Financial Cryptography
https://financialcryptography.com/
Where the crypto rubber meets the Road of Finance...
Language: en-us. Last build: 2009-07-03T12:34:47-05:00

China regulates virtual money
https://financialcryptography.com/mt/archives/001172.html
Jim points to "China bans online 'gold farming'" by Dave Rosenberg:

    China has unveiled the first official rule on the use of virtual currency in the trade of real goods and services to limit possible impact on the real financial system. The Chinese government also spelled out the definition of "virtual currency" for the first time, which includes prepaid cards of cybergames, according to a joint announcement from the Ministry of Culture and the Ministry of Commerce Friday. It said:

    The virtual currency, which is converted into real money at a certain exchange rate, will only be allowed to trade in virtual goods and services provided by its issuer, not real goods and services.

So effectively, the virtual currency is locked into one obvious thing, one scope, that we all feel good about. It is such a feeling of déjà vu that I feel I have to write about it.

In the early 1990s there was a phenomenon called digital cash that rode a wave of hype. Superficially it surrounded the DigiCash company and invention in the Netherlands, but it was also driven by the European smartcard invention. In response to the normal and baseless FUD, the Bundesbank (central bank of Germany) decided that digital cash in all its forms must be banned for all except banks. The reasons for this I won't go into at the moment.

So, the Bundesbank led a project to create a Directive (European super-law) to reserve all issuance of money to the banks. It created a sort of exception that said "if you look like a bank, smell like a bank and taste like a bank, then you can be a money issuer." Nobody much was fooled. Digital money took off in the Americas and other places, where either the powers-that-be understood and left well alone, or they didn't notice, and ignored it.

Later on came the cleanup effort. After a decade of waiting, the Europeans realised they'd been tricked. So they rewrote the directive to be much friendlier, in 2000. It still wasn't enough, because they still thought they knew how to do this, and they still thought that banks had a reasonable case. Now, in 2008, they've just released another directive that significantly opens it up, and allows full virtual money to be issued by a non-bank. It's still tight, far too tight for innovation. But there are clear signs in there that they no longer believe this should be banking, and we can probably predict that by the time the 2015 directive is released, it will be workable.

Now here comes China, around 15 years behind the Europeans:

    The ban is primarily aimed at "gold farming," an Internet-age phenomenon in which players in less developed countries collect and sell virtual gold (common to games like World of Warcraft) to wealthier gamers in the developed world. This enables gamers who have the means to buy virtual gold to get ahead in the games without actually having to accomplish the grunt work.

One assumes that China is not regulating games at all; it would be beyond stupidity for China to say what is fair and what is not in a game. Clearly, this is about getting control of the virtual money market for economic and competition reasons. Likely it is the same old problem: the banks don't like it, and take their FUD to the central bank. But the banks won't play in it, so a devil's choice is given to the central bank: either you back us and get rid of our competition, or our competition is likely to undermine our control of payment systems. Which means that banks will be undermined, and although we just got through a global crisis brought on by those same banks, nobody much is thinking of a world in which banks are no longer the power.

    The trading of virtual currency for real cash generates between $200 million and $1 billion annually, according to a 2008 survey conducted by Richard Heeks at the University of Manchester.

Not a huge market, but consider that every one of those fees represents a vote to take a payment away from a bank, a vote for freedom of trade. The unfortunate part of this is that any regulation against virtual money will take the virtual money away from the people. Which means that the people are being taxed to preserve the old banking infrastructure.

This is why the European Commission is slowly realising that virtual money isn't the problem, banking is. And that the solution is found in how to shift the banks, not in how to protect them. Virtual money is part of the solution, not the problem.

China may be a bit newer to this power game. OK, but in another way, it is a long way ahead of the Europeans. Although it is now making the same 1994 mistake that the EC made, it is making it in 2009, *after* the market took off. China's got a market that it can regulate to death, if it so chooses. In contrast, the EC has a bunch of corpses that it killed with regulation-at-birth, and now it's trying to resuscitate them with more of the same. I know which one I'd pick if I were a state planner.

Well, it's an old story, it just happened to be more interesting because I'm reading the new 2008 directive on virtual money, payment systems providers, etc., right now. I'll leave you with this typical western hypocrisy:

    The average user will only partially care about this ban. They might be disappointed that they can't buy their way to higher status, but I assume that Tencent and other popular sites will figure out a way to do in-game trades and that eventually the farmers will figure out how to bypass the restrictions. The ban may scare off smaller shops, but the sophisticated organizations will continue on the same path. It reminds me of Japanese pachinko parlors where you can only win tokens (wink, wink) that you take next door for actual cash.

    While I'm not convinced that gold farming is good or bad, there is a very persuasive argument that it's driving economic development in China, and that anything that perpetuates economic stimulus is a good thing.

Rich people playing games will pay more for getting up in the game! Shocking! Poor people will work to provide them the ability to play at a higher level. Exploitation! Why is it that the world's comfortable elite always bemoan apparent unfairness, and at the same time, are so quick to cut the poor people out of an honest job?

Category: Value. Posted by iang, 2009-07-03T12:34:47-05:00.

Cost of your PC
https://financialcryptography.com/mt/archives/001170.html
Some prices on how much it costs to rent your PC, if infected:

    Prices vary greatly. Finjan said in Australia 1,000 infections have been sold for $100, while the same number can be picked up for as little as $5 in other countries, but mainly in the Far East.

Although it doesn't say it, your PC is for rent in batches only if it is a Windows machine. Apple Macs are a bit tougher, although their market share must one day get to the point where they justify more attention:

    As TrendLabs' technical communications specialist Det Caraig points out in his research note on the attacks, Apple users are still far less likely to have their endpoints owned than their Microsoft Windows-using peers. However, as proven over the last year in particular, Apple's growing PC market share has driven a subsequent upswell in the numbers of threats being created to target its OS.

That day may be here soon. Note that the two threats mentioned above are based on the user downloading and installing dodgy software. That's generally considered not to be something that Apple or Microsoft can protect a user against. A market-share comment only, not a security-share comment. Fans for either camp will twist the words whichever way. For my money, the #1 security tip -- buy a Mac -- is still intact.

Category: Identity Cost. Posted by iang, 2009-06-21T06:14:42-05:00.

Bullion and Bandits: The Rise and Fall of Another Visionary
https://financialcryptography.com/mt/archives/001169.html
Lynn and RAH point to an article on the sad decline of e-gold, which I was involved with in some sense back in the period 1998 to 2000. Bullion and Bandits: The Improbable Rise and Fall of E-Gold:

    Following his story, the picture that emerges of Jackson is not a portrait of a calculating criminal. Rather it is one of a naive visionary who thought his dream was bigger than any financial regulations, who got in over his head, and who finally struggled, too late, to make up for his missteps.

    “There was no indication at all that anyone had a problem with what he was doing,” says Richard Timberlake, a former economics professor at the University of Georgia and author of several books on U.S. banking. Timberlake visited Jackson at his E-Gold office in 1997 and vouches for Jackson’s innocent intentions. “He was always very honest and very forthright in what he was trying to do as a business. Even the Federal Reserve believed it was legitimate.”

Well, in 1997, and indeed up until the end of 1999, it was indeed easy to believe that all was good. As we entered 2000, the signs started popping up, and by the middle of that year, they were everywhere. It was this inability to deal with the changing makeup of the business, while always standing firm to the 1997 business model, that sowed the seeds of disaster.

It is possible to say, "naive visionary." It's also necessary to say, "responsible director." Which is, at its core, the Founder's paradox: we need that Founder to get us this far, pass the unbeatable odds, beat the regs, bash the naysayers. Then, when he's done his job, how do we ease him aside to start running the business, as a business, and not as a mission from God?

    As Jackson envisioned it, E-Gold was a private, international currency that would circulate independent of government controls, and stand impervious to the market’s highs and lows. Brimming with evangelical enthusiasm, Jackson proclaimed it a cure for the modern monetary system’s ills and described it at one point as “an epochal change in human destiny” and “probably the greatest benefit to humanity that’s ever been thought of.”...

    Over the next few years, Jackson drained his retirement accounts, sold his medical practice and charged credit cards to raise more than $1 million to nurture the fledgling venture. Cynics might have considered him just another internet hustler looking to strike it rich, but those who knew him say he was a true believer. “He truly thinks that having a gold-backed currency is what’s needed in the world,” says James Clement, a libertarian attorney who met Jackson in 2003. “I don’t think anyone would have stuck with it … other than that he thinks it’s extremely important and somebody has to do this.”

Something like that. We stuck with him (and really, many many of us committed a great deal to the community!) because it was a truly great idea, and he'd done the hard work to get it off the ground. We left when it became clear that Jackson's visionary focus was going to take e-gold to disaster.

    Jackson, who’d hocked his future to start E-Gold, now faced the potential of a federal prison term. He was frustrated and confused. “It never crossed my mind that anyone could seriously want people like us in prison,” he says. “But I guess my bigger fear was that we would go bankrupt, and there would be a train wreck of people that had trusted value to us who couldn’t get their money.”

The worst part about it is that we were right, he was wrong, and the world lost the benefit of his great, original vision. The financial innovations that came out of the 1990s were extraordinary, and e-gold was one of them. Now they are all confined to the history books, perhaps with little footnotes such as "with this, the financial crisis might have been averted." Oh well. Learning is not humanity's strong suit.

Category: Governance. Posted by iang, 2009-06-11T10:27:05-05:00.

another implausible reason to steal from iTunes?
https://financialcryptography.com/mt/archives/001168.html
I haven't been blogging much, because for the most part there isn't much that is new to say. I generally blog for my own reasons, like getting complex thoughts into a cohesive written form, as a discipline in reducing the crud. But sometimes the yearning comes back. Here's a funny one about iTunes:

    Gang arrested for buying own music online with stolen cards

    UK police have arrested nine people accused of using stolen credit cards to buy music they made themselves from iTunes and Amazon, fraudulently netting around $300,000 in royalties.

    The gang is accused of creating several songs before using an online US company to upload them to Amazon and iTunes for sale. Between September 2008 and January 2009 the group allegedly used around 1500 stolen or cloned British and American credit cards to buy $750,000 worth of songs. Apple and Amazon, who at the time were unaware of the plot against them, paid royalties totalling $300,000 out on the sales.

OK, that's funny. At first blush it looks like a good way to launder the funds from stolen credit cards. The problem of course is that it leads back to the perpetrators, in a very strange and "sore thumb" way. When all these stolen credit cards start showing a high iTunes pattern, the logic is pretty easy to follow. Does a crook need to buy a song on iTunes? No, a crook has easier ways, like cracking it or downloading it from any of a dozen open sites. So they don't want the song ... so follow the money. Which is easy to do with a bit of datamining software: the royalties on all those fraudulent purchases flow to the same few accounts.

With slightly more thought, then, this reveals a rather stupid bunch of crooks. What do we do when we catch a rather stupid bunch of crooks? Not much, because they will eliminate themselves one day or other through something else. Therefore this is nothing more than a funny story.

Category: Pennies. Posted by iang, 2009-06-11T10:15:14-05:00.

Auditor(s) to be held to account? - CardSystems and Savvis
https://financialcryptography.com/mt/archives/001167.html
Duane points to a Wired report that Savvis has been sued (also Slashdot, 1, 2). Savvis was the auditor of the ill-fated payments operator CardSystems, which was breached heavily, lost huge amounts of personal data, and went bankrupt.

This is significant. The audit business has invaded the IT field, now dominating the quality aspects with a stamp of approval over security and governance of all forms. I'm in one myself (at least today, not sure about tomorrow). The way it works is that we check the systems according to some metrics like criteria, management's disclosures, and other things that are called variously best practices (worst case) or common sense (better) or core competences (best case). Then we write up an opinion. Then others attempt to use that opinion in some sense or other:

    When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor’s report. In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.

The problem arises when something goes wrong -- see last week's post on the inverted pyramid. Is the auditor responsible for failure, and how much? The issue is murky, and here are two extremes.

One view has it that the auditor's opinion is relied upon by others and that this is a fiduciary responsibility before the courts, deriving from the history and tradition of financial audits. These latter hold a privileged place in the legal system; others can rely on audits over financial statements, and they can sue the auditor if there were issues. This then applies to systems audits.

A completely contrary view is that the auditor provides a useful service for whoever asks for it, and writes a limited opinion to that person. Others rely at their peril. The opinion is written in internal language, with limitations of liability, over a snapshot of time, and would not be a sound basis for reliance. The tests are closely guarded secrets, the interpretations are interesting but not revealed, and there is absolutely no indication in the process that it is oriented to the needs of the public. That is, an audit is worth practically nothing to any outsider (and insiders don't need it because they can see what's there themselves).

My view is explored in the "Audit" series of essays (1, 2, 3). However the ultimate call may come before the judge, and whichever way it goes, I suggest it is bad news for the audit business.

    “We’re at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it,” says Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania’s Wharton School who specializes in information security issues. “For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits.”

If the court rules that the auditor can be sued, and did wrong ... then the results will ripple through the field. Auditors will reach further into their bag of tricks to cover their backs, which will make audits more difficult to rely upon. This can be seen as an economic result, because likely the court's adverse ruling will break the firm that is doing the audit. No other audit firm will like that scenario of a random bankruptcy event, and we even have the data point to show it: walk the line from Arthur Andersen to Sarbanes-Oxley to the global financial crisis.

In contrast, if the court rules that the audit cannot be relied upon, then it is game over. Once a court rules that the process is not to be relied upon, then relying parties don't need it. The audit business collapses.

Maybe we need to change jobs before the exodus...

Category: Governance. Posted by iang, 2009-06-04T07:13:00-05:00.

Have the accountants sold out?
https://financialcryptography.com/mt/archives/001166.html
Gunnar points to an interview that echoes my "Audit" series (1, 2, 3). This time from Charlie Munger:

    Grundfest: As we look at the current situation, how much of the responsibility would you lay at the feet of the accounting profession?

    Munger: I would argue that a majority of the horrors we face would not have happened if the accounting profession developed and enforced better accounting. They are way too liberal in providing the kind of accounting the financial promoters want. They’ve sold out, and they do not even realize that they’ve sold out.

    Grundfest: Would you give an example of a particular accounting practice you Find problematic?

    Munger: Take derivative trading with mark-to-market accounting, which degenerates into mark-to-model. Two firms make a big derivative trade and the accountants on both sides show a large profit from the same trade.

    Grundfest: And they can’t both be right. But both of them are following the rules.

    Munger: Yes, and nobody is even bothered by the folly. It violates the most elemental principles of common sense. And the reasons they do it are: (1) there’s a demand for it from the financial promoters, (2) fixing the system is hard work, and (3) they are afraid that a sensible fix might create new responsibilities that cause new litigation risks for accountants.

Yeah, I just copied Gunnar's post (including the crazy "Fi" HTML artifact!). Except this bit:

    This situation is very comparable to what happens when auditors interview infosec. Auditor asks: do you have a firewall? Infosec says yes. Check. It's too bad, but assumptions of yesteryear lead to building things on shaky foundations.

The full interview is worth reading!

Category: Governance. Posted by iang, 2009-05-28T08:07:17-05:00.

The Inverted Pyramid of Identity
https://financialcryptography.com/mt/archives/001165.html
Let's talk about why we want Identity. There appear to be two popular reasons why Identity is useful. One is as a handle for the customer experience, so that our dear user can return day after day and maintain her context. The other is as a vector of punishment. If something goes wrong, we can punish our user, no longer dear.

It's a sad indictment of security, but it does seem as if the state of the security nation is that we cannot design, build and roll out secure and safe systems. Abuse is likely, even certain, sometimes relished: it is almost a business requirement for a system of value to prove itself by having the value stolen. Following the inevitable security disaster, the business strategy switches smoothly to seeking whom to blame, dumping the liability and covering up the dirt.

Users have a very different perspective. Users are well aware of the upsides and downsides; they know well: Identity is for good and for bad. Indeed, one of the persistent fears of users is that an identity system will be used to hurt them. Steal their soul, breach their privacy, hold them to unreasonable terms, ultimately hunt them down and hurt them: these are some of the thoughts that invasive systems bring to the mind of our dear user. This is the bad side of identity: the individual and the system are "in dispute," it's man against the machine, Jane against Justice.

Unlike the use case of "identity-as-a-handle," which seems to be relatively well developed in theory and documentation, the "identity-as-punishment" metaphor seems woefully inadequate. It is little talked about; it is the domain of lawyers and investigators, police and journalists. It's not the domain of technologists. Outside the odd and forgettable area of law, disputes are a non-subject, and not covered at all where I believe they are required the most: marketing, design, systems building, customer relations, cost analysis. Indeed, disputes are taboo for any business. Yet, this is unsustainable.

I like to think of good Internet (or similar) systems as an inverted pyramid. On the top, the mesa, is the place where users build their value. It needs to be flat and stable. Efficient, and able to expand horizontally without costs. Hopefully it won't shift around a lot.

Dig slightly down, and we find the dirty business of user support. Here, the business faces the death of a thousand tiny support cuts. Each trivial, cheap and ignorable, except in the aggregate. Below them, deeper down, are the 100 interesting support issues. Deeper still, the 10 or so really serious red alerts. Of which one becomes a real dispute.

The robustness of the pyramid is based on the relationship between the dispute at the bottom, the support activity in the middle, and the top, as it expands horizontally for business and for profit. Your growth potential is teetering on this one thing: the dispute at the apex of the pyramid. And, if you are interested in privacy, this is the front line, for a perverse reason: this is where it is most lost. Support and full-blown disputes are the front line of privacy and security. Events in this area are destroyers of trust, they are the bane of marketing, the nightmare of PR.

Which brings up some interesting questions. If support is such a destroyer of trust, why is it an afterthought in so many systems? If the dispute is such a business disaster, why is resolution not covered at all? Or hidden, taboo? Or, why do businesses think that their dispute resolution process starts with their customers' identity handles? And ends with the lawyers?

Here's a thought: if badly-handled support and dispute events are leaks of privacy, destroyers of trust, maybe well-handled events are builders of trust? Preservers of privacy? If that is plausible, if it is possible that good support and good dispute handling build good trust ... maybe a business objective is to shift the process: support designed up front, disputes surfaced, all of it open?

A mature and trusted provider might say: we love our disputes, we promote them. Come one, come all. That's how we show we care! An immature and untrusted provider will say: we have no disputes, we don't need them. We ask you the user to believe in our promise.

The principle that the business hums along on top of an inverted pyramid, that rests ultimately on a small, powerful but brittle apex, is likely to cause some scratching of technophilic heads. So let me close the circle, and bring it back to the Identity topic.

If you do this, if you design the dispute mechanism as a fully cross-discipline business process for the benefit of all, not only will trust go positive and privacy become aligned, you will get an extra bonus. A carefully constructed dispute resolution method frees up the identity system, as the latter no longer has to do double duty as the user handle *and* the facade of punishment. Your identity system can simply concentrate on the user's experience. The dark clouds of fear disappear, and the technology has a chance to work how the techies said it would.

We can pretty much de-link the entire identity-as-handles concept from the identity-as-punishment concept. Doing that removes the fear from the user's mind, because she can now analyse the dispute mechanism on its merits. It also means that the Identity system can be written only for its technical and usability merits, something that we always wanted to do but never could, quite.

(This is the rough transcript of a talk I gave at the Identity & Privacy conference in London a couple of weeks ago.)

Category: Governance. Posted by iang, 2009-05-25T15:45:40-05:00.

How to succeed in Security
https://financialcryptography.com/mt/archives/001164.html
Adam asks:

    So I'm getting ready to head over to RSA, and I'm curious. If you believe that "security is about outcomes, not about process," what outcomes do you want from RSA? How will you judge if the conference was worthwhile?

Many have commented that the world's premier security event is a worthless event from the point of view of security. So what's the point?

An event is successful if you increase your marketing capabilities. Obviously, RSA does, and for this reason it is totally successful, for them. What about you?

Security as a business is mostly about marketing; whether it be via books, blogs, personal contacts, conferences, or whatever. Quite why this is requires a deeper thrust into the economics of asymmetric or imperfect information markets: in a market where neither the seller nor the buyer knows what is to be done, only signals are available as tools (cf. silver bullets), and signals are the domain of marketing, not engineering. Hence the rise of marketing -- perception -- as the key factor in success in the security business.

A conference is a good thing; if you can get enough people to go year after year, then it is presumably a signal of something. Which feeds the whole process; it generates a feedback loop that is at least self-sustaining. But in a crowded market for signals, one signal isn't enough. Hence, there is a tendency to pursue a range of signals. So far we've got: the blog, the book, the conference, the RFC, the job, the protocol, the project, the network, the paper, the award, the article, the government contract, the patent, the algorithm, the ...

Any serious practitioner of security can pull together one of those (as an assumption). I can, you can too, if you are reading this. But, can you bring together 4 or 5? That's the battle, and in that battle, it becomes a simple marketing game of proving that you are more single-minded, more productive, and more strategic than the competition, and can drown out their signals with yours. (Hence, I am not posting that much these days... I simply haven't the time, because I'm concentrating on another signal :)

The winner of this game is the one who generates enough resources to then feed those resources back into building the base of signals. Thus, a positive feedback loop in signals. And so, we see the tendency is for the biggest player to win, because more resources means more signals. Hence, RSA plus the conference. And so, security takes on more of an aspect like classical markets such as soap powder or breakfast cereals. The commodity product underneath is not important; the structure of the industry and the ability of the major players to build barriers to entry against newcomers becomes the battleground.

OK, that was all theory. What's the bottom line? If you want to win at security, study marketing.

Category: Conferences and Publications. Posted by iang, 2009-04-26T11:04:49-05:00.

The Exquisite Torture of Best Practices
https://financialcryptography.com/mt/archives/001163.html
Best practices has always seemed to be a flaky idea, and it took me a long time to unravel why, at least in my view. It is that, if you adopt best practices, you are accepting, and proving, that you yourself are not competent in this area. In effect, you have no better strategy than to adopt whatever other people say. The "competences" theory would have it that you adopt best practices in security if you are an online gardening shop, because your competences lie in the field of delivering gardening tools, plants and green thumbs advice. Not in security, and gosh, if someone steals a thousand plants then perhaps we should also throw in the shovel and some carbon credits to ease them into a productive life... On the other hand, if you are dealing with, say, money, best practices in security is not good enough. You have entered a security field, not through fault of your own but because crooks really do always want to steal it. So your ability in defending against that must be elevated, above and beyond the level of "best practices," above and beyond the ordinary. In the language of core competences, you must develop a competence in security. Now, Adam comes along and offers an alternate perspective: Best practices are ideas which make intuitive sense: don't write down your passwords. Make backups. Educate your users. Shoot the guy in the kneecap and he'll tell you what you need to know. I guess it is true that best practices do make some form of intuitive sense, as otherwise they are too hard to propogate. More importantly: The trouble is that none of these are subjected to testing. No one bothers to design experiments to see if users who write down their passwords get broken into more than those who don't. No one tests to see if user education works. (I did, once, and stopped advocating user education. Unfortunately, the tests were done under NDA.) 
The other trouble is that once people get the idea that some idea is a best practice, they stop thinking about it critically. It might be because of the authority instinct that Milgram showed, or because they've invested effort and prestige in their solution, or because they believe the idea should work. What Adam suggests is that best practices survive far longer than is useful, because they have no feedback loop. Best practices are not tested, so they are a belief, not a practice. Once a belief takes hold, we are into a downward spiral (as described in the Silver Bullets paper, which itself simply applies the full _asymmetric literature_ to security) which at its core is due to the lack of a confirming test in the system that nudges the belief to keep pace with the times; if there is nothing that nudges the idea towards relevancy, it meanders by itself away from relevancy and eventually to wrongness. But it is still a belief, so we still do it and smile wisely when others repeat it. For example, best practices has it that you don't write your passwords down. But, in the security field, we all agree now that this is wrong. "Best" is now bad, you are strongly encouraged to write your passwords down. Why do we call the bad idea, "best practices" ? Because there is nothing in the system of best practices that changes it to cope with the way we work today. The next time someone suggests something because it's a best practice, ask yourself: is this going to work? Will it be worth the cost? I would say -- using my reading of asymmetric goods and with a nod to the systems theory of feedback loops, as espoused by Boyd -- that the next time someone suggests that you use it because it is a best practice, you should ask yourself: Do I need to be competent in this field? If you sell seeds and shovels, don't be competent in online security. Outsource that, and instead think about soil acidity, worms, viruses and other natural phenomena. 
If you are in online banking, be competent in security. Don't outsource that, and don't lower yourself to the level of best practices. Understand the practices, and test them. Modify them and be ready to junk them. Don't rest on belief, and dismiss others' attempts to have you conform to a belief they themselves hold but cannot explain.

(Then, because you are competent in the field, your very next question is easy. What exactly was the genesis of the "don't write passwords down" belief? Back in the dim dark mainframe days, we had one account and the threat was someone reading the post-it note on the side of the monitor. Now we each have hundreds of accounts and passwords, and the desire to avoid dictionary attacks forces each password to be unmemorable. The threat has shifted from the person at the next desk to the remote guessing attack, and a password strong against the latter cannot be held in the head in the quantities now required. For those with the competence, again to use the language of core competences, the rest follows. "Write your passwords down, dear user.")

Economics | iang | 2009-04-03T05:19:28-05:00

Are the "brightest minds in finance" finally onto something?
https://financialcryptography.com/mt/archives/001162.html
[Lynn writes somewhere else, copied without shame:]

A repeated theme in the Madoff hearing (by the person trying for a decade to get the SEC to do something about Madoff) was that while new legislation and regulation was required, it was much more important to have transparency and visibility; crooks are inventive and will always be ahead of regulation.

however ... from The Quiet Coup:

But there's a deeper and more disturbing similarity: elite business interests -- financiers, in the case of the U.S. -- played a central role in creating the crisis, making ever-larger gambles, with the implicit backing of the government, until the inevitable collapse. More alarming, they are now using their influence to prevent precisely the sorts of reforms that are needed, and fast, to pull the economy out of its nosedive. The government seems helpless, or unwilling, to act against them.

From The DNA of Corruption:

While the scale of venality of Wall Street dwarfs that of the Pentagon's, I submit that many of the central qualities shaping America's Defense Meltdown (an important new book with this title, also written by insiders, can be found here) can be found in Simon Johnson's exegesis of America's even more profound Financial Meltdown.

... and related to the above, Mark-to-Market Lobby Buoys Bank Profits 20% as FASB May Say Yes:

Officials at Norwalk, Connecticut-based FASB were under "tremendous pressure" and "more or less eviscerated mark-to-market accounting," said Robert Willens, a former managing director at Lehman Brothers Holdings Inc. who runs his own tax and accounting advisory firm in New York. "I'd say there was a pretty close cause and effect."

From Now-needy FDIC collected little in premiums:

The federal agency that insures bank deposits, which is asking for emergency powers to borrow up to $500 billion to take over failed banks, is facing a potential major shortfall in part because it collected no insurance premiums from most banks from 1996 to 2006.
with respect to taxes, there was a roundtable of "leading expert" economists last summer about the current economic mess. their solution was a "flat rate" tax. the justification was: it eliminates possibly the majority of current graft & corruption in washington that is related to the current tax code structure, lobbying and special interests; it picks up 3-5% productivity in GNP; the current 65,000 page tax code is reduced to 600 pages ... that frees up a huge amount of people-hrs in lost productivity involved in dealing directly with the tax code as well as lost productivity because of non-optimal business decisions. their bottom line was that it probably would only be temporary before the special interests reestablish the current pervasive atmosphere of graft & corruption. a semi-humorous comment was that a special interest that has lobbied against such a change has been Ireland ... supposedly because some number of US operations have been motivated to move to Ireland because of their much simpler business environment.

with respect to feedback processes ... I (Lynn) had done a lot with dynamic adaptive (feedback) control algorithms as an undergraduate in the 60s ... which was used in some products shipped in the 70s & 80s. In the early 80s, I had a chance to meet John Boyd and sponsor his briefings. I found quite a bit of affinity to John's OODA-loop concept (observe, orient, decide, act) that is now starting to be taught in some MBA programs.

iang | 2009-04-02T18:51:24-05:00

Conficker chooses Rivest!
https://financialcryptography.com/mt/archives/001160.html
Dani writes:

Here is an in-depth analysis of one of the (if not THE) most advanced malware currently in circulation. Please note the wide selection of defensive and offensive measures, including extensive use of strong cryptography.

we summarize the inner workings and practical implications of this latest malicious software application produced by the Conficker developers. In addition to the dual layers of packing and encryption used to protect A and B from reverse engineering, this latest variant also cloaks its newest code segments, along with its latest functionality, under a significant layer of code obfuscation to further hinder binary analysis.

Its choice of crypto suite is RSA4096, RC4, MD6 (all designed by Ron Rivest, as the authors note). A fascinating read for all interested in information security.

Software Engineering | iang | 2009-03-21T14:02:53-05:00

... and then granny loses her house!
https://financialcryptography.com/mt/archives/001159.html
A canonical question in cryptography was about how much money you could put over a digital signature, and a proposed attack would often end, "and then Granny loses her house!" It might be seen as a sort of reminder that the crypto only went so far, and needed to be backed by institutional support for a lot of things. And now comes Darren with news that Granny is losing her house, proverbially at least. In a somewhat imprecise article (written by a lawyer?) in the Times:

... The ingenuity of the heists carried out ranges from “selling” property they do not own to “buying” property at inflated valuations and making off with the difference. Critical to many of these scams is the use of stolen identities. According to many solicitors specialising in the field, the key context for the problem was the dash into deregulation and e-commerce earlier this decade. “There was a view throughout the profession that the abolition of documents of title and reliance upon electronic records would contribute to fraud. And so it has proved,” Samson says. “All this information is open to view through the internet so a fraudster can see exactly who owns a property, assume his or her identity and then sell it.” While this may sound absurd for owner-occupied homes, it is all too easy, for example, with vacant properties. “What’s more the rightful owner won’t even know that it has happened,” he adds.

So the basic fraud appears to be: find a property that is not cared for by its owner. Assume the owner's identity. Sell it. Or, mortgage it:

To put the hat on what seems a complete botch-up by lawmakers and regulators, the effect of the Land Registration Act 2002 was that the fraudulent purchasers are given a legal title to their “purchase”. “If the fraudster succeeds in having title registered in his name he can mortgage the property,” Samson says.
“The true owner may be able to have the transfer to the fraudster reversed by rectification but he will still take the property subject to the mortgage.”

Or buy it at an inflated valuation and make off with the difference!

Now, within that article, there is no shortage of solicitors saying "we told you so!" But the real systemic causes of this fraud will need more digging. We can guess what the first cause is: identity theft. That is, high levels of dependency on the fictitious notion of identity as a protector of security. Yes, that will always get you, and it will likely take another decade before the British populace lose their current faith in identity.

The second cause however is more subtle. As pointed out by Eliana Morandi in a 2007 article, "The role of the notary in real estate conveyancing," problems like that do not happen in continental Europe (see Digital Evidence and Electronic Signature Law Review, 2007). What's the difference? Whereas the English common law system requires each party to have independent representation, the continental system requires one party, the notary, to secure the entire deed for both the buyer and seller, and to take the full responsibility, so issues such as this are solved easily:

In cases where, for example, a lender whose mortgage is being paid off has no lawyer, the conveyancer may face claims for having not fully observed the Land Registry’s practice guide. And instead of the Land Registry paying compensation, it will look to the solicitors to reimburse the victims. Warren Gordon, of Olswang, who sits on the Law Society’s conveyancing and land law committee, protests that it is unrealistic to expect solicitors to do a comprehensive check on someone who is not their client. “It’s unfair to put all the risk on the solicitor, including asking him or her to sign off on the identity of someone he or she does not act for,” he says.
Meanwhile, Paul Marsh, president of the Law Society, points the finger instead at the bankers who are providing fraudsters with the funds to perpetrate their dodgy deals. “At the top end we see vast bonuses being paid to bankers at board level for what turn out to be disastrous investments, while at the grass roots local bankers are under pressure to make loans — to sell money — without even the most basic procedures in place to prevent fraud,” he says. “The banks are refusing to take responsibility for this because they know that they can pin it on the solicitors.”

The bottom line of course is which system is more efficient in the long run. The European notary may charge more money for the perfect transaction. If the English solicitors can undercut that price, and reduce the fraud such that the result is still better, it is a good deal. Which is it? The abstract to Morandi's article gives a clue:

The role of the notary in real estate conveyancing. Eliana Morandi sets out the role of the civil law notary in the context of real estate conveyancing, illustrating how more effective and less costly it is when undertaken by civil law notaries.

(Unfortunately my copy has conveyed itself into hiding.)

If fraud rises in Britain, we will need changes. Now, we've seen with the rise of identity fraud in the USA that there has been zero incentive for the players to change the way identity is used, so we can predict that the Brits will not change the registry practice. Also, the likelihood of the solicitors giving up their lucrative representational practice is pretty low. However the complicated notarial versus solicitorial versus identity versus registry war pans out in the long run, it seems that solicitors are going to have to bear increased responsibility to check the identity of their counterparty. Perhaps they should pop into the Identity and Privacy forum, 14th and 15th May, over in London's Charing Cross Hotel?
Probably a bargain if it saves them from granny's wrath.

Governance | iang | 2009-03-15T05:58:32-05:00

We don't fear no black swan!
https://financialcryptography.com/mt/archives/001158.html
Over on EC, Adam does a presentation on his new book, co-authored with Andrew Stewart. AFAICS, the basic message in the book is "security sucks, we better start again." Right, no argument there. Curiously, he's also experimenting with Twitter in the presentations as a "silent" form of interaction (more). It is rather poignant to mix Twitter and security, but I generally like these experiments. The grey hairs don't understand this new stuff, and they have to find out somehow. Somehow and sometime; the only question is whether we are the dinosaurs or the mammals.

Reading through the quotes (standard stuff) I came across this one, unattributed:

I was pretty dismissive of "Black Swan" hype. I stand by that, and don't think we should allow fear of a black swan out there somewhere to prevent us from studying white ones and generalizing about what we can see.

OK, we just saw the Black Swan over on the finance scene, where Wall Street is now turning into Rubble Alley. Why not on the net? Black swans are a name for those areas where our numbers are garbage and our formulas have an occasional tendency (say 1%) to blow up.

Here's why there are no black swans on the net, for my money: there is no unified approach to security. Indeed, there isn't much of anything of security. There are tiny fights by tiny schools, but these are unadopted by the majority. Although there are a million certs out there, they play no real part in the security models of the users. A million OpenPGP keys are used for collecting signatures, not for securing data. Although there are hundreds of millions of lines of security code out there, now including fresh new Vista!, they are mostly ignored or bypassed or turned off or any other of the many Kerckhoffsian modes of failure. The vast majority of the net is insecure. We ain't got no security, we don't fear no black swan. We're about as low as we can get.
If I look at the most successful security product of all time, Skype, it's showing around 10 million users right now. Facebook, MySpace, YouTube, Google, you name them, they *all* do an order of magnitude better than Skype's ugly duckling waddle.

Why is the state of security so dire? Well, we could ask the DHS. Now, these guys are probably authoritative in at least a negative sense, because they actually were supposed to secure the USA government infrastructure. Here's what one guy says, thanks to Todd who passed this on:

The official in charge of coordinating the U.S. government's cybersecurity operations has quit, saying the expanding control of the National Security Agency over the nation's computer security efforts poses "threats to our democratic processes."

"Even from a security standpoint," Rod Beckstrom, the head of the Department of Homeland Security's National Cyber Security Center, told United Press International, "it is unwise to hand over the security of all government networks to a single organization."

"If our founding fathers were taking part in this debate (about the future organization of the government's cybersecurity activities) there is no doubt in my mind they would support a separation of security powers among different (government) organizations, in line with their commitment to checks and balances."

In a letter to Homeland Security Secretary Janet Napolitano last week, Beckstrom said the NSA "dominates most national cyber efforts" and "effectively controls DHS cyber efforts through detailees, technology insertions and the proposed move" of the NCSC to an NSA facility at the agency's Fort Meade, Md., headquarters.

It's called "the equity debate," presumably because the NSA holds two equities that pull in opposite directions: an offensive signals-intelligence mission and a defensive information-assurance one. Basically, the mission of the NSA is to breach our security. The theory has it that the NSA did this (partly) by ensuring that our security -- the security of the entire net -- was flaky enough for them to get in.
Now we all pay the price, as the somewhat slower but more incisive criminal economy takes its tax. Quite how we get from that NSA mission to where we are now is a rather long walk, and to be fair, the evidence is a bit scattered and tenuous. Unsurprisingly, the above resignation does not quite "spill the beans," thus preserving the beanholder's good name. But it is certainly good to see someone come out and say: these guys are ruining the party for all of us.

Risks & Security | iang | 2009-03-12T19:00:18-05:00

Identity & Privacy (conference) 14-15 May
https://financialcryptography.com/mt/archives/001157.html
Dave has announced the next Identity conference, now with added Privacy:

[Dave Birch] Here's another date for your calendars: London, 14th and 15th May 2009. The Digital Identity Forum and the Enterprise Privacy Group will be hosting the first Identity & Privacy Forum, sponsored by Consult Hyperion with support from HP, Microsoft, Symantec, Verisign and VoicePay. The Forum will be held at the Guoman Charing Cross Hotel, London, and I'm looking forward to seeing you there. Toby Stevens and I will be sending out a detailed agenda in a couple of weeks, but just as a heads-up there are going to be four sessions: "a snapshot of electronic identity", "co-evolving privacy and consent", "sharing front line experiences" from the public sector and "catching up with biometrics".

More details to follow, it seems.

Conferences and Publications | iang | 2009-03-10T17:07:43-05:00

Audits III: we don't know enough even to know what we don't know
https://financialcryptography.com/mt/archives/001130.html
Are audits going to help at all? Are they worth the cost? Are they part of the problem, or can they be part of the solution? Originally, I claimed they can help, especially for an organisation that has never been audited. That's my experience of one data point. But that's surely not sufficient; we need more. We need to know whether we can rely on these things, we need to know how to rely on these things, and when. And in the aftermath of the failure of Sarbanes-Oxley, we need to dismiss the easy answer of "we'll all just work harder."

In short, we need to know what it is we do know. Here is my view: we don't know enough. Let's see if I can sustain that claim.

If we read through the background of the cases of failure before us, whether Madoff, Satyam, Bear Stearns, Lehman Brothers or all the bailouts, we will (a) find the auditor, (b) find why he didn't pick up the failure, (c) cry foul, and say it should be like this or that, and (d) be fooled again. Why is this? We need to look beyond the superficial (tweaks like changing the auditor, rewriting the rules, or collapsing all firms down to the Big One) and go deep. What actually do we, the end-user, really know about an audit?

We can look at this several ways. We can read the audit opinion itself. That is, read any audit report of any bank-that-then-failed, and ask yourself what it says. Try these on for size:

- Is there any language in there that tells us it is good? Or about to fail?
- Drill further. Do the criteria used for the examination advance your interests or not? Do you understand the criteria? Can you even find the criteria?
- Who was the audit report delivered to? If the opinion wasn't delivered to you, how do you know that it is relevant to you?
- Are the opinions summarised? Are critical disclaimers included?
- Did the auditor tell the client what was to be provided, or did the client tell the auditor what was wanted? Were the terms of the examination stipulated? Where does it say that? Where does it say it wasn't?
- Is it an audit, an opinion, a review, an attestation, or an attest? Is it a "trust service," an SAS70, or what? Compatible with, or compliant with?
- Was it a compliance audit or chosen by discretion? Almost certainly it was a compliance audit, but what was it in compliance with? How useful is that goal to you?
- Is there "audit language" in there that is only interpretable by another auditor? A "secret code," as it were, for other auditors?

If you didn't quite follow the above, that is precisely the point. To cut a long story short, if you can successfully interpret an audit report, you are probably either very experienced, or in the business yourself. For the most part, the result of the audit is inscrutable to the outsider.

There are wider business issues in the audit. Some are well known signals, frequently commented on in the press: Is the auditor too small or under-resourced to do the job? Is the auditor too big to avoid the channeled result, to avoid being locked in his box? Is the reviewer licensed by a body, tested to some standard, trained to some degree or knowledgeable through street learning? Are any of these relevant? And some are more subtle, but well understood in the industry: whether there are conflicts of interest, whether the auditor was chosen for the result, or more blatantly, whether the auditor is in pocket or for hire, or an out-and-out crook?

Just to stress that last point, I asked a mate this seemingly innocent and easy question: "how do I find a dodgy auditor for hire?" Without a moment's thought, he came back with three recommendations: examine the regulatory filings, look for suspensions, and ask a crooked lawyer. There followed a much more detailed explanation of how these things will help, which I won't bore people with here. Suffice to say, these dirty tricks reveal the existence of auditors who are easily for hire. Hopefully, they are the exception not the rule, but how do we know?
It's probably also worth mentioning that the audit itself is only a very specific or narrow thing, yet most people like to think of the audit as a binary signal of saintliness. The public brand of the audit is still very good, indeed, almost unchallenged. The broader public likes to think of an audit as proof of goodliness, investment potential, security etc etc, when anyone who has been close to the situation knows that the gulf between perception and reality is so wide as to be at least wrong, definitely troubling and possibly deceptive.

Let me explain what I mean by that point. Auditors, if pressed, will reveal that their opinion is strictly limited by a number of caveats. Indeed, the opinion is rendered over layers of indirection, such as the management's procedures rather than the assets in question. See point 1 above. However, auditors will not press home the real conclusions: you yourself do not understand it, nor will you spot when it is no longer useful to you. Meanwhile, those same auditors are happy to let you, as the wider public, believe that the audit is a singular, all-encompassing stamp of goodliness. In short, the audit profession benefits by letting you believe in one very broad and saintly brand, but acts to reduce the scope of the result so far as to make that brand non-representative. To use a polite term, you understand ... the point to fixate on here is not why it is like this, or how far it is from the truth, but that this may explain why you don't really appreciate the limits of audit, let alone understand them.

My claim in today's post then is that the user cannot tell whether an audit is any use or not. Which audit is good for you, and which not, even if good for others? Which audit is good, and which is plain bad? The crux of the matter is that you yourself cannot tell what any of those pronouncements mean, unless you are an insider. You don't know whether you can rely, when to rely or how to rely.

Instead, you are offered a promise of verified obscurity, within the comfort of a wonderful brand. In this situation, although there is a vague promise of positive results, there are also far too many circumstances in which the results can be positive for others while negative for you, so obfuscated and confused as to be worthless, or even downright fraudulent. You will never know, and indeed, you probably can never know.

To put it in terms of the popular security media, the audit is fully compliant with security-by-obscurity. In the security world, we would say that a tool designed to that standard is generally brittle. Once cracked, it often fails completely, and badly. This is because, although the obscurity gave a measure of protection, that same obscurity hid other weaknesses which could have been easily fixed. For that reason, we in the security field do not advise security-by-obscurity.

What that does to the concept of reliance on audits is left for another post!

Governance | iang | 2009-03-01T16:35:27-05:00