February 28, 2007

U.S. Dollar Drops Against Counterfeit U.S. Dollar

In the wake of yesterday's dramatic drop in many world stock markets:

U.S. Dollar Drops Against Counterfeit U.S. Dollar
February 25, 2007

NEW YORK - At the close of trading Monday, the U.S. dollar dipped to a record low of $.60 against the counterfeit U.S. dollar, which also outpaced the dollar against the euro and the yen.

"We don't even accept regular U.S. dollars anymore," said Union, NJ 7-Eleven manager Rick Grove, echoing the sentiments of merchants nationwide. "We've gotten stung a few times taking in the real ones. I always tell my cashiers, if it feels fake to the touch, and you can't see both sides when you hold it up to the light, it's fine."

Concerned about further devaluation of standard U.S. currency, Federal Reserve Chairman Ben Bernanke has suggested that Congress outlaw counterfeit bills entirely.

© Copyright 2007 Onion Inc. All rights reserved.

The Onion's satire aside, the way the US dollar and its counterfeits compete ... and cooperate ... around the world is fascinating stuff, and is food for thought for us FCers seeking to protect our system. We will meet our enemy, and...

Posted by iang at 10:12 AM | Comments (2) | TrackBack

February 27, 2007

Insider fraud -- innocent client networking or excessive liposuction?

Insider fraud is like an evil twin of security. From the "it could be you" department...

There has been an internal feud at the company for some time between joint owners Kevin Medina, CEO, and John Naruszewicz, vice president, which culminated in a February 12 lawsuit.

Naruszewicz sought, and received, a preliminary court injunction preventing Medina from accessing the company's funds. Naruszewicz claimed that Medina had been using corporate money to pay for a life of luxury, at the expense of the company and its customers.

Among the allegations were claims that Medina has used Registerfly's money to pay for a $10,000-a-month Miami Beach penthouse, a $9,000 escort, and $6,000 of liposuction surgery.

Many "security people" from the new, net-based culture only discover what older value institutions have known for centuries -- and then only when it happens to them.

The overall lesson that we need to bear in mind is that the twins should be kept in balance: cover the external security to the same extent as the internal security. Security proportional to risk, in other words, as having perfect security in one area is meaningless if there is a weak area elsewhere.

That's a case from the computer industry: It could be you... We can imagine that it all started out as an innocent need to network with some important clients.

(Note that the unsung hero here, the VP who challenged the fraud, will probably never be rewarded, thanked, or protected from counter-attacks.)

Posted by iang at 10:28 AM | Comments (0) | TrackBack

February 26, 2007

Crypto Revisionism -- Hypothesis #6 -- It's your Job. Do it.

Paul Crowley rants in anguish over the status of current day cryptoplumbing, and attacks the usual suspects (SSL, SSH, *pgp*, IPSec). They are easy targets so I'll let you read them there. (Where Paul goes further is that he actually attacks SSH, which takes it beyond the norm. I like.)

Leaving that aside, what is it that Paul is really interested in? He needs a protocol.

I'm now in the position of wanting to make crypto recommendations for the next generation of the Monotone revision control system. I wish I had a better idea what to tell them. They need transport-level crypto for server-to-server connections, but I hesitate to recommend SSL because the poison that is X.509 is hard to remove and it makes all the libraries for using SSL ugly and hard to use. They need to sign things, but I don't want to recommend OpenPGP: it's hard to talk to and the Web of Trust is a truly terrible fit for their problem; on top of which, OpenPGP has no systematic way to assert the type of what you're signing. They need a way for one key to make assertions about another, and we're going to invent all that from scratch because nothing out there is even remotely suitable.

After long hard thought ... Paul says he has problems with what is offered. Here's what I think, and in my scratch pad of Hypotheses, I call this

Hypothesis #6: It's your job. Do it.

(It's your job to click. Click on ... thanks to Zooko for the pointer! Oh, and the editor reminds that Hypothesis #3 was introduced earlier.)
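Two of the needs in Paul's list (a systematic way to assert the type of what is signed, and a way for one key to make assertions about another) are cheap to get right if the protocol is designed for them from the start. The block below is an added illustration, not Paul's code and not Monotone's: the message types "revision" and "key-assertion", the framing tag, and the assertion text are all assumed for the example. The signature primitive is a stdlib-only Lamport one-time scheme standing in for whatever real scheme a project would pick; the point is the framing around it, which binds the type into the signed bytes so a signature over a revision cannot be replayed as a statement about a key.

```python
"""Typed signing with domain separation, plus key-to-key assertions.

Added example (not from the original post or the Monotone project).
Lamport one-time signatures are used only so the example runs with the
standard library; each key here signs exactly one message, as Lamport
requires. Substitute a real scheme (Ed25519, etc.) in practice.
"""
import hashlib
import os

HASH = hashlib.sha256
N = 256  # digest bits == number of secret pairs in a Lamport key


def frame(msg_type: bytes, payload: bytes) -> bytes:
    """Canonical, unambiguous encoding of (type, payload).

    The fixed tag and the length prefixes mean two different
    (type, payload) pairs can never encode to the same bytes, so the
    signer commits to the type, not just to the payload.  The tag
    "typed-sig/v1" is an assumed label for this example.
    """
    assert len(msg_type) < 256, "type tag must fit one length byte"
    return (b"typed-sig/v1\0" + bytes([len(msg_type)]) + msg_type
            + len(payload).to_bytes(8, "big") + payload)


def lamport_keygen():
    """Secret key: 256 pairs of random 32-byte values; public key: their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _bit(digest: int, i: int) -> int:
    return (digest >> (N - 1 - i)) & 1


def lamport_sign(sk, data: bytes) -> list:
    """Reveal, for each digest bit, the secret on that side of the pair."""
    digest = int.from_bytes(HASH(data).digest(), "big")
    return [sk[i][_bit(digest, i)] for i in range(N)]


def lamport_verify(pk, data: bytes, sig: list) -> bool:
    """Every revealed secret must hash to the public value the digest bit selects."""
    if len(sig) != N:
        return False
    digest = int.from_bytes(HASH(data).digest(), "big")
    return all(HASH(sig[i]).digest() == pk[i][_bit(digest, i)] for i in range(N))


def key_id(pk) -> bytes:
    """Fingerprint of a public key: hash of its serialised form."""
    return HASH(b"".join(a + b for a, b in pk)).digest()


def sign_typed(sk, msg_type: bytes, payload: bytes) -> list:
    return lamport_sign(sk, frame(msg_type, payload))


def verify_typed(pk, msg_type: bytes, payload: bytes, sig: list) -> bool:
    return lamport_verify(pk, frame(msg_type, payload), sig)


def make_assertion(issuer_sk, subject_pk, statement: bytes):
    """Issuer key asserts `statement` about subject key (a minimal certificate)."""
    payload = key_id(subject_pk) + statement
    return payload, sign_typed(issuer_sk, b"key-assertion", payload)


def check_assertion(issuer_pk, subject_pk, statement: bytes, sig: list) -> bool:
    return verify_typed(issuer_pk, b"key-assertion", key_id(subject_pk) + statement, sig)


def demo():
    """Root key vouches for a developer key; developer key signs a revision.

    Returns (cert_ok, revision_ok, type_confusion_ok, wrong_subject_ok);
    the last two must be False.
    """
    root_sk, root_pk = lamport_keygen()
    dev_sk, dev_pk = lamport_keygen()
    statement = b"may-sign:revision"          # assumed assertion text
    _, cert_sig = make_assertion(root_sk, dev_pk, statement)
    revision = b"revision-id: example\nparent: example\n"  # constructed sample
    rev_sig = sign_typed(dev_sk, b"revision", revision)

    cert_ok = check_assertion(root_pk, dev_pk, statement, cert_sig)
    revision_ok = verify_typed(dev_pk, b"revision", revision, rev_sig)
    # The same bytes and signature presented under a different type must fail.
    confusion_ok = verify_typed(dev_pk, b"key-assertion", revision, rev_sig)
    # The certificate must not transfer to a different subject key.
    wrong_subject_ok = check_assertion(root_pk, root_pk, statement, cert_sig)
    return cert_ok, revision_ok, confusion_ok, wrong_subject_ok


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is that the type tag goes inside the signed bytes through a canonical, length-prefixed frame, so verifiers never have to guess what a signature was meant for; the key-to-key assertion is then just one more typed message whose payload starts with the subject's fingerprint.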

Posted by iang at 07:17 PM | Comments (5) | TrackBack

February 25, 2007

The alternative to FC is unprintable - Ahmadinejad and capital markets

Sometimes someone writes a sweeping article that just happens to include why Financial Cryptography is so important, and also so misunderstood. Here's an article by Reuven Brenner (posted by RAH):

What happens when societies either do not have or destroy their financial markets? Even today very few societies have developed the institutions that can enable the development of deep financial markets - a solid legal infrastructure and free media among them. In this scenario, most people wanting access to capital have no other option but to turn to government, which will raise the money - either through taxes or borrowing - and then distribute it.

FC at its core is about all forms of value. That means markets, and the form of market that FC just happens to excel in is the capital market.

The alternative to access to capital (in other words, FC) is unprintable, at least on this forum, as we are sensitive to the reader's desires for a cosy Sunday and our own desire to believe we are doing the right thing.

Friedrich Hayek called it the Fatal Conceit, and Muhammad Yunus showed how it caused poverty. Maggie Thatcher didn't hand it over to Brussels, and more recently, Hernando de Soto said that the Mystery of Capital was why they don't have it and we do.

Wherever you stand on mad mullahs, the rise of totalitarianism, wars over trade or gun-ship diplomacy, we would all be well served by liquid markets for capital in emerging markets. This seems to trump everything, or have I missed something?


The National Review

December 19, 2006, 8:42 a.m.

The Economics of the Rise of Ahmadinejad

Capital markets (or their absence) are central to the emergence of evil and the one-party state.

By Reuven Brenner

When Iranian President Mahmoud Ahmadinejad visited the U.S. recently, he didn’t say explicitly that the Holocaust was a myth. Instead he asked why so much emphasis is put on the 6 million Jews who died during WWII rather than the 60 million people who perished during the conflict. Then, at a Tehran conference where Holocaust deniers congregated with Orthodox rabbis who apparently believe the state of Israel should not exist, Ahmadinejad offered a message satisfying each camp. He told the delegates that the Holocaust should be questioned and that Israel’s days are numbered.

One wonders, with the terrible lessons of 20th century totalitarianism still so ripe, how history could repeat itself so blatantly and so soon. I hold that the answer lies in just how one-party states such as modern Iran emerge, and of what happens when the access to capital is limited within societies.

Of course, the systematic extermination of the Jews started in the early 1930s. By then, Germany had rebuilt itself from the ruins of WWI and the devastating hyperinflation of the 1920s into a powerful, educated, industrialized nation, where science and technology thrived. True, all this occurred within a one-party state. Yet, if such apparent prosperity can lead to murderous instincts not being suppressed, where is the advantage of Western Civilization, which is built on the concept of prosperity? In a recent op-ed in the Wall Street Journal, Mark Bowen asked, Why is the Holocaust haunting the collective memory of the West? Bowen concluded, “what the Holocaust demonstrates is the danger of a one-party state.”

This conclusion is partially correct, but it begs the question: How did Germany get from the Weimar Republic, a democracy, to the one-party state? And why did the Germans tolerate such a state and accept its murderous ideology? Whether the Germans agreed deep down with Hitler & Co. is irrelevant. Actions — or, in this case, the lack of actions — matter.

During the 1920s, Germany, Austria, Hungary, Poland, and Russia each printed money with abandon. This brought about hyperinflation, which weakened or destroyed the capital markets in these countries. Banks failed, markets crashed, unemployment rose, and the middle classes lost their lifetime savings.

People want to live first and philosophize a bit later. With their savings gone, these Europeans turned to two other ways of accessing capital: government and crime. Predictably, each of these countries moved toward centralization — that is, government became the main financial intermediary.

When the citizens of these countries looked abroad, there was little to admire. England and the U.S. were each suffering through depressions (in the U.S., due to mistaken fiscal and monetary policies). These governments too moved toward centralization, though to a much different degree. Up sprung the jargon of “public works” and, eventually, the Keynesian term “aggregate demand.” Here the governments also would become intermediaries, charged with raising and then allocating capital. Importantly, however, this was done without England or the U.S. ever becoming one-party states.

Power is dispersed within democracies, and democracies are always weakened when more money flows through government hands. This is true even when the facade of democracy persists. When more capital sifts through the government, more groups depend on government handouts and have less access to sources of capital that are independent from the ruling political parties. But the U.K. and the U.S. retained many more independent sources of capital than did Germany, Austria, Hungary, or Russia during the 1930s.

The dangers come when a country either does not develop its capital markets or destroys them on purpose or inadvertently. When this is the case, the chances of one party taking power and imposing its ideology increase.

Conversely, when capital markets are opened, the risk that one-party states will emerge diminishes. As independent sources of capital surface, political power is dispersed and lasting prosperity follows. Thus, it is a mistake to promote democracy without first establishing the ground for letting people have access to capital and collateral — or at least coordinating such access with political change. After all, prosperity is the result of matching people with capital, while holding both sides accountable.

What happens when societies either do not have or destroy their financial markets? Even today very few societies have developed the institutions that can enable the development of deep financial markets — a solid legal infrastructure and free media among them. In this scenario, most people wanting access to capital have no other option but to turn to government, which will raise the money — either through taxes or borrowing — and then distribute it.

That’s how one-party states such as Ahmadinejad’s Iran emerge: People bet on crazy ideologies when their customary ways of living suddenly crumble and capital markets close. Capital markets are the unique feature of the West, and their democratization is the key to the civilizing process and the best insurance against the emergence of one-party states. Indeed, that’s what the U.S. should have been “exporting” all along in the Middle East, coordinating the promotion of capital markets with the necessary political changes in Iraq.

— Reuven Brenner holds the Repap chair at Desautels’ Faculty of Management, and is partner in Match Strategic Partners. The article draws on his books Force of Finance (2002) and History: The Human Gamble (1983).

Posted by iang at 12:25 PM | Comments (1) | TrackBack

February 11, 2007

Why Linux doesn't care about governance...

The Mozilla governance debate is running hot, rejoinders flowing thick and fast. Here is a seriously good riposte by James Donald:

A successful open source project has a large effect on what large numbers of people do. The effect has a large indirect effect on various for-profit ventures, who then proceed to give handouts to the non profit open source project. Thus, for example, linux was the beneficiary of vast amounts of work by engineers employed by corporations who feared that they would be screwed by Microsoft or wintel, and urgently wanted to have an alternative, or, in the case of Sun, had to ensure that their customers had an alternative.

In that case, the big corporations were the good guys, reacting against the dangerous power of a particular big corporation, protecting everyone in the course of protecting themselves.

More nefarious activities are common: For example OpenID is backed by XRI, and tends to do things that are more in the interests of XRI rather than support the objectives of OpenID - but then there is nothing terribly wicked or nefarious about the objectives of XRI.

Getting back to the case in dispute, the various browser responses to phishing, to the internet crisis of identity and security, make more sense as a Verisign business plan than as a response to phishing, and in so doing harm security, in the sense that they are disinclined to take any effective action, for any effective action would compete with the services provided by Verisign.

We don't need to worry about governance with linux, for the interests of the contributors are well aligned - they all want free software ("free" as in "free speech", not just "free" as in "free beer") that does all the things that Microsoft's unfree software does. So we just proclaim Torvalds dictator and let him get on with it. No one cares about linux governance.

Trouble is that some of the contributors to Mozilla want to be paid for security, which means that they do not want Mozilla to provide free security - neither in the sense of free speech, nor in the sense of free beer.

And Mozilla really should provide free security.

Now, we might not agree with everything written above ... but James does raise the rather good point that there is a big difference between the Linux community and the Mozilla community.

Superficially, there is tight control over both projects. In the first case by Linus, Grand Vizier and Despot Over all his Kernels and Dominions. In the second, MoFo developers are Most Benevolent and Principled Dictators, Defenders of the Freedom of all our Code in all our Repositories. To paraphrase.

Both despots, both dictators. Here is the difference. Linus only rules over the kernel; which is then fed to 100 or more secondary tier distributors, within the freedom granted by GPL. They then feed it to users.

In contrast, Mozo rules over the whole show. The user interface ("UI") is controlled by the Mozo developers, but not by Linus in his project. For Mozo the money comes flooding in like the spring melt because they have a vast user base wanting to access the lodestone of net commerce: search engines.

For the linux kernel there is no such centralised opportunity, as the UI is controlled at the remote distro level. In practical terms, the Linux commercial opportunity has been outsourced into the free market of Redhat, Ubuntu, Suse, Debian and a hundred others.

The reason that no-one cares about Linux governance is that the very structure of the Linux industry is the governance. The governance issue of regulating benefits and opportunities is solved by placing it where it is best dealt with: in the market place.

Expressed as a principle, Linus says it's ok to be a systems despot, but, please, let the UI go free.

Posted by iang at 11:34 PM | Comments (0) | TrackBack

February 07, 2007

Stakeholders in Security

Over on anti-fraud, Gervase asked:

>> Perhaps you should define "stakeholder" while you are here.

Ok, fair question. I received a huge tome entitled Phishing and Countermeasures in the post a week or so ago, and it includes lots of academic articles. In one, in a discussion of behavioural studies of phishing, it says:

As previously stated, Smetters and Grinter [39] have made the claim that there are three groups of stakeholders to consider in the design of security technologies, namely developers, administrators, and end-users. They claim also that the latter two groups are the primary focus of most security-related research. Finally, they claim that end-users are more frequently forced to be their own systems administrators nowadays, leading to an undesirable condition in which managing security is more complex for end-users than ever.

The notion that the stakeholders are developers, administrators, and end-users is perhaps the most obvious inventory. In a larger sense, all of society is affected by the security and trustworthiness of the online world, and we should not here discount the effects on all of society that arise when the security rights of individuals are violated. In global terms, the very notion of transactions between people and societies can be affected by the level of collective trust that depends on the reported experience of individuals.

[discussion of personas, snipped] ... it is not enough to design a system that makes it easy for security experts to manage the security of their transactions systems, but also it is necessary to design systems that make it possible for other kinds of people to easily become aware and act compliantly.

The full article is "Behavioural Studies," Jeffrey Bardzell, Eli Blevis, and Youn-kyung Lim.

To complete the discussion, "stakeholder" is a term that sits in opposition to "shareholder;" it both identifies others who are important, and also asks organisations without shareholders to go through the same exercise as those with.

See also the 2nd (management) definition on wikipedia.

Posted by iang at 04:09 PM | Comments (4) | TrackBack

February 01, 2007

EV - what was the reason, again?

A debate is bubbling over in securityland about the (shock, horror) service of typing in your SSN to get a seen-in-the-wild check. You can try it yourself.

I tried typing in 123 456 789 and it told me to p**s off ... drats, it's clever!

But meanwhile, I spotted down at the bottom that there is a "Verisign secured" seal at the bottom. Oh, that means something, doesn't it? So I clicked it. It took me to Verisign. (Don't believe me ... click on the seal yourself ... PLEASE... and spot the <ahem> slight flaw :)

But anyways, ==> Verisign <== then says:

1/2/2007 23:02 www.stolenidsearch.com uses VeriSign services as follows:

SITE NAME: www.stolenidsearch.com

SSL CERTIFICATE STATUS: Valid (13-Jan-2007 to 13-Jan-2008)

COMPANY/ORGANIZATION: TRUSTEDID INC, Redwood City, California, US

Encrypted Data Transmission This Web site can secure your private information using a VeriSign SSL Certificate. Information exchanged with any address beginning with https is encrypted using SSL before transmission.
Identity Verified TRUSTEDID INC has been verified as the owner or operator of the Web site located at www.stolenidsearch.com. Official records confirm TRUSTEDID INC as a valid business.

For your best security while visiting sites, always make sure the address of the visited site matches the address you are expecting to see. Make sure that the URL of this page begins with "https://seal.verisign.com"
>>REPORT SEAL MISUSE

(highlighting the interesting bit there ...)

So, there we have it. Verisign says that TrustedId Inc, d.b.a. "StolenIdSearch" are a valid business. If they misuse your SSN, go after them.

What was the need for EV then, again?

Addendum: The site responds to criticism.

Posted by iang at 05:12 PM | Comments (7) | TrackBack