Financial Cryptography

Breaches not as disclosed as much as we had hoped

One of the brief positive spots in the last decade was the California bill to make breaches of data disclosed to effected customers. It took a while, but in 2005 the flood gates opened. Now reports the FBI:

"Of the thousands of cases that we've investigated, the public knows about a handful," said Shawn Henry, assistant director for the Federal Bureau of Investigation's Cyber Division. "There are million-dollar cases that nobody knows about."

That seems to point at a super-iceberg. To some extent this is expected, because companies will search out new methods to bypass the intent of the disclosure laws. And also there is the underlying economics. As has been pointed out by many (or perhaps not many but at least me) the reputation damage probably dwarfs the actual or measurable direct losses to the company and its customers.

Companies that are victims of cybercrime are reluctant to come forward out of fear the publicity will hurt their reputations, scare away customers and hurt profits. Sometimes they don't report the crimes to the FBI at all. In other cases they wait so long that it is tough to track down evidence.

So, avoidance of disclosure is the strategy for all properly managed companies, because they are required to manage the assets of their shareholders to the best interests of the shareholders. If you want a more dedicated treatment leading to this conclusion, have a look at "the market for silver bullets" paper.

Meanwhile, the FBI reports that the big companies have improved their security somewhat, so the attackers direct at smaller companies. And:

They also target corporate executives and other wealthy public figures who it is relatively easy to pursue using public records. The FBI pursues such cases, though they are rarely made public.

Huh. And this outstanding coordinated attack:

A similar approach was used in a scheme that defrauded the Royal Bank of Scotland's (RBS.L: Quote, Profile, Research, Stock Buzz) RBS WorldPay of more than $9 million. A group, which included people from Estonia, Russia and Moldova, has been indicted for compromising the data encryption used by RBS WorldPay, one of the leading payment processing businesses globally.

The ring was accused of hacking data for payroll debit cards, which enable employees to withdraw their salaries from automated teller machines. More than $9 million was withdrawn in less than 12 hours from more than 2,100 ATMs around the world, the Justice Department has said.

2,100 ATMs! worldwide! That leaves that USA gang looking somewhat kindergarten, with only 50 ATMs cities. No doubt about it, we're now talking serious networked crime, and I'm not referring to the Internet but the network of collaborating, economic agents.

Compromising the data encryption, even. Anyone know the specs? These are important numbers. Did I miss this story, or does it prove the FBI's point?

Timeline for an SSL protocol breach -- what's the size of your OODA loop?

SSL is a protocol that gives a point-to-point connection with some protection against MITM (man-in-the-middle). Attacks against SSL as a security paradigm can be characterised in three levels:

• within the protocol,
• within the application (but outside the protocol), and
• within the business (outside the application, but inside the personal relationships).

The reason we have to see this holistically, and include all three levels, is that SSL as a tool is worthless if the wider attacks are not dealt with, SSL is only valuable to the extent that they are dealt with, and SSL gets in the way to the extent that it imposes unreasonable responsibilities or expectations on the application or user.

Classical Phishing is the latter case, in that an email is sent to a user, who then clicks on a link. The application is not attacked, the "business" is. This is the MITM that caused the explosion in phishing around 2003. MITB (man-in-the-browser) is the next level down, attacking the application directly. The perverse linkage to the MITM of phishing is that the phishing explosion financed the move into application-level attacks.

Now, all of that is security as it is delivered to users. There is then protocol security, and here SSL has generally excelled. It meets its internal protocol goals very well, and always has done so. Now news has surfaced of a rare thing: an in-protocol attack against SSL:

Members of an industry-wide consortium had been meeting in secret since late September to hash out a fix that will be rolled into thousands of individual pieces of hardware and software that implement the TLS protocol. The bug became public when it was disclosed by a researcher not involved in the project. So far, OpenSSL is the only provider that is close to releasing a patch, according to this status page.

How serious is this? Initial comments were that it was hard to exploit, but now news is filtering through that Anil Kurmus has written an exploit against Twitter.

It's an evolving topic. What I find interesting however is that this represents a good event to make some OODA observations. Here's what I've gathered so far:

The interesting conclusion to draw here is we can possibly measure the size of the OODA loop for the SSL industry, at least in this one event.

And here is what is emerging over time:

(Editor's note: Second table added and augmented after original publication.)

FC: better than freedom?

The Economist writes:

Better than freedom?

Nov 12th 2009 | BAGHDAD
From The Economist print edition
Why Iraqis cherish their mobile phones

ASKED to name the single biggest benefit of America’s invasion, many Iraqis fail to mention freedom or democracy but instead praise the advent of mobile phones, which were banned under Saddam Hussein. Many Iraqis seem to feel more liberated by them than by the prospect of elected resident government.

In the five years since the first network started up, the number of subscribers has soared to 20m (in a population of around 27m), while the electricity supply is hardly better than in Mr Hussein’s day....

Good news for them! It gets better:

During recent years of civil strife, when many stayed indoors, mobile phones were the lifeline. They also became a tool of commerce. Reluctant to risk their lives by visiting a bank, many subscribers transferred money to each other by passing on the serial numbers of scratch cards charged with credit, like gift vouchers. Recipients simply add the credit to their account or sell it on to shops that sell the numbers at a slight discount from the original. This impromptu market has turned mobile-phone credit into a quasi-currency, undermining the traditional informal hawala banking system.

Practically every financial cryptographer I know has made this observation. Phones can be used to ship money. Mobile minutes are a fantastic demand base for money. They've been traded at face value for a long time. And, visiting banks is dangerous in some contexts, something we rich fat&happy westerners often forget.

This is pure financial cryptography: the turning of a simple technical architecture based on some security (some crypto) into a network capable of moving value for people. If there is any doubt left...

The market’s growing size is making some bankers wonder if phone credit should be traded on a public exchange. This may not be practical, but more regulation would be welcome. ... Prostitutes get regular customers to send monthly retainers to their phones, earning them the nickname “scratch-card concubines”, while corrupt government officials ask citizens for $50 in phone credit to perform minor tasks.

We got it all: markets to trade phone credit, crime, so we've crossed that GP thing, and booming trade where the worry-worts in government would normally blush and ban.

Of course, those same people will rant on about how this is promoting crime, and it must be banned.

Criminal rings are among the parallel currency’s busiest users. Kidnap gangs ask for ransom to be paid by text messages listing a hundred or more numbers of high-value phone cards. ... Viewed as cash substitutes, scratch cards have also drawn the attention of armed robbers. In one case, a gang emptied out the card storage of Iraq’s biggest mobile operator, Zain, which is based in neighbouring Kuwait.

Serious architects of money systems know that *all* such electronic systems also work to seriously track the crook (even the much-hyped DigiCash was not exactly as it seems). The notion that you can send a ransom over a phone is just press-headlines and FUD. Remember, the cell towers can track the phone bearer to 10m or so, so if you do that, it's because the police aren't doing their job.

Still, it remains popular political policy to shoot the messenger, as was done in Europe in the 1990s, and now is popular in other countries. But we've also learnt that when a need is big enough, even the normal worries are swept away:

Not to be left out of the bonanza, Iraq’s cash-strapped government now says it will sell a fourth mobile-operating licence, after raising $1.25 billion from each of the last three. That is less than its vast oil reserves promise to put into the state’s coffers but a lot easier to negotiate. And Baghdad is not the only place where mobile-phone commerce thrives. The UN says it has plans to deliver aid to Iraqi refugees in Syria in the same way.

Is the mobile phone better than freedom? Only when free enough to allow freedom to develop. In this case, financial cryptography is the general rubik, but economists would recognise the real linkage here: Free trade is freedom; the ability of Iraqis to avoid "going to the bank" when there's shooting outside is a life saver.

Literally, phone money saved their lives. In our fat&content western society, freed up payments won't save anyone's life, we're not in Mexico yet. But financial cryptography can shave a percentage point or two off of the price of *everything* because payments cost money and FC delivers those same things for a fraction of the costs.

And that you can take to the bank, or more importantly, back to the economy. Got a problem with growth? Install an FC plugin into your economy, and watch.

my War On SQL

Around three weeks ago, I had a data disaster. In a surprise attack, 2 weeks worth of my SQL DATABASE was wiped out. Right after my FIRST weekend demo of some new code. The horror!

On that Monday morning I went into shell-shock for hours as I tried to trace where the results of the demo -- the very first review of my panzer code -- had disappeared to. By 11:00 there was no answer, and finger-of-blame pointed squarely at some SQL database snafu. The decision was reached to replace the weaponry with tried and trusty blades of all wars previous: flat files, the infantry of data. By the end of the day, the code was written to rebuild the vanguard from its decimated remains, and the next day, work-outs and field exercises proved the results. Two tables entirely replaced, reliably.

That left the main body, a complex object split across many tables, and the rearguard of various sundry administrative units. It took another week to write the object saving & restoring framework, including streaming, model-objects along the lines of MVC for each element, model-view-controller conversions and unit-testing. (I need a name for this portable object pattern. It came from SOX and I didn't think much of it at the time, but it seems nobody else does it.) Then, some days of unit tests, package tests, field tests, and so forth. Finally, 4-5 days of application re-working to use object database methods, not SQL.

16 days later, up and going. The army is on the march, SQL is targetted, acquired, destroyed. Defeated, wiped off the map, no longer to blot on the territory of my application. 2 days of mop-up and I'm back to the demo.

Why go on a holy crusade against SQL? There are several motives for this war:

• Visibility. Like all databases, SQL is a black box. How exactly do you debug an application sitting on a black box?
• Visibility #2. When it goes wrong, the caller/user/owner is powerless to fix it. It's a specialist task to even see inside.
• Generalist. This database is lightweight, indeed it's called SQLite. The point isn't that it is "worse" than the rest, but that it'll have to be replaced one day. Why? All of these things are generalists and cannot cope with narrow, precise requirements. In other words, they look good on the parade ground, but when the shooting starts, the only order is "retreat!"
• Achilles heel: backups have to manually created, recovered, tested on a routine basis. Yet this never gets done, and when the data corrupts, it is too late. Making backups easy is the #1 priority of all databases. Did you know that? Funnily enough, neither did any of the database providers.

And then there's the interface. Let us not shame the mere technical _casus belli_ above, let us put the evil that is SQL in a section of abomination, all of its own:

SQL is in the top 5 of the computing world's most awful anachronisms. It's right up there with ASN1, X.509, LDAP, APL, and other embarrassments to the world of computer science. In this case, there is one reason why SQL stands out like the sideways slice of death of a shamed samurai: data! these things, SQL included, were all designed when data was king, we all had to bow before the august power of our corporate bytes, while white-suited priests inserted the holy decks and the tapes of glory into bright shining temples of the mainframe of enlightenment.

But those imperial times are over. The false data-is-god was slain, discarded and buried, in the glorious & bloody revolution of the Object, that heathen neologism that rose up and slew and enslaved data during the early 1980s. Data-only is slain, data is dead. Data is captured, enslaved, owned. It is now objects, objects, objects. Data is an immoral ghost of its former self, when let out from its rightful context of semantic control.

These are the reasons why I leapt to the field to do battle to the death with the beast that is SQL. My report from the field is as follows:

• operating from a flat files data store is slower and faster, depending on the type of action. Direct actions by my code are slower than SQL, but complicated actions are quicker. Overall, we are talking 10 - 50ms, so it is all in the "whatever" rating.
• Code overall is dramatically simpler. There is no need to emasculate the soul of ones object model. Simply store the object, and get back to the fight. The structure of the code, the design, is simplified as the inherently senseless interface of OO to SQL is gone, it is now more OO, more top-to-bottom.
• Joins have to be done in main code. This is an advantage for the coder, because the coder knows the main code, and the main language.
• debugging is much easier because the data can be read, those times that is necessary, and the data can be seen, which is necessary all the time.
• object transactions are trivial. Cross-object transactions are tricky. This forces the general in the field to be much more balanced.
• no data is ever lost. At least, in my design, it can't be lost by action of the code, as everything is append-only.
• it is uses about 5 times more space on the battlefield of your diskspace. Another "whatever..."
• The code length is about the same. What was additionally required in database code (1kloc) was taken away in awfully complicated SQL interfacing code that melted away. The "Model" code, that is, the objects to be saved is an additional 1kloc, but required anyway for clean OO design.

I continue to mop up. What's the bottom line? Control. The application controls the objects and the objects control their data.

So what went wrong with SQL? Fundamentally it was designed in a day when data was seriously different. Those days are gone, now data is integrally related to code. It's called "object oriented" and even if you don't know how to do it, it is how it is doing it to you. The object owns the data, not the database. Data seen naked is an abomination, and SQL is just rags on a beast; it's still a beast.

Sadly, the world is still a decade or two away from this. And, to be fair, hattip to Jeroen van Gelderen for the OO database he designed and built for Webfunds. Using that was a lesson in how much of a delight it was to be OO all the way down to the disk-byte.

The War on Drugs moves to endgame: the War on US Americans

The decision to conduct a war on drugs was inevitably a decision to hollow-out Mexico. The notion of hollowing-out states is a time-honoured tradition in the Great Game, the way you control remote and wild places. The essential strategy is that you remove the institutions that keep places strong and stable, and bring them to a chaos which then keeps the countries fighting each other.

While they fight each other they are easier to control and extract value from. This is the favourite conspiracy theory behind the middle east and the famous Kissinger Deal: The Sheiks are propped up and given control of weak states as long as they trade their oil in dollars, and use the money to buy American goods. Of course we only speculate these details, and sometimes things look a little loose.

There are weaknesses in the strategy. Obviously, we are playing with fire when hollowing out a state ... so this is quite a lot of danger to the nearby states. (Which of course leads to the next part of the strategy, to play fire against fire and undermine an entire region.)

Which brings us to the War on Drugs and the decision to place Mexico into the role of hollowed-out state. John Robb points to this article:

Beheadings and amputations. Iraqi-style brutality, bribery, extortion, kidnapping, and murder. More than 7,200 dead-almost double last year's tally-in shoot-outs between federales and often better-armed drug cartels. This is modern Mexico, whose president, Felipe Calderón, has been struggling since 2006 to wrest his country from the grip of four powerful cartels and their estimated 100,000 foot soldiers.

So, quite obviously if one understands the strategy, don't do this nearby. Do it far away. Reagan's famous decision to do this must have been taken on one his less memorable days ... no matter how the decision was taken on Mexico, now Reagan's chickens have cross the border to roost in mainland USA:

But chillingly, there are signs that one of the worst features of Mexico's war on drugs - law enforcement officials on the take from drug lords - is becoming an American problem as well. Most press accounts focus on the drug-related violence that has migrated north into the United States. Far less widely reported is the infiltration and corruption of American law enforcement, according to Robert Killebrew, a retired U.S. Army colonel and senior fellow at the Washington-based Center for a New American Security. "This is a national security problem that does not yet have a name," he wrote last fall in The National Strategy Forum Review. The drug lords, he tells me, are seeking to "hollow out our institutions, just as they have in Mexico."

Quite what is going on in these people's minds is unclear to me. The notion that it "has no name" is weird: it's the standard strategy with the standard caveat. They overdid the prescription, now the disease bounces back stronger, more immune, with a vengeance! Further, I don't actually think it is possible to ascribe this as a deliberate plot by the Mexican drug lords, because it is already present in the USA:

Experts disagree about how deep this rot runs. Some try to downplay the phenomenon, dismissing the law enforcement officials who have succumbed to bribes or intimidation from the drug cartels as a few bad apples. Peter Nuñez, a former U.S. attorney who lectures at the University of San Diego, says he does not believe that there has been a noticeable surge of cartel-related corruption along the border, partly because the FBI, which has been historically less corrupt than its state and local counterparts, has significantly ratcheted up its presence there. "It's harder to be as corrupt today as locals were in the 1970s, when there wasn't a federal agent around for hundreds of miles," he says.

But Jason Ackleson, an associate professor of government at New Mexico State University, disagrees. "U.S. Customs and Border Protection is very alert to the problem," he tells me. "Their internal investigations caseload is going up, and there are other cases that are not being publicized." While corruption is not widespread, "if you increase the overall number of law enforcement officers as dramatically as we have| - from 9,000 border agents and inspectors prior to 9/11 to a planned 20,000 by the end of 2009 - "you increase the possibility of corruption due to the larger number of people exposed to it and tempted by it." Note, too, that Drug Enforcement Agency data suggest that Mexican cartels are operating in at least 230 American cities.

By that I mean, the drug situation has already corrupted large parts of the USA governance structure. I've personally heard of corruption stories in banks, politics, police and as far up the pecking order as FINCEN, intel agencies and other powerful agencies. As an outside observer it looks to me like they've made their peace with the drugs a long time ago, heaven knows what it looks like to a real insider.

So I see a certain sense of hubris in these writings. This feels to me that the professional journalist did not want to talk about the corruption that has always been there (e.g., how else did the stuff get distributed before?). What seems to be happening is that now that Mexico is labelled in the serious press (*) as hollowed-out, it has become easier to talk about the problem in mainstreet USA because we can cognitively blame the Mexicans. Indeed, the title of the piece is The Mexicanization of American Law Enforcement:

And David Shirk, director of the San Diego-based Trans-Border Institute and a political scientist at the University of San Diego, says that recent years have seen an "alarming" increase in the number of Department of Homeland Security personnel being investigated for possible corruption. "The number of cases filed against DHS agents in recent years is in the hundreds," says Shirk. "And that, obviously, is a potentially huge problem." An August 2009 investigation by the Associated Press supports his assessment. Based on records obtained under the Freedom of Information Act, court records, and interviews with sentenced agents, the AP concluded that more than 80 federal, state, and local border-control officials had been convicted of corruption-related crimes since 2007, soon after President Calderón launched his war on the cartels. Over the previous ten months, the AP data showed, 20 Customs and Border Protection agents alone had been charged with a corruption-related crime. If that pace continued, the reporters concluded, "the organization will set a new record for in-house corruption."

Well, whatever it takes. If the US-Americans have to blame the Mexican-Americans in order to focus on the real problems, that might be the cost of getting to the real solution: the end of Prohibition. Last word to Hayden, no stranger to hubris:

Michael Hayden, director of the Central Intelligence Agency under President George W. Bush, called the prospect of a narco-state in Mexico one of the gravest threats to American national security, second only to al-Qaida and on par with a nuclear-armed Iran. But the threat to American law enforcement is still often underestimated, say Christesen and other law enforcement officials.

* Mind you, I do not see how they are going to blame the Mexicans for the hollowing-out of the mainstream press. Perhaps the Canadians?

Gold bullion market set to implode?

I don't normally follow the gold talk because on the one hand it is the goldbugs saying "gold is set to explode" and on the other is a bunch of bankers that insult the noble metal, while on the backside buying & selling it short, naked and happy as fast as they can. That is, the story never changes.

Which in some senses is good. There has always been an expectation that gold would survive. So far nothing has changed to keep that expectation solid, with gold at $1000 an ounce, up from around $250 8 or 9 years ago.

But there is another aspect beyond the price: the market itself. As it happens, this is founded on a thing called "good delivery" bars run by LBMA (London Bullion Market Association), London being the center of the physical gold trading world. This is a good efficient and simple system which works like this: once your gold is "in" the LBMA good delivery programme, you can reliably ship it to any one of the vaults that are in, and sell it within. Deliver it out of LBMA-territory, and your gold loses its status. To put it in, it has to be tested, at some cost.

So, most of the physical retail gold that is traded (in bars) is inside the LBMA system. It's just easier to buy and sell when someone guarantees it. Which brings me to the point: Obviously, the guarantee can be wrong.

About 10 years ago the debate of unreliable LBMA bars erupted in the digital gold community, and we discovered at that time that the gold is not routinely checked in any way once it is in the system (not this). At all! I predicted then that this would mean the gold would slowly lose its integrity, as insiders raided it sliver-by-sliver, over the many many decades of its operation. It looks like I was right, from this post that JPM sent:

C) In an Asian depository, they've found "Good Delivery" bricks that had been gutted and filled with tungsten.

And predictably, the writer goes on to report "B) A number of large interests have demanded audits of gold stored in London."

If you hold gold in the LBMA system, be worried. If you are an issuer of digital gold be very worried. Why? Because it looks like the gold markets are about to be tested. Not in price terms but in delivery terms. To summarise the long anti-markets rant by "marketskeptics" (a.k.a. Eric deCarbonnel):

• Indians are shifting from buying gold jewellry to gold coins.
• China now actively promotes selling and holding of physical gold. That's the government, and every bank!
• Hong Kong and Dubai are pulling their physical gold out of London. German and Swiss investors and funds, likewise, and also demanding delivery out of the USA.
• There is now an overall trend to take physical delivery from metals facilities (vaults, exchanges, etc).
• Which has resulted in a rash of complaints ... which quickly become fingers pointed at possible collapse: delays, "complications", wrong bars, wrong weights, "restrictions", costs blossoming, etc.
• New York and Tokyo commodity exchanges are now permitting their gold futures contracts to be settled not in real metal but in shares of gold exchange-traded funds (ETFs)... NYSE-Liffe arbitrarily switched delivery of 1kg bars to ... notes on 1/3 interests in 100 ounce bars. If you can get three notes, you can take a 100 ounce!
• irregularities in bar amounts have surfaced at different places (e.g., Canadian Mint)
• Deutsche Bank may have recently closed out a gold shortage by buying it from the ECB and delivering it. Apparently, to the tune of 35.5 tons of gold, in one day! 12 days earlier someone shorted the same amount...
• gold banks (those big in the trade) are offering 25% over spot to settle in anything but physical gold.

Have we got the message that physical gold now counts? If so, then one could wonder why open interest in gold trading on COMEX has since exploded? From August this year, it's jumped from a stable 1000-1100 tons band to around 1450. That's 40% up in a virtually traded commodity that is increasingly being demanded to convert to physical delivery! And, according to their reserves, it cannot be delivered: COMEX only holds 250t.

I wouldn't rule out a run on COMEX, and if so, it will likely collapse. That's because its reserves are a fraction of the open interest, so it looks highly vulnerable to being squeezed by the open traders (the "shorts") on one hand and the retail demands for physical delivery. Why won't the former deliver? Because for the most part they haven't got it; a short sale is generally a promise to acquire it when needed. In trading parlance, a lot more of the shorts are "naked shorts" which means they rely on a falling market (it's supposed to be illegal to be naked in a public trading, but a lot of markets look more like a nudist convention than a church meeting).

And we have a rising demand for physical, and a rising price in gold. So the squeeze happens this way: first the COMEX warehouse gets cleaned out. Then COMEX puts the squeeze on the short sellers to deliver their promise. Gold, physical, now. Which shorts then suddenly fold their cards, reveal their nakedness and declare mea culpa, I'm a nudist, so chase me. At some point, when enough of this goes on and is reported, the whole pyramid of cards collapses.

What's the likelihood of this happening? I feel it is being tested at the moment. It will probably take a rash of more bad financial news to make it happen, faster than we can react. E.g., a couple of months of CITs or European unemployment figures. But it is possible, because the gold markets have not been divorced from the decades of corruption that brought down the other markets. More likely we will see a gradual shift out of COMEX, out of London and across to other gold exchanges; preferably ones outside the western/toxic asset belt, and ones that can more easily prove their reserves. Meanwhile, those who hang on will lose value. Someone has to pay for the frauds of the past.

It's definitely not easy to predict when something will happen. But it is possible to point to fundamental and powerful contradictory forces. And that's the situation right now with the markets in gold, if that post is reliable (it might not be, it's from a goldbug, after all!). I would suggest that if people want to speculate in the gold of any form right now, hold physical only. The rest is ... too uncertain in value. That's beyond speculation, that's gambling, only do that if you really enjoy the thrill of losing bar-worths of value.

(Note: one thing I loosely follow is goldmoney's blogs and posts from founder James Turk. He's just announced that Turk's long-running newsletter is now migrated online only, and for free.)