Reading an article on RFIDs, those wonderful little things that will surely be used for everything, next year (like smart cards), I came across this gem:
"Nokia (the largest cellphone manufacturer in the world) is about to release a cellphone that incorporates an RFID reader based on the ISO 14443 standard. The combination allows callers to scan posters and stickers that contain an embedded tag and buy the depicted products with the charge appearing automatically on their next phone bill."
Nokia have experimented with payment systems before, using their cellphones to bill for carwashes and cokes. This makes a lot of sense, as the mobile phone operators have the billing, the communications, and also a secure (to them) token in the hands of the consumer.
It's also in accord with Frank Trotter's observation that the three sectors best placed to develop new payment systems are telcos, couriers and ISPs. One to watch.
AlertBox, the soapbox of one Jakob Nielsen, has had enough of nonsense security prescriptions. Its 25th October entry says:
"Internet scams cannot be thwarted by placing the burden on users to defend themselves at all times. Beleaguered users need protection, and the technology must change to provide this."
Sacrilege! Infamy! How can this rebel break ranks to suggest anything other than selling more crypto and certs and solutions to the users?
Yet, others agree. Cory Doctorow says Nielsen is cranky, but educating the users is not going to solve security issues, and "our tools conspire against us to make us less secure...." Mitch Wagner agrees, saying that "much security is also too complicated for most users to understand."
And they all three agree on Nielsen's first recommendation:
"Encrypt all information at all times, except when it's displayed on the screen. In particular, never send plaintext email or other information across the Internet: anything that leaves your machine should be encrypted."
Welcome to the movement.
An article from Seattle Post-Intelligencer (??) has a nice view on the changing scene in Bank retail payment systems. These institutional pets have been changing slowly around the world based on marginal improvements and the occasional invention like the ATM. Then, in the early 90s, the Internet surfaced, and a chap called David Chaum said he could do it better on the net. No more sleepy changes within the club, as we saw a rush into half-baked solutions like SET, SSL and a string of 3-party closed systems.
Check 21 (century 21 - get it?) is the US effort to modernise American retail payments. A decade late(r), the Economist calls the effort half-hearted. One question confronting the Americans with their new Check 21 initiative is whether the consumer gets his "check" back. Here's how Bill Virgin describes it:
Check 21, the new federal law on processing paper payments, takes effect Thursday, making this an appropriate moment to ask this generation-defining question: Do you get your checks back?
If you are of a certain age, your response is more likely to be: "You bet I do. Having the checks is how I reconcile my statement and my checkbook every month, and in the event of a dispute, having the original check is crucial in proving that I made a payment and the check cleared."
Should your birthdays number a few less than those of the previous group, your response would be more along the lines of: "Oh, I used to, but it wasn't worth the bother and expense; I never used them, the information I need is on the statement and if I need a copy I can always order one."
Still younger, and the response would sound like: "You can get your checks back?"
And the youngest generational cohort, maybe one that hasn't reached banking age yet, might answer: "What's a check?"
To the rest of the world, this may need some explanation: American banking accounts deliver the stamped and settled cheques back in the mail, with the statement. It's a fat envelope, sometimes. So every month, you can use the original cheque to reconcile the statement.
Of course, the rest of the world probably did that once, too, but it was before my memory. Which would put it before the 70s I'd guess.
Getting back to David Chaum and his invention of digital cash, with his system there are no cheques. Only coins, which once settled were of no value. Not only was he replacing the paper, he was replacing the whole settlement concept.
It doesn't have to be all that drastic. Ricardo uses cheques as a form, as well as coins. In the cheque form, there is a digitally signed instruction to move value. In the coin form, it is a withdrawn token of value, perhaps using a blinding formula, perhaps not. When the settlement is done, the server returns a receipt, which again is signed. Digitally, you can have your cake and eat it too, then.
Which leaves one question: do you get your cheques back?
Of course you do. We wouldn't have it any other way, as otherwise you don't know if the Issuer is telling the truth. The cheque, or the coins, are part of the signed receipt, providing an end-to-end confirmation in one packet.
"Customers who want the checks back want the piece of paper, clearing and routing stamps and all, in hand. If there's a dispute about whether a payment was made, or a check cleared, they've got the paper to prove it. And they don't have to pay a fee to retrieve that piece of paper."
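Here is an added example in Go of the cheque-and-receipt packet described above (my illustration for this post, not Ricardo's code): the payer signs an instruction to move value, the issuer settles it and returns a receipt that embeds that signed cheque under the issuer's own signature, and the payer checks both the issuer's signature and that the cheque inside is the one it sent. Ed25519 signatures over a JSON encoding, the account names, and the nonce-based replay check are all assumptions of this example, not part of Ricardo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Cheque is the cheque form: an instruction to move value, signed by the payer.
type Cheque struct {
	From   string `json:"from"`
	To     string `json:"to"`
	Amount int64  `json:"amount"` // smallest unit of the issuer's asset
	Nonce  uint64 `json:"nonce"`  // stops one instruction settling twice
}

type SignedCheque struct {
	Cheque Cheque `json:"cheque"`
	Sig    []byte `json:"sig"` // payer's Ed25519 signature over JSON(Cheque)
}

// Receipt is the issuer's signed confirmation. It embeds the signed cheque whole,
// so the payer gets it back; Sig covers JSON(Receipt) with Sig set to nil.
type Receipt struct {
	Cheque  SignedCheque `json:"cheque"`
	Balance int64        `json:"balance"`
	Sig     []byte       `json:"sig,omitempty"`
}

func SignCheque(priv ed25519.PrivateKey, c Cheque) SignedCheque {
	msg, _ := json.Marshal(c) // struct fields encode in a fixed order
	return SignedCheque{Cheque: c, Sig: ed25519.Sign(priv, msg)}
}

// Issuer is the settlement server: registered keys, balances, spent nonces.
type Issuer struct {
	priv     ed25519.PrivateKey
	keys     map[string]ed25519.PublicKey
	balances map[string]int64
	seen     map[string]bool
}

func NewIssuer(priv ed25519.PrivateKey, keys map[string]ed25519.PublicKey, bal map[string]int64) *Issuer {
	return &Issuer{priv, keys, bal, map[string]bool{}}
}

// Settle checks the cheque, moves the value and returns a signed receipt.
func (is *Issuer) Settle(sc SignedCheque) (Receipt, error) {
	c := sc.Cheque
	msg, _ := json.Marshal(c)
	key, ok := is.keys[c.From]
	if !ok || !ed25519.Verify(key, msg, sc.Sig) {
		return Receipt{}, errors.New("unknown payer or bad signature")
	}
	id := fmt.Sprintf("%s/%d", c.From, c.Nonce)
	if _, payee := is.keys[c.To]; !payee || is.seen[id] || c.Amount <= 0 || is.balances[c.From] < c.Amount {
		return Receipt{}, errors.New("rejected: unknown payee, replayed nonce or insufficient funds")
	}
	is.seen[id] = true
	is.balances[c.From] -= c.Amount
	is.balances[c.To] += c.Amount
	r := Receipt{Cheque: sc, Balance: is.balances[c.From]}
	body, _ := json.Marshal(r)
	r.Sig = ed25519.Sign(is.priv, body)
	return r, nil
}

// VerifyReceipt is the payer's end-to-end check: the issuer's signature must
// verify, and the cheque inside must be exactly the cheque that was sent.
func VerifyReceipt(r Receipt, sent SignedCheque, issuerKey ed25519.PublicKey) error {
	unsigned := r
	unsigned.Sig = nil
	body, _ := json.Marshal(unsigned)
	if !ed25519.Verify(issuerKey, body, r.Sig) {
		return errors.New("issuer signature invalid")
	}
	if r.Cheque.Cheque != sent.Cheque || string(r.Cheque.Sig) != string(sent.Sig) {
		return errors.New("receipt does not return the cheque that was sent")
	}
	return nil
}

// Demo pays 30 of alice's 100 to bob and verifies the receipt, then shows that a
// receipt the issuer altered and a cheque presented twice are both rejected.
func Demo() (balance int64, tamperErr, replayErr, err error) {
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed keys
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)
	is := NewIssuer(issPriv, map[string]ed25519.PublicKey{"alice": alicePub, "bob": bobPub}, map[string]int64{"alice": 100, "bob": 0})
	sc := SignCheque(alicePriv, Cheque{From: "alice", To: "bob", Amount: 30, Nonce: 1})
	rcpt, err := is.Settle(sc)
	if err == nil {
		err = VerifyReceipt(rcpt, sc, issPub)
	}
	forged := rcpt
	forged.Cheque.Cheque.Amount = 3 // an issuer "not telling the truth"
	_, replayErr = is.Settle(sc)   // same nonce presented again
	return rcpt.Balance, VerifyReceipt(forged, sc, issPub), replayErr, err
}
```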
In other gaming news, the New Scientist discusses the insider threats to gaming companies. In short, the employees may be leaking the games ahead of time. A moment's thought will make this a reasonable result, as the best employees are probably those from the 'underground' games scene, where hacking and copying are practiced as just another game.
So what do you do when your best employees are no respecters of intellectual property? My suggestion: stop thinking of them as employees and start thinking of them as partners. If they don't see the value in working to keep the product closely controlled until release date, maybe that's because there isn't any value in it?
Gaming prodigy Jules Urbach has created a platform for instant-message-based video games and other applications that he plans to offer free to hobbyist developers and others. Urbach says the Otoy game engine is the key to leveraging instant messaging for a multitude of purposes, including huge multiplayer games that are free. "What I've always been most interested in is the idea of a virtual community, and AOL had the first chat room and IM," he says of his admiration for America Online's sometimes derided approach to the Internet. Urbach is a co-founder of video game firm Groove Alliance, which makes low-memory, online 3D games for clients such as Nickelodeon, Disney, Shockwave, and Electronic Arts; he is currently designing a Star Trek-like game for the Otoy platform that will be run in a window linked to the users' instant-messaging application, so that numerous players can be involved in the game simultaneously and use a separate window to chat with each other. Urbach says his Otoy games are highly componentized and could provide fertile ground for advertisers who could, for example, paste clickable billboards on virtual spaceships: "Each piece in a game can be a separate, encrypted stream," Urbach notes. Otoy will be made available as a free download next year, and Urbach hopes individual developers will use it to create applications that pull up Web browsers, MP3 files, Excel spreadsheets, or whatever other applications they can cook up. Urbach developed Hell Cab, one of the first CD-ROM games that became a best seller in 1992, and created the first 3D video game using Macromedia Director software.
FOR the past year, Jules Urbach has been crunching computer code in a converted bedroom on the second floor of his mother's house in Sherman Oaks, Calif., fine-tuning a piece of software that may well revolutionize online gaming. Mr. Urbach, whose words come in a caffeinated rush, is so excited about introducing his invention on the Web that he never stops working on it; his fingers dance across his Dell keyboard even as he delivers a frantic verbal sales pitch.
"I mean, there's really no telling what's going to happen with this thing," said the 30-year-old video-game designer. "Who knows what developers are going to do when they see this?"
Mr. Urbach hopes they will be inspired to irrevocably change the online gaming landscape. His invention, which he calls Otoy, is a game engine that piggybacks on instant messaging, and thus it is something of a Holy Grail in the software world. For years, developers have been trying to figure out ways to turn instant messaging into a multipronged medium that goes beyond mere chat to integrate games, e-mail and Web browsing; in the gloaming of a guest bedroom, Mr. Urbach believes he may well have come up with the skeleton key that will open IM to an era of hyper-functionality.
"I think a lot of people are going to be blown away by this," said Clay Sparks, a character designer and movie miniature artist ("The League of Extraordinary Gentlemen") who has designed games for Mr. Urbach's company, Groove Alliance.
Mr. Urbach is a video game prodigy. In 1992, shortly after graduating from Harvard-Westlake School in Los Angeles, he created one of the first CD-ROM games (the best-selling Hell Cab), then became the first developer to design a 3-D video game (Real Pool, www.shockwave.com) using Macromedia Director software, a feat that even Macromedia's executives had thought was impossible.
In 1998, Mr. Urbach founded Groove Alliance with Chris Kantrowitz and Peter Laufenberg. Groove was one of the first game companies that created 3-D products exclusively for online use, churning out dozens of titles for Nickelodeon, Disney, Shockwave and Electronic Arts, among others, and providing a healthy living for Mr. Urbach, who now pays the mortgage on his mother's house.
Yet despite his success, he was restless. He suspected that there was some unexplored online games frontier, and he wanted to get there first. Instant-messaging services already offered primitive elemental games like tic-tac-toe, but Mr. Urbach wanted to integrate his 3-D games into IM, which he believed could help spread them more widely. "I wanted multiplayer games to be available to everyone, and I wanted it to be free," Mr. Urbach said.
Mr. Urbach's inspiration for Otoy came from an unlikely source: America Online. AOL is regarded by many as an online dinosaur, but Mr. Urbach, who has maintained his original AOL account since the early 90's, is one of its fans.
"What I've always been most interested in is the idea of a virtual community, and AOL had the first chat room and IM," he said. "I love picking a character and going into a room and leading a virtual life. I love everything about AOL, actually."
Mr. Urbach is a populist; he wants his games to be played by casual gamers - thousands of them playing against one another, if all goes according to plan - and not necessarily the hard-core addicts who spend countless hours on pay-for-play online games. "I look at something like Everquest, which is very complex and very addictive, and I see that working for simpler games as well," Mr. Urbach said. "That desire to be part of a larger community is just part of human nature."
To that end, Mr. Urbach has figured out how to use compelling low-memory games, many of them Groove games that occupy less than 70 kilobytes of memory, for Otoy. Users will see a link in their instant-messaging windows that will open a second window, adjacent and slightly larger. This is Mr. Urbach's versatile Otoy IM portal.
Click on a game link and the window reveals a constellation of stars and spaceships operated by individual players, or a prehistoric tableau with treasure-seeking dinosaurs. A chat room window can be overlaid on the games so that players can converse as they play.
Each component in a game designed for Otoy can be added or eliminated by the players with a few simple command lines. "I can componentize everything," Mr. Urbach said. "Each piece in a game can be a separate, encrypted stream." Mr. Urbach hopes this feature will be manna for advertisers, who can paste a billboard on a spaceship as a hot link, and then have players send the ship virally - when gamers send a ship to other players, the ad will be embedded on the ship - to thousands of other players, who can then click on the link to reach the advertiser's Web site.
Otoy, which Mr. Urbach plans to make available next year for free downloading, can also be used to pull up Web browsers, MP3 files or Excel spreadsheets, depending on the programmer's intent. Mr. Urbach also has Photoshop built into Otoy.
He is not certain how all of this is going to come together. Like a mad scientist unsure of what he has wrought, he is leaving that to the armchair developers and open-source programmers who he hopes will tap into Otoy's seemingly limitless potential. The code language for Otoy is streamlined and easily comprehensible - a kind of Esperanto script that Mr. Urbach hopes will spur innovation from unlikely sources.
As for Mr. Urbach's own content for Otoy, he is working on a potential Star Trek project. "I wish I had this technology when I was 17," he said. "This is just a fulfillment of a desire to do things like this when I was a kid."
Over on Adam's blog, he asks the question, how do we signal security? Have a read of that if you need to catch up on what is meant by signalling, and what the market for lemons is.
It's a probing question. In fact, it goes right to the heart of security's dysfunctionalism. In fact, I don't think I can answer the question. But, glutton for punishment that I am, here's some thoughts.
Signalling that "our stuff is secure" is fairly routine. As Adam suggests, we write blogs and thus establish a reputation that could be blackened if our efforts were not secure. Also, we participate in security forums, and pontificate on matters deep and cryptographic. We write papers, and we write stuff that we claim is secure. We publish our code in open source form. (Some say that's an essential signal, but it only makes a difference if anybody reads it with the view to checking the security. In practice, that simply doesn't happen often enough to matter in security terms, but at least we took the risk.)
All that amounts to us saying we grow peaches, nothing more. Then there are standards. I've employed OpenPGP for this purpose, primarily, but we've also used X.509. Also, it's fairly routine to signal our security by stating our algorithms. We use SHA1, triple DES, DSA, RSA, and I'm now moving over to AES. All wonderful acronyms that few understand, but many know that they are the "safe" ones.
Listing algorithms also points out the paucity of that signal: it still leaves aside how well you use them! For imponderable example, DES used in "ECB mode" achieves one result, whereas in "CBC mode" it achieves a different result. How many know the difference? It's not a great signal, if it is so easy to confuse as that.
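To make the ECB/CBC point concrete, here is an added example (not from the original post) in Go, using AES-128 rather than DES because Go's standard library carries it: the same key encrypts a plaintext made of one repeated record in both modes, and a count of repeated ciphertext blocks shows what ECB gives away and CBC does not. The key, IV and record are constructed constants.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// encryptECB encrypts each block independently with the same key. Go's
// standard library deliberately offers no ECB mode, so it is written out here
// to show what the mode leaks.
func encryptECB(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		panic("plaintext must be a whole number of blocks")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// encryptCBC chains each block into the next, so equal plaintext blocks no
// longer produce equal ciphertext blocks.
func encryptCBC(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// duplicateBlocks counts how many ciphertext blocks repeat an earlier block:
// zero for a ciphertext that reveals nothing about repetition in the input.
func duplicateBlocks(ct []byte, bs int) int {
	seen := map[string]bool{}
	dups := 0
	for i := 0; i < len(ct); i += bs {
		b := string(ct[i : i+bs])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// Compare encrypts a plaintext made of one 16-byte record repeated eight times
// under the same AES-128 key in both modes and returns the repeated-block count
// for each. Key and IV are fixed constants only so the run is reproducible;
// real code draws both from crypto/rand and never reuses an IV with a key.
func Compare() (ecbDups, cbcDups int) {
	key := []byte("0123456789abcdef")    // constructed 128-bit key
	iv := []byte("fedcba9876543210")     // constructed IV
	record := []byte("ACCT=0001;PAID=1") // exactly one AES block
	plaintext := bytes.Repeat(record, 8)
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := block.BlockSize()
	ecbDups = duplicateBlocks(encryptECB(block, plaintext), bs)
	cbcDups = duplicateBlocks(encryptCBC(block, iv, plaintext), bs)
	return ecbDups, cbcDups
}

func main() {
	e, c := Compare()
	fmt.Printf("repeated ciphertext blocks: ECB %d, CBC %d\n", e, c)
}
```

Eight identical records give seven repeated ciphertext blocks under ECB and none under CBC, which is the difference the paragraph is asking whether anyone knows.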
So the next level of signalling is to use packages of algorithms. The most famous of these are PGP for email, SSL for browsing, and SSH for Unix administration. How strong are these? Again, it seems to come down to "when used wisely, they are good." Which doesn't imply that the use of them is in any way wise, and doesn't imply that their choice leads to security.
SSL in particular seems to have become a watchword for security, so much so that I can pretty much guarantee that I can start an argument by saying "I don't use SSL because it doesn't add anything to our security model." From my point of view, I'm signalling that I have thought about security, but from the listener's point of view, only a pagan would so defile the brand of SSL.
Brand is very important, and can be a very powerful signal. We all wish we could be the one big name in peach valley, but only a few companies or things have the brand of security. SSL is one, as above. IBM is another. Other companies would like to have it (Microsoft, Verisign, Sun) but for one reason or another they have failed to establish that particular brand.
So what is left? It would appear that there are few positive signals that work, if only because any positive signal that arises gets quickly swamped by the masses of companies lining up for placebo security sales. Yes, everyone knows enough to say "we do AES, we recommend SSL, and we can partner with IBM." So these are not good signals as they are too easy to copy.
Then there are negative signals: I haven't been hacked yet. But this again is hard to prove. How do we know that you haven't been? How do you know? I know one particular company that ran around the world telling everyone that they were the toppest around in security, and all the other security people knew nothing. (Even I was fooled.) Then they were hacked, apparently lost half a mil in gold, and it turned out that the only security was in the minds of the founders. But they kept that bit quiet, so everyone still thinks they are secure...
"I've been audited as unhackable" might be a security signal. But, again, audit companies can be purchased to say whatever is desired; I know of a popular company that secures the planet with its software (or, would like to) that did exactly that - bought an audit that said it was secure. So that's another dead signal.
What's left may well be that of "I'm being attacked." That is, right now, there's a hacker trying to crack my security. And I haven't lost out yet.
That might seem like sucking on a lemon to see if it is sour, but play the game for a moment. If instead of keeping quiet about the hack attacks, I reported the daily crack attempts, and the losses experienced (zero for now), that indicates that some smart cookie has not yet managed to break my security. If I keep reporting that, every day or every month, then when I do get hacked - when my wonderful security product gets trashed and my digital dollars are winging it to digital Brazil - I'm faced with a choice:
Tell the truth, stop reporting, or lie.
If I stop reporting my hacks, it will be noticed by my no longer adoring public. Worse, if I lie, there will be at least two people who know it, and probably many more before the day is out. And my security product won't last if I've been shown to lie about its security.
Telling the truth is the only decent result of that game, and that then forces me to deal with my own negative signal. Which results in a positive signal - I get bad results and I deal with them. The alternatives become signals that something is wrong, so any way out, sucking on the lemon will eventually result in a signal as to how secure my product is.
Here's a classic example of how a competition based on the economics problem known as the Prisoner's Dilemma has been exploited: A seemingly complete theory has once again been turned on its head. All's fair in love and war, and the best attacks come when we challenge the other guy's assumptions.
New Tack Wins Prisoner's Dilemma
By Wendy M. Grossman
Story location: http://www.wired.com/news/culture/0,1284,65317,00.html
02:00 AM Oct. 13, 2004 PT
Proving that a new approach can secure victory in a classic strategy game, a team from England's Southampton University has won the 20th-anniversary Iterated Prisoner's Dilemma competition, toppling the long-term winner from its throne.
The Southampton group, whose primary research area is software agents, said its strategy involved a series of moves allowing players to recognize each other and act cooperatively.
The Prisoner's Dilemma is a game-theory problem for two players. As typically described, two accomplices are arrested and separated for interrogation by the police, who give each the same choice: confess to authorities (defect) or remain silent (cooperate). If one defects and the other cooperates, the defector walks free and the cooperator gets 10 years in jail. If both cooperate, both get six months. If both defect, both get six years. Neither suspect knows the other's choice.
"The Prisoner's Dilemma is this canonical problem of how to get cooperation to emerge from selfish agents," said Nick Jennings, a professor in computer science at Southampton University and leader of the winning team along with his Ph.D. student, Gopal Ramchurn. "People are very keen on it because they can see so many parallels in real life."
Before Southampton came along, a strategy called Tit for Tat had a consistent record of winning the game. Under that strategy, a player's first move is always to cooperate with other players. Afterward, the player echoes whatever the other players do. The strategy is similar to the one nuclear powers adopted during the Cold War, each promising not to use its weaponry so long as the other side refrained from doing so as well.
The 20th-anniversary competition was the brainchild of Graham Kendall, a lecturer in the University of Nottingham's School of Computer Science and Information Technology and a researcher in game theory, and was based on the original 1984 competition run by a University of Michigan political scientist, Robert Axelrod.
The Iterated Prisoner's Dilemma is a version of the game in which the choice is repeated over and over again and in which the players can remember their previous moves, allowing them to evolve a cooperative strategy. The 2004 competition had 223 entries, with each player playing all the other players in a round robin setup. Because Axelrod's original competition was run twice, Kendall will run a second competition in April 2005, for which he hopes to attract even more entries.
Teams could submit multiple strategies, or players, and the Southampton team submitted 60 programs. These, Jennings explained, were all slight variations on a theme and were designed to execute a known series of five to 10 moves by which they could recognize each other. Once two Southampton players recognized each other, they were designed to immediately assume "master and slave" roles -- one would sacrifice itself so the other could win repeatedly.
If the program recognized that another player was not a Southampton entry, it would immediately defect to act as a spoiler for the non-Southampton player. The result is that Southampton had the top three performers -- but also a load of utter failures at the bottom of the table who sacrificed themselves for the good of the team.
Another twist to the game was the addition of noise, which allowed some moves to be deliberately misrepresented. In the original game, the two prisoners could not communicate. But Southampton's design lets the prisoners do the equivalent of signaling to each other their intentions by tapping in Morse code on the prison wall.
Kendall noted that there was nothing in the competition rules to preclude such a strategy, though he admitted that the ability to submit multiple players means it's difficult to tell whether this strategy would really beat Tit for Tat in the original version. But he believes it would be impossible to prevent collusion between entrants.
"Ultimately," he said, "what's more important is the research."
"What's interesting from our point of view," he said, "was to test some ideas we had about teamwork in general agent systems, and this detection of working together as a team is a quite fundamental problem. What was interesting was to see how many colluders you need in a population. It turns out we had far too many -- we would have won with around 20."
Jennings is also interested in testing the strategy on an evolutionary variant of the game in which each player plays only its neighbors on a grid. If your neighbors do better than you do, you adopt their strategy.
"Our initial results tell us that ours is an evolutionarily stable strategy -- if we start off with a reasonable number of our colluders in the system, in the end everyone will be a colluder like ours," he said.
The winners don't get much -- an unexpected $50 check and a small plaque. But, says Kendall, "Everybody in our field knows the name of Anatol Rapoport, who won the Axelrod competition. So if you can win the 20th-anniversary one, in our field there's a certain historical significance."
In a rather inspired marketing move for gold, the Austrian Mint has issued a EUR 100,000 coin. Its dimensions are 37cm across (nearly 15") and its weight is 31kg (68lb). Street value about half a million USD, so the dollar has a way to fall before it matches the face value.
And, to cap it off, the Austrians enlisted that quixotic supporter of gold, Robert Mundell, to present the oversized Philharmonic to Wall Street. What can one say, other than .. inspired!
Austria unveils on Fifth Avenue what bankers call world's biggest gold coin
By VERENA DOBNIK
Associated Press Writer
October 5, 2004, 9:33 PM EDT
NEW YORK -- It would take an Arnold Schwarzenegger to lift his native Austria's new coin: 68 pounds of 24-carat gold worth about $500,000.
On Tuesday at a Manhattan art gallery, the Austrian Mint unveiled Big Phil, calling it the world's biggest gold coin - and a powerful investment tool for today.
"The world needs a common currency beyond each national one," said Robert Mundell, a Nobel laureate in economics whose ideas lay the groundwork for Europe's common currency, the euro.
The Columbia University professor joined the chairman of the Austrian Mint in Vienna, Wolfgang Duchatczek, in presenting the coin at a Fifth Avenue gallery, in a room where multimillion-dollar paintings by Gustav Klimt surrounded armed guards in civilian suits.
White gloves were handed to anyone in the invitation-only crowd who wished to touch or hoist the coin, which is almost 15 inches in diameter.
Two other such coins were introduced Tuesday in Tokyo and Vienna, and a fourth was to be unveiled Wednesday in Munich.
Investing in gold acts as a hedge against the roller-coaster global economy.
"You can buy a car these days with the value of about the same amount of gold as in, say, the 1960s," said Kirsten Petersen, an Austrian Mint spokeswoman. "Gold is truly a storehouse of value."
Only 15 of the gleaming discs were created this year by the 800-year-old Austrian Mint, each with a face value of 100,000 euros (about $121,000) and bearing a replica of the Vienna Philharmonic Orchestra's famed hall on one side and orchestral instruments on the other. (Hence the nickname Big Phil).
While a face value of 100,000 euros is etched into the coin, its retail price of about $500,000 reflects the price of an ounce of gold on any given day in London - $415.40 on Tuesday - plus a minting premium to cover the manufacturing cost.
On Tuesday, the Neue Galerie on Fifth Avenue, which houses entrepreneur Ronald Lauder's collection of Austrian art by Klimt and Egon Schiele, was busy with representatives of top Wall Street firms who came to see the financial novelty. Most of the limited-edition coins already have been sold to investors and institutions whose identities remain private, Petersen said.
A more common purchase is the 1 ounce denomination of the Austrian Philharmonic coins, now selling at $400-plus each. Roughly comparable to the American Gold Eagle and the Canadian Maple Leaf, the smaller Austrian gold coin was released in 1989 as Europe's first 24-carat legal tender bullion.
Most governments no longer base their treasuries on the so-called gold standard in effect for centuries. However, the United States, Austria and many other countries have kept a gold reserve.
"Gold doesn't yield dividends like bonds, and it fluctuates a lot," Mundell said. "But the other side of the coin is that gold is a measure of national reserves, more than ever."
With the U.S. dollar more "shaky" in today's world, the Nobel laureate said, countries like China, Taiwan and Japan are looking to buy more gold.
Besides, Mundell added, rubbing his fingers across the gleaming gold, "they look so nice."
On the Net: Austrian Mint: http://www.austrian-mint.com
Copyright © 2004, The Associated Press
http://www.newsday.com/news/local/wire/ny-bc-ny--mammothmoney1005oct05,0,4315269.story?coll=ny-ap-regional-wire
Other articles at:
http://www.iol.co.za/index.php?set_id=1&click_id=29&art_id=qw1097069941434A236
http://edition.cnn.com/2004/BUSINESS/10/06/austria.gold.ap/
Over on slashdot Neal Stephenson was interviewed on a range of slashdotters' questions. His relationship to FC is cemented in his classic novel on digital issuance, Cryptonomicon (reviewed), which appeared around the same time as the first example was hitting critical mass.
7) Money - by querencia
One of the major themes in Cryptonomicon that carried over (in a big way) to The Baroque Cycle is money. You introduced some "futuristic" views of currency and of where money might be going in Cryptonomicon, and you skillfully managed to do the same thing, while explaining some of the history of modern monetary systems, in the most recent books. You've obviously spent a lot of time thinking about money lately. Is there anything going on in the modern world with monetary systems (barter networks, for example) that you find particularly interesting?
What do you see on the horizon with respect to money?
Neal:
Actually, what's interesting about money is that it doesn't seem to change that much at all. It became fantastically sophisticated hundreds of years ago. Back before people knew about germs, evolution, the Table of Elements, and other stuff that we now take for granted, people were engaging in financial manipulations that seem quite modern in their sophistication. So if I had to take a wild guess---and believe me, it is a wild guess---I'd say that money and the way it works is going to be a constant, not a variable.
The media is talking about some report that calls for companies to cooperate and not display information on web sites, as an anti-phishing measure [1][2]. Yeah, that'll make a difference. Over in Korea they are reporting some little group arrested after selling an estimated 6 million user profiles [3].
That's one company that we don't want anywhere near our data; but unfortunately that's how it happens. Asking companies to get involved in phishing is like asking cops to get involved in crime. Sure, they can do something, but only afterwards. The phish happens between the phisher and the user. The only thing that's constant between the two is the browser. The thing that happens afterwards is that the company gets it in the neck.
So you have a choice of three possibilities. Educate the user, "educate" the phisher, or stop it at the browser. One doesn't need a PhD in security to recognise the company isn't present in that little equation, and education of the user is like telling the crime victim to stay clear of crime next time.
Only attention to the browser has any merit whatsoever, as it's the only agent that can tell the difference. It's the only one with a security model that implementors can adjust. It's the only one with some crypto blah blah - stuff that could make a difference [4]. Luckily for phishers, the crypto is currently widely deployed pointing in the wrong direction.
One thing caught my eye. Markus Jakobsson (who must have been misreported) has submitted this report to the annual Financial Cryptography conference. Well, that makes sense. If phishing isn't a fraud involving finance, crypto, software engineering, governance of data, and a whole lot in between, then ... what else is FC?
(While we're on the depressing subject of phishing, here's an interesting report: most of the attacks come from a stable set of 1000 or so (hacked DSL) machines and it is claimed that there are only a very few groups, and maybe only one involved [5]. I don't believe it, but it's food for thought.)
[1] Identity thieves' 'phishing' attacks could soon get a lot nastier
[2] Identity thieves' "phishing" attacks could soon get a lot nastier
[3] Six Million People Have Personal Information Stolen
[4] See for example the work that Amir Herzberg and Ahmad Gbara are doing at
Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites
[5] Phishing attacks may be coming from your computer
Simon Singh's The Code Book is a very readable account of the development of cryptography over the ages [1]. It seems to skate over much material, but Singh shows an ability to pick out the salient events in history, and open them up. Here is an extract entitled "The Arab Cryptanalysts [2]."
Curiously it mirrors the evolution of financial cryptography: only after a significant array of other disciplines were brought to bear by the enlightened scholars of the Islamic world, for a wide range of motives and interests, was frequency analysis invented and applied to cryptograms. Thus, the monoalphabetic cipher fell, and cryptanalysis was born.
[1] Simon Singh, The Code Book, 1999
[2] Ibid, "The Arab Cryptanalysts", pp 14-20.
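The attack Singh credits to the Arab cryptanalysts, as an added example (not from the book or this blog): count the letters of a cryptogram, line them up against the known letter frequencies of the language, and the high-frequency letters of a monoalphabetic substitution fall out. The sample plaintext is the opening of Pride and Prejudice, used only as a piece of ordinary English; the key, the frequency table and the function names are this example's own choices. It also covers the Caesar shift as the special case where scoring all 26 candidates recovers the whole key at once.

```python
"""Frequency analysis against a monoalphabetic substitution cipher.

Added example, not from Singh's book: the attack the passage credits to the
Arab cryptanalysts, written the way a practitioner would sketch it today.
The sample plaintext is the opening sentence of Pride and Prejudice, used
only as a piece of ordinary English; the key and the frequency table are
this example's own choices.
"""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Relative frequency of each letter in English prose, in percent
# (a standard published table; exact figures vary slightly by corpus).
ENGLISH_FREQ = {
    "E": 12.70, "T": 9.06, "A": 8.17, "O": 7.51, "I": 6.97, "N": 6.75,
    "S": 6.33, "H": 6.09, "R": 5.99, "D": 4.25, "L": 4.03, "C": 2.78,
    "U": 2.76, "M": 2.41, "W": 2.36, "F": 2.23, "G": 2.02, "Y": 1.97,
    "P": 1.93, "B": 1.49, "V": 0.98, "K": 0.77, "J": 0.15, "X": 0.15,
    "Q": 0.10, "Z": 0.07,
}

SAMPLE = (
    "It is a truth universally acknowledged, that a single man in possession "
    "of a good fortune, must be in want of a wife. However little known the "
    "feelings or views of such a man may be on his first entering a "
    "neighbourhood, this truth is so well fixed in the minds of the "
    "surrounding families, that he is considered the rightful property of "
    "some one or other of their daughters."
)

# A fixed, arbitrary permutation of A-Z standing in for the secret key.
SECRET_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"


def normalise(text):
    """Keep letters only, upper-cased: the form a classical cryptogram is in."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def encrypt(plaintext, key):
    """Monoalphabetic substitution: plaintext letter ALPHABET[i] -> key[i]."""
    assert sorted(key) == list(ALPHABET), "key must be a permutation of A-Z"
    return normalise(plaintext).translate(str.maketrans(ALPHABET, key))


def decrypt(ciphertext, key):
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def shift_key(shift):
    """The Caesar shift is the special case where the key is a rotation."""
    return ALPHABET[shift:] + ALPHABET[:shift]


def letter_counts(text):
    return Counter(c for c in text if c in ALPHABET)


def rank_guess(ciphertext):
    """Pair cipher letters with English letters by frequency rank alone.

    This is the raw form of the attack: the commonest cipher symbol is
    probably E, the next probably T, and so on. On a short text the tail of
    the ranking is unreliable and has to be refined by hand (digraphs, word
    patterns), but the high-frequency letters usually fall out directly.
    """
    cipher_order = [c for c, _ in letter_counts(ciphertext).most_common()]
    english_order = sorted(ENGLISH_FREQ, key=ENGLISH_FREQ.get, reverse=True)
    return dict(zip(cipher_order, english_order))


def chi_squared(text):
    """Distance of the letter distribution of `text` from English (lower is closer)."""
    counts = letter_counts(text)
    n = sum(counts.values())
    total = 0.0
    for c in ALPHABET:
        expected = n * ENGLISH_FREQ[c] / 100
        total += (counts[c] - expected) ** 2 / expected
    return total


def break_shift(ciphertext):
    """Recover a Caesar shift by scoring all 26 candidate decryptions against English."""
    return min(range(26), key=lambda s: chi_squared(decrypt(ciphertext, shift_key(s))))


if __name__ == "__main__":
    ct = encrypt(SAMPLE, SECRET_KEY)
    guess = rank_guess(ct)
    top = [c for c, _ in letter_counts(ct).most_common(5)]
    print("commonest cipher letters:", top)
    print("rank guess for them     :", {c: guess[c] for c in top})
    print("recovered Caesar shift  :", break_shift(encrypt(SAMPLE, shift_key(7))))
```

On a text this short the rank guess gets E right and little else for certain; that is exactly why the historical method pairs the counts with knowledge of the language (common words, letter pairs) rather than trusting the ranking blindly. The chi-squared scorer shows the stronger form of the same idea: when the key space is small enough to enumerate, the frequency table becomes an oracle that picks the key outright.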
Canny financial cryptographers know that connection-oriented protocols like TCP are not up to scratch if you really care about your packets. They are reliable, but that doesn't mean you can rely on them! TCP is only a reliable protocol until it stops, and then it becomes unreliable - there is no way for you to tell whether a dropped connection delivered the data or not. Or, indeed, how many times.
This problem is underwritten by what amounts to a law of computer science called the Coordination Problem. In trying to recall what this was called, I asked Twan van der Schoot, and predictably, he gave me the fullest answer. Here it is, somewhat edited:
The "Law" you are referring to [writes Twan] is the result of the attempt to solve the "Coordination Problem" or "Coordinated Attack Problem", failing in the attempt, and then proving that it cannot be solved. People generally say it is a "folk" problem in the distributed systems community. Paul Syverson attributes the original problem statement to Gray (1978).
Here's the proof. It is very simple and of a rare beauty. The only thing wrong with it is that it needs an indirect method using a reductio ad absurdum argument.
The problem setup: We have two perfect processes (i.e. which do not fail), say Alice and Bob. Alice and Bob communicate bidirectionally over a channel with transient errors (i.e. an imperfect channel). Can you devise a protocol that guarantees that Alice and Bob both choose the same action a or b?
The proof:
1. Assume there is such a protocol. And, without loss of generality, assume that it is the shortest one (i.e. the one with the least communication exchanges in either direction).
2a. Assume that Alice just has sent its last message m in the last step of the protocol. At this point in the protocol, Alice's choice of action a or b must be independent of the message m. Alice will not receive any message thereafter. In other words, prior to sending m, Alice already committed to either action a or b independent of message m.
2b. The choice by Bob for either action a or b must be the same as the choice by Alice after receiving message m from Alice, whether Bob received message m or not (message loss). So Bob's commitment to action a or b is also independent of the received message m.
2c. But then sending message m in the last step of the protocol is redundant, and can be dropped. But then we have a protocol which is one step shorter;
3. But then we have a contradiction, because the protocol was the shortest (1). Hence there is no such protocol.
Conclusion: So there is no protocol which solves the coordination problem.
There are more formal proofs, but they require a lot of formal theory. This one I grabbed from "Distributed Systems, 2nd Edition. Sape Mullender ed. Addison-Wesley 1993".
Note, however, that the "coordination attack" fails in an "absolute" sense. If we allow for some probability thinking, we can at least approximate a solution. And that is why, say, the Internet works :)
Paul Syverson wrote a little monograph in 2003 "Logic, Convention, and Common Knowledge; A Conventionalist Account of Logic". Syverson claims that the Coordination Attack can be solved using a combination of logic and game theoretical ideas. I've started reading the book recently and it is laden with philosophy, (epistemic) logic and game theory. So it will take a little time before I'll grasp the basic tenet of the underlying concepts.
gr
Twan
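The practical face of the problem above, as an added example that is not part of Twan's note or of any system on this page: a sender writes a transfer, the connection resets, and from the sender's side a reset before delivery and a reset after delivery look identical. The only way forward is the "probability thinking" of the note, which is to resend until an acknowledgement arrives, and that is safe only if the receiver treats the message id as an idempotency key. The ledger, the toy message format, the fault schedule and all names are this example's own assumptions.

```python
"""A 'reliable' connection that cannot tell you whether the money moved.

Added example, not from Twan's note or any system on the page. It
simulates the situation the post describes: the sender writes a transfer,
the connection drops, and the sender cannot tell whether the receiver
processed it. The ledger, the toy message format and the fault schedule
are this example's own assumptions.
"""


class Ledger:
    """The receiving side. With `dedup` it remembers message ids it has
    already applied, so a retransmitted transfer is acknowledged but not
    applied twice. Without it, every delivery debits the account."""

    def __init__(self, balance, dedup):
        self.balance = balance
        self.dedup = dedup
        self.applied = set()

    def handle(self, msg):
        if self.dedup and msg["id"] in self.applied:
            return {"ok": True, "balance": self.balance, "duplicate": True}
        self.applied.add(msg["id"])
        self.balance -= msg["amount"]
        return {"ok": True, "balance": self.balance, "duplicate": False}


class Connection:
    """One request/reply round trip per call, with a scripted fault per attempt.

    'request': the link dies before the ledger sees the message.
    'ack':     the ledger applies the message, then the link dies before the
               reply gets back.
    Both surface to the sender as the same ConnectionError, which is the
    whole problem: from the sender's side the two cases are indistinguishable.
    """

    def __init__(self, faults):
        self.faults = list(faults)
        self.attempt = 0

    def call(self, ledger, msg):
        fault = self.faults[self.attempt] if self.attempt < len(self.faults) else None
        self.attempt += 1
        if fault == "request":
            raise ConnectionError("connection reset by peer")
        reply = ledger.handle(msg)
        if fault == "ack":
            raise ConnectionError("connection reset by peer")
        return reply


def transfer(conn, ledger, amount, msg_id, max_attempts=5):
    """Send one transfer, retrying on a dropped connection.

    Retrying is the only option the sender has, since it cannot learn the
    outcome of a failed attempt. It is safe only when the receiver treats
    `msg_id` as an idempotency key."""
    msg = {"id": msg_id, "amount": amount}
    for _ in range(max_attempts):
        try:
            return conn.call(ledger, msg)
        except ConnectionError:
            continue  # lost before delivery? or after? the sender cannot tell
    raise RuntimeError("gave up: outcome unknown to the sender")


def settle(faults, dedup, amount=10, balance=100):
    """Run one transfer over a connection with the given fault schedule and
    return the balance the receiving ledger ends up with."""
    ledger = Ledger(balance, dedup)
    transfer(Connection(faults), ledger, amount, msg_id="txn-0001")
    return ledger.balance


if __name__ == "__main__":
    print("ack lost, no dedup  :", settle(["ack"], dedup=False))    # debited twice
    print("ack lost, with dedup:", settle(["ack"], dedup=True))     # debited once
    print("request lost        :", settle(["request"], dedup=True))  # debited once
```

Note what the example does not do: it never lets the sender decide the outcome by inspecting the error. That is the impossibility result in practice. The decision is pushed to the receiver, whose idempotency table is the one piece of state both sides can agree on after the fact, which is why end-to-end transaction protocols carry a unique message id rather than trusting the transport to count for them.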
Hernando de Soto has done what I think is the most significant work in economics in the last decade. He has researched what makes people poor. Travelling many poor countries and looking at many impoverished economies, he believes he has found the answer: poverty of title.
de Soto's book, the Mystery of Capital, is about how the lack of clear and open title to assets is the rock that crushes the poor. Without good title, the poor cannot raise capital. Without good title, the poor have to sit on their assets, and resort to physical security at their own cost. Without good title, there is no possibility of economic and efficient allocation of resources.
It was then with some sadness that I saw this ironic development in some chat room on the net: the poverty of title over the book itself has been exploited. Ironically, someone has OCR'd the book and is now selling the electronic versions.
I would hope that Hernando would shrug his shoulders and carry on, realising that the fundamental title to books and knowledge is as weak already as the title a poor mother holds over her shack in a shanty town. That which we call intellectual property, which some claim to derive from the belief that man has the right to what was created in his own head, has over-extended itself, and technology is now in the process of destroying it.
Title is no such beliefs-based right. It is an economic practicality, we create title as a society to protect that which is naturally protectable. Law follows economics, and economics follows physics.
This sad path may well be the path to its future success, and I can think of no higher accolade for a work than to be sacrificed on its own altar. The Mystery of Capital is needed in any place where the poor have no strong title, and thus they lack the money to buy the book.
-------- Original Message --------
Subject: The Mystery of Capital, eBook
Date: Thu, 14 Oct 2004 09:28:36 +0200 (CEST)
From: Nostra
I have recently completed the conversion of the excellent economics
book, The Mystery of Capital, by Hernando de Soto, to Adobe Acrobat
format. http://www.amazon.com/exec/obidos/ASIN/0465016154
The 8.91 MB book is available for download at a cost of 0.1 grams of
e-gold from the File Exchange at
https://www.meshmx.com/fe/download_get.php?file=FE:d7c1ecf8b3e460de8a2f9ce1003595f0c2344cb2
For instructions on funding a File Exchange Pay Token needed for
downloading the book, download the free Acrobat document at:
https://www.meshmx.com/fe/download_get.php?file=FE:ab2e4d29a46088a8c3ed4c21a8baf9041f93d29c
This conversion easily required over 80 hours of intense OCR, Photoshop
and MSWord editing. I ask that anyone downloading not post the eBook
or share with friends (you are, of course, as free to ignore this as I
have been in ignoring Mr. DeSoto's publisher's request that I honor
their copyright.) I intend to offer the author a share of the proceeds
should they become significant.
Discussion in Distributed City regarding this e-publication can be found
at
https://www.distributedcity.com/forums/?action=thread_view&thread_id=f304a9b748efdc04a3e5f949be30b277
Nostra
Frans Johansson on the Medici Effect
By exploring the intersections between different disciplines and cultures, one may discover the next groundbreaking ideas.
Frans Johansson is a consultant and author of the new book, "The Medici Effect," published by Harvard Business School Press. He was previously a cofounder and CEO of Inka.net, a Boston-based enterprise software company, and vice president of business development of Dola Health Systems, a company operating in Baltimore and Sweden. Born and raised in Sweden, he currently resides in New York City.
UBIQUITY: Let's start at the beginning: what is this "Medici Effect" you write about?
JOHANSSON: The book talks about the fact that we have the greatest chance of coming up with groundbreaking insights at the intersection of different disciplines or cultures. The Medici Effect refers to the exponential increase in ideas that you can generate when you combine two different fields.
UBIQUITY: Give us an example or two.
JOHANSSON: Let's take an example I'm particularly fond of, the example of ants and truck drivers, which I talk about in one of the chapters. So there is this telecommunications engineer who has been trying to figure out how to efficiently route telecom messages through a haphazard routing system. And one day the communications engineer met an ecologist, who studies social insects, like wasps and ants. And they started talking, and the ecologist described how ants search for food. As it turned out, the ant's search strategy turned out to be very applicable to the routing of telecom message packets. Once the engineer realized this, he decided to explore this particular intersection between ant ecology and computer search algorithms, so he spent three years looking at the connection between the way social insects behave and the way you can use computers to optimize particular types of search algorithms. And that has now led to an entirely new field called swarm intelligence, which essentially came out of the intersection of the study of social insects and computer search algorithms. This methodology has been used in everything from helping truck drivers find their way around the Swiss Alps to helping unmanned aerial vehicles search for terrorists in Afghanistan.
UBIQUITY: And you called it the "Medici Effect" for what reason?
JOHANSSON: The title alludes to what the Medici family accomplished in Florence during the 1500s: they sponsored people from lots of different disciplines (architects, painters, sculptors, philosophers, scientists) from all over Europe, even actually as far away as China, and brought them all together in Florence. And it's through their interactions that Florence essentially became the epicenter of one of the most creative eras in Europe's history, the Renaissance. One of the most famous innovators they sponsored was, of course, Leonardo Da Vinci, but there were many others in Florence who found connections between their various crafts, which ultimately allowed them to set off the creative explosion.
UBIQUITY: Tell us about your own education.
JOHANSSON: Undergraduate work at Brown University. Then I started a company and ran it for a couple of years, before going to Harvard Business School for an MBA.
UBIQUITY: Would it be accurate to say that Brown University or any number of other universities are attempts to emulate the Medici Effect?
JOHANSSON: Well, yes, Brown University is a particularly interesting example, I think. When I was there, I got the feeling that they were going out of their way to try to get their students to explore a field outside of their majors. Cornell University does a very good job of the same thing, and so do a lot of the other universities. It's sort of at the heart, if you will, of the philosophy for a Liberal Arts education, although things have changed greatly during this century. I mean if you really wanted to succeed in academia beyond an undergraduate education, you had to specialize in many ways. But at Brown, they gave you room to do things differently. And actually, while I was there, I started an interdisciplinary science magazine called The Catalyst, which became quite successful, and it's still around, very much so. I think the latest issue was sent to all the incoming students at the university, and I know one of the Deans said it's one of the things that best expresses the idea of Brown, because it essentially bridges the various sciences and also bridges the gap between the sciences and humanities.
UBIQUITY: Congratulations. That's quite a success.
JOHANSSON: Thank you. Actually, I look at that magazine today, and I think it has had a far greater impact than the software company I co-founded. Because people that have worked on that magazine, former editors, lay-out editors, or contributors, have gone on to work at places like Science magazine, the Discovery Channel, and so on. So in that sense, the influence extends further than it did with my years of heading up the software company.
UBIQUITY: Thinking for a moment not about the students, but about the faculty, is it not true that interdisciplinary collaboration can often be very difficult because of the way that universities are organized in terms of tenure systems that reward specialization?
JOHANSSON: Yes, I agree whole-heartedly. You have a system where in order to succeed, professors have to publish x number of papers. In order to do that, they publish in an ever-increasing plethora of hyper-specialized journals to satisfy this particular tenure demand. And also the way the funding system has worked in the past, a lot of it has been very specialized. But things are changing. Look at the NIH or NSF, for instance, how they are setting up their funding requirements. A lot of the new grants have to do with interdisciplinary work. And I think that over time, this is going to filter through to the academic world as well. It would have to, essentially, because universities need their professors to pull in money. And so if they have to work across fields to do it they will. This has already started to happen at an undergraduate level. I mentioned in the book that one of the big differences between a course catalog today and say thirty years ago, is that today it has many more hyphens. Undergraduates can major in not just physics, or applied math, or psychology, they can major in applied math-psychology, they can major in applied math-economics, they can major in geology-physics. These hyphens can even extend in to three-word combinations. So undergraduate programs have been leading the way, in that sense.
UBIQUITY: What was your own undergraduate major?
JOHANSSON: Environmental science, which is obviously a very interdisciplinary major. But when I came in, I was thinking I was going to major in fictional writing, actually.
UBIQUITY: Really.
JOHANSSON: Yeah, I had written a novel in high school. It got sold, but never got published, which just made me very sad. But it gave me the hunger to continue writing. But once at college I wanted to focus on something that leveraged the capabilities Brown had in the sciences, so I chose environmental science mostly because of my passion for fishing.
UBIQUITY: What kind of fishing?
JOHANSSON: All kinds. Fly fishing, deep sea fishing, even fishing in lakes and rivers. Eels at midnight and that type of stuff. There hasn't been much time to do that as of late, but yes, all kinds of fishing. I've always enjoyed it. So, I used to write articles on the science of fishing: there was a gap between scientists doing research and people interested in that research actually hearing about the results. I wanted to fill that gap.
UBIQUITY: Do you think that your interest in fishing has made any contributions to your ideas on innovation?
JOHANSSON: Oh, good question. Probably in the sense that it has allowed me to understand the importance of community. I think it's very easy when you're in business to disregard certain aspects of the community around you. But with an interest in fishing and environmental issues, you develop a sense that certain things clearly happen through grassroots activities; certain things can spread in that type of way that doesn't necessarily happen in a planned corporate way. And so I think that has added to the ways I look at how to spread an idea.
UBIQUITY: You talk in the book about three driving forces for innovation. What are they? Start with computational power as a driving force for innovation. What does that add to the equation?
JOHANSSON: Computational power adds two things. One is that it has enabled us to communicate a lot more easily with people who are far away and across disciplines. So you can connect with somebody that's on the other side of the world and you can work with them. If you're talking about a discovery that happened in a particular field, then within hours, if it's enticing enough, a lot more people can know about it than in the past, not just those around you or those within your field. This makes it possible for people to access ideas across disciplines and cultures and increases the possibilities of combining different concepts. So that's an obvious effect of increased computational power.
Another effect that's a little bit less obvious has to do with how computational power enables us to do things differently. The example I used in the book comes from the animation industry, where they use computers to draw the figures, for instance in movies like Shrek or in Finding Nemo. The interesting thing about this technology is that it has allowed these companies to hire animators that are not necessarily experts at drawing but that are great at acting. These new types of animators take acting lessons, rather than drawing classes.
Of course, you see such computational leaps in other fields as well, in biotechnology for instance, where people who couldn't have entered this field before can now be part of a team that explores new drug combinations. Computational power has essentially not just enabled us to do things faster, but also to do things differently.
UBIQUITY: Talk about how it's possible for the actor to take over the role of the artist. How does it work?
JOHANSSON: Because of the added computational power, it's far, far easier for Pixar to create 3-D figures. Not only does that decrease the need for animators to continuously draw frame after frame since the computers can do some of that, but, these 3D characters have a much, much greater ability to display emotion. So in the case of Shrek, for instance, you're literally looking at a figure with feelings. You can follow the figure's eyeballs, eye wrinkles, you could follow the person's facial movements far more easily than in the 2-D animation. Computation has made it possible for these animators to add an acting quality to the animation, because they essentially draw this figure more realistically. And they do it far fewer times than was necessary in the traditional 2-D movie, and so what the animators focus on is: How can I make an impression with this figure? How can I enable this animated figure to display a truly human emotion?
UBIQUITY: Let's move on to the other two driving forces of innovation.
JOHANSSON: Yes. Another driving force is the convergence of science. In many ways traditional scientific fields have run their course, where new discoveries now require huge resources or incredible specialization. Most physicists, for instance, find that it's essentially impossible for them to work without a huge team, sometimes hundreds of people, and to go in and explore a particular, very narrow aspect within their field. But those scientists who intersect physics with something else, let's say biology or psychology, have a far better chance of generating a new insight: they can become leaders in a new field that emerges from this intersection. And so scientists that want to lead the way are essentially going to have to merge or establish science fields with another one. Alan Leshner, the CEO of AAAS, says in the book that disciplinary science has died. Single-author papers are rare today. It's almost always multiple authors from different fields.
UBIQUITY: And your third driving force for innovation is the movement of people.
JOHANSSON: The movement of people has increased to a level where it was maybe about 100 years ago. And essentially, by doing that, it is creating diverse communities all over the world. And diverse communities provide huge opportunities for businesses and artists to tap in to whole new markets. And not just that: clever companies like L'Oreal or MTV make sure that their product innovations literally come from exploring the intersections between different cultures. You may not think that there are any connections between Latin music and country music. But instruments and the role of vocals play very similar roles in both types of music. What if one explored such an intersection? There could be something interesting coming out of it. The same with L'Oreal and how they go about launching new products, where they bring very diverse teams together to try to come up with radically new ideas.
UBIQUITY: As the author of "The Medici Effect," how do you think you can help an individual reader see the world differently or him- or herself differently? After reading the book, the person wakes up the next day and goes out the door and does, well, what?
JOHANSSON: That was probably one of the biggest things that I tried to make sure that this book did. I wanted to explain why stepping in to these intersections is effective. First, I think that the insight that stepping into an intersection between different fields can increase the chances of generating a groundbreaking idea is very important and affects a reader's way to view the world. Second, there's the question of how to execute these intersectional ideas. You have to prepare for failure, you have to be able to break away from your established networks, and you have to manage risks differently. The book talks about this in great detail. And then finally the third piece of the puzzle is to explain why all this works, so that when you wake up the next morning after you finish the book, ideally you will be thinking about the world a little bit differently. When you come in to the office, for instance, you will be more aware of the potentials of how other fields or other cultures could relate towards what you're doing and if you saw an opportunity, you would have a better chance of executing it.
UBIQUITY: Let's do a thought experiment, and maybe an imagination experiment, and ask you to think of any 100 people that you can either pick from people you know or that you've known in the past, and then try to rate these people in terms of their ability to do the kinds of things you're recommending. How would they rate?
JOHANSSON: Also a very good question. I would be speculating here, so I'll just go with the flow on this one. This is not exactly from my research. But I think that the book deals with two types of recommendations, those that are more long-term in nature and those that are short-term. I think people's ability to do the things I recommend are related to how well they can stay committed to these two types of strategies. You can easily decide to go "intersection hunting", for instance, which is a tactic that can be done almost immediately upon reading the book. But will you go intersection hunting next month or the next year? Even if you were very successful you may forget such a tactic until you reread the book. On the other hand, long-term strategies such as broadening your cultural experience or learning differently require more forethought, but once you get into that mode of thinking you will probably stick with it since it becomes a way of life instead of an afternoon tactic to solve a specific problem.
UBIQUITY: Say something about execution issues.
JOHANSSON: I talk a lot about how you have to plan failure, and I do that to help the reader understand that it's okay for an idea not to work. But here again, people are different, just innately. Some people will become very depressed if they fail, whereas others will instead see it as a learning experience and move on. And I'm not sure, I think the jury's out on how easy it is to change that particular tendency: whether or not you're going to view a failure as a learning experience or are you going to view it as a depressing aspect of your life. My hope is that most people will view it as a learning experience and the book certainly makes that case very vividly. It also looks at how one should manage risks differently at the intersection of fields compared to within fields and what you need to do to break away from an established field. Readers that take these ideas to heart and consider the recommendations will have a better chance to execute intersectional ideas.
UBIQUITY: And having asked how the book will change the reader, let's end with this question: has the writing of the book changed the author?
JOHANSSON: Yes, it has, substantially. It's done a number of things. First of all, writing the book has been an individual effort but has helped me appreciate the differences in approach between individual and group efforts. I think that writing the book has just given me a lot better understanding of what that means. The second thing it has done for me is it has made me very interested in writing more books. I found the process of writing fascinating, I really enjoyed it, and I'm going to continue that. Finally, and most importantly, it has given me an incredible number of new ideas. I woke up one morning and realized that I've just always taken it as a truth that when you step into intersections and combine different cultures or disciplines, you have a greater chance of an insight. I wondered: is that really true? And so that was the whole reason for starting this project. I just wanted to know if it was true, and I did a lot of research for it, I did a lot of interviews. And yeah, it is true, that was my unabashed conclusion: it is absolutely, most positively true. And so with that, it has meant that the Medici Effect is in almost every aspect of my life now. I can't help but to see intersections everywhere and that's pretty cool.
Source: Ubiquity, Volume 5, Issue 31, Oct. 6 - 12, http://www.acm.org/ubiquity/
Now appearing on the not-ridiculously-priced racks at your local supermarket, the film "Catch me if you can" follows the life of a young fraudster in the 1960s. Frank Abagnale followed his heart if not his elders and developed strong techniques in how to engineer his way into many a closed shop.
Systems that he breached: medical practice, law, airline pilots, family. All systems that owed their security more to their marketing and belief systems than to good technology. Oh, yes, and he "kited" a lot of checks along the way, as the Americans would say.
What strikes one is the successful integration of different techniques into a concerted attack. Yes, Abagnale presented a fraudulent cheque or two. And yes, the system was pretty darn bad in those days. But it was the way he integrated his different social engineering approaches together that made the difference, not the single issue of credit or reliance on pieces of paper.
The film is well worth seeing for the financial cryptographer. It's integrated, balanced, and it includes little or no crypto. Just like the real world! Oh, and it's also a fun film for all the family, which makes it shareable with those who exercise patience in our lives.
Reading the new SANS list of top 20 vulnerabilities leaves one distinctly uncomfortable. It's not that it is conveniently sliced into top 10s for Unix and Microsoft Windows, I see that as a practical issue when so much of the world is split so diametrically.
The bias is what bothers. The Windows side is written with excruciating care to avoid pointing any blame at Microsoft. For example, wherever possible, general cases are introduced with lists of competing products, before concentrating on how it afflicts Microsoft product in particular. Also, the word Microsoft appears with only positive connotations: you have this Microsoft security tool, whereas you have a buggy Windows application.
One would think that such a bias is just a reflection of SANS' use of institutions and vendors as the source of its security info. For example, "p2p file sharing" is now alleged to be a "vulnerability" which has to be a reflection of the FBI responding to the RIAA over falling sales of CD music.
But what did strike me as totally weird was that phishing wasn't mentioned!
Huh? Surely there can't be a security person on the planet who hasn't heard of phishing and realised that it's one of the top serious issues? Why would SANS not list it as a vulnerability? Is the FBI too busy worrying about Hollywood's bottom lines to concentrate on theft from banks and other payment operators?
The answer is, I think, that the list only includes stuff for which there is a solution. Looking at the website confirms that SANS sells solutions. Scads of them, in fact. Well, it can't sell a solution for phishing because ... there isn't a solution to be sold. Not yet, at least.
Which is to say that the list is misnamed, it's the top 20 solutions we can sell you: SANS says they are "The Trusted Source for Computer Security Training, Certification and Research" and it's unlikely that they can instill that trust in their customers if they teach about a vulnerability they can't also solve.
No doubt they are working on one, as are hundreds of other security vendors. But it does leave one wondering how we go about securing the net when security itself is coopted to other agendas.
"Knowing what makes your antagonist tick is the key to getting the result you want," says a hacker who's being pursued by journalists and the FBI. Computer Weekly interviewed him and he came out with some answers worth pondering.
Wednesday 6 October 2004
Know your enemy
A young Asian hacker who easily penetrated the databases of several large US corporations, and whose exploits made him a top target for the FBI, offers advice for dealing with foreign cybercriminals.
"Knowing what makes your antagonist tick is the key to getting the result you want," he says.
Do you think it is more difficult to hack into US corporate networks today than it was four years ago?
If we are talking about the network that existed four years ago and exists now, then it would probably be more difficult, especially if during those years a given target had experienced trespasses by hackers.
If it is a recently developed network, then chances to get access are probably better.
In general it is easier for hackers to get access to networks in countries with growing and well-developed economies, because such companies have resources to expand their networks.
In third-world countries the companies do not have the ability or resources to expand the networks, so they have to fine-tune them and work with what they have.
Should US companies worry about hackers in Russia and other countries?
Hackers from countries where the economy is less developed than the US are more motivated by money than by pride when they start trespassing on US companies - as opposed to US hackers, who are motivated more by pride than money. (There are many other ways that you can make money in the US.)
Also, money is a stronger motivator than pride. That's why people motivated by money are more dangerous. Hackers are businesspeople [if they are motivated by money]. In most cases, they are probably just having difficulties in their countries finding and exploring opportunities to work.
If a company that is hacked into can explore with a hacker his or her talents in a more peaceful way, the victim can only benefit. If these hackers are businesspeople, they can be redirected by being offered a better deal than the one they might get by creating pressure through hacking.
I deeply believe in this point. It is hard, however, to generalise too much because every case involves different kinds of people and different circumstances.
What security measures offer the best protection against hackers?
Keep the hackers occupied if you recognise them as a threat. This might be similar to what some countries have done with their nuclear scientists - Russia, for example, keeps them under close supervision and treats them well, but above all keeps them busy professionally.
Is there a certain type of network that is particularly easy to hack?
There are two types. First, those that develop custom software. They usually invest money in developing the features that software provides, but often forget about securing parts of this software.
The second type is where there is a breach in the company's infrastructure. It is not the hacking per se that is dangerous; what should concern the company is being taken advantage of by the use of that information.
For example, if one got account numbers of users of PayPal, the hacker could then contact the users in huge numbers and attempt various kinds of fraud.
Will security technologies ever be able to keep hackers out, or will hackers always find a way into corporate networks?
Software and hardware can be improved to protect against trespasses. But then hackers will concentrate on security breaches in the infrastructure of a company, or do "social engineering".
The ultimate goal is to obtain information for subsequent use, and hacking is just one of the many ways to obtain it.
TechWeb reports that the hurricanes that gave Florida a good whipping over September seemed to drop the amount of spam seen on the net. The reason? It's suggested that "A lot of the biggest spammers are based in and around Boca Raton, Florida... When their power went out, they weren't able to spam."
Well, there you go. For once, I have no polite comment ...
Corruption and fraud are ever present, either as opportunities or as activities, and no good is served by pretending to be above the study of their ways. In financial cryptography, we develop systems that do end-to-end cryptographically protected transactions not because crypto is cool, but because it protects the transactions from inside theft. And it protects the insiders from themselves.
Here's a surprising and contrarian article by Theodore Dalrymple on corruption in Italy. The author argues that the corruption of the leviathan state is the one determining factor that propels Italians to a greater standard of living than their uncorrupted British cousins.
It's well argued and well worth considering (albeit long). Can you unravel the justification and deconstruct the cognitive dissonance to place its views in balance? Just exactly when is corruption a good thing? A challenge!
One of the issues in governance of issuance and other assets is where you site your servers. Just the act of siting your servers opens the business to jurisdictional effects. As the legal and regulatory status of independent issuance is uncertain, many issuers have gone to offshore regimes. This isn't for the popular reason of escaping harmful taxes, but for the more practical reason of seeking small and simple jurisdictions that are efficient to deal with.
By way of example, consider the US, where there is a broad range of agencies that have some sort of interest that could lead them into regulating issuance. Perversely, even though the US is one of the most friendly countries for issuance businesses, it is practically impossible to be in compliance because there are simply too many regulators. Witness the Paypal story, which includes many wrangles with many regulators. In Europe, where there is often a catch-all financial regulator, it's much easier to figure out who one should be in compliance with, but the environment is much less friendly towards issuance (see the eMoney directive for the "like-a-bank" approach).
Offshore islands are just so much simpler, and most of them are only worried about crooks and/or bad perception. Yet, siting offshore exposes you to other risks such as poor connectivity and poor governance. And then there are all the normal disaster issues that nobody likes to talk about.
The Isle of Man has thought about this, and come up with the concept of home jurisdiction recovery siting. If you use an Isle of Man firm to do your disaster recovery, it seems that they will permit you to retain your home jurisdiction.
It's a very curious concept! There are many curious angles to this, and it could well take off in directions they hadn't thought of. One to watch.
Isle Of Man Set For Role As Global IT Disaster Recovery Hub
by Jason Gorringe, Tax-News.com, London
13 September 2004
The Isle of Man government has been actively pursuing measures that could propel the Island towards assuming the mantle of the world's IT disaster recovery hub in the field of financial services, the local media has reported.
In a bid to achieve this, the Island's authorities are seeking to agree memoranda of understanding (MOU) with multiple offshore jurisdictions which would allow firms using an Island-based disaster recovery service to operate under the same regulations as in their home jurisdictions, according to the Isle of Man Online.
Legislation has been passed with the aid of the Financial Supervision Commission, and it is said that the measures are the first of their type anywhere in the world.
The report quotes Tim Craine, director of e-business, as noting: "It was a perfect example of government working very closely with the private sector. There was an opportunity for the Isle of Man to become a world leader for disaster recovery if we could make it simple and easy for offshore companies to use."
He added: "The FSC was happy to comply as long as the businesses using the service were subject to adequate supervision in their own jurisdictions, in order to protect the reputation of the Island."
The initiative is to target offshore jurisdictions that may be vulnerable to natural disasters, such
It was an impossible task anyway, and more kudos to Amit Yoran for resigning. News that he has quit the so-called "cybersecurity czar" position in the US means that one more person is now available to do good security work out in the private sector.
When it comes to securing cyberspace, we can pretty much guarantee that the less the government (any, you pick) does the better. They will always be behind the game, and always subject to massive pressure from large companies selling snake oil. Security is a game where you only know when you fail, which makes it strongly susceptible to brand, hype, finger pointing and other scams.
There is one thing that the government (specifically, the US federal government this time) could have done to seriously improve our chances of a secure net, and that was to get out of crypto regulation. There was no movement on that issue, so crypto remains in this sort of half-bad half-good limbo area of weakened regulatory controls (open software crypto is .. free, but not the rest). The result of the January 2000 easing was as planned (yes, this is documented strategy): it knocked the stuffing out of the free community's independent push, while still leaving real product skipping crypto because of the costs.
IMNSHO the reason we have phishing, rampant hacking, malware, and countless other plagues is because the US government decided back in days of post-WWII euphoria that people didn't need crypto. Think about it: we built the net, now why can't we secure it?
For about 60 years or more, any large company getting into crypto has had to deal with .. difficulties. (Don't believe me, ask Sun why they ship Java in "crippled mode.") This is called "barriers to entry" which results in a small group of large companies arising to dominate the field, which further sets the scene for expensive junk masquerading as security.
In the absence of barriers to entry, we'd expect knowledge dispersed and acted upon in a regular fashion just like the rest of the net intellectual capital. Yet, any specialist has to run the gauntlet of .. issues of integrity. Work on free stuff and starve, or join a large company and find yourself polishing hypeware with snake oil.
Of course it's not as bad as I make out. But neither is it as good as some claim it. Fact is, crypto is not deployed like relational databases, networking protocols, virtual machine languages or any of the other 100 or so wonderful and complex technologies we developed, mastered and deployed in the free world known as the Internet. And there's no good reason for that, only bad reasons: US government policy remains anti-crypto, which means US government policy is to not have a secure Internet.
==============================
'Frustrated' U.S. Cybersecurity Chief Abruptly Resigns
POSTED: 11:32 AM EDT October 1, 2004
WASHINGTON -- The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency.
Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single day's notice of his intentions to leave.
Yoran said Friday he "felt the timing was right to pursue other opportunities." It was unclear immediately who might succeed him even temporarily. Yoran's deputy is Donald "Andy" Purdy, a former senior adviser to the White House on cybersecurity issues.
Yoran has privately described frustrations in recent months to colleagues in the technology industry, according to lobbyists who recounted these conversations on condition they not be identified because the talks were personal.
As cybersecurity chief, Yoran and his division - with an $80 million budget and 60 employees - were responsible for carrying out dozens of recommendations in the Bush administration's "National Strategy to Secure Cyberspace," a set of proposals to better protect computer networks.
Yoran's position as a director -- at least three steps beneath Homeland Security Secretary Tom Ridge -- has irritated the technology industry and even some lawmakers. They have pressed unsuccessfully in recent months to elevate Yoran's role to that of an assistant secretary, which could mean broader authority and more money for cybersecurity issues.
"Amit's decision to step down is unfortunate and certainly will set back efforts until more leadership is demonstrated by the Department of Homeland Security to solve this problem," said Paul Kurtz, a former cybersecurity official on the White House National Security Council and now head of the Washington-based Cyber Security Industry Alliance, a trade group.
Under Yoran, Homeland Security established an ambitious new cyber alert system, which sends urgent e-mails to subscribers about major virus outbreaks and other Internet attacks as they occur, along with detailed instructions to help computer users protect themselves.
It also mapped the government's universe of connected electronic devices, the first step toward scanning them systematically for weaknesses that could be exploited by hackers or foreign governments. And it began routinely identifying U.S. computers and networks that were victims of break-ins.
Yoran effectively replaced a position once held by Richard Clarke, a special adviser to President Bush, and Howard Schmidt, who succeeded Clarke but left government during the formation of the Department of Homeland Security to work as chief security officer at eBay Inc.
Yoran cofounded Riptech Inc. of Alexandria, Va., in March 1998, which monitored government and corporate computers around the world with an elaborate sensor network to protect against attacks. He sold the firm in July 2002 to Symantec for $145 million and stayed on as vice president for managed security services.
Copyright 2004 by The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
Addendum: 2004.10.07: The administration's rapid response: Cybersecurity expert Howard Schmidt returning to DHS
In the "war on phishing" which has yet to be declared, there is little good news. It continues to increase, identity theft is swamping the police departments, and obscure efforts by the RIAA to assert that CD pirating is now linked to financing of terrorism grab the headlines [1]. Here's a good article on the victims, and the woe that befalls the common man of the net, while waiting for something to be done about it [2].
Meantime, what to do? Phishing won't stop until the browser manufacturers - Microsoft, Mozilla, Konqueror, Opera - accept that it's an attack on the browser. The flood of viruses on Microsoft's installed base won't change any time soon, especially underscored by the SP2 message: Microsoft has shown there is no easy patch for a fundamentally broken system.
Don't hold your breath, it will take years. In the meantime, the only thing I can think of for the embattled ordinary user is this: buy a Mac and download Firefox. That won't stop the phishing, but at least they are sufficiently inured against viruses that you won't have to worry about that threat.
[1] http://go.theregister.com/news/2004/09/28/terrorist_email_scams/
[2] http://www.theregister.co.uk/2004/09/24/identity_snatchers/
Invasion of the identity snatchers
By Kelly Martin, SecurityFocus (kel at securityfocus.com)
Published Friday 24th September 2004 11:32 GMT
Last year I was the victim of identity theft, a sobering reality in today's world. An unscrupulous criminal managed to social engineer his way past the formidable security checks and balances provided by my credit card company, my bank, and one of my investment accounts. He methodically researched my background and personal information until he could successfully impersonate me, and then subsequently set forth to change the mailing addresses of my most important financial statements.
It was a harrowing experience, and one worth explaining in the context of the online world. Numerous visits to the local police and the Canadian RCMP revealed some rather surprising things: identity theft is already so common that there are entire units within law enforcement that deal with this issue every day. They have toll-free numbers, websites and documents that clearly define their incident response procedures. But the reality is, law enforcement will respond to these issues just as you might expect: with phone calls, in-person interviews, and some traditional detective work. It's still very much an analog world around us.
The other thing that became crystal clear during the process of regaining my own identity is this: for as capable as they may be, law enforcement is woefully ill-equipped to track down identity theft that starts online. As a security professional with a healthy dose of paranoia, I was confident that my online identity had not been compromised - a more traditional approach had been used. But with the sophistication of today's viruses, millions of others cannot say the same thing.
While not all identity theft starts online, the fact is that online identity theft is now incredibly easy to do. The same methodical, traditional approach that was used to steal my identity by placing phone calls is being sped up, improved upon, and made ever more lethal by first attacking the victim online. Your banking and credit card information can come later.
We all know how commonplace these technologies already are: keyloggers, Trojans with remote-control capabilities and even webcam control, and backdoors that give access to all your files. There are millions of these installed on infected machines all over the world, lurking in the shadows.
Ever do your taxes on your home computer? All it takes is one Social Insurance Number (or Social Security Number in America), plus some really basic personal information, and you're sunk. Every nugget of information can be worth its weight in gold if, for example, that online banking password that was just logged enables someone to change your address and then, a month later, take out a loan in your name.
The rise of phishing scams over the past two years alludes to this growing menace: your personal information, especially your banking and credit card information, has significant value to a criminal. No surprise there.
Working in the security field, many of us know people who are regularly infected with viruses, worms, Trojans. When it gets bad enough, they reformat and reinstall. I can't count the number of times I've heard people tell me that they're not overly concerned, as they believe that the (often, minimal) personal information on their computer is not inherently valuable. They've clearly never had their personal information put to ill use.
As I was reading the new Threat Report from Symantec, which documents historical virus trends, only the biggest numbers jumped out at me. The average time from vulnerability to exploit is now just 5.8 days. Some 40 per cent of Fortune 100 companies had been infected with worms over a period of six months. There were 4,496 new Microsoft Windows viruses discovered in six months, or an average of 24 new viruses every day. Basically, the epidemic is out of control.
With a few exceptions, however, the most popular and most prominent viruses and worms are not the ones that will be used to steal your identity. It's that carefully crafted email, or that feature-rich and bloated Trojan, that will be used in covert attempts.
Perhaps a suitable solution to the epidemic is a rather old one, and one that I employ myself: encryption of all the personal data that is deemed valuable. I'm not talking about your pictures of Aunt Tilly or your music archive - I'm referring to your tax returns, your financial information, your bill payments, etc. This approach still won't avoid the keyloggers or that remote control Trojan that's sitting on your drive, but it does help to avoid new surprises and mistaken clicks.
And to those users out there whom we deal with everyday and who still say there's nothing important on their computer that requires them to care about today's worms, Trojans, viruses, and so on, the day their own information is stolen and used against them is growing ever more near.
Copyright © 2004, SecurityFocus (http://www.securityfocus.com/)