In the light of yesterday's newly revealed attack by the NSA on Internet standards, what are the systemic problems here, if any?
I think we can question the way the IETF is approaching security. It has taken a lot of thinking on my part to identify the flaw(s), and not a few rants, with many and aggressive defences and counterattacks from defenders of the faith. Where I am thinking today is this:
First the good news. The IETF's Working Group concept is far better at developing general standards than anything we've seen so far (by this I mean ISO, national committees, industry cartels and whathaveyou). However, it still suffers from two shortfalls.
1. the Working Group system is more or less easily captured by the players with the largest budget. If one views standards as the property of the largest players, then this is not a problem. If OTOH one views the Internet as a shared resource of billions, designed to serve those billions back for their efforts, the WG method is a recipe for disenfranchisement. Perhaps apropos, spotted on the TLS list by Peter Gutmann:
Documenting use cases is an unnecessary distraction from doing actual work. You'll note that our charter does not say "enumerate applications that want to use TLS".
I think reasonable people can debate and disagree on the question of whether the WG model disenfranchises the users, because even though a a company can out-manouver the open Internet through sheer persistence and money, we can still see it happen. In this, IETF stands in violent sunlight compared to that travesty of mouldy dark closets, CABForum, which shut users out while industry insiders prepared the base documents in secrecy.
I'll take the IETF any day, except when...
2. the Working Group system is less able to defend itself from a byzantine attack. By this I mean the security concept of an attack from someone who doesn't follow the rules, and breaks them in ways meant to break your model and assumptions. We can suspect byzantium disclosures in the fingered ID:
The United States Department of Defense has requested a TLS mode which allows the use of longer public randomness values for use with high security level cipher suites like those specified in Suite B [I-D.rescorla-tls-suiteb]. The rationale for this as stated by DoD is that the public randomness for each side should be at least twice as long as the security level for cryptographic parity, which makes the 224 bits of randomness provided by the current TLS random values insufficient.
Assuming the story as told so far, the US DoD should have added "and our friends at the NSA asked us to do this so they could crack your infected TLS wide open in real time."
Such byzantine behaviour maybe isn't a problem when the industry players are for example subject to open observation, as best behaviour can be forced, and honesty at some level is necessary for long term reputation. But it likely is a problem where the attacker is accustomed to that other world: lies, deception, fraud, extortion or any of a number of other tricks which are the tools of trade of the spies.
Which points directly at the NSA. Spooks being spooks, every spy novel you've ever read will attest to the deception and rule breaking. So where is this a problem? Well, only in the one area where they are interested in: security.
Which is irony itself as security is the field where byzantine behaviour is our meat and drink. Would the Working Group concept past muster in an IETF security WG? Whether it does or no depends on whether you think it can defend against the byzantine attack. Likely it will pass-by-fiat because of the loyalty of those involved, I have been one of those WG stalwarts for a period, so I do see the dilemma. But in the cold hard light of sunlight, who is comfortable supporting a WG that is assisted by NSA employees who will apply all available SIGINT and HUMINT capabilities?
Can we agree or disagree on this? Is there room for reasonable debate amongst peers? I refer you now to these words:
On September 5, 2013, the New York Times , the Guardian  and ProPublica  reported the existence of a secret National Security Agency SIGINT Enabling Project with the mission to “actively [engage] the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs.” The revealed source documents describe a US $250 million/year program designed to “make [systems] exploitable through SIGINT collection” by inserting vulnerabilities, collecting target network data, and influencing policies, standards and specifications for commercial public key technologies. Named targets include protocols for “TLS/SSL, https (e.g. webmail), SSH, encrypted chat, VPNs and encrypted VOIP.”
The documents also make specific reference to a set of pseudorandom number generator (PRNG) algorithms adopted as part of the National Institute of Standards and Technology (NIST) Special Publication 800-90  in 2006, and also standardized as part of ISO 18031 . These standards include an algorithm called the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC). As a result of these revelations, NIST reopened the public comment period for SP 800-90.
And as previously written here. The NSA has conducted a long term programme to breach the standards-based crypto of the net.
As evidence of this claim, we now have *two attacks*, being clear attempts to trash the security of TLS and freinds, and we have their own admission of intent to breach. In their own words. There is no shortage of circumstantial evidence that NSA people have pushed, steered, nudged the WGs to make bad decisions.
I therefore suggest we have the evidence to take to a jury. Obviously we won't be allowed to do that, so we have to do the next best thing: use our collective wisdom and make the call in the public court of Internet opinion.
My vote is -- guilty.
One single piece of evidence wasn't enough. Two was enough to believe, but alternate explanations sounded plausible to some. But we now have three solid bodies of evidence. Redundancy. Triangulation. Conclusion. Guilty.
Where it leaves us is in difficulties. We can try and avoid all this stuff by e.g., avoiding American crypto, but it is a bit broader that that. Yes, they attacked and broke some elements of American crypto (and you know what I'm expecting to fall next.). But they also broke the standards process, and that had even more effect on the world.
It has to be said that the IETF security area is now under a cloud. Not only do they need to analyse things back in time to see where it went wrong, but they also need some concept to stop it happening in the future.
The first step however is to actually see the clouds, and admit that rain might be coming soon. May the security AD live in interesting times, borrow my umbrella?
How fast does an alternative payment system take to join the mainstream? With Paypal it was less than a year; when they discovered that the palm pilot users were preferring the website, the strategy switched pretty quickly. With goldmoney it was pretty much instant, with e-gold, they never achieved it.
With Bitcoin's new announcement, we can mark their intent as around four years or so. Belated welcome is perhaps due, if one thinks the mainstream is actually the place to be. Many do, although I have my reservations on this point and it is somewhat of a surprise to read of Bitcoin's choice of merchant authentication mechanism:
Everyone seems to agree - the public key infrastructure, that network of certificate authorities that stands between you and encrypting your website, sucks.
It’s too expensive. CA’s don’t do enough for the fees they charge. It’s too big. There isn’t enough competition. It’s compromised by governments. The technology is old and crusty. We should all use PGP instead. The litany of complaints about the PKI is endless.
In recent weeks, the Bitcoin payment protocol (BIP 70) has started to roll out. One of the features present in version 1 is signing of payment requests, and the mechanism chosen was the SSL PKI.
Mike Hearn then goes on to describe why they have chosen the SSL PKI. The description reads like a mix between an advertisement, an attack on the alleged alternates (such as they are) and an apology. Suffice to say, he gets most of the argumentation as approximately right & wrong as 99% of the experts in the field do.
Several things stand out. I read from the article that there was little attempt to explore what might be called the "own alternative." From this I wonder if what is happening is that a conservative inner group are actually trying to push Bitcoin faster into the mainstream?
Choosing to push merchants to SSL PKI authentication would certainly be one way to do it. However, this is a dangerous strategy, and what I didn't see addressed was the vector of control issue. This was a surprise, so I'll bring it out.
A danger with stated approach is that it opens up a clear attack on every merchant. Right now, merchants deal under the radar, or can do so, and caveat emptor widely rules in Bitcoinlandia. Once merchants are certified to trade by the CAs however, there is a vector of identification, and permission. There is evidence. Requirements for incorporation. There are trade records and trade purposes.
And, there is a CA which has ... what?
Terms & conditions. Unfortunately, T&C in the CA industry are little known, widely ignored, and not at all understood. Don't believe me? Ask anyone in the industry for a serious discussion about the legal contracts behind PKI and you will hear more stoney silence than if you'd just proven to the UN that global warming was another malthusian plot to prepare the world for the invasion of Martians. Still don't believe me? Check what CABForum's documents say about them. Stoney silence, in words.
But they are real, they exist, and they are forceful. They are very intended, as even when CAs don't understand them themselves, they mostly end up copying them.
One thing you will find in them is that most CAs will decline to do business with any person or party that does something illegal. Skipping the whys and wherefores, this means that any agency can complain to any CA about a merchant on any basis ("hasn't got a license in my state to do some random thing") and the CA is now in a tricky position. Tricky enough to decide where its profits come from.
Now, we hope that most merchants are honest and legal, and as mentioned above, maybe the strategy is to move in that direction in a more forceful way. The problem is that in the war against Bitcoin, as yet undeclared and still being conducted under diplomatic cover, any claim of illegality will take on a sort of state-credibility, and as we know when the authorities say that a merchant is acting against the law, the party is typically seen to be guilty until proven innocent &/or bankrupt. Factor in that it is pretty easy for an agency to take a line that Bitcoin is illegal per se. Factor in that all commercial CAs are now controlled via CABForum and are all aligned into one homogoneous equivalency (forget talk of competition, pah-lease...). Factor in that one sore thumb isn't worth defending, and sets a precedent. We should now see that all CAs will slowly but surely feel the need to mitigate against the threat to their business that is Bitcoin.
It won't be that way to begin with. One thing that Bitcoiners will be advised to do is to get a CA in a safe and remote country, one with spine. That will last for a while. But the forces will build up. The risk is that one day, the meme will spread, "we're not welcoming that business any more."
In military strategy, they say that the battle is won by the general that imposes his plan over the opponent, and I fear that choosing the SSL PKI may just be the opponent's move of choice, not Bitcoin's move of choice, no matter how attractive it may appear.
But what's the alternative, Mike Hearn asks? His fundamental claim seems to stand: there isn't a clear alternative.
This is true. If you ignore Bitcoin's purpose in life, if you ignore your own capabilities and you ignore your community, then ... I agree! If you ignore CAcert, too, I agree. There is no alternate.
But what would happen if you didn't ignore these things? Bitcoin's community is ideally placed to duplicate the system. We know this because it's been done in the past, and the text book is written. Indeed, long term readers will know that I am to some extent just copying the textbook in my current business, and I can tell you it certainly isn't as hard as getting Bitcoin up and rolling.
Capabilities? Well, actually when it comes to cryptographic protocols and reliable transactions and so forth, Bitcoin would certainly be in the game. I'm not sure why they would be so shy of this, as they are almost certainly better placed in this game than all the other CAs except perhaps the very biggest, and even that's debatable because it's been a long time since the biggest actually had the staff and know-how to do any game-changing. Bitcoin has got the backing of google who almost certainly have more knowledge about this stuff than all the CAs combined, and most of the vendors as well (OK, so Microsoft might give them a run for their money if they could get out of the stables).
They've got the mission, the community, the capabilities and the textbook. Why then not? This is why I think that Bitcoin people have made a strategic decision to join the mainstream. If that's the case, then good luck, but boy-oh-boy! are they playing high-stakes poker here.
Old Chinese curse: be careful what you wish for.
This was a draft of an article now published in Bitcoin Magazine. That latter is somewhat larger, updated and has some additional imagery.
MtGox, the Bitcoin exchange, is in the news again, this time for collapsing. One leaked report maintains that MtGox may only have 2,000 Bitcoins in reserve over against 744,408 BTC in liabilities - which indicates a reserve of less than 1%.
MtGox originally claimed that their troubles stem from a long-term exploit of the evil malleability bug, which was exploited by means of repeated double spending through an algorithm. However a loss of 99.7% of their reserves cannot be attributed to some mere market timing bug. It is clear that the failure of MtGox is a failure of governance.
Trust Shall Not Live by Tech Alone
One of the temptations for applied cryptographers is to think that we can solve all problems with clever mathematics and inspired code. Thus there has been much discussion over the past two decades about using cryptography to build trust models that work for untrusted parties over the Internet.
This hope in cryptography is misplaced, and often dangerously so. In the first generation of the Internet, SSL was promoted to solve the trust and security problem. However, it failed to do that. Although it secured the line of communications, it left the end-points open to attack, and failed to solve the problem of knowing who the person at an end-point really is.
As history shows, and MtGox confirms, the end-point security question is by far the dominating one, and thus we saw the rise of phishing attacks, “man in the browser” attacks, and server breaches throughout the 2000’s. Yet, SSL remains synonymous with Internet e-commerce security, and its very domination is a blindness that attackers benefit from.
Bitcoin can be broadly described as an attempt to solve the problem of governance of a centralised issuer of currency through technology. By using a common protocol to manage a public blockchain, we can make sure everyone follows the rules and make it technically impossible to issue more Bitcoins than the protocol has decreed shall ever exist.
However, like SSL, Bitcoin’s solution to the issuance problem has left open the weaker parts of the system to continued attack. In order to provide useful Bitcoin services, businesses must hold the users’ Bitcoins and/or their cash in trust. These businesses, such as exchanges, brokerages, online wallets, retail, etc, are at risk from insider theft, external hacking and loss through poor accounting.
Bitcoin’s brilliant design for issuance governance may have obscured a complete lack of protection for end-point governance.
How can a user trust a person to protect his or her value?
This is not a new problem for finance. It is called the “agency problem” in reference to the fact that an agent acts for the user as a trusted intermediary. Institutions in the finance space have been dealing with the issue of trusted intermediaries for millennia. This field is broadly called “governance” and has many well known methods for achieving accountability and reliability for fiduciary institutions.
Drawing from “Financial Cryptography in Seven Layers,” Governance includes the following techniques:
- Escrow of value with trusted third parties. For example, funds underlying a dollar currency would be placed in a bank account.
- Separation of powers: routine management from value creation, authentication from accounting, systems from marketing.
- Dispute resolution procedures such as mediation, arbitration, ombudsman, judiciary, and force.
- Use of third parties for some part of the protocol, such as creation of value within a closed system.
- Auditing techniques that permit external monitoring of performance and assets.
- Reports generation to keep information flowing to interested parties. For example, user-driven display of the reserved funds against which a currency is backed.
As technologists, we strive to make the protocols that we build as secure and self-sustaining as possible; our art is expressed in pushing problem resolution into the lower layers. This is an ideal, however, to which we can only aspire; there will always be some value somewhere that must be protected by non-protocol means.
Our task is made easier if we recognise the existence of this gap in the technological armoury, and seek to fill it with the tools of Governance. The design of a system is often ultimately expressed in a compromise between Governance and the lower layers: what we can do in the lower layers, we do; and what we cannot is cleaned up in Governance.
The question then is how to bring those practices into a digital accounting and payment system.
To address this weakness of customer escrowed funds, back in the late 1990’s we developed a governance technique for digital currency that we called the “Five Parties Governance Model.” (This model was built into the digital currency platform that we designed for exchange, called “Ricardo”.)
The five parties model shares the responsibility and roles for protection of value amongst five distinct parties involved in the transactions. Although originally designed to protect an entire digital issuance, a problem that Bitcoin addressed with its public blockchain and its absence of an asset redemption contract, this technique can be broadly applied to many problems such as that which has brought MtGox down.
The Five Parties Model (5PM)
In terms of a cryptocurrency issuance with a single issuer (Ricardo model), the Five Parties Model looks like this (Figure 1).
Issuer. The Issuer is the institution guaranteeing the contract with the User. This is the person or entity ultimately responsible for the assets and whether the governance succeeds or fails.
In the present case, MtGox is the contractual party that is guaranteeing to deliver an exchange of value, and in the mean time keep those values secure. In Ricardo the Issuer is the party who defines and offers the contract for a particular issuance, which contract creates the rules that govern the five parties.
As can be seen from the following screen capture taken from the Internet Archive, MtGox did in fact have a contract with the users to fully reserve their internal Bitcoin and currency accounts:
However, as an Issuer, MtGox appears to have failed to implement internal controls to put the other four parties into place.
Trustee. In a digital value scenario, there is always a Trustee role that controls creation or release of long-term funds. For MtGox, this Trustee might be the person who signs off on outgoing wires and outgoing Bitcoin payments, or it might be the person who creates or deletes the derivative monetary units (BTC,LTC,EUR,USD,etc) inside the exchange’s books.
For a cryptocurrency that contracts to an underlying asset, the Trustee’s account, sometimes known as the Mint account, is the only one that has the ability to create or destroy digital units of value, as that underlying asset pool increases or decreases. For a cryptocurrency without a contractual underlying, the protocol itself can stand in the person’s stead by employing an algorithm such as Bitcoin’s mining rewards program.
Manager. The manager is the person or entity, usually an employee of the Issuer, who asks the Trustee to perform the big controlled operations: create or destroy digital assets, or deposit or withdraw physical ones, in order to reflect the overall pattern of trading activities.
The Manager typically works on a daily trading basis. As funds come in and go out, some of these request match each other. For a perfect balance, nothing needs to be done, but normally there is an overall flow in one direction or another. As trading balances build up or draw down, the Manager asks the Trustee to authorise the conversion of daily trading assets against the long-term reserves.
In the MtGox context, when BTC is flowing out and cash is flowing in, the Manager would ask the Trustee to release the BTC from the cold wallets, and would deliver cash into the long-term sweep accounts held at bank under the Trustee’s control. The Trustee would control that action by looking at the single transfer into the sweep account to confirm the transaction is backed by assets.
In the context of an issuance of digital gold, the Manager might receive an inflow of a 1kg physical bar. The Manager must bail the physical gold into the vault, and present the receipt to the Trustee. With that receipt in hand, and any other checks desired, the Trustee can now release 1kg of freshly-minted digital gold to the Manager’s Account.
The Manager is in this way guarded by the Trustee, but it works the other way as well. In a well-governed system, the Trustee can only direct value to be sent to the Manager. In this way, the Trustee cannot steal the value under trust, without conspiring with the Manager; a well-run business will keep these two parties at a distance and bound to govern each other by various techniques such as professional conduct codes.
For example, Ricardo has an ability to lock the Mint’s account together with the Manager’s account in this fashion. Bitcoin lacks account-control features, but there is no reason that MtGox could not have implemented account-control for their internal Bitcoin accounts.
Operator / Escrow / Vault. For a cryptocurrency, the operator is the part of the business ensuring that the servers and the software are running and properly doing their job. By outsourcing this to a third party, we add another degree of separation of powers to the governance model.
In the case of Ricardo and similar contractually-controlled issuances, there is generally a single server cluster that maintains the accounts. The sysadmin for this server controls the accounts and ensures that no phantom accounts or transactions are let in; software designs assist by including techniques such as triple entry accounting, which guarantees that only original users can create signed instructions to transfer value with their private keys.
For the physical side of a digital issuance such as gold, a vault fills the operator role. In the case of GoldMoney.com the vault operator is ViaMat. They don’t do anything with the client’s gold unless they receive a signed instruction from the Trustee. They just keep thieves from physically stealing it.
Bitcoin is very different in this respect in that it creates the public blockchain as the accounting mechanism. In this case, the operator role is not outsourced to one party, rather it is spread across the miners, the software and the development team, presenting a very strong governance equation over operator malfeasance.
For a business such as MtGox, the operators or escrows are two-fold. On the one part is the bank providing accounts, and especially the primary account holding long term cash reserves. On the other part, as an exchange provider, is the set of cold wallets holding long term BTC.
The Fifth Party - The Public as Auditor. The final and most important element of the Five Parties Model is the role of the Public as auditor.
Typically, the role of audit is to examine the books to validate that the other parties are indeed doing their job. As is covered elsewhere (Audit), paid auditors have a long-term conflict of interest, which has been at the root of several notable disasters in the last decade - the failure of Enron, the wholesale bankruptcy of banking in 2007 financial crisis, the collapse of AIG, none of which auditors rang the bell for.
Auditors, as well as being conflicted, are also expensive, which leads to the search for alternates. Once we have mined the cryptographic techniques available to us, we are still left with a set of things we cannot control so easily. What then?
Introducing you, the user, or the Public. You do not have a conflict of interest, in that it is your value at risk, and you have a strong interest in seeing that the other four parties are doing their job properly. Which then begs the question of how you, the public, can audit anything, when audit almost by definition means seeing that which cannot be seen?
The answer is to make that which was previously unseen, seen. Some examples of digital currencies that have supported audit by you the Public include:
Two-Sided Variation on the Five Parties Model
The Five Parties Model is just and exactly that - a model. Which means there are variations and limitations, and a business must modify it to suit. For example, many businesses in the space have not one but two bases of value to control: an underlying asset and a digital issuance. Bitcoin Exchanges fall into this category, for example.
When an Issuer is backing the digital currency with a reserve asset, both of these assets need to be protected. To do this, we utilise two instances of the Five Parties Model in a mirrored pair. In each, the Issuer and the Public act as parties on both sides, whereas the Trustee, the Operator and the Manager may be duplicated (or not). Figure 3 shows an arrangement where a single Manager works with mirrored Operators and Trustees.
An exchange such as MtGox would have had an even more complicated regime. For every one of their assets - BTC, Altcoins, USD, EUR, JPY, etc, they would have needed to delegate operators, trustees and managers. We as users expect they did that, which then leaves us with a question -- what went wrong?
MtGox Failed Because Nobody Was Watching Them
We can now measure MtGox against the governance picture drawn above. Although originally developed for an issuance, the model applies wherever there is an important asset to protect.
As a business, the role of Issuer is relatively easy to identify - the company MtGox itself. Their terms and conditions constituted a clear contract between themselves and the users, where MtGox would hold the user’s Bitcoin assets in reserve.
Likewise, the Operator for cash is clear: the banks holding the long-term value are presumably identifiable via incoming and outgoing wires. MtGox had transactions going in and out for some time, so Managers are in evidence. The Operator for the long-term BTC cold wallets is the Bitcoin network itself.
What about Trustees? Although MtGox has repeatedly placed blame on their in-house operations team for various hacks and bugs, it is rather more likely that they fell short on the appointment and management of Trustees.
Somehow, the Management created for themselves 744,408 BTC on their internal books against an underlying reserve of only 2,000 actual Bitcoins, which should have been an obvious disaster to all. If this is the case, this suggests that no Trustees were appointed at all, and Managers were essentially uncontrolled.
Finally, the Public as auditor is not in evidence. MtGox on their website did not show the balances of any of their major asset classes, nor provide any easy way to ensure that their parties are doing their job.
Ideally, MtGox would have displayed a balance sheet with references to cold wallets on one side, and their internal Bitcoin/Altcoin balances on the other side. The former is checkable via the blockchain, the latter could be made available by the operator, and periodically audited to ensure the code providing the balance query was accurate.
With this information, you the Public as individuals or as media or other observers can verify that things are as they should be, and if not, sound the alarm! That’s what Twitter is for, that’s what sites such as DGCMagazine.com, CoinDesk.com and BitcoinMagazine are for.
Under such circumstances failure might be expected and indeed may be inevitable. As MtGox did not have a sufficient governance model in place, we might have been disconcerted to learn that more than $300 million worth of Bitcoin managed to disappear, but we should also be aware that we may ultimately blame our own failure to insist on good governance.
What other players in the Bitcoin world will fall for the same lack of care? You, the fifth party, the auditing Public would be well advised to review all of your Bitcoin partners to see what forms of governance they use, and to choose wisely. It is your value at risk, and demanding quality governance such as is outlined above is your right.
If you read only one thing this weekend, read this.
This is why the 2007 crisis was not resolved. This is why we now socialize their losses, but leave them their profits. This is why it is impossible to fix, and the only game in town is predicting which economy is toast, this weekend, and which investment bank is making monopoly profits while being technically bankrupt.
It is likely impossible to roll back the USA's lifting of the Glass-Steagall barrier, which is in other places known as sound banking. How one deals with a world in which banking is morphing into industrial combines with infinite and free capital is beyond my small brain; we need something like bitcoin, but much stronger.
Hack on, your code may save society as we know it.
The entire Digital Evidence and Electronic Signature Law Review is now available as open source for free here:
Current Issue Archives
All of the articles are also available via university library electronic subscription services which require accounts:
EBSCO Host HeinOnline v|lex (has abstracts)
If you know of anybody that might have the knowledge to consider submitting an article to the journal, please feel free to let them know of the journal.
This is significant news for the professional financial cryptographer! For those who are interested in what all this means, this is the real stuff. Let me explain.
Back in the 1980s and 1990s, there was a little thing called the electronic signature, and its RSA cousin, the digital signature. Businesses, politicians, spooks and suppliers dreamed that they could inspire a world-wide culture of digitally signing your everything with a hand wave, with the added joy of non-repudiation.
They failed, and we thank our lucky stars for it. People do not want to sign away their life every time some little plastic card gets too close to a scammer, and thankfully humanity had the good sense to reject the massively complicated infrastructure that was built to enslave them.
However, a suitably huge legacy of that folly was the legislation around the world to regulate the use of electronic signatures -- something that Stephen Mason has catalogued here.
In contrast to the nuisance level of electronic signatures, in parallel, a separate development transpired which is far more significant. This was the increasing use of digital techniques to create trails of activity, which led to the rise of digital evidence, and its eventual domination in legal affairs.
Digital discovery is now the main act, and the implications have been huge if little understated outside legal circles, perhaps because of the persistent myth in technology circles that without digital signatures, evidence was worth less.
Every financial cryptographer needs to understand the implications of digital evidence, because without this wisdom, your designs are likely crap. They will fail when faced with real-world trials, in both senses of the word.
I can't write the short primer on digital evidence for you -- I'm not the world's expert, Stephen is! -- but I can /now/ point you to where to read.That's just one huge issue, hitherto locked away behind a hugely dominating paywall. Browse away at all 10 issues!
Many systems are built on existing trust relationships, and understanding these is often key to their long term success or failure. For example, the turmoil between OpenPGP and x509/PKI can often be explained by reference to their trust assumptions, by comparing the web-of-trust model (trust each other) to the hierarchical CA model (trust mozilla/microsoft/google...).
In informal money systems such as LETS, barter circles and community currencies, it has often seemed to me that these things work well, or would work well, if they could leverage local trust relationships. But there is a limit.
To express that limit, I used to say that LETS would work well up to maybe 100 people. Beyond that number, fraud will start to undermine the system. To put a finer point on it, I claimed that beyond 1000 people, any system will require an FC approach of some form or other.
Now comes some research that confirms some sense of this intuition, below. I'm not commenting directly on it as yet, because I haven't the time to do more than post it. And I haven't read the paper...
'Money reduces trust' in small groups, study shows
By Melissa Hogenboom Science reporter, BBC News
People were more generous when there was no economic incentive
A new study sheds light on how money affects human behaviour.
Exchanging goods for currency is an age old trusted system for trade. In large groups it fosters co-operation as each party has a measurable payoff.
But within small groups a team found that introducing an incentive makes people less likely to share than they did before. In essence, even an artificial currency reduced their natural generosity.
The study is published in journal PNAS.
When money becomes involved, group dynamics have been known to change. Scientists have now found that even tokens with no monetary value completely changed the way in which people helped each other.
Gabriele Camera of Chapman University, US, who led the study, said that he wanted to investigate co-operation in large societies of strangers, where it is less likely for individuals to help others than in tight-knit communities.
The team devised an experiment where subjects in small and large groups had the option to give gifts in exchange for tokens.
- Participants of between two to 32 individuals were able to help anonymous counterparts by giving them a gift, based solely on trust that the good deed would be returned by another stranger in the future
- In this setting small groups were more likely to help each other than the larger groups
- In the next setting, a token was added as an incentive to exchange goods. The token had no cash value
- Larger groups were more likely to help each other when tokens had been added, but the previous generosity of smaller groups suffered
They found that there was a social cost to introducing this incentive. When all tokens were "spent", a potential gift-giver was less likely to help than they had been in a setting where tokens had not yet been introduced.
The same effect was found in smaller groups, who were less generous when there was the option of receiving a token.
"Subjects basically latched on to monetary exchange, and stopped helping unless they received immediate compensation in a form of an intrinsically worthless object [a token].
"Using money does help large societies to achieve larger levels of co-operation than smaller societies, but it does so at a cost of displacing normal of voluntary help that is the bread and butter of smaller societies, in which everyone knows each other," said Prof Camera.
But he said that this negative result was not found in larger anonymous groups of 32, instead co-operation increased with the use of tokens.
"This is exciting because we introduced something that adds nothing to the economy, but it helped participants converge on a behaviour that is more trustworthy."
He added that the study reflected monetary exchange in daily life: "Global interaction expands the set of trade opportunities, but it dilutes the level of information about others' past behaviour. In this sense, one can view tokens in our experiment as a parable for global monetary exchange."
Sam Bowles, of the Santa Fe Institute, US, who was not involved with the study, specialises in evolutionary co-operation.
He commented that co-operation among self-interested people will always occur on a vast scale when "helping another" consists of exchanging a commodity that can be bought or sold with tokens, for example a shirt.
"The really interesting finding in the study is that tokens change the behavioural foundations of co-operation, from generosity in the absence of the tokens, to self-interest when tokens are present."
"It's striking that once tokens become available, people generally do not help others except in return for a token."
He told BBC news that it was evidence for an already observed phenomenon called "motivational crowding out, where paying an individual to do a task which they had already planned to do free of charge, could lead people to do this less".
However, Prof Bowles said that "most of the goods and services that we need that make our lives possible and beautiful are not like shirts".
"For these things, exchanging tokens could never work, which is why humans would never have become the co-operative species we are unless we had developed ethical and other regarding preferences."
The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post.
The process is by direct connection to the servers, and requires no intervention by the companies:
Equally unusual is the way the NSA extracts what it wants, according to the document: “Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.”
Dropbox, the cloud storage and synchronization service, is described as “coming soon.”
From outside direct access might appear unusual, but it is actually the best way as far as the NSA is concerned. Not only does it give them access at Level Zero, and probably better access than the company has itself, it also provides the victim supplier plausible deniability:
“We do not provide any government organization with direct access to Facebook servers,” said Joe Sullivan, chief security officer for Facebook. ....
“We have never heard of PRISM,” said Steve Dowling, a spokesman for Apple. “We do not provide any government agency with direct access to our servers, ..." ....
“Google cares deeply about the security of our users’ data,” a company spokesman said. “We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.”
Microsoft also provided a statement: “.... If the government has a broader voluntary national security program to gather customer data we don’t participate in it.”
Yahoo also issued a denial. “Yahoo! takes users’ privacy very seriously,” the company said in a statement. “We do not provide the government with direct access to our servers, systems, or network.”
How is this apparent contradiction possible? It is generally done via secret arrangements not with the company, but with the employees. The company does not provide back-door access, but the people do. The trick is to place people with excellent tech skills and dual loyalties into strategic locations in the company. These 'assets' will then execute the work required in secret, and spare the company and most all of their workmates the embarrassment.
Patriotism and secrecy are the keys. The source of these assets is easy: retired technical experts from the military and intelligence agencies. There are huge numbers of these people exiting out of the armed forces and intel community every year, and it takes only a little manipulation to present stellar CVs at the right place and time. Remember, the big tech companies will always employ a great CV that comes highly recommended by unimpeachable sources, and leapfrogging into a stable, very well paid civilian job is worth any discomfort.
Everyone wins. It is legal, defensible and plausibly deniable. Such people are expert at keeping secrets -- about their past and about their current work. This technique is age-old, refined and institutionalised for many a decade.
Questions remain: what to do about it, and how much to worry about it? Once it has started, this insertion tactic is rather difficult to stop and root out. At CAcert, we cared and a programme developed over time that was strong and fair -- to all interests. Part of the issue is dealing with the secrecy of it all:
Government officials and the document itself made clear that the NSA regarded the identities of its private partners as PRISM’s most sensitive secret, fearing that the companies would withdraw from the program if exposed. “98 percent of PRISM production is based on Yahoo, Google and Microsoft; we need to make sure we don’t harm these sources,” the briefing’s author wrote in his speaker’s notes.
But for the big US companies, is it likely that they care? Enough? I am not seeing it, myself, but if they are interested, there are ways to deal with this. Fairly, legally and strongly.
How much should we worry about it? That depends on (a) what is collected, (b) who sees it, and (c) who's asking the question?
There has been “continued exponential growth in tasking to Facebook and Skype,” according to the PRISM slides. With a few clicks and an affirmation that the subject is believed to be engaged in terrorism, espionage or nuclear proliferation, an analyst obtains full access to Facebook’s “extensive search and surveillance capabilities against the variety of online social networking services.”
According to a separate “User’s Guide for PRISM Skype Collection,” that service can be monitored for audio when one end of the call is a conventional telephone and for any combination of “audio, video, chat, and file transfers” when Skype users connect by computer alone. Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms.
Firsthand experience with these systems, and horror at their capabilities, is what drove a career intelligence officer to provide PowerPoint slides about PRISM and supporting materials to The Washington Post in order to expose what he believes to be a gross intrusion on privacy. “They quite literally can watch your ideas form as you type,” the officer said.
Live access to everything, it seems. So who sees it?
My rule of thumb was that if the information stayed in the NSA, then that was fine. Myself, my customers and my partners are not into "terrorism, espionage or nuclear proliferation." So as long as there is a compact with the intel community to keep that information clean and tight, it's not so worrying to our business, our privacy, our people or our legal situation.
But there is no such compact. Firstly, they have already engaged the FBI and the US Department of Justice as partners in this information:
In exchange for immunity from lawsuits, companies such as Yahoo and AOL are obliged to accept a “directive” from the attorney general and the director of national intelligence to open their servers to the FBI’s Data Intercept Technology Unit, which handles liaison to U.S. companies from the NSA. In 2008, Congress gave the Justice Department authority for a secret order from the Foreign Surveillance Intelligence Court to compel a reluctant company “to comply.”
Anyone with a beef with the Feds is at risk of what would essentially be a corrupt bypass of the legal justice system of fair discovery (see this for the start of this process).
Secondly, their credibility is zero: The NSA has lied about their access. They have deceived most if not all employees of the companies they have breached. They've almost certainly breached the US constitution and the US law in gaining warrant-free access to citizens. Dismissively. From the Guardian:
"Fisa was broken because it provided privacy protections to people who were not entitled to them," the presentation claimed. "It took a Fisa court order to collect on foreigners overseas who were communicating with other foreigners overseas simply because the government was collecting off a wire in the United States. There were too many email accounts to be practical to seek Fisas for all."
The FISA court that apparently governs their access is evidently ungovernable, as even members of Congress cannot breach its secrecy.
And that's within their own country -- the NSA feels that it is under no such restrictions or niceties outside their own country.
A reasonable examination of the facts and the record of the NSA (1, 2, 3) would therefore conclude that they cannot be trusted to keep the information secret. American society should therefore be worried. Scared, even. The risk of corruption of the FBI is by itself enough to pull the plug on not just this programme, but the system that allowed it to arise.
What does it mean to foreign society, companies, businesses, and people? Not a lot different as all of this was reasonable anyway. Under the history-not-rules of foreign espionage, anything goes. The only difficulty likely to be experienced is when the NSA conspires with American companies to benefit them both, or when American assets interfere with commercial businesses that they've targetted as assisting enemies.
One thing that might now get a boost is the Internet in other countries:
The presentation ... noted that the US has a "home-field advantage" due to housing much of the internet's architecture.
Take note, the rest of the world!
Yes, it's the first of May, also known as May Day, and the communist world's celebration of the victory over capitalism. Quite why MayDay became the international distress message over radio is not known to me, but I'd like to know!
The bank went through their customer base and identified which businesses were asset rich and cash poor.
Typically, the SME (small to medium enterprise) would require funding for expansion or to cover short term exposures, and the bank’s relationship manager would work with the business owner on a loan funding cover.
The loan may be for five or ten years, and the relationship manager would often call the client after a short time and say “congratulations, you’ve got the funding”.
The business owner would be delighted and would start committing the funds.
This would start the process of the disturbance sale of the IRSA.
The rest you can imagine - the bank sold an inappropriate derivative with false information, and without advising the customer of the true costs. This time however the costs were more severe, as it seems that many such businesses went out of business in whole or in part because of the dodgy sale.
In particular, the core issue is that no-one has defined whether the bank will be responsible for contingent liabilities.
The liabilities are for losses made by those businesses that were mis-sold these products and, as a result, have now gone into bankruptcy or been constrained so much that they have been unable to compete or grow their business as they would have if they had not taken these products.
Ouch! I have to applaud Chris Skinner and the Financial Services Club here for coming forth with this information. It is time for society to break ranks here and start dealing with the banks. If this is not done, the banks will bring us all down, and it is not clear at all that the banks aren't going to do just that.
Meanwhile back to the scandal du jour. We are talking about 40k businesses, with average suggested compensation of 2.5 million quid - so we are already up to a potential exposure of 100 billion pounds. Given this, there is no doubt that even the most thickest of the dumbest can predict what will happen next:
Mainly because of the Parliamentary investigation, the Financial Services Authority was kicked into action and, on June 29 2012, announced that it had found "serious failings in the sale of IRSAs to small and medium sized businesses and that this has resulted in a severe impact on a large number of these businesses.”
However, it then left the banks to investigate the cases and work out how to compensate and address them .
The banks response was released on January 31 2013, and it was notable that between the June announcement and bank response in January that the number of cases rose from 28,000 to 40,000. It was also noteworthy that of those 40,000 cases investigated, over 90% were found to have been mis-sold. That’s a pretty damning indictment.
Even then the real issue, according to Jeremy [of Bully Banks], is that the banks are in charge of the process.
Not only is the fox in charge of the chickens, it's also paying off them off for their slaughter. Do we really need to say more? The regulators are in bed with the banks in trying to suppress this scandal.
Obviously, this cunning tactic will save poor banks money and embarrassment. But the emerging problem here is that, as suggested many times in this blog (e.g., 2, 3, 4, ...) and elsewhere, the public is now becoming increasingly convinced that banks are not healthy, honest members of society.
But I see an issue emerging in the next systemic shock to hit the financial world: if the public's patience is exhausted, as it appeared to be over Cyprus, then the next systemic shock is going to cause the collapse of some major banks. For right or wrong, the public is not going to accept any more talk of bailouts, taxpayer subsidies, etc etc.
The chickens are going to turn on the foxes, and they will not be satisfied with anything less than blood.
One hopes that the old Lady's bank tear-down team is boned up and ready to roll, because they'll be working hard soon.
Without much comment, from Francine McKenna:
Auditors All Fall Down; PFGBest and MF Global Frauds Reveal Weak Watchdogs
The made-for-TV drama is instead unfolding in Cedar Falls, Iowa and Chicago where, in “truth is stranger than fiction” style, PFGBest’s Russell Wasendorf Sr. says he used his “blunt authority” as sole owner and CEO to falsify bank statements sent to regulators for twenty years using Photoshop, Excel, scanners and laser printers.
Instead of MF Global’s world-renowned auditor PwC, we’ve got a one-woman show, Jeannie Veraja-Snelling, signing the audit opinion accompanying the financial statements for PFGBest. Not that there’s much less apparent incompetence when a global firm like PwC misses increased risk and deteriorating controls at MF Global and signs off on a clean annual audit opinion as recently as March 31, 2011, seven months before MF Global was forced into bankruptcy. PwC also signed off on a 10-Q review at the end of June, and a bond issue in August of 2011.
Wasendorf’s suicide note said that he duped his first-response regulator, the National Futures Association, by intercepting its request for confirmation of his bank balances, including funds segregated and safeguarded for customers, by using a P.O. Box he set up in the name of US Bank. He simply wrote whatever he wanted on those confirmation requests and signed in the name of the bank. His doctored banks statements with matching figures were sent along with the confirmation request back to the regulator.
“I was forced into a difficult decision: Should I go out of business or cheat?” he wrote. “I guess my ego was too big to admit failure. So I cheated,” his suicide note said.
Regulators, auditors and internal controls can not prevent a psychopath from lying, cheating and stealing to perpetuate a myth and sustain a lavish lifestyle, but they can and should detect the fraud much sooner if not immediately.
Wasendorf’s admission does not explain how he also duped the independent auditor. One of the cornerstones of an independent audit is an independent confirmation of bank balances. PFGBest’s auditor was either duped for twenty years or complicit in the fraud. Neither conclusion is a good one for her. Auditors are forbidden to use company personnel to obtain or process bank balance confirmations. Of course, that hasn’t prevented auditors from falling down on this critical part of their job anyway, leading recently to some of the biggest and most notorious fraud cases in years.
Deloitte’s audit client Parmalat gave that firm falsified bank confirmations. Deloitte’s Milan firm and its international coordinating firm eventually settled the 2003 case with Parmalat bondholders and shareholders for almost $200 million total. Price Waterhouse India partners are still facing criminal charges and the firm is being sued by its former audit client Mahindra Satyam for the fraud revealed by Satyam’s CEO who admitted to falsifying $1 billion in bank balances. Price Waterhouse India paid fines to the SEC, PCAOB, and settled with shareholders. Regulators said Price Waterhouse India’s audits were negligent because they failed to obtain confirmations of bank balances directly from banks and instead accepted management’s representations without independent verification. Several of the current Chinese frauds allege bank confirmation fraud, including accusations of collusion with executives by bank officials and negligence by auditors Deloitte China and others.
What’s even more troubling to me is PFGBest’s auditor, and many others who audit only SEC-registered broker-dealers, may be breaking laws as well as being negligent in their public duty to the capital markets.
On that latter, read the article for detail...
Several cases in USA are resolving in online theft via bank account hackery. Here's one:
Village View Escrow Inc., which in March 2010 lost nearly $400,000 after its online bank account with Professional Business Bank was taken over by hackers, has reached a settlement with the bank for an undisclosed amount, says Michelle Marsico, Village View's owner and president.
As a result of the settlement, Village View recovered more than the full amount of the funds that had been fraudulently taken from the account, plus interest, the company says in a statement.
And two more:
Two similar cases, PATCO Construction Inc. vs. Ocean Bank and Experi-Metal Inc. vs. Comerica Bank, raised questions about liability and reasonable security, yet each resulted in a different verdict.
In 2010, PATCO sued Ocean Bank for the more than $500,000 it lost in May 2009, after its commercial bank account with Ocean Bank was taken over. PATCO argued that Ocean Bank was not complying with existing FFIEC requirements for multifactor authentication when it relied solely on log-in and password credentials to verify transactions.
Last year, a District Court magistrate found the bank met legal requirements for multifactor authentication and dismissed the suit.
In December 2009, EMI sued Comerica after more than $550,000 in fraudulent wire transfers left EMI's account.
In the EMI ruling, the court found that Comerica should have identified and disallowed the fraudulent transactions, based on EMI's history, which had been limited to transactions with a select group of domestic entities. The court also noted that Comerica's knowledge of phishing attempts aimed at its clients should have caused the bank to be more cautious.
In the ruling, the court required Comerica to reimburse EMI for the more than $560,000 it lost after the bank approved the fraudulent wire transfers.
Here's how it happens. There will be many of these. Many of the victims will sue. Many if the cases will lose.
Those that lose are irrelevant. Those that win will set the scene. Eventually some precedent will be found, either at law or at reputation, that will allow people to trust banks again. Some more commentary.
The reason for the inevitability of this result is simple: society and banks both agree that we don't need banks unless the money is safe.
Online banking isn't safe. It behoves to the banks to make it safe. We're in the phase where the court of law and public opinion are working to get that result.
Here's the full unedited quote from Avivah Litan, who comments on the latest 1.5m credit card breach in US of A:
What’s the takeaway on PCI? The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.
Just a little emphasis, so audit me! PCI is that audit imposed by the credit card industry on processors. It's widely criticised. I imagine it does the same thing as most mandated and controlled audits - sets a very low bar, one low enough to let everyone pass if they've got the money to pay to enter the race.
For those wondering what happened to the audits of Global Payments, DigiNotar, Heartland, and hell, let's invite a few old friends to the party: MFGlobal, AIG, Lehman Brothers, Northern Rock, Greece PLC, the Japanese Nuclear Industry disaster recovery team and the Federal Reserve.... well, here's Avivah's hint:
In the meantime, Global Payments who was PCI compliant at the time of their breach is no longer PCI compliant – and was delisted by Visa – yet they continue to process payments.
That's a relief! So PCI comes with a handy kill-switch. If something goes wrong, we kill your audit :)
Problem solved. I wonder what the price of the kill-switch is, without the audit?
After a week of fairly strong deliberations, Mozilla has sent out a message to all CAs to clarify that MITM activity is not acceptable.
It would seem that Trustwave might slip through without losing their spot in the root list of major vendors. The reasons for this is a combination of: up-front disclosure, a short timeframe within which the subCA was issued and used (at this stage limited to 2011), and the principle of wiser heads prevailing.
That's my assessment at least.
My hope is that this has set the scene. The next discovery will be fatal for that CA. The only way forward for a CA that has issued at any time in the past an MITM-enabled subCA would be the following:
+ up-front disclosure to the public. By that I mean, not privately to Mozilla or other vendors. That won't be good enough. Nobody trusts the secret channels anymore.
+ in the event that this is still going on, an *fast* plan, agreed and committed to vendors, to withdraw completely any of these MITM sub-CAs or similar arrangements. By that I mean *with prejudice* to any customers - breaching contract if necessary.
Any deviation means termination of the root. Guys, you got one free pass at this, and Trustwave used it up. The jaws of Trust are hungry for your response.
That is what I'll be looking for at Mozilla. Unfortunately there is no forum for Google and others, so Mozilla still remains the bellwether for trust in CAs in general.
That's not a compliment; it's more a description of how little trust there is. If there is a desire to create some, that's possibly where we'll see the signs.
As an aside to the old currency market currently collapsing, in the now universally known movie GFC-2 rolling on your screens right now, some people have commented that perhaps online currencies and LETS and so forth will fill the gap. Unlikely, they won't fill the gap, but they will surge in popularity. From a business perspective, it is then some fun to keep an eye on them. An article on Facebook credits by George Anders, which is probably the one to watch:
Facebook’s 27-year-old founder, Mark Zuckerberg, isn’t usually mentioned in the same breath as Ben Bernanke, the 58-year-old head of the Federal Reserve. But Facebook’s early adventures in the money-creating business are going well enough that the central-bank comparison gets tempting.
Let's be very clear here: the mainstream media and most commentators will have very little clue what this is about. So they will search for easy analogues such as a comparison with national units, leading to specious comparisons of Zuckerberg to Bernanke. Hopeless and complete utter nonsense, but it makes for easy copy and nobody will call them on it.
Edward Castronova, a telecommunications professor at Indiana University, is fascinated by the rise of what he calls “wildcat currencies,” such as Facebook Credits. He has been studying the economics of online games and virtual worlds for the better part of a decade. Right now, he calculates, the Facebook Credits ecosystem can’t be any bigger than Barbados’s economy and might be significantly smaller. If the definition of digital goods keeps widening, though, he says, “this could be the start of something big.”
This is a little less naive and also slightly subtle. Let me re-write it:
If you believe that Facebook will continue to dominate and hold its market size, and if you believe that they will be able to successfully walk the minefield of self-issued currencies, then the result will be important. In approximate terms, think about PayPal-scaled importance, order of magnitude.
Note the assumptions there. Facebook have a shot at the title, because they have massive size and uncontested control of their userbase. (Google, Apple, Microsoft could all do the same thing, and in a sense, they already are...)
The more important assumption is how well they avoid the minefield of self-issued currencies. The problem here is that there are no books on it, no written lore, no academic seat of learning, nothing but the school of hard-knocks. To their credit, Facebook have already learnt quite a bit from the errors of their immediate predecessors. Which is no mean feat, as historically, self-issuers learn very little from their forebears, which is a good predictor of things to come.
Of the currency issuers that spring up, 99% are destined to walk on a mine. Worse, they can see the mine in front of them, they successfully aim for it, and walk right onto it with aplomb. No help needed at all. And, with 15 years of observation, I can say that this is quite consistent.
Why? I think it is because there is a core dichotomy at work here. In order to be a self-issuer you have to be independent enough to not need advice from anyone, which will be familiar to business observers as the entrepreneur-type. Others will call it arrogant, pig-headed, too darned confident for his own good... but I prefer to call it entrepreneurial spirit.
*But* the issuance of money is something that is typically beyond most people's ken at an academic or knowledge level. Usage of money is something that we all know, and all learnt at age 5 or so. We can all put a predictions in at this level, and some players can make good judgements (such as Peter Vodel's Predictions for Facebook Credits in 2012).
Issuance of money however is a completely different thing to usage. It is seriously difficult to research and learn; by way of benchmark, I wrote in 2000 you need to be quite adept at 7 different disciplines to do online money (what we then called Financial Cryptography). That number was reached after as many years of research on issuance, and nearly that number working in the field full time.
And, I still got criticised by disciplines that I didn't include.
You can see where I'm heading. The central dichotomy of money issuance then is that the self-issuer must be both capable of ignoring advice, and putting together an overwhelming body of knowledge at the same time; which is a disastrous clash as entrepreneurs are hopeless at blindspots, unknowns, and prior art.
There is no easy answer to this clash of intellectual challenges. Most people will for example assume that institutions are the way to handle any problem, but that answer is just another minefield:
If Facebook at some point is willing to reduce its cut of each Credits transaction, this new form of online liquidity may catch the eye of many more merchants and customers. As Castronova observes: “there’s a dynamic here that the Federal Reserve ought to look at.”
Now, we know that Castronovo said that for media interest only, but it is important to understand what really happens with the Central Banks. Part of the answer here is that they already do observe the emerging money market :) They just won't talk to the media or anyone else about it.
Another part of the answer is that CBs do not know how to issue money either; another dichotomy easily explained by the fact that most CBs manage a money that was created a long time ago, and the story has changed in the telling.
So, we come to the the really difficult question: what to do about it? CBs don't know, so they will definately keep the stony face up because their natural reaction to any question is silence.
But wait! you should be saying. What about the Euro?
Well, it is true that the Europeans did indeed successfully manage to re-invent the art and issue a new currency. But, did they really know what they were doing? I would put it to you that the Euro is the exception that proves the rule. They may have issued a currency very well, but they failed spectacularly in integrating that currency into the economy.
Which brings us full circle back to the movie now showing on media tonight and every night: GFC-2.
As we all know by now, MF Global crashed with some many billions of losses, filing for bankrupcy on 31st October. James Turk wonders aloud:
First of all investors should be concerned because everything is so inter-connected today. People call it contagion and this contagion is real because the MF Global bankruptcy is going to have a knock on effect, just like Lehman Brothers had a knock on effect.”
The point being that we know there is a big collapse coming, but we don't know what it will that will trigger it. James is making the broad point that a firm collapsing on the west side of the Atlantic could cause collapse in Europe. But wait, there's more:
So the contagion is the first reason for concern. The second reason for concern is it’s taking so long for them to find this so called missing money, which I find shocking. It’s been three weeks now since the MF Global bankruptcy was declared and they started talking about $600 million of missing funds.
So I’m not too surprised that now they are talking about $1.2 billion of missing customer funds. I think they are just trying to delay the inevitable as to how bad the situation at MF Global really is.
And more! Chris points to an article by Bloomberg / Jonathan Weil:
This week the trustee for the liquidation of its U.S. brokerage unit said as much as $1.2 billion of customer money is missing, maybe more. Those deposits should have been kept segregated from the company’s funds. By all indications, they weren’t.
Jonathan zeroes in on the heart of the matter:
Six months ago the accounting firm PricewaterhouseCoopers LLP said MF Global Holdings Ltd. and its units “maintained, in all material respects, effective internal control over financial reporting as of March 31, 2011.” A lot of people who relied on that opinion lost a ton of money.
So when I asked:
Let's check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?
we now know that PricewaterhouseCoopers LLP will not be stepping up to the podium with MF Global! Jonathan echoes some of the questions I asked:
What’s the point of having auditors do reports like this? And are they worth the cost? It’s getting harder to answer those questions in a way the accounting profession would favor.
But now that we have a more cohesive case study to pick through, some clues are emerging:
“Their books are a disaster,” Scott O’Malia, a commissioner at the Commodity Futures Trading Commission, told the Wall Street Journal in an interview two weeks ago. The newspaper also quoted Thomas Peterffy, CEO of Interactive Brokers Group Inc., saying: “I always knew the records were in shambles, but I didn’t know to what extent.” Interactive Brokers backed out of a potential deal to buy MF last month after finding discrepancies in its financial reports.
That's a tough start for PricewaterhouseCoopers LLP. Then:
For fiscal 2007, MF Global paid Pricewaterhouse $17.1 million in audit fees. By fiscal 2011, that had fallen to $10.9 million, even as warning signs about MF’s internal controls were surfacing publicly.
In 2007, MF and one of its executives paid a combined $77 million to settle CFTC allegations of mishandling hedge-fund clients’ accounts, as well as supervisory and record-keeping violations. In 2009, the commission fined MF $10 million for four instances of risk-supervision failures, including one that resulted in $141 million of trading losses on wheat futures. Suffice it to say, Pricewaterhouse should have been on high alert.
On top of that, Pricewaterhouse’s main regulator, the Public Company Accounting Oversight Board, released a nasty report this week on the firm’s audit performance. The agency cited deficiencies in 28 audits, out of 75 that it inspected last year. The tally included 13 clients where the board said the firm had botched its internal-control audits. The report didn’t name the companies. One of them could have been MF, for all we know.
In a response letter to the board, Pricewaterhouse’s U.S. chairman, Bob Moritz, and the head of its U.S. audit practice, Tim Ryan, said the firm is taking steps to improve its audit quality.
Ha! Jonathan asks the pointed question:
The point of having a report by an independent auditor is to assure the public that what a company says is true. Yet if the reports aren’t reliable, they’re worse than worthless, because they sucker the public with false promises. Maybe, just maybe, we should stop requiring them altogether.
Exactly. This was what I was laying out for the reader in my Audit cycle. But I was doing it from observation and logic, not from knowing about any particular episode. One however was expected to follow from the other...
The Audit brand depletes. Certainly time to start asking hard questions. Is there value in using a big 4 auditor? Could a firm get by on a more local operation? Are there better ways?
And, what does a big N auditor do in the new world? Well, here's one suggestion: take the bull by the horns and start laying out the truth! KPMG's new Chairman seems to be keen to add on to last week's revelation with some more:
KPMG International LLP’s global chairman, Michael Andrew, said fraud was evident at Olympus Corp. (7733) and his firm met all legal obligations to pass on information related to Olympus’s 2008 acquisition of Gyrus Group Ltd. before it was replaced as the camera maker’s auditor.
“We were displaced as a result of doing our job,” Andrew told reporters at the Foreign Correspondents’ Club in Hong Kong today. “It’s pretty evident to me there was very, very significant fraud and that a number of parties had been complicit.”
Now, if I was a big N auditor, that's exactly what I'd do. Break the cone of silence and start revealing the dirt. We can't possibly make things any worse for audit, so let's shake things up. Go, Andrew.
I like a guy who picks a fight. Especially, if he's an auditor!
New KPMG global chairman Michael Andrew says global regulators are hell-bent on breaking the dominance of large global audit firms without regard for the impact on stability of financial makerts and employment. "This is the worst time to be reforming the profession. You want financial stability. You want large employers in the marketplace taking on graduates. Why an earth is this an imperative right now?"
Australian Financial Review's article, "Global Chief blasts audacious attack on audit" of 21st November 2011, brings us some of the worst sort of self-serving excuses - saying that Auditors are part of the solution, not part of the problem.
I'm not buying it. Back in February of 2009 I asked of the auditors:
Let's check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?
No. Not one, not even a single one!
KPMG's Chairman is going to need a better set of excuses. Indeed, belatedly, it seems that others are asking too. From the same article, behind a paywall it seems:
The move against the big four is a backlash to the global financial crisis. The whole premise of audit is to inform capital markets. So why didn't they foresee, or prevent, the financial crisis and Europe's currency problems?
Now, I'm not going that far. I don't think audit could or should have prevented the GFC1 or GFC2, and it is the economist that foresees crises, not auditors. Rather, I'm saying:
Yet, the basic failures in the financial crisis are so blatant that surely, even by accident at least one audit should have picked up at least one pending failure, and fixed it?
Surely an easier test: not a single auditor has rung the bell on a single bad bank, that we know of. So what went wrong? I suggest the cause of failure by examination of the basic product of audit, and I conclude, in short words, you the public cannot rely on it. To you, the public, audit is an unknown unknown, you don't even know enough to know what it is. And in that environment, auditors shifted it somewhere else.
However, Michael Andrew brings a new causality to the court of public appeal:
One of the US's major criticisms of IFRS (International Financial Reporting Standards) is that it is subject to political intervention.
They're right to be concerned, said Mr Andrew. "We had regulators and governments telling us not to write down Greek debt in certain countries. They were refusing to allow accounting firms to adjust, saying they would underwrite a portion of the debt but refusing to put [that commitment] in writing," he said.
Whoa! Did he just say that? Did I just write out those words, taken from a scrappy photocopy of a print-only article? Yes indeed, word for word.
Haven't we seen that before? Let's ask Joseph T. Wells for the definition of fraud:
Under common law, three elements are required to prove fraud: a material false statement made with an intent to deceive (scienter), a victim’s reliance on the statement and damages.
Now, I don't want to be sued back into the dark ages by accusing auditors of fraud, so let's test it in the court of the informed observer:
Now, I'm no lawyer. And, the Auditor's defence will clearly be "the government told us to do it!" Which might even get them off, who knows? Or it might just bring the governments in on the act -- have they defrauded the entire planet by some act of conspiracy or abuse? Or, or or...
I don't know. But this is a question that simply must be answered.
I call for a jury of victims! Over to you. What is your verdict?
PS: before the papparazzi and the bureaucrats get too excited: Michael Andrew did the right thing by blowing the lid on the intervention. We need more facts, more causes, not more coverups.
How to cope with a financial system that looks like it's about to collapse every time bad news turns up? This is an issue that is causing a few headaches amongst the regulators. Here's some musings from Chris Skinner over a paper from the Financial Stability gurus at the Bank of England:
Third, the paper argues for policies that create much greater transparency in the system.
This means that the committees worldwide will begin “collecting systematically much greater amounts of data on evolving financial network structure, potentially in close to real time. For example, the introduction of the Office of Financial Research (OFR) under the Dodd-Frank Act will nudge the United States in this direction.
“This data revolution potentially brings at least two benefits.
“First, it ought to provide the authorities with data to calibrate and parameterise the sort of network framework developed here. An empirical mapping of the true network structure should allow for better identification of potential financial tipping points and cliff edges across the financial system. It could thus provide a sounder, quantitative basis for judging remedial policy actions to avoid these cliff edges.
“Second, more publicly available data on network structures may affect the behaviour of financial institutions in the network. Armed with greater information on counterparty risk, banks may feel less need to hoard liquidity following a disturbance.”
Yup. Real time data collection will be there in the foundation of future finance.
But have a care: you can't use the systems you have now. That's because if you layer regulation over policy over predictions over datamining over banking over securitization over transaction systems … all layered over clunky old 14th century double entry … the whole system will come crashing down like the WTC when someone flies a big can of gas into it.
The reason? Double entry is a fine tool at the intra-corporate level. Indeed, it was material in the rise of the modern corporation form, in the fine tradition of the Italian city states, longitudinal contractual obligations and open employment. But, double entry isn't designed to cope with the transactional load of of inter-company globalised finance. Once we go outside the corporation, the inverted pyramid gets too big, too heavy, and the forces crush down on the apex.
It can't do it. Triple entry can. That's because it is cryptographically solid, so it can survive the rigours of those concentrated forces at the inverted apex. That doesn't solve the nightmare scenarios like securitization spaghetti loans, but it does mean that when they ultimately unravel and collapse, we can track and allocate them.
Message to the regulators: if you want your pyramid to last, start with triple entry.
PS: did the paper really say "More taxes and levies on banks to ensure that the system can survive future shocks;" … seriously? Do people really believe that Tobin tax nonsense?
I had thought I was a voice in the wilderness on the question of criticising Audit as having left the party by the back door before the cops arrived. But, no, it seems that some have noticed. The Economist reports:
THE average divorce in Britain comes after 11 years of marriage. Compare that with the fidelity of a big British company to its auditors: 48 years on average, according to the Financial Reporting Council, Britain’s accounting watchdog, which tallied the figures for Britain’s biggest firms, the constituents of the FTSE 100. The reason is increasingly obvious, and worrisome, to regulators in Britain and elsewhere: the concentration of big accounting engagements in just four firms’ hands: PwC, Deloitte, KPMG and Ernst & Young.
The “Big Four” audit 99 of the FTSE 100, and 240 of the FTSE 250. ...
OK, that's really a follow-on from the Arthur Anderson and KPMG story of too big to fail. Yes, the Audit industry is now totally concentrated, which indicates to the economists amongst us that fees will have risen and the product will have drifted. Note that I didn't say quality, as in some cases the quality might have gone up -- including to well beyond reasonable, where we are paying for something we don't get a benefit from.
Which point I made in that Audit cycle; Auditors no longer serve society, society serves Auditors. Which came to a head with the financial crisis of 2007:
This caught the attention of the House of Lords, which in March pinned the firms’ “dereliction of duty” in the financial crisis, in part, on their oligopoly. (To make matters worse, only three of the four audit banks in Britain.) The Lords recommended that the Office of Fair Trading take a look at the problem. On May 17th the OFT announced that it was opening formal investigations into whether to refer the issue onto the Competition Commission, which could force changes on the industry.
So an investigation is being opened. This is one of those sticky areas where the Auditors police themselves, so what happens when that fails? Who do you go to? Well, the answers are somewhere between nobody and everyone. In this case, everyone includes the Lords, the OFT and the Competition Commission.
Which brings up the next sticky point. Are we really saying that this is a competition issue?
The firms insist that removing experienced audit firms from their clients would be inefficient and expensive. But regulators will weigh that potential expense against the expense of another systemic “dereliction of duty” by the auditors. The disappearance of one of the Big Four—recalling how quickly Arthur Andersen evaporated in the Enron scandal—would be more expensive still.
Apparently we are at least weighing competition issues with the systemic problem of the collapse of 2007. I don't know quite how the Economist came to that conclusion, but to me, the big question is this: how did the Auditors completely miss that all the big firms in Wall Street were about to cross into bankrupcy (declared or otherwise)? As the UK parliament summarised this question:
‘The breakdown of dialogue between bank auditors and regulators made the financial crisis worse’
Auditors were either unaware of the mounting dangers in the banks or, if they were aware, failed to alert the supervisory authority. The paucity of meetings between bank auditors and the supervisor was a “dereliction of duty” by both auditors and regulators. The Committee recommends legislation to re-establish mandatory two-way confidential dialogue between bank auditors and supervisors to help avoid a similar crisis in future.
Here's one suggestion of an answer:
...the UK House of Lords’ Economic Committee [...] recently asked UK leaders of all of the Big 4 audit firms – Deloitte, Ernst & Young, KPMG and PricewaterhouseCoopers – about the absence of warnings or “going concern” qualification for banks that failed or were bailed out.
The auditors’ response: The Bank of England told us, in confidence, that they would support the banks financially.
That's a really interesting answer! But I for one am not ready to call that a *good answer*. And if we don't have a good answer to that question, do we have a need for a good Audit?
ICAEW chief executive Michael Izza rejected the argument that auditors were culpable in the banking crisis, stating: “They did the job that they were expected to do - provide an audit opinion on banks' financial statements.”
But that isn't it! Audit has shifted from "opinion over financial statements" to being a small cog in a huge consulting machine. So we seem to be getting to the nub of the question: can the Auditors have their cake and eat it to?
This is a question that is slowly being asked. Amongst leading cases against audit is this:
Cuomo’s final act as NYAG last [December] was suing Ernst & Young for fraud for allowing Lehman Brothers to cook its books using “Repo 105.” That accounting practice, which may have been used by other Wall Street firms during the subprime binge, allowed Lehman to take billions of its toxic assets off its balance sheet for a few days at the end of the crucial 2nd and 3rd quarters of 2008, months before it filed for bankruptcy.
By moving toxic assets first off and then back on its books, Lehman was effectively dressing up its balance sheet in a deceptive manner. The lawsuit essentially alleges that Ernst & Young was aware of the practice, starting when it became Lehman Bros.’ auditor in 2001 until the firm’s death in 2008.
Lehman Bros.’ actions, and Ernst & Young turning a blind eye to them, stink to high heaven. Investors suffered devastating losses from the accounting chicanery. But one, huge question remains unanswered: As the financial and subprime crisis unfolded, where were the auditors who were the “gatekeepers” charged with protecting shareholders?
Or, more on point to whether Auditors do indeed provide an audit opinion, the Lehman Brothers bankrupcy report said:
(3) Ernst & Young Would Not Opine on the Materiality of Lehman’s Repo 105 Usage
Don't hold your breath that Auditors will be brought to account before the judge, though.
"Every time somebody comes up with a new fraudulent scheme, auditors miss it," said Andrea Kim, a partner at law firm Diamond McCarthy LLP in Houston who represents plaintiffs in auditor lawsuits. "The historical pattern is that they find a way to manage the litigation to limit their liability."
The credit crisis, which pushed the U.S. financial system to the brink of collapse, led to a wave of investor litigation against banks, lenders and others. Auditors are prime targets because investors try to rope in as many defendants as possible to increase recoveries. Auditors also may have the deepest pockets if the company they audited files for bankruptcy.
So we are now seeing a big lesson unfold. So far the Auditors are securing many dismissals and some settlements. The lesson then is more for us than them.
In yet more confusing evidence, Wired reports on the Boeing Audit Whistleblowing case:
The 9th U.S. Circuit Court of Appeals set aside the appeal of two former Boeing auditors who claimed their leaks to the media were protected by the Sarbanes-Oxley Act of 2002, adopted to protect shareholders against fraud. A three-judge panel of the San Francisco-based appeals court sided with Boeing, saying a provision in the act only protects those who notify the authorities, not the media, of alleged wrongdoing.
What appears to be the cause of this is that auditors, frustrated at trying to get attention in Boeing for Sarbanes-Oxley compliance, decided to leak some documents. Claiming immunity under Sarbanes-Oxley is novel, but leaking documents to the media in order to put pressure on the company is not novel - it's just not done. And, this is not a case of "should have known better." Auditors know better, they knew they are given the keys to the castle, so it is unclear why they were just fired.
The law protects employees from discrimination if they deliver the information to a federal regulatory or law enforcement agency, a member or committee of Congress or or a work supervisor.
“Members of the media are not included,” Judge Barry Silverman wrote for the unanimous court.
Anyway, that all aside, we benefit by a unique insight into the traumas of audit. Referring to the original article from Seattle-Post Intelligencer:
Sarbanes-Oxley is a wide-ranging law aimed at preventing stockholder rip-offs such as the Enron scandal from happening again. Among its requirements, it forced public companies such as Boeing to shine a light on their internal controls. It must show it has checks and balances on people and computer systems to guarantee accuracy of financial statements. ....
The federal guidelines for computer controls are unclear, and where the law is murky, auditors and company officials are left to fill in the gaps — facing criminal penalties if they are wrong. Companies are hungry for clarification on how to handle the information technology portion of Sarbanes-Oxley, according to The Institute of Internal Auditors, a leading professional association.
In step the Auditors, the cash-machine bells spinning in their eyes, and havoc reigns:
But Boeing’s information technology staff suffered. “They weren’t used to being involved in a finance-related audit,” McGee said in a June interview at Chicago headquarters. “We drove process discipline pretty hard.”
One person involved in the compliance effort, who asked not to be identified, told the P-I that information technology managers thought the new rules would blow over and that workers were “openly hostile” to the audits. The level of rigor — for example, documenting every single approval for a coding change — was foreign to the get-things-done culture of Boeing’s computer professionals.
The employee described the first two years as “pure hell” for the information technology staff. Colleagues agreed. Even auditors were unhappy, leading to infighting last year between consultants at PricewaterhouseCoopers and Jefferson Wells — the two firms contracted to help Boeing with internal audits.
Infighting in consultants is nothing special, as they defend their billings to the death. There's a huge incentive in replacing another contractor that turns them against each other. This sometimes ends up badly for a consultant, but it always ends up badly for the client:
Meanwhile, the experts at Jefferson Wells and PricewaterhouseCoopers spent hours — billed to Boeing — disputing each other’s findings.
What appears to be at the heart of this is that audit hasn't really served the corporation well. We know that Sarbanes-Oxley was a good effort at tightening up controls. But to what end? In this case, Boeing wasn't an Enron. It's easy to measure its progress. Planes come off the line at regular intervals, they are huge and easily countable, and if they don't work, it's spectacularly obvious.
So we have the possibility of over-measurement -- measuring something that costs more to measure than it delivers in benefits to the stockholder. What might be needed for the Enrons and the banks of the world, which deal in virtual product, isn't so clear for the physical sector.
“This sounds really, really messy,” Heriot Prentice, director of technology practices at the Institute of Internal Auditors, said upon hearing all of the charges and countercharges without knowing that he was speaking about Boeing, specifically. “This sounds like a big mess.”
Companies have been monitoring their computer systems for years — but under Sarbanes-Oxley, it was the first time that all public companies were required by law to do so as a part of a company’s “internal control over financial reporting.”
That control requirement, often nicknamed “404 compliance” after its corresponding part of the law, has been the most controversial and expensive aspect of Sarbanes-Oxley — and federal rules are now under review. Many executives bristled at the soaring costs of information technology compliance.
Control over financial reporting starts with control over financial transactions ... perhaps this was a simple case where they should have used SOX not SOx and triple entry accounting not double entry auditors?
Twans asks what happened to the blog, and the short answer is, like the US Patent Office in the early 1900s, there's nothing new worth writing.
At one point, the lack of quality control at Deutsche Bank’s mortgage lending unit, MortgageIT, prompted the hiring of an outside vendor to conduct reviews of the mortgages the bank approved for FHA insurance.
According to the suit, when the outside vendor found violations in the way it was approving mortgages for FHA insurance it sent letters to MortgageIT making them aware of the problems. Unfortunately, those letters weren’t read because employees there “stuffed the letters, unopened and unread, in a closet in MortgageIT’s Manhattan headquarters,” according to the suit.
Short version: In order to get some form of subsidy in the securitization business, Deutschebank hired an external auditor to review its lending practices. Then, didn't read the results. Which of course were adverse.
What does it mean for the mortgage lending industry? Sabino speculates that there’s a 50/50 chance that the allegations made by the U.S. Attorney’s office are not unique to Deutsche Bank.
In my Audit cycle I speculated that the Audit industry is so filled with errors at many and different points that at this time in history, it is useless to society. That is, it cannot be relied upon to deliver the result. This is evidence supporting that hypothesis.
In a funny little announcement that will have CA industry fans scratching their heads for a year or so, Verisign announces a one day sale of its "Trust seals":
According to VeriSign, "The VeriSign Trust seal shows the world that VeriSign has confirmed your identity and your site has passed the VeriSign malware scan."
A year's worth of service for a VeriSign Trust seal normally sells for $299. During the "Dollar Day" sale, which will run from 12:01AM PST to 11:59PM -- "from midnight to midnight," said Tim Callan, head of marketing for VeriSign trust services at Symantec -- VeriSign is offering a $298 discount on one year's worth of Trust seal.
A comment of background. VeriSign recently closed a deal to sell its CA (Certification Authority) to Symantec. For CAs, this was a big development, because VeriSign has about three quarters of the market, it would be like General Motors selling its car division to some random dude with a car parts shop.
The big issue then for VeriSign and Symantec is how to slice and dice the various brands and assets up to maintain the integrity of the deal . VeriSign more or less pioneered the use of the word "Trust" as with a lot else, hence the term "Trust Business." A curiosity that arose from the sale was whether Symantec was to be Trusted with the Business, as it were. Apparently they are:
Available since April 2010, the VeriSign Trust seal is an alternative to the company's older seal. "The 'VeriSign Secured' circle-and-check VeriSign Seal has historically been yoked to our VeriSign SSL certificate, which meant that you had to be using VeriSign SSL Certificates to get a seal," said Callan.
"But many small businesses outsource their shopping cart to a third party like Yahoo or eBay, where they can't get SSL," said Callan. These third-party shopping carts are typically secured with SSL on their own, as indicated by the URL starting with HTTPS or SHTTP. "This means that credible businesses are penalized for being too small. So we are creating a standalone version of the seal. Businesses have to be secure, and have their identify confirmed... but they don't have to be using SSL."
Is that for real? Yes it is. Indeed, over at CAcert (where I do lots) we have long recognised that the use of these words in the context of the overall certificate business was confusing and could present substantial difficulties if challenged in court .
The word "Trust" is more or less taboo in CAcert, and has been for many years; instead, we do other things that IMNSHO are far more sustainable, useful and justifiable. These are loosely grouped under the term RELY, generally written in caps to signal its special status as a word of much meaning.
Using the opportunity at hand, the new manager has wisely firewalled the issue as a separated brand and business. Which leaves the rest of the CA business to swing back into line in their own time.
 That's euphemistic code for "open to charges of deceptive trading practices" or other salacious troublemongering by an aggrieved plaintiff. I also hasten to point out that I have from time to time warned CAs about sailing too close to the wind, and VeriSign to its credit had become more careful about using the term too aggressively. Which is to say, I claim voce piano, there's more to this than idle grumbling about a successful competitor's annoyingly successful brand.
Skype, RIM, and now CircleTech v. the governments. This battle has been going on for a while. Here's today's battle results:
BIS [Czech counter-intelligence] officers first offered to Satanek that his firm would supply an encryption system with "a defect" to the market which would help the secret service find out the content of encrypted messages. "This is out of question. It is as if we were proclaiming we are selling bullet-proof vests that would actually not be bullet-proof," Satanek told MfD.
This is why BIS offered a deal to the firm's owners. BIS wanted CircleTech to develop a programme to decipher the codes. It would only partially help the secret service since not even CircleTech is capable of developing a universal key to decipher all of its codes. Nevertheless, software companies are offering such partial services, and consequently it would not be a problem for CircleTech to meet the order, MfD notes.
However, BIS officers said the firm need not register the money it would receive from BIS for the order, the paper writes. "You will have on opportunity to get an income that need not be subject to taxation," MfD cites the secret recording of a BIS officer at a meeting with the firm. Satanek rejected the offer and recorded the meetings with BIS.
BIS then gave it up. However, two months ago it contacted Satanek again, MfD writes. "They told me that we are allegedly meeting suspicious persons who pose a security risk to the state. In such a case we may not pass security vetting of the National Security Office (NBU)," Satanek told MfD.
Subversion, bribes, and threats, it's all in there! And, no wonder every hot new code jockey goes all starry-eyed at the thought of working on free, open encryption systems.
Iran's Bushehr nuclear power plant in Bushehr Port:
"An error is seen on a computer screen of Bushehr nuclear power plant's map in the Bushehr Port on the Persian Gulf, 1,000 kms south of Tehran, Iran on February 25, 2009. Iranian officials said the long-awaited power plant was expected to become operational last fall but its construction was plagued by several setbacks, including difficulties in procuring its remaining equipment and the necessary uranium fuel. (UPI Photo/Mohammad Kheirkhah)"
Click onwards for full sized image:
Compliant? Minor problem? Slight discordance? Conspiracy theory?
(spotted by Steve Bellovin)
Daniel wrote in comments a month or so back about the need to put the CA's brand on the chrome, so all can see who makes the statement:
Assume for the moment that there is a real interest in fixing this issue (there isn't, but I'll play along). Andy is right that it isn't going to do much good because, in essence, users don't care.
The fundamental problem with this security scheme is that it requires some action of the part of the consumer. But consumers aren't interested in the bother.
This is the accepted wisdom of the community that builds these tools. Unfortunately it is too simple, and the sad reality is that this view is dangerously wrong, but self-perpetuating. Absence of respect is not evidence that the actors are stupid. For a longer discussion, see this paper: "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users." The title is maybe self-referential; if it takes you a while to work out what it is saying, you'll appreciate how consumers feel :-)
In short, it is not that consumers aren't interested in the bother, it's that they reject bad advice. And they're right to do so.
So there are two paths here, one is to improve the advice /up to the point where it is rational for users to pay attention/ which you'll recognise is a very hard target. Or, remove the advice entirely and fix the model so that it represents a better trade-off (e.g., there is only one mode, and it is secure). As far as the secure browser architecture goes, that second path is pretty much impossible because it relies on too many external components, ones which will not move unless we've also figured out how to start and stop earthquakes, volcanoes and tsunamis at whim.
So we are left with improving the advice, itself a very hard target. Let's try that:
Imagine the following situation. You walk into your local bank but in order to withdraw any money you needed to do the following: interview the guard at the door to make sure he really worked for the bank, interviewed the teller to make sure he really worked for the bank, and then set at least 10% of the money you withdrew from the bank on fire so you could watch it burn and see if it was fake or not.
Right, this is a common problem. The mistake you are making is that the majority view is how to design the product. In this case, if the majority ignore the information, we don't need to follow their view in order to redesign the product.
The reason for this is that the minority can have a sufficient effect to achieve the desired result. This is what we call Open Governance: the information is put out there, but only a small minority look at any particular subset. The crowd in aggregate looks at all, but individually, specialisation takes root and becomes the norm.
Let's step outside that context and try another. Consider a police officer's badge. It's got a number on it. Often a name, as well. When the police officer busts some trouble maker, likely the perp does not notice the badge, nor the number. 99% likely, because the perp doesn't need to know, he's busted, and it matters little by whom. So what's the point?
The point is, 1% will notice the badge number! And that's enough to cause the police -- that officer and all others -- to be cautious. To follow the rules. They don't know beforehand who's noting these things down, or not, and they don't need to. The just need to know that bad behaviour can be spotted, and as we get closer to routine bad behaviour, it is more likely that the number will be noted.
Same with your bank guard. You don't have to interview him because the teller will. And if not, someone else in the branch. And if not them, some other customer will look.
Welcome to Open Governance. This is a concept where the governance of the thing, whatever it be (a CA, a bank, a government, a copper) is done by all of us, the world, not by "some special agency." Each of us on the net has the same chance to play in this game -- to govern the big bad player -- but only a very few of us actually govern any particular thing in question.
Let's go back closer into context and consider CAs. How are these governed? Well, they publish CPSs, they get audited by auditors, and they audit is checked over by third party vendors.
For example, we've seen audit reports that totally exclude important issues from consideration. And, nobody noticed beforehand! Which indicates that whatever is being done, whatever is being written, it isn't being verified nor understood. Which more or less casts in doubt all the prior due diligence done over CAs.
This is one reason why Mozilla decided to bring in more open governance ideas. There was a recognition that the old mid-1990s CA audit model wasn't providing a reliably solid answer. There was at least some smoke and mirrors, some criticism of abuse, and these criticisms weren't getting answered. More was needed, but not more of the same, more alternate governance.
So Mozilla put in place an open list (you can join), published all new requests from CAs, and proposed them for open review (section 16 of the policy). There are a few people who read these things. Not many, because it is hard work, and it takes a lot of time. But it's a start, we can't grow these things on trees. A forest starts with a single tree.
The brand name on the chrome is the same thing. We might predict that 99% of the users won't look at it. But 1% will. And, we also know that most all computer users have someone experienced they turn to for help, and those people have a shot at knowing what the brand is about.
The effect of the brand on the chrome as a security feature is then highly dependent on that effect: the CA doesn't know who is looking, but it knows that it is now totally tied to the results in the minds of those who are looking. This is powerful. Any marketing person will tell you that a threat to the brand is far more important than a deviation from a policy. CAs will fiddle their policies and practices in a heartbeat, but they'll not fiddle their brand.
There is an old saying "trust but verify". The problem is that this is a contradiction in terms. Trust means precisely that I don't have to verify. If I have to verify every transaction to see if the money is good, that's not trust. If I have to spy on my wife all the time to see if she's cheating, that's not trust.
Asking the user to verify, when what the user wants to do is trust, is design failure that no amount of coding is going to fix.
Actually, the expression is dead-right; trust can only come from verification, and repeated verifications at that. However, those verifications will have happened in the past; we might for example point to the fact that 99.999999% of all certificates issued have never caused a problem. That's a million verifications, right there.
When you say you don't have to verify, you're really saying you can take a risk this time. But there will come a time when that will rebound. Trust without verification is naïveté.
But, what we can do is outsource and share who does the verifying. And that's what Brand on the Chrome is about; outsourcing and sharing the verification of the CAs' business practices to the crowd.
The proposed changes, approved in a 5-0 vote despite misgivings expressed by two commissioners, now enter a 90-day period for public comment before coming back to the commission for revision and final approval.
but more importantly,
The bond issuers would also be required to keep a chunk of the securities in their own portfolios so that they retain some of the bonds’ risk, under the S.E.C.’s plan. ... The changes would “represent a fundamental revision to the way in which the asset-backed securities market would be regulated,” the S.E.C.’s chairwoman, Mary L. Schapiro, said. “I think changes are both necessary and critical components of restoring investor confidence.”
Aha! Someone knows the definition of banking:
Banking is the borrowing of /demand deposits/ from the public, and the lending of those same deposits, /at term/ to the public.
Banking is special for one and only one reason. Because the funds are borrowed as deposits, they can be returned today, immediately. That's what "on demand" means, and also that's what deposits mean.
Yet the loans are "at term" or to be repaid in the future. 30 years away, in the case of modern western mortgages.
And that is the crux of banking. The loans out on houses can't be called in under normal circumstances, but the public can call in its deposits now, today. Ordinarily this would be called fraud, because the bank is entering into a contract that it knows it is impossible to guarantee. For this reason, a bank charter is like a specialised permission to undergo a certain sort of fraud, or more kindly, to turn this specialised contract into something that isn't a fraud.
This arrangement is delicate. Change one word above and it is no longer banking (and in this statement you can find much of the ills of modern banking). Which leads us to securitization.
Securitization is the process of creating the at-term loans, with demand deposits, and then packaging them and selling them onto the bond market. A bond issue might collectively handle thousands of similar properties, and gets sold into the market maybe 100 days after the mortgages are sold.
Securitization breaks banking. It breaks banking because the loans are no longer at term, or they are, but they are no longer in the hands of the banks, they are on the market! So the investors in the bond market are lending at term to the house owners, and the magic link of banking has been broken.
Regulators say the financial companies that created the bonds had little incentive to ensure that the bonds were backed by reliable loans. When large portions of the borrowers began to default on the loans, the holders of the securities had big losses.
Right, exactly. As, in theory the banks no longer owned the bonds, having sold them on the market, they no longer had an incentive to manage the loans. And this is the implicit, unwritten corollary in the definition of banking: in order to get the charter, you have to look after the loans for their entire term. That's what it means, to be a bank, guard the deposited funds, out on loan, for their entire life!
The proposed rules, which would affect a large portion of new offerings in the $9.5 trillion market for securities backed by consumer loans, would in many cases require financial companies to retain 5 percent of each offering, a move that Ms. Schapiro said would “better align” the interests of investors and the securities firms.
Financial reform bills winding their way through Congress contain similar requirements that financial companies “keep skin in the game,” as the commission put it. So does a proposal by the Federal Deposit Insurance Corporation, which regulates some asset-backed securities originated by banks.
Skin in the game! Which the Python can only shed, as it outgrows model after model, leaving investors more and more confused. Models can only approximate risks of defaulting borrowers, and aren't a substitute for attentive bankers.
The big message to take away is this: Securitization breaks the fundamental law of banking. Is this good or bad? We should probably know this, because practically everything is done with securitization these days. And why not? It is decidedly more efficient, saving the occasional global meltdown.
The answer is, that securitization is decidedly good, but it renders banking no longer "special." This has a lot of ramifications: it means we no longer need banks. But we've got banks, so there is going to be a huge hangover period while society shifts from banking to market-oriented facilitation. And likely a few more crises.
It also means we don't need central banks; or at least partly, we don't need that part which regulates the banks, because standard competition and exchange regulators should be able to do the job. It's all consumer products called bonds, after all.
Yeah, sure, I hear you say, "we don't need banks..." chortle chortle. Admittedly the hangover from the century of central banking will be with us for a long time, and we can only move forward slowly. But watch: slowly but surely the move will be to open the market for loans origination.
Under the new rules, bond underwriters would not be required to receive a credit rating; rather, the chief executive of the bond issuer would have to certify that the assets were likely to produce the expected cash flows. ... Moody’s, in a statement, said, “We believe the market benefits when ratings agencies compete on the basis of the quality of their credit analysis, and we have long supported the removal of ratings from regulation.”
Baby step by baby step, the business of banking is moving over to the marketplace.
We are proposing to require that most ABS issuers file a computer program that gives effect to the flow of funds, or “waterfall,” provisions of the transaction. We are proposing that the computer program be filed on EDGAR in the form of downloadable source code in Python. … (page 205)
Under the proposed requirement, the filed source code, when downloaded and run by an investor, must provide the user with the ability to programmatically input the user’s own assumptions regarding the future performance and cash flows from the pool assets, including but not limited to assumptions about future interest rates, default rates, prepayment speeds, loss-given-default rates, and any other necessary assumptions … (page 210)
An ABS or asset backed security is a basically a financial instrument that has or "owns" a lump of property. In short, instead of owning the property yourself, you own a security (or instrument or contract) that has an interest in the property. At the simplest, trivial level of own house, one instrument, this is mostly meaningless, because the instrument owns the property so you may as well own it directly.
But it allows for more complexity. What they are talking about here is securitized home loans and the like, essentially the instruments that blew up in the recent financial crisis. In this case, your instrument has an interest in 1000 properties, but also this is the same interest that another 10,000 instruments have. So you don't own a house, or a tenth of a house, you own a share in the revenues of a combined 1000 houses.
What is that revenue? Well, it is probably the mortgage payments on the 1000 houses. Every month, the mortgage payments are collected, aggregated, fees taken, then the payments out are sent to the instrument holder.
So what the SEC is on about is complicated formulas. Also, they change. If 10 of the houses are delinquent this month, then 20 next month, the money changes. If interest rates go up, again it changes. If fees change, more change. Indeed, it's pretty clear that there is much more complexity and change than there is stability.
So the SEC is seeking to encourage the manager to show the formulas. In a computer program, so we can plug in the numbers, and investors can play around to isolate their preferred situations. On the surface it is a good idea. It gives the investor more power, and it sets up a key disclosure which can likely be challenged in the event of trouble. But it is unlikely to work as a mandated thing.
There are several things against this. Complexity is the enemy here. There are two ways of looking at it, as too complex, and as not complex enough. Initially, the models will be simple, but this will just set the scene for disputes, and the models will get more complex. And then more complex again because the hidden-by-complexity bug will strike -- managers will realise that if they make the models so complex that nobody can deal with them except real experts, then they'll be both compliant and impenetrable, and can get back to their normal games. If you look long enough at the financial crisis, you'll see that one important factor is complexity, and worse, deliberate complexity. This is an old game.
Further, there is a bit of a trap for young players here (as explained to me by Jim). The model will display the "flow of funds" which is in turn dictated by the instrument (the contract). Servicing and pooling provisions in the contract will mandate the manager's actions, and therefore the cash flow. So measuring & comparing the cash flow in this way tells us the manager is meeting targets, etc, *but it tells us nothing about the underlying collateral* which is the true asset in the picture. Recall, again, the financial crisis: meeting targets and bonuses was part of the problem, not the solution. These agreements are written to provide plenty of scope for this sort of trouble, and the SEC's invention runs the risk of making this worse, not better.
What's the solution? Well, the real health of the fund to which your instrument draws on is based on the collateral, and the revenues from it. That is, the real information you want is detailed income, not aggregated outgoings. So if the SEC were to want to make a difference, what it should do is mandate that the anonymised income transactions be made available (FCers will know what that means). That is, any time a house-owner makes a payment into the fund, that transaction be published to the fund investors. By tracking month to month the payments, and matching that to what the investors get, we have some data of value.
Would they do this? The SEC is not going to propose this, because of the complexity argument. The industry will not give up any of its treasured complexity, because that's how it makes money. If you could see what was going on, the prices would be beaten down.
But it could be done voluntarily. A private player could set this up; we have all the tech and understanding to do this. So what could the SEC do? Expand its proposal slightly, and create a format for a fund to reveal the anonymised flow of incomes from the collateral. And provide a program to deal with that. And see if anyone bites...
Meanwhile, two postcripts on spotted observations. One: a group of language specialists think the SEC are trying to give formal definition to the instrument; by means of Python. No, they're on the wrong track. Firstly, that isn't what the SEC is trying to do. Secondly, it won't work because bonds by their nature are contracts, and formal proofs of contracts are the domain of the courts, not compilers. Although this concept has been explored, real world bonds still have more to do with my Ricardian Contract form than esoterica like Nick Szabo's smart contracts.
Two: another group of developers are arguing whether Python is the right language. No need to comment :)
And Three, added from next post, maybe this is to happen:
The companies selling the bonds would also have to give the government extensive information, in a form that is easily searchable, on all of the individual loans that make up the portfolio behind the bond offering, and update it on a continuing basis. Previously, reports were required only on the overall credit quality of the pool of loans, and for some bonds, updates were suspended after about a year. .... Ms. Casey also expressed concerns about the impact of the rules on personal privacy, asking whether “data miners” might be able to use the information on individual loans to determine the identification of loan holders.
Spotted in NYT article.
The report on Lehman Brothers' collapse is out, and it apparently includes a smoking gun against the auditor. Prison Planet alleges that "The firm’s auditor, Ernst & Young, one of the four biggest auditing firms in the world, failed in its oversight role:"
In May 2008, a Lehman Senior Vice President, Matthew Lee, wrote a letter to management alleging accounting improprieties; in the course of investigating the allegations, Ernst & Young was advised by Lee on June 12, 2008 that Lehman used $50 billion of Repo 105 transactions to temporarily move assets off balance sheet and quarter end.The next day -- on June 13, 2008 -- Ernst & Young met with the Lehman Board Audit Committee but did not advise it about Lee’s assertions, despite an express direction from the Committee to advise on all allegations raised by Lee.
Ernst & Young took virtually no action to investigate the Repo 105 allegations. Ernst & Young took no steps to question or challenge the non-disclosure by Lehman of its use of $50 billion of temporary, off-balance sheet transactions.
Colorable claims exist that Ernst & Young did not meet professional standards, both in investigating Lee’s allegations and in connection with its audit and review of Lehman’s financial statements.
The Audit industry will now feel the old Chinese curse: to live in interesting times...
Lynn in comments points to news that Mastercard has eased up on the PCI (association for credit card issuers) standard for merchant auditing:
But come Dec. 31, 2010, MasterCard planned to require that all Level 1 and, for the first time, Level 2 merchants, use a QSA for the annual on-site PCI assessment.
(Level 1 merchants are above 6 million transactions per year, with 352 merchants bringing in around 50% of all transactions in the USA. Level 2 merchants are from 1 to 6 million, 895 merchants and 13% of all merchants.)
Now, this rule would have cost your merchant hard money:
That policy generated many complaints from Level 2 merchants, who security experts say would have to pay anywhere from $100,000 to $1 million for a QSA’s services.
These Qualified Security Assessors (QSA) are certified by the PCI Security Standards Council for an on-site assessment, or audit. Because of kickback, complaints, etc, MasterCard backed down:
This month, however, MasterCard pushed back the deadline by six months, to June 30, 2011. And instead of requiring use of a QSA, MasterCard will let Level 2 merchants do the assessments themselves provided they have staff attend merchant-training courses offered by the PCI Council, and each year pass a PCI Council accreditation program. Level 2 merchants are free to use QSAs if they wish. Come June 30, 2011, Level 1 merchants can use an internal auditor provided the audit staff has PCI Council training and annual accreditation.
That's you, that is. Or close enough that it hurts. Your company, being a retail merchant bringing in say 100 million dollars a year over 1 million transactions, can now save itself some $100,000 to $1 million. You can do it with your own staff as long as they go on some courses.
If a merchant with millions to billions of direct value on the line, and measurable losses of say 1% of that (handwave and duck) can choose to self-audit, why can't you?
I established in a series of posts that Audit is in a crisis (I, II, III, IV, V, VI). It didn't perform during the financial crisis, and even if it had, we wouldn't know it. Audit has entered a phase of life where it can not deliver its brand-promise to the buying public, but the cost of the brand is delivered frequently in invoices to us, the buying public. Worse, the cost will go up and the relevance will go down, the machine they built ensures it.
What then do we do in the future? How do we live in a world of Audits without Control? How do we reclaim the control that works to our real needs?
As a user, as a (systems not financial) auditor, as a builder of systems, both financial and Internet, as an investor, as a financial player and as a party reading and relying on audits, I've come across only one person that will provide for your auditing needs. That person is:
In a maxim, it is this: if you the user cannot see it, it is worthless. To you.
It is not entirely true that Audit is worthless, per se, in absolute terms. Many checks and balances can help, and this is the spirit that the audit profession alludes to. These checks and balances are good; we call them governance. But the problem for you is, you can't tell from the outside whether these checks, this audit, are useful or useless. Whether they are coded positively or negatively, whether they are purchased or perverted.
And therefore, your only good strategy is to label an opaque process as useless.
Which leads to a first step: Let's call for an open audit process, not a closed audit process. We know that "open" works from the Internet world, and the claim of many is that "open" can work in many more scenarios than we believed. I emphasise this in a presentation on An Open Audit (which, to close the loop back to the first post of the Audit series, was immediately after Bruce Schneier's apropos talk on the psychology of security).
But, please note, openness is only a first and intermediate step: once we get across the brave step of opening up the entire process, we are inexorably drawn to the fact that if an audit is really open, then the user can do it, herself. An open audit is an audit over open data; if the data is open, she can also audit the data herself.
All of it, or most of it, as much as the user can handle. Which is to say, even my meager attempt at open audit is not going far enough; what you really want is to openly audit the entire system yourself. I as auditor might simply lay the guide posts for you to follow, and in future, you can follow them better than I can.
Say hello to open governance . Yes, this way means more work for the user. But, this is work we already proved we could do. The wider Internet musters thousands of communities of thousands and millions, and a few of those people -- call them the 1% -- are the self-appointed guardians of truth and justice within their communities. Open governance harnesses the vigilantes of Wall Street, the crypto-jihadists of the security world, the peer-to-peer rebels of the intellectual property world, all, as the leaders in a process of checking for everyone else.
What then is the part of the professional auditor? We already recognised over the past couple of years that the proper role of the security expert is to educate programmers and architects to employ more security techniques. Likewise, the proper role of the auditor may be to teach the mechanisms of open governance; rather than opine on their results themselves. To teach, rather than to measure. To lead, rather than to do. To participate, rather than bill.
How would this work? Well, here's one idea. I haven't implemented it, but I want to. Over at the audit I participated in, there is a set of criteria which have to be audited against. Some have green ticks, others have red crosses, signifying OK and not OK. Classical audit process would call for me to investigate all those criteria, find evidence of controls over the criteria, and report on each. That's a lot of work. A lot of billable hours.
Open governance would call for each individual of the body-public to do that instead; in tech terms, each criteria would become a blog post, with comments added by the public, including comments of reliance. In effect, mini-opinions. If you the member-public post that the criteria is good and covered, and you put your monika on to that statement (which is easy to do because it is a CA and client-certs are its business), then that becomes reliable evidence. Once the set of criteria meets some watermark (say 95% green ticks), the audit is done.
That's just one idea. I know a dozen or so others; but their essence is all the same. Instead of having one person look and attest, have our entire net community look, and share notes. Travelling long distances, checking technical things and making clear reports is now trivial with the net, with cryptography, with protocols, with communities. We no longer need the single trusted third party to do this, we have the trusted members, we have our own stakeholders, we have customers.
It may be that the evolution of open governance, an invention from the world of digital cash, has come just in time to save us. We'll see.
In the very sad story of the Justice System as we know it, a British courts has ruled the beginning of the end.
He went to jail this week, protesting his innocence. Speaking to The Times, he said: “There are no missing millions, there’s no villa in the Virgin Islands, there has been no fraud. I am not allowed to earn any money, my assets were restrained so I couldn’t use them to defend myself — it’s a relentless, never-ending, vicious, cruel and wicked system.
Of course, all mobsters say that. So what was the crime?
Bowles was convicted by a jury in June of cheating the Revenue of £1.2 million in VAT but sentencing had been adjourned on three previous occasions. He had been found guilty of failing to pay VAT on a BIG land sale and diverting money due to the taxman to prop up Airfreight Express, his ailing air-freight company.
Now we have come full circle, and the evidence is presented: the Anti-money-laundering project of the OECD (known as the Financial Action Task Force, a Paris-based body) is basically and fundamentally inspired by the desire to raise tax. Hence, we will see a steady progression of government-revenue cases, occasionally interspersed with Mr Big cases. This is exactly what the OECD wanted. Not the mobsters, murderers, drug barons and terrorists pick up, but:
Bowles is a divorced, middle-aged company director from Maidenhead who has been transformed from successful entrepreneur to convicted fraudster.
A businessman, from the very heartland of English countryside. Not a dangerous criminal at all, but someone doing business. Not "them" but us. POCA or Proceeds of Crime Act is now an important revenue-raising tool:
It was not suggested that Bowles, who has no criminal record, had used the money to fund a luxury lifestyle. Nevertheless, when the Revenue began a criminal investigation into his affairs in 2006 all his assets were frozen under the powers of the Proceeds of Crime Act.
Bowles was required to live on an allowance and rely on legal aid for his defence rather than pay out of his own resources. Defence lawyers claimed that preparation of Bowles’s defence case was hampered further because his companies’ financial records were in the hands of administrators.
The accounts were not disclosed until a court hearing in February this year, at which point Bowles sought permission to have a forensic accountant examine them to determine the VAT position. He was refused a relaxation of the restraint order to pay for a forensic accountants’ report. The Legal Services Commission also declined to fund such a report from legal aid.
After the court was told that the records “could be considered by counsel with a calculator” the trial went ahead. Bowles was cleared of two charges but found guilty of a third.
It works this way. First the money is identified. Then, the crime is constructed, the assets are frozen, legal-aid is denied, and the businessman goes to jail. By the time he gets out of that, he probably cannot mount a defence anyway, and rights are just so much confetti. This stripping of rights is a well-known technique in law, as only 1 in 100 can then mount a recovery of rights action, it is often done when the job of the prosecutor is more important than rights.
Let's be realistic here and assume that Bowles was guilty of tax fraud. His local paper certainly thinks he was guilty:
A tax cheat from Maidenhead who dodged paying £1.3m in VAT has been jailed for three-and-a-half years. ... The court heard between October 2001 and July 2006 Bowles failed to submit VAT returns to HM Customs and Excise (HMCE) and then HM Revenue & Customs (HMRC). The VAT related to the sale of land for commercial development in Cardiff worth £7.5m.
Following an HMRC criminal investigation Bowles, from Sandisplatt Road, was charged on three counts of ‘cheating the revenue’. Peter Avery, assistant director, HMRC Criminal Investigations, said: "This sentence will serve as a deterrent to anyone who thinks that tax fraud is a risk worth taking."
Firstly, this is quite common, and secondly, tax is the most complicated thing in existance, so complicated that most ordinary lawyers don't recognise it as law by principle. It's the tax code, it's special. It's actually very hard not to be guilty of it, when you have a fair-sized business (whoever heard of a value-added-tax on a land sale?)
But even assuming that the guy was guilty, there was rather stunning evidence to the contrary, which underscores the point that this was revenue raising, not the bringing down of a Mr Big:
A financial report has since been prepared, free of charge, by a firm of chartered accountants. A draft copy was presented to the judge two months ago and a full version handed to him this week. Its analysis concludes that rather than owing tax, Bowles’s companies had actually overpaid their taxes.
The report stated: “In our opinion, none of the evidence points to Philip Bowles fraudulently evading or concealing VAT due to HMRC ... It would have been reasonable to conclude that no fraud has taken place.”
Lawyers for Bowles claimed in court that matters were compounded by a failure to explain VAT law properly. They alleged the jury were wrongly informed that companies in the same group could not asssign tax liabilities and credits between each other.
When a firm of *chartered accountants* utters _an opinion_ over finances, this is a legally imposing evidence. It is given a special status in court, in that the court may rely on it, and so might all others; this special status is awarded for the purposes of public companies that need to impress others such as creditors and shareholders that the company is sound. This form of reliance is not available outside the accounting profession, and only available in an accounting context (e.g., when a firm of accountants audits a certification authority, we do not get a special right to rely on it without further ado).
When a firm of chartered accountants does this for free, this is beyond surprising, this is a shock. The natural order of things is now upset. When the accountants are working for free, this might mean that the professions are mounting a last-ditch effort to preserve the Justice System in Britain, as I predicted:
It took 20 years to hollow out Mexico, we have a bit longer in other countries, because the institutions are staffed by stiffer, better educated people.
Those stiffer, better educated institutions realise that we all are poorer when the justice system is used to raise revenue. Or perhaps they realise their turn is next?
We've established that Audit isn't doing it for us (I, II, III). And that it had its material part to play in the financial crisis (IV). Or its material non-part (II). I think I've also had a fair shot at explaining why this happened (V).
I left off last time asking why the audit industry didn't move to correct these things, and especially why it didn't fight Sarbanes-Oxley as being more work for little reward? In posts that came afterwards, thanks to Todd Boyle, it is now clear that the audit industry will not stand in front of anything that allows its own house to grow. The Audit Industry is an insatiable growth machine, and this is its priority. No bad thing if you are an Auditor.
Which leaves us with curious question: What then stops the Audit from growing without bound? What force exists to counterbalance the natural tendency of the auditor to increase the complexity, and increase the bills? Can we do SOX-1, SOX-2, SOX-3 and each time increase the cost?
Those engineers and others familiar with "systems theory" among us will be thinking in terms of feedback: all sustainable systems have positive feedback loops which encourage their growth, and negative feedback loops which stop their growth exploding out of control. In earlier posts, we identify the positive feedback loop of the insider interest. The question would then be (for the engineers) what is the negative feedback control?
Wikipedia helpfully suggests that Audit is a feedback control over organisations, but where is the feedback control over Audit? Even accepting the controversial claim that Sarbanes-Oxley delivered better reliability and quality in audits, we do know there must be a point where that quality is too expensive to pay for. So there must be a limit, and we must know when to stop paying.
We already established that the outside world has no view into the audit. Our chartered outsider has taken the keys to the citadel and now owns the most inner sanctums. The insider operates to standard incentives which is to improve own position at the expense of the outsider; the Auditor is now the insider. Which leads to a compelling desire to increase size, complexity and fees of Audit.
Yet the machine of audit growth has no brake. So it has no way to stop it moving from a useful position of valuable service to society to an excessive position of unsustainable drain on the public welfare. There is nothing to stop audit consuming the host it parasites off, nor is there anything that keeps even the old part of the Audit on the straight and narrow.
And this is more or less what has happened. That which was useful 30 years ago -- the opinion of financial statements, useful to educated investors -- has migrated well beyond that position into consuming the very core of the body corporate. IT security audits, industry compliance audits, quality audits, consulting engagements, market projects, manufacturing advice, and the rest of it now consume far more of their proper share.
Many others will point at other effects. But I believe this is at the core of it: the auditor promises a result for outsiders, has taken the insiders' keys and crafted a role of great personal benefit, without any external control. So it follows that it must grow, and it must drift off any useful agenda. And so it has, as we see from the financial crisis.
Which leads to a rather depressing conclusion: Audit cannot regulate itself. And we can't look to the government to deal with it, because that was part & parcel of our famous financial crisis. Indeed, the agencies have their hands full right now making the financial crisis worse, we hardly want to ask them to fix this mess. Today's evidence of agency complicity is only just more added to a mountain of depression.
Phishing has come a long way. It is now no longer characterised by its email lure to get you to click on a different website. The phishers have moved on from the basic MITM that cracked secure browsing ... and are now concentrating on takeover of the machine. MITB, and the email is one of their weaker hooks.
Defences have also moved on, too. In some places they relied on two-factor auth, and in others a series of barriers. One common barrier was to make transactions to the country easy, and outside hard, on the basis that all phishers come from another country.
Phishers responded by employing Mules, being people who are in the country, and are well-paid to just re-transmit the money. People, it turns out, can easily send the money abroad, but trojans or MITBs couldn't.
But a problem with Mules is that they are slow. They might take a day or two to get around to it, because they are busy people. And in that time, the victim often spotted the fraudulent transaction ... and complained to the Mule! At which point the latter often realised he had been duped, was not part of the new International trading world, but was instead an essential cog in an international conspiracy to launder money etc et al ad nauseum.
Now phishers have gone to the next step:
New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.
The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.
The ruse buys the crooks time before a victim discovers the fraud, though won’t work if a victim uses an uninfected machine to check his or her bank balance.
The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan
This is the man in the middle, par exellence. Not only does Mallory steal the information and use it, he rewrites the evidence to hide the crime. Note, this was back in August. More claimed facts, ftr, and also and here:
The researchers also found statistics in the command tool showing that out of 90,000 visitors to the gang’s rogue and compromised websites, 6,400 were infected with the URLZone trojan. Most of the attacks Finjan observed affected people using Internet Explorer browsers, but Ben-Itzhak says other browsers are vulnerable too.
Which juxtaposes with a question that Stephen asked me a few days ago: how can we presume that the system is operating correctly? He was asking this hypothetical from the legal tradition, where it is common for banks to assert the presumption. In the above case, it is quite interesting, because from both points of view, the evidence is clear: correct operation.
The user sees the correct balances and transactions. The bank sees the correct authentication procedures. But we have a case here were neither side is correct, and the system is not operating correctly.
Why is this a problem? Because security commerce has it that a security system is secure. It has to be completely secure, otherwise it is impossible to sell. Nobody buys a partly-secure system, they want the fully-secured model. So what tends to happen is a form of society-wide cognitive dissonance where we sell the partly-secured as fully-secured. Hence, by the time the banks get around to being the defendents in some case against their "fully-secured" system, they are compelling in their belief that it is secure. The presumption that it operates correctly is part of that cognitive dissonance.
Which reminds us of a German case where the presumption that DES was secure was knocked out, because there were things like DeepCrack out there. The role of the courts in breaking this dissonance is important; I can't recall the case precisely, but here is another case from German courts, this time over the famous Sony rootkit:
According to Germany’s Heise, a district court has just ruled in a case where an individual claimed that the presence of the Sony rootkit caused him financial losses.
After purchasing an Anastacia CD, the plaintiff played it in his computer but his anti-virus software set off an alert saying the disc was infected with a rootkit. He went on to test the CD on three other computers. As a result, the plaintiff ended up losing valuable data.
Claiming for his losses, the plaintiff demanded 200 euros for 20 hours wasted dealing with the virus alerts and another 100 euros for 10 hours spent restoring lost data. Since the plaintiff was self-employed, he also claimed for loss of profits and in addition claimed 800 euros which he paid to a computer expert to repair his network after the infection. Added to this was 185 euros in legal costs making a total claim of around 1,500 euros.
The judge’s assessment was that the CD sold to the plaintiff was faulty, since he should be able to expect that the CD could play on his system without interfering with it. The court ordered the retailer of the CD to pay damages of 1,200 euros.
Which strangely echoes this case:
Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an "online community" for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable.
To join the "My SHC Community," users downloaded software that ended up grabbing some members' prescription information, emails, bank account data and purchases on other sites. Sears called the group that participated "small" and said the data captured by the program was at all times secure and was then destroyed.
The FTC filed a complaint against Sears, accusing the retailer of deceiving those who signed up for the service and downloaded the software.
"(Sears) failed to disclose adequately that the software application, when installed, would: monitor nearly all of the Internet behavior that occurs on consumers' computers, including information exchanged between consumers and websites other than those owned, operated, or affiliated with respondent, information provided in secure sessions when interacting with third-party websites, shopping carts, and online accounts, and headers of web-based email; track certain non-Internet related activities taking place on those computers; and transmit nearly all of the monitored information (excluding selected categories of filtered information) to respondent's remote computer servers," the FTC concluded.
Which all seems to lead to a rather heavy presumption of rightness in favour of the larger party. Sony was safe in installing rootkits, and only got slapped for the direct costs that this unexpected behaviour caused. Sears was safe for the same practice, except it got a tap on the wrist for not disclosing it fully.
Which leads to class action. The obvious asymmetry here is that the large parties (allegedly) did a lot of small damages to many parties. Yet, in each case, they do not get more than a light tap, for various reasons. So the message is clear: if there is profit, take on that risk, because the downside is small.
Which leads me to an old observation I made many times in the original phishing days: the issue of fundamental liability allocation will only be sorted out when class action suits redress the imbalance in power (to avoid adverse judgement).
This solution of course is only applicable in the USA where class-action is popular. And it probably doesn't apply to continental banking where the banks tend to take more care and absorb more of the liabilities directly (hence their losses are much lower). Which is bad news for UK, Australia, Canada, where the banking models tend to follow liability-dumping models, but don't have the ultimate backstop of the class-action suit.
Closing remark: all of these articles were spotted in Bruce Schneier's cryptogram, and all seemed to resonate. There is one hilarious thread about the DHS in USA deciding to "employ 1000 cyber-security experts." Frequent readers of this blog will see the error at multiple levels. But Bob Cringley took the claim at face value and did some research. He asked 6 people who he thought were experts, and this one was the closest:
“Define ‘expert,’ said another friend from behind Door Number Three, who comes from the security software business. “(An expert is) a person with a high degree of skill in or knowledge of a certain subject. Great, but the question is all about scope. I may be an expert cook – but can I run a kitchen? Same thing with security there are tons of experts – in specific areas. I was an expert in AV, IDS, and other areas. But I was not the all knowing security guru. (even though my knowledge base was very broad). This is where we run into unintended actuated consequences. An expert will make a choice and take an action. The end result may not be what they had anticipated because of other factors beyond the realm of their expertise caused an unanticipated consequence.
Which is to say, the word expert simply doesn't work for us. The field is too big so you are either a generalist like myself (and make frequent detailed mistakes, but hopefully survive in the big picture) or you are a deep specialist who gets the detail correct, but ends up on the wrong mapboard.
But this guy also hit the nail on the head:
So this is the wrong approach entirely. It won’t work, the DHS probably knows it won’t work (if they don’t know that, well God help us all) but they see it as better than nothing. That doesn’t worry me so much, though. What really worries me is the point brought up by cybersecurity expert number six, who himself came in from the cold:
“Sure there are 1,000 (cybersecurity experts),” he said, ” but they are already employed… as hackers.”
And, looking at our "presumption of security" question in the big picture, we can understand why. Because of liability dumping, your country's banks are cooperating with the world's 1000 cybersecurity experts. Who's engaged in a criminal conspiracy now?
So, if they are not doing audits and accounting, where does the accounting profession want to go? Perhaps unwittingly, TOdd provided the answer with that reference to the book Accounting Education: Charting the Course through a Perilous Future by W. Steve Albrecht and Robert J. Sack.
It seems that Messrs Albrecht and Sack, the authors of that book, took the question of the future of Accounting seriously:
Sales experts long ago concluded that “word of mouth” and “personal testimonials” are the best types of advertising. The Taylor Group1 found this to be true when they asked high school and college students what they intended to study in college. Their study found that students were more likely to major in accounting if they knew someone, such as a friend or relative, who was an accountant.
So they tested it by asking a slightly more revealing question of the accounting professionals:
When asked “If you could prepare for your professional career by starting college over again today, which of the following would you be most likely to do?” the responses were as follows:
Type of Degree % of Educators Who Would % of Practitioners Who Would Who Would Earn a bachelor’s degree in something other than accounting and then stop 0.0 7.8 Earn a bachelor’s degree in accounting, then stop 4.3 6.4 Earn a Master’s of Business Administration (M.B.A.) degree 37.7 36.4 Earn a Master’s of Accountancy degree 31.5 5.9 Earn a Master’s of Information Systems degree 17.9 21.3 Earn a master’s degree in something else 5.4 6.4 Earn a Ph.D. 1.6 4.4 Earn a J.D. (law degree) 1.6 11.4
These results are frightening,...
Well indeed! As they say:
It is telling that six times as many practicing accountants would get an M.B.A. as would an M.Acc., over three times as many practitioners would get a Master’s of Information Systems degree as would get an M.Acc., and nearly twice as many practitioners would get a law degree instead of an M.Acc. Together, only 12.3 percent (6.4% + 5.9%) of practitioners would get either an undergraduate or graduate degree in accounting.2 This decrease in the perceived value of accounting degrees by practitioners is captured in the following quotes:We asked a financial executive what advice he would give to a student who wanted to emulate his career. We asked him if he would recommend a M.Acc. degree. He said, “No, I think it had better be broad. Students should be studying other courses and not just taking as many accounting courses as possible. ...
My job right now is no longer putting numbers together. I do more analysis. My finance skills and my M.B.A. come into play a lot more than my CPA skills.
.... we are creating a new course of study that will combine accounting and
information technology into one unique major….
...I want to learn about information systems.
(Of course I'm snipping out the relevant parts for speed, you should read the whole lot.) Now, we could of course be skeptical because we know computing is the big thing, it's the first addition to the old list of Reading, Arithmetic and Writing since the dark ages. Saying that Computing is core is cliche these days. But the above message goes further, it's almost saying that Accountants are better off not doing accounting!
The Accounting profession of course can be relied upon to market their profession. Or can they? Todd was on point when he mentioned the value chain, the image in yesterday's post. Let's look at the wider context of the pretty picture:
Robert Elliott, KPMG partner and current chairman of the AICPA, speaks often about the value that accountants can and should provide. He identifies five stages of the “value chain” of information. The first stage is recording business events. The second stage is summarizing recorded events into usable data. The third stage is manipulating the data to provide useful information. The fourth stage is converting the information to knowledge that is helpful to decision makers. The fifth and final stage is using the knowledge to make value-added decisions. He uses the following diagram to illustrate this value chain:
This five-stage breakdown is a helpful analysis of the information process. However, the frightening part of Mr. Elliott’s analysis is his judgment as to what the segments of the value chain are worth in today’s world. Because of the impact of technology, he believes that:
- Stage 1 activity is now worth no more than $10 per hour
- Stage 2 activity is now worth no more than $30 per hour
- Stage 3 activity is now worth $100 per hour
- Stage 4 activity is now worth $300 per hour
- Stage 5 activity is now worth $1,000 per hour
In discussing this value chain, Mr. Elliott urges the practice community to focus on upper-end services, and he urges us to prepare our students so they aim toward that goal as well. Historically, accounting education has prepared students to perform stage 1- and stage 2-type work.
Boom! This is compelling evidence. It might not mean that the profession has abandoned accounting completely. But it does mean that whatever they do, they simply don't care about it. Accounting, and its cousin Audits are loss-leaders for the other stuff, and eyes are firmly fixed on other, higher things. We might call the other stuff Consulting, and we might wonder at the correlation: consulting activities have consumed the major audit firms. There are no major audit firms any more, there are major consulting firms, some of which seem to sport a vestigial audit capability.
Robert Elliot's message is, more or less, that the audit's fundamental purpose in life is to urge accountancy firms into higher stages. It therefore matters not what the quality (high?) is, nor what the original purpose is (delivering a report for reliance by the external stakeholder?). We might argue for example whether audit is Stage 2 or Stage 3. But we know that the auditor doesn't express his opinion to the company, directly, and knowledge is the essence of the value chain. By the rules, he maintains independence, his opinion is reserved for outsiders. So audit is limited to Stages 3 and below, by its definition.
Can you see a "stage 4,5 sales opportunity" here?
Or perhaps more on point, can you avoid it?
It is now very clear where the auditors are. They're not "on audit" but somewhere higher. Consulting. MBA territory. Stage 5, please! The question is not where the accounting profession wants to go today, because they already got there, yesterday. The financial crisis thesis is confirmed. Audits are very much part of our problem, even if they are the accounting profession's solution.
What is less clear is where are we, the business world? The clients, the users, the reliers of audit product? And perhaps the question for us really is, what are we going to do about it?
Regarding the failure of financial auditing, or statutory audits, there is probably a body of knowledge to be found in academia and business journals. There is certainly a lot of wisdom and knowledge among the accounting profession, although it is heavily suppressed, and auditors, like bankers, start out opaque and unself-aware. All three of these things grow deeper over lifelong habit (lack of honest self appraisal, lack of communication skills to talk about their business in anything but literal terms, and lack of any motive or impulse to be honest or candid even if they wanted to.) So, you'll find the best research on this problem in the business schools and press, for whom auditors are a business problem to be understood, and in the accountancy schools who still harbor a lot of great minds, with too much integrity to survive in the global audit firms. The audit profession took root in the 1930s and I would have to guess that it was captured from day one, by the publicly listed companies they were supposed to be auditing.
Accountants have had the choice to improve themselves at several historic points in time; the 1929 crash, the end of WW2, when every other economy was demolished, and the end of the Soviet threat. What they've actually done was continue fiddling with their false definitions of economic substance, called GAAP, which is really intended to modulate the lies and maintain as much opaqueness as the public would tolerate.
The greatest opportunity to improve business reporting, if that were the intention, has come from improvements in database, computing, and the internet. Internally of course, companies have built information tools to navigate and understand their customers, suppliers, financial structures and inner working. All of it conceived, developed and maintained for the benefit of senior executives. The host-centric, server-centric architecture of the dominant computing architectures (ibm, att, dec, sun, microsoft etc) reflect this.
There is nothing that reveals the intent and will of the AICPA more clearly than its design choices in XBRL. And I doubt if anybody will ever write the book about XBRL, since the people who realized what a betrayal it was, while it was being cooked up, were physically nauseated and left the standards bodies, myself included. Outside the meeting room and convention halls, there were more than a few people who saw what was happening-- and why would they pay annual dues of $thousands, plus travel costs, to attend the next XBRL conference, unless they were part of the corrupt agenda themselves?
I am reminded of the State of Washington democratic party convention I attended a few years ago-- more than 2/3s of the 1000 delegates from the precincts, statewide had never been to a convention before. And, by the end of the convention, a percentage even larger than that, was in open rebellion against the selection of candidates and railroading of the platform and agenda, by top party officials. So, 2/3s of them would never bother participating in the Democratic Party in the next election cycle either.
The people responsible for the sabotage and corruption of the AICPA's XBRL and other technologies, are Barry Melancon, working on behalf of opaque interests in the audit firms and wall street, and, the young turks they hired, Charlie Hoffman and Eric Cohen. Hoffman bubbled up in the Seattle area as an evangelist for microsoft technologies in accounting firms and probably never understood where the money and support for his magic carpet ride was coming from. Microsoft itself being a front-end for IBM and wall street. There have been a few, who try from time to time, to make these technologies honest, such as David RR Weber, Glen Gray, Bill McCarthy...
A more hopeful technology, ebXML emerged shortly after XBRL, and again the history is so vast, somebody should write a book---indeed would write a book-- if they had the stomach for it. Now, here, we ran into a different set of entrenched interests, the EDI industry and adjacent companies and interests. It was a fabulous project, with at least ten different workgroups, each with a lot of dedicated people, supported by many great companies.
To sum it all up-- there are people who want to use the power of computers and communications to reach process improvements, labor savings, AND transparency for all stakeholders. These people have developed over many years, a very complete understanding of business processes in their industries and somewhat less completely, a generalized architecture for all economic transactions. However, there are a plutocracy who own all their companies and make all of the hiring and firing decisions. Obviously, these people at the very top, have leaned hard on the tiller, since the early days.
And the accounting and auditing profession knows where its bread is buttered, see Bob Elliot's diagram of "five stage value chain."
After a rather disastrous meeting a few days ago, I finally found the time to load up:
The Office of Strategic Services was the USA dirty tricks brigade of WWII, which later became the CIA. Their field manual was declassified and published, and, lo and behold, it includes some mighty fine advice. This manual was noticed to the world by the guy who presented the story of the CIA's "open intel" wiki, he thought it relevant I guess.
Sections 11, 12 are most important to us, the rest concentrating on the physical spectrum of blowing up stuff. Onwards:
(11) General Interference with Organizations and Production
(a) Organizations and Conferences
(1) Insist on doing everything through "channels." Never permit short-cuts to be taken in order to, expedite decisions.
(2) Make "speeches." Talk as frequently as possible and at great length. Illustrate your "points" by long anecdotes and accounts of personal experiences. Never hesitate to make a few appropriate "patriotic" comments.
(3) When possible, refer all matters to committees, for "further study and consideration." Attempt to make the committees as large as possible - never less than five.
(4) Bring up irrelevant issues as frequently as possible.
(5) Haggle over precise wordings of communications, minutes, resolutions.
(6) Refer back to matters decided upon at the last meeting and attempt to reopen the question of the advisability of that decision.
(7) Advocate "caution." Be "reasonable" and urge your fellow-conferees to be "reasonable" and avoid haste which might result in embarrassments or difficulties later on.
To summarise previous posts, what do we know? We know so far that the hallowed financial Audit doesn't seem to pick up impending financial disaster, on either a micro-level like Madoff (I) or a macro-level like the financial crisis (II). We also know we don't know anything about it (III), trying harder didn't work (II), and in all probability the problem with Audit is systemic (IV). That is, likely all of them, the system of Audits, not any particular one. The financial crisis tells us that.
Notwithstanding its great brand, Audit does not deliver. How could this happen? Why did our glowing vision of Audit turn out to be our worst nightmare? Global financial collapse, trillions lost, entire economies wallowing in the mud and slime of bankruptcy shame?
Let me establish the answer to this by means of several claims.
First, complexity . Consider what audit firm Ernst & Young told us a while back:
The economic crisis has exposed inherent weaknesses in the risk management practices of banks, but few have a well-defined vision of how to tackle the problems, according to a study by Ernst & Young.
Of 48 senior executives from 36 major banks around the world questioned by Ernst & Young, just 14% say they have a consolidated view of risk across their organisation. Organisational silos, decentralisation of resources and decision-making, inadequate forecasting, and lack of transparent reporting were all cited as major barriers to effective enterprise-wide risk management.
The point highlighted above is this: This situation is complex! In essence, the process is too complex for anyone to appreciate from the outside. I don't think this point is so controversial, but the next are.
My second claim is that in any situation, stakeholders work to improve their own position . To see this, think about the stakeholders you work with. Examine every decision that they take. In general, every decision that reduces the benefit to them will be fiercely resisted, and any decision that increases the benefit to them will be fiercely supported. Consider what competing audit firm KPMG says:
A new study put out by KPMG, an audit, tax and advisory firm said that pressure to do "whatever it takes" to achieve business goals continues as the primary driver behind corporate fraud and misconduct.
Of more than 5,000 U.S. workers polled this summer, 74 percent said they had personally observed misconduct within their organizations during the prior 12 months, unchanged from the level reported by KPMG survey respondents in 2005. Roughly half (46 percent) of respondents reported that what they observed "could cause a significant loss of public trust if discovered," a figure that rises to 60 percent among employees working in the banking and finance industry.
This is human nature, right? It happens, and it happens more than we like to admit. I suggest it is the core and prime influence, and won't bother to argue it further, although if you are unsatisfied at this claim, I suggest you read Lewis on The End (warning it's long).
As we are dealing with complexity, even insiders will not find it easy to identify the nominal, original benefit to end-users. And, if the insiders can't identify the benefit, they can't put it above their own benefit. Claims one and two, added together, give us claim three: over time, all the benefit will be transferred from the end-users to the insiders . Inevitably. And, it is done naturally, subconciously and legally.
What does this mean to Audits? Well, Auditors cannot change this situation. If anything, they might make it worse. Consider these issues:
As against all that complexity and all that secrecy, there is a single Auditor, delivering a single report. To you. A rather single very small report, as against a rather frequent and in sum, huge series of bills.
So in all this complexity, although the Audit might suggest that they can reduce the complexity by means of compressing it all into one single "opinion", the complexity actually works to the ultimate benefit of the Auditor. Not to your benefit. It is to the Auditor's advantage to increase the complexity, and because it is all secret and you don't understand it anyway, any negative benefit to you is not observable. Given our second claim, this is indeed what they do.
Say hello to SOX, a doubling of the complexity, and a doubling of your auditor's invoice.
Say thank you, Congressmen Sarbanes and Oxley, and we hope your pension survives!
Claim Number 4: The Auditor has become the insider. Although he is the one you perceive to be an outsider, protecting your interests, in reality, the Auditor is only a nominal, pretend outsider. He is in reality a stakeholder who was given the keys to become an insider a long time ago. Is there any surprise that, with the passage of time, the profession has moved to secure its role? As stakeholder? As insider? To secure the benefit to itself?
Over time, the noble profession of Auditing has moved against your interests. Once, it was a mighty independent observer, a white knight riding forth to save your honour, your interest, your very patrimony. Audits were penetrating and meticulous!
Now, the auditor is just another incumbent stakeholder, another mercenary for hire. Test this: did any audit firm fight the rise of Sarbanes-Oxley as being unnecessary, overly costly and not delivering value for money to clients? Does any audit firm promote a product that halves the price? Halves the complexity? Has any audit firm investigated the relationship between the failed banks and the failed audits over those banks? Did any audit firm suggest that reserves weren't up to a downturn? Has any audit firm complained that mark-to-market depends on a market? Did any auditor insist on stress testing? Has ... oh never mind.
I'm honestly interested in this question. If you know the answer: posted it in comments! With luck, we can change the flow of this entire research, which awaits ... the NEXT post.
The CA and PKI business is busy this week. CAcert, a community Certification Authority, has a special general meeting to resolve the trauma of the collapse of their audit process. Depending on who you ask, my resignation as auditor was either the symptom or the cause.
In my opinion, the process wasn't working, so now I'm switching to the other side of the tracks. I'll work to get the audit done from the inside. Whether it will be faster or easier this way is difficult to say, we only get to run the experiment once.
Meanwhile, Mike Zusman and Alex Sotirov are claiming to have breached the EV green bar thing used by some higher end websites. No details available yet, it's the normal tease before a BlabHat style presentation by academics. Rumour has it that they've exploited weaknesses in the browsers. Some details emerging:
With control of the DNS for the access point, the attackers can establish their machines as men-in-the-middle, monitoring what victims logged into the access point are up to. They can let victims connect to EV SSL sites - turning the address bars green. Subsequently, they can redirect the connection to a DV SSL sessions under a certificates they have gotten illicitly, but the browser will still show the green bar.
Ah that old chestnut: if you slice your site down the middle and do security on the left and no or lesser security on the right, guess where the attacker comes in? Not the left or the right, but up the middle, between the two. He exploits the gap. Which is why elsewhere, we say "there is only one mode and it is secure."
Aside from that, this is an interesting data point. It might be considered that this is proof that the process is working (following the GP theory), or it might be proof that the process is broken (following the sleeping-dogs-lie model of security).
Although EV represents a good documentation of what the USA/Canada region (not Europe) would subscribe as "best practices," it fails in some disappointing ways. And in some ways it has made matters worse. Here's one: because the closed proprietary group CA/B Forum didn't really agree to fix the real problems, those real problems are still there. As Extended Validation has held itself up as a sort of gold standard, this means that attackers now have something fun to focus on. We all knew that SSL was sort of facade-ware in the real security game, and didn't bother to mention it. But now that the bigger CAs have bought into the marketing campaign, they'll get a steady stream of attention from academics and press.
I would guess less so from real attackers, because there are easier pickings elsewhere, but maybe I'm wrong:
"From May to June 2009 the total number of fraudulent website URLs using VeriSign SSL certificates represented 26% of all SSL certificate attacks, while the previous six months presented only a single occurrence," Raza wrote on the Symantec Security blogs.
... MarkMonitor found more than 7,300 domains exploited four top U.S. and international bank brands with 16% of them registered since September 2008.
.... But in the latest spate of phishing attempts, the SSL certificates were legitimate because "they matched the URL of the fake pages that were mimicking the target brands," Raza wrote.
VeriSign Inc., which sells SSL certificates, points out that SSL certificate fraud currently represents a tiny percentage of overall phishing attacks. Only two domains, and two VeriSign certificates were compromised in the attacks identified by Symantec, which targeted seven different brands.
"This activity falls well within the normal variability you would see on a very infrequent occurrence," said Tim Callan, a product marketing executive for VeriSign's SSL business unit. "If these were the results of a coin flip, with heads yielding 1 and tails yielding 0, we wouldn't be surprised to see this sequence at all, and certainly wouldn't conclude that there's any upward trend towards heads coming up on the coin."
Well, we hope that nobody's head is flipped in an unsurprising fashion....
It remains to be seen whether this makes any difference. I must admit, I check the green bar on my browser when online-banking, but annoyingly it makes me click to see who signed it. For real users, Firefox says that it is the website, and this is wrong and annoying, but Mozilla has not shown itself adept at understanding the legal and business side of security. I've heard Safari has been fixed up so probably time to try that again and report sometime.
Then, over to Germany, where a snafu with a HSM ("high security module") caused a root key to be lost (also in German). Over in the crypto lists, there are PKI opponents pointing out how this means it doesn't work, and there are PKI proponents pointing out how they should have employed better consultants. Both sides are right of course, so what to conclude?
Test runs with Germany's first-generation electronic health cards and doctors' "health professional cards" have suffered a serious setback. After the failure of a hardware security module (HSM) holding the private keys for the root Certificate Authority (root CA) for the first-generation cards, it emerged that the data had not been backed up. Consequently, if additional new cards are required for field testing, all of the cards previously produced for the tests will have to be replaced, because a new root CA will have to be generated. ... Besides its use in authentication, the root CA is also important for card withdrawal (the revocation service).
The first thing to realise was that this was a test rollout and not the real thing. So the test discovered a major weakness; in that sense it is successful, albeit highly embarrassing because it reached the press.
The second thing is the HSM issue. As we know, PKI is constructed as a hierarchy, or a tree. At the root of the tree is the root key of course. If this breaks, everything else collapses.
Hence there is a terrible fear of the root breaking. This feeds into the wishes of suppliers of high security modules, who make hardware that protect the root from being stolen. But, in this case, the HSM broke, and there was no backup. So a protection for one fear -- theft -- resulted in a vulnerability to another fear -- data loss.
A moment's thought and we realise that the HSM has to have a backup. Which has to be at least as good as the HSM. Which means we then have some rather cute conundrums, based on the Alice in Wonderland concept of having one single root except we need multiple single roots... In practice, how do we create the root inside the HSM (for security protection) and get it to another HSM (for recovery protection)?
Serious engineers and architects will be reaching for one word: BRITTLE! And so it is. Yes, it is possible to do this, but only by breaking the hierarchical principle of PKI itself. It is hard to break fundamental principles, and the result is that PKI will always be brittle, the implementations will always have contradictions that are swept under the carpet by the managers, auditors and salesmen. The PKI design is simply not real world engineering, and the only thing that keeps it going is the institutional deadly embrace of governments, standards committees, developers and security companies.
Not the market demand. But, not all has been bad in the PKI world. Actually, since the bottoming out of the dotcom collapse, certs have been on the uptake, and market demand is present albeit not anything beyond compliance-driven. Here comes a minor item of success:
VeriSign, Inc. [SNIP] today reported it has topped the 1 billion mark for daily Online Certificate Status Protocol (OCSP) checks.
[SNIP] A key link in the online security chain, OCSP offers the most timely and efficient way for Web browsers to determine whether a Secure Sockets Layer (SSL) or user certificate is still valid or has been revoked. Generally, when a browser initiates an SSL session, OCSP servers receive a query to check to see if the certificate in use is valid. Likewise, when a user initiates actions such as smartcard logon, VPN access or Web authentication, OCSP servers check the validity of the user certificate that is presented. OSCP servers are operated by Certificate Authorities, and VeriSign is the world's leading Certificate Authority.
[SNIP] VeriSign is the EV SSL Certificate provider of choice for more than 10,000 Internet domain names, representing 74 percent of the entire EV SSL Certificate market worldwide.
(In the above, I've snipped the self-serving marketing and one blatant misrepresentation.)
Certificates are static statements. They can be revoked, but the old design of downloading complete lists of all revocations was not really workable (some CAs ship megabyte-sized lists). We now have a new thing whereby if you are in possession of a certificate, you can do an online check of its status, called OCSP.
The fundamental problem with this, and the reason why it took the industry so long to get around to making revocation a real-time thing, is that once you have that architecture in place, you no longer need certificates. If you know the website, you simply go to a trusted provider and get the public key. The problem with this approach is that it doesn't allow the CA business to sell certificates to web site owners. As it lacks any business model for CAs, the CAs will fight it tooth & nail.
Just another conundrum from the office of security Kafkaism.
Here's another one, this time from the world of code signing. The idea is that updates and plugins can be sent to you with a digital signature. This means variously that the code is good and won't hurt you, or someone knows who the attacker is, and you can't hurt him. Whatever it means, developers put great store in the apparent ability of the digital signature to protect themselves from something or other.
But it doesn't work with Blackberry users. Allegedly, a Blackberry provider sent a signed code update to all users in United Arab Emirates:
Yesterday it was reported by various media outlets that a recent BlackBerry software update from Etisalat (a UAE-based carrier) contained spyware that would intercept emails and text messages and send copies to a central Etisalat server. We decided to take a look to find out more.
Whenever a message is received on the device, the Recv class first inspects it to determine if it contains an embedded command — more on this later. If not, it UTF-8 encodes the message, GZIPs it, AES encrypts it using a static key (”EtisalatIsAProviderForBlackBerry”), and Base64 encodes the result. It then adds this bundle to a transmit queue. The main app polls this queue every five seconds using a Timer, and when there are items in the queue to transmit, it calls this function to forward the message to a hardcoded server via HTTP (see below). The call to http.sendData() simply constructs the POST request and sends it over the wire with the proper headers.
Oops! A signed spyware from the provider that copies all your private email and sends it to a server. Sounds simple, but there's a gotcha...
The most alarming part about this whole situation is that people only noticed the malware because it was draining their batteries. The server receiving the initial registration packets (i.e. “Here I am, software is installed!”) got overloaded. Devices kept trying to connect every five seconds to empty the outbound message queue, thereby causing a battery drain. Some people were reporting on official BlackBerry forums that their batteries were being depleted from full charge in as little as half an hour.
So, even though the spyware provider had a way to turn it on and off:
It doesn’t seem to execute arbitrary commands, just packages up device information such as IMEI, IMSI, phone number, etc. and sends it back to the central server, the same way it does for received messages. It also provides a way to remotely enable/disable the spyware itself using the commands “start” and “stop”.
There was something wrong with the design, and everyone's blackberry went mad. Two points: if you want to spy on your own customers, be careful, and test it. Get quality engineers on to that part, because you are perverting a brittle design, and that is tricky stuff.
Second point. If you want to control a large portion of the population who has these devices, the centralised hierarchy of PKI and its one root to bind them all principle would seem to be perfectly designed. Nobody can control it except the center, which puts you in charge. In this case, the center can use its powerful code-signing abilities to deliver whatever you trust to it. (You trust what it tells you to trust, of course.)
Which has led some wits to label the CAs as centralised vulnerability partners. Which is odd, because some organisations that should know better than to outsource the keys to their security continue to do so.
But who cares, as long as the work flows for the consultants, the committees, the HSM providers and the CAs?
We can take a statistical approach to the investigation. We can probably agree that some audits are not strong (the financial crisis thesis), and some are definitely part of the problem (Enron, Madoff, Satyam, Stanford) not the solution. This rules out all audits being good.
The easy question: are all audits in the bad category, and we just don't know it, or are some good and some bad? We can rule out all audits being bad, because Refco was caught by a good audit, eventually.
So we are somewhere in-between the extremes. Some good, some bad. The question then further develops into whether the ones that are good are sufficiently valuable to overcome the ones that are bad. That is, one totally fraudulent result can be absorbed in a million good results. Or, if something is audited, even badly or with a percentage chance of bad results, some things should be improved, right?
The problem with this view is that we the outside world can't tell which is which, yet the point of the audit is to tell us: which is which. Because of the intent of the audit -- entering into the secrets of the corporate and delivering a judgment over the secrets -- there are no tools for us to distinguish. This is almost deliberate, almost by definition! The point of the audit is for us to distinguish the secretively good from the secretively bad; if we also have to distinguish amongst the audits, we have a problem.
Which is to say, auditing is highly susceptible to the rotten apples problem: a few rotten apples in a barrel quickly makes the whole barrel worthless.
How many is a few? One failed audit is not enough. But 10 might be, or 100, or 1% or 10%, it all depends. So we need to know some sort of threshold, past which, the barrel is worthless. Once we determine that some percentage of audits above the threshold are bad, all of them are dead, because confidence in the system fails and all audits become ignored by those that might have business in relying on them.
The empirical question of what that percentage would be is obviously a subject of some serious research, but I believe we can skip it by this simple check. Compare the threshold to our by now painfully famous financial crisis test. So far, in the financial crisis, all the audits failed to pick up the problem (and please, by all means post in comments any exceptions! Anonymously is fine!).
Whatever the watermark for general failure is, if the financial crisis is any guide, we've probably reached it. We are, I would claim, in the presence of material evidence that the Audit has passed the threshold for public reliance. The barrel is rotten.
But, how did we reach this terrible state of affairs? How could this happen? Let's leave that speculation for another post.
(Afterword: Since the last post on Audit, I resigned my role as Auditor over at CAcert. This moves me from slightly inside the profession to mostly outside. Does this change these views written here? So far, no, but you can be the judge.)
(Lynn and RAH point to) an article on the sad declines of e-gold, which I was involved with in some sense back in the period 1998 to 2000.
Bullion and Bandits: The Improbable Rise and Fall of E-Gold
Following his story, the picture that emerges of Jackson is not a portrait of a calculating criminal. Rather it is one of a naive visionary who thought his dream was bigger than any financial regulations, who got in over his head, and who finally struggled, too late, to make up for his missteps.
“There was no indication at all that anyone had a problem with what he was doing,” says Richard Timberlake, a former economics professor at the University of Georgia and author of several books on U.S. banking. Timberlake visited Jackson at his E-Gold office in 1997 and vouches for Jackson’s innocent intentions. “He was always very honest and very forthright in what he was trying to do as a business. Even the Federal Reserve believed it was legitimate.”
Well, in 1997, and indeed up until the end of 1999, it was indeed easy to believe that all was good. As we entered into 2000, the signs started popping up, and by the middle of that year, they were everywhere. It was this inability to deal with the changing makeup of the business, while always standing firm to the 1997 business model, that sewed the seeds of disaster.
It is possible to say, "naive visionary." It's also necessary to say, "responsible director." Which is, at its core, the Founder's paradox: we need that Founder to get us this far, pass the unbeatable odds, beat the regs, bash the naysayers.
Then, when he's done his job, how do we ease him aside to start running the business, as a business, and not as a mission from God?
As Jackson envisioned it, E-Gold was a private, international currency that would circulate independent of government controls, and stand impervious to the market’s highs and lows. Brimming with evangelical enthusiasm, Jackson proclaimed it a cure for the modern monetary system’s ills and described it at one point as “an epochal change in human destiny” and “probably the greatest benefit to humanity that’s ever been thought of.”...
Over the next few years, Jackson drained his retirement accounts, sold his medical practice and charged credit cards to raise more than $1 million to nurture the fledgling venture. Cynics might have considered him just another internet hustler looking to strike it rich, but those who knew him say he was a true believer. “He truly thinks that having a gold-backed currency is what’s needed in the world,” says James Clement, a libertarian attorney who met Jackson in 2003. “I don’t think anyone would have stuck with it … other than that he thinks it’s extremely important and somebody has to do this.”
Something like that. We stuck with him (and really, many many of us committed a great deal to the community!) because it was a truly great idea, and he'd done the hard work to get it off the ground. We left when it became clear that Jackson's visionary focus was going to take e-gold to disaster.
Jackson, who’d hocked his future to start E-Gold, now faced the potential of a federal prison term. He was frustrated and confused.
“It never crossed my mind that anyone could seriously want people like us in prison,” he says. “But I guess my bigger fear was that we would go bankrupt, and there would be a train wreck of people that had trusted value to us who couldn’t get their money.”
The worst part about it is that we were right, he was wrong, and the world lost the benefit of his great, original vision.
The financial innovations that came out of the 1990s were extraordinary, and e-gold was one of them. Now they are all confined to the history books, perhaps with little footnotes such as "with this, the financial crisis might have been averted." Oh well. Learning is not humanity's strong suit.
Duane points to a Wired report that Savvis has been sued (also /., 1, 2). Savvis was the Auditor of the ill-fated payments operator CardSystems that was breached heavily, lost huge amounts of privacy data, and went bankrupt.
This is significant. The audit business has invaded the IT field, now dominating the quality aspects with a stamp of approval over security and governance of all forms. I'm in one myself (at least today, not sure about tomorrow). The way it works is that we check the systems according to some metrics like criteria, management's disclosures, and other things that are called variously best practices (worst case) or common sense (better) or core competences (best case). Then we write up an opinion. Then others attempt to use that opinion in some sense or other:
When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor’s report.
In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.
The problem arises when something goes wrong -- see last week's post on the inverted pyramid. Is the auditor responsible for failure, and how much? The issue is murky, and here are two extremes:
One view has it that the auditor's opinion is relied upon by others and that this is a fiduciary responsibility before the courts, deriving from the history and tradition of financial audits. These latter hold a privileged place in the legal system; others can rely on audits over financial statements, and they can sue the auditor if there were issues. This then applies to systems audits.
A completely contrary view is that the auditor provides a useful service for whoever asks for it, and writes a limited opinion to that person. Others rely at their peril. The opinion is written in internal language, with limitations of liability, over a snapshot of time, and would not be a sound basis for reliance. The tests are closely guarded secrets, the interpretations are interesting but not revealed, and there is absolutely no indication in the process that it is oriented to the needs of the public. That is, an audit is worth practically nothing to any outsider (and insiders don't need it because they can see what's there themselves).
“We’re at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it,” says Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania’s Wharton School who specializes in information security issues. “For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits.”
If the court rules that the auditor can be sued, and did wrong ... then the results will ripple through the field. Auditors will reach further into their bag of tricks to cover their backs, which will make audits more difficult to rely upon. This can be seen as an economic result, because likely the court's adverse ruling will break the firm that is doing the audit. No other audit firm will like that scenario of a random bankrupcy event, and we even have the data point to show it: walk the line from Arthur Andersen to Sarbanes-Oxley to the global financial crisis.
In contrast, if the court rules that the Audit cannot be relied upon, then it is game over. Once a court rules that the process is not to be relied upon, then relying parties don't need it. The audit business collapses. Maybe we need to change jobs before the exodus...
Grundfest: As we look at the current situation, how much of the responsibility would you lay at the feet of the accounting profession?
Munger: I would argue that a majority of the horrors we face would not have happened if the accounting profession developed and enforced better accounting. They are way too liberal in providing the kind of accounting the financial promoters want. They’ve sold out, and they do not even realize that they’ve sold out.
Grundfest: Would you give an example of a particular accounting practice you Find problematic?
Munger: Take derivative trading with mark-to-market accounting, which degenerates into mark-to-model. Two firms make a big derivative trade and the accountants on both sides show a large profit from the same trade.
Grundfest: And they can’t both be right. But both of them are following the rules.
Munger: Yes, and nobody is even bothered by the folly. It violates the most elemental principles of common sense. And the reasons they do it are: (1) there’s a demand for it from the financial promoters, (2) fixing the system is hard work, and (3) they are afraid that a sensible fix might create new responsibilities that cause new litigation risks for accountants.
Yeah, I just copied Gunnar's post (including the crazy "Fi" HTML artifact!). Except this bit:
This situation is very comparable to what happens in when auditors interview infosec. Auditor asks -do you have a firewall? Infosec says yes. Check.
Its too bad but assumptions of yesteryear lead to building things on shaky foundations.
The full interview is worth reading!
Let's talk about why we want Identity. There appear to be two popular reasons why Identity is useful. One is as a handle for the customer experience, so that our dear user can return day after day and maintain her context.
The other is as a vector of punishment. If something goes wrong, we can punish our user, no longer dear.
It's a sad indictment of security, but it does seem as if the state of the security nation is that we cannot design, build and roll-out secure and safe systems. Abuse is likely, even certain, sometimes relished: it is almost a business requirement for a system of value to prove itself by having the value stolen. Following the inevitable security disaster, the business strategy switches smoothly to seeking who to blame, dumping the liability and covering up the dirt.
Users have a very different perspective. Users are well aware of the upsides and downsides, they know well: Identity is for good and for bad.
Indeed, one of the persistent fears of users is that an identity system will be used to hurt them. Steal their soul, breach their privacy, hold them to unreasonable terms, ultimately hunt them down and hurt them, these are some of the thoughts that invasive systems bring to the mind of our dear user.
This is the bad side of identity: the individual and the system are "in dispute," it's man against the machine, Jane against Justice. Unlike the usage case of "identity-as-a-handle," which seems to be relatively well developed in theory and documentation, the "identity-as-punishment" metaphor seems woefully inadequate. It is little talked about, it is the domain of lawyers and investigators, police and journalists. It's not the domain of technologists. Outside the odd and forgettable area of law, disputes are a non-subject, and not covered at all where I believe it is required the most: marketing, design, systems building, customer relations, costs analysis.
Indeed, disputes are taboo for any business.
Yet, this is unsustainable. I like to think of good Internet (or similar) systems as an inverted pyramid. On the top, the mesa, is the place where users build their value. It needs to be flat and stable. Efficient, and able to expand horizontally without costs. Hopefully it won't shift around a lot.
Dig slightly down, and we find the dirty business of user support. Here, the business faces the death of a 1000 tiny support cuts. Each trivial, cheap and ignorable, except in the aggregate. Below them deeper down are the 100 interesting support issues. Deeper still, the 10 or so really serious red alerts. Of which one becomes a real dispute.
The robustness of the pyramid is based on the relationship between the dispute at the bottom, the support activity in the middle, and the top, as it expands horizontally for business and for profit.
Your growth potential is teetering on this one thing: the dispute at the apex of the pyramid. And, if you are interested in privacy, this is the front line, for a perverse reason: this is where it is most lost. Support and full-blown disputes are the front line of privacy and security. Events in this area are destroyers of trust, they are the bane of marketing, the nightmare of PR.
Which brings up some interesting questions. If support is such a destroyer of trust, why is it an afterthought in so many systems? If the dispute is such a business disaster, why is resolution not covered at all? Or hidden, taboo? Or, why do businesses think that their dispute resolution process starts with their customers' identity handles? And ends with the lawyers?
Here's a thought: If badly-handled support and dispute events are leaks of privacy, destroyers of trust, maybe well-handled events are builders of trust? Preservers of privacy?
If that is plausible, if it is possible that good support and good dispute handling build good trust ... maybe a business objective is to shift the process: support designed up front, disputes surfaced, all of it open? A mature and trusted provider might say: we love our disputes, we promote them. Come one, come all. That's how we show we care!
An imature and unstrusted provider will say: we have no disputes, we don't need them. We ask you the user to believe in our promise.
The principle that the business hums along on top of an inverted pyramid, that rests ultimately on a small powerful but brittle apex, is likely to cause some scratching of technophiliac heads. So let me close the circle, and bring it back to the Identity topic.
If you do this, if you design the dispute mechanism as a fully cross-discipline business process for the benefit of all, not only will trust go positive and privacy become aligned, you will get an extra bonus. A carefully constructed dispute resolution method frees up the identity system, as the latter no longer has to do double duty as the user handle *and* the facade of punishment. Your identity system can simply concentrate on the user's experience. The dark clouds of fear disappear, and the technology has a chance to work how the techies said it would.
We can pretty much de-link the entire identity-as-handles from the identity-as-punishment concept. Doing that removes the fear from the user's mind, because she can now analyse the dispute mechanism on its merits. It also means that the Identity system can be written only for its technical and usability merits, something that we always wanted to do but never could, quite.
(This is the rough transcript of a talk I gave at Identity & Privacy conference in London a couple of weeks ago. The concept was first introduced at LexCybernetoria, it was initially tried by WebMoney, partly explored in digital gold currencies, and finally was built in
CAcert's Arbitration project.)
A repeated theme in the Madoff hearing (by the person trying for a decade to get SEC to do something about Madoff) was that while new legislation and regulation was required, it was much more important to have transparency and visibility; crooks are inventive and will always be ahead of regulation.
however ... from The Quiet Coup:
But there's a deeper and more disturbing similarity: elite business interests -- financiers, in the case of the U.S. -- played a central role in creating the crisis, making ever-larger gambles, with the implicit backing of the government, until the inevitable collapse. More alarming, they are now using their influence to prevent precisely the sorts of reforms that are needed, and fast, to pull the economy out of its nosedive. The government seems helpless, or unwilling, to act against them.
From The DNA of Corruption:
While the scale of venality of Wall Street dwarfs that of the Pentagon's, I submit that many of the central qualities shaping America's Defense Meltdown (an important new book with this title, also written by insiders, can be found here) can be found in Simon Johnson's exegesis of America's even more profound Financial Meltdown.
... and related to above, Mark-to-Market Lobby Buoys Bank Profits 20% as FASB May Say Yes:
Officials at Norwalk, Connecticut-based FASB were under "tremendous pressure" and "more or less eviscerated mark-to-market accounting," said Robert Willens, a former managing director at Lehman Brothers Holdings Inc. who runs his own tax and accounting advisory firm in New York. "I'd say there was a pretty close cause and effect."
The federal agency that insures bank deposits, which is asking for emergency powers to borrow up to $500 billion to take over failed banks, is facing a potential major shortfall in part because it collected no insurance premiums from most banks from 1996 to 2006.
with respect to taxes, there was roundtable of "leading expert" economists last summer about current economic mess. their solution was "flat rate" tax. the justification was:
their bottom line was that it probably would only be temporary before the special interests reestablish the current pervasive atmosphere of graft & corruption.
a semi-humorous comment was that a special interest that has lobbied against such a change has been Ireland ... supposedly because some number of US operations have been motivated to move to Ireland because of their much simpler business environment.
with respect to feedback processes ... I (Lynn) had done a lot with dynamic adaptive (feedback) control algorithms as an undergraduate in the 60s ... which was used in some products shipped in the 70s & 80s. In theearly 80s, I had a chance to meet John Boyd and sponsor his briefings. I found quite a bit of affinity to John's OODA-loop concept (observe, orient, decide, act) that is now starting to be taught in some MBA programs.
A canonical question in cryptography was about how much money you could put over a digital signature, and a proposed attack would often end, "and then Granny loses her house!" It might be seen as a sort of reminder that the crypto only went so far, and needed to be backed by institutional support for a lot of things.
And now comes Darren with news that Granny is losing her house, proverbially at least. In a somewhat imprecise article (written by a lawyer?) in the Times:
... The ingenuity of the heists carried out ranges from “selling” property they do not own to “buying” property at inflated valuations and making off with the difference.
Critical to many of these scams is the use of stolen identities. According to many solicitors specialising in the field, the key context for the problem was the dash into deregulation and e-commerce earlier this decade.
“There was a view throughout the profession that the abolition of documents of title and reliance upon electronic records would contribute to fraud. And so it has proved,” Samson says. “All this information is open to view through the internet so a fraudster can see exactly who owns a property, assume his or her identity and then sell it.”
While this may sound absurd for owner-occupied homes, it is all too easy, for example, with vacant properties. “What’s more the rightful owner won’t even know that it has happened,” he adds.
So the basic fraud appears to be: find a property that is not cared for by its owner. Assume the owner's identity. Sell it. Or,
To put the hat on what seems a complete botch-up by lawmakers and regulators, the effect of the Land Registration Act 2002 was that the fraudulent purchasers are given a legal title to their “purchase”. “If the fraudster succeeds in having title registered in his name he can mortgage the property,” Samson says. “The true owner may be able to have the transfer to the fraudster reversed by rectification but he will still take the property subject to the mortgage.”
buy it! Now, within that article, there is no shortage of soliciters saying "we told you so!" But the real systemic causes of this fraud will need more digging. We can guess what the first cause is: identify theft. That is, high levels of dependency on the fictitious notion of identity as a protector of security. Yes, that will always get you, and it will likely take another decade before the British populace lose their current faith in identity.
The second cause however is more subtle. As pointed out by Eliana Morandi in a 2007 article, "The role of the notary in real estate conveyancing," problems like that do not happen in continental Europe (see _Digital Evidence and Electronic Signature Law Review," 2007). What's the difference? Whereas the English common law system requires each party to have independent representation, the continental system requires one party, the notary to secure the entire deed for both the buyer and seller. And take the full responsibility, so issues such as this are solved easily:
In cases where, for example, a lender whose mortgage is being paid off has no lawyer, the conveyancer may face claims for having not fully observed the Land Registry’s practice guide. And instead of the Land Registry paying compensation, it will look to the solicitors to reimburse the victims.
Warren Gordon, of Olswang, who sits on the Law Society’s conveyancing and land law committee, protests that it is unrealistic to expect solicitors to do a comprehensive check on someone who is not their client. “It’s unfair to put all the risk on the solicitor, including asking him or her to sign off on the identity of someone he or she does not act for,” he says.
Meanwhile, Paul Marsh, president of the Law Society, points the finger instead at the bankers who are providing fraudsters with the funds to perpetrate their dodgy deals. “At the top end we see vast bonuses being paid to bankers at board level for what turn out to be disastrous investments, while at the grass roots local bankers are under pressure to make loans — to sell money — without even the most basic procedures in place to prevent fraud,” he says. “The banks are refusing to take responsibility for this because they know that they can pin it on the solicitors.”
The bottom line of course is which system is more efficient in the long run. The European Notary may charge more money for the perfect transaction. If the English solicitors can undercut that price, and reduce the fraud such that the result is still better, it is a good deal. Which is it? The abstract to Morandi's article gives a clue:
The role of the notary in real estate conveyancing
Eliana Morandi sets out the role of the civil law notary in the context of real estate conveyancing, illustrating how more effective and less costly it is when undertaken by civil law notaries.
(Unfortunately my copy has conveyed itself into hiding.) If fraud rises in Britain, we will need changes. Now, we've seen with the rise of identity fraud in the USA that there has been zero incentive for the players to change the way identity is used, so we can predict that the Brits will not change the registry practice. Also, the likelihood of the soliciters giving up their lucrative representational practice is pretty low.
However the complicated notarial versus solicitorial versus identity versus registry war pans out in the long run, it seems that solicitors are going to have to bear increased responsibility to check the identity of their counterparty. Perhaps they should pop into the Identity and Privacy forum, 14th 15th May over in London's Charing Cross Hotel? Probably a bargain if it saves them from granny's wrath.
Are Audits going to help at all? Are they worth the cost? Are they part of the problem or can they be part of the solution? Originally, I claim they can help, especially for an organisation that has never been audited. That's my experience of one data point. But that's surely not sufficient, we need more. We need to know whether we can rely on these things, we need to know how to rely on these things, and when. And in the aftermath of the failure of Sarbanes-Oxley, we need to dismiss the easy answer of "we'll all just work harder."
In short, we need to know what it is we do know. Here is my view: we don't know enough.
Let's see if I can sustain that claim. If we read through the background of the cases of failure before us, whether Madoff, Satyam, Bear-Stearns, Lehman Brothers or all the bailouts, we will (a) find the Auditor, (b) find why he didn't pick up the failure, (c) cry foul, and say it should be like this or that, and (d) be fooled again. Why is this? We need to look beyond the superficial (tweaks like changing the auditor, rewriting the rules, or collapsing all firms down to the Big One) and go deep.
What actually do we the end-user really know about an audit? We can look at this several ways.
If you didn't quite follow the above, that is precisely the point. To cut a long story short, if you can successfully interpret an audit report, you are probably either very experienced, or in the business yourself. For the most part, the result of the audit is inscrutable to the outsider.
Just to ask that stress that last point, I asked a mate this seemingly innocent and easy question: "how do I find a dodgy auditor for hire?" Without a moment's thought, he came back with three recommendations: examine the regulatory filings, look for suspensions, and, ask a crooked lawyer. There followed a much more detailed explanation of how these things will help, which I won't bore people with here. Suffice to say, these dirty tricks reveal the existence of auditors who are easily for hire. Hopefully, they are the exception not the rule, but how do we know?
Let me explain what I mean by that point. Auditors if pressed will reveal that their opinion is strictly limited by a number of caveats. Indeed, the opinion is rendered over layers of indirection, such as the management's procedures rather than the assets in question. See point 1 above. However, Auditors will not press home the real conclusions: you yourself do not understand it, nor will you spot when it is no longer useful to you. Meanwhile, those same Auditors are happy to let you believe as the wider public that the audit is a singular, all encompassing stamp of goodliness.
In short, the Audit profession benefits by letting you believe in one very broad and saintly brand, but acts to reduce the scope of the result so far as to make that brand non-representative. To use a polite term, you understand ... the point to fixate on here is not why it is like this, or how far it is from the truth, but that this may explain why you don't really appreciate the limits of audit, let alone understand them.
My claim in today's post then is that the user cannot tell whether an audit is any use or not. Which audit is good for you, and which not, even if good for others? Which audit is good, and which is plain bad? The crux of the matter is that you yourself cannot tell what any of those pronouncements mean, unless you are an insider. You don't know whether you can rely, when to rely or how to rely.
Instead, you are offered a promise of a verified obscurity, within the comfort of a wonderful brand. In this situation, although there is a vague promise of positive results, there are also far too many circumstances in which the results can be positive for others, while negative for you, so obfuscated and confused as to be worthless, or, even as far as downright fraudulent. You will never know, and indeed, you probably can never know.
To put it in terms of the popular security media, the Audit is fully compliant with security-by-obscurity. In the security world, we would say that a tool designed to that standard is generally brittle. Once cracked, it often fails completely, and badly. This is because, although the obscurity gave a measure of protection, that same obscurity hid other weaknesses which could have been easily fixed. For that reason, we in the security field do not advise security-by-obscurity.
What that does to the concept of reliance on Audits is left for another post!
In the last post on audit, I raised the possibility that we need some fixes to the audit process, rather than just following some journo's best practices list ("use a big-4 auditor"). Is it then a possibility to rewrite the regime, to create a tougher approach? If we look a little deeper in history, we find the answer:
No, we already tried it. Say hello to two more scary words: Sarbanes-Oxley. Recall that this was a huge project by the Congress of the USA to rewrite the entire auditing requirement for public companies. It was deliberately and carefully done in the aftermath of the collapse of audited-but-unauditable Enron.
In Sarbanes-Oxley, no stone was left un-turned, no leaf un-renewed. The noble profession of Financial Auditors had, post-Enron, plenty of incentive to improve their game. Sarbanes-Oxley was written at the behest of the auditing industry. They asked for it, and they got it, cost regardless. It more or less doubled the size of the public audit.
Indeed, Sarbanes-Oxley was so fierce that, by some lights, it killed the international market for Wall Street IPOs! Given all this substantial work, and substantial cost, the paying public might therefore expect that Sarbanes-Oxley must have done some good. Fair enough?
Certainly, there have been many reports of "stronger, better" but this is one of those questions that is hard to measure objectively because we cannot run proper tests. However, we do now have would could be considered to be a highly indicative test: the financial crisis.
Let's check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?
No. Not one, not even a single one!
Yet, the basic failures in the financial crisis are so blatant that surely, even by accident at least one audit should have picked up at least one pending failure, and fixed it? No, not one, known to date. At least, as far as I know, and we should probably wait a few years before writing the final judgment. Post any examples in comments! (And yes, for the record, we are ignoring all of the regulators, central banks, finance committees, rating agencies and other checks and balances that also apparently came to nought.)
Can we pronounce the financial audit as bankrupt by its own measures? In theory, the audit should have picked up these failures, all of them. Consider this case-in-point, to prove that the theory works: the enhanced audit required on public listing did in fact pick up the Refco fraud that led quickly to its failure, and the near-failure of Bawag, a big bank in Austria that participated in the fraud. (The sorry fool who found the fraud was fired for his troubles, and only later did his reports filter out and cause questions that ultimately forced the fatal result.)
The audit theory works, then, in some sense or other. Manifestly, audits didn't work for the financial crisis. And, they so didn't work after that so-huge rewrite called Sarbanes-Oxley, that we can conclude that mere improvement is completely off the agenda.
Questions arise. And, this time they are serious, more serious than post-Enron. This time the questions cannot be answered from within, but only from without. By us, the paying public. The questions before us could be considered like this:
Why did the audit not work in practice? For the financial crisis?
Are audits delivering a benefit?
Is the benefit of audits in excess of their cost?
Are audits part of the problem rather than the solution?
What do we do about it?
In order to answer that, we need more information. What is it that we really know about that audit? That's the subject of the next post.
Sometimes I slave over a hot keyboard for an entire weekend to get a point across. With elegant arguments, carefully constructed logic, and a full path from beginning to end. Integrated across 3 separate disciplines. If I get to QED in less than 3 pages, I'm happy!
And then Gunnar comes along and says:
A teacher asks the class, 'If there are nine sheep in the pen and one jumps out, how many are left?'
A little girl says, 'None of them are left.'
The teacher shakes her head sadly and says, 'You don't understand arithmetic.'
The girls says, 'No, you don't understand sheep.'
I had been meaning to write something on audits when this dropped into the email box from Bruce Schneier, late last year, which gave me the perfect opening:
How to Prevent Digital Snooping
What these three incidents illustrate is not that computerized databases are vulnerable to hacking -- we already knew that, and anyway the perpetrators all had legitimate access to the systems they used -- but how important audit is as a security measure.
Most security against crime comes from audit. Of course we use locks and alarms, but we don't wear bulletproof vests. The police provide for our safety by investigating crimes after the fact and prosecuting the guilty: that's audit.
Audit helps ensure that people don't abuse positions of trust. The cash register, for example, is basically an audit system. Cashiers have to handle the store's money. To ensure they don't skim from the till, the cash register keeps an audit trail of every transaction. The store owner can look at the register totals at the end of the day and make sure the amount of money in the register is the amount that should be there.
Bruce Schneier presents the positive, classical case for Auditing fairly well. Audits can help, especially operations that have never been audited, which receive what amounts to a serious kick in the behind.
But, and switching away from Schneier's "world without Audit" context to the financial world, it is fairly clear that the Audit has limits. Here's a word on those limits: *Madoff*. A reasonable question would be, if Audit can save us from bad stuff, why didn't it save us from Madoff? Some apparent or alleged facts from that case:
(Note, I wrote this about a month ago, and we probably know more now... hopefully I haven't missed something key. Anyway, journalistic standards being pretty low these days, onwards and upwards!)
All these claims, alleged or claimed or assumed or otherwise, have to give pause for thought.
What's truly scary about Madoff is that when you talk to people who were ripped off you think, there but for the grace of God goes me.
Professionals feel the same way.
This from the president of a fund of fund business: "Every time one of these frauds is discovered I get scared to death it could happen to us. We do lots of things to try to ensure it doesn't, such as checking and confirming auditors and auditor changes, using a private investigator to check on managers when we first invest and the having the PI annually update the file, trying to find references which are not on someone's reference list, etc." If big investors like these could be fooled, he said, anybody can be fooled.
Audits can help, and I do one myself. It helps, I claim, and I document some of the effects. Yet we clearly have problems, there are many flaws. For example, some will say, Madoff happened because it wasn't a big auditor:
"Clearly everyone believed that someone else had done the due diligence. And by relying on some small firm that Madoff employed rather than a big independent auditor was clearly a mistake," said one person who asked not to be identified because several clients lost money with Madoff and he was not permitted to speak publicly.
If you believe that, then I have an audited bridge to sell you. There is something more endemic and more core going on here, and the answer to this is likely not as trivial as "use a big 4 auditor." Indeed, we can knock that one on the head, comprehensively, with one single fearsome word: Enron. Followed by two more scary words: Arthur Andersen.
The world's oldest and most prestigious Auditor collapsed because of the audit failure with Enron. But, for the real result in this, and what happened after those fearsome events, let's slice some more scary words off to another post.
In a previous entry I suggested creating an AES-style competition for automated voting systems. The idea is to throw the design open to the world's expertise on complex systems, including universities, foundations and corporates, and manage the process in an open fashion to bring out the best result.
Several people said "Who would judge a contest for voting machines?" I thought at first blush that this wasn't an issue, but others do. Why is that? I wonder if the AES experience surfaced more good stuff than superficially apparent?
If you look at the AES competition, NIST/NSA decided who would be the winner. James points out in comments that the NSA is indeed competent to do this, but we also know that they are biased by their mission. So why did we trust them to judge honestly?
In this case, what happened is that NIST decided to start off with an open round which attracted around 30 contributions, and then whittled that down to 5 in a second round. Those 5 then went forward and battled it out under increased scrutiny. Then, on the basis of the open scrutiny, and some other not-so-open scrutiny, the NSA chose Rijndael to be the future AES standard.
Let's hypothesize that the NSA team had a solid incentive to choose the worst algorithm, and were minded to do that. What stopped them doing it?
Several things. Firstly, there were two rounds, and all the weaker algorithms were cleaned out in the first round. All of the five algorithms in the second round were more or less "good enough," so the NSA didn't have any easy material to work with. Secondly, they were up against the open scrutiny of the community. So any tricky choice was likely to cause muttering, which could spread mistrust in the future, and standards are susceptible to mistrust. Thirdly, by running a first round, and fairly whittling the algorithms done on quality, and then leading into the second round, NIST created an expectation. Positively, this encouraged everyone to get involved, including those who would normally dismiss the experiment as just another government fraud, waiting to reveal itself. At a more aggressive extreme, it created a precedent, and this exposed the competition to legal attack later on.
These mechanisms worked hand in hand. Probably, either alone was not sufficient to push the NSA into our camp, but together they locked down the choices. Once that was done, the NSA saw its natural incentives to cheat neutered by future costs and open scrutiny. As it no longer could justify the risk of cheating, its best strategy was to do the best job, in return for reputation.
The mechanism design of the competition created the incentives for the judge to vote how we wanted -- for the best algorithm -- even if he didn't want to.
So, we can turn the original question around. Instead of asking who would judge such a competition, design a mechanism such that we don't care who would judge it. Make it like the AES competition, where even if they had wanted to, the NSA's best strategy was to choose the best. Set yourself a challenge: we get the right result even when it is our worst enemy.
The USA financial mess was seen taking a brief pause, with almost 24 hours going by without another new world record in greatest failures ever. Morgan Stanley gamely held on ... But even as we speak, they are preparing the mother of all bailouts. It's the weekend, of course, and recent tradition has it that only on Sundays is it right to sell the free market. Or something.
Since the crisis began more than a year ago, the Treasury and Federal Reserve have already put nearly $1 trillion of taxpayer money on the line to help credit flows, while banks have suffered more than $500 billion of write-downs and loan losses.
A trillion here, 500 billion there. 700 billion by Monday? Pretty soon we'll be talking about real money.
The deficit for this budget year, which ends on Sept. 30, is expected to rise to $407 billion, a figure that is more than double the $161.5 billion imbalance for 2007, reflecting what the economic slowdown and this year's $168 billion economic stimulus program are already doing to the government's books. And that forecast doesn't include the $200 billion the administration committed to spending two weeks ago when it took over the nation's two biggest mortgage companies, Fannie Mae and Freddie Mac.
And it doesn't have any of the $700 billion the administration is seeking to soak up the bad mortgage-backed securities that have been at the heart of the severe credit crisis the country has been struggling with since August 2007. The legislation Congress passed this summer that gave the authority to rescue Fannie and Freddie boosted the limit on the national debt by $800 billion to $10.6 trillion.
Frankly, writing about the financial scene right now is trivially easy -- any number of sage saying will ring true. But, writing is also pointless, as the flood of diatribe might entertain us, but does nothing to take us forward.
Well, maybe it's the grief thing: we need this time to wail and gnash over lost innocence and easy profits. We seem to be in the bargaining phase, as Ben Bernanke and Henry Paulson tell various leaders, great and good, to move forward, sign the (blank) cheque and accept the master you all know you need.
In an ideal world, we could skip the depression and move onto acceptance, and rebuilding. How to rebuild? The answer to that question requires a very deep understanding of what is wrong, first and foremost. As I described earlier, I believe the failure syndrome is one of an overly complex system, in which each component works in isolation, but is too complex to analyse externally. Especially, building upwards on this shaky foundation is not safe, but continues nonetheless.
(If, by way of your example, you believe the problem is something else, you are not going to subscribe to the following. That's ok, because in the blogosphere, we still retain a free market in ideas, if little else.)
Onwards. Financial cryptography exists to reduce that complexity. One of the emerging results of financial cryptography, in all its various guises, is that the simple component is the stronger one, and the only sound basis for building to the next layer. We can build higher if we aggressively simplify the lower layers.
Let's present an example, one from Ricardo, which isn't the only system to employ these strategies, just the one I did and therefore is easier to present (another is Lynn's x9.59).
In this system, we use a thing called triple entry bookkeeping, which is digitally signed transactions stored in three places: yours, mine and the repository. Because the transactions are digitally signed and because there are 3 independently administered copies, and because all are equivalent (students of digital evidence take note) there is a very strong foundation on which to build the next layer. It might not be the best way to do transactions, per se (all those extra copies! all that superflous crypto-cycling! no two-phase commits!) but it does present the strongest foundation known to the upper layers.
So much so, that triple entry does for external accounting what double entry did for internal accounting 700 years ago. It is for reasons like this that designs like Ricardo will eventually change the financial system: they create building blocks that can be built on, and will support a massive weight, unlike the the current benchmark of cinder blocks of reinforced air.
When this system was presented to the SEC, someone at the meeting called it the third rail, which is finance-geek talk for the silver bullet. Ben Bernanke probably won't remember (he was there), but the point of this sophistication is an aggressive simplification: by knowing we can rely on every transaction being solidly recorded, we can move up to the next layer. Which we did; the whole system was really intended to resolve many of the uncertainties in today's trading, not just the lower layer accounting.
Which then raises the real question: why the innovations in FC (the above one, and for further example, the so-called blinding formula and its three orders of cost-reduction, or naked transactions de-risking strategies, or ...) did not move forward? I believe the answer is found, again, in the complexity of each incumbent building block.
Incumbents favour complexity. More complexity means more jobs, which finds more favour. Complexity means that while it takes a long time to learn it all, once you get there, you are safer. It requires extraordinary minds to understand it all, and that makes you feel good about yourself, and helps you to lord it over the rest. It gives plenty of flexibility to deliver complex claims, and cover them up when they go wrong.
In fact, it is rather hard to find a good reason not to make something complex. That's because all of these things are good for incumbents, and terrible for everyone else, and nobody asks anyone else. E.g., the customer or the taxpayer is never asked, always told, and always lied to. Every one of the great reasons for complexity is a cost, a priori, with no payback. Every little complexity helps in the long run to raise our own entrenched position, inside, and create a 'tax' on the paying classes. Otherwise we wouldn't promote it.
But what is worse is that complexity hides a greater sin: what we might call complexity fraud. When everything is a mess, nobody cares if someone is stealing the garbage. Nobody will likely notice, and if indeed you are noticed, they'll likely praise you for your help! Complexity fraud is the best fraud of all, because it is a long term cash flow, it looks legal, and anyone smart enough to spot it and understand it would probably join it rather than fight it.
For example, consider the rating agencies. They are supposed to warn of credit risks. They didn't (again), until it was too late (again). Why not? Because they are mandated. Ratings have to be done for many markets, which guarantees a steady flow of revenue as long as nobody upsets the apple cart. This might have seemed like a wise move once, but it can also be seen as a fraud born of complexity: if the complex markets are too hard to understand, then we can create a rating agency that is simple to interpret. Fine. On paper, we apparently simplified it, but in practice, we removed the observation from the real complexity, and put it across to a single number system, and we created a payout for a special person. The moment it is *mandated* then the rating agency kicks back and sucks at the teat, like everyone else, as it has absolutely no interest in upsetting its relationship with the companies that pay for their rating. (Students of incentives, take note.)
And, this is why there was not so much resistance to that early 2000s evil, Sarbanes-Oxley. As long as it was done to everyone equally, everyone made more money. Everyone who was asked, that is. Accounting doubled in size, so the auditors weren't complaining. Rules doubled, too, so the high-end complexity-crooks were happy. Large banks weren't complaining because it reduced the nibbling of the smaller banks. Democrats are always happy at more regulation. Republicans are always happy to promise a safe free market. Everyone was happy.
Who lost? The end-paying public of course. Sarbanes-Oxley was a bill to ravell fraud, but it was hopeless at unravelling. Rather than stopping Enrons, we got a rabbit-like plague of them; not directly because of Sarbanes-Oxley, but because we took our eye off of the systemic mess -- well identified in the early 2000s -- and created more complexity to hide the real problems.
Technology can help. FC can simplify things; but the leadership to put in simplifications instead of complications is strangely absent in Finance, and tech can not solve that. You might not agree that this is because of the forces I outline above; but I've yet to find another compelling explanation for this observation: simplification is rarely praised, but complexity finds many friends.
One of the perpetual threads is about how to deal with users' expectations (profit!), especially when they clash with the goal of protecting their assets (governance). In one example, people are dealing with the impossibility of CA liability versus the imponderability of universal service to browser users. In another place, security researchers are mentally edging away from life-as-seller to life-as-mentor. In user interface circles, the news is likewise not good: all the efforts look good on paper, but have trouble working in measurable practice.
Just how far is the gulf between user expectations and what the infrastructure can deliver? One airline just got a lesson:
Apparently a botched news story sparked a selloff of shares of United Airlines (UAL) yesterday. It seems that, on Sunday afternoon, the South Florida Sun-Sentinel accidentally re-ran a six year old Chicago Tribune article about United filing bankruptcy. Unfortunately, there was no date associated with the story, and Bloomberg picked it up and reported it as new information shortly before 11AM yesterday.
Not surprisingly, this blunder resulted in massive selling, driving shares of UAL down 75% from a bit over $12/share to $3/share. Here’s a screenshot of the stock chart showing the precipitous drop.
The story was pulled, and United is reportedly investigating what happened. As of right now, the stock is trading at just shy of $11/share. It’s kind of scary what an errant click of the mouse can do, isn’t it?
It is pretty clear that users can be spooked by a false story. It's also clear that the degree of spooking is inversely related to the accuracy of information; the vast number of stories that are printed in the media have approximate truth in them.
What to do about this? In practice, there is little to do. Make sure that the source of the error is fixed, and, make sure it was an innocent error. But that doesn't solve the real problem, only makes sure that the one person never makes the one exact error again.
In practice, a rogue hit can always damage. So, roll out the damage control. The answer with how to deal with these totally unexpected events then is almost always "we'll look at it when it happens," and "we have damage control for that."
(The users in the above case might have other views. But for them: investment is risky, and they can always take their dispute to the courts. I'm more interested in how it would play out in a security market where courts traditionally haven't backed up the user, and the market is supposed to be non-risky by design.)
JPM points to the tabloid for serious teenagers, the Wall Street Journal, who finds someone to blame for Fannie Mae and Freddie Mac:
There you have the Fannie Mae problem in profile. Mr. Frank wants you to pick up the tab for its failures, while he still vows to block a reform that might prevent the same disaster from happening again.
At least the Massachusetts Democrat is consistent. His record is close to perfect as a stalwart opponent of reforming the two companies, going back more than a decade. The first concerted push to rein in Fan and Fred in Congress came as far back as 1992, and Mr. Frank was right there, standing athwart. But things really picked up this decade, and Barney was there at every turn. Let's roll the audiotape:
In 2000, then-Rep. Richard Baker proposed a bill to reform Fannie and Freddie's oversight. Mr. Frank dismissed the idea, saying concerns about the two were "overblown" and that there was "no federal liability there whatsoever."
Read the whole thing, it is hilarious or sad, depending on whether you have to pick up the check. (For the latter, consider that $200bn leveraging that $5.4 trillion of expanded credit is actually a bargain!).
Yet, blaming Mr Frank is just childish. The WSJ writes as if it were Peter Pan:
Mr. Frank has had many accomplices from both parties in his protection of Fan and Fred. But he was and is among the most vociferous and powerful. In any other area of American life, this track record would get a man run out of town.
A Congressman is just a hired gun. Perhaps suspecting that adults lurk nearby, it is admitted that, if it wasn't Mr Frank, it would be someone else. Or something else. Running him out of town might make the lost boys feel better, but it changes nothing.
The core failure in the mess is as I described yesterday, and if you want to avoid collapses of this size, then there is one solution: "don't do that!" That being, in a nutshell, interfere in a market. Sometimes known as "small government" or whatever passes for the opposite of socialism these days (now that choosing capitalism is no longer trendy).
The US government has, like all other socialist enterprises, fallen for the old trick of interfering in a market, because (a) it can, and (b) it's always easy to convince people you have a good idea, if you pay them... Of course, it's not a good idea, and the real truth is the governments do not know how the markets work, almost by definition: that's why we have markets, and if government workers knew how they worked, they would get in them and make money like everyone else.
If the population of the USA decides to run a socialist housing market, then so be it. And, there seems little doubt that this is what the population of the USA wants, as the only man who wouldn't write the check, Ron Paul, got nowhere in the recent Presidential nominations.
It's your choice! Pass the hat around, and write up another mortgage application.
A slightly smaller problem than this weekend's systemic risk and the US Treasury is the continuing weakness of the security of the US retail banking sector:
They are a staple of consumer-complaint hotlines and Web sites: anguished tales about money stolen electronically from bank accounts, about unhelpful bank tellers and, finally, about unreimbursed losses.
But surely customers of the elite private banking operation at JPMorgan Chase, serving only the bank’s wealthiest clients, are safe from such problems, right? Wrong, says Guy Wyser-Pratte, an activist investor on Wall Street for more than 40 years who uses his hedge fund’s war chest of roughly $500 million to wage takeover fights and proxy battles in the United States and Europe.
In May, Mr. Wyser-Pratte learned that someone had siphoned nearly $300,000 from his personal account at the private bank through many small electronic transfers over a 15-month period. Then he was told by the bank that he could stop the theft only by closing his account and opening a new one — an enormous hassle, he said. And finally, JPMorgan Chase told him that the bank would cover only $50,000 of his losses.
Just like the other scandals, we watched this one arise, and now it is here. Warnings fell on deaf ears, so we can only wonder what is the systemic cause here of this mess.
In the case of phishing, it is relatively clear. The developers believe the PKI book. The PKI people believe in the efficacy of digital signatures to prove stuff. The cryptographers believe in the perfection of mathematics, and the security world believes in the completeness of their own learning. They are all wrong, but only at the large level of generalisations, not at the detailed level of particular claims. Any one of the claims, in isolation can be shown to be true. But, generalising these brittle claims to be solid building blocks is a completely different question. Few of the claims are strong enough to partake in a general model without severe support; the general model of secure browsing is the best evidence of how it is secure in name only.
How then is it built? By accident or by design, a series of claims meet together in a holy ring of righteous architecture. Each of the proponents claim loudly that their part is strong, but the ring has no strength. Eventually, one of the claims in the links is broken. For phishing, the browsers never did have the potential to show authenticity; not only did they not have the security strength to do it (c.f., Skype v. CSRF), they didn't even do it in practice (recall the lost padlock?), and their recent efforts to show authenticity (c.f. colour debate) reveal how far they are from understanding even the goal, let alone the implementation. Once that link was broken, and money was made, all the others revealed their weaknesses, as crooks systematically worked to breach the lot.
If we look at the wider financial collapse, now underscored by the nationalisation of the worlds biggest financiers of mortgages ($ 5.3 trillion.... or is it $ 5.4 ?), we see the same pattern. The bankers believed in their product. The originators believed in their origination, the securitizers believed in their free market and accurate price, and the holders believed in the assets. The CDO, the subprime, the other 100 special names, each was a contract. Each was clear in and of itself. But, when placed end-to-end, in a line, with a bunch of other agreements, the claims that were good in isolation were not strong enough to participate in the super-claim made of the overall edifice.
The financial system was built like a bridge; each piece rested on the previous one. And then, the clever architects bent the bridge around ... and around again, until the first piece met the last. The elegant keystone of finance was to finally lift up the first one to rest on the last.
Thus, the banks themselves invested their capital in their own product.
This weekend, the US Treasury joined in to make the ring stronger. The cunning masters of the financial universe carefully lifted up the fan-fred paper and rested them on the T-bills, which as we know are the expressions of the US economy's ability to generate taxes. These willing taxpayers are proud to place themselves and their mortgaged homes in the ring of power.
Beautiful, elegant, and hugely profitable. Just, somewhat, slightly against the laws of gravity.
The problem with this -- both the financial markets and the Internet security markets -- is that there is no-one to blame . Each is constructed in ring of claims, which eventually return to rely on themselves.
So when you read about who is to blame, be quick to be skeptical:
Long before the mortgage crisis began rocking Main Street and Wall Street, a top FBI official made a chilling, if little-noticed, prediction: The booming mortgage business, fueled by low interest rates and soaring home values, was starting to attract shady operators and billions in losses were possible.
"It has the potential to be an epidemic," Chris Swecker, the FBI official in charge of criminal investigations, told reporters in September 2004. But, he added reassuringly, the FBI was on the case. "We think we can prevent a problem that could have as much impact as the S&L crisis," he said.
Today, the damage from the global mortgage meltdown has more than matched that of the savings-and-loan bailouts of the 1980s and early 1990s. By some estimates, it has made that costly debacle look like chump change. But it's also clear that the FBI failed to avert a problem it had accurately forecast
Forget it. My experience of the mutual funds mess -- one what was *not* cleaned up despite public pronouncements to the contrary -- and other messes such as the digital gold story indicates that the FBI has zero chance of understanding the mortgage mess, let alone cleaning it up. Sure, there is fraud going on, but don't expect the FBI to understand the nature of it.
Not just another two scalps being counted: Fannie Mae and Freddie Mac, the huge USA mortgage lenders, are to be nationalised:
The government’s planned takeover of Fannie Mae and Freddie Mac, expected to be announced as early as this weekend, came together hurriedly after advisers poring over the companies’ books for the Treasury Department concluded that Freddie’s accounting methods had overstated its capital cushion, according to regulatory officials briefed on the matter.
Well, what else can they do? Think about how huge this is: the two of them hold or back debts of around $5.3 trillion dollars . Failure is almost certain systemic collapse: first the US housing market, then the rest.
The theory of central banking has it that the CB is the lender of last resort. And after that last resort, it owns the bank. So the Fed now will own these mortgage lenders, as a consequence of its role. No change here.
But, the theory also has it that any lending brings on the most severe punishments. Collapse and rescue by the CB then means: all shareholders are set to zero. All directors are sacked. It is then welcome to see that, in contrast to earlier wimpy efforts by Bernanke's Fed, this:
The details of the deal have not fully emerged, but it appears that investors who own the companies’ common stock will be virtually wiped out; preferred shareholders, who have priority over other shareholders, may also wind up with little. Holders of debt, including many foreign central banks, are expected to receive government backing. Top executives of both companies will be pushed out, according to those briefed on the plan.
will be pushed out? Pah! In Switzerland, it is apparently a crime to be an officer of a failed bank. Think hard here.... Who are their auditors? Who were the ratings agencies? Who were the regulators?
While others ponder the detail of rounding up the guilty, there is the wider question of how to act, systemically, and properly, if one were a CB. What caused this to happen?
Clearly, we don't know the full detailed story. We do know the US economy has been out of balance for the last many years, you pick the number. We do know that pay-up time is now. Further, it has been obvious for a long time that FM & FM have been structured on continually rising housing prices. How dumb is that?
Still, assuming a free-market, the government is wise not to tell bad investors (or companies) how to act properly. Even if it "knows" what is "right", the theory of free markets is that it knows much less than it would like to, and certainly less than how to run a business. (Otherwise it would be doing it, right?)
The mistake then is in allowing the mortgage backers to become too big to fail. That is, assuming a free-market, we must also respect the right to collapse. When there is no right to collapse, there is no free market. All else is subsidies, and the various other isms are just around the corner. Communism, nationalism, socialism, playing-fieldism:
Fannie Mae executives are likely to have resisted the proposed takeover because the company's financial condition isn't as dire as its sibling company, said Bert Ely, an Alexandria, Va.-based banking industry consultant.
But the government would still have to take over both companies, he said, to allow them to borrow money at the same rates. "In order to level the playing field between the two companies, you've got to take over both of them," said Ely, a longtime critic of the two companies.
The backing by the USG for the mortgage lenders' debt is the tactical error. Having got the systemic details off our chest, let's move to the witchhunt. Who started these monstrosities then? How did the shared guarantee from the US taxpayer come into being? Who fell for that old trick? The US taxpayer deserves to know who's stupidity she's paying for this time, no?
Fannie Mae was created by the government in 1938, and was turned into a shareholder-owned company 30 years later. Freddie Mac was established in 1970 to provide competition for Fannie.
I have in the past presented the strawman that your CISO needs an MBA. Nobody has yet succeeded in knocking it down, and it is proving surprisingly resilient. Yet more evidence comes from Bruce Schneier's blog post of yesterday:
Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable.
It's become a big deal in IT security, too. Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off. And in response, vendors are providing ROI models that demonstrate how their particular security solution provides the best return on investment.
It's a good idea in theory, but it's mostly bunk in practice.
Bunk is wrong. Let's drill down. It works this way: NPV (net present value) and ROI (its lesser cousin) are a mathematical tool for choosing between alternate projects. Keep the notion of comparison tightly in your mind.
The tools measure the money going in versus the money going out in a neutral way. They are entirely neutral between projects because NPV is just mathematics, and the same mathematics is used for each project. (See the top part of Richard's post.)
Obviously, any result from the model depends totally on the inputs, so there is a great deal of care and theory needed supply those proper inputs. And, it is here that security projects have the trouble, in that we don't have a good view as to how to predict attack costs. To be clear, there is no controversy about the inputs being a big problem.
But, assuming we have the theory, the process and the inputs, we can, again in principle, measure fairly across all projects.
That's how it works. As you can see above, we do not make a distinction between investment, savings, costs, returns or profits. Why not? Because NPV model and the numbers don't, either.
What then goes wrong with security people when they say ROI doesn't apply to security?
Before I get into the details, there's one point I have to make. "ROI" as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.
The bottom line is that security saves money; it does not create money.
It seems to be that they seize on the words investment and returns, etc, and realise that the words differ from costs and savings. In conceptual or balance sheet terms, they do differ, but here's the catch: to the models of NPV and ROI, it's all the same. In this sense, we could say that the title of ROI is a misnomer, or that there are several meanings to the word "investment" and you've seized on the wrong one.
If you are good at maths, consider it as simply a model that deals equally well with negative numbers as well as positive numbers. To a model, savings are just negatives of returns.
Now, if your security director had an MBA, she would know that the purpose of NPV is to compare projects, and not anything else, like generating returns. She would also know that the model is neutral, and that the ability to handle negative numbers mean that expenses and savings can be compared as well. She would further know that the problems occur in the inputs and assumptions, not in the model.
Finally, she would know how to speak in the language of finance, which is the language that the finance people use. This might sound obvious, but it isn't so clear. As a generalism, it is this last point that is probably most significant about the MBA concept: it teaches you the language of all the other specialities. It doesn't necessarily make you a whizz at finance, or human resources, or marketing. But it at least lets you talk to them in their language. And, it reminds you that the other professions do have some credibility, so if they say something, listen first before teaching them how to suck eggs.
What's wrong with this picture, from an affidavit filed into a random Los Angeles court concerning divorce proceedings (his emphasis):
"I personally maintain and control ALL access security codes and passwords. I have been and am the ONLY individual in the company who can physically access the building, its contents AND precious metal vaults simultaneously, twenty-four hours a day. All others have limited access that is monitored and/or time-controlled (clock-based) and recorded in security records. Alarm calls are sent directly to me at all hours. ...
... I personally designed and customized the installation of a complex, ultra-sophisticated DOUBLE REDUNDANT security system that is both physical (in the building and its parameters) and virtual (reporting to his private office network round the clock.) This custom, high security system monitors and controls the safety of the corporate headquarters and all its contents, the safety of its employees, and the active 24/7 implementation of advanced, anti-theft, crime prevention. I oversee and monitor all security issues round the clock through a Virtual Private Network set-up at my home office."
Nothing, as long as the above mentioned person is available forever. Unfortunately he is now in jail, charged with much the same situation as the e-gold founders faced over the last two years. Checking the webpage:
05 August, 2008, 1:00pm PST: The e-Bullion website will be unavailable for a period of approximately four hours while our Tech Dept. performs routine maintenance.
We apologize for any inconvenience caused by this interruption to service.
Is this a coincidence? Maybe, but it is just another reminder that serious and professional operations do not subscribe to superhero status as described above, for any of a hundred routine and boring scenarios.
(More details might be found here, written up by Ian Lamont of the Standard. Poking around a bit there is also a complication that the other side of the divorce proceedings, his wife, was murdered, and the LA police allege that there is a connection of some form.)
The computer network hostage crisis in San Francisco is over, thanks to the city's mayor.
Terry Childs, a network administrator for the city of San Francisco, has been in custody since July 13 on four felony charges of taking control of the city's computer network and locking administrators out. Access to much of the city's information was blocked, including law enforcement, payroll, and jail-booking records.
Childs had reportedly refused to surrender the codes to his supervisors, but after a little more than a week as a guest of the city, he apparently had a change of heart and invited Mayor Gavin Newsom to meet with him, according to a report on the San Francisco Chronicle Web site Monday night.
A secret meeting was arranged at the city jail on Monday afternoon, where Childs gave Newsom the codes to the network. The meeting reportedly was so secret that the police department and district attorney were not informed of the meeting ahead of time.
Well, he built it, right? So why can't he tell the users what to do? Right?
The serious question here is whether there is in fact a viable case where a systems administrator takes over and decides to lock his managers out:
Erin Crane, Childs' defense attorney, is expected to cite his cooperation during a court hearing on Wednesday in a bid to have his $5 million bail reduced. Crane has argued that Childs was merely protecting the network from incompetent city officials who were trying to force him out of his job.
"Mr. Childs had good reason to be protective of the password," Crane told the newspaper. "His co-workers and supervisors had in the past maliciously damaged the system themselves, hindered his ability to maintain it...and shown complete indifference to maintaining it themselves...He was the only person in that department capable of running that system."
Tough call! It is rather rare, but this is essentially what whistleblowing seeks to exploit: the insider knowledge that a manager is manipulating the system for nefarious purposes. However, for all practical purposes this is an unlikely situation. Firstly, the managers who are doing the nefarious stuff are likely to then bury he who blows the whistle. See above, $5m bail buys a lot of dirt on this guy's coffin.
Secondly, there is a huge difference between incompetence and fraud. Incompetence is routine, but also the full and proper legal and moral right of the manager. The system administrator that determines that the world should be protected from the manager's incompetence, is generally as deluded as the manager, and is technically and legally wrong. The way to do that is to write to higher-ups and lay paper evidence.
Fraud, while another consideration entirely, is equally difficult: let's start with an easy question. Please define fraud! Now prove it! If you can get that far, the fun is only just starting....
Electronic signatures are now present in legal cases to the extent that while they remain novel, they are not without precedence. Just about every major legal code has formed a view in law on their use, and many industries have at least tried to incorporate them into vertical applications. It is then exceedingly necessary that there be an authoritative tome on the legal issues surrounding the topic.
Electronic Signatures in Law is such a book, and I'm now the proud owner of a copy of the recent 2007 second edition, autographed no less by the author, Stephen Mason. Consider this a review, although I'm unaccustomed to such. Like the book, this review is long: intro, stats, a description of the sections, my view of the old digsig dream, and finally 4 challenges I threw at the book to measure its paces. (Shorter reviews here.)
First the headlines: This is a book that is decidedly worth it if you are seriously in the narrow market indicated by the title. For those who are writing directives or legislation, architecting software of reliance, involved in the Certificate Authority business of some form, or likely to find themselves in a case or two, this could well be the essential book.
At £130 or so, I'd have to say that the Financial Cryptographer who is not working directly in the area will possibly find the book too much for mild Sunday afternoon reading, but if you have it, it does not dive so deeply and so legally that it is impenetrable to those of us without an LLB up our sleeves. For us on the technical side, there is welcome news: although the book does not cover all of the failings and bugs that exist in the use of PKI-style digital signatures, it covers the major issues. Perhaps more importantly, those bugs identified are more or less correctly handled, and the criticism is well-ground in legal thinking that itself rests on centuries of tradition.
Raw stats: Published by Tottel publishing. ISBN 978-1-84592-425-6. At over 700 pages, it includes a comprehensive indexes of statutory instruments, legislation and cases that runs to 55 pages, by my count, and a further 10 pages on United Kingdom orders. As well, there are 54 pages on standards, correspondents, resources, glossary, followed by a 22 page index.
Description. Mason starts out with serious treatments on issues such as "what is a signature?" and "what forms a good signature?" These two hefty chapters (119 pages) are beyond comprehensive but not beyond comprehension. Although I knew that the signature was a (mere) mark of intent, and it is the intent which is the key, I was not aware of how far this simple subject could go. Mason cites case law where "Mum" can prove a will, where one person signs for another, where a usage of any name is still a good signature, and, of course, where apparent signatures are rejected due to irregularities, and others accepted regardless of irregularities.
Next, there is a fairly comprehensive (156 pages) review of country and region legal foundations, covering the major anglo countries, the European Union, and Germany in depth, with a chapter on International comparisons covering approaches, presumptions, liabilities and other complexities and a handful of other countries. Then, Mason covers electronic signatures comprehensively and then seeks to compare them to Parties and risks, liability, non-contractual issues, and evidence (230 pages). Finally, he wraps up with a discussion of digital signatures (42 pages) and data protection (12 pages).
Let me briefly summarise the financial cryptography view of the history of Digital Signatures: The concept of the digital signature had been around since the mid-1970s, firstly in the form of the writings by the public key infrastructure crowd, and secondly, popularised to a small geeky audience in the form of PGP in the early 1990s. However, deployment suffered as nobody could quite figure out the application.
When the web hit in 1994, it created a wave that digital signatures were able to ride. To pour cold water on a grand fire-side story, RSA Laboratories manage to convince Netscape that (a) credit cards needed to be saved from the evil Mallory, (b) the RSA algorithm was critical to that need, and (c) certificates were the way to manage the keys required for RSA. Verisign was a business created by (friends of) RSA for that express purpose, and Netscape was happily impressed on the need to let other friends in. For a while everything was mom's apple pie, and we'll all be rich, as, alongside VeriSign and friends, business plans claiming that all citizens would need certificates for signing purposes were floated around Wall Street, and this would set Americans back $100 a pop.
Neither the fabulous b-plans nor the digital signing dream happened, but to the eternal surprise of the technologists, some legislatures put money down on the cryptographers' dream to render evidence and signing matters "simpler, please." The State of Utah led the way, but the politicians dream is now more clearly seen in the European Directive on Electronic Signatures, and especially in the Germanic attitude that digital signatures are as strong by policy, as they are weak in implementation terms. Today, digital signatures are relegated to either tight vertical applications (e.g., Ricardian contracts), cryptographic protocol work (TLS-style key exchanges), or being unworkable misfits lumbered with the cross of law and the shackles of PKI. These latter embarrassments only survive in those areas where (a) governments have rolled out smart cards for identity on a national basis, and/or (b) governments have used industrial policy to get some of that certificate love to their dependencies.
In contrast to the above dream of digital signatures, attention really should be directed to the mere electronic signature, because they are much more in use than the cryptographic public key form, and arguably much more useful. Mason does that well, by showing how different forms are all acceptable (Chapter 10, or summarised here): Click-wrap, typing a name, PINs, email addresses, scanned manuscript signatures, and biometric forms are all contrasted against actual cases.
The digital signature, and especially the legal projects of many nations get criticised heavily. According to the cases cited, the European project of qualified certificates, with all its CAs, smart cards, infrastructure, liabilities, laws, and costs ad infinitum ... are just not needed. A PC, a word processor program and a scan of a hand signature should be fine for your ultimate document. Or, a typewritten name, or the words "signed!" Nowhere does this come out more clearly than the Chapter on Germany, where results deviate from the rest of the world.
Due to the German Government's continuing love affair with the digital signature, and the backfired-attempt by the EU to regularise the concept in the Electronic Signature Directives, digital and electronic signatures are guaranteed to provide for much confusion in the future. Germany especially mandated its courts to pursue the dream, with the result that most of the German case results deal with rejecting electronic submissions to courts if not attached with a qualified signature (6 of 8 cases listed in Chapter 7). The end result would be simple if Europeans could be trusted to use fax or paper, but consider this final case:
(h) Decision of the BGH (Federal Supreme Court, 'Bundesgerichtshof') dated 10 October 2006,...: A scanned manuscript signature is not sufficient to be qualified as 'in writing' under §130 VI ZPO if such a signature is printed on a document which is then sent by facsimile transmission. Referring to a prior decision, the court pointed out that it would have been sufficient if the scanned signature was implemented into a computer fax, or if a document was manually signed before being sent by facsimile transmission to court.
How deliciously Kafkaesque! and how much of a waste of time is being imposed on the poor, untrustworthy German lawyer. Mason's book takes on the task of documenting this confusion, and pointing some of the way forward. It is extraordinarily refreshing to find that the first to chapters, and over 100 pages, are devoted to simply describing signatures in law. It has been a frequent complaint that without an understanding of what a signature is, it is rather unlikely that any mathematical invention such as digsigs would come even close to mimicing it. And it didn't, as is seen in the 118 pages romp through the act of signing:
What has been lost in the rush to enact legislation is the fact that the function of the signature is generally determined by the nature and content of the document to which it is affixed.
Which security people should have recognised as a red flag: we would generally not expect to use the same mechanism to protect things of wildly different values.
Finally, I found myself pondering these teasers:
Athenticate. I found myself wondering what the word "authenticate" really means, and from Mason's book, I was able to divine an answer: to make an act authentic. What then does "authentic" mean and what then is an "act"? Well, they are both defined as things in law: an "act" is something that has legal significance, and it is authentic if it is required by law and is done in the proper fashion. Which, I claim, is curiously different to whatever definition the technologists and security specialists use. OK, as a caveat, I am not the lawyer, so let's wait and see if I get the above right.
Burden of Liability. The second challenge was whether the burden of liability in signing has really shifted. As we may recall, one of the selling points of digital signatures was that once properly formed, they would enable a relying party to hold the signing party to account, something which was sometimes loosely but unreliably referred to as non-repudiation.
In legal terms, this would have shifted the burden of proof and liability from the recipient to the signer, and was thought by the technologists to be a useful thing for business. Hence, a selling point, especially to big companies and banks! Unfortunately the technologists didn't understand that burden and liability are topics of law, not technology, and for all sorts of reasons it was a bad idea. See that rant elsewhere. Still, undaunted, laws and contracts were written on the advice of technologists to shift the liability. As Mason puts it (M9.27 pp270):
For obvious reasons, the liability of the recipient is shaped by the warp and weft of political and commercial obstructionism. Often, a recipient has no precise rights or obligations, but attempts are made using obscure methods to impose quasi-contractual duties that are virtually impossible to comply with. Neither governments nor commercial certification authorities wish to make explicit what they seek to achieve implicitly: that is, to cause the recipient to become a verifying party, with all the responsibilities that such a role implies....
So how successful was the attempt to shift the liability / burder in law? Mason surveys this question in several ways: presumptions, duties, and liabilities directly. For a presumption that the sender was the named party in the signature, 6 countries said yes (Israel, Japan, Argentina, Dubai, Korea, Singapore) and one said no (Australia) (M9.18 pp265) Britain used statutory instruments to give a presumption to herself, the Crown only, that the citizen was the sender (M9.27 pp270). Others were silent, which I judge an effective absence of a presumption, and a majority for no presumption.
Another important selling point was whether the CA took on any especial presumption of correctness: the best efforts seen here were that CAs were generally protected from any liability unless shown to have acted improperly, which somewhat undermines the entire concept of a trusted third party.
How then are a signer and recipient to share the liability? Australia states quite clearly that the signing party is only considered to have signed, if she signed. That is, she can simply state that she did not sign, and the burden falls on the relying party to show she did. This is simply the restatement of the principle in the English common law; and in effect states that digital signatures may be used, but they are not any more effective than others. Then, the liability is exactly as before: it is up the to relying party to check beforehand, to the extent reasonable. Other countries say that reliance is reasonable, if the relying party checks. But this is practically a null statement, as not only is it already the case, it is the common-sense situation of caveat emptor deriving from Roman times.
Although murky, I would conclude that the liability and burden for reliance on a signature is not shifted in the electronic domain, or at least governments seem to have held back from legislating any shift. In general, it remains firmly with the recipient of the signature. The best it gets in shiftyville is the British Government's bounty, which awards its citizens the special privilege of paying for their Government's blind blundering; same as it ever was. What most governments have done is a lot of hand-waving, while permitting CAs to utilise contract arrangements to put the parties in the position of doing the necessary due diligence,. Again, same as it ever was, and decidedly no benefit or joy for the relying party is seen anywhere. This is no more than the normal private right to a contract or arrangement, and no new law nor regulation was needed for that.
Digital Signing, finally, for real! The final challenge remains a work-in-progress: to construct some way to use digital signatures in a signing protocol. That is, use them to sign documents, or, in other words, what they were sold for in the first place. You might be forgiven for wondering if the hot summer sun has reached my head, but we have to recall that most of the useful software out there does not take OpenPGP, rather it takes PKI and x.509 style certificate cryptographic keys and certificates. Some of these things offer to do things called signing, but there remains a challenge to make these features safe enough to be recommended to users. For example, my Thunderbird now puts a digital signature on my emails, but nobody, not it, not Mozilla, not CAcert, not anyone can tell me what my liability is.
To address this need, I consulted the first two chapters, which lay out what a signature is, and by implication what signing is. Signing is the act of showing intent to give legal effect to a document; signatures are a token of that intention, recorded in the act of signing. In order, then, to use digital certificates in signing, we need to show a user's intent. Unfortunately, certificates cannot do that, as is repeatedly described in the book: mostly because they are applied by the software agent in a way mysterious and impenetrable to the user.
Of course, the answer to my question is not clearly laid out, but the foundations are there: create a private contract and/or arrangement between the parties, indicate clearly the difference between a signed and unsigned document, and add the digital signature around the document for its cryptographic properties (primarily integrity protection and confirmation of source).
The two chapters lay out the story for how to indicate intention in the English common law: it is simple enough to add the name, and the intention to sign, manually. No pen and ink is needed, nor more mathematics than that of ASCII, as long as the intention is clear. Hence, it suffices for me to write something like signed, iang at the bottom of my document. As the English common law will accept the addition of merely ones name as a signature, and the PKI school has hope that digital signatures can be used as legal signatures, it follows that both are required to be safe and clear in all circumstances. For the champions of either school, the other method seems like a reduction to futility, as neither seems adequate nor meaningful, but the combination may ease the transition for those who can't appreciate the other language.
Finally, I should close with a final thought: how does the book effect my notions as described in the Ricardian Contract, still one of the very few strong and clear designs in digital signing? I am happy to say that not much has changed, and if anything Mason's book confirms that the Ricardo designs were solid. Although, if I was upgrading the design, I would add the above logic. That is, as the digital signature remains impenetrable to the court, it behoves to add the words seen below somewhere in the contract. Hence, no more than a field name-change, the tiniest tweak only, is indicated:
Signed By: Ivan
My notes of a presentation by Dr Ugo Bechini at the Int. Conf. on Digital Evidence, London. As it touches on many chords, I've typed it up for the blog:
The European or Civil Law Notary is a powerful agent in commerce in the civil law countries, providing a trusted control of a high value transaction. Often, this check is in the form of an Apostille which is (loosely) a stamp by the Notary on an official document that asserts that the document is indeed official. Although it sounds simple, and similar to common law Notaries Public, behind the simple signature is a weighty process that may be used for real estate, wills, etc.
It works, and as Eliana Morandi puts it, writing in the 2007 edition of the Digital Evidence and Electronic Signature Law Review:
Clear evidence of these risks can be seen in the very rapid escalation, in common law countries, of criminal phenomena that are almost unheard of in civil law countries, at least in the sectors where notaries are involved. The phenomena related to mortgage fraud is particularly important, which the Mortgage Bankers Association estimates to have caused the American system losses of 2.5 trillion dollars in 2005.
OK, so that latter number came from Choicepoint's "research" (referenced somewhere here) but we can probably agree that the grains of truth sum to many billions.
Back to the Notaries. The task that they see ahead of them is to digitise the Apostille, which to some simplification is seen as a small text with a (dig)sig, which they have tried and tested. One lament common in all European tech adventures is that the Notaries, split along national lines, use many different systems: 7 formats indicating at at least 7 softwares, frequent upgrades, and of course, ultimately, incompatibility across the Eurozone.
To make notary documents interchangeable, there are (posits Dr Bechini) two solutions:
A commercial alternative was notably absent. Either way, IVTF (or CNUE) has adopted and built the second solution: a website where documents can be uploaded and checked for digsigs; the system checks the signature, the certificate and the authority and translates the results into 4 metrics:
In the IVTF circle, a notary can take full responsibility for a document from another notary when there are 4 green boxes above, meaning that all 4 things check out.
This seems to be working: Notaries are now big users of digsigs, 3 million this year. This is balanced by some downsides: although they cover 4 countries (Deustchland, España, France, Italy), every additional country creates additional complexity.
Question is (and I asked), what happens when the expired or revoked certificate causes a yellow or red warning?
The answer was surprising: the certificates are replaced 6 months before expiry, and the messages themselves are sent on the basis of a few hours. So, instead of the document being archived with digsig and then shared, a relying Notary goes back to the originating Notary to request a new copy. The originating Notary goes to his national repository, picks up his *original* which was registered when the document was created, adds a fresh new digsig, and forwards it. The relying notary checks the fresh signature and moves on to her other tasks.
You can probably see where we are going here. This isn't digital signing of documents, as it was envisaged by the champions of same, it is more like real-time authentication. On the other hand, it does speak to that hypothesis of secure protocol design that suggests you have to get into the soul of your application: Notaries already have a secure way to archive the documents, what they need is a secure way to transmit that confidence on request, to another Notary. There is no problem with short term throw-away signatures, and once we get used to the idea, we can see that it works.
One closing thought I had was the sensitivity of the national registry. I started this post by commenting on the powerful position that notaries hold in European commerce, the presenter closed by saying "and we want to maintain that position." It doesn't require a PhD to spot the disintermediation problem here, so it will be interesting to see how far this goes.
A second closing thought is that Morandi cites
... the work of economist Hernando de Soto, who has pointed out that a major obstacle to growth in many developing countries is the absence of efficient financial markets that allow people to transform property, first and foremost real estate, into financial capital. The problem, according to de Soto, lies not in the inadequacy of resources (which de Soto estimates at approximately 9.34 trillion dollars) but rather in the absence of a formal, public system for registering property rights that are guaranteed by the state in some way, and which allows owners to use property as collateral to obtain access to the financial captal associated with ownership.
But, Latin America, where de Soto did much of his work, follows the Civil Notary system! There is an unanswered question here. It didn't work for them, so either the European Notaries are wrong about their assertation that this is the reason for no fraud in this area, or de Soto is wrong about his assertation as above. Or?
Cryptographers, software and hardware architects and others in the tech world have developed a strong belief that everything can be solved with more bits and bites. Often to our benefit, but sometimes to our cost. Just so with matters of law and disputes, where inventions like digital signatures have laid a trail of havoc and confusion through security practices and tools. As we know in financial cryptography, public-key reverse encryptions -- confusingly labelled as digital signatures -- are more usefully examined within the context of the law of evidence than within that of signatures.
Now here cometh those who have to take these legal theories from the back of the technologists' napkins and make them really work: the lawyers. Stephen Mason leads an impressive line-up from many countries in a conference on Digital Evidence:
Digital evidence is ubiquitous, and to such an extent, that it is used in courts every day in criminal, family, maritime, banking, contract, planning and a range of other legal matters. It will not be long before the only evidence before most courts across the globe will all be in the form of digital evidence: photographs taken from mobile telephones, e-mails from Blackberries and laptops, and videos showing criminal behaviour on You Tube are just some of the examples. Now is the time for judges, lawyers and in-house counsel to understand (i) that they need to know some of the issues and (ii) they cannot ignore digital evidence, because the courts deal with it every day, and the amount will increase as time goes by. The aim of the conference will be to alert judges, lawyers (in-house lawyers as well as lawyers in practice), digital forensic specialists, police officers and IT directors responsible for conducting investigations to the issues that surround digital evidence.
Not digital signatures, but evidence! This is a genuinely welcome development, and well worth the visit. Here's more of the blurb:
Conference Programme International Conference on Digital Evidence
26th- 27th June 2008, The Vintner's Hall, London – UNITED KINGDOM
Conference: 26th & 27th June 2008, Vintners' Hall, London
Cocktail & Dinner: 26th June 2008, The Honourable Society of Gray's Inn
THE FIRST CONFERENCE TO TREAT DIGITAL EVIDENCE FULLY ON AN INTERNATIONAL PLATFORM...
12 CPD HOURS - ACCREDITED BY THE LAW SOCIETY & THE BAR STANDARDS BOARD
This event has also been accredited on an ad hoc basis under the Faculty's CPD Scheme and will qualify for 12 hours
Understanding the Technology: Best Practice & Principles for Judges, Lawyers, Litigants, the Accused & Information Security & Digital Evidence Specialists
MIS is hosting & developing this event in partnership with & under the guidance of Stephen Mason, Barrister & Visiting Research Fellow, Digital Evidence Research, British Institute of International and Comparative Law.
Mr. Mason is in charge of the programme's content and is the author of Electronic Signatures in Law (Tottel, 2nd edn, 2007) [This text covers 98 jurisdictions including case law from Argentina, Australia, Brazil, Canada, China, Colombia, Czech Republic, Denmark, Dominican Republic, England & Wales, Estonia, Finland, France, Germany, Greece, Hungary, Israel, Italy, Lithuania, Netherlands, Papua New Guinea, Poland, Portugal, Singapore, South Africa, Spain, Switzerland and the United States of America]. He is also an author and general editor of Electronic Evidence: Disclosure, Discovery & Admissibility (LexisNexis Butterworths, 2007) [This text covers the following jurisdictions: Australia, Canada, England & Wales, Hong Kong, India, Ireland, New Zealand, Scotland, Singapore, South Africa and the United States of America]. Register Now!
Stephen is also International Electronic Evidence, general editor, (British Institute of International and Comparative Law, 2008), ISBN 978-1-905221-29-5, covering the following jurisdictions: Argentina, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Netherlands, Norway, Poland, Romania, Russia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Thailand and Turkey.
Bruce Schneier writes about the classical technology / security view and how it applies to such oddities as the fax signature. As he shows, we have trouble making them work according to classical security & tools thinking.
In a 2003 paper, "Economics, Psychology, and Sociology of Security," Professor Andrew Odlyzko looks at fax signatures and concludes:Although fax signatures have become widespread, their usage is restricted. They are not used for final contracts of substantial value, such as home purchases. That means that the insecurity of fax communications is not easy to exploit for large gain. Additional protection against abuse of fax insecurity is provided by the context in which faxes are used. There are records of phone calls that carry the faxes, paper trails inside enterprises and so on. Furthermore, unexpected large financial transfers trigger scrutiny. As a result, successful frauds are not easy to carry out by purely technical means.
He's right. Thinking back, there really aren't ways in which a criminal could use a forged document sent by fax to defraud me.
The problem that shakes the above comments is that signatures are not tools to make things secure, nor to stop fraud. Instead, they are signals of legal intent. The law has developed them over centuries or millenia not as tools to make contracts binding, as per the simplistic common myth, or to somehow make it hard for fraudsters, the above security myth, but signals to record the intent of the person.
These subtleties matter. When you send a fax with your signature on it, it doesn't matter that the signature can be copied; it is the act of you creating and sending the fax with signature that establishes intent. Indeed, the intent can be shown without the signature, and the source of the fax is then as important as anything else. For this reason, we generally confirm what you intended somehow. Or we should, as Bruce Schneier writes:
On October 30, 2004, Tristian Wilson was released from a Memphis jail on the authority of a forged fax message. It wasn't even a particularly good forgery. It wasn't on the standard letterhead of the West Memphis Police Department. The name of the policeman who signed the fax was misspelled. And the time stamp on the top of the fax clearly showed that it was sent from a local McDonald's.
The success of this hack has nothing to do with the fact that it was sent over by fax. It worked because the jail had lousy verification procedures. They didn't notice any discrepancies in the fax. They didn't notice the phone number from which the fax was sent. They didn't call and verify that it was official. The jail was accustomed to getting release orders via fax, and just acted on this one without thinking. Would it have been any different had the forged release form been sent by mail or courier?
It's all backwards, according to the law. There should have been an intent, but there wasn't one. It wasn't that the policeman's signature established an intent, it was that the signature should have been a final step in confirming an intent that already existed. The point of phoning the policeman wasn't to check the signature, but to establish the intent. Which the signature would have nicely confirmed, but the check on intent isn't substitutable with the check on signature. As Jeff commented on the post:
Most people don't understand that signatures don't generally perform a security function, they perform a solemnization function. At least that was the case before the mathematicians got involved and tried to convince folks of the value of digitial signatures . . .. :-)
Before they got it totally backwards, that is. Your copied signature does not show intent by you, instead, it suggests an intent by you, that should be confirmed regardless. For you, this is good, as the principle of redundancy applies: you need something much more than one signature to lock you into a contract, or get you out of prison. And this process of showing intent bounces back to the signature in a particularly powerful protocol that is used in the legal world. This is a closely held secret, but I shall now reveal it and risk censure and expulsion for breaking the code:
That's it, just ask the question. This can happen anywhere, but is best seen in a court setting: The judge says "Did you sign this?" If you did, then you say yes. (Else you're up for perjury, which is a serious risk.) If you didn't, you deny it, and then the court has a claim that it is not yours. The court now looks further to establish who's intent was behind this act.
It is for these reasons that digital signatures failed to make any mark on the real world, when cast as some sort of analogue to the human signature. Indeed, the cryptography community got it backwards, upside down and inside out. They thought that the goal was to remove the uncertainty and simplify the procedure, when in fact the goal was to preserve and exploit the uncertainty, and to augment the procedure. They were thinking non-repudiation, yet the signature is there to entice repudiation. They thought the signature was sufficient, yet it is no more than a signal of something much more important. They thought simplicity, when redundancy is the principle.
Digital signatures were presented as a new beginning and ending for electronci contracts, and users intuitively recognised they were neither a beginning nor an ending. Digital signatures were nothing, without a custom, and within a custom were shown to be more trouble than they were worth. Case in point: this is the reason why the digital signature on Ricardian Contracts is just cryptographic sugar: the intent is better shown by the server mounting the contract, by the issuer saying "I'm selling this contract", and by the system memorialising all these events in other signed records.
You might ask, why they are there, but I'll side-step that question for now :) Instead, let us ask, how then do we move forward and use digital signatures?
We should be able to see now that it is the wrong question. The right question is firstly, how do we establish intent, and the follow-up is, intent of what? Attest to a statement, conclude a negotiation, sell a house, contract for a road to be dug up, marriage with or without a shotgun? Once we have established that, we can construct a custom (techies would say a protocol) that captures the intent _and_ the agreement, suitable for the value at hand.
We might find a way to slip in some digsigs or we might not. That's because the role is to capture intent, not the signature. Intent is obligatory, signature is not.
(Indeed, this is why we say, in financial cryptography, the cryptography is optional, which causes no end of head-scratching. What then does a poor vendor of cryptographic digsigs do with them? Simple: define the digsig as meaning nothing, legally, outside an additional custom. Nothing, nix, nada, zip! And use them purely for their cryptographic properties, only. Which happen to be useful enough, if properly designed.)
Philipp pointed me to another issue that turns the good ship Digital Signature into yet another Nautilus, rapidly going down the whirlpool.
Consider compromise of my signing key. If my key is compromised, then it can be used to sign any document on behalf of the erstwhile owner (was, me). Now, a curiosity of this is that the signature can be backdated, so if I lose my signing key to you, then you can sign away my house, back date it to a few years back to when it was a valid key, and take my house for a buck.
Hence, when my key is compromised, I have to revoke the key, and also potentially revoke all the signatures. The revocation of a signing cert can result in signatures of all dates becoming invalid, or questionable, even back in time. (Apparently, some proportion of client software works this way, because once a cert is revoked, all signatures are deemed "unacceptable" and thus effectively revoked. Nautilus, meet whirlpool.)
This could even be used by myself, in a nefarious mood, to cast doubt over the my own validly-made signatures. If I was homesick, I could conceivably use this to deny a valid contract to sell my house. Hey presto, Grandma gets her house back! (For other woes in the use of public keys for signing purposes, see Signed Confusion)
So how do we solve this problem? Skip down to **** if you are fully informed on that invention known as the Ricardian Contract, which does solve this issue.
In the Ricardian Contract I solved it by taking the hash of the signed contract, making that the identifier for the contract, and then embedding that hash into every transaction that happens thereafter. So, in effect, all new transactions accept and affirm the contract; and therefore form part of the evidence over the signature; if we question the original digsig, we also question all the transactions in the issuance, which is not reasonable beyond the first few dozen transactions.
What happens in more conventional PKI-land, where wisdom is writ, and standards are dusty? As is frequently pointed out, any human-meaningful use of digital signatures would then need to be confirmed with a secure timestamp, perhaps so that any later key revocation can avoid revoking that signature. Makes some sense, and indeed, every single Ricardo transaction sums to achieve that timestamp, as it builds up a tree of timestamped, signed transactions, pyramided on the original contract and its certificate.
We could then propose a rule in the use of public key digsigs for digital signing:
digital signatures cannot be relied upon over time without secure timestamping
The problem with this is that it undermines the very architecture of PKI; if we are assuming online, authoritive entities such as timestamping or digital cash issuers, then we don't actually need PKI, as it is written. Click on lynn://frequent.rant/ at this point... or for my version, in Ricardo as described above, the strength was the fact that strong evidence of the contract was kept over time, not the digsig. In this case, the evidentiary hash over the total document is what is kept, and the digsig added no more than the sweetness of headline confirmation of intent to the picture.
Because PKI (and in this case, OpenPGP cleartext signing) established a convention of signalling an intent with a digsig, it was handy to use that signal.
But we never relied on that, and a specific requirement was that someone could steal the signing key and create a bogus contract. The real strength that captured the signing over the contract was this: we took the hash of the document, and used that hash as the identifier for the contract. We are talking about Ivan, a person who is an issuer of value, and is purporting to the world that his contract is good. Them we arrange matters so that in every statement he makes to the world, he uses a strong identifier. By including the hash of the contract in every transaction, we establish Ivan's intent, understanding, liability on the basis of strong acts by the signer himself. The subtext is that the dominating evidence of intent on the document was the hash over the document, and the transactions that embedded that hash preserved and published that evidence .
**** The conclusion is that the hash is a better "signature" than a public-private-key digsig, if we are talking about evidence of time, leading to intent, etc; both need to be accompanied by an infrastructure that isolates the realtime of effect of the original event, and an environment where that intent is preserved. In which case, we can take the above, spin it and say that simple hashes are as good as public key digsigs at the application known as digital signing, and better because they are cheaper. Or, if the infrastructure is present, then public key digsigs makes a good carrier of hashes, as long as their use doesn't damage the application in other ways (which unfortunately it does, c.f. revocation).
What does a timestamped hash lack? It has no indicator of who the signer is. Hence, the hash does not quite defeat the digsig on the basis of Occam's razor.
But we need that in other ways anyway, as the pure cryptographic notion of a public key signature is no better than "this set of bits saw that set of bits" and we know from practical cryptography that there is no easy way to measure and control the distance from a human (intent) to a set of bits. PKI fails to achieve this because it outsources identity to a thing called Certificate Authorities, which so far have not shown themselves to be useful harbingers of your signatory, if in part because they are more expensive than the old pen&ink method.
Let's step back then, and place this in terms of requirements. We need these things to create any system of digital signing:
Public key signatures add very little if anything over hashes and timestamps, as the former needs independent timestamping and revocation, which means that their PKI claims of offline-checking are unravelled. Neither public key digsigs or simple hashes establishes who, easily (consider the cost of PKI infrastructures versus the low statements of reliance), and neither establishes intent.
Indeed, the requirements are so badly met that we can invent a system in 30 seconds that beats the incumbent "approved digital signing systems", hands down:
Iang is who Iang says he is.
This is strong, because, it was me that said it, me that posted it, and this blog, google, the time machine and all the other net tricks will preserve it . Oh, and the hash adds some precision.
Are public key signatures dead? In technical and legal terms, yes. Public key signatures are at least brain-dead, and should be terminated for lack of sentience. While they retain some residual value in marketing senses and in infrastructure senses, they cannot be relied upon as signatures. We'll continue to put in the cryptocandy of the OpenPGP signatures on contracts, but the strength is elsewhere.
Which also means that we do not need to worry about revocation in digsig signing applications: the PKI digsigs as signing applications already revoked themselves, and we shouldn't spend any time over the issue except to say that they are not reliable enough for reliance applications. Instead, if you want a reliable digital signing application, read the Ricardian Contract paper carefully, and construct a protocol that carries the cryptocandy of the existing infrastructure alongside a proper chain that evidences the perfection of the contract: reading/understanding/intent/delivery.
Notes : To follow a digital issuance through in technical, accounting terms: in a digital currency, we start out with one transaction to create value. This is of necessity a double entry transaction that puts large positive value into a manager's account, against large negative value into a float account. Then, the freshly minted positive value is distributed to the users, resulting in more transactions. The value is probably split in the second transaction and further split and recombined in each succeeding transaction, resulting in something like a tree structure.
Each of these transactions evidence an intent to honour the contract, as they all point back by means of the same hash over the same document. Hence, the OpenPGP signature is crypto-icing over the real cake within the Ricardian contract; in this particular case at least, the OpenPGP signature adds little to what the evidentiary chain of transactions provides.
Note : If you want to wrap some cleartext signing sugar onto it, try this:
----- BEGIN OpenPGP Hash-Signed Document -----
I am who I say I am.
----- BEGIN HashSIG -----
----- END HashSIG -----
Note : how did we do that hash? Like this:
$ openssl sha1
Hash-signing my contract is as easy as typing text and adding newline then control-D at the end
Cut and paste the text line into a Unix terminal application, and follow the instructions. Don't forget to hit return, then hit ctrl-D. Don't include the spaces at the beginning.
Everyone is talking about Société Générale and how they managed to mislay EUR 4.7bn. The current public line is that a rogue trader threw it all away on the market, but some of the more canny people in the business don't buy it.
One superficial question is how to avoid this dilemma?
That's a question for financial cryptographers, I say. If we imagine a hard payment system is used for the various derivative trades, we would have to model the trades as two or more back-to-back payments. As they are positions that have to be made then unwound, or cancelled off against each other, this means that each trader is an issuer of subsidiary instruments that are combined into a package that simulates the intent of the trade (theoretical market specialists will recall the zero-coupon bond concept as the basic building block).
So, Monsieur Kerviel would have to issue his part in the trades, and match them to the issued instruments of his counterparty (whos name we would dearly love to know!). The two issued instruments can be made dependent on each other, an implementation detail we can gloss over today.
Which brings us to the first part: fraudulent trades to cover other trades would not be possible with proper FC because it is not possible to forge the counterparty's position under triple-entry systems (that being the special magic of triple-entry).
Higher layer issues are harder, because they are less core rights issues and more human constructs, so they aren't as yet as amenable to cryptographic techniques, but we can use higher layer governance tricks. For example, the size of the position, the alarms and limits, and the creation of accounts (secret or bogus customers). The backoffice people can see into the systems because it is they who manage the issuance servers (ok, that's a presumption). Given the ability to tie down every transaction, we are simply left with the difficult job of correctly analysing every deviation. But, it is at least easier because a whole class of errors is removed.
Which brings us to the underlying FC question: why not? It was apparent through history, and there are now enough cases to form a pattern, that the reason for the failure of FC was fundamentally that the banks did not want it. If anything, they'd rather you dropped dead on the spot than suggest something that might improve their lives.
Which leads us to the very troubling question of why banks hate to do it properly. There are many answers, all speculation, and as far as I know, nobody has done research into why banks do not employ the stuff they should if they responded to events as other markets do. Here are some speculative suggestions:
Every one of those reasons is a completely standard malaise which strikes every company, but not other industries. The difference is competition; in every other industry, the competition would eat up the poorer players, but in banking, it keeps the poorer players alive. So the #1 fundamental reason why rogue traders will continue to eat up banks, one by one, is lack of competitive pressures to do any better.
And of course, all these issues feed into each other. Given all that, it is hard to see how FC will ever make a difference from inside; the only way is from outside, to the extent that challengers find an end-run around the rules for non-competition in banking.
What then would we propose to the bank to solve the SocGen dilemma as a short term hack? There are two possibilities that might be explored.
This works because it is an independent and financially motivated check. It also helps to start the inevitable shift of moving parts of regulation from the current broken 20th century structure over to a free market governance mechanism. That is, it is aligned with the eventual future economic structure.
So outsource the whole lot of risk governance to specialists in a separate board-level structure. This structure should have visibility of all accounts, all SPEs, all positions, and should also be the main conduit to the regulator. It has to be equal to the business board, because it has to have the power to make it happen.
The existing board maintains the business side: HR, markets, products, etc. This would nicely divide into two the "special" area of banking from the "general" area of business. Then, when things go wrong, it is much easier to identify who to sack, which improves the feedback to the point where it can be useful. It also puts into more clear focus the specialness of banks, and their packaged franchises, regulatory costs and other things.
Why or how these work is beyond scope of a blog. Indeed, whether they work is a difficult experiment to run, and given the Competition finding above, it might be that we do all this, and still fail. But, I'd still suggest them, as both those ideas can be rolled out in a year, and the current central banking structure has at least another decade to run, and probably two, before the penny drops, and people realise that the regulation is the problem, not the solution.
(PS: Jim invented the second one!)
Second Life takes another step onto the slippery slope. They have previously banned gambling, and now they are banning finance.
Please read this if you operate, or have transferred L$ to, an in-world “bank” or financial company.
As of January 22, 2008, it will be prohibited to offer interest or any direct return on an investment (whether in L$ or other currency) from any object, such as an ATM, located in Second Life, without proof of an applicable government registration statement or financial institution charter. ...
This is the slippery slope. By putting a blanket ban on the operation of financial services (or, passing the buck to the old-world regulators, which amounts to the same thing), they have exited from a large sector of commerce. Expect others to follow.
The reason? In short, it is not economic for them. Linden Labs have no economic / libertarian background to understand the theory, so they cannot see a forward path. Nor do they have the necessary regulatory background or friends, so they have inherited a big and powerful enemy (or more precisely, a horde of enemies who all look the same on first glance) with no way to deal with a war.
Also, it has been recently shown by one similar venture (eBay/Paypal) that taking the slippery slope has a quid pro quo: no financial downside, indeed success and profits. Other than a lot of noisy press ("traitors to the cause"), what's the problem? The process looks on track according to modern marketing theories (ditch the early adoptors as you move to the mainstream).
Under this cloud of exit stories, sad to some, there is at least a silver lining. We extract one data point from the experiment that confirms the theories developed in the 1990s for unregulated finance providers:
You probably haven’t heard of Joshua Zarwel (Second Life’s ‘Teufel Hauptmann’), but he was the very first person I thought of when Linden Lab banned banking last week. ‘Hauptmann’ doesn’t get a lot of press. He’s never been accused of insider trading or blackmail in the Second Life Herald, he doesn’t spend much money on his avatar, he SL Bank Logodoesn’t issue cringe-inducing press releases, and he doesn’t have his name in diamonds above his virtual door. In short, he’s the kind of guy you want managing your money.
Sounds like a scam already, right? Call the Feds? The USSS should be hovering as we speak? Read on...
The fund’s web site is plain, and its entire in-world presence consists of one tiny, unremarkable virtual building. ... When Linden Lab ended banking in Second Life last week, Zarwel did something I’ve not heard of any other banker doing: he quietly announced that every single Linden Dollar in his customers’ accounts was available for immediate withdrawal. ...
For those who have memories of the unregulated gold and dollars economy:
... we tried to be as transparent as possible. If you check our website and/or in world note card you will see that we provide our real world names, addresses, backgrounds, profitability, fund allocation, etc. We had nothing to hide, nor did we ever wish to be anonymous.
This is rhyme. Indeed, it's as close to repeat as you can get, to challenge Mark Twain. We can see everything, as indeed it should be in open governance:
The long and the short is that if Linden Labs had implemented the lessons of open governance, they would have likely knocked out (over time) the scams and been left with the gems (again, over time). This does not change the question of whether it would have been economic of them to pursue Austrian approaches to commerce (Hayek's open money, etc), but it does show that there was a forward path, and the place at the end of that path will stand up to scrutiny.
While we are on the finance business, let's check in to see where the regulated world are at in governing their activities:
The UK's HSBC is to use Identrust's Internet authentication network to enable its corporate customers to digitally sign electronic payments files. Identrus provides a secure digital certificate-based infrastructure for business-to-business e-commerce transactions and corporate-to-bank communications....
A select number of HSBC corporate banking clients will be issued with Identrus digital certificates so that their staff can electronically sign payment files.
Identrust-backed digital signatures are used to guarantee non-repudiable and legally binding electronic communications between banks and their corporate clients. Only one Identrus digital identity per user is needed to interact with all of a corporate client's banks, which simplifies the transaction authentication process.
(Imagine here comments about Ricardian contracts, x.509 failings, x9.59 designs, transaction economics, and a whole host of lessons that simply can't be learnt at any price.)
This would be almost boring except for the numbers involved. The Economist writes:
TROUBLE had been expected but nothing like this. Widespread concerns that Société Générale, a large French bank, had more subprime-related problems to reveal were proved right on January 24th with the announcement of a €2.05 billion ($3 billion) write-down on its exposure to mortgage-related investments and to creaking bond insurers. But those numbers were a side-show to something far more shocking.
The bank also disclosed that a single trader, Jérôme Kerviel, had racked up a further €4.9 billion loss by taking unauthorised bets on futures linked to European stockmarkets. Trading in SocGen's shares was temporarily suspended on January 24th, but punishment was bound to be severe.
How did this happen? For that we have to see what the FT wrote:
The trader joined the bank in 2000 and worked in Paris. The first three years of his career were spent in the bank’s so-called “back office” and “middle office”, where trades are settled and risk is managed. Though it did not name Mr Kerviel, SocGen said he had never worked directly in its risk control section, but remained in contact with people in those areas so he could be updated with the bank’s risk controls.
“The reasons he could succeed was because the trader knew intimately the bank’s risk controls and swiftly shifted positions to evade detection at each level of control,” Mr Bouton said.
The fraud was discovered after the trader made an error with a fictitious counterparty. Its extent became clear over the weekend, when the bank‘s management interviewed Mr Kerviel.
OK, so rule #1 in governance is to separate the decisions from the implemention. Those on the decision side (in this case, traders) can not touch the money. Those on the money side (in financial lingo, back-office) cannot make any decisions. Seems simple, right?
The flaw here is that separation of roles also has to be backed up by more than mere words. Those in the back-office are supposed to check for valid trading by some metric or other, and supervisors are supposed to watch everything and make judgement calls. Those in the front-office (traders) are supposed to be rewarded for successful trades, and those in the back-office are supposed to be rewarded for safe trades.
As we know from the Barings case (and a thousand years of history) if a person crosses the border between front and back-office, there is trouble. Nick Leeson not only traded, he was also the guru that fixed or ran the accounting system in the Singapore branch. So he knew the back-office commands to create special or secret accounts, like 88888, which came in handy to hide losses.
The same will be true here: Kervial was trained in the back office, so almost certainly he knew how to do things that were under the covers. Which points to a crazy state of affairs: how is it at all possible to do things that are below the covers?
If you need a systemic reason, it would be because the system has evolved through centuries and is full of obscure rules, quirks, paperwork, oversights and so forth. It is too complex for anyone but a few to understand, indeed, it is quicker to build a complete new governance system from scratch than it is to understand a modern trading system (I know because I've done it). We can conclude that the modern systems are opaque, by history if not by design, and that therefore the real question to ask is whether it is plausible to even understand what happens under the covers, and to stop this weakness?
We know how to solve these problems in financial cryptography. My results were confirmed by others; but we all faced the same systemic blockages in getting systems deployed. Those same blockages will probably also work to save Société Générale from the real solution, which is sacking of the entire board at minimum and sacking of the shareholders at maximum.
Top tip from anonymous observer: watch Société Générale slide in a lot of other hidden losses into this one, so as to combine all the losses into one efficient hit. This is good news for shareholders, and bad news for everyone else, but that sort of high stakes poker playing with assets can also backfire if the losses threaten real closure.
I listened to an entire Second Life interview with Dan Miller from the Joint Economic Council, a thinktank for the USA government. Interesting stuff, because virtual world governance gives us a window on all-of-Internet governance.
On a slightly related question, I have one question on the efficiency of the new generation of podcasts and interviews and so forth. These new tools are seeking to simulate the old world of radio and TV as the channel of preference, but to my mind they are terribly inefficient. I had to spend an entire hour or so listening to the scratchy sound, with a drop out in a critical part, when I could have skimmed the same written content in about 2 minutes. The nice way of putting this is that it's not ready for recommendation to my business partners as yet, and a slightly less nice way is "who has time for that?"
Does anyone have any alternate experience in these podcasts, etc, that indicates it is finding a market place in real business?
(Addendum: cross-over to TV.)
CAcert has just approved rules for dispute resolution which, in brief, puts all before their own arbitration. (Disclosure: I was involved!)
The key in this process is the provision in the user agreement that asserts the agreement to arbitrate disputes, and the lock that matches the key is the Arbitration Act in most countries. To make it work, the Act generally says that courts must respect the intent to arbitrate. From the US:
Under the FAA, on the motion of a party, a court must stay proceedings and order the parties to arbitrate the dispute if the court finds that the parties have agreed in writing to do so. A party seeking to compel arbitration must show (1) that a valid agreement to arbitrate exists between the parties and (2) that the specific dispute falls within the scope of the agreement.
E.g., the courts will kick you back to Arbitration. But, there are some exceptions, and I took that above quote from one such, being Bragg v. Second Life, wherein Judge Robreno decided to kick out the Arbitration Clause, not the parties. As VB writes, this is a big deal. So, it is useful to check his logic, and find out if CAcert has made some of the same mistakes.
Bear in mind this is not legal writing; if you want the real story you have to read the full transcripts linked above. To stress that, I've stripped out the references, etc, so as to maintain the readability rather than the reliability.
Having said that, onwards! With some legal musing, the Court arrives at this:
Bragg claims that the arbitration agreement itself would effectively deny him access to an arbitrator, because the costs would be prohibitively expensive, a question that is more appropriately reserved for the Court to answer.
To answer the question, the Court decided to look at procedural and substantive components to the issue of unconscionability which is a get-out card generally written into Arbitration Acts, and construct a balanced view from those components. Here's a quick summary:
Contract of adhesion. The Second Life agreement is a contract of adhesion, because there is no chance to negotiate. It's a take it or leave it. Therefore, the contract meets a standard of procedural unconscionability.
"Surprise," meaning that the Arbitration intent is hidden. Again, SL has met the Court's standard of surprise, by (a) using an opaque heading and (b) not setting out the costs clearly. This is a second leg of procedural unconscionability.
"One-sidedness of the contract terms." This seems to ride on several issues:
The Court asserted that "the arbitration remedy must contain a “modicum of bilaterality." It also quoted a Paypal case which is likely as close as it gets in industry similarity. In short, Paypal was able to control the entire assets within by way of freezing, restricting, take ownership, and change the TOS, whereas the the user could only (presumably) arbitrate. Linden Labs had (has?) the same power:
The TOS proclaim that “Linden has the right at any time for any reason or no reason to suspend or terminate your Account, terminate this Agreement, and/or refuse any and all current or future use of the Service without notice or liability to you.” Whether or not a customer has breached the Agreement is “determined in Linden’s sole discretion.” Linden also reserves the right to return no money at all based on mere “suspicions of fraud” or other violations of law. Finally, the TOS state that “Linden may amend this Agreement . . . at any time in its sole discretion by posting the amended Agreement [on its website].”
Ouch! Which brings us to tricky issue of costs. For some reason, Linden Labs chose the ICC for Arbitration, with three Arbitrators. The Court estimated costs at $17,250 for an action of recovery of $75,000. However, the ICC rules say that costs must be shared by the parties, and that is apparently sufficient to make Arbitration unenforceable in California law. The trick here appears to be that the existence of a fee, imposed in excess of a similar court process, creates a supports the finding of unconscionability:
California law has often been applied to declare arbitration fee-sharing schemes unenforceable. Such schemes are unconscionable where they “impose on some consumers costs greater than those a complainant would bear if he or she would file the same complaint in court.” ... Here, even taking Defendants characterization of the fees to be accurate, the total estimate of costs and fees would be $7,500, which would result in Bragg having to advance $3,750 at the outset of arbitration. See Dfts.’ Reply at 11. The court’s own estimates place the amount that Bragg would likely have to advance at $8,625, but they could reach as high as $13,687.50. Any of these figures are significantly greater than the costs that Bragg bears by filing his action in a state or federal court. Accordingly, the arbitration costs and fee-splitting scheme together also support a finding of unconscionability.
As well as that, the Court found that all these factors helped to suggest that Arbitration was an attempt to shield liability rather than resolve disputes:
OK, so the court really went to town in striking down the Arbitration clause. When I read their agreement a couple of weeks ago, I came to the same conclusion, without the Court's care, and the tip-off was the choice of the ICC (a big, expensive French body?!) and three, that's THREE arbitrators. The ICC has to be expensive just from the name, and by Linden Labs choosing 3 times the price, it doesn't take a PhD in maths to realise this was a barrier not an aid.
It may be that Linden Labs have learnt their lesson, as the TOS has just been changed, which is what sparked this blog post. Benjamin of VB writes:
the new terms also create a special class of claims under $10,000 that are to be handled via non-appearance arbitration. This change is very good for users, as the new clause replaces one that required a full-blown arbitration proceeding before a three-person panel, which could easily cost more than $10,000 itself (that is essentially why the clause was declared unconscionable in the Bragg case). Non-appearance arbitration can actually be quite inexpensive, and, notably, it could even be conducted in Second Life. The arbitrator must be an established ADR provider, must have published guidelines for dispute resolution, and must be a “retired judge or attorney with legal expertise in the subject matter of the dispute.”
Two caveats: it seems to stop around the $10k mark, and I haven't looked at the new terms.
Now, to get back to CAcert and their new arbitration system. We can run the Court's ruler over CAcert's new user agreement (albeit, still in DRAFT). It's maybe a little premature as experience is new, and only one case has been heard. But let's see what we can find:
Now, with a nod to the other elements of the Court's ruling, and to the Appeals Court which needs to affirm the ruling, it should be borne in mind that this is a back-of-the-napkin calculation. Still, it's instructive. I'd say cautiously that CAcert made none of the mistakes that the Court found. Indeed, CAcert bent over backwards and tied itself in knots in order to present itself as approximately equal to the registered users.
(As I say, I had something to do with the process. Indeed, I have been hammering the desk for this policy, or any other, to be approved for more than a year now. The more excellent result of last week's conference, which I attended, is that CAcert is now firmly back on the rails.)
Over on Second Life, they (LL) are trying to solve a problem by providing an outsourced service on identity verification with a company called Integrity. This post puts it in context (warning, it's quite long, longer even than an FC post!):
So now we understand better what this is all about. In effect, Integrity does not really provide “just a verification service”. Their core business is actually far more interesting: they buy LL’s liability in case LL gets a lawsuit for letting minors to see “inappropriate content”. Even more interesting is that LL does not need to worry about what “inappropriate content” means: this is a cultural question, not a philosophic one, but LL does not need to care. Whatever lawsuits will come LL’s way, they will simply get Integrity to pay for them.
Put into other words: Integrity is an insurance company. In this day and age where parents basically don’t care what their children are doing, and blame the State for not taking care of a “children-friendly environment” by filing lawsuits against “the big bad companies who display terrible content”, a new business opportunity has arisen: selling insurance against the (albeit remote) possibility that you get a lawsuit for displaying “inappropriate content”.
(Shorter version maybe here.)
Over on Perilocity, which is a blog about the insurance world, John S. Quarterman points at the arisal of insurance to cover identity theft from a company called LifeLock.
I have to give them credit for honesty, though: LifeLock admits right out that the main four preventive things they do you could do for yourself. Beyond that, the main substance they seem to offer is essentially an insurance package:
"If your Identity is stolen while you are our client, we’re going to do whatever it takes to recover your good name. If you need lawyers, we’re going to hire the best we can find. If you need investigators, accountants, case managers, whatever, they’re yours. If you lose money as a result of the theft, we’re going to give it back to you."
For $110/year or $10/month, is such an insurance policy overpriced, underpriced, or what?
It's possible easier for the second provider to be transparent and open. After all they are selling insurance for stuff that is a validated disaster. The first provider is trying to cover a problem which is not yet a disaster, so there is a sort of nervousness about baring all.
How viable is this model? The first thing would be to ask: can't we fix the underlying problem? For identity theft, apparently not, Americans want their identity system because it gives them their credit system, and there aren't too many Americans out there that would give up the right to drive their latest SUV out of the forecourt.
On the other hand, a potential liability issue within a game would seem to be something that could be solved. After all, the game operator has all the control, and all the players are within their reach. Tonight's pop-quiz: Any suggestions on how to solve the potential for large/class-action suits circling around dodgy characters and identity?
(Manual trackbacks: Perilocity suggests we need identity insurance in the form of governments taking the problem more seriously and dealing with identity thefts more proactively when they occur.)
This blog frequently presses the case for the dysfunctional family known as security, and even presents evidence. So much so, that we've gone beyond the evidence and the conclusion, and we are more interested in the why?
Today we have insights from the crypto layer. Neal Koblitz provides his thoughts in an article named "The Uneasy Relationship Between Mathematics and Cryptography" published in something called the Notices of the AMS. As perhaps everyone knows, it's mostly about money, and Koblitz identifies several threads:
We've certainly seen the first three, and Koblitz disposes of them well. Definately well recommended reading.
But the last thread takes me by surprise. I would have said that cryptographers have done precisely the reverse, by meddling in areas outside their competence. To leap to computer science's defence, then, permit me to turn Koblitz's evidence:
Here the word “protocol” means a specific sequence of steps that people carry out in a particular application of cryptography. From the early years of public key cryptography it has been traditional to call two users A and B of the system by the names “Alice” and “Bob.” So a description of a protocol might go as follows: “Alice sends Bob..., then Bob responds with..., then Alice responds with...,” and so on.
I don't think so! If you think that is a protocol, you are not a computer scientist. Indeed, if you look at the designs for protocols by cryptographers, that's what you get: provable security and a "protocol" that looks like Alice talking to Bob.
Computer science protocols are not about Alice and Bob, they are about errors. Errors happen to include a bunch of things, including Alice and Bob. Also, Mallory and Eve, but also many many other things. As the number of things that can go wrong far exceed the numbers of cryptographic friends on the planet, we would generally suggest that computer scientists should write protocols, so as to avoid the Alice-Bob effect.
Just to square that circle with yesterday's post, it is OK to talk about Alice-Bob protocols, in order to convey a cryptographic idea. But it should be computer scientists who put it into practice, and as early as possible. Some like to point out that cryptography is complex, and therefore you should employ cryptographers for this part. I disagree, and quote Adi Shamir's 3rd misconception. Eventually your crypto will be handled by developers, and you had better give them the simplest possible constructions they can deal with.
Back to Koblitz's drive-by shooting on computer science:
Cryptography has been heavily influenced by the disciplinary culture of computer science, which is quite different from that of mathematics. Some of the explanation for the divergence between the two fields might be a matter of time scale. Mathematicians, who are part of a rich tradition going back thousands of years, perceive the passing of time as an elephant does. In the grand scheme of things it is of little consequence whether their big paper appears this year or next. Computer science and cryptography, on the other hand, are influenced by the corporate world of high technology, with its frenetic rush to be the first to bring some new gadget to market. Cryptographers, thus, see time passing as a hummingbird does. Top researchers expect that practically every conference should include one or more quickie papers by them or their students.
Ouch! OK, that's fair point. However the underlying force here is the market, and computer science itself is not to blame, rather, the product of its work happens to locate a lot closer to the market than, say, mathematics. Koblitz goes on to say:
There’s also a difficulty that comes from the disciplinary culture of cryptography that I commented on before. People usually write papers under deadline pressure — more the way a journalist writes than the way a mathematician does. And they rarely read other authors’ papers carefully. As a result even the best researchers sometimes publish papers with serious errors that go undetected for years.
That certainly resonates. When you spot an error, and it appears embedded in an academic paper, it stays for years. Consider a random paper on my desktop today, one by Anderson and Moore, "On Information Security -- and beyond." (Announced here.) It is exceedingly well-written, and quite a useful summary of economics thought today in academic security fields. Its pedigree is the best, and it seems unassailable.
Let us then assail. It includes an error: the "lemons" myth, which has been around for years now. Indeed, someone has pointed out the flaw, but we don't know who:
In some cases, security is even worse than a lemons market: even the vendor does not know how secure its software is. So buyers have no reason to pay more for protection, and vendors are disinclined to invest in it.
In detail, "lemons" only applies when the seller knows more than the buyer, this being one of the two asymmetries referred to in asymmetrical information theory. Other things apply in the other squares of the information matrix, and as with all such matrices, we have to be careful not to play hopscotch. The onus would be on Anderson and Moore, and other fans of citric security, to show whether the vendors even know enough to qualify for lemon sales!
Which all supports Koblitz's claims at least partially. The question then is why is it that the academic world of cryptography is so divorced? Again, Anderson and Moore hint at the answer:
Economic thinkers used to be keenly aware of the interaction between economics and security; wealthy nations could afford large armies and navies. But nowadays a web search on ‘economics’ and ‘security’ turns up relatively few articles.
Ironically, their very care and attention is reflected in the list of cited references at the end of the paper: one hundred and eight references !!! Koblitz would ask if they had read all those papers. Assuming yes, they must have covered the field, right?
I scanned through quickly and found three references that were not from reputable conferences, university academics and the like. (These 3 lonely references were from popular newspapers.)
What does a references section that only references the academic world mean? Are Anderson and Moore ignoring everything outside their own academic world?
I hasten to add, this is not a particular criticism against those authors. Many if not all academic authors, and conferences, and peer-review committee chairs would plead guilty of the same crime, proudly, even. By way of example, I have on my desk a huge volume called Phishing and Countermeasures, edited by Jakobsson and Myers. The list of contributors reads like a who's who of Universities, with the occasional slippage to Microsoft, RSA Laboratories, etc.
Indeed, Koblitz himself might be bemused by this attack. Why is the science-wide devotion to academic rigour a criticism?
Because it's security, that's why. Security against real threats is the point where scientific integrity, method and rigour unravels.
Consider a current threat, phishing. The academic world turned up to phishing relatively late, later than practically everyone else. Since arriving, they've waltzed around as if they'll solve it soon, just give them time to get up to speed, and proceeded to mark out the territory. The academics have presented stuff that is sometimes interesting but rarely valuable. They've pretty much ignored all the work that was done before hand, and they've consequently missed the big picture.
Why is this? One reason is above: academic work is only serious if it quotes other academic work. The papers above are reputable because they quote, only and fulsomely, other reputable work. And the work is only rewarded to the extent that it is quoted ... again by academic work. The academics are caught in a trap: work outside academia and be rejected or perhaps worse, ignored. Or, work with academic references, and work with an irrelevant rewarding base.
And be ignored, at least by those who are monetarily connected to the field. By way of thought experiment, consider how many peer-review committees on security conferences include the experts in the field? If you scan the lists, you don't find names like "Ivan Trotsky, millionaire phisher" or perhaps "John Smith, a.k.a. Bob Jones and 32 other aliases, wanted for tera-spamming in 6 states." Would we find "Mao Tze Ling, architect for last year's Whitehouse network shakedown?"
OK, so we can't talk to the actual crooks, but it's just a matter of duplicating their knowledge, right? In theory, it's just a matter of time before the academics turn the big guns onto the threat, and duplicate the work done outside academia. They can catch up, right?
Unfortunately not. Consider anoother of Koblitz's complaints, above where cryptography is
"influenced by the corporate world of high technology, with its frenetic rush to be the first to bring some new gadget to market."
Actually, there are two forces at work here, being the market and the attacker . In short, a real attack in this field migrates in terms of a month. Even with an accelerated paper cycle of 3 months to get the work peer-reviewed and into the next party for student quickies, to use Koblitz's amusing imagery, attacks migrate faster.
The academic world of security is simply too far away from their subject. Do they know it? No, it seems not. By way of example, those in the academic world of security and economics claim that the field started only recently, in the last few years. Nonsense! It has always been there, and received massive boosts with the work of David Chaum, the cypherpunks, Digicash, the Amsterdam hackers and many others.
What was not done was to convert this work into academic papers. The literature is there, but not in conference proceedings.
What was done was to turn the academic thought process into hugely beneficial contributions to security and society. All of the work mentioned above has led directly, traceably, to the inventions we now know as PayPal, ebay, WebMoney, gold community, and slowly moving through to the mass of society in the form of NFC, mobile and so forth. (The finance and telco sectors move slowly to accomodate these innovations, but do they move more slowly than the academic sector?)
The problem is that since the arisal of the net, the literature for fast-paced work has moved out of the academic sphere into other means of distribution: shorter essays, private circulations over email, business plans, open source experiments, focussed maillists and ... of course, blogs. If you are limiting yourself to conference proceedings on security, you are dead in the water, to take a phrase from naval security of a bygone age.
So much so that when you add up all these factors, the conclusion suggested is that the academic world will possibly never be able to deal with security as a science. Not if they stick to their rules, that is. Is it possible we now live in a world where today's academia cannot practically and economically contribute to an entire sector of science? That's the claim, let's see how it pans out.
Some criticisms also apply to Koblitz. Maybe mathematics is so conveniently peaceful as to support an academic tradition, but why is it that on the first page, he waxed longingly and generously on the invention of public key cryptography, but without mentioning the authors of the paper? He might say that Diffie and Hellman did not include any mathematics in their paper, but I would say "tosh!"
Some are skeptical that open governance can change things. I say, they just haven't seen it in action, and haven't really dug deep into the popular but less efficacious regulated alternative.
Two examples: Over on Second Life, a pretty obvious ponzi scheme called Ginko crashed and burned. It didn't do very quickly, but it did so with *plenty* of warning, so the lesson is there. Open governor Benjamin Duranske wrote:
Two weeks ago, when I started paying close attention to Ginko (full coverage here), a Second Life blogger (who I won’t name) emailed me this:Ultimately, all do-gooders like yourself have to ask yourself what can be done *when Linden Lab itself will do nothing.*
That sounded like a challenge, and one that was worth taking up. And the answer to that question, it turns out, is “quite a bit.” Ginko is no more.
But what really opened depositors’ eyes? What caused the internal gears at Ginko to start turning a different direction? Talking to people. One to one. Day after day. We weren’t a few writers, we were hundreds of people ranging from newbies to three and four year residents, from bilingual users translating questions into their own language for fellow depositors with little English, to economics professors at major universities talking about issues that were over my head. We covered every segment of the Second Life populace. Some knew what was happening early, some figured it out later on, but all of us asked hard questions at the ATMs, pushed the hard issues to the front of the public’s attention, and didn’t accept lies — even well intentioned ones — as truths.
Over in BAWAG-struck Austria, Helga Seeliger sits in court and reads the law of open governance over the biggest scandal in Austrian finance. (No URL, the translation is mangled directly from a newspaper snippet from Der Standard):
On one seat, by the side of journalists, is a 67 year old Viennese woman who has not missed one day of proceedings, and that's the way it shall be until the verdict is delivered. Her name is Helga Seeliger.
She was the first pensioner in March to demand that the OeGB (Federation of Austrian Unions) continue to pay the enterprise pension that had been cancelled. For 25 years Seeliger was a union representative. For more than 10 years, she was a manager at the Union. Since April 2005, she was a pensioner. She started studying law in the 2000, and finished in 2005. Her favourite: business law.
She writes down all the questions, and all the answers. She writes it in shorthand. If asked, she explains her interest in BAWAG as being a stakeholder. "These testimonies, about how easily the union money was offered, are important for our process."
After the BAWAG crisis, the unions cancelled all the additional pensions for ex-workers, and offered them a single final payment that, depending on their age, was between 2.2 and 8.8 annual salaries. Those who didn't accept, didn't get anything.
The unions paid with this solution 60m euros. For Seeliger and her co-workers, this was too little. "You should not call it the BAWAG scandal, you should call it a union scandal."
When, on Monday, Judge Claudia Bandion-Ortnera will call the "Elsner and others" case, Seeliger will be sitting in the front row and will take her notebook out of her black briefcase and continue her work.
What does this achieve? It locks the court's options down, it preserves the justice. If a convenient settlement offers to emerge, it will only survive, knowing that someone who really cares will see all, record all, and tell all.
Open governance is that: In today's networked world, we can use many small observers to watch, write and share the information. All we need is the latin phrase to capture that, and we're set to conquer the world of governance.
In the PKI ("public key infrastructure") world, there is a written practice that the user, sometimes known as the relying party, should read the CPS ("certificate practice statement") and other documents before being qualified to rely on a certificate. This would qualify as industry practice and is sensible, at least on the face of it, in that the CA ("certificate authority") can not divine what you are going to use the cert for. Ergo, the logic goes, as relying party, you have to do some of the work yourself.
However, in the "PKI-lite" that is in place in x.509 browser and email world, this model has been simplified. Obviously, all of us who've come into contact with user software and the average user know that the notion of a user reading a CPS is so ludicrous that it's hardly worth discussing. Of course, we need another answer.
There are many suggestions, but the one that is in effect is that the browser, or more precisely, the software vendor, is the one who reads the CPS, on behalf of the users. One way to look at this is that this makes the browser the relying party by proxy, as, in making its assessment, it reads the CPS, measures it against own needs, and relies on audits and other issues. (By way of disclosure, I audit a CA.)
Unfortunately, it cannot be the relying party because it simply isn't a party to any transaction. The user remains the relying party, but isn't encouraged to do any of the relying and reading stuff that was mentioned above. That is, the user is encouraged to rely on the certificate, the vendor, the CA and the counter-party, all on an article of blind faith in these people and processes she has never heard of.
This dilemma is better structured as multi-tiered authorities: The CA is the authority on the certificates and their "owners." The software vendor is the authority on the CAs, by means of their CPSs, audits, etc.
Such a re-drawing of the map has fairly dramatic consequences for the PKI. The widespread perception is that the CA is highly liable -- because that's the "trust" product that they sell -- and the browser is not. In principle, and in contract law, it might be the other way around, as the browser has an agreement with the user, and the CA has not. Where the perception might find comfort is in the doctrine of duty of care but that will generally limit the CA's liability to gross negligence. Either way, the last word on this complicated arrangement might need real lawyers and eventually real courts.
It has always been somewhat controversial to suggest that the browser is in control, and therefore may need to consider risks, liabilities and obligations. But now, Paul Hoffman has published a rather serious piece of evidence that Microsoft, for its part, has taken on the R/L/O more seriously than thought:
If a user running Windows XP SP2 in its default configuration removes a root certificate that is one that Microsoft trusts, Windows will re-install that root certificate and again start to trust certificates that come from that root without alerting the user. This re-installation and renewed trust happens as soon as the user visits a SSL-based web site using Internet Explorer or any other web browser that uses the Cryptographic Application Programming Interface (CAPI) built-in to Windows; it will also happen when the user receives secure email using Outlook, Microsoft Mail, or another mail program that uses CAPI, as long as that mail is signed by a certificate that is based on that root certificate.
In effect, the user is not permitted by the software to make choices of reliance. To complete the picture, Paul was careful to mention the variations (Thunderbird and Firefox are not effected, there is an SP2 feature to disable all updates of roots, Vista has the same problem but no override...).
This supports the claim, as I suggested above, that the effective state of play -- best practices if you'll pardon the unfortunate term -- is that the software vendor is the uber-CA.
If we accept this conclusion, then we could conceivably get on and improve security within these limitations, that the user does little or nothing, and the software manufacturer decides everything they possibly can. OK, what's wrong with that? From an architectural position, nothing, especially if it is built-in up-front. Indeed this is one of the core design decisions of the best-of-security-breed applications (x9.59, Skype, SSH, Ricardo, etc. Feel free to suggest any others to the list, it's short and it's lonely.)
The problem lies in that software control is not stated up-front, and it is indeed denied by large swathes of securityland. I'd not be surprised if Microsoft themselves denied it (and maybe their lawyers would be right, given the rather traumatic link between phishing and mitm-proof-certificates...). The PKI state-of-denial leaves us in a little bit of a mess:
To extract from this mess probably takes some brave steps. I think I applaud Microsoft's practice, in that at least this makes that little part clearer.
They are in control, they are (I suggest) a party with risks, liabilities and obligations, so they should get on and make the product as secure as possible, as their primary goal. This includes throwing out bits of PKI best practices that we know to be worst practices.
They are not the only ones. Mozilla Foundation in recent years has completed a ground-breaking project to define their own CA processes, and this evidences great care and attention, especially in the ascension of the CA to their root list. What does this show other than they are a party of much power, exercising their duty of care?
Like Microsoft, they (only) care about their users, so they should (only) consider their users, in their security choices.
Will the CAs follow suit and create a simpler, more aligned product? Possibly not, unless pushed. As a personal remark, the criteria I use in auditing are indeed pushing dramatically in the direction of better care of risks, liabilities and obligations. The work to go there is not easy nor trivial, so it is no wonder that no CA wants to go there (and that may be an answer to those asking why it is taking so long).
Even if every CA stood forth and laid out a clear risks, liabilities and obligations statement before their relying parties, more would still need to be done. Until the uber-CAs also get on board publically with the liability shift and clearly work with the ramifications of it, we're still likely locked in the old PKI-lite paper regime or shell game that nobody ever used nor believed in.
For this reason, Microsoft is to be encouraged to make decisions that help the user. We may not like this decision, or every decision, but they are the party that should make them. Old models be damned, as the users surely are in today's insecurity, thanks in part to those very same models.
As mentioned, I advised e-gold on governance models way back when, and now we can see how the company deals with its relationship to the US government. Someone has posted a video over on YouTube of some 2006 testimony before Senate hearings on child pornography, wherein governance models are much discussed.
The video looks like hatchet job versus hatchet job, as governance of Internet child pornography collides with governance over payment integrity.
There is a wide-spread belief that the case against e-gold is likely to be fought on a battle ground of public opinion and regulated insiders, rather than that of law and public policy. Same as it ever was, perhaps, but a wider question for future FCers is what to do about it?
The governance models that were provided to e-gold were relatively sound, albeit incompletely implemented. No matter the incompleteness, the models were strong enough to preserve the gold for many years, at least to the extent that the recent seizure by the courts was able to complete. That's by way of a proof that some gold existed, although the victims of the seizure will have other choice words.
But those governance models are designed in general to deal with routine fraud of an inside nature. They are not designed to deal with the sort of difficulties facing e-gold. How then to do better in the future?
I see three lessons here for FCers at the governance layer.
1. A lot depends on the contract Ivan has with his users. We might say that an issuer should have a clear contract with its users. And, in that contract we might expect to find certain relationships with governments, law enforcement, regulators and other interested parties.
The question then would be to see whether these relationships were sustainable, stable and reasonable. In the case of e-gold, they were somewhat unbalanced at least due to its nominal offshore status, so e-gold ended up serving two or three jurisdictions instead of one. Complication, not simplification, without any offsetting protection.
2. Normal business process is to arbitrage existing structures and regulatory postures, but this is not to say that sustainable business includes simply facilitating crime. There is some grave doubt as to whether child pornography was more severe within the e-gold system than in classical banking, but there is much less doubt about ponzi schemes and pyramids. e-gold seems to have permitted these to a far greater extent than desirable, and that was unlikely to make friends in the long run.
Then, the need might be interpreted as to create a business process that delivers an overwhelming good without delivering an overwhelming bad. Truly a matter of judgement, but an easy call might be to keep clear of the more popular crimes.
3. Finally, a reasonable and sustainable dispute system is required. Neither Paypal nor e-gold achieved this, and indeed the banks are widely criticised for it (or its absence). The only payment system that seems to have achieved this is WebMoney, although the story takes on fairy tale proportions due to the lack of english documentation.
Either way, the e-gold dispute resolution system is coming in for a hammering, so this aspect should be noted well by FC community. As a matter of record, alternative dispute resolution (ADR) was well studied by the e-gold founders, who gave speeches at conferences on subjects such as arbitration, but study did not apparently transfer to implementation.
As discussed earlier, the US government, in cases against e-gold and presumably yet-to-be-charged account holders, has apparently completed seizure of some part of the gold:
In an unprecedented move on or just before Wednesday May 9th, 2007, the United States of America has forced Omnipay et al E-gold to redeem all the gold backing the 58 previously frozen accounts owned by e-gold, 1mdc, icegold and a handful of other exchangers and customers to be liquidated effective immediately to a us dollar account owned by the federal government. ...
MoneyNetNews has learned from a reliable source that e-gold has been ordered to hand over a fresh copy of the customer database when the redemption is completed.
Bear in mind this is unconfirmed at this stage. HT-RAH! I'll update this article if anything more comes to hand.
It's been a bad week for security leaders. Bruce Schneier has been lambasted for asking whether we need a security industry at all, Ross Anderson published an article "commissioned by the Federal Reserve" that was riddled with errors, and now the chief security researcher of one of the leading security firms, Mikko Hyponnen, proposes a lame duck idea.
I feel very conflicted. On the one hand, I applaud these people for airing some opinions -- we need open discussion and new ideas. On the other hand, there is a serious difference between conjecturing in a scientific sense, in order to spark some serious debate, and selling snake oil.
The latter is often the result of moral hazard. As Ross Anderson complains about banks, when we sell a false statement such as "our systems are secure, so it must be your fault," then our own standards slip due to our own beliefs, and eventually we get the reverse of what we are selling.
Fair enough, but this moral hazard also applies to the writer of security ideas. I feel very strongly about this, as ordinary users are paying for this! When someone gets phished, they lose a lot. Of time, reputation, credit, etc etc. Sometimes money, and at least someone loses the money in a successful phish.
Maybe Schneier is really saying "With leadership like this, you'd be better off without a security industry?"
When a company starts selling "security" ... or merely writing about it ... then maybe we need to consider the liability for this. Class action suits are already in play, and I think it is only a matter of time before software vendors also find themselves responsible for their fraudulent sales by one means or another.
Maybe it is time to call a spade a spade. Forget snake oil. Call it fraud!
The very definition of fraud is discussed by Joseph T. Wells, perhaps America's most voluble presenter on the subject:
Under common law, three elements are required to prove fraud: a material false statement made with an intent to deceive (scienter), a victim’s reliance on the statement and damages.
I'd suggest that you read the entire article.... Several times! Meanwhile, let's cast the definition of fraud over one of the ideas facing us today, the suggestion of a .bank TLD.
Do we have a material false statement?
The Internet Corporation for Assigned Names and Numbers, the body that creates new top-level domains, should create a new, secure domain just for this reason—something like “.bank,” for example.
What is false about that? Specifically, a .bank TLD does not give any vestige of security at all, as discussed earlier. That's one tick in the box.
Showing "intent" is harder it seems, so let's refer to JTW again:
There is no such thing as an accidental fraud. What separates error from fraud is intent, the accidental from the intentional. Assume [the] statements contain material false statements: Were they caused by error or fraud? The problem with proving intent is that it requires determining a person’s state of mind. As a result, intent usually is proven circumstantially. Some of the ways we can help prove intent by circumstantial evidence include
- motive, ...
- opportunity, ...
- repetitive acts, ...
- witness statements, ...
- concealment. ...
Only the last is clearly not present, as publication of the idea in foreign policy is pretty much out in the open :) Motive is clearly present:
Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn’t be just a few dollars: It could be something like $50,000—making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time.
That's an invitation for someone to make some easy money if ever I saw it. That looks like the sort of rewards only seen in crime.
Opportunity is generally open but hard, in that anyone can submit a proposal to ICANN and create a TLD, in theory. Repetitive acts ... would depend on who is doing this, and as this is simply an idea being floated, we can't pinpoint anyone. Witness statements are also dependent on the idea turning into practice.
I would then call "intent" a cautious positive. If this idea was turned into reality, we can suggest motive and opportunity.
Next, JT Wells says "a victim's reliance on the statement." Well, that seems a slam dunk, if you've ever worked with banks. As a quick generalisation, they are only capable of doing security thinking in the most extreme of contexts, and they frequently rely on outside companies with a reputation in security sales to advise them.
Finally, damages will follow in due course, in any actual phishing attacks. It isn't necessary for us to predict these, simply to say that if they occurred , the rest of the discussion will complete the claim.
This isn't a court of law, and even if it were, we are unlikely to find an idea fraudulent. However, it seems plausible that we can apply the same test that the lawyers do. In that sense, it seems that the idea of a .bank TLD, if it were taken forward as a security proposal, would run the risk of being ruled as fraud.
Someone pointed out that the indictment unsealed last week against e-gold, etc includes this clause:
78. As a result of the offenses alleged in Counts One and Three of this indictment, the defendants E-GOLD, LTD., GOLD & SILVER RESERVE, INC., DOUGLAS JACKSON, REID JACKSON, and BARRY DOWNEY shall forfeit to the United States any property, real or personal, involved in, or traceable to such property involved in money laundering, in violation of Title 18, United States Code, Section 1956, and in operation of an unlicensed money transmitting business, in violation of Title 18, United States Code, Section 1960; including, but not limited to the following:
(a) The sum of money equal to the total amount of property involved in, or traceable to property involved in those violations. Fed.R.Crim.P. 32.2(b)(1).
(b) All the assets, including without limitation, equipment, inventory, accounts receivable and bank accounts, of E-GOLD, LTD., and GOLD & SILVER RESERVE, INC., whether titled in those names or not, including, but not limited to all precious metals, including gold, silver, platinum, and palladium, that "back" the e-metal electronic currency of the E-GOLD operation, wherever located.
If more than one defendant is convicted of an offense, the defendants so convicted are jointly and severally liable for the amount derived from such offense. By virtue of the commission of the felony charged in Counts One and Three of this indictment, and and all interest that the defendant has in the property involved in, or traceable to property involved in money laundering is vested in the United States and hereby forfeited to the United States pursuant to Title 18, United States Code, Section 982(a)(1).
(My emphasis. I included the whole clause, intending to allow each to form their own opinions. Of course, you and I should read the whole thing...)
A little background. In the gold community, it is dictum that the US is no respecter of property rights. Twice in the 20th century, the financial rebels will point out, the US seized the gold of its private citizens, generally as a result of its own bad management of the currency, and trying to stop people from fleeing the over-inflated dollar.
In this case, the US government is seeking to seize all of the gold held within the system as reserves to the currency, without due regard to the operation of property rights for the rest of the user base. It would seem an over-broad reaching by the government, but sadly, expected and unsurprising to the digital currency community.
Whatever one thinks of e-gold, its operators and their actions, this is likely to reinforce the reputation of complete and utter disrespect that the US has for property rights around the world.
Unfortunately, this is no isolated case, but is in fact a concerted and long-lived programme by the US government to undermine property rights the world around. The US-invented Anti Money Laundering (AML) regime stretches back 20 years or more to Ronald Reagan's war on drugs, and is now sufficiently strong to destroy the effect of property laws, which latter are nothing if not strong.
AML takes implementing countries backwards in time and history. Although England and its former colonies inherited strong property rights from the days of the Magna Carta, it is as well to realise that the English experiment may have been more an exception than the rule. Consider Russia as counterpoint:
Since only the Tsar or the Party had property, no individual Russian could be sure of long-term usage of anything upon which to create wealth. And it is the poor to whom the property right matters most of all because property is the poor man's ticket into the game of wealth creation. The rich, after all, have their money and their friends to protect their holdings, while the poor must rely upon the law alone.
"The Rape of Russia" was not ancient history according to Williamson's 1999 testimony before the US House of Representatives, but living times: during the decade of the 1990s, the same group conspired with Russians to launder much of the residual value of the Russian people.
One would hope that the court is a little wise to the fact that if e-gold Ltd's system was used for crimes, then there was also use for good purposes; that is, it was the operators and some users that were responsible. Normally we would expect the system to be placed under administration, and then a wholesale cleanout of any "bad" accounts to occur, under court supervision.
If not, the author above warned the US Congress what will happen to those who dismantle what property rights there are:
In the absence of property, it was access - the opportunity to seek opportunity - and favor in which the Russians began to traffic. The connections one achieved, in turn, became the most essential tools a human being could grasp, employ and, over time, in which he might trade. Where relationships, not laws, are used to define society's boundaries, tribute must be paid. Bribery, extortion and subterfuge have been the inevitable result. What marks the Russian condition in particular is the scale of these activities, which is colossal. Russia, then, is a negotiated culture, the opposite of the openly competitive culture productive markets require.
It is fairly clear that the e-gold operation was presented to the world and operated as a property rights operation. Although not without shenanigans, the very basis of the digital gold community has been a joyful expression of the right of property, and what good it can do when it is left to run free.
Unfortunately, the US government may have learnt too much from the Russian experience. The substantial crime in the indictment is "property rights without a licence" and the fine for that is "seizing all the property." Welcome to the world of tribute; bribery, extortion and subterfuge to follow.
I wrote a week or so back about the failure of liability sharing and the consequent failure in market information. In that case, it circulated around the expectation that the banks have to back up the consumer every time something goes wrong. Is the TJX case enough to trigger the long awaited pass-on of liability to the other parties who share some responsibility?
Following lawsuits in February against some of the nation's largest retailers for illegally revealing too much credit card information on printed receipts, two of those retailers are now suing their POS vendors.
In the initial lawsuits filed early this year, some 50 of the nation's top retailers... were accused of printing full credit numbers and expiration dates on printed customer receipts, violating a provision of the Fair and Accurate Credit Transactions Act (FACTA) ...
In the last couple of weeks, two of those retail defendants—Charlotte Russe and Shoe Pavillion—have sued their POS vendors, saying that the retailer relied on them and if the retailer is liable, then the POS vendor should pay for it.
Is this a good thing? I think, yes. The alternates are not good: the vendor has no liability for actions, a law is passed that suits nobody, and things get worse.
Nick commented "Let the suing begin!" Better to suck up some court time and create an environment where -- no matter how small -- a vendor of security stuff has to work *with the customer's and the end-customer's risk model* and also take on some of the liability when it goes wrong.
Ordinarily I wouldn't follow the course of a case in such detail, contenting to only pick out the big picture and the important messages for Financial Cryptography readers. However, because of the 'special circumstances' in the e-gold case, I'll post the full response by Dr Jackson on the indictment from last week.
e-gold® Founder Denies Criminal Charges
April 30, 2007
On April 24, 2007, a Federal Grand Jury handed down an indictment charging e-gold Ltd., Gold & Silver Reserve, Inc., and the Directors of both companies with money laundering, operating an unlicensed money transmitter business, and conspiracies to commit both offenses.
Dr. Douglas Jackson, Chairman and Founder of e-gold, speaking on behalf of his fellow Directors and both companies vigorously denies the charges, taking particular exception to the allegations that either company ever turned a blind eye to payments for child pornography or for the sale of stolen identity and credit card information.
Dr. Jackson states, "With regard to child pornography, the government knows full well that their allegations are false, yet they highlight these irresponsible and purposely damaging statements in order to demonize e-gold in the eyes of the public. During the Inquisition, accusations of witchcraft and heresy were used to sanctify torture and seizures of property. In post 9-11 America, child porn and terrorism serve as the denunciations of choice. e-gold, however, as a matter of incontrovertible fact, is the most effective of all online payment systems in detecting and interdicting abuse of its system for child pornography related payments. e-gold Ltd. is a founding member of the National Center for Missing and Exploited Children's (NCMEC) Financial Coalition to Eliminate Child Pornography. e-gold is the only member institution to demonstrate with hard, auditable data a dramatic reduction of such payments to virtually zero, while billions of child porn dollars continue to flow through other (heavily regulated) payment systems. [Most members, that is, all the banks and credit card associations are utterly unable to even provide an estimate of the volume of such payments processed by their systems. eBay's PayPal subsidiary, who may have the ability to make such a determination, has refused to do so and has indicated they destroy payment records after two years.] What is worse, until August 2005 when NCMEC courageously broke ranks with US law enforcement agencies and began directly notifying e-gold of criminal sites via the CyberTipline, component agencies of the US Department of Justice purposely concealed their knowledge of child pornography abuses from e-gold's investigators, subordinating actual crime fighting to a policy agenda designed to dirty up e-gold."
In December 2005, the Secret Service (USSS) deceived a Federal
Magistrate judge with bogus testimony in order to obtain search and
seizure warrants authorizing the government to seize the US bank
accounts of Gold & Silver Reserve, Inc. The seizure, which netted the
government about $ 0.8 million, was designed to put e-gold out of
business without due process, since G&SR serves as the contractual
Operator of the e-gold system. At a subsequent emergency hearing, the
government made no effort to defend their (sealed) allegations of
lurid criminality, falling back to a position that their action was
warranted because of a licensure issue. At the hearing, G&SR described
its ongoing dialog with the Department of Treasury, initiated by
formal request of the company in Spring 2005, to determine a possible
basis for regulating the company's activities, since it was patently
clear to competent authorities that G&SR's exchange service was not
encompassed within any existing regulatory rubric [subsequently
re-confirmed by experts at the Federal Reserve]. The US Attorney for
the District of Columbia, responsible for the prosecution, was
completely unaware of this orderly proceeding, as well as Treasury
reports issued the same week that acknowledged e-gold as an innovation
not meeting definitions of a money services business or a money
Since this time, the government has been confronted with overwhelming
evidence that the USSS had made a horrible mistake in its attack on
the e-gold system and its repeated defamatory claims in the media that
e-gold is anonymous, untraceable, and inaccessible to US law
enforcement. They have concealed the fact that Dr. Jackson had
personally arranged to come to USSS headquarters to train the USSS
cybercrime squad in December 2004 (along with agents of the UK's
National High Tech Crime Unit, and the Australian Federal Police) on
advanced techniques, particularly in the area of efficient interaction
with e-gold's in-house investigative staff, but was prevented when
senior USSS management learned of the initiative and forbade the
training on the grounds of a policy declaring e-gold as their
designated boogey man.
The Department of Justice has had to determine whether to continue to
stand behind their component agency. Their decision to close ranks has
directly resulted in a gross misallocation of resources, with the
result that vicious criminals who might have been brought to justice
remain at large. An example of this is the Shadowcrew investigation,
hyped by the USSS as a major success in disrupting international
credit card thieves. The USSS did not subpoena records from e-gold at
any time in their investigation, or engage with e-gold's superb
in-house investigative staff, with the result that the sophisticated
hierarchy of the ring was unmolested and probably strengthened while
the USSS hauled in the low hanging fruit, "a dime a dozen and
relatively easy to track down and pop".
Similarly, there is compelling evidence that the international cartel
of commercial vendors of child pornography continues to operate
because the FBI Innocent Images Unit and Special Agents within the
Immigration and Customs Enforcement Agency have been forbidden to
follow investigative protocols developed by Dr. Jackson, apparently
for fear of further belying the party line that e-gold is itself a
With regard to allegations of money laundering, Dr. Jackson notes
"G&SR's online exchange service, OmniPay, has for years followed
stringent customer identification procedures and an absolute policy of
only accepting money payments by bank wire. If bank wires aren't
already "clean" then what is? Furthermore, e-gold Ltd. can scarcely be
construed as a money launderer since it does not accept money payments
from anyone in any form and has never owned a single dollar, yen, euro
or any other brand of legacy money. As far as the possibility of a
criminal successfully obfuscating a money trail, e-gold is a closed
system. The only way to obtain e-gold is by receiving a transfer from
someone who already has some. e-gold is also the only payment system
accessible by the public that maintains a permanent record of all
On April 27, 2007, the government served seizure warrants on G&SR
ordering it to freeze, liquidate and turn over to the government the
operating e-gold accounts of G&SR and e-gold Ltd. The value seized,
about $762 thousand worth of e-gold from e-gold Ltd. and about $736
thousand worth of e-gold from G&SR [on top of the $0.8 million seized
from G&SR in 2005, and the approximately $1 million spent by G&SR so
far in its defense] constitutes the bulk of the liquid assets of both
companies. Perplexingly, a post-indictment restraining order states
"Nothing in the provisions of this restraining order shall be
construed as limiting the e-gold operation's ability to use its
existing funds to satisfy requests from its customers to exchange
e-gold into national currency, or its ability to sell precious metals
to accomplish the same once approval has been obtained." Having taken
virtually the entire operating funds of G&SR and e-gold Ltd., that is,
the e-gold in both companies' own e-gold accounts, it is unclear if
the government has even a basic grasp of the operations it has been
investigating for three years at a taxpayer expense in the millions.
The most remarkable element of the restraining order is that the US
government deputizes e-gold with plenipotentiary powers to act as
judge, jury and executioner against any account user e-gold itself has
deemed to be a criminal: "It is further ordered that upon receipt of
this order the defendants are required to freeze, that is, not conduct
or allow any further transactions in e-gold accounts that the e-gold
operation itself has identified as being used for criminal activity".
Although not accompanied by an outright letter of marque, this
commission (the financial equivalent to double ought status?) would
appear to be an acknowledgement that e-gold's 'Know Your Customer'
prowess far exceeds that of any regulated financial institution, who
would be obliged to rely on court orders or other legal writs to
determine if freezing an account is warranted.
Concurrent with this latest attempt to knock e-gold Ltd. and G&SR out
of business and thereby effectively deny them due process, the
government also attacked other prominent exchange services that deal
in e-gold; IceGold, The Bullion Exchange, Gitgold, Denver Gold
Exchange, AnyGoldNow, and Gold Pouch Express, plus a sophisticated and
secure alternative payment system called "1MDC". All of the listed
exchange services also follow stringent Customer Identification
Programs congruent with what would be required of a currency exchange
business, if the law supported such a classification. Two of the
services, IceGold and AnyGoldNow, are located in Europe and deal
primarily with non-US customers. As a direct and immediate result of
the seizures, these companies, all of who had built a reputation for
honoring their obligations to customers in a timely fashion, have been
disrupted, and, at least in the case of Gitgold, checks to customers
issued in fulfillment of exchanges have bounced. This is a repeat of
what happened to G&SR as a direct result of the 2005 seizure, when
over 200 checks to customers bounced and refunds had to be sorted out
with severely crippled liquidity and without a US bank account.
It must not be overlooked that the search warrant obtained by
misrepresentations before a magistrate judge in 2005 resulted in the
government helping themselves to the financial records of hundreds of
thousands of American citizens [plus citizens of virtually every other
country] who had not been accused of any wrongdoing. Since the initial
raid, the prosecutor has caused the Grand Jury to order complete dumps
of the e-gold data base on three additional occasions.
This case has nothing to do with criminal activity, at least not on
the part of e-gold Ltd., G&SR, the named individuals or these other
exchange services of high reputation. It is about a Department of
Justice that is out of control, cognizant of having made a horrible
mistake but determined at all costs to preserve its turf. In a meeting
at the US Attorney's office in Washington on December 29, 2006, a
Chief Assistant US Attorney told us that the United States knew we
weren't "bad guys" and that the United States had no interest in
sending any of us to prison or causing e-gold to go out of business.
This was in virtually the same breath as proposing that the current
defendants plead guilty to Federal felony charges.
The plain fact is that the repeated statements and actions of the
government since 2001, especially the USSS, are directly responsible
for crippling e-gold's ability to market its service to mainstream
businesses and consumers, slowing [but fortunately not stopping]
e-gold's continuous development of advanced anti-crime capabilities,
subordinating US law enforcement's cybercrime fighting efforts to the
forlorn hope of destroying e-gold, driving market share to non-US
based alternative payment systems and making the US law enforcement
community the laughingstock of competent cybercrime fighting agencies
worldwide because of its obstinate inability to back down from the
USSS's longstanding e-gold vendetta.
All inquiries should be directed to the law offices of:
Bob Hettinga found and forwarded the press release from the Washington DC courts:
A federal grand jury in Washington, D.C. has indicted two companies operating a digital currency business and their owners on charges of money laundering, conspiracy, and operating an unlicensed money transmitting business, Assistant Attorney General Alice S. Fisher of the Criminal Division and U.S. Attorney for the District of Columbia Jeffrey A. Taylor announced today.
The four-count indictment, handed down on April 24, 2007, and unsealed today, charges E-Gold Ltd; Gold & Silver Reserve, Inc.; and their owners Dr. Douglas L. Jackson, of Satellite Beach, Fla.; Reid A. Jackson, of Melbourne, Fla.; and Barry K. Downey, of Woodbine, Md., each with one count of conspiracy to launder monetary instruments, one count of conspiracy to operate an unlicensed money transmitting business, one count of operating an unlicensed money transmitting business under federal law and one count of money transmission without a license under D.C. law.
(Or here.) This is the next chapter in a long running saga. The e-gold investigation started sometime around 2002, with three primary agencies involved: IRS, FBI and USSS. The latter, the US Secret Service, has the original mission of protecting the currency, and hence their interest in money.
The actual charges are curiously not that interesting. Obviously, it is a money operation so there will always be a charge of Money Laundering, which in today's US courts is guilty by naming. Slightly less obviously, the charge of conspiracy just implies something else criminal was done by people acting together: and of course there are several people involved. So that charge simply succeeds if the others do, else it fails by definition.
Which leaves operating an unlicensed money transmitting business. This is the core charge. As we recall, this law came in in the aftermath of 9/11, when a Hawala was found to have transmitted one of the payments needed to finance the terrorist attack (the vast majority of the funds went through normal bank transfers). This then started a war on Hawalas, and the regulations were put in place * with a clear offer: license yourself as a money transmitter or face the consequences.
e-gold declined the offer. I recall that they argued they were not a money transmitter business because e-gold was not money, and the sales operation of Omnipay just used the banks to transmit the dollars back and forth. (This is from memory, these arguments were made in public in either the press or the mailing lists. ... Addendum: read Dr Jackson's response for more details on the position taken.)
I don't know about you, but that was a ludicrous position to take then, and now. It was pretty clear that the point was, come in from out of the wild wild west, or well go and hunt you down. To argue on a technicality like that was just insane, as courts will ignore such nonsense on the basis of a "reasonable man" test.
Is e-gold more or less in the money transmitting business? A reasonable man will say yes.
This characterises the extraordinary levels of arrogance of the e-gold founders. Because they had built a business that had seemingly escaped from the jaws of defeat and the evils of the banking cartel, they were right, God-blessed and destined to change the world. From their dramatic successes around 2000, there was a persistent belief in the righteousness of their mission, and an equal belief in the willingness of the courts to defend them. Because they were right!
Such hubris has to go down. Whatever we think about David versus Goliath stories, the US Government isn't happy to be taunted that way, and the competitors aren't going to let the USG proudly ignore the taunts. Consider all the banks in the US, and all the (licensed) money transmitters. And if that isn't enough, recall all the other countries in the world that suffered, and still suffer, the indignities of Ronald Reagan's war on drugs: every time there is a criticism about money laundering, all these players are going to keep banging the table about e-gold.
"Sort out your own house, first!" There is only one end to this story. A bad end.
Disclosure: I myself was closely engaged with e-gold in the years 1998 to 2000, and locked in court battles with them from 2001 to 2003. Before those battles, however, I argued that they should take no position that puts them up against (the, any) government. Luckily, e-gold filed my arguments in court, as evidence against me.
* Footnote on Law on Money Transmitters: historically the Hawala episode was just the excuse needed. The draft law had been circulating for some time, and had been inspired directly by the success of Paypal and e-gold in bypassing the normal banking regulations.
The gold community is a-buzz with the news ... first an announcement from BullionVault (no URL):
There have been growing stresses on our relationship with Brinks Inc, the US-owned vault operator, and it has become clear that they feel uncomfortable about continuing to vault BullionVault gold.
Why this might be so I am genuinely unable to say. Their exact reasoning has not been disclosed to us.
Fortunately, there is an excellent alternative available to us in ViaMat International, the largest Swiss-owned vault operator, and one which has a full quota of internationally located professional bullion vaults.
Swiss ownership suggests an independence from some of the pressures which Brinks may have found themselves operating under recently. Also you - our users - have chosen to vault 26 times as much gold in Switzerland as in the United States, so we believe this change will be both natural and welcome.
This is an echo of the old e-gold story, where different reputable vault companies handed the e-gold reserves around like it was musical chairs. BuillionVault is a new generation gold system, not encouraging payments but instead encouraging holding, buying and selling. It's not yet clear why they would be a threat.
But then, from 1mdc, a payment system:
Friday Apr 27 2007 - 4AM UTC
It appears that a U.S. Government court order has forced e-gold(R) to close down or confiscate all of 1mdc's accounts. All of 1mdc account's have been closed at e-gold by order of the US Government.
Please note that it appears the accounts of a number of the largest exchangers and largest users of e-gold have also been closed or confiscated overnight: millions of Euros of gold have been held in this event. A couple of large exchanger's accounts have been shutdown.
If the confiscation or court order in the USA is reversed, your e-gold grams remaining in 1mdc will "unbail" normally to your e-gold account.
We suggest not panicking: more will be known on Monday when there will be more activity in the courts.
You CAN spend your 1mdc back and fore to other 1mdc accounts. 1mdc is operating normally within 1mdc. However you should be aware there is the possibility your e-gold will never be released from e-gold due to the court order.
Ultimately e-gold(R) is an entirely USA-based company, owned and operated by US citizens, so, as e-gold users we must respect the decisions of US courts and the US authorities regarding the disposition of e-gold. Even though 1mdc has no connection whstsoever to the USA, and most 1mdc users are non-USA, e-gold(R) is USA based.
You are welcome to email "firstname.lastname@example.org", thank you.
Yowsa! That's heavy. And now, BullionVault's actions make perfect sense. Brinks probably heard rumour of happenings, and BullionVault are probably sweating off those pounds right now crossing the border with rucksacks of kg of yellow ballast.
It's worth while looking at how 1mdc worked, so as to understand what all the above means. 1mdc is simply a pure-play e-gold derivative system, in that 1mdc maintained one (or some) e-gold accounts for the reserve value, and then offered an accounting system in grams for spending back and forth.
1mdc then stands out as not actually managing and reserving in gold. Instead it manages e-gold ... which manages and reserves in gold. Now, contractually, this would be quite messy, excepting that the website has fairly generally made no bones of this: 1mdc is just e-gold, handled better.
So, above, 1mdc is totally uneffected! Except all the users who held e-gold there (in 1mdc) are now totally stuffed! Well, we'll see in time what the real story is, but when this sort of thing happens, there are generally some losers.
What then was the point of 1mdc? e-gold were too stuffy in many ways. One was that they charged a lot, another was the owners of e-gold were pretty aggressive characters, and they scared a lot of their customers away. Other problems existed which resulted in a steady supply of customers over to 1mdc, who famously never charged fees.
We could speculate that 1mdc was destined for sale at some stage. And I stress, I don't actually know what the point was. In contrast to the e-gold story, 1mdc ran a fairly tight ship, printed all of their news in the open, and didn't share the strategy beyond that.
It may appear then that the US has moved to close down competition. Other than pique at not being able to see the account holders, this appeared yesterday to be a little mysterious and self-damaging. Today's news however clarifies, which I'll try and write a bit more about in another entry:
...the Department of Justice also obtained a restraining order on the defendants to prevent the dissipation of assets by the defendants, and 24 seizure warrants on over 58 accounts believed to be property involved in money laundering and operation of an unlicensed money transmitting business.
Governance is about protecting the assets of the owner. Here's an anecdote on an early development in Governance, that reflects the arisal of robust accounting and predicts redundant computing:
IN THE BEGINNING
It’s said that accountants’ predecessors were the scribes of ancient Egypt, who kept the pharaohs’ books. They inventoried grain, gold and other assets. Unfortunately, some fell victim to temptation and stole from their leader, as did other employees of the king. The solution was to have two scribes independently record each transaction (the first internal control). As long as the scribes’ totals agreed exactly, there was no problem. But if the totals were materially different, both scribes would be put to death. That proved to be a great incentive for them to carefully check all the numbers and make sure the help wasn’t stealing. In fact, fraud prevention and detection became the royal accountants’ main duty.
Accounting is both a mundane tool for telling you how much you have, and a critical tool for stopping that "how much" from shrinking through theft. Hence, it is a Governance tool as well; double-entry accounting is also a tool to achieve a governance feature, by the magical trick of clearly identifying errors and separating them from intent.
In the absence of double entry, the Egyptians solved the errors problem using redundant computers. Just like today's designs for redundant computers, errors caused the shutdown of the system, although it seems that Egyptian designs for redundant computers did not advance to voting and quorum systems.
I've previously blogged on how the non-profit sector is happy hunting grounds for scams, fraud, incentives deals and all sorts of horrible deals. This caused outrage by those who believe that non-profits are somehow protected by their basic and honest goodness. Actually, they are fat, happy and ripe for fraud.
The basic conditions are these:
Examples abound, if you know how to look. Coming from a background of reading the scams and frauds that rip apart the commercial sector, seeing it in the non-profit sector is easy, because of the super-fertile conditions mentioned above.
Here's one. In New York state in the US of A, the schools have been found taking incentives to prefer one lender over another for student loans.
[State Attorney-General] Cuomo has sent letters to and requested documents from more than a hundred schools for information about any financial incentives the schools or their administrators may have derived from doing business with certain lenders, such a gifts, junkets, and awards of stock.
A common practice exposed by Cuomo is a revenue-sharing agreement, whereby a lender pays back a school a fixed percentage of the net value loans steered its way. Lenders particularly benefit when schools place them on a short list of “preferred” lenders, since 3,200 firms nationwide are competing for market share in the $85 billion a year business.
Here's an inside tip that I picked up on my close observance of the mutual funds scandal, also brought by then NY-AG Elliot Spitzer (now Governor, an easy pick as he brought in $1.5bn in fines). If the Attorney-General writes those letters, he already has the evidence. So we can assume, for the working purposes of a learning exercise, that this is in fact what is happening.
There's lots of money ($85Bn). The money comes from somewhere. It can be used in small incentives to steer the major part in certain directions.
To narrow the options, most schools publish lists of preferred lenders for both government and private loans. They typically feature half a dozen lenders, but they might have only one. Students should always ask if the school is getting any type of payment or service from lenders on the list.
To get a loan, schools must certify that you are qualified. By law, schools can't refuse to certify a loan, nor can they cause "unreasonable delays," because you choose a nonpreferred lender. That said, many schools strongly discourage students from choosing a nonpreferred lender.
The University of North Carolina at Chapel Hill tells students on a form that if they choose a lender other than the school's sole preferred lender for Stafford loans, "there will be a six-week delay in the processing of your loan application" because it must be processed manually.
How do we address this? If we are a non-profit, then we can do these things:
It's not so exceptional. Some schools got it:
Thirty-one other schools joined Penn and NYU in adopting a code of conduct that prohibits revenue-sharing with lenders, requires schools to disclose why they chose preferred lenders, and bans financial aid officers and other school officials from receiving more than nominal gifts from lenders.
Clues in bold. How many has your big fat, rich open source non-profit got? I know one that has all of the first list, and has none of the second.
Some many years ago I created a five parties model that used the public as the fifth party to bind all the others together in governing the toughest of assets: money. 5PM is now the benchmark for digital gold issuers, and while not universally adopted, it is widely understood. While I say it myself, I think it a lot more effective, bang for governance buck, than the efforts of the national competitors.
Mostly 5PM is just classical separation of roles (sometimes known as 4 eyes principle), but it also introduced the new factor of open governance: disclosure of key facts to the public, who then audit and share their results over the Internet.
The innovation of open governance creates a dramatic shift in classical governance, as it moves tasks that were previously only possible with (expensive) audits or (backfiring) regulations across to the open market. Solutions then emerge in accord with what stakeholders want to spend, and they emerge in interesting ways.
And, oh so many interesting possibilities! John Quarterman posts:
- Bakersfield pothole map -- Locals report seeing potholes and they get mapped.
- U.S. Fatalities in Iraq -- Someone has taken the home of record for each U.S. fatality in Iraq and mapped it.
- Chicago Crime Map -- This one says down at the bottom: "Important disclaimer: This site is not affiliated with the Chicago Police Department. This site uses crime data obtained from the CPD's Citizen ICAM Web site, which is a publicly available database of reported crime. Please read the Citizen ICAM disclaimer to understand the data fully."
- Bakersfield homicide map -- "This is a map of Homicides in the Bakersfield area that occured in 2006. Locations are approximated and based on data provided by the Office of the Coroner."
In every one of those, people have identified an asset, and have created an open participatory forum for sharing information about it. Why? To protect the asset, of course.
This is a darn sight less expensive than classical forms of governance (regulations, external auditing, but also see how the above list directly challenges representational democracy and internal auditing). As those efforts move steadily, deeper into stormy weather, we can expect open governance to become more and more important in securing assets. Mark the rising star as one to watch.
Insider fraud is like an evil twin of security. From the "it could be you" department...
There has been an internal feud at the company for some time between joint owners Kevin Medina, CEO, and John Naruszewicz, vice president, which culminated in a February 12 lawsuit.
Naruszewicz sought, and received, a preliminary court injunction preventing Medina from accessing the company's funds. Naruszewicz claimed that Medina had been using corporate money to pay for a life of luxury, at the expense of the company and its customers.
Among the allegations were claims that Medina has used Registerfly's money to pay for a $10,000-a-month Miami Beach penthouse, a $9,000 escort, and $6,000 of liposuction surgery.
Many "security people" from the new, net-based culture only discover what older value institutions have known for centuries -- and then only when it happens to them.
The overall lesson that we need to bear in mind is that the twins should be kept in balance: cover the external security to the same extent as the internal security. Security proportional to risk, in other words, as having perfect security in one area is meaningless if there is a weak area elsewhere.
That's a case from the computer industry: It could be you... We can imagine that it all started out as an innocent need to network with some important clients.
(Note that the unsung hero here, the VP who challenged the fraud, will probably never be rewarded, thanked, or protected from counter-attacks.)
KPMG is in trouble again, this time for being breached. If you are one of the world's select group of targetted companies, read the whole article. Here's the teaser:
The intelligence firm was originally looking for people who fit one of two profiles for sources likely to leak the audit information, according to a Project Yucca planning memo. One personality type was a "male in his mid-20s who is somewhat bored...has a propensity to party hard, needs cash, enjoys risk, likes sports, likes women, is disrespectful of his managers, fiddles his expenses, but is patriotic." The memo described the second personality type as "a young female who is insecure, overweight, bitchy, not honest. Someone who spends money on her looks, clothes, gadgets. Has no boyfriend, and only superficial friends. Has a strong relationship with her mother." Apparently, no one on Diligence's list quite fit either profile, but the firm settled on Enright, the British-born accountant.
Do you know anyone like that in your company? Probably you do, and that is no coincidence.
There are several stock responses, pick one:
Leaving naivete aside, consider what in your firm stops would catch this and stop it. It's a standard governance exercise.
FEBRUARY 26, 2007
Spies, Lies & KPMG
An inside look at how the accounting giant was infiltrated by private intelligence firm Diligence
In the spring of 2005, Guy Enright, an accountant at KPMG Financial Advisory Services Ltd. in Bermuda, got a call from a man identifying himself in a crisp British accent as Nick Hamilton. Hamilton said he needed to see Enright about matters of utmost importance.
Over the course of two meetings, Hamilton led Enright to believe he was a British intelligence officer, according to a person familiar with the encounters. He told Enright he wanted information about a KPMG project that Hamilton said had national security implications for Britain. Soon, Enright, who was born in Britain, was depositing confidential audit documents in plastic containers at drop-off points designated by Hamilton.
But Nick Hamilton was not an agent of Her Majesty's secret service, and the documents never found their way to the British government.
Nick Hamilton was in fact Nick Day, now 38, a onetime British agent and co-founder of Diligence Inc., a Washington private intelligence firm that counts William Webster, former director of the CIA and FBI, among its advisory board members. Diligence's client was not Britain's Queen, but Barbour Griffith & Rogers, one of the most formidable lobbying firms in Washington. Barbour Griffith represented a Russian conglomerate whose archrival, IPOC International Growth Fund Ltd., was being audited by KPMG's Bermuda office.
A 2006 scandal involving Hewlett-Packard Co. (HPQ ) put the issue of corporate espionage in the headlines. Diligence's methods, revealed in court documents and interviews by BusinessWeek, show how far some in the corporate investigation business will go.
Without denying this account of events in Bermuda, Diligence's Day says: "We've always respected the laws of the jurisdictions in which we operate." He adds that corporate intelligence firms like his provide an invaluable service. "We essentially help businesses deal with the risks of operating in challenging markets," Day says. "It's a role which government agencies don't necessarily have the resources or understanding to be able to fulfill."
From the start, Diligence's goal was clear, if far from simple: Infiltrate KPMG to obtain advance information about the audit of IPOC, an investment fund based in Bermuda. Russian conglomerate Alfa Group Consortium hired Barbour Griffith & Rogers through a subsidiary, and the lobbying firm in turn hired Diligence. Alfa is dueling with IPOC for a large stake in the Russian telecom company MegaFon. "We have a good chance of success on this project," Day wrote in an internal Diligence memo, referring to the Bermuda espionage effort. The memo, which BusinessWeek reviewed, added: "We are doing it in a way which gives plausible deniability, and therefore virtually no chance of discovery." Similar Diligence operations, the memo noted, had been successful before.
Within Diligence the KPMG campaign was dubbed Project Yucca, and it unfolded in stages, according to people familiar with the operation and documents filed in a court proceeding involving IPOC and Alfa in the British Virgin Islands. First, two Diligence employees contacted KPMG's Bermuda offices pretending to be organizers of a legal conference on the island, according to a person familiar with the operation. The Diligence staff members called KPMG secretaries and asked about how the office worked. Soon, Diligence had the names of a handful of KPMG employees who might have access to the IPOC data. But Diligence wanted to narrow the list.
The intelligence firm was originally looking for people who fit one of two profiles for sources likely to leak the audit information, according to a Project Yucca planning memo. One personality type was a "male in his mid-20s who is somewhat bored...has a propensity to party hard, needs cash, enjoys risk, likes sports, likes women, is disrespectful of his managers, fiddles his expenses, but is patriotic." The memo described the second personality type as "a young female who is insecure, overweight, bitchy, not honest. Someone who spends money on her looks, clothes, gadgets. Has no boyfriend, and only superficial friends. Has a strong relationship with her mother." Apparently, no one on Diligence's list quite fit either profile, but the firm settled on Enright, the British-born accountant.
Enright soon got a call from Diligence's Nick Day, posing as Nick Hamilton, according to a person familiar with the situation. The two agreed to meet for lunch near the KPMG offices in Hamilton, Bermuda. At lunch, Day, who is dark-haired and has a warm smile, said the assignment he had in mind for Enright was top secret and involved Britain's national security. Day kept the conversation vague, never mentioning IPOC or the audit, according to the person familiar with the situation. Day told the accountant he would have to undergo a British government background check to ensure that he was up to the task. Day produced an official-looking--but fake--questionnaire with a British government seal at the top and asked for information about Enright's parents, his professional background, any criminal history, and political activities, according to a copy of the questionnaire reviewed by BusinessWeek. Enright provided the information.
Several weeks later the two men met again, this time in a local bar, says the person familiar with the events. Day, still calling himself Nick Hamilton, told war stories from what he said were his days in the Royal Navy's Special Boat Service, Britain's equivalent of the U.S. Navy SEALS. He then steered the conversation toward his real interest: What did Enright know about the KPMG audit of IPOC?
Soon, Enright was handing over confidential audit documents, including transcripts of interviews KPMG had conducted in the IPOC investigation, according to court documents on file in the British Virgin Islands and the source familiar with the events. Day picked out a rock in a field along Enright's 20-minute daily commute from his home in Elbow Beach and placed a plastic container under the rock, creating what spies call a dead drop site. At appointed times, Enright slipped new material into the container, which Day later retrieved. On one occasion, Enright left documents in the storage compartment of his moped, which he parked at his home. Enright had told Diligence employees where he hid the keys to the moped. When Enright left for a trip, Day collected the papers, according to the person familiar with the situation.
Day and Diligence took elaborate precautions to make sure Enright wasn't himself a plant or a corporate spy, people familiar with the events say. Diligence employees followed Enright from his office to every meeting with Day. A Diligence employee was at each meeting spot before the men arrived to determine whether Enright was using associates for surveillance. Enright was followed to his destinations when meetings ended. When Day left the meetings with Enright, the source says, the Diligence executive followed a process spies call dry cleaning, which was designed to detect whether Day was being followed. He walked a prescribed route through several narrow "choke points" that made it possible for Diligence employees to identify anyone who might have been tailing him.
Diligence was paid handsomely for its work. An invoice produced in a federal court proceeding in Washington involving IPOC and Diligence shows that Barbour Griffith was billed by Diligence "For Bermuda report and Germany work--A Telecom." Diligence was paid $25,000 a month, plus $10,000 a month for expenses, according to documents reviewed by BusinessWeek and an interview with a person familiar with the matter. The company was also paid a $60,000 bonus for acquiring the first draft of KPMG's audit of IPOC. Diligence's total take couldn't be determined.
The undercover Project Yucca ended after someone--it remains unclear who--dropped a bundle of papers at the Montvale (N.J.) office of KPMG on Oct. 18, 2005. The papers included Diligence business records and e-mails with details of Project Yucca.
On Nov. 10, 2005, KPMG Financial Advisory Services sued Diligence for fraud and unjust enrichment in U.S. District Court in Washington. On June 20, 2006, the case settled. Diligence paid KPMG $1.7 million, according to a person familiar with the settlement.
On June 15, 2006, IPOC sued both Diligence and Barbour Griffith & Rogers in the same District Court, alleging civil conspiracy, unjust enrichment, and other misdeeds. That case is pending. Gavin Houlgate, a spokesman for KPMG, declined comment, as did attorneys for KPMG at the New York law firm Hughes Hubbard & Reed. Kirill Babaev, a vice-president at Alfa's telecom arm in Moscow, said in a statement when asked about Alfa's involvement in the Diligence operation: "We are...not a party in any litigation with IPOC, and therefore cannot comment on any rumours or speculations in this regard."
Barbour Griffith & Rogers' most famous co-founder is Haley Barbour, who is now governor of Mississippi. Barbour left the lobbying firm in 2003, before the Diligence operation began. Another Barbour Griffith co-founder, Ed Rogers, was an early investor in Diligence. The lobbying firm rented space at its Pennsylvania Avenue offices to Diligence. Edward MacMahon, a lawyer for Barbour Griffith, says the firm has done nothing wrong and that no one affiliated with Barbour Griffith currently has an equity stake in Diligence. A person familiar with Diligence says the firm's shareholders are CEO Day, former U.S. Ambassador to Germany Richard Burt, Edward Mathias of Washington-based private equity firm Carlyle Group, and Buenos Aires private equity firm Exxel Group. Burt confirms he is Diligence's chairman but declines to discuss Project Yucca. Mathias confirms he is an investor in Diligence but says he is unaware of the Bermuda events. Exxel Group lists Diligence among its portfolio companies on its corporate Web site but did not respond to an e-mail seeking comment.
It's unclear whether Diligence broke any British or American laws. In an interview at his Washington office, Day says he and his firm always stay within the law but have learned much since 2005: "As an organization we've changed a lot as a result of everything we've been through in the last year." He says Diligence has "spent a lot of time training our staff as to what they can and cannot do."
In a statement to BusinessWeek, IPOC director Mads Braemer-Jensen said: "The fact that Alfa hired Barbour Griffith & Rogers and Diligence to use illegal and dishonest smear tactics against IPOC just shows that Alfa is trying to change the subject away from the fact that they stole from IPOC. We hope the U.S. and Bermuda law enforcement authorities will make note of this and take appropriate action against Alfa."
Guy Enright, who now works for Deloitte & Touche in London, declined repeated requests for comment on his relationship with Nick Day and his work on the IPOC audit. The terms of Enright's departure from KPMG couldn't be determined. But he apparently didn't come away empty-handed from his encounters with Nick Day.
As Project Yucca wound down in 2005, Day, still in the guise of Nick Hamilton, gave Enright a Rolex watch worth thousands of dollars, according to two people familiar with the present. Enright was led to believe it was a thank-you gift from the British government, but it, too, came from Diligence.
By Eamon Javers
The Mozilla governance debate is running hot, rejoinders flowing thick and fast. Here is a seriously good riposte by James Donald:
A successful open source project has a large effect on what large numbers of people do. The effect has a large indirect effect on various for-profit ventures, who then proceed to give handouts to the non profit open source project. Thus, for example, linux was the beneficiary of vast amounts of work by engineers employed by corporations who feared that they would be screwed by Microsoft or wintel, and urgently wanted to have an alternative, or, in the case of Sun, had to ensure that their customers had an alternative.
In that case, the big corporations were the good guys, reacting against the dangerous power of a particular big corporation, protecting everyone in the course of protecting themselves.
More nefarious activities are common: For example OpenID is backed by XRI, and tends to do things that are more in the interests of XRI rather than support the objectives of OpenID - but then there is nothing terribly wicked or nefarious about the objectives of XRI.
Getting back to the case in dispute, the various browser responses to phishing, to the internet crisis of identity and security, make more sense as a Verisign business plan than as a response to phishing, and in so doing harm security, in the sense that they are disinclined to take any effective action, for any effective action would compete with the services provided by Verisign.
We don't need to worry about governance with linux, for the interests of the contributors are well aligned - they all want free software ("free" as in "free speech", not just "free" as in "free beer") that does all the things that Microsoft's unfree software does) So we just proclaim Torvalds dictator and let him get on with it. No one cares about linux governance.
Trouble is that some of the contributors to Mozilla want to paid for security, which means that they do not want Mozilla to provide free security - neither in the sense of free speech, nor in the sense of free beer.
And Mozilla really should provide free security.
Now, we might not agree with everything written above ... but James does raise the rather good point that there is a big difference between the Linux community and the Mozilla community.
Superficially, there is tight control over both projects. In the first case by Linus, Grand Vizier and Despot Over all his Kernels and Dominions. In the second, MoFo developers are Most Benevolent and Principled Dictators, Defenders of the Freedom of all our Code in all our Repositories. To paraphrase.
Both despots, both dictators. Here is the difference. Linus only rules over the kernel; which is then fed to 100 or more secondary tier distributors, within the freedom granted by GPL. They then feed it to users.
In contrast, Mozo rules over the whole show. The user interface ("UI") is controlled by the Mozo developers, but not by Linus in his project. For Mozo the money comes flooding in like the spring melt because they have a vast user base wanting to access the lodestone of net commerce: search engines.
For the linux kernel there is no such centralised opportunity, as the UI is controlled at the remote distro level. In practical terms, the Linux commercial opportunity has been outsourced into the free market of Redhat, Ubuntu, Suse, Debian and a hundred others.
The reason that no-one cares about Linux governance is that the very structure of the Linux industry is the governance. The governance issue of regulating benefits and opportunities is solved by placing it were it is best dealt with: in the market place.
Expressed as a principle, Linus says it's ok to be a systems despot, but, please, let the UI go free.
Governance seems to be a term that is less familiar to more than a few. So I will try and paint a picture of it. (Caveat: Governance is a huge field, so it won't be possible to give more than a small overview...)
The closest to what we mean in Financial Cryptography is what is called Corporate Governance; other uses of the term suffer from manipulation. In the corporate world, Governance is in essence the need to align the organisation's decision makers with the interests of the organisation itself. (We will come to the non-profit versus for-profit issue later.)
Let's get right back to basics and consider two people, an Owner and an Employee. The owner's interests are aligned with her decisions; if not she loses money.
However her employee has a more perverse situation: his decisions are naturally aligned with his own interests, which might be contrary to the interests of the owner.
(This is called the Principal-Agent problem, where the Principal is the owner, and the employee is an Agent of the Principal. The Agent has a conflict of interest, whereas the Principal does not, in simple terms. It is a widely studied theory.)
The Shop of Humble Things
Pretty dry stuff, so let's try an example. The canonical story is that of a small retail shop. How does the Owner structure things such that the Sales Assistant doesn't simply keep the money handed him by the customer?
Several age-old inventions created revolutions that enabled our humble shop to advance to greater things. Here's two from the Halls of Governance Fame:
1. The cash register (or till or box). These days we think the cash register is about the need to calculate change and store the cash safely from robbers, but its original success was due to something else: the creation of a separate box that created a mental and physical barrier between the Agent's money and the Principal's money.
Think here of the old shop assistant's uniform -- a huge pair of overalls with 2 grand pockets in the front, and you'll see where we are heading. The Agent can put the Customer's payment into his 2 grand pockets ... and simply forget some or all of it!
Who's to say?
Instead, by putting the money into the box clearly labelled as the Principal's cash register, a protocol was established; if any money was taken out, that was theft, and if the Customer's money didn't go in, that was also theft.
2. The receipt. Again, today, we think of the receipt as the "customer's right." No such! At least not primarily; its core purpose in life is not evidence for the customer, but evidence for the Principal. At the end of the day, the money in the cash register is counted up, and if the total of receipts didn't match the amount of money, then we have a problem.
So why does the Customer get a receipt? Because the Customer checks that the Principal gets a receipt!
In order to make both the above inventions work, the customer was signed up as an unwitting but interested participant in the purchase of Humble Things. She is encouraged to participate in the protocol by one means or another, and is encouraged to report infractions to the owner. With the receipt, we want her to make sure that the Shop Assistant fills out a copy for the Owner, so the owner rewards her with a copy as well. When she sees money going into those 2 grand overalls pockets, she is encouraged to think about rising prices due to theft.
These two inventions created a revolution in shops: they and other Governance techniques meant that it was possible to employ Agents and trust them to work unsupervised.
So what do we mean by Corporate Governance? Simply the enlarged form of the above: using techniques like the cash register to construct larger, better and more trustworthy enterprises.
Imagine your new job is Financial Controller at Enron! Do you get into the spirit of financial engineering, and shovelling of huge bundles of corporate value into obscure corporate vehicles for later profiting ... by self ... or do you work to clean all this up and make the money work for the shareholder?
Well, it all depends on how the interests are aligned. Do you get to keep the money? We all know that everyone has a price, and it only depends on the *amount* money on offer ... we also know that the equation is fundamentally one of risk and likelihood: A nigerian scam offers you millions, but you know that the chances are ridiculous, so your expectation is negative.
So, for our financial controller at Enron, it is *just* another risk calculation, and <ahem> he's very good at that, because risk is his job!
What stands in his way is: Governance. Enron was nothing but a failure in governance.
Corporate Governance, then, is the mission of establishing the shareholder as the ultimate benficiary and searching for the best way to reward that shareholder for her investment. It *specifically* looks at how we align the interests of all the players -- directors, managers, etc -- so that they all work to reward the shareholder.
And, not themselves. Governance works on the expectation that directors and managers will consider their own interests before that of the shareholders. How we deal with that is the art and science of governance; we don't eliminate it, nor even totally control it, but we search for the profitable balance, the convenient seduction, the ultimate win-win. You pick the terms, but recognise that Governance starts when you understand that the employees are on a pay-packet, and that will always be stronger than their interests in the welfare of the shareholder.
Now, how does this all apply to an organisation without shareholders? Well, obviously, the interests cannot be aligned because there is no benchmark available -- no shareholder. Does this mean that Corporate Governance is null and void in the world of non-profits?
Not at all. It means that we start from an absence of Governance, which is a worse situation than a corporation without governance. With a corporation, the owners can always sack the board and start again, albeit with losses. With a non-profit, we can't even take that drastic step.
How we deal with this is tough. I'm no expert on non-profit governance, but I can offer some tips. First one:
Identify the stakeholders. These people can be impressed into service as proxy shareholders; in that where we would align interests to shareholders before, now we align interests to the stakeholders.
Next, identify the interests of the stakeholders. As we aren't paying them money, it will have to be something else. Money is fantastic for this purpose because each payment ("dividend") is measurable and comparable, and it will be hard to come up with something as good as money to create a feedback loop. But, it is possible.
Then, align the interests of employees to the above interests of the stakeholders. E.g., maybe your stakeholders are interested in "choice in software." If so, we could measure how many choices you offer, and what proportion of the population chooses your choice. Then, we could reward the employees on how the growth in choice pans out over time.
By way of example, consider an option on future market shares of software. Imagine you give me an option on 19% share for our product Fuxbirdie within the overall market for brailers. When Fuxbirdie reaches 19%, I get paid out a buck, and if not, it expires worthless.
Summarising the Governance of Humble Things
Governance isn't exciting. It doesn't seem to get more code written, it doesn't get your picture in Linuxworld, and there are no awards. It literally is the last and most ugly thing to work at.
It is also the thing that fewest honest people understand least well, and most crooked people understand very well. For the crooks, it is their way to their pot of gold, without even the sense of theft; it is the ultimate fraud, one that actually .. didn't happen because the crook changed the rules to make it work in his favour.
Governance is simply about identifying your core stakeholders, their interests and then aligning the business to your stakeholders and interests. Now, your interests. It's easy if you are a Corporate, as the profit motive and shareholder base are easily set up.
It's a bit harder as a non-profit; but there is an avenue in identifying stakeholders, and their interests.
Annex: Things Excluded from FC's meaning of Governance
A characteristic theme of IT governance discussions is that the IT capability can no longer be a black box. The traditional handling of IT management by board-level executives is that due to limited technical experience and IT complexity, key decisions are deferred to IT professionals. IT governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision making process. This prevents a single stakeholder, typically IT, being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected:
A board needs to understand the overall architecture of its company's IT applications portfolio ... The board must ensure that management knows what information resources are out there, what condition they are in, and what role they play in generating revenue... 
Again, this is an old pig called "management." Putting it in a dress and calling it governance doesn't help. I'd speculate that it is done that because telling the board that they don't understand IT isn't helpful, but telling them that it is governance might wake them up.
"Simply put "governance" means: the process of decision-making and the process by which decisions are implemented (or not implemented). Governance can be used in several contexts such as corporate governance, international governance, national governance and local governance.
Since governance is the process of decision-making and the process by which decisions are implemented, an analysis of governance focuses on the formal and informal actors involved in decision-making and implementing the decisions made and the formal and informal structures that have been set in place to arrive at and implement the decision."
Over on anti-fraud, Gervase asked:
>> Perhaps you should define "stakeholder" while you are here.
Ok, fair question. I received a huge tome entitled Phishing and Countermeasures in the post a week or so ago, and it includes lots of academic articles. In one, in a discussion of behavioural studies of phishing, it says:
As previously stated, Smetters and Grinter  have made the claim that there are three groups of stakeholders to consider in the design of security technologies, namely developers, administrators, and end-users. They claim also that the latter two groups are the primary focus of most security-related research. Finally, they claim that end-users are more frequently forced to be their own systems administrators nowadays, leading to an undesirable condition in which managing security is more complex for end-users than ever.
The notion that the stakeholders are developers, administrators, and end-users is perhaps the most obvious inventory. In a larger sense, all of society is affected by the security and trustworthiness of the online world, and we should not here discount the effects on all of society that arise when the security rights of individuals are violated. In global terms, the very notion of transactions between people and societies can be effected by the level of collective trust that depends on the reported experience of individuals.
[discussion of personas, snipped] ... it is not enough to design a system that makes it easy for security experts to manage the security of their transactions systems, but also it is necessary to design systems that make it possible for other kinds of people to easily become aware and act compliantly.
The full article is "Behavioural Studies," Jeffrey Bardzell, Eli Blevis, and Youn-kyung Lim.
To complete the discussion, "stakeholder" is a term that sits in opposition to "shareholder;" it both identifies others who are important, and also asks organisations without shareholders to go through the same exercise as those with.
See also the 2nd (managament) definition on wikipedia.
Over in MozoLand, they have opened up a bug track on the problems with Extended Validation certificates, as their way of carrying out the debate as to what Mozo should do. Using bug tracking systems doesn't mean "EV is a bug," it just fits the process and culture of the people concerned.
As I'd commented before about EV, and hit on the liability issue as one big area, the following is a more clear description of the issue: possibly suitable for filing as a bug. I just find it easier to wax on in blog form when it reaches a certain level of complexity.
Classically and simply, the certificate business is one that promises coverage of some form for MITMs (such as phishing attacks) to Internet browser users (relying parties, perhaps), while charging server users (subscribers) for the privilege. It is structured as a systemic franchise, meaning a group of interlinked but independent business units such as CAs, server vendors and browser vendors, operating to provide a single cohesive service; which term I just coined to capture the lack of transparency and potential problems incumbent in that opacity.
In practice, the promise of "safe Internet browsing" is generally false, as evidenced by phishing. In particular, CAs more or less generally seek to reduce their liability to Internet browser users to zero, using a variety of tricks . For example, in law, there is generally no liability if there is no contract or no specific legislation; so a common trick is for CAs is to hand out contracts that spell out that liability only exists if the crypto has been breached or other conditions that are statistically or security-wise irrelevant.
The new EV Guidelines may then be viewed on whether they improve on this position, from the pov of users and other stakeholders. Some comments follow that attempt to interpret/predict any new liability position that arises for CAs to browser users under EV .
The big picture within the Guidelines is at page 42. Here is my summary:
37.(a). CA Liability
(1) Subscribers and Relying Parties.
A. If the CA is compliant with EVG, then it is not liable.
B. If the CA is *not* compliant then it may seek to limit liability.
C. But not to any lower than $2000 per customer.
So what we have is that if CAs did the "right thing," then they are not liable, but even if they did the wrong thing, then they are only liable for up to $2000!
Let's get specific:
1. We know that the average phish is around $1000. Many are more, of course, and some frauds have reached towards $100,000. Now, maybe we don't want to limit liability to $100k ... but something a lot greater than twice the average phish -- data which we know have for some 3 years -- would be somewhat more impressive.
2. It has been suggested that the base price of an EV certificate will be around twice the existing "best of class" cert. That is, around $2000 from Verisign.
So in effect, for any one customer, the issuer is likely only liable for the same amount as the monies which they have accepted, albeit from the subscriber. This happens to be a normal watermark in both contract and law anyway.
3. Even when phished, you aren't covered. If there is a flaw in the Guidelines, you're not covered. If there is a flaw in the browser, you're not covered (but see "Indemnification" for more confusion).
4. Only if there is an error in the CA's actions are you covered. This could be as egregious as issuing a summer madness discount package of certs for all the Banks in in all the Americas to the Russian mobsters... and the CA still may limit liability to $2000!
5. Further, there is no hint anywhere that CAs should take on an expected liability of $2000. This is not an insurance policy by any stretch of the imagination; quite the reverse, as the CA
may seek to limit its liability ... by any means that the CA desires ...
provided that the monetary amount is capped at $2000.
What does this mean in plain words for liability? Knock yourselves out, guys: Use all those old barriers and reduce the expected liability to zero. Just state that the monetary damages upper limit is $2000.
6. For one tiny example, the statement that CAs are not liable if they are compliant with EVG is simply that: a trick to reduce liability. EVG is no contract, it is simply yet another document to wave in front of the judge and make him or her want to clear this horrible case from the calendar.
7. For further small example, what lawyer will take on a legal case for $2000? US attorneys won't deal, and no expert witness will testify on your behalf on whether the CA made a mistake (yes, you will need expert help, unless you actually understand the Guidelines....). And, um, how many attornies do the CAs have call on?
8. Bottom line is that EVG has practically knocked out all possibility of an individual case. This doesn't exclude for example class-action cases ... but if that's the case, it should just say that, if there was any interest in serving users. It doesn't, and there isn't.
To summarise. There are some benefits on behalf of the user here. It is useful for users and courts to at least know that with EV certs, there is the admission of potential liability . And with pre-EV certs, there is no admission of any useful liability at all; nix liability, zero, zip, nada, m'lord. It can then be up to a court to determine just how viable these disclaimers and limits are.
It's also beneficial to put these above numbers in perspective. Try this free test: go to your favourite computer store, pick up any soho-grade UPS like an APS or a Belkin, and read the blurb on the box.
(You don't need to buy to read...)
An uninterruptible power supply (in the US at least) carries a guarantee or warranty that claims that it will pay you for damages incurred if it fails to protect your PC. The limits are something like $50,000 for a $50 unit and $100,000 for a $100 unit. ('scuse flaky memory here ...)
Serious surge protection is needed about as frequently as lighting strikes hit your block. UPS manufacturers are prepared to cover you for the surges that fry your whole office, but EV issuers won't cover more than your laptop, and on past acturial bases, they're only paying out if you are unfortunate to be struck twice.
If EV and the authors get away with this tailoring of our Emporer's new suit, then these benefits are so limited, so measly, so out of tune with validated threats of the real world (phishing, etc) that no user, no subscriber, and no software vendor would be thinking rationally to pay for these "benefits."
The only business case here is is one of deception; in this case achieved by franchising out the decision of secure browsing to some august body that writes and talks well. A rational analysis, one that could see through the systemic franchise of confusion, would conclude that there be choices that are to the benefits of the users.
The first of which is to ignore the whole thing, as it delivers insufficient benefits to users. Whether users are offered a choice in secure browsing or not is certainly an interesting question; to date, the answer is Definately Not.
 For a wider but equally polemic treatment, see PKI Considered Harmful.
 Disclosure: I audit a CA, and in that act I have come across these and other problems with liability.
That's because that's what is needed now: hard words. Agreement isn't much use; it is indistinguishable from aquiescence, ignorance, and real agreement.
The reason we do this is simple: because we distrust the words of the insiders. Not because they are nasty people, but because the systems are complex, the objectives aren't clear, and there is too much money washing around. Fraud is a 'when,' not an 'if.'
The alternate is opacity. Which means we outsiders can't see in. Which positively means that Mozo could do some tricky deals that wouldn't survive a skeptical public ... and it negatively means that deals that shouldn't survive will carry on to cause more and more complications.
I've been there and done that. Opening yourself up to scrutiny is painful, and it is more work. But sometimes deals that I've favoured have been shot down by outsiders, and in retrospect, they've been right.
So when I read this:
#8. Transparent community-based development processes promote participation, accountability, and trust.
what strikes is that *development* processes are to be transparent, but not other processes. So deals can be conducted in secret? Strike One!
#9. Commercial involvement in the development of the Internet brings many benefits; ...
Strike Two! "...brings many benefits" leaves out the essential truth -- that it brings many costs! How can we trust these principles when they are couched in such miserly touchy-feely words, evading the hard truth?
Don't be subtle. Be blunt. Benefits *and* costs, please. Which leaves us to consider:
... a balance between commercial goals and public benefit is critical.
Where in the mission or in the principles or anywhere is it stated that commercial deals are a necessary part of Mozilla?
Strike Three! Take a walk. There is no assumption of commercial activity; you chose it, now explain it.
Mozilla has a choice. It can live off donations (which are listed in the financial report, the top 5 donors all being named, thanks to IRS rules). When it chooses to accept a commercial deal from Google, and participate in their mission to swallow the whole earth, or with Yahoo, and participate in their mission whatever that is, then it behoves Mozilla to explain to the user base why this is positive, and why this is negative. And how Mozilla has protected its user interests, positively.
Not the other way around. As written, these principles do not surface the core dilemma that Mozilla may be able to do more good towards its mission if it accepts commercial deals.
Which begs so many questions that go unanswered: who chooses? who benefits? Where did the 54 million go? What did I personally pay in accepting the stealth search deal? Are they tracking my queries? Does Mozilla know what it has done?
The reason they aren't answered is because they aren't admitted in the principles, which is reflective of what you admit to yourselves.
So Mozilla should be looking for ways to improve that. Looking at the published accounts for 2005, there was some $54 million flowing through, which equals a whole lot of potential for trouble. Ask yourselves this: how are you going to be keeping your eye on principles when you find the first scam diverting funds within?
So there is a massive need for scrutiny. Who is going to be able to push the CEO out for authorising nefarious things, as happened recently at HP, more or less?
There are many ways to do this; but they all involve opening up to outside scrutiny. That's the first emotional barrier to deal with.
#4. Individuals’ security on the Internet is fundamental and cannot be treated as optional.
Basically, we as a discipline do not have a good view of what the word security means. For every definition, there are people who firmly believe that it's wrong, and can show it. So in a sense, this might backfire and further entrench today's definition, whichever it is.
In one sense, resorting to the *Individual's* security might indicate that Mozo will look at what hurts users most: phishing, spam, OS viruses, dodgy sites, etc. Which seems a good idea, but see below.
I think the best we can say is that the more people put security on their agenda, the more likely it is that progress might be made. But you can only really put it into the Principles if you care to make it stick.
Which indicates a weakness: maybe, if security is still a difficult area in Mozilla, then it should be taken off the list, until it is resolved. Do you or do you not want to have a security mission? Is it something special that you do, and you go all out for; or is it something you do to a "general standards level," no worse, but no better than anyone else?
You don't want something weak and limiting to hold you back.
What to do? Should Mozilla prepare a new set of principles? Not worry about it too much? Leave the USA and encamp to Switzerland?
This gets us into the area of asking just how far can we rely on Mozilla to protect us. Recent admissions from Skype, by way of example, have indicated that they can breach the security of their phone calls. Can Mozilla breach the security of some of their products? Would they? Do they have an established and documented procedure to deal with this?
So, although the principles are full of comforting words, what I don't see is anything that helps me determine how Mozo deals with the real hard questions. E.g., reporting on Chinese dissidents, or reporting on Iranian bomb-making plans encrypted in Thunderbird email? Does it make a difference if they are their dissidents or our terrorists?
Or consider the slippery slope of Paypal. Look at the list of things you can buy now, or auction on eBay. It's a disaster for the public mission, and it's a story that will have Mozilla's name on it, one day.
#1. The Internet is an integral part of modern life ...
No, not quite. It is only prevalent in the 1st world. Basically, the rest of the world (worlds 2, 3, and 4 depending on your geopolitics) hasn't yet got to the point of integrating the Internet.
Now, it may be that Mozo simply isn't in that business, in the same way that the Gates' and Soros' Foundations are. However, Mozo should be careful to a least be aware of how these principles are perceived outside their bailiwick.
I recently looked at how to extend security systems like classical CAs into poor countries. It was very tough because those countries can't afford classical identity systems, and the CA world prays at that church. Suffice to say, it was possible, but one needs some extreme mental judo to do it, and the system needs to be well tuned.
There is no criticism intended then, in focusing on only those with incomes to pay for 1st world standard laptops and 2 mobile phones. But let's be aware of our focus, because as time goes on, it trickles down and outwards.
Considering that the Principles project (like so many others within Mozilla) was conducted internally, we can immediately identify the most powerful stakeholders: insiders. Then, we can identify the weaker stakeholders as those who were left until the draft was complete. That is, the users.
Is that right? In both senses of the word...
Further, it may be unpopular, but there do exist other stakeholders. By way of example: CAs (a topic of much currency because of the polemic EV story), the legal process (courts, LEOs, civil suits, etc), foreigners versus those who are not foreign (the term becomes harder to define with every new political revelation), independent programmers who volunteer their efforts, dependent programmers who are volunteered by corporations, the very corporations who pay for the deals, the NGOs that do some good and useful work that want help (here I'm thinking of the "access" projects that FH pursues).
Etc etc; the list of potential stakeholders is very long. Which leads us to their conflicts:
A critical first step is to identify the stakeholders. Then, identify which are yours. Principles 2 thru 5 speak to the individual. I would guess that you want to state that your primary mission, above all else, is to serve the individual on the Internet.
If so, say so.
Then, with a clear conscience, it will be easy to deal with the conflicts of dealing with corporations, governments, etc, all those who do not have your stakeholders as their mission.
If so, make them more certain. More principled.
a. Not this:
#2. The Internet is a global public resource that must remain open and accessible.
That doesn't identify the crux of any pledge; because if it fails to remain accessible, then it wasn't our fault.....
For anyone to treat it seriously, It has to be something like:
Mozilla pledges to keep the Internet a global and public resource, open and accessible to all.
If you believe in something, then stick your neck out. Failing to achieve what you believe in is far more honourable than succeeding to avoid the blame for something you might or might not have said.
These principles are full of wishy washy stuff, that makes me think that the air in California is just nicer and less invasive to our thought processes.
b. Consider #3:
#3. The Internet should enrich the lives of individual human beings.
That is soooo.... pre-Netscape! Where were you guys when they made the commercial browser?
The Internet is a shared space for all -- be they humans, corporations, NGOs, dissidents and freedom fighters, criminals & terrorists, governments, both good, bad and atrocious.
If you mean that Mozilla concentrates on the enrichment of the experience for individuals, and *not* the commercial interests of corporations, then so be it. Say it. But you'd better explain then why you take $54m from corporations, and nothing from people. And, please *identify* who your core and leading stake holders are.
Or, if you mean that you'll enrich the success rates of various terrorist or criminal elements, in order to empower their individuality and spread the enlightenment, then please explain how we deal with the due process of the law. Start with how you reject the NSL ...
Which all goes to say that putting in a wishy washy "principle" might be really useful to get "consensus" and "bring us all together" and make us "feel good about ourselves" but nobody else will believe it, and even your own people won't pay attention to it after its put in place.
But it sure makes it easier for idle critics to idly criticise.
c. Same with #4. Either sign up to protect the Individual's security, and actually do it, or take a number. Get in the queue.
You can blather on in press articles to your heart's content, behind Symantec, Microsoft, Oracle, Sun, the airlines, and other snake-oil salesmen. Nobody believes your words nor theirs about security any more.
In the new world of security, only actions speak.
d. Ditto with #7. If you believe in open source, then do it. Say:
We only do free and open source software.
Let others waffle on about why, and what the precise term should be.
Delving into vague goals of common good is generally not a good idea; smart people can abuse it and generally do so. It is far better to select a group and serve them than to serve a false god of a political ideal. Too many wars have been fought over capitalism versus socialist, christianity versus islam, representation versus taxation, freedom of speech versus right to live without fear of intimidation ... and it seems unwise to be diverted into those.
Unless you are absolutely sure. Then, make it your core. If you believe you are going to protect freedom of speech, above all else, then say that. If not, then don't.
Serving a browser alternate to the user public is a good enough mission without colouring it with such vagueries as enrichment, public benefit, etc etc.
#8. Transparent community-based development processes promote participation, accountability, and trust.
Right, but that's not what happened, is it?
a. Firefox was written *after* that process failed. It was written by one guy or two guys, in frustration. Then another, and another ... but they joined *their* process, not some open blah blah feelgood exercise.
Details of course are disputable but concentrate on the big dilemma here: your mission is to deliver the choice in browsing, etc. While as a principle, you promote open processes to enable that mission, there are exceptions.
b. Which brings up a clash: mission versus principles. To my mind, the mission must come first. The principles come second. Where the principles get in the way of the mission, the principles are dropped, at least temporarily.
So this entire document should headed with the Mission. And the priority should be clear.
c. The original browser author(s) was right, of course, to go way outfield and start again. You need to accomodate all successes, in their time and place, because the mission says that delivery is more important.
This is called "the internal marketplace" in business speak; which probably grates. But, think of your mission, not your politics.
It's also an essential hubris -- encourage your own principles to be hacked. Because, at the end of the day, the individuals are opinionated, but the delivery is what counts.
Well, that was long, wasn't it :) It is slight but ignorable coincidence that there are 10 criticisms for 10 principles. The most important thing is that this is a process, and this is now open. Let's get stuck in; the result can only be better.
One of the things that has been a continual bug(bear) in the private non-profit association form that Mozilla adopted was the lack of a defined feedback loop. How do we know we are doing the right thing?
One way to deal with this lack of feedback is to sign up to some solid principles. (Or, a mission, but let's not quibble today.) And, yesterday, Mitchell@mozo posted a draft of principles. This is a very welcome development. It isn't easy to do this, no matter how many internal naysayers and external grumblers there are:
1. The Internet is an integral part of modern life -- a key component in education, communication, collaboration, business, entertainment and society as a whole.
2. The Internet is a global public resource that must remain open and accessible.
3. The Internet should enrich the lives of individual human beings.
4. Individuals’ security on the Internet is fundamental and cannot be treated as optional.
5. Individuals must have the ability to shape their own experiences on the Internet.
6. The effectiveness of the Internet as a public resource depends upon technological interoperability, innovation and decentralized participation worldwide.
7. Free and open source software promotes the development of the Internet as a public resource.
8. Transparent community-based development processes promote participation, accountability, and trust.
9. Commercial involvement in the development of the Internet brings many benefits; a balance between commercial goals and public benefit is critical.
10. Magnifying the public benefit aspects of the Internet is an important goal, worthy of time, attention and commitment.
Pointed to by Gervase, here, where you may be able to comment.
I have no easy comments right now, but I'd encourage you all to think about it. The need right now is to set up a strong foundation, which will last for decades, the time for gushing is in future years when it's cast in concrete. Be critical, be very critical, future users will thank you.
Back in the good old days when security people would sprout nonsense and nobody blinked, we talked about non-repudiation as a feature of public keys. Finally, we blabbered to anyone who would listen, we can prove that the bad guy is bad, through adroit application of PAIN and other suitable acronyms.
I was put straight on this issue by a post on the cryptography list several years back (many thanks to Carl Ellison). Basically, non-repudiation is a contradiction, as there is no way to stop a person repudiating something. She simply says
"I did not!"
And now it is over to the two sides to prove it or otherwise. Which is to say that repudiation is a basic human act, and it is a foundational stone of our modern juridical system; one side makes a claim, the other side disputes it. In court, before an impartial judge.
The term "non-repudiation" is nonsense. Even worse, the technology didn't even come close to that sense, because of the whole security mess known as the PC. Ellison & Schneier said simply that "it is your machine signing for another machine," which I long-windedly refer to as a failure to anthromorphise the PC: we have no good theory to relate a human to a key.
And, in more formal legal terms, it's a straightforward case of agent-principal failure, in that there is no clear agent-principal relationship between a natural person and a PC; given the predominant security record of Microsoft and competitors, there is no real hope for ever pushing the fantasy in court that the PC is acting for the user.
So .... as a security field, a lot of us have been beating the drum that non-repudiation does not exist in practicality, it's a hype feature only. And digital signatures aren't human signatures. And... (read my collected PKI grumble list for more).
One small contribution I might have been responsible for was the perspective that we should be talking about evidence, not signatures. Protocols reveal evidence. As anyone who's been through the mill of the legal process will tell you, anything can be evidence, and it is up to the court to decide what is good evidence and what is bad.
Hence, our role as architects is to think in terms of the quality of evidence. How can we improve the conclusions drawn from the events and logs? Well, one way is to use PK digital signatures, with the caveats of compromised keys and so forth. Another way is to use hash chains and entanglement, with the caveats of compromised PCs and so forth. Then there are timestamps, and written statements, and ... the list goes on.
By way of personal example, the Ricardian Contract gets it right, because it thrusts a human readable document out there in front of ... humans! It isn't the digsig that helps, it is the fact that the human who signed cannot be unaware of the document, normal circumstances pertaining. So as time goes on, the chances of the contract issuer "repudiating" his own contract diminish dramatically. Cunning tricks like that are the meat and drink of financial cryptography -- getting into the core of the real finance application and understanding how they tick; and then designing systems to help them tick better.
Which long preamble brings us to an Internet Draft entitled "Transport Layer Security (TLS) Evidence Extensions." This document purports to add an "evidence" extension to the venerable but ever popular TLS protocol (a.k.a. SSL, secure browsing and all that). From the introduction:
Evidence created using this extension may also be used to audit various aspects of the TLS handshake, including the cipher suite negotiation and the use of other TLS extensions. In many cases, the evidence does not need to be validated by third parties; however, in other cases, the evidence might be validated by third parties. To accommodate all of these situations, the evidence is generated using a digital signature.
Now ordinarily I would applaud this "single-minded approach" as a very useful employment of my hypothesis of "there is only one mode, and it is secure." But, from the Overview:
Generating evidence is not compatible with Diffie-Hellman Ephemeral (DHE) key exchanges. DHE does not permit the same keying material to be generated for validation of the evidence after the TLS session is over. Persistent evidence requires the use of a digital signature so that it can be validated well after the TLS session is over.
I beg to differ! As I mooted above, evidence is what you present to the court; A DHE session will do nicely thank you very much as it can log information that can be utilised for evidentiary purposes: time logs, successful password usages, etc.
So why the need to eliminate classes of evidence? More from the body:
Persisten[t] evidence of the TLS session content is produced by the TLS Evidence Protocol.
[Ed: my slight correction of word persistence used in the ID.]
What we have is a new chance at the old non-repudiation trick. That trick goes like this: First, we redefine the term "Evidence" to be what we want. Then we deliver what we want, calling it all the time Evidence. Then we force people to adopt Evidence because evidence is needed.
Nobody notices there are two disparate definitions until it is too late and they have adopted it, but that's ok because the mission is adoption, not evidence.
This would be OK if Evidence delivered anything useful. But, as we described above:
When digital certificates are to be employed in evidence creations, the client must obtain the public key certificate (PKC) for the server, and the server must obtain the PKC for the client. This is most easily accomplished by using the PKCs provided in the Handshake Protocol Certificate messages. Further, both parties SHOULD have an opportunity to validate the PKC that will be used by the other party before evidence creation. Again, this is naturally accomplished using the Handshake Protocol, where the TLS session can be rejected if the PKC cannot be validated.
Spot the problem? The client they are talking about is software, but the party they are talking about is the poor dumb victim behind the PC. Call it agency-principal failure or anthromorphism failure, it's still failure, and the security threats inherent within are unrecognised in the document despite a long history (and a very clear heading entitled 6. Security Considerations).
So what is it that they want? It looks to me -- my personal opinion -- like the same old same old: "we" need a way to push various groups into mandating PKI key infrastructure, a la the many and various agency dreams from a decade ago. Sarbanes-Oxley and others create a need for compliance, and evidence feeds into compliance.
The two come together: create a web of technical blah blah that leads to a claim that TLS delivers the Evidence, the whole Evidence, and nothing but the Evidence. Then convince everyone to accept this future RFC via the unimpeachable IETF standards process, those stalwart protectors of the Internet. Then take the RFC and push it before the regulators eyes -- if they have our Evidence, then they have your Compliance with Sarbanes-Oxley.
The hope is that another bunch of suckers will be duped into pushing PKI into inappropriate places. This simply won't work. Indeed, the way it treats evidence is so callous that it probably (my LLB U.Gresham coming into play here) makes matters worse. The evidence it produces will likely not be useful nor reliable in court, and it may even be dangerous because of the false sense of security generated. E.g., there will be enough expert witnesses around to testify that it is useless, and the added complexity will cause all sorts of problems.
And it will certainly slow down the usage of TLS or similar security processes, which is the last thing anyone wants. A security protocol used is far more secure than one not used because the barriers to adoption are too high.