prestigious peer-reviewed journals has been a running sore point with scholars, whose tenure and prominence depend on publishing in them. But since the Public Library of Science, which was started by a group of prominent scientists, began publishing last year, this new model has been gaining attention and currency within academia.

More than money and success is at stake. Free and widespread distribution of new research has the potential to redefine the way scientific and intellectual developments are recorded, circulated and preserved for years to come.

"Society pays for science," said Dr. Nicolelis, whose article in the October issue of PLoS got worldwide attention. "We have the technology, we have the expertise. Why is it that the only thing that has remained the same for 50 years is the way we publish our results? The whole system needs overhaul."

At the big-sticker end are publications like The Journal of Comparative Neurology, for which a one-year institutional subscription has a list price of $17,995. Access to Brain Research goes for $21,269, around the price of a Toyota Camry XLE.

According to the Association of Research Libraries, journal prices went up 215 percent from 1986 to 2003, while the consumer price index rose 63 percent.

Though the highest-priced journals are in the sciences, libraries have had to offset those price increases by buying fewer books, often in other disciplines like literature and the humanities, association officials and librarians at the University of California said.

For those plotting end runs around for-profit publishers, a prime target is the Amsterdam-based Elsevier, which publishes some 1,800 journals in science, medicine and technology, including Brain Research.

"Elsevier doesn't write a single article," said Dr. Lawrence H. Pitts, a neurosurgeon at the University of California at San Francisco and chairman of the faculty senate of the 10-campus system. "Faculty write the articles for them, faculty review the articles for them and faculty mostly edit the journals for them, and then we get to buy the journals back from a company that makes a very large profit."

Similar sentiments motivated the editors and entire editorial board, 27 people in all, of Elsevier's Journal of Algorithms to defect en masse recently to start a nonprofit competitor, ACM - Transactions on Algorithms - said David S. Johnson, one of the editors.

Elsevier's managing director, John Regazzi, says the problem is not Elsevier's prices, but tight university budgets that can't meet the increasing volume of research worthy of publication. "Very few of our customers pay list price across all of their collections," he said. "If you look at the full cost of what an institution pays and you look at the number of downloads by users of the system, you're basically looking at $2 to $3 articles. We have a wide range of options for how universities can decide to subscribe." The company's pretax profit for the last three years has been between 30 and 34 percent, Mr. Regazzi said.

But more and more academics are viewing traditional publishers as obstacles to wide dissemination of studies paid for by public monies. Several open access alternatives are being hotly debated in academic online discussion groups and in the mainstream science press. The criticism even extends to some nonprofit publications, like the journal Science, which nearly tripled prices for its largest subscribers over the last two years.

Late last year, two scientists at the University of California at San Francisco called for a global boycott by authors and editors of six molecular biology journals published by Elsevier. They timed the campaign to coincide with the moment that the University of California system was renegotiating its contract with the company.

"The mission and mandate of scientific publishing is to provide a formal record of scientific discovery, not to make publishing companies rich or editors famous," said one of the organizers, Keith R. Yamamoto, a prominent microbiologist and the vice dean for research.

Since University of California professors write, vet and edit a significant portion of Elsevier's wares, a deal was struck. The public university system reduced its bulk cost for online and print access to about 1,200 journals from $10.3 million last year to just $7.7 million annually for the next five years, according to published reports confirmed by Daniel Greenstein, the librarian of the university system. Other prestigious, but smaller universities are pursuing a different strategy.

"We have been cutting Elsevier journals and other for-profit journals as their prices have risen higher than inflation," said Michael Keller, the university librarian at Stanford. "The result is a fairly limited list - 400 Elsevier subscriptions."

PLoS became a publisher last year following a failed campaign to persuade journals to open up articles within six months of publication, said Michael B. Eisen, a computational biologist at Berkeley. Mr. Eisen is a co-founder of PLoS, with the biologist Dr. Patrick O. Brown of Stanford and Dr. Harold E. Varmus, a Nobel laureate who is chief executive of Memorial Sloan-Kettering Cancer Center in New York and former director of the National Institutes of Health.

The editors of PLoS follow normal peer review procedures. For revenue, they rely on author fees of up to $1,500 per article (typically drawn from research monies), voluntary university memberships, and grants. Although these voluntary university memberships can run into the thousands, Mr. Eisen said, the advantage is unlimited public access to priceless intellectual heritage.

But Mr. Keller of the Stanford libraries, who produces the online versions of Science and about 360 other nonprofit journals through Stanford's HighWire Press, argues that the voluntary memberships are just subscriptions in disguise.

Dr. Nicolelis's appearance in PLoS Biology's debut issue helped vindicate this new model. PLoS has since attracted papers from leading lights in science like Dr. Robert Sapolsky, a Stanford researcher and a winner of a MacArthur "genius" award. Wired magazine also favored the founders with an award in April for "cracking the spine of the science cartel."

Traditional publishers hint that despite their new cachet, open access publications aren't sustainable in the long run. PLoS Biology and the new PLoS Medicine, due out this fall, are heavily subsidized by grants.

Dr. Alan I. Leshner, chief executive of the American Association for the Advancement of Science, says his publication, Science, already coping with the loss of print subscribers and advertisers, would have to charge authors $10,000 an article to survive in the open access mode. He also noted that revenues from Science - which was started by Thomas Edison - support some of association's programs, including one to provide free access to scientists in the developing world.

"I agree with the motivation," Dr. Leshner said, but added, "We just can't throw away a business model developed by Thomas Edison in 1880 based on `Trust me, it will work.' "

But to others, old models are precisely the problem. "Surely the combination of uncertainty and hope associated with this unproved model is vastly superior to the certainty and hopelessness that surrounds the current and failed commercial one," Mr. Greenstein of the University of California system wrote as part of a running debate about open access publishing on nature.com.

The pressure is beginning to have an effect. More publishers have begun opening their archives 6 to 12 months after publication. Molecular Biology of the Cell, published by the American Society for Cell Biology, now opens up its archives after two months, and as its editor-in-chief, Mr. Yamamoto hopes to convert the journal to open access soon. Even Elsevier made a recent concession to university libraries that are moving into digital publishing and archiving, offering blanket permission for authors to post their journal articles on their own institutions' Web sites.

"We're watching open access very carefully," Mr. Regazzi said. "We're trying to learn from it."

Posted by iang at 05:38 PM | Comments (0) | TrackBack

The Legacy of ASCII

The creator of ASCII, Bob Bemer, has died [1]. I didn't even know who he was, until he was dead, but I certainly knew what ASCII was. And is.

The effect of the creation of ASCII is hard to exaggerate. Growing up as a boy with toys in the 70s, there were many new machines with strange ways of doing things. HP calculators, big desktop calculating machines with multilayered neon numbers, hobby kits owned by mad professors, and Apple IIs; these all had their quirks. As late as the early 80s, the big supercomputer at my University used 60-bit words, into which 10 characters were packed. Yes, the string operations of the languages of the time had "pack" and "unpack" in them, an acknowledged compromise, but the Cyber engineers knew better.

ASCII, and the power of two, changed all that. It took a while, but slowly everything became multiples of 8 bits, and all text became straight ASCII. EBCDIC became a bad joke and the others were used as trivia questions at hacker gatherings (yes, we were all called hackers in those days). Add RS232, and we found ourselves in a world where any computer could talk to any other. Albeit slowly, via a 2400 baud cable soldered to 25 pins, or a tape calculated in 3/4 inch stop blocks. But it could be done with a 50-line program (typed from memory) or a blocking conversion routine (written from scratch, or using some learnt-by-heart parameters for a strange program).
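To make the pack/unpack point concrete, here is an added example of mine, not code from the original post and not the Cyber's actual routines: ten six-bit character codes packed into one 60-bit word, and the "blocking conversion routine" that unpacks them to one ASCII byte per character. The six-bit table is a constructed one in the spirit of the CDC display code, not a transcription of it, and treating code 0 as end-of-string filler is likewise an assumption.

```python
"""Ten six-bit characters in a 60-bit word, and the conversion out to 8-bit ASCII.

Constructed example: the six-bit table below is illustrative, in the spirit of
the CDC display code the post alludes to, not a transcription of it.  Code 0 is
the filler that pads the last word of a string (assumption).
"""

CHARS_PER_WORD = 10          # 10 x 6 bits = one 60-bit word
BITS_PER_CHAR = 6
WORD_MASK = (1 << 60) - 1

# Constructed six-bit table (assumption): 1..26 = A..Z, 27..36 = 0..9, then a few
# punctuation marks.  64 codes leave no room for lower case, which is the point.
_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 +-*/().,="
SIXBIT = {ch: code for code, ch in enumerate(_ALPHABET, start=1)}
FROM_SIXBIT = {code: ch for ch, code in SIXBIT.items()}


def to_sixbit(text):
    """Fold text into six-bit codes.  Lower case is folded to upper; anything the
    table cannot express raises rather than being silently substituted."""
    codes = []
    for ch in text.upper():
        if ch not in SIXBIT:
            raise ValueError(f"no six-bit code for {ch!r}")
        codes.append(SIXBIT[ch])
    return codes


def pack_words(text):
    """Pack text into 60-bit words, ten characters per word, zero-filled at the end."""
    codes = to_sixbit(text)
    words = []
    for i in range(0, len(codes), CHARS_PER_WORD):
        chunk = codes[i:i + CHARS_PER_WORD]
        chunk += [0] * (CHARS_PER_WORD - len(chunk))       # pad the last word
        word = 0
        for code in chunk:                                   # first char lands in the high bits
            word = (word << BITS_PER_CHAR) | code
        words.append(word & WORD_MASK)
    return words


def unpack_words(words):
    """Inverse of pack_words: split each word into ten codes, dropping the filler."""
    out = []
    for word in words:
        for i in range(CHARS_PER_WORD):
            shift = BITS_PER_CHAR * (CHARS_PER_WORD - 1 - i)
            code = (word >> shift) & 0x3F
            if code:                                         # 0 is filler, not a character
                out.append(FROM_SIXBIT[code])
    return "".join(out)


def to_ascii_bytes(words):
    """The blocking conversion routine: 60-bit words in, one ASCII byte per character out."""
    return unpack_words(words).encode("ascii")


if __name__ == "__main__":
    text = "Hello, World"
    words = pack_words(text)
    print([f"{w:020o}" for w in words])          # octal, as a Cyber would print them
    print(to_ascii_bytes(words))                 # b'HELLO, WORLD' (the case is gone)
    print(f"{len(words) * 60} bits packed vs {len(text) * 8} bits as 8-bit ASCII")
```

The round trip is not an identity: "Hello, World" comes back as HELLO, WORLD, and a character outside the table is rejected rather than mapped to something nearby. That is the compromise the post mentions, and it is also why a conversion routine like this has to decide up front what it does with input it cannot represent.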

Following on from this slow revolution in compatibility, there have been few standards developments as impressive. Here's a stab at a few:

  • The IBM PC
  • IP - being Internet Protocol, not intellectual property
  • email
  • WWW
  • DOC.
  • the mobile or cellular phone
  • C

Yes, DOC files are in there as the ubiquitous poor man's text transmission method. It's impossible to tell people that they don't need to attach a file to an email; the 10-line email sent as a 100k Word attachment has achieved ubiquity. Maybe it's just some secret popup I haven't found yet: "Microsoft believes the email you are about to send is too efficient, do you wish to send a Word attachment instead?"

Note what is not in the list: PDF, IM/chat, ISO networking, Windows (Microsoft or X), Google, PDAs, smartcards, XML, ... YMMV, but these haven't really made it to the level of pervasiveness that the above list expresses. Comments please, but be prepared to argue your case!

[1] Key computer coding creator dies
http://www.zeropaid.com/news/articles/auto/06252004b.php

Posted by iang at 03:56 PM | Comments (1) | TrackBack

P2P's Tragedy of the Commons

Nightblade [1], a coder on p2p networks, wrote about the "tragedy of the commons" and how it tended to destroy systems. His words were too dangerous, as now the site is down. I've scraped the google cache, below [2].

Tragedy of the Commons is something we've all known about [3]. I recall Bob H going on about it all the time. The solution is simple - property where there is scarcity. Unfortunately, property requires rights allocation, and payments, and methods of exchange.

Now, we've built all these things, but those building the p2p systems have not. Instead of going that distance (admittedly way beyond the expectation), comments in reply to his problem description (unpreserved) have stressed that there is a social element to this and that if only the right social engineering approach can be found, it will all work. Which of course will not work, but it's a timely reminder of the sort of soft social thinking that has spread from the legacy of GPL.

Then, in our world, we've built the superlative rights allocation mechanisms. We've created strong payment systems (the field is littered with these), and we've done the exchange mechanisms. I've seen these things in operation, and when they are humming, the world moves dangerously quicker. Yet our application side has never carried it far enough.

So we have two worlds. One world knows how to build p2p. The other world knows how to solve the resource allocation problem. The question is, when do the worlds start colliding?

This was the central message of FC7 [4]: Don't underestimate the complexity of the words. It is a multidisciplinary problem, which means there is a huge need to reach across to the other disciplines (I identified 7 core areas, and that's a lot to deal with. In brief, p2p chat would be a layer 7 application, and the above rights, payments, exchange are all layers 1 through 6.)

But FC7 was widely ignored, and in my discussions on many (other) issues, I've come to the conclusion that we as a species don't like multidisciplinary concepts. We want the whole solution to live in our space of expertise. We get all woolly and nervous when we're asked to delve into unfamiliar territory, as seen by the desire to cast the tragedy of the commons into the familiar "social" context of the GPL crowd.

Our Internet Commons of Ideas and Potential Applications seems hardly in danger of over-grazing. More, we have a group of deaf, dumb and blind developers sitting at the edge of the commons, occasionally falling over dead from starvation, while in the middle there is good grazing.


[1] Nightblade - dead link:
http://www.i2p.net/user/view/13?PHPSESSID=077353367d123d3309d79f4837895bee
[2] Google cache
http://216.239.59.104/search?q=cache:5T_lYTAG1HIJ:www.i2p.net/node/view/215+I2P+P2P+IIP+chat&hl=en&ie=UTF-8
[3] Tragedy of the commons
http://en.wikipedia.org/wiki/Tragedy_of_the_commons
[4] Financial Cryptography in 7 layers
http://iang.org/papers/fc7.html



Why P2P Networks Fail

Submitted by Nightblade on May 16, 2004 - 19:35.
This is something I have been thinking about for a long time. I believe it is one the main reasons P2P networks fail. (Another related theory is called the "prisoner's dilemma")

Here is an example from my own experiences:

A long time ago, I had a freesite on Freenet. Initially I was able to insert the site with no difficulty. However, as the network conditions grew worse over the weeks and months I found it more and more difficult to insert new editions of my site.

When I had inserted the first editions of my site, I used HTL values like 10 to 13 and only inserted the site once. I figured that would be enough to make it so people could see it, and they could. However as the network degraded I had to increase my HTL value to the maximum of 25, and perform multiple inserts over several hours before my site became viewable to other Freenet users. Part of this was prompted by Freenet coding bugs, but I think part of it was also caused by "overcrowding" - too much data was being inserted, causing sites to be lost too quickly as Freenet became more popular.

At the same time, I imagine other freesite authors were doing the exact same thing as I was, increasing their HTL and doing multiple inserts, possibly from multiple locations. While in the short term this solved the problem, it eventually turned into an "arms race." I remember just before I gave up on Freenet I was spending the entire day - 12 hours or more - continually ramming my site into the network with FIW, hoping it would work!

In addition to this madness there was Frost, which was a very heavy user (some would say abuser) of Freenet network resources. The end result was that the "commons" of Freenet - bandwidth and data stores, were overused and became nonfunctional.

Lest someone say that such problems in Freenet were caused by Freenet itself (i.e. bugs) rather than commons-overuse, let me give another example.

Take for instance Gnutella. At one time I shared about half my hard drive on Gnutella, but over the months and years I used Gnutella I got pissed off at all the "freeloaders" (people who download but don't share much), and I started reducing the number of files I shared. Other Gnutella users have done the same thing as I did. Now when I go on to Gnutella (or any other popular file sharing network) I find it very difficult to find anyone sharing files. Nobody shares anymore, they just leech. This is because the "commons" - bandwidth - was "overgrazed" by a few people, and those who were sharing stopped and began to leech instead, thus destroying the commons of Gnutella.

I also see this same problem potentially occurring in I2P.

At the moment, everyone is friendly and does not overuse the commons (bandwidth), but what will happen when I2P becomes more popular? Those without such altruistic behaviour as ourselves will begin wasting valuable I2P bandwidth.

Define "waste", you say? Suppose I develop a filesharing application which runs on I2P. People use my application to pirate the latest software, for example, Microsoft Office. Suddenly I2P becomes painfully slow. What do we do? We do not know which tunnels carry pirated software, because they are encrypted and anonymous. We can only sit and hope for the software pirates to become bored and go somewhere else.

Perhaps you do not find software piracy a wasteful activity.... then instead consider a government agency which creates multiple I2P routers and sends millions of gigabytes of garbage data across the network (WAV files of white noise, for example). That would have the same effect as the pirates would.

What is the solution to the "Tragedy of the Commons Attack?" This is what I have been thinking about, and so far I have come up with some solutions - private members-only networks in the style of WASTE seem to be the most promising.

What do you think?
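Both Nightblade's account above of the HTL arms race, and iang's point earlier in this post that the answer is property where there is scarcity, can be put into a small model. What follows is an added example of mine, not code from either post and not from Freenet or I2P. It assumes a single pool of datastore slots as a stand-in for the whole network, treats HTL as the number of copies an insert leaves behind, and evicts oldest-first; all three are simplifications.

```python
"""Tragedy-of-the-commons model of competing inserts into a shared datastore.

Constructed example.  A pool of `pool_slots` copies stands in for the network's
datastores; each publisher stores every block of its site `htl` times
(assumption: HTL treated as the number of copies an insert leaves behind); the
newest copies evict the oldest.  A site is 'viewable' only if every one of its
blocks kept at least one copy.
"""
import random


def simulate_round(htl_by_publisher, blocks_per_site, pool_slots, rng=None):
    """One publishing round with everybody's inserts interleaved at random.
    Returns (fraction of sites viewable, per-publisher flags, total insert traffic)."""
    rng = rng or random.Random(0)
    inserts = [(pub, blk)
               for pub, htl in enumerate(htl_by_publisher)
               for blk in range(blocks_per_site)
               for _ in range(htl)]
    rng.shuffle(inserts)
    surviving = set(inserts[-pool_slots:])          # the newest copies hold the slots
    viewable = [all((pub, blk) in surviving for blk in range(blocks_per_site))
                for pub in range(len(htl_by_publisher))]
    return sum(viewable) / len(viewable), viewable, len(inserts)


def site_survival(publishers, blocks, htl, pool_slots):
    """Closed-form approximation of the same model, taking copy positions as
    independent.  Returns (probability a given site is viewable, traffic)."""
    traffic = publishers * blocks * htl
    p_copy = min(1.0, pool_slots / traffic)        # chance one copy is still in the pool
    p_block = 1 - (1 - p_copy) ** htl              # at least one of the htl copies survives
    return p_block ** blocks, traffic


def arms_race(publishers, blocks, pool_slots, start_htl, step, max_htl):
    """Everybody escalates together.  Returns [(htl, traffic, p_viewable), ...]."""
    rows = []
    htl = start_htl
    while htl <= max_htl:
        p, traffic = site_survival(publishers, blocks, htl, pool_slots)
        rows.append((htl, traffic, p))
        htl += step
    return rows


def defector_payoff(publishers, blocks, base_htl, defector_htl, pool_slots):
    """One publisher raises its HTL while the others stay put.
    Returns (p_viewable for the defector, p_viewable for everybody else)."""
    traffic = (publishers - 1) * blocks * base_htl + blocks * defector_htl
    p_copy = min(1.0, pool_slots / traffic)
    p_defector = (1 - (1 - p_copy) ** defector_htl) ** blocks
    p_rest = (1 - (1 - p_copy) ** base_htl) ** blocks
    return p_defector, p_rest


def quota_htl(publishers, blocks, pool_slots):
    """The 'property' answer: each publisher gets a fixed share of the pool, and the
    HTL it may use follows from that, so total traffic never exceeds capacity."""
    return pool_slots // (publishers * blocks)


if __name__ == "__main__":
    P, B, POOL = 25, 10, 500
    for htl, traffic, p in arms_race(P, B, POOL, 5, 5, 25):
        print(f"everyone at HTL {htl:2d}: traffic {traffic:5d}, P(site viewable) = {p:.2f}")
    print("one defector at HTL 25, rest at 5:", defector_payoff(P, B, 5, 25, POOL))
    h = quota_htl(P, B, POOL)
    frac, _, traffic = simulate_round([h] * P, B, POOL, random.Random(1))
    print(f"quota HTL {h}: traffic {traffic}, fraction viewable {frac:.2f}")
```

Run with 25 publishers, 10 blocks each and a 500-slot pool, the numbers tell the story of the post: one publisher who raises HTL from 5 to 25 while the rest stay put gets a site that is almost certainly viewable (about 0.9997) while pushing everyone else down to about 0.28, so everyone escalates; once they all do, traffic goes up fivefold and the chance any given site is viewable falls from about 0.45 to about 0.27. With a per-publisher quota of 2 copies per block, total traffic equals capacity and every site stays up. The quota is the rights allocation; the accounting, payment and exchange needed to enforce it are exactly the pieces the post says the p2p world has not built.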

Posted by iang at 05:11 AM | Comments (10) | TrackBack

June 27, 2004

Taxing Issuers

G&SR/e-gold, an issuer of digital gold currencies, faces a new tax from the state of Florida, within which it has located its network operations [1]. (Or an old tax, newly applied?) It's hard to see the logic of this one, but I suppose one has to bear in mind that Florida is one of the small handful of states in the USA that has no state income tax.

Governments will tax, and one has to accept, grudgingly, that they a) exist and b) provide some modicum of services that are quite convenient and well utilised, even by the most rabid of anti-government types. Given that premise, a question much debated in economics circles is what is the best way to raise taxes. Skipping the difficult questions of what goals we are seeking and how we measure them, it does seem that most thought these days has moved from income-based taxation to transaction-based taxation.

I.e., VAT, where hopefully it is used to displace other forms of taxation. (And Russia's, Slovakia's and other countries' successes in levying flat income taxes also count as a move in that direction.)

How then to tax Issuers? Any tax should be proportional to the activity, so it would seem that the fees charged are the place to look. Most taxes are based on the total value of the transaction, but this is insufficiently precise, as the company never sees the total value of the transaction; it only sees its own component. Hence VAT is constructed as a waterfall of adding and subtracting down the value chain. It results in a netted small slice that is proportional to each supplier's activity, which is a good thing. Against this, the bad thing about VAT is that it is a nightmare to administer.

No such need exists with Issuers: the fee income is quite clear and easily calculable. Issuers therefore should think in terms of negotiating a transaction tax on the basis of a percentage of all the fees collected. In this way, Issuers are free to lower and raise fees according to business prerogatives, and they won't be so easily tempted to move operations to some lesser jurisdiction that offers no transaction tax.

Still, the day when transaction taxes apply to Issuers is far off. First, they have to be successful enough to be household names, so that the legislators take notice. Which means we have to get some size and some robustness, both things lacking in the current IG market.



[1] Wired News - Florida to Tax Home Networks
By Michelle Delio
Story location: http://www.wired.com/news/business/0,1367,63962,00.html
02:00 AM Jun. 24, 2004

Florida state officials are considering taxing home networks that have more than one computer, under a modified 1985 state law that was intended to tax the few businesses that used internal communication networks instead of the local telephone company.

Officials from Florida's Department of Revenue held a meeting on Tuesday to see whether the law would apply to wired households, and exactly who would be taxed. About 200 people attended, including community and business representatives.

In 1985 the state passed a law to tax businesses using their own communications networks, because otherwise the state could not collect tax revenue on the businesses' local telephone service. In 2001, that law was expanded to make "any system that is used for voice or data that connects multiple users with the use of switching or routing technology" taxable up to 16 percent.

The law is so broad that it would apply to networked computers, wireless services, two-way radios and even fax machines -- or "substitute communications systems," as the state calls them. The tax would be applicable to the costs of operating such a substitute communications system, not to the purchase of the system's components.

In some cases, it appears the tax would be collected by the providers of communications services such as wireless companies or voice-over-IP firms. The tax would be added to the user's bill and then turned over to the Department of Revenue.

But some substitute communications services don't require a service plan. For those, the state could take the tax from the amount deducted on business, and perhaps personal, tax filings.

"According to my accountant, the way the law is written, if my tax filing includes deductions for the repair or maintenance of my two-computer and one-printer network, those costs will be subject to state communication taxes," said graphic artist Linda Kellman, who works from home. "Self-employed people get slammed with insane taxes everywhere, and I've sadly but grudgingly accepted that. But this tax, if they ever try to collect it, would be the last straw. Can I outsource my network to a more sensible state, do you think?"

Florida businesses and residents -- and even some officials in the Florida Department of Revenue -- agree that the wording of the law is too broad.

In May, the Florida Senate unanimously passed a bill that would have prevented collection of the tax until 2006, during which time the law could be carefully reviewed. The bill was then sent to the House, but wasn't voted on before the summer break, clearing the way for officials to begin collecting the tax.

As a result, the Florida Department of Revenue, which, according to local newspaper reports, was in favor of the bill to delay the collection of the tax, must now begin to address how the tax should be implemented.

"The tax language is so broad that virtually any communication technologies in your home or office could be subject to this tax," said Chris Hart, spokesman for ITFlorida, a not-for-profit industry organization for the state's technology professionals. "It's difficult to imagine a more anti-technology, anti-business tax. It directly attacks the efficient use of information technology."

Florida businesses aren't in favor of the tax.

It also could tax almost any Florida resident who uses any sort of modern communications technology, something that Florida's battalions of retirees on fixed incomes have just begun to become aware of, according to Hart.

"Information on this issue is starting to reach the general public, and it probably isn't widely understood just yet," he said. "However, once people do realize how this tax could impact them on a personal level, they wake up very fast."

"All my life, I've willingly paid my fair share of taxes in exchange for community services," said 73-year-old George Fedoro, a retired engineer who now lives in Boca Raton. "But this tax is not fair and could turn senior citizens into criminals, because no one that I know can or will pay it."

Florida Gov. Jeb Bush would have to approve any rule the tax department suggests. Bush has said he isn't in favor of the tax, but many fear he may be swayed by city and county government officials. The tax would go, in part, toward school construction and other projects.

Additional meetings on the proposed rules for the tax will be held in other locations around the state later in the year, Department of Revenue officials said.

If the law is implemented, Florida would have the most wide-reaching state tax on technology. But it may not be the last -- state officials estimate enforcement of the tax could bring in more than $1 billion a year in revenue for the state.

Posted by iang at 06:43 AM

June 25, 2004

Micropayments, Nanoprofits, Macrolosses

Craig Spencer has created a live fee revenue calculation page for e-gold. This is the sort of analysis we need for the next stage of maturity for DGCs: taking the live data feeds of the major parties, and extracting the business intelligence that creates confidence.

It's also a major governance asset to be able to collect the information and lock down the issuer into lesser and more complex opportunities for fraud. We can see this simply from the fact that Craig has been collecting these pages for many months now, which ensures an auditable trail of activity in an open governance sense, not a rules-based sense. In comparison, we just don't know how many transactions the other systems did, so who can tell if the issuer decides to back date some?

We can get lots out of these tables. See below for today's example (which for some reason is stuck a long way down the page, anyone know why?):

This calculation uses data taken 6/25/04 6:25:48 PM GMT from the e-gold site.

e-gold Fee Structure (new as of 1/1/2004)

Range            Fee per spend                         Count    Weight    Revenue
0 mg - 1 mg      5% + 0.0002 g                          3405    2.85 g    0.823 g
1 mg - 10 mg     5% + 0.0002 g                          6324   25.91 g    2.560 g
10 mg - 100 mg   5% + 0.0002 g                          7142  272.04 g   15.030 g
100 mg - 1 g     0.1 g to 0.5 g: 1.25% + 0.00375 g      3894    1.52 kg  31.373 g
                 0.5 g to 1 g: 0.01 g
1 g - 10 g       1 g to 5 g: 1%                         2771   10.06 kg  92.316 g
                 5 g to 10 g: 0.05 g
10 g - 100 g     0.05 g                                  832   26.93 kg  41.600 g
100 g - 1 kg     0.05 g                                  198   57.84 kg   9.900 g
1 kg - 10 kg     0.05 g                                   24   57.83 kg   1.200 g

Total Spend Fee Revenue for the previous 24 hours: 194.803 g


This is the best evidence of micropayments seen so far. If we arbitrarily say that a micropayment is anything less than a penny, then we can see the top row giving us revenue of 0.823g from 3405 payments (the first row of the table above). What does that mean? Micropayments suck: after 8 years in operation, sub-penny payments are doing about 1 gram a day. What's worse, the infrastructure requirements for micropayments are the same as for any other form of payment. More or less.
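
Craig's table can be checked against the published fee schedule from the counts and weights alone, which is the governance point: anyone can recompute the issuer's revenue figures for themselves. The Python below is an added example written for this page, not Craig Spencer's page or e-gold's code. It transcribes the schedule and rows from the table above, assumes tier bounds are lower-inclusive and upper-exclusive (the page does not say), and recomputes each row where a single rate applies.

```python
from typing import Dict, List, Optional, Tuple

# e-gold spend-fee schedule as printed in the table above ("new as of 1/1/2004").
# Each tier: (lower bound g, upper bound g or None, percentage, fixed fee g).
# Assumption: lower bound inclusive, upper bound exclusive; the page does not say.
TIERS: List[Tuple[float, Optional[float], float, float]] = [
    (0.0, 0.1, 0.05, 0.0002),      # 0 - 100 mg:  5% + 0.0002 g
    (0.1, 0.5, 0.0125, 0.00375),   # 0.1 - 0.5 g: 1.25% + 0.00375 g
    (0.5, 1.0, 0.0, 0.01),         # 0.5 - 1 g:   flat 0.01 g
    (1.0, 5.0, 0.01, 0.0),         # 1 - 5 g:     1%
    (5.0, None, 0.0, 0.05),        # 5 g and up:  flat 0.05 g (5-10 g, 10-100 g, ... are all 0.05 g)
]


def egold_fee(grams: float) -> float:
    """Fee in grams charged on a single spend of `grams`."""
    if grams < 0:
        raise ValueError("negative spend")
    for lo, hi, pct, fixed in TIERS:
        if grams >= lo and (hi is None or grams < hi):
            return pct * grams + fixed
    raise AssertionError("tier table does not cover %r" % grams)


def parse_weight(text: str) -> float:
    """'2.85 g', '1.52 kg', '100 mg' -> grams."""
    value, unit = text.split()
    return float(value) * {"mg": 1e-3, "g": 1.0, "kg": 1e3}[unit]


def single_tier(lo_g: float, hi_g: float) -> Optional[Tuple[float, float]]:
    """(pct, fixed) if one tier covers the whole band [lo_g, hi_g), else None."""
    for tlo, thi, pct, fixed in TIERS:
        if tlo <= lo_g and (thi is None or hi_g <= thi):
            return pct, fixed
    return None


# Rows transcribed from the published table: (from, to, count, total weight, revenue).
PUBLISHED_ROWS = [
    ("0 mg", "1 mg", 3405, "2.85 g", "0.823 g"),
    ("1 mg", "10 mg", 6324, "25.91 g", "2.560 g"),
    ("10 mg", "100 mg", 7142, "272.04 g", "15.030 g"),
    ("100 mg", "1 g", 3894, "1.52 kg", "31.373 g"),
    ("1 g", "10 g", 2771, "10.06 kg", "92.316 g"),
    ("10 g", "100 g", 832, "26.93 kg", "41.600 g"),
    ("100 g", "1 kg", 198, "57.84 kg", "9.900 g"),
    ("1 kg", "10 kg", 24, "57.83 kg", "1.200 g"),
]


def reconcile(rows=PUBLISHED_ROWS, tolerance_g: float = 0.001) -> List[Dict]:
    """Recompute each row's revenue from count and aggregate weight where the band
    has a single rate. A band that straddles two rates needs the per-spend
    distribution, which the aggregate table does not publish, so it is reported
    as unverifiable (ok=None) rather than estimated."""
    out = []
    for lo, hi, count, weight, revenue in rows:
        band = "%s - %s" % (lo, hi)
        published = parse_weight(revenue)
        tier = single_tier(parse_weight(lo), parse_weight(hi))
        if tier is None:
            out.append({"band": band, "published_g": published, "expected_g": None, "ok": None})
            continue
        pct, fixed = tier
        expected = pct * parse_weight(weight) + count * fixed
        out.append({"band": band, "published_g": published, "expected_g": expected,
                    "ok": abs(expected - published) <= tolerance_g})
    return out


def total_revenue(rows=PUBLISHED_ROWS) -> float:
    """Sum of the published per-row revenue figures, in grams."""
    return sum(parse_weight(r[4]) for r in rows)


if __name__ == "__main__":
    for row in reconcile():
        print(row)
    print("total from rows: %.3f g" % total_revenue())
```

Six of the eight rows reconcile to within a milligram of the published figure; the two mixed-rate bands (100 mg - 1 g and 1 g - 10 g) cannot be verified from aggregates and are flagged rather than guessed at. The row figures sum to 194.802 g against the page's 194.803 g, which is three-decimal rounding.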

So, sell any stock in startups doing micropayments. Faster than anyone else does, hopefully, but if you get stuck holding the baby, then you move to where the smart money is: Payments. If you are going to put that infrastructure in place, make it work for *all* value payments, and don't get caught looking like you stole your business plan from an old copy of Wired magazine.

What else can we extract? Well, we can see the cash flow to the organisation. So a competitor can work out how much money e-gold are making, which is why companies generally don't like doing this. (But, don't kid yourself, a savvy business plan writer can work it out anyway, close enough.)

Great page, Craig! Now if we can only figure out a way to get sector by sector merchant numbers, our cup would runneth over.

Posted by iang at 02:45 PM

Forging the Euro

Anecdotally, it seems that now Europe has a world class currency, it has attracted world class forgers [1]. Perhaps catching the Issuer by surprise, the ECB and its satellites are facing significant efforts at injecting false currency. Oddly enough, the Euro note is very nice, and hard to forge. Which makes the claim that only the special note departments in the central banks can tell the forgeries quite a surprise.

Still, it is tiny amounts. I've heard estimates of 30% of the dollar issue washing around the poorer regions is forged, so it doesn't seem as though the gnomes in Frankfurt have much to complain about as yet.

And, it has to be taken as an accolade of sorts. If a currency is good, it is worth forging. Something we discovered in the digital cash world was that attacks against the system don't start until the issuer has moved about a million worth in float, and has a thousand or so users. Until then, the crooks haven't got the mass to hide in; with some of these smaller systems it is the case that "everyone knows everyone", and that's a bit limiting if you are trying to fence some value through the market makers.

[1] http://www.dw-world.de/english/0,3367,1431_A_1244689_1_A,00.html

Posted by iang at 07:33 AM

Independent Chairmen

In the governance soap opera known as the mutual funds scandal, the SEC voted narrowly to insist on Chairmen being Independent [1]. This was a hard fought battle, and quite rightly - it is hard to see just how this is going to make a difference.

It doesn't take a doctorate to realise that those funds that have insiders as chairmen - 80% of them - can simply find a mate who is nominally independent. This reminds me of the George Bernard Shaw joke about how any woman can be a prostitute, we just have to establish the price. For money, most will claim whatever they are told to say, including independence.

The core issue seems to come down to the conflict of interest. It's pretty clear that any appointees of the management company have two masters - the investors and the management company. But, this is generally resolved by aligning their incentives, not by making up yet another rule.

And here's the clanger: mutual funds are set up by the management company, and they take a fee for service. There's no getting around the fact that the management company's incentive is aligned towards egregious fee inflation (Eliot Spitzer's 1st complaint) and insider fraud (2nd complaint).

So, mucking around at the titular notion of independence will have little or no beneficial effect on the core issue. It's the incentives that are mucked up, and the only question is, where next will the fire break out?

Having said that, it's hard not to have sympathy with the SEC. It has to do something, but what? The shrill apologists for the mutual funds aren't exactly offering a solution [2]. Instead, what they appear to be saying is "we don't want any changes so we can get back to raiding the funds..."

The only thing I've heard so far that makes any sense (other than our own RTGS solutions of course) is Fidelity's push to have DTCC take over the settlement. Yet, they are embroiled in the Stockgate scandal, so the shine is certainly off that idea [3].

[1] SEC Says Mutual Funds Must Have Independent Chairmen
http://www.accountingweb.com/cgi-bin/item.cgi?id=99395&d=815&h=817&f=816&dateformat=%25B%20%25e,%20%25Y
[2] Mutual Fund Folly By JAMES K. GLASSMAN
sorry, no URL, but seems to be the Wall Street Journal.
[3] DTCC accused of counterfeiting shares
http://www.financialcryptography.com/mt/archives/000157.html

Posted by iang at 06:59 AM

June 23, 2004

Phishing II - Front Page News

As well as the FT review, in a further sign that phishing is on track to being a serious threat to the Internet, Google yesterday covered phishing on the front page. 37 articles in one day didn't make a top story, but all signs are pointing to increasing paranoia. If you "search news" then you get about 932 stories.

It's mainstream news. Which is in itself an indictment of the failure of Internet security, a field that continues to reject phishing as a threat.

Let's recap. There are about three lines of potential defense. The user's mailer, the user's browser, and the user herself.

(We can pretty much rule out the server, because that's bypassed by this MITM; some joy would be experienced using IP number tracking, but that can by bypassed and it may be more trouble than it's worth.... We can also pretty much rule out authentication, as scammers that steal hundreds of thousands have no trouble stealing keys. Also in the bit bucket are the various strong URL schemes, which would help, but only when they have reached critical mass. No hope there.)

In turn, here's what they can do against phishing:

The user's mailer can only do so much here - its job is to take emails, and that's what it does. It has no way of knowing that an email is a phishing attack, especially if the email carefully copies a real one. Bayesian filters might help here, but they are also testable, and they can be beaten by the committed attacker - which a phisher is. Spam tech is not the right way of thinking, because if one spam slips through, we don't mind. In contrast, if a phish slips through, we care a lot (especially if we believe the 5% hit rate).

Likewise, the user is not so savvy. Most users are going to have trouble picking the difference between a real email and a fake one, or a real site and a fake one. It doesn't help that even real emails and sites have lots of subtle problems with them that will cause confusion. So I'd suggest that relying on the user as a way to deal with this is a loser. The more checking the better, and the more knowledge the better, but this isn't going to address the problem.

This leaves the browser. Luckily, in any important relationship, the browser knows, or can know, some things about that relationship. How many times visited, what things done there, etc etc. All the browser has to do then is to track a little more information, and make the user aware of that information.

But to do that, the browsers must change. They've got to change in 3 of these 4 ways:

1. cache certificate use statistics and other information, on a certificate and URL basis. Some browsers already cache some info - this is no big deal.
2. display the vital statistics of the connection in a chrome (protected) area - especially the number of visits. This we call the branding box. This represents a big change to the browser security model, but, for various reasons, all users of browsers are going to benefit.
3. accept self-signed certs as *normal* security, again displayed in the chrome. This is essential to get people used to seeing many more cert-protected sessions, so that the above 2 parts can start to work.
4. servers should bootstrap as a normal default behaviour using an on-demand generated self-signed cert. Only when it is routine for certs to be in existence for *any* important website will the browser be able to reliably track persistency, and the user start to understand the importance of keeping an eye on that persistency.

It's not a key/padlock, it's a number. Hey presto, we *can* teach the user what a number means - it's the number of times that you visited BankofAmerica.com, or FunkofAmericas.co.mm or wheresover you are heading. If that doesn't seem right, don't enter in any information.
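
Here is what the branding box amounts to in code, as an added example for this page: it is not from any browser and not Ye & Smith's implementation. It is a per-host visit counter keyed by certificate fingerprint, persisted between sessions, that tells the chrome one of three things: never seen this host, seen it N times under this key, or seen it N times but never under this key. Host names and certificate bytes in the demo are constructed, not real certificates.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Verdict:
    host: str
    status: str   # "first-visit", "known" or "cert-changed"
    visits: int   # visits to this host recorded before the current one


@dataclass
class BrandingBox:
    """Per-host visit counter keyed by certificate, standing in for the cache the
    browser would keep and show in protected chrome. store: host -> {fingerprint: visits}."""
    store: Dict[str, Dict[str, int]] = field(default_factory=dict)

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # SHA-256 over the certificate bytes. A self-signed cert gets exactly the
        # same treatment as a CA-signed one; what matters is whether it persists.
        return hashlib.sha256(cert_der).hexdigest()

    def visit(self, host: str, cert_der: bytes) -> Verdict:
        fp = self.fingerprint(cert_der)
        per_host = self.store.setdefault(host, {})
        if not per_host:
            per_host[fp] = 1
            return Verdict(host, "first-visit", 0)
        prior_total = sum(per_host.values())
        if fp not in per_host:
            # Host seen before, but never under this key: a rotation or an interception.
            # Either way the user should see the count drop to "never under this key".
            per_host[fp] = 1
            return Verdict(host, "cert-changed", prior_total)
        per_host[fp] += 1
        return Verdict(host, "known", prior_total)

    def dump(self) -> str:
        """Serialise for persistence between browser sessions."""
        return json.dumps(self.store, sort_keys=True)

    @classmethod
    def load(cls, blob: str) -> "BrandingBox":
        return cls(store=json.loads(blob))


def demo() -> Tuple[Verdict, Verdict]:
    """Scenario from the post: a well-visited bank, then a look-alike phishing host.
    Certificate bytes are constructed placeholders, not real DER."""
    bank_cert = b"constructed DER bytes for bankofamerica.com, key A"
    box = BrandingBox()
    last = box.visit("bankofamerica.com", bank_cert)
    for _ in range(19):
        last = box.visit("bankofamerica.com", bank_cert)
    phish = box.visit("funkofamericas.co.mm", b"constructed DER bytes for a phisher's self-signed cert")
    return last, phish


if __name__ == "__main__":
    bank, phish = demo()
    print(bank)    # known, 19 prior visits
    print(phish)   # first-visit, 0 prior visits
```

The number is the whole user interface: the bank shows a count in the dozens, the look-alike shows zero, and a key change on a known host shows the old count with a different status rather than silently resetting. Which of the three a user acts on is the user's call, but at least the browser is now telling them something it actually knows.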

These are pretty much simple changes, and the best news is that Ye & Smith's "Trusted Paths for Browsers" showed that this was totally plausible.

Posted by iang at 10:59 AM

Phishing I - Penny Black leads to Billion Dollar Loss

Today, the Financial Times leads its InfoTech review with phishing [1]. The FT has new stats: Brightmail reports 25 unique phishing scams per day. Average amount shelled out for 62m emails by corporates that suffer: $500,000. And, 2.4bn emails seen by Brightmail per month - with a claim that they handle 20% of the world's mail. Let's work those figures...

That means 12bn emails per month are scams. If 62m emails cause costs of half a million, then that works out at $0.008 per email. 144bn emails per year makes for ... $1.152 billion dollars paid out every year [2].

In other words, each phishing email is generating losses to business of a penny. Black indeed - nobody has been able to show such a profit model from email, so we can pretty much guarantee that the flood is only just beginning.

(The rest of the article included lots of cartels trying to peddle solutions, and a mention that the IETF thinks email authentication might help. Fat chance of that, but it did mention one worrying development - phishers are starting to use viral techniques to infect the user's PC with key loggers. That's a very worrying development, as there is no way a program can defeat something that is permitted to invade by the Microsoft operating system.)

[1] The Financial Times, London, 23rd June 2004,
"Gone phishing," FT-IT Review.
[2] Compare and contrast this 1 billion dollar loss to the $5bn claimed by NYT last week:
"Phishing an epidemic, Browsers still snoozing"
http://www.financialcryptography.com/mt/archives/000153.html



Addendum 2004-07-17: One article reports that Phishing will cost financial firms $400m in 2004, and another article, Firms hit hard by identity theft reports:

"While it's difficult to pin down an exact dollar amount lost when identity thieves strike such institutions, Jones said 20 cases that have been proposed for federal prosecution involve $300,000 to $1 million in losses each."

This matches the amount reported in the Texas phishing case, although it refers to identity theft, not phishing (yes, they are not the same).



Addendum 2004-07-27: Amir Herzberg and Ahmad Gbara report in their draft paper :
A study by Gartner Research [L04] found that about two million users gave such information to spoofed web sites, and that "Direct losses from identity theft fraud against phishing attack victims -- including new-account, checking account and credit card account fraud" cost U.S. banks and credit card issuers about $1.2 billion last year.

[L04] Avivah Litan, Phishing Attack Victims Likely Targets for Identity Theft, Gartner FirstTake, FT-22-8873, Gartner Research, 4 May 2004



Addendum 2008-09-03 Fighting Phish, Fakes and Frauds talks about additional support calls costs and users who depart from ecommerce.

Posted by iang at 10:30 AM

June 22, 2004

Semblance of order amid the chaos

Finally, some good news amid the scandals and disasters... The Banker reports that the Bank of England led a project to put a new payment system in place in Iraq [1]. Two companies, Visa and E-Go, were selected by the Old Lady to put in place a network of 80 laptops and Inmarsat satellite linkups. On the laptops was Visa's software, although details are scant as to how that works.

The Bank of England continues to impress in the lacklustre world of central banking.

Semblance of order amid the chaos
Published on: 03 May, 2004

The exchange desk for the new Iraqi currency at a branch of Rafidain Bank

An improbable mix of coincidence, personal ingenuity and innovative technology gave Iraq a sorely needed payments system.

Stabilising the political environment in post-war Iraq is one issue; rebuilding its wrecked financial infrastructure is quite another. Amid the carnage and devastation, a little known tale of extraordinary innovation and ingenuity has defied the logic of logistics and produced a payments system for Iraq which may have provided, in its own way, more stability for the country than much of the military hardware.

In July last year, the embattled Central Bank of Iraq produced an ambitious goal but with little idea how it could be achieved. On October 15 the launch of the new Iraqi dinar (without Saddam Hussein on the note) was planned. Getting the notes printed abroad was not the problem - De La Rue obliged. But to enable the re-emergence of Iraq as a self-supporting economy, a secure currency and trading backbone was essential and far from easy to implement.

Impossible task

With no telecommunications infrastructure, nor a reliable power grid, the Iraqi banks were looking for a solution which would provide them with the ability, reliability and security to network their banks' branches country-wide. A network of 80 sites throughout the country was required. And this was before personal security, attacks and all military aspects were considered.

Solution emerges

The Central Bank of Iraq called on the Bank of England for help last July and through an extraordinary series of coincidences, personal initiatives and creative use of technology, a solution emerged.

Key to putting together the initial core network package was Kathleen Tyson-Quah, who had broad global experience in developing banking systems and who acted as 'solution architect' for the project. Given the unique nature of the Iraqi situation and the extremely tight October deadline, traditional approaches were not possible. A project that could take years under normal conditions was desperately needed in less than three months, and conditions in Iraq were far from normal.


Ms Tyson-Quah needed providers who not only could do the job but were already active in the area; there was no time to acclimatise. Post-war Iraq had no countrywide commercial communications network. What telecoms and IT systems existed had not been updated for years, and relied on DOS-based systems. It was clear that a major technology gap existed. "With the 10-week deadline many people thought I was insane," she noted, but some were willing to rise to the challenge.

In July 2003, a tender from Iraq's three leading banks was issued for a new infrastructure and payments system, and 16 companies responded. In August, in Baghdad, the order was signed for Visa International and E-Go Solutions, a partnership between NSSL and TET Satellite Solutions, to deliver the system.

Technology

Visa International and E-Go proposed a network solution based on the regional BGAN system operating via Inmarsat. Each of the 80 bank branches would need nothing more than a safe with cash, a dual language laptop carrying applications based on VISA software and a regional BGAN satellite modem to run operations. High-integrity customised security was built into both hardware and software, as well as over the network via VPN. The UK-based server supplied and maintained by E-Go offered full redundancy, using Cisco and HP systems with uninterrupted power supplies and tape back-up.

Against all odds, the 80-laptop system was up on time and its benefits are now beginning to be felt. Visa's Stuart Brocklehurst, who played a critical role in pulling the project together, says: "The ability to transfer wages and payments electronically gives the banks greater control and security. As more people gain confidence in the banks as a safe place to leave their money, they will be able to save. As a result more money stored in the banks will give the institutions the opportunity to lend money, thus allowing the Iraqi economy to grow more quickly." Since March, Mr Brocklehurst adds, most banks, including the 19 private banks, have come onstream with the payments system.

The new network ensured the smooth introduction of the new currency. The VisaNet/E-Go solution provides not only a viable system for Iraq but also a model for other countries with complicated payments needs.

Posted by iang at 08:11 AM

DTCC accused of counterfeiting shares

I had heard about Stockgate a while back when the Nanopierce lawsuit was filed. At the time, it looked like a hopeful settlement deal, but now more details have come to light [1].

And what details! This may well be bigger than the mutual funds scandal, which was the biggest scandal of all time as far as I can see. The Nanopierce class action team has 65 lawyers in it! They have (allegedly) uncovered 1200 funds and 150 broker dealers in naked short selling.

Here's how it works. Short selling is supposed to involve borrowing the stock, then selling the borrowed stock on the market, anticipating a drop in price. It's "good" because it moves information more quickly. It's "bad" because someone with a lot of time and money on their hands can just dump the stock and then buy it back at a cheaper price. Like all things valued by people over the age of 12, there are goods and bads in it.

Where it gets egregious is if the stock is not borrowed at all, and simply "sold" on a promise. Now, if you are a big bad player and you can "not borrow" enough of it, and "sell" enough of what you don't have, then the price has to go down. Supply and demand, and all that. Then you can "buy" it on the cheap, transfer a few things around in the accounts, and end up with a profit.

Having the actual stock on hand is supposed to put a brake on this practice. And, when the DTCC - the single depository and clearing agency in the US - set up its stock lending facility, it was quite popular, as it was relatively easy to just borrow the shares from DTCC, and dump them on the market.

All supposing that DTCC had acquired them from somewhere. Now it transpires that DTCC took a fee for this activity, and worked out that they could over-lend. That is, they could simply counterfeit the shares. It's alleged by the lawsuit that DTCC turned off its governance, and turned on the equity tap. Anyone who wanted to borrow, presumably could - even if there were none to borrow.

"The Stock Borrow Program was purportedly set up to facilitate expedited clearance of stock trades. Somewhere along the line, the DTCC became aware that if it could lend a single share an unlimited number of times, it could collect a fee each time, according to Burrell. "There are numerous cases of a single share being lent ten or many more times," giving rise to the complaint that the DTCC has been electronically counterfeiting just as was done via printed certificates before the Crash."

"Such re-hypothecation has in effect made the potential 'float' in a single company's shares virtually unlimited and the term 'float' meaningless. Shares could be electronically created/counterfeited/kited without a registration statement being filed, and without the underlying company having any knowledge such shares are being sold or even in existence." ...
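
A toy ledger, added here as an illustration for this page and not DTCC's code or a description of their actual system, shows what "lending a single share ten or many more times" does to the float once the on-hand check is switched off. The invariant is the one a clearing agency is supposed to hold: shares out on loan never exceed shares on deposit. Borrower names and share counts are constructed.

```python
from typing import List, Tuple


class OverLendError(Exception):
    pass


class StockBorrowLedger:
    """Toy model of a depository's stock-borrow facility for one issue.
    `enforce` is the invariant the post says was turned off."""

    def __init__(self, shares_issued: int, enforce: bool = True):
        self.shares_issued = shares_issued
        self.enforce = enforce
        self.on_deposit = 0
        self.loans: List[Tuple[str, int]] = []

    @property
    def on_loan(self) -> int:
        return sum(qty for _, qty in self.loans)

    def deposit(self, qty: int) -> None:
        # The depository can never hold more of an issue than was ever issued.
        if qty <= 0 or self.on_deposit + qty > self.shares_issued:
            raise ValueError("cannot deposit more shares than were issued")
        self.on_deposit += qty

    def lend(self, borrower: str, qty: int) -> None:
        available = self.on_deposit - self.on_loan
        if self.enforce and qty > available:
            raise OverLendError("%s wants %d, only %d unlent shares on deposit"
                                % (borrower, qty, available))
        # With enforce=False this appends regardless: the same deposited block
        # is lent again and again, and a fee is collected each time.
        self.loans.append((borrower, qty))

    def phantom_shares(self) -> int:
        """Shares sold into the market that no issuer ever created."""
        return max(0, self.on_loan - self.on_deposit)

    def apparent_float(self) -> int:
        """What the market sees as tradable: real float plus the phantom shares."""
        return self.shares_issued + self.phantom_shares()


def run(enforce: bool, issued: int = 1_000_000, deposited: int = 100_000,
        rounds: int = 10) -> Tuple[int, int, int]:
    """Ten borrowers each try to borrow the entire deposited block.
    Returns (loans granted, phantom shares, apparent float)."""
    ledger = StockBorrowLedger(issued, enforce=enforce)
    ledger.deposit(deposited)
    granted = 0
    for i in range(rounds):
        try:
            ledger.lend("broker-%d" % i, deposited)
            granted += 1
        except OverLendError:
            break
    return granted, ledger.phantom_shares(), ledger.apparent_float()


if __name__ == "__main__":
    print("checked:  ", run(enforce=True))    # (1, 0, 1000000)
    print("unchecked:", run(enforce=False))   # (10, 900000, 1900000)
```

With the check on, the second borrower is refused and the float stays at what the issuer registered. With it off, ten loans against one block of 100,000 deposited shares put 900,000 shares into the market that were never issued, and the "float" has lost its meaning, which is the complaint quoted above.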

But, says the cunning governance observer, what happens if the price moves against the naked short seller? Surely he's then caught with his pants down? No. Here's the game: DTCC, instead of taking a clearing agency role as they are supposed to and covering the participants, simply refers the dispute to arbitration between the parties! And, they leave an open position book until it has been resolved.

If true, this makes a mockery of governance, regulation, the system, and any sense of investment. What is the point in investing in shares in a small company if the big players are naked short selling it out of existence, simply to transfer wealth from your pocket into their pocket?

The mutual funds scandal was pretty rude - big players conspired with insiders to strip out percentage points worth of value every year. This sort of salami scam works as long as the amounts taken out don't appear too large. 1% per annum is fine ... always remembering that we are talking about 1% of a 7 trillion dollar amount here.

But stockgate is a whole other ballgame, as the Americans would say - here, broker dealers and investment banks were conspiring allegedly to transfer the *whole* value of small companies to them. One expert claims that 7,000 public companies and from one to three trillion dollars have been raided.

[1] http://www.investors.com/breakingnews.asp?journalid=21660437&brk=1
StockGate: London Companies on Berlin Exchange Ask for Investigation, Reg SHO Hearing Reset

Posted by iang at 07:26 AM

June 18, 2004

FBI asks US Congress to repeal laws of physics

In our world, we are very conscious of the natural order of life. First comes physics. From physics is derived economics, or the natural costing of things. And finally, law cleans up, adding things like dispute resolution (us techies call them edge cases). Notwithstanding that this ordering has been proven over any millennium you care to pick, sometimes, more often than one would merit, people ask for lawmakers to ignore the reality of life and to regulate certain inevitable behaviours into some sort of limbo of illegal normality.

Such it is with Internet telephony, also known as VOIP (voice over IP): Internet machines are totally uncontrollable, at a basic fundamental physical level. It was designed that way, and the original architects forgot to include the flag for legislative override. Further, Internet machines can do voice communications.

From those two initial assumptions, we can pretty much conclude that any attempt to regulate VOIP will fail. And that all the perks now enjoyed by large dominating parties of power (e.g., governments) will fade away.

Yet, the US Department of Justice is asking Congress to regulate wire taps on VOIPs [1]. This looks like a repeat of the crypto wars in the 90s. Almost lost and definitely bungled by the FBI, the crypto wars were won by the NSA and its rather incredible sense of knowing when to ease off a bit.

Reading the below article, one of two by Declan McCullagh, it is at least hopeful to see that Congressmen are starting to express a bipartisan skepticism to the nonsense dished up in the name of terrorism. Why don't the DoJ and its primary arm, the FBI, "get it?" It's unclear, but when a police force decides that protection of the faltering revenues of Hollywood is its 3rd biggest priority [2], another unwinnable battle against physics, one can only expect more keystone cops action in the future [3].

Here's the pop quiz of the week - what technologies can be thought to "aid, abet, induce, counsel or procure" violation of copyright? There is no prize for photocopying, laser printers, cassette recorders, CD and DVD burners, PCs, software, cameras, phones, typewriters ... Surely we can come up with something that is an innovative inducer of the #3 crime - copyright violation?

[1] Declan McCullagh, Feds: VoIP a potential haven for terrorists
http://zdnet.com.com/2102-1105_2-5236233.html?tag=printthis
[2] http://www.financialcryptography.com/mt/archives/000072.html does record where:
FBI weighs into anti-piracy fight
http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/1/hi/entertainment/music/3506301.stm
[3] Declan McCullagh, Antipiracy bill targets technology
http://news.com.com/2102-1028_3-5238140.html?tag=st.util.print



Feds: VoIP a potential haven for terrorists
By Declan McCullagh CNET News.com June 16, 2004, 10:54 AM PT

WASHINGTON--The U.S. Department of Justice on Wednesday lashed out at Internet telephony, saying the fast-growing technology could foster "drug trafficking, organized crime and terrorism."

Laura Parsky, a deputy assistant attorney general in the Justice Department, told a Senate panel that law enforcement bodies are deeply worried about their ability to wiretap conversations that use voice over Internet Protocol (VoIP) services.

"I am here to underscore how very important it is that this type of telephone service not become a haven for criminals, terrorists and spies," Parsky said. "Access to telephone service, regardless of how it is transmitted, is a highly valuable law enforcement tool."

Police have been able to conduct Internet wiretaps for at least a decade, and the FBI's controversial Carnivore (also called DCS1000) system was designed to facilitate online surveillance. But Parsky said that discerning "what the specific (VoIP) protocols are and how law enforcement can extract just the specific information" are difficult problems that could be solved by Congress requiring all VoIP providers to build in backdoors for police surveillance.

The Bush administration's request was met with some skepticism from members of the Senate Commerce committee, who suggested that it was too soon to impose such weighty regulations on the fledgling VoIP industry. Such rules already apply to old-fashioned telephone networks, thanks to a 1994 law called the Communications Assistance for Law Enforcement Act (CALEA).

"What you need to do is convince us first on a bipartisan basis that there's a problem here," said Sen. Ron Wyden, D-Ore. "I would like to hear specific examples of what you can't do now and where the law falls short. You're looking now for a remedy for a problem that has not been documented."

Wednesday's hearing was the first to focus on a bill called the VoIP Regulatory Freedom Act, sponsored by Sen. John Sununu, R-N.H. It would ban state governments from regulating or taxing VoIP connections. It also says that VoIP companies that connect to the public telephone network may be required to follow CALEA rules, which would make it easier for agencies to wiretap such phone calls.

The Justice Department's objection to the bill is twofold: Its wording leaves too much discretion with the Federal Communications Commission, Parsky argued, and it does not impose wiretapping requirements on Internet-only VoIP networks that do not touch the existing phone network, such as Pulver.com's Free World Dialup.

"It is even more critical today than (when CALEA was enacted in 1994) that advances in communications technology not provide a haven for criminal activity and an undetectable means of death and destruction," Parsky said.

Sen. Frank Lautenberg, D-N.J., wondered if it was too early to order VoIP firms to be wiretap-friendly by extending CALEA's rules. "Are we premature in trying to tie all of this down?" he asked. "The technology shift is so rapid and so vast."

The Senate's action comes as the FCC considers a request submitted in March by the FBI. If the request is approved, all broadband Internet providers--including companies using cable and digital subscriber line technology--will be required to rewire their networks to support easy wiretapping by police.

Wednesday's hearing also touched on which regulations covering 911 and "universal service" should apply to VoIP providers. The Sununu bill would require the FCC to levy universal service fees on Internet phone calls, with the proceeds to be redirected to provide discounted analog phone service to low-income and rural American households.

One point of contention was whether states and counties could levy taxes on VoIP connections to support services such as 911 emergency calling. Because of that concern, "I would not support the bill as drafted and I hope we would not mark up legislation at this point," said Sen. Byron Dorgan, D-N.D.

Sen. Conrad Burns, R-Mont., added: "The marketplace does not always provide for critical services such as emergency response, particularly in rural America. We must give Americans the peace of mind they deserve."

Some VoIP companies, however, have announced plans to support 911 calling. In addition, Internet-based phone networks have the potential to offer far more useful information about people who make an emergency call than analog systems do.



Antipiracy bill targets technology

By Declan McCullagh Staff Writer, CNET News.com

A forthcoming bill in the U.S. Senate would, if passed, dramatically reshape copyright law by prohibiting file-trading networks and some consumer electronics devices on the grounds that they could be used for unlawful purposes.

A bill called the Induce Act is scheduled to come before the Senate sometime next week. If passed, it would make whoever "aids, abets, induces (or) counsels" copyright violations liable for those violations.

Bottom line: If passed, the bill could dramatically reshape copyright law by prohibiting file-trading networks and some consumer electronics devices on the grounds that they could be used for unlawful purposes.

The proposal, called the Induce Act, says "whoever intentionally induces any violation" of copyright law would be legally liable for those violations, a prohibition that would effectively ban file-swapping networks like Kazaa and Morpheus. In the draft bill seen by CNET News.com, inducement is defined as "aids, abets, induces, counsels, or procures" and can be punished with civil fines and, in some circumstances, lengthy prison terms.

The bill represents the latest legislative attempt by influential copyright holders to address what they view as the growing threat of peer-to-peer networks rife with pirated music, movies and software. As file-swapping networks grow in popularity, copyright lobbyists are becoming increasingly creative in their legal responses, which include proposals for Justice Department lawsuits against infringers and action at the state level.

Originally, the Induce Act was scheduled to be introduced Thursday by Sen. Orrin Hatch, R-Utah, but the Senate Judiciary Committee confirmed at the end of the day that the bill had been delayed. A representative of Senate Majority Leader Bill Frist, a probable co-sponsor of the legislation, said the Induce Act would be introduced "sometime next week," a delay that one technology lobbyist attributed to opposition to the measure.

Though the Induce Act is not yet public, critics are already attacking it as an unjustified expansion of copyright law that seeks to regulate new technologies out of existence.

"They're trying to make it legally risky to introduce technologies that could be used for copyright infringement," said Jessica Litman, a professor at Wayne State University who specializes in copyright law. "That's why it's worded so broadly."

Litman said that under the Induce Act, products like ReplayTV, peer-to-peer networks and even the humble VCR could be outlawed because they can potentially be used to infringe copyrights. Web sites such as Tucows that host peer-to-peer clients like the Morpheus software are also at risk for "inducing" infringement, Litman warned.

Jonathan Lamy, a spokesman for the Recording Industry Association of America, declined to comment until the proposal was officially introduced.

"It's simple and it's deadly," said Philip Corwin, a lobbyist for Sharman Networks, which distributes the Kazaa client. "If you make a product that has dual uses, infringing and not infringing, and you know there's infringement, you're liable."

The Induce Act stands for "Inducement Devolves into Unlawful Child Exploitation Act," a reference to Capitol Hill's frequently stated concern that file-trading networks are a source of unlawful pornography. Hatch is a conservative Mormon who has denounced pornography in the past and who suggested last year that copyright holders should be allowed to remotely destroy the computers of music pirates.

Foes of the Induce Act said that it would effectively overturn the Supreme Court's 1984 decision in the Sony Corp. v. Universal City Studios case, often referred to as the "Betamax" lawsuit. In that 5-4 opinion, the majority said VCRs were legal to sell because they were "capable of substantial noninfringing uses." But the majority stressed that Congress had the power to enact a law that would lead to a different outcome.

"At a minimum (the Induce Act) invites a re-examination of Betamax," said Jeff Joseph, vice president for communications at the Consumer Electronics Association. "It's designed to have this fuzzy feel around protecting children from pornography, but it's pretty clearly a backdoor way to eliminate and make illegal peer-to-peer services. Our concern is that you're attacking the technology."

Posted by iang at 03:56 PM | Comments (6) | TrackBack

U.S. banks fail to attract immigrant remittance business

As I've frequently observed, the worst companies to encourage into new money businesses are banks. Frank Trotter, now the Chairman of the highly successful Internet bank, Everbank, once famously observed that the companies best placed to enter the new money business were mass transits, telcos and couriers. I think he was dead right; and he's been proven correct, 2 out of 3 so far.

Here's a report about banks failing to get into the remittances business. The reasons should be fairly easy to spot, so I'll not bore with yet another list of critical factors.


U.S. banks fail to attract immigrant remittance business
Eduardo Porter NYT

Tuesday, June 08, 2004

The entry of big U.S. banks into the business of handling immigrants' remittances of money back home was expected three years ago to produce a financial revolution with potentially powerful policy implications for the United States and Latin America.

So far, the revolution does not seem to have panned out.

According to a report that was set for release on Monday by the Pew Hispanic Center, a nonprofit research group, banks have captured only a trifling share of the money flow. And the price of remitting money - which fell sharply in the late 1990s - has leveled off.

For the 10 million Latin American immigrants in the United States who last year sent $30 billion to their families back home, linked bank accounts and international cash-machine networks offer a cheaper way to send money than using traditional cash-based services like Western Union, a subsidiary of First Data, and Moneygram, which is owned by Viad. Through remittance services, banks also hoped to draw these immigrants - more than half of whom do not have U.S. bank accounts - into the formal financial sector.

Treasury Secretary John Snow has been a major promoter of this cause. In April, he joined finance ministers and central bank governors of the Group of 7 industrialized nations in a statement promising to continue working on ways to make it easier and cheaper for immigrants to send money to their home countries and "to integrate remittance services in the formal financial sector."

The fee for sending small amounts, after dropping from about 15 percent in the late 1990s to 9 percent in 2001, has not fallen much further. The average fee for sending around $200 to Latin America this year is 7.6 percent of the amount sent, according to the study.

"The banks have gone through all this effort; it's still early, but the numbers are still fairly small, given the size of the operation and the extent of their investment," said Roberto Suro, director of the Pew center. "Prices have stabilized, especially in Mexico, the biggest market, despite very substantial increases in volume and competition."

Today, some 50 companies vie for a slice of the roughly $1.2 billion a month that flows to Mexico. And banks have focused on the Mexican market. It was the Mexican government's decision to issue new identity cards for its expatriates in the United States, and the U.S. Treasury's decision to allow banks to accept the cards as identification when opening accounts, that drew many banks into the remittance business three years ago.

But despite hefty marketing efforts, the banks still have only a meager share of the business. According to the Pew report, the four largest banks in the business - Citibank, Wells Fargo, Bank of America and Harris Bank - together handle about 100,000 transfers a month. That is less than 3 percent of the 40 million remittance transactions to Mexico each year. And banks' effect on prices also seems muted. The average fee to send $200 to Mexico is 7.3 percent, compared with 8 percent in 2001.

Offerings from the banks have changed the market to some extent. Flat-fee structures make it less expensive to transfer larger sums of money: The average fee to send $400 to Mexico is 4.4 percent. And some of their products and services are cheaper than other transfer methods. But the banks remain hampered by many immigrants' lack of familiarity with formal banks and financial services as well as by other obstacles - like the small cash-machine networks and bank branch systems of Mexico and other Latin American countries, which seldom extend into rural areas.

Manuel Orozco, a remittance expert at Georgetown University who put together the report for Pew, said that U.S. banks had been aggressively pursuing the business for only about three years and were still learning how to gain new customers.

"The cost will fall," Orozco said, "as banks attract more customer deposits and so they can finance the transfers."

The New York Times

Posted by iang at 08:29 AM | Comments (0) | TrackBack

June 17, 2004

Not news - AV producers slip as Microsoft "competes"

Sometimes you see a business pattern like this: A company or government doesn't do its job. So up springs a service sector to fill the gap. After a while, everyone starts to think that's the natural state of affairs, but the canny business types know that these service providers are very vulnerable.

Such is the case here [1]. When Microsoft started talking about providing its own anti-virus product, shares in Symantec and presumably other anti-virus (AV) producers started sliding.

Hey ho, where's the news? Microsoft delivers a product that is weak on the security side, and strong on the user side. Now they've started working on security, and the turnaround has been painful and noisy, if not exactly measurable in progress terms.

Any investor in Symantec or any similar anti-virus producer must have been able to connect the dots in Bill Gates' famous memo, from security to viruses. Of course the mission would include reducing the vulnerability to viruses, and of course there would be some serious thought to two possibilities: writing the code such that viruses aren't a threat (why do we need to say this?) and creating an in-house AV product so the synergies could be exploited.

The latter is a stop-gap measure. But so is Symantec's anti-virus division: it's only there because Microsoft don't write good code. The day they stop this egregious practice is the day that we no longer need Symantec to take $100 out of our pocket for Microsoft's laziness.

Of course, the state of understanding in the security industry is woefully underscored by the claim that Microsoft needs to sell it separately rather than bundle it. Since when is it anti-trust to deliver a secure product? And, who in Microsoft legal hasn't worked out that if they sell on the one hand a broken product, and on the other a fix for the same, the class action attorneys are going to skip breakfast to get that one filed?

[1] http://www.thestreet.com/tech/ronnaabramson/10166284.html
Symantec Wobbled by Microsoft Threat



Symantec Wobbled by Microsoft Threat

By Ronna Abramson TheStreet.com Staff Reporter 6/16/2004 2:47 PM EDT

Shares of Symantec (SYMC:Nasdaq - news - research) continued their recent slide Wednesday amid more definitive news that Microsoft (MSFT:Nasdaq - news - research) plans to enter its thriving antivirus software market.

Shares of security titan Symantec were recently down $1.60, or 3.8%, to $40.82. The stock has shed about 7% since Friday's close, while the Nasdaq Composite has inched down less than 0.5% during the same period.

Shares of security rival Network Associates (NET:NYSE - news - research), another beneficiary of virus outbreaks, have declined 2.6% since Friday. Shares were recently down 20 cents, or 1.2%, at $16.72. Microsoft stock was recently off 17 cents, or 0.6%, to $27.24.

Thanks to the anti-virus market, Symantec defied the economic downturn as other tech names were struggling. In April, the company's stock hit an all-time intraday high of $50.88.

But Symantec shares began to tumble Monday after wire services wrote that Mike Nash, chief of Microsoft's security business unit, said at a dinner with reporters that the world's largest software maker is developing its own anti-virus products that will compete against Symantec and Network Associates.

"We're still planning to offer our own [antivirus] product," Reuters quoted Nash as saying.

Those comments came just two weeks after another Microsoft executive, Rich Kaplan, corporate vice president of security business and technology marketing, said the company was still undecided about what it would do with antivirus technology acquired last year from a Romanian security firm.

Kaplan was not available for comment Wednesday. Instead, Amy Carroll, director of Microsoft's security business and technology unit, confirmed Nash's comments and Microsoft's intentions to enter the antivirus space in a telephone interview Wednesday.

"What Mike said is not new," Carroll said. "Our plan is to offer an AV [antivirus] solution." The company has not yet announced a timeline for when the antivirus product will debut or details on exactly what shape it will take.

Microsoft plans to offer an antivirus product or service for a fee, but will not bundle it with its ubiquitous Windows operating system, she added.

Analysts have suggested that such bundling would undoubtedly raise antitrust eyebrows, given that Microsoft has been the subject of suits both in the U.S. and Europe, where regulators are still fighting the software behemoth over the bundling of its media player with Windows.

Observers have offered plenty of reasons why they believed Microsoft would not enter the field. Chris Bonavico, a portfolio manager with Transamerica Investment Management, has suggested one reason Microsoft will not jump into the space is because security is a services business that requires around-the-clock responses to new attacks, and Microsoft isn't a services company.

But Carroll said Wednesday that Microsoft already has a team called the Microsoft Security Response Center that monitors potential security threats to customers 24 hours a day, seven days a week.

Meanwhile, others have suggested consumers and enterprises will stick with third-party antivirus vendors even if Microsoft launches its own competing product, especially given Microsoft's spotty security record to date.

"In the consumer market, they [customers] may not be as savvy," said Tony Ursillo, an analyst with Loomis, Sayles & Co., which holds Symantec shares. But "I don't know if at least corporate customers will want to buy a product that patches the holes of another product sold by the same company."

"I think it will be tricky" for Microsoft, Ursillo added.

Posted by iang at 02:58 AM | Comments (4) | TrackBack

June 15, 2004

Phishing an epidemic, Browsers still snoozing

Phishing, the sending of spoof emails to trick you into revealing your browser login passphrase, now seems to be the #1 threat to Internet users. A dubious award, indeed. An article in the New York Times claims that online identity theft caused damages of $5 billion worldwide, while spamming was a mere $3.5 billion [1]. That was last year, and phishing was just a sniffle then. Expect something like 20-30 billion this year in phishing, as now, we're facing an epidemic [2].

That article also mentions that 5-20% of these emails work - the victim clicks through using that nice browser-email feature and enters their hot details into the bogus password harvesting site.

Reported elsewhere today [3]:

"Nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months, according to a soon-to-be released survey by market research group Gartner. Consumers reported an average loss per incident of $1,200, pushing total losses higher than $2 billion for the year."
"Gartner researcher Avivah Litan blamed online banking for most of the problem."

A recent phishing case in a Texas court gave something like $200 damages per victim [4]. That's a court case - so the figures can have some credibility. The FTC reports an average loss rate of about $5300 per victim for all identity theft [5].

So we are clearly into the many many millions of dollars of damage. It is not out of the question that we are reaching for the billion dollar mark, especially if we add in the associated costs. The FTC reported about $53b of losses last year; while most of identity theft is non-Internet related, it only needs to be 10% of total identity theft to look like the NYT's figure of $5bn, above.

Let's get our skepticisms up front here: I don't believe these figures. Firstly, they are reported quite loosely, with no backing. There is no pretence at academic seriousness. Secondly, they seem to derive from a bunch of vested interest players, such as mi2g.com and AFWG.org (both being peddlers of some sort of solution). Oh, and here's another group [6].

We know that there is a shortage of reliable figures to go on. Having said that, even if the figures are way off, we still have a conclusion:

This is real money, folks!

Wake up time! This is actual fraud, money being taken from real average Internet users, people who download the email programs and browsers and web servers that many of us worked on and used. Forget the hypothetical attacks postulated by Internet security experts a decade or so back. Those attacks were not real, they were a figment of some academic's imagination.

The security model built in to standard browsing is broken. Get over it, guys.

Every year, since 2003, Americans will lose more money than was ever paid out to CAs for those certificates to protect them from MITM [7]. By the end of this year, Americans will have been defrauded - I predict - to the same extent as Verisign's peak in market cap.

The secure browser falls to the MITM three ways that I know of - phishing, click thru syndrome, and substitute CA.

The new (since 2002) phishing attack is a classical MITM that breaches secure browsing. This attack convinces some users to go to an MITM site. It's what happens when a false sense of security goes on too long. The fact that secure browsing falls to the MITM is unfortunate, but what's really sad is that the Internet security community declines to accept the failure of the SSL/CA/secure browsing model.

Until this failure is recognised, there is no hope of moving on: What needs to be done is to realise that the browser is the front line of defence for the user - it's the only agent that knows anything about the user's browsing activity, and it's the only agent that can tell a new spoof site from an old, well-used and thus trusted site.

Internet security people need to wind the clock forward by about a decade and start thinking about how to protect ordinary Internet users from the billions of dollars being taken from their pockets. Or not, as the case may be. But, in the meantime, let's just accept that the browser has a security model worth diddly squat. And start thinking about how to fix it.

[1] New York Times, Online crime engenders a new hero: cybersleuth, 11th June 2004. (below)
[2] Epidemic is defined as more than one article on an Internet fraud in Lynn Wheeler's daily list.
http://seattlepi.nwsource.com/business/apbiz_story.asp?category=1310&slug=Japan%20Citibank
http://www.epaynews.com/index.cgi?survey=&ref=browse&f=view&id=1087301938622215212&block=
Florida cartel stole identities of 1100 cardholders
http://www.msnbc.msn.com/id/5184077/
[3] http://www.msnbc.msn.com/id/5184077/
Survey: 2 million bank accounts robbed
[4] http://www.financialcryptography.com/mt/archives/000129.html
"Cost of Phishing - Case in Texas"
[5] http://www.ftc.gov/opa/2003/09/idtheft.htm
FTC Releases Survey of Identity Theft in U.S.
[6] http://www.reuters.com/financeNewsArticle.jhtml?type=governmentFilingsNews&storyID=5429333&section=investing
Large companies form group to fight "phishing"
[7] Identity Theft - the American Disease
http://www.financialcryptography.com/mt/archives/000146.html


Online crime engenders a new hero: cybersleuth
Christopher S. Stewart NYT

Friday, June 11, 2004

A lot of perfectly respectable small businesses are raking in money from Internet fraud.

From identity theft to bogus stock sales to counterfeit prescription drugs, crime is rife on the Web. But what has become the Wild West for savvy cybercriminals has also developed into a major business opportunity for cybersleuths.

The number of security companies that patrol the shady corners of the virtual world is small but growing.

"As more and more crime is committed on the Internet, there will be growth of these services," said Rich Mogull, research director for information security and risk at Gartner, a technology-market research firm in Stamford, Connecticut.

ICG, a Princeton, New Jersey, company founded in 1997, has grown to 35 employees and projected revenue of $7 million this year from eight employees and $1.5 million in revenue just four years ago, said Michael Allison, its founder and chief executive.

ICG, which is licensed as a private investigator in New Jersey, tracks down online troublemakers for major corporations around the world, targeting spammers and disgruntled former employees as well as scam artists, using both technology and more traditional cat-and-mouse tactics.

"It's exciting getting into the hunt," said Allison, a 45-year-old British expatriate. "You never know what you're going to find. And when you identify and finally catch someone, it's a real rush."

According to Mi2g, a computer security firm, online identity theft last year cost businesses and consumers more than $5 billion worldwide, while spamming drained $3.5 billion from corporate coffers. And those numbers are climbing, experts say.

"The Internet was never designed to be secure," said Alan Brill, senior managing director at Kroll Ontrack, a technology services provider that was set up in 1985 by Kroll Associates, an international security company based in New York. "There are no guarantees."

Kroll has seven crime laboratories around the world and is opening two more in the United States because of the growing demand for such work.

ICG clients, many of whom Allison will not identify because of privacy agreements, include pharmaceutical companies, lawyers, financial institutions, Internet service providers, digital entertainment groups and telecommunication giants.

One of the few cases that ICG can talk about is a spamming problem that happened a few years ago at Ericsson, the Swedish telecommunications company. Hundreds of thousands of e-mail messages promoting a telephone-sex service inundated its servers hourly, crippling the system.

"They kept trying to filter it out," said Jeffrey Bedser, ICG chief operating officer. "But the spam kept on morphing and getting around the filter."

Bedser and his team plugged the spam message into search engines and located other places on the Web where it appeared. Some e-mail addresses turned up, which led to a defunct e-fax Web site. And that Web site had in its registry the name of the spammer, who turned out to be a middle-aged man living in the Georgetown section of Washington.

Several weeks later, the man was sued. He ultimately agreed to a $100,000 civil settlement, though he didn't go away, Bedser said.

"The guy sent me an e-mail that said, 'I know who you are and where you are,'" Bedser recalled. "He also signed me up for all kinds of spam and I ended up getting flooded with e-mail for sex and drugs for the next year."

Allison says ICG's detective work is, for the most part, unglamorous, involving mostly sitting in front of computers and "looking for ones and zeros." Still, there are some private-eye moments. Computer forensic work, for instance, takes investigators to corporate offices all over America, sometimes in the dead of night.

Searching through the hard drives of suspects - always with a company lawyer or executive present - the investigators hunt for "vampire data," or old e-mails and documents that the computer users thought they had deleted long ago.

In some cases, investigators have to be a little bit sneaky themselves. Once, an ICG staffer befriended a suspect in a "pump-and-dump" scheme - in which swindlers heavily promote a little-known stock to get the price up, then sell their holdings at artificially high prices - by chatting with him electronically on a chess Web site.

The Internet boom almost guarantees an unending supply of cybercriminals. "They're like mushrooms," Allison said.

Right now, the most crowded fields of criminal activity are the digital theft of music and movies, illegal prescription-drug sales and "phishers," identity thieves who pose as representatives of financial institutions and send out fake e-mails to people asking for their account information. The Anti-Phishing Working Group, an industry association, estimates that 5 percent to 20 percent of recipients respond to these phony e-mails.

In 2003, 215,000 cases of identity theft were reported to the Federal Trade Commission, an increase of 33 percent from the year before.

This bad news for consumers is a growth opportunity for ICG. "The bad guys will always be out there," Allison said. "But we're getting better and better. And we're catching up quickly."

The New York Times

Posted by iang at 07:24 PM | Comments (3) | TrackBack

June 12, 2004

WYTM - who are you?

The notion of WYTM ("what's your threat model?") is the starting point for a lot of analysis in the cryptographic world. Accepted practice has it that if you haven't done the WYTM properly, the results will be bad or useless.

Briefly, the logic goes, if you don't understand the threats that you are trying to secure against, then you will likely end up building something that doesn't cover those threats. Because security is hard, it's complex, and it is so darn easy to get drawn down the wrong path. We saw this in secure browsing, and the results are unfortunate [1].

So we need a methodology to make sure the end result justifies the work put in. And that starts with WYTM: identify your threats, categorise and measure their risks & costs. Then, when we construct the security model, we decide what risks we can afford to cover, and which ones we can't.

But some systems seem to defy that standard security modelling. Take, for example, email.

It is difficult to identify a successful email security system; it's one of those areas that seems so obvious it should be easy, but email to date remains deplorably unprotected.

It could well be that the fault for this lies in WYTM. The problem is rather blatant when pointed out: who is the "you" in "what's your threat model?"

Who is it we are talking about when we decide to protect someone? All systems of computing include lots of users, but most of them generally have something in common: they work in a firm or they are users of some corporate system, for example. At least, when going to the effort of building a crypto system, there is generally enough commonality to construct a viable model of who the target user is.

This doesn't work for email - "who" changes from person to person, it includes near a billion parties, and many more combinations. What's more, the only commonality seems to be that they are humans, and even that assumption is a little weak given all the automatic senders of email.

The guys who wrote the original email system, and indeed the Internet, cottoned on to one crucial point here: there is no permission needed and no desire to impose the sort of structure that would have made profiling of the user plausible.

No profile of "who" may mean no WYTM.

For example, when Juan sends sexy email to Juanita, it has a very different threat model to when legal counsel sends email to a defendant. Consider contracts flying between trading partners. Or, soon-to-be-divorcees searching for new partners via dating agencies.

Or ... the list goes on. There is literally no one threat model that can deal with this, as the uses are so different, and some of the requirements are diametrically opposed: legal wants the emails escrowed, and authenticated, whereas dating women consider their anonymity and untraceability valuable.

Seen in this light, there isn't one single threat model. Which means either we develop the threat model to end all threat models (!) or we have lots of different threat models.

It is clearly intractable to develop one single threat model, and it quite possibly is intractable to develop a set of them.

So what is a poor cryptoplumber to do? Well, in the words of Sherlock Holmes, "when you have eliminated the impossible, whatever remains, however improbable, must be the truth."

For some systems, WYTM is simply inadequate. What then must we do? Design without WYTM.

With no threat model to hand, we need a new measure to judge whether to include a given protection or not. About the only answer that I can come up with is based on economic criteria.

In building email security, nobody is paying us for it, so whatever is good and free should be used. This is opportunistic cryptography: protect what you can for free, or for cheap, and worry about the rest later.

In email terms, this would involve:

* tunnelling over SSH to SMTP servers,
* implementing STARTTLS, with self-signed certs
* implementing PGP-enabled gateways like the "Universal" product and many forerunners
* and more...

By definition, there are gaps. But with opportunistic cryptography, we don't so much worry about that, because what we are doing is free anyway.
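As an added illustration of the STARTTLS item above (this is not from the original post), here is a Postfix main.cf fragment that turns on opportunistic TLS in both directions. It assumes Postfix 2.3 or later; the file paths are placeholders.

```ini
# Added example, not from the original post: opportunistic STARTTLS in Postfix main.cf.
# Assumes Postfix 2.3+. Paths are placeholders. Postfix does not allow trailing
# comments after a value, so every comment sits on its own line.

# --- The weak setting: no TLS at all, every hop travels in cleartext ---
# smtp_tls_security_level = none
# smtpd_tls_security_level = none

# --- Opportunistic setting: "may" means use TLS when the peer offers it, else plaintext ---
# Outbound: if the remote MX advertises STARTTLS, use it. No certificate verification
# happens at this level, so it stops passive eavesdropping but not an active MITM.
smtp_tls_security_level = may

# Inbound: advertise STARTTLS to connecting clients; they may or may not take it up.
smtpd_tls_security_level = may

# A self-signed certificate is enough for "may", since peers do not verify it.
smtpd_tls_cert_file = /etc/postfix/tls/selfsigned-cert.pem
smtpd_tls_key_file = /etc/postfix/tls/selfsigned-key.pem

# Make the gaps visible: record in the Received: header and in the log whether
# each hop was protected, so unencrypted deliveries can be found later.
smtpd_tls_received_header = yes
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

# Where a real relationship exists (a trading partner, say), close the gap for that
# domain only: a per-destination policy can require TLS and verify the peer's
# certificate against a CA you trust, while everything else stays opportunistic.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/postfix/tls/partner-ca.pem
```

The tls_policy file maps a destination domain to a level, for example `partner.example secure`, and must be compiled with postmap before Postfix reads it. Only entries in that map are protected against an active attacker; every other destination gets the "free" protection and nothing more.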

[1] WYTM?

Posted by iang at 05:51 AM | Comments (4) | TrackBack

June 10, 2004

Big and Brotherly

The White House administration has apparently defied the US Congress and kept the controversial "Total Information Awareness" going as a secret project. A politics journal called Capitol Hill Blue has exposed what it claims is the TIA project operating with no change.

Whether this is all true, or just another anti-Bush story by Democrat apologists in the leadup to the election, is all open to question. Republican apologists can now chime in on cue. While they are doing that, here are some of the impressive claims of monitoring of the US citizen's habits:

  • cellphone calls, indexed by serial numbers, matched with billing records
  • key word monitoring - the old echelon thing
  • use of private contractors to get around prohibitions on federal spying
  • trains, planes, and automobiles. Oh, and hotels reservations.
  • satellite TV - program purchases on adult movies reported to DOJ.

If you're looking for the fire, that's an awful lot of smoke. What does all this mean? Well, for one, it should start to put pressure on the open source crypto community to start loosening up. Pretty much all of that can be covered using free and easy techniques that have otherwise been eschewed for lack of serious threat models. I speak of course of using opportunistic cryptography to get protection deployed as widely as possible.

This could take us back to the halcyon days of the 90s, when the open source community fought with the dark side to deploy crypto to all. A much more noble battle than today's windmill tilting against credit card thieves and other corporately inspired woftams. We didn't, it seems, succeed in protecting many people, as crypto remains widely undeployed, and where it is deployed, it is of uncertain utility. But, we're older and wiser now. Maybe it's time for another go.



From Capitol Hill Blue

What Price Freedom?
How Big Brother Is Watching, Listening and Misusing Information About You
By TERESA HAMPTON & DOUG THOMPSON
Jun 8, 2004, 08:19

You're on your way to work in the morning and place a call on your wireless phone. As your call is relayed by the wireless tower, it is also relayed by another series of towers to a microwave antenna on top of Mount Weather between Leesburg and Winchester, Virginia and then beamed to another antenna on top of an office building in Arlington where it is recorded on a computer hard drive.

The computer also records your phone's digital serial number, which is used to identify you through your wireless company phone bill that the Defense Advanced Research Projects Agency already has on record as part of your permanent file.

A series of sophisticated computer programs listens to your phone conversation and looks for "keywords" that suggest suspicious activity. If it picks up those words, an investigative file is opened and sent to the Department of Homeland Security.

Congratulations. Big Brother has just identified you as a potential threat to the security of the United States because you might have used words like "take out" (as in taking someone out when you were in fact talking about ordering takeout for lunch) or "D-Day" (as in deadline for some nefarious activity when you were talking about going to the new World War II Memorial to recognize the 60th anniversary of D-Day).

If you are lucky, an investigator at DHS will look at the entire conversation in context and delete the file. Or he or she may keep the file open even if they realize the use of words was innocent. Or they may decide you are, indeed, a threat and set up more investigation, including a wiretap on your home and office phones, around-the-clock surveillance and much closer looks at your life.

Welcome to America, 2004, where the actions of more than 150 million citizens are monitored 24/7 by the TIA, the Terrorist Information Awareness (originally called Total Information Awareness) program of DARPA, DHS and the Department of Justice.

Although Congress cut off funding for TIA last year, the Bush Administration ordered the program moved into the Pentagon's "black bag" budget, which is neither authorized nor reviewed by the Hill. DARPA also increased the use of private contractors to get around privacy laws that would restrict activities by federal employees.

Six months of interviews with security consultants, former DARPA employees, privacy experts and contractors who worked on the TIA facility at 3701 Fairfax Drive in Arlington reveal a massive snooping operation that is capable of gathering - in real time - vast amounts of information on the day to day activities of ordinary Americans.

Going on a trip? TIA knows where you are going because your train, plane or hotel reservations are forwarded automatically to the DARPA computers. Driving? Every time you use a credit card to purchase gas, a record of that transaction is sent to TIA which can track your movements across town or across the country.

Use a computerized transmitter to pay tolls? TIA is notified every time that transmitter passes through a toll booth. Likewise, that lunch you paid for with your VISA becomes part of your permanent file, along with your credit report, medical records, driving record and even your TV viewing habits.

Subscribers to the DirecTV satellite TV service should know - but probably don't - that every pay-per-view movie they order is reported to TIA as is any program they record using a TiVo recording system. If they order an adult film from any of DirecTV's three SpiceTV channels, that information goes to TIA and is, as a matter of policy, forwarded to the Department of Justice's special task force on pornography.

"We have a police state far beyond anything George Orwell imagined in his book 1984," says privacy expert Susan Morrissey. "The everyday lives of virtually every American are under scrutiny 24-hours-a-day by the government."

Paul Hawken, owner of the data information mining company Groxis, agrees, saying the government is spending more time watching ordinary Americans than chasing terrorists and the bad news is that they aren't very good at it.

"It's the Three Stooges go to data mining school," says Hawken. "Even worse, DARPA is depending on second-rate companies to provide them with the technology, which only increases the chances for errors."

One such company is Torch Concepts. DARPA provided the company with flight information on five million passengers who flew Jet Blue Airlines in 2002 and 2003. Torch then matched that information with social security numbers, credit and other personal information in the TIA databases to build a prototype passenger profiling system.

Jet Blue executives were livid when they learned how their passenger information, which they must provide the government under the USA Patriot Act, was used and when it was presented at a technology conference with the title: Homeland Security - Airline Passenger Risk Assessment.

Privacy Expert Bill Scannell didn't buy Jet Blue's anger.

"JetBlue has assaulted the privacy of 5 million of its customers," said Scannell. "Anyone who flew should be aware and very scared that there is a dossier on them."

But information from TIA will be used by the DHS as a major part of the proposed CAPPS II airline passenger monitoring system. That system, when fully in place, will determine whether or not any American is allowed to get on an airplane for a flight.

JetBlue requested the report be destroyed and the passenger data be purged from the TIA computers but TIA refuses to disclose the status of either the report or the data.

Although exact statistics are classified, security experts say the U.S. Government has paid out millions of dollars in out-of-court settlements to Americans who have been wrongly accused, illegally detained or harassed because of mistakes made by TIA. Those who accept settlements also have to sign a non-disclosure agreement and won't discuss their cases.

Hawken refused to do business with DARPA, saying TIA was both unethical and illegal.

"We got a lot of e-mails from companies - even conservative ones - saying, 'Thank you. Finally someone won't do something for money,'" he adds.

Those who refuse to work with TIA include specialists from the super-secret National Security Agency in Fort Meade, MD. TIA uses NSA's technology to listen in on wireless phone calls as well as the agency's list of key words and phrases to identify potential terrorist activity.

"I know NSA employees who have quit rather than cooperate with DARPA," Hawken says. "NSA's mandate is to track the activities of foreign enemies of this nation, not Americans."

© Copyright 2004 Capitol Hill Blue

Posted by iang at 04:57 PM | Comments (7) | TrackBack

June 09, 2004

Compliance Persons Of The Year

I'm not one for awards, as I usually see them as a career destroyer. But these ones are fun - their careers are already destroyed in the name of truth, justice, etc.

I refer of course to the mutual funds scandal. It has been a bit of an eye-opener for me, partly because of the dirt that was exposed, and partly because so many forces were arrayed against fixing the mess. It's known, for example, that regulators knew the game, but "could not do anything about it."

In a surprise move, Compliance Reporter, an industry governance magazine, has decided to give the so-called whistleblowers - Harrington, Nesfield and Goodwin - its award of "Compliance Persons of the Year." While the press were busy digging up dirt on these guys to make them appear like evil participants (in some cases, to directly move attention away from the real evil participants, and in others, because it just made for a better story and they didn't understand the scam anyway), here is a group that recognises the rot in the system, and says:

"Though not compliance officers, Harrington, Nesfield and Goodwin's actions had more impact on the mutual fund industry than anyone's ..."

Eliot Spitzer also picked up the award for "Regulator of the Year." Equally controversial, and equally poignant. You have to hand it to these Compliance Reporter guys - they know how to point out that the rest of the industry ain't worth diddly squat when it comes to governance.

Fuller blurbs follow, FTR:




Compliance Persons Of The Year
May 21, 2004
Noreen Harrington, James Nesfield, Andrew Goodwin,
informants, The Canary Capital Partners case


Harrington, Nesfield, and Goodwin sounded the alarm on mutual fund trading abuses by bringing the massive improprieties at Canary Capital Partners to light. By doing so they opened the door for New York Attorney General Eliot Spitzer, and eventually the Securities and Exchange Commission, to cast their nets on the mutual fund industry. Harrington is a "gutsy gal," said a Washington, D.C.-based securities lawyer. Though not compliance officers, Harrington, Nesfield and Goodwin's actions had more impact on the mutual fund industry than anyone's, the lawyer said. The informants are credited with being the catalysts for a complete ethical makeover of the entire industry. As Vanguard Group founder and former CEO John Bogle put it in a recent speech, "The shareholder is the raison d'etre for this industry's existence."

Harrington, whose job at Stern Asset Management was to distribute the Stern family's money to other investment funds, was the first to tell Spitzer's office about Canary Capital's trading irregularities. In June, she informed the Attorney General that Canary was parking investments in mutual funds in exchange for being allowed to rapidly trade other funds--also known as market timing. She also told the Attorney General's office that Canary had engaged in illegal late trading--the practice of executing trades at same-day prices after the 4 p.m. close.

Goodwin was a senior trader at Canary Capital, and Nesfield was a back-office consultant hired by Canary to recruit mutual fund companies that would let the hedge fund market-time their funds. Neither was on Canary's payroll when Harrington contacted Spitzer. Nesfield and Goodwin became informants in detailing Canary's abuses once Spitzer launched the investigation, and Spitzer's office acknowledged Harrington's and the informants' roles in the probe.

Harrington, Nesfield, and Goodwin's actions have opened the door to reforms that will keep continuing, said Donald Weiss, partner at Bell, Boyd & Lloyd in Chicago. As another lawyer added, there is just nothing like "a good squeal." Harrington and Goodwin's whereabouts are unknown. Nesfield lives in North Carolina and makes a living installing piers and working on fishing boats.



Regulator Of The Year
May 21, 2004
Eliot Spitzer, New York Attorney General


In early September, Spitzer grabbed the mutual fund industry by the horns and ushered in an age of regulation the likes of which the industry had not seen in more than half a century. "The mutual fund industry is presently undergoing its most thorough transformation since the enactment of the 1940 Act," said Mitch Herr, partner at Holland & Knight in Miami and a litigator who represents securities firms. "No one could reasonably disagree that this entire process arises out of Spitzer's seminal investigation into Canary Capital [Partners] and the various market participants who allowed it to engage in late trading and market timing," said Herr. "Spitzer has been instrumental in identifying systemic problems in the securities industry that need to be addressed by the entire regulatory community."

In early September, Spitzer's office brought a case against hedge fund Canary Capital for market timing and late trading in several mutual funds. It was a case that will live in financial history as the opening battle in the war on fraudulent mutual fund trading practices. "There is no doubt that Eliot Spitzer was the primary catalyst in what resulted in the biggest mutual fund scandal and reform effort in history," said David Tittsworth, executive director of the Investment Counsel Association of America. After the Canary case, the Securities and Exchange Commission, the NASD and the Attorney General of Massachusetts brought charges against mutual funds and individuals who engaged in the trading practices.

"Spitzer certainly deserves recognition for his vigorous intervention into the securities enforcement arena," said C. Evan Stewart, partner with Brown Raysman Millstien Felder & Steiner in New York. "Whether all of his efforts are consistent with the primacy of the federal securities laws and whether all of his prosecutions have been interposed consistent with public policy, however, remain to be seen." Spitzer has received his share of criticism for attempting to regulate mutual fund fees and for not acting in concert with federal regulators such as the SEC. In spite of the controversy, many feel Spitzer has succeeded in his crusade to improve the markets and investor confidence. "[Whether you] agree with him or not, the fact is the public investor sleeps better at night as a result of Spitzer's recent actions," said Bill Singer, partner with Gusrae Kaplan & Bruno in New York.

Posted by iang at 10:02 AM | Comments (0) | TrackBack

June 07, 2004

New public DRM technique from the Central Banks

Over in the UK, Bob Hettinga reports on an article in the Observer about how the EU legislators are preparing to mandate software and hardware to reject images of banknotes. Ya gotta hand it to the Europeans, they love fixing things with directives. Here's the technique:

"The software relies on features built into leading currencies. Latest banknotes contain a pattern of five tiny circles. On the £20 note, they're disguised as a musical notation, on the euro they appear in a constellation of stars; on the new $20 note, the pattern is hidden in the zeros of a background pattern. Imaging software or devices detect the pattern and refuse to deal with the image."

I think this is a great idea. I think we should all adopt this DRM technique for our imagery, and use the 5 circle pattern to stop people copying our logos, our holiday snaps, and our bedroom pictures posted on girlfriend swap sites.

The best part is that, as the pattern is part of the asset base of the governments, we the people already own it.
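An added example, written for this post and not the Counterfeit Deterrence Group's software: a toy detector that finds the small blobs in a text-rendered image and refuses the image when five of them reproduce a reference constellation, whatever its position, rotation or scale. The five-point geometry, the blob-size limits and the tolerance are assumptions; the article gives none of them.

```python
from itertools import combinations
from math import dist

# Assumed reference geometry (x, y), constructed for this example; the
# article does not give the real currency pattern's geometry.
REFERENCE = [(0, 0), (8, 1), (4, 4), (12, 5), (2, 8)]
MIN_BLOB, MAX_BLOB = 3, 8   # pixel counts accepted as a "tiny circle"
TOLERANCE = 0.05            # allowed deviation in the normalised signature

def signature(points):
    """Sorted pairwise distances divided by the largest: unchanged by
    translation, rotation or uniform scaling of the five points."""
    d = sorted(dist(p, q) for p, q in combinations(points, 2))
    return [x / d[-1] for x in d]

REF_SIG = signature(REFERENCE)

def blobs(image):
    """4-connected components of '#' pixels as (size, centroid) pairs."""
    h, w = len(image), len(image[0])
    seen, found = set(), []
    for y0 in range(h):
        for x0 in range(w):
            if image[y0][x0] != '#' or (x0, y0) in seen:
                continue
            stack, pixels = [(x0, y0)], []
            seen.add((x0, y0))
            while stack:                      # iterative flood fill
                x, y = stack.pop()
                pixels.append((x, y))
                for nx, ny in ((x + 1, y), (x - 1, y), (x, y + 1), (x, y - 1)):
                    if (0 <= nx < w and 0 <= ny < h and image[ny][nx] == '#'
                            and (nx, ny) not in seen):
                        seen.add((nx, ny))
                        stack.append((nx, ny))
            cx = sum(p[0] for p in pixels) / len(pixels)
            cy = sum(p[1] for p in pixels) / len(pixels)
            found.append((len(pixels), (cx, cy)))
    return found

def should_refuse(image):
    """The article's policy: refuse the image when any five small blobs
    reproduce the reference geometry (large blobs are ignored as artwork)."""
    dots = [c for size, c in blobs(image) if MIN_BLOB <= size <= MAX_BLOB]
    for five in combinations(dots, 5):
        sig = signature(five)
        if all(abs(a - b) <= TOLERANCE for a, b in zip(sig, REF_SIG)):
            return True
    return False

def render(width, height, centres, extra=()):
    """Constructed test image: every centre becomes a 5-pixel cross; 'extra'
    pixels stand in for unrelated artwork that must not trigger a refusal."""
    grid = [['.'] * width for _ in range(height)]
    crosses = [(cx + dx, cy + dy) for cx, cy in centres
               for dx, dy in ((0, 0), (1, 0), (-1, 0), (0, 1), (0, -1))]
    for x, y in list(extra) + crosses:
        grid[y][x] = '#'
    return [''.join(row) for row in grid]

if __name__ == '__main__':
    # the pattern at twice the reference scale, plus a 6x4 block of "artwork"
    note = render(40, 24, [(2 * x + 3, 2 * y + 2) for x, y in REFERENCE],
                  extra=[(x, y) for x in range(30, 36) for y in range(18, 22)])
    print('\n'.join(note))
    print('refuse' if should_refuse(note) else 'allow')
```

Because the check is on normalised distances, recolouring or resizing the image does not defeat it, but any edit that moves one circle relative to the others does, which is the brittleness to expect from a marker of this kind.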



Security clampdown on the home PC banknote forgers

Banks win EU support for software blocks to tackle the cottage counterfeiters
Tony Thompson, crime correspondent - Observer
Sunday June 6, 2004

Computer and software manufacturers are to be forced to introduce new security measures to make it impossible for their products to be used to copy banknotes.

The move, to be drafted into European Union legislation by the year end, follows a surge in counterfeit currency produced using laser printers, home scanners and graphics software. Imaging software and printers have become so powerful and affordable that production of fake banknotes has become a booming cottage industry.

Though counterfeiters are usually unable to source the specialist paper on which genuine banknotes are printed, many are being mixed in with genuine notes in high volume batches. The copies are often good enough to fool vending machines. By using a fake £20 note to purchase a £2 rail fare, the criminal can take away £18 in genuine change.

Although the Bank of England refuses to issue figures for the number of counterfeit notes in circulation and insists they represent a negligible fraction of notes issued, it also admits fakes are on the increase.

Anti-counterfeiting software developed by the Central Bank Counterfeit Deterrence Group, an organisation of 27 leading world banks including the Bank of England, has been distributed free of charge to computer and software manufacturers since the beginning of the year. At present use of the software is voluntary though several companies have incorporated it into their products.

The latest version of Adobe Photoshop, a popular graphics package, generates an error message if the user attempts to scan banknotes of main currencies. A number of printer manufacturers have also incorporated the software so that only an inch or so of a banknote will reproduce, to be followed by the web address of a site displaying regulations governing the reproduction of money.

The software relies on features built into leading currencies. Latest banknotes contain a pattern of five tiny circles. On the £20 note, they're disguised as a musical notation, on the euro they appear in a constellation of stars; on the new $20 note, the pattern is hidden in the zeros of a background pattern. Imaging software or devices detect the pattern and refuse to deal with the image.

Certain colour copiers now come loaded with software that detects when a banknote has been placed on the glass, and refuses to make a copy or produces a blank sheet.

Researchers at Hewlett Packard are to introduce technology that would allow printers to detect colours similar to those used in currency. The printer will automatically alter the colour so that the difference between the final product and a genuine banknote will be easily detectable by the naked eye.

Adobe acted after it emerged that several counterfeiting gangs had used Photoshop to manipulate and enhance images. The security feature, which is not mentioned in any product documentation, has outraged users who say it could interfere with genuine artistic projects. There were also concerns that the software would automatically report duplication attempts to the software company or police via the internet.

A spokesman for the National Criminal Intelligence Service said criminals traditionally used offset lithographic printing for counterfeiting. 'Developments in electrostatic photocopying equipment, together with advances in computer and reprographic technology, have led to a rise in the proportion of counterfeit notes produced in a domestic environment. The use of this technology generally results in a lower quality counterfeit, although this varies according to the skill of the counterfeiter and the equipment and techniques used.'

Although some countries, most notably America, allow reproduction of banknotes for artistic purposes if they are either significantly larger or smaller than the real thing, in the UK it is a criminal offence to reproduce 'on any substance whatsoever, and whether or not on the correct scale', any part of any Bank of England banknote.

Guardian Unlimited © Guardian Newspapers Limited 2004

Posted by iang at 04:44 AM | Comments (8) | TrackBack

June 04, 2004

Trust Cannot be Outsourced

The PKI sector successfully pushed the notion that trust could be outsourced. This was a marketing claim that was never quite shown to be the case, in that PKI itself never delivered a workable business model. So maybe the PKI vendors will bounce back in another life, and show us what they meant.

I think not. Outsourcing trust to a PKI vendor is like outsourcing taste to a brewery; you may as well let the brewer drink the beer for you.

This conundrum should be obvious to any serious business person. It is possible to outsource process, and it is possible to outsource substantial elements of due diligence (DD). But in the end, you make the decision, and the document you get from some rating agency is just one input into the full process.

The credit ratings agencies are perhaps the best example. Do they do your trust for you? No, not really. They provide a list of the customer's credit events. As well as that useful input to the process, a good business conducts other checks. A forecourt - a car seller - might check the driver's licence, and it might pay more attention to some things on the credit report than others. Car dealers make assessments of integrity by looking at and talking to the person. And ultimately they trust in the courts, police and driver and vehicle registration people to provide limits.

There's an easy test. If the trust is outsourced to a firm, the firm can make the decision for you. Does the credit agency decide to sell a car on credit? No chance. Does a third party PKI decide to let the customer in to transfer her life's savings? No way.

There are cases where decisions of trust are made entirely by other organisations. In which case, I'd suggest, the model is back to front. What's happened is that you've outsourced your business to the trust provider. Or, the decision maker has outsourced customer acquisition to you. That which owns the customer, is the business. You're now in the business of providing leads.

So if all this is true, why did PKI vendors make such a big deal of outsourcing trust? They weren't trying to put their customers out of business by acquiring their customers, that's for sure. No, it seems as if it was just another powerful marketing image. Also, as an evocative reason with no substance, it was a qualifier: if a customer "bought" the message that trust could be outsourced, they were likely to buy into PKI, also.

Posted by iang at 09:24 PM | Comments (0) | TrackBack