Financial Cryptography

How to make scientifically verifiable randomness to generate EC curves -- the Hamlet variation on CAcert's root ceremony

It occurs to me that we could modify the CAcert process of verifiably creating random seeds to make it also scientifically verifiable, after the event. (See last post if this makes no sense.)

Instead of bringing a non-deterministic scheme, each participant could bring a deterministic scheme which is hitherto secret. E.g., instead of me using my laptop's webcam, I could use a Guttenberg copy of Hamlet, which I first declare in the event itself.

Another participant could use Treasure Island, a third could use Cien años de soledad.

As nobody knew what each other participate was going to declare, and the honest players amongst did a best-efforts guess on a new statically consistent tome, we can be sure that if there is at least one honest non-conspiring party, then the result is random.

And now verifiable post facto because we know the inputs.

Does this work? Does it meet all the requirements? I'm not sure because I haven't had time to think about it. Thoughts?

(B) The Business Choice of making a Business Investment in Bitcoin (part B of ABC)

Last month, I launched a rocket at those who invest in Bitcoin as the Coin or the Currency. It's bad, but I won't repeat the arguments against it.

For those of you who've survived the onslaught on your sensitivities, and are genuinely interested in how to make an investment into the cryptocurrency world, here is part B: the Business! The good news is that it is shorter.

---

If one was to look for a good Bitcoin investment in a business, what would it be? I think you should be asking questions like these:

• The business in question has a regulatory model. It doesn't need to be right or sustainable, more that the business owners just need to understand the word. That's because, whether they know it or not, the word is coming for them one day.
• hey have a governance model. Ditto.
• You as investor understand the difference. This is where it gets messy. Most people think the above two terms are the same thing, but they are not. A regulatory model is imposed by a regulator, and is mostly about compliance with something that protects others such as the regulator or their flock (banks). Whereas a governance model is imposed by yourself, over your own operations, to protect your assets and the assets of the customer. Completely different, and completely misunderstood in the eyes of the external stakeholder community. Therefore, likely misaligned in the eyes of the Bitcoin CEO. Do you see where this is going?
• They have a Sean Parker. By this, I mean the person with real experience of this broad Internet / money / social networking business space, the guy who's been there twice before, and this time, *he's there* at the critical juncture to that 2 kids and a fridge full of beer all the way to a big business. See the Facebook movie if this doesn't make any sense.

---

Signs of a bad investment:

• Wanting to be the next big exchange.
• No relevant experience in the chosen direct business model. This is distinct from the Sean Parker point above. By this I mean, if wanting to do an exchange, the people have / do not have (select one) prior experience in what a daily trading model is, what 5PM is, what governance is, what an internet security model is. E.g., Mt Gox, which traded without understanding any of these things.
• Belief that tech solves all problems.
• No knowledge of what came before the Bitcoin paper.
• Deal hinges in part on banks or regulators. For example, these guys are DITW:

  Part of laying the groundwork is bringing the establishment on board, Malka said. “We need more banks participating in this. We need regulators. I’m part of the Bitcoin Foundation – we are out there trying to educate regulators.” Getting regulators on board will help get the banks to come along, Liew predicted. “If the regulators explicitly set forth rules that say, ‘Bright line, do this, you will find a bank that is willing to take on bitcoin customers,’” Liew said.

---

That's my B list so far. You'll note that it includes no conventional things, because you already have those. All it includes is pointers to the myths-of-doom peddled in the current bitcoin world as business talk. It's designed to separate out the happy hopefuls from the actual business possibilities, in a world where talking is deeper than walking.

Next up, when I get to it, is my A list: a point I believe so important I saved it for another post. Watch this space.

The IETF's Security Area post-NSA - what is the systemic problem?

In the light of yesterday's newly revealed attack by the NSA on Internet standards, what are the systemic problems here, if any?

I think we can question the way the IETF is approaching security. It has taken a lot of thinking on my part to identify the flaw(s), and not a few rants, with many and aggressive defences and counterattacks from defenders of the faith. Where I am thinking today is this:

First the good news. The IETF's Working Group concept is far better at developing general standards than anything we've seen so far (by this I mean ISO, national committees, industry cartels and whathaveyou). However, it still suffers from two shortfalls.

1. the Working Group system is more or less easily captured by the players with the largest budget. If one views standards as the property of the largest players, then this is not a problem. If OTOH one views the Internet as a shared resource of billions, designed to serve those billions back for their efforts, the WG method is a recipe for disenfranchisement. Perhaps apropos, spotted on the TLS list by Peter Gutmann:

Documenting use cases is an unnecessary distraction from doing actual work. You'll note that our charter does not say "enumerate applications that want to use TLS".

I think reasonable people can debate and disagree on the question of whether the WG model disenfranchises the users, because even though a a company can out-manouver the open Internet through sheer persistence and money, we can still see it happen. In this, IETF stands in violent sunlight compared to that travesty of mouldy dark closets, CABForum, which shut users out while industry insiders prepared the base documents in secrecy.

I'll take the IETF any day, except when...

2. the Working Group system is less able to defend itself from a byzantine attack. By this I mean the security concept of an attack from someone who doesn't follow the rules, and breaks them in ways meant to break your model and assumptions. We can suspect byzantium disclosures in the fingered ID:

The United States Department of Defense has requested a TLS mode which allows the use of longer public randomness values for use with high security level cipher suites like those specified in Suite B [I-D.rescorla-tls-suiteb]. The rationale for this as stated by DoD is that the public randomness for each side should be at least twice as long as the security level for cryptographic parity, which makes the 224 bits of randomness provided by the current TLS random values insufficient.

Assuming the story as told so far, the US DoD should have added "and our friends at the NSA asked us to do this so they could crack your infected TLS wide open in real time."

Such byzantine behaviour maybe isn't a problem when the industry players are for example subject to open observation, as best behaviour can be forced, and honesty at some level is necessary for long term reputation. But it likely is a problem where the attacker is accustomed to that other world: lies, deception, fraud, extortion or any of a number of other tricks which are the tools of trade of the spies.

Which points directly at the NSA. Spooks being spooks, every spy novel you've ever read will attest to the deception and rule breaking. So where is this a problem? Well, only in the one area where they are interested in: security.

Which is irony itself as security is the field where byzantine behaviour is our meat and drink. Would the Working Group concept past muster in an IETF security WG? Whether it does or no depends on whether you think it can defend against the byzantine attack. Likely it will pass-by-fiat because of the loyalty of those involved, I have been one of those WG stalwarts for a period, so I do see the dilemma. But in the cold hard light of sunlight, who is comfortable supporting a WG that is assisted by NSA employees who will apply all available SIGINT and HUMINT capabilities?

Can we agree or disagree on this? Is there room for reasonable debate amongst peers? I refer you now to these words:

On September 5, 2013, the New York Times [18], the Guardian [2] and ProPublica [12] reported the existence of a secret National Security Agency SIGINT Enabling Project with the mission to “actively [engage] the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs.” The revealed source documents describe a US $250 million/year program designed to “make [systems] exploitable through SIGINT collection” by inserting vulnerabilities, collecting target network data, and influencing policies, standards and specifications for commercial public key technologies. Named targets include protocols for “TLS/SSL, https (e.g. webmail), SSH, encrypted chat, VPNs and encrypted VOIP.”
The documents also make specific reference to a set of pseudorandom number generator (PRNG) algorithms adopted as part of the National Institute of Standards and Technology (NIST) Special Publication 800-90 [17] in 2006, and also standardized as part of ISO 18031 [11]. These standards include an algorithm called the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC). As a result of these revelations, NIST reopened the public comment period for SP 800-90.

And as previously written here. The NSA has conducted a long term programme to breach the standards-based crypto of the net.

As evidence of this claim, we now have *two attacks*, being clear attempts to trash the security of TLS and freinds, and we have their own admission of intent to breach. In their own words. There is no shortage of circumstantial evidence that NSA people have pushed, steered, nudged the WGs to make bad decisions.

I therefore suggest we have the evidence to take to a jury. Obviously we won't be allowed to do that, so we have to do the next best thing: use our collective wisdom and make the call in the public court of Internet opinion.

My vote is -- guilty.

One single piece of evidence wasn't enough. Two was enough to believe, but alternate explanations sounded plausible to some. But we now have three solid bodies of evidence. Redundancy. Triangulation. Conclusion. Guilty.

Where it leaves us is in difficulties. We can try and avoid all this stuff by e.g., avoiding American crypto, but it is a bit broader that that. Yes, they attacked and broke some elements of American crypto (and you know what I'm expecting to fall next.). But they also broke the standards process, and that had even more effect on the world.

It has to be said that the IETF security area is now under a cloud. Not only do they need to analyse things back in time to see where it went wrong, but they also need some concept to stop it happening in the future.

The first step however is to actually see the clouds, and admit that rain might be coming soon. May the security AD live in interesting times, borrow my umbrella?

How Bitcoin just made a bid to join the mainstream -- the choice of SSL PKI may be strategic rather than tactical

How fast does an alternative payment system take to join the mainstream? With Paypal it was less than a year; when they discovered that the palm pilot users were preferring the website, the strategy switched pretty quickly. With goldmoney it was pretty much instant, with e-gold, they never achieved it.

With Bitcoin's new announcement, we can mark their intent as around four years or so. Belated welcome is perhaps due, if one thinks the mainstream is actually the place to be. Many do, although I have my reservations on this point and it is somewhat of a surprise to read of Bitcoin's choice of merchant authentication mechanism:

Everyone seems to agree - the public key infrastructure, that network of certificate authorities that stands between you and encrypting your website, sucks.

It’s too expensive. CA’s don’t do enough for the fees they charge. It’s too big. There isn’t enough competition. It’s compromised by governments. The technology is old and crusty. We should all use PGP instead. The litany of complaints about the PKI is endless.

In recent weeks, the Bitcoin payment protocol (BIP 70) has started to roll out. One of the features present in version 1 is signing of payment requests, and the mechanism chosen was the SSL PKI.

Mike Hearn then goes on to describe why they have chosen the SSL PKI. The description reads like a mix between an advertisement, an attack on the alleged alternates (such as they are) and an apology. Suffice to say, he gets most of the argumentation as approximately right & wrong as 99% of the experts in the field do.

Several things stand out. I read from the article that there was little attempt to explore what might be called the "own alternative." From this I wonder if what is happening is that a conservative inner group are actually trying to push Bitcoin faster into the mainstream?

Choosing to push merchants to SSL PKI authentication would certainly be one way to do it. However, this is a dangerous strategy, and what I didn't see addressed was the vector of control issue. This was a surprise, so I'll bring it out.

A danger with stated approach is that it opens up a clear attack on every merchant. Right now, merchants deal under the radar, or can do so, and caveat emptor widely rules in Bitcoinlandia. Once merchants are certified to trade by the CAs however, there is a vector of identification, and permission. There is evidence. Requirements for incorporation. There are trade records and trade purposes.

And, there is a CA which has ... what?

Terms & conditions. Unfortunately, T&C in the CA industry are little known, widely ignored, and not at all understood. Don't believe me? Ask anyone in the industry for a serious discussion about the legal contracts behind PKI and you will hear more stoney silence than if you'd just proven to the UN that global warming was another malthusian plot to prepare the world for the invasion of Martians. Still don't believe me? Check what CABForum's documents say about them. Stoney silence, in words.

But they are real, they exist, and they are forceful. They are very intended, as even when CAs don't understand them themselves, they mostly end up copying them.

One thing you will find in them is that most CAs will decline to do business with any person or party that does something illegal. Skipping the whys and wherefores, this means that any agency can complain to any CA about a merchant on any basis ("hasn't got a license in my state to do some random thing") and the CA is now in a tricky position. Tricky enough to decide where its profits come from.

Now, we hope that most merchants are honest and legal, and as mentioned above, maybe the strategy is to move in that direction in a more forceful way. The problem is that in the war against Bitcoin, as yet undeclared and still being conducted under diplomatic cover, any claim of illegality will take on a sort of state-credibility, and as we know when the authorities say that a merchant is acting against the law, the party is typically seen to be guilty until proven innocent &/or bankrupt. Factor in that it is pretty easy for an agency to take a line that Bitcoin is illegal per se. Factor in that all commercial CAs are now controlled via CABForum and are all aligned into one homogoneous equivalency (forget talk of competition, pah-lease...). Factor in that one sore thumb isn't worth defending, and sets a precedent. We should now see that all CAs will slowly but surely feel the need to mitigate against the threat to their business that is Bitcoin.

It won't be that way to begin with. One thing that Bitcoiners will be advised to do is to get a CA in a safe and remote country, one with spine. That will last for a while. But the forces will build up. The risk is that one day, the meme will spread, "we're not welcoming that business any more."

In military strategy, they say that the battle is won by the general that imposes his plan over the opponent, and I fear that choosing the SSL PKI may just be the opponent's move of choice, not Bitcoin's move of choice, no matter how attractive it may appear.

But what's the alternative, Mike Hearn asks? His fundamental claim seems to stand: there isn't a clear alternative.

This is true. If you ignore Bitcoin's purpose in life, if you ignore your own capabilities and you ignore your community, then ... I agree! If you ignore CAcert, too, I agree. There is no alternate.

But what would happen if you didn't ignore these things? Bitcoin's community is ideally placed to duplicate the system. We know this because it's been done in the past, and the text book is written. Indeed, long term readers will know that I am to some extent just copying the textbook in my current business, and I can tell you it certainly isn't as hard as getting Bitcoin up and rolling.

Capabilities? Well, actually when it comes to cryptographic protocols and reliable transactions and so forth, Bitcoin would certainly be in the game. I'm not sure why they would be so shy of this, as they are almost certainly better placed in this game than all the other CAs except perhaps the very biggest, and even that's debatable because it's been a long time since the biggest actually had the staff and know-how to do any game-changing. Bitcoin has got the backing of google who almost certainly have more knowledge about this stuff than all the CAs combined, and most of the vendors as well (OK, so Microsoft might give them a run for their money if they could get out of the stables).

They've got the mission, the community, the capabilities and the textbook. Why then not? This is why I think that Bitcoin people have made a strategic decision to join the mainstream. If that's the case, then good luck, but boy-oh-boy! are they playing high-stakes poker here.

Old Chinese curse: be careful what you wish for.

How MtGox Failed the Five Parties Governance Test

This was a draft of an article now published in Bitcoin Magazine. That latter is somewhat larger, updated and has some additional imagery.

MtGox, the Bitcoin exchange, is in the news again, this time for collapsing. One leaked report maintains that MtGox may only have 2,000 Bitcoins in reserve over against 744,408 BTC in liabilities - which indicates a reserve of less than 1%.

MtGox originally claimed that their troubles stem from a long-term exploit of the evil malleability bug, which was exploited by means of repeated double spending through an algorithm. However a loss of 99.7% of their reserves cannot be attributed to some mere market timing bug. It is clear that the failure of MtGox is a failure of governance.

Trust Shall Not Live by Tech Alone

One of the temptations for applied cryptographers is to think that we can solve all problems with clever mathematics and inspired code. Thus there has been much discussion over the past two decades about using cryptography to build trust models that work for untrusted parties over the Internet.

This hope in cryptography is misplaced, and often dangerously so. In the first generation of the Internet, SSL was promoted to solve the trust and security problem. However, it failed to do that. Although it secured the line of communications, it left the end-points open to attack, and failed to solve the problem of knowing who the person at an end-point really is.

As history shows, and MtGox confirms, the end-point security question is by far the dominating one, and thus we saw the rise of phishing attacks, "man in the browser" attacks, and server breaches throughout the 2000's. Yet, SSL remains synonymous with Internet e-commerce security, and its very domination is a blindness that attackers benefit from.

Bitcoin can be broadly described as an attempt to solve the problem of governance of a centralised issuer of currency through technology. By using a common protocol to manage a public blockchain, we can make sure everyone follows the rules and make it technically impossible to issue more Bitcoins than the protocol has decreed shall ever exist.

However, like SSL, Bitcoin's solution to the issuance problem has left open the weaker parts of the system to continued attack. In order to provide useful Bitcoin services, businesses must hold the users' Bitcoins and/or their cash in trust. These businesses, such as exchanges, brokerages, online wallets, retail, etc, are at risk from insider theft, external hacking and loss through poor accounting.

Bitcoin's brilliant design for issuance governance may have obscured a complete lack of protection for end-point governance.

How can a user trust a person to protect his or her value?

This is not a new problem for finance. It is called the "agency problem" in reference to the fact that an agent acts for the user as a trusted intermediary. Institutions in the finance space have been dealing with the issue of trusted intermediaries for millennia. This field is broadly called "governance" and has many well known methods for achieving accountability and reliability for fiduciary institutions.

Drawing from "Financial Cryptography in Seven Layers," Governance includes the following techniques:

• Escrow of value with trusted third parties. For example, funds underlying a dollar currency would be placed in a bank account.
• Separation of powers: routine management from value creation, authentication from accounting, systems from marketing.
• Dispute resolution procedures such as mediation, arbitration, ombudsman, judiciary, and force.
• Use of third parties for some part of the protocol, such as creation of value within a closed system.
• Auditing techniques that permit external monitoring of performance and assets.
• Reports generation to keep information flowing to interested parties. For example, user-driven display of the reserved funds against which a currency is backed.

As technologists, we strive to make the protocols that we build as secure and self-sustaining as possible; our art is expressed in pushing problem resolution into the lower layers. This is an ideal, however, to which we can only aspire; there will always be some value somewhere that must be protected by non-protocol means.

Our task is made easier if we recognise the existence of this gap in the technological armoury, and seek to fill it with the tools of Governance. The design of a system is often ultimately expressed in a compromise between Governance and the lower layers: what we can do in the lower layers, we do; and what we cannot is cleaned up in Governance.

The question then is how to bring those practices into a digital accounting and payment system.

To address this weakness of customer escrowed funds, back in the late 1990's we developed a governance technique for digital currency that we called the "Five Parties Governance Model." (This model was built into the digital currency platform that we designed for exchange, called "Ricardo".)

The five parties model shares the responsibility and roles for protection of value amongst five distinct parties involved in the transactions. Although originally designed to protect an entire digital issuance, a problem that Bitcoin addressed with its public blockchain and its absence of an asset redemption contract, this technique can be broadly applied to many problems such as that which has brought MtGox down.

The Five Parties Model (5PM)

In terms of a cryptocurrency issuance with a single issuer (Ricardo model), the Five Parties Model looks like this (Figure 1).

Figure 1. Simple Five Parties Model

Issuer. The Issuer is the institution guaranteeing the contract with the User. This is the person or entity ultimately responsible for the assets and whether the governance succeeds or fails.

In the present case, MtGox is the contractual party that is guaranteeing to deliver an exchange of value, and in the mean time keep those values secure. In Ricardo the Issuer is the party who defines and offers the contract for a particular issuance, which contract creates the rules that govern the five parties.

As can be seen from the following screen capture taken from the Internet Archive, MtGox did in fact have a contract with the users to fully reserve their internal Bitcoin and currency accounts:

Figure 2. Mt. Gox Terms & Conditions

However, as an Issuer, MtGox appears to have failed to implement internal controls to put the other four parties into place.

Trustee. In a digital value scenario, there is always a Trustee role that controls creation or release of long-term funds. For MtGox, this Trustee might be the person who signs off on outgoing wires and outgoing Bitcoin payments, or it might be the person who creates or deletes the derivative monetary units (BTC,LTC,EUR,USD,etc) inside the exchange's books.

For a cryptocurrency that contracts to an underlying asset, the Trustee's account, sometimes known as the Mint account, is the only one that has the ability to create or destroy digital units of value, as that underlying asset pool increases or decreases. For a cryptocurrency without a contractual underlying, the protocol itself can stand in the person's stead by employing an algorithm such as Bitcoin's mining rewards program.

Manager. The manager is the person or entity, usually an employee of the Issuer, who asks the Trustee to perform the big controlled operations: create or destroy digital assets, or deposit or withdraw physical ones, in order to reflect the overall pattern of trading activities.

The Manager typically works on a daily trading basis. As funds come in and go out, some of these request match each other. For a perfect balance, nothing needs to be done, but normally there is an overall flow in one direction or another. As trading balances build up or draw down, the Manager asks the Trustee to authorise the conversion of daily trading assets against the long-term reserves.

In the MtGox context, when BTC is flowing out and cash is flowing in, the Manager would ask the Trustee to release the BTC from the cold wallets, and would deliver cash into the long-term sweep accounts held at bank under the Trustee's control. The Trustee would control that action by looking at the single transfer into the sweep account to confirm the transaction is backed by assets.

In the context of an issuance of digital gold, the Manager might receive an inflow of a 1kg physical bar. The Manager must bail the physical gold into the vault, and present the receipt to the Trustee. With that receipt in hand, and any other checks desired, the Trustee can now release 1kg of freshly-minted digital gold to the Manager's Account.

The Manager is in this way guarded by the Trustee, but it works the other way as well. In a well-governed system, the Trustee can only direct value to be sent to the Manager. In this way, the Trustee cannot steal the value under trust, without conspiring with the Manager; a well-run business will keep these two parties at a distance and bound to govern each other by various techniques such as professional conduct codes.

For example, Ricardo has an ability to lock the Mint's account together with the Manager's account in this fashion. Bitcoin lacks account-control features, but there is no reason that MtGox could not have implemented account-control for their internal Bitcoin accounts.

Operator / Escrow / Vault. For a cryptocurrency, the operator is the part of the business ensuring that the servers and the software are running and properly doing their job. By outsourcing this to a third party, we add another degree of separation of powers to the governance model.

In the case of Ricardo and similar contractually-controlled issuances, there is generally a single server cluster that maintains the accounts. The sysadmin for this server controls the accounts and ensures that no phantom accounts or transactions are let in; software designs assist by including techniques such as triple entry accounting, which guarantees that only original users can create signed instructions to transfer value with their private keys.

For the physical side of a digital issuance such as gold, a vault fills the operator role. In the case of GoldMoney.com the vault operator is ViaMat. They don't do anything with the client's gold unless they receive a signed instruction from the Trustee. They just keep thieves from physically stealing it.

Bitcoin is very different in this respect in that it creates the public blockchain as the accounting mechanism. In this case, the operator role is not outsourced to one party, rather it is spread across the miners, the software and the development team, presenting a very strong governance equation over operator malfeasance.

For a business such as MtGox, the operators or escrows are two-fold. On the one part is the bank providing accounts, and especially the primary account holding long term cash reserves. On the other part, as an exchange provider, is the set of cold wallets holding long term BTC.

The Fifth Party - The Public as Auditor. The final and most important element of the Five Parties Model is the role of the Public as auditor.

Typically, the role of audit is to examine the books to validate that the other parties are indeed doing their job. As is covered elsewhere (Audit), paid auditors have a long-term conflict of interest, which has been at the root of several notable disasters in the last decade - the failure of Enron, the wholesale bankruptcy of banking in 2007 financial crisis, the collapse of AIG, none of which auditors rang the bell for.

Auditors, as well as being conflicted, are also expensive, which leads to the search for alternates. Once we have mined the cryptographic techniques available to us, we are still left with a set of things we cannot control so easily. What then?

Introducing you, the user, or the Public. You do not have a conflict of interest, in that it is your value at risk, and you have a strong interest in seeing that the other four parties are doing their job properly. Which then begs the question of how you, the public, can audit anything, when audit almost by definition means seeing that which cannot be seen?

The answer is to make that which was previously unseen, seen. Some examples of digital currencies that have supported audit by you the Public include:

• e-gold.com published a real time balance sheet of their digital issuance.
• Goldmoney.com publishes their physical gold as held by their vault operators, and auditors publish the monthly report.
• Bitcoin publishes the blockchain.
• Ricardo publishes the balances of the Trustee and Manager accounts.

Two-Sided Variation on the Five Parties Model

The Five Parties Model is just and exactly that - a model. Which means there are variations and limitations, and a business must modify it to suit. For example, many businesses in the space have not one but two bases of value to control: an underlying asset and a digital issuance. Bitcoin Exchanges fall into this category, for example.

When an Issuer is backing the digital currency with a reserve asset, both of these assets need to be protected. To do this, we utilise two instances of the Five Parties Model in a mirrored pair. In each, the Issuer and the Public act as parties on both sides, whereas the Trustee, the Operator and the Manager may be duplicated (or not). Figure 3 shows an arrangement where a single Manager works with mirrored Operators and Trustees.

Figure 3. Two-Sided or Mirrored Variation of the 5 Parties Model

An exchange such as MtGox would have had an even more complicated regime. For every one of their assets - BTC, Altcoins, USD, EUR, JPY, etc, they would have needed to delegate operators, trustees and managers. We as users expect they did that, which then leaves us with a question -- what went wrong?

MtGox Failed Because Nobody Was Watching Them

We can now measure MtGox against the governance picture drawn above. Although originally developed for an issuance, the model applies wherever there is an important asset to protect.

As a business, the role of Issuer is relatively easy to identify - the company MtGox itself. Their terms and conditions constituted a clear contract between themselves and the users, where MtGox would hold the user's Bitcoin assets in reserve.

Likewise, the Operator for cash is clear: the banks holding the long-term value are presumably identifiable via incoming and outgoing wires. MtGox had transactions going in and out for some time, so Managers are in evidence. The Operator for the long-term BTC cold wallets is the Bitcoin network itself.

What about Trustees? Although MtGox has repeatedly placed blame on their in-house operations team for various hacks and bugs, it is rather more likely that they fell short on the appointment and management of Trustees.

Somehow, the Management created for themselves 744,408 BTC on their internal books against an underlying reserve of only 2,000 actual Bitcoins, which should have been an obvious disaster to all. If this is the case, this suggests that no Trustees were appointed at all, and Managers were essentially uncontrolled.

Finally, the Public as auditor is not in evidence. MtGox on their website did not show the balances of any of their major asset classes, nor provide any easy way to ensure that their parties are doing their job.

Ideally, MtGox would have displayed a balance sheet with references to cold wallets on one side, and their internal Bitcoin/Altcoin balances on the other side. The former is checkable via the blockchain, the latter could be made available by the operator, and periodically audited to ensure the code providing the balance query was accurate.

With this information, you the Public as individuals or as media or other observers can verify that things are as they should be, and if not, sound the alarm! That's what Twitter is for, that's what sites such as DGCMagazine.com, CoinDesk.com and Bitcoin Magazine are for.

Under such circumstances failure might be expected and indeed may be inevitable. As MtGox did not have a sufficient governance model in place, we might have been disconcerted to learn that more than $300 million worth of Bitcoin managed to disappear, but we should also be aware that we may ultimately blame our own failure to insist on good governance.

What other players in the Bitcoin world will fall for the same lack of care? You, the fifth party, the auditing Public would be well advised to review all of your Bitcoin partners to see what forms of governance they use, and to choose wisely. It is your value at risk, and demanding quality governance such as is outlined above is your right.

If you only read one thing this weekend, read about the Vampire Squid

If you read only one thing this weekend, read this.

This is why the 2007 crisis was not resolved. This is why we now socialize their losses, but leave them their profits. This is why it is impossible to fix, and the only game in town is predicting which economy is toast, this weekend, and which investment bank is making monopoly profits while being technically bankrupt.

It is likely impossible to roll back the USA's lifting of the Glass-Steagall barrier, which is in other places known as sound banking. How one deals with a world in which banking is morphing into industrial combines with infinite and free capital is beyond my small brain; we need something like bitcoin, but much stronger.

Hack on, your code may save society as we know it.

Digital Evidence journal is now open source!

Stephen Mason, the world's foremost expert on the topic, writes (edited for style):

The entire Digital Evidence and Electronic Signature Law Review is now available as open source for free here:

Current Issue         Archives

All of the articles are also available via university library electronic subscription services which require accounts:

EBSCO Host         HeinOnline         v|lex (has abstracts)

If you know of anybody that might have the knowledge to consider submitting an article to the journal, please feel free to let them know of the journal.

This is significant news for the professional financial cryptographer! For those who are interested in what all this means, this is the real stuff. Let me explain.

Back in the 1980s and 1990s, there was a little thing called the electronic signature, and its RSA cousin, the digital signature. Businesses, politicians, spooks and suppliers dreamed that they could inspire a world-wide culture of digitally signing your everything with a hand wave, with the added joy of non-repudiation.

They failed, and we thank our lucky stars for it. People do not want to sign away their life every time some little plastic card gets too close to a scammer, and thankfully humanity had the good sense to reject the massively complicated infrastructure that was built to enslave them.

However, a suitably huge legacy of that folly was the legislation around the world to regulate the use of electronic signatures -- something that Stephen Mason has catalogued here.

In contrast to the nuisance level of electronic signatures, in parallel, a separate development transpired which is far more significant. This was the increasing use of digital techniques to create trails of activity, which led to the rise of digital evidence, and its eventual domination in legal affairs.

Digital discovery is now the main act, and the implications have been huge if little understated outside legal circles, perhaps because of the persistent myth in technology circles that without digital signatures, evidence was worth less.

Every financial cryptographer needs to understand the implications of digital evidence, because without this wisdom, your designs are likely crap. They will fail when faced with real-world trials, in both senses of the word.

I can't write the short primer on digital evidence for you -- I'm not the world's expert, Stephen is! -- but I can /now/ point you to where to read.That's just one huge issue, hitherto locked away behind a hugely dominating paywall. Browse away at all 10 issues!

Research on Trust -- the numbers matter

Many systems are built on existing trust relationships, and understanding these is often key to their long term success or failure. For example, the turmoil between OpenPGP and x509/PKI can often be explained by reference to their trust assumptions, by comparing the web-of-trust model (trust each other) to the hierarchical CA model (trust mozilla/microsoft/google...).

In informal money systems such as LETS, barter circles and community currencies, it has often seemed to me that these things work well, or would work well, if they could leverage local trust relationships. But there is a limit.

To express that limit, I used to say that LETS would work well up to maybe 100 people. Beyond that number, fraud will start to undermine the system. To put a finer point on it, I claimed that beyond 1000 people, any system will require an FC approach of some form or other.

Now comes some research that confirms some sense of this intuition, below. I'm not commenting directly on it as yet, because I haven't the time to do more than post it. And I haven't read the paper...

---

'Money reduces trust' in small groups, study shows
By Melissa Hogenboom Science reporter, BBC News

People were more generous when there was no economic incentive

A new study sheds light on how money affects human behaviour.

Exchanging goods for currency is an age old trusted system for trade. In large groups it fosters co-operation as each party has a measurable payoff.

But within small groups a team found that introducing an incentive makes people less likely to share than they did before. In essence, even an artificial currency reduced their natural generosity.

The study is published in journal PNAS.

When money becomes involved, group dynamics have been known to change. Scientists have now found that even tokens with no monetary value completely changed the way in which people helped each other.

Gabriele Camera of Chapman University, US, who led the study, said that he wanted to investigate co-operation in large societies of strangers, where it is less likely for individuals to help others than in tight-knit communities.

The team devised an experiment where subjects in small and large groups had the option to give gifts in exchange for tokens.

The study

• Participants of between two to 32 individuals were able to help anonymous counterparts by giving them a gift, based solely on trust that the good deed would be returned by another stranger in the future
• In this setting small groups were more likely to help each other than the larger groups
• In the next setting, a token was added as an incentive to exchange goods. The token had no cash value
• Larger groups were more likely to help each other when tokens had been added, but the previous generosity of smaller groups suffered

Social cost

They found that there was a social cost to introducing this incentive. When all tokens were "spent", a potential gift-giver was less likely to help than they had been in a setting where tokens had not yet been introduced.

The same effect was found in smaller groups, who were less generous when there was the option of receiving a token.

"Subjects basically latched on to monetary exchange, and stopped helping unless they received immediate compensation in a form of an intrinsically worthless object [a token].

"Using money does help large societies to achieve larger levels of co-operation than smaller societies, but it does so at a cost of displacing normal of voluntary help that is the bread and butter of smaller societies, in which everyone knows each other," said Prof Camera.

But he said that this negative result was not found in larger anonymous groups of 32, instead co-operation increased with the use of tokens.

"This is exciting because we introduced something that adds nothing to the economy, but it helped participants converge on a behaviour that is more trustworthy."

He added that the study reflected monetary exchange in daily life: "Global interaction expands the set of trade opportunities, but it dilutes the level of information about others' past behaviour. In this sense, one can view tokens in our experiment as a parable for global monetary exchange."

'Self interest'

Sam Bowles, of the Santa Fe Institute, US, who was not involved with the study, specialises in evolutionary co-operation.

He commented that co-operation among self-interested people will always occur on a vast scale when "helping another" consists of exchanging a commodity that can be bought or sold with tokens, for example a shirt.

"The really interesting finding in the study is that tokens change the behavioural foundations of co-operation, from generosity in the absence of the tokens, to self-interest when tokens are present."

"It's striking that once tokens become available, people generally do not help others except in return for a token."

He told BBC news that it was evidence for an already observed phenomenon called "motivational crowding out, where paying an individual to do a task which they had already planned to do free of charge, could lead people to do this less".

However, Prof Bowles said that "most of the goods and services that we need that make our lives possible and beautiful are not like shirts".

"For these things, exchanging tokens could never work, which is why humans would never have become the co-operative species we are unless we had developed ethical and other regarding preferences."

PRISM Confirmed: major US providers grant direct, live access to the NSA and FBI

In an extraordinary clean sweep of disclosure from the Washington Post and the Guardian:

The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post.

The process is by direct connection to the servers, and requires no intervention by the companies:

Equally unusual is the way the NSA extracts what it wants, according to the document: “Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.”

....
Dropbox, the cloud storage and synchronization service, is described as “coming soon.”

From outside direct access might appear unusual, but it is actually the best way as far as the NSA is concerned. Not only does it give them access at Level Zero, and probably better access than the company has itself, it also provides the victim supplier plausible deniability:

“We do not provide any government organization with direct access to Facebook servers,” said Joe Sullivan, chief security officer for Facebook. ....

“We have never heard of PRISM,” said Steve Dowling, a spokesman for Apple. “We do not provide any government agency with direct access to our servers, ..." ....

“Google cares deeply about the security of our users’ data,” a company spokesman said. “We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.”

Microsoft also provided a statement: “.... If the government has a broader voluntary national security program to gather customer data we don’t participate in it.”

Yahoo also issued a denial. “Yahoo! takes users’ privacy very seriously,” the company said in a statement. “We do not provide the government with direct access to our servers, systems, or network.”

How is this apparent contradiction possible? It is generally done via secret arrangements not with the company, but with the employees. The company does not provide back-door access, but the people do. The trick is to place people with excellent tech skills and dual loyalties into strategic locations in the company. These 'assets' will then execute the work required in secret, and spare the company and most all of their workmates the embarrassment.

Patriotism and secrecy are the keys. The source of these assets is easy: retired technical experts from the military and intelligence agencies. There are huge numbers of these people exiting out of the armed forces and intel community every year, and it takes only a little manipulation to present stellar CVs at the right place and time. Remember, the big tech companies will always employ a great CV that comes highly recommended by unimpeachable sources, and leapfrogging into a stable, very well paid civilian job is worth any discomfort.

Everyone wins. It is legal, defensible and plausibly deniable. Such people are expert at keeping secrets -- about their past and about their current work. This technique is age-old, refined and institutionalised for many a decade.

Questions remain: what to do about it, and how much to worry about it? Once it has started, this insertion tactic is rather difficult to stop and root out. At CAcert, we cared and a programme developed over time that was strong and fair -- to all interests. Part of the issue is dealing with the secrecy of it all:

Government officials and the document itself made clear that the NSA regarded the identities of its private partners as PRISM’s most sensitive secret, fearing that the companies would withdraw from the program if exposed. “98 percent of PRISM production is based on Yahoo, Google and Microsoft; we need to make sure we don’t harm these sources,” the briefing’s author wrote in his speaker’s notes.

But for the big US companies, is it likely that they care? Enough? I am not seeing it, myself, but if they are interested, there are ways to deal with this. Fairly, legally and strongly.

How much should we worry about it? That depends on (a) what is collected, (b) who sees it, and (c) who's asking the question?

There has been “continued exponential growth in tasking to Facebook and Skype,” according to the PRISM slides. With a few clicks and an affirmation that the subject is believed to be engaged in terrorism, espionage or nuclear proliferation, an analyst obtains full access to Facebook’s “extensive search and surveillance capabilities against the variety of online social networking services.”

According to a separate “User’s Guide for PRISM Skype Collection,” that service can be monitored for audio when one end of the call is a conventional telephone and for any combination of “audio, video, chat, and file transfers” when Skype users connect by computer alone. Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms.

Firsthand experience with these systems, and horror at their capabilities, is what drove a career intelligence officer to provide PowerPoint slides about PRISM and supporting materials to The Washington Post in order to expose what he believes to be a gross intrusion on privacy. “They quite literally can watch your ideas form as you type,” the officer said.

Live access to everything, it seems. So who sees it?

My rule of thumb was that if the information stayed in the NSA, then that was fine. Myself, my customers and my partners are not into "terrorism, espionage or nuclear proliferation." So as long as there is a compact with the intel community to keep that information clean and tight, it's not so worrying to our business, our privacy, our people or our legal situation.

But there is no such compact. Firstly, they have already engaged the FBI and the US Department of Justice as partners in this information:

In exchange for immunity from lawsuits, companies such as Yahoo and AOL are obliged to accept a “directive” from the attorney general and the director of national intelligence to open their servers to the FBI’s Data Intercept Technology Unit, which handles liaison to U.S. companies from the NSA. In 2008, Congress gave the Justice Department authority for a secret order from the Foreign Surveillance Intelligence Court to compel a reluctant company “to comply.”

Anyone with a beef with the Feds is at risk of what would essentially be a corrupt bypass of the legal justice system of fair discovery (see this for the start of this process).

Secondly, their credibility is zero: The NSA has lied about their access. They have deceived most if not all employees of the companies they have breached. They've almost certainly breached the US constitution and the US law in gaining warrant-free access to citizens. Dismissively. From the Guardian:

"Fisa was broken because it provided privacy protections to people who were not entitled to them," the presentation claimed. "It took a Fisa court order to collect on foreigners overseas who were communicating with other foreigners overseas simply because the government was collecting off a wire in the United States. There were too many email accounts to be practical to seek Fisas for all."

The FISA court that apparently governs their access is evidently ungovernable, as even members of Congress cannot breach its secrecy.

And that's within their own country -- the NSA feels that it is under no such restrictions or niceties outside their own country.

A reasonable examination of the facts and the record of the NSA (1, 2, 3) would therefore conclude that they cannot be trusted to keep the information secret. American society should therefore be worried. Scared, even. The risk of corruption of the FBI is by itself enough to pull the plug on not just this programme, but the system that allowed it to arise.

What does it mean to foreign society, companies, businesses, and people? Not a lot different as all of this was reasonable anyway. Under the history-not-rules of foreign espionage, anything goes. The only difficulty likely to be experienced is when the NSA conspires with American companies to benefit them both, or when American assets interfere with commercial businesses that they've targetted as assisting enemies.

One thing that might now get a boost is the Internet in other countries:

The presentation ... noted that the US has a "home-field advantage" due to housing much of the internet's architecture.

Take note, the rest of the world!

MayDay! MayDay! British Banking Launches new crisis of titanic proportions...

Yes, it's the first of May, also known as May Day, and the communist world's celebration of the victory over capitalism. Quite why MayDay became the international distress message over radio is not known to me, but I'd like to know!

Meanwhile, the British Banking sector is celebrating its own version of MayDay:

The bank went through their customer base and identified which businesses were asset rich and cash poor.

Typically, the SME (small to medium enterprise) would require funding for expansion or to cover short term exposures, and the bank’s relationship manager would work with the business owner on a loan funding cover.

The loan may be for five or ten years, and the relationship manager would often call the client after a short time and say “congratulations, you’ve got the funding”.

The business owner would be delighted and would start committing the funds.

Only then would the relationship manager call them back and say, “ah, we have a concern here about interest rates”.

This would start the process of the disturbance sale of the IRSA.

The rest you can imagine - the bank sold an inappropriate derivative with false information, and without advising the customer of the true costs. This time however the costs were more severe, as it seems that many such businesses went out of business in whole or in part because of the dodgy sale.

In particular, the core issue is that no-one has defined whether the bank will be responsible for contingent liabilities.

The liabilities are for losses made by those businesses that were mis-sold these products and, as a result, have now gone into bankruptcy or been constrained so much that they have been unable to compete or grow their business as they would have if they had not taken these products.

Ouch! I have to applaud Chris Skinner and the Financial Services Club here for coming forth with this information. It is time for society to break ranks here and start dealing with the banks. If this is not done, the banks will bring us all down, and it is not clear at all that the banks aren't going to do just that.

Meanwhile back to the scandal du jour. We are talking about 40k businesses, with average suggested compensation of 2.5 million quid - so we are already up to a potential exposure of 100 billion pounds. Given this, there is no doubt that even the most thickest of the dumbest can predict what will happen next:

Mainly because of the Parliamentary investigation, the Financial Services Authority was kicked into action and, on June 29 2012, announced that it had found "serious failings in the sale of IRSAs to small and medium sized businesses and that this has resulted in a severe impact on a large number of these businesses.”

However, it then left the banks to investigate the cases and work out how to compensate and address them .

The banks response was released on January 31 2013, and it was notable that between the June announcement and bank response in January that the number of cases rose from 28,000 to 40,000. It was also noteworthy that of those 40,000 cases investigated, over 90% were found to have been mis-sold. That’s a pretty damning indictment.

Even then the real issue, according to Jeremy [of Bully Banks], is that the banks are in charge of the process.

Not only is the fox in charge of the chickens, it's also paying off them off for their slaughter. Do we really need to say more? The regulators are in bed with the banks in trying to suppress this scandal.

Obviously, this cunning tactic will save poor banks money and embarrassment. But the emerging problem here is that, as suggested many times in this blog (e.g., 2, 3, 4, ...) and elsewhere, the public is now becoming increasingly convinced that banks are not healthy, honest members of society.

Which is fine, as long as nothing happens.

But I see an issue emerging in the next systemic shock to hit the financial world: if the public's patience is exhausted, as it appeared to be over Cyprus, then the next systemic shock is going to cause the collapse of some major banks. For right or wrong, the public is not going to accept any more talk of bailouts, taxpayer subsidies, etc etc.

The chickens are going to turn on the foxes, and they will not be satisfied with anything less than blood.

One hopes that the old Lady's bank tear-down team is boned up and ready to roll, because they'll be working hard soon.

Auditors All Fall Down; PFGBest and MF Global Frauds Reveal Weak Watchdogs

Without much comment, from Francine McKenna:

Auditors All Fall Down; PFGBest and MF Global Frauds Reveal Weak Watchdogs

[snip]

The made-for-TV drama is instead unfolding in Cedar Falls, Iowa and Chicago where, in “truth is stranger than fiction” style, PFGBest’s Russell Wasendorf Sr. says he used his “blunt authority” as sole owner and CEO to falsify bank statements sent to regulators for twenty years using Photoshop, Excel, scanners and laser printers.

Instead of MF Global’s world-renowned auditor PwC, we’ve got a one-woman show, Jeannie Veraja-Snelling, signing the audit opinion accompanying the financial statements for PFGBest. Not that there’s much less apparent incompetence when a global firm like PwC misses increased risk and deteriorating controls at MF Global and signs off on a clean annual audit opinion as recently as March 31, 2011, seven months before MF Global was forced into bankruptcy. PwC also signed off on a 10-Q review at the end of June, and a bond issue in August of 2011.

Wasendorf’s suicide note said that he duped his first-response regulator, the National Futures Association, by intercepting its request for confirmation of his bank balances, including funds segregated and safeguarded for customers, by using a P.O. Box he set up in the name of US Bank. He simply wrote whatever he wanted on those confirmation requests and signed in the name of the bank. His doctored banks statements with matching figures were sent along with the confirmation request back to the regulator.

“I was forced into a difficult decision: Should I go out of business or cheat?” he wrote. “I guess my ego was too big to admit failure. So I cheated,” his suicide note said.

Regulators, auditors and internal controls can not prevent a psychopath from lying, cheating and stealing to perpetuate a myth and sustain a lavish lifestyle, but they can and should detect the fraud much sooner if not immediately.

Wasendorf’s admission does not explain how he also duped the independent auditor. One of the cornerstones of an independent audit is an independent confirmation of bank balances. PFGBest’s auditor was either duped for twenty years or complicit in the fraud. Neither conclusion is a good one for her. Auditors are forbidden to use company personnel to obtain or process bank balance confirmations. Of course, that hasn’t prevented auditors from falling down on this critical part of their job anyway, leading recently to some of the biggest and most notorious fraud cases in years.

Deloitte’s audit client Parmalat gave that firm falsified bank confirmations. Deloitte’s Milan firm and its international coordinating firm eventually settled the 2003 case with Parmalat bondholders and shareholders for almost $200 million total. Price Waterhouse India partners are still facing criminal charges and the firm is being sued by its former audit client Mahindra Satyam for the fraud revealed by Satyam’s CEO who admitted to falsifying $1 billion in bank balances. Price Waterhouse India paid fines to the SEC, PCAOB, and settled with shareholders. Regulators said Price Waterhouse India’s audits were negligent because they failed to obtain confirmations of bank balances directly from banks and instead accepted management’s representations without independent verification. Several of the current Chinese frauds allege bank confirmation fraud, including accusations of collusion with executives by bank officials and negligence by auditors Deloitte China and others.

What’s even more troubling to me is PFGBest’s auditor, and many others who audit only SEC-registered broker-dealers, may be breaking laws as well as being negligent in their public duty to the capital markets.

(Big Snip)

On that latter, read the article for detail...

Banks will take responsibility for online fraud

Several cases in USA are resolving in online theft via bank account hackery. Here's one:

Village View Escrow Inc., which in March 2010 lost nearly $400,000 after its online bank account with Professional Business Bank was taken over by hackers, has reached a settlement with the bank for an undisclosed amount, says Michelle Marsico, Village View's owner and president.

As a result of the settlement, Village View recovered more than the full amount of the funds that had been fraudulently taken from the account, plus interest, the company says in a statement.

And two more:

Two similar cases, PATCO Construction Inc. vs. Ocean Bank and Experi-Metal Inc. vs. Comerica Bank, raised questions about liability and reasonable security, yet each resulted in a different verdict.

In 2010, PATCO sued Ocean Bank for the more than $500,000 it lost in May 2009, after its commercial bank account with Ocean Bank was taken over. PATCO argued that Ocean Bank was not complying with existing FFIEC requirements for multifactor authentication when it relied solely on log-in and password credentials to verify transactions.

Last year, a District Court magistrate found the bank met legal requirements for multifactor authentication and dismissed the suit.

In December 2009, EMI sued Comerica after more than $550,000 in fraudulent wire transfers left EMI's account.

In the EMI ruling, the court found that Comerica should have identified and disallowed the fraudulent transactions, based on EMI's history, which had been limited to transactions with a select group of domestic entities. The court also noted that Comerica's knowledge of phishing attempts aimed at its clients should have caused the bank to be more cautious.

In the ruling, the court required Comerica to reimburse EMI for the more than $560,000 it lost after the bank approved the fraudulent wire transfers.

Here's how it happens. There will be many of these. Many of the victims will sue. Many if the cases will lose.

Those that lose are irrelevant. Those that win will set the scene. Eventually some precedent will be found, either at law or at reputation, that will allow people to trust banks again. Some more commentary.

The reason for the inevitability of this result is simple: society and banks both agree that we don't need banks unless the money is safe.

Online banking isn't safe. It behoves to the banks to make it safe. We're in the phase where the court of law and public opinion are working to get that result.

What's the takeaway on Audit?

OK, so I edited the title, to fit in with an old Audit cycle I penned a while ago (I, II, III, IV, V, VI, VII).

Here's the full unedited quote from Avivah Litan, who comments on the latest 1.5m credit card breach in US of A:

What’s the takeaway on PCI? The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.

Just a little emphasis, so audit me! PCI is that audit imposed by the credit card industry on processors. It's widely criticised. I imagine it does the same thing as most mandated and controlled audits - sets a very low bar, one low enough to let everyone pass if they've got the money to pay to enter the race.

For those wondering what happened to the audits of Global Payments, DigiNotar, Heartland, and hell, let's invite a few old friends to the party: MFGlobal, AIG, Lehman Brothers, Northern Rock, Greece PLC, the Japanese Nuclear Industry disaster recovery team and the Federal Reserve.... well, here's Avivah's hint:

In the meantime, Global Payments who was PCI compliant at the time of their breach is no longer PCI compliant – and was delisted by Visa – yet they continue to process payments.

That's a relief! So PCI comes with a handy kill-switch. If something goes wrong, we kill your audit :)

Problem solved. I wonder what the price of the kill-switch is, without the audit?

one week later - chewing on the last morsel of Trust in the PKI business

After a week of fairly strong deliberations, Mozilla has sent out a message to all CAs to clarify that MITM activity is not acceptable.

It would seem that Trustwave might slip through without losing their spot in the root list of major vendors. The reasons for this is a combination of: up-front disclosure, a short timeframe within which the subCA was issued and used (at this stage limited to 2011), and the principle of wiser heads prevailing.

That's my assessment at least.

My hope is that this has set the scene. The next discovery will be fatal for that CA. The only way forward for a CA that has issued at any time in the past an MITM-enabled subCA would be the following:

+ up-front disclosure to the public. By that I mean, not privately to Mozilla or other vendors. That won't be good enough. Nobody trusts the secret channels anymore.
+ in the event that this is still going on, an *fast* plan, agreed and committed to vendors, to withdraw completely any of these MITM sub-CAs or similar arrangements. By that I mean *with prejudice* to any customers - breaching contract if necessary.

Any deviation means termination of the root. Guys, you got one free pass at this, and Trustwave used it up. The jaws of Trust are hungry for your response.

That is what I'll be looking for at Mozilla. Unfortunately there is no forum for Google and others, so Mozilla still remains the bellwether for trust in CAs in general.

That's not a compliment; it's more a description of how little trust there is. If there is a desire to create some, that's possibly where we'll see the signs.

the emerging market for corporate issuance of money

As an aside to the old currency market currently collapsing, in the now universally known movie GFC-2 rolling on your screens right now, some people have commented that perhaps online currencies and LETS and so forth will fill the gap. Unlikely, they won't fill the gap, but they will surge in popularity. From a business perspective, it is then some fun to keep an eye on them. An article on Facebook credits by George Anders, which is probably the one to watch:

Facebook’s 27-year-old founder, Mark Zuckerberg, isn’t usually mentioned in the same breath as Ben Bernanke, the 58-year-old head of the Federal Reserve. But Facebook’s early adventures in the money-creating business are going well enough that the central-bank comparison gets tempting.

Let's be very clear here: the mainstream media and most commentators will have very little clue what this is about. So they will search for easy analogues such as a comparison with national units, leading to specious comparisons of Zuckerberg to Bernanke. Hopeless and complete utter nonsense, but it makes for easy copy and nobody will call them on it.

Edward Castronova, a telecommunications professor at Indiana University, is fascinated by the rise of what he calls “wildcat currencies,” such as Facebook Credits. He has been studying the economics of online games and virtual worlds for the better part of a decade. Right now, he calculates, the Facebook Credits ecosystem can’t be any bigger than Barbados’s economy and might be significantly smaller. If the definition of digital goods keeps widening, though, he says, “this could be the start of something big.”

This is a little less naive and also slightly subtle. Let me re-write it:

If you believe that Facebook will continue to dominate and hold its market size, and if you believe that they will be able to successfully walk the minefield of self-issued currencies, then the result will be important. In approximate terms, think about PayPal-scaled importance, order of magnitude.

Note the assumptions there. Facebook have a shot at the title, because they have massive size and uncontested control of their userbase. (Google, Apple, Microsoft could all do the same thing, and in a sense, they already are...)

The more important assumption is how well they avoid the minefield of self-issued currencies. The problem here is that there are no books on it, no written lore, no academic seat of learning, nothing but the school of hard-knocks. To their credit, Facebook have already learnt quite a bit from the errors of their immediate predecessors. Which is no mean feat, as historically, self-issuers learn very little from their forebears, which is a good predictor of things to come.

Of the currency issuers that spring up, 99% are destined to walk on a mine. Worse, they can see the mine in front of them, they successfully aim for it, and walk right onto it with aplomb. No help needed at all. And, with 15 years of observation, I can say that this is quite consistent.

Why? I think it is because there is a core dichotomy at work here. In order to be a self-issuer you have to be independent enough to not need advice from anyone, which will be familiar to business observers as the entrepreneur-type. Others will call it arrogant, pig-headed, too darned confident for his own good... but I prefer to call it entrepreneurial spirit.

*But* the issuance of money is something that is typically beyond most people's ken at an academic or knowledge level. Usage of money is something that we all know, and all learnt at age 5 or so. We can all put a predictions in at this level, and some players can make good judgements (such as Peter Vodel's Predictions for Facebook Credits in 2012).

Issuance of money however is a completely different thing to usage. It is seriously difficult to research and learn; by way of benchmark, I wrote in 2000 you need to be quite adept at 7 different disciplines to do online money (what we then called Financial Cryptography). That number was reached after as many years of research on issuance, and nearly that number working in the field full time.

And, I still got criticised by disciplines that I didn't include.

Perhaps fairly...

You can see where I'm heading. The central dichotomy of money issuance then is that the self-issuer must be both capable of ignoring advice, and putting together an overwhelming body of knowledge at the same time; which is a disastrous clash as entrepreneurs are hopeless at blindspots, unknowns, and prior art.

There is no easy answer to this clash of intellectual challenges. Most people will for example assume that institutions are the way to handle any problem, but that answer is just another minefield:

If Facebook at some point is willing to reduce its cut of each Credits transaction, this new form of online liquidity may catch the eye of many more merchants and customers. As Castronova observes: “there’s a dynamic here that the Federal Reserve ought to look at.”

Now, we know that Castronovo said that for media interest only, but it is important to understand what really happens with the Central Banks. Part of the answer here is that they already do observe the emerging money market :) They just won't talk to the media or anyone else about it.

Another part of the answer is that CBs do not know how to issue money either; another dichotomy easily explained by the fact that most CBs manage a money that was created a long time ago, and the story has changed in the telling.

So, we come to the the really difficult question: what to do about it? CBs don't know, so they will definately keep the stony face up because their natural reaction to any question is silence.

But wait! you should be saying. What about the Euro?

Well, it is true that the Europeans did indeed successfully manage to re-invent the art and issue a new currency. But, did they really know what they were doing? I would put it to you that the Euro is the exception that proves the rule. They may have issued a currency very well, but they failed spectacularly in integrating that currency into the economy.

Which brings us full circle back to the movie now showing on media tonight and every night: GFC-2.

Audit redux.2 - and what happened to the missing MF Global client funds?

As we all know by now, MF Global crashed with some many billions of losses, filing for bankrupcy on 31st October. James Turk wonders aloud:

First of all investors should be concerned because everything is so inter-connected today. People call it contagion and this contagion is real because the MF Global bankruptcy is going to have a knock on effect, just like Lehman Brothers had a knock on effect.”

The point being that we know there is a big collapse coming, but we don't know what it will that will trigger it. James is making the broad point that a firm collapsing on the west side of the Atlantic could cause collapse in Europe. But wait, there's more:

So the contagion is the first reason for concern. The second reason for concern is it’s taking so long for them to find this so called missing money, which I find shocking. It’s been three weeks now since the MF Global bankruptcy was declared and they started talking about $600 million of missing funds.

So I’m not too surprised that now they are talking about $1.2 billion of missing customer funds. I think they are just trying to delay the inevitable as to how bad the situation at MF Global really is.

And more! Chris points to an article by Bloomberg / Jonathan Weil:

This week the trustee for the liquidation of its U.S. brokerage unit said as much as $1.2 billion of customer money is missing, maybe more. Those deposits should have been kept segregated from the company’s funds. By all indications, they weren’t.

Jonathan zeroes in on the heart of the matter:

Six months ago the accounting firm PricewaterhouseCoopers LLP said MF Global Holdings Ltd. and its units “maintained, in all material respects, effective internal control over financial reporting as of March 31, 2011.” A lot of people who relied on that opinion lost a ton of money.

So when I asked:

Let's check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?

we now know that PricewaterhouseCoopers LLP will not be stepping up to the podium with MF Global! Jonathan echoes some of the questions I asked:

What’s the point of having auditors do reports like this? And are they worth the cost? It’s getting harder to answer those questions in a way the accounting profession would favor.

But now that we have a more cohesive case study to pick through, some clues are emerging:

“Their books are a disaster,” Scott O’Malia, a commissioner at the Commodity Futures Trading Commission, told the Wall Street Journal in an interview two weeks ago. The newspaper also quoted Thomas Peterffy, CEO of Interactive Brokers Group Inc., saying: “I always knew the records were in shambles, but I didn’t know to what extent.” Interactive Brokers backed out of a potential deal to buy MF last month after finding discrepancies in its financial reports.

That's a tough start for PricewaterhouseCoopers LLP. Then:

For fiscal 2007, MF Global paid Pricewaterhouse $17.1 million in audit fees. By fiscal 2011, that had fallen to $10.9 million, even as warning signs about MF’s internal controls were surfacing publicly.

In 2007, MF and one of its executives paid a combined $77 million to settle CFTC allegations of mishandling hedge-fund clients’ accounts, as well as supervisory and record-keeping violations. In 2009, the commission fined MF $10 million for four instances of risk-supervision failures, including one that resulted in $141 million of trading losses on wheat futures. Suffice it to say, Pricewaterhouse should have been on high alert.

On top of that, Pricewaterhouse’s main regulator, the Public Company Accounting Oversight Board, released a nasty report this week on the firm’s audit performance. The agency cited deficiencies in 28 audits, out of 75 that it inspected last year. The tally included 13 clients where the board said the firm had botched its internal-control audits. The report didn’t name the companies. One of them could have been MF, for all we know.

In a response letter to the board, Pricewaterhouse’s U.S. chairman, Bob Moritz, and the head of its U.S. audit practice, Tim Ryan, said the firm is taking steps to improve its audit quality.

Ha! Jonathan asks the pointed question:

The point of having a report by an independent auditor is to assure the public that what a company says is true. Yet if the reports aren’t reliable, they’re worse than worthless, because they sucker the public with false promises. Maybe, just maybe, we should stop requiring them altogether.

Exactly. This was what I was laying out for the reader in my Audit cycle. But I was doing it from observation and logic, not from knowing about any particular episode. One however was expected to follow from the other...

The Audit brand depletes. Certainly time to start asking hard questions. Is there value in using a big 4 auditor? Could a firm get by on a more local operation? Are there better ways?

And, what does a big N auditor do in the new world? Well, here's one suggestion: take the bull by the horns and start laying out the truth! KPMG's new Chairman seems to be keen to add on to last week's revelation with some more:

KPMG International LLP’s global chairman, Michael Andrew, said fraud was evident at Olympus Corp. (7733) and his firm met all legal obligations to pass on information related to Olympus’s 2008 acquisition of Gyrus Group Ltd. before it was replaced as the camera maker’s auditor.

“We were displaced as a result of doing our job,” Andrew told reporters at the Foreign Correspondents’ Club in Hong Kong today. “It’s pretty evident to me there was very, very significant fraud and that a number of parties had been complicit.”

Now, if I was a big N auditor, that's exactly what I'd do. Break the cone of silence and start revealing the dirt. We can't possibly make things any worse for audit, so let's shake things up. Go, Andrew.

Audit redux - KPMG reveals... FRAUD? You be the Jury!

I like a guy who picks a fight. Especially, if he's an auditor!

New KPMG global chairman Michael Andrew says global regulators are hell-bent on breaking the dominance of large global audit firms without regard for the impact on stability of financial makerts and employment. "This is the worst time to be reforming the profession. You want financial stability. You want large employers in the marketplace taking on graduates. Why an earth is this an imperative right now?"

Australian Financial Review's article, "Global Chief blasts audacious attack on audit" of 21st November 2011, brings us some of the worst sort of self-serving excuses - saying that Auditors are part of the solution, not part of the problem.

I'm not buying it. Back in February of 2009 I asked of the auditors:

Let's check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?

No. Not one, not even a single one!

KPMG's Chairman is going to need a better set of excuses. Indeed, belatedly, it seems that others are asking too. From the same article, behind a paywall it seems:

The move against the big four is a backlash to the global financial crisis. The whole premise of audit is to inform capital markets. So why didn't they foresee, or prevent, the financial crisis and Europe's currency problems?

Now, I'm not going that far. I don't think audit could or should have prevented the GFC1 or GFC2, and it is the economist that foresees crises, not auditors. Rather, I'm saying:

Yet, the basic failures in the financial crisis are so blatant that surely, even by accident at least one audit should have picked up at least one pending failure, and fixed it?

Surely an easier test: not a single auditor has rung the bell on a single bad bank, that we know of. So what went wrong? I suggest the cause of failure by examination of the basic product of audit, and I conclude, in short words, you the public cannot rely on it. To you, the public, audit is an unknown unknown, you don't even know enough to know what it is. And in that environment, auditors shifted it somewhere else.

However, Michael Andrew brings a new causality to the court of public appeal:

One of the US's major criticisms of IFRS (International Financial Reporting Standards) is that it is subject to political intervention.

They're right to be concerned, said Mr Andrew. "We had regulators and governments telling us not to write down Greek debt in certain countries. They were refusing to allow accounting firms to adjust, saying they would underwrite a portion of the debt but refusing to put [that commitment] in writing," he said.

Whoa! Did he just say that? Did I just write out those words, taken from a scrappy photocopy of a print-only article? Yes indeed, word for word.

Haven't we seen that before? Let's ask Joseph T. Wells for the definition of fraud:

Under common law, three elements are required to prove fraud: a material false statement made with an intent to deceive (scienter), a victim's reliance on the statement and damages.

Now, I don't want to be sued back into the dark ages by accusing auditors of fraud, so let's test it in the court of the informed observer:

1. Intent?!
   1. Was failing to write down the greeks a bad?
   2. Did the Auditors deliver reports saying the banks' accounts were good?
   3. Would good reports over bad greeks be materially false?
   4. Was there an intent to deceive the audit-relying public?
   5. Who by?
2. Did the victims of the worlds financial markets rely on rosy audit reports? and
3. Were there damages?

Now, I'm no lawyer. And, the Auditor's defence will clearly be "the government told us to do it!" Which might even get them off, who knows? Or it might just bring the governments in on the act -- have they defrauded the entire planet by some act of conspiracy or abuse? Or, or or...

I don't know. But this is a question that simply must be answered.

I call for a jury of victims! Over to you. What is your verdict?

PS: before the papparazzi and the bureaucrats get too excited: Michael Andrew did the right thing by blowing the lid on the intervention. We need more facts, more causes, not more coverups.

PPS 2017: finally 6 years later, the system may be brought to trial.

Regulating the future financial system - the double-entry headache needs a triple-entry aspirin

How to cope with a financial system that looks like it's about to collapse every time bad news turns up? This is an issue that is causing a few headaches amongst the regulators. Here's some musings from Chris Skinner over a paper from the Financial Stability gurus at the Bank of England:

Third, the paper argues for policies that create much greater transparency in the system.

This means that the committees worldwide will begin “collecting systematically much greater amounts of data on evolving financial network structure, potentially in close to real time. For example, the introduction of the Office of Financial Research (OFR) under the Dodd-Frank Act will nudge the United States in this direction.

“This data revolution potentially brings at least two benefits.

“First, it ought to provide the authorities with data to calibrate and parameterise the sort of network framework developed here. An empirical mapping of the true network structure should allow for better identification of potential financial tipping points and cliff edges across the financial system. It could thus provide a sounder, quantitative basis for judging remedial policy actions to avoid these cliff edges.

“Second, more publicly available data on network structures may affect the behaviour of financial institutions in the network. Armed with greater information on counterparty risk, banks may feel less need to hoard liquidity following a disturbance.”

Yup. Real time data collection will be there in the foundation of future finance.

But have a care: you can't use the systems you have now. That's because if you layer regulation over policy over predictions over datamining over banking over securitization over transaction systems … all layered over clunky old 14th century double entry … the whole system will come crashing down like the WTC when someone flies a big can of gas into it.

The reason? Double entry is a fine tool at the intra-corporate level. Indeed, it was material in the rise of the modern corporation form, in the fine tradition of the Italian city states, longitudinal contractual obligations and open employment. But, double entry isn't designed to cope with the transactional load of of inter-company globalised finance. Once we go outside the corporation, the inverted pyramid gets too big, too heavy, and the forces crush down on the apex.

It can't do it. Triple entry can. That's because it is cryptographically solid, so it can survive the rigours of those concentrated forces at the inverted apex. That doesn't solve the nightmare scenarios like securitization spaghetti loans, but it does mean that when they ultimately unravel and collapse, we can track and allocate them.

Message to the regulators: if you want your pyramid to last, start with triple entry.

PS: did the paper really say "More taxes and levies on banks to ensure that the system can survive future shocks;" … seriously? Do people really believe that Tobin tax nonsense?

Lords: Auditors guilty of 'dereliction of duty'

I had thought I was a voice in the wilderness on the question of criticising Audit as having left the party by the back door before the cops arrived. But, no, it seems that some have noticed. The Economist reports:

THE average divorce in Britain comes after 11 years of marriage. Compare that with the fidelity of a big British company to its auditors: 48 years on average, according to the Financial Reporting Council, Britain’s accounting watchdog, which tallied the figures for Britain’s biggest firms, the constituents of the FTSE 100. The reason is increasingly obvious, and worrisome, to regulators in Britain and elsewhere: the concentration of big accounting engagements in just four firms’ hands: PwC, Deloitte, KPMG and Ernst & Young.

The “Big Four” audit 99 of the FTSE 100, and 240 of the FTSE 250. ...

OK, that's really a follow-on from the Arthur Anderson and KPMG story of too big to fail. Yes, the Audit industry is now totally concentrated, which indicates to the economists amongst us that fees will have risen and the product will have drifted. Note that I didn't say quality, as in some cases the quality might have gone up -- including to well beyond reasonable, where we are paying for something we don't get a benefit from.

Which point I made in that Audit cycle; Auditors no longer serve society, society serves Auditors. Which came to a head with the financial crisis of 2007:

This caught the attention of the House of Lords, which in March pinned the firms’ “dereliction of duty” in the financial crisis, in part, on their oligopoly. (To make matters worse, only three of the four audit banks in Britain.) The Lords recommended that the Office of Fair Trading take a look at the problem. On May 17th the OFT announced that it was opening formal investigations into whether to refer the issue onto the Competition Commission, which could force changes on the industry.

So an investigation is being opened. This is one of those sticky areas where the Auditors police themselves, so what happens when that fails? Who do you go to? Well, the answers are somewhere between nobody and everyone. In this case, everyone includes the Lords, the OFT and the Competition Commission.

Which brings up the next sticky point. Are we really saying that this is a competition issue?

The firms insist that removing experienced audit firms from their clients would be inefficient and expensive. But regulators will weigh that potential expense against the expense of another systemic “dereliction of duty” by the auditors. The disappearance of one of the Big Four—recalling how quickly Arthur Andersen evaporated in the Enron scandal—would be more expensive still.

Apparently we are at least weighing competition issues with the systemic problem of the collapse of 2007. I don't know quite how the Economist came to that conclusion, but to me, the big question is this: how did the Auditors completely miss that all the big firms in Wall Street were about to cross into bankrupcy (declared or otherwise)? As the UK parliament summarised this question:

‘The breakdown of dialogue between bank auditors and regulators made the financial crisis worse’

Auditors were either unaware of the mounting dangers in the banks or, if they were aware, failed to alert the supervisory authority. The paucity of meetings between bank auditors and the supervisor was a “dereliction of duty” by both auditors and regulators. The Committee recommends legislation to re-establish mandatory two-way confidential dialogue between bank auditors and supervisors to help avoid a similar crisis in future.

Here's one suggestion of an answer:

...the UK House of Lords’ Economic Committee [...] recently asked UK leaders of all of the Big 4 audit firms – Deloitte, Ernst & Young, KPMG and PricewaterhouseCoopers – about the absence of warnings or “going concern” qualification for banks that failed or were bailed out.

The auditors’ response: The Bank of England told us, in confidence, that they would support the banks financially.

That's a really interesting answer! But I for one am not ready to call that a *good answer*. And if we don't have a good answer to that question, do we have a need for a good Audit?

ICAEW chief executive Michael Izza rejected the argument that auditors were culpable in the banking crisis, stating: “They did the job that they were expected to do - provide an audit opinion on banks' financial statements.”

But that isn't it! Audit has shifted from "opinion over financial statements" to being a small cog in a huge consulting machine. So we seem to be getting to the nub of the question: can the Auditors have their cake and eat it to?

This is a question that is slowly being asked. Amongst leading cases against audit is this:

Cuomo’s final act as NYAG last [December] was suing Ernst & Young for fraud for allowing Lehman Brothers to cook its books using “Repo 105.” That accounting practice, which may have been used by other Wall Street firms during the subprime binge, allowed Lehman to take billions of its toxic assets off its balance sheet for a few days at the end of the crucial 2nd and 3rd quarters of 2008, months before it filed for bankruptcy.

By moving toxic assets first off and then back on its books, Lehman was effectively dressing up its balance sheet in a deceptive manner. The lawsuit essentially alleges that Ernst & Young was aware of the practice, starting when it became Lehman Bros.’ auditor in 2001 until the firm’s death in 2008.

Lehman Bros.’ actions, and Ernst & Young turning a blind eye to them, stink to high heaven. Investors suffered devastating losses from the accounting chicanery. But one, huge question remains unanswered: As the financial and subprime crisis unfolded, where were the auditors who were the “gatekeepers” charged with protecting shareholders?

Or, more on point to whether Auditors do indeed provide an audit opinion, the Lehman Brothers bankrupcy report said:

(3) Ernst & Young Would Not Opine on the Materiality of Lehman’s Repo 105 Usage

Don't hold your breath that Auditors will be brought to account before the judge, though.

"Every time somebody comes up with a new fraudulent scheme, auditors miss it," said Andrea Kim, a partner at law firm Diamond McCarthy LLP in Houston who represents plaintiffs in auditor lawsuits. "The historical pattern is that they find a way to manage the litigation to limit their liability."

The credit crisis, which pushed the U.S. financial system to the brink of collapse, led to a wave of investor litigation against banks, lenders and others. Auditors are prime targets because investors try to rope in as many defendants as possible to increase recoveries. Auditors also may have the deepest pockets if the company they audited files for bankruptcy.

So we are now seeing a big lesson unfold. So far the Auditors are securing many dismissals and some settlements. The lesson then is more for us than them.

"Members of the media are not included."

In yet more confusing evidence, Wired reports on the Boeing Audit Whistleblowing case:

The 9th U.S. Circuit Court of Appeals set aside the appeal of two former Boeing auditors who claimed their leaks to the media were protected by the Sarbanes-Oxley Act of 2002, adopted to protect shareholders against fraud. A three-judge panel of the San Francisco-based appeals court sided with Boeing, saying a provision in the act only protects those who notify the authorities, not the media, of alleged wrongdoing.

What appears to be the cause of this is that auditors, frustrated at trying to get attention in Boeing for Sarbanes-Oxley compliance, decided to leak some documents. Claiming immunity under Sarbanes-Oxley is novel, but leaking documents to the media in order to put pressure on the company is not novel - it's just not done. And, this is not a case of "should have known better." Auditors know better, they knew they are given the keys to the castle, so it is unclear why they were just fired.

The law protects employees from discrimination if they deliver the information to a federal regulatory or law enforcement agency, a member or committee of Congress or or a work supervisor.

“Members of the media are not included,” Judge Barry Silverman wrote for the unanimous court.

Anyway, that all aside, we benefit by a unique insight into the traumas of audit. Referring to the original article from Seattle-Post Intelligencer:

Sarbanes-Oxley is a wide-ranging law aimed at preventing stockholder rip-offs such as the Enron scandal from happening again. Among its requirements, it forced public companies such as Boeing to shine a light on their internal controls. It must show it has checks and balances on people and computer systems to guarantee accuracy of financial statements. ....

The federal guidelines for computer controls are unclear, and where the law is murky, auditors and company officials are left to fill in the gaps — facing criminal penalties if they are wrong. Companies are hungry for clarification on how to handle the information technology portion of Sarbanes-Oxley, according to The Institute of Internal Auditors, a leading professional association.

In step the Auditors, the cash-machine bells spinning in their eyes, and havoc reigns:

But Boeing’s information technology staff suffered. “They weren’t used to being involved in a finance-related audit,” McGee said in a June interview at Chicago headquarters. “We drove process discipline pretty hard.”

One person involved in the compliance effort, who asked not to be identified, told the P-I that information technology managers thought the new rules would blow over and that workers were “openly hostile” to the audits. The level of rigor — for example, documenting every single approval for a coding change — was foreign to the get-things-done culture of Boeing’s computer professionals.

The employee described the first two years as “pure hell” for the information technology staff. Colleagues agreed. Even auditors were unhappy, leading to infighting last year between consultants at PricewaterhouseCoopers and Jefferson Wells — the two firms contracted to help Boeing with internal audits.

Infighting in consultants is nothing special, as they defend their billings to the death. There's a huge incentive in replacing another contractor that turns them against each other. This sometimes ends up badly for a consultant, but it always ends up badly for the client:

Meanwhile, the experts at Jefferson Wells and PricewaterhouseCoopers spent hours — billed to Boeing — disputing each other’s findings.

What appears to be at the heart of this is that audit hasn't really served the corporation well. We know that Sarbanes-Oxley was a good effort at tightening up controls. But to what end? In this case, Boeing wasn't an Enron. It's easy to measure its progress. Planes come off the line at regular intervals, they are huge and easily countable, and if they don't work, it's spectacularly obvious.

So we have the possibility of over-measurement -- measuring something that costs more to measure than it delivers in benefits to the stockholder. What might be needed for the Enrons and the banks of the world, which deal in virtual product, isn't so clear for the physical sector.

“This sounds really, really messy,” Heriot Prentice, director of technology practices at the Institute of Internal Auditors, said upon hearing all of the charges and countercharges without knowing that he was speaking about Boeing, specifically. “This sounds like a big mess.”

Companies have been monitoring their computer systems for years — but under Sarbanes-Oxley, it was the first time that all public companies were required by law to do so as a part of a company’s “internal control over financial reporting.”

That control requirement, often nicknamed “404 compliance” after its corresponding part of the law, has been the most controversial and expensive aspect of Sarbanes-Oxley — and federal rules are now under review. Many executives bristled at the soaring costs of information technology compliance.

Control over financial reporting starts with control over financial transactions ... perhaps this was a simple case where they should have used SOX not SOx and triple entry accounting not double entry auditors?

Did you read your adverse Audit Review?

Twans asks what happened to the blog, and the short answer is, like the US Patent Office in the early 1900s, there's nothing new worth writing.

Here's a small piece of evidence from the financial crisis, which I covered in much depth in my Audit cycle:

At one point, the lack of quality control at Deutsche Bank’s mortgage lending unit, MortgageIT, prompted the hiring of an outside vendor to conduct reviews of the mortgages the bank approved for FHA insurance.

According to the suit, when the outside vendor found violations in the way it was approving mortgages for FHA insurance it sent letters to MortgageIT making them aware of the problems. Unfortunately, those letters weren’t read because employees there “stuffed the letters, unopened and unread, in a closet in MortgageIT’s Manhattan headquarters,” according to the suit.

Short version: In order to get some form of subsidy in the securitization business, Deutschebank hired an external auditor to review its lending practices. Then, didn't read the results. Which of course were adverse.

What does it mean for the mortgage lending industry? Sabino speculates that there’s a 50/50 chance that the allegations made by the U.S. Attorney’s office are not unique to Deutsche Bank.

In my Audit cycle I speculated that the Audit industry is so filled with errors at many and different points that at this time in history, it is useless to society. That is, it cannot be relied upon to deliver the result. This is evidence supporting that hypothesis.

VeriSign takes the "Trust" out of "SSL certificates"

In a funny little announcement that will have CA industry fans scratching their heads for a year or so, Verisign announces a one day sale of its "Trust seals":

According to VeriSign, "The VeriSign Trust seal shows the world that VeriSign has confirmed your identity and your site has passed the VeriSign malware scan."

A year's worth of service for a VeriSign Trust seal normally sells for $299. During the "Dollar Day" sale, which will run from 12:01AM PST to 11:59PM -- "from midnight to midnight," said Tim Callan, head of marketing for VeriSign trust services at Symantec -- VeriSign is offering a $298 discount on one year's worth of Trust seal.

A comment of background. VeriSign recently closed a deal to sell its CA (Certification Authority) to Symantec. For CAs, this was a big development, because VeriSign has about three quarters of the market, it would be like General Motors selling its car division to some random dude with a car parts shop.

The big issue then for VeriSign and Symantec is how to slice and dice the various brands and assets up to maintain the integrity of the deal [1]. VeriSign more or less pioneered the use of the word "Trust" as with a lot else, hence the term "Trust Business." A curiosity that arose from the sale was whether Symantec was to be Trusted with the Business, as it were. Apparently they are:

Available since April 2010, the VeriSign Trust seal is an alternative to the company's older seal. "The 'VeriSign Secured' circle-and-check VeriSign Seal has historically been yoked to our VeriSign SSL certificate, which meant that you had to be using VeriSign SSL Certificates to get a seal," said Callan.

"But many small businesses outsource their shopping cart to a third party like Yahoo or eBay, where they can't get SSL," said Callan. These third-party shopping carts are typically secured with SSL on their own, as indicated by the URL starting with HTTPS or SHTTP. "This means that credible businesses are penalized for being too small. So we are creating a standalone version of the seal. Businesses have to be secure, and have their identify confirmed... but they don't have to be using SSL."

Is that for real? Yes it is. Indeed, over at CAcert (where I do lots) we have long recognised that the use of these words in the context of the overall certificate business was confusing and could present substantial difficulties if challenged in court [2].

The word "Trust" is more or less taboo in CAcert, and has been for many years; instead, we do other things that IMNSHO are far more sustainable, useful and justifiable. These are loosely grouped under the term RELY, generally written in caps to signal its special status as a word of much meaning.

Using the opportunity at hand, the new manager has wisely firewalled the issue as a separated brand and business. Which leaves the rest of the CA business to swing back into line in their own time.

---

[1] this is a standard business problem. For example, IBM had to do the same when it sold its market-leading laptops to Lenova, giving them a 5 year franchise on the use of the IBM brand.

[2] That's euphemistic code for "open to charges of deceptive trading practices" or other salacious troublemongering by an aggrieved plaintiff. I also hasten to point out that I have from time to time warned CAs about sailing too close to the wind, and VeriSign to its credit had become more careful about using the term too aggressively. Which is to say, I claim voce piano, there's more to this than idle grumbling about a successful competitor's annoyingly successful brand.

Crypto-plumbers versus the Men in Black, round 16.

Skype, RIM, and now CircleTech v. the governments. This battle has been going on for a while. Here's today's battle results:

BIS [Czech counter-intelligence] officers first offered to Satanek that his firm would supply an encryption system with "a defect" to the market which would help the secret service find out the content of encrypted messages. "This is out of question. It is as if we were proclaiming we are selling bullet-proof vests that would actually not be bullet-proof," Satanek told MfD.

This is why BIS offered a deal to the firm's owners. BIS wanted CircleTech to develop a programme to decipher the codes. It would only partially help the secret service since not even CircleTech is capable of developing a universal key to decipher all of its codes. Nevertheless, software companies are offering such partial services, and consequently it would not be a problem for CircleTech to meet the order, MfD notes.

However, BIS officers said the firm need not register the money it would receive from BIS for the order, the paper writes. "You will have on opportunity to get an income that need not be subject to taxation," MfD cites the secret recording of a BIS officer at a meeting with the firm. Satanek rejected the offer and recorded the meetings with BIS.

BIS then gave it up. However, two months ago it contacted Satanek again, MfD writes. "They told me that we are allegedly meeting suspicious persons who pose a security risk to the state. In such a case we may not pass security vetting of the National Security Office (NBU)," Satanek told MfD.

Subversion, bribes, and threats, it's all in there! And, no wonder every hot new code jockey goes all starry-eyed at the thought of working on free, open encryption systems.

What would the auditor say to this?

Iran's Bushehr nuclear power plant in Bushehr Port:

"An error is seen on a computer screen of Bushehr nuclear power plant's map in the Bushehr Port on the Persian Gulf, 1,000 kms south of Tehran, Iran on February 25, 2009. Iranian officials said the long-awaited power plant was expected to become operational last fall but its construction was plagued by several setbacks, including difficulties in procuring its remaining equipment and the necessary uranium fuel. (UPI Photo/Mohammad Kheirkhah)"

Click onwards for full sized image:

Compliant? Minor problem? Slight discordance? Conspiracy theory?

(spotted by Steve Bellovin)

Why Open + Internet + Brand can changes the Governance map for CAs

Daniel wrote in comments a month or so back about the need to put the CA's brand on the chrome, so all can see who makes the statement:

Assume for the moment that there is a real interest in fixing this issue (there isn't, but I'll play along). Andy is right that it isn't going to do much good because, in essence, users don't care.

The fundamental problem with this security scheme is that it requires some action of the part of the consumer. But consumers aren't interested in the bother.

This is the accepted wisdom of the community that builds these tools. Unfortunately it is too simple, and the sad reality is that this view is dangerously wrong, but self-perpetuating. Absence of respect is not evidence that the actors are stupid. For a longer discussion, see this paper: "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users." The title is maybe self-referential; if it takes you a while to work out what it is saying, you'll appreciate how consumers feel :-)

In short, it is not that consumers aren't interested in the bother, it's that they reject bad advice. And they're right to do so.

So there are two paths here, one is to improve the advice /up to the point where it is rational for users to pay attention/ which you'll recognise is a very hard target. Or, remove the advice entirely and fix the model so that it represents a better trade-off (e.g., there is only one mode, and it is secure). As far as the secure browser architecture goes, that second path is pretty much impossible because it relies on too many external components, ones which will not move unless we've also figured out how to start and stop earthquakes, volcanoes and tsunamis at whim.

So we are left with improving the advice, itself a very hard target. Let's try that:

Imagine the following situation. You walk into your local bank but in order to withdraw any money you needed to do the following: interview the guard at the door to make sure he really worked for the bank, interviewed the teller to make sure he really worked for the bank, and then set at least 10% of the money you withdrew from the bank on fire so you could watch it burn and see if it was fake or not.

Right, this is a common problem. The mistake you are making is that the majority view is how to design the product. In this case, if the majority ignore the information, we don't need to follow their view in order to redesign the product.

The reason for this is that the minority can have a sufficient effect to achieve the desired result. This is what we call Open Governance: the information is put out there, but only a small minority look at any particular subset. The crowd in aggregate looks at all, but individually, specialisation takes root and becomes the norm.

Let's step outside that context and try another. Consider a police officer's badge. It's got a number on it. Often a name, as well. When the police officer busts some trouble maker, likely the perp does not notice the badge, nor the number. 99% likely, because the perp doesn't need to know, he's busted, and it matters little by whom. So what's the point?

The point is, 1% will notice the badge number! And that's enough to cause the police -- that officer and all others -- to be cautious. To follow the rules. They don't know beforehand who's noting these things down, or not, and they don't need to. The just need to know that bad behaviour can be spotted, and as we get closer to routine bad behaviour, it is more likely that the number will be noted.

Same with your bank guard. You don't have to interview him because the teller will. And if not, someone else in the branch. And if not them, some other customer will look.

Welcome to Open Governance. This is a concept where the governance of the thing, whatever it be (a CA, a bank, a government, a copper) is done by all of us, the world, not by "some special agency." Each of us on the net has the same chance to play in this game -- to govern the big bad player -- but only a very few of us actually govern any particular thing in question.

Let's go back closer into context and consider CAs. How are these governed? Well, they publish CPSs, they get audited by auditors, and they audit is checked over by third party vendors.

For example, we've seen audit reports that totally exclude important issues from consideration. And, nobody noticed beforehand! Which indicates that whatever is being done, whatever is being written, it isn't being verified nor understood. Which more or less casts in doubt all the prior due diligence done over CAs.

This is one reason why Mozilla decided to bring in more open governance ideas. There was a recognition that the old mid-1990s CA audit model wasn't providing a reliably solid answer. There was at least some smoke and mirrors, some criticism of abuse, and these criticisms weren't getting answered. More was needed, but not more of the same, more alternate governance.

So Mozilla put in place an open list (you can join), published all new requests from CAs, and proposed them for open review (section 16 of the policy). There are a few people who read these things. Not many, because it is hard work, and it takes a lot of time. But it's a start, we can't grow these things on trees. A forest starts with a single tree.

The brand name on the chrome is the same thing. We might predict that 99% of the users won't look at it. But 1% will. And, we also know that most all computer users have someone experienced they turn to for help, and those people have a shot at knowing what the brand is about.

The effect of the brand on the chrome as a security feature is then highly dependent on that effect: the CA doesn't know who is looking, but it knows that it is now totally tied to the results in the minds of those who are looking. This is powerful. Any marketing person will tell you that a threat to the brand is far more important than a deviation from a policy. CAs will fiddle their policies and practices in a heartbeat, but they'll not fiddle their brand.

There is an old saying "trust but verify". The problem is that this is a contradiction in terms. Trust means precisely that I don't have to verify. If I have to verify every transaction to see if the money is good, that's not trust. If I have to spy on my wife all the time to see if she's cheating, that's not trust.

Asking the user to verify, when what the user wants to do is trust, is design failure that no amount of coding is going to fix.

Actually, the expression is dead-right; trust can only come from verification, and repeated verifications at that. However, those verifications will have happened in the past; we might for example point to the fact that 99.999999% of all certificates issued have never caused a problem. That's a million verifications, right there.

When you say you don't have to verify, you're really saying you can take a risk this time. But there will come a time when that will rebound. Trust without verification is naïveté.

But, what we can do is outsource and share who does the verifying. And that's what Brand on the Chrome is about; outsourcing and sharing the verification of the CAs' business practices to the crowd.

The Python and the Mongoose: it helps if you know the rules of engagement

NYT suggests that the SEC changes mentioned yesterday are approved:

The proposed changes, approved in a 5-0 vote despite misgivings expressed by two commissioners, now enter a 90-day period for public comment before coming back to the commission for revision and final approval.

but more importantly,

The bond issuers would also be required to keep a chunk of the securities in their own portfolios so that they retain some of the bonds’ risk, under the S.E.C.’s plan. ... The changes would “represent a fundamental revision to the way in which the asset-backed securities market would be regulated,” the S.E.C.’s chairwoman, Mary L. Schapiro, said. “I think changes are both necessary and critical components of restoring investor confidence.”

Aha! Someone knows the definition of banking:

Banking is the borrowing of /demand deposits/ from the public, and the lending of those same deposits, /at term/ to the public.

Banking is special for one and only one reason. Because the funds are borrowed as deposits, they can be returned today, immediately. That's what "on demand" means, and also that's what deposits mean.

Yet the loans are "at term" or to be repaid in the future. 30 years away, in the case of modern western mortgages.

And that is the crux of banking. The loans out on houses can't be called in under normal circumstances, but the public can call in its deposits now, today. Ordinarily this would be called fraud, because the bank is entering into a contract that it knows it is impossible to guarantee. For this reason, a bank charter is like a specialised permission to undergo a certain sort of fraud, or more kindly, to turn this specialised contract into something that isn't a fraud.

This arrangement is delicate. Change one word above and it is no longer banking (and in this statement you can find much of the ills of modern banking). Which leads us to securitization.

Securitization is the process of creating the at-term loans, with demand deposits, and then packaging them and selling them onto the bond market. A bond issue might collectively handle thousands of similar properties, and gets sold into the market maybe 100 days after the mortgages are sold.

Securitization breaks banking. It breaks banking because the loans are no longer at term, or they are, but they are no longer in the hands of the banks, they are on the market! So the investors in the bond market are lending at term to the house owners, and the magic link of banking has been broken.

Regulators say the financial companies that created the bonds had little incentive to ensure that the bonds were backed by reliable loans. When large portions of the borrowers began to default on the loans, the holders of the securities had big losses.

Right, exactly. As, in theory the banks no longer owned the bonds, having sold them on the market, they no longer had an incentive to manage the loans. And this is the implicit, unwritten corollary in the definition of banking: in order to get the charter, you have to look after the loans for their entire term. That's what it means, to be a bank, guard the deposited funds, out on loan, for their entire life!

The proposed rules, which would affect a large portion of new offerings in the $9.5 trillion market for securities backed by consumer loans, would in many cases require financial companies to retain 5 percent of each offering, a move that Ms. Schapiro said would “better align” the interests of investors and the securities firms.

Financial reform bills winding their way through Congress contain similar requirements that financial companies “keep skin in the game,” as the commission put it. So does a proposal by the Federal Deposit Insurance Corporation, which regulates some asset-backed securities originated by banks.

Skin in the game! Which the Python can only shed, as it outgrows model after model, leaving investors more and more confused. Models can only approximate risks of defaulting borrowers, and aren't a substitute for attentive bankers.

The big message to take away is this: Securitization breaks the fundamental law of banking. Is this good or bad? We should probably know this, because practically everything is done with securitization these days. And why not? It is decidedly more efficient, saving the occasional global meltdown.

The answer is, that securitization is decidedly good, but it renders banking no longer "special." This has a lot of ramifications: it means we no longer need banks. But we've got banks, so there is going to be a huge hangover period while society shifts from banking to market-oriented facilitation. And likely a few more crises.

It also means we don't need central banks; or at least partly, we don't need that part which regulates the banks, because standard competition and exchange regulators should be able to do the job. It's all consumer products called bonds, after all.

Yeah, sure, I hear you say, "we don't need banks..." chortle chortle. Admittedly the hangover from the century of central banking will be with us for a long time, and we can only move forward slowly. But watch: slowly but surely the move will be to open the market for loans origination.

Under the new rules, bond underwriters would not be required to receive a credit rating; rather, the chief executive of the bond issuer would have to certify that the assets were likely to produce the expected cash flows. ... Moody’s, in a statement, said, “We believe the market benefits when ratings agencies compete on the basis of the quality of their credit analysis, and we have long supported the removal of ratings from regulation.”

Baby step by baby step, the business of banking is moving over to the marketplace.

When the Python meets the Mongoose ... the SEC and programming Asset Backed Securities

Twan points to an odd thing from the Securities and Exchanges Commission in USA:

We are proposing to require that most ABS issuers file a computer program that gives effect to the flow of funds, or “waterfall,” provisions of the transaction. We are proposing that the computer program be filed on EDGAR in the form of downloadable source code in Python. … (page 205)

Under the proposed requirement, the filed source code, when downloaded and run by an investor, must provide the user with the ability to programmatically input the user’s own assumptions regarding the future performance and cash flows from the pool assets, including but not limited to assumptions about future interest rates, default rates, prepayment speeds, loss-given-default rates, and any other necessary assumptions … (page 210)

An ABS or asset backed security is a basically a financial instrument that has or "owns" a lump of property. In short, instead of owning the property yourself, you own a security (or instrument or contract) that has an interest in the property. At the simplest, trivial level of own house, one instrument, this is mostly meaningless, because the instrument owns the property so you may as well own it directly.

But it allows for more complexity. What they are talking about here is securitized home loans and the like, essentially the instruments that blew up in the recent financial crisis. In this case, your instrument has an interest in 1000 properties, but also this is the same interest that another 10,000 instruments have. So you don't own a house, or a tenth of a house, you own a share in the revenues of a combined 1000 houses.

What is that revenue? Well, it is probably the mortgage payments on the 1000 houses. Every month, the mortgage payments are collected, aggregated, fees taken, then the payments out are sent to the instrument holder.

So what the SEC is on about is complicated formulas. Also, they change. If 10 of the houses are delinquent this month, then 20 next month, the money changes. If interest rates go up, again it changes. If fees change, more change. Indeed, it's pretty clear that there is much more complexity and change than there is stability.

So the SEC is seeking to encourage the manager to show the formulas. In a computer program, so we can plug in the numbers, and investors can play around to isolate their preferred situations. On the surface it is a good idea. It gives the investor more power, and it sets up a key disclosure which can likely be challenged in the event of trouble. But it is unlikely to work as a mandated thing.

There are several things against this. Complexity is the enemy here. There are two ways of looking at it, as too complex, and as not complex enough. Initially, the models will be simple, but this will just set the scene for disputes, and the models will get more complex. And then more complex again because the hidden-by-complexity bug will strike -- managers will realise that if they make the models so complex that nobody can deal with them except real experts, then they'll be both compliant and impenetrable, and can get back to their normal games. If you look long enough at the financial crisis, you'll see that one important factor is complexity, and worse, deliberate complexity. This is an old game.

Further, there is a bit of a trap for young players here (as explained to me by Jim). The model will display the "flow of funds" which is in turn dictated by the instrument (the contract). Servicing and pooling provisions in the contract will mandate the manager's actions, and therefore the cash flow. So measuring & comparing the cash flow in this way tells us the manager is meeting targets, etc, *but it tells us nothing about the underlying collateral* which is the true asset in the picture. Recall, again, the financial crisis: meeting targets and bonuses was part of the problem, not the solution. These agreements are written to provide plenty of scope for this sort of trouble, and the SEC's invention runs the risk of making this worse, not better.

What's the solution? Well, the real health of the fund to which your instrument draws on is based on the collateral, and the revenues from it. That is, the real information you want is detailed income, not aggregated outgoings. So if the SEC were to want to make a difference, what it should do is mandate that the anonymised income transactions be made available (FCers will know what that means). That is, any time a house-owner makes a payment into the fund, that transaction be published to the fund investors. By tracking month to month the payments, and matching that to what the investors get, we have some data of value.

Would they do this? The SEC is not going to propose this, because of the complexity argument. The industry will not give up any of its treasured complexity, because that's how it makes money. If you could see what was going on, the prices would be beaten down.

But it could be done voluntarily. A private player could set this up; we have all the tech and understanding to do this. So what could the SEC do? Expand its proposal slightly, and create a format for a fund to reveal the anonymised flow of incomes from the collateral. And provide a program to deal with that. And see if anyone bites...

Meanwhile, two postcripts on spotted observations. One: a group of language specialists think the SEC are trying to give formal definition to the instrument; by means of Python. No, they're on the wrong track. Firstly, that isn't what the SEC is trying to do. Secondly, it won't work because bonds by their nature are contracts, and formal proofs of contracts are the domain of the courts, not compilers. Although this concept has been explored, real world bonds still have more to do with my Ricardian Contract form than esoterica like Nick Szabo's smart contracts.

Two: another group of developers are arguing whether Python is the right language. No need to comment :)

And Three, added from next post, maybe this is to happen:

The companies selling the bonds would also have to give the government extensive information, in a form that is easily searchable, on all of the individual loans that make up the portfolio behind the bond offering, and update it on a continuing basis. Previously, reports were required only on the overall credit quality of the pool of loans, and for some bonds, updates were suspended after about a year. .... Ms. Casey also expressed concerns about the impact of the rules on personal privacy, asking whether “data miners” might be able to use the information on individual loans to determine the identification of loan holders.

Spotted in NYT article.

Ernst & Young staring down the barrel that shot Arthur Andersen

The report on Lehman Brothers' collapse is out, and it apparently includes a smoking gun against the auditor. Prison Planet alleges that "The firm’s auditor, Ernst & Young, one of the four biggest auditing firms in the world, failed in its oversight role:"

In May 2008, a Lehman Senior Vice President, Matthew Lee, wrote a letter to management alleging accounting improprieties; in the course of investigating the allegations, Ernst & Young was advised by Lee on June 12, 2008 that Lehman used $50 billion of Repo 105 transactions to temporarily move assets off balance sheet and quarter end.The next day -- on June 13, 2008 -- Ernst & Young met with the Lehman Board Audit Committee but did not advise it about Lee’s assertions, despite an express direction from the Committee to advise on all allegations raised by Lee.

Ernst & Young took virtually no action to investigate the Repo 105 allegations. Ernst & Young took no steps to question or challenge the non-disclosure by Lehman of its use of $50 billion of temporary, off-balance sheet transactions.

Colorable claims exist that Ernst & Young did not meet professional standards, both in investigating Lee’s allegations and in connection with its audit and review of Lehman’s financial statements.

Now, I haven't read it in depth. But, on first blush, that looks directly analogous to the conditions that wiped out Arthur Andersen. (Agreement on Business Insider.)

The Audit industry will now feel the old Chinese curse: to live in interesting times...

pushback against the external auditor (if they can do it, so can you!)

Lynn in comments points to news that Mastercard has eased up on the PCI (association for credit card issuers) standard for merchant auditing:

But come Dec. 31, 2010, MasterCard planned to require that all Level 1 and, for the first time, Level 2 merchants, use a QSA for the annual on-site PCI assessment.

(Level 1 merchants are above 6 million transactions per year, with 352 merchants bringing in around 50% of all transactions in the USA. Level 2 merchants are from 1 to 6 million, 895 merchants and 13% of all merchants.)

Now, this rule would have cost your merchant hard money:

That policy generated many complaints from Level 2 merchants, who security experts say would have to pay anywhere from $100,000 to $1 million for a QSA’s services.

These Qualified Security Assessors (QSA) are certified by the PCI Security Standards Council for an on-site assessment, or audit. Because of kickback, complaints, etc, MasterCard backed down:

This month, however, MasterCard pushed back the deadline by six months, to June 30, 2011. And instead of requiring use of a QSA, MasterCard will let Level 2 merchants do the assessments themselves provided they have staff attend merchant-training courses offered by the PCI Council, and each year pass a PCI Council accreditation program. Level 2 merchants are free to use QSAs if they wish. Come June 30, 2011, Level 1 merchants can use an internal auditor provided the audit staff has PCI Council training and annual accreditation.

That's you, that is. Or close enough that it hurts. Your company, being a retail merchant bringing in say 100 million dollars a year over 1 million transactions, can now save itself some $100,000 to $1 million. You can do it with your own staff as long as they go on some courses.

If a merchant with millions to billions of direct value on the line, and measurable losses of say 1% of that (handwave and duck) can choose to self-audit, why can't you?

Audits VII: the future of the Audit is in your hands

I established in a series of posts that Audit is in a crisis (I, II, III, IV, V, VI). It didn't perform during the financial crisis, and even if it had, we wouldn't know it. Audit has entered a phase of life where it can not deliver its brand-promise to the buying public, but the cost of the brand is delivered frequently in invoices to us, the buying public. Worse, the cost will go up and the relevance will go down, the machine they built ensures it.

What then do we do in the future? How do we live in a world of Audits without Control? How do we reclaim the control that works to our real needs?

As a user, as a (systems not financial) auditor, as a builder of systems, both financial and Internet, as an investor, as a financial player and as a party reading and relying on audits, I've come across only one person that will provide for your auditing needs. That person is:

You.

In a maxim, it is this: if you the user cannot see it, it is worthless. To you.

It is not entirely true that Audit is worthless, per se, in absolute terms. Many checks and balances can help, and this is the spirit that the audit profession alludes to. These checks and balances are good; we call them governance. But the problem for you is, you can't tell from the outside whether these checks, this audit, are useful or useless. Whether they are coded positively or negatively, whether they are purchased or perverted.

And therefore, your only good strategy is to label an opaque process as useless.

Which leads to a first step: Let's call for an open audit process, not a closed audit process. We know that "open" works from the Internet world, and the claim of many is that "open" can work in many more scenarios than we believed. I emphasise this in a presentation on An Open Audit (which, to close the loop back to the first post of the Audit series, was immediately after Bruce Schneier's apropos talk on the psychology of security).

But, please note, openness is only a first and intermediate step: once we get across the brave step of opening up the entire process, we are inexorably drawn to the fact that if an audit is really open, then the user can do it, herself. An open audit is an audit over open data; if the data is open, she can also audit the data herself.

All of it, or most of it, as much as the user can handle. Which is to say, even my meager attempt at open audit is not going far enough; what you really want is to openly audit the entire system yourself. I as auditor might simply lay the guide posts for you to follow, and in future, you can follow them better than I can.

Say hello to open governance . Yes, this way means more work for the user. But, this is work we already proved we could do. The wider Internet musters thousands of communities of thousands and millions, and a few of those people -- call them the 1% -- are the self-appointed guardians of truth and justice within their communities. Open governance harnesses the vigilantes of Wall Street, the crypto-jihadists of the security world, the peer-to-peer rebels of the intellectual property world, all, as the leaders in a process of checking for everyone else.

What then is the part of the professional auditor? We already recognised over the past couple of years that the proper role of the security expert is to educate programmers and architects to employ more security techniques. Likewise, the proper role of the auditor may be to teach the mechanisms of open governance; rather than opine on their results themselves. To teach, rather than to measure. To lead, rather than to do. To participate, rather than bill.

How would this work? Well, here's one idea. I haven't implemented it, but I want to. Over at the audit I participated in, there is a set of criteria which have to be audited against. Some have green ticks, others have red crosses, signifying OK and not OK. Classical audit process would call for me to investigate all those criteria, find evidence of controls over the criteria, and report on each. That's a lot of work. A lot of billable hours.

Open governance would call for each individual of the body-public to do that instead; in tech terms, each criteria would become a blog post, with comments added by the public, including comments of reliance. In effect, mini-opinions. If you the member-public post that the criteria is good and covered, and you put your monika on to that statement (which is easy to do because it is a CA and client-certs are its business), then that becomes reliable evidence. Once the set of criteria meets some watermark (say 95% green ticks), the audit is done.

By you.

That's just one idea. I know a dozen or so others; but their essence is all the same. Instead of having one person look and attest, have our entire net community look, and share notes. Travelling long distances, checking technical things and making clear reports is now trivial with the net, with cryptography, with protocols, with communities. We no longer need the single trusted third party to do this, we have the trusted members, we have our own stakeholders, we have customers.

It may be that the evolution of open governance, an invention from the world of digital cash, has come just in time to save us. We'll see.

Bowles case is more evidence: Britain takes another step to a hollowed-out state

In the very sad story of the Justice System as we know it, a British courts has ruled the beginning of the end.

He went to jail this week, protesting his innocence. Speaking to The Times, he said: "There are no missing millions, there's no villa in the Virgin Islands, there has been no fraud. I am not allowed to earn any money, my assets were restrained so I couldn't use them to defend myself - it's a relentless, never-ending, vicious, cruel and wicked system.

Of course, all mobsters say that. So what was the crime?

Bowles was convicted by a jury in June of cheating the Revenue of £1.2 million in VAT but sentencing had been adjourned on three previous occasions. He had been found guilty of failing to pay VAT on a BIG land sale and diverting money due to the taxman to prop up Airfreight Express, his ailing air-freight company.

Now we have come full circle, and the evidence is presented: the Anti-money-laundering project of the OECD (known as the Financial Action Task Force, a Paris-based body) is basically and fundamentally inspired by the desire to raise tax. Hence, we will see a steady progression of government-revenue cases, occasionally interspersed with Mr Big cases. This is exactly what the OECD wanted. Not the mobsters, murderers, drug barons and terrorists pick up, but:

Bowles is a divorced, middle-aged company director from Maidenhead who has been transformed from successful entrepreneur to convicted fraudster.

A businessman, from the very heartland of English countryside. Not a dangerous criminal at all, but someone doing business. Not "them" but us. POCA or Proceeds of Crime Act is now an important revenue-raising tool:

It was not suggested that Bowles, who has no criminal record, had used the money to fund a luxury lifestyle. Nevertheless, when the Revenue began a criminal investigation into his affairs in 2006 all his assets were frozen under the powers of the Proceeds of Crime Act.

Bowles was required to live on an allowance and rely on legal aid for his defence rather than pay out of his own resources. Defence lawyers claimed that preparation of Bowles's defence case was hampered further because his companies' financial records were in the hands of administrators.

The accounts were not disclosed until a court hearing in February this year, at which point Bowles sought permission to have a forensic accountant examine them to determine the VAT position. He was refused a relaxation of the restraint order to pay for a forensic accountants' report. The Legal Services Commission also declined to fund such a report from legal aid.

After the court was told that the records "could be considered by counsel with a calculator" the trial went ahead. Bowles was cleared of two charges but found guilty of a third.

It works this way. First the money is identified. Then, the crime is constructed, the assets are frozen, legal-aid is denied, and the businessman goes to jail. By the time he gets out of that, he probably cannot mount a defence anyway, and rights are just so much confetti. This stripping of rights is a well-known technique in law, as only 1 in 100 can then mount a recovery of rights action, it is often done when the job of the prosecutor is more important than rights.

Let's be realistic here and assume that Bowles was guilty of tax fraud. His local paper certainly thinks he was guilty:

A tax cheat from Maidenhead who dodged paying £1.3m in VAT has been jailed for three-and-a-half years. ... The court heard between October 2001 and July 2006 Bowles failed to submit VAT returns to HM Customs and Excise (HMCE) and then HM Revenue & Customs (HMRC). The VAT related to the sale of land for commercial development in Cardiff worth £7.5m.

Following an HMRC criminal investigation Bowles, from Sandisplatt Road, was charged on three counts of 'cheating the revenue'. Peter Avery, assistant director, HMRC Criminal Investigations, said: "This sentence will serve as a deterrent to anyone who thinks that tax fraud is a risk worth taking."

Firstly, this is quite common, and secondly, tax is the most complicated thing in existence, so complicated that most ordinary lawyers don't recognise it as law by principle. It's the tax code, it's special. It's actually very hard not to be guilty of it, when you have a fair-sized business (whoever heard of a value-added-tax on a land sale?)

But even assuming that the guy was guilty, there was rather stunning evidence to the contrary, which underscores the point that this was revenue raising, not the bringing down of a Mr Big:

A financial report has since been prepared, free of charge, by a firm of chartered accountants. A draft copy was presented to the judge two months ago and a full version handed to him this week. Its analysis concludes that rather than owing tax, Bowles's companies had actually overpaid their taxes.

The report stated: "In our opinion, none of the evidence points to Philip Bowles fraudulently evading or concealing VAT due to HMRC ... It would have been reasonable to conclude that no fraud has taken place."

Lawyers for Bowles claimed in court that matters were compounded by a failure to explain VAT law properly. They alleged the jury were wrongly informed that companies in the same group could not assign tax liabilities and credits between each other.

When a firm of *chartered accountants* utters _an opinion_ over finances, this is a legally imposing evidence. It is given a special status in court, in that the court may rely on it, and so might all others; this special status is awarded for the purposes of public companies that need to impress others such as creditors and shareholders that the company is sound. This form of reliance is not available outside the accounting profession, and only available in an accounting context (e.g., when a firm of accountants audits a certification authority, we do not get a special right to rely on it without further ado).

When a firm of chartered accountants does this for free, this is beyond surprising, this is a shock. The natural order of things is now upset. When the accountants are working for free, this might mean that the professions are mounting a last-ditch effort to preserve the Justice System in Britain, as I predicted:

It took 20 years to hollow out Mexico, we have a bit longer in other countries, because the institutions are staffed by stiffer, better educated people.

Those stiffer, better educated institutions realise that we all are poorer when the justice system is used to raise revenue. Or perhaps they realise their turn is next?

Audits VI: the wheel spins. Until?

We've established that Audit isn't doing it for us (I, II, III). And that it had its material part to play in the financial crisis (IV). Or its material non-part (II). I think I've also had a fair shot at explaining why this happened (V).

I left off last time asking why the audit industry didn't move to correct these things, and especially why it didn't fight Sarbanes-Oxley as being more work for little reward? In posts that came afterwards, thanks to Todd Boyle, it is now clear that the audit industry will not stand in front of anything that allows its own house to grow. The Audit Industry is an insatiable growth machine, and this is its priority. No bad thing if you are an Auditor.

Which leaves us with curious question: What then stops the Audit from growing without bound? What force exists to counterbalance the natural tendency of the auditor to increase the complexity, and increase the bills? Can we do SOX-1, SOX-2, SOX-3 and each time increase the cost?

Those engineers and others familiar with "systems theory" among us will be thinking in terms of feedback: all sustainable systems have positive feedback loops which encourage their growth, and negative feedback loops which stop their growth exploding out of control. In earlier posts, we identify the positive feedback loop of the insider interest. The question would then be (for the engineers) what is the negative feedback control?

Wikipedia helpfully suggests that Audit is a feedback control over organisations, but where is the feedback control over Audit? Even accepting the controversial claim that Sarbanes-Oxley delivered better reliability and quality in audits, we do know there must be a point where that quality is too expensive to pay for. So there must be a limit, and we must know when to stop paying.

And now the audit penny drops: There is no counterbalancing force!

We already established that the outside world has no view into the audit. Our chartered outsider has taken the keys to the citadel and now owns the most inner sanctums. The insider operates to standard incentives which is to improve own position at the expense of the outsider; the Auditor is now the insider. Which leads to a compelling desire to increase size, complexity and fees of Audit.

Yet the machine of audit growth has no brake. So it has no way to stop it moving from a useful position of valuable service to society to an excessive position of unsustainable drain on the public welfare. There is nothing to stop audit consuming the host it parasites off, nor is there anything that keeps even the old part of the Audit on the straight and narrow.

And this is more or less what has happened. That which was useful 30 years ago -- the opinion of financial statements, useful to educated investors -- has migrated well beyond that position into consuming the very core of the body corporate. IT security audits, industry compliance audits, quality audits, consulting engagements, market projects, manufacturing advice, and the rest of it now consume far more of their proper share.

Many others will point at other effects. But I believe this is at the core of it: the auditor promises a result for outsiders, has taken the insiders' keys and crafted a role of great personal benefit, without any external control. So it follows that it must grow, and it must drift off any useful agenda. And so it has, as we see from the financial crisis.

Which leads to a rather depressing conclusion: Audit cannot regulate itself. And we can't look to the government to deal with it, because that was part & parcel of our famous financial crisis. Indeed, the agencies have their hands full right now making the financial crisis worse, we hardly want to ask them to fix this mess. Today's evidence of agency complicity is only just more added to a mountain of depression.

What's left?

taking phishing to the next level

Phishing has come a long way. It is now no longer characterised by its email lure to get you to click on a different website. The phishers have moved on from the basic MITM that cracked secure browsing ... and are now concentrating on takeover of the machine. MITB, and the email is one of their weaker hooks.

Defences have also moved on, too. In some places they relied on two-factor auth, and in others a series of barriers. One common barrier was to make transactions to the country easy, and outside hard, on the basis that all phishers come from another country.

Phishers responded by employing Mules, being people who are in the country, and are well-paid to just re-transmit the money. People, it turns out, can easily send the money abroad, but trojans or MITBs couldn't.

But a problem with Mules is that they are slow. They might take a day or two to get around to it, because they are busy people. And in that time, the victim often spotted the fraudulent transaction ... and complained to the Mule! At which point the latter often realised he had been duped, was not part of the new International trading world, but was instead an essential cog in an international conspiracy to launder money etc et al ad nauseum.

Now phishers have gone to the next step:

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

The ruse buys the crooks time before a victim discovers the fraud, though won’t work if a victim uses an uninfected machine to check his or her bank balance.

The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan

This is the man in the middle, par exellence. Not only does Mallory steal the information and use it, he rewrites the evidence to hide the crime. Note, this was back in August. More claimed facts, ftr, and also and here:

The researchers also found statistics in the command tool showing that out of 90,000 visitors to the gang’s rogue and compromised websites, 6,400 were infected with the URLZone trojan. Most of the attacks Finjan observed affected people using Internet Explorer browsers, but Ben-Itzhak says other browsers are vulnerable too.

Which juxtaposes with a question that Stephen asked me a few days ago: how can we presume that the system is operating correctly? He was asking this hypothetical from the legal tradition, where it is common for banks to assert the presumption. In the above case, it is quite interesting, because from both points of view, the evidence is clear: correct operation.

The user sees the correct balances and transactions. The bank sees the correct authentication procedures. But we have a case here were neither side is correct, and the system is not operating correctly.

Why is this a problem? Because security commerce has it that a security system is secure. It has to be completely secure, otherwise it is impossible to sell. Nobody buys a partly-secure system, they want the fully-secured model. So what tends to happen is a form of society-wide cognitive dissonance where we sell the partly-secured as fully-secured. Hence, by the time the banks get around to being the defendents in some case against their "fully-secured" system, they are compelling in their belief that it is secure. The presumption that it operates correctly is part of that cognitive dissonance.

Which reminds us of a German case where the presumption that DES was secure was knocked out, because there were things like DeepCrack out there. The role of the courts in breaking this dissonance is important; I can't recall the case precisely, but here is another case from German courts, this time over the famous Sony rootkit:

According to Germany’s Heise, a district court has just ruled in a case where an individual claimed that the presence of the Sony rootkit caused him financial losses.

After purchasing an Anastacia CD, the plaintiff played it in his computer but his anti-virus software set off an alert saying the disc was infected with a rootkit. He went on to test the CD on three other computers. As a result, the plaintiff ended up losing valuable data.

Claiming for his losses, the plaintiff demanded 200 euros for 20 hours wasted dealing with the virus alerts and another 100 euros for 10 hours spent restoring lost data. Since the plaintiff was self-employed, he also claimed for loss of profits and in addition claimed 800 euros which he paid to a computer expert to repair his network after the infection. Added to this was 185 euros in legal costs making a total claim of around 1,500 euros.

The judge’s assessment was that the CD sold to the plaintiff was faulty, since he should be able to expect that the CD could play on his system without interfering with it. The court ordered the retailer of the CD to pay damages of 1,200 euros.

Which strangely echoes this case:

Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an "online community" for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable.

To join the "My SHC Community," users downloaded software that ended up grabbing some members' prescription information, emails, bank account data and purchases on other sites. Sears called the group that participated "small" and said the data captured by the program was at all times secure and was then destroyed.

The FTC filed a complaint against Sears, accusing the retailer of deceiving those who signed up for the service and downloaded the software.

"(Sears) failed to disclose adequately that the software application, when installed, would: monitor nearly all of the Internet behavior that occurs on consumers' computers, including information exchanged between consumers and websites other than those owned, operated, or affiliated with respondent, information provided in secure sessions when interacting with third-party websites, shopping carts, and online accounts, and headers of web-based email; track certain non-Internet related activities taking place on those computers; and transmit nearly all of the monitored information (excluding selected categories of filtered information) to respondent's remote computer servers," the FTC concluded.

Which all seems to lead to a rather heavy presumption of rightness in favour of the larger party. Sony was safe in installing rootkits, and only got slapped for the direct costs that this unexpected behaviour caused. Sears was safe for the same practice, except it got a tap on the wrist for not disclosing it fully.

Which leads to class action. The obvious asymmetry here is that the large parties (allegedly) did a lot of small damages to many parties. Yet, in each case, they do not get more than a light tap, for various reasons. So the message is clear: if there is profit, take on that risk, because the downside is small.

Which leads me to an old observation I made many times in the original phishing days: the issue of fundamental liability allocation will only be sorted out when class action suits redress the imbalance in power (to avoid adverse judgement).

This solution of course is only applicable in the USA where class-action is popular. And it probably doesn't apply to continental banking where the banks tend to take more care and absorb more of the liabilities directly (hence their losses are much lower). Which is bad news for UK, Australia, Canada, where the banking models tend to follow liability-dumping models, but don't have the ultimate backstop of the class-action suit.

Closing remark: all of these articles were spotted in Bruce Schneier's cryptogram, and all seemed to resonate. There is one hilarious thread about the DHS in USA deciding to "employ 1000 cyber-security experts." Frequent readers of this blog will see the error at multiple levels. But Bob Cringley took the claim at face value and did some research. He asked 6 people who he thought were experts, and this one was the closest:

“Define ‘expert,’ said another friend from behind Door Number Three, who comes from the security software business. “(An expert is) a person with a high degree of skill in or knowledge of a certain subject. Great, but the question is all about scope. I may be an expert cook – but can I run a kitchen? Same thing with security there are tons of experts – in specific areas. I was an expert in AV, IDS, and other areas. But I was not the all knowing security guru. (even though my knowledge base was very broad). This is where we run into unintended actuated consequences. An expert will make a choice and take an action. The end result may not be what they had anticipated because of other factors beyond the realm of their expertise caused an unanticipated consequence.

Which is to say, the word expert simply doesn't work for us. The field is too big so you are either a generalist like myself (and make frequent detailed mistakes, but hopefully survive in the big picture) or you are a deep specialist who gets the detail correct, but ends up on the wrong mapboard.

But this guy also hit the nail on the head:

So this is the wrong approach entirely. It won’t work, the DHS probably knows it won’t work (if they don’t know that, well God help us all) but they see it as better than nothing. That doesn’t worry me so much, though. What really worries me is the point brought up by cybersecurity expert number six, who himself came in from the cold:

“Sure there are 1,000 (cybersecurity experts),” he said, ” but they are already employed… as hackers.”

And, looking at our "presumption of security" question in the big picture, we can understand why. Because of liability dumping, your country's banks are cooperating with the world's 1000 cybersecurity experts. Who's engaged in a criminal conspiracy now?

Where does the accounting profession want to go, today?

So, if they are not doing audits and accounting, where does the accounting profession want to go? Perhaps unwittingly, TOdd provided the answer with that reference to the book Accounting Education: Charting the Course through a Perilous Future by W. Steve Albrecht and Robert J. Sack.

It seems that Messrs Albrecht and Sack, the authors of that book, took the question of the future of Accounting seriously:

Sales experts long ago concluded that "word of mouth" and "personal testimonials" are the best types of advertising. The Taylor Group1 found this to be true when they asked high school and college students what they intended to study in college. Their study found that students were more likely to major in accounting if they knew someone, such as a friend or relative, who was an accountant.

So they tested it by asking a slightly more revealing question of the accounting professionals:

When asked "If you could prepare for your professional career by starting college over again today, which of the following would you be most likely to do?" the responses were as follows:

Type of Degree	% of Educators Who Would	% of Practitioners Who Would
Who Would Earn a bachelor's degree in something other than accounting and then stop	0.0	7.8
Earn a bachelor's degree in accounting, then stop	4.3	6.4
Earn a Master's of Business Administration (M.B.A.) degree	37.7	36.4
Earn a Master's of Accountancy degree	31.5	5.9
Earn a Master's of Information Systems degree	17.9	21.3
Earn a master's degree in something else	5.4	6.4
Earn a Ph.D.	1.6	4.4
Earn a J.D. (law degree)	1.6	11.4

These results are frightening,...

Well indeed! As they say:

It is telling that six times as many practicing accountants would get an M.B.A. as would an M.Acc., over three times as many practitioners would get a Master's of Information Systems degree as would get an M.Acc., and nearly twice as many practitioners would get a law degree instead of an M.Acc. Together, only 12.3 percent (6.4% + 5.9%) of practitioners would get either an undergraduate or graduate degree in accounting.2 This decrease in the perceived value of accounting degrees by practitioners is captured in the following quotes:

We asked a financial executive what advice he would give to a student who wanted to emulate his career. We asked him if he would recommend a M.Acc. degree. He said, "No, I think it had better be broad. Students should be studying other courses and not just taking as many accounting courses as possible. ...

My job right now is no longer putting numbers together. I do more analysis. My finance skills and my M.B.A. come into play a lot more than my CPA skills.

.... we are creating a new course of study that will combine accounting and
information technology into one unique major....

...I want to learn about information systems.

(Of course I'm snipping out the relevant parts for speed, you should read the whole lot.) Now, we could of course be skeptical because we know computing is the big thing, it's the first addition to the old list of Reading, Arithmetic and Writing since the dark ages. Saying that Computing is core is cliche these days. But the above message goes further, it's almost saying that Accountants are better off not doing accounting!

The Accounting profession of course can be relied upon to market their profession. Or can they? Todd was on point when he mentioned the value chain, the image in yesterday's post. Let's look at the wider context of the pretty picture:

Robert Elliott, KPMG partner and current chairman of the AICPA, speaks often about the value that accountants can and should provide. He identifies five stages of the "value chain" of information. The first stage is recording business events. The second stage is summarizing recorded events into usable data. The third stage is manipulating the data to provide useful information. The fourth stage is converting the information to knowledge that is helpful to decision makers. The fifth and final stage is using the knowledge to make value-added decisions. He uses the following diagram to illustrate this value chain:

This five-stage breakdown is a helpful analysis of the information process. However, the frightening part of Mr. Elliott's analysis is his judgment as to what the segments of the value chain are worth in today's world. Because of the impact of technology, he believes that:

• Stage 1 activity is now worth no more than $10 per hour
• Stage 2 activity is now worth no more than $30 per hour
• Stage 3 activity is now worth $100 per hour
• Stage 4 activity is now worth $300 per hour
• Stage 5 activity is now worth $1,000 per hour

In discussing this value chain, Mr. Elliott urges the practice community to focus on upper-end services, and he urges us to prepare our students so they aim toward that goal as well. Historically, accounting education has prepared students to perform stage 1- and stage 2-type work.

Boom! This is compelling evidence. It might not mean that the profession has abandoned accounting completely. But it does mean that whatever they do, they simply don't care about it. Accounting, and its cousin Audits are loss-leaders for the other stuff, and eyes are firmly fixed on other, higher things. We might call the other stuff Consulting, and we might wonder at the correlation: consulting activities have consumed the major audit firms. There are no major audit firms any more, there are major consulting firms, some of which seem to sport a vestigial audit capability.

Robert Elliot's message is, more or less, that the audit's fundamental purpose in life is to urge accountancy firms into higher stages. It therefore matters not what the quality (high?) is, nor what the original purpose is (delivering a report for reliance by the external stakeholder?). We might argue for example whether audit is Stage 2 or Stage 3. But we know that the auditor doesn't express his opinion to the company, directly, and knowledge is the essence of the value chain. By the rules, he maintains independence, his opinion is reserved for outsiders. So audit is limited to Stages 3 and below, by its definition.

Can you see a "stage 4,5 sales opportunity" here?

Or perhaps more on point, can you avoid it?

It is now very clear where the auditors are. They're not "on audit" but somewhere higher. Consulting. MBA territory. Stage 5, please! The question is not where the accounting profession wants to go today, because they already got there, yesterday. The financial crisis thesis is confirmed. Audits are very much part of our problem, even if they are the accounting profession's solution.

What is less clear is where are we, the business world? The clients, the users, the reliers of audit product? And perhaps the question for us really is, what are we going to do about it?

TOdd on Audits V: why oh why?

Editor's note: TOdd wrote this long comment to Audits V and I thought it had to be a post:

---

Regarding the failure of financial auditing, or statutory audits, there is probably a body of knowledge to be found in academia and business journals. There is certainly a lot of wisdom and knowledge among the accounting profession, although it is heavily suppressed, and auditors, like bankers, start out opaque and unself-aware. All three of these things grow deeper over lifelong habit (lack of honest self appraisal, lack of communication skills to talk about their business in anything but literal terms, and lack of any motive or impulse to be honest or candid even if they wanted to.) So, you'll find the best research on this problem in the business schools and press, for whom auditors are a business problem to be understood, and in the accountancy schools who still harbor a lot of great minds, with too much integrity to survive in the global audit firms. The audit profession took root in the 1930s and I would have to guess that it was captured from day one, by the publicly listed companies they were supposed to be auditing.

Accountants have had the choice to improve themselves at several historic points in time; the 1929 crash, the end of WW2, when every other economy was demolished, and the end of the Soviet threat. What they've actually done was continue fiddling with their false definitions of economic substance, called GAAP, which is really intended to modulate the lies and maintain as much opaqueness as the public would tolerate.

The greatest opportunity to improve business reporting, if that were the intention, has come from improvements in database, computing, and the internet. Internally of course, companies have built information tools to navigate and understand their customers, suppliers, financial structures and inner working. All of it conceived, developed and maintained for the benefit of senior executives. The host-centric, server-centric architecture of the dominant computing architectures (ibm, att, dec, sun, microsoft etc) reflect this.

There is nothing that reveals the intent and will of the AICPA more clearly than its design choices in XBRL. And I doubt if anybody will ever write the book about XBRL, since the people who realized what a betrayal it was, while it was being cooked up, were physically nauseated and left the standards bodies, myself included. Outside the meeting room and convention halls, there were more than a few people who saw what was happening-- and why would they pay annual dues of $thousands, plus travel costs, to attend the next XBRL conference, unless they were part of the corrupt agenda themselves?

I am reminded of the State of Washington democratic party convention I attended a few years ago-- more than 2/3s of the 1000 delegates from the precincts, statewide had never been to a convention before. And, by the end of the convention, a percentage even larger than that, was in open rebellion against the selection of candidates and railroading of the platform and agenda, by top party officials. So, 2/3s of them would never bother participating in the Democratic Party in the next election cycle either.

The people responsible for the sabotage and corruption of the AICPA's XBRL and other technologies, are Barry Melancon, working on behalf of opaque interests in the audit firms and wall street, and, the young turks they hired, Charlie Hoffman and Eric Cohen. Hoffman bubbled up in the Seattle area as an evangelist for microsoft technologies in accounting firms and probably never understood where the money and support for his magic carpet ride was coming from. Microsoft itself being a front-end for IBM and wall street. There have been a few, who try from time to time, to make these technologies honest, such as David RR Weber, Glen Gray, Bill McCarthy...

A more hopeful technology, ebXML emerged shortly after XBRL, and again the history is so vast, somebody should write a book---indeed would write a book-- if they had the stomach for it. Now, here, we ran into a different set of entrenched interests, the EDI industry and adjacent companies and interests. It was a fabulous project, with at least ten different workgroups, each with a lot of dedicated people, supported by many great companies.

To sum it all up-- there are people who want to use the power of computers and communications to reach process improvements, labor savings, AND transparency for all stakeholders. These people have developed over many years, a very complete understanding of business processes in their industries and somewhat less completely, a generalized architecture for all economic transactions. However, there are a plutocracy who own all their companies and make all of the hiring and firing decisions. Obviously, these people at the very top, have leaned hard on the tiller, since the early days.

And the accounting and auditing profession knows where its bread is buttered, see Bob Elliot's diagram of "five stage value chain."

---

Iang responds in the next post.

OSS on how to run a business

After a rather disastrous meeting a few days ago, I finally found the time to load up:

The Office of Strategic Services was the USA dirty tricks brigade of WWII, which later became the CIA. Their field manual was declassified and published, and, lo and behold, it includes some mighty fine advice. This manual was noticed to the world by the guy who presented the story of the CIA's "open intel" wiki, he thought it relevant I guess.

Sections 11, 12 are most important to us, the rest concentrating on the physical spectrum of blowing up stuff. Onwards:

(11) General Interference with Organizations and Production (a) Organizations and Conferences (1) Insist on doing everything through "channels." Never permit short-cuts to be taken in order to, expedite decisions. (2) Make "speeches." Talk as frequently as possible and at great length. Illustrate your "points" by long anecdotes and accounts of personal experiences. Never hesitate to make a few appropriate "patriotic" comments. (3) When possible, refer all matters to committees, for "further study and consideration." Attempt to make the committees as large as possible - never less than five. (4) Bring up irrelevant issues as frequently as possible. (5) Haggle over precise wordings of communications, minutes, resolutions. (6) Refer back to matters decided upon at the last meeting and attempt to reopen the question of the advisability of that decision. (7) Advocate "caution." Be "reasonable" and urge your fellow-conferees to be "reasonable" and avoid haste which might result in embarrassments or difficulties later on. (8) Be worried about the propriety of any decision -raise the question of whether such action as is contemplated lies within the jurisdiction of the group or whether it might conflict with the policy of some higher echelon.

Read the full sections 11,12 and for reference, also the entire manual. As some have suggested, it reads like a modern management manual, perhaps proving that people don't change over time!

Audits V: Why did this happen to us ;-(

To summarise previous posts, what do we know? We know so far that the hallowed financial Audit doesn't seem to pick up impending financial disaster, on either a micro-level like Madoff (I) or a macro-level like the financial crisis (II). We also know we don't know anything about it (III), trying harder didn't work (II), and in all probability the problem with Audit is systemic (IV). That is, likely all of them, the system of Audits, not any particular one. The financial crisis tells us that.

Notwithstanding its great brand, Audit does not deliver. How could this happen? Why did our glowing vision of Audit turn out to be our worst nightmare? Global financial collapse, trillions lost, entire economies wallowing in the mud and slime of bankruptcy shame?

Let me establish the answer to this by means of several claims.

First, complexity . Consider what audit firm Ernst & Young told us a while back:

The economic crisis has exposed inherent weaknesses in the risk management practices of banks, but few have a well-defined vision of how to tackle the problems, according to a study by Ernst & Young.

Of 48 senior executives from 36 major banks around the world questioned by Ernst & Young, just 14% say they have a consolidated view of risk across their organisation. Organisational silos, decentralisation of resources and decision-making, inadequate forecasting, and lack of transparent reporting were all cited as major barriers to effective enterprise-wide risk management.

The point highlighted above is this: This situation is complex! In essence, the process is too complex for anyone to appreciate from the outside. I don't think this point is so controversial, but the next are.

My second claim is that in any situation, stakeholders work to improve their own position . To see this, think about the stakeholders you work with. Examine every decision that they take. In general, every decision that reduces the benefit to them will be fiercely resisted, and any decision that increases the benefit to them will be fiercely supported. Consider what competing audit firm KPMG says:

A new study put out by KPMG, an audit, tax and advisory firm said that pressure to do "whatever it takes" to achieve business goals continues as the primary driver behind corporate fraud and misconduct.

Of more than 5,000 U.S. workers polled this summer, 74 percent said they had personally observed misconduct within their organizations during the prior 12 months, unchanged from the level reported by KPMG survey respondents in 2005. Roughly half (46 percent) of respondents reported that what they observed "could cause a significant loss of public trust if discovered," a figure that rises to 60 percent among employees working in the banking and finance industry.

This is human nature, right? It happens, and it happens more than we like to admit. I suggest it is the core and prime influence, and won't bother to argue it further, although if you are unsatisfied at this claim, I suggest you read Lewis on The End (warning it's long).

As we are dealing with complexity, even insiders will not find it easy to identify the nominal, original benefit to end-users. And, if the insiders can't identify the benefit, they can't put it above their own benefit. Claims one and two, added together, give us claim three: over time, all the benefit will be transferred from the end-users to the insiders . Inevitably. And, it is done naturally, subconciously and legally.

What does this mean to Audits? Well, Auditors cannot change this situation. If anything, they might make it worse. Consider these issues:

• the Auditor is retained by the company,
• to investigate a company secret,
• the examination, the notes, the results and concerns are all secret,
• the process and the learning of audit work is surrounded by mystique and control in classical guild fashion,
• the Auditor bills-per-hour,
• the Auditor knows what the problems are,
• and has integral consulting resources attached,
• who can be introduced to solve the problems,
• and bill-per-hour.

As against all that complexity and all that secrecy, there is a single Auditor, delivering a single report. To you. A rather single very small report, as against a rather frequent and in sum, huge series of bills.

So in all this complexity, although the Audit might suggest that they can reduce the complexity by means of compressing it all into one single "opinion", the complexity actually works to the ultimate benefit of the Auditor. Not to your benefit. It is to the Auditor's advantage to increase the complexity, and because it is all secret and you don't understand it anyway, any negative benefit to you is not observable. Given our second claim, this is indeed what they do.

Say hello to SOX, a doubling of the complexity, and a doubling of your auditor's invoice.

Say thank you, Congressmen Sarbanes and Oxley, and we hope your pension survives!

Claim Number 4: The Auditor has become the insider. Although he is the one you perceive to be an outsider, protecting your interests, in reality, the Auditor is only a nominal, pretend outsider. He is in reality a stakeholder who was given the keys to become an insider a long time ago. Is there any surprise that, with the passage of time, the profession has moved to secure its role? As stakeholder? As insider? To secure the benefit to itself?

Over time, the noble profession of Auditing has moved against your interests. Once, it was a mighty independent observer, a white knight riding forth to save your honour, your interest, your very patrimony. Audits were penetrating and meticulous!

Now, the auditor is just another incumbent stakeholder, another mercenary for hire. Test this: did any audit firm fight the rise of Sarbanes-Oxley as being unnecessary, overly costly and not delivering value for money to clients? Does any audit firm promote a product that halves the price? Halves the complexity? Has any audit firm investigated the relationship between the failed banks and the failed audits over those banks? Did any audit firm suggest that reserves weren't up to a downturn? Has any audit firm complained that mark-to-market depends on a market? Did any auditor insist on stress testing? Has ... oh never mind.

I'm honestly interested in this question. If you know the answer: posted it in comments! With luck, we can change the flow of this entire research, which awaits ... the NEXT post.

trouble in PKI land

The CA and PKI business is busy this week. CAcert, a community Certification Authority, has a special general meeting to resolve the trauma of the collapse of their audit process. Depending on who you ask, my resignation as auditor was either the symptom or the cause.

In my opinion, the process wasn't working, so now I'm switching to the other side of the tracks. I'll work to get the audit done from the inside. Whether it will be faster or easier this way is difficult to say, we only get to run the experiment once.

Meanwhile, Mike Zusman and Alex Sotirov are claiming to have breached the EV green bar thing used by some higher end websites. No details available yet, it's the normal tease before a BlabHat style presentation by academics. Rumour has it that they've exploited weaknesses in the browsers. Some details emerging:

With control of the DNS for the access point, the attackers can establish their machines as men-in-the-middle, monitoring what victims logged into the access point are up to. They can let victims connect to EV SSL sites - turning the address bars green. Subsequently, they can redirect the connection to a DV SSL sessions under a certificates they have gotten illicitly, but the browser will still show the green bar.

Ah that old chestnut: if you slice your site down the middle and do security on the left and no or lesser security on the right, guess where the attacker comes in? Not the left or the right, but up the middle, between the two. He exploits the gap. Which is why elsewhere, we say "there is only one mode and it is secure."

Aside from that, this is an interesting data point. It might be considered that this is proof that the process is working (following the GP theory), or it might be proof that the process is broken (following the sleeping-dogs-lie model of security).

Although EV represents a good documentation of what the USA/Canada region (not Europe) would subscribe as "best practices," it fails in some disappointing ways. And in some ways it has made matters worse. Here's one: because the closed proprietary group CA/B Forum didn't really agree to fix the real problems, those real problems are still there. As Extended Validation has held itself up as a sort of gold standard, this means that attackers now have something fun to focus on. We all knew that SSL was sort of facade-ware in the real security game, and didn't bother to mention it. But now that the bigger CAs have bought into the marketing campaign, they'll get a steady stream of attention from academics and press.

I would guess less so from real attackers, because there are easier pickings elsewhere, but maybe I'm wrong:

"From May to June 2009 the total number of fraudulent website URLs using VeriSign SSL certificates represented 26% of all SSL certificate attacks, while the previous six months presented only a single occurrence," Raza wrote on the Symantec Security blogs.

... MarkMonitor found more than 7,300 domains exploited four top U.S. and international bank brands with 16% of them registered since September 2008.
.... But in the latest spate of phishing attempts, the SSL certificates were legitimate because "they matched the URL of the fake pages that were mimicking the target brands," Raza wrote.

VeriSign Inc., which sells SSL certificates, points out that SSL certificate fraud currently represents a tiny percentage of overall phishing attacks. Only two domains, and two VeriSign certificates were compromised in the attacks identified by Symantec, which targeted seven different brands.

"This activity falls well within the normal variability you would see on a very infrequent occurrence," said Tim Callan, a product marketing executive for VeriSign's SSL business unit. "If these were the results of a coin flip, with heads yielding 1 and tails yielding 0, we wouldn't be surprised to see this sequence at all, and certainly wouldn't conclude that there's any upward trend towards heads coming up on the coin."

Well, we hope that nobody's head is flipped in an unsurprising fashion....

It remains to be seen whether this makes any difference. I must admit, I check the green bar on my browser when online-banking, but annoyingly it makes me click to see who signed it. For real users, Firefox says that it is the website, and this is wrong and annoying, but Mozilla has not shown itself adept at understanding the legal and business side of security. I've heard Safari has been fixed up so probably time to try that again and report sometime.

Then, over to Germany, where a snafu with a HSM ("high security module") caused a root key to be lost (also in German). Over in the crypto lists, there are PKI opponents pointing out how this means it doesn't work, and there are PKI proponents pointing out how they should have employed better consultants. Both sides are right of course, so what to conclude?

Test runs with Germany's first-generation electronic health cards and doctors' "health professional cards" have suffered a serious setback. After the failure of a hardware security module (HSM) holding the private keys for the root Certificate Authority (root CA) for the first-generation cards, it emerged that the data had not been backed up. Consequently, if additional new cards are required for field testing, all of the cards previously produced for the tests will have to be replaced, because a new root CA will have to be generated. ... Besides its use in authentication, the root CA is also important for card withdrawal (the revocation service).

The first thing to realise was that this was a test rollout and not the real thing. So the test discovered a major weakness; in that sense it is successful, albeit highly embarrassing because it reached the press.

The second thing is the HSM issue. As we know, PKI is constructed as a hierarchy, or a tree. At the root of the tree is the root key of course. If this breaks, everything else collapses.

Hence there is a terrible fear of the root breaking. This feeds into the wishes of suppliers of high security modules, who make hardware that protect the root from being stolen. But, in this case, the HSM broke, and there was no backup. So a protection for one fear -- theft -- resulted in a vulnerability to another fear -- data loss.

A moment's thought and we realise that the HSM has to have a backup. Which has to be at least as good as the HSM. Which means we then have some rather cute conundrums, based on the Alice in Wonderland concept of having one single root except we need multiple single roots... In practice, how do we create the root inside the HSM (for security protection) and get it to another HSM (for recovery protection)?

Serious engineers and architects will be reaching for one word: BRITTLE! And so it is. Yes, it is possible to do this, but only by breaking the hierarchical principle of PKI itself. It is hard to break fundamental principles, and the result is that PKI will always be brittle, the implementations will always have contradictions that are swept under the carpet by the managers, auditors and salesmen. The PKI design is simply not real world engineering, and the only thing that keeps it going is the institutional deadly embrace of governments, standards committees, developers and security companies.

Not the market demand. But, not all has been bad in the PKI world. Actually, since the bottoming out of the dotcom collapse, certs have been on the uptake, and market demand is present albeit not anything beyond compliance-driven. Here comes a minor item of success:

VeriSign, Inc. [SNIP] today reported it has topped the 1 billion mark for daily Online Certificate Status Protocol (OCSP) checks.

[SNIP] A key link in the online security chain, OCSP offers the most timely and efficient way for Web browsers to determine whether a Secure Sockets Layer (SSL) or user certificate is still valid or has been revoked. Generally, when a browser initiates an SSL session, OCSP servers receive a query to check to see if the certificate in use is valid. Likewise, when a user initiates actions such as smartcard logon, VPN access or Web authentication, OCSP servers check the validity of the user certificate that is presented. OSCP servers are operated by Certificate Authorities, and VeriSign is the world's leading Certificate Authority.

[SNIP] VeriSign is the EV SSL Certificate provider of choice for more than 10,000 Internet domain names, representing 74 percent of the entire EV SSL Certificate market worldwide.

(In the above, I've snipped the self-serving marketing and one blatant misrepresentation.)

Certificates are static statements. They can be revoked, but the old design of downloading complete lists of all revocations was not really workable (some CAs ship megabyte-sized lists). We now have a new thing whereby if you are in possession of a certificate, you can do an online check of its status, called OCSP.

The fundamental problem with this, and the reason why it took the industry so long to get around to making revocation a real-time thing, is that once you have that architecture in place, you no longer need certificates. If you know the website, you simply go to a trusted provider and get the public key. The problem with this approach is that it doesn't allow the CA business to sell certificates to web site owners. As it lacks any business model for CAs, the CAs will fight it tooth & nail.

Just another conundrum from the office of security Kafkaism.

Here's another one, this time from the world of code signing. The idea is that updates and plugins can be sent to you with a digital signature. This means variously that the code is good and won't hurt you, or someone knows who the attacker is, and you can't hurt him. Whatever it means, developers put great store in the apparent ability of the digital signature to protect themselves from something or other.

But it doesn't work with Blackberry users. Allegedly, a Blackberry provider sent a signed code update to all users in United Arab Emirates:

Yesterday it was reported by various media outlets that a recent BlackBerry software update from Etisalat (a UAE-based carrier) contained spyware that would intercept emails and text messages and send copies to a central Etisalat server. We decided to take a look to find out more.

...
Whenever a message is received on the device, the Recv class first inspects it to determine if it contains an embedded command — more on this later. If not, it UTF-8 encodes the message, GZIPs it, AES encrypts it using a static key (”EtisalatIsAProviderForBlackBerry”), and Base64 encodes the result. It then adds this bundle to a transmit queue. The main app polls this queue every five seconds using a Timer, and when there are items in the queue to transmit, it calls this function to forward the message to a hardcoded server via HTTP (see below). The call to http.sendData() simply constructs the POST request and sends it over the wire with the proper headers.

Oops! A signed spyware from the provider that copies all your private email and sends it to a server. Sounds simple, but there's a gotcha...

The most alarming part about this whole situation is that people only noticed the malware because it was draining their batteries. The server receiving the initial registration packets (i.e. “Here I am, software is installed!”) got overloaded. Devices kept trying to connect every five seconds to empty the outbound message queue, thereby causing a battery drain. Some people were reporting on official BlackBerry forums that their batteries were being depleted from full charge in as little as half an hour.

So, even though the spyware provider had a way to turn it on and off:

It doesn’t seem to execute arbitrary commands, just packages up device information such as IMEI, IMSI, phone number, etc. and sends it back to the central server, the same way it does for received messages. It also provides a way to remotely enable/disable the spyware itself using the commands “start” and “stop”.

There was something wrong with the design, and everyone's blackberry went mad. Two points: if you want to spy on your own customers, be careful, and test it. Get quality engineers on to that part, because you are perverting a brittle design, and that is tricky stuff.

Second point. If you want to control a large portion of the population who has these devices, the centralised hierarchy of PKI and its one root to bind them all principle would seem to be perfectly designed. Nobody can control it except the center, which puts you in charge. In this case, the center can use its powerful code-signing abilities to deliver whatever you trust to it. (You trust what it tells you to trust, of course.)

Which has led some wits to label the CAs as centralised vulnerability partners. Which is odd, because some organisations that should know better than to outsource the keys to their security continue to do so.

But who cares, as long as the work flows for the consultants, the committees, the HSM providers and the CAs?

Audits IV - How many rotten apples will spoil the barrel?

In the previous post on Audits (1, 2, 3) I established that you yourself cannot determine from the outside whether an audit is any good. So how do we deal with this problem?

We can take a statistical approach to the investigation. We can probably agree that some audits are not strong (the financial crisis thesis), and some are definitely part of the problem (Enron, Madoff, Satyam, Stanford) not the solution. This rules out all audits being good.

The easy question: are all audits in the bad category, and we just don't know it, or are some good and some bad? We can rule out all audits being bad, because Refco was caught by a good audit, eventually.

So we are somewhere in-between the extremes. Some good, some bad. The question then further develops into whether the ones that are good are sufficiently valuable to overcome the ones that are bad. That is, one totally fraudulent result can be absorbed in a million good results. Or, if something is audited, even badly or with a percentage chance of bad results, some things should be improved, right?

Statistically, we should still get a greater benefit.

The problem with this view is that we the outside world can't tell which is which, yet the point of the audit is to tell us: which is which. Because of the intent of the audit -- entering into the secrets of the corporate and delivering a judgment over the secrets -- there are no tools for us to distinguish. This is almost deliberate, almost by definition! The point of the audit is for us to distinguish the secretively good from the secretively bad; if we also have to distinguish amongst the audits, we have a problem.

Which is to say, auditing is highly susceptible to the rotten apples problem: a few rotten apples in a barrel quickly makes the whole barrel worthless.

How many is a few? One failed audit is not enough. But 10 might be, or 100, or 1% or 10%, it all depends. So we need to know some sort of threshold, past which, the barrel is worthless. Once we determine that some percentage of audits above the threshold are bad, all of them are dead, because confidence in the system fails and all audits become ignored by those that might have business in relying on them.

The empirical question of what that percentage would be is obviously a subject of some serious research, but I believe we can skip it by this simple check. Compare the threshold to our by now painfully famous financial crisis test. So far, in the financial crisis, all the audits failed to pick up the problem (and please, by all means post in comments any exceptions! Anonymously is fine!).

Whatever the watermark for general failure is, if the financial crisis is any guide, we've probably reached it. We are, I would claim, in the presence of material evidence that the Audit has passed the threshold for public reliance. The barrel is rotten.

But, how did we reach this terrible state of affairs? How could this happen? Let's leave that speculation for another post.

(Afterword: Since the last post on Audit, I resigned my role as Auditor over at CAcert. This moves me from slightly inside the profession to mostly outside. Does this change these views written here? So far, no, but you can be the judge.)

Bullion and Bandits: The Rise and Fall of Another Visionary

(Lynn and RAH point to) an article on the sad declines of e-gold, which I was involved with in some sense back in the period 1998 to 2000.

Bullion and Bandits: The Improbable Rise and Fall of E-Gold

Following his story, the picture that emerges of Jackson is not a portrait of a calculating criminal. Rather it is one of a naive visionary who thought his dream was bigger than any financial regulations, who got in over his head, and who finally struggled, too late, to make up for his missteps.

“There was no indication at all that anyone had a problem with what he was doing,” says Richard Timberlake, a former economics professor at the University of Georgia and author of several books on U.S. banking. Timberlake visited Jackson at his E-Gold office in 1997 and vouches for Jackson’s innocent intentions. “He was always very honest and very forthright in what he was trying to do as a business. Even the Federal Reserve believed it was legitimate.”

Well, in 1997, and indeed up until the end of 1999, it was indeed easy to believe that all was good. As we entered into 2000, the signs started popping up, and by the middle of that year, they were everywhere. It was this inability to deal with the changing makeup of the business, while always standing firm to the 1997 business model, that sewed the seeds of disaster.

It is possible to say, "naive visionary." It's also necessary to say, "responsible director." Which is, at its core, the Founder's paradox: we need that Founder to get us this far, pass the unbeatable odds, beat the regs, bash the naysayers.

Then, when he's done his job, how do we ease him aside to start running the business, as a business, and not as a mission from God?

As Jackson envisioned it, E-Gold was a private, international currency that would circulate independent of government controls, and stand impervious to the market’s highs and lows. Brimming with evangelical enthusiasm, Jackson proclaimed it a cure for the modern monetary system’s ills and described it at one point as “an epochal change in human destiny” and “probably the greatest benefit to humanity that’s ever been thought of.”...

Over the next few years, Jackson drained his retirement accounts, sold his medical practice and charged credit cards to raise more than $1 million to nurture the fledgling venture. Cynics might have considered him just another internet hustler looking to strike it rich, but those who knew him say he was a true believer. “He truly thinks that having a gold-backed currency is what’s needed in the world,” says James Clement, a libertarian attorney who met Jackson in 2003. “I don’t think anyone would have stuck with it … other than that he thinks it’s extremely important and somebody has to do this.”

Something like that. We stuck with him (and really, many many of us committed a great deal to the community!) because it was a truly great idea, and he'd done the hard work to get it off the ground. We left when it became clear that Jackson's visionary focus was going to take e-gold to disaster.

Jackson, who’d hocked his future to start E-Gold, now faced the potential of a federal prison term. He was frustrated and confused.

“It never crossed my mind that anyone could seriously want people like us in prison,” he says. “But I guess my bigger fear was that we would go bankrupt, and there would be a train wreck of people that had trusted value to us who couldn’t get their money.”

The worst part about it is that we were right, he was wrong, and the world lost the benefit of his great, original vision.

The financial innovations that came out of the 1990s were extraordinary, and e-gold was one of them. Now they are all confined to the history books, perhaps with little footnotes such as "with this, the financial crisis might have been averted." Oh well. Learning is not humanity's strong suit.

Auditor(s) to be held to account? - CardSystems and Savvis

Duane points to a Wired report that Savvis has been sued (also /., 1, 2). Savvis was the Auditor of the ill-fated payments operator CardSystems that was breached heavily, lost huge amounts of privacy data, and went bankrupt.

This is significant. The audit business has invaded the IT field, now dominating the quality aspects with a stamp of approval over security and governance of all forms. I'm in one myself (at least today, not sure about tomorrow). The way it works is that we check the systems according to some metrics like criteria, management's disclosures, and other things that are called variously best practices (worst case) or common sense (better) or core competences (best case). Then we write up an opinion. Then others attempt to use that opinion in some sense or other:

When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor’s report.

In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.

The problem arises when something goes wrong -- see last week's post on the inverted pyramid. Is the auditor responsible for failure, and how much? The issue is murky, and here are two extremes:

One view has it that the auditor's opinion is relied upon by others and that this is a fiduciary responsibility before the courts, deriving from the history and tradition of financial audits. These latter hold a privileged place in the legal system; others can rely on audits over financial statements, and they can sue the auditor if there were issues. This then applies to systems audits.

A completely contrary view is that the auditor provides a useful service for whoever asks for it, and writes a limited opinion to that person. Others rely at their peril. The opinion is written in internal language, with limitations of liability, over a snapshot of time, and would not be a sound basis for reliance. The tests are closely guarded secrets, the interpretations are interesting but not revealed, and there is absolutely no indication in the process that it is oriented to the needs of the public. That is, an audit is worth practically nothing to any outsider (and insiders don't need it because they can see what's there themselves).

My view is explored in the "Audit" series of essays (1, 2, 3). However the ultimate call may come before the judge, and whichever way it goes, I suggest it is bad news for the audit business.

“We’re at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it,” says Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania’s Wharton School who specializes in information security issues. “For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits.”

If the court rules that the auditor can be sued, and did wrong ... then the results will ripple through the field. Auditors will reach further into their bag of tricks to cover their backs, which will make audits more difficult to rely upon. This can be seen as an economic result, because likely the court's adverse ruling will break the firm that is doing the audit. No other audit firm will like that scenario of a random bankrupcy event, and we even have the data point to show it: walk the line from Arthur Andersen to Sarbanes-Oxley to the global financial crisis.

In contrast, if the court rules that the Audit cannot be relied upon, then it is game over. Once a court rules that the process is not to be relied upon, then relying parties don't need it. The audit business collapses. Maybe we need to change jobs before the exodus...

Have the accountants sold out?

Gunnar points to an interview that echos my "Audit" series (1, 2, 3). This time from Charlie Munger:

Grundfest: As we look at the current situation, how much of the responsibility would you lay at the feet of the accounting profession?

Munger: I would argue that a majority of the horrors we face would not have happened if the accounting profession developed and enforced better accounting. They are way too liberal in providing the kind of accounting the financial promoters want. They’ve sold out, and they do not even realize that they’ve sold out.

Grundfest: Would you give an example of a particular accounting practice you Find problematic?

Munger: Take derivative trading with mark-to-market accounting, which degenerates into mark-to-model. Two firms make a big derivative trade and the accountants on both sides show a large profit from the same trade.

Grundfest: And they can’t both be right. But both of them are following the rules.

Munger: Yes, and nobody is even bothered by the folly. It violates the most elemental principles of common sense. And the reasons they do it are: (1) there’s a demand for it from the financial promoters, (2) fixing the system is hard work, and (3) they are afraid that a sensible fix might create new responsibilities that cause new litigation risks for accountants.

Yeah, I just copied Gunnar's post (including the crazy "Fi" HTML artifact!). Except this bit:

This situation is very comparable to what happens in when auditors interview infosec. Auditor asks -do you have a firewall? Infosec says yes. Check.

Its too bad but assumptions of yesteryear lead to building things on shaky foundations.

The full interview is worth reading!

The Inverted Pyramid of Identity

Let's talk about why we want Identity. There appear to be two popular reasons why Identity is useful. One is as a handle for the customer experience, so that our dear user can return day after day and maintain her context.

The other is as a vector of punishment. If something goes wrong, we can punish our user, no longer dear.

It's a sad indictment of security, but it does seem as if the state of the security nation is that we cannot design, build and roll-out secure and safe systems. Abuse is likely, even certain, sometimes relished: it is almost a business requirement for a system of value to prove itself by having the value stolen. Following the inevitable security disaster, the business strategy switches smoothly to seeking who to blame, dumping the liability and covering up the dirt.

---

Users have a very different perspective. Users are well aware of the upsides and downsides, they know well: Identity is for good and for bad.

Indeed, one of the persistent fears of users is that an identity system will be used to hurt them. Steal their soul, breach their privacy, hold them to unreasonable terms, ultimately hunt them down and hurt them, these are some of the thoughts that invasive systems bring to the mind of our dear user.

This is the bad side of identity: the individual and the system are "in dispute," it's man against the machine, Jane against Justice. Unlike the usage case of "identity-as-a-handle," which seems to be relatively well developed in theory and documentation, the "identity-as-punishment" metaphor seems woefully inadequate. It is little talked about, it is the domain of lawyers and investigators, police and journalists. It's not the domain of technologists. Outside the odd and forgettable area of law, disputes are a non-subject, and not covered at all where I believe it is required the most: marketing, design, systems building, customer relations, costs analysis.

Indeed, disputes are taboo for any business.

---

Yet, this is unsustainable. I like to think of good Internet (or similar) systems as an inverted pyramid. On the top, the mesa, is the place where users build their value. It needs to be flat and stable. Efficient, and able to expand horizontally without costs. Hopefully it won't shift around a lot.

Dig slightly down, and we find the dirty business of user support. Here, the business faces the death of a 1000 tiny support cuts. Each trivial, cheap and ignorable, except in the aggregate. Below them deeper down are the 100 interesting support issues. Deeper still, the 10 or so really serious red alerts. Of which one becomes a real dispute.

The robustness of the pyramid is based on the relationship between the dispute at the bottom, the support activity in the middle, and the top, as it expands horizontally for business and for profit.

Your growth potential is teetering on this one thing: the dispute at the apex of the pyramid. And, if you are interested in privacy, this is the front line, for a perverse reason: this is where it is most lost. Support and full-blown disputes are the front line of privacy and security. Events in this area are destroyers of trust, they are the bane of marketing, the nightmare of PR.

Which brings up some interesting questions. If support is such a destroyer of trust, why is it an afterthought in so many systems? If the dispute is such a business disaster, why is resolution not covered at all? Or hidden, taboo? Or, why do businesses think that their dispute resolution process starts with their customers' identity handles? And ends with the lawyers?

---

Here's a thought: If badly-handled support and dispute events are leaks of privacy, destroyers of trust, maybe well-handled events are builders of trust? Preservers of privacy?

If that is plausible, if it is possible that good support and good dispute handling build good trust ... maybe a business objective is to shift the process: support designed up front, disputes surfaced, all of it open? A mature and trusted provider might say: we love our disputes, we promote them. Come one, come all. That's how we show we care!

An imature and unstrusted provider will say: we have no disputes, we don't need them. We ask you the user to believe in our promise.

The principle that the business hums along on top of an inverted pyramid, that rests ultimately on a small powerful but brittle apex, is likely to cause some scratching of technophiliac heads. So let me close the circle, and bring it back to the Identity topic.

If you do this, if you design the dispute mechanism as a fully cross-discipline business process for the benefit of all, not only will trust go positive and privacy become aligned, you will get an extra bonus. A carefully constructed dispute resolution method frees up the identity system, as the latter no longer has to do double duty as the user handle *and* the facade of punishment. Your identity system can simply concentrate on the user's experience. The dark clouds of fear disappear, and the technology has a chance to work how the techies said it would.

We can pretty much de-link the entire identity-as-handles from the identity-as-punishment concept. Doing that removes the fear from the user's mind, because she can now analyse the dispute mechanism on its merits. It also means that the Identity system can be written only for its technical and usability merits, something that we always wanted to do but never could, quite.

(This is the rough transcript of a talk I gave at Identity & Privacy conference in London a couple of weeks ago. The concept was first introduced at LexCybernetoria, it was initially tried by WebMoney, partly explored in digital gold currencies, and finally was built in
CAcert's Arbitration project.)

Are the "brightest minds in finance" finally onto something?

[Lynn writes somewhere else, copied without shame:]

A repeated theme in the Madoff hearing (by the person trying for a decade to get SEC to do something about Madoff) was that while new legislation and regulation was required, it was much more important to have transparency and visibility; crooks are inventive and will always be ahead of regulation.

however ... from The Quiet Coup:

But there's a deeper and more disturbing similarity: elite business interests -- financiers, in the case of the U.S. -- played a central role in creating the crisis, making ever-larger gambles, with the implicit backing of the government, until the inevitable collapse. More alarming, they are now using their influence to prevent precisely the sorts of reforms that are needed, and fast, to pull the economy out of its nosedive. The government seems helpless, or unwilling, to act against them.

From The DNA of Corruption:

While the scale of venality of Wall Street dwarfs that of the Pentagon's, I submit that many of the central qualities shaping America's Defense Meltdown (an important new book with this title, also written by insiders, can be found here) can be found in Simon Johnson's exegesis of America's even more profound Financial Meltdown.

... and related to above, Mark-to-Market Lobby Buoys Bank Profits 20% as FASB May Say Yes:

Officials at Norwalk, Connecticut-based FASB were under "tremendous pressure" and "more or less eviscerated mark-to-market accounting," said Robert Willens, a former managing director at Lehman Brothers Holdings Inc. who runs his own tax and accounting advisory firm in New York. "I'd say there was a pretty close cause and effect."

From Now-needy FDIC collected little in premiums:

The federal agency that insures bank deposits, which is asking for emergency powers to borrow up to $500 billion to take over failed banks, is facing a potential major shortfall in part because it collected no insurance premiums from most banks from 1996 to 2006.

with respect to taxes, there was roundtable of "leading expert" economists last summer about current economic mess. their solution was "flat rate" tax. the justification was:

1. eliminates possibly majority of current graft & corruption in washington that is related to current tax code structure, lobbying and special interests
2. picks up 3-5% productivity in GNP. current 65,000 page taxcode is reduced to 600 pages ... that frees up huge amount of people-hrs in lost productivity involved in dealing directly with the taxcode as well as lost productivity because of non-optimal business decisions.

their bottom line was that it probably would only be temporary before the special interests reestablish the current pervasive atmosphere of graft & corruption.

a semi-humorous comment was that a special interest that has lobbied against such a change has been Ireland ... supposedly because some number of US operations have been motivated to move to Ireland because of their much simpler business environment.

with respect to feedback processes ... I (Lynn) had done a lot with dynamic adaptive (feedback) control algorithms as an undergraduate in the 60s ... which was used in some products shipped in the 70s & 80s. In theearly 80s, I had a chance to meet John Boyd and sponsor his briefings. I found quite a bit of affinity to John's OODA-loop concept (observe, orient, decide, act) that is now starting to be taught in some MBA programs.

... and then granny loses her house!

A canonical question in cryptography was about how much money you could put over a digital signature, and a proposed attack would often end, "and then Granny loses her house!" It might be seen as a sort of reminder that the crypto only went so far, and needed to be backed by institutional support for a lot of things.

And now comes Darren with news that Granny is losing her house, proverbially at least. In a somewhat imprecise article (written by a lawyer?) in the Times:

... The ingenuity of the heists carried out ranges from “selling” property they do not own to “buying” property at inflated valuations and making off with the difference.

Critical to many of these scams is the use of stolen identities. According to many solicitors specialising in the field, the key context for the problem was the dash into deregulation and e-commerce earlier this decade.

“There was a view throughout the profession that the abolition of documents of title and reliance upon electronic records would contribute to fraud. And so it has proved,” Samson says. “All this information is open to view through the internet so a fraudster can see exactly who owns a property, assume his or her identity and then sell it.”

While this may sound absurd for owner-occupied homes, it is all too easy, for example, with vacant properties. “What’s more the rightful owner won’t even know that it has happened,” he adds.

So the basic fraud appears to be: find a property that is not cared for by its owner. Assume the owner's identity. Sell it. Or,

To put the hat on what seems a complete botch-up by lawmakers and regulators, the effect of the Land Registration Act 2002 was that the fraudulent purchasers are given a legal title to their “purchase”. “If the fraudster succeeds in having title registered in his name he can mortgage the property,” Samson says. “The true owner may be able to have the transfer to the fraudster reversed by rectification but he will still take the property subject to the mortgage.”

buy it! Now, within that article, there is no shortage of soliciters saying "we told you so!" But the real systemic causes of this fraud will need more digging. We can guess what the first cause is: identify theft. That is, high levels of dependency on the fictitious notion of identity as a protector of security. Yes, that will always get you, and it will likely take another decade before the British populace lose their current faith in identity.

The second cause however is more subtle. As pointed out by Eliana Morandi in a 2007 article, "The role of the notary in real estate conveyancing," problems like that do not happen in continental Europe (see _Digital Evidence and Electronic Signature Law Review," 2007). What's the difference? Whereas the English common law system requires each party to have independent representation, the continental system requires one party, the notary to secure the entire deed for both the buyer and seller. And take the full responsibility, so issues such as this are solved easily:

In cases where, for example, a lender whose mortgage is being paid off has no lawyer, the conveyancer may face claims for having not fully observed the Land Registry’s practice guide. And instead of the Land Registry paying compensation, it will look to the solicitors to reimburse the victims.

Warren Gordon, of Olswang, who sits on the Law Society’s conveyancing and land law committee, protests that it is unrealistic to expect solicitors to do a comprehensive check on someone who is not their client. “It’s unfair to put all the risk on the solicitor, including asking him or her to sign off on the identity of someone he or she does not act for,” he says.

Meanwhile, Paul Marsh, president of the Law Society, points the finger instead at the bankers who are providing fraudsters with the funds to perpetrate their dodgy deals. “At the top end we see vast bonuses being paid to bankers at board level for what turn out to be disastrous investments, while at the grass roots local bankers are under pressure to make loans — to sell money — without even the most basic procedures in place to prevent fraud,” he says. “The banks are refusing to take responsibility for this because they know that they can pin it on the solicitors.”

The bottom line of course is which system is more efficient in the long run. The European Notary may charge more money for the perfect transaction. If the English solicitors can undercut that price, and reduce the fraud such that the result is still better, it is a good deal. Which is it? The abstract to Morandi's article gives a clue:

The role of the notary in real estate conveyancing

Eliana Morandi sets out the role of the civil law notary in the context of real estate conveyancing, illustrating how more effective and less costly it is when undertaken by civil law notaries.

(Unfortunately my copy has conveyed itself into hiding.) If fraud rises in Britain, we will need changes. Now, we've seen with the rise of identity fraud in the USA that there has been zero incentive for the players to change the way identity is used, so we can predict that the Brits will not change the registry practice. Also, the likelihood of the soliciters giving up their lucrative representational practice is pretty low.

However the complicated notarial versus solicitorial versus identity versus registry war pans out in the long run, it seems that solicitors are going to have to bear increased responsibility to check the identity of their counterparty. Perhaps they should pop into the Identity and Privacy forum, 14th 15th May over in London's Charing Cross Hotel? Probably a bargain if it saves them from granny's wrath.

Audits III: we don't know enough even to know what we don't know

Are Audits going to help at all? Are they worth the cost? Are they part of the problem or can they be part of the solution? Originally, I claim they can help, especially for an organisation that has never been audited. That's my experience of one data point. But that's surely not sufficient, we need more. We need to know whether we can rely on these things, we need to know how to rely on these things, and when. And in the aftermath of the failure of Sarbanes-Oxley, we need to dismiss the easy answer of "we'll all just work harder."

In short, we need to know what it is we do know. Here is my view: we don't know enough.

Let's see if I can sustain that claim. If we read through the background of the cases of failure before us, whether Madoff, Satyam, Bear-Stearns, Lehman Brothers or all the bailouts, we will (a) find the Auditor, (b) find why he didn't pick up the failure, (c) cry foul, and say it should be like this or that, and (d) be fooled again. Why is this? We need to look beyond the superficial (tweaks like changing the auditor, rewriting the rules, or collapsing all firms down to the Big One) and go deep.

What actually do we the end-user really know about an audit? We can look at this several ways.

1. We can read the audit opinion itself. That is, read any audit report of any bank-that-then-failed, and ask yourself what it says? Try these on for size:
   • Is there any language in there tells us it is good? Or about to fail?
   • Drill further. Do the criteria used for the examination advance your interests or not? Do you understand the criteria? Can you even find the criteria?
   • Who was the audit report delivered to? If the opinion wasn't delivered to you how do you know that it is relevant to you?
   • Are the opinions summarised, are critical disclaimers included?
   • Did the auditor tell the client what was to be provided, or did the client tell the auditor what was wanted? Were the terms of the examination stipulated? Where does it say that? Where does it say it wasn't?
   • Is it an audit, an opinion, a review, an attestation, or an attest? Is it a "trust service," an SAS70, or? Compatible with, or compliant with?
   • Was it a compliance audit or chosen by discretion? Almost certainly, it was a compliance audit, but what was it in compliance with? How useful is that goal to you?
   • Is there "audit language" in there that is only interpretable by another auditor? A "secret code," as it were, for other auditors?

   If you didn't quite follow the above, that is precisely the point. To cut a long story short, if you can successfully interpret an audit report, you are probably either very experienced, or in the business yourself. For the most part, the result of the audit is inscrutable to the outsider.

2. There wider business issues in the audit. Some are well known signals, frequently commented on in the press: Is the auditor too small or under-resourced to do the job? Is the auditor too big to avoid the channeled result, to avoid being locked in his box? Is the reviewer licensed by a body, tested to some standard, trained to some degree or knowledgeable through street learning? Are any of these relevant? And some are more subtle, but well understood in the industry: whether there are conflicts of interest, whether the auditor was chosen for the result, or more blatantly, whether the auditor is in pocket or for hire, or an out-and-out crook?

   Just to ask that stress that last point, I asked a mate this seemingly innocent and easy question: "how do I find a dodgy auditor for hire?" Without a moment's thought, he came back with three recommendations: examine the regulatory filings, look for suspensions, and, ask a crooked lawyer. There followed a much more detailed explanation of how these things will help, which I won't bore people with here. Suffice to say, these dirty tricks reveal the existence of auditors who are easily for hire. Hopefully, they are the exception not the rule, but how do we know?

3. It's probably also worth mentioning that the audit itself is only a very specific or narrow thing, yet most people like to think of the audit as a binary signal of saintliness. The public brand of the audit is still very good, indeed, almost unchallenged. The broader public likes to think of an audit as proof of goodliness, investment potential, security etc etc, when anyone who has been close to the situation knows that the gulf between perception and reality is so wide as to be at least wrong, definately troubling and possibly deceptive.

   Let me explain what I mean by that point. Auditors if pressed will reveal that their opinion is strictly limited by a number of caveats. Indeed, the opinion is rendered over layers of indirection, such as the management's procedures rather than the assets in question. See point 1 above. However, Auditors will not press home the real conclusions: you yourself do not understand it, nor will you spot when it is no longer useful to you. Meanwhile, those same Auditors are happy to let you believe as the wider public that the audit is a singular, all encompassing stamp of goodliness.

   In short, the Audit profession benefits by letting you believe in one very broad and saintly brand, but acts to reduce the scope of the result so far as to make that brand non-representative. To use a polite term, you understand ... the point to fixate on here is not why it is like this, or how far it is from the truth, but that this may explain why you don't really appreciate the limits of audit, let alone understand them.

My claim in today's post then is that the user cannot tell whether an audit is any use or not. Which audit is good for you, and which not, even if good for others? Which audit is good, and which is plain bad? The crux of the matter is that you yourself cannot tell what any of those pronouncements mean, unless you are an insider. You don't know whether you can rely, when to rely or how to rely.

Instead, you are offered a promise of a verified obscurity, within the comfort of a wonderful brand. In this situation, although there is a vague promise of positive results, there are also far too many circumstances in which the results can be positive for others, while negative for you, so obfuscated and confused as to be worthless, or, even as far as downright fraudulent. You will never know, and indeed, you probably can never know.

To put it in terms of the popular security media, the Audit is fully compliant with security-by-obscurity. In the security world, we would say that a tool designed to that standard is generally brittle. Once cracked, it often fails completely, and badly. This is because, although the obscurity gave a measure of protection, that same obscurity hid other weaknesses which could have been easily fixed. For that reason, we in the security field do not advise security-by-obscurity.

What that does to the concept of reliance on Audits is left for another post!

Audits II: Two more scary words: Sarbanes-Oxley

In the last post on audit, I raised the possibility that we need some fixes to the audit process, rather than just following some journo's best practices list ("use a big-4 auditor"). Is it then a possibility to rewrite the regime, to create a tougher approach? If we look a little deeper in history, we find the answer:

No, we already tried it. Say hello to two more scary words: Sarbanes-Oxley. Recall that this was a huge project by the Congress of the USA to rewrite the entire auditing requirement for public companies. It was deliberately and carefully done in the aftermath of the collapse of audited-but-unauditable Enron.

In Sarbanes-Oxley, no stone was left un-turned, no leaf un-renewed. The noble profession of Financial Auditors had, post-Enron, plenty of incentive to improve their game. Sarbanes-Oxley was written at the behest of the auditing industry. They asked for it, and they got it, cost regardless. It more or less doubled the size of the public audit.

Indeed, Sarbanes-Oxley was so fierce that, by some lights, it killed the international market for Wall Street IPOs! Given all this substantial work, and substantial cost, the paying public might therefore expect that Sarbanes-Oxley must have done some good. Fair enough?

Certainly, there have been many reports of "stronger, better" but this is one of those questions that is hard to measure objectively because we cannot run proper tests. However, we do now have would could be considered to be a highly indicative test: the financial crisis.

Let's check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?

No. Not one, not even a single one!

Yet, the basic failures in the financial crisis are so blatant that surely, even by accident at least one audit should have picked up at least one pending failure, and fixed it? No, not one, known to date. At least, as far as I know, and we should probably wait a few years before writing the final judgment. Post any examples in comments! (And yes, for the record, we are ignoring all of the regulators, central banks, finance committees, rating agencies and other checks and balances that also apparently came to nought.)

Can we pronounce the financial audit as bankrupt by its own measures? In theory, the audit should have picked up these failures, all of them. Consider this case-in-point, to prove that the theory works: the enhanced audit required on public listing did in fact pick up the Refco fraud that led quickly to its failure, and the near-failure of Bawag, a big bank in Austria that participated in the fraud. (The sorry fool who found the fraud was fired for his troubles, and only later did his reports filter out and cause questions that ultimately forced the fatal result.)

The audit theory works, then, in some sense or other. Manifestly, audits didn't work for the financial crisis. And, they so didn't work after that so-huge rewrite called Sarbanes-Oxley, that we can conclude that mere improvement is completely off the agenda.

Questions arise. And, this time they are serious, more serious than post-Enron. This time the questions cannot be answered from within, but only from without. By us, the paying public. The questions before us could be considered like this:

Why did the audit not work in practice? For the financial crisis?

Are audits delivering a benefit?

Is the benefit of audits in excess of their cost?

Are audits part of the problem rather than the solution?

What do we do about it?

In order to answer that, we need more information. What is it that we really know about that audit? That's the subject of the next post.

"No, you don't understand sheep"

Sometimes I slave over a hot keyboard for an entire weekend to get a point across. With elegant arguments, carefully constructed logic, and a full path from beginning to end. Integrated across 3 separate disciplines. If I get to QED in less than 3 pages, I'm happy!

And then Gunnar comes along and says:

A teacher asks the class, 'If there are nine sheep in the pen and one jumps out, how many are left?'

A little girl says, 'None of them are left.'

The teacher shakes her head sadly and says, 'You don't understand arithmetic.'

The girls says, 'No, you don't understand sheep.'

Audits I: A Word on the Limits -- Madoff

I had been meaning to write something on audits when this dropped into the email box from Bruce Schneier, late last year, which gave me the perfect opening:

How to Prevent Digital Snooping

[snip]
What these three incidents illustrate is not that computerized databases are vulnerable to hacking -- we already knew that, and anyway the perpetrators all had legitimate access to the systems they used -- but how important audit is as a security measure.
...
Most security against crime comes from audit. Of course we use locks and alarms, but we don't wear bulletproof vests. The police provide for our safety by investigating crimes after the fact and prosecuting the guilty: that's audit.

Audit helps ensure that people don't abuse positions of trust. The cash register, for example, is basically an audit system. Cashiers have to handle the store's money. To ensure they don't skim from the till, the cash register keeps an audit trail of every transaction. The store owner can look at the register totals at the end of the day and make sure the amount of money in the register is the amount that should be there.

Bruce Schneier presents the positive, classical case for Auditing fairly well. Audits can help, especially operations that have never been audited, which receive what amounts to a serious kick in the behind.

But, and switching away from Schneier's "world without Audit" context to the financial world, it is fairly clear that the Audit has limits. Here's a word on those limits: *Madoff*. A reasonable question would be, if Audit can save us from bad stuff, why didn't it save us from Madoff? Some apparent or alleged facts from that case:

1. The crime had been running for years, with Madoff himself admitting that the fund was technically bankrupt for years. Allegedly.
2. It was the most basic fraud of all: funds that were used to pay out retiring investors did not exist, and instead were being transferred from new investors. E.g., we are talking about the Numbero Uno, Absolute First Thing that a financial audit should check: solvency.
3. There was an auditor.
4. The Auditor spotted nothing.
5. The SEC likewise spotted nothing.
6. Investors spotted nothing, at least the ones that invested didn't and those that did said little.

(Note, I wrote this about a month ago, and we probably know more now... hopefully I haven't missed something key. Anyway, journalistic standards being pretty low these days, onwards and upwards!)

All these claims, alleged or claimed or assumed or otherwise, have to give pause for thought.

What's truly scary about Madoff is that when you talk to people who were ripped off you think, there but for the grace of God goes me.

Professionals feel the same way.

This from the president of a fund of fund business: "Every time one of these frauds is discovered I get scared to death it could happen to us. We do lots of things to try to ensure it doesn't, such as checking and confirming auditors and auditor changes, using a private investigator to check on managers when we first invest and the having the PI annually update the file, trying to find references which are not on someone's reference list, etc." If big investors like these could be fooled, he said, anybody can be fooled.

Audits can help, and I do one myself. It helps, I claim, and I document some of the effects. Yet we clearly have problems, there are many flaws. For example, some will say, Madoff happened because it wasn't a big auditor:

"Clearly everyone believed that someone else had done the due diligence. And by relying on some small firm that Madoff employed rather than a big independent auditor was clearly a mistake," said one person who asked not to be identified because several clients lost money with Madoff and he was not permitted to speak publicly.

If you believe that, then I have an audited bridge to sell you. There is something more endemic and more core going on here, and the answer to this is likely not as trivial as "use a big 4 auditor." Indeed, we can knock that one on the head, comprehensively, with one single fearsome word: Enron. Followed by two more scary words: Arthur Andersen.

The world's oldest and most prestigious Auditor collapsed because of the audit failure with Enron. But, for the real result in this, and what happened after those fearsome events, let's slice some more scary words off to another post.

Who would judge a contest for voting machines?

In a previous entry I suggested creating an AES-style competition for automated voting systems. The idea is to throw the design open to the world's expertise on complex systems, including universities, foundations and corporates, and manage the process in an open fashion to bring out the best result.

Several people said "Who would judge a contest for voting machines?" I thought at first blush that this wasn't an issue, but others do. Why is that? I wonder if the AES experience surfaced more good stuff than superficially apparent?

If you look at the AES competition, NIST/NSA decided who would be the winner. James points out in comments that the NSA is indeed competent to do this, but we also know that they are biased by their mission. So why did we trust them to judge honestly?

In this case, what happened is that NIST decided to start off with an open round which attracted around 30 contributions, and then whittled that down to 5 in a second round. Those 5 then went forward and battled it out under increased scrutiny. Then, on the basis of the open scrutiny, and some other not-so-open scrutiny, the NSA chose Rijndael to be the future AES standard.

Let's hypothesize that the NSA team had a solid incentive to choose the worst algorithm, and were minded to do that. What stopped them doing it?

Several things. Firstly, there were two rounds, and all the weaker algorithms were cleaned out in the first round. All of the five algorithms in the second round were more or less "good enough," so the NSA didn't have any easy material to work with. Secondly, they were up against the open scrutiny of the community. So any tricky choice was likely to cause muttering, which could spread mistrust in the future, and standards are susceptible to mistrust. Thirdly, by running a first round, and fairly whittling the algorithms done on quality, and then leading into the second round, NIST created an expectation. Positively, this encouraged everyone to get involved, including those who would normally dismiss the experiment as just another government fraud, waiting to reveal itself. At a more aggressive extreme, it created a precedent, and this exposed the competition to legal attack later on.

These mechanisms worked hand in hand. Probably, either alone was not sufficient to push the NSA into our camp, but together they locked down the choices. Once that was done, the NSA saw its natural incentives to cheat neutered by future costs and open scrutiny. As it no longer could justify the risk of cheating, its best strategy was to do the best job, in return for reputation.

The mechanism design of the competition created the incentives for the judge to vote how we wanted -- for the best algorithm -- even if he didn't want to.

So, we can turn the original question around. Instead of asking who would judge such a competition, design a mechanism such that we don't care who would judge it. Make it like the AES competition, where even if they had wanted to, the NSA's best strategy was to choose the best. Set yourself a challenge: we get the right result even when it is our worst enemy.

Success has many fathers, but failure has the US taxpayer

The USA financial mess was seen taking a brief pause, with almost 24 hours going by without another new world record in greatest failures ever. Morgan Stanley gamely held on ... But even as we speak, they are preparing the mother of all bailouts. It's the weekend, of course, and recent tradition has it that only on Sundays is it right to sell the free market. Or something.

Since the crisis began more than a year ago, the Treasury and Federal Reserve have already put nearly $1 trillion of taxpayer money on the line to help credit flows, while banks have suffered more than $500 billion of write-downs and loan losses.

A trillion here, 500 billion there. 700 billion by Monday? Pretty soon we'll be talking about real money.

The deficit for this budget year, which ends on Sept. 30, is expected to rise to $407 billion, a figure that is more than double the $161.5 billion imbalance for 2007, reflecting what the economic slowdown and this year's $168 billion economic stimulus program are already doing to the government's books. And that forecast doesn't include the $200 billion the administration committed to spending two weeks ago when it took over the nation's two biggest mortgage companies, Fannie Mae and Freddie Mac.

And it doesn't have any of the $700 billion the administration is seeking to soak up the bad mortgage-backed securities that have been at the heart of the severe credit crisis the country has been struggling with since August 2007. The legislation Congress passed this summer that gave the authority to rescue Fannie and Freddie boosted the limit on the national debt by $800 billion to $10.6 trillion.

Frankly, writing about the financial scene right now is trivially easy -- any number of sage saying will ring true. But, writing is also pointless, as the flood of diatribe might entertain us, but does nothing to take us forward.

Well, maybe it's the grief thing: we need this time to wail and gnash over lost innocence and easy profits. We seem to be in the bargaining phase, as Ben Bernanke and Henry Paulson tell various leaders, great and good, to move forward, sign the (blank) cheque and accept the master you all know you need.

In an ideal world, we could skip the depression and move onto acceptance, and rebuilding. How to rebuild? The answer to that question requires a very deep understanding of what is wrong, first and foremost. As I described earlier, I believe the failure syndrome is one of an overly complex system, in which each component works in isolation, but is too complex to analyse externally. Especially, building upwards on this shaky foundation is not safe, but continues nonetheless.

(If, by way of your example, you believe the problem is something else, you are not going to subscribe to the following. That's ok, because in the blogosphere, we still retain a free market in ideas, if little else.)

---

Onwards. Financial cryptography exists to reduce that complexity. One of the emerging results of financial cryptography, in all its various guises, is that the simple component is the stronger one, and the only sound basis for building to the next layer. We can build higher if we aggressively simplify the lower layers.

Let's present an example, one from Ricardo, which isn't the only system to employ these strategies, just the one I did and therefore is easier to present (another is Lynn's x9.59).

In this system, we use a thing called triple entry bookkeeping, which is digitally signed transactions stored in three places: yours, mine and the repository. Because the transactions are digitally signed and because there are 3 independently administered copies, and because all are equivalent (students of digital evidence take note) there is a very strong foundation on which to build the next layer. It might not be the best way to do transactions, per se (all those extra copies! all that superflous crypto-cycling! no two-phase commits!) but it does present the strongest foundation known to the upper layers.

So much so, that triple entry does for external accounting what double entry did for internal accounting 700 years ago. It is for reasons like this that designs like Ricardo will eventually change the financial system: they create building blocks that can be built on, and will support a massive weight, unlike the the current benchmark of cinder blocks of reinforced air.

When this system was presented to the SEC, someone at the meeting called it the third rail, which is finance-geek talk for the silver bullet. Ben Bernanke probably won't remember (he was there), but the point of this sophistication is an aggressive simplification: by knowing we can rely on every transaction being solidly recorded, we can move up to the next layer. Which we did; the whole system was really intended to resolve many of the uncertainties in today's trading, not just the lower layer accounting.

---

Which then raises the real question: why the innovations in FC (the above one, and for further example, the so-called blinding formula and its three orders of cost-reduction, or naked transactions de-risking strategies, or ...) did not move forward? I believe the answer is found, again, in the complexity of each incumbent building block.

Incumbents favour complexity. More complexity means more jobs, which finds more favour. Complexity means that while it takes a long time to learn it all, once you get there, you are safer. It requires extraordinary minds to understand it all, and that makes you feel good about yourself, and helps you to lord it over the rest. It gives plenty of flexibility to deliver complex claims, and cover them up when they go wrong.

In fact, it is rather hard to find a good reason not to make something complex. That's because all of these things are good for incumbents, and terrible for everyone else, and nobody asks anyone else. E.g., the customer or the taxpayer is never asked, always told, and always lied to. Every one of the great reasons for complexity is a cost, a priori, with no payback. Every little complexity helps in the long run to raise our own entrenched position, inside, and create a 'tax' on the paying classes. Otherwise we wouldn't promote it.

But what is worse is that complexity hides a greater sin: what we might call complexity fraud. When everything is a mess, nobody cares if someone is stealing the garbage. Nobody will likely notice, and if indeed you are noticed, they'll likely praise you for your help! Complexity fraud is the best fraud of all, because it is a long term cash flow, it looks legal, and anyone smart enough to spot it and understand it would probably join it rather than fight it.

For example, consider the rating agencies. They are supposed to warn of credit risks. They didn't (again), until it was too late (again). Why not? Because they are mandated. Ratings have to be done for many markets, which guarantees a steady flow of revenue as long as nobody upsets the apple cart. This might have seemed like a wise move once, but it can also be seen as a fraud born of complexity: if the complex markets are too hard to understand, then we can create a rating agency that is simple to interpret. Fine. On paper, we apparently simplified it, but in practice, we removed the observation from the real complexity, and put it across to a single number system, and we created a payout for a special person. The moment it is *mandated* then the rating agency kicks back and sucks at the teat, like everyone else, as it has absolutely no interest in upsetting its relationship with the companies that pay for their rating. (Students of incentives, take note.)

And, this is why there was not so much resistance to that early 2000s evil, Sarbanes-Oxley. As long as it was done to everyone equally, everyone made more money. Everyone who was asked, that is. Accounting doubled in size, so the auditors weren't complaining. Rules doubled, too, so the high-end complexity-crooks were happy. Large banks weren't complaining because it reduced the nibbling of the smaller banks. Democrats are always happy at more regulation. Republicans are always happy to promise a safe free market. Everyone was happy.

Who lost? The end-paying public of course. Sarbanes-Oxley was a bill to ravell fraud, but it was hopeless at unravelling. Rather than stopping Enrons, we got a rabbit-like plague of them; not directly because of Sarbanes-Oxley, but because we took our eye off of the systemic mess -- well identified in the early 2000s -- and created more complexity to hide the real problems.

Technology can help. FC can simplify things; but the leadership to put in simplifications instead of complications is strangely absent in Finance, and tech can not solve that. You might not agree that this is because of the forces I outline above; but I've yet to find another compelling explanation for this observation: simplification is rarely praised, but complexity finds many friends.

reliance on security claims: what can go wrong?

One of the perpetual threads is about how to deal with users' expectations (profit!), especially when they clash with the goal of protecting their assets (governance). In one example, people are dealing with the impossibility of CA liability versus the imponderability of universal service to browser users. In another place, security researchers are mentally edging away from life-as-seller to life-as-mentor. In user interface circles, the news is likewise not good: all the efforts look good on paper, but have trouble working in measurable practice.

Just how far is the gulf between user expectations and what the infrastructure can deliver? One airline just got a lesson:

Apparently a botched news story sparked a selloff of shares of United Airlines (UAL) yesterday. It seems that, on Sunday afternoon, the South Florida Sun-Sentinel accidentally re-ran a six year old Chicago Tribune article about United filing bankruptcy. Unfortunately, there was no date associated with the story, and Bloomberg picked it up and reported it as new information shortly before 11AM yesterday.

Not surprisingly, this blunder resulted in massive selling, driving shares of UAL down 75% from a bit over $12/share to $3/share. Here’s a screenshot of the stock chart showing the precipitous drop.

The story was pulled, and United is reportedly investigating what happened. As of right now, the stock is trading at just shy of $11/share. It’s kind of scary what an errant click of the mouse can do, isn’t it?

It is pretty clear that users can be spooked by a false story. It's also clear that the degree of spooking is inversely related to the accuracy of information; the vast number of stories that are printed in the media have approximate truth in them.

What to do about this? In practice, there is little to do. Make sure that the source of the error is fixed, and, make sure it was an innocent error. But that doesn't solve the real problem, only makes sure that the one person never makes the one exact error again.

In practice, a rogue hit can always damage. So, roll out the damage control. The answer with how to deal with these totally unexpected events then is almost always "we'll look at it when it happens," and "we have damage control for that."

(The users in the above case might have other views. But for them: investment is risky, and they can always take their dispute to the courts. I'm more interested in how it would play out in a security market where courts traditionally haven't backed up the user, and the market is supposed to be non-risky by design.)

WSJ finds someone to blame.... be skeptical, and tell the WSJ to grow up.

JPM points to the tabloid for serious teenagers, the Wall Street Journal, who finds someone to blame for Fannie Mae and Freddie Mac:

There you have the Fannie Mae problem in profile. Mr. Frank wants you to pick up the tab for its failures, while he still vows to block a reform that might prevent the same disaster from happening again.

At least the Massachusetts Democrat is consistent. His record is close to perfect as a stalwart opponent of reforming the two companies, going back more than a decade. The first concerted push to rein in Fan and Fred in Congress came as far back as 1992, and Mr. Frank was right there, standing athwart. But things really picked up this decade, and Barney was there at every turn. Let's roll the audiotape:

In 2000, then-Rep. Richard Baker proposed a bill to reform Fannie and Freddie's oversight. Mr. Frank dismissed the idea, saying concerns about the two were "overblown" and that there was "no federal liability there whatsoever."

Read the whole thing, it is hilarious or sad, depending on whether you have to pick up the check. (For the latter, consider that $200bn leveraging that $5.4 trillion of expanded credit is actually a bargain!).

Yet, blaming Mr Frank is just childish. The WSJ writes as if it were Peter Pan:

Mr. Frank has had many accomplices from both parties in his protection of Fan and Fred. But he was and is among the most vociferous and powerful. In any other area of American life, this track record would get a man run out of town.

A Congressman is just a hired gun. Perhaps suspecting that adults lurk nearby, it is admitted that, if it wasn't Mr Frank, it would be someone else. Or something else. Running him out of town might make the lost boys feel better, but it changes nothing.

The core failure in the mess is as I described yesterday, and if you want to avoid collapses of this size, then there is one solution: "don't do that!" That being, in a nutshell, interfere in a market. Sometimes known as "small government" or whatever passes for the opposite of socialism these days (now that choosing capitalism is no longer trendy).

The US government has, like all other socialist enterprises, fallen for the old trick of interfering in a market, because (a) it can, and (b) it's always easy to convince people you have a good idea, if you pay them... Of course, it's not a good idea, and the real truth is the governments do not know how the markets work, almost by definition: that's why we have markets, and if government workers knew how they worked, they would get in them and make money like everyone else.

If the population of the USA decides to run a socialist housing market, then so be it. And, there seems little doubt that this is what the population of the USA wants, as the only man who wouldn't write the check, Ron Paul, got nowhere in the recent Presidential nominations.

It's your choice! Pass the hat around, and write up another mortgage application.

The Mess: looking for someone to blame?

A slightly smaller problem than this weekend's systemic risk and the US Treasury is the continuing weakness of the security of the US retail banking sector:

They are a staple of consumer-complaint hotlines and Web sites: anguished tales about money stolen electronically from bank accounts, about unhelpful bank tellers and, finally, about unreimbursed losses.

But surely customers of the elite private banking operation at JPMorgan Chase, serving only the bank’s wealthiest clients, are safe from such problems, right? Wrong, says Guy Wyser-Pratte, an activist investor on Wall Street for more than 40 years who uses his hedge fund’s war chest of roughly $500 million to wage takeover fights and proxy battles in the United States and Europe.

In May, Mr. Wyser-Pratte learned that someone had siphoned nearly $300,000 from his personal account at the private bank through many small electronic transfers over a 15-month period. Then he was told by the bank that he could stop the theft only by closing his account and opening a new one — an enormous hassle, he said. And finally, JPMorgan Chase told him that the bank would cover only $50,000 of his losses.

Just like the other scandals, we watched this one arise, and now it is here. Warnings fell on deaf ears, so we can only wonder what is the systemic cause here of this mess.

In the case of phishing, it is relatively clear. The developers believe the PKI book. The PKI people believe in the efficacy of digital signatures to prove stuff. The cryptographers believe in the perfection of mathematics, and the security world believes in the completeness of their own learning. They are all wrong, but only at the large level of generalisations, not at the detailed level of particular claims. Any one of the claims, in isolation can be shown to be true. But, generalising these brittle claims to be solid building blocks is a completely different question. Few of the claims are strong enough to partake in a general model without severe support; the general model of secure browsing is the best evidence of how it is secure in name only.

How then is it built? By accident or by design, a series of claims meet together in a holy ring of righteous architecture. Each of the proponents claim loudly that their part is strong, but the ring has no strength. Eventually, one of the claims in the links is broken. For phishing, the browsers never did have the potential to show authenticity; not only did they not have the security strength to do it (c.f., Skype v. CSRF), they didn't even do it in practice (recall the lost padlock?), and their recent efforts to show authenticity (c.f. colour debate) reveal how far they are from understanding even the goal, let alone the implementation. Once that link was broken, and money was made, all the others revealed their weaknesses, as crooks systematically worked to breach the lot.

If we look at the wider financial collapse, now underscored by the nationalisation of the worlds biggest financiers of mortgages ($ 5.3 trillion.... or is it $ 5.4 ?), we see the same pattern. The bankers believed in their product. The originators believed in their origination, the securitizers believed in their free market and accurate price, and the holders believed in the assets. The CDO, the subprime, the other 100 special names, each was a contract. Each was clear in and of itself. But, when placed end-to-end, in a line, with a bunch of other agreements, the claims that were good in isolation were not strong enough to participate in the super-claim made of the overall edifice.

The financial system was built like a bridge; each piece rested on the previous one. And then, the clever architects bent the bridge around ... and around again, until the first piece met the last. The elegant keystone of finance was to finally lift up the first one to rest on the last.

Thus, the banks themselves invested their capital in their own product.

This weekend, the US Treasury joined in to make the ring stronger. The cunning masters of the financial universe carefully lifted up the fan-fred paper and rested them on the T-bills, which as we know are the expressions of the US economy's ability to generate taxes. These willing taxpayers are proud to place themselves and their mortgaged homes in the ring of power.

Beautiful, elegant, and hugely profitable. Just, somewhat, slightly against the laws of gravity.

The problem with this -- both the financial markets and the Internet security markets -- is that there is no-one to blame . Each is constructed in ring of claims, which eventually return to rely on themselves.

So when you read about who is to blame, be quick to be skeptical:

Long before the mortgage crisis began rocking Main Street and Wall Street, a top FBI official made a chilling, if little-noticed, prediction: The booming mortgage business, fueled by low interest rates and soaring home values, was starting to attract shady operators and billions in losses were possible.

"It has the potential to be an epidemic," Chris Swecker, the FBI official in charge of criminal investigations, told reporters in September 2004. But, he added reassuringly, the FBI was on the case. "We think we can prevent a problem that could have as much impact as the S&L crisis," he said.

Today, the damage from the global mortgage meltdown has more than matched that of the savings-and-loan bailouts of the 1980s and early 1990s. By some estimates, it has made that costly debacle look like chump change. But it's also clear that the FBI failed to avert a problem it had accurately forecast

Forget it. My experience of the mutual funds mess -- one what was *not* cleaned up despite public pronouncements to the contrary -- and other messes such as the digital gold story indicates that the FBI has zero chance of understanding the mortgage mess, let alone cleaning it up. Sure, there is fraud going on, but don't expect the FBI to understand the nature of it.

When risks go south: FM&FM to be nationalized

Not just another two scalps being counted: Fannie Mae and Freddie Mac, the huge USA mortgage lenders, are to be nationalised:

The government’s planned takeover of Fannie Mae and Freddie Mac, expected to be announced as early as this weekend, came together hurriedly after advisers poring over the companies’ books for the Treasury Department concluded that Freddie’s accounting methods had overstated its capital cushion, according to regulatory officials briefed on the matter.

Well, what else can they do? Think about how huge this is: the two of them hold or back debts of around $5.3 trillion dollars . Failure is almost certain systemic collapse: first the US housing market, then the rest.

The theory of central banking has it that the CB is the lender of last resort. And after that last resort, it owns the bank. So the Fed now will own these mortgage lenders, as a consequence of its role. No change here.

But, the theory also has it that any lending brings on the most severe punishments. Collapse and rescue by the CB then means: all shareholders are set to zero. All directors are sacked. It is then welcome to see that, in contrast to earlier wimpy efforts by Bernanke's Fed, this:

The details of the deal have not fully emerged, but it appears that investors who own the companies’ common stock will be virtually wiped out; preferred shareholders, who have priority over other shareholders, may also wind up with little. Holders of debt, including many foreign central banks, are expected to receive government backing. Top executives of both companies will be pushed out, according to those briefed on the plan.

will be pushed out? Pah! In Switzerland, it is apparently a crime to be an officer of a failed bank. Think hard here.... Who are their auditors? Who were the ratings agencies? Who were the regulators?

While others ponder the detail of rounding up the guilty, there is the wider question of how to act, systemically, and properly, if one were a CB. What caused this to happen?

Clearly, we don't know the full detailed story. We do know the US economy has been out of balance for the last many years, you pick the number. We do know that pay-up time is now. Further, it has been obvious for a long time that FM & FM have been structured on continually rising housing prices. How dumb is that?

Still, assuming a free-market, the government is wise not to tell bad investors (or companies) how to act properly. Even if it "knows" what is "right", the theory of free markets is that it knows much less than it would like to, and certainly less than how to run a business. (Otherwise it would be doing it, right?)

The mistake then is in allowing the mortgage backers to become too big to fail. That is, assuming a free-market, we must also respect the right to collapse. When there is no right to collapse, there is no free market. All else is subsidies, and the various other isms are just around the corner. Communism, nationalism, socialism, playing-fieldism:

Fannie Mae executives are likely to have resisted the proposed takeover because the company's financial condition isn't as dire as its sibling company, said Bert Ely, an Alexandria, Va.-based banking industry consultant.

But the government would still have to take over both companies, he said, to allow them to borrow money at the same rates. "In order to level the playing field between the two companies, you've got to take over both of them," said Ely, a longtime critic of the two companies.

The backing by the USG for the mortgage lenders' debt is the tactical error. Having got the systemic details off our chest, let's move to the witchhunt. Who started these monstrosities then? How did the shared guarantee from the US taxpayer come into being? Who fell for that old trick? The US taxpayer deserves to know who's stupidity she's paying for this time, no?

Fannie Mae was created by the government in 1938, and was turned into a shareholder-owned company 30 years later. Freddie Mac was established in 1970 to provide competition for Fannie.

Oops!

Yet more evidence: your CISO needs an MBA

I have in the past presented the strawman that your CISO needs an MBA. Nobody has yet succeeded in knocking it down, and it is proving surprisingly resilient. Yet more evidence comes from Bruce Schneier's blog post of yesterday:

Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable.

It's become a big deal in IT security, too. Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off. And in response, vendors are providing ROI models that demonstrate how their particular security solution provides the best return on investment.

It's a good idea in theory, but it's mostly bunk in practice.

Bunk is wrong. Let's drill down. It works this way: NPV (net present value) and ROI (its lesser cousin) are a mathematical tool for choosing between alternate projects. Keep the notion of comparison tightly in your mind.

The tools measure the money going in versus the money going out in a neutral way. They are entirely neutral between projects because NPV is just mathematics, and the same mathematics is used for each project. (See the top part of Richard's post.)

Obviously, any result from the model depends totally on the inputs, so there is a great deal of care and theory needed supply those proper inputs. And, it is here that security projects have the trouble, in that we don't have a good view as to how to predict attack costs. To be clear, there is no controversy about the inputs being a big problem.

But, assuming we have the theory, the process and the inputs, we can, again in principle, measure fairly across all projects.

That's how it works. As you can see above, we do not make a distinction between investment, savings, costs, returns or profits. Why not? Because NPV model and the numbers don't, either.

What then goes wrong with security people when they say ROI doesn't apply to security?

Before I get into the details, there's one point I have to make. "ROI" as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.

Or, or here:

The bottom line is that security saves money; it does not create money.

It seems to be that they seize on the words investment and returns, etc, and realise that the words differ from costs and savings. In conceptual or balance sheet terms, they do differ, but here's the catch: to the models of NPV and ROI, it's all the same. In this sense, we could say that the title of ROI is a misnomer, or that there are several meanings to the word "investment" and you've seized on the wrong one.

If you are good at maths, consider it as simply a model that deals equally well with negative numbers as well as positive numbers. To a model, savings are just negatives of returns.

Now, if your security director had an MBA, she would know that the purpose of NPV is to compare projects, and not anything else, like generating returns. She would also know that the model is neutral, and that the ability to handle negative numbers mean that expenses and savings can be compared as well. She would further know that the problems occur in the inputs and assumptions, not in the model.

Finally, she would know how to speak in the language of finance, which is the language that the finance people use. This might sound obvious, but it isn't so clear. As a generalism, it is this last point that is probably most significant about the MBA concept: it teaches you the language of all the other specialities. It doesn't necessarily make you a whizz at finance, or human resources, or marketing. But it at least lets you talk to them in their language. And, it reminds you that the other professions do have some credibility, so if they say something, listen first before teaching them how to suck eggs.

Another gold issuer finds himself temporarily unavailable ...

What's wrong with this picture, from an affidavit filed into a random Los Angeles court concerning divorce proceedings (his emphasis):

"I personally maintain and control ALL access security codes and passwords. I have been and am the ONLY individual in the company who can physically access the building, its contents AND precious metal vaults simultaneously, twenty-four hours a day. All others have limited access that is monitored and/or time-controlled (clock-based) and recorded in security records. Alarm calls are sent directly to me at all hours. ...

... I personally designed and customized the installation of a complex, ultra-sophisticated DOUBLE REDUNDANT security system that is both physical (in the building and its parameters) and virtual (reporting to his private office network round the clock.) This custom, high security system monitors and controls the safety of the corporate headquarters and all its contents, the safety of its employees, and the active 24/7 implementation of advanced, anti-theft, crime prevention. I oversee and monitor all security issues round the clock through a Virtual Private Network set-up at my home office."

Nothing, as long as the above mentioned person is available forever. Unfortunately he is now in jail, charged with much the same situation as the e-gold founders faced over the last two years. Checking the webpage:

Dear Customer,

05 August, 2008, 1:00pm PST: The e-Bullion website will be unavailable for a period of approximately four hours while our Tech Dept. performs routine maintenance.

We apologize for any inconvenience caused by this interruption to service.

e-Bullion Management

Is this a coincidence? Maybe, but it is just another reminder that serious and professional operations do not subscribe to superhero status as described above, for any of a hundred routine and boring scenarios.

(More details might be found here, written up by Ian Lamont of the Standard. Poking around a bit there is also a complication that the other side of the divorce proceedings, his wife, was murdered, and the LA police allege that there is a connection of some form.)

When rogue system administrators lock out Managers

Over in San Francisco, we've no doubt all read about the guy who owned the city government's network deciding to ... own the network (1, 2). For the city at least there was a happy ending:

The computer network hostage crisis in San Francisco is over, thanks to the city's mayor.

Terry Childs, a network administrator for the city of San Francisco, has been in custody since July 13 on four felony charges of taking control of the city's computer network and locking administrators out. Access to much of the city's information was blocked, including law enforcement, payroll, and jail-booking records.

Childs had reportedly refused to surrender the codes to his supervisors, but after a little more than a week as a guest of the city, he apparently had a change of heart and invited Mayor Gavin Newsom to meet with him, according to a report on the San Francisco Chronicle Web site Monday night.

A secret meeting was arranged at the city jail on Monday afternoon, where Childs gave Newsom the codes to the network. The meeting reportedly was so secret that the police department and district attorney were not informed of the meeting ahead of time.

Well, he built it, right? So why can't he tell the users what to do? Right?

The serious question here is whether there is in fact a viable case where a systems administrator takes over and decides to lock his managers out:

Erin Crane, Childs' defense attorney, is expected to cite his cooperation during a court hearing on Wednesday in a bid to have his $5 million bail reduced. Crane has argued that Childs was merely protecting the network from incompetent city officials who were trying to force him out of his job.

"Mr. Childs had good reason to be protective of the password," Crane told the newspaper. "His co-workers and supervisors had in the past maliciously damaged the system themselves, hindered his ability to maintain it...and shown complete indifference to maintaining it themselves...He was the only person in that department capable of running that system."

Tough call! It is rather rare, but this is essentially what whistleblowing seeks to exploit: the insider knowledge that a manager is manipulating the system for nefarious purposes. However, for all practical purposes this is an unlikely situation. Firstly, the managers who are doing the nefarious stuff are likely to then bury he who blows the whistle. See above, $5m bail buys a lot of dirt on this guy's coffin.

Secondly, there is a huge difference between incompetence and fraud. Incompetence is routine, but also the full and proper legal and moral right of the manager. The system administrator that determines that the world should be protected from the manager's incompetence, is generally as deluded as the manager, and is technically and legally wrong. The way to do that is to write to higher-ups and lay paper evidence.

Fraud, while another consideration entirely, is equally difficult: let's start with an easy question. Please define fraud! Now prove it! If you can get that far, the fun is only just starting....

_Electronic Signatures in Law_, Stephen Mason, 2007

Electronic signatures are now present in legal cases to the extent that while they remain novel, they are not without precedence. Just about every major legal code has formed a view in law on their use, and many industries have at least tried to incorporate them into vertical applications. It is then exceedingly necessary that there be an authoritative tome on the legal issues surrounding the topic.

Electronic Signatures in Law is such a book, and I'm now the proud owner of a copy of the recent 2007 second edition, autographed no less by the author, Stephen Mason. Consider this a review, although I'm unaccustomed to such. Like the book, this review is long: intro, stats, a description of the sections, my view of the old digsig dream, and finally 4 challenges I threw at the book to measure its paces. (Shorter reviews here.)

First the headlines: This is a book that is decidedly worth it if you are seriously in the narrow market indicated by the title. For those who are writing directives or legislation, architecting software of reliance, involved in the Certificate Authority business of some form, or likely to find themselves in a case or two, this could well be the essential book.

At £130 or so, I'd have to say that the Financial Cryptographer who is not working directly in the area will possibly find the book too much for mild Sunday afternoon reading, but if you have it, it does not dive so deeply and so legally that it is impenetrable to those of us without an LLB up our sleeves. For us on the technical side, there is welcome news: although the book does not cover all of the failings and bugs that exist in the use of PKI-style digital signatures, it covers the major issues. Perhaps more importantly, those bugs identified are more or less correctly handled, and the criticism is well-ground in legal thinking that itself rests on centuries of tradition.

Raw stats: Published by Tottel publishing. ISBN 978-1-84592-425-6. At over 700 pages, it includes a comprehensive indexes of statutory instruments, legislation and cases that runs to 55 pages, by my count, and a further 10 pages on United Kingdom orders. As well, there are 54 pages on standards, correspondents, resources, glossary, followed by a 22 page index.

Description. Mason starts out with serious treatments on issues such as "what is a signature?" and "what forms a good signature?" These two hefty chapters (119 pages) are beyond comprehensive but not beyond comprehension. Although I knew that the signature was a (mere) mark of intent, and it is the intent which is the key, I was not aware of how far this simple subject could go. Mason cites case law where "Mum" can prove a will, where one person signs for another, where a usage of any name is still a good signature, and, of course, where apparent signatures are rejected due to irregularities, and others accepted regardless of irregularities.

Next, there is a fairly comprehensive (156 pages) review of country and region legal foundations, covering the major anglo countries, the European Union, and Germany in depth, with a chapter on International comparisons covering approaches, presumptions, liabilities and other complexities and a handful of other countries. Then, Mason covers electronic signatures comprehensively and then seeks to compare them to Parties and risks, liability, non-contractual issues, and evidence (230 pages). Finally, he wraps up with a discussion of digital signatures (42 pages) and data protection (12 pages).

Let me briefly summarise the financial cryptography view of the history of Digital Signatures: The concept of the digital signature had been around since the mid-1970s, firstly in the form of the writings by the public key infrastructure crowd, and secondly, popularised to a small geeky audience in the form of PGP in the early 1990s. However, deployment suffered as nobody could quite figure out the application. When the web hit in 1994, it created a wave that digital signatures were able to ride. To pour cold water on a grand fire-side story, RSA Laboratories manage to convince Netscape that (a) credit cards needed to be saved from the evil Mallory, (b) the RSA algorithm was critical to that need, and (c) certificates were the way to manage the keys required for RSA. Verisign was a business created by (friends of) RSA for that express purpose, and Netscape was happily impressed on the need to let other friends in. For a while everything was mom's apple pie, and we'll all be rich, as, alongside VeriSign and friends, business plans claiming that all citizens would need certificates for signing purposes were floated around Wall Street, and this would set Americans back $100 a pop. Neither the fabulous b-plans nor the digital signing dream happened, but to the eternal surprise of the technologists, some legislatures put money down on the cryptographers' dream to render evidence and signing matters "simpler, please." The State of Utah led the way, but the politicians dream is now more clearly seen in the European Directive on Electronic Signatures, and especially in the Germanic attitude that digital signatures are as strong by policy, as they are weak in implementation terms. Today, digital signatures are relegated to either tight vertical applications (e.g., Ricardian contracts), cryptographic protocol work (TLS-style key exchanges), or being unworkable misfits lumbered with the cross of law and the shackles of PKI. These latter embarrassments only survive in those areas where (a) governments have rolled out smart cards for identity on a national basis, and/or (b) governments have used industrial policy to get some of that certificate love to their dependencies.

In contrast to the above dream of digital signatures, attention really should be directed to the mere electronic signature, because they are much more in use than the cryptographic public key form, and arguably much more useful. Mason does that well, by showing how different forms are all acceptable (Chapter 10, or summarised here): Click-wrap, typing a name, PINs, email addresses, scanned manuscript signatures, and biometric forms are all contrasted against actual cases.

The digital signature, and especially the legal projects of many nations get criticised heavily. According to the cases cited, the European project of qualified certificates, with all its CAs, smart cards, infrastructure, liabilities, laws, and costs ad infinitum ... are just not needed. A PC, a word processor program and a scan of a hand signature should be fine for your ultimate document. Or, a typewritten name, or the words "signed!" Nowhere does this come out more clearly than the Chapter on Germany, where results deviate from the rest of the world.

Due to the German Government's continuing love affair with the digital signature, and the backfired-attempt by the EU to regularise the concept in the Electronic Signature Directives, digital and electronic signatures are guaranteed to provide for much confusion in the future. Germany especially mandated its courts to pursue the dream, with the result that most of the German case results deal with rejecting electronic submissions to courts if not attached with a qualified signature (6 of 8 cases listed in Chapter 7). The end result would be simple if Europeans could be trusted to use fax or paper, but consider this final case:

(h) Decision of the BGH (Federal Supreme Court, 'Bundesgerichtshof') dated 10 October 2006,...: A scanned manuscript signature is not sufficient to be qualified as 'in writing' under §130 VI ZPO if such a signature is printed on a document which is then sent by facsimile transmission. Referring to a prior decision, the court pointed out that it would have been sufficient if the scanned signature was implemented into a computer fax, or if a document was manually signed before being sent by facsimile transmission to court.

How deliciously Kafkaesque! and how much of a waste of time is being imposed on the poor, untrustworthy German lawyer. Mason's book takes on the task of documenting this confusion, and pointing some of the way forward. It is extraordinarily refreshing to find that the first to chapters, and over 100 pages, are devoted to simply describing signatures in law. It has been a frequent complaint that without an understanding of what a signature is, it is rather unlikely that any mathematical invention such as digsigs would come even close to mimicing it. And it didn't, as is seen in the 118 pages romp through the act of signing:

What has been lost in the rush to enact legislation is the fact that the function of the signature is generally determined by the nature and content of the document to which it is affixed.

Which security people should have recognised as a red flag: we would generally not expect to use the same mechanism to protect things of wildly different values.

Finally, I found myself pondering these teasers:

Athenticate. I found myself wondering what the word "authenticate" really means, and from Mason's book, I was able to divine an answer: to make an act authentic. What then does "authentic" mean and what then is an "act"? Well, they are both defined as things in law: an "act" is something that has legal significance, and it is authentic if it is required by law and is done in the proper fashion. Which, I claim, is curiously different to whatever definition the technologists and security specialists use. OK, as a caveat, I am not the lawyer, so let's wait and see if I get the above right.

Burden of Liability. The second challenge was whether the burden of liability in signing has really shifted. As we may recall, one of the selling points of digital signatures was that once properly formed, they would enable a relying party to hold the signing party to account, something which was sometimes loosely but unreliably referred to as non-repudiation.

In legal terms, this would have shifted the burden of proof and liability from the recipient to the signer, and was thought by the technologists to be a useful thing for business. Hence, a selling point, especially to big companies and banks! Unfortunately the technologists didn't understand that burden and liability are topics of law, not technology, and for all sorts of reasons it was a bad idea. See that rant elsewhere. Still, undaunted, laws and contracts were written on the advice of technologists to shift the liability. As Mason puts it (M9.27 pp270):

For obvious reasons, the liability of the recipient is shaped by the warp and weft of political and commercial obstructionism. Often, a recipient has no precise rights or obligations, but attempts are made using obscure methods to impose quasi-contractual duties that are virtually impossible to comply with. Neither governments nor commercial certification authorities wish to make explicit what they seek to achieve implicitly: that is, to cause the recipient to become a verifying party, with all the responsibilities that such a role implies....

So how successful was the attempt to shift the liability / burder in law? Mason surveys this question in several ways: presumptions, duties, and liabilities directly. For a presumption that the sender was the named party in the signature, 6 countries said yes (Israel, Japan, Argentina, Dubai, Korea, Singapore) and one said no (Australia) (M9.18 pp265) Britain used statutory instruments to give a presumption to herself, the Crown only, that the citizen was the sender (M9.27 pp270). Others were silent, which I judge an effective absence of a presumption, and a majority for no presumption.

Another important selling point was whether the CA took on any especial presumption of correctness: the best efforts seen here were that CAs were generally protected from any liability unless shown to have acted improperly, which somewhat undermines the entire concept of a trusted third party.

How then are a signer and recipient to share the liability? Australia states quite clearly that the signing party is only considered to have signed, if she signed. That is, she can simply state that she did not sign, and the burden falls on the relying party to show she did. This is simply the restatement of the principle in the English common law; and in effect states that digital signatures may be used, but they are not any more effective than others. Then, the liability is exactly as before: it is up the to relying party to check beforehand, to the extent reasonable. Other countries say that reliance is reasonable, if the relying party checks. But this is practically a null statement, as not only is it already the case, it is the common-sense situation of caveat emptor deriving from Roman times.

Although murky, I would conclude that the liability and burden for reliance on a signature is not shifted in the electronic domain, or at least governments seem to have held back from legislating any shift. In general, it remains firmly with the recipient of the signature. The best it gets in shiftyville is the British Government's bounty, which awards its citizens the special privilege of paying for their Government's blind blundering; same as it ever was. What most governments have done is a lot of hand-waving, while permitting CAs to utilise contract arrangements to put the parties in the position of doing the necessary due diligence,. Again, same as it ever was, and decidedly no benefit or joy for the relying party is seen anywhere. This is no more than the normal private right to a contract or arrangement, and no new law nor regulation was needed for that.

Digital Signing, finally, for real! The final challenge remains a work-in-progress: to construct some way to use digital signatures in a signing protocol. That is, use them to sign documents, or, in other words, what they were sold for in the first place. You might be forgiven for wondering if the hot summer sun has reached my head, but we have to recall that most of the useful software out there does not take OpenPGP, rather it takes PKI and x.509 style certificate cryptographic keys and certificates. Some of these things offer to do things called signing, but there remains a challenge to make these features safe enough to be recommended to users. For example, my Thunderbird now puts a digital signature on my emails, but nobody, not it, not Mozilla, not CAcert, not anyone can tell me what my liability is.

To address this need, I consulted the first two chapters, which lay out what a signature is, and by implication what signing is. Signing is the act of showing intent to give legal effect to a document; signatures are a token of that intention, recorded in the act of signing. In order, then, to use digital certificates in signing, we need to show a user's intent. Unfortunately, certificates cannot do that, as is repeatedly described in the book: mostly because they are applied by the software agent in a way mysterious and impenetrable to the user.

Of course, the answer to my question is not clearly laid out, but the foundations are there: create a private contract and/or arrangement between the parties, indicate clearly the difference between a signed and unsigned document, and add the digital signature around the document for its cryptographic properties (primarily integrity protection and confirmation of source).

The two chapters lay out the story for how to indicate intention in the English common law: it is simple enough to add the name, and the intention to sign, manually. No pen and ink is needed, nor more mathematics than that of ASCII, as long as the intention is clear. Hence, it suffices for me to write something like signed, iang at the bottom of my document. As the English common law will accept the addition of merely ones name as a signature, and the PKI school has hope that digital signatures can be used as legal signatures, it follows that both are required to be safe and clear in all circumstances. For the champions of either school, the other method seems like a reduction to futility, as neither seems adequate nor meaningful, but the combination may ease the transition for those who can't appreciate the other language.

Finally, I should close with a final thought: how does the book effect my notions as described in the Ricardian Contract, still one of the very few strong and clear designs in digital signing? I am happy to say that not much has changed, and if anything Mason's book confirms that the Ricardo designs were solid. Although, if I was upgrading the design, I would add the above logic. That is, as the digital signature remains impenetrable to the court, it behoves to add the words seen below somewhere in the contract. Hence, no more than a field name-change, the tiniest tweak only, is indicated:

Signed By: Ivan

Cross-border Notarisations and Digital Signatures

My notes of a presentation by Dr Ugo Bechini at the Int. Conf. on Digital Evidence, London. As it touches on many chords, I've typed it up for the blog:

The European or Civil Law Notary is a powerful agent in commerce in the civil law countries, providing a trusted control of a high value transaction. Often, this check is in the form of an Apostille which is (loosely) a stamp by the Notary on an official document that asserts that the document is indeed official. Although it sounds simple, and similar to common law Notaries Public, behind the simple signature is a weighty process that may be used for real estate, wills, etc.

It works, and as Eliana Morandi puts it, writing in the 2007 edition of the Digital Evidence and Electronic Signature Law Review:

Clear evidence of these risks can be seen in the very rapid escalation, in common law countries, of criminal phenomena that are almost unheard of in civil law countries, at least in the sectors where notaries are involved. The phenomena related to mortgage fraud is particularly important, which the Mortgage Bankers Association estimates to have caused the American system losses of 2.5 trillion dollars in 2005.

OK, so that latter number came from Choicepoint's "research" (referenced somewhere here) but we can probably agree that the grains of truth sum to many billions.

Back to the Notaries. The task that they see ahead of them is to digitise the Apostille, which to some simplification is seen as a small text with a (dig)sig, which they have tried and tested. One lament common in all European tech adventures is that the Notaries, split along national lines, use many different systems: 7 formats indicating at at least 7 softwares, frequent upgrades, and of course, ultimately, incompatibility across the Eurozone.

To make notary documents interchangeable, there are (posits Dr Bechini) two solutions:

1. a single homogenous solution for digsigs; he calls this the "GSM" solution, whereas I thought of it as a potential new "directive failure".
2. a translation platform; one-stop shop for all formats

A commercial alternative was notably absent. Either way, IVTF (or CNUE) has adopted and built the second solution: a website where documents can be uploaded and checked for digsigs; the system checks the signature, the certificate and the authority and translates the results into 4 metrics:

• Signed - whether the digsig is mathematically sound
• Unrevoked - whether the certificate has been reported compromised
• Unexpired - whether the certificate is out of date
• Is a notary - the signer is part of a recognised network of TTPs

In the IVTF circle, a notary can take full responsibility for a document from another notary when there are 4 green boxes above, meaning that all 4 things check out.

This seems to be working: Notaries are now big users of digsigs, 3 million this year. This is balanced by some downsides: although they cover 4 countries (Deustchland, España, France, Italy), every additional country creates additional complexity.

Question is (and I asked), what happens when the expired or revoked certificate causes a yellow or red warning?

The answer was surprising: the certificates are replaced 6 months before expiry, and the messages themselves are sent on the basis of a few hours. So, instead of the document being archived with digsig and then shared, a relying Notary goes back to the originating Notary to request a new copy. The originating Notary goes to his national repository, picks up his *original* which was registered when the document was created, adds a fresh new digsig, and forwards it. The relying notary checks the fresh signature and moves on to her other tasks.

You can probably see where we are going here. This isn't digital signing of documents, as it was envisaged by the champions of same, it is more like real-time authentication. On the other hand, it does speak to that hypothesis of secure protocol design that suggests you have to get into the soul of your application: Notaries already have a secure way to archive the documents, what they need is a secure way to transmit that confidence on request, to another Notary. There is no problem with short term throw-away signatures, and once we get used to the idea, we can see that it works.

One closing thought I had was the sensitivity of the national registry. I started this post by commenting on the powerful position that notaries hold in European commerce, the presenter closed by saying "and we want to maintain that position." It doesn't require a PhD to spot the disintermediation problem here, so it will be interesting to see how far this goes.

A second closing thought is that Morandi cites

... the work of economist Hernando de Soto, who has pointed out that a major obstacle to growth in many developing countries is the absence of efficient financial markets that allow people to transform property, first and foremost real estate, into financial capital. The problem, according to de Soto, lies not in the inadequacy of resources (which de Soto estimates at approximately 9.34 trillion dollars) but rather in the absence of a formal, public system for registering property rights that are guaranteed by the state in some way, and which allows owners to use property as collateral to obtain access to the financial captal associated with ownership.

But, Latin America, where de Soto did much of his work, follows the Civil Notary system! There is an unanswered question here. It didn't work for them, so either the European Notaries are wrong about their assertation that this is the reason for no fraud in this area, or de Soto is wrong about his assertation as above. Or?

Digital Evidence -- 26-27 June, London

Cryptographers, software and hardware architects and others in the tech world have developed a strong belief that everything can be solved with more bits and bites. Often to our benefit, but sometimes to our cost. Just so with matters of law and disputes, where inventions like digital signatures have laid a trail of havoc and confusion through security practices and tools. As we know in financial cryptography, public-key reverse encryptions -- confusingly labelled as digital signatures -- are more usefully examined within the context of the law of evidence than within that of signatures.

Now here cometh those who have to take these legal theories from the back of the technologists' napkins and make them really work: the lawyers. Stephen Mason leads an impressive line-up from many countries in a conference on Digital Evidence:

Digital evidence is ubiquitous, and to such an extent, that it is used in courts every day in criminal, family, maritime, banking, contract, planning and a range of other legal matters. It will not be long before the only evidence before most courts across the globe will all be in the form of digital evidence: photographs taken from mobile telephones, e-mails from Blackberries and laptops, and videos showing criminal behaviour on You Tube are just some of the examples. Now is the time for judges, lawyers and in-house counsel to understand (i) that they need to know some of the issues and (ii) they cannot ignore digital evidence, because the courts deal with it every day, and the amount will increase as time goes by. The aim of the conference will be to alert judges, lawyers (in-house lawyers as well as lawyers in practice), digital forensic specialists, police officers and IT directors responsible for conducting investigations to the issues that surround digital evidence.

Not digital signatures, but evidence! This is a genuinely welcome development, and well worth the visit. Here's more of the blurb:

Conference Programme International Conference on Digital Evidence

26th- 27th June 2008, The Vintner's Hall, London – UNITED KINGDOM
Conference: 26th & 27th June 2008, Vintners' Hall, London
Cocktail & Dinner: 26th June 2008, The Honourable Society of Gray's Inn

THE FIRST CONFERENCE TO TREAT DIGITAL EVIDENCE FULLY ON AN INTERNATIONAL PLATFORM...

12 CPD HOURS - ACCREDITED BY THE LAW SOCIETY & THE BAR STANDARDS BOARD
This event has also been accredited on an ad hoc basis under the Faculty's CPD Scheme and will qualify for 12 hours

Understanding the Technology: Best Practice & Principles for Judges, Lawyers, Litigants, the Accused & Information Security & Digital Evidence Specialists

MIS is hosting & developing this event in partnership with & under the guidance of Stephen Mason, Barrister & Visiting Research Fellow, Digital Evidence Research, British Institute of International and Comparative Law.
Mr. Mason is in charge of the programme's content and is the author of Electronic Signatures in Law (Tottel, 2nd edn, 2007) [This text covers 98 jurisdictions including case law from Argentina, Australia, Brazil, Canada, China, Colombia, Czech Republic, Denmark, Dominican Republic, England & Wales, Estonia, Finland, France, Germany, Greece, Hungary, Israel, Italy, Lithuania, Netherlands, Papua New Guinea, Poland, Portugal, Singapore, South Africa, Spain, Switzerland and the United States of America]. He is also an author and general editor of Electronic Evidence: Disclosure, Discovery & Admissibility (LexisNexis Butterworths, 2007) [This text covers the following jurisdictions: Australia, Canada, England & Wales, Hong Kong, India, Ireland, New Zealand, Scotland, Singapore, South Africa and the United States of America]. Register Now!

Stephen is also International Electronic Evidence, general editor, (British Institute of International and Comparative Law, 2008), ISBN 978-1-905221-29-5, covering the following jurisdictions: Argentina, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Netherlands, Norway, Poland, Romania, Russia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Thailand and Turkey.

Technologists on signatures: looking in the wrong place

Bruce Schneier writes about the classical technology / security view and how it applies to such oddities as the fax signature. As he shows, we have trouble making them work according to classical security & tools thinking.

In a 2003 paper, "Economics, Psychology, and Sociology of Security," Professor Andrew Odlyzko looks at fax signatures and concludes:

Although fax signatures have become widespread, their usage is restricted. They are not used for final contracts of substantial value, such as home purchases. That means that the insecurity of fax communications is not easy to exploit for large gain. Additional protection against abuse of fax insecurity is provided by the context in which faxes are used. There are records of phone calls that carry the faxes, paper trails inside enterprises and so on. Furthermore, unexpected large financial transfers trigger scrutiny. As a result, successful frauds are not easy to carry out by purely technical means.

He's right. Thinking back, there really aren't ways in which a criminal could use a forged document sent by fax to defraud me.

The problem that shakes the above comments is that signatures are not tools to make things secure, nor to stop fraud. Instead, they are signals of legal intent. The law has developed them over centuries or millenia not as tools to make contracts binding, as per the simplistic common myth, or to somehow make it hard for fraudsters, the above security myth, but signals to record the intent of the person.

These subtleties matter. When you send a fax with your signature on it, it doesn't matter that the signature can be copied; it is the act of you creating and sending the fax with signature that establishes intent. Indeed, the intent can be shown without the signature, and the source of the fax is then as important as anything else. For this reason, we generally confirm what you intended somehow. Or we should, as Bruce Schneier writes:

On October 30, 2004, Tristian Wilson was released from a Memphis jail on the authority of a forged fax message. It wasn't even a particularly good forgery. It wasn't on the standard letterhead of the West Memphis Police Department. The name of the policeman who signed the fax was misspelled. And the time stamp on the top of the fax clearly showed that it was sent from a local McDonald's.

The success of this hack has nothing to do with the fact that it was sent over by fax. It worked because the jail had lousy verification procedures. They didn't notice any discrepancies in the fax. They didn't notice the phone number from which the fax was sent. They didn't call and verify that it was official. The jail was accustomed to getting release orders via fax, and just acted on this one without thinking. Would it have been any different had the forged release form been sent by mail or courier?

It's all backwards, according to the law. There should have been an intent, but there wasn't one. It wasn't that the policeman's signature established an intent, it was that the signature should have been a final step in confirming an intent that already existed. The point of phoning the policeman wasn't to check the signature, but to establish the intent. Which the signature would have nicely confirmed, but the check on intent isn't substitutable with the check on signature. As Jeff commented on the post:

Most people don't understand that signatures don't generally perform a security function, they perform a solemnization function. At least that was the case before the mathematicians got involved and tried to convince folks of the value of digitial signatures . . .. :-)

Before they got it totally backwards, that is. Your copied signature does not show intent by you, instead, it suggests an intent by you, that should be confirmed regardless. For you, this is good, as the principle of redundancy applies: you need something much more than one signature to lock you into a contract, or get you out of prison. And this process of showing intent bounces back to the signature in a particularly powerful protocol that is used in the legal world. This is a closely held secret, but I shall now reveal it and risk censure and expulsion for breaking the code:

Ask!

That's it, just ask the question. This can happen anywhere, but is best seen in a court setting: The judge says "Did you sign this?" If you did, then you say yes. (Else you're up for perjury, which is a serious risk.) If you didn't, you deny it, and then the court has a claim that it is not yours. The court now looks further to establish who's intent was behind this act.

It is for these reasons that digital signatures failed to make any mark on the real world, when cast as some sort of analogue to the human signature. Indeed, the cryptography community got it backwards, upside down and inside out. They thought that the goal was to remove the uncertainty and simplify the procedure, when in fact the goal was to preserve and exploit the uncertainty, and to augment the procedure. They were thinking non-repudiation, yet the signature is there to entice repudiation. They thought the signature was sufficient, yet it is no more than a signal of something much more important. They thought simplicity, when redundancy is the principle.

Digital signatures were presented as a new beginning and ending for electronci contracts, and users intuitively recognised they were neither a beginning nor an ending. Digital signatures were nothing, without a custom, and within a custom were shown to be more trouble than they were worth. Case in point: this is the reason why the digital signature on Ricardian Contracts is just cryptographic sugar: the intent is better shown by the server mounting the contract, by the issuer saying "I'm selling this contract", and by the system memorialising all these events in other signed records.

You might ask, why they are there, but I'll side-step that question for now :) Instead, let us ask, how then do we move forward and use digital signatures?

We should be able to see now that it is the wrong question. The right question is firstly, how do we establish intent, and the follow-up is, intent of what? Attest to a statement, conclude a negotiation, sell a house, contract for a road to be dug up, marriage with or without a shotgun? Once we have established that, we can construct a custom (techies would say a protocol) that captures the intent _and_ the agreement, suitable for the value at hand.

We might find a way to slip in some digsigs or we might not. That's because the role is to capture intent, not the signature. Intent is obligatory, signature is not.

(Indeed, this is why we say, in financial cryptography, the cryptography is optional, which causes no end of head-scratching. What then does a poor vendor of cryptographic digsigs do with them? Simple: define the digsig as meaning nothing, legally, outside an additional custom. Nothing, nix, nada, zip! And use them purely for their cryptographic properties, only. Which happen to be useful enough, if properly designed.)

on Revocation of Signing Certs and Public Key Signing itself

Philipp pointed me to another issue that turns the good ship Digital Signature into yet another Nautilus, rapidly going down the whirlpool.

Consider compromise of my signing key. If my key is compromised, then it can be used to sign any document on behalf of the erstwhile owner (was, me). Now, a curiosity of this is that the signature can be backdated, so if I lose my signing key to you, then you can sign away my house, back date it to a few years back to when it was a valid key, and take my house for a buck.

Hence, when my key is compromised, I have to revoke the key, and also potentially revoke all the signatures. The revocation of a signing cert can result in signatures of all dates becoming invalid, or questionable, even back in time. (Apparently, some proportion of client software works this way, because once a cert is revoked, all signatures are deemed "unacceptable" and thus effectively revoked. Nautilus, meet whirlpool.)

This could even be used by myself, in a nefarious mood, to cast doubt over the my own validly-made signatures. If I was homesick, I could conceivably use this to deny a valid contract to sell my house. Hey presto, Grandma gets her house back! (For other woes in the use of public keys for signing purposes, see Signed Confusion)

---

So how do we solve this problem? Skip down to **** if you are fully informed on that invention known as the Ricardian Contract, which does solve this issue.

In the Ricardian Contract I solved it by taking the hash of the signed contract, making that the identifier for the contract, and then embedding that hash into every transaction that happens thereafter. So, in effect, all new transactions accept and affirm the contract; and therefore form part of the evidence over the signature; if we question the original digsig, we also question all the transactions in the issuance, which is not reasonable beyond the first few dozen transactions.

What happens in more conventional PKI-land, where wisdom is writ, and standards are dusty? As is frequently pointed out, any human-meaningful use of digital signatures would then need to be confirmed with a secure timestamp, perhaps so that any later key revocation can avoid revoking that signature. Makes some sense, and indeed, every single Ricardo transaction sums to achieve that timestamp, as it builds up a tree of timestamped, signed transactions, pyramided on the original contract and its certificate.

We could then propose a rule in the use of public key digsigs for digital signing:

digital signatures cannot be relied upon over time without secure timestamping

The problem with this is that it undermines the very architecture of PKI; if we are assuming online, authoritive entities such as timestamping or digital cash issuers, then we don't actually need PKI, as it is written. Click on lynn://frequent.rant/ at this point... or for my version, in Ricardo as described above, the strength was the fact that strong evidence of the contract was kept over time, not the digsig. In this case, the evidentiary hash over the total document is what is kept, and the digsig added no more than the sweetness of headline confirmation of intent to the picture.

Because PKI (and in this case, OpenPGP cleartext signing) established a convention of signalling an intent with a digsig, it was handy to use that signal.

But we never relied on that, and a specific requirement was that someone could steal the signing key and create a bogus contract. The real strength that captured the signing over the contract was this: we took the hash of the document, and used that hash as the identifier for the contract. We are talking about Ivan, a person who is an issuer of value, and is purporting to the world that his contract is good. Them we arrange matters so that in every statement he makes to the world, he uses a strong identifier. By including the hash of the contract in every transaction, we establish Ivan's intent, understanding, liability on the basis of strong acts by the signer himself. The subtext is that the dominating evidence of intent on the document was the hash over the document, and the transactions that embedded that hash preserved and published that evidence [1].

**** The conclusion is that the hash is a better "signature" than a public-private-key digsig, if we are talking about evidence of time, leading to intent, etc; both need to be accompanied by an infrastructure that isolates the realtime of effect of the original event, and an environment where that intent is preserved. In which case, we can take the above, spin it and say that simple hashes are as good as public key digsigs at the application known as digital signing, and better because they are cheaper. Or, if the infrastructure is present, then public key digsigs makes a good carrier of hashes, as long as their use doesn't damage the application in other ways (which unfortunately it does, c.f. revocation).

---

What does a timestamped hash lack? It has no indicator of who the signer is. Hence, the hash does not quite defeat the digsig on the basis of Occam's razor.

But we need that in other ways anyway, as the pure cryptographic notion of a public key signature is no better than "this set of bits saw that set of bits" and we know from practical cryptography that there is no easy way to measure and control the distance from a human (intent) to a set of bits. PKI fails to achieve this because it outsources identity to a thing called Certificate Authorities, which so far have not shown themselves to be useful harbingers of your signatory, if in part because they are more expensive than the old pen&ink method.

Let's step back then, and place this in terms of requirements. We need these things to create any system of digital signing:

• a contract
• who is the person(s) that is "intending" the contract
• the time of original intent
• the preservation of all the above

Public key signatures add very little if anything over hashes and timestamps, as the former needs independent timestamping and revocation, which means that their PKI claims of offline-checking are unravelled. Neither public key digsigs or simple hashes establishes who, easily (consider the cost of PKI infrastructures versus the low statements of reliance), and neither establishes intent.

Indeed, the requirements are so badly met that we can invent a system in 30 seconds that beats the incumbent "approved digital signing systems", hands down:

Iang is who Iang says he is.
Sha1:9dea25a24190bd2cb129cc0b8718b6cf046fe154

This is strong, because, it was me that said it, me that posted it, and this blog, google, the time machine and all the other net tricks will preserve it [2]. Oh, and the hash adds some precision.

Are public key signatures dead? In technical and legal terms, yes. Public key signatures are at least brain-dead, and should be terminated for lack of sentience. While they retain some residual value in marketing senses and in infrastructure senses, they cannot be relied upon as signatures. We'll continue to put in the cryptocandy of the OpenPGP signatures on contracts, but the strength is elsewhere.

Which also means that we do not need to worry about revocation in digsig signing applications: the PKI digsigs as signing applications already revoked themselves, and we shouldn't spend any time over the issue except to say that they are not reliable enough for reliance applications. Instead, if you want a reliable digital signing application, read the Ricardian Contract paper carefully, and construct a protocol that carries the cryptocandy of the existing infrastructure alongside a proper chain that evidences the perfection of the contract: reading/understanding/intent/delivery.

---

Notes [1]: To follow a digital issuance through in technical, accounting terms: in a digital currency, we start out with one transaction to create value. This is of necessity a double entry transaction that puts large positive value into a manager's account, against large negative value into a float account. Then, the freshly minted positive value is distributed to the users, resulting in more transactions. The value is probably split in the second transaction and further split and recombined in each succeeding transaction, resulting in something like a tree structure.

Each of these transactions evidence an intent to honour the contract, as they all point back by means of the same hash over the same document. Hence, the OpenPGP signature is crypto-icing over the real cake within the Ricardian contract; in this particular case at least, the OpenPGP signature adds little to what the evidentiary chain of transactions provides.

Note [2]: If you want to wrap some cleartext signing sugar onto it, try this:

----- BEGIN OpenPGP Hash-Signed Document -----
I am who I say I am.
----- BEGIN HashSIG -----
d51cb67e97ae815c662042950189c59784a1560d
----- END HashSIG -----

Note [3]: how did we do that hash? Like this:

$ openssl sha1
Hash-signing my contract is as easy as typing text and adding newline then control-D at the end
1100ff22b4e28f439c03a9557b8a88eb8a749235
$

Cut and paste the text line into a Unix terminal application, and follow the instructions. Don't forget to hit return, then hit ctrl-D. Don't include the spaces at the beginning.

SocGen - the FC solution, the core failure, and some short term hacks...

Everyone is talking about Société Générale and how they managed to mislay EUR 4.7bn. The current public line is that a rogue trader threw it all away on the market, but some of the more canny people in the business don't buy it.

One superficial question is how to avoid this dilemma?

That's a question for financial cryptographers, I say. If we imagine a hard payment system is used for the various derivative trades, we would have to model the trades as two or more back-to-back payments. As they are positions that have to be made then unwound, or cancelled off against each other, this means that each trader is an issuer of subsidiary instruments that are combined into a package that simulates the intent of the trade (theoretical market specialists will recall the zero-coupon bond concept as the basic building block).

So, Monsieur Kerviel would have to issue his part in the trades, and match them to the issued instruments of his counterparty (whos name we would dearly love to know!). The two issued instruments can be made dependent on each other, an implementation detail we can gloss over today.

Which brings us to the first part: fraudulent trades to cover other trades would not be possible with proper FC because it is not possible to forge the counterparty's position under triple-entry systems (that being the special magic of triple-entry).

Higher layer issues are harder, because they are less core rights issues and more human constructs, so they aren't as yet as amenable to cryptographic techniques, but we can use higher layer governance tricks. For example, the size of the position, the alarms and limits, and the creation of accounts (secret or bogus customers). The backoffice people can see into the systems because it is they who manage the issuance servers (ok, that's a presumption). Given the ability to tie down every transaction, we are simply left with the difficult job of correctly analysing every deviation. But, it is at least easier because a whole class of errors is removed.

Which brings us to the underlying FC question: why not? It was apparent through history, and there are now enough cases to form a pattern, that the reason for the failure of FC was fundamentally that the banks did not want it. If anything, they'd rather you dropped dead on the spot than suggest something that might improve their lives.

Which leads us to the very troubling question of why banks hate to do it properly. There are many answers, all speculation, and as far as I know, nobody has done research into why banks do not employ the stuff they should if they responded to events as other markets do. Here are some speculative suggestions:

• banks love complexity
• more money is made in complexity because the customer pays more, and the margins are higher for higher payments
• complexity works as a barrier to entry
• complexity hides funny business, which works as well for naughty banks, tricky managers, and rogue traders. It creates jobs, makes staffs look bigger. Indeed it works well for everyone, except outsiders.
• compliance helps increase complexity, which helps everything else, so compliance is fine as long as all have to suffer the same fate.
• banks have a tendency to adopt one compatible solution across the board, and cartels are slow to change
• nobody is rewarded for taking a management risk (only a trading risk)
• banks are not entrepreneurial or experimental
• HR processes are steam-age, so there aren't the people to do it even if they wanted to.

Every one of those reasons is a completely standard malaise which strikes every company, but not other industries. The difference is competition; in every other industry, the competition would eat up the poorer players, but in banking, it keeps the poorer players alive. So the #1 fundamental reason why rogue traders will continue to eat up banks, one by one, is lack of competitive pressures to do any better.

And of course, all these issues feed into each other. Given all that, it is hard to see how FC will ever make a difference from inside; the only way is from outside, to the extent that challengers find an end-run around the rules for non-competition in banking.

What then would we propose to the bank to solve the SocGen dilemma as a short term hack? There are two possibilities that might be explored.

1. Insurance for rogue traders. Employ an external insurer and underwriter to provide a 10bn policy on such events. Then, let the insurer dictate systems & controls. As more knowledge of how to stop the event comes in, the premiums will drop to reward those who have the better protection.

   This works because it is an independent and financially motivated check. It also helps to start the inevitable shift of moving parts of regulation from the current broken 20th century structure over to a free market governance mechanism. That is, it is aligned with the eventual future economic structure.



2. Separate board charged with governance of risky (banking) assets. As the current board structure of banking is that the directors cannot and will not see into the real positions, due to all the above and more, it seems that as time goes on, more and more systematic and systemic conditions will build up. Managing these is more than a full time job, and more than an ordinary board can do.

   So outsource the whole lot of risk governance to specialists in a separate board-level structure. This structure should have visibility of all accounts, all SPEs, all positions, and should also be the main conduit to the regulator. It has to be equal to the business board, because it has to have the power to make it happen.

   The existing board maintains the business side: HR, markets, products, etc. This would nicely divide into two the "special" area of banking from the "general" area of business. Then, when things go wrong, it is much easier to identify who to sack, which improves the feedback to the point where it can be useful. It also puts into more clear focus the specialness of banks, and their packaged franchises, regulatory costs and other things.

Why or how these work is beyond scope of a blog. Indeed, whether they work is a difficult experiment to run, and given the Competition finding above, it might be that we do all this, and still fail. But, I'd still suggest them, as both those ideas can be rolled out in a year, and the current central banking structure has at least another decade to run, and probably two, before the penny drops, and people realise that the regulation is the problem, not the solution.

(PS: Jim invented the second one!)

When the SLippery SLope beckons

Second Life takes another step onto the slippery slope. They have previously banned gambling, and now they are banning finance.

Please read this if you operate, or have transferred L$ to, an in-world “bank” or financial company.

As of January 22, 2008, it will be prohibited to offer interest or any direct return on an investment (whether in L$ or other currency) from any object, such as an ATM, located in Second Life, without proof of an applicable government registration statement or financial institution charter. ...

This is the slippery slope. By putting a blanket ban on the operation of financial services (or, passing the buck to the old-world regulators, which amounts to the same thing), they have exited from a large sector of commerce. Expect others to follow.

The reason? In short, it is not economic for them. Linden Labs have no economic / libertarian background to understand the theory, so they cannot see a forward path. Nor do they have the necessary regulatory background or friends, so they have inherited a big and powerful enemy (or more precisely, a horde of enemies who all look the same on first glance) with no way to deal with a war.

Also, it has been recently shown by one similar venture (eBay/Paypal) that taking the slippery slope has a quid pro quo: no financial downside, indeed success and profits. Other than a lot of noisy press ("traitors to the cause"), what's the problem? The process looks on track according to modern marketing theories (ditch the early adoptors as you move to the mainstream).

Under this cloud of exit stories, sad to some, there is at least a silver lining. We extract one data point from the experiment that confirms the theories developed in the 1990s for unregulated finance providers:

You probably haven’t heard of Joshua Zarwel (Second Life’s ‘Teufel Hauptmann’), but he was the very first person I thought of when Linden Lab banned banking last week. ‘Hauptmann’ doesn’t get a lot of press. He’s never been accused of insider trading or blackmail in the Second Life Herald, he doesn’t spend much money on his avatar, he SL Bank Logodoesn’t issue cringe-inducing press releases, and he doesn’t have his name in diamonds above his virtual door. In short, he’s the kind of guy you want managing your money.

Sounds like a scam already, right? Call the Feds? The USSS should be hovering as we speak? Read on...

The fund’s web site is plain, and its entire in-world presence consists of one tiny, unremarkable virtual building. ... When Linden Lab ended banking in Second Life last week, Zarwel did something I’ve not heard of any other banker doing: he quietly announced that every single Linden Dollar in his customers’ accounts was available for immediate withdrawal. ...

For those who have memories of the unregulated gold and dollars economy:

... we tried to be as transparent as possible. If you check our website and/or in world note card you will see that we provide our real world names, addresses, backgrounds, profitability, fund allocation, etc. We had nothing to hide, nor did we ever wish to be anonymous.

This is rhyme. Indeed, it's as close to repeat as you can get, to challenge Mark Twain. We can see everything, as indeed it should be in open governance:

• provide transparent access to account balances
• show the governance arrangements (a.k.a. 5PM)
• describe the business model fully
• describe who the controllers really are (Ivan the Honourable)
• allow the public to regulate (the fifth party)

The long and the short is that if Linden Labs had implemented the lessons of open governance, they would have likely knocked out (over time) the scams and been left with the gems (again, over time). This does not change the question of whether it would have been economic of them to pursue Austrian approaches to commerce (Hayek's open money, etc), but it does show that there was a forward path, and the place at the end of that path will stand up to scrutiny.

While we are on the finance business, let's check in to see where the regulated world are at in governing their activities:

The UK's HSBC is to use Identrust's Internet authentication network to enable its corporate customers to digitally sign electronic payments files. Identrus provides a secure digital certificate-based infrastructure for business-to-business e-commerce transactions and corporate-to-bank communications....

A select number of HSBC corporate banking clients will be issued with Identrus digital certificates so that their staff can electronically sign payment files.

Identrust-backed digital signatures are used to guarantee non-repudiable and legally binding electronic communications between banks and their corporate clients. Only one Identrus digital identity per user is needed to interact with all of a corporate client's banks, which simplifies the transaction authentication process.

(Imagine here comments about Ricardian contracts, x.509 failings, x9.59 designs, transaction economics, and a whole host of lessons that simply can't be learnt at any price.)

Break the rules of governance and lose 4.9 billion...

This would be almost boring except for the numbers involved. The Economist writes:

TROUBLE had been expected but nothing like this. Widespread concerns that Société Générale, a large French bank, had more subprime-related problems to reveal were proved right on January 24th with the announcement of a €2.05 billion ($3 billion) write-down on its exposure to mortgage-related investments and to creaking bond insurers. But those numbers were a side-show to something far more shocking.

The bank also disclosed that a single trader, Jérôme Kerviel, had racked up a further €4.9 billion loss by taking unauthorised bets on futures linked to European stockmarkets. Trading in SocGen's shares was temporarily suspended on January 24th, but punishment was bound to be severe.

How did this happen? For that we have to see what the FT wrote:

The trader joined the bank in 2000 and worked in Paris. The first three years of his career were spent in the bank’s so-called “back office” and “middle office”, where trades are settled and risk is managed. Though it did not name Mr Kerviel, SocGen said he had never worked directly in its risk control section, but remained in contact with people in those areas so he could be updated with the bank’s risk controls.

“The reasons he could succeed was because the trader knew intimately the bank’s risk controls and swiftly shifted positions to evade detection at each level of control,” Mr Bouton said.

The fraud was discovered after the trader made an error with a fictitious counterparty. Its extent became clear over the weekend, when the bank‘s management interviewed Mr Kerviel.

OK, so rule #1 in governance is to separate the decisions from the implemention. Those on the decision side (in this case, traders) can not touch the money. Those on the money side (in financial lingo, back-office) cannot make any decisions. Seems simple, right?

The flaw here is that separation of roles also has to be backed up by more than mere words. Those in the back-office are supposed to check for valid trading by some metric or other, and supervisors are supposed to watch everything and make judgement calls. Those in the front-office (traders) are supposed to be rewarded for successful trades, and those in the back-office are supposed to be rewarded for safe trades.

As we know from the Barings case (and a thousand years of history) if a person crosses the border between front and back-office, there is trouble. Nick Leeson not only traded, he was also the guru that fixed or ran the accounting system in the Singapore branch. So he knew the back-office commands to create special or secret accounts, like 88888, which came in handy to hide losses.

The same will be true here: Kervial was trained in the back office, so almost certainly he knew how to do things that were under the covers. Which points to a crazy state of affairs: how is it at all possible to do things that are below the covers?

If you need a systemic reason, it would be because the system has evolved through centuries and is full of obscure rules, quirks, paperwork, oversights and so forth. It is too complex for anyone but a few to understand, indeed, it is quicker to build a complete new governance system from scratch than it is to understand a modern trading system (I know because I've done it). We can conclude that the modern systems are opaque, by history if not by design, and that therefore the real question to ask is whether it is plausible to even understand what happens under the covers, and to stop this weakness?

We know how to solve these problems in financial cryptography. My results were confirmed by others; but we all faced the same systemic blockages in getting systems deployed. Those same blockages will probably also work to save Société Générale from the real solution, which is sacking of the entire board at minimum and sacking of the shareholders at maximum.

Top tip from anonymous observer: watch Société Générale slide in a lot of other hidden losses into this one, so as to combine all the losses into one efficient hit. This is good news for shareholders, and bad news for everyone else, but that sort of high stakes poker playing with assets can also backfire if the losses threaten real closure.

Where the US Congress is going on virtual regulation

I listened to an entire Second Life interview with Dan Miller from the Joint Economic Council, a thinktank for the USA government. Interesting stuff, because virtual world governance gives us a window on all-of-Internet governance.

• US Congress isn't likely to pass laws, and indeed the JEC prefers less regulation;
• But agencies might issue rules;
• UST will probably treat trade in virtual games under the barter provisions. Also see Reuters article.
• Laws on currency were written in post-civil war and post-Fed periods, and did not consider issues today;
• Fed & SEC are less likely to be issuing any rules soon, they are busy elsewhere?;
• terrorists might use games to conduct dry runs;
• ML hasn't really taken off in virtual communities as the more round-eyed members of the press keep suggesting;
• SL isn't the big player, WoW is much bigger;
• Big corporations have this expectation that there will exist many platforms, all inter-communicating, and all equally available for global commerce. Can you take assets from world to another? (My view: dream on while others build on. Here's another view.)
• youth will be totally comfortable having meetings in the game-space, whereas old people like elected politicians have trouble understanding the basics...;
• a white paper is being written within JEC to prepare the ground for the future, but no promises;
• anyone can send a comment to the JEC (dan underscore miller at JEC dot senate dot gov) or their member of congress.

On a slightly related question, I have one question on the efficiency of the new generation of podcasts and interviews and so forth. These new tools are seeking to simulate the old world of radio and TV as the channel of preference, but to my mind they are terribly inefficient. I had to spend an entire hour or so listening to the scratchy sound, with a drop out in a critical part, when I could have skimmed the same written content in about 2 minutes. The nice way of putting this is that it's not ready for recommendation to my business partners as yet, and a slightly less nice way is "who has time for that?"

Does anyone have any alternate experience in these podcasts, etc, that indicates it is finding a market place in real business?

(Addendum: cross-over to TV.)

Arbitration -- a community tool or a weapon?

CAcert has just approved rules for dispute resolution which, in brief, puts all before their own arbitration. (Disclosure: I was involved!)

The key in this process is the provision in the user agreement that asserts the agreement to arbitrate disputes, and the lock that matches the key is the Arbitration Act in most countries. To make it work, the Act generally says that courts must respect the intent to arbitrate. From the US:

Under the FAA, on the motion of a party, a court must stay proceedings and order the parties to arbitrate the dispute if the court finds that the parties have agreed in writing to do so. A party seeking to compel arbitration must show (1) that a valid agreement to arbitrate exists between the parties and (2) that the specific dispute falls within the scope of the agreement.

E.g., the courts will kick you back to Arbitration. But, there are some exceptions, and I took that above quote from one such, being Bragg v. Second Life, wherein Judge Robreno decided to kick out the Arbitration Clause, not the parties. As VB writes, this is a big deal. So, it is useful to check his logic, and find out if CAcert has made some of the same mistakes.

Bear in mind this is not legal writing; if you want the real story you have to read the full transcripts linked above. To stress that, I've stripped out the references, etc, so as to maintain the readability rather than the reliability.

Having said that, onwards! With some legal musing, the Court arrives at this:

Bragg claims that the arbitration agreement itself would effectively deny him access to an arbitrator, because the costs would be prohibitively expensive, a question that is more appropriately reserved for the Court to answer.

To answer the question, the Court decided to look at procedural and substantive components to the issue of unconscionability which is a get-out card generally written into Arbitration Acts, and construct a balanced view from those components. Here's a quick summary:

Contract of adhesion. The Second Life agreement is a contract of adhesion, because there is no chance to negotiate. It's a take it or leave it. Therefore, the contract meets a standard of procedural unconscionability.

"Surprise," meaning that the Arbitration intent is hidden. Again, SL has met the Court's standard of surprise, by (a) using an opaque heading and (b) not setting out the costs clearly. This is a second leg of procedural unconscionability.

"One-sidedness of the contract terms." This seems to ride on several issues:

• Does one side have a choice in forums the other does not?
• Does one side have a range in remedies, yet reduce the other party to less?
• Are fees imposed in excess of a similar action in court?

The Court asserted that "the arbitration remedy must contain a “modicum of bilaterality." It also quoted a Paypal case which is likely as close as it gets in industry similarity. In short, Paypal was able to control the entire assets within by way of freezing, restricting, take ownership, and change the TOS, whereas the the user could only (presumably) arbitrate. Linden Labs had (has?) the same power:

The TOS proclaim that “Linden has the right at any time for any reason or no reason to suspend or terminate your Account, terminate this Agreement, and/or refuse any and all current or future use of the Service without notice or liability to you.” Whether or not a customer has breached the Agreement is “determined in Linden’s sole discretion.” Linden also reserves the right to return no money at all based on mere “suspicions of fraud” or other violations of law. Finally, the TOS state that “Linden may amend this Agreement . . . at any time in its sole discretion by posting the amended Agreement [on its website].”

Ouch! Which brings us to tricky issue of costs. For some reason, Linden Labs chose the ICC for Arbitration, with three Arbitrators. The Court estimated costs at $17,250 for an action of recovery of $75,000. However, the ICC rules say that costs must be shared by the parties, and that is apparently sufficient to make Arbitration unenforceable in California law. The trick here appears to be that the existence of a fee, imposed in excess of a similar court process, creates a supports the finding of unconscionability:

California law has often been applied to declare arbitration fee-sharing schemes unenforceable. Such schemes are unconscionable where they “impose[] on some consumers costs greater than those a complainant would bear if he or she would file the same complaint in court.” ... Here, even taking Defendants characterization of the fees to be accurate, the total estimate of costs and fees would be $7,500, which would result in Bragg having to advance $3,750 at the outset of arbitration. See Dfts.’ Reply at 11. The court’s own estimates place the amount that Bragg would likely have to advance at $8,625, but they could reach as high as $13,687.50. Any of these figures are significantly greater than the costs that Bragg bears by filing his action in a state or federal court. Accordingly, the arbitration costs and fee-splitting scheme together also support a finding of unconscionability.

As well as that, the Court found that all these factors helped to suggest that Arbitration was an attempt to shield liability rather than resolve disputes:

• imposing a location for Arbitration hearings over small disputes in Carlifornia
• imposing confidentiality on Arbitration (ICC rules)
• no "business realities" reason was advanced for the one-sidedness

OK, so the court really went to town in striking down the Arbitration clause. When I read their agreement a couple of weeks ago, I came to the same conclusion, without the Court's care, and the tip-off was the choice of the ICC (a big, expensive French body?!) and three, that's THREE arbitrators. The ICC has to be expensive just from the name, and by Linden Labs choosing 3 times the price, it doesn't take a PhD in maths to realise this was a barrier not an aid.

It may be that Linden Labs have learnt their lesson, as the TOS has just been changed, which is what sparked this blog post. Benjamin of VB writes:

the new terms also create a special class of claims under $10,000 that are to be handled via non-appearance arbitration. This change is very good for users, as the new clause replaces one that required a full-blown arbitration proceeding before a three-person panel, which could easily cost more than $10,000 itself (that is essentially why the clause was declared unconscionable in the Bragg case). Non-appearance arbitration can actually be quite inexpensive, and, notably, it could even be conducted in Second Life. The arbitrator must be an established ADR provider, must have published guidelines for dispute resolution, and must be a “retired judge or attorney with legal expertise in the subject matter of the dispute.”

Two caveats: it seems to stop around the $10k mark, and I haven't looked at the new terms.

Now, to get back to CAcert and their new arbitration system. We can run the Court's ruler over CAcert's new user agreement (albeit, still in DRAFT). It's maybe a little premature as experience is new, and only one case has been heard. But let's see what we can find:

• Fees: Maybe. CAcert reserves the right to impose some costs, but none are currently applied. Something to watch.
• Contract of Adhesion: Yes. That is probably an affirmative, by the definition of such contracts and Internet business. CAcert certainly intends that the user not negotiate, and should "take it or leave it." One pleading here might be that the bound users may seek changes by either open policy processes or through Arbitration itself.
• Surprise: No. I counted 25 references to Arbitration and the Arbitrator in 5.5 pages of their draft agreement. The heading says "3.2 Arbitration as Forum of Dispute Resolution." Also, contributory factors will be that the Assurers are to be trained in this area, and CAcert's principles would rule against "surprising" the users as a tactic.
• Choice of forums: No. Both CAcert and the user go to Arbitration for any dispute.
• Range of remedies: No. Only the Arbitrator may terminate an account or impose a financial penalty. Although support members may revoke, they must then refer to Arbitration for authorisation (this is unapproved CPS writings).
• Change of TOS: No. CAcert Inc has explicitly passed the right to change the TOS across to the users themselves, by way of the policy process. While CAcert Inc retains a veto, this seems not unreasonable given the fiduciary duties.
• Costly forum: No. Hearings are mostly conducted over email, and to address a point that the Court did not address, the process seeks to reduce costs by using senior people from within the community as advisors.
• Abusing even a "Modicum of mutality:" No, as Arbitrators are chosen from senior and experienced Assurers. E.g., arbitration is before peers, and CAcert itself is bound by the ruling.

Now, with a nod to the other elements of the Court's ruling, and to the Appeals Court which needs to affirm the ruling, it should be borne in mind that this is a back-of-the-napkin calculation. Still, it's instructive. I'd say cautiously that CAcert made none of the mistakes that the Court found. Indeed, CAcert bent over backwards and tied itself in knots in order to present itself as approximately equal to the registered users.

(As I say, I had something to do with the process. Indeed, I have been hammering the desk for this policy, or any other, to be approved for more than a year now. The more excellent result of last week's conference, which I attended, is that CAcert is now firmly back on the rails.)

If Insurance is the Answer to Identity, what's the Question?

Over on Second Life, they (LL) are trying to solve a problem by providing an outsourced service on identity verification with a company called Integrity. This post puts it in context (warning, it's quite long, longer even than an FC post!):

So now we understand better what this is all about. In effect, Integrity does not really provide “just a verification service”. Their core business is actually far more interesting: they buy LL’s liability in case LL gets a lawsuit for letting minors to see “inappropriate content”. Even more interesting is that LL does not need to worry about what “inappropriate content” means: this is a cultural question, not a philosophic one, but LL does not need to care. Whatever lawsuits will come LL’s way, they will simply get Integrity to pay for them.

Put into other words: Integrity is an insurance company. In this day and age where parents basically don’t care what their children are doing, and blame the State for not taking care of a “children-friendly environment” by filing lawsuits against “the big bad companies who display terrible content”, a new business opportunity has arisen: selling insurance against the (albeit remote) possibility that you get a lawsuit for displaying “inappropriate content”.

(Shorter version maybe here.)

Over on Perilocity, which is a blog about the insurance world, John S. Quarterman points at the arisal of insurance to cover identity theft from a company called LifeLock.

I have to give them credit for honesty, though: LifeLock admits right out that the main four preventive things they do you could do for yourself. Beyond that, the main substance they seem to offer is essentially an insurance package:

"If your Identity is stolen while you are our client, we’re going to do whatever it takes to recover your good name. If you need lawyers, we’re going to hire the best we can find. If you need investigators, accountants, case managers, whatever, they’re yours. If you lose money as a result of the theft, we’re going to give it back to you."

For $110/year or $10/month, is such an insurance policy overpriced, underpriced, or what?

It's possible easier for the second provider to be transparent and open. After all they are selling insurance for stuff that is a validated disaster. The first provider is trying to cover a problem which is not yet a disaster, so there is a sort of nervousness about baring all.

How viable is this model? The first thing would be to ask: can't we fix the underlying problem? For identity theft, apparently not, Americans want their identity system because it gives them their credit system, and there aren't too many Americans out there that would give up the right to drive their latest SUV out of the forecourt.

On the other hand, a potential liability issue within a game would seem to be something that could be solved. After all, the game operator has all the control, and all the players are within their reach. Tonight's pop-quiz: Any suggestions on how to solve the potential for large/class-action suits circling around dodgy characters and identity?

(Manual trackbacks: Perilocity suggests we need identity insurance in the form of governments taking the problem more seriously and dealing with identity thefts more proactively when they occur.)

The Failure of the Academic Contribution to Security Science

This blog frequently presses the case for the dysfunctional family known as security, and even presents evidence. So much so, that we've gone beyond the evidence and the conclusion, and we are more interested in the why?

Today we have insights from the crypto layer. Neal Koblitz provides his thoughts in an article named "The Uneasy Relationship Between Mathematics and Cryptography" published in something called the Notices of the AMS. As perhaps everyone knows, it's mostly about money, and Koblitz identifies several threads:

• bandwagon effect
• NSA-supplied money
• "the power that an aura of mathematical certainty can have over competitive solutions" a.k.a. provable security
• the unfortunate effect of computer science on cryptography

We've certainly seen the first three, and Koblitz disposes of them well. Definately well recommended reading.

But the last thread takes me by surprise. I would have said that cryptographers have done precisely the reverse, by meddling in areas outside their competence. To leap to computer science's defence, then, permit me to turn Koblitz's evidence:

Here the word “protocol” means a specific sequence of steps that people carry out in a particular application of cryptography. From the early years of public key cryptography it has been traditional to call two users A and B of the system by the names “Alice” and “Bob.” So a description of a protocol might go as follows: “Alice sends Bob..., then Bob responds with..., then Alice responds with...,” and so on.

I don't think so! If you think that is a protocol, you are not a computer scientist. Indeed, if you look at the designs for protocols by cryptographers, that's what you get: provable security and a "protocol" that looks like Alice talking to Bob.

Computer science protocols are not about Alice and Bob, they are about errors. Errors happen to include a bunch of things, including Alice and Bob. Also, Mallory and Eve, but also many many other things. As the number of things that can go wrong far exceed the numbers of cryptographic friends on the planet, we would generally suggest that computer scientists should write protocols, so as to avoid the Alice-Bob effect.

Just to square that circle with yesterday's post, it is OK to talk about Alice-Bob protocols, in order to convey a cryptographic idea. But it should be computer scientists who put it into practice, and as early as possible. Some like to point out that cryptography is complex, and therefore you should employ cryptographers for this part. I disagree, and quote Adi Shamir's 3rd misconception. Eventually your crypto will be handled by developers, and you had better give them the simplest possible constructions they can deal with.

Back to Koblitz's drive-by shooting on computer science:

Cryptography has been heavily influenced by the disciplinary culture of computer science, which is quite different from that of mathematics. Some of the explanation for the divergence between the two fields might be a matter of time scale. Mathematicians, who are part of a rich tradition going back thousands of years, perceive the passing of time as an elephant does. In the grand scheme of things it is of little consequence whether their big paper appears this year or next. Computer science and cryptography, on the other hand, are influenced by the corporate world of high technology, with its frenetic rush to be the first to bring some new gadget to market. Cryptographers, thus, see time passing as a hummingbird does. Top researchers expect that practically every conference should include one or more quickie papers by them or their students.

Ouch! OK, that's fair point. However the underlying force here is the market, and computer science itself is not to blame, rather, the product of its work happens to locate a lot closer to the market than, say, mathematics. Koblitz goes on to say:

There’s also a difficulty that comes from the disciplinary culture of cryptography that I commented on before. People usually write papers under deadline pressure — more the way a journalist writes than the way a mathematician does. And they rarely read other authors’ papers carefully. As a result even the best researchers sometimes publish papers with serious errors that go undetected for years.

That certainly resonates. When you spot an error, and it appears embedded in an academic paper, it stays for years. Consider a random paper on my desktop today, one by Anderson and Moore, "On Information Security -- and beyond." (Announced here.) It is exceedingly well-written, and quite a useful summary of economics thought today in academic security fields. Its pedigree is the best, and it seems unassailable.

Let us then assail. It includes an error: the "lemons" myth, which has been around for years now. Indeed, someone has pointed out the flaw, but we don't know who:

In some cases, security is even worse than a lemons market: even the vendor does not know how secure its software is. So buyers have no reason to pay more for protection, and vendors are disinclined to invest in it.

In detail, "lemons" only applies when the seller knows more than the buyer, this being one of the two asymmetries referred to in asymmetrical information theory. Other things apply in the other squares of the information matrix, and as with all such matrices, we have to be careful not to play hopscotch. The onus would be on Anderson and Moore, and other fans of citric security, to show whether the vendors even know enough to qualify for lemon sales!

Which all supports Koblitz's claims at least partially. The question then is why is it that the academic world of cryptography is so divorced? Again, Anderson and Moore hint at the answer:

Economic thinkers used to be keenly aware of the interaction between economics and security; wealthy nations could afford large armies and navies. But nowadays a web search on ‘economics’ and ‘security’ turns up relatively few articles.

Ironically, their very care and attention is reflected in the list of cited references at the end of the paper: one hundred and eight references !!! Koblitz would ask if they had read all those papers. Assuming yes, they must have covered the field, right?

I scanned through quickly and found three references that were not from reputable conferences, university academics and the like. (These 3 lonely references were from popular newspapers.)

What does a references section that only references the academic world mean? Are Anderson and Moore ignoring everything outside their own academic world?

I hasten to add, this is not a particular criticism against those authors. Many if not all academic authors, and conferences, and peer-review committee chairs would plead guilty of the same crime, proudly, even. By way of example, I have on my desk a huge volume called Phishing and Countermeasures, edited by Jakobsson and Myers. The list of contributors reads like a who's who of Universities, with the occasional slippage to Microsoft, RSA Laboratories, etc.

Indeed, Koblitz himself might be bemused by this attack. Why is the science-wide devotion to academic rigour a criticism?

Because it's security, that's why. Security against real threats is the point where scientific integrity, method and rigour unravels.

Consider a current threat, phishing. The academic world turned up to phishing relatively late, later than practically everyone else. Since arriving, they've waltzed around as if they'll solve it soon, just give them time to get up to speed, and proceeded to mark out the territory. The academics have presented stuff that is sometimes interesting but rarely valuable. They've pretty much ignored all the work that was done before hand, and they've consequently missed the big picture.

Why is this? One reason is above: academic work is only serious if it quotes other academic work. The papers above are reputable because they quote, only and fulsomely, other reputable work. And the work is only rewarded to the extent that it is quoted ... again by academic work. The academics are caught in a trap: work outside academia and be rejected or perhaps worse, ignored. Or, work with academic references, and work with an irrelevant rewarding base.

And be ignored, at least by those who are monetarily connected to the field. By way of thought experiment, consider how many peer-review committees on security conferences include the experts in the field? If you scan the lists, you don't find names like "Ivan Trotsky, millionaire phisher" or perhaps "John Smith, a.k.a. Bob Jones and 32 other aliases, wanted for tera-spamming in 6 states." Would we find "Mao Tze Ling, architect for last year's Whitehouse network shakedown?"

OK, so we can't talk to the actual crooks, but it's just a matter of duplicating their knowledge, right? In theory, it's just a matter of time before the academics turn the big guns onto the threat, and duplicate the work done outside academia. They can catch up, right?

Unfortunately not. Consider anoother of Koblitz's complaints, above where cryptography is

"influenced by the corporate world of high technology, with its frenetic rush to be the first to bring some new gadget to market."

Actually, there are two forces at work here, being the market and the attacker . In short, a real attack in this field migrates in terms of a month. Even with an accelerated paper cycle of 3 months to get the work peer-reviewed and into the next party for student quickies, to use Koblitz's amusing imagery, attacks migrate faster.

The academic world of security is simply too far away from their subject. Do they know it? No, it seems not. By way of example, those in the academic world of security and economics claim that the field started only recently, in the last few years. Nonsense! It has always been there, and received massive boosts with the work of David Chaum, the cypherpunks, Digicash, the Amsterdam hackers and many others.

What was not done was to convert this work into academic papers. The literature is there, but not in conference proceedings.

What was done was to turn the academic thought process into hugely beneficial contributions to security and society. All of the work mentioned above has led directly, traceably, to the inventions we now know as PayPal, ebay, WebMoney, gold community, and slowly moving through to the mass of society in the form of NFC, mobile and so forth. (The finance and telco sectors move slowly to accomodate these innovations, but do they move more slowly than the academic sector?)

The problem is that since the arisal of the net, the literature for fast-paced work has moved out of the academic sphere into other means of distribution: shorter essays, private circulations over email, business plans, open source experiments, focussed maillists and ... of course, blogs. If you are limiting yourself to conference proceedings on security, you are dead in the water, to take a phrase from naval security of a bygone age.

So much so that when you add up all these factors, the conclusion suggested is that the academic world will possibly never be able to deal with security as a science. Not if they stick to their rules, that is. Is it possible we now live in a world where today's academia cannot practically and economically contribute to an entire sector of science? That's the claim, let's see how it pans out.

Some criticisms also apply to Koblitz. Maybe mathematics is so conveniently peaceful as to support an academic tradition, but why is it that on the first page, he waxed longingly and generously on the invention of public key cryptography, but without mentioning the authors of the paper? He might say that Diffie and Hellman did not include any mathematics in their paper, but I would say "tosh!"

Open Governance - Vini Vidi Vici (Second Life, BAWAG)

Some are skeptical that open governance can change things. I say, they just haven't seen it in action, and haven't really dug deep into the popular but less efficacious regulated alternative.

Two examples: Over on Second Life, a pretty obvious ponzi scheme called Ginko crashed and burned. It didn't do very quickly, but it did so with *plenty* of warning, so the lesson is there. Open governor Benjamin Duranske wrote:

Two weeks ago, when I started paying close attention to Ginko (full coverage here), a Second Life blogger (who I won’t name) emailed me this:

Ultimately, all do-gooders like yourself have to ask yourself what can be done *when Linden Lab itself will do nothing.*

That sounded like a challenge, and one that was worth taking up. And the answer to that question, it turns out, is “quite a bit.” Ginko is no more.

...

But what really opened depositors’ eyes? What caused the internal gears at Ginko to start turning a different direction? Talking to people. One to one. Day after day. We weren’t a few writers, we were hundreds of people ranging from newbies to three and four year residents, from bilingual users translating questions into their own language for fellow depositors with little English, to economics professors at major universities talking about issues that were over my head. We covered every segment of the Second Life populace. Some knew what was happening early, some figured it out later on, but all of us asked hard questions at the ATMs, pushed the hard issues to the front of the public’s attention, and didn’t accept lies — even well intentioned ones — as truths.

Over in BAWAG-struck Austria, Helga Seeliger sits in court and reads the law of open governance over the biggest scandal in Austrian finance. (No URL, the translation is mangled directly from a newspaper snippet from Der Standard):

On one seat, by the side of journalists, is a 67 year old Viennese woman who has not missed one day of proceedings, and that's the way it shall be until the verdict is delivered. Her name is Helga Seeliger.

She was the first pensioner in March to demand that the OeGB (Federation of Austrian Unions) continue to pay the enterprise pension that had been cancelled. For 25 years Seeliger was a union representative. For more than 10 years, she was a manager at the Union. Since April 2005, she was a pensioner. She started studying law in the 2000, and finished in 2005. Her favourite: business law.

She writes down all the questions, and all the answers. She writes it in shorthand. If asked, she explains her interest in BAWAG as being a stakeholder. "These testimonies, about how easily the union money was offered, are important for our process."

After the BAWAG crisis, the unions cancelled all the additional pensions for ex-workers, and offered them a single final payment that, depending on their age, was between 2.2 and 8.8 annual salaries. Those who didn't accept, didn't get anything.

The unions paid with this solution 60m euros. For Seeliger and her co-workers, this was too little. "You should not call it the BAWAG scandal, you should call it a union scandal."

When, on Monday, Judge Claudia Bandion-Ortnera will call the "Elsner and others" case, Seeliger will be sitting in the front row and will take her notebook out of her black briefcase and continue her work.

What does this achieve? It locks the court's options down, it preserves the justice. If a convenient settlement offers to emerge, it will only survive, knowing that someone who really cares will see all, record all, and tell all.

Open governance is that: In today's networked world, we can use many small observers to watch, write and share the information. All we need is the latin phrase to capture that, and we're set to conquer the world of governance.

(There is a Cartoon in der Standard by Oliver Schopf but it is not on his website as yet.)

Microsoft asserts itself as an uber-CA

In the PKI ("public key infrastructure") world, there is a written practice that the user, sometimes known as the relying party, should read the CPS ("certificate practice statement") and other documents before being qualified to rely on a certificate. This would qualify as industry practice and is sensible, at least on the face of it, in that the CA ("certificate authority") can not divine what you are going to use the cert for. Ergo, the logic goes, as relying party, you have to do some of the work yourself.

However, in the "PKI-lite" that is in place in x.509 browser and email world, this model has been simplified. Obviously, all of us who've come into contact with user software and the average user know that the notion of a user reading a CPS is so ludicrous that it's hardly worth discussing. Of course, we need another answer.

There are many suggestions, but the one that is in effect is that the browser, or more precisely, the software vendor, is the one who reads the CPS, on behalf of the users. One way to look at this is that this makes the browser the relying party by proxy, as, in making its assessment, it reads the CPS, measures it against own needs, and relies on audits and other issues. (By way of disclosure, I audit a CA.)

Unfortunately, it cannot be the relying party because it simply isn't a party to any transaction. The user remains the relying party, but isn't encouraged to do any of the relying and reading stuff that was mentioned above. That is, the user is encouraged to rely on the certificate, the vendor, the CA and the counter-party, all on an article of blind faith in these people and processes she has never heard of.

This dilemma is better structured as multi-tiered authorities: The CA is the authority on the certificates and their "owners." The software vendor is the authority on the CAs, by means of their CPSs, audits, etc.

Such a re-drawing of the map has fairly dramatic consequences for the PKI. The widespread perception is that the CA is highly liable -- because that's the "trust" product that they sell -- and the browser is not. In principle, and in contract law, it might be the other way around, as the browser has an agreement with the user, and the CA has not. Where the perception might find comfort is in the doctrine of duty of care but that will generally limit the CA's liability to gross negligence. Either way, the last word on this complicated arrangement might need real lawyers and eventually real courts.

It has always been somewhat controversial to suggest that the browser is in control, and therefore may need to consider risks, liabilities and obligations. But now, Paul Hoffman has published a rather serious piece of evidence that Microsoft, for its part, has taken on the R/L/O more seriously than thought:

If a user running Windows XP SP2 in its default configuration removes a root certificate that is one that Microsoft trusts, Windows will re-install that root certificate and again start to trust certificates that come from that root without alerting the user. This re-installation and renewed trust happens as soon as the user visits a SSL-based web site using Internet Explorer or any other web browser that uses the Cryptographic Application Programming Interface (CAPI) built-in to Windows; it will also happen when the user receives secure email using Outlook, Microsoft Mail, or another mail program that uses CAPI, as long as that mail is signed by a certificate that is based on that root certificate.

In effect, the user is not permitted by the software to make choices of reliance. To complete the picture, Paul was careful to mention the variations (Thunderbird and Firefox are not effected, there is an SP2 feature to disable all updates of roots, Vista has the same problem but no override...).

This supports the claim, as I suggested above, that the effective state of play -- best practices if you'll pardon the unfortunate term -- is that the software vendor is the uber-CA.

If we accept this conclusion, then we could conceivably get on and improve security within these limitations, that the user does little or nothing, and the software manufacturer decides everything they possibly can. OK, what's wrong with that? From an architectural position, nothing, especially if it is built-in up-front. Indeed this is one of the core design decisions of the best-of-security-breed applications (x9.59, Skype, SSH, Ricardo, etc. Feel free to suggest any others to the list, it's short and it's lonely.)

The problem lies in that software control is not stated up-front, and it is indeed denied by large swathes of securityland. I'd not be surprised if Microsoft themselves denied it (and maybe their lawyers would be right, given the rather traumatic link between phishing and mitm-proof-certificates...). The PKI state-of-denial leaves us in a little bit of a mess:

• uber-CAs probably have some liability, but will likely deny it
• users are supposed to read the CPS, then rely. But don't or won't, and do.
• CAs claim to the users as if they have the liability, but write the CPS as if they have none.
• developers read from the PKI practices book, and write code according to uber-policy...
• (We can add many other issues which lead PKI into harm, but we are well past the average issue saturation point already.)

To extract from this mess probably takes some brave steps. I think I applaud Microsoft's practice, in that at least this makes that little part clearer.

They are in control, they are (I suggest) a party with risks, liabilities and obligations, so they should get on and make the product as secure as possible, as their primary goal. This includes throwing out bits of PKI best practices that we know to be worst practices.

They are not the only ones. Mozilla Foundation in recent years has completed a ground-breaking project to define their own CA processes, and this evidences great care and attention, especially in the ascension of the CA to their root list. What does this show other than they are a party of much power, exercising their duty of care?

Like Microsoft, they (only) care about their users, so they should (only) consider their users, in their security choices.

Will the CAs follow suit and create a simpler, more aligned product? Possibly not, unless pushed. As a personal remark, the criteria I use in auditing are indeed pushing dramatically in the direction of better care of risks, liabilities and obligations. The work to go there is not easy nor trivial, so it is no wonder that no CA wants to go there (and that may be an answer to those asking why it is taking so long).

Even if every CA stood forth and laid out a clear risks, liabilities and obligations statement before their relying parties, more would still need to be done. Until the uber-CAs also get on board publically with the liability shift and clearly work with the ramifications of it, we're still likely locked in the old PKI-lite paper regime or shell game that nobody ever used nor believed in.

For this reason, Microsoft is to be encouraged to make decisions that help the user. We may not like this decision, or every decision, but they are the party that should make them. Old models be damned, as the users surely are in today's insecurity, thanks in part to those very same models.

Choose your hatchet: when governance models collide

As mentioned, I advised e-gold on governance models way back when, and now we can see how the company deals with its relationship to the US government. Someone has posted a video over on YouTube of some 2006 testimony before Senate hearings on child pornography, wherein governance models are much discussed.

The video looks like hatchet job versus hatchet job, as governance of Internet child pornography collides with governance over payment integrity.

There is a wide-spread belief that the case against e-gold is likely to be fought on a battle ground of public opinion and regulated insiders, rather than that of law and public policy. Same as it ever was, perhaps, but a wider question for future FCers is what to do about it?

The governance models that were provided to e-gold were relatively sound, albeit incompletely implemented. No matter the incompleteness, the models were strong enough to preserve the gold for many years, at least to the extent that the recent seizure by the courts was able to complete. That's by way of a proof that some gold existed, although the victims of the seizure will have other choice words.

But those governance models are designed in general to deal with routine fraud of an inside nature. They are not designed to deal with the sort of difficulties facing e-gold. How then to do better in the future?

I see three lessons here for FCers at the governance layer.

1. A lot depends on the contract Ivan has with his users. We might say that an issuer should have a clear contract with its users. And, in that contract we might expect to find certain relationships with governments, law enforcement, regulators and other interested parties.

The question then would be to see whether these relationships were sustainable, stable and reasonable. In the case of e-gold, they were somewhat unbalanced at least due to its nominal offshore status, so e-gold ended up serving two or three jurisdictions instead of one. Complication, not simplification, without any offsetting protection.

2. Normal business process is to arbitrage existing structures and regulatory postures, but this is not to say that sustainable business includes simply facilitating crime. There is some grave doubt as to whether child pornography was more severe within the e-gold system than in classical banking, but there is much less doubt about ponzi schemes and pyramids. e-gold seems to have permitted these to a far greater extent than desirable, and that was unlikely to make friends in the long run.

Then, the need might be interpreted as to create a business process that delivers an overwhelming good without delivering an overwhelming bad. Truly a matter of judgement, but an easy call might be to keep clear of the more popular crimes.

3. Finally, a reasonable and sustainable dispute system is required. Neither Paypal nor e-gold achieved this, and indeed the banks are widely criticised for it (or its absence). The only payment system that seems to have achieved this is WebMoney, although the story takes on fairy tale proportions due to the lack of english documentation.

Either way, the e-gold dispute resolution system is coming in for a hammering, so this aspect should be noted well by FC community. As a matter of record, alternative dispute resolution (ADR) was well studied by the e-gold founders, who gave speeches at conferences on subjects such as arbitration, but study did not apparently transfer to implementation.

US government seizes the gold in frozen acounts

As discussed earlier, the US government, in cases against e-gold and presumably yet-to-be-charged account holders, has apparently completed seizure of some part of the gold:

In an unprecedented move on or just before Wednesday May 9th, 2007, the United States of America has forced Omnipay et al E-gold to redeem all the gold backing the 58 previously frozen accounts owned by e-gold, 1mdc, icegold and a handful of other exchangers and customers to be liquidated effective immediately to a us dollar account owned by the federal government. ...

MoneyNetNews has learned from a reliable source that e-gold has been ordered to hand over a fresh copy of the customer database when the redemption is completed.

Bear in mind this is unconfirmed at this stage. HT-RAH! I'll update this article if anything more comes to hand.

Leadership, the very definition of fraud, and the court of security ideas

It's been a bad week for security leaders. Bruce Schneier has been lambasted for asking whether we need a security industry at all, Ross Anderson published an article "commissioned by the Federal Reserve" that was riddled with errors, and now the chief security researcher of one of the leading security firms, Mikko Hyponnen, proposes a lame duck idea.

I feel very conflicted. On the one hand, I applaud these people for airing some opinions -- we need open discussion and new ideas. On the other hand, there is a serious difference between conjecturing in a scientific sense, in order to spark some serious debate, and selling snake oil.

The latter is often the result of moral hazard. As Ross Anderson complains about banks, when we sell a false statement such as "our systems are secure, so it must be your fault," then our own standards slip due to our own beliefs, and eventually we get the reverse of what we are selling.

Fair enough, but this moral hazard also applies to the writer of security ideas. I feel very strongly about this, as ordinary users are paying for this! When someone gets phished, they lose a lot. Of time, reputation, credit, etc etc. Sometimes money, and at least someone loses the money in a successful phish.

Maybe Schneier is really saying "With leadership like this, you'd be better off without a security industry?"

When a company starts selling "security" ... or merely writing about it ... then maybe we need to consider the liability for this. Class action suits are already in play, and I think it is only a matter of time before software vendors also find themselves responsible for their fraudulent sales by one means or another.

Maybe it is time to call a spade a spade. Forget snake oil. Call it fraud!

The very definition of fraud is discussed by Joseph T. Wells, perhaps America's most voluble presenter on the subject:

Under common law, three elements are required to prove fraud: a material false statement made with an intent to deceive (scienter), a victim’s reliance on the statement and damages.

I'd suggest that you read the entire article.... Several times! Meanwhile, let's cast the definition of fraud over one of the ideas facing us today, the suggestion of a .bank TLD.

Do we have a material false statement?

The Internet Corporation for Assigned Names and Numbers, the body that creates new top-level domains, should create a new, secure domain just for this reason—something like “.bank,” for example.

What is false about that? Specifically, a .bank TLD does not give any vestige of security at all, as discussed earlier. That's one tick in the box.

Showing "intent" is harder it seems, so let's refer to JTW again:

There is no such thing as an accidental fraud. What separates error from fraud is intent, the accidental from the intentional. Assume [the] statements contain material false statements: Were they caused by error or fraud? The problem with proving intent is that it requires determining a person’s state of mind. As a result, intent usually is proven circumstantially. Some of the ways we can help prove intent by circumstantial evidence include

• motive, ...
• opportunity, ...
• repetitive acts, ...
• witness statements, ...
• concealment. ...

Only the last is clearly not present, as publication of the idea in foreign policy is pretty much out in the open :) Motive is clearly present:

Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn’t be just a few dollars: It could be something like $50,000—making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time.

That's an invitation for someone to make some easy money if ever I saw it. That looks like the sort of rewards only seen in crime.

Opportunity is generally open but hard, in that anyone can submit a proposal to ICANN and create a TLD, in theory. Repetitive acts ... would depend on who is doing this, and as this is simply an idea being floated, we can't pinpoint anyone. Witness statements are also dependent on the idea turning into practice.

I would then call "intent" a cautious positive. If this idea was turned into reality, we can suggest motive and opportunity.

Next, JT Wells says "a victim's reliance on the statement." Well, that seems a slam dunk, if you've ever worked with banks. As a quick generalisation, they are only capable of doing security thinking in the most extreme of contexts, and they frequently rely on outside companies with a reputation in security sales to advise them.

Finally, damages will follow in due course, in any actual phishing attacks. It isn't necessary for us to predict these, simply to say that if they occurred , the rest of the discussion will complete the claim.

This isn't a court of law, and even if it were, we are unlikely to find an idea fraudulent. However, it seems plausible that we can apply the same test that the lawyers do. In that sense, it seems that the idea of a .bank TLD, if it were taken forward as a security proposal, would run the risk of being ruled as fraud.

US moves to seize the gold

Someone pointed out that the indictment unsealed last week against e-gold, etc includes this clause:

78. As a result of the offenses alleged in Counts One and Three of this indictment, the defendants E-GOLD, LTD., GOLD & SILVER RESERVE, INC., DOUGLAS JACKSON, REID JACKSON, and BARRY DOWNEY shall forfeit to the United States any property, real or personal, involved in, or traceable to such property involved in money laundering, in violation of Title 18, United States Code, Section 1956, and in operation of an unlicensed money transmitting business, in violation of Title 18, United States Code, Section 1960; including, but not limited to the following:

(a) The sum of money equal to the total amount of property involved in, or traceable to property involved in those violations. Fed.R.Crim.P. 32.2(b)(1).

(b) All the assets, including without limitation, equipment, inventory, accounts receivable and bank accounts, of E-GOLD, LTD., and GOLD & SILVER RESERVE, INC., whether titled in those names or not, including, but not limited to all precious metals, including gold, silver, platinum, and palladium, that "back" the e-metal electronic currency of the E-GOLD operation, wherever located.

If more than one defendant is convicted of an offense, the defendants so convicted are jointly and severally liable for the amount derived from such offense. By virtue of the commission of the felony charged in Counts One and Three of this indictment, and and all interest that the defendant has in the property involved in, or traceable to property involved in money laundering is vested in the United States and hereby forfeited to the United States pursuant to Title 18, United States Code, Section 982(a)(1).

(My emphasis. I included the whole clause, intending to allow each to form their own opinions. Of course, you and I should read the whole thing...)

A little background. In the gold community, it is dictum that the US is no respecter of property rights. Twice in the 20th century, the financial rebels will point out, the US seized the gold of its private citizens, generally as a result of its own bad management of the currency, and trying to stop people from fleeing the over-inflated dollar.

In this case, the US government is seeking to seize all of the gold held within the system as reserves to the currency, without due regard to the operation of property rights for the rest of the user base. It would seem an over-broad reaching by the government, but sadly, expected and unsurprising to the digital currency community.

Whatever one thinks of e-gold, its operators and their actions, this is likely to reinforce the reputation of complete and utter disrespect that the US has for property rights around the world.

Unfortunately, this is no isolated case, but is in fact a concerted and long-lived programme by the US government to undermine property rights the world around. The US-invented Anti Money Laundering (AML) regime stretches back 20 years or more to Ronald Reagan's war on drugs, and is now sufficiently strong to destroy the effect of property laws, which latter are nothing if not strong.

AML takes implementing countries backwards in time and history. Although England and its former colonies inherited strong property rights from the days of the Magna Carta, it is as well to realise that the English experiment may have been more an exception than the rule. Consider Russia as counterpoint:

Since only the Tsar or the Party had property, no individual Russian could be sure of long-term usage of anything upon which to create wealth. And it is the poor to whom the property right matters most of all because property is the poor man's ticket into the game of wealth creation. The rich, after all, have their money and their friends to protect their holdings, while the poor must rely upon the law alone.

"The Rape of Russia" was not ancient history according to Williamson's 1999 testimony before the US House of Representatives, but living times: during the decade of the 1990s, the same group conspired with Russians to launder much of the residual value of the Russian people.

One would hope that the court is a little wise to the fact that if e-gold Ltd's system was used for crimes, then there was also use for good purposes; that is, it was the operators and some users that were responsible. Normally we would expect the system to be placed under administration, and then a wholesale cleanout of any "bad" accounts to occur, under court supervision.

If not, the author above warned the US Congress what will happen to those who dismantle what property rights there are:

Connections

In the absence of property, it was access - the opportunity to seek opportunity - and favor in which the Russians began to traffic. The connections one achieved, in turn, became the most essential tools a human being could grasp, employ and, over time, in which he might trade. Where relationships, not laws, are used to define society's boundaries, tribute must be paid. Bribery, extortion and subterfuge have been the inevitable result. What marks the Russian condition in particular is the scale of these activities, which is colossal. Russia, then, is a negotiated culture, the opposite of the openly competitive culture productive markets require.

It is fairly clear that the e-gold operation was presented to the world and operated as a property rights operation. Although not without shenanigans, the very basis of the digital gold community has been a joyful expression of the right of property, and what good it can do when it is left to run free.

Unfortunately, the US government may have learnt too much from the Russian experience. The substantial crime in the indictment is "property rights without a licence" and the fine for that is "seizing all the property." Welcome to the world of tribute; bribery, extortion and subterfuge to follow.

more Tipping Point evidence - POS vendors sued

I wrote a week or so back about the failure of liability sharing and the consequent failure in market information. In that case, it circulated around the expectation that the banks have to back up the consumer every time something goes wrong. Is the TJX case enough to trigger the long awaited pass-on of liability to the other parties who share some responsibility?

Chris at EC points to Storefront:

Following lawsuits in February against some of the nation's largest retailers for illegally revealing too much credit card information on printed receipts, two of those retailers are now suing their POS vendors.

In the initial lawsuits filed early this year, some 50 of the nation's top retailers... were accused of printing full credit numbers and expiration dates on printed customer receipts, violating a provision of the Fair and Accurate Credit Transactions Act (FACTA) ...

In the last couple of weeks, two of those retail defendants—Charlotte Russe and Shoe Pavillion—have sued their POS vendors, saying that the retailer relied on them and if the retailer is liable, then the POS vendor should pay for it.

Is this a good thing? I think, yes. The alternates are not good: the vendor has no liability for actions, a law is passed that suits nobody, and things get worse.

Nick commented "Let the suing begin!" Better to suck up some court time and create an environment where -- no matter how small -- a vendor of security stuff has to work *with the customer's and the end-customer's risk model* and also take on some of the liability when it goes wrong.

e-gold responds -- denies Criminal Charges

Ordinarily I wouldn't follow the course of a case in such detail, contenting to only pick out the big picture and the important messages for Financial Cryptography readers. However, because of the 'special circumstances' in the e-gold case, I'll post the full response by Dr Jackson on the indictment from last week.

---

e-gold® Founder Denies Criminal Charges
April 30, 2007
Melbourne, FL

On April 24, 2007, a Federal Grand Jury handed down an indictment charging e-gold Ltd., Gold & Silver Reserve, Inc., and the Directors of both companies with money laundering, operating an unlicensed money transmitter business, and conspiracies to commit both offenses.

Dr. Douglas Jackson, Chairman and Founder of e-gold, speaking on behalf of his fellow Directors and both companies vigorously denies the charges, taking particular exception to the allegations that either company ever turned a blind eye to payments for child pornography or for the sale of stolen identity and credit card information.

Dr. Jackson states, "With regard to child pornography, the government knows full well that their allegations are false, yet they highlight these irresponsible and purposely damaging statements in order to demonize e-gold in the eyes of the public. During the Inquisition, accusations of witchcraft and heresy were used to sanctify torture and seizures of property. In post 9-11 America, child porn and terrorism serve as the denunciations of choice. e-gold, however, as a matter of incontrovertible fact, is the most effective of all online payment systems in detecting and interdicting abuse of its system for child pornography related payments. e-gold Ltd. is a founding member of the National Center for Missing and Exploited Children's (NCMEC) Financial Coalition to Eliminate Child Pornography. e-gold is the only member institution to demonstrate with hard, auditable data a dramatic reduction of such payments to virtually zero, while billions of child porn dollars continue to flow through other (heavily regulated) payment systems. [Most members, that is, all the banks and credit card associations are utterly unable to even provide an estimate of the volume of such payments processed by their systems. eBay's PayPal subsidiary, who may have the ability to make such a determination, has refused to do so and has indicated they destroy payment records after two years.] What is worse, until August 2005 when NCMEC courageously broke ranks with US law enforcement agencies and began directly notifying e-gold of criminal sites via the CyberTipline, component agencies of the US Department of Justice purposely concealed their knowledge of child pornography abuses from e-gold's investigators, subordinating actual crime fighting to a policy agenda designed to dirty up e-gold."

In December 2005, the Secret Service (USSS) deceived a Federal
Magistrate judge with bogus testimony in order to obtain search and
seizure warrants authorizing the government to seize the US bank
accounts of Gold & Silver Reserve, Inc. The seizure, which netted the
government about $ 0.8 million, was designed to put e-gold out of
business without due process, since G&SR serves as the contractual
Operator of the e-gold system. At a subsequent emergency hearing, the
government made no effort to defend their (sealed) allegations of
lurid criminality, falling back to a position that their action was
warranted because of a licensure issue. At the hearing, G&SR described
its ongoing dialog with the Department of Treasury, initiated by
formal request of the company in Spring 2005, to determine a possible
basis for regulating the company's activities, since it was patently
clear to competent authorities that G&SR's exchange service was not
encompassed within any existing regulatory rubric [subsequently
re-confirmed by experts at the Federal Reserve]. The US Attorney for
the District of Columbia, responsible for the prosecution, was
completely unaware of this orderly proceeding, as well as Treasury
reports issued the same week that acknowledged e-gold as an innovation
not meeting definitions of a money services business or a money
transmitter.

Since this time, the government has been confronted with overwhelming
evidence that the USSS had made a horrible mistake in its attack on
the e-gold system and its repeated defamatory claims in the media that
e-gold is anonymous, untraceable, and inaccessible to US law
enforcement. They have concealed the fact that Dr. Jackson had
personally arranged to come to USSS headquarters to train the USSS
cybercrime squad in December 2004 (along with agents of the UK's
National High Tech Crime Unit, and the Australian Federal Police) on
advanced techniques, particularly in the area of efficient interaction
with e-gold's in-house investigative staff, but was prevented when
senior USSS management learned of the initiative and forbade the
training on the grounds of a policy declaring e-gold as their
designated boogey man.

The Department of Justice has had to determine whether to continue to
stand behind their component agency. Their decision to close ranks has
directly resulted in a gross misallocation of resources, with the
result that vicious criminals who might have been brought to justice
remain at large. An example of this is the Shadowcrew investigation,
hyped by the USSS as a major success in disrupting international
credit card thieves. The USSS did not subpoena records from e-gold at
any time in their investigation, or engage with e-gold's superb
in-house investigative staff, with the result that the sophisticated
hierarchy of the ring was unmolested and probably strengthened while
the USSS hauled in the low hanging fruit, "a dime a dozen and
relatively easy to track down and pop".

Similarly, there is compelling evidence that the international cartel
of commercial vendors of child pornography continues to operate
because the FBI Innocent Images Unit and Special Agents within the
Immigration and Customs Enforcement Agency have been forbidden to
follow investigative protocols developed by Dr. Jackson, apparently
for fear of further belying the party line that e-gold is itself a
nefarious operation.

With regard to allegations of money laundering, Dr. Jackson notes
"G&SR's online exchange service, OmniPay, has for years followed
stringent customer identification procedures and an absolute policy of
only accepting money payments by bank wire. If bank wires aren't
already "clean" then what is? Furthermore, e-gold Ltd. can scarcely be
construed as a money launderer since it does not accept money payments
from anyone in any form and has never owned a single dollar, yen, euro
or any other brand of legacy money. As far as the possibility of a
criminal successfully obfuscating a money trail, e-gold is a closed
system. The only way to obtain e-gold is by receiving a transfer from
someone who already has some. e-gold is also the only payment system
accessible by the public that maintains a permanent record of all
transfers."

On April 27, 2007, the government served seizure warrants on G&SR
ordering it to freeze, liquidate and turn over to the government the
operating e-gold accounts of G&SR and e-gold Ltd. The value seized,
about $762 thousand worth of e-gold from e-gold Ltd. and about $736
thousand worth of e-gold from G&SR [on top of the $0.8 million seized
from G&SR in 2005, and the approximately $1 million spent by G&SR so
far in its defense] constitutes the bulk of the liquid assets of both
companies. Perplexingly, a post-indictment restraining order states
"Nothing in the provisions of this restraining order shall be
construed as limiting the e-gold operation's ability to use its
existing funds to satisfy requests from its customers to exchange
e-gold into national currency, or its ability to sell precious metals
to accomplish the same once approval has been obtained." Having taken
virtually the entire operating funds of G&SR and e-gold Ltd., that is,
the e-gold in both companies' own e-gold accounts, it is unclear if
the government has even a basic grasp of the operations it has been
investigating for three years at a taxpayer expense in the millions.

The most remarkable element of the restraining order is that the US
government deputizes e-gold with plenipotentiary powers to act as
judge, jury and executioner against any account user e-gold itself has
deemed to be a criminal: "It is further ordered that upon receipt of
this order the defendants are required to freeze, that is, not conduct
or allow any further transactions in e-gold accounts that the e-gold
operation itself has identified as being used for criminal activity".
Although not accompanied by an outright letter of marque, this
commission (the financial equivalent to double ought status?) would
appear to be an acknowledgement that e-gold's 'Know Your Customer'
prowess far exceeds that of any regulated financial institution, who
would be obliged to rely on court orders or other legal writs to
determine if freezing an account is warranted.

Concurrent with this latest attempt to knock e-gold Ltd. and G&SR out
of business and thereby effectively deny them due process, the
government also attacked other prominent exchange services that deal
in e-gold; IceGold, The Bullion Exchange, Gitgold, Denver Gold
Exchange, AnyGoldNow, and Gold Pouch Express, plus a sophisticated and
secure alternative payment system called "1MDC". All of the listed
exchange services also follow stringent Customer Identification
Programs congruent with what would be required of a currency exchange
business, if the law supported such a classification. Two of the
services, IceGold and AnyGoldNow, are located in Europe and deal
primarily with non-US customers. As a direct and immediate result of
the seizures, these companies, all of who had built a reputation for
honoring their obligations to customers in a timely fashion, have been
disrupted, and, at least in the case of Gitgold, checks to customers
issued in fulfillment of exchanges have bounced. This is a repeat of
what happened to G&SR as a direct result of the 2005 seizure, when
over 200 checks to customers bounced and refunds had to be sorted out
with severely crippled liquidity and without a US bank account.

It must not be overlooked that the search warrant obtained by
misrepresentations before a magistrate judge in 2005 resulted in the
government helping themselves to the financial records of hundreds of
thousands of American citizens [plus citizens of virtually every other
country] who had not been accused of any wrongdoing. Since the initial
raid, the prosecutor has caused the Grand Jury to order complete dumps
of the e-gold data base on three additional occasions.

This case has nothing to do with criminal activity, at least not on
the part of e-gold Ltd., G&SR, the named individuals or these other
exchange services of high reputation. It is about a Department of
Justice that is out of control, cognizant of having made a horrible
mistake but determined at all costs to preserve its turf. In a meeting
at the US Attorney's office in Washington on December 29, 2006, a
Chief Assistant US Attorney told us that the United States knew we
weren't "bad guys" and that the United States had no interest in
sending any of us to prison or causing e-gold to go out of business.
This was in virtually the same breath as proposing that the current
defendants plead guilty to Federal felony charges.

The plain fact is that the repeated statements and actions of the
government since 2001, especially the USSS, are directly responsible
for crippling e-gold's ability to market its service to mainstream
businesses and consumers, slowing [but fortunately not stopping]
e-gold's continuous development of advanced anti-crime capabilities,
subordinating US law enforcement's cybercrime fighting efforts to the
forlorn hope of destroying e-gold, driving market share to non-US
based alternative payment systems and making the US law enforcement
community the laughingstock of competent cybercrime fighting agencies
worldwide because of its obstinate inability to back down from the
USSS's longstanding e-gold vendetta.

All inquiries should be directed to the law offices of:
http://www.fuerstlaw.com/

e-gold founders indicted

Bob Hettinga found and forwarded the press release from the Washington DC courts:

A federal grand jury in Washington, D.C. has indicted two companies operating a digital currency business and their owners on charges of money laundering, conspiracy, and operating an unlicensed money transmitting business, Assistant Attorney General Alice S. Fisher of the Criminal Division and U.S. Attorney for the District of Columbia Jeffrey A. Taylor announced today.

The four-count indictment, handed down on April 24, 2007, and unsealed today, charges E-Gold Ltd; Gold & Silver Reserve, Inc.; and their owners Dr. Douglas L. Jackson, of Satellite Beach, Fla.; Reid A. Jackson, of Melbourne, Fla.; and Barry K. Downey, of Woodbine, Md., each with one count of conspiracy to launder monetary instruments, one count of conspiracy to operate an unlicensed money transmitting business, one count of operating an unlicensed money transmitting business under federal law and one count of money transmission without a license under D.C. law.

(Or here.) This is the next chapter in a long running saga. The e-gold investigation started sometime around 2002, with three primary agencies involved: IRS, FBI and USSS. The latter, the US Secret Service, has the original mission of protecting the currency, and hence their interest in money.

The actual charges are curiously not that interesting. Obviously, it is a money operation so there will always be a charge of Money Laundering, which in today's US courts is guilty by naming. Slightly less obviously, the charge of conspiracy just implies something else criminal was done by people acting together: and of course there are several people involved. So that charge simply succeeds if the others do, else it fails by definition.

Which leaves operating an unlicensed money transmitting business. This is the core charge. As we recall, this law came in in the aftermath of 9/11, when a Hawala was found to have transmitted one of the payments needed to finance the terrorist attack (the vast majority of the funds went through normal bank transfers). This then started a war on Hawalas, and the regulations were put in place * with a clear offer: license yourself as a money transmitter or face the consequences.

e-gold declined the offer. I recall that they argued they were not a money transmitter business because e-gold was not money, and the sales operation of Omnipay just used the banks to transmit the dollars back and forth. (This is from memory, these arguments were made in public in either the press or the mailing lists. ... Addendum: read Dr Jackson's response for more details on the position taken.)

I don't know about you, but that was a ludicrous position to take then, and now. It was pretty clear that the point was, come in from out of the wild wild west, or well go and hunt you down. To argue on a technicality like that was just insane, as courts will ignore such nonsense on the basis of a "reasonable man" test.

Is e-gold more or less in the money transmitting business? A reasonable man will say yes.

This characterises the extraordinary levels of arrogance of the e-gold founders. Because they had built a business that had seemingly escaped from the jaws of defeat and the evils of the banking cartel, they were right, God-blessed and destined to change the world. From their dramatic successes around 2000, there was a persistent belief in the righteousness of their mission, and an equal belief in the willingness of the courts to defend them. Because they were right!

Such hubris has to go down. Whatever we think about David versus Goliath stories, the US Government isn't happy to be taunted that way, and the competitors aren't going to let the USG proudly ignore the taunts. Consider all the banks in the US, and all the (licensed) money transmitters. And if that isn't enough, recall all the other countries in the world that suffered, and still suffer, the indignities of Ronald Reagan's war on drugs: every time there is a criticism about money laundering, all these players are going to keep banging the table about e-gold.

"Sort out your own house, first!" There is only one end to this story. A bad end.

Disclosure: I myself was closely engaged with e-gold in the years 1998 to 2000, and locked in court battles with them from 2001 to 2003. Before those battles, however, I argued that they should take no position that puts them up against (the, any) government. Luckily, e-gold filed my arguments in court, as evidence against me.

* Footnote on Law on Money Transmitters: historically the Hawala episode was just the excuse needed. The draft law had been circulating for some time, and had been inspired directly by the success of Paypal and e-gold in bypassing the normal banking regulations.

US moves to freeze Gold payment reserves

The gold community is a-buzz with the news ... first an announcement from BullionVault (no URL):

There have been growing stresses on our relationship with Brinks Inc, the US-owned vault operator, and it has become clear that they feel uncomfortable about continuing to vault BullionVault gold.

Why this might be so I am genuinely unable to say. Their exact reasoning has not been disclosed to us.

Fortunately, there is an excellent alternative available to us in ViaMat International, the largest Swiss-owned vault operator, and one which has a full quota of internationally located professional bullion vaults.

Swiss ownership suggests an independence from some of the pressures which Brinks may have found themselves operating under recently. Also you - our users - have chosen to vault 26 times as much gold in Switzerland as in the United States, so we believe this change will be both natural and welcome.

This is an echo of the old e-gold story, where different reputable vault companies handed the e-gold reserves around like it was musical chairs. BuillionVault is a new generation gold system, not encouraging payments but instead encouraging holding, buying and selling. It's not yet clear why they would be a threat.

But then, from 1mdc, a payment system:

ATTENTION

Friday Apr 27 2007 - 4AM UTC

It appears that a U.S. Government court order has forced e-gold(R) to close down or confiscate all of 1mdc's accounts. All of 1mdc account's have been closed at e-gold by order of the US Government.

Please note that it appears the accounts of a number of the largest exchangers and largest users of e-gold have also been closed or confiscated overnight: millions of Euros of gold have been held in this event. A couple of large exchanger's accounts have been shutdown.

If the confiscation or court order in the USA is reversed, your e-gold grams remaining in 1mdc will "unbail" normally to your e-gold account.

We suggest not panicking: more will be known on Monday when there will be more activity in the courts.

You CAN spend your 1mdc back and fore to other 1mdc accounts. 1mdc is operating normally within 1mdc. However you should be aware there is the possibility your e-gold will never be released from e-gold due to the court order.

Ultimately e-gold(R) is an entirely USA-based company, owned and operated by US citizens, so, as e-gold users we must respect the decisions of US courts and the US authorities regarding the disposition of e-gold. Even though 1mdc has no connection whstsoever to the USA, and most 1mdc users are non-USA, e-gold(R) is USA based.

You are welcome to email "team@1mdc.com", thank you.

Yowsa! That's heavy. And now, BullionVault's actions make perfect sense. Brinks probably heard rumour of happenings, and BullionVault are probably sweating off those pounds right now crossing the border with rucksacks of kg of yellow ballast.

It's worth while looking at how 1mdc worked, so as to understand what all the above means. 1mdc is simply a pure-play e-gold derivative system, in that 1mdc maintained one (or some) e-gold accounts for the reserve value, and then offered an accounting system in grams for spending back and forth.

1mdc then stands out as not actually managing and reserving in gold. Instead it manages e-gold ... which manages and reserves in gold. Now, contractually, this would be quite messy, excepting that the website has fairly generally made no bones of this: 1mdc is just e-gold, handled better.

So, above, 1mdc is totally uneffected! Except all the users who held e-gold there (in 1mdc) are now totally stuffed! Well, we'll see in time what the real story is, but when this sort of thing happens, there are generally some losers.

What then was the point of 1mdc? e-gold were too stuffy in many ways. One was that they charged a lot, another was the owners of e-gold were pretty aggressive characters, and they scared a lot of their customers away. Other problems existed which resulted in a steady supply of customers over to 1mdc, who famously never charged fees.

We could speculate that 1mdc was destined for sale at some stage. And I stress, I don't actually know what the point was. In contrast to the e-gold story, 1mdc ran a fairly tight ship, printed all of their news in the open, and didn't share the strategy beyond that.

It may appear then that the US has moved to close down competition. Other than pique at not being able to see the account holders, this appeared yesterday to be a little mysterious and self-damaging. Today's news however clarifies, which I'll try and write a bit more about in another entry:

...the Department of Justice also obtained a restraining order on the defendants to prevent the dissipation of assets by the defendants, and 24 seizure warrants on over 58 accounts believed to be property involved in money laundering and operation of an unlicensed money transmitting business.

The Begining of Governance - the Egyptian Accountants

Governance is about protecting the assets of the owner. Here's an anecdote on an early development in Governance, that reflects the arisal of robust accounting and predicts redundant computing:

IN THE BEGINNING

It’s said that accountants’ predecessors were the scribes of ancient Egypt, who kept the pharaohs’ books. They inventoried grain, gold and other assets. Unfortunately, some fell victim to temptation and stole from their leader, as did other employees of the king. The solution was to have two scribes independently record each transaction (the first internal control). As long as the scribes’ totals agreed exactly, there was no problem. But if the totals were materially different, both scribes would be put to death. That proved to be a great incentive for them to carefully check all the numbers and make sure the help wasn’t stealing. In fact, fraud prevention and detection became the royal accountants’ main duty.

Accounting is both a mundane tool for telling you how much you have, and a critical tool for stopping that "how much" from shrinking through theft. Hence, it is a Governance tool as well; double-entry accounting is also a tool to achieve a governance feature, by the magical trick of clearly identifying errors and separating them from intent.

In the absence of double entry, the Egyptians solved the errors problem using redundant computers. Just like today's designs for redundant computers, errors caused the shutdown of the system, although it seems that Egyptian designs for redundant computers did not advance to voting and quorum systems.

Does non-profit mean non-governance? Evidence from the fat, rich and naive business sector

I've previously blogged on how the non-profit sector is happy hunting grounds for scams, fraud, incentives deals and all sorts of horrible deals. This caused outrage by those who believe that non-profits are somehow protected by their basic and honest goodness. Actually, they are fat, happy and ripe for fraud.

The basic conditions are these:

• lots of money
• lots of people from "I want to do good" background
• little of the normal governance is necessary

Examples abound, if you know how to look. Coming from a background of reading the scams and frauds that rip apart the commercial sector, seeing it in the non-profit sector is easy, because of the super-fertile conditions mentioned above.

Here's one. In New York state in the US of A, the schools have been found taking incentives to prefer one lender over another for student loans.

[State Attorney-General] Cuomo has sent letters to and requested documents from more than a hundred schools for information about any financial incentives the schools or their administrators may have derived from doing business with certain lenders, such a gifts, junkets, and awards of stock.

A common practice exposed by Cuomo is a revenue-sharing agreement, whereby a lender pays back a school a fixed percentage of the net value loans steered its way. Lenders particularly benefit when schools place them on a short list of “preferred” lenders, since 3,200 firms nationwide are competing for market share in the $85 billion a year business.

Here's an inside tip that I picked up on my close observance of the mutual funds scandal, also brought by then NY-AG Elliot Spitzer (now Governor, an easy pick as he brought in $1.5bn in fines). If the Attorney-General writes those letters, he already has the evidence. So we can assume, for the working purposes of a learning exercise, that this is in fact what is happening.

There's lots of money ($85Bn). The money comes from somewhere. It can be used in small incentives to steer the major part in certain directions.

To narrow the options, most schools publish lists of preferred lenders for both government and private loans. They typically feature half a dozen lenders, but they might have only one. Students should always ask if the school is getting any type of payment or service from lenders on the list.

To get a loan, schools must certify that you are qualified. By law, schools can't refuse to certify a loan, nor can they cause "unreasonable delays," because you choose a nonpreferred lender. That said, many schools strongly discourage students from choosing a nonpreferred lender.

...

The University of North Carolina at Chapel Hill tells students on a form that if they choose a lender other than the school's sole preferred lender for Stafford loans, "there will be a six-week delay in the processing of your loan application" because it must be processed manually.

How do we address this? If we are a non-profit, then we can do these things:

• pick a very solid mission.
• build an environment that supports that mission, down to the cellular level.
• create an open disclosure policy which allows others to help us pick up drift.
• especially, create a solid framework for all "deals."
• put together a team that knows governance.

It's not so exceptional. Some schools got it:

Thirty-one other schools joined Penn and NYU in adopting a code of conduct that prohibits revenue-sharing with lenders, requires schools to disclose why they chose preferred lenders, and bans financial aid officers and other school officials from receiving more than nominal gifts from lenders.

Clues in bold. How many has your big fat, rich open source non-profit got? I know one that has all of the first list, and has none of the second.

Open Governance - using the 5th Party to protect the asset

Some many years ago I created a five parties model that used the public as the fifth party to bind all the others together in governing the toughest of assets: money. 5PM is now the benchmark for digital gold issuers, and while not universally adopted, it is widely understood. While I say it myself, I think it a lot more effective, bang for governance buck, than the efforts of the national competitors.

Mostly 5PM is just classical separation of roles (sometimes known as 4 eyes principle), but it also introduced the new factor of open governance: disclosure of key facts to the public, who then audit and share their results over the Internet.

The innovation of open governance creates a dramatic shift in classical governance, as it moves tasks that were previously only possible with (expensive) audits or (backfiring) regulations across to the open market. Solutions then emerge in accord with what stakeholders want to spend, and they emerge in interesting ways.

And, oh so many interesting possibilities! John Quarterman posts:

• Bakersfield pothole map -- Locals report seeing potholes and they get mapped.
• U.S. Fatalities in Iraq -- Someone has taken the home of record for each U.S. fatality in Iraq and mapped it.
• Chicago Crime Map -- This one says down at the bottom: "Important disclaimer: This site is not affiliated with the Chicago Police Department. This site uses crime data obtained from the CPD's Citizen ICAM Web site, which is a publicly available database of reported crime. Please read the Citizen ICAM disclaimer to understand the data fully."
• Bakersfield homicide map -- "This is a map of Homicides in the Bakersfield area that occured in 2006. Locations are approximated and based on data provided by the Office of the Coroner."

In every one of those, people have identified an asset, and have created an open participatory forum for sharing information about it. Why? To protect the asset, of course.

This is a darn sight less expensive than classical forms of governance (regulations, external auditing, but also see how the above list directly challenges representational democracy and internal auditing). As those efforts move steadily, deeper into stormy weather, we can expect open governance to become more and more important in securing assets. Mark the rising star as one to watch.

Insider fraud -- innocent client networking or excessive liposuction?

Insider fraud is like an evil twin of security. From the "it could be you" department...

There has been an internal feud at the company for some time between joint owners Kevin Medina, CEO, and John Naruszewicz, vice president, which culminated in a February 12 lawsuit.

Naruszewicz sought, and received, a preliminary court injunction preventing Medina from accessing the company's funds. Naruszewicz claimed that Medina had been using corporate money to pay for a life of luxury, at the expense of the company and its customers.

Among the allegations were claims that Medina has used Registerfly's money to pay for a $10,000-a-month Miami Beach penthouse, a $9,000 escort, and $6,000 of liposuction surgery.

Many "security people" from the new, net-based culture only discover what older value institutions have known for centuries -- and then only when it happens to them.

The overall lesson that we need to bear in mind is that the twins should be kept in balance: cover the external security to the same extent as the internal security. Security proportional to risk, in other words, as having perfect security in one area is meaningless if there is a weak area elsewhere.

That's a case from the computer industry: It could be you... We can imagine that it all started out as an innocent need to network with some important clients.

(Note that the unsung hero here, the VP who challenged the fraud, will probably never be rewarded, thanked, or protected from counter-attacks.)

How to breach a company: Spies, Lies and KPMG

KPMG is in trouble again, this time for being breached. If you are one of the world's select group of targetted companies, read the whole article. Here's the teaser:

The intelligence firm was originally looking for people who fit one of two profiles for sources likely to leak the audit information, according to a Project Yucca planning memo. One personality type was a "male in his mid-20s who is somewhat bored...has a propensity to party hard, needs cash, enjoys risk, likes sports, likes women, is disrespectful of his managers, fiddles his expenses, but is patriotic." The memo described the second personality type as "a young female who is insecure, overweight, bitchy, not honest. Someone who spends money on her looks, clothes, gadgets. Has no boyfriend, and only superficial friends. Has a strong relationship with her mother." Apparently, no one on Diligence's list quite fit either profile, but the firm settled on Enright, the British-born accountant.

Do you know anyone like that in your company? Probably you do, and that is no coincidence.

There are several stock responses, pick one:

• that would never happen to us!
• how could that happen to an audit firm?
• isn't that illegal?

Leaving naivete aside, consider what in your firm stops would catch this and stop it. It's a standard governance exercise.

---

FEBRUARY 26, 2007

INVESTIGATIONS

Spies, Lies & KPMG
An inside look at how the accounting giant was infiltrated by private intelligence firm Diligence

In the spring of 2005, Guy Enright, an accountant at KPMG Financial Advisory Services Ltd. in Bermuda, got a call from a man identifying himself in a crisp British accent as Nick Hamilton. Hamilton said he needed to see Enright about matters of utmost importance.

Over the course of two meetings, Hamilton led Enright to believe he was a British intelligence officer, according to a person familiar with the encounters. He told Enright he wanted information about a KPMG project that Hamilton said had national security implications for Britain. Soon, Enright, who was born in Britain, was depositing confidential audit documents in plastic containers at drop-off points designated by Hamilton.

But Nick Hamilton was not an agent of Her Majesty's secret service, and the documents never found their way to the British government.

Nick Hamilton was in fact Nick Day, now 38, a onetime British agent and co-founder of Diligence Inc., a Washington private intelligence firm that counts William Webster, former director of the CIA and FBI, among its advisory board members. Diligence's client was not Britain's Queen, but Barbour Griffith & Rogers, one of the most formidable lobbying firms in Washington. Barbour Griffith represented a Russian conglomerate whose archrival, IPOC International Growth Fund Ltd., was being audited by KPMG's Bermuda office.

A 2006 scandal involving Hewlett-Packard Co. (HPQ ) put the issue of corporate espionage in the headlines. Diligence's methods, revealed in court documents and interviews by BusinessWeek, show how far some in the corporate investigation business will go.

"PLAUSIBLE DENIABILITY"
Without denying this account of events in Bermuda, Diligence's Day says: "We've always respected the laws of the jurisdictions in which we operate." He adds that corporate intelligence firms like his provide an invaluable service. "We essentially help businesses deal with the risks of operating in challenging markets," Day says. "It's a role which government agencies don't necessarily have the resources or understanding to be able to fulfill."

From the start, Diligence's goal was clear, if far from simple: Infiltrate KPMG to obtain advance information about the audit of IPOC, an investment fund based in Bermuda. Russian conglomerate Alfa Group Consortium hired Barbour Griffith & Rogers through a subsidiary, and the lobbying firm in turn hired Diligence. Alfa is dueling with IPOC for a large stake in the Russian telecom company MegaFon. "We have a good chance of success on this project," Day wrote in an internal Diligence memo, referring to the Bermuda espionage effort. The memo, which BusinessWeek reviewed, added: "We are doing it in a way which gives plausible deniability, and therefore virtually no chance of discovery." Similar Diligence operations, the memo noted, had been successful before.

Within Diligence the KPMG campaign was dubbed Project Yucca, and it unfolded in stages, according to people familiar with the operation and documents filed in a court proceeding involving IPOC and Alfa in the British Virgin Islands. First, two Diligence employees contacted KPMG's Bermuda offices pretending to be organizers of a legal conference on the island, according to a person familiar with the operation. The Diligence staff members called KPMG secretaries and asked about how the office worked. Soon, Diligence had the names of a handful of KPMG employees who might have access to the IPOC data. But Diligence wanted to narrow the list.

The intelligence firm was originally looking for people who fit one of two profiles for sources likely to leak the audit information, according to a Project Yucca planning memo. One personality type was a "male in his mid-20s who is somewhat bored...has a propensity to party hard, needs cash, enjoys risk, likes sports, likes women, is disrespectful of his managers, fiddles his expenses, but is patriotic." The memo described the second personality type as "a young female who is insecure, overweight, bitchy, not honest. Someone who spends money on her looks, clothes, gadgets. Has no boyfriend, and only superficial friends. Has a strong relationship with her mother." Apparently, no one on Diligence's list quite fit either profile, but the firm settled on Enright, the British-born accountant.

Enright soon got a call from Diligence's Nick Day, posing as Nick Hamilton, according to a person familiar with the situation. The two agreed to meet for lunch near the KPMG offices in Hamilton, Bermuda. At lunch, Day, who is dark-haired and has a warm smile, said the assignment he had in mind for Enright was top secret and involved Britain's national security. Day kept the conversation vague, never mentioning IPOC or the audit, according to the person familiar with the situation. Day told the accountant he would have to undergo a British government background check to ensure that he was up to the task. Day produced an official-looking--but fake--questionnaire with a British government seal at the top and asked for information about Enright's parents, his professional background, any criminal history, and political activities, according to a copy of the questionnaire reviewed by BusinessWeek. Enright provided the information.

Several weeks later the two men met again, this time in a local bar, says the person familiar with the events. Day, still calling himself Nick Hamilton, told war stories from what he said were his days in the Royal Navy's Special Boat Service, Britain's equivalent of the U.S. Navy SEALS. He then steered the conversation toward his real interest: What did Enright know about the KPMG audit of IPOC?

Soon, Enright was handing over confidential audit documents, including transcripts of interviews KPMG had conducted in the IPOC investigation, according to court documents on file in the British Virgin Islands and the source familiar with the events. Day picked out a rock in a field along Enright's 20-minute daily commute from his home in Elbow Beach and placed a plastic container under the rock, creating what spies call a dead drop site. At appointed times, Enright slipped new material into the container, which Day later retrieved. On one occasion, Enright left documents in the storage compartment of his moped, which he parked at his home. Enright had told Diligence employees where he hid the keys to the moped. When Enright left for a trip, Day collected the papers, according to the person familiar with the situation.

Day and Diligence took elaborate precautions to make sure Enright wasn't himself a plant or a corporate spy, people familiar with the events say. Diligence employees followed Enright from his office to every meeting with Day. A Diligence employee was at each meeting spot before the men arrived to determine whether Enright was using associates for surveillance. Enright was followed to his destinations when meetings ended. When Day left the meetings with Enright, the source says, the Diligence executive followed a process spies call dry cleaning, which was designed to detect whether Day was being followed. He walked a prescribed route through several narrow "choke points" that made it possible for Diligence employees to identify anyone who might have been tailing him.

MYSTERY WHISTLEBLOWER
Diligence was paid handsomely for its work. An invoice produced in a federal court proceeding in Washington involving IPOC and Diligence shows that Barbour Griffith was billed by Diligence "For Bermuda report and Germany work--A Telecom." Diligence was paid $25,000 a month, plus $10,000 a month for expenses, according to documents reviewed by BusinessWeek and an interview with a person familiar with the matter. The company was also paid a $60,000 bonus for acquiring the first draft of KPMG's audit of IPOC. Diligence's total take couldn't be determined.

The undercover Project Yucca ended after someone--it remains unclear who--dropped a bundle of papers at the Montvale (N.J.) office of KPMG on Oct. 18, 2005. The papers included Diligence business records and e-mails with details of Project Yucca.

On Nov. 10, 2005, KPMG Financial Advisory Services sued Diligence for fraud and unjust enrichment in U.S. District Court in Washington. On June 20, 2006, the case settled. Diligence paid KPMG $1.7 million, according to a person familiar with the settlement.

On June 15, 2006, IPOC sued both Diligence and Barbour Griffith & Rogers in the same District Court, alleging civil conspiracy, unjust enrichment, and other misdeeds. That case is pending. Gavin Houlgate, a spokesman for KPMG, declined comment, as did attorneys for KPMG at the New York law firm Hughes Hubbard & Reed. Kirill Babaev, a vice-president at Alfa's telecom arm in Moscow, said in a statement when asked about Alfa's involvement in the Diligence operation: "We are...not a party in any litigation with IPOC, and therefore cannot comment on any rumours or speculations in this regard."

Barbour Griffith & Rogers' most famous co-founder is Haley Barbour, who is now governor of Mississippi. Barbour left the lobbying firm in 2003, before the Diligence operation began. Another Barbour Griffith co-founder, Ed Rogers, was an early investor in Diligence. The lobbying firm rented space at its Pennsylvania Avenue offices to Diligence. Edward MacMahon, a lawyer for Barbour Griffith, says the firm has done nothing wrong and that no one affiliated with Barbour Griffith currently has an equity stake in Diligence. A person familiar with Diligence says the firm's shareholders are CEO Day, former U.S. Ambassador to Germany Richard Burt, Edward Mathias of Washington-based private equity firm Carlyle Group, and Buenos Aires private equity firm Exxel Group. Burt confirms he is Diligence's chairman but declines to discuss Project Yucca. Mathias confirms he is an investor in Diligence but says he is unaware of the Bermuda events. Exxel Group lists Diligence among its portfolio companies on its corporate Web site but did not respond to an e-mail seeking comment.

It's unclear whether Diligence broke any British or American laws. In an interview at his Washington office, Day says he and his firm always stay within the law but have learned much since 2005: "As an organization we've changed a lot as a result of everything we've been through in the last year." He says Diligence has "spent a lot of time training our staff as to what they can and cannot do."

In a statement to BusinessWeek, IPOC director Mads Braemer-Jensen said: "The fact that Alfa hired Barbour Griffith & Rogers and Diligence to use illegal and dishonest smear tactics against IPOC just shows that Alfa is trying to change the subject away from the fact that they stole from IPOC. We hope the U.S. and Bermuda law enforcement authorities will make note of this and take appropriate action against Alfa."

Guy Enright, who now works for Deloitte & Touche in London, declined repeated requests for comment on his relationship with Nick Day and his work on the IPOC audit. The terms of Enright's departure from KPMG couldn't be determined. But he apparently didn't come away empty-handed from his encounters with Nick Day.

As Project Yucca wound down in 2005, Day, still in the guise of Nick Hamilton, gave Enright a Rolex watch worth thousands of dollars, according to two people familiar with the present. Enright was led to believe it was a thank-you gift from the British government, but it, too, came from Diligence.

By Eamon Javers

Why Linux doesn't care about governance...

The Mozilla governance debate is running hot, rejoinders flowing thick and fast. Here is a seriously good riposte by James Donald:

A successful open source project has a large effect on what large numbers of people do. The effect has a large indirect effect on various for-profit ventures, who then proceed to give handouts to the non profit open source project. Thus, for example, linux was the beneficiary of vast amounts of work by engineers employed by corporations who feared that they would be screwed by Microsoft or wintel, and urgently wanted to have an alternative, or, in the case of Sun, had to ensure that their customers had an alternative.

In that case, the big corporations were the good guys, reacting against the dangerous power of a particular big corporation, protecting everyone in the course of protecting themselves.

More nefarious activities are common: For example OpenID is backed by XRI, and tends to do things that are more in the interests of XRI rather than support the objectives of OpenID - but then there is nothing terribly wicked or nefarious about the objectives of XRI.

Getting back to the case in dispute, the various browser responses to phishing, to the internet crisis of identity and security, make more sense as a Verisign business plan than as a response to phishing, and in so doing harm security, in the sense that they are disinclined to take any effective action, for any effective action would compete with the services provided by Verisign.

We don't need to worry about governance with linux, for the interests of the contributors are well aligned - they all want free software ("free" as in "free speech", not just "free" as in "free beer") that does all the things that Microsoft's unfree software does) So we just proclaim Torvalds dictator and let him get on with it. No one cares about linux governance.

Trouble is that some of the contributors to Mozilla want to paid for security, which means that they do not want Mozilla to provide free security - neither in the sense of free speech, nor in the sense of free beer.

And Mozilla really should provide free security.

Now, we might not agree with everything written above ... but James does raise the rather good point that there is a big difference between the Linux community and the Mozilla community.

Superficially, there is tight control over both projects. In the first case by Linus, Grand Vizier and Despot Over all his Kernels and Dominions. In the second, MoFo developers are Most Benevolent and Principled Dictators, Defenders of the Freedom of all our Code in all our Repositories. To paraphrase.

Both despots, both dictators. Here is the difference. Linus only rules over the kernel; which is then fed to 100 or more secondary tier distributors, within the freedom granted by GPL. They then feed it to users.

In contrast, Mozo rules over the whole show. The user interface ("UI") is controlled by the Mozo developers, but not by Linus in his project. For Mozo the money comes flooding in like the spring melt because they have a vast user base wanting to access the lodestone of net commerce: search engines.

For the linux kernel there is no such centralised opportunity, as the UI is controlled at the remote distro level. In practical terms, the Linux commercial opportunity has been outsourced into the free market of Redhat, Ubuntu, Suse, Debian and a hundred others.

The reason that no-one cares about Linux governance is that the very structure of the Linux industry is the governance. The governance issue of regulating benefits and opportunities is solved by placing it were it is best dealt with: in the market place.

Expressed as a principle, Linus says it's ok to be a systems despot, but, please, let the UI go free.

on Governance

Governance seems to be a term that is less familiar to more than a few. So I will try and paint a picture of it. (Caveat: Governance is a huge field, so it won't be possible to give more than a small overview...)

The closest to what we mean in Financial Cryptography is what is called Corporate Governance; other uses of the term suffer from manipulation. In the corporate world, Governance is in essence the need to align the organisation's decision makers with the interests of the organisation itself. (We will come to the non-profit versus for-profit issue later.)

Let's get right back to basics and consider two people, an Owner and an Employee. The owner's interests are aligned with her decisions; if not she loses money.

However her employee has a more perverse situation: his decisions are naturally aligned with his own interests, which might be contrary to the interests of the owner.

(This is called the Principal-Agent problem, where the Principal is the owner, and the employee is an Agent of the Principal. The Agent has a conflict of interest, whereas the Principal does not, in simple terms. It is a widely studied theory.)

The Shop of Humble Things

Pretty dry stuff, so let's try an example. The canonical story is that of a small retail shop. How does the Owner structure things such that the Sales Assistant doesn't simply keep the money handed him by the customer?

Several age-old inventions created revolutions that enabled our humble shop to advance to greater things. Here's two from the Halls of Governance Fame:

1. The cash register (or till or box). These days we think the cash register is about the need to calculate change and store the cash safely from robbers, but its original success was due to something else: the creation of a separate box that created a mental and physical barrier between the Agent's money and the Principal's money.

Think here of the old shop assistant's uniform -- a huge pair of overalls with 2 grand pockets in the front, and you'll see where we are heading. The Agent can put the Customer's payment into his 2 grand pockets ... and simply forget some or all of it!

Who's to say?

Instead, by putting the money into the box clearly labelled as the Principal's cash register, a protocol was established; if any money was taken out, that was theft, and if the Customer's money didn't go in, that was also theft.

2. The receipt. Again, today, we think of the receipt as the "customer's right." No such! At least not primarily; its core purpose in life is not evidence for the customer, but evidence for the Principal. At the end of the day, the money in the cash register is counted up, and if the total of receipts didn't match the amount of money, then we have a problem.

So why does the Customer get a receipt? Because the Customer checks that the Principal gets a receipt!

In order to make both the above inventions work, the customer was signed up as an unwitting but interested participant in the purchase of Humble Things. She is encouraged to participate in the protocol by one means or another, and is encouraged to report infractions to the owner. With the receipt, we want her to make sure that the Shop Assistant fills out a copy for the Owner, so the owner rewards her with a copy as well. When she sees money going into those 2 grand overalls pockets, she is encouraged to think about rising prices due to theft.

These two inventions created a revolution in shops: they and other Governance techniques meant that it was possible to employ Agents and trust them to work unsupervised.

Corporate Governance

So what do we mean by Corporate Governance? Simply the enlarged form of the above: using techniques like the cash register to construct larger, better and more trustworthy enterprises.

Imagine your new job is Financial Controller at Enron! Do you get into the spirit of financial engineering, and shovelling of huge bundles of corporate value into obscure corporate vehicles for later profiting ... by self ... or do you work to clean all this up and make the money work for the shareholder?

Well, it all depends on how the interests are aligned. Do you get to keep the money? We all know that everyone has a price, and it only depends on the *amount* money on offer ... we also know that the equation is fundamentally one of risk and likelihood: A nigerian scam offers you millions, but you know that the chances are ridiculous, so your expectation is negative.

So, for our financial controller at Enron, it is *just* another risk calculation, and <ahem> he's very good at that, because risk is his job!

What stands in his way is: Governance. Enron was nothing but a failure in governance.

Corporate Governance, then, is the mission of establishing the shareholder as the ultimate benficiary and searching for the best way to reward that shareholder for her investment. It *specifically* looks at how we align the interests of all the players -- directors, managers, etc -- so that they all work to reward the shareholder.

And, not themselves. Governance works on the expectation that directors and managers will consider their own interests before that of the shareholders. How we deal with that is the art and science of governance; we don't eliminate it, nor even totally control it, but we search for the profitable balance, the convenient seduction, the ultimate win-win. You pick the terms, but recognise that Governance starts when you understand that the employees are on a pay-packet, and that will always be stronger than their interests in the welfare of the shareholder.

Non-profit Governance

Now, how does this all apply to an organisation without shareholders? Well, obviously, the interests cannot be aligned because there is no benchmark available -- no shareholder. Does this mean that Corporate Governance is null and void in the world of non-profits?

Not at all. It means that we start from an absence of Governance, which is a worse situation than a corporation without governance. With a corporation, the owners can always sack the board and start again, albeit with losses. With a non-profit, we can't even take that drastic step.

How we deal with this is tough. I'm no expert on non-profit governance, but I can offer some tips. First one:

Identify the stakeholders. These people can be impressed into service as proxy shareholders; in that where we would align interests to shareholders before, now we align interests to the stakeholders.

Next, identify the interests of the stakeholders. As we aren't paying them money, it will have to be something else. Money is fantastic for this purpose because each payment ("dividend") is measurable and comparable, and it will be hard to come up with something as good as money to create a feedback loop. But, it is possible.

Then, align the interests of employees to the above interests of the stakeholders. E.g., maybe your stakeholders are interested in "choice in software." If so, we could measure how many choices you offer, and what proportion of the population chooses your choice. Then, we could reward the employees on how the growth in choice pans out over time.

By way of example, consider an option on future market shares of software. Imagine you give me an option on 19% share for our product Fuxbirdie within the overall market for brailers. When Fuxbirdie reaches 19%, I get paid out a buck, and if not, it expires worthless.

Summarising the Governance of Humble Things

Governance isn't exciting. It doesn't seem to get more code written, it doesn't get your picture in Linuxworld, and there are no awards. It literally is the last and most ugly thing to work at.

It is also the thing that fewest honest people understand least well, and most crooked people understand very well. For the crooks, it is their way to their pot of gold, without even the sense of theft; it is the ultimate fraud, one that actually .. didn't happen because the crook changed the rules to make it work in his favour.

Governance is simply about identifying your core stakeholders, their interests and then aligning the business to your stakeholders and interests. Now, your interests. It's easy if you are a Corporate, as the profit motive and shareholder base are easily set up.

It's a bit harder as a non-profit; but there is an avenue in identifying stakeholders, and their interests.

Annex: Things Excluded from FC's meaning of Governance

Political governance, as defined by the World Bank.

Project governance, at least as described in wikipedia. That's what I would call standard project management, dressed up with a new name for the purpose of selling more consultancy time. Call me cynical...

Also, IT governance, as seen here, is not it:

A characteristic theme of IT governance discussions is that the IT capability can no longer be a black box. The traditional handling of IT management by board-level executives is that due to limited technical experience and IT complexity, key decisions are deferred to IT professionals. IT governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision making process. This prevents a single stakeholder, typically IT, being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected:

A board needs to understand the overall architecture of its company's IT applications portfolio ... The board must ensure that management knows what information resources are out there, what condition they are in, and what role they play in generating revenue... [1]

Again, this is an old pig called "management." Putting it in a dress and calling it governance doesn't help. I'd speculate that it is done that because telling the board that they don't understand IT isn't helpful, but telling them that it is governance might wake them up.

This is closer, and it might resonate for some people. "Good Governance" as applied in "development literature"

"Simply put "governance" means: the process of decision-making and the process by which decisions are implemented (or not implemented). Governance can be used in several contexts such as corporate governance, international governance, national governance and local governance.

Since governance is the process of decision-making and the process by which decisions are implemented, an analysis of governance focuses on the formal and informal actors involved in decision-making and implementing the decisions made and the formal and informal structures that have been set in place to arrive at and implement the decision."

Posted by iang at 06:41 PM | Comments (1) | TrackBack

Stakeholders in Security

Over on anti-fraud, Gervase asked:

>> Perhaps you should define "stakeholder" while you are here.

Ok, fair question. I received a huge tome entitled Phishing and Countermeasures in the post a week or so ago, and it includes lots of academic articles. In one, in a discussion of behavioural studies of phishing, it says:

As previously stated, Smetters and Grinter [39] have made the claim that there are three groups of stakeholders to consider in the design of security technologies, namely developers, administrators, and end-users. They claim also that the latter two groups are the primary focus of most security-related research. Finally, they claim that end-users are more frequently forced to be their own systems administrators nowadays, leading to an undesirable condition in which managing security is more complex for end-users than ever.

The notion that the stakeholders are developers, administrators, and end-users is perhaps the most obvious inventory. In a larger sense, all of society is affected by the security and trustworthiness of the online world, and we should not here discount the effects on all of society that arise when the security rights of individuals are violated. In global terms, the very notion of transactions between people and societies can be effected by the level of collective trust that depends on the reported experience of individuals.

[discussion of personas, snipped] ... it is not enough to design a system that makes it easy for security experts to manage the security of their transactions systems, but also it is necessary to design systems that make it possible for other kinds of people to easily become aware and act compliantly.

The full article is "Behavioural Studies," Jeffrey Bardzell, Eli Blevis, and Youn-kyung Lim.

To complete the discussion, "stakeholder" is a term that sits in opposition to "shareholder;" it both identifies others who are important, and also asks organisations without shareholders to go through the same exercise as those with.

See also the 2nd (managament) definition on wikipedia.

EV - liability situation is SNAFU

Over in MozoLand, they have opened up a bug track on the problems with Extended Validation certificates, as their way of carrying out the debate as to what Mozo should do. Using bug tracking systems doesn't mean "EV is a bug," it just fits the process and culture of the people concerned.

As I'd commented before about EV, and hit on the liability issue as one big area, the following is a more clear description of the issue: possibly suitable for filing as a bug. I just find it easier to wax on in blog form when it reaches a certain level of complexity.

Classically and simply, the certificate business is one that promises coverage of some form for MITMs (such as phishing attacks) to Internet browser users (relying parties, perhaps), while charging server users (subscribers) for the privilege. It is structured as a systemic franchise, meaning a group of interlinked but independent business units such as CAs, server vendors and browser vendors, operating to provide a single cohesive service; which term I just coined to capture the lack of transparency and potential problems incumbent in that opacity.

In practice, the promise of "safe Internet browsing" is generally false, as evidenced by phishing. In particular, CAs more or less generally seek to reduce their liability to Internet browser users to zero, using a variety of tricks [1]. For example, in law, there is generally no liability if there is no contract or no specific legislation; so a common trick is for CAs is to hand out contracts that spell out that liability only exists if the crypto has been breached or other conditions that are statistically or security-wise irrelevant.

The new EV Guidelines may then be viewed on whether they improve on this position, from the pov of users and other stakeholders. Some comments follow that attempt to interpret/predict any new liability position that arises for CAs to browser users under EV [2].

The big picture within the Guidelines is at page 42. Here is my summary:

37.(a). CA Liability

(1) Subscribers and Relying Parties.

A. If the CA is compliant with EVG, then it is not liable.
B. If the CA is *not* compliant then it may seek to limit liability.
C. But not to any lower than $2000 per customer.

So what we have is that if CAs did the "right thing," then they are not liable, but even if they did the wrong thing, then they are only liable for up to $2000!

Let's get specific:

1. We know that the average phish is around $1000. Many are more, of course, and some frauds have reached towards $100,000. Now, maybe we don't want to limit liability to $100k ... but something a lot greater than twice the average phish -- data which we know have for some 3 years -- would be somewhat more impressive.

2. It has been suggested that the base price of an EV certificate will be around twice the existing "best of class" cert. That is, around $2000 from Verisign.

So in effect, for any one customer, the issuer is likely only liable for the same amount as the monies which they have accepted, albeit from the subscriber. This happens to be a normal watermark in both contract and law anyway.

3. Even when phished, you aren't covered. If there is a flaw in the Guidelines, you're not covered. If there is a flaw in the browser, you're not covered (but see "Indemnification" for more confusion).

4. Only if there is an error in the CA's actions are you covered. This could be as egregious as issuing a summer madness discount package of certs for all the Banks in in all the Americas to the Russian mobsters... and the CA still may limit liability to $2000!

5. Further, there is no hint anywhere that CAs should take on an expected liability of $2000. This is not an insurance policy by any stretch of the imagination; quite the reverse, as the CA

may seek to limit its liability ... by any means that the CA desires ...

provided that the monetary amount is capped at $2000.

What does this mean in plain words for liability? Knock yourselves out, guys: Use all those old barriers and reduce the expected liability to zero. Just state that the monetary damages upper limit is $2000.

6. For one tiny example, the statement that CAs are not liable if they are compliant with EVG is simply that: a trick to reduce liability. EVG is no contract, it is simply yet another document to wave in front of the judge and make him or her want to clear this horrible case from the calendar.

7. For further small example, what lawyer will take on a legal case for $2000? US attorneys won't deal, and no expert witness will testify on your behalf on whether the CA made a mistake (yes, you will need expert help, unless you actually understand the Guidelines....). And, um, how many attornies do the CAs have call on?

8. Bottom line is that EVG has practically knocked out all possibility of an individual case. This doesn't exclude for example class-action cases ... but if that's the case, it should just say that, if there was any interest in serving users. It doesn't, and there isn't.

---

To summarise. There are some benefits on behalf of the user here. It is useful for users and courts to at least know that with EV certs, there is the admission of potential liability . And with pre-EV certs, there is no admission of any useful liability at all; nix liability, zero, zip, nada, m'lord. It can then be up to a court to determine just how viable these disclaimers and limits are.

It's also beneficial to put these above numbers in perspective. Try this free test: go to your favourite computer store, pick up any soho-grade UPS like an APS or a Belkin, and read the blurb on the box.

(You don't need to buy to read...)

An uninterruptible power supply (in the US at least) carries a guarantee or warranty that claims that it will pay you for damages incurred if it fails to protect your PC. The limits are something like $50,000 for a $50 unit and $100,000 for a $100 unit. ('scuse flaky memory here ...)

Serious surge protection is needed about as frequently as lighting strikes hit your block. UPS manufacturers are prepared to cover you for the surges that fry your whole office, but EV issuers won't cover more than your laptop, and on past acturial bases, they're only paying out if you are unfortunate to be struck twice.

If EV and the authors get away with this tailoring of our Emporer's new suit, then these benefits are so limited, so measly, so out of tune with validated threats of the real world (phishing, etc) that no user, no subscriber, and no software vendor would be thinking rationally to pay for these "benefits."

The only business case here is is one of deception; in this case achieved by franchising out the decision of secure browsing to some august body that writes and talks well. A rational analysis, one that could see through the systemic franchise of confusion, would conclude that there be choices that are to the benefits of the users.

The first of which is to ignore the whole thing, as it delivers insufficient benefits to users. Whether users are offered a choice in secure browsing or not is certainly an interesting question; to date, the answer is Definately Not.

[1] For a wider but equally polemic treatment, see PKI Considered Harmful.
[2] Disclosure: I audit a CA, and in that act I have come across these and other problems with liability.

Critiquing the Mozo (draft) principles

What follows is a long set of criticisms on the Mozilla draft principles. Like the original document, these are quite drafty; and also hypercritical.

That's because that's what is needed now: hard words. Agreement isn't much use; it is indistinguishable from aquiescence, ignorance, and real agreement.

1. Transparency. It may have escaped the techie community, but it hasn't escaped the business community: transparency is the way that we publically audit the operation. That is, if the deals and procedures and actions are transparent, then everyone can see through and confirm the logic.

   The reason we do this is simple: because we distrust the words of the insiders. Not because they are nasty people, but because the systems are complex, the objectives aren't clear, and there is too much money washing around. Fraud is a 'when,' not an 'if.'

   The alternate is opacity. Which means we outsiders can't see in. Which positively means that Mozo could do some tricky deals that wouldn't survive a skeptical public ... and it negatively means that deals that shouldn't survive will carry on to cause more and more complications.

   I've been there and done that. Opening yourself up to scrutiny is painful, and it is more work. But sometimes deals that I've favoured have been shot down by outsiders, and in retrospect, they've been right.

   So when I read this:

   #8. Transparent community-based development processes promote participation, accountability, and trust.

   what strikes is that *development* processes are to be transparent, but not other processes. So deals can be conducted in secret? Strike One!

   #9. Commercial involvement in the development of the Internet brings many benefits; ...

   Strike Two! "...brings many benefits" leaves out the essential truth -- that it brings many costs! How can we trust these principles when they are couched in such miserly touchy-feely words, evading the hard truth?

   Don't be subtle. Be blunt. Benefits *and* costs, please. Which leaves us to consider:

   ... a balance between commercial goals and public benefit is critical.

   Where in the mission or in the principles or anywhere is it stated that commercial deals are a necessary part of Mozilla?

   Strike Three! Take a walk. There is no assumption of commercial activity; you chose it, now explain it.

   Mozilla has a choice. It can live off donations (which are listed in the financial report, the top 5 donors all being named, thanks to IRS rules). When it chooses to accept a commercial deal from Google, and participate in their mission to swallow the whole earth, or with Yahoo, and participate in their mission whatever that is, then it behoves Mozilla to explain to the user base why this is positive, and why this is negative. And how Mozilla has protected its user interests, positively.

   Not the other way around. As written, these principles do not surface the core dilemma that Mozilla may be able to do more good towards its mission if it accepts commercial deals.

   Which begs so many questions that go unanswered: who chooses? who benefits? Where did the 54 million go? What did I personally pay in accepting the stealth search deal? Are they tracking my queries? Does Mozilla know what it has done?

   The reason they aren't answered is because they aren't admitted in the principles, which is reflective of what you admit to yourselves.

2. A wider problem with Mozilla in its current form is that it has no other owners to exercise governance over the board. Normally a shareholder's meeting will convene and kick out the board from time to time ... but this isn't possible with an non-profit association.

   So Mozilla should be looking for ways to improve that. Looking at the published accounts for 2005, there was some $54 million flowing through, which equals a whole lot of potential for trouble. Ask yourselves this: how are you going to be keeping your eye on principles when you find the first scam diverting funds within?

   So there is a massive need for scrutiny. Who is going to be able to push the CEO out for authorising nefarious things, as happened recently at HP, more or less?

   There are many ways to do this; but they all involve opening up to outside scrutiny. That's the first emotional barrier to deal with.

3. Security, #4. This is a difficult one, for me, personally:

   #4. Individuals’ security on the Internet is fundamental and cannot be treated as optional.

   Basically, we as a discipline do not have a good view of what the word security means. For every definition, there are people who firmly believe that it's wrong, and can show it. So in a sense, this might backfire and further entrench today's definition, whichever it is.

   In one sense, resorting to the *Individual's* security might indicate that Mozo will look at what hurts users most: phishing, spam, OS viruses, dodgy sites, etc. Which seems a good idea, but see below.

   I think the best we can say is that the more people put security on their agenda, the more likely it is that progress might be made. But you can only really put it into the Principles if you care to make it stick.

   Which indicates a weakness: maybe, if security is still a difficult area in Mozilla, then it should be taken off the list, until it is resolved. Do you or do you not want to have a security mission? Is it something special that you do, and you go all out for; or is it something you do to a "general standards level," no worse, but no better than anyone else?

   You don't want something weak and limiting to hold you back.

4. A little further afield, let's do some scenario planning. If all the things in this shrill article come to pass -- it's a scenario, no more -- do Mozilla's principles come under attack?

   What to do? Should Mozilla prepare a new set of principles? Not worry about it too much? Leave the USA and encamp to Switzerland?

   This gets us into the area of asking just how far can we rely on Mozilla to protect us. Recent admissions from Skype, by way of example, have indicated that they can breach the security of their phone calls. Can Mozilla breach the security of some of their products? Would they? Do they have an established and documented procedure to deal with this?

   So, although the principles are full of comforting words, what I don't see is anything that helps me determine how Mozo deals with the real hard questions. E.g., reporting on Chinese dissidents, or reporting on Iranian bomb-making plans encrypted in Thunderbird email? Does it make a difference if they are their dissidents or our terrorists?

   Or consider the slippery slope of Paypal. Look at the list of things you can buy now, or auction on eBay. It's a disaster for the public mission, and it's a story that will have Mozilla's name on it, one day.

5. On principle #1:

   #1. The Internet is an integral part of modern life ...

   No, not quite. It is only prevalent in the 1st world. Basically, the rest of the world (worlds 2, 3, and 4 depending on your geopolitics) hasn't yet got to the point of integrating the Internet.

   Now, it may be that Mozo simply isn't in that business, in the same way that the Gates' and Soros' Foundations are. However, Mozo should be careful to a least be aware of how these principles are perceived outside their bailiwick.

   I recently looked at how to extend security systems like classical CAs into poor countries. It was very tough because those countries can't afford classical identity systems, and the CA world prays at that church. Suffice to say, it was possible, but one needs some extreme mental judo to do it, and the system needs to be well tuned.

   There is no criticism intended then, in focusing on only those with incomes to pay for 1st world standard laptops and 2 mobile phones. But let's be aware of our focus, because as time goes on, it trickles down and outwards.

6. All in all, there is a gaping absence of thought here in who the stakeholders of the process are.

   Considering that the Principles project (like so many others within Mozilla) was conducted internally, we can immediately identify the most powerful stakeholders: insiders. Then, we can identify the weaker stakeholders as those who were left until the draft was complete. That is, the users.

   Is that right? In both senses of the word...

   Further, it may be unpopular, but there do exist other stakeholders. By way of example: CAs (a topic of much currency because of the polemic EV story), the legal process (courts, LEOs, civil suits, etc), foreigners versus those who are not foreign (the term becomes harder to define with every new political revelation), independent programmers who volunteer their efforts, dependent programmers who are volunteered by corporations, the very corporations who pay for the deals, the NGOs that do some good and useful work that want help (here I'm thinking of the "access" projects that FH pursues).

   Etc etc; the list of potential stakeholders is very long. Which leads us to their conflicts:

   • If it is right, then, that Mozo should treat its users fairly, it should also treat Google fairly. When the $10m cheque (check!) arrives, Google should know what they get for their money, and as importantly, what they don't get for their money.
   • Likewise, when a privacy activist works on the crypto libraries, he doesn't find that a backdoor was snuck in to reveal the chinese dissidents that he swore to protect.
   • Does a salaried Mozo employee have an interest in signing up the latest deal? Of course, as it helps their salary; but is that more or less biased than the corporately sponsored volunteer who is pressing the same deal, for the same unstated commercial flow?

   A critical first step is to identify the stakeholders. Then, identify which are yours. Principles 2 thru 5 speak to the individual. I would guess that you want to state that your primary mission, above all else, is to serve the individual on the Internet.

   If so, say so.

   Then, with a clear conscience, it will be easy to deal with the conflicts of dealing with corporations, governments, etc, all those who do not have your stakeholders as their mission.

7. Mozilla is musing on the notion of signing up to these principles.

   If so, make them more certain. More principled.

   a. Not this:

   #2. The Internet is a global public resource that must remain open and accessible.

   That doesn't identify the crux of any pledge; because if it fails to remain accessible, then it wasn't our fault.....

   For anyone to treat it seriously, It has to be something like:

   Mozilla pledges to keep the Internet a global and public resource, open and accessible to all.

   If you believe in something, then stick your neck out. Failing to achieve what you believe in is far more honourable than succeeding to avoid the blame for something you might or might not have said.

   These principles are full of wishy washy stuff, that makes me think that the air in California is just nicer and less invasive to our thought processes.

   b. Consider #3:

   #3. The Internet should enrich the lives of individual human beings.

   That is soooo.... pre-Netscape! Where were you guys when they made the commercial browser?

   The Internet is a shared space for all -- be they humans, corporations, NGOs, dissidents and freedom fighters, criminals & terrorists, governments, both good, bad and atrocious.

   If you mean that Mozilla concentrates on the enrichment of the experience for individuals, and *not* the commercial interests of corporations, then so be it. Say it. But you'd better explain then why you take $54m from corporations, and nothing from people. And, please *identify* who your core and leading stake holders are.

   Or, if you mean that you'll enrich the success rates of various terrorist or criminal elements, in order to empower their individuality and spread the enlightenment, then please explain how we deal with the due process of the law. Start with how you reject the NSL ...

   Which all goes to say that putting in a wishy washy "principle" might be really useful to get "consensus" and "bring us all together" and make us "feel good about ourselves" but nobody else will believe it, and even your own people won't pay attention to it after its put in place.

   But it sure makes it easier for idle critics to idly criticise.

   c. Same with #4. Either sign up to protect the Individual's security, and actually do it, or take a number. Get in the queue.

   You can blather on in press articles to your heart's content, behind Symantec, Microsoft, Oracle, Sun, the airlines, and other snake-oil salesmen. Nobody believes your words nor theirs about security any more.

   In the new world of security, only actions speak.

   d. Ditto with #7. If you believe in open source, then do it. Say:

   We only do free and open source software.

   Let others waffle on about why, and what the precise term should be.

8. If it's a principle, it is simple, to the point, and cannot be misinterpreted. If there is room for discussion, it ain't a principle, and it's only yourselves you are fooling.

9. Principles 1, 2, 6, 7, 10 speak to the common good. Once you identify your core stakeholder group, then these become tractable. If not, then not.

   Delving into vague goals of common good is generally not a good idea; smart people can abuse it and generally do so. It is far better to select a group and serve them than to serve a false god of a political ideal. Too many wars have been fought over capitalism versus socialist, christianity versus islam, representation versus taxation, freedom of speech versus right to live without fear of intimidation ... and it seems unwise to be diverted into those.

   Unless you are absolutely sure. Then, make it your core. If you believe you are going to protect freedom of speech, above all else, then say that. If not, then don't.

   Serving a browser alternate to the user public is a good enough mission without colouring it with such vagueries as enrichment, public benefit, etc etc.

10. Consider:

    #8. Transparent community-based development processes promote participation, accountability, and trust.

    Right, but that's not what happened, is it?

    a. Firefox was written *after* that process failed. It was written by one guy or two guys, in frustration. Then another, and another ... but they joined *their* process, not some open blah blah feelgood exercise.

    Details of course are disputable but concentrate on the big dilemma here: your mission is to deliver the choice in browsing, etc. While as a principle, you promote open processes to enable that mission, there are exceptions.

    b. Which brings up a clash: mission versus principles. To my mind, the mission must come first. The principles come second. Where the principles get in the way of the mission, the principles are dropped, at least temporarily.

    So this entire document should headed with the Mission. And the priority should be clear.

    c. The original browser author(s) was right, of course, to go way outfield and start again. You need to accomodate all successes, in their time and place, because the mission says that delivery is more important.

    This is called "the internal marketplace" in business speak; which probably grates. But, think of your mission, not your politics.

    It's also an essential hubris -- encourage your own principles to be hacked. Because, at the end of the day, the individuals are opinionated, but the delivery is what counts.

Well, that was long, wasn't it :) It is slight but ignorable coincidence that there are 10 criticisms for 10 principles. The most important thing is that this is a process, and this is now open. Let's get stuck in; the result can only be better.

Mozo posts some draft Principles

One of the things that has been a continual bug(bear) in the private non-profit association form that Mozilla adopted was the lack of a defined feedback loop. How do we know we are doing the right thing?

One way to deal with this lack of feedback is to sign up to some solid principles. (Or, a mission, but let's not quibble today.) And, yesterday, Mitchell@mozo posted a draft of principles. This is a very welcome development. It isn't easy to do this, no matter how many internal naysayers and external grumblers there are:

PRINCIPLES

1. The Internet is an integral part of modern life -- a key component in education, communication, collaboration, business, entertainment and society as a whole.
2. The Internet is a global public resource that must remain open and accessible.
3. The Internet should enrich the lives of individual human beings.
4. Individuals’ security on the Internet is fundamental and cannot be treated as optional.
5. Individuals must have the ability to shape their own experiences on the Internet.
6. The effectiveness of the Internet as a public resource depends upon technological interoperability, innovation and decentralized participation worldwide.
7. Free and open source software promotes the development of the Internet as a public resource.
8. Transparent community-based development processes promote participation, accountability, and trust.
9. Commercial involvement in the development of the Internet brings many benefits; a balance between commercial goals and public benefit is critical.
10. Magnifying the public benefit aspects of the Internet is an important goal, worthy of time, attention and commitment.

Pointed to by Gervase, here, where you may be able to comment.

I have no easy comments right now, but I'd encourage you all to think about it. The need right now is to set up a strong foundation, which will last for decades, the time for gushing is in future years when it's cast in concrete. Be critical, be very critical, future users will thank you.

Non-repudiation, Evidence and TLS: another fine mess I've got you into :-(

Back in the good old days when security people would sprout nonsense and nobody blinked, we talked about non-repudiation as a feature of public keys. Finally, we blabbered to anyone who would listen, we can prove that the bad guy is bad, through adroit application of PAIN and other suitable acronyms.

I was put straight on this issue by a post on the cryptography list several years back (many thanks to Carl Ellison). Basically, non-repudiation is a contradiction, as there is no way to stop a person repudiating something. She simply says

"I did not!"

And now it is over to the two sides to prove it or otherwise. Which is to say that repudiation is a basic human act, and it is a foundational stone of our modern juridical system; one side makes a claim, the other side disputes it. In court, before an impartial judge.

The term "non-repudiation" is nonsense. Even worse, the technology didn't even come close to that sense, because of the whole security mess known as the PC. Ellison & Schneier said simply that "it is your machine signing for another machine," which I long-windedly refer to as a failure to anthromorphise the PC: we have no good theory to relate a human to a key.

And, in more formal legal terms, it's a straightforward case of agent-principal failure, in that there is no clear agent-principal relationship between a natural person and a PC; given the predominant security record of Microsoft and competitors, there is no real hope for ever pushing the fantasy in court that the PC is acting for the user.

So .... as a security field, a lot of us have been beating the drum that non-repudiation does not exist in practicality, it's a hype feature only. And digital signatures aren't human signatures. And... (read my collected PKI grumble list for more).

One small contribution I might have been responsible for was the perspective that we should be talking about evidence, not signatures. Protocols reveal evidence. As anyone who's been through the mill of the legal process will tell you, anything can be evidence, and it is up to the court to decide what is good evidence and what is bad.

Hence, our role as architects is to think in terms of the quality of evidence. How can we improve the conclusions drawn from the events and logs? Well, one way is to use PK digital signatures, with the caveats of compromised keys and so forth. Another way is to use hash chains and entanglement, with the caveats of compromised PCs and so forth. Then there are timestamps, and written statements, and ... the list goes on.

By way of personal example, the Ricardian Contract gets it right, because it thrusts a human readable document out there in front of ... humans! It isn't the digsig that helps, it is the fact that the human who signed cannot be unaware of the document, normal circumstances pertaining. So as time goes on, the chances of the contract issuer "repudiating" his own contract diminish dramatically. Cunning tricks like that are the meat and drink of financial cryptography -- getting into the core of the real finance application and understanding how they tick; and then designing systems to help them tick better.

Which long preamble brings us to an Internet Draft entitled "Transport Layer Security (TLS) Evidence Extensions." This document purports to add an "evidence" extension to the venerable but ever popular TLS protocol (a.k.a. SSL, secure browsing and all that). From the introduction:

Evidence created using this extension may also be used to audit various aspects of the TLS handshake, including the cipher suite negotiation and the use of other TLS extensions. In many cases, the evidence does not need to be validated by third parties; however, in other cases, the evidence might be validated by third parties. To accommodate all of these situations, the evidence is generated using a digital signature.

Now ordinarily I would applaud this "single-minded approach" as a very useful employment of my hypothesis of "there is only one mode, and it is secure." But, from the Overview:

Generating evidence is not compatible with Diffie-Hellman Ephemeral (DHE) key exchanges. DHE does not permit the same keying material to be generated for validation of the evidence after the TLS session is over. Persistent evidence requires the use of a digital signature so that it can be validated well after the TLS session is over.

I beg to differ! As I mooted above, evidence is what you present to the court; A DHE session will do nicely thank you very much as it can log information that can be utilised for evidentiary purposes: time logs, successful password usages, etc.

So why the need to eliminate classes of evidence? More from the body:

Persisten[t] evidence of the TLS session content is produced by the TLS Evidence Protocol.
[Ed: my slight correction of word persistence used in the ID.]

What we have is a new chance at the old non-repudiation trick. That trick goes like this: First, we redefine the term "Evidence" to be what we want. Then we deliver what we want, calling it all the time Evidence. Then we force people to adopt Evidence because evidence is needed.

Nobody notices there are two disparate definitions until it is too late and they have adopted it, but that's ok because the mission is adoption, not evidence.

This would be OK if Evidence delivered anything useful. But, as we described above:

When digital certificates are to be employed in evidence creations, the client must obtain the public key certificate (PKC) for the server, and the server must obtain the PKC for the client. This is most easily accomplished by using the PKCs provided in the Handshake Protocol Certificate messages. Further, both parties SHOULD have an opportunity to validate the PKC that will be used by the other party before evidence creation. Again, this is naturally accomplished using the Handshake Protocol, where the TLS session can be rejected if the PKC cannot be validated.

Spot the problem? The client they are talking about is software, but the party they are talking about is the poor dumb victim behind the PC. Call it agency-principal failure or anthromorphism failure, it's still failure, and the security threats inherent within are unrecognised in the document despite a long history (and a very clear heading entitled 6. Security Considerations).

So what is it that they want? It looks to me -- my personal opinion -- like the same old same old: "we" need a way to push various groups into mandating PKI key infrastructure, a la the many and various agency dreams from a decade ago. Sarbanes-Oxley and others create a need for compliance, and evidence feeds into compliance.

The two come together: create a web of technical blah blah that leads to a claim that TLS delivers the Evidence, the whole Evidence, and nothing but the Evidence. Then convince everyone to accept this future RFC via the unimpeachable IETF standards process, those stalwart protectors of the Internet. Then take the RFC and push it before the regulators eyes -- if they have our Evidence, then they have your Compliance with Sarbanes-Oxley.

The hope is that another bunch of suckers will be duped into pushing PKI into inappropriate places. This simply won't work. Indeed, the way it treats evidence is so callous that it probably (my LLB U.Gresham coming into play here) makes matters worse. The evidence it produces will likely not be useful nor reliable in court, and it may even be dangerous because of the false sense of security generated. E.g., there will be enough expert witnesses around to testify that it is useless, and the added complexity will cause all sorts of problems.

And it will certainly slow down the usage of TLS or similar security processes, which is the last thing anyone wants. A security protocol used is far more secure than one not used because the barriers to adoption are too high.

Extended Validation - setting the minimum liability, the CA trap, the market in browser governance

Having read through the Extended Validation draft, it is pretty clear that this is "more of the same bad recipe." It didn't work last time, why should we expect the same recipe to work this time? Having said that, there are some interesting aspects.

Firstly, the EV proposal, from a CA group called the CA/Browser forum, asks for, nay, *requires*, that each CA maintain general business insurance, and more specific liability insurance. Further, it goes on to say that each CA must not disclaim liability below $2000.

They are saying, then, it's time to add some meat back into the sandwich of certificates. The "no liability" postures that were discovered about 5 minutes after the CA was invented have often rankled insiders. Wasn't the purpose of the CA to allow the public to rely?

The problem with this was that the CA wasn't in charge, the browsers were, and are. This resulted in the browsers reducing the visibility of the CA to nothing in what was called "the real-estate wars," which meant that the CA was in the worst of positions -- all the liability, none of the glory. The end result is of course all CAs disclaimed all liability; there is no business case otherwise.

Now, redressing that balance is tricky. Forcing the liability to $2000 is like setting the minimum wage to $2000. Are poor people now richer? No, because jobs will be reduced (where the increase doesn't justify) and prices will rise (where the job has to be done). For a perceived benefit of a small group of winners, everyone else pays, and some poor people lose more, which is bad policy and bad economics. Not to mention, it's quite nasty to the poor who lose their low paid jobs and become poorer.

Why doesn't it work that way? Firstly, we simply don't know how to do it. Someone in some council or standards group or wannabe-cartel has "decided" $2000 is a good number. They have no clue what is a good number, they just picked it, perhaps dressing it up with lots of blah blah. Much the same applies to the rest of the "minimum standard" claim, in this particular case, although those standards developed from experience would be excluded from that criticism.

Secondly, they don't have the control to make that number good. Who's in control? The browsers, of course. If the browser doesn't play, the game stops. So what we look for, and what we find, is that the draft is a very carefully designed request for the browsers to hand control over to the forum. Whether they consciously avoided asking the browsers to fix their problems or not, it is clear that there were few demands being made. (Notable exception in the fine print: 37(a)(2) Oops, that could cost you your job, right there.)

In voting for this proposal, word has it that Mozilla abstained, which might mean something or might not. The Register recorded that Verisign let slip and grumbled, soon retracted. Which suggests that this is all being done behind closed doors, and nobody dare say boo in case Mozo or the other browser manufacturers wake up.

Microsoft voted "yes" but this is a game they can play, they are better than anyone else at it, and they also have a motive: the Cardspace (was infocard) project needs friends and EV is a friend looking for friends, also. KDE would probably vote yes, as their openly stated policy is to outsource security policy. Annoying, but you have to admire their honesty. Opera is harder to predict, and Apple are not part of it.

So what happens next? Likely the EV project will fail, due to the simple mathematics of it. Too few target sites (<<1000) and too much cost in audits, re-checks, re-issue of keys (yes, required) and so forth and so on.

What then? Even though it looks bad business, we see the herd effect in full play. Many small and medium CAs are being dragged in, for fear of missing out. Perhaps it will be costly to join later? Perhaps they think the market will shift and people will suddenly demand quality? Perhaps they want to play with the big boys?

But cost is the key driver, not hype. It's serious, and given the restrictions, it is likely that only Verisign can pay the price, fully, comfortably. Which means the mid-tier will waste their money. And therein lies the trap. If the mid-tier CAs spend the money, endorse the standard, but cannot make the grade, either by resource depletion or by simply failing to get through all the checks, then who looks good? Verisign, of course. And the mid-tier crumbles.

So this is a dream ticket for the largest player in a competitive market. If it works, they own the EV field as well as extend their brand dominance within non-EV areas. If any mid-tier CAs do manage to get there, that will prove it was worthwhile, as well. If all the rest fail, and Verisign succeeds, that will prove it, too. Even if the whole project fails, it won't be possible to blame Verisign, as they tried so hard. Versiign will come out of EV smelling of roses, in all eventualities.

Can you say "barrier to entry" ? The document bears this out:

• There is a curious and complicated formula for a large company to self-insure, which means that Verisign might not even have to pay the insurance.
• The Audit principle of auditing by principles not rules is breached in much the same way as Sarbanes-Oxley, which is generally correlated with auditors seeking more money from customers who can't refuse.
• No open discussion, and a very short comment timeframe ... some were invited, others were definately not.
• There is a curious lack of serious consideration of the today's threat scenario, which by all indications was the original point. Instead, we get the same old PKI hobby horses: must run a good OCSP, must revoke, must ...
• Still, behind all that weighty and thoughtful consideration, there remains no benefit to relying parties. The liability limit of $2000 is a fig leaf, and it is written to support every expectation that CAs will continue to use all the other good tricks to reduce expected liability to zero.

What then to do? *Mid-tier CAs* should not do it (or more politely, sit on the fence and state that they are implementing the good bits). It makes no sense to spend that money, risk the company, and fail. Or even succeed: there is no future in being the 2nd best after Verisign in a game Verisign designed.

*Browsers* also should say "no." Or, should say, "sure, as long as it is an open market in governance." There is this underlying premise that the cartel known as the CA/Browser forum is the only one. No such. There is no reason why I can't form a cartel made of, say, European national CAs or open source software CAs or Internet Bank CAs or ... and simply request the colours purple, peach and turquoise.

As long as the browsers maintain an *open market* in governance models -- something which is written into Mozilla's policy, for example -- there is absolutely no reason for the rest of the world to get our collective knickers in a knot. Ask the browsers to accept the colour purple as meaning a our standard, and go out and market it. If and when EV fails, we can simply pick up the good bits and redo it. Which should appeal to everyone, as they get the best bits for free.

For *public policy* again the answer is "do nothing." It was suggested by one insider that the CAs are really worried about anti-trust. This is nothing more than a bunch of naughty schoolboys hoping not to be caught smoking in the toilets, it's far and away an unlikely target for anti-trust. As long as there is free entry into the market for browsers and web servers, there will be no great ability for a group to take control. If EV becomes a danger, we can write software to bypass it (as everyone has to do with browser security at the moment due to phishing).

SWIFT breach - Big Brothers

SWIFT won two Big Brother awards at last week's Austrian presentation. The first was in the "finance" category, underscoring the relationship between Orwell's despotic prediction of the future and the control of money and payments.

Nothing in English, it seems. The second Big Brother award for SWIFT was the "public voting" category. Surprisingly, the public voted that SWIFT was the worst thing that had happened to them over the last year, against other things that the Austrian people may have had much more exposure to.

This is somewhat significant as it signals how the SWIFT scandal is of wide-reaching impact. SWIFT has not handled it well, reacting in the worst possible way -- to suppress and deny the scandal where they could.

As an example of that poor handling, it is slowly becoming more clear that their responses are not honest. Last blog entry I pointed at this strange comment in responses to questioning by Quintessenz's Erich Moechel:

No, SWIFT does can not provide this type of data. It is important to understand that SWIFT does not have the means to read the information inside a message. SWIFT can only read the information necessary to route the messages across its network from bank A to bank B. In this respect SWIFT is similar to a postal service.

I don't believe that. To check, I've now talked to others that are in the finance sector and have some view on this, and universally, nobody else believes it either. Some research however has not been able to turn up a comprehensive answer, so it is not conclusive as yet.

If SWIFT are being honest, now's their chance to confirm. If they are spreading lies, now's the time to sack their Public Relations department, along with their security department, their privacy people, and their bank relations people.

Heck, sack the whole board. But that would be asking Europe's banking community to show some spine. Corporate governance is not going to come from the ECB and its flock.

SWIFT breach - SWIFT broke the law, the laws have changed, the ECB ducks responsibility

European data protection authorities empanelled an investigation, alongside their companion privacy commissioners. Their verdict? SWIFT broke the law.

The Belgian-based consortium known as Swift, which handles money transfers among banks, violated European privacy regulations when it turned over confidential transaction information to the Central Intelligence Agency and other American agencies, Belgium's privacy protection commission concluded today. ... Under European Union law, companies may not transfer confidential personal data to an entity in another country unless that country's privacy protections are deemed adequate. The union does not consider American protections adequate because the United States has never enacted comprehensive data protection laws. Under that rule, the commission found, Swift acted without a legal basis when it sent the data to the United States.

Swift has defended the transfers on the ground that, because it has offices in the United States, it was bound by United States law, and had no choice but to turn over the data after the Treasury Department issued broad administrative subpoenas to it.

The commission rejected this argument, saying Swift was still subject to Belgian rules, regardless of Swift's American subsidiary and its legal obligations. "Swift should have realized that exceptional measures based on American rules do not legitimize hidden, systemic violations of fundamental European principles related to data protection over a long period of time," the commission wrote.

Others agreed. This is not helped by SWIFT's ducking and weaving. SWIFT may have provided some evidentiary information in paper form:

Both SWIFT and the U.S. authorities say records were subpoenaed as part of targeted investigations into suspected terrorist activity. In its defense, SWIFT reiterated on Monday that it received "significant protections and assurances" that the data transferred to the U.S. was used confidentially.

But -- rumour has it -- the subpoenas have not been supplied to EU investigators, and we already know that UST passes the information on for other purposes / investigations, as mentioned here before.

Quintessenz points out that their answers were evasive, and I'd agree. They must think the public are muggins, but they did let some things slip out:

No, SWIFT does can not provide this type of data. It is important to understand that SWIFT does not have the means to read the information inside a message. SWIFT can only read the information necessary to route the messages across its network from bank A to bank B. In this respect SWIFT is similar to a postal service.

Yet, the investigation concluded that SWIFT was not simply a messaging service, and was in practice a financial institution. Is SWIFT suggesting that SWIFT can't see the content? In that case, what is the motivation of the US-Treasury interest? We already know that banks send lots of messages between each other, so this would seem to be a comment of quite extraordinary strangeness, and SWIFT's case may depend on the answer to this question.

The investigation also concluded that SWIFT had not advised its overseers to sufficient extent, had acted independently, and had acted more as principal than as agent. In other words, SWIFT is responsible. Consider these three statements, by SWIFT, from diverse sources:

The US Treasury cannot search the data for evidence of nonterrorist related crime. SWIFT has explicitly excluded searches for tax evasion, economic espionage, money laundering or other criminal activity.
...
In a statement signed by SWIFT's CEO Leonard H. Schrank, the company said the U.S. Treasury does not have unlimited access to data stored by SWIFT, and the information it got was used only "for the exclusive purpose of terrorism investigations."
...
The laws haven't changed. The environment of terrorism hasn't changed. SWIFT is well aware of the laws and regulations people are concerned about. The Board is monitoring the situation on a regular basis. Beyond that, SWIFT cannot comment.

With the extraordinary powers Congress passed a month ago, SWIFT's agreement is no longer a barrier of any import. The laws have changed. When President Bush signed the act into law that destroys habeus corpus, Military Commissions Act, he also signed in the ability to designate anyone as a terrorist. Without recourse.

SWIFT data may now be requested on discretion without any high degree of proof, simply on the say-so of the requestor.

Who's looking like a muggins now? The European privacy investigation wasn't fooled, and correctly rejected the argument that SWIFT was under US law; if the compliance broke European law, then the New York office of SWIFT should not have had the data in the first place. Again, Quintessenz asks:

As this process has been going for nearly five years why did SWIFT not cease to store all datasets in the New York headquarter?

To ensure the reliability and resilience of its network, SWIFT has redundant systems spanning multiple continents, including operating centres located on different continents. Each operating centre is an active backup to the other and is designed to independently manage SWIFT's entire operations, if required. In other words, messages are mirrored and stored for retrieval purposes during 124 days in both operating centres. This architecture has been in place for decades.

No muggins, that Erich Moechel ... From SWIFT again:

"We informed the overseers. What their position was in most cases was this didn't pose a risk for the financial stability of the financial system and that's what their remit is. So they didn't need to inform others and SWIFT wasn't legally bound to inform anyone else," said the spokesman.

"These discussions were held at the highest level between SWIFT's board and its overseers. None of them raised any objection."

So were are the regulators in this mess? The ECB remains under pressure. As mentioned, the central banks have to be involved in this one because they are the only regulators with credibility in the area. Begging out on some pretext then must be examined with the highest degree of skepticism.

The ECB is part of a group of central banks that oversee SWIFT informally but have no legal power to sanction it.

"The group considered that this matter would not have financial-stability implications and therefore concluded it fell totally outside the remit of the oversight role," [ECB President] Trichet said.

"We did not give SWIFT any blessing in their compliance with these subpoenas. SWIFT remains fully responsible for its decision," he said, adding that it was not up to the ECB, but SWIFT, to decide whether to inform European institutions.

Yet. their mandate is only loosely financial stability; when called upon, they quite happily dive into other areas. Here's how Ben Bernanke, the new Chairman of the Federal Reserve, puts it:

Historically, the goals of banking regulation have included the safety and soundness of bank operations, the stability of the broader financial system, the promotion of competition and efficiency in banking, assistance to law enforcement, consumer protection, and broader social objectives.

In many of these cases, it takes a very open imagination to create the nexus between central bank activities and these areas of interest, so the hand-waving of the European Central Bank at this point is like watching a man drown, and assuming it is the lifeguard's responsibility to save him.

This is justly called a scandal for the underhanded way in which the US Treasury breached the SWIFT databases. It wasn't that the EU wouldn't have done a deal, it was that the UST felt it necessary to keep it secret so as to not ask the Europeans.

Secrecy is a bad policy. Kerckhoffs said it a century ago, and it remains as true today. The need to show that some enemy could benefit from seeing your operations is a flimsy excuse alongside the massive danger you do to your own side when you hide things from your own people, and let them fester.

Which leads into that other "government secrets" case. Judge Taylor, who a month or two back ruled one of the Bush domestic spying programmes illegal, has rejected arguments to stop the programme. Instead, she has gave the government a week to get a reversal from the Appeals court, and effectively underlined the suggestion that the "government secrets" argument is being used to hide bad stuff, not good stuff.

Normally, we try and keep clear of politics, and stick to FC. Hence, the SWIFT breach represents a fascinating case of governance gone wrong in a major system of FC import. But it wouldn't be right to exclude mention of the broader canvas such as the suspension of habeas corpus in the US of A. In the latest of a long series of bills, American lawmakers have shown themselves willing to hand over all power to an exective branch, and SWIFT is happy to comply with that.

As we come into the November USA election madness, some might be asking, "Where the American people?" Most don't know or care. I think a comment on Bruce Schneier's blog had it best:

"We're better than that."

No we're not.

Strike the American people. Strike their Congress. The only thing left is the judiciary and other nations, and I'm not holding my breath over the European's response. Judge Taylor's case and the SWIFT breach in Europe bear watching closely.

Audit Follies - Atlantic differences, branding UnTrust, thumbs on Sarbanes-Oxley, alternates...

Arthur spots a humourous post:

But it also illustrated a fundamental difference in the way audits are conducted on both continents. In the United States, audits are about ensuring that sufficient controls are in place to mitigate risks. Thus, the audit findings tend to emphasize lapses in application and network security. In Europe, audits tend to focus on following a predefined process, being transparent in the actions taken, precisely defining policies and procedures, and adhering to international standards.

The difference, I suggest, may depend on whether you thought audits were useful, and whether auditors could be trusted to provide checks that were useful instead of being perverted by any of a hundred tricks. For an example of "agenda" see the recent HP case where the ethics officer was apparantly quite happy to approve spying on board members.

Would an audit have picked that up? And more importantly, what do we want in a world where an audit won't pick up those things? Value for money, right?

A further problem is what is known as Audit Independence. Audits tend to suffer from exploitation by auditors. One sign of this is when they turn the process of governance into a branding exercise, such as eTrust or WebTrust. Is this a process to provide customer value or is it a process to earn fees?

Abstract

Widely-used online "trust" authorities issue certifications without substantial verification of the actual trustworthiness of recipients. Their lax approach gives rise to adverse selection: The sites that seek and obtain trust certifications are actually significantly less trustworthy than those that forego certification. I demonstrate this adverse selection empirically via a new dataset on web site characteristics and safety. I find that TRUSTe-certified sites are more than twice as likely to be untrustworthy as uncertified sites, a difference which remains statistically and economically significant when restricted to "complex" commercial sites. I also present analogous results of adverse selection in search engine advertising - finding ads at leading search engines to be more than twice as likely to be untrustworthy as corresponding organic search results for the same search terms.

Either way, the *result* of the branding exercise is clear -- you tend to acquire better than your fair share of scams, which are willing to pay the price to hide behind the brand. The extent to which the process behind the brand adds value then becomes all-important. The brand makes it effectively more difficult, perhaps harkening back to the old days when the professions were not supposed to advertise.

One conclusion that is emerging out of the current spate of governance failures -- mostly from the US but sometimes in Europe -- is to ask why auditors aren't picking up the frauds?

In Enron's case (Enron's 30$bn), we know the Auditor was Arthur Andersen, and the reason they did not pick it up is that at the least, they were conflicted. More likely, they were "running cover" for the company. Bawag / Refco wasn't picked up until Refco went public, and even then it was lucky (the guy lost his job, a fitting reward for public service).

Switching across to the *long term response* to uncontrolled auditors and rampant audit practices, we have a critical mass against Sarbanes-Oxley building up. Sir Alan Greenspan reaches out and the thumb goes down!

The Sarbanes-Oxley Act is doing more harm than good and must be overhauled, Alan Greenspan told a technology audience here.

"One good thing: Sarbox requires the CEO to certify the financial statement. That's new and that's helpful. Having said that, the rest we could do without. Section 404 is a nightmare."

Sarbanes-Oxley was the legislation that approximately doubled the cost of audits in the US. Now the debate is on as to whether it is bad or good; does it deliver twice the value, or just twice the headaches? Does it deliver anything at all? Again, Sir Alan nails the key difference that likely counts above mere governance considerations:

He said the evidence is clear that *Sarbanes-Oxley strictures are driving initial public stock offerings away* from the New York Stock Exchange and to the London Stock Exchange. Increasingly, he said, people recognize that Sarbanes-Oxley must be changed. "The pressure on getting 404 significantly altered is rising and is taking on a critical mass." But he added, "You do not get a bill altered when the two names [Sarbanes and Oxley] are in the process of retiring. People are waiting until they are gone. Then, hopefully, changes will be made. Any bill that passes both houses almost unanimously, cannot be a good piece of legislation."

My emphasis. And don't miss that great quote at the end!

Not all agree. In a dramatic echo of the two posts on security training of last week, Sam E. Antar suggests that Sarbanes-Oxley is worth a partial raised thumb:

I say to you that the Sam E. Antar of twenty years ago (I am not a criminal today) would be just as successful in today’s environment.

Other than Sarbanes-Oxley and its limited reforms (which many misguided detractors are trying to weaken today), little progress has been made in the culture and attitude of the accounting profession (in private industry or government) regarding white collar crime.

Sam was the CFO for the Crazy Eddie fraud, so he is an expert in fraud. He now helps the other side (honest! His site was there last week, I swear!). He also bemoans the fact that accountants aren't trained enough in basic fraud. His more basic point:

Criminals always have the initiative and the professions approach to preventing fraud (whether as CPAs ay accounting firms, accountants in government, the private sector, and nonprofit sector) is “process oriented” rather than the criminal who approaches his work in a judgmental way.

Therefore, the criminal has the fundamental advantage against the under informed, not very well trained accounting profession in regards to combating white collar crime.

That bears interesting comparison to the first quote above. It's worth stressing that criminals think differently, and thus always have the advantage over process; you won't hear that in white hat security classes, because it is very hard to say just how criminals think, without exposing ones hat to a certain greyness.

Finally, I have long predicted a private class action response to the phishing and security morass (but not seen it yet). Here's a paper spotted by Adam that suggests it has merit:

Public choice analysis suggests that a meaningful public law response to insecure databases is as unlikely now as it was in the early Industrial Age. The Industrial Age's experience can, however, help guide us to an appropriate private law remedy for the new risks and new types of harm of the early Information Age. Just as the Industrial Revolution's maturation tipped the balance in favor of early tort theorists arguing that America needed, and could afford, a Rylands solution, so too the Information Revolution's deep roots in American society and many strains of contemporary tort theory support strict liability for bursting cyber-reservoirs of personal data instead of a negligence regime overmatched by fast-changing technology.

So which audit approach is better? Process oriented? Risks mitigation? It is clear that the value for money is sorely missing. Here's a summary of *my* thoughts, including the wider question of alternates to audits:

• audits -- not easily trustable
• regulation (I) -- useless and expensive, and a non-trivial possibility that the result is worse through complexity
• regulation (II) -- forced publicity on crimes such as SB1386 can result in a "win" but that was a "lucky win," most regulation is a lottery: some headline winners but the public as a whole loses out. Better then to discourage on principle, as the failures outweight the successes.
• private litigation -- potentially valuable overall, as at least it has inbuilt negative feedback loops. Payback to the damaged parties is far less frequent than headlines would have it, but if the public benefit is positive then maybe it's all we've got?

We can do better by:

• pushing systems and reporting out to reveal publically auditable information will engage the public as auditors (c.f., Enron, 5PM)
• aggresively reducing the "secret" parts to as small as possible, and vigourously documenting those parts
• conducting the audit process itself in as much public glare as we can stand.
• inducting the public to audit the audit
• pushing the liability for the risks out into the open
• as a public principle, standing more on the voluntary release of information, less on the Kitty People approach of Sarbanes-Oxley and SB1386.

But don't expect anything soon.

The Last Link of Security

Vlad Miller writes from Russia (translated by Daniel Nagy):

We can invent any algorithm, develop any protocol, build any system, but, no matter how secure and reliable they are, it is the human taking the final decision that remains the last link of security. And, taking into account the pecularities of human nature, the least reliable link, at that, limiting the security of the entire system. All of this has long been an axiom, but I would like to share a curious case, which serves as yet another confirmation of this fact.

We all visit banks. Banks, in addition to being financial organizations attracting and investing their clients' funds, are complex systems of informational, physical and economic defenses for the deposited cash and account money. Economic defenses are based on procedures of confirming and controlling transactions, informational defenses -- on measures and procedures guarding the information about transactions, personal, financial and other data, while physical defenses comprise the building and maintenance of a secure physical perimeter around the guarded objects: buildings, rooms and valuable items.

Yet, regardless of the well-coordinated nature of the whole process, final decisions are always taken by humans: the guard decides whether or not to let the employee that forgot his ID through the checkpoint; the teller decides whether a person is indeed the owner of the passport and the account he claims to own; the cashier decides whether or not there is anything suspicious in the presented order. A failure can occur at any point, and not only as a consequence of fraudulent activities, but also due to carelessness or lack of attention on the part of the bank's employee, a link of the security system.

Not too long ago, I was in my bank to deposit some cash on my account. The teller checked my passport, compared my looks to the photo within, took my book and signed a deposit order for the given amount. The same data were duplicated in the bank's information system and the order with my book were passed on to the cashier. Meanwhile, I was given a token with the transaction number, which I should have presented to the cashier so that she could process the corresponding order. Everybody is familiar with this procedure; it may differ a bit from bank to bank, but the general principles are the same.

Walking over to the cashier, I have executed my part of the protocol by handing over the token to the cahsier (but I did not put the cash into the drawer before having been asked to do so). She looked at my order, affixed her signature to it and to my book and ... took a few decks of banknotes out of the safe and started feeding them to the counting machine. I got curious how long it would take for the young lady to realize the error in her actions, and did not interrupt her noble thrust. And only when she turned around to put the cash into the drawer did I delicately remark that I did not expect such a present for March 8 and that I came to deposit some cash, not to withdraw. For a few seconds, the yound lady gave me a confused look, then, after looking at the order and crossing herself, thanked me for saving her from being fired.

The banking system relies a great deal on governmental mechanisms of prevention, control and reaction. Had I not, in computer-speak, interrupted the execution of the miscarried protocol, but instead left the bank with the doubled amount of money, it would not have lead to anything except for the confiscation of the amount of my "unfounded enrichment". The last link of security is unreliable: it fails at random and is strongly vulnerable to various interferences and influences. This is why control and reaction are no less important than prevention of attacks and failures.

SWIFT breach - Roundup - Good Morning Europe, BoE got out early, Simon Davies: "we won't be fooled again."

Collected notes on a month or so of SWIFT rumblings. European privacy regulators are taking on the investigation:

The test is whether European law has competence over US claims to data held by European firms. It does not look at all certain whether it does, but The Register understands that the EU is planning to walk and talk like it does.

It's a very wide geographical area, from Czech Republic to Canada:

Results of the Czech and other probes are expected by the end of the month, Stepankova said. "The next step" will be to determine whether the SWIFT system is being used "in a way that conforms to domestic legislation" in EU countries, she said.

As mused on before, the SWIFT breach has caught the attention of authorities where the one-way passing of confidential flight and phone data did not. Also, the industrial espionage issue of "restaurant economics" has exposed something of a dilemma in the US arguments for over-arching eurosociomonitoring. Problem is, the key regulators ducked and weaved:

The Bank of England, one of the 10 central banks with a place on Swift's managing committee, revealed it had told the British government about the programme in 2002. "When we found out we informed the Treasury and passed the relationship over to them," Peter Rogers of the Bank said. "We also told Swift that they had to speak to the government themselves. It had nothing to do with us. It was a matter of security and not of finance. It was an issue between Swift and the government."

In a written parliamentary answer, Gordon Brown last month confirmed the government was aware of the arrangement. Citing government policy not to comment on "specific security issues", however, the chancellor refused to say whether measures had been taken to "ensure the privacy of UK citizens who may have had their financial transactions viewed as part of US counter-terrorism investigations in conjunction with Swift". He also refused to say whether the Swift programme was "legally reconciled" with Article 8 of the European convention on human rights.

A Home Office spokesman said the government had been given "no reason to believe the operation was unlawful", adding that it "strongly supports US efforts to target, disrupt and cut off sources of funding for terrorism". He declined to comment on the commissioner's assessment that the programme may be illegal.

What we need now is for the authorities to recognise the governance issue of breaches. This could be called the camel's-nose-under-the-flap argument -- once a payment system starts shifting protected information out, the information is no longer protected, and breaches happen thick and fast. We're not there yet, as the BoE like others declined jurisdiction.

This issue of Central Banks ducking responsibility for governance is made all the more poignant as they are the only agency with credibility when it comes to the task of general regulation of payment systems, no matter how much we or they approve of their position(s) or not. Hence the general quacking and phaffing around in Belgium and other halls of power as data and competition regulators try and work out what SWIFT is, where it is, and how to spell it.

SWIFT stalled EU probe of US snooping

For the EU to feel confident that SWIFT had not betrayed home rules, and that the US hadn't stuck its nose where it was not warranted, it had to review the subpoenas by which the US has gained access to SWIFT's records for the last five years.

Yet if SWIFT gave this information up, it would offend the US intelligence services. If it didn't give the information up, it would offend the EU authorities.

Bingo. Why aren't they handing over the subpoenas? Rumour has it that there aren't any; the SWIFT executives in NY were extorted to hand over the data without papers in hand. This favoured technique is used as it guarantees that the Feds (or UST in this case) can do no wrong. They are covered because the information was "volunteered" by SWIFT, and thus, the US Treasury officials concerned have broken no laws. SWIFT of course are later hung out to dry.

Pressure is being exerted in Britain over the various and thin claims of oversight and governance:

However, campaign group Privacy International said [assurances] were not enough. It had filed a complaint to the British data protection body, the Information Commissioner. It is worried that the Treasury was fishing through international financial records in the hope of turning up terrorist finance records. It also feared the data could be used for other purposes, including espionage.

Swift's CEO, Leonard Schrank, flew to London to meet Privacy International on Friday. Simon Davies, a PI director, said he had told Schrank he wanted to see proof that the Treasury was only able to see records that it knew contained details of terrorist financial transactions.

"When was the last time you were satisfied with something that was claimed without seeing proof?" said Davies. "We are not prepared to accept anybody's face value assertions that protections have been put in place," he said.

"We won't be fooled again." Precedent is on Davies' side. The US government is on record as not operating secret overseas prisons, not wanting to re-negotiate FISA with Congress, and not wiretapping Americans without a warrant. A few weeks ago, Judge Taylor ruled illegal the wiretapping they promised they were not doing, and the Bush administration immediately turned to Congress to request re-negotiating the FISA act which they were not breaching. (The bills which hand an open cheque to the wiretappers have just been approved in committee.) Which presumptively renders factual their breach, a trend that seems more a standard than an exception.

More snippets: it also looks as though the New York Times might have been a little faithless in not only holding the story for "a year" but in fact before the last Bush election:

Such a delay was, in itself, unpardonable, and provoked angry criticism. Now we learn, from an interview with Executive Editor Bill Keller conducted by Calame, that internal discussions at the Times about drafts of the eventual article had been "dragging on for weeks" before the November 2, 2004, election, which resulted in a victory for Bush.

"The process," the public editor notes, "had included talks with the Bush administration." A fresh draft was the subject of discussion at the newspaper "less than a week" before the election.

Meanwhile, back at the mission ranch, let's consider why all this was necessary. Terrorism, that's what. Now the Foreign Affairs journal weighs in:

Intelligence estimates in 2002 held that there were as many as 5,000 al Qaeda terrorists and supporters in the United States. However, a secret FBI report in 2005 wistfully noted that although the bureau had managed to arrest a few bad guys here and there after more than three years of intense and well-funded hunting, it had been unable to identify a single true al Qaeda sleeper cell anywhere in the country. Thousands of people in the United States have had their overseas communications monitored under a controversial warrantless surveillance program. Of these, fewer than ten U.S. citizens or residents per year have aroused enough suspicion to impel the agencies spying on them to seek warrants authorizing surveillance of their domestic communications as well; none of this activity, it appears, has led to an indictment on any charge whatever.

In an exceedingly long article that details in painful detail how many terrorist threats failed to materialise, one of the most respected voices in US foreign policy calls the whole motivation for the SWIFT tracking ... bogus!

Who can we trust to inform us on these issues? Politicians asked the NSA to clarify what was secret and what was not so they could get on with their job of politicking.

On July 27, shortly after most members of the committee were briefed on the controversial surveillance program, the NSA supplied the panel's chairman, Pat Roberts (R-Kan.), with "a set of administration approved, unclassified talking points for the members to use," as described in the document.

Among the talking points were "subjective statements that appear intended to advance a particular policy view and present certain facts in the best possible light," Sen. John D. Rockefeller IV (D-W.Va.) said in a letter to the NSA director. [...]

Unfortunately the NSA upstaged them and did the politicking for them. Among them, this gem of advice on "what is secret":

"It is being run in a highly disciplined way that takes great pains to protect U.S. privacy rights. There is strict oversight in place, both at the NSA and outside, now including the full congressional intelligence committees."

Others have mentioned the tendency to answer every question with the policy and ignore the question as well as the truth, but this takes the dishonesty to a whole new level. Lying to the congressional committee when they are investigating the precise lack of any "strict oversight" has to be ineptness or chutzpa only possible with extraordinary levels of arrogance.

Naming the unnamable, "We have a problem, Houston," who blinks first? and who replaces President Bush?

Crypto-author James Bamford names the unnamable in Time:

James Bamford, a respected author of books on the NSA and a plaintiff in the suit, called Taylor's ruling "very significant, because what you have here is a massive eavesdropping operation, the largest one in history. And it's a criminal statute that the President has violated," with jail terms dictated for violations. "Nobody's talking about impeachment," Bamford added, "but if you had opposite parties in Congress, you'd have a situation, I think, very much like Watergate."

At this stage, we have a situation. "We have a problem, Houston" as the saying goes.

President Bush is a few mistakes away from being charged with a crime, and it looks like a sticky one. Washington DC insiders report that negotiations have been going on all night to find a settlement. Unfortunately the negotiations seem to have been spiked as unamable administration officials have done the unbelievable -- gone to Congress to negotiate changing the law to make the wiretapping legal. (Or, speed up the Specter "everything in the shop" bill.)

The time for changing the law is over; that would be a slap back in the face for the courts. Unfortunately, it is almost certain that the Taylor ruling of yesterday was not done in isolation, and we can expect the Supreme Court to back up Judge Taylor's ruling, especially if she gets badly treated at the hands of the administration.

So we now have the spectre of two of the three arms of power in the US involved in a Mexican standoff. Who blinks first?

There's only one President, and those around him are blinking like there's no tomorrow, because those at the middle layer are far more vulnerable. Judge Taylor agreed to stay the enforcement until 7th September, which might be a blink. There are many courts and many judges, including a feared majority in the Supreme Court.

Time to think the unthinkable. The deeper question is how to see the transition, and one thing is clear: VP Cheney will not easily fill the warm seat. Where Bush goes, Cheney follows.

Which leaves Condalezza Rice. And one mountain of a logistics problem in trying to organise succession. Frankly, I'd not want to be a Republican at the moment.

(Ed's apologies for off-topic crazy-talk post. I should explain that I have seen this story a half dozen times before and I've put it down to Republican panic merchanting. It's just that this time, there's a court and a crime involved... Nexus with FC: the SWIFT breach IMO is the same class of activity.)

Privacy v. LEO interests -- too simple an approach?

Dave Birch asks:

One of the key issues in designing new electronic payment systems is balancing the privacy of transaction counterparties (which may be a social good, even if neither of the counterparties cares one way or the other) with the legitimate requirements of law enforcement. But the article on Money Laundering says that the biggest recent boost to global money laundering is not hawala or pre-paid mobiles, but the euro. The fact that launderers can stuff 500 euro notes in their underpants, and zoom around Europe spending and depositing, helps them enormously.

I tried to write a comprehensive response to this important question, but it is too hard -- that is, long, involved. I suppose that is one point -- it is not possible to separate out the issues of privacy and law enforcement and present them as a balance, not in any cohesive fashion. Simplifying the question to that of a balance between these two factors will not help.

Having said that, there are some easy pithy things to say:

1. the "legitimate requirements" of law enforcement are handled by the law and the courts. Read the law, attend to court issued warrants. Don't get trapped in the marketing of LEOs and regulators who try to make their jobs easy at the expense of everyone else.

2. privacy is not an absolute, and users don't demand it in the general sense. What they do demand is a deal that doesn't change, and a deal that has no secret traps. So whatever you do in a payment system, do it openly. Likewise to the above, don't get trapped in the marketing of the privacy nuts who insist that assassination-grade secrecy is necessary for everyone.

3. the political move to monitor everything is way beyond logic or sense. Pointing out that paper notes are not controlled to the same extent is asking the political/bureaucratic body to start thinking logically and economically. To employ risk-based analysis, that is. That may happen one day (see #4 below), but it isn't likely to help any consumer or payment system in the forseeable future.

4. In time, the economists will get around to pointing out how all the tracking, tracing, monitoring and seizures is causing costs for little return. We the people already feel it, in trying to get simple transactions through recalcitrant payment systems, but it takes serious studies to point out the transaction costs to those who's interests are limited by guaranteed salaries.

5. The notion that a digital system does not involve tracking, tracing, monitoring is difficult to fathom. Even if we were not subject to external pressure and CYA behaviour at all levels of the business, we have substantial internal reasons to have in place sophisticated controls. How do I as an issuer know that I have issued exactly X? Only by looking at every transaction and counting them all up!

6. A full analysis of any system will reveal many requirements and many factors. To revisit the earlier point, privacy and such interests quickly become just more ticks on the box, and not essential ones at that. For e.g., a far more important thing to people is the reliability of the money as a money, and this tends to dwarf privacy issues. That is, privacy is what's left over when all the other things have been dealt with.

Having said all that, I know what Dave is saying -- the balance offered by "legitimate requirements" of law enforcement and the regulators is all wrong. It creates strains that can ultimately break a system (examples abound). Is there a way to get all the various external parties interested in tracking, tracing, monitoring and ultimately seizing everything to back off and stop breaking systems before they are fielded? How do we let financial cryptographers put in place systems that serve society?

Slapdown - US Court rules against Bush wiretaps

Chris points to the Court of the Honourable Anna Diggs Taylor, representing the third branch of power in the USA. Justice A. D. Taylor rules the telephone wire tapping programs out of order. That is, illegal.

In summary, she knocked out the "states secrets" defence because all the information needed was already public, and she granted a permanent injunction based on breaches of the law -- FISA -- and the US constitution and US bill of rights.

As the case has some bearing on the recent SWIFT breach by US Treasury (probably conducted under the same novel theories inside or outside the law), we present some snippets from Case No. 06-CV-10204:

The President of the United States, a creature of the same Constitution which gave us these Amendments, has undisputedly violated the Fourth in failing to procure judicial orders as required by FISA, and accordingly has violated the First Amendment Rights of these Plaintiffs as well.

....In this case, if the teachings of Youngstown are law, the separation of powers doctrine has been violated. The President, undisputedly, has violated the provisions of FISA for a five-year
period. ...

VII. The Separation of Powers

The Constitution of the United States provides that “[a]ll legislative Powers herein granted shall be vested in a Congress of the United States. . . .”43 It further provides that “[t]he executive Power shall be vested in a President of the United States of America.”44 And that “. . . he shall take care that the laws be faithfully executed . . . .”45

.... Justice O’Connor concluded that such a citizen must be given Fifth Amendment rights to contest his classification, including notice and the opportunity to be heard by a neutral
decisionmaker. (citation) Accordingly, [Justice O’Connor's] holding was that the Bill of Rights of the United States Constitution must be applied despite authority granted by the AUMF.

She stated that:

It is during our most challenging and uncertain moments that our Nation’s commitment to due process is most severely tested; and it is in those times that we must preserve our commitment at home to the principles for which we fight abroad. **** Any process in which the Executive’s factual assertions go wholly unchallenged or are simply presumed correct without any opportunity for the alleged combatant to demonstrate otherwise falls constitutionally short. Hamdi, 542 U.S. at 532, 537.

Under Hamdi, accordingly, the Constitution of the United States must be followed.
...

The duties and powers of the Chief Executive are carefully listed, including the duty to be Commander in Chief of the Army and Navy of the United States,49 and the Presidential Oath of Office is set forth in the Constitution and requires him to swear or affirm that he “will, to the best of my ability, preserve, protect and defend the Constitution of the United States.”50

...Not only FISA, but the Constitution itself has been violated by the Executive’s TSP. As the court states in Falvey, even where statutes are not explicit, the requirements of the Fourth Amendment must still be met.54 And of course, the Zweibon opinion of Judge Skelly Wright plainly states that although many cases hold that the President’s power to obtain foreign intelligence information is vast, none suggest that he is immune from Constitutional requirements.55
The argument that inherent powers justify the program here in litigation must fail.

... Plaintiffs have prevailed, and the public interest is clear, in this matter. It is the upholding of our Constitution.

As Justice Warren wrote in U.S. v. Robel, 389 U.S. 258 (1967):

Implicit in the term ‘national defense’ is the notion of defending those values and ideas which set this Nation apart. . . . It would indeed be ironic if, in the name of national defense, we would sanction the subversion of . . . those liberties . . . which makes the defense of the Nation worthwhile. Id. at 264.

IT IS SO ORDERED.

Date: August 17, 2006		s/Anna Diggs Taylor
Detroit, Michigan		ANNA DIGGS TAYLOR
		UNITED STATES DISTRICT JUDGE

Some caveats: we probably have to wait for the inevitable appeal, and we don't do law here, we just do FC. And here seems an appropriate moment to finish with Nick's observations on the wider scope:

There is a long-standing controversy about the idea of parliamentary supremacy -- the idea that legislative law trumps all other law. That is currently the dominant theory in England, but the United States holds a contrary view -- here judges review legislative laws against a prior and higher law: a written constitution (and perhaps also against natural law, but that is a subject we won't pursue here).

There will be multiple additional links to the precise case...

• Wired, blog.
• Naming the unnamable, "We have a problem, Houston," who blinks first? and who replaces President Bush?

Sarbanes-Oxley is what you get when you don't do FC

Adam over at EC, responding to an entry by Phill, is banging the drum on breach data collection and distribution, which is well needed. I first saw this point in a paper from around 2004, and it has been a well trodden theme in the now popular field of Sec&Econ. All well and good. We need more breach data.

However, collecting the data is not the be-all and end-all. It's not for example what would have saved Enron, which is what Adam alludes to:

SarBox is what we get when we have no data with which to push back.

Sarbanes-Oxley collects lots of data, but doesn't change the problem space, and it arguably makes the problem space worse.

Sarbanes-Oxley is what you get when (a) systems get too complex and (b) businesses don't implement Financial Cryptography techniques to reduce and eliminate those complexities. Under these two conditions, what you get first is fraud -- keep in mind that fraud comes out of complexity and lack of reliable systems. The lack of reliability means the systems can be perverted, and the complexity means the perversions can be hidden.

What you get second is Sarbanes-Oxley, as well-meaning accountants discover that they can set themselves up for a *lot* of work and provide a veneer of cover for frauds like Enron.

In contrast, in FC, we have patterns and methods to tighten up all that transaction stuff. RAH's old saw about it being 2 orders of magnitude cheaper is in the right ballpark, except that it might be conservative. FC creates both reliability --- cryptographically based real time non-pervertable reliability -- and removes complexity, as whole layers at a time can be dispensed with because we can simply write automatic audit processes that show 100% conformance.

But these aspects are also why FC didn't get implemented. In a regulated industry, there is incentive to corporate business model cloning (economists call this 'herding'), which leads to cartel behaviour (see paper for another angle) and this then leads to an incentive to raise costs, not lower costs. The banks are a canonical case, as they are so highly regulated that all banks are almost always clones of each other.

If that doesn't make sense, consider it this way. Ask an accountant whether he would recommend a system (say, FC) that would halve his account, or whether he'd recommend a system (like Sarbanes-Oxley) that would double his account.

Add to these effects of fraud and we find another barrier to FC: the experience of those who work at the systemic level to try to put in simpler, more cost-effective systems that eliminate fraud is that they also run slap-bang into those people who perpetuate fraud. These people are very hard to dislodge, for very good reason: they are making a lot of money out of the complexity and poor reliability systems. They are prepared to spend a lot of money keeping systems complex and unreliable.

The answer then is not to increase regulation a la Sarbanes-Oxley, but to decrease regulation, and let things like SOX (or AADS or other similar systems) innovate and drive costs and complexity down. Every time the regulation increases, expect more complexity and therefore more fraud and more costs. Decrease regulation and expect the reverse. Simple.

Economists have known this for decades, we don't need to re-invent the wheel in the security industry with calls for this or that regulation.

Thank AOL for bringing us this example of datamining

Readers might be mighty sick of reading how the boring non-entity SWIFT lost its data virginity in the grubby hands of the US Government. Now we have a change in melody, but the beat remains the same.

AOL released 20 million randomised searches, indexed to 650,000 users, from its Google-rebranded search front-end as an experiment to aid researchers. Unfortunately for them, the bloggers got hold and started to research:

....someone typed in "borderline personality disorder" multiple times and then days later there were many queries about "men that are abused by wives." The queries seem to be coming from somewhere in Toledo, Ohio. Months later someone searched for "ohio correctional institute strkyer ohio," then for airline tickets to Detroit Wayne airport and then finally on the words "win him back."

The Internet has been a boon to those who have needed to search difficult subjects. We all know that the doctor says, "visit me," but how many of us do? The net has the answers.

What might not have been clear is that the net has your questions, too. How easy is it to misconstrue dangerous search requests? Well, one could argue that if one is using the net, and not asking a human, there is a good reason. Plenty of room for misinterpretation, we can assume.

Sometimes it is clearer:

Check out the search history for user 17556639, most recent search is at the bottom of the list.. Does this look like the search history of a user wanting to do something bad?

17556639 how to kill your wife
17556639 how to kill your wife
17556639 wife killer
17556639 how to kill a wife
....

We all want to know that from time to time, but mostly we don't write down those spur of the moment thoughts. User 17556639, would you come quietly with us, please?

The primary point here being that this data is now permanently breached. Once breached, it will be shared. And datamined. Once datamined, expect surprising results, visits by surprising people and surprising levels of abuse.

Got governance? AOL does not, placing it in firm company with the US government. According to today's earlier post, expect firings & hirings to soar at AOL, and conspiracy theorists will suggest that the USG suggested the research angle to the witless at AOL after the subpoena debacle earlier in the year.

Thanks to Dani for heads-up.

SWIFT breach - leverage v. due process, Spy v. Spy, audit v. Ajax, three questions for SWIFT

More rumours on how the US Treasury breached SWIFT: It appears that UST knew about certain SWIFT breaches by insiders in the past and used those infractions as leverage to get access.

This may be in contrast to claims by SWIFT itself that UST prepared warrants for seizure as extortion ploys. Indeed, it has been suggested that not only were no warrants prepared, but that the UST provided no written evidence of any form of due process at all. An interesting question to put to SWIFT, #1: show us the evidence!

It gets better: SWIFT was breached not once, not twice, but three times!

Rumour has it that two other agencies of unknown character had also breached the SWIFT record set independently of UST, and that they were better at it than UST in that they really knew how to use the information. The timeline of these breaches is unclear.

At least one of these agencies has found all sorts of interesting information and has used it -- which is how the secret was outed. They apparently have done the datamining thing and fed the results into various cases. It's what you do with data, right? Then, conversations with those implicated groups (read: wall street firms) has led to a suspicion that more than just domestic data was involved. At least one company with rock-solid profitably has already proceeded on an "orderly exit from the market," after having been given "the talk." The people involved read like a who's who of the mothers of the Texas / Washington DC oil industry which raises the idle speculation of political connections and insider trading -- were there suspiciously good trading records in oil? And was this found in the SWIFT analysis? And what sort of agency takes on that power group and lives to tell the tale?

All which rumours might point to TLA2 being a US agency with interests domestic rather than foreign. Likely candidates we could speculate on given the financial regulatory interest would be the SEC or the Federal Reserve.

TLA3 remains obscure. But, once we get to 3 agencies, we can stop counting and also stop pretending that there is any governance in place. SWIFT is an open book for regulators in the US at least, and that makes it just another smoking gun in the never-ending Spy v. Spy game. At the least, this suggests question #2 for SWIFT: how many agencies have your data?

In related gossip, SWIFT itself has conducted an internal audit, perhaps in response to the above rumour of leverage, or perhaps out of caution. It has apparently found additional multiple breaches across the lines -- uncovering misuses of data by employees.

Insiders suggest a strategy of cleaning house before outside regulators come in. Do we audit then Ajax, or is it the other way around? Sustained pressure on privacy and banking regulators in Europe has made intervention a non-trivial risk; latest rumour there is that the Belgian privacy regulator is taking lead on the case for all EU privacy regulators, and they all now working through SWIFT's response to the first round of questioning. The question of whether European companies are alive to the risks of "Restaurant economics," a.k.a. industrial espionage remainsl an open one.

Question #3 for SWIFT: why didn't your prior and no doubt expensive audits uncover signs of data abuses? (Readers of FC already know the answer to that, but SWIFT might not, so it is worth making them think about it.)

Also, there are scurrilous suggestions that the SWIFT breach has triggered a wave of copycat audits across FIs with a wide network of users. Major banks take note -- you may want to now go through and audit how your data has been used and misused, and we ain't talking about Sarbanes Oxley. "One more time, with feeling." Many institutions are apparently already doing this, which has lead to a surge of firings and hirings where misuse of data has been found. Some of the breaches relate to USG as beneficiary, others do not, but details are of course scant. (Companies that are mentioned as having surges in firings/hriings other than SWIFT include three household names, leaders in their respective sectors.)

[ Search for more on SWIFT breach. ]

IdentityWatch: Cloning the RFID, swimming the channel on the cheap, the Russian view, AML success rate, and the genesis of Id Theft?

"Hackers clone e-passports" from wired reports that the RFID in the new passport formfactor can be cloned for peanuts:

Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country's e-passport, since all of them will be adhering to the same ICAO standard.

Lynn says that sounds somewhat akin to the "yes card" clones of sda chip&pin that started to show up in the 90s [1, 2].

And now for something completely different:

Confidence in the Government's immigration policy - insofar as it has one - is at rock bottom. The latest revelation was buried in a threat assessment issued by the Serious Organised Crime Agency yesterday. It revealed that the cost of a clandestine passage from France to Britain is now just £150.

Is that with a free Identity, or don't you need one as you stride out below the white cliffs of Dover? I've postulated on the basis of this and other collected resources that $1000 is the value of your identity. Over in Russia, Vlad Miller also came up with a $1000 maximum liability number which he uses when selling identity certification. He writes (from email):

My estimations of the liability amount was mostly based on similar indirect research of black market prices. According to the majority of my sources (paper and internet press as well as some unofficial discussions with old-hat officials from MIA) russian black market has two main fake identity (mostly domestic passports) offers:

1. Fake real identity, that is just a counterfeit document that looks real (at glance or under a more in-detail examination). Those cost 100-800 USD depending on the quality of forgery.

2. Real fake identity, that is a *real* and fully legal identity document issued on a *fake* name. These IDs can't be detecter with any forgery detection techniques; in some cases you can't determine this is a forgery even by inquiry to the official MIA database because this fake name is entered there too (this is resembling to real fake IDs used by undercover operatives). Such forgeries cost starting at 1200 USD (just filled on a legal blank) and may run up to 2000 USD and even more (fake information is inserted into the database).

I've made some security risks calculations, and final $1000 came up.

Our routine survey of fake Ids does not challenge:

The fake IDs were for more than 20 countries including South Korea, Singapore, Germany and the United States. Police also found about 1,500 visas for Australia, Malta, Moldova, the European Union (EU), Canada, Japan and South Africa. ... The suspects admitted that the gang charged about 4,000 baht ( 105 U.S. dollars) for producing a fake passport. They added forgery had become easy with the help of high-tech digital equipment.

Where this comes to the point is in the application of money. Here's Dani's Report from the Wild East:

I have participated in a conference titled "Banking and Criminal Law" organized by the International Association of Penal Law (AIDP, http://www.penal.org ) where the following figures were announced for 2005 in Hungary:

Reports by banks and law-firms concerning possible money-laundering: approx. 14000
Investigations initiated by the police: 8
Cases heared at court: 2
Guilty verdicts: 0
At the same time, the estimated volume of money laundering through the Hungarian financial system during the same year: $4 billion.

These figures came as a shock to some of the participants (including myself). This proves that the immensely expensive snooping machinery that requires one or two full-time employees at major branches (the guy dealing with the paperwork required for reporting suspicious cash transactions), which both customers and banks hate, is completely ineffective. Banks were forced into compliance by the regulation that puts the criminal responsibility for money-laundering on the teller, if s/he failed to report it; thus, they end up reporting almost every transaction, just in case. Same for law firms and escrow agencies (these two functions are traditionally performed by the same companies in Hungary).

On the other hand, living without a bank account is nearly impossible in Hungary (for instance, it is illegal to pay salaries in cash for a wide range of jobs) and it is becoming increasingly burdensome to transact without the banks' participation. It's getting worse year by year.

Russia is a completely different story, where the trust in the banking sector is generally low among the general population and large parts of savings are held either at home in cash (exclusively in USD during the nineties, then in Euros and in the past two years increasingly in the local currency, roubels) or lended to trustworthy friends and relatives. Major money laundering is done through off-shore banks, mostly in the baltic states (Russian-owned Latvian banks are the favorites). Even if salaries arrive to bank accounts, people tend to visit the ATM on pay-day to get some cash (most ATMs give both roubles and USD; when ATMs first appeared in Russia, they were dollar-only). Escrow agencies (of which WebMoney is technically one) are very popular in securing p2p or b2b transactions. These are very loosely regulated, use a diverse set of communication channels, and God alone can track all the financial flows. There are just too many of them.
Posted by: Daniel A. Nagy

It is relatively easy to draw a line from drugs -> ML -> AML -> identity obsession -> identity theft, albeit hard to stomach for the unforseen consequences. We can now possibly calculate the losses from AML: as identity became necessary for more and more processes, including for example the expansion of the credit society, more and more stress is placed on the weak instrument of the one true identity. In this case, the AML people have paved the way for fairly massive identity theft and concomittant fraud. Last time I saw the figures it was running around $10bn per year in the US, but maye it is more:

Nearly 10 million consumers were victimized by some form of identity theft in 2004 alone. That equals 19,178 people per day, 799 per hour and 13.3 per minute. Consumers have reportedly lost over US$5 million, and businesses have lost an estimated $50 billion or more.

The authorities will see statistics on the uselessness of AML as more evidence that they must try harder, but economists see it differently; If we reverse the cause and effect in our minds, correlation is still found to confirm our mistakes.

The late great President Ronald Reagan is often lauded as the most Austrian of leaders, but he made some mistakes. As instigator of the original war on drugs, he set the foundation for our current epidemic of identity theft, and his war fell victim to the law of unforseen consequences.

SWIFT breach - the 'squeeze', justice not being done, the Europeans wake up to "restaurant economics" a.k.a. industrial espionage

SWIFT was extorted to hand over the data. According to two Austrian reports:

"Einverständnis wurde abgepresst" Per Gerichtsbeschluss sollte der gesamte Datenverkehr in der US-Zentrale von SWIFT beschlagnahmt werden, falls SWIFT nicht freiwillig eine bestimmte Zahl von Datensätzen liefere - "das Einverständnis wurde abgepresst", sagt Gall.

“Agreement was squeezed off” By court order the entire data traffic in the US center should be seized by SWIFT, if SWIFT does not supply voluntarily a certain number of data records - “agreement was squeezed off”, says Gall.

Also, here (left in German, right in Googlish, sorry about that) and also see earlier reports (1, 2, 3, 4, 5) ... :

Mit Beschlagnahme gedroht Als sich SWIFT zunächst weigerte, drohten die Amerikaner mit der Beschlagnahme der in den USA gespeicherten SWIFT-Daten. Im US-Bundesstaat Virginia befindet sich nämlich eines der drei Hauptrechenzentren des weltweiten Finanztransaktionssystems SWIFT. Mit der Verhinderung von noch Schlimmerem begründet SWIFT nun, dass man alle gewünschten Daten freiwillig übermittelt habe.

Threatened with seizure When SWIFT refused first, the Americans threatened with the seizure of the Swift data stored in the USA. In the US Federal State Virginia is one of the three main computing centres of the world-wide financial transaction system SWIFT. With the prevention of still worse one SWIFT justifies now that one conveyed all desired data voluntarily.

SWIFT director Günther Gall made those comments at a recent "crisis meeting" held by Austrian banks. He reported that the US Treasury prepared warrants for the seizure of the entire data center, and then offered SWIFT the chance to cooperate by means of a slightly less draconian handover of data.

There's no doubt that the US Government can have this data if it wants. It has the power, and SWIFT is an easy touch, so say at least the Swiss

Stellt sich die Frage, wieso die Swift dem amerikanischen Finanzministerium gefügig Folge leistete. «Die Swift ist leicht erpressbar», mutmasst Mark Pieth, der bereits die Untersuchungskommission der Uno im «Oil for Food» -Skandal leitete, «denn wenn die US-Behörden der Swift die Lizenz für ihre amerikanische Niederlassung entziehen, ist sie nicht mehr funktionsfähig.» Pieth wäre auch nicht erstaunt, wenn der amerikanische Geheimdienst sich im selben Atemzug Einblick in andere Finanztransaktions-Plattformen beschafft hätte. Laut dem Bericht der «New York Times» bestätigten Offizielle der US-Behörden zudem, limitierte Abkommen mit Kreditkarten- oder Transaktionsunternehmen wie Western Union eingegangen zu sein. Die Angelegenheit stellt für Pieth jedenfalls einen eindeutigen Eingriff in die Freiheitsrechte der Bürger dar, und er ist gespannt, wie sich die Schweizer Behörden rechtfertigen werden.

The question arises, why Swift had complied to the American Finance Ministry so easily. “*SWIFT is easily extortable*”, presumed Mark Pieth, which already led the inquiry of the UN in the “oil for Food” scandal, “if the US authorities withdraw the licence from SWIFT, it is no longer functional.” Pieth would not be surprised also, if the American secret service had procured itself in the same breath view of other financial transaction platforms. According to the report the “New York Time” confirmed official one of the US authorities besides, agreement with credit card or transaction enterprises limited such as Western union to have been received. The affair represents a clear interference anyhow for Pieth into the liberty rights of the citizens, and it is strained, as Swiss authorities will justify themselves.

In this case, it used the power, and hence we now have another reason for the cover-up -- if true, the US government again exceeded the bounds of reasonable civilised behaviour. It brings to mind how Judge Lewis A. Kaplan recently ruled in the New York Southern District court:

"Justice is not done when the government uses the threat of indictment ... to coerce companies into depriving their present and even former employees of the means of defending themselves against criminal charges in a court of law," he wrote. "If those whom the government suspects are culpable in fact are guilty, they should pay the price. But the determination of guilt or innocence must be made fairly _ not in a proceeding in which the government has obtained an unfair advantage long before the trial even has begun."

There, Judge Kaplan was referring to the US Justice Department's documented technique of pressuring companies to "cooperate" by hanging their employees out to dry. Unfortunately, there was nobody at the American data center to represent the world's wire senders against the seizure "incentive."

This is a scenario which is all too routine in the money world which is why we have rather strict banking secrecy laws. More:

Offiziell Bescheid wusste in Österreich offenbar nur ein Manager der Raiffeisen Zentral Bank und SWIFT Aufsichtsrat Günther Gall. Er hatte bereits 2001 der Weitergabe von österreichischen Transaktionsdaten an die CIA zugestimmt. Angeblich wurden die österreichischen Banken über diese, nach österreichischem Recht illegalen Datenweitergaben, nicht informiert. Nach fast fünf Jahren wird es nun Zeit, dass sich die Banken darum kümmern, wie mit unseren österreichischen Finanzdaten umgegangen wird, die sie an SWIFT weitergeben. Denn es sind die Banken, die garantieren müssen, dass Dienstleister den gleichen Standard beim Datenschutz garantieren, wie sie selbst mit dem Bankgeheimnis versichern.

Officially, only one manager in Austria know, Raiffeisen central bank and SWIFT supervisory board Günther Gall. It had already agreed 2001 of the passing on of Austrian transaction data to the CIA. Allegedly the Austrian banks were not informed about these data passing on illegal after Austrian right. After nearly five years it becomes now time the fact that the banks worry about how with our Austrian financial data is handled, which pass it on at SWIFT. Because there is the banks, which must guarantee that Dienstleister guarantee the same standard with the data security, how they insure with the banking secrecy.

Which is a grumble that the Austrian responsibilities towards secrecy of data have been breached.

There is yet another problem. Most of the world is looking at this as a privacy issue. (Indeed Privacy International is right on the case, and it needs no crystal ball to predict who's top choice for this year's Big Brother award.) Yet, this is missing the point. As I've pointed out, the lack of governance means that the information will be leaked in due course; not to you or I, as we can't affort the price of illegal data, and we may not want to anyway. But to someone; and due to strong secrecy of their operations, we won't know who it is being leaked to.

René Pfeiffer reports in EDRIgram:

Members of Austrian business organisations have also voiced big concerns about possible cases of industrial espionage, because it is not known who has access to the intercepted SWIFT data. Combining the data from money transfers and the disputed Passenger Name Records data enables everyone who gets these records to use them for economic advantage. Organisations in UK, Germany and Austria have begun to investigate the scope of the damage caused by the SWIFT tapping. Letters to local banks and SWIFT board members have been prepared and published. Every company, business and individual is advised to demand a clarification about the intercepted data on the basis of data protection laws. Furthermore legal steps are being prepared against the SWIFT board since they gave customer details away without mutual consent.

This isn't so much about privacy of the individual, as privacy of the business. A.k.a. industrial espionage, on a state-run scale.

If a large enough deal is being done, where some US champion (say, Boeing) is up against some European champion (say Airbus) for some large bid (say 100 A380s for China), then we can expect _governance be damned_. Maybe the US Treasury would stand up and defend Airbus's right to privacy, against Boeing's corporate survival, ... but I wouldn't be betting *my* factory on it. More:

Wirtschaftsspionage mit EU-Finanzdaten Bisher wurde nur vermutet, die USA könnten ihr Überwachungssystem im Namen der Terrorabwehr auch dazu nutzen, Europas Wirtschaft auszuspionieren. Mit dem Abhören der Finanzdaten habe sich das nun betätigt, so ein Experte der Internationalen Handelskammer. "Für mich kommt diese Wendung nicht überraschend. Vom Überwachen des internationalen Telefonieverkehrs bis zur Kontrolle des Finanzverkehrs ist es ja nur ein kleiner Schritt. Was im ECHELON-Untersuchungsausschuss des EU-Parlaments noch Vermutung war, hat sich damit bestätigt", sagt Maximilian Burger-Scheidlin von der Internationalen Handelskammer [ICC] in Wien. ECHELON lässt grüßen Die Vermutungen im Untersuchungsausschuss, die USA würden ihr elektronisches Überwachungssystem ECHELON auch gezielt dazu benutzen, Europas Wirtschaft auszuspionieren, sind für Burger-Scheidlin mit der Affäre SWIFT nun real geworden. Man könne eigentlich dankbar sein, denn nun lägen handfeste Indizien vor, dass US-Geheimdienste die europäischen Finanztransfers systematisch durchsuchten. "Wir hoffen nun, dass die Regierungen Europas endlich aktiv werden, nachdem sie nun seit vielen Jahren Bescheid wissen", sagt Müller-Scheidlin, dessen Spezialgebiet bei der ICC die Abwehr von Wirtschaftsspionage ist.

Restaurant economics with European Union financial data So far only one assumed, which could use the USA their monitor in the name of the terror defense also to spy of Europe economics. With the hearing of the financial data now, such an expert of the international Chamber of Commerce worked. “For me this idiom does not come surprisingly. From supervising the international telephone voice traffic up to control of financial traffic it is only a small step. Which in the ECHELON committee of inquiry of the European Union parliament still assumption was, thereby”, says Maximilian Burger Scheidlin was confirmed of the international Chamber of Commerce [ICC] in Vienna. ECHELON says "I'm not dead yet!" The assumptions in the committee of inquiry, which the USA its electronic monitor ECHELON also purposefully to use to spy of Europe economics are become for Burger Scheidlin with the affair SWIFT now material. One can be actually grateful, because now strong indications would be present that US secret services scanned the European financial transfers systematically. “We hope now that the governments of Europe become finally active, after they know, say now for many years answer” Mueller Scheidlin, whose special field is with the ICC the protection from restaurant economics.

And More. "Restaurant economics" is googlish for "industrial espionage" it seems. Luckily, it's all in German which means the Bush Administration can wave off these funny krauts and their silly terms, and pretend this is just another case of New York Times treachery and treason.

It remains to be seen if the International Chamber of Commerce will carry this fight to the enemy. What was last month's curiousity -- the European Commission being quite happy to sign over so much data in one-way exchanges on individuals -- is now replaced with the new curiosity of whether they will do the same to their companies.

SWIFT breach - embarrassed Europeans, outrageous acting in Congress, the aggreated abuses, camelgate, and the institutionalised defrauding of American values

I was right on the embarrassment call. First the Canadians, now the British, the Irish and even the European Parliament:

The European Parliament demanded Thursday that European governments and European institutions in Brussels disclose how much they knew about a secret U.S. program to tap into international banking data.

In a resolution reflecting concern among Europeans about cooperation in America's "war on terror," the Parliament voted 302 to 219, with 22 abstentions, to demand that the European Commission, the European Central Bank and the EU's 25 member states "explain fully the extent to which they were aware of the secret agreement" between Swift, an international banking consortium, and the U.S. government.

Following the arrest in Italy on Wednesday of two Italian intelligence agents suspected of helping in the alleged CIA kidnapping of a terrorism suspect and his transfer to a third country, a process known as "extraordinary rendition," the Parliament also adopted a resolution stating that it was "implausible" that "certain European governments were not aware of the activities linked to extraordinary rendition taking place on their territory." It voted to extend its investigation into alleged CIA detention centers in Europe by six months.

While the resolutions are not legally binding, they have "political teeth," said Friso Rascam Abbing, spokesman for the EU's justice and security commissioner, Franco Frattini.

The European Parliament are an odd bunch. They have little power to pass laws, but when they jump up and do something, it is a hint that something's gone awray. In this case, the Commission -- where the real power lies -- has realised the writing is on the wall:

Belgian authorities are investigating whether the Brussels-based Society for Worldwide Interbank Financial Telecommunication, or SWIFT, broke the law by passing bank transaction data to the CIA.

Once that inquiry is concluded, European Commission officials will try to determine whether EU privacy laws were also violated.

"There is no question of a cover-up," said Friso Roscam Abbing, a European Commission home affairs spokesman in Brussels.

That other apparently powerless bunch of seat warmers, the US Congress, agrees:

In a sharply worded letter, the Republican chairman of the House intelligence committee has told President Bush that the administration is angering lawmakers, and possibly violating the law, by giving Congress too little information about domestic surveillance programs.

Rep. Peter Hoekstra (Mich.) has been a staunch defender of the administration's anti-terrorism tactics. But seven weeks ago, he wrote to Bush to report that he had heard of "alleged Intelligence Community activities" not outlined to committee members in classified briefings.

"If these allegations are true," he wrote, "they may represent a breach of responsibility by the Administration, a violation of law and . . . a direct affront to me and the Members of this committee."

However, one shouldn't take the noise from Congress as too scary. In a production more befitting of Hollywood than Pennsylvannia Avenue, the bill to legalise and also slip in a few more weapons of mass privacy destruction has already been written, under cover of outrage at the White House:

The White House balked at an early draft that would have mandated the president submit the NSA program to the FISA court for review. Specter agreed to make it voluntary as long as Bush promised to submit the program if Congress passes the bill. Aides privately acknowledged it was a big concession by a president who until now has resisted judicial interference in how he wages war against terrorists.

The White House conceded in part because it believes the NSA program will survive constitutional muster and the Specter bill will make it easier to argue that the program complies with congressional statutes as well. "We've always said it's constitutional," said one administration official who was not authorized to speak on the record.

The language acknowledging the president's constitutional authority to conduct intelligence operations also was important to the White House. "We see it as historic because here's a statute recognizing an authority the president says he has," the administration official said.

Still, that language alone might mean little because it did not define the scope of the authority or explicitly suggest that a president did not need to seek court approval for warrants. But at the same time, Specter agreed to repeal a section of the original FISA law that made it the exclusive statute governing such intelligence programs.

The combination of the statement acknowledging presidential authority and the deletion of the exclusivity clause left open the interpretation that Bush has the power to conduct other surveillance outside FISA's purview, a possibility administration officials noted with approval.

Also, added, a clause sweeping all civil suits before the FISA court. Whoops! In other words, "please tell us what bill you want written to legalise it, and we will pass it, loudly and angrily." Will this Patriot sequal outsell the Pirates of the Caribbean redux? Back to the IHT article:

Revelations about the SWIFT operation have coincided with growing awareness of the CIA's use of clandestine prisons in Europe for terrorism suspects, the abduction of such suspects, and secret flights to transport them, often to countries where they might be tortured.

Note that this is backtracking at rapid speed by the EC and other regulators. Earlier statements were of the ilk of "not our jurisdiction". Note also how this is being linked to the 'extraordinary rendition' issue above and in other press reports (two Italian intelligence agents arrested in recent weeks in connection...). Keeping in mind the phone tracking and the flight data, both cases where data was passed across the Atlantic without coming back the same way, Europe is now waking up to the fact that the much vaunted European privacy model has been breached on a wholesale level. For more evidence of asymmetry accepted by lame-duck politicians, consider the 3 accused Enron scapegoats:

Lawyers for the three former bankers known as the NatWest Three confirmed yesterday that the men will complete on Thursday their fast-track extradition to America to face charges relating to an £11m fraud involving the collapsed US giant Enron.

On the same day, the Home Secretary will dispatch a minister to Washington to try save the British Government from further humiliation by persuading US senators to drop their opposition to a reciprocal US-UK extradition treaty.

In each case in isolation, the government(s) let it happen -- a one way deal. The question we are now looking at is whether the European Union and others such as US Congress, the Canadians, and the rest of the world will view the abuses in aggregate in a different light.

Curiously, the Bush administrations fears may have been justified: Notwithstanding the expected nature of this particular breach, it may become the straw that broke the camel's back. In time honoured American tradition, maybe we should call the SWIFT breach Camelgate.

Finally, we need to keep our eye on the ball here. What is the central problem? It is this: the information that is being collected is not subject to appropriate governance, something that worries as financial cryptographers. The special conditions that once applied to national intelligence activities no longer apply. That data is as we speak being moved out of the box labelled "only for counter-terrorism":

"We can use that information for terrorism, money laundering - all sorts of law enforcement purposes," Stuart Levey, the Treasury Department's undersecretary for terrorism and financial intelligence, told the House Financial Services subcommittee on oversight and investigations. "And we can do all kinds of the things that people traditionally think about when they think about data mining in terms of looking for trend analysis, suspicious activity and the like."

There, he is talking about a *new* program to trace all American/International wires. The only thing that is surprising is the breathtaking speed with which US Treasury are discarding the claims of only a few weeks ago.

Now, the naive might think that the government has the data, and if you've done nothing wrong, then you have nothing to fear. Dead wrong. Because there is no governance worth spit in place, the SWIFT value will be used for nefarious purposes. Intelligence data is already being used so:

A former ISC insider passed the dossier to the intelligence arm of the anti-corruption squad in February. The informant directed handlers to a series of ISC payments, totaling 20,000 pounds, made to a recipient identified as Detective Sergeant Gary Flood.

United Kingdom (oops: not US) Intelligence data is now available to the highest bidder. Some will see this as a good thing -- an opportunity. Some of that data is good stuff:

Among the critical assets in the database are Old MacDonald's Petting Zoo, a Kangaroo Conservation Center, Jay's Sporting Goods, several Wal-Mart stores, Amish Country Popcorn, and the Sweetwater Flea Market.

The DHS Office of Inspector General found the National Asset Database, being compiled to support a variety of infrastructure protection projects, full to overflowing with "poor quality" data, such as 4,055 malls, shopping centers, and retail outlets, 224 racetracks, 539 theme or amusement parks and 163 water parks, 514 religious meeting places and 1,305 casinos.

(spotted by 27BStroke6.)

The USA is moving with breathtaking speed to financial tracking on a comprehensive scale, available to a wide range of interested parties. The institution known as the American Value System has been breached, and is about to be defrauded in a way that makes previous scandals (mutual funds, oil-for-food, KPMG, Enron, ...) look like quaint stories told by old-timers over sherry.

SWIFT breach - canonically novel theories in law revealed

In the breach that keeps on breaching, I suggested that the reason the Bush administration was nervous of the program was that the Europeans might be embarrassed via public opinion to put in place real governance. I was close (dead link to "Piling On the New York Times With a Scoop," Howard Kurtz, WaPo):

Keller said he spent more than an hour in late May listening to Treasury Secretary John Snow argue against publication of the story. He said that he also got a call from Negroponte, the national intelligence czar, and that three former officials also made the case to Times editors: Tom Kean and Lee Hamilton, chairmen of the 9/11 commission, and Democratic Rep. John Murtha of Pennsylvania -- an outspoken critic of the war in Iraq.

"The main argument they made to me, extensively and at length, besides that the program is valuable and legitimate, was that there are a lot of banks that are very sensitive to public opinion, and if this sees the light of day, they may stop cooperating," Keller said.

What useful reason could they have for keeping it secret? If it was legal, the banks will cooperate. I think we can clearly state that banks will generally operate within the law, and will always side with the government over the interests of their customers.

As far as the banks are concerned, their interests are covered as long as a) it is legal, and b) all banks equally have to comply. So, keeping it secret was either directed at covering up potential illegality or a lack of legality, or some particular discrimination that was going on. As there has been no real hint of any discrimination here (SWIFT by definition serving all banks), it would be the former. (And, what does he mean by "a lot of banks?")

He acknowledged, as did the Times article, that there was no clear evidence that the banking program was illegal. But, he said, "there were officials who talked to us who were uncomfortable with the legality of this program, and others who were uncomfortable with the sense that what started as a temporary program had acquired a kind of permanence.

So what we have here is a programme of dubious legality, where insiders know they have transgressed, and would like the law to be clarified and updated. So they themselves are not at risk, and evidently the banks feel the same way.

"It's a tough call; it was not a decision made lightly," said Doyle McManus, the Los Angeles Times' Washington bureau chief. "The key issue here is whether the government has shown that there are adequate safeguards in these programs to give American citizens confidence that information that should remain private is being protected." ... McManus said the other factor that tipped the paper's decision to publish was the novel approach government was using to gather data in another realm without warrant or subpoena.

"Police agencies and prosecutors get warrants all the time to search suspects' houses, and we don't write stories about that," he said. "This is different. This is new. And this is a process that has been developed that does not involve getting a specific warrant. It's a new and unfamiliar process."

That's raising an interesting question. The question of the maybe-subpoena is addressed here:

The Administration says the program is legal because every month the Treasury Department issues an administrative subpoena, basically a subpoena you write yourself without seeing a judge.

Ryan Single also offered a theory on how the newspapers wrote their own administrative subpoenas. More odd remarks from the McManus of the LATimes:

"I always start with the premise that the question is, why should we not publish? Publishing information is our job. What you really need is a reason to withhold information."

It's a point. As we dig further we discover the old black helicopter theories surging up:

The scandal here is not government over-reach, [Blum] tells me. The scandal is the pitiful reluctance of this administration (and others before it) to get serious about the problem. Bankers, Blum explained, "have fended off every conceivable rule that would really be effective. Why are we pandering to them if we say we are in such a desperate situation?" ... The monitoring system described by the Times seems unexceptional to Blum. Indeed, his complaint is that it's so narrowly focused that it mostly harvests empty information. "Meanwhile, the biggest purveyor of terrorist money, as everyone knows, are accounts in Saudi Arabia," Blum observes. "Nobody will deal with it because the Saudis own half of America." An exaggeration, but you get his point.

Blum knows the offshore outposts where US corporations and wealthy Americans dodge taxes or US regulatory laws. Congress could shut them tomorrow if it chose. Instead, it keeps elaborating new loopholes that enable the invention of exotic new tax shelters for tainted fortunes. The latest to flourish, he says, are shell corporations-- freely chartered by states.

"The GAO says this device is being used for money laundering by everyone else in the world," Blum says. "Congress ought to start there." He is not holding his breath.

Which would be the house of cards defence. Here's another card that is showing signs of bending:

The U.S. National Security Agency asked AT&T Inc. to help it set up a domestic call monitoring site seven months before the Sept. 11, 2001 attacks, lawyers claimed June 23 in court papers filed in New York federal court.

The allegation is part of a court filing adding AT&T, the nation's largest telephone company, as a defendant in a breach of privacy case filed earlier this month on behalf of Verizon Communications Inc. and BellSouth Corp. customers. The suit alleges that the three carriers, the NSA and President George W. Bush violated the Telecommunications Act of 1934 and the U.S. Constitution, and seeks money damages.

``The Bush Administration asserted this became necessary after 9/11,'' plaintiff's lawyer Carl Mayer said in a telephone interview. ``This undermines that assertion.''

People all around the world bent over backwards to help the USA deal with 9/11. And let's not forget a substantial number of people killed were foreigners -- expatriate workers in the towers at the time.

If it is true that the spying programmes were begun before 9/11, that might shake the faith a bit. For the unshakebly faithful, see the relevant complaint and some skepticism here (tip to Adam and 27BStroke6):

Within eleven (11) days of the onset of the Bush administration, and at least seven (7) months prior to the attacks of September 11, 2001, defendant ATT began development of a center for monitoring long distance calls and internet transmissions and other digital information for the exclusive use of the NSA.

Why are we doing all this? Eavesdropping. We know it is a present danger, but the clarity lacks. We need to figure out what capabilities the agencies have and how far it spreads, in order to inform future designs.

SWIFT breach - softly softly, catchee monkey?

As predicted, the politicians in Europe are responding, albeit mildly.

Meanwhile, Belgian Prime Minister Guy Verhofstadt issued a statement saying he has asked security officials to determine whether the U.S. program complied with Belgian laws.

In the same Toronto Star article:

New security powers aimed at fighting terrorism may be a "threat to privacy" and must be monitored, Canada's privacy commissioner said yesterday as she announced an inquiry into whether U.S. authorities accessed Canadian financial records.

Commissioner Jennifer Stoddart said she anticipates making the results of her inquiries public in coming weeks, after "examining whether Canadians' financial transactions are being improperly accessed by foreign authorities."

Fairly clearly, everyone in the financial community knew that SWIFT tracking was likely, and knew it was probably ineffective. They allegedly caught one guy, which makes it an inessential tool -- you don't take on those risks just to get one successful lead over 4-5 years. And, as we know:

In his new offering, "The 1 Percent Doctrine," author Ron Suskind says everyone in U.S. intelligence has known for years that al-Qaida and similar groups have jettisoned electronic banking for some time. These guys aren't fools. They also use untraceable cell phones. They now use bodies to carry the cash or hide it in other packages, so the 'use' of this spying is questionable.

The reason that terrorists aren't stupid is simple - the stupid ones get eliminated over time, an evolutionary feedback mechanism that seems unavailable in Washington D.C, no matter how desirable. Notwithstanding all that, the Bush administration chose to counter-attack the press for the 'leak':

President George W. Bush has condemned newspapers that carried initial reports on the program last week - including the New York Times, the Los Angeles Times and the Wall Street Journal - saying the disclosure made it "harder to win the war on terror."

The need for a message that can be explained in 25 simple words to the Republican support base is apparent, but this is verging on the ridiculous. Which raises the question -- aside from lack of evolutionary pressures -- why is Bush taking the New York Times to task on this?

You also can't count out the White House from being political on this. Attacking the messenger, in this case the New York Times, is "red meat" to some who dislike the media and may garner members of the current administration a few votes in November.

So, we are being asked to choose between the Republican base being too stupid to realise they are being conned again, or that they will wake up and call Bush's bluff. I don't want to go there. Also, what happens when there is a leak over an effective and agreeable tool? They'll have shot their wad. That's actually a fairly likely scenario, given the record of this administration to shoot first, think later.

But there might be more to this than mere stupidity and electoral panic. In considering what it means to threaten prosecution over the leak of an ineffective and controversial tool, keep in mind that terrorists aren't stupid. Therefore, they are not in this picture. So, if it is not about terrorists, everything else mentioned is likely as deceptive.

Let's consider the possibility of a deception plan. Why would Bush's team just not dampen down on it? Nobody knows who SWIFT is, and if we were to keep repeating "boring!" people would eventually get the message. The reason may have something to do with two factors:

1. International embarressment may actually force a debate on this, and could cause the tool to be modified, or at worst withdrawn. Is the Bush administration embarrassed and caught flat-footed in front of its erstwhile international peers? Or even the Democrats?

At a confirmation hearing Tuesday for Henry Paulson Jr., the nominee for Treasury secretary, Senator Max Baucus, Democrat of Montana, asked whether the monitoring might violate the Fourth Amendment's protection against unreasonable searches.

"I think you'll agree that we could fight terrorism properly and adequately without having a police state in America," Baucus said.

Paulson did not express an opinion on the propriety of the Swift monitoring but pledged to study it. "I am going to, if confirmed, be all over it, make sure I learn everything there is to learn, make sure I understand the law thoroughly," Paulson said.

Democrats said they hoped to get a clearer idea of the legal foundations for the program, how it was monitored, and how long it would be allowed to continue under the president's invocation of emergency powers.

I think it unlikely to be withdrawn, but it might earn some proper governance, especially if the Democrats keep embarrassing the international community into thinking about it. Which leads us to point 2:

2. There is massive support in US Treasury for this tool, if this embarrassing tidbit is anything to go by:

Democratic staff members said they had pressed Treasury officials in recent days for a fuller accounting of which members of Congress were briefed on the program and whether notification requirements under the International Economic Emergency Powers Act, invoked by Bush after Sept. 11, were met.

Treasury officials have told congressional staff members that they briefed the full intelligence committees of both houses about a month ago, after inquiries by The [New York] Times, according to one Democratic aide who spoke on condition of anonymity.

US Treasury possibly realise they now have the crown jewels in their grasp - the tool they need to chase their own subjects across the globe. Now is the time to roll out the long term strategy -- first migrate the SWIFT tracking across to drugs & ML (already started, as spotted earlier). Then on to own citizens.

Softly softly, catchee monkey. Is this going to happen? You might as well bet your bottom dollar, because it could be your last private bet:

A U.N. report on terrorist financing released in May 2002 noted that a "suspicious transaction report" had been filed with the U.S. government over a $69,985 wire transfer that Mohamed Atta, leader of the hijackers, received from the United Arab Emirates. The report noted that "this particular transaction was not noticed quickly enough because the report was just one of a very large number and was not distinguishable from those related to other financial crimes."
One of the key federal agencies vacuuming the financial information long has snubbed the terrorist threat. As of 2004, the Treasury Department's Office of Foreign Assets Control had 10 times more agents assigned to track violators of the U.S. embargo on Cuba as it had tracking Osama bin Laden's money. From 1994 to 2004, this Treasury bureau collected nearly 1,000 times as much in fines for trading with Cuba as for terrorism financing.

If you know anything about systems you can see where this going: individual queries on suspicions clarified through governance will give way to massive datamining in order to avoid the above embarrassing failures. Which leads to the earlier scenario of own citizen tracking, if we accept the principle that any (secret, ungoverned) system is eventually captured by those with the most interest.

Fear of embarrassment and consequent proper governance may explain why the administration is taking the line that this is "government at its best." In effect, daring detractors to call them; before you can put in proper governance, you have to present the Bush Administration as bad governance.

So watch to see how much resistance there is to proper governance and international oversight.

Relevance to wider currency matters? If the worst case scenario comes to pass and the SWIFT breach widens, then expect a couple of competitors to SWIFT to arise. One for the Muslim world and another for the Asian sphere.

Also, there are signs that the penny may have dropped for at least some FBI agents.

FBI Financial Crimes Section chief Dennis Lormel and his colleagues at other intelligence agencies eventually realized that the information supplied by the company could be used not only to locate and freeze the assets of terror groups, but also to track them in real time - in other words, to follow the money trail directly to the sources and destinations of the funds.

First Data subsidiary Western Union, with branches throughout the Arab world and a high volume of money transfers, was in a perfect position to help. American intelligence agents and company officials cooperated in tracking the data trail and in monitoring security cameras installed in Western Union branches in order to see who was picking up the funds.

According to the book, then Shin Bet head Avi Dichter, whom Suskind calls an agent of change in the U.S. war against terror, was briefed by Lormel on the new monitoring capabilities during one of his frequent visits to Washington.

In April 2003, Dichter called Lormel to ask for the FBI's help in this regard. Dichter told officials that the Shin Bet had information about a courier who was expected to be bringing money to Israel from Lebanon shortly. The source of the money was known, but not the identity of the person for whom its was destined.

In early April, 2003, an Islamic Jihad activist went to a Western Union office in Lebanon and ordered a money transfer to Hebron. The Justice Department authorized Western Union to release this information to the FBI and the CIA, and eventually to the Shin Bet. According to Suskind, all this took just minutes, enabling Israeli intelligence to track the person who collected the transfer in
Hebron and to uncover the terror cell.

According to the book, this method was used successfully many times over the next year and a half, until autumn 2004, when Palestinian operatives realized that their Western Union transfers were being used to trap them.

Top notch! There is potential value in the AML tool of money tracking for the anti-terrorism mission, notwithstanding the real fears of civil libertarians. But, the value is only present if the tool isn't destroyed beforehand. Seizing terrorist funds isn't likely to be effective, just as seizing drugs money isn't likely to be effective, as it just moves the committed into more committments, and gives them a good signal as to what not to do next time.

(If you don't follow the above, consider this: terrorists do not care about money, they've already crossed the rubicon of civil society. If they need more money they will just go and steal it. So seizures don't mean a thing to them, and the next terrorist attacks in USA are likely to be self-financing. Same with drugs dealers.)

But, as it has taken the champions of AML 20 years to work out that tracking is valuable, whereas seizures achieve nothing towards the fundamental stated goal, I wouldn't hold out much hope that Treasury will make a wise choice. They are after all a bureaucracy of many interests.

Roundup on SWIFT breach -- limits claimed are already breached -- US citizens are the victims

Snippets on the big news story of the SWIFT breach. Domestically, this sort of monitoring is perhaps mundane...

The Treasury routinely monitors financial transactions in U.S. banks under the Bank Secrecy Act. Under that law, banks are required to report any cash transaction above $10,000 and to file a suspicious activity report on any transaction that the bank believes may be tied to criminal activity.

U.S. banks have filed more than 2 million suspicious activity reports since 1996, according to John Hall, a spokesman for the American Bankers Association. Banks are also required to retain information on all transfers of more than $3,000.

Should we admire the UST for their careful governance?. FinTimes says:

He said: "We get a data set from Swift but our analysts cannot just look through that data - they have to type into a computer the targeted search they want to do."

This search request must include the name of the targeted person or entity and the reason for believing that person could be associated with terrorism. "There is a record kept of every single search," he said. "Swift itself has people inside our facility who can monitor these searches in real time, and if they have any questions they can stop a search instantly and ask these questions."

As a further safeguard, he said the Treasury had appointed an independent auditor to examine the log of search requests. Mr Levey said the Treasury could not see the data unless it came up in response to a specific search. "Our most recent number is 0.13 per cent of the information that we have we can access."

According to the New York Times, some of these safeguards were introduced in 2003 after Swift threatened to pull out of the programme.

Apparently not. News also in that the 10 major CBs all had the information, as (I am told) they are all represented on the advisory board of SWIFT.

"We had the information in the context of our monitoring activities" of Swift (Society for Worldwide Interbank Financial Transactions), a BNB [Belgium's national bank] spokesman said, refusing to say when it had that information.

"We were alerted informally in the framework of our contacts with this enterprise," he said. ... The BNB said it saw no ethical problem in an exchange of information between Swift and the US authorities, adding that ethical monitoring was not part of its responsibilities.

The bank was charged with the "external surveillance" of Swift, meaning that it had to "check on a certain number of standards of proper functioning" to ensure that the overall financial sector was performing correctly.

The news about US spying "did not call into question the correct functioning of the institutions". The giving of information was "the responsibility of the business (Swift) vis-a vis its clients. The BNB, for its part, was 'subject to professional secrecy'," the bank said.

It added that Swift's databases were in the US and the Netherlands and their management was subject to legislation in those states.

The major central banks are OK with it. Elsewhere it seems that major Swiss banks confirmed they knew. Also jurisidiction is established by the location of databases.

SWIFT is headquartered in Brussels, but much of its operations are based in the United States, where knowledge of the government's secret access to its data was not widespread. Of officials at three large U.S. banks who agreed to speak about the program, only one said his institution had knowledge of it before yesterday.

"People around here are fine with this," said the official at a major New York bank, who spoke on the condition of anonymity. "It was done right." Treasury Undersecretary for Terrorism and Financial Intelligence Stuart Levey said yesterday that the central bank governors of major industrialized nations had also been briefed, although he did not say when that occurred.

Which all confirms my original impression -- I had simply assumed that this would have been done anyway. Why would SWIFT be immune to the data mining that is going on?

Realpolitik aside, the real story here is this: what and where is the debate about whether this is an acceptable thing or not? What happens when the American agencies successfully breach the safeguards that were forced on them by SWIFT? As they will, in time.

"There was one instance noted at one point in an audit that there had been one search that was done that was, in our view, inappropriate. . . . The person who conducted that search is no longer allowed to work on this program. And no information from any search that's even been questioned has ever been disseminated," Levey said. When information appeared that indicated a non-terrorist crime, such as money laundering or drug trafficking, he said the source of the information was "sanitized" before it was passed to other law enforcement agencies.

Boom! Already, the information is being passed for ML and drugs. See how easy that was? The press will concentrate on meaningless blather like who is that poor unfortunate lamb who was sacrificed to prove the information is governed, and miss the wider significance that the system is already being breached, even as they are saying that it is only for terrorism.

One reason the administration is engaging in so much secret surveillance is that current technology makes it so easy, suggested Paul Light, a public policy professor at New York University. "It's almost a case where the technology is leading the policy. If you can do it, why not do it?"

"Bush and his advisers just don't see privacy rights as a particularly balancing test in making the decision to go ahead with these techniques," Light said.

And, how is the rest of the world going to treat this? My guess is that it will be yet another nudge to all the non-friends of the USA to review their dependency on the dollar. Look to see what Russia, Iran, China and the Muslim world make of this.

If a nudge is one more percentage points off the USD as reserve currency, then the cost is twice that in economic payback to the people of the US, who have to pay back the debt. There are some real victims, then.

Sealand burnt out - aid sent by neigbour UK - security guard airlifted

All things come to pass. Sealand, the erstwhile independent country in the Thames estuary and home of the HavenCo ISP for arbitrage businesses, burns out. Not to the waterline, but early reports have it as destroyed by a generator fire.

Sealand had one security guard on site. It looks like they have paid the price for high aspirations and low extinguishers.

The UK, being the nearest neighbouring country, immediately sent in disaster relief. Chances are they will probably stay to help the country back on its feet. And stay, and stay...

Late breaking news: "Michael Bates told the Evening Star the family would not give up its ownership of the former war-time fort and wanted to carry on running it."

Princely bow to JPM's wife who told him what's current and interesting.

Black Helicopter #2 (ThreatWatch) - It's official - Internet Eavesdropping is now a present danger!

A group of American cryptographers and Internet engineers have
criticised the FCC for issuing an order that amounts to a wiretap instruction for all VoIP providers.

For many people, Voice over Internet Protocol (VoIP) looks like a nimble way of using a computer to make phone calls. Download the software, pick an identifier and then wherever there is an Internet connection, you can make a phone call. From this perspective, it makes perfect sense that anything that can be done with a telephone, including the graceful accommodation of wiretapping, should be able to be done readily with VoIP as well.

The FCC has issued an order for all ``interconnected'' and all broadband access VoIP services to comply with Communications Assistance for Law Enforcement Act (CALEA) --- without specific regulations on what compliance would mean. The FBI has suggested that CALEA should apply to all forms of VoIP, regardless of the technology involved in the VoIP implementation.

In brief the crypto community's complaint is that it is very difficult to implement such enforced access, and to do so may introduce risks. I certainly agree with the claim of risks, as any system that has confused requirements becomes brittle. But I wouldn't bet on a company not coming out with a solution to these issues, if the right way to place the money was found. I've previously pointed out that Skype left in a Centralised Vulnerability Party (CVP, sometimes called a TTP), and last week we were reminded of the PGP Inc blunder by strange and bewildering news over in Mozilla's camp.

So where are we? The NSA has opened up the ability to pen-trace all US phones, more or less. Anyone who believes this is as far as it goes must be disconnected from the net. The EFF's suit alleges special boxes that split out the backbone fibre and suck it down to Maryland in real time. The FBI has got the FCC to order all the VoIP suppliers into line. Mighty Skype has been brought to heel by the mighty dollar, so it's only a phone call away.

Over in other countries - where are they, again? - there is some evidence that police in European countries have routine access to all cellphone records. There is other evidence that the EU may already have provided the same call records to the US (but not the other way around, how peculiar of those otherwise charming Europeans) in much the same way as last week the EU were found to be illegally passing private data on air travellers. To bring this into perspective, China of course leads the *public* battle for most prominent and open eavesdropper with their Cisco Specials, but one wonders whether they would be actually somewhat embarrassed if their capabilities were audited and compared?

If you are a citizen of any country, it seems, you need not feel proud. What can we conclude?

1. Eavesdropping has now moved to a real threat for at least email and VoIP, in some sense or other.
2. Can we say that it is a validated threat? No, I think not. We have not measured the frequency and cost levels so we have no actuarial picture. We know it is present, but we don't know how big it is. I'll write more on this shortly.
3. The *who* that is doing it is no longer the secure, secret world of the spooks who aren't interested in you. The who now includes the various other agencies, and they *are* interested in you.
4. Which means we are already in a world of widespread sharing across a wide range of government agencies. (As if sharing intel has not been a headline since 9/11 !)
5. it is only one step from open commercial access. Albeit almost certainly illegal, there isn't likely to be anything you can do about illegally shared data, because it is the very agents of the law which are responsible for the breach, and they will utter the defence of "national security," to you, and the price, to your attacker.
6. An assault on crypto can't be that far off. The crypto wars are either already here again, or so close we can smell them.
7. We are not arguing here, today, whether this is a good thing for the mission to keep us safe from terrorists, or a bad thing. Which is just as well, because it appears that when they are given the guy's head on a plate, the law enforcement officers still prefer to send out for takeaway.

My prediction #1for 2006 that government will charge into cyberspace in a big way is pretty much confirmed at this stage. Obviously this was happening all along, so it was going to come out. How important is this to you the individual? Here's an answer: quite important. And here's
some evidence:

What is Political Intelligence?Political intelligence is information collected by the government about individuals and groups.
Files secure under the Freedom of Information Act disclose that government officials have long been
interested in all forms of data. Information gathered by government agents ranges from the most personal data about sexual liaisons and preferences to estimates of the strength of groups opposing U.S. policies. Over the years, groups and individuals have developed various ways of limiting the collection of information and preventing such intelligence gathering from harming their work.

It has now become routine for political activists -- those expressing their rights under democracy -- to be investigated by the FBI. In what is a blowback to the days of J.Edgar Hoover, these activists now routinely advising their own people on how to lawfully defend themselves.

Hence the pamphlet above. There are two reasons for gathering information on 'sexual liasons and preferences.' Firstly, blackmail or extortion. Once an investigator has secret information on someone, the investigator can blackmail -- reveal that information -- in order to extort the victim to turn on someone else. Secondly, there may be some act that is against the law somewhere, which gives a really easy weapon against the person. Actually, they are both the same reason.

If there is anyone on the planet who thinks that such information shouldn't be protected then, I personally choose not to be persuaded by that person's logic ("I've got nothing to hide") and I believe that we now have a danger. It's not only from the harvesting by the various authorities:

Peter G, 41, asked for a divorce from his wife of six years, Lori G, 38, in March 2001. ... Lori G filed a counterclaim alleging the following: <snip...> and wiretapping. The wiretapping charges are what make this unfortunate case relevant to Police Blotter. ... But Peter admitted to "wiretapping" Lori's computer.

The description is general: Peter used an unspecified monitoring device to track his wife's computer transactions and record her e-mails. Lori was granted $7,500 on the wiretapping claim. ...

This is hardly the first time computer monitoring claims have surfaced in marital spats. As previously reported by CNET News.com, a Florida court ruled last year that a wife who installed spyware on her husband's computer to secretly record evidence of an extramarital affair violated state law.

Some hints on how to deal with that danger. Skype is probably good for the short term in talking to your loved one while he still loves you, notwithstanding their CVP, as that involves an expensive, active aggressive act which incurs a risk for the attacker. However, try and agree to keep the message history off - you have to trust each other on this, as the node and your partner's node remain at greater danger. Email remains poor because of the rather horrible integration of crypto into standard clients - so use Skype or other protected chat tools.

Oh, and buy a Mac laptop. Although we do expect Macs to come under increased attention as they garner more market share, there is still a benefit in being part of a smaller population, and the Mac OS is based on Unix and BSD, which has approximately 30 years of attention to security. Windows has approximately 3 years, and that makes a big difference.

(Disclosure: I do not own a Mac myself, but I do sometimes use one. I hate the GUI, and the MacMini keyboards are trash.)

How cheap is it to get companies to escrow records for LEAs?

The other day I posted criticisms and warnings about Mozilla's propensity to follow commercial programs that involve handing over their customers' data. Now, to underscore the Alice in Wonderland quality of the debate about data safety in America, we can read this over on Risks:

Feds Continue Push For Mandated Internet Data Retention (R-24.29) Lauren Weinstein Fri, 2 Jun 2006 08:28:06 -0700 (PDT)

The Justice Department said Thursday that it was not seeking to have the contents of e-mail archived, just information about the websites people visit and those with whom they correspond."

"Sounding the Alarm on Government-Mandated Data Retention"

This is a critical topic. The impracticality and cost issues associated with the new DOJ Internet data retention proposals are relatively obvious. It's difficult to even understand who would be required to comply with such demands. Only the big Web service companies? ISPs? (via packet tracking of their subscribers running their own servers?) Every small firm, organization, or even individual who operate their own e-mail and Web servers? Are the existing privacy policies of such entities instantly negated if they conflict with the DOJ wish list or data retention legislation?

Risks is a serious, long-lived institution in publishing, dating back to the pre-popular-Internet days. It's widely read, respected, and venerable. How then could the above poster have gotten it so wrong?

In America, the data a company has and the data their software controls is theirs to sell. That's how it is, get used to it. But this seems to be a new theme recurring over and over again, and Weinstein is not alone in misunderstanding the basic nature of data in America. (You'll note that when I posted about the issue with Mozilla, I wasn't saying "don't do that," rather I was warning of the need to manage the transition from open service to the rampant commerciality that the user base is afraid of.)

To see why this news is ominous (and Daniel offered a counter-perspective which I have not as yet got around to addressing), let's go back the ADK story.

I recall the day this idea of "impracticality and costs" was destroyed as an excuse for me. Actually, it was about two weeks of hard debate and thought, surrounding PGP Inc's infamous actions in introducing a way for people to escrow messages to another key. When PGP Inc decided it was going to add the feature for its customers, it ignited a firestorm of criticism over the net as apparently, "one of our own" had turned to the dark side.

Why? Because, at the very same time as this was happening, the net community was fighting FBI director Loius Freeh in US Congress who wanted exactly that. Escrow of all messages, or keys or whatever, as long as the LEAs could read the crypto. And, the fight was being carried on with exactly the same argument as written above - it would be impractical and costly to escrow keys or add FBI keys.

PGP Inc totally destroyed the case of expense and impracticality for the crypto and privacy lobbies. The curious fact was that they were pursuing an honest business need, one that many businesses not only need but must have by law (securities industry for example are desparate for secure but escrowed data comms). And if PGP Inc had only realised that their support base would rebel and had done something about it in advance, they could have successfully migrated that base over and still have the feature put in place.

Are going to see a repeat of this, as the privacy community squares up against the DoJ? Difficult to predict, the times are different. On thing that is different is we might have a better understanding of how this is going to happen. The DoJ just needs to find the right economic deal.

An organisation that sells stuff for money will do just that - sell it for money. Finding the deal was evidently workable for Firefox 2.0. Whether this deal is as bad as the fearmongers think, or whether it is benign as Daniel suggested, is irrelevant - the other interested party, the user, is not paying for the privilege of having a say, so the deal will eventually move against that user. That's economics, get used to it.

There is now, and has been for some time, a hole in the market for an independent secure browser. A sort of OpenBSD of Mozilla, if you are aware of the brands. It's not clear who will fill this hole, I know at least one group that is looking to do this. The problem of course is that it is no small undertaking, and kudos to those who have got their big browser projects to where they are now, with minimal or no funding.

Here's more:

U.S. Wants Companies to Keep Web Usage Records

By SAUL HANSELL and ERIC LICHTBLAU

03/02/06 "New York Times" -- -- The Justice Department is asking Internet companies to keep records on the Web-surfing activities of their customers to aid law enforcement, and may propose legislationto force them to do so.

The director of the Federal Bureau of Investigation, Robert S. Mueller III, and Attorney General Alberto R. Gonzales held a meeting in Washington last Friday where they offered a general proposal on record-keeping to a group of senior executives from Internet companies, said Brian Roehrkasse, a spokesman for the department. The meeting included representatives from America Online, Microsoft, Google, Verizon and Comcast.

The attorney general has appointed a task force of department officials to explore the issue, and that group is holding another meeting with a broader group of Internet executives today, Mr. Roehrkasse said. The department also met yesterday with a group of privacy experts.
...

Dodgy practices - and how to defend against them with Audits

One of the things that we as society do to protect us against dodgy practices is to employ specialists to prepare considered reports. Often known as audits, these reports solve a particular economic problem for us - it is too expensive for all or even any of us to gain the knowledge, travel to the site and review all the requirements. So we elect a specialist who can do it for all of us, thus saving our scarce resources.

(I stress this economic equation so that those familiar with open governance can compare & contrast.)

The downside of the auditing approach is that we are now beholden to the quality of the audit. How do we ensure that the process is good? In principle, we let institutions such as auditor's associations provide principles, standards of quality, and ethics. In practice, we hope they are followed, but practice often lags principle because of the dramatic costs of audits, and the less than transparent information provided. In effect, the problem is shifted from the company to the audit, resulting in what amounts to being two points of failure.

For CAs, a widely used standard is the WebTrust criteria, which have been written by bodies in the US and Canada. This backs into various other documents and standards of those bodies, but tries to narrow down the essentials for CA practice and policy.

It is perhaps interesting to view the WebTrust against yesterday's news of VeriSign being sued on alleged misrepresentation of security levels. Here is one snippet from their "WebTrust Program for Certification Authorities:"

Client/Engagement Acceptance
The practitioner [auditor] should not accept an engagement where the awarding of a WebTrust seal would be misleading.

The WebTrust seal implies that the entity is a reputable site that has reasonable disclosures and controls in a broad range of areas. Accordingly, the practitioner would avoid accepting a WebTrust engagement when the entity’s disclosures outside the scope of the engagement are known by the practitioner to be misleading, when there are known major problems with controls not directly affecting the scope of the engagement, or when the entity is a known violator of laws or regulations.

(My emphasis.) Some have found WebTrust controversial because it is (allegedly) permissive of any procedures, as long as you document them. By way of example, it has been commented (alleged) that you can get a WebTrust for spying on your customers, as long as that is what you say you do in your CPS.

(Whether that is true or not I have no idea.)

But, above, it says there in black and white that misleading disclosures are not acceptable. What's more, it states it broadly - even including disclosures _outside the scope of engagement_ which is likely to be a problem for a company as large and spread as VeriSign, as there are a lot of other areas they get into.

If the court case does find that there is misleading selling going on, there are going to be some questions to be asked. Indeed, maybe the auditor should be asking those questions now, or even in the past. Here's some of the questions that spring to my mind.

Should an auditor necessarily be aware of those sorts of disclosures? WebTrust says that the practitioner has to get into the business model of the CA, which necessarily involves understanding the pricing and product models to at least some extent. So it's a definate maybe. I know in my work, I would need to know the different pricing arrangments to form an assessment, but that's just me. Also, as the two products are apparently discriminated in terms of higher security, that would appear to be something the auditor would look at, as the public is relying on the security if nothing else.

Should this effect the current situation? WebTrust is determined on this issue - it is supposed to a more or less continuous engagement, with updates no more than every 12 months. Further:

During the period between updates, the CA undertakes to inform the practitioner of any significant changes in its business policies, practices, processes, and controls, particularly if such changes might affect the CA’s ability to continue meeting the WebTrust Principles and Criteria for Certification Authorities, or the manner in which they are met. Such changes may trigger the need for an assurance update or, in some cases, removal of the seal until an update examination by the practitioner can be made. If the practitioner becomes aware of such a change in circumstances, he or she determines whether the seal needs to be removed until an update examination is completed and the updated auditor’s report is issued.

In an actual engagement, an auditor can instruct the CA to pull the switch. "Now!" It is unlikely that the auditor will go that for, nor are they likely to pull the Seal. No auditor ever wields the stick that is written into the arrangements, they find other ways to deal with the issue, because any auditor that ever actually did that would not get another engagement. (This of course is part of the reality of auditing, something that is more evident from the Arthur Andersen experience.)

What's more there are plenty of arguments in favour of the practice. E.g., airline seats are quite happily sold at different prices, and the old game with computers is to sell the same machine for different prices but with internal switches set at different speeds. (In the really good old days, you could pay for an engineer to come out and turn the speed doubling switch.) So there are at least some bona fide arguments why this practice is beneficial, leaving aside the fair representation question.

What then should the Auditor do? Initiate a re-engagement? That is one plausible action. Another is simply drop the client, quietly or otherwise. A company that has to search for a new Auditors is sufficiently warned not to do it so many times that it runs out of potential suppliers. Alternatively, the auditor could simply put pressure on the company to sort out its misleading practices and also to settle any case forthwith.

What should relying parties do? Well, purchasers will think twice, but they do anyway, and this is only likely to add to the rumble of discontent with CAs, not change anything.

What about browser manufacturers? I think that depends on the Auditor's actions. Software manufacturers have already passed much of their reliance (but not their liability) onto the auditor by specifying the WebTrust. So they will now need to sit back and wait for the auditor to do the job, which is what the auditor wanted in the first place.

As long as something is done. If the auditor does nothing, or equally uncompellingly, does not inform the relying parties of any actions taken, a browser manufacturer might now wonder if the auditor can be relied upon for the very role they were selected. "Just exactly what would cause the auditor to respond, if not misleading practices towards the users, the very users that we the software suppliers serve and protect?"

Or, a software supplier might have to re-evaluate its own wider sense of duty of care. As the browsers sit in the front row of any liability for the use of SSL (by dint of embedding and hiding the certs and CAs), we could speculate how this case could spread wider. Could this be pinned on the software suppliers? Again, I can't quite see it, although if there is a rash of cases, including to do with phishing, then it is more plausible as the traditional relationship is not exactly an arms-length one.

Finally, what about the buyout of GeoTrust? Well, GeoTrust owners are likely to want to grab their cash and run faster rather than slower, and such events might conceivably destroy the buyout - although I can't see why it would have a material effect. More importantly, if the anti-trust grumbling took root, the law suit might have more an impact.

Of course, such musings are definately above our paygrade. But it is certainly one to watch.

Verisign sued over dodgy security practices

This may be the first of its kind. I've long predicted this response to ropey SSL industry practice, but unfortunately, today, I have no time to comment! (Note - FC is moving ... expect some disruption.)

---

Firm leads $200M suit vs. VeriSign
Alleges pricey business software is no more secure
By Kathy Robertson Sacramento Business Journal May 28, 2006

VeriSign Inc. faces a class-action lawsuit potentially worth more than $200 million for false and misleading advertising of the Internet-security software it sells to businesses that conduct commerce and communications with customers online.

Sacramento law firm Kershaw Cutter & Ratinoff is the lead counsel in the case and alleges that VeriSign sells two versions of its software -- and says that one of them provides a higher level of security -- when there is no practical difference between the two.

The law firm also alleges that the nation's largest Internet-security provider charges $546 more for the higher level of security and misleads customers into thinking they will get more protection if they buy the pricier version. The lawsuit, filed last year and certified as a class-action last month, contends that more than 400,000 Web sites nationwide use the security software.

The case is the first of its kind to be granted court approval to proceed as a class action in a hot legal arena resulting from the tremendous growth of online transactions -- and of a security industry to protect them. VeriSign spokesman Brian O'Shaughnessy declined to comment on the suit.

Five years of claims

"It's essentially a rip-off," said Bill Kershaw, the local attorney who is lead counsel on the case. "When you get charged significantly more money, you expect significantly more security." The lawsuit, initially filed in Santa Clara County Superior Court in February 2005, alleges unfair competition and seeks restitution for the people or businesses that have purchased the software since January 2001.

Mountain View-based VeriSign (Nasdaq: VRSN) operates services that enable and protect billions of online interactions daily, from sales to banking. The company reported $1.6 billion in revenue and net income of $112.4 million in the past four quarters.

The nation's largest Internet-security provider sells two types of software, or "certificates," to businesses. Both are intended to ensure that communications between the businesses' Web sites and their customers are secure, and that personal information such as addresses, credit card and Social Security numbers are kept private through data encryption while they are being transferred over the Internet. The two versions are called Secure Site and Secure Site Pro.

In its advertising, the company says its "Pro" version offers significantly enhanced encryption technology over the standard version and that, as a result, Web sites using it will be able to communicate with customers in a more secure fashion. The "Pro" version costs $895; the standard version, $349. About 99 percent of the time, the higher-level encryption software is provided to everybody, regardless of whether they pay the higher fee or not, Kershaw said.

'Essentially identical'

"Claims that these certificates provide added security are simply untrue," the plaintiffs assert in court documents. "Secure Site and Secure Site Pro provide essentially identical security for communications between businesses and their customers. It has only been through its false and misleading advertising that defendants have been able to extract a $546 premium from thousands of businesses throughout the country."

The lead plaintiff in the case is Southeast Texas Medical Associates LLP, of Beaumont, Texas. A technical expert at the group discovered the discrepancy while working on the system, Kershaw said. "This is not something an average business owner -- or technician -- would discover. It takes some sophistication," he said, adding that the practice appears to be limited to VeriSign.

Two Texas law firms -- Gravely & Pearson in San Antonio and Provost Umphrey in Beaumont -- asked the Kershaw firm to act as California counsel since VeriSign is based in Silicon Valley. The 4-year-old local firm is known for representing plaintiffs in class actions.

In early 2005, Kershaw Cutter & Ratinoff -- working with lawyers from the Sacramento firm of Dreyer Babich Buccola & Calaham -- won cash refunds, plus interest, for a group of California drivers insured by Allstate Corp.

British Columbia Supreme Court rules that you should lie back and enjoy it

A little sunday morning governance nightmare. Over in Canada, a media entrepreneur sued his ex-law firm:

Mr. Cheikes says that in 1997 [his lawyer] Mr. Strother advised him he could not legally operate his tax-shelter business because of tax rule changes. Mr. Cheikes shut operations down that fall and asked Mr. Strother to find ways to make Monarch compliant so that the company could re-open.

A year later, he found out that Mr. Strother had become a 50% partner in a movie tax shelter business called Sentinel Hill, and that [law firm] Davis & Co. were its attorneys. Mr. Cheikes says that from 1998 to 2002, Sentinel Hill made $140-million in total profits, that Mr. Strother made $32-million for himself and that Davis & Co. had been paid $9-million in fees.

Now, as written, this is a slam dunk, and in absence of a defence, we should be looking at what amounts to fraud here - breach of fiduciary trust, theft of trade secrets and business processes, etc etc.

A few words on where this all comes from. Why do we regularly question audits in the governance department of financial cryptography? Partly it is because the auditor's actual product is so disconnected from what people need. But the big underlying concern - the thing that makes people weak at the news - is the potential for abuse.

And this is much the same for your lawyer. They both get deep into your business. They are your totally trusted parties - TTPs in security lingo. This doesn't mean you trust them because you think they are trustworthy sorts, they speak with a silver toungue and you'd be happy to wave your daughter off with one of them.

No, quite the reverse: it means you have no choice but to trust them. The correct word is vulnerability, not trust. You are totally vulnerable to your lawyer and your auditor, more so than your spouse, and if they wish to rape your business, the only thing that will stop them is if you manage to get out of there with your assets firmly buttoned up. The odds are firmly against that - you are quite seriously relying almost completely on convention, reputation and the strength of the courts here, not on your ability to detect and protect the fraud as you are with almost all other attackers.

Which is why over time institutions have arisen to help you with your vulnerability. One of those institutions is the courts themselves, which is why this is such a shocker:

For example, the B.C. Supreme court agreed with Mr. Strother's argument that he had no obligation to correct his mistaken legal advice even though that advice had led to the closure of Monarch.

The lower court also agreed with Davis & Co.'s contention that it should be able to represent two competitors in a business without being obliged to tell one what the other is doing.

What the hell are they smoking in B.C.? The Supreme Court is effectively instructing the vulnerable client to lie back and enjoy it. There is no obligation in words, and it's not because it would be silly to write down "thou shalt not rape your client," but simply because if we write it down, enterprising legal arbitrageurs will realise it's ok to rape as long as they do it using different words. It's for reasons like this that you have "reasonable man" tests - as when your Supreme Court judges are stoked up on the finest that B.C. can offer, we need something to bring them back to reality. It's for reasons like this we also have appeals courts.

In 2003, the B.C. Supreme Court heard the case but found no wrongdoing. Two years later, however, the B.C. Court of Appeal overturned that ruling, finding the lawyer and firm guilty.

Mr. Strother was ordered to pay back the $32-million he had made and Davis & Co. was ordered to return $7-million of the $9-million in fees to Mr. Cheikes and his partners.

The high-stakes case was appealed again and the Supreme Court of Canada has granted leave to appeal, probably in October.

To be fair, this article was written from one side. I'd love to hear the case for the law firm! I'd also love to hear what people in BC think about that - is that a law firm you'd go to? What does a client of that law firm think when she reads about the case over his sunday morning coffee?

When they cross the line...

One way to tell when they cross the line is to watch the comics and jokes circuit. Here's another one:

Original source is RollCall.com, so tap their phones, not mine.

Seriously though, the reason this scandal has "legs" is because the Democrats' hands are clean. In previous scandals, it seems that the dirt was evenly spread across the political dipole. This time, the Dems have one they can get their teeth into and not look silly.

This Modern World - First they say they don't collect that data....

I wrote before:

First, they say they don't collect the data. Then they say they don't use it, except for engineering purposes. Then, they say that there are safeguards. Then, they say they don't supply it outside the company. Then, they sell it.

Then, they just make it up. It takes less than 10 years across the full life-cycle from total privacy to total piracy, and telcos have had a decade or two, already. Governments aren't any help.

Click to see today's interpretation!

From Tom Tomorrow's This Modern World, posted on cryptography by Ben Pfaff.

US and EU cooperating on phone tracking

By now, all know about Plamegate, the Valerie Plame affair. It seems that the White House leaked information in order to suppress an alternate view to the approved intelligence story. As they leaked actual intelligence information to do this, the various leakers - Libby, Rove, and potentially Cheney - are under investigation and at least the first, Libby, has been charged (or something - I don't follow that circus in detail).

Now (following on from prior posts) comes news that many journalists are being tracked over phone calls to trace where the information leaks are coming from:

A senior federal law enforcement official tells ABC News the government is tracking the phone numbers we (Brian Ross and Richard Esposito) call in an effort to root out confidential sources. "It's time for you to get some new cell phones, quick," the source told us in an in-person conversation.

ABC News does not know how the government determined who we are calling, or whether our phone records were provided to the government as part of the recently-disclosed NSA collection of domestic phone calls.

Other sources have told us that phone calls and contacts by reporters for ABC News, along with the New York Times and the Washington Post, are being examined as part of a widespread CIA leak investigation. One former official was asked to sign a document stating he was not a confidential source for New York Times reporter James Risen.

Is it true? Or just journalists doing what they do best - hyperventilating? I don't know, but if we read the acerbic comments far enough past the calls to lynch all and sundry, we come across this one:

"You do realize people are being paid by the Bush administration to attack the press publically on comment pages like this. I personally was offered a job doing it."

If that's true, then the article is more or less confirmed. Find out what the Bush administration is paying to have suppressed or attacked, and that confirms it. You don't pay good money to attack something that isn't dangerous or is just false.

I hinted in an earlier blog entry that the phone records were being made available across the atlantic - but had no documentary evidence of that. Here's an article that speaks to that:

US authorities can get access to EU citizens' data on phone calls, sms' and emails, giving a recent EU data-retention law much wider-reaching consequences than first expected, reports Swedish daily Sydsvenskan.

So, the US and the EU are swapping phone calls, SMS and emails so as to chase terrorists? Sounds great, except it's not quite what is happening. The data is only going one way, from east to west.

What lopsided arrangement this is only time will tell, but it is indicative of the Wonderland politics going on at the moment. It will be I suspect a subject of many blog entries, newspaper reports and even books to speculate on what convinced EU politicians to give up Europe's fabled strong privacy regime and hand it over to the American intel, police, White House rumour control police, private investigators, credit reporting agencies, deadbeat dad chasers and other protectors of America's way of life.

Relevance for FC? Information is dangerous. Do not keep it, unless you need it. If you keep it, then expect someone to ask for it, and that then enters into your threat model.

I wonder if we are moving to a world where we deliberately cannot keep useful transaction, identity, personal and other sensitive data, simply because we can no longer figure out a system to protect it?

Shifting the Burden - legal tactics from the contracts world

Nick Szabo writes on how various legal devices such as promissary notes shift the burden from one party to another. The interesting question is whether such an approach applies to FC in general:

Another way creditors shift at most of the burden of lawsuit is by having the debtor sign a promissory note. The creditor can then sell the note to a third party who is entitled to collect the note as a holder in due course, free of most defenses to payment on the original contract. Freedom from most defenses (such as fraud, failure to perform, etc.) to the original transaction makes the debt owed by the debtor to the holder in due course very clear-cut, thus greatly lowering the burden of lawsuit for the new creditor. The original creditor benefited because it could sell this unburdened debt at a higher price than a debt burdened by legal problems with the original transaction.

...

At a more basic level, the burden of lawsuit is shifted by shifting actual control as well as legal possession over objects of value. "Possession is 9/10 of the law." To this end, security technology and in particular smart contracts will likely become very useful devices for shifting the burden of lawsuit in commercial transactions.

Curiously, I came across such a case of contract burden shifting a month or two back. It seems that some certificate authorities put their root keys under copyright protection. The real reason for this -- apparently -- is that the relying party can then only use the root keys under licence. What is the licence? It is the CPS, or certificate practice statement.

This appears to close the loop. One of the many failings of the CA concept is that the CA purports to be serving the relying party, who is a member of the public. The CA does this by means that are codified in the CPS, which might take the place of an offer of contract. Unfortunately, the relying party has no concept of the CA, no knowledge of the CPS and probably wouldn't choose to be at this party if she was fully informed or formally invited.

Which causes some ruptions in the fabric of PKI. In this case, the CA in question advances the notion that intellectual property law brings the relying party into contact with the CPS. She is a party to the contract because it is under copyright and she has no licence otherwise.

I don't think one needs a law degree to see the speciousness in this - if she doesn't know she cannot be a party. Period. (Recall recently well commented discussion on intent.) If she used and relied upon the certificate, then it is more likely that the CPS is not binding on her at all.

Separation of Roles - an example

Having created the five parties model for digital governance, one of the things that has persisted is the difficulty in getting this implemented. Some DGCs have adopted it completely, more or less (goldmoney and Pecunix rise to mind), others only partially (e-gold for example only did parts of the physical metal side, and even that has fallen fallow) and yet others not at all. We don't mention the ones that do not ... at least in a governance post ... because it is hard to comment on their lack of governance.

So why is it so difficult to convince issuers of value to implement governance? Partly it is because the issuers of new value all hail from beyond the traditional accounting and banking spheres, so they simply don't know what's awaiting them. And, it is more information than people care to absorb, especially when the focus is on the customer's short term needs, not the defence against some hypothetical attacker. Partly of course, it is because it is not well explained.

(I think the model is really simple! The Issuer creates a new role called the Mint/co-signatory who is responsible for changes in the total value of issue. Another role created is the manager, who takes that day-to-day value increase and decrease and manages it. This means the Issuer never gets his hands dirty. The Operator runs the systems, and never does numbers, so his hands are clean, too. Finally, the User is the 5th party. She monitors all, leading to the need for open governance.)

One of the fundamentals is the centuries-old tradition of separation of roles. Here's an example of what goes wrong, talking about how 'Apparent authority' doctrine complicates credit card liability. An accounting manager went on a spending spree with her company credit card. She ordered the card, she paid the bills. When the gig was up ... $133k later ... the company argued that it gave no authority for this:

When Kathy's fraud was finally discovered, the company sued American Express, the card issuer, seeking a refund of everything it had paid over $50. But American Express (which has had considerable experience with this sort of thing) resisted, arguing apparent authority.

The company responded: "Nonsense. We never said anything or did anything to make American Express think Kathy had authority to use our card for personal purchases. Heck, we didn't even know she had a card. She ordered it herself."

But American Express prevailed, convincing the court that allowing Kathy to pay the credit card bill every month over a long period of time was enough to create apparent authority in Kathy to use the card.

Right, and that makes some sort of sense. Intiutively, the company is responsible for its employees, more or less. We can't go sticking it to the bank just because we weren't watching what was going on. But what was the one specific thing the company should have done? Here:

There are many lessons to be learned here, but the one that leaps to mind is: Don't let the same employee review the company's credit card statements and also write the checks to pay them.

Precisely. Separation of roles. There should always be at least two people responsible for controlling some asset - in this case the ability to order credit cards, run them up and pay them off.

Just how far you go with this depends on the circumstances - security should be proportional to risk. In the five parties model (5PM), I suggest that you start off with the Mint being controlled by the same person as the Operator. And the Issuer can be the Manager. That's because this is how it falls out in operational terms ... Later on as the risk grows, the security needs grow, so the Issuer needs to look at expanding the number of parties from 3 to 5. And beyond, as each of those parties simply divide internally.

But, if you do none of these things - if you implement no separation of roles, no 5PM, no governance at all - then history tells us what happens. One day, as Issuer, you'll be looking for someone to blame, and it might come as a shock to discover it is yourself.

Court rules email addresses are not signatures, and signs death warrant for Digital Signatures.

Daniel points to the Register:

The High Court in Manchester has ruled that an email cannot be recognised as a legal written offer if it does not contain a signature or name within the body of the mail. The inclusion of a user name in the message header is not enough.

Judge Pelling ruled that the automatic inclusion of an email address is not enough to count as a signature.

Yes, that makes sense. The email address is like a letterhead. It itself it doesn't make for more than a mild indication as to where it was supposed to have come from.

In this particular case, it seems that one party sent the other an email offering a personal guaruntee. But as Judge Pelling wrote in his ruling:

9. Section 4 of the Statute of Frauds provides that "no action shall be brought ... whereby to charge the defendant upon any special promise to answer for the debt default or miscarriage of another person ... unless the agreement upon which such action shall be brought or some memorandum or note thereof shall be in writing and signed by the party to be charged therewith or some other person thereunto by him lawfully authorised ". It follows that:

9.1. The agreement in question must be in writing or, if the agreement is made orally, there must be a memorandum or note evidencing the oral agreement; and

9.2. The agreement or memorandum must be signed by either

9.2.1. The guarantor, or

9.2.2. Someone authorised by the guarantor to sign the agreement or memorandum on his behalf.

The effect of a non compliance with Section 4 is that the contract is unenforceable.

[FC Editorial note. I shall break with normal tradition and only use indenting to highlight the quoted words.] Right. So the question at hand is whether the email was signed. If not, the statute does not apply (although Judge Pelling was careful to write that other issues probably did apply quite happily). And here we get to the crux:

19. As well know to anyone who uses email on a regular basis, What is relied upon is not inserted by the sender of the email in any active sense. It is inserted automatically. My knowledge of the technicalities of email is not sufficiently detailed to enable me to know whether it is inserted by the ISP with whom the sender or the recipient has his email account. ...

Which is pretty well spot on, including the apropos injection of user confusion. The email address is inserted automatically by an agent of uncertain pedigree. Citing an 1892 precedent:

25. It was this argument that succeeded. Cave J, said:

"I am of opinion that the principle to be derived from the decisions is this. In the first place, there must be a memorandum of a contract, not merely a memorandum of a proposal; and secondly, there must be in the memorandum, somewhere or other, the name of the party to be charged, signed by him or by his authorized agent. Whether the name occurs in the body of the memorandum, or at the beginning, or at the end, if it is intended for a signature there is a memorandum of the agreement within the meaning of the statute. " [Emphasis supplied]

As was emphasised by Cave J, the appearance of the name of the party to be bound must be "intended for a signature ". It is noteworthy that that this case was cited to the House of Lords in Elpis Maritime but was not disapproved by Lord Brandon. I do not think it can be said (and, in any event, there is no evidence) that either Mr Mehta's employee or the ISP either sending or receiving the e mail intended Mr Mehta's e mail address to be a signature in the sense identified above.

A name is only a signature if it is intended to be a signature, which goes right to the core of contract law. The signature exists as evidence of intent, and it is not the signature itself that is key, but the intent.

What then could make for a good signature, conceivably for this new invention of the typed email? Presumably in order to bolster his logic, Judge Pelling then proceeds to speculate on this question. He cites Lord Chelmsford C:

... It must be inserted in the writing in such a manner as to have the effect of "authenticating the instrument" or "so as to govern the whole instrument" ... The name of the party, and its application to the whole of the instrument, can alone satisfy the requisites of a signature. ...

and Lord Westbury:

" ... be so placed as to show that it was intended to relate and refer to, and that in fact it does relate and refer to, every part of the instrument. ... It must govern every part of the instrument. It must shew that every part of the instrument emanates from the individual so signing, and that the signature was intended to have that effect. It follows that if a signature be found in an instrument incidentally only, or having relation and reference only to a portion of the instrument, the signature cannot have legal effect and force which it must have in order to comply with the statute, and to give authenticity to the whole of the memorandum, [Emphasis supplied]

Again, notice that it must cover the entire instrument, and it must intend to govern. It is that latter part that blows away most every so-called digital signature effort - the technology cannot and will not show intent. Digital signatures are not and never can be signatures, alone.

Judge Pelling then closes:

26. In the light of the dicta cited above, it seems to me that a party can sign a document for the purposes of Section 4 by using his full name or his last name prefixed by some or all of his initials or using his initials, and possibly by using a pseudonym or a combination of letters and numbers (as can happen for example with a Lloyds slip scratch), providing always that whatever was used was inserted into the document in order to give, and with the intention of giving, authenticity to it. Its inclusion must have been intended as a signature for these purposes. ...

A typed name at the bottom of an email may constitute a good signature, if I intend for it to be so. And as a logical consequence, a "digital signature" is not and cannot be a signature, by itself. It can only be a digital signature if the user intends it to be so, but then so can a typed name.

That might be bad news for all those suppliers of cryptographic signing blah blah out there as all of their theories were expressly intended to override any user intention in order to give recipient more reliability. Not so, says the court in Metha v. JPF. User intention cannot ever be overridden by mere theories, user intent must be shown according to the law and precedents of signatures.

Bad news for digital signature suppliers, but good news for the rest of the world - as we can now get back to using digital signatures for their cryptographic and evidentiary properties without having to trip over the bogus human signature argument.

---

Addendums.

• The US District Court agrees at least in practice if not in precedence.
• The SEC agrees that digital signatures are unauthorised at least when Penthouse secretaries do them ...
• The Estonian court ruled that documents may be filed even when sent by email with a digital signature...
• Why Non-repudiation itself is repudiated.
• One of the few cohesive uses of digital signatures in a Contract Signing form. Perhaps the only?

.

Why audits are so important

Jim points to this story Man clobbered with £126 trillion phone bill in El Reg:

Publican Jack Harding got the shock of his life when he received his monthly phone bill from BT demanding more than £616,000.

But if you think that's bad, spare a thought for Yahaya Wahab, a 63-year-old meat importer from Malaysia. He's just been sent a bill for 806 trillion Ringgit - about £126 trillion.

According to Malaysia's New Straits Times, he's been given 10 days to cough up or face legal action.

He told the paper: "If the company wants to seek legal action as mentioned in the letter, I'm ready to face it. In fact, I can't wait to face it." ®

Notary Publics to Cryptographers - keep yur grubby mits off!

I've often written about how certain words are stolen and misrepresented in the field of FC. One is non-repudiation, which continues to bedevil some architectures and policies where they haven't been informed of the impossibility. Another is trust, which is more often used as a marketing plus than an admission of fundamental weakness. Yet another -- we're on a roll here -- is digital signature, which Lynn euphemistically refers to as sometimes being foolishly confused with signatures made by humans (one example v. another).

Philipp pointed me to a 2001 American Notarization Association position paper complaining about the abuse of the term 'notary' by the tech industry.

A Position on Misleading Usage of Notary Terms in the Electronic Age

Notarization, Notary, and related terms are being co-opted by certain private companies and state legislatures and applied to processes that have nothing to do with valid, legally recognized notarization. These new processes either do not involve state-commissioned Notaries at all or they violate key principles involving trusted third parties, principles that form the bedrock of commerce and law.

The repercussions of this verbal misappropriation can be devastating to consumers because, believing they are receiving certain protections from a process misrepresented as notarization, they may instead find themselves victimized by loss of valuable personal and real property without the legal assurances offered by valid notarization.

Where I've complained about the term notary is in the OpenPGP forum where there are efforts (every 12 months or so) to bolster up the capability of that protocol to do notary stuff. My comments were quite simple - the meaning and application of the word is completely different between civil law and common law, so when you apply the term into an international, cross-jurisdictional cryptoprotocol such as OpenPGP, which were you referring to?

Such comments were nowhere near as informed as this document, which includes a very concise, clear definition of the process, at least in US terms:

Fundamental Components of Notarization

In order to fully appreciate the harm caused by misleading usage of the term notarization it is necessary to understand the fundamental components of a traditional notarial act. Briefly explained, there are five essential steps in an acknowledgment;2 acknowledgment is the notarial act most often used to authenticate documents of great monetary value:

* Personal Appearance: The document signer must appear in person before, and communicate with, the Notary Public, face to face, in the same room. Physical presence allows the Notary not only to identify the signer, but also to make observations and commonsense judgments that the individual appears willing and aware.

* Identification: The Notary must positively identify the document signer beyond a reasonable doubt, either through personal knowledge of the individual's identity, the sworn vouching of a personally known credible witness, or reliable identification documents.

* Acknowledgment by Signer: Personal appearance and identification are meaningless without a context, and it is the signer's active acknowledgment of a particular signature, document, and transaction that provides the context.

* Lack of Duress: Integral to the acknowledgment is the Notary's observation that the signer was not under duress or direct physical threat at the hands of a third party.

* Awareness: Essential as evidence of the signer's intent is the Notary's observation and judgment that the signer appears to be conscious and aware at the time of signing.

Hot Dang! Try doing that in a remote-parties cryptoprotocol with NIST-approved blah blah. I have to admit, I'm impressed by the quality of writing in this paper. It goes right for the jugular.

Corporate License

Increasingly, American corporations offering Public Key Infrastructure (PKI)3 management services have been using the terms Notary and notarization to describe their services. These processes typically involve the time-date stamping of text, and they amount to notarization only in the metaphorical sense. These services do not provide the assurances associated with official notarial acts by a state-commissioned Notary Public and, for that reason, they lack the legal authority of proper notarization, which is "... to provide prima facie evidence of the truth of the facts recited in the certificate and to establish the genuineness of the signatures attached to an instrument."

It is repeatedly asked in circles where crypto really matters what the form of statement your average CA is making. This paper points out one of the flaws in the process - a CA may well not have any legal authority to make the statements that it is purporting to make! Think the so-called digital signature laws might resolve this? Think again:

Governmental License

Another development is adding to the current state of confusion in the marketplace and it is potentially more harmful to the public than deceptive misuse of sensitive terms by corporate marketers; that is, poorly thought-out redefinition of notarial procedures by hasty lawmakers.

Names are named! Not only are the States various slammed for their laws, many commercial services are given a darn good slapping. Read the whole thing, if only to see how no-nonsense rejections of poorly thought-out marketing programmes can be written. We need more of these!

FraudWatch - Chip&Pin, a new tenner (USD10)

Chip&Pin in Britain measured a nearly full year of implementation (since February) and found fraud had dropped by 13%. They say that's good. Well, it's not bad but it is a far cry from the 80% figures that I recall being touted when they were pushing it through.

The Chip and Pin system cut plastic card fraud by 13% in 2005, according to the Association of Payment Clearing Services (Apacs). Losses due to the fraudulent use of credit and debit cards fell last year by £65m to £439m.

Most categories of fraudulent card use dropped, except for transactions over the phone, internet or by mail. Chip and Pin cards were introduced in 2004, with their use becoming required in shops from February this year.

The new type of card appears to have brought a decisive turnaround with fraud levels now back to the levels last seen in 2003. In 2004, as the new cards were being introduced, card fraud continued to shoot up, by 20%, costing banks and retailers more than half a billion pounds.

Sandra Quinn of Apacs hailed the impact of Chip and Pin, which has been rolled out to most of the UK retailing and banking industries since October 2003:

"Seeing card fraud losses come down is cast-iron proof that Chip and Pin is doing its job. Back in 2002 we forecast that fraud would have risen to £800m in 2005 if we didn't make the move to Chip and Pin so it's heartening to see total losses well beneath this figure" she said.

So maybe if we factor in such a prediction of 800m, down now to 439, we are seeing a drop of 45%. I'd say that according to GP they moved too late and ended up with an institutionalised fraud at a high and economic level. Clawing that back is going to take some doing.

And, also from PaymentNews, the US mint continues its sly dance to use other colours than green:

Security Features
The redesigned $10 note also retains three of the most important security features that were first introduced in the 1990s and are easy to check: color-shifting ink, watermark and security thread.

Color-Shifting Ink: Tilt your ten to check that the numeral "10" in the lower right-hand corner on the face of the note changes color from copper to green. The color shift is more dramatic on the redesigned notes, making it even easier for people to check their money.

Watermark: Hold your ten up to the light to see if a faint image of Treasury Secretary Alexander Hamilton appears to the right of his large portrait. It can be seen from both sides of the note. On the redesigned $10 note, a blank oval has been incorporated into the design to highlight the watermark's location.

Security Thread: Hold your ten up to the light and make sure there's a small strip embedded in the paper. The words "USA TEN" and a small flag are visible in tiny print. It runs vertically to the right of the portrait and can be seen from both sides of the note. This thread glows orange when held under ultraviolet light.

To protect our economy and your hard-earned money, the U.S. government expects to redesign its currency every seven to ten years.

Everything is good fun about that page, even the URL!

"doing the CA statement shuffle" and other dances

The much discussed CA branding model has apparently been adopted by Microsoft, implemented in the InfoCard system, if the presentation by Cameron and Jones is anything to go by. I reviewed and critiqued that presentation last week, including relevant screenshots.

Now, the statement as the core reason for the CA's existance is becoming more clearly accepted. It's something that got thrown out with the bath water back in 1995 or so, but it seems to be heading for something of a revival. Cameron and Jones say:

In many cases, all that having a standard site certificate guarantees is that someone was once able to respond to e-mail sent to that site. In contrast, a higher-value certificate is the certificate authority saying, in effect, “We stake our reputation on the fact that this is a reputable merchant and they are who they claim to be”.

I also found an RFC by Chokhani, et al, called Internet X.509 Public Key Infrastructure (RFC 3647) which throws more light on the statement:

3.1. Certificate Policy

When a certification authority issues a certificate, it is providing a statement to a certificate user (i.e., a relying party) that a particular public key is bound to the identity and/or other attributes of a particular entity (the certificate subject, which is usually also the subscriber). The extent to which the relying party should rely on that statement by the CA, however, needs to be assessed by the relying party or entity controlling or coordinating the way relying parties or relying party applications use certificates. Different certificates are issued following different practices and procedures, and may be suitable for different applications and/or purposes.

The CA's statement is that the the key is bound to attributes of an entity (including Identity). So we are all agreed that the cert has or is a statement of the CA saying something. But consider the caveat there that I emphasised: the authors have recognised that relying parties typically do not control or coordinate their use of certificates. There is typically an intermediate entity that takes responsibility for this. To the extent that this entity controls or coordinates the root list, they are in the driver's seat.

For browsing, this is the browser manufacturer, and thus the browser manufacturer is the relying party of ultimate responsibility. What this does is put browser manufacturers in a sticky position, whether they admit to it or not (and notice how you won't find any browser manufacturer clarifying who makes the statement from a manufacturered cert).

Microsoft's position may be weak in understanding and implementation, or maybe they know full well where this is going, and are implementing an intermediate step. Leaving that aside, it does leave the interesting question as to why they have only partially implemented the model. Not only does the high-assurance program prove the point that the CA has to be branded (thanks for that!) but it also confirms that the browser is on the hook for all the other certs in the other, default, poor man's certificate regime.

Either way, we are on the move again...

High Assurance - summary of the Due Diligence

Someone (who has requested anonymity) has been doing the research on at least some of the goings on in the "High Assurance" programme. It seems that GeoTrust/RSA/Identrus approached the ABA with the view to endorsing the programme for purpose of notarising documents -- GeoTrust's current strategic desires in e-notarisation. To this end, they are proposing signoff by bank and a lawyer (thus we see the Identrus and ABA involvement) as well as a site visit and a supplementary WebTrust audit to bring the accountants on side.

The documents are located on the ABAnet site (over on the lower right, in the Listserv box, there is a javascript popup called Cert Issuance Standards.) The meat of the proposal seems to be enhanced Due Diligence ("DD"). Here's a summary:

(a) Notarization of the signature on the Application for the High Assurance certificate: This establishes a face-to-face contact with a real person acting on behalf of the certificate applicant for the first time in the industry. A notary will also ask for and record a piece of reliable ID (e.g., a driver's license or passport) from the person signing the Application, which will be invaluable in tracking down a fraudster.

(b) Obtaining an attorney opinion letter confirming important Application information: An attorney opinion letter from the Applicant's counsel will verify critical pieces of identity information
that a public CA presently only assumes by inference, such as current corporate existence and actual authority of the person requesting the Certificate. The attorney opinion letter will also be the chief way by which public CAs can verify the legal right of an Applicant to use a trademark or logo, thereby helping to avoid commercial disputes. Verified trademarks and logos will likely be included inside TLS/SSL digital certificates in the near future for use in new applications, creating important new branding opportunities for businesses.

(c) Confirming that the Applicant is actively engaged in business (i.e., is a "real" business) by confirming that the Applicant maintains a bank account: Consumer surveys show the public does not want to do business or share information online with imaginary business entities or shell corporations that have no real-world business existence. The High Assurance vetting process confirms that the Applicant maintains a banking relationship with a financial institution, which not only provides solid evidence of ongoing business activity but also provides an important additional confirmed point of contact in the event of a consumer complaint. Because financial institutions must follow stringent "know your customer" rules under federal regulations, they are likely to have extremely accurate information about the Applicant.

(d) Finally, verifying that a representative of the Applicant can be located at a confirmed physical location: Consumers have also indicated they want to be able to link a web site to a physical location where the site owner can actually be found, but no such testing is done by any CA for current SSL certificates. Public CAs today could even issue an organizational certificate to an Applicant listing a particular address, only to find out later (after online fraud) that the address is a vacant lot or an anonymous mailbox service and the web site owner has vanished. The High Assurance certificate is backed by a real-world site visit to the Applicant's address with recorded information to verify that a
representative of the Applicant can be found there, which establishes the final vital point of contact.

The good thing about DD processes is that if yours isn't working, there's always more you can throw into it. The bad thing is that this won't necessarily improve it.

There are several problems with the above, but probably the biggest issue is again how the big boys are doing the deals in the back rooms on their wish lists, and then expecting the net to swallow this as some sort of open consensus / rough working code. Those who are not represented in this process are the smaller CAs, the notaries, and all of the users; as suspected, my source informs me that there was no open call for wider industry participation, so some of the most obvious problems will go unaddressed until it is too late.

See also the competing proposal by the National Notary Association (in America) as written by the able Daniel Greenwood.

SSL phishing, Microsoft moves to brand, and nyms

fm points to Brian Krebs who documents an SSL-protected phishing attack. The cert was issued by Geotrust:

Now here's where it gets really interesting. The phishing site, which is still up at the time of this writing, is protected by a Secure Sockets Layer (SSL) encryption certificate issued by a division of the credit reporting bureau Equifax that is now part of a company called Geotrust. SSL is a technology designed to ensure that sensitive information transmitted online cannot be read by a third-party who may have access to the data stream while it is being transmitted. All legitimate banking sites use them, but it's pretty rare to see them on fraudulent sites.

(skipping details of certificate manufacturing...)

Once a user is on the site, he can view more information about the site's security and authenticity by clicking on the padlock located in the browser's address field. Doing so, I was able to see that the certificate was issued by Equifax Secure Global eBusiness CA-1. The certificate also contains a link to a page displaying a "ChoicePoint Unique Identifier" for more information on the issuee, which confirms that this certificate was issued to a company called Mountain America that is based in Salt Lake City (where the real Mountain America credit union is based.)

The site itself was closed down pretty quickly. For added spice beyond the normal, it also had a ChoicePoint unique Identifier in it! Over on SANS - something called the Internet Storm Center - Handler investigates why malware became a problem and chooses phishing. He has the Choicepoint story nailed:

I asked about the ChoicePoint information and whether it was used as verification and was surprised to learn that ChoicePoint wasn't a "source" of data for the transaction, but rather was a "recipient" of data from Equifax/GeoTrust. According to Equifax/GeoTrust, "as part of the provisioning process with QuickSSL, your business will be registered with ChoicePoint, the nation's leading provider of identification and credential verification services."

LOL... So now we know that the idea is to get everyone to believe in trusting trust and then sell them oodles of it. Quietly forgetting that the service was supposed to be about a little something called verification, something that can happen when there is no reason to defend the brand to the public.

Who would'a thunk it? In other news, I attended an informal briefing on Microsoft's internal security agenda recently. The encouraging news is that they are moving to put logos on the chrome of the browser, negotiate with CAs to get the logos into the certificates, and move the user into the cycle of security. Basically, Trustbar, into IE. Making the brand work. Solving the MITM in browsers.

There are lots of indicators that Microsoft is thinking about where to go. Their marketing department is moving to deflect attention with 10 Immutable Laws of Security:

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea

Immutable! I like that confidence, and so do the attackers. #9 is worth reading - as Microsoft are thinking very hard about identity these days. Now, on the surface, they may be thinking that if they can crack this nut about identity then they'll have a wonderful market ahead. But under the covers they are moving towards that which #9 conveniently leaves out - the key is the identity is the key, and its called psuedonymity, not anonymity. Rumour has it that Microsoft's Windows operating system is moving over to a psuedonymous base but there is little written about it.

There was lots of other good news, too, but it was an informal briefing, so I informally didn't recall all of it. Personally, to me, this means my battle against phishing is drawing to a close - others far better financed and more powerful are carrying on the charge. Which is good because there is no shortage of battles in the future.

To close, deliciously, from Brian (who now looks like he's been slashdotted):

I put a call in to the Geotrust folks. Ironically, a customer service representative said most of the company's managers are presently attending a security conference in Northern California put on by RSA Security, the company that pretty much wrote the book on SSL security and whose encryption algorithms power the whole process. When I hear back from Geotrust, I'll update this post.

That's the company that also ditched SSL as a browsing security method, recently. At least they've still got the conference business.

US District Court uses digital signatures

Highlighting an order by Judge Collyer in the previous entry, we find her order duly signed:

ORDER As agreed by the parties in open court on January 13, 2006, it is hereby ORDERED that Suntrust Account Number 1000..... and Regions Bank Account Number 6709.... shall be unfrozen; however, the United States shall retain control of the funds previously seized from those accounts pursuant to the warrant issued by Magistrate Judge Facciola in Case No. 05-664 M-01 (JMF) on December 14, 2005. SO ORDERED. Date: January 13, 2006 /s/ ROSEMARY M. COLLYER United States District Judge

The digital signature appears on the paper as /s/.

Discuss.

G&SR / e-gold case in Washington DC court

The case against G&SR, operators of the e-gold payment system, has been filed in Washington DC courts. Here are some of the filings, apparently from the PACER system, which is a US Government site for court documents.

• Complaint
• Doc3
• Doc4
• Doc5
• Doc6
• Doc7

I've only briefly read parts, so far. The USG's case is based on the Money Transmitter Licensing requirement.

16. Title 18, United States Code, Section 1960 provides that: (a) Whoever knowingly conducts, controls, manages, supervises, directs, or owns all or part of an unlicensed money transmitting business, shall be fined in accordance with this title or imprisoned not more than 5 years, or both. (b) As used in this section (1) the term “unlicensed money transmitting business” means a money transmitting business which affects interstate or foreign commerce in any manner or degree and (A) is operated without an appropriate money transmitting license in a State where such operation is punishable as a misdemeanor or a felony under State law, whether or not the defendant knew that the operation was required to be licensed or that the operation was so punishable; (B) fails to comply with the money transmitting business registration requirements under section 5330 of title 31, United States Code, or regulations prescribed under such section; or (C) otherwise involves the transportation or transmission of funds that are known to the defendant to have been derived from a criminal offense or are intended to be used to promote or support unlawful activity; (c) the term “money transmitting” includes transferring funds on behalf of the public by any and all means including but not limited to transfers within this country or to locations abroad by wire, check, draft, facsimile, or courier.

Pretty broad writings! Apparently in response, G&SR published two letters, the second of which announces:

In an emergency hearing in US District Court January 13, 2006, the freeze order on G&SR's bank accounts was lifted. Though numerous criminal claims had been made in obtaining the search and seizure warrants, the Government has not sustained these allegations and the only remaining claim is a contention that G&SR has operated as a currency exchange without the proper license. G&SR had previously proposed to the Government that e-gold be classified for regulatory purposes as a currency, enabling G&SR to register as a currency exchange. In a Treasury report released January 11, 2006, however, the Department of Treasury reaffirmed their interpretation of the USC and CFR definitions of currency as excluding e-gold.

So G&SR would then agree that the case turns on whether they are a money transmitter or not, and they make this case more forcefully in Document 4 before the judge. However it is becoming clear that G&SR have been less than forthcoming, and have not advised their customers of the true position. Document 4 in the above list says:

ORDER

As agreed by the parties in open court on January 13, 2006, it is hereby ORDERED that Suntrust Account Number 1000..... and Regions Bank Account Number 6709.... shall be unfrozen; however, the United States shall retain control of the funds previously seized from those accounts pursuant to the warrant issued by Magistrate Judge Facciola in Case No. 05-664 M-01 (JMF) on December 14, 2005.

SO ORDERED.

Date: January 13, 2006

/s/ ROSEMARY M. COLLYER United States District Judge

(Sidenote of FC interest - I've created a good facsimile of Judge Collyer's signature. It is literally typed in as /s/ in the PDF. Whether it is a digital signature or not turns then on whether they still use mechanical typewriters in the District courts!)

No mention of the third bank account by the judge. And no mention by G&SR that their (accounts oops) funds remain under USG control and have been so since 14th December! (Which effectively means that G&SR is under control of the government. Oops, I grant this is no longer sustainable.)

In the earlier 6th Jan letter from Dr Jackson, he wrote:

There were other direct interventions as well that I am not yet at liberty to discuss that nearly crippled OmniPay's ability to honor its obligations to and on behalf of users.

So we now have pretty clear indications that a lot is going on. Whether G&SR have been advised or instructed to keep mum is unclear (and I'm skeptical, especially given the content and tones of the letters). But at the least it makes it rather difficult to carry on business, a point G&SR makes in Document 3. Is G&SR able to deliver on its business undertaking? If it is unable to control its funds under seizure or make any statements adverse or otherwise as to its credit position, then what form of exchange can they reliably do?

And what about e-gold in all this?

For those wondering what the fuss is all about, a few brief remarks of explanation. e-gold, the payment system, is one of the more successful ventrures in the field. It independently re-developed and championed the centuries old approach of escrow of value as epitomised by the gold bars held in vaults. This tool makes a pretty fair stab at establishing a base of governance for issuance of digital currency.

In the late 90s, e-gold made several moves designed to improve the standard of governance - moves that I had a lot to do with through my involvement approximately mid 1998 - mid 2000. Firstly, a co-signatory to the metal was created. Secondly, all physical assets were progressively migrated out of the filing cabinet and into secure vaults at repositories. Until this was done, the substantial part of the value was in "Macotta Delivery Orders" which were directly signable by Dr Jackson. These changes gave a separation of roles aspect that formed two of the parties in my five parties model, the independent vault and the co-signatory. To be fair, Dr Jackson had already understood the importance of the fifth party - the public - in governance by inventing his Examiner page to show his claims of the bars and metal under management.

In addition to protection of the gold, I also considered it essential to protect the digital issuance in a like 5PM system. e-gold only started on this process, before getting sidetracked on what could be stated loosely as "offshore strategies". Although the digital systems should have been placed under independent control, they remained in-house. Although an independent Mint role for creation of new digital float should have been done, I have never heard of it being so.

And the entire payment system should have separated from the risky business of exchange operations. Instead, e-gold Ltd was formed in Nevis, and gold was transferred under dubious legal circumstances to Trusts in Bermuda - completely at odds with the user agreement at the time. Notwithstanding all this legal manouvering, the substance of e-gold remained firmly in-house, in Florida, and firmly under control of Dr Jackson.

If e-gold had solidly and strongly separated itself from the highly lucrative exchange business - deliberately left where the market was in the USA - then G&SR could have disappeared and e-gold would have carried on. Now however, wherefor goes G&SR, there too follows e-gold. To all intents and purposes, they are both likely locked in a deadly embrace with the USG.

DigSig News - Notaries apply for an old Franchise, Colorado does PK with BRNs, old anecdote

MIT and the National Notary Association released a white paper on how to use notaries and cryptographic digital signatures (a.k.a. digsigs). The press release is a curious throwback to a decade ago where organisations aspirated deeply and warned that unless something was done immediately, fire, flood and pestilance was sure to strike eommerce.

Many paper-based transactions, from real estate conveyances to international adoptions to last wills and testaments, are notarized in order to prevent, detect and prosecute fraud. As government agencies and industry move toward a complete paperless workflow, electronic documents will need to receive the same level of security as their paper counterparts. However, Greenwood warns that laws and regulations to guide Notaries in the performance of electronic notarizations are lacking and must be immediately addressed to ensure the protection of property rights in the 21st century.

"Those who regulate Notaries Public would be derelict in their duty if they failed to effect the rule-making necessary to transition to a reliable system of e-notarization," Greenwood writes. "Failing to exercise oversight and control in this area would be akin to failing to provide and enforce safety rules for hydrogen or hybrid cars because the new technology is different from the old."

Cryptographic digsigs can work fine as indicators of human intent without laws, without notaries, and without fuss, once you get into the core of the application. On the other hand, a law put in place can set us back a decade or more. One of the reasons why we do not see digsigs used more often is because of the early franchise-building Utah models that were popularised in the mid 90s.

To my knowledge, courts and lawyers have this all wrapped up as they know that a signature is an indicator of intent, and the intent rules, not the mark. Efforts to regulate this long-known legal principle are therefore likely no more than franchise building, and should be summarily rejected for what they are.

Luckily the PDF that Daniel Greenwood wrote is far more clear on what a digital signature can be. Here's one fascinating snippet:

The state of Colorado has pioneered a simple but effective solution to enable state regulation of electronic notarization.26 It is called the Document Authentication Number, or DAN, and works like this:

In Colorado, this is an eleven-digit accounting number issued to each notary by the Secretary of State's accounting system. This number can be accessed and referenced by anybody. Like a white pages entry, it is unique but publicly accessible identification. The number will be searchable online to verify a notary's name, commission number, commission expiration date and other important information.

Second, each notary is issued multiple random numbers generated by the Secretary of State, who keeps a copy of each such number. Unlike the first number, these are kept confidential. They should be secured, just as is the notary's seal for paper-and-ink notarizations. One of these random, confidential numbers is used by the notary to ``brand'' every discrete eNotarization. The notary also has, associated with each confidential number, the relevant data that appears on the respective official seal, such as name, title, jurisdiction and commission expiration date. When used together, the Document Authentication Number and a randomly generated number assigned by the Secretary of State constitute the notary's electronic signature for a particular notarization.

In order to execute an eNotarization, the Colorado notary would simply affix to the electronic document both the private and public numbers, along with the pertinent commission information. This could be done by manually ``copying and pasting'' the data from a document or spreadsheet or through easy-to-use software. Thereby, the notary has tied the document to the electronic notary signature. In effect, an electronic notarization has occurred.

Nice! Public / private digital signatures with just a bunch of big random numbers (BRNs). That shows extraordinary flair by Colorado, and one wonders how they managed to slip that one past all the franchise builders, cryptography guildsmen and other worryworts.

I was reminded the other night of an anecdote about digsig laws. Some years ago, I was asked to (informally) advise a small nation on digital signatures. I read the two page draft law, and said, that's fine, but you don't need that, and here's why... (Insert blah blah here as above.)

It was then explained to me that the purpose of the law was not to regulate digital signatures, but to fill the spot, as a certain other friendly but elderly country of masculine sibling nature was pushing to put in place a regime of another sort. This action was recognised as a complete agenda push by the helpful elder sibling, and therefore a defensive action was needed: "we already have a digsig law, thanks, we don't need yours."

At which point I then understood. Fine, put in place your digsig laws, but stick to the tiny model: a digital signature should not be rejected by courts solely on the basis that it is a digital signature. End of story. Meanwhile, let the private sector get on with working out how to do this.

Szabo on the Contract v. the Note

It has often been to my regret that a fuller treatment of contracts as the keystone to financial cryptography has been beyond me. But not beyond Nick Szabo, who posts on a crucial case in the development of the negotiable instrument as a contract of money. He suggests two key differences:

Negotiable instruments – checks, bank notes, and so on – are promises to pay or orders with an implied promise to pay, and are thus contracts. But they differ from contracts in two important ways. First is the idea of “merger.” Normally, a contract right is an abstraction that is located nowhere in particular but belongs to a party to the contract or to a person to whom that party has assigned that right. Possessing a copy of a normal contract has nothing to do with who has rights under that contract. But in a negotiable instrument, the contract right is “merged” into the document. Assignment of that right takes place simply by transferring the document (in the case of a bearer instrument) or by indorsing (signing) and transferring it.

The second big way negotiable instruments differ from contracts is the “good faith purchaser” or “holder in due course” rule which is illustrated by Miller v. Race. In a normal sale of goods under common law, the new owner’s title to the goods is at risk to the contractual defenses of a prior owner. ...

In short, with a normal contract, even once assigned - sold - to new parties, there are defences to get it back. Yet in the case of Miller v. Race in the halcyon days of London's note banking, Lord Mansfield declared in 1758:

A bank-note is constantly and universally, both at home and abroad, treated as money, as cash; and paid and received, as cash; and it is necessary, for the purposes of commerce, that their currency should be established and secured.

It is these instruments that we commonly issue on the net. Although issuers sometimes have the technical capability to return them, subject to some good case, they often declare in effect that they are indeed negotiable instruments and the current holder is "holder in due course." Especially, the digital golds and the digital cashes have so declared, to their benefit of much lower costs. Those that aren't so resolved - the Paypals of the world - inflict much higher fees on their users.

Remittances - the bane of the Anti-Money Laundering Authorities

Adam points to Ethan's musings on the dire need to move many small payments across borders. It's a good analysis, he gets it right.

Remittances has been huge business for a long time. However it didn't burst onto the international agenda until 9/11 when it was suggested that some of the money was moved using Hawala. Whether that was found to be true or not I never heard - certainly most of it was sent through the classical banking channels. Not that it made any difference; even the Congressional committee remarked that the amounts neeeded for 9/11 were too small easily trace.

No matter, suddenly everyone was talking about remittances. The immediate knee-jerk reaction was to shut down the Hawalas. Of course, this got a huge cheer from anti-immigrant interests, and Western Union, who provides the same service at about 5 times the cost.

Unfortunately, shutting them down was never going to work. Remittances is such a large part of the economy it has to be recognised. The effect is so large, it is the economy in some senses and places. (I recall Ecuador numbers its exports as oil, remittances, and fruit, in some or other order. Other countries do something similar, without the oil.) Africa Unchained reports:

According to a recent report (Migrations and Development) by the International Development Select Committee (UK), over $300 Billion was sent from developed to developing countries in 2003 by diasporas living in the developed countries. Global remittance, the report maintains is growing faster than official development assistance from the developed countries, also global remittance is the second largest source of external funding for developing countries, behind Foreign Direct Investment (FDI), and also accounts for as much as 27% of the GDP for some African countries.

But these economies and their remittances will always now be cursed by the need to give lip service to the anti-money-laundering (AML) people. Of course money laundering (ML) will go on through those channels, but whether it is more or less than through other channels, and whether it is likely to be more obvious than not is open to question. From what I can tell, ML would be hard to hide in those systems because of the very cautious but "informal" security systems in place, and no operator wants the attention any more.

What is not open to question is that the attention of AML will dramatically increase the costs of remittances. Consider adding a 2% burden to the cost of remittances, which is easy given the cost disparity between the cheaper forms and Western Union. If remittances happens to generate half of the cash of a country, then the AML people have just added a whole percentage point of drag to the economy of an entire underdeveloped nation.

Gee, thanks guys! And there is another insidious development going on here, which is also mentioned above:

Hundreds of creative efforts are underway across the developing world to solve these problems with remittance. To address safety issues, MoneyGram is offering delivery services of money transfers in the Phillipines, bringing money to your door instead of forcing you to come and collect your funds from an office in town. Alternatively, if your recipient has an ATM card, they will transfer the deposit to her account. A new remittance strategy - goods and service remittance - addresses the safety, cost and misuse issues simultaneously. Instead of sending money home, make a purchase from a store or website in the US or Europe, and powdered milk, cans of corned beef or a live goat is delivered to your relatives. Manuel Orozco, an economist with the IADB, estimates that as much as 10% of all remittance happens via goods and services.

Mama Mike’s - a pioneer in goods remittance - offers online shoppers the ability to buy supermarket vouchers and mobile phone airtime for relatives in Kenya and Uganda, as well as more conventional gifts like flowers and cards. SuperPlus, Jamaica’s largest supermarket chain, goes even further, allowing online shoppers to fill a shopping card for their relatives and arrange for them to pick up the order in one of the SuperPlus stores around the country. SuperPlus is a partner with both Western Union and MoneyGram and has been promoting its supermarket remittance service through Western Union and MoneyGram stores in New York City, home to a large Jamaican diaspora. Goods remittance services generally don’t charge a fee, making their profit off goods sales instead.

Spot it? The ones who benefit most from the push for AML are the large transnational corporations that come in and provide a "creative effort." They get a free pass, and help from authorities because they say all the right words. Today's pop quiz: is Western Union is more likely to stop ML than informal methods of remittances? Would Western Union be able to close down any troublesome competitor with the right noises?

Depending on your answers, it's either the noble fight, or just another traumatic security agenda being captured and turned into a _barrier to entry_ to squeeze the small guys out of a very lucrative business.

Exploit Feeds - a public service or a commodity with a price?

Ben discusses the monetary conflicts behind disclosure entities like CERT, NISCC and Tipping Point. Several of these acquire exploits for free and ship them off to favoured friends according to some metric which isn't clear - and may not be "fair" whatever that means. Guess who these are? The non-profit ones. In contrast, the profit seekers simply pay for exploits and sell the information to their subscribers.

So, what’s wrong with this picture? Well, my original objection to CERT and NISCC was that they obviously have to choose who gets the early announcements, and there’s no fair way to do that. Even worse, if you’re going to claim to protect criticial infrastructure, then you have to include the vendors who supply that infrastructure. Of course, these vendors then get to exploit that information commercially - it gives them an edge on their competitors. And since you don’t get to supply criticial infrastructure unless you are huge, this creates an artificial bias towards huge companies.

Shades of Sony root kits, shades of Diamond Governance. Is paying for exploit information better than the alternate? I think it is for these reasons - it is objective, and it is available on non-discriminatory grounds. If you have a need, then pay to have that need met.

However, that's not the worst of it, and this is what became clear to me last night. What's worse is that many of those subscribed to these early announcement services have an interest in using these exploits. In the case of the CERT/NISCC model it will be the military and TLAs that will be in the market for useful exploits. Of course, they will still have access in the commercial cases, perhaps even at reduced rates (never hurts to keep the government happy, right?) - but worse still, commercialisation of the exploit market gives easy access to criminals (I’m sure that some do even in the CERT/NISCC model, but it must be harder to get that than by simply forking out money).

Once again, the commercial model wins, I suspect. Why? Because we know who is getting it to some extent, as the seller will perform some level of due diligence, starting with the top customers. OTOH, the CERT-like supplier of exploits will be all tangled up in other non-objective models, and won't be easily able to figure out who's using it for nefarious purposes.

Open governance could solve this fairly easily by just revealing who is on the list and at what delay. Then, the rest of us could watch for correlations between early exploit usage and those who were told in advance. That's my call, at least; but Ben promises more comments later on this.

Arbitration Arises on the net

Daniel points to the arisal of 'Robot agents' to manage arbitration proceedings:

"Robot agents digest all the information and make proposals to the parties. Once the arbitrator is agreed upon, the robot agent finds a suitable meeting date for everybody," said Jacques Gouimenou, managing director of Tiga Technologies, the company behind e-Dispute, speaking with ElectricNews.Net. "Our system reduces delays and costs. It is also very secure."

As far as I can tell from the article, the author got it wrong as the agent does not do the arbitration itself. What the robot does is to automate or facilitate the case management process in an arbitration, which includes for example selecting the arbitrator. Once that is done, the arbitrator takes charge. Certainly a valuable service, but it should be borne in mind that it is unlikely that a robot could ever arbitrate human disputes (c.f., smart contracts).

Some other quick scattered but old notes. Arbitration is starting to make its mark in small dispute resolution over the net. See The Cheese Dreams case and also WikiPedia's Arbitration Committee.

In IP news a while back, Google won a typosquatting case (link lost) in the arbitration forums. What's news here is the appropriateness of using Arbitration for Internet disputes - see the use by WebMoney which has extended the basic model that was written but never used by e-gold.

Daniel also wrote a while back:

... the most popular russian auction site at http://www.molotok.ru/ which is somewhat affiliated with WebMoney (they use the same arbitration service run by WM). PayPal/eBay refuse to do business in Russia because of the high levels of fraud and the slow and largely ineffective court system. WM's design is sound enough to accomodate for all that; their fraud levels are actually lower than those in PayPal (for obvious reasons; from a technical point of view, WM is far more secure). I'm wondering how money@mail.ru is hoping to survive with their password-based security and no arbitration service.

easy call #1 - USG to maintain control of Internet

Well, that was easy! I mentioned in my 2006 predictions that the USG controls enough of the Internet to have it's way, and it won't give that up. Now the administration has come out and defined its policy in definite terms, an unusually forthright step.

U.S. Principles on the Internet's Domain Name and Addressing System The United States Government intends to preserve the security and stability of the Internet's Domain Name and Addressing System (DNS). Given the Internet's importance to the world's economy, it is essential that the underlying DNS of the Internet remain stable and secure. As such, the United States is committed to taking no action that would have the potential to adversely impact the effective and efficient operation of the DNS and will therefore maintain its historic role in authorizing changes or modifications to the authoritative root zone file.

Etc, etc. Read the Register's commentary to see more background on who is suggesting otherwise. Curiously though, they missed one issue when they said that the US would let other countries run their own ccTLD domains. That's not what it said at all. Rather, the US has said that it recognises the other countries' interests while retaining the controlling role. (Icann falls into line.)

Why was this an easy call? The style of the current administration might be blamed by many, but the underlying issue is that this is the make-up of Washington policy and practice, going back decades or even centuries. The Internet will not be let go. The only thing that will shake this intent is complete and utter collapse of the USG, something pretty unlikely, really, regardless of what the conspiracy buffs over at IcannWatch think.

(For those looking for more meat, there was a Cook report on this about a decade ago. Also, see the snapshot of Internet Governance forces from a decade back in the GP4.3 case study on phishing. See also the Register on .al ccTLD.)

Open governance, bicycle helmets and certifying authorities

Over on "old thing new thing" a blogger asks whether users would know the difference between one bicycle helmet certifying authority from another.

Microsoft should allow orgs that are peers of WHQL [to] certify drivers and allow drivers to obtain certs from any such org or set of such orgs as they choose. Over time users would know which orgs were on the ball and which had agendas.

Would they?

Yes, they would. But not through the mechanism that was described.

In any market there are 90% of the people who know next to nothing about it. That's the "buy bicycle helmet with XXX certification" crowd as described in the post. These people rely on the 9% who do know.

The 9% who do know are those who are more interested amateurs and less interested insiders. This group knows about all gossip and chitchat and what is good and what is bad and who is on the up and who is on the skids. This group is the one that warns everyone when a particular standard or organisation is "not good" and others are "good."

Then there is the 0.9% who actually really truley know. They understand the field, in depth. These are the ones who make the determination that certain things are not good, and they write long and detailed arguments on the problem. Rants. They scan looking for facts and events and what-have-you and integrate them into the ongoing argument. They debate back and forth with their opponents until a consensus is achieved.

Finally, this small group of critics pass the results on to the 9% who spread it more broadly.

(The remaining 0.09% are the people who actually discover and predict the failures before anyone else ... but nobody listens to them until enough evidence has accumulated. These are the crazies who are eventually proven right, but nobody remembers that part. When the questions are raised they are there in advance with the facts and stories for the 0.9% to debate and put into a more accessible format. We don't like to admit this group exists, and we'd never credit them with influence.)

This is called open governance. It happens when regulators are not present. It works in the unregulated currency field. And it will probably work with Certification Authorities, but only if the browsers step aside from the judgment game and put the name of the CA on the chrome.

Only when the users have reason to ask the 9% what Verisign means, will the 9% ask the 0.9%. (Etc.) But it has to happen in a "pull" fashion, there has to be a question to ask before any debate on governance can start.

Non-profits and Fraud - case #1

I took a lot of flak from the Diamond Governance story, so it behoves to move forward and make the point more clearly. The essential point is that there are less interested stakeholders in non-profits, and therefore governance likely needs to be stronger.

Another way of putting it is that if fraud is your thing, non-profits are fertile territory. Or if you think non-profits mean trust, you are fertile territory.

Why this is will take more than a blog entry to write up, and as Jean points out there is lots of study in governance for non-profits. However, I'm aware of a bunch of fraud patterns, and I'll post those for when I see them. Here's one I've been aware of for a couple of years. It is based on certain daft legal provisions, and would disappear in an instant if the law were changed.

The government sued AmeriDebt and Andris Pukke two years ago, seeking $172 million in damages.

Regulators accused the Germantown- based nonprofit of charging excessive and poorly disclosed fees to consumers seeking help managing their debt and then channeling millions to Pukke's for-profit company, DebtWorks.

AmeriDebt once was one of the nation's largest credit counselors but is now out of business.

AmeriDebt was a non-profit. That's because there is some stupid law that says that a non-profit can do debt consolidation and gain certain privileges over a for-profit firm in the same business. A subsidy, in other words. So, obviously at least in hindsight, a smart operator starts a non-profit, consolidates a lot of debt for a lot of stricken people, and then funnels the cash somewhere else. Here's some more hints:

As consumer debt skyrocketed over the past two decades, a new breed of credit counselor emerged, one that relied heavily on television advertising to promote its services and toll-free telephone lines to dispense advice, replacing the person-to-person consultations offered by older firms.

As more aggressive firms proliferated, so did consumer complaints, prompting the Internal Revenue Service to begin auditing 60 credit-counseling organizations, including AmeriDebt, in late 2003 to see if they were misusing their tax-exempt status to benefit their owners. Those audits continue.

"Non-profit" equals no taxes, no audits, no owners. Now fill it with cash and see what happens. Likely, I will take yet more flak for this. All I would ask is, do you believe that a non-profit is safe from fraud because it is doing good works?

e-gold under attack

Troubles come in threes for e-gold, the gold payment system that dominates the field (by transactions if not reserves). On the 19th of December, the G&SR offices in Melbourne, Florida, were apparently raided by the FBI and US Secret Service. At the beginning of that month, Nevis revealed that e-gold Ltd, the company that holds the accounts for all users and metals, was struck off some 2 years ago. Ouch! Now there is a BusinessWeek feature with not one, not two, but 5 articles on the subject, to be published this coming week:

Law enforcement officials worry that the little-known digital currency industry is becoming the money laundering machine of choice for cybercriminals. On the evening of Dec. 19, agents with the Federal Bureau of Investigation and Secret Service raided the Melbourne (Fla.) office of e-gold's parent company, Gold & Silver Reserve Inc., and the nearby home of its founder, Douglas L. Jackson. Agents copied documents and computer files, but so far no charges have been brought. The Secret Service and the FBI declined to comment on the raid. Jackson has denied any wrongdoing, though the raid isn't the first indication that federal investigators view e-gold as a magnet for online misdeeds. The FBI separately is pursuing about a dozen probes in which e-gold appears as a "common denominator," a senior agent says.

(The above was copied from here but BW has now opened up the article to the public. See also a related story on WebMoney.)

My conclusion - the BW spread is a hatchet job. Reading between the lines, they had access to the federales' material to the extent that they published this article about the raid before anyone else was in the know, and to this day, some 2 weeks later, it is not formally confirmed. They were told from on high what the message would be, and the questions asked of people and the articles' focus point in that direction (disclosure: I was asked some of those questions and did not respond). Read it with that in mind.

Notwithstanding that, this "correction" has been a long time coming. October 1999, as it happens, when the first scams started to use the e-gold system. Then (more disclosure!) I was engaged in a 6 month long effort to craft a way forward in the light of this surprise customer, the Ponzi scheme.

We started off by debating the right of adults to participate in games where they knew that the point was to scam each other. Make no mistake, the victims in Ponzi schemes are under no illusions where the gains come from and go. Who then is a payment system to police these adults, when these self-same adults are engaging in self-fraud? Furthermore, it is a matter of record that the SEC - the agency with primary responsibility for scams - does not properly regulate this patch.

This was a debate of much heat, and in the face of such arguments, I carefully constructed my input based on what it would do to the system. I took advice from legal and regulatory experts who knew the islands (Nevis, and Anguilla where I was living at that time) and considered the issue from the point of view of threats to the system - the e-gold system. My main point was that regardless of what we thought or moralised or policed, if the policy brought heat in on the system, it was a risk to the system. Therefore, I asserted, e-gold should shut down the scams as a risk to their own system. (As an aside, it was stated to me that the islands would simply strike the company off the registry, a prediction that was borne out!)

To their credit, e-gold did close down the first couple of scams and this is where the learning began. It was exceptionally costly to close them down and reverse all the payments. Probably too costly, and remember that it isn't the scammers that bear the cost of the massive reversal operation, but the other users.

I was therefore wrong with my original assessment and advice. The experience also put the lie to the notion that a payment system has to police its users, at least, all the users all the time, and something more subtle was called for.

e-gold then adopted a policy of treating all complaints as disputes and deferring to court orders. This was a stroke of genius to my mind although by then I was out of the loop. By outsourcing the customer complaint as a dispute resolution before courts, they actually managed to solve the costs problems that derive from frauds. (Ask how many customer support reps Paypal employs and you will see the light!) Also, this is more or less the same thing that the SEC and the other agencies do - they do not act without a complaint. And the SEC does not shut things down without a court order. So what's the difference?

Probably not much in terms of policy but likely more in the implementation. Did e-gold treat all complaints and court orders equally? Did they try to keep clear of the worst business, or did they turn a blind eye in the quest for transaction revenue?

Also, one other point, one which continues to bug me: e-gold reputedly never lifted a finger to make filing court orders easy for the small victims. There are plenty of stories about how people tried and failed.

Could they have done better? Oh, yes! They sponsored, attended and presented at not one but two conferences called LexCybernetoria, the second of which we held at Nevis shortly after these scams turned up. At these conferences, the emphasis was on low cost dispute resolution in an open governance world. Internet disputes for unregulated payment systems, in other words! Arbitration, as is written in the terms of service, and an intent to give the small guy access to fair systems.

What remains a mystery is why they did not adopt small arbitration model that was so talked about at the time. WebMoney went on to pioneer this very model in Russia, and it works for them.

How the Chinese avoided insider fraud for over a millenium - The Chinese Remainder Theorem

Guest poster Daniel Nagy writes me a human readable explanation of the Chinese Remainder Theorem. That's too valuable a thing to go unposted:

> > Yes, I can agree with that. Yet, it is important to formalize the
> > methodology. (e.g. the Chinese Remainder Theorem was used in ancient China
> > on the basis of experience for more than a millenium before it was exactly
> > formulated and proven.)
>
> Ha! I didn't know that. Yes.....

Hmm. The Chinese Number Theorem was the first use of number theory in security. The Chinese, unlike people in India, did not have a place value system, and did not have floating-point notation, like Babylonians/Greeks either.

However, they did trade in large quantities of stuff (bricks, pottery, etc.). When they shipped a large number of something to some other place, they would write down the remainders of several counts done in modular arithmetic, as divided by a number of small, relative prime numbers. E.g. 1,2,3,4,5,6,7, 1,2,3,4,5,6,7, 1,2,3,4,5,6,7, 1,2 would leave 2 as the remainder for 23 divided by 7. This could be done several times with different primes, like 13, 17, etc,etc.

Now, if all the remainders from the several counts matched, the total number must have matched as well and nothing was stolen. Since addition and subtraction work in this modular arithmetic, this was a very convenient way of accounting for large quantities. This method has the rather stunning benefit that the actual counting can be done by unskilled people, who are only able to count up to a small number.

The only drawback (when compared to place-value system used in India and later in the whole world) is that it does not preserve ordering: finding out which quantity is bigger and which one is smaller is difficult.

Written records (actually, archived letters accompanying shipments) with such counts have been found from as early as the third century A.D. The exact formulation was given by Qin Jiushao in his commentary to the classic book called Mathematics in Nine Chapters (or something like that -- my notes on number theory are in Hungarian), which (the commentary, not the book) was written in 1247 A.D. Nine Chapters is a classic text in Chinese math, similar to Elements by Euclid.

The statement of the theorem is that up to the product of all the moduli, the remainders are unique. Also, Qin Jiushao provided an algorithm for finding the number given the remainders. In his original example, he would make his two disciples measure the distance between his home and a river by holding hands and stepping together, one counting 23, the other counting 17. When they tell the results to their master, he can figure out the distance of three hundred-something steps.

And perhaps as a humorous footnote, consider this: the Chinese managed to get away with using this unproven mathematics in a security system for a millenium or so...

--
Daniel

Addendum: Nick comments and also points at a more mathematical treatment.

A new security metric?

I have a sort of draft paper on security metrics - things which I observe are positive in security projects. The idea is that I should be able to identify security projects, on the one hand, and on the other provide some useful tips on how to think past the press release. Another metric just leaped out and bit me from that same interview with Damien Miller:

Why did you increase the default size of new RSA/DSA keys generated by ssh-keygen from 1024 to 2048 bits?

Damien Miller: Firstly, increasing the default size of DSA keys was a mistake (my mistake, corrected in the next release) because unmodified DSA is limited by a 160-bit subgroup and SHA-1 hash, obviating the most of the benefit of using a larger overall key length, and because we don't accept modified DSA variants with this restriction removed. There are some new DSA standards on they way that use larger subgroups and longer hashes, which we could use once they are standardized and included in OpenSSL.

We increased the default RSA keysize because of recommendations by the NESSIE project and others to use RSA keys of at least 1536 bits in length. Because host and user keys generated now will likely be in use for several years we picked a longer and more conservative key length. Also, 2048 is a nice round (binary) number.

Spot it?

Here it is again in bold:

Damien Miller: Firstly, increasing the default size of DSA keys was a mistake (my mistake, corrected in the next release) because [some crypto blah blah]

A mistake! Admitted in public! Without even a sense of embarrassment! If that's not a sign that the security is more important than the perception then I don't know what is...

Still not convinced? When was the last time you ever heard anyone on the (opposing) PKI side admit a mistake?

GP4.1 - Growth and Fraud - Case #1 - Mutual Funds

As the final part of this rant-in-four-parts, I'd like to leave you with a view that this is of relatively broad significance, if it works at all (previous parts: GP1, GP2, GP3). I attempt this by putting it in context of several case studies, which are chosen for their breadth as well as their topicality. In each, I try and draw out some of the implications of the theory, but I do not especially state when GP is reached. Rather, that is left as an exercise for the reader.

First off, the mutual funds scandal, one of the bigger frauds of recent times. This fraud happened because managers were in control of assets, but were not compensated as to how those assets performed. Rather, they are compensated according to the total size of assets. So not only do they have no incentive to perform, they are incentivised to not do so in a big way. This classical agency problem is also at the core of the recent Refco collapse. Brief digression on Refco:

Refco were offering, so the scuttlebut went, a facility to lose a bad order on demand. It worked this way. A dodgy manager could place, say, ten good orders into Refco, and then agree with her counterpart over at Refco to call one of them a bad debt. In a sense, a pre-ordained fake trade. The insider would then send the money off somewhere, and the two conspirators would split the profits. Meanwhile, the trade would get stuck on Refco's books as a bad debt and be dealt with some other time, including being traded back and forth for its tax advantages. Of course, over time this build up of bad debt would rise to strike, but by then it was someone else's problem.

So, how does all this happen? I suggest it is a case of post-GP insider fraud, something I first mused on when writing the testimony given by Jim before the U.S. Senate's finance subcommittee.

When a mutual fund first starts up it faces large upfront security costs. These are similar to those we discussed earlier, but this time it is more often termed governance, and they are more by regulatory fiat than the common sense of open governance. Included are separation of roles, audits, special purpose entities, accounting systems and best practices. We put all these in place before the fund gets off the ground, and we do it properly and in the best tradition of trying to make us look squeaky clean.

Add to that, the dramatic attention paid to every new fund! Who is it? Do they have a track record? Is there room for more funds, more ideas? Etc etc. Which results that the combined weight of all this attention both internal and external means that the security-to-value ratio is very high in the beginning.

Ludicrously high! But over time, much of the hard external scrutiny disappears as the reputation of the fund grows. New members hear it from old members, who are very happy with returns. Glowing reports are purchased from the press and rating agencies, who have nothing to fear and everything to gain. Insiders get used to believing in their impeccable reputation, which eventually becomes the axiom to be stressed, not the result of care and diligence. Brand replaces skepticism, and observation of the Bezzle-reducing kind is diverted and neutralised.

fig 6. Value Grows as Attention diminishes

And, of course, value under management climbs. From the first few millions, some funds reach into the billions. All the while, as value grows the internal attention to governance decreases. Inevitably, desire for profits means aggressive attention to controlling of costs. When directed at governance, a pure cost centre, the inevitable result is that the security-to-value ratio switches from ludicriously high to ludicrously low.

Why is it GP-apropos? Because the protection was put in place before it was needed. By the time it was needed, the protection had withered away and the fund no longer had the capability to govern itself.

All the mutual funds that were hit by market timing were older, established funds. Their reputation was impeccable, and that should be seen as a core symptom of the underlying syndrome - when the cat went away, the mice started to play.

Next case study: e-gold

Diamond governance

In news of a big scandal in the diamond world, the rating agency was found to be inflating valuations prior to sale. I find this a good example of what we mean when relying on "trusted third parties" means we are more vulnerable:

The Gemological Institute of America, which grades diamonds for independent dealers and big retailers, fired four employees and shuffled top management after an internal investigation of its policies, the Wall Street Journal said.

The institute's internal probe started after a jewelry dealer who was also the former head of retail operations at luxury jeweler Harry Winston claimed that the institute and two diamond dealers conspired to inflate the grade of two diamonds that he sold to members of the Saudi royal family.

The diamonds, which were sold for $15 million, were taken to an independent appraiser and found to have a lower grade that made them worth much less, the paper said.

The dealer alleged that lab workers took bribes to inflate the quality of diamonds in grading reports, according to the news report, which cited people familiar with the situation.

Bribes, Saudi royals, diamonds, it's got it all! Only problem is, this is an old plot.

When we create an agency of such power, we all become vulnerable to it (a point credited I believe to Mark Miller to many -- see comments). That which we call the Trusted Third Party is no more than a hack that leaves us vulnerable to the TP in exchange for maybe being secure against something else; whether that is a good exchange is highly dependent on the circumstances (see for e.g., Nick on TTPs).

In that case, when we say "trust" we mean you have no choice but to trust this arrangement - in other words you are highly vulnerable. The business about trust being nice and warm and consumer-oriented is simply marketing designed to lull us to sleep while others sleep not. (Auditors, CAs, Issuers, take note.)

We need to guard the guardians and watch the watchers as if they are untrustworthy. Because, frankly, if we do not, they will be. Oh, and for those who think it can't happen to them because they have structured it "properly" please take note:

"Fees depend on a diamond's size; grading a one-carat round diamond costs about $100. In 2004, the institute, a nonprofit, had income of $104 million, the paper said.

Non-profits are likely to have poorer governance as they have a better ability to hide information from stake holders. Why? They don't have shareholders, they only have employees. That means the guardians and watchers cannot be guarded and cannot be watched. Who'd trust a nonprofit voluntarily?

GP3 - Growth and Fraud - How to Book a Table

Previously, we talked about the Growth and Fraud's GP which is the place where growth kicks off into a self-sustained value growth machine (Parts 1,2) . Then I made some remarks on how to instruct security strategy, which lead to a rather keen need to know where this point is. That's because by the time we hit GP we really want to protect it, but not a moment earlier.

Where is GP? Obviously in a different place for every story. But there are some patterns. Assuming again that we are talking about a value system, we can predict the following indicators of GP by looking for the arisal of these factors:

• An independant exchange network. That is, other companies without any especial permission from the lead company engaging in arbitrage and value exchange.


• Delivered independant super-services such as plugins to popular clients. Think Eclipse, Skype, Firefox here.


• New business models and/or activities by third parties that were not originally envisaged by the Founders. Note here that as a founder, you don't need to admit to the world that you didn't envisage a new model arising, but you do need to admit it to yourself.


• Participants that founders don't know find other participants that founders don't know and ... trade! What this means is that no longer is the activity dependent on you, as founder, and your core network. You've exhausted your contacts, you've beaten up your relations, blackmailed your business partners and extorted your church. And it's still growing, with people you've never met and can't quite divine how they came to be in the system.
  
• Fraud!

Noticeable among those is the absence of journalism, blog posts, coolness ratings, cute crypto features, show awards, recommendations by experts, endorsements, government regulation or permissions, what your mate thinks, etc etc. They all suck, in large part because they can all be bought, and are often negative indicators of GP, not positive ones. On the other hand what is present in all the above is:

• Someone else's capital has been independently invested in the subsystem's potential,
• that capital has delivered separate and persistent value exchanges,
• and done so many times over to the extent that it is not an aberation, but more an economy.

These things cannot be bought. The importance is to see many independent events that indicate independent traders are putting their money where their mouths are, enough times such that it would take a major mistake on the part of original founders to break it now.

Thinking about fraudsters as investors might be confusing, but that's what they are at least as far as this analysis goes. Fraudsters invest their time and effort in a fraud, and some frauds pay off whereas others do not. Fraud is just a business where the more positive is the supply side, the more negative is the demand side.

Fraud is also a very good indicator of success. One reason for this is that fraud has a very short cycle of gratification. Unlike honest biz, most small frauds either pay off quickly or more generally not at all, so if you see a marked and noticeable incidence of fraud, that means the frauds are paying off. Thieves are very economically tuned, they move on to the next if this one isn't working, and stay and play if it is working.

Now that we've got a view that we can pick GP, what do we do about it? The previous section talked at length about security, so if it hasn't twigged by now, we start by ramping up our anti-fraud efforts. As we've included fraud on the list above, we are hopefully staring at the first efforts of fraudsters, so we should actually have some good, market driven data on what fraud matters and what is just crypto blah blah security hype.

The next thing we have to worry about is ... the whole business. Before GP we had not proven the model. After GP, we have, and this apocalypse changes our entire strategy. Before GP we were doing everything possible to push the model, but we had no real reason to keep it. After GP we switch to doing everything possible to preserve the business and user base without overly slowing down the model.

The switch is subtle, but it has quite dramatic connotations. Firstly, we now know where to spend money. So GP is the time to go for the big Venture Capital round! In fact, I'd say that the question to be asked at the VC meeting is "how do you know you've reached GP?" Anything before GP is seed money, as it is simply experimental funding to try out different ideas and different models.

Then, when we get the money, we know where to spend it: supporting the model. Extending it, expanding it, adding to it, and very important for those security guys that are still with us: protecting it.

Finally, this takes a very different mindset. This means a new team - in general, from a Human Resources perspective, most entrepreneurs don't cross over well from the mad chaos of pre-GP to the mindless protectionism of post-GP.

It's probably not wise to announce GP on your own. That might be tempting fate as those deep inside their own business have a tendency to migrate their beliefs to suit their desires, and I don't want to be blamed for them getting it wrong. At some point the market - your strong and critical fans especially - will agree one day that GP is passed. At that point these same critical fans will be strongly looking for signs of management team change, security overhaul, and serious understanding of the revenue and finance model.

They'll also be looking for people who have a bit more of a wider view than your average security geek, accountant or salesman with a great idea! And it is breadth to which we turn in our final installment (of 3 parts), in an attempt to show how relevant this concept is.

---

This is Part 3 of Growth and Fraud:

• GP1 - Meet at the Grigg Point
• GP2 - Instructing Security at GP
• GP3 - How to Book a Table
• GP4: Case Studies:
  • #1: Mutual Funds
  • #2: e-gold
  • #1: Phishing

OpenPGP supports any Trust Model that you desire!

[editorial note - this is a guest post by Ed Gerck]

James A. Donald wrote:
>     --
> From:               Werner Koch 
>
>> You need to clarify the trust model.  The OpenPGP
>> standard does not define any trust model at all.  The
>> standard merely defines fatures useful to implement a
>> trust model.
>
>
> "Clarifying the trust model" sounds suspiciously like
> designers telling customers to conform to designer
> procedures.  This has not had much success in the past.
>
> People using PGP in practice verify keys out of band,
> not through web of trust.

James,

Yes. Your observation on out-of-band PGP key verification is very important and actually exemplifies what Werner wrote. Exactly because there's no trust model defined a priori, uses can choose the model they want including one-on-one trust.

This is important because it eliminates the need for a common root of trust -- with a significant usability improvement.

If the web of trust is used, the sender and recipient must a priori trust each other's key signers, requiring a common root of trust -- that may not even exist to begin with.

So, instead of worrying about what trust model PGP uses, the answer is that you can use any trust model you want -- including a hierarchical trust model as used with X.509.

Jon Callas and I had several conversations on trust in May '97, when Jon visited me for two weeks while I was in Brazil at the time, I think before the OpenPGP WG was
even working on these issues. This is one of the comments Jon wrote in a listserv then, with a great insight that might be useful today:

As I understand it, then, I've been thinking about some of the wrong issues. For example, I have been wondering about how exactly the trust model works, and what trust model can possibly do all the things Dr Gerck is claiming. I think my confusion comes from my asking the wrong question. The real answer seems to be, 'what trust model would you like?' There is a built in notion (the 'archetypical model' in the abstract class) of the meta-rules that a trust model has to follow, but I might buy a trust model from someone and add that, design my own, or even augment one I bought. Thus, I can ask for a fingerprint and check it against the FBI, Scotland Yard, and Surite databases, check their PGP key to make sure that it was signed my Mother Theresa, ask for a letter of recommendation from either the Pope or the Dalai Lama (except during Ramadan, when only approval by the Taliban will do), and then reject them out of hand if I haven't had my second cup of coffee.

Cheers,
Ed Gerck

GP2 - Growth and Fraud - Instructing Security at GP

In the previous discourse (Meet at the Grigg Point), we discussed how growth works, and said that GP was the tipping point at which the demo became a system. From this model, we can make a number of observations, chief of which is about Security to which we now turn.

One of the security practitioner's favourite avisos is to suggest that the security is done up front, completely, securely, with strong integration, not to mention obeisance. Imagine the fiercely wiggling finger at this point. Yet, this doctrine has proven to be a disaster and the net's security pundits are in the doldrums over it all. Let's examine some background before getting to how GP helps us with this conundrum.

Hark to the whispering ghosts of expired security projects. Of those that took heed of the doctrine, most failed, and we do mean most. Completely and utterly, and space does not permit a long list of them, but it is fair to say that one factor (if not the sole or prime factor) is that they spent too much on security and not enough on the biz.

Some systems succeeded though, and what of them? These divide into three:

1. those that implemented the full model,
2. those that implemented a patchwork or rough security system, and
3. those that did nothing.

Of those few systems that heeded the wiggling finger and succeeded, we now have some substantial experience. Heavily designed and integrated systems that succeeded initially went on to expose themselves to ... rather traumatic security experiences. Why? In the worst cases, when the fraud started up (around GP) it simply went around the security model, but by that time the model was so cast in mental concrete that there was no flexibility to deal with it. One could argue that these models stopped other forms of fraud, but these arguments generally come from managers who don't admit the existence of the current fraud, so it's an argument designed to be an argument, not something that pushes us forwards.

Perversely, those systems that did nothing had an easier time of it than even those that implemented a patchwork, because they had nothing to battle.

fig 4. Investment directs the Revenue Curve

Why is this? I conjecture that at the beginning of a project the business model is not clear. That is, none of us really knows what to do, but darn it we're inspired! Living and dreaming in Wonderland as we are, this suggests that the business model migrates very quickly, which means that it isn't plausible to construct a security model that lasts longer than a month. Which means several interlinked things:

• until the business model is proven, there is little point in building a security model for security per se as an unproven model doesn't deserve to be protected,
• the more attention that is put into the security model, the more the security model kicks back and insists that the business model stop changing, dammit!,
• the more money that is put into the security model, the less money there is available for business activity, and
• the security system puts a cost on the whole system, slowing growth.

Now, anyone who's aware of compounding knows where to put the value: building the business, and security rarely if ever builds business, what it does is protect business that is already there. It's the issue of compounding we turn to now. Figure 4 depicts the cost of investment down below the horizontal axis, and the growth above. Investment isn't exponential, so it's not a straight line. Initially it grows well, but then hits limits to growth which doom it to sub-exponential growth, which is probably just as well as any investor I've met prefers less than exponential growth in contributions!

While not well depicted in that figure, consider that the pattern of investment fundamentally sets the growth model. The Orange line dictates the slope and placement of the Blue!

Now let's fiddle a bit in figure 5. Assume that investment is fixed. But we've decided to invest upfront in a big way in security, because that's what everyone said was the only way to sleep well at nights. Now the Orange Region of total investment over time is divided into two - above the thin line is what we invest in the business, and below the line is the security. The total is still the same, so security investment has squeezed us upfront.

fig 5. More Costs means Growth is Flatter and GP is Later

See what happens? Because resources were directed away from business, into security, the growth curve started later, and when the security model kicked in, the curve flattened up. That's because all security has a cost. If you're lucky, and your security team is hot (and I really do mean blistering here, see what I wrote about "most" above...) the kink won't be measurable.

Why is it so big? And why don't managers wade in there with mallet and axe and bash it back into forward growth before we can say hedonism is the lifeblood of capitalism? Oddly, the chances of a manager seeing it are pretty remote because seeing drivers to growth is a very hard art, most people just can't see things like that and assume that either today goes for ever, or tomorrow will solve everything. The end users often notice it, and respond in one of two ways: they scream and holler or they stop using the system. An example of the former is from the old SSL days when businesses screamed that it sucked up 5 times the CPU ... so they switched to hybrid SSL/raw sites. An example of the latter is available every time you click on a link and it asks you to register for your free or paid account to read an article or to respond to an article.

Students of security will be crying foul at this point because security does good. So they say. In fact what it does is less bad: until we draw in the fraud curve which security nicely attempts to alleviate the bad done by fraud, security is just a cost. And a deadweight one at that. Which brings us to our third observation: the upfront attention to security has pushed GP way over to the right, as it must do if you agree with the principle of GP.

So where is all this leading us? At this point we should understand that security is employed too early if employed at the beginning - the costs incur a dramatic shift of the curve of growth. Both to the right, and a flattening due to the additional drain. And we haven't even drawn in the other points above: restarts and kickback.

This logic says that we should delay security as long as we can, but this can't go on forever. The point where the security really kicks in and does less bad is when the bad kicks in: the fraud curve that slides up and explodes after GP. Then, the ideal point in which to kick security is after GP and before the fraudulent red line runs in ink onto the balance sheet.

Which leads us to question - finally, for some, no doubt - When is GP?. That is saved to another day :-)

GP1 - Growth and Fraud - Meet at the Grigg Point

Imagine if you will a successful FC system on the net. That means a system with value, practically, but for moment, keep close in your mind your favourite payments system. Success means solid growth, beyond some point of survival, into the area where growth is assured. It looks like this:

fig 1. Exponential Growth

That's an exponential curve, badly drawn by hand. It's exponential because that's what growth means; all growth and shrinkage is exponential. Let's draw that as a logarithmic curve, so we see a straight line:

fig 2. Growth Crosses the Value Tipping Point

I've observed in many businesses of monetary nature that there is a special tipping point. This is where the system transitions from being a working demo that is driven forwards by the keenness of its first 100 or so users, to being a system where the value in the system is inherent and cohesive. In and of itself, the value in the system is of such value that it changes the dynamics of the system.

That's why I labelled it the Self-Sustaining Value Growth Tipping Point, or GP for short. Before this point, the system will simply stop if we the founders or we the users stop pushing. After this point, there is a sustained machine that will keep rolling on, creating more and more activity. In short, it's unstoppable, at least as compared to beforehand.

The shortened term indicates who to blame when you reach that point, because there is something else that is going to happen here: fraud! When the system passes GP, and the value is now inherently stealable for its value, then someone will come along and try to steal it.

fig 3. Fraud Kicks Off then Levels Off

And that theft will probably work, if history is any judge. You'll get a rash of frauds breaking out, either insider or outsider fraud, and all will appear to be chaos. Actually, it's not chaos, it's just competition for different fraud models, and soon it will settle down to a set of best practices in fraud. At this point, when all the mistakes have been made and the surviving crooks know what they are about, fraud will rise rapidly, then asymptotically approach its long run standard level. Ask any credit card company.

Remember that the graph above has a logarithmic vertical axis, so vertical distances of small amounts mean big distances in absolute amounts. The long run gap between those lines - red to blue - is about two if the vertical was log 10. Assuming that, 10² gives us 100 which means fraud is 1% of total at any time. 1% is a good benchmark, a great number to use if you have no other number, even if the preceeding mathematics are rather ropey. Some systems deliver less, some deliver more, it all depends, but we're in the right area for a log chart.

Now that we have the model in place, what can we do with GP? Quite a lot, it seems, but that waits for the next exciting installment of Growth and the Big GP!

---

This is Part 1 of Growth and Fraud:

• GP1 - Meet at the Grigg Point
• GP2 - Instructing Security at GP
• GP3 - How to Book a Table
• GP4: Case Studies:
  • #1: Mutual Funds
  • #2: e-gold
  • #3: Phishing

How much will it cost you to lose your customer's data?

This one popped up and adds actual numbers to the debates on losses of data by companies. I can do no better than Chandler on this and will simply copy his snippets:

The first report is a survey of 14 organizations that lost confidential customer information and had a regulatory requirement to notify the affected individuals. The 14 organizations primarily hailed from the financial services arena but also included retailers, insurance companies, telecom firms, higher education and healthcare.

To cope and recover from a single security breach cost on average $14 million per company per breach or $140 per lost customer record. The direct costs in incremental spending for outside legal counsel, increased call-center costs and related items alone were $5 million.

Chandler went to PGP and in a supreme irony, entered his personal details in order to get the actual reports:

Breaches included in the survey ranged from 1,500 records to 900,000 records from 11 different industry sectors. In general, the largest breaches occurred in financial services, data integration, and retail; the smallest were in higher education and health care. Information in this study covers the costs of almost 1.4 million customer records compromised.

Among the study's key findings:

• Total costs to recover from a data breach averaged $14 million per company or $140 per lost customer record
• Direct costs for incremental, out-of-pocket, unbudgeted spending averaged $5 million per company or $50 per lost customer record for outside legal counsel, mail notification letters, calls to individual customers, increased call center costs, and discounted product offers
• Indirect costs for lost employee productivity averaged $1.5 million per company or $15 per customer record
• Opportunity costs covering loss of existing customers and increased difficulty in recruiting new customers averaged $7.5 million per company or $75 per lost customer record. Overall customer loss averaged 2.6% of all customers and ranged as high as 11%.

These cost estimates include recovery costs only and do not include the cost of putting in place technology and procedures to ensure such breaches do not occur in the future.

Those are hard numbers, not in the sense that they are fixed for you, but in the sense that they can not easily be ignored in NPV calculations. Now, if we were able to calculate the risk of this breach happening then we could simply multiple the two and get the expected loss. Which then could be compared and contrasted with our security expenditure!

Or, in simple terms, you might consider spending up to $140 per customer on security if you are 100% likely to lose the data, and your security is guaranteed to reduce that likelihood to zero. Leaves a lot of open territory, I know, but any numbers are better than no numbers.

Frank Hecker goes to the Mountain - mapping the structure of the Certificate Authority

Frank takes aim at the woeful business known as certificate authorities in an attempt to chart out their structural elements and market opportunities.

Frank argues that CAs can be viewed as providers of one of encryption, DNS-fixes, site identity proofs, or as anti-fraud services. Depending on which you choose, this has grave ramifications for what follows next -- Frank's thesis implicitly seems to be that only one of those can be pursued, and each have severe problems, if not inescapable and intractable contradictions. In the meantime, what is a browser manufacturer supposed to do?

For those who have followed the PKI debate this will not surprise. What is stunningly new -- as in news -- is that this is the first time to my knowledge that a PKI user organisation has come out and said "we have a problem here, folks!" Actually, Frank doesn't say that in words, but if you understand what he writes, then you'd have to be pre-neanderthalic not to detect the discord.

What to do next is not clear -- so it would appear that this essay is simply the start of the debate. That's very welcome, albeit belated.

After 10 years, a new policy on adding CAs

Frank announces the new Mozo policy for CAs.

This is a significant piece of news in an otherwise moribund field - there hasn't been anything happening in the CA business since Verisign bought Thwarte. In brief here's the story: since the dawn of SSL time, all browsers have more or less inherited a list of favoured buddies created by Netscape. When Mozilla started to ship significant numbers of browsers, they started to get calls for new CAs to be added.

Looking around, it was discovered there were no rules, other than "must be WebTrust Audited!" Well, that fell by the wayside when it was pointed out that Mofo was supposed to be working in the open source world and WebTrust audits start at $50k. Not to mention serious irregularities in the WebTrust process itself, and evolving security failures of the overall browser system...

Policy guru Frank Hecker burnt many candles to craft a compromise between the reds and the blues. Bitter debate ensued, but the end result is OK, although it does kind of highlight that Mofo (or is it Mozo?) is a meta CA and and has not or cannot escape some responsibility for the CAs that are added.

To cap it off, rumour has it that Microsoft has also started a policy review, no doubt following the quite serious discussion on the n.p.m.crypto lists over this major issue. Last I heard, Konqueror, Opera and Safari were expecting to follow Mozo on this policy, so this may result in a minor shakeup.

(Some minor disclosure - I have been helping the CAcert people with their policy ...)

Breaking Payment Systems and other bog standard essentials

Many people have sent me pointers to How ATM fraud nearly brought down British banking. It's well worth reading as a governance story, it's as good a one as I've ever seen! In this case, a fairly bog standard insider operation in a major brit bank (not revealed but I guess everyone knows which one) raided some 2000 user accounts and probably more. They did all this through the bank's supposedly fool proof transaction system, and the bank aided and abetted by refusing to believe there was an issue! Further, given the courts willingness to protect the banks' secrecy, one can say that the courts also aided and abetted the crooks.

This is the story of how the UK banking system could have collapsed in the early 1990s, but for the forbearance of a junior barrister who also happened to be an expert in computer law - and who discovered that at that time the computing department of one of the banks issuing ATM cards had "gone rogue", cracking PINs and taking money from customers' accounts with abandon.

This is bog standard. Once a system grows to a certain point, insider fraud is almost a given, and it is to this that the wiser FCer turns. As I say, this is a must-read, especially if you are new to FC. Here's news for local currency pundits on how easy it is to forge basic paper tokens.

In a world of home laser printers and multimedia PCs, counterfeiting has become increasingly easy. With materials available at any office supply store, those with a cursory knowledge of photo-editing software can duplicate the business-card-size rewards cards once punched at Cold Stone Creamery or the stamps once given out at Subway sandwich sho........

Steven Bellovin reports that Skype have responded to criticisms over their "secret cryptoprotocol."

Skype has released an external security evaluation of its product; you can find it at http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf (Skype was also clueful enough to publish the PGP signature of the report, an excellent touch -- see http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf.sig) The author of the report, Tom Berson, has been in this business for many years; I have a great deal of respect for him.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

Predictibly, people have pored over the report and criticised that, but most have missed the point that unless you happen to have an NSA-built phone on your desk, it's still more secure than anything else you have available. More usefully, Cubicle reports that there is an update to Skype that repairs a few bugs. As he includes some analysis of how to exploit and create some worms... it might be worth it to plan on updating:

The Blackhat in me salivates at the prospect. It’s beautiful security judo, leveraging tools designed to protect confidentiality (crypto) and Availability (peer-to-peer) to better hide my nefarious doings. Combine it with a skype API-based payload and you’ve got a Skype worm that can leverage the implicit trust relationship of contact lists to propagate further, all potentially wrapped inside Skype’s own crypto.

Too bad the first that most of Skype’s 60 million-and-growing users will ever hear of it will be after someone who does pay attention to these sorts of things decides they want to see if it’s possible to create a 60-million node botnet or retire after making The One Big Score with SkypeOut and toll fraud.

Hey Skype, Ignoring Risk is Accepting Risk–NOT Avoiding it. Put this on your main page while upgrading is still prevention rather than incident response.

A little hyperventilated, but consider yourself in need of a Skype upgrade.

What happens when you don't do due diligence...

A story doing the rounds (1, 2) shows how money laundering is now being used to open up security in banks that don't do DD. The power of the money laundering bureaucrats is now so unquestioned that mere mention of it and a plausible pretence at it allows anyone to do the craziest things to you.

AN INGENIOUS fraudster is believed to be sunning himself on a beach after persuading leading banks to pay him more than €5 million (£3.5 million) in the belief that he was a secret service agent engaged in the fight against terrorist money-laundering. The man, described by detectives as the greatest conman they had encountered, convinced one bank manager to leave him €358,000 in the lavatories of a Parisian bar. "This man is going to become a hero if he isn't caught quickly," an officer said. "The case is exceptional, perfectly unbelievable and surreal."

In another case he did it with wires to Estonia, but had to sacrifice his wife and mother-in-law in the process:

A third payment of €5.18 million was made to an account in Estonia. This time Gilbert was quicker. Police identified him by tracing his calls, but by the time they caught up with him he was in Israel. They arrested his wife and mother-in-law at the family home outside Paris. They deny acting as accomplices.

Can you hear the mother-in-law screaming "I told you he was a SCHMUCK!?!" Read the whole thing - it's a salutory lesson in how governance is done not by blindly doing what bureaucrats and experts think is a good idea, but by thinking on your feet and doing your own due diligence. In this case, it is somewhat unbelievable that the banks did not do the due diligence on this chap, but I suppose they were waiting for an invitation!

It's official - doing due diligence is a criminal offence!

I wrote before about rising barriers in security. We now have the spectre of our worst nightmare in security turned haptic: the British have convicted a security person for doing due diligence on a potential scam site. If you work at a British Financial Institution, be very very aware of how this is going to effect security.

[writes El Reg] On December 31, 2004, Cuthbert, using an Apple laptop and Safari browser, became concerned that a website collecting credit card details for donations to the Tsunami appeal could be a phishing site. After making a donation, and not seeing a final confirmation or thank-you page, Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories.

After running the two tests, at between 15.12 and 15.15 on New Year's Eve, Cuthbert took no further action. In fact his action set off an Intrusion Detection System at BT's offices in Edinburgh and the telco called the police.

It may well be that the facts of the case are not well preserved in the above reporting; no journalist avoids a good story, and El Reg is no exception. A reading of other reports didn't disagree, so I'll assume the facts as written:

[El Reg again] DC Robert Burls of the Met's Computer Crime Unit said afterwards: "We welcome today's verdict in a case which fully tested the computer crime legislation and hope it sends a reassuring message to the general public that in this particular case the appropriate security measures were in place thus enabling donations to be made securely to the Tsunami Appeal via the DEC website."

The message is loud and clear, but it is not the one that they wanted. The Metropolitan's Computer Crime Unit is blissfully unaware of the unintended consequences it has unleashed... Let's walk through it.

According to the testimony, the site gave some bad responses and raised red flags. A routine event, in other words. Cuthbert checked it out a little to make sure it wasn't a phishing site, and apparently found it wasn't. This would have been a very valuable act for him, as otherwise he might have had to change all his card and other details if they had been compromised by a real phishing attack (of which we have seen many).

The 'victim' in the case was named as Disasters Emergency Committee (DEC). From Cuthbert, DEC received a 30 pound donation via donate.bt.com and then said (after he was charged):

[more] There's no suggestion any money was stolen and the Disasters Emergency Committee has issued a statement reassuring the public that the internet remains a safe way to donate money to victims of the 26 December disaster.

The real victim may well be the British public who now only have BT's IDS and the Metropolitan Computer Crime Unit between them and phishing. Let's imagine we are tasked to teach users or banks or whoever how to defend themselves against phishing and other Internet frauds. What is it that we'd like to suggest? Is it:

a. be careful and look for signs of fraud by checking the domain name whois record, tracerouting to see where the server is located, probing the webserver for oddities?

Or

b. don't do anything that might be considered a security breach?

Either way, the user is in trouble because the user has no capability to determine what is and what is not an "unauthorised access". Banks won't be able to look at phishing sites because that would break the law and invite prosecution; after this treatment, security professionals are going to be throwing their hands up saying, "sorry, liability insurance doesn't cover criminal behaviour." The Metropolitan Computer Crime Unit will likewise be hamstrung by not being able to breach the very laws they prosecute.

There is a blatant choice here not only for security professionals and banks, but also for the hapless email user. Follow the law, and perform due diligence without the use of ping, traceroute, telnet, whois, or even browsers ... Or follow the protocols and send the recognised and documented requests to respond according to the letter and spirit of the RFCs, and in the meantime discover just how bona fide a site is. Tyler dug up the appropriate document in this case:

So RFC 3986 explicitly lists this construction as a valid URL. See section 5.4.2.:

5.4.2. Abnormal Examples

Although the following abnormal examples are unlikely to occur in
normal practice, all URI parsers should be capable of resolving them
consistently. Each example uses the same base as that above.

Parsers must be careful in handling cases where there are more ".."
segments in a relative-path reference than there are hierarchical
levels in the base URI's path. Note that the ".." syntax cannot be
used to change the authority component of a URI.

"../../../g" = "http://a/g"
"../../../../g" = "http://a/g"

The way the security bureaucrats are treating this war, possession of an RFC will become evidence of criminal thoughts! The battle for British cybersecurity looks over before it has begun.

Addendum: Due diligence defined and reasonably duty of care discussed. Also see Alice in Credit-Card Land and also Phishing and Pharming and Phraud - Oh My for discussions in more depth. Also, I forgot to tip my hat to Gerv for the original link.

'bonus pater familias'

An article in the aforementioned JIBC, "Security as a legal obligation" by Edwin Jacobs, argues the current security crisis from the perspective of bonus pater familias. This legal doctrine has it that we should ask, what would the good citizen do in this case?

What can be reasonably expected of all the actors here, assuming they were good citizens? As I argued in a recent blog entry concerning online account fraud (a.k.a. phishing), you can't blame any one party totally, and if you put all the cost on one party and none of the responsibility on the other parties then we give rise to moral hazard. That's the economics idea that anyone who is fully insured is more likely to incur the events, as they take no care.

The current situation in most western countries is, in simple terms, if a transaction was not authorised by the account owner then the financial institution carries the risk. This is by no means cut & dry, but when push comes to shove, that's what gets written down in the laws.

Does that mean that the FIs are already on the hook for all of phishing, identity fraud and the like? By no means, as the greater part of cost of any online fraud seems to be the cost to the individual's identity. Although the estimated heist is about $1000, I've also seen estimates of time lost to the user of 100 hours. If your time is worth more than $10 per hour, then you are now more concerned about the waste of your life; and another statistic has it that one in four never recover completely from the situation.

So we already have risk sharing in place. Which isn't to say that it's a nice way to live and do business, but it is at least a clearly demarcatible sharing arrangment. FI's pick up the tab for the money, but your identity's your own problem.

Where we go from here is that if there is to be any adjustment from this current risk sharing between the FIs and their users, then it has to be a better risk sharing. That is, not only does it need to better account for the economics of repairing the damage, it also has to be as easily measurable. That's a tall order, and my hat off to anyone who can do this.

Jacobs takes Sarbanes-Oxley to task by pointing out that not only are there already many laws in Europe that cover these points (and he works through some of them), but both providers and customers have a general duty of care. Obviously in the current environment, there is no lack of examples of failure to follow this guideline, so the question arises how it is that the principle has failed to save us in this case?

3.1. The concept of general duty of care

The presence of specific legislation related to security and risk management should not make us forget that every person (so also customers of on line services!) and every company have a general duty of care. If the lack of appropriate security measures leads to damages for third parties, the liability of the company which omitted to apply best practices in this field (and hence to behave as the 'bonus pater familias') will automatically be involved. Contrary to the specific legal security obligations described above in the specific laws, the general liability can to a certain extent be reduced by liability disclaimers that have to be carefully drafted.

(My emphasis.) It would seem that if one were to stereotypically cast the models as European above and American for the alternate, we could ascribe his last comment as the reason for the failure: general liability and a duty of care has been widely written out by liability disclaimers in the American model. This is no light thing, as the history of the credit card shows. When banks were aggressively marketing their cards in the mad ramp up to saturation, it was common to send cards to people who hadn't asked for them, and to stick them with the fraud bills. This blatent act of fraud on the part of the banks resulted in the regulations (Reg E?) that made the banks liable for all of any transaction not authorised, thus switching all of the risk from the consumer to the bank. At least until identity fraud took off.

It would seem simplicity itself to write to our congresspersons and demand they write liability back in again. "Dammit!" But I fear it isn't so easy, and it may very well be that Reg E recognises bonus american pater est mortuus. The counterbalance to this dramatic accusation is that the ecommerce revolution happened in the US and only to a lesser extent in the European circles. If we looked at all the startups and IPOs, we should expect to find a massive difference, perhaps as much as an order of magnitude.

Which meant that the value was created in the US and then exported by copycats to other farflung dominions of capitalism. All of which goes to show that making a claim for bonus pater familias as against the widespread disclaiming of same by contract is not easy: either we need to show correlation not causality with dotcom boom, or the pundits of bonus pater familias need to find something that counterbalances the 'economic miracle' argument.

Jacob's article (and blog) is worth reading if you are trying to make sense of Choicepoint, phishing, viruses and keyloggers and the madness known as Sarbanes-Oxley. I don't think it answers everything but it does offer a perspective why the crisis in security and governance is primarily American and not elsewhere.

Journal of Internet Banking and Commerce

Vol 10 No. 2 Summer 2005 of JIBC is out now:

• From JIBC Publisher Nahum Goldmann
• From Editor-in-Chief Nikhil Agarwal

General and Review Articles

• Belgium EEMA: Focus on Technical and Legal Issues of e-Business in the European Union (By: Edwin JACOBS,University of Leuven)
• China Current Development Situation of E-Commerce in China (By: Alamusi, ChinaEClaw.com)
• USA B2B Marketers Integrate Precision Search to Boost Profitability and Increase Satisfaction Across the eCommerce Value Chain (By: Larry R. Harris, EasyAsk, a division of Progress Software)
• Canada Trust and Confidence and the Digital Economy: Issues and Challenges (By: Prabir K. Neogi and Arthur J. Cordell, Industry Canada)

Research Papers

• Belgium Security as a Legal Obligation: About EU Legislation Related to Security and Sarbanes Oxley in the European Union (By: Edwin JACOBS, University of Leuven)
• Belgium The Law on Electronic Medical Prescription (By: Francis de Clippele, Lawyer in Antwerp, Assistant Lecturer at the University of Antwerp)
• Canada Trust and Confidence and the Digital Economy: Issues and Challenges (By: Prabir K. Neogi, Arthur J. Cordell, Electronic Commerce Branch, Industry Canada)
• India Technical and Entrepreneurial Research Information System: An Applied e-Model for Sustainable Entrepreneurship Development (By: Dhrupad Mathur, S P Jain Institute of Management & Research, Mumbai)
• India A Framework for Evaluating e-Business Models and Productivity Analysis for Banking Sector in India (By: NVM Rao, Prakash Singh, and Neeru Maheshwari, BITS, Pilani)
• Malaysia Do Foreign Banks Lead in Internet Banking Services (By: Boon Han YEAP, Monash University Malaysia, and Kooi Guan CHEAH, Universiti Sains, Malaysia)
• Malaysia Marketing Mix: A Review of 'P' (By: Chai Lee GOI, Curtin University of Technology, Malaysia)
• Qatar E-banking Service Quality: Gaps in the Qatari Banking Industry (By: Norizan M. Kassim, University of Qatar)
• USA and Singapore A Case Study of Electronic Bill Presentment and Payment (EBPP) Integration Using the COIN Mediation Technology (By: Sajindra Jayasena, National University of Singapore, Stephane Bressan, Sloan School of Management and Stuart Madnick, Massachussets Institute of Technology)

Read on for abstracts....

General and Review Articles

BELGIUM: EEMA: Focus on Technical and Legal Issues of e-Business in the European Union
(By Edwin Jacobs)
http://www.aaraydev.com/commerce/JIBC/EdwinJacobs_EEMA_210705,asp

EEMA is Europe's leading independent association for e-Business and promotes collaboration concerning all technical (ICT), legal and business aspects of e-business. EEMA puts the emphasis on today's practical issues. In this respect, EEMA's Legal Interest Group, headed by Prof. Jos Dumortier, focuses on all legal aspects of e-business, i.e. electronic signature, e-invoice, identity management, security legislation (e.g. Sarbanes Oxley in the EU), privacy, etc. On November 22nd and 23 rd this year EEMA will organise a two-day seminar about electronic invoicing and electronic archiving in Brussels.

CHINA: Current Development Situation of e-Commerce in China
(By Alamusi)
http://www.arraydev.com/commerce/JIBC/2005-08/china.htm

The Chinese government puts a great deal of emphasis on E-Commerce work extremely. Generally speaking, the China E-Commerce market contains huge commercial opportunity, the development prospect of which is extremely broad. The relevant organizations are complying with and guiding commercial transformation tendency, absorbing latest international achievement of technical platform, payment system, creditability system, platform construction and safety guarantee system in E-Commerce, further optimizing the external environment, and speeding up development and innovating application complying with national features.

USA: B2B Marketers Integrate Precision Search to Boost Profitability and Increase Satisfaction Across the e-Commerce Value Chain
(By Larry R. Harris)
http://arraydev.com/commerce/JIBC/2005-08/Harris.asp

This article will describe the central role that site search and navigation plays in B2B eCommerce, as well as the defining characteristics of a successful search implementation from both a technical and marketing perspective. This article will also outline how integrating precision search into an existing eCommerce infrastructure can result in higher productivity, streamlined processes, increased conversion rates, greater commercial buyer and partner satisfaction, and higher profits per transaction.

Research Papers

BELGIUM: Security as a Legal Obligation: About EU Legislation Related to Security and Sarbanes Oxley in the European Union
(By Edwin Jacobs)
http://www.arraydev.com/commerce/JIBC/2005-08/security.htm

Since the Sarbanes-Oxley Act there is a worldwide focus on security issues in general. This new focus seems to emphasize that security is a new kind of legal obligation. However, security is already a legal obligation for all EU companies since the early nineties. On top of that, in electronic banking there is a whole range of legal obligations in some way related to security, that were already (and remain) applicable, notwithstanding a possible application of the Sarbanes-Oxley Act on some EU companies. The criterion of what can be 'reasonably expected' as 'bonus pater familias' from service providers, but equally also from their customers, becomes increasingly important.

BELGIUM: The Law on Electronic Medical Prescription
(By Francois de Clippele)
http://www.arraydev.com/commerce/JIBC/2005-08/EMV.HTM

Health care is one of the most important economic and business areas. The European Union has therefore worked out an e-health care strategy to achieving stronger growth and increased effectiveness of services. The application of information and communications technologies (ICT) that affect the health care sector is developing fast in Europe. In this respect various countries have launched pilot projects in order to modernize their medical prescription practices. A model of the electronic medical prescription must respect patient's rights and can only be deployed in a system of security in order to protect the confidentiality.

CANADA: Trust and Confidence and the Digital Economy: Issues and Challenges
(By Prabir K. Neogi and Arthur J. Cordell)
http://www.arraydev.com/commerce/JIBC/2005-08/Negi.htm

Globalization and technological change continue to profoundly affect economic growth and wealth creation. Information and Communications Technologies (ICTs) have been a key enabler and driver of globalization, which is likely to continue as trade and investment barriers continue to fall and communications become ever cheaper, easier and more functional. Every economy requires a physical, institutional and legal infrastructure, as well as understandable and enforceable marketplace rules, in order to function smoothly. In this paper the authors maintain that such an infrastructure must be developed for the new digital economy and society, one that provides trust and confidence for all those who operate in or are affected by it.

INDIA: Technical and Entrepreneurial Research Information System: An Applied e-Model for Sustainable Entrepreneurship Development
(By Dhrupad Mathur)
http://www.arraydev.com/commerce/JIBC/2005-08/DhrupadMathur.asp

This article stresses on the need for an e-application like Technical and Entrepreneurial Research Information System (TERIS), which enables interaction among academia, industry and various agencies related to researchers for sustainable entrepreneurship development. The functional details of the model are also discussed. This article is based on inputs with reference to the state of Rajasthan. However, the model can very well be replicated elsewhere.

INDIA: A Framework for Evaluating e-Business Models and Productivity Analysis for Banking Sector in India
(BY N.V.M. Rao, Prakash Singh ans Neeru Maheshwari)
http://www.arraydev.com/commerce/JIBC/2005-08/maheshwari.htm

This study is an effort to draw together some of the e-Business models and real-life experiments that has been circling around the e-business models. To study the sweeping changes brought about by e-initiative measures in the banking sector some banks were chosen, from public sector like SBI, BOB etc and from private sector like ICICI, HDFC etc.

MALAYSIA: Do Foreign Banks Lead in Internet Banking Services
(By Boon Han Yeap and Kooi Guan Cheah)
http://www.arraydev.com/commerce/JIBC/2005-08/JIBC_yeap%20&%20cheah.asp

Internet banking has been increasingly used as a delivery channel in retail consumer banking. As far as the provision of internet banking services in developing countries is concerned, foreign banks definitely enjoy distinct advantages over domestic banks due to their experiences in other, more advanced financial markets. This paper reports a study that examined the levels of retail internet banking services provided by foreign and domestic commercial banks in Malaysia over a period of two years. The study found that while foreign banks are marginally more sophisticated at information provision level, domestic banks offer a significantly higher level of transactional facilities in both years.

MALYASIA: Marketing Mix: A Review of "P"
(By Chai Lee Goi)
http://www.arraydev.com/commerce/JIBC/2005-08/goi.HTM

There has been a lot of debate in identifying the list of marketing mix elements. The traditional marketing mix by McCarthy (1964) has regrouped Borden's (1965) 12 elements and has comprised to four elements of product, price, promotion and place. A number of researchers have additionally suggested adding people, process and physical evidence decisions (Booms and Bitner, 1981; Fifield and Gilligan, 1996). The other suggested Ps are personnel, physical assets and procedures (Lovelock, 1996; Goldsmith, 1999); personalization (Goldsmith, 1999); publications (Melewar and Saunders, 2000); partnerships (Reppel, 2003); premium price, preference of company or product, portion of overall customer budget and permanence of overall relationship longevity (Arussy, 2005); and 2P+2C+3S formula (Otlacan, 2005), therefore personalisation, privacy, customer Service, community, site, security and sales promotion.

QATAR: E-Banking Service Quality: Gaps in the Qatari Banking Industry
(By Norizan M. Kassim)
http://www.arraydev.com/commerce/JIBC/2005-08/KassimTry.asp

Financial liberalization and technology revolution have allowed the developments of new and more efficient delivery and processing channels as well as more innovative products and services in banking industry. Banking institutions are facing competition not only from each other but also from non-bank financial intermediaries as well as from alternative sources of financing, such as the capital markets. Another strategic challenge facing banking institutions today is the growing and changing needs and expectations of consumers in tandem with increased education levels and growing wealth. Consumers are becoming increasingly discerning and have become more involved in their financial decisions. For this reason, they are demanding a broader range of products and services at more competitive prices through more efficient and convenient channels. This study investigates the discrepancy between customer's expectation and perception towards the e-banking services.

USA/SINGAPORE: A Case Study of electronic Bill Presentment and Payment (EBPP) Integration Using the CON Mediation Technology
(By Sajindra Jayasena and Stephane Bressan)
http://arraydev.com/commerce/JIBC/2005-08/Jayasema.asp

By its very nature, financial information, like the money that it represents, changes hands. Therefore the interoperation of financial information systems is the cornerstone of the financial services they support. In this paper we illustrate the nature of the problem in the Electronic Bill Presentment and Payment industry. In particular, we describe and analyze the difficulty of the integration of services using four different formats: IFX, OFX and SWIFT standards, and an example proprietary format. We then propose an improved way to accomplish this integration using the Context Interchange (COIN) framework.

Administrative Notice

Journal of Internet Banking and Commerce

JIBC is a leading edge publication that informs banking and electronic commerce professionals and executives on principal developments, benchmark practices, and future trends in the Internet-based marketing practices of governments and industry. This free online interactive journal is a way to keep in touch, to share information, and to establish business contacts (networking) for worldwide professionals that specialize in electronic commerce, governance and banking
solutions.

In JIBC you will find informed discussion of the latest internet-based banking and electronic trends and practices from around the world. Our priority is quality, not quantity. We want to maintain JIBC as a service that provides substantial information and an effective forum for your articles, your letters, your insights and ideas.

JIBC invites banking and electronic commerce professionals, academicians and publishers to submit important announcements, original articles, guest columns and significant feature presentations. We also welcome surveys, book reviews and letters to the Editor. Technical discussions in highly specialized areas of expertise will be kept to an absolute minimum.

JIBC is formally issued three to four times a year when an email summary of current articles is distributed to subscribers. The full text of current articles is posted on the JIBC Web site at
http://www.ARRAYdev.com/commerce/JIBC/current.asp.

The publication is complemented by the Compendium of Internet Banking and Commerce Initiatives at:
http://www.arraydev.com/frames/f-guest_comp.htm.
We invite readers to provide brief descriptions of products, books, and services that they think others will find interesting.

The Journal of Internet Banking and Commerce (JIBC) is provided as a service by ARRAY Development based in Ottawa, Canada. Views expressed are those of the authors and are not necessarily shared by ARRAY Development. Firms or individuals interested in sharing sponsorship of this project may contact array (at) ARRAYdev.com.

The JIBC Web Archive
http://www.arraydev.com/commerce/jibc/articles.htm contains all articles published to date.

You can reach the Editor-in-Chief Nikhil Agarwal with any questions or comments by email at:
nikhil.jibc (at) gmail.com

Publisher Nahum Goldmann is at:
Nahum.Goldmann (at) ARRAYdev.com.

Editorial Board

Publisher and Member of the Editorial Board: Nahum Goldmann

Chief Editor: Nikhil Agarwal

Founding Chief Editor Emeritus and Member of the Editorial Board: Gord Jenkins

Assistant Editor: Xin "Robert" Luo

Mailing List Managing Editor: Anne-Marie Jennings

Contributing Editors
U.K. Contributing Editor: David G.W.Birch
Australia Contributing Editor: Dale Pinto
Japan Contributing Editor: Carin Holroyd
Nordic Countries Contributing Editor: Minna Mattila
Legal Contributing Editor: Edwin Jacobs
Middle East Contributing Editor: Raed Awamleh
Africa Contributing Editor: Alemayehu Molla
France Contributing Editor: Jean-Michel Sahut

Please send any questions related to maintenance of this Web site to:
array (at) ARRAYdev.com

Information and subscription for JIBC mailing list is available via:
http://groups.yahoo.com/group/JIBC/

The Tipping Point - How Good Companies Go Bad and Executives Become Rogues

A new book by Sayles and Smith looking at governance from the angle of Corporate Executives being the bad guys is worth a look. It may do a good job of documenting the problems occuring in US business at the moment and the first chapter is online here:

To find their prescriptions one would presumably have to buy the book. I'm not sure I will as they are very keen to blame the executive, which isn't really going to help. Agency theory suggests that your employees do what you incentivise them to do, and executives are no different. Look instead at the incentives that have been created would be my prescription.

By way of example, on the mutual funds scandal (one that I'm at least passingly familiar with from the US Senate hearings) they write:

What Could Management Have Been Thinking? Here is an example of executives "shooting themselves in the foot," deception and cheating that comes back to whack the originator:

Numerous mutual funds destroyed their reputation by allowing a small number of investors to misuse the funds (by overnight trading and buying and selling at "stale" prices). Funds earned very modest extra management fees by granting these special privileges to hedge funds and a few "select" clients. Their corrupt trading and wrongful pricing cost the other 99% of the funds’ investors dearly. When the corrupt practices were revealed, some funds lost half of the investors’ money. In one case, the value of a fund family to its owners dropped half a billion dollars in a matter of weeks.

Yet as has been pointed out by the founder of Vanguard, John Bogle, in his testimony before the same Senate hearings the problems started when greedy investors forced mutual funds from percentage reward scales over to fixed reward scales. Bogle led Vanguard to be a dominating force in mutual funds and is to some extent viewed as the father of the post-war Mutual Funds industry; his words are worth reading:

March 21, 2004, less than two months from today, will mark the 80th anniversary of America’s first mutual fund. Organized in Boston, Massachusetts Investors Trust (MIT) was a Massachusetts trust managed by its own trustees, who held the power “in their absolute and uncontrolled discretion” to invest its assets. The trustees were to be compensated at “the current bank rate for trustees,” 6% of the investment income earned by the trust.

Our industry began, then, with the formation of a truly mutual mutual fund, one organized, operated and managed, not by a separate management company with its own commercial interests, but by its own trustees; compensated not on the basis of the trust’s principal, but, under traditional fiduciary standards, its income.

Has there been any suggestion that the funds industry go back to percentage rewards and thus encourage the managers to think of the investor?

Nope. Expect more problems then. And the emboldened question above is easily answered: Management was thinking of what you told them to think.

KPMG establishes the price of the get-out-of-jail card

The monopoly game of accounting goes on another round. A few rounds back, Arthur Andersen was knocked out, and now the KPMG is losing its houses on the plush side of the board:

Accounting firm KPMG LLP on Monday agreed to pay $456 million and to cooperate with authorities investigating tax shelter deals. Rival Ernst & Young LLP remains under grand jury investigation for its role in selling shelters.

which works out as $300k per partner for the get-out-of-jail card. Given how much each partner makes per year, this looks like no more than a blip in their yearly income; the more important question is ... whither accounting reputation now?

Serious Financial Cryptographers have always known that accounting practices and audits are but a fig leaf of respectibility. Arthur Andersen seemed to blow away that paltry covering for the first time, according to the public's viewpoint. Above we see that Ernst & Young are also under investigation, and there is every reason to believe that they were all doing it, whatever it was.

What "it" was is somewhat apropos - raking in huge fees for shady transactions. No matter your views on government, taxes and the equally shady concept of trading justice that resulted in a fine but no indictment, what is clear is that the accountants are not serving the public interest.

Serving the public interest by means of public audits is their being and meaning in life. It is the reason they are special, the reason they have privileges and the reason they can ask high fees. It's the reason that the regulator instructs public companies to get audited. It's the reason that any difficult hidden thing gets a secret report from an auditor, for a fat fee.

For this privilege they get to serve the public interest. It is a very easy test to apply and equally easy to see that this not terrifically high standard is not being met by the public auditors.

For this privilege the accountants have earnt huge fees for huge periods. We can fairly comfortably agree that they got out their rewards; no partner at a big N firm could reasonably claim that too much was asked of them for too little pay.

I have no hesitation therefore in stripping from them any specialness and calling for the end to KPMG. And the rest - society needs to move on and consider other ways in which we audit and confirm to our public that what we are doing is in the interests of our shareholders.

I know that ignoring these words is easy - and that "jobs are at stake." But those are poor excuses for supporting a rotten system. Why does a poor job (or worse - basically theft) by the auditors mean that their jobs must be protected?

Before the veins burst, here's today's ludicrous audit news:

CardSystems auditor completes compliance report Thu Sep 1, 2005 11:31 AM ET NEW YORK, Sept 1 (Reuters) - Payments processor CardSystems Solutions Inc., where a security breach exposed more than 40 million credit card accounts to fraud, on Thursday said its auditor had completed a report to payment networks and concluded it complies with industry data-security standards.

CardSystems, which handles payments for more than 119,000 merchants, in July hired AmbironTrustWave, a data security assessment firm, to review its compliance with payment card industry security standards. The report was submitted to MasterCard, Visa, American Express Co. (AXP.N: Quote, Profile, Research) and Morgan Stanley's (MWD.N: Quote, Profile, Research) Discover on Wednesday, as scheduled.

But they already had the t-shirt that said "I got my systems audited and only exposed 40 million accounts..." No mention of what happened to the predecessor auditor. Anyways, back to the the monopoly game, I wonder who's going to pick up Mayfair?

Accountancy Firms - too big to fail

Following the Arthur Andersen collapse, regulators in Europe have made their view known to their opposite numbers in the USA:

"Any reduction in the number of major audit firms could have negative implications, particularly for large companies in the U.K.," stated the U.K. Financial Services Authority, according to the FT. "We will be watching these developments very carefully." An unnamed European Commission official also told the publication: "It was already an issue going down to four [big accounting firms]. Obviously, having only three would be an even bigger problem."

KPMG has been declared too big to fail, thus bringing the big 4 auditors into the very select club of state-protected firms. The problem with this is of course the message that it sends to the world of accountancy. "If we can not be stopped, then we can do what we like."

One has to put this in context - the United States Department of Justice has taken on a tax case against KPMG. To ease the pressure against an expected DoJ indictment, KPMG has declared itself to be in the wrong (and thus made easier the costly process of civil litigation by the people they advised).

The big question is not about the particulars of the case but in how to regulate the market. The regulators are there and regulating; that's a fact, no matter how uncomfortable free market disciples find it. One of the rationales for regulation is that poor behaviour by dominating firms needs to be brought to heel. If as in some industries such as advertising there are no dominating firms, then the market can be expected to find its own solutions because the sector is spoilt for choice. However if the choice is limited to 4 large players acting in concert, we no longer have competition. Hence, regulation, so the rationale goes.

So in declining to bring KPMG to heel, regulators are simply undermining their own role. In choosing to not pursue KPMG to the fullest, they also choose to further weaken the viability of the audit in an efficient market by increasing the privilege available to the big 4.

Why not simply go back to the days of state-sponsored champions and declare auditing to be a protected business? The reason for this is fairly clear - regardless of the KPMG case and its predecessor Arthur Andersen, the big 4 audit sector has lost the faith of the public to deliver a viable honest service. Audits aren't trusted and for obvious agency reasons, so why are regulators bothering with both enforcing the use of an audit and letting the firms get bigger and more powerful?

(FC context - many systems are built with audits inserted to clean up the loose ends, as part of Governance. Now, if one starts from the point of view that audits are bad, one can actually do almost all the functions of audits internally and with ones own users, using modern FC techniques. But we still have to carry the cost of the mandated audit, which means that we are only interested in reducing the 'tax' paid to subsidised auditors.)

Ian Grigg - Triple Entry Accounting

It was widely recognised since David Chaum's designs first appeared that the new 'digital certificate' model of money was not aligned or symmetrical with accounting techniques such as double entry book keeping. Many people expected the two to compete and indeed many money systems avoided combining them; this is I believe one of the few efforts to integrate the two and show them as better in combination than apart.

Triple Entry Accounting

The digitally signed receipt, an innovation from financial cryptography, presents a challenge to classical double entry bookkeeping. Rather than compete, the two melded together form a stronger system. Expanding the usage of accounting into the wider domain of digital cash gives 3 local entries for each of 3 roles, the result of which we call triple entry accounting.

This system creates bullet proof accounting systems for aggressive uses and users. It not only lowers costs by delivering reliable and supported accounting, it makes much stronger governance possible in a way that positively impacts on the future needs of corporate and public accounting.

full paper

Comments below as always!

Two Hot Whistleblowers

The concept of whistleblowing informs our deepest designs. We cannot secure everything, so we go to the next best thing: we document everything. Extraordinarily, we can put together extremely strong systems that use the humble message digest to create chains of signatures and time entanglement, not because this is perfect, but because we know that if someone is looking, they can find.

As our deepest difficulties lie not in external security but in protecting against the insider, audit trails and wide dissemination of information is one of our hottest tools. For the financial cryptographer, our hope is to leave a trail so well buried and indicative that any investigator is supported with some real evidence and doesn't need to rely on anything but the evidence.

That's an ideal, thought, and it doesn't normally happen quite so well. Sometimes spectacularly so. Here are two whistleblowing stories from the US that provide colourful background to our efforts to secure systems and processes.

In what has turned into a festival of hand-wringing moralising, Deep Throat has revealed himself to be Mark Felt, the Deputy Director of the FBI during the Watergate Affair....

Deep Throat was the fabled secret source who prodded the journalists and provided the crucial inside tips to keep the story alive until it swept over and destroyed the corrupt and arrogant administration of Richard Nixon. (See google.news for a squillion articles.)

How could he, write many of Washington's finest. The act of treachery, the traitor!

How could he not? I ask. When your administration is corrupt, what do you do? What is the press for? What is that much exported model of freedom there for if not to dig out the dirt and keep politicians honest? And is Mark Felt an employee of a corrupt administration first and always? Or is he human being, a member of a society? (Americans would ask if he was an American, but that always confuses me.)

I think it is pretty clear that all our institutions, and also our models of financial cryptography support the concept and presence of whistle blowers. It may be hell when he's not on your team, but that's a different issue.

And in story #2, the Arthur Andersen conviction was overturned in the US Supreme Court by a unanimous decision. Arthur Andersen went down with Enron, which was done in by a public whistleblower when other, inside whistleblowers failed to do it.

What can done say about the Supreme Court's ruling - one of the most reputable names in accounting was wiped out by the original decision and now we are told it was wrong?

The obvious - too late for the 28,000 workers - has been written about elsewhere, but I can't help thinking such is simply the wrong way to look at the judicial process. Did it do the right thing or the wrong thing? I can't see the wrong thing having been done here. The prosecutor had a good case, and won the conviction. But he overstepped the mark and now it has been overturned. What else is there to say?

That's the way the process works, it's called checks and balances. If those that think this dreadful mistake means we should scrap the prosecutorial process, or "reel in the prosecution" then they need to think up a process to replace it. Regardless of the 27,000 or however many innocent workers at Arthur Andersen, that company was selling its soul.

So we need a process to stop that, and the current process just happens to do that. Sometimes. If anything, I think we need another big N accounting firm to go down for just such another scandal, as we know they were *all* doing it (as I've oft reported, I know all but one were doing it, and I just never heard what the other one was doing...).

Literally, yes, if the system needs to work that way, we need another 27,000 innocents to be turned onto the streets in order to get the message to the 1000 or so bad apples who will lie and cheat and basically sell their company's reputation for 30 pieces of silver. Remember, there are thousands of shareholders and the millions of california tax payers who also lost big time, and nobody's bemoaning their fate much. And nobody owns a job, whether they work for a corrupt company or an honest one.

But I'm all ears to a better system. Many older and legacy systems think they can protect themselves with an audit, and for the sake of all those who think that, well, their only real defence is an occasional spectacular bust of those selling unreliable audits. Or, to get serious about auditing and learn about financial cryptography :-)