m: Well, all the small businesses would lie. Right? If you’re a small outfit, and the choice is “Either I say yes to everything or my business is destroyed…” What’s the choice?

s: When did you start taking PCI compliance seriously?

m: At some point just prior to fall of 2005, we concluded that PCI applied to us because we’re a merchant who accepts credit cards, and so we had Responsibilities. I don’t remember there being a good enough dialogue about it, or even any dialogue. Was there some point that I said, “Yes, I agree that if I would like to continue accepting credit cards as an Internet merchant I additionally agree to comply with this 100-point list?” I don’t remember ever doing that. I don’t remember ever saying, “Dear VISA, yes, I agree, I’ll do it!”

s: What is the impact of PCI/DSS on small businesses?

m: Well, if it continues to be generally ignored by the vast majority of small merchants and small hosting companies, then the impact will be slow and steady.

It’s a matter of how aggressive the credit card processors and the PCI SSC themselves decide to get on their customers. Sure, my payment processing company… could decide to demand from me an attestation of compliance. They could hold this over my head and say, “we will REVOKE your credit-card processing privileges if you do not submit your attestation of compliance.”

Imagine us asking thousands and thousands of customers who have previously been on auto-pay to “please, hand-write me a check from now on.” And customers in 40-something countries. Good luck.

s: It’s fair to say you would go out of business.

m: It might not kill us, but it would cripple us. But that credit card processor, in making that decision to revoke our privileges, would of course be cutting themselves out of thousands of dollars of revenue every month that we paid them. They would be killing one of their customers. So, they’re torn in two directions.

s: Do you feel that the PCI SSC took appropriate input from merchants?

m: In reality, 95% of the merchants would have not been capable of providing substantive technical feedback to the committee.

s: How come?

m: Because 95% of merchants are not technical operations. They are business that are selling coffee on the corner, or they’re selling widgets, and their cardholder data environment doesn’t consist of much but a plastic box with a phone line connected to it.

s: What do you think that implies for their ability to comply with PCI/DSS?

m: The jaw-dropping, gasp, oh-my-goodness implication of PCI/DSS is for all the “Laura’s Online Candle-Shop” and “Best-Fishing-Lures-in-Arkansas Dot Com” and the small Internet merchants with online shopping carts. These are my customers. I know a lot of them have shopping carts that are not million-dollar-a-month e-commerce operations. They are not Amazon. They are modestly successful online merchants.

Now these millions of small businesses, and the small-to medium-sized web hosting companies that are called upon by these small merchants, have a 100-point checklist of things that are not terribly understandable and are broadly interpretable and in many ways onerous to the point of absurdity for a small operation.

s: Do you think that PCI/DSS will cause consolidation in the web hosting industry, or that there will be fewer small businesses as a result?

m: I don’t think the American public or the international public is going to shed a tear if there is bloodletting consolidation of the web hosting industry. Where they would take up arms would be if Laura and Sam and Bob can’t open candle shops online. If that becomes impossible, or unrealistic, or incredibly expensive, there’s going to be pushback.

s: You think that people won’t miss the mom-and-pop web hosting companies?

m: Most web hosting companies are noticed by their customers when something breaks. The future of baseline web hosting is like the future of the electric company. Who gives a damn who you buy electricity from? You expect it to work 100% of the time. When it doesn’t, you’re annoyed and it’s disruptive. You don’t have a relationship with your electric company the way you do with your corner coffee shop or brewery.

s: Why is that?

m: The nature of commoditization, I guess.

s: Sounds like you’re suggesting that what will happen with the web hosting industry is similar to what happened in the telephone industry.

m: Sure, or any of the utilities that we all take for granted. Now, everyone assumes that cell phone service is going to work, your cable is going to work, there’s going to be water when you turn on the spigot. Web hosting companies will need to grapple with that commoditization and provide services that impress or delight or become more part of the daily workflow of the customer, rather than being part of some background thing that [you only notice when] something breaks.

s: Do you think there’s value for the public in having a variety of hosting options, or is it simpler to have it centralized?

m: The web hosting industry has got to be incredibly confusing for a customer right now. There are tens of thousands of hosting operations, many of which are 1, 2, 3, 4 dollars a month… Talk about a race for the bottom! How low can you go? It’s below the threshold of constituting commerce. A dollar a MONTH? I think the industry would benefit greatly from a culling.

I have in my mind that perhaps half of all “web hosting companies” are a one-man show with someone who has another job, whether a student or some sort of professional. Those folks are in no way equipped to ensure the security of credit card data or to fix a server when it breaks. There’s such a low barrier to entry in the web hosting industry right now.

s: What do your peers in the industry think of PCI/DSS?

m: People are flabbergasted at the absurb impossibility of the vast majority of web hosts from ever approaching PCI/DSS compliance. Laura’s Candle Company? She’s required by PCI/DSS to ONLY host her web site that accepts credit cards in an environment that is itself PCI/DSS compliant. The only hosting that she’s allowed to use under PCI/DSS [requires 8 separate devices]: hardware firewall, application firewall, log audit system, and all that business. However, the vast majority of companies load up customers onto one box, and then get a new box. Then they load up customers on that, and then get a new box. And so on.

I know someone who has a hosting account with one of the top ten hosting companies. When she wants to FTP or SSH into her server, she goes to server 192 dot domain name dot com, and that machine hosts FTP, SSH, web, database, DNS, SSL, POP3, etc. It hosts all services. Bang, right off the bat, that’s not a PCI/DSS compliant hosting environment. For these web hosting companies, it’s a shaking of the foundation.

s: Do you think it’s realistic to expect small business owners to comply with PCI/DSS in the near future?

m: As a small business owner myself, I’m both the operations guy and the people manager. We have always hired new staff as we identified a clear and defined role, and more importantly, had the revenue to pay that person a fair wage and benefits. We’ve got this daily pop and crackle of operations plus customer service. We do not have the extra thousands or tens of thousans of dollars a month to, oh, just staff up!

Stopping customer service is not a viable option. Stopping operations pop and crackle is not a viable option. So who do I pull off? Where do I find the right staff or the right expertise to start working through the things that are required of PCI/DSS? I don’t know.

If I ran a technical operation that had 1000 operations employees, I could say, “Hey! pull team B-13 off of their raised floor construction project. They are now the PCI/DSS regulation security team.” That sounds fine. That’s something that a big operation could pull off. If I was in a position to hire three new engineer sysadmins next week, then I’d surely put one or maybe two of them on PCI/DSS. “Hey, we’ve got to rewrite this code,” or “Hey, we’ve got to reconfigure this network,” We’ve got to do this, we’ve got to do that. But like many small businesses, we barely keep up with what’s going on right now.

s: This economy must be especially hard.

m: That’s right. We’re watching customers shut down their gardening blogs and their chess club web sites. These sites were important to them until they lost their jobs, and now they’ve got to figure out what the priorities are in terms of monthly expenses.

s: How much do you think this is going to cost you?

m: Well, of course if our credit card processor tells us it’s going to cost us an extra 1% of every transaction, that’s measurable. If they, like I’ve heard from other web hosts, decide that until we submit our attestation of compliance, we’ll have an extra $19.95 a month nuisance fee, then it’ll be $20 a month for the foreseeable future.

Another potential angle on cost: Will our customers begin demanding some sort of certification / attestation? “My credit card processor tells me that I’m only allowed to host with a PCI complant host so I really need to know.” If our only answer is “no,” we’ll lose customers. Our growth will be stifled, and we may shrink as an operation. So, we could wither, or be crippled or killed, or just be taxed by PCI/DSS.

s: Basically, you’re saying that PCI/DSS could cause small businesses to go under.

m: Yes, if it was enforced vigorously. I should go on record as saying that I support the general idea of having standards for how credit card data is handled on behalf of your customers. People should use secure best practices and due care to ensure that credit card data is not released to hackers in Des Moines or Denmark or Indonesia. We must avoid that. Good! Let’s have some standards.

s: What is the purpose of PCI/DSS?

m: To push cardholder data security downstream to the merchants who handle it first.

s: Do you think PCI/DSS is at all effectve?

m: Yes. I would say that PCI/DSS is effective in encouraging– let’s say urging or demanding– entities that handle personal information, including card holder data, card numbers and whatnot, to review the security procedures. It provides a not-valueless checklist of things to think about when handling this sensitive information.

s: What is the future of PCI/DSS?

m: First, I’ll say that no more than 20% credit card merchants will be PCI/DSS compliant, truly, in the next decade. It will be a slow and gradual process. At some point, a team of brilliant security engineers is going to come up with something that renders plaintext credit card numbers like telegraphs. There will no longer be a concept of entering some numbers that magically allow you to move money around.

s: You think our financial transaction system will evolve beyond credit cards into something different?

m: Yes, that is exactly what I mean. Even the biggest, most responsible badass security processors with awesome security practices keep getting compromised. The data at rest is inherently vulnerable, and so will continue to be a succulent target. We need to make the target less tasty. [We need] a transaction system that could– perhaps magically– ensure that the transation was legitimate, and it isn’t just a string of not very many magic numbers. When smart guys and gals invent that, we will begin forgetting about PCI/DSS compliance in its current form.

s: Do you think that the credit card companies should be focusing on changing the system?

m: For all I know they have teams of ten thousand in underground bunkers who are developing the next great payment transaction processing technology. If they are, that’s great. That’s awesome. I have no idea what they’re doing, but I hope they are. I hope they are not believing that a short string of numbers is the tool of the future.

Reverse of the United States Great Seal Novus Ordo Seclorum “A New Order of the Ages”

“Death of Anonymous Travel”
DEFCON 2009 – PDF
MD5sum: c772681c37c9ad5d210c19c12eb43095

Thanks to everyone who sent in comments, suggestions, and encouragement. (Special thanks to the EFF lawyers for reviewing this beforehand– you guys rock!)

I’ll have the full list of references (vendor marketing materials, news articles, FOIA docs, etc) up in the next week, so check back!

Abstract:
Worldwide, people who use cars, buses, trains, and carry cell phones are tracked in increasingly centralized corporate and government databases. This capability is still in its infancy, and has been facilitated by communication and payment systems which are linked to identification and refer to centralized electronic databases.

* Collate and disseminate information about current known travel monitoring practices;
* Discuss technical and social solutions for maintaining personal privacy and the freedom to assemble;
* Encourage greater transparency and public control over data collection and use.

The coupon is similar to a credit card, with a serial number and expiration date printed on the front (as well as a nifty hologram that reads “Security”). It also has a magnetic stripe. Curious, I borrowed a coupon and swiped it through my trusty mag-stripe reader. The output was as follows (name/number have been changed for privacy):

%B5897320630985200^SMITH/FRANK ^0903121000000000000000798000000?
;5897320630985200=09031210000079800000?

Much to my surprise, the applicant’s name was encoded on the coupon, in addition to the serial number and expiration date.

Consumers are clearly not aware that their names are encoded on the cards. Although National Telecommunications and Information Administration (NTIA) documents refer to “identifying serial numbers,” (NTIA 2006) there is no mention of the fact that names themselves are encoded on the cards. Since the name is not printed on the face of the card itself, there’s no way for recipients to tell it is there without special card-reader equipment.

As a result, over 24 million Americans have now unknowingly submitted their names into the tracking systems of nationwide corporate retailers such as Wal-Mart and Best Buy. “There are federal privacy laws that say what the government can do with your information, but once that information is given to private industry, it’s theirs,” commented senior security consultant Jonathan Ham.

What’s more, the NTIA itself tracks the location, date and time of each purchase. Retailers are required to “provide NTIA electronically with redemption information and payment receipts related to coupons used in the purchase of converter boxes, specifically tracking each serialized coupon by number with a corresponding [certified converter box] purchase.” (NTIA retailer site.) Each week, the NTIA publishes statistics indicating the number of cards used in each zip code.

Consumers are not explicitly informed of the coupon tracking on the TV Converter Coupon Program web site or application. Buried in the NTIA’s web site is the statement that “to keep track of the number of coupons issued, used and redeemed, as well as to minimize fraud and counterfeiting, NTIA intends to place identifying serial numbers on the coupons.” (NTIA 2006)

I went to Best Buy to get a retailer’s perspective on the TV Converter Coupon Program. Like most retailers, Best Buy likes to track their customers. With cash or check, this is difficult, but with credit cards and similar systems (such as the DTV coupons), customers can be automatically added to their database.

Rob Hooper, the helpful manager on duty, explained, “[The DTV coupon] would probably have their name, a number, and they probably have to put in their phone number for us to ring out the remainder of the transaction. As soon as that number gets rung through a Best Buy retailer or a Wal-Mart retailer or anywhere else, [NTIA can] probably break it down underneath the ID of the retailer, and then also the ID of the individual who applied for that particular card number. Not only do they have demographics, they also have geographics– where each card is used.”

In other words, the government receives detailed information about precisely where and when each card is used, and each card is explicitly linked to a name. What’s more, since the names are stored on the coupon’s magnetic stripe itself, the retailer also receives and can store personal information about the consumer. The consumer may never even be aware that his or her name has been given to the retailer.

My mother, who applied for the program by phone, was shocked to learn that her name was encoded on the card and her purchases were tracked. “The government should have made me aware of the information they would be collecting about me if I used the card,” she said. “They’re taking away my freedom. If they decide they need to collect information, they should do so with the people they are collecting the information from volunteering to give it, not being forced.”

Presumably the names encoded on the coupon’s magnetic stripe can be used to prevent fraud, but in practice this has not been occurring. Even if the name on the coupon doesn’t match the consumer, retailers still accept the coupons.

“We generally don’t check IDs against the card,” said Rob. “If someone’s out there stealing digital converter box cards and they’re just hoarding boxes of those cards, that’s not on the top priority list for Best Buy’s loss prevention.”

“We haven’t really seen too much fraud whatsoever with these coupon cards,” he added. “It would be a really interesting thing to try to steal $40 converter box cards, because you’re basically getting paid off in technology that will be antiquated.”
 
Millions of Americans using the DTV converter coupons have unknowingly had their shopping habits tracked and names given to third parties such as Best Buy and Wal-Mart. What is the value of our privacy? Is watered-down “fraud protection” really worth giving away millions of American’s names to retailers? Would my mother really want her shopping habits recorded in an obscure government database, even to save $40?

“I like to shop for a product without Big Brother watching over me,” said Mom.

The troublemakers weren’t faceless terrorists but local youth and ultimately, mainstream moms and dads. The most notable shift in the demographic of the looters occurred between the hours of 11:00 P.M. and midnight when stable, normally law-abiding citizens began to participate in the scavenging and mayhem.

The massive extent of the looting, especially compared with the few disruptions that occurred during the 1965 blackout, was partly due to the economic downturn. By 1977 the unemployment amongst young blacks in New York City had reached 40%, compared to roughly 20% in 1965. Many people were out of work and the standard of living had decreased; however, television and media constantly reminded people of the material goods which they could not possess. (Time, 1977)

It’s no wonder that in the current economic downturn, companies are starting to worry more about the “insider threat” and white-collar looting. “Information security experts are bracing for the law of unintended consequences to swing into action in 2009 as layoffs, downsizing and low morale bring the worst out of trusted insiders looking to profit off of proprietary intellectual property, customer contact lists, trade secrets and any other sensitive information. …[L]ast December the majority of participants in a survey reported that if they were fired tomorrow they would definitely take company data with them to their next employer.” (Lumension, 2009)

Today, as downsizing becomes rampant, there are increasing numbers of disgruntled former employees, who sometimes have deep knowledge of an organization’s IT infrastructure. There are also more disgruntled current employees, as downsizing places greater burden and stresses on staff that remain. As scholar Ho Yanxi quoted, “The one who treats me well is my leader, the one who treats me cruelly is my enemy.’” (Cleary, Art of War).

Exacerbating the situation, fewer staff means less people to monitor and maintain already out-of-control networks. This increases the risk of security vulnerabilities and lowers the risk that a theft will be noticed, proportionally increasing the likelihood of exploitation. Cutting already overworked IT staff leads to a downward spiral of network disrepair, security incidents and stressed IT workers.

The risk-vs-reward calculations are illustrated in this interview with one of the first blackout looters:

Interviewer: “What kind of money would you need to stop you from [looting]?”
J: Oh, it wouldn’t just have to be money. It would have to be my position in life. Like if I was to go to law school, and have a nice paying job, and be established in a firm or something… I wouldn’t take the risk of getting busted and havin to go to jail and blowin’ my schooling. It’s not worth the risk. (Blackout Looting!, p.176)

As white-collar workers feel increasingly disenfranchised, the risk of insider data theft proportionally rises.

Who are “we,” anyway?

The “insider threat” is even more serious when a large percentage of workers are contractors, who have even less incentive to ensure long-term organizational stability. The war in Iraq nicely illustrates this phenomenon. Last week the GAO released a very interesting report on US operations management in Iraq and Afghanistan, in which they stated, “As of July 2008, there were approximately 162,400 DOD contractors and, as of December 1, 2008, approximately 148,500 U.S. troops in Iraq.” This enormous ratio of contractors to military staff proved overwhelming. “Lack of adequate numbers of contract oversight personnel,” was cited as a serious issue. “[T]oo few contract oversight personnel limited DOD’s ability to identify savings, monitor contractor performance, or resolve contractor performance issues.” (GAO, 2/2009)

Lacking oversight, training and incentives, contractors took enormous advantage of their situation. “KBR employees who were contracted to perform construction duties inside palaces and municipal buildings were looting,” said Linda Warren, a contracted laundry foreman, during Senate hearings. “Not only were they looting, but they had a system in place to get contraband out of the country so it could be sold on eBay. They stole artwork, rugs, crystal, and even melted down gold to make spurs for cowboy boots.” (The transcript of her testimony is definitely worth reading.)

Even contracting officers took advantage. Yesterday the New York Times released a front-page exposee, in which they reported, “Maj. John L. Cockerham of the Army pleaded guilty to accepting nearly $10 million in bribes as a contracting officer for the Iraq war and other military efforts from 2004 to 2007, when he was arrested. Major Cockerham’s wife has also pleaded guilty, as have several other contracting officers…. Former American officials describe payments to local contractors from huge sums of cash dumped onto tables and stuffed into sacks as if it were Halloween candy. “You had no oversight, chaos and breathtaking sums of money,” said Senator Claire McCaskill.”(NYTimes, 2/15/2009)

Iraq is an extreme, but informative, example. Given these recent graphic illustrations of the results of contractor mismanagement, it’s worth examining the current situation in the IT sector, where contractor jobs are rising even as general employment falls.

“Contract work fuels rise in tech job postings” reported CNET news last week. “Tech job listings rose to 57,337 as of February 2…But if you’re looking for full-time work with health benefits, you may not find the new data to be especially good news: Helping to drive that modest increase was a 7.3 percent gain in the number of contractor positions… ‘In uncertain times, companies are looking for flexibility in their payrolls to continue with critical projects,” said Tom Silver.. [of] Dice.com. Those critical projects often involve improvements to a company’s infrastructure… ‘For the last year or so, contractor jobs have accounted for 38 to 40 percent of the positions, but I expect that increase,’ Silver said. He noted he wouldn’t be surprised if the percentage for contractor job postings eventually reached to 50 percent later this year.” (Kawamoto, 2/2009)

In other words, the people being hired to work on “critical” infrastructure projects are increasingly those that do not receive health benefits and have little invested in the long-term survival of the company. Furthermore, as the ratio of full-time to contractor staff shrinks, there are fewer full-time employees to provide oversight.

Solutions: Maintaining Security in a Weakening Economy

The blackout of 1977 and the Iraq war illustrated two important factors which ultimately led to widespread security failures and looting:

1. Reduced incentives for large numbers of individuals to support the current system;
2. Limited oversight and low perceived risk of personal repercussions.

These two factors are increasingly present in the IT sector today, where a growing percentage of disgruntled employees and contractors have access to critical IT infrastructure, and where companies do not have the staffing or technical resources to monitor access and lock systems down.

How can we correct these fundamental problems that lead to the “insider threat?

1. Help workers to feel invested in the current system;
2. Increase the perception of oversight and perceived likelihood of repercussions.

Any time there is a fundamental disconnect between the incentives of the people versus the organization, there is naturally internal conflict and greater risk of people undermining the status quo. When workers do not feel invested in the system, security incidents abound. Conversely, organizations can reduce the risk of insider attack by giving people a stake in the company’s success. A favorite of the security industry, ancient military strategist Sun Tsu wrote about the importance of “inducing the people to have the same aim as the leadership.”

Even on a tight budget, organizations can still foster worker loyalty. As demonstrated during World War II, it is possible to maintain– and even grow– a dedicated workforce during tough times. The WWII propaganda effort was implemented as a massive postering campaign on an unprecedented scale. During a period where civilians re-used scraps of paper because supplies were so limited, the US Office of War Information sought to “[ poster ] America every night,” and treated posters “as real war ammunition.” (Design for Victory, p. 11-12) The investment paid for itself hundredfold.

Without resources for appropriate staffing and equipment, a high-return security investment for many companies might be a simple PR campaign, designed to motivate employee loyalty. Similarly, even organizations that lack the resources to install and maintain proper monitoring capabilities can still at least create the perception of oversight, which can dramatically reduce incidents. Physical security professionals have long utilized this tactic, for example by installing $30 dummy cameras and warning signs which advertise that the premises is actively monitored.

I often say that “humans are unreliable components,” but that’s not really true. Humans are unreliable when placed in unstable situations and given conflicting incentives. Much like transistors in a circuit, humans within organizations tend to act predictably based on perceived incentives and risk.

In today’s downward economy, companies are dramatically reducing incentives for workers and expanding the ratio of IT contractors to employees, even while IT oversight and monitoring capabilities are already very limited. As with New York’s 1977 blackout and the Iraqi occupation, workers find themselves with conflicted incentives, and some will invariably decide to serve their own well-being rather than the larger organization. How can organizations lower the risk of “white-collar looting”? Advertise incentives for workers to support the organization, and instill at least the perception (and better, the actuality) of oversight and monitoring.

Sounds like a protection racket to me. “A protection racket is an extortion scheme whereby a powerful entity or individual coerces other less powerful entities or individuals to pay protection money which allegedly serves to purchase protection services against various external threats. Those who do not buy into the protection plan are often targeted by criminals…” (Wikipedia)

Equifax’s scare tactics include: “Don’t become a statistic. Every year, millions of people fall victim to identity theft.” Experian writes, “Specialized criminal gangs increasingly work outside of the United States to gain access to account information. They then perpetrate crimes online…” Discover advertises “Identity theft occurs every 79 seconds and affected 8.4 million people last year.”

Funny– at the same time, the Big Three lobbyists have been trying to convince Washington that “identity theft isn’t as big a threat as people think.” Represented by the Consumer Data Industry Association (CDIA), these very same companies lobbied intensely against laws “empowering consumers to freeze access to their credit histories to prevent identity theft.” (USA Today, 2007) Credit companies also routinely sell consumers’ financial and contact information, subjecting people to solicitations including bait-and-switch loan swindles or identity theft scams.

Credit bureaus have fought against widespread use of fraud alerts and similar techniques which require that they proactively verify consumer identities before, say, new accounts are opened in consumers’ names. Last year Experian sued identity theft protection firm, LifeLock, for activating fraud alerts on behalf of hundreds of thousands of clients. Experian “claimed that alerts should be entered only when people have already been victimized by identity theft or have legitimate reasons to believe that they are at imminent risk.” (Network World, 2008.) I’ve heard that “identity theft occurs every 79 seconds.” Does that count?

Having put himself through MIT on a credit card, Blake Brasher, author of “Infinity Day Weekend,” knows more than anyone I’ve ever met about how to wrangle with the credit industry. The roboticist-turned-painter writes, “I had an obnoxious encounter with Discover card a month ago. I called to negotiate a special APR and they tried to get me to sign up for their identity theft protection service. The guy wouldn’t take no for an answer, and very nearly tricked me into signing up.

“I finally said, ‘Actually, I want to close this account. You’ve convinced me that using this card is not safe and to protect myself from identity theft I want to close the account.’ So he transferred me to someone in the accounts department.

“The woman who answered… explained to me that actually, my Discover card account has built in, free fraud protection, and that if someone tried to commit a fraud with my account I would not be liable at all. They scare you into thinking you need this extra service, but if they scare you too much and you threaten to close your account to keep it safe they go ahead and let you know that you don’t actually need it.”

There are obvious steps that credit companies could take which really would reduce the risk of identity theft– such as taking further measures to verify identity, reducing sales of personal data, using PINs, etc. However, credit companies won’t support measures which reduce their own profits. “Identity theft could be made as obsolete a crime as cattle rustling or high-seas piracy,” reported MONEY Magazine several years ago. “…[It's] now possible to request a freeze on your credit report, stopping anyone from granting new credit without your approval. Why isn’t this brutally simple and effective solution more widespread? Simply put, it disrupts the free flow of credit information on which consumer lenders and data sellers depend.”

When credit companies play both sides of the game, there are reduced incentives for them to build secure systems. Rather, they have found a way to profit from crime. By fighting consumer protection measures and selling personal data, credit companies increase consumers’ risk of identity theft. As long as credit companies can scare enough people into paying them for “protection,” they can actually make money from the results of their own recklessness– thus passing the costs of identity theft on to consumers or merchants, and reducing or even eliminating financial incentives for genuine, systematic improvements.

My, how time flies. A little over two hundred years later, it’s difficult to conduct business privately.  “American Express knows everywhere I go, how long I stay, where I eat, how much I pay,” said security consultant Jonathan Ham. “They could reconstruct my activity on a day-to-day basis.”

Our entire system for conducting financial transactions has changed– and the collection, trade and analysis of detailed personal information is now an enormous component of everyday payment processing.  During 2006, there were 93.3 billion non-cash payments in the United States, meaning third parties were involved in transactions 93.3 billion times. Non-cash payments have increased an average of 4.6% each year since 2006. (Federal Reserve, 2007) There’s no direct way to measure the number of cash transactions, but estimates indicate that the usage of cash in the US is decreasing.

Due to the extreme importance of credit scores, Americans are strongly pressured to use credit cards and build up credit, at the cost of our privacy. Without a credit score, it’s very difficult to buy a house or car, and companies charge far more for insurance. Personal credit checks are now standard for renting apartments, buying houses and many other basic needs.  “They are using FICO scores to evaluate job applicants!”  wrote my father recently.

Personal transaction monitoring goes far beyond credit reports. Financial institutions routinely track and profile customers’ daily habits. A few months ago, I drove cross-country and found myself using my credit card a lot for gas purchases. In the middle of South Dakota, the card suddenly stopped working. I called up the card company.

“Well, you need to notify us if you’re going to be traveling,” admonished the American Express representative.

Like hell, I thought. Notify American Express every time I want to travel? Who do they think they are, my nanny?

Of course, American Express has an undeniable business interest in rabidly tracking card use. The system (which they have created) is ripe for abuse and fraud. As Matt Knox said, “When I use a credit card, the security model is the same as that of handing you my wallet and saying, ‘Take out whatever money you think you want, and then give it back.’”

To compensate for security weaknesses in their own system, financial institutions conduct extremely detailed, real-time monitoring of customer purchases and locations.

Financial institutions also profit from selling and trading personal payment histories. For example, credit card companies sell detailed personal purchasing records for the purposes of marketing. “Privacy restrictions… would require businesses to send significantly more catalogs to obtain the same response rates, and the resulting increase in cost would be passed along to consumer.” (Turner, 2001) Credit card companies routinely profit from selling personal consumer information to third parties, who use the data for targeted advertising.

If financial institutions were not able to reap financial gains from selling personal information, and if they were forced to compensate for systematic security weaknesses out of their own pockets, there would be economic incentives for them to create electronic payment systems that are genuinely more secure and require less monitoring.

Personal financial histories held by private companies are also routinely accessed by the government. Many people are concerned that this access has been abused. “Bipartisan groups in Congress are pressing to place new controls on the FBI’s ability to demand troves of sensitive personal information from telephone providers and credit card companies, over the opposition of agency officials who say they deserve more time to clean up past abuses.”  (Johnson, Washington Post, 2008)

What would Franklin have thought of our modern third-party payment and credit systems?

As it happens, the fledgling United States was completely ripped off by the manufacturer of the first official penny. At the time, the United States didn’t yet have a national Mint, so they outsourced currency production to James Jarvis of Connecticut, who had bribed the head of the Treasury board with $10,000 for the contract. Jarvis was supposed to produce 300 tons of pennies, but ultimately only produced four tons of slightly underweight coins. Furthermore, a congressional report stated that “Jarvis had received a large quantity of federal copper but had only paid for a small portion.” (Louis Jordan, University of Notre Dame)

Would tighter financial monitoring have ensured that the original contract was awarded based on merit rather than a bribe? Would a credit check have helped our fledgling nation avoid making a bad loan? Quite possibly.

Then again, payment is deeply tied with freedom to travel and other fundamental liberties. Anyone who has had their credit card frozen while traveling understands the power that global payment processing companies hold over individuals. Due to the extreme importance of a credit score, Americans today are strongly pressured into using credit cards, which result in the intimate details of our daily purchasing habits being sold and exploited. Fundamentally, we are being forced to choose between our privacy and essential needs such as a house.

Our founding fathers never experienced loss of personal privacy at the scale that we see today, and probably could not imagine a system in which even their daily grocery purchases were tracked and analyzed. If they had, they might have pointed out that privacy is fundamental to freedom, and freedom comes at a price. Sometimes the price of freedom is blood, sometimes it’s money, and sometimes it’s the convenience of “instant credit.”

One chilly day last September, United Airlines’ stock temporarily crashed more than $1 billion due to an accidental re-release of an old news report about its 2002 bankruptcy. The New York Times reported that “shares of United traded at one cent… down 99.92 percent, or $12.29.” Other news sites and blogs quoted or linked to the NY Times story.

Shortly afterwards, the NY Times article changed.

Today, the New York Times article from Sept 8, 2008 instead reads “United Airlines shares fell to about $3 from more than $12 in less than an hour before trading was halted… Its shares closed at $10.92, down 11.2 percent.” There is no record of that earlier statement on the NYTimes site. There is no indication in the article that a correction or previous release was made. It’s almost impossible to find the earlier version online, except in a few personal reports and isolated quotes on random sites. Months ago there were blogs with comments that referred to the $.01 low point, which have now mostly disappeared. The statement they refer to does not seem to exist in public archives.

Fifty years ago, physically published mainstream newspaper articles provided a fairly high degree of reliability: physical copies were distributed throughout the country, and then locally archived. Corrections necessarily left an audit trail. Readers could go to trusted custodians at their local libraries to verify that certain information had been released by a major central news source.

Nowadays, the fox is guarding the henhouse. Major publishers offer their own global public archives, and a decreasing number local libraries are archiving printed news articles. “[N]ews libraries have stopped clipping newspapers because so much of the information is available online,” write Christine Malesky and Richard Geiger in “News Media Libraries.” Unlike librarians, publishers do not have strong incentives to retain comprehensive records of revisions, errors and corrections. Instead, news publishers want to preserve the very “best” article possible.

At the New York Times, the online editors run a “continuous news desk,” which is “kind of an in-house re-write desk that feeds the Web site,” said Toby Usnik, director of public relations for the Times. “As we know new information, we add it. As information changes, we update it. If we misspell a name we spell it right and update the story again.” (OJR) History is routinely rewritten.

With respect to the United stock crash, Kim Zetter of Wired wrote “the problem wasn’t the market, it was the newspaper’s archive, which stored the story without a publication date attached to it — not a completely uncommon occurrence.”

As publishers, not librarians, increasingly store and provide access to their own media archives, readers lose the ability to independently verify the source, date and original content of news articles. If the world economy hinges on verifiable information, why not cryptographically sign articles as soon as they’re published? Ironically, the same unreliability that caused the United stock crash also manifested itself in the NYTimes article which reported it.

The Great Firewall of Britain

The United Airline stock crash was really just a tremor, the symptom of a profound global shift. Last month, millions of people in the UK were suddenly blocked from editing Wikipedia after the Internet Watch Foundation (IWF) blacklisted a single page. This was able to occur because “95 per cent of British residential internet” traffic is reportedly routed through only six ISPs, which “voluntarily” send traffic through a centralized content filtering system called Cleanfeed at the request of the IWF. (Wikipedia) This week, the point was underscored when another IWF blacklist suddenly left many UK residents without access to the Internet Archives (aka the Wayback Machine).

In both the recent Wikipedia and Wayback Machine cases, end users quickly detected the blocks, public outcry ensued, and most access was restored. However, now that traffic filtering in the UK has become automated and centralized, future blocks could certainly go unnoticed by end readers. The current Cleanfeed implementation has been rather crude, in that it has been used to block entire pages and web sites in response to a single objectionable image. However, it is technically possible to quietly drop (or replace) “questionable” images and text much more subtly.

The “voluntary” British ISP filtering has more in common with China’s censorship than many Westerners realize. In China, “the ISPs and other service providers are restricting customers’ actions for fear of being found legally liable for customers’ conduct. The service providers have assumed an editorial role with regard to customer content… Although the government does not have the physical resources to monitor all Internet chat rooms and forums, the threat of being shut down has caused Internet content providers to… stop and remove forum comments which may be politically sensitive.” (Wikipedia)

East and West, a little fear goes a long way.

What can we do?

The September United Airlines stock crash resulted in one good thing: there is now demonstrated financial incentive for technology that would allow businesses to instantly verify the source, publication date and content of news articles. Perhaps economics will help spur the tools of democracy.

Geeks can also take matters into our own hands. Technically speaking, the tools to cryptographically sign and verify web pages are within reach. For instance, publishers could voluntarily embed PGP markers and signature as comments inside web page source code. A Firefox plugin could search for PGP beginning and ending markers within web page source code, grab only the static ASCII text between these markers, automatically verify signatures, and present the publisher, date, etc in a browser toolbar. Browsers could store signatures locally, or check them against independent online repositories.  There’s already a beta Firefox plugin (FireGPG) which facilitates the use of PGP signatures with web pages. That’s a good start.

Philosecurity will be regularly releasing PGP signed versions of articles from now on. Check the bottom of each article from here on out for a link. I’m sure this system will be a little clunky at first, but I hope it will evolve to be more user-friendly. Feel free to send feedback and suggest better methods, tools, etc.

Censorship and silent corrections to online news archives are two sides of the same coin. Whether an article has been modified by the publisher, the ISP or the government, readers and journalists deserve to know. Unfortunately, our current system of online news distribution does not allow readers to independently verify publications dates and sources, or identify retroactive changes and omissions.

We have the technology to provide a verifiable audit trail as news articles are published, modified or retracted. We have the ability to make this accessible to everyday readers. Ultimately, readers can and should demand that our professional media sources cryptographically sign articles upon release. In a world where knowledge is power, verifiably accurate information is as important as running water.

S: You wrote adware. You bastard.

M: [sheepishly] Yes, I did.  I got to write half of it in Scheme, which probably means that I deployed more Scheme runtime than anybody else on the planet.

S: Let’s back up a second. Why did you write adware?

M: I was utterly and grindingly broke for a little while.  I started working on SPAM filtering software. That work got noticed by [Direct Revenue], who hired me to analyze their distribution chain.  For a little while, the site through which all their ads ran was something like top 20 in Alexa. Monstrous, really huge traffic. Maybe 4 or 5 months into my tenure there, a virus came out that was disabling some of the machines that we had adware on. I said, “I know enough C that I could kick the virus off the machines,” and I did. They said “Wow, that was really cool. Why don’t you do that again?” Then I started kicking off other viruses, and they said, “That’s pretty cool that you kicked all the viruses off. Why don’t you kick the competitors off, too?”

It was funny. It really showed me the power of gradualism. It’s hard to get people to do something bad all in one big jump, but if you can cut it up into small enough pieces, you can get people to do almost anything.

S: Did you feel this was the gently sloping path to Hell?

M: Oh yeah! Absolutely. [ laughs ] I actually believe that if you sum up everything I did it comes out positive, if only because I kicked off an awful lot more adware than I installed.

S: What was Direct Revenue’s business model?

M: Their business model was that they would buy a screensaver from somebody, or develop it themselves. It would be some stupid thing like a guy who’s washing their screen. Looks like a window washer guy? They’d say “Hey, if you want this, install our adware and you can have it for free.” An astonishing number of people will do that.

S: What did they call it? I presume they didn’t call it “adware.”

M: The good distributors would say, ‘This is ad-supported software.” Not-so-good distributors actually did distribute through Windows exploits. Also, some adware distributors would sell access. In their licensing terms, the EULA people agree to, they would say “in addition, we get to install any other software we feel like putting
on.” Of course, nobody reads EULAs, so a lot of people agreed to that. If they had, say, 4 million machines, which was a pretty good sized adware network, they would just go up to every other adware distributor and say “Hey! I’ve got 4 million machines. Do you want to pay 20 cents a machine? I’ll put you on all of them.” At the time there was basically no law around this. EULAs were recognized as contracts and all, so that’s pretty much how distribution happened.

S: Your company’s not one of those that would leverage exploits in order to get software on people’s computers?

M: We didn’t, no. Some of the distributors certainly did. If we found out a distributor was doing that, we’d say “Now we’re not going to distribute with you any more,” and we’d try to get off those machines.

The thing that I had a real problem with was the persistence work that I was doing.  This made it difficult for competitors to kick us off the machine. It was effectively impossible for a civilian to get us off the machine– unless they went through our uninstall process. You had to go to some web site, download an uninstaller, take a short survey about why they were getting rid of us, and then it would actually remove us and we would also leave a Registry key to make sure we didn’t reinstall.  Sadly, some misguided antivirus and anti-adware software would go in and remove that, which therefore meant that we would reinstall again.

S: Can you tell me more about your strategies for persistence?

M: Yes. I should probably first speak about how adware works. Most adware targets Internet Explorer (IE) users because obviously they’re the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you’re using IE, then either you don’t care or you don’t know about all the vulnerabilities that IE has.

IE has a mechanism called a Browser Helper Object (BHO) which is basically a gob of executable code that gets informed of web requests as they’re going. It runs in the actual browser process, which means it can do anything the browser can do– which means basically anything. We would have a Browser Helper Object that actually served the ads, and then we made it so that you had to kill all the instances of the browser to be able to delete the thing. That’s a little bit of persistence right there.

If you also have an installer, a little executable, you can make a Registry entry and every time this thing reboots, the installer will check to make sure the BHO is there. If it is, great. If it isn’t, then it will install it. That’s fine until somebody goes and deletes the executable.

The next thing that Direct Revenue did– actually I should say what I did, because I was pretty heavily involved in this– was make a poller which continuously polls about every 10 seconds or so to see if the BHO was there and alive. If it was, great. If it wasn’t, [ the poller would ] install it. To make sure the poller was less likely to be detected, we developed this algorithm (a really trivial one) for making a random-looking filename that was consistent per machine but was not easy to guess. I think it was the first 6 or 8 characters of the DES-encoded MAC address. You take the MAC address, encode it with DES, take the first six characters and that was it. That was pretty good, except the file itself would be the same binary.  If you md5-summed the file it would always be the same everywhere, and it was always in the same location.

Next we made a function shuffler, which would go into an executable, take the functions and randomly shuffle them. Once you do that, then of course the signature’s all messed up. [ We also shuffled ] a lot of the pointers within each actual function. It completely changed the shape of the executable.

We then made a bootstrapper, which was a tiny tiny piece of code written in Assembler which would decrypt the executable in memory, and then just run it. At the same time, we also made a virtual process executable. I’ve never heard of anybody else doing this before. Windows has this thing called Create Remote Thread. Basically, the semantics of Create Remote Thread are: You’re a process, I’m a different process. I call you and say “Hey! I have this bit of code. I’d really like it if you’d run this.” You’d say, “Sure,” because you’re a Windows process– you’re all hippie-like and free love. Windows processes, by the way, are insanely promiscuous. So! We would call a bunch of processes, hand them all a gob of code, and they would all run it. Each process would all know about two of the other ones. This allowed them to set up a ring … mutual support, right?

So we’ve progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that’s encrypted– really more just obfuscated– to an executable that doesn’t even run as an executable. It runs merely as a series of threads. Now, those threads can communicate with one another, they would check to make sure that the BHO was there and up, and that the whatever other software we had was also up.

There was one further step that we were going to take but didn’t end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. In fact, you can register with the OS a chunk of code to handle a given interrupt. Then all you have to do is arrange for an interrupt to happen, and every time that interrupt happens, you wake up, do your stuff and go away. We never got to actually do that, but it was something we were thinking we’d do.

We did create unwritable registry keys and file names, by exploiting an “impedance mismatch” between the Win32 API and the NT API. Windows, ever since XP, is fundamentally built on top of the NT kernel.  NT is fundamentally a Unicode system, so all the strings internally are 16-bit counter Unicode. The Win32 API is fundamentally Ascii. There are strings that you can express in 16-bit counted Unicode that you can’t express in ASCII. Most notably, you can have things with a Null in the middle of it.

That meant that we could, for instance, write a Registry key that had a Null in the middle of it. Since the user interface is based on the Win32 API, people would be able to see the key, but they wouldn’t be able to interact with it because when they asked for the key by name, they would be asking for the Null-terminated one. Because of that, we were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this was not only all civilians and pretty much all of our competitors, but even most of the antivirus people.

We also wrote a device driver and then a printer driver.  When you write a device driver you get to do all sorts of crazy things, even crazier than the things you typically get to do in Windows. This was right around the time that the company [ got sued by Eliot Spitzer and started shrinking ]. They made a somewhat poor business decision at the same time to get visible, and they branded their ads and everything at the same time that they were having me kick all of our competitors off and we were doing all that persistence stuff.

There was also of course Scheme. Eventually, we got sick of writing a new C program every time we wanted to go kick somebody off of a machine. Everybody said, “What we need is something configurable.” I said, “Let’s install a Turing-complete language,” and for that I used tinyScheme, which is a BSD licensed, very small, very fast implementation of Scheme that can be compiled down into about a 20K executable if you know what you’re doing.

Eventually, instead of writing individual executables every time a worm came out, I would just write some Scheme code, put that up on the server, and then immediately all sorts of things would go dark. It amounted to a distributed code war on a 4-10 million-node network.

S: In your professional opinion, how can people avoid adware?

M: Um, run UNIX.

S: [ laughs]

M: We did actually get the ad client working under Wine on Linux.

S: That seems like a bit of a stretch!

M: That was a pretty limited market, I’d say.

S: What is the future for adware?

M: To the extent that advertising is beautifully targeted, it ceases to become advertising is now more informational. The most encouraging example of this is Gmail. I see nothing but Ruby on Rails developer jobs and Scheme developer jobs on Gmail.

S: Does it weird you out that there’s some automated script filtering all your mail?

M: When I think about that, it sometimes troubles me. The good news is that I’ve been on the other side of those automated script things. Their capability is incredibly dangerous, but the actuality tends not to be.

It would have been fairly trivial for me to go spelunking for people’s credit card information or whatever. I had four million nodes. I could have done it without anybody at the company even noticing.  I was the guy writing Scheme, so I could have just put a text file somewhere and then made it go away, and there wouldn’t even have been an executable lying around.

But I didn’t. To do that, by definition you have to be willing to become a criminal, and that’s a little bit rare. So I’m not too worried about that. I think that advertising it going to turn into something that’s just a big mess of algorithms, where somebody says “this guy may be interested in this new programming language.”

S: How private is people’s information today?

M: Not at all.

S: Do you think that in our society we delude ourselves into thinking we have more privacy than we really do?

M: Oh, absolutely. If you think about it, when I use a credit card, the security model is the same as that of handing you my wallet and saying, “Take out whatever money you think you want, and then give it back.”

S: …and yet it seems to be working.

M: Most things don’t have to be perfect. In particular, things involving human interactions don’t have to be perfect, because groups of humans have all these self-regulations built in. If you and I have an agreement and you screwed me over badly, you’ve always got in the back of your mind the nagging worry that I’m going to show up on your doorstep with a club and kill you. Because of that, people don’t tend to screw each other too much, right? At least, they try not to. One danger, perhaps, of moving towards an algorithmically driven society is that the algorithms aren’t scared of us showing up and beating them up. The algorithms will do whatever it is that they are designed to do. But mostly I’m not too worried about that.

S: Is there anything else you wanted to comment on?

M: People can have things as good as they are willing to work for. If you want to have a system that’s clean of nasty software, you can do that. If you want to have personal privacy, it’s possible– very hard, but possible. And I think it’s worth it.

“I don’t know,” she frowned. “The Internet’s down. I can’t access our product catalog.” (Gah!)

Weeks later, I walked into a U-Haul to rent a truck. The computers weren’t working properly, and the manager was having trouble completing my transaction. “What happens if the computers are down?” I asked. “Can you still rent me a truck?”

“Well, I can,” he said, “But that’s because I’ve been here for fifteen years and I remember how to use the forms. That kid over there–” he gestured toward the younger employee, “He doesn’t even know the paper forms exist.”

As communication technology advances, society has shifted from a thick client to a thin client model. Until recently, Radio Shack employees maintained product knowledge in their heads and on paper that they could physically access. U-Haul staff used paper and ink to rent out their trucks. Individual stores could operate independently of the central system, at least until supplies ran out. They each had to maintain up-to-date books and forms, and train employees.

More and more, information resides on remote systems, which distributed franchises and employees access in order to conduct transactions. On the one hand, this increases efficiency. Gone are the reams of preprinted contracts and forms to be manually filled out for each transaction. Employees have less to memorize, as information and procedures are built into software systems.

On the other hand, individual locations are increasingly vulnerable to network disruptions. Many businesses today rely upon the Internet in order access central databases and conduct normal transactions. Without connection, they’re just appendages cut off from the central body. Radio Shack may have FM transmitters, and U-Haul may have trucks, but without network access they have difficulty conducting business. Many businesses do not physically have the paper and supplies to support manual transactions, let alone the knowledge of manual procedures.

Do the benefits of the thin client model outweigh the costs? That depends on your perspective. From Radio Shack’s point of view, the vast savings from cutting employee training and paper supplies probably does outweigh occasional losses due to network outages. This is especially true if they create a more stable infrastructure than their competitors. Furthermore, in the thin client model, employees require less specialized knowledge, and are therefore more mobile (and expendible).

However, as a society our economic dependance on the Internet may be premature. The Internet was not designed for security, and as noisy worms have demonstrated, it can be brought to a standstill by small groups of people or even by accident. If a widespread network outage brought businesses to a halt, Radio Shack might not lose market share compared to other businesses, but society and the individuals within it would suffer.

The vulnerability of the thin client model was strikingly illustrated back in 2002, when Beth Israel Deaconess hospital “experienced one of the worst health-care IT disasters ever. Over four days, [the] network crashed repeatedly, forcing the hospital to revert to the paper patient-records system that it had abandoned years ago. Lab reports that doctors normally had in hand within 45 minutes took as long as five hours to process.” The emergency department was forced to close down and divert patients elsewhere.¹

The disaster also helped hospital staff understand the benefits of the thin client system. One physician commented, “When I do this on computer, it checks for allergy complications and makes sure I prescribe the correct dosage and refill period. It prints out educational materials for the patient. I remember being scared. Forcing myself to write slowly and legibly…Without that dashboard of information I’d get from the computer, I had to walk up to patients I had treated before and ask basic questions like, What allergies do you have? Even if I thought I remembered, I didn’t trust my memory.”²

Will individuals become “dumb terminals”? Or will we simply evolve different kinds of processing capabilities? During the past few decades in the computer market, we’ve oscillated from thin clients to thick clients and back again. In the early days of computing, people used dumb terminals to access a mainframe, which stored and processed the data. Later, personal computers emerged, and each individual machine ran specialized applications and hardware.³ Nowadays, with the emergence of web-based business applications such as Google Apps and other client-server business processing systems, data is increasingly stored and processed on central systems once again.

Business processes will always mirror the technologies upon which they depend. As computers and business become increasingly intertwined, the efficiencies and vulnerabilities of our economy reflect those of our information technology. Humans have limited information storage capabilities, and leveraging centralized data storage systems helps us function as a group more efficiently.

How can we leverage the efficiencies of the thin client model, while still maintaining a robust and reliable infrastructure?

 
Sherri Davidoff

Oddly enough, all the pump handles were covered with plastic bags. The guy from the car in front of us came up to our truck and tapped on the glass. “Pumps are closed,” he said. “I used this one anyway, and they came out and told me they were bagged off for a reason. Guess it works, but they don’t want you to use them.” He shrugged. “Cheapest place around, though.”

Strange. We thanked him, and headed into the station to find out if we could use the pumps. “Excuse me,” I said to the man behind the counter. “We noticed that the pumps are covered with bags. Are any of them open?”

“Computers are down,” he said. “Can’t take credit cards. Sorry.”

“We can pay cash.”

“We can’t control the systems. Computers are down. Sorry. No gas.”

As we drove away, we saw that all twenty of the gas pumps were covered with plastic bags. “Every gas pump must be an autonomous point-of-sale system,” commented Jonathan. “That gentleman in front of us was able to fuel up, presumably with a credit card. What was offline was the store’s ability to communicate with the sales systems.”

We drove back onto the highway in search of another gas station, our money burning holes in our pockets.

“An erroneous headline that flashed across trading screens Monday, saying United had filed for a second bankruptcy, sent the airline’s stock plummeting. United Airlines shares fell to about $3 from more than $12 in less than an hour before trading was halted, wiping more than $1 billion in value.” (Note: original reports indicated that the stock fell to $.01 per share.)

United Airlines identified the source as “an old Chicago Tribune article that, it said, was posted on the Web site of The South Florida Sun-Sentinel newspaper. That article was picked up by a research firm, Income Securities Advisors, which then posted a link to it on a page on Bloomberg News, which sent a news alert based on the old article.” -A Mistaken News Report Hurts United

Jonathan Ham wrote in to say, “Seems to me a pretty good proof of concept for a web hack resulting in financial windfall. I’d sure as hell have bought UAL at $.01 if I *knew* the rumor to be false. It was bound to recover most of its value by the end of the day… If I’d bought $1,000 of UAL at $.01 this morning, it’d be worth $1.2M right now… If I’d spent $1M defending SEC inquiries, I’m still not working very hard anymore.”

Big business just got an expensive lesson in the importance of verifying the source and publication date of news articles. I have to wonder if this will generate interest in cryptographically signed news articles, which would allow consumers to quickly verify the original source and release date of the article. News companies and their affiliates could market client software which would verify the date and report back, perhaps as part of a premium subscription service. Alternatively, third-party software vendors could verify articles from many news sources. News organizations could make a profit from distributing verification keys to software developers.

Cryptographic verification could also be used as a mechanism to maintain readership. Major vendors could ensure that their keys were distributed by default in popular verification software (as with certificates and web browsers). End users could always add their own keys, but the easy availability of keys from major news vendors would help the status quo maintain readership.

With the UAL crash this week, there’s demonstrated financial incentive for both the news industry and big business to invest in developing an infrastructure for cryptographically verifying the original source and publication date of news articles. It’s about time! We haven’t yet learned to fully capitalize on the idea of selling trusted information on the Internet, but as the UA stock crash demonstrated, there is a need. Perhaps when this market matures, a lot of the technology that privacy geeks have been fighting for all along will finally become mass implemented.
 
 

“Banking institutions and Foreign Exchange networks rely heavily on precision timing so a stock order placed on one side of the globe can be received almost instantly in New Yorks, Wall Street, at the same market price, without losing any valuable data along the way. Timing, synchronisation and security are paramount when dealing with digital monetary transactions, where great losses could be sustained if any data is lost, or 2 points do not synchronise simultaneously.” – Wikipedia, “GPS Timing”

For less than $1,000 of off-the-shelf equipment which fits in the trunk of a car, anyone can forge GPS timestamps. If you’re within a half mile or so of a GPS receiver that is used by the financial industry, you could cause major meltdowns that would be difficult, if not impossible, to trace. How many GPS receivers exist within a half mile of Wall Street? Good question.

http://www.screwprivacy.com/

Yes! Now you can benefit when hackers in Guam steal your bank account password. Don’t be left out of the financial windfall. The more you upload, the more YOU EARN!

Don’t be a victim of data theft. Be a data entrepeneur!

To Rolling Stone,

Several months ago you began stamping my name and address on piles of dead trees and convincing the United States postal service to drop these unrequested items on my doorstep.

I like reading your magazine. It’s fun getting it delivered, and I enjoy learning about music and politics over breakfast. However, my respect for your business practices has been damaged by the action these deliveries represent: misuse of my personal information. I have never subscribed to your magazine. Rather, you purchased my name and address and hope to profit from it. You’re using me to beef up your “subscribers” list, lower the average age of your “readers,” and appease your shareholders.

Is this practice really in keeping with the concept of freedom that America, and your magazine, theoretically represent? I believe that a free country is one in which I can correspond with my friends, ride the subway, buy a book or rent a movie without having my actions tracked, my behavior analyzed and automated systems send me glossy packages afterwards in a manipulative attempt to milk me for my time and money.

As demonstrated by the growing amount of resources dedicated to the anti-spam industry, receipt of information is not free. Every time you or one of your business contemporaries sells my information, you contribute to the growing stack of mail which drowns my legitimate correspondence and sucks away my time and attention.

I understand that the magazine industry is rapidly changing, and in order to stay competitive, you must evolve your business strategies. Current fashion in the business world is to harvest information from individuals through enticement, theft and legitimate service, and then to sell or trade that information for profit behind the scenes. It is no wonder that you’ve chosen this technique. However, at one time, it was fashionable to buy and sell people in this country in order to stay competitive in the business world. Buying and selling people’s personal information without their knowledge and permission is just another, more subtle evolution of this exploitation.

Over the years, Rolling Stone’s authors and editors have often expressed strong support of social justice and individual freedom. This is what drew me to purchase your magazine at newsstands in the past, and the reason that I am taking the time to write to you today. I’d like to purchase your magazine in the future, but I can’t in good conscience support the unsolicited harvest and trade of personal information. I hope that you will publicly practice the values that your staff have so eloquently supported over the years by showing more respect for people’s time, attention and privacy.

To provide financial incentive, I’d like you to know that I will not purchase or read your magazine again until you:

1) Remove my personal information from your systems;

2) Assure me that in the future, you will never buy or sell my personal information without my explicit permission;

3) Donate $25 to the Electronic Frontier Foundation for the time I have spent responding to your repeated unsolicited mail.

I am not for sale, and neither is my personal information.

Thank you,

Sherri Davidoff

Hawken points out that “when a forest products company buys logging rights from the Forest Service at pennies to the dollar and then clear-cuts the area, leaving it degraded for the next hundred years, the “profit” from the sale of the wood goes to the corporation, but the loss of habitat and biodiversity is borne by society… The companies who practice driftnetting, sweeping monofilament nets thirty miles long through the oceans, will never be presented a bill for the decimation of Pacific fisheries.”

Similarly, organizations today are externalizing costs with respect to information collection and mismanagement. Companies collect enormous amounts of sensitive information about their customers– financial information such as credit card numbers, personal information such as social security numbers, shopping records, health records, communication records. This information is often very poorly managed and stored in many places on their network. Often, companies will claim to auditors that sensitive data is stored in a specific database, and completely ignore the fact that it is also cached in spreadsheets on employee desktops, on laptops, on the email server, and in backup tapes.

When a company sells personal data to another company, it profits from the sale but experiences no further liability, even though its customers are now at a higher risk of data theft and are never even informed of this fact. Data is often stored indefinitely, even after policy dictates that it should be deleted. If losses occur, they are often not detected; if they are detected, they are often not reported. This is because there is little incentive for companies to detect incidences of customer data loss, and even less incentive to report them. Even when regulation dictates that a loss must be reported, companies work to find loopholes and sometimes decide that risk incurred by deliberately hiding an incident is less than the definite cost of public disclosure.

If a company loses millions of credit card numbers, who bears the cost? As long as no one finds out that the company is to blame, then the customer and society bear the cost of dealing with credit card fraud. In today’s environment, companies benefit from harvesting, storing and processing consumer information, but are often able to pass costs of mismanagement, which include credit card theft and identity theft, back to the consumer. Companies are routinely able to cover up incidents and pass off risk, and therefore they achieve maximum profit when they store and sell customers’ data and do not bother investing in proper management.

Perhaps the most serious cost of information mismanagement is also the most dispersed, and the hardest to quantify. Across America, government, small businesses and corporations are dependent on IT, and store tremendous quantities of sensitive data on networks which are poorly secured. As a security consultant that has worked in many different industries over the past seven years, including finance, transportation, health, government and academia, I have seen this first hand. Nationally, we are at great risk of accident (such as the 2003 northeast blackout which was linked to a virus) and also vulnerable to deliberate large-scale attacks.

Hawken writes that “where harm and suffering exist because of market dealings– when the real costs of that market are not factored into the price of goods and services–we require the government as representatives of citizenry to step in and prevent those abuses, one way or the other.”

Bruce Schneier has called for a comprehensive data privacy regulation. While I agree that this is a step in the right direction, I have to wonder if economic solutions might be more efficient and effective than regulation. Hawken cites Pigovian taxes – the origin of “green taxes” as one economic solution to environmental problems. “Pigou argued that competitive marketplaces would not work if producers did not bear the full costs of production, including whatever pollution, sickness or environmental damage they caused. Pigou’s solution was to impose a ‘tax to correct maladjustments’ on producers, a tax that would be comparable to the avoidable cost or unborne expense. Pigou cited prematurely peeling paint on a house near a coal-fired mill as an example of an external cost that should be paid by the producer. He theorized that when the producer was forced to bear full costs, it would have incentives to reduce its negative impact, thus lowering those costs.”

Perhaps Pigovian taxes can be applied to information management in order to provide real incentives for companies to appropriately manage their data. For example, the government could tax corporations based on the amount and type of personal data stored, internal information management policies and the results of yearly information security audits.

Right now, personal information is cheap to harvest and profits are high. Companies clear-cut forests because they are able to absorb the short-term gains and pass off the long-term costs. Similarly, companies harvest information from consumers, store it carelessly and resell it, reaping short-term financial gains and passing off the costs. Using Pigovian taxes or a similar strategy, we could perhaps give companies quantifiable, assured financial incentives to reduce the amount of personal data stored, develop appropriate information management policies, and meet security standards.

At the same time, specific genetic modifications could be marketed to the “worker” humans. Perhaps there will be an “intelligence” trait (which actually modifies your child so that he or she focuses better– no need for Ritalin!) Humans might well develop into two (or likely more) different species, based on class.

Right now genetic experimentation on humans is commonly seen as distasteful to in our society — perhaps because of a widespread belief in the sacredness of every human life– but I don’t think this will stop us in the long run. The incentives are just too high. Also, if someone were to develop human genetic modifications in secret, over a long period of time, and then eventually release modified humans to the world, how would we treat these people? I believe the larger population would still consider them as having the same rights as a “normal” human, therefore assuring them of the right to live and reproduce. In a world of six billion people, it is hard for me to imagine that there isn’t ONE person currently being used for genetic experimentation right now.

We’re at a defining edge in human evolution. Barring major catastrophe, those who are financially well off in the next few centuries might live to see their genes evolve in one manner, while those who are not might see their genes evolve in a very different way.

To a limited extent, this isn’t much different than what has been happening all throughout evolution. Humans have been managing our own breeding for millennium through careful mating selection, which breeds specific traits. The difference is that now the pace will accelerate. You will not only be a product of your ancestor’s genes and their culture, but you will incorporate specific physical and intellectual traits that they consciously decided you should have. Advertising in the medical industry will take on whole new implications.

This is the very principle that has been espoused by Clay Ward, Lucy Mendel and all the terrific students and volunteers working right now on Buy It Like You Mean It. Sometimes I bemoan the lack of control that individuals have over big corporations, which have become the dominant force in our global society. Sometimes I forget that every one of us has the opportunity to voice our opinions, every single day. If I feel uncertain about my power in the voting booth, the one thing I am sure about is the power of the almighty dollar.

Right now, undercutting the power of the individual’s dollar is the fact that consumers do not have access to convenient, accurate information about the social and environmental impact of companies in a product’s supply chain. When I buy a popsicle, what is my money really supporting? Toxic pesticides, maltreated workers and clear-cut forests that get turned into popsicle sticks? That’s not very tasty. If we are to shape our world in the information age, we must demand and create an informed market feedback system. Access to unbiased information should be as important to our society as access to clean water.

Buy It Like You Mean It, a nonprofit, is dedicated to creating that information system which will enfranchise the individual and enable us to make socially responsible and environmentally friendly purchases. Their technology, developed by the MIT community and volunteers, will someday enable you to go to the grocery store, take a photo of a product barcode with your cell phone, and immediately receive a score based on your preferences which indicates how the product’s impact matches your values. They’ve started with the chocolate industry.

I really believe that these guys will change the world, by giving us back our daily vote!

Incidentally, Buy It Like You Mean It is having a launch party at the Taza Chocolate Factory on Tuesday, June 3. Check out their site, and if you’re in the area, come to the launch party Tuesday night!