Archive for June, 2005

Sometimes, I hate it when I’m right

Wednesday, June 29th, 2005

A little while back, I wrote about why I think Microsoft will never open their legacy file formats.

Unfortunately, according to this essay by Richard Stallman, Microsoft’s New Monopoly, I was dead on in my low expectations of Microsoft. I just didn’t know what exact mechanism they would use to screw up the competition.

While Stallman is mostly upset that Microsoft is corrupting the license purity of applications that would read or write the Microsoft data formats,

The next version of Microsoft Word will use formats that involve a technique that Microsoft claims to have a patent on. Microsoft offers a royalty-free patent license for certain limited purposes, but it is so limited that it does not allow free software. You can see the license here.

I went and read the license and I’m upset for a whole different reason. Namely because it includes this little poison pill right here:

No right to create modifications or derivatives of this Specification is granted herein.

Did I call it or what? I said:

Microsoft is “opening” their format so they can maintain control of what features can be saved into a data file. So long as they can effectively dictate what information you can save into their formats, they control the pace of change and innovation in the Office Automation software market. That’s smart risk management on their part.

Now, thanks to Pure Evil Software Patents, the only way you’ll be able to legally read or write the Microsoft format is if you only read and write data elements that they’ve already implemented. They’re using patent law to lock out any innovation that they don’t come up with themselves. If it works, then Microsoft will have finally found a way to make sure that no one can both come up with a compelling reason to abandon Office and provide a migration path away from it.

*sigh*

Improving Transaction Authentication

Tuesday, June 28th, 2005

In his essay, “Password equivalence and identity theft (I),” Eric Rescorla has done a damn fine job of explaining the different mechanisms used to authenticate participants in a transaction without leaving re-usable credentials lying all over the place.

The basic problem with credit card authentication is that the information required by the merchant to run your credit card is exactly the same information that you require to use it: the number, the exp date, the security code, and maybe your ZIP. Every time you give your credit card to someone in a restaurant, they have an opportunity to steal your card information (remember having to tear up your carbons?). And of course, Mastercard’s database has exactly the same information. So, any compromise of the merchant’s or issuer’s systems leads to the attacker being able to forge credit card charges. Not all authentication systems are like this.

Go read the whole thing to find out the differences. You’ll be simultaneously glad you did and irritated that no one seems willing to tackle implementing a solution.

Unfortunately, this still doesn’t address the crux of the problem–the continuing American dependence on Social Security Number + Name as the credentials to access one’s potential credit, which reducing card fraud will make worse. If it becomes more difficult to steal someone else’s existing credit (card), then the demand for the credentials which gain access to their credit potential will almost certainly lead to increased Identity Theft Fraud-by-Impersonation if no improvements are made. The risk from the card in your wallet may seem to be Mitigated, but in reality it’s being transferred to your unused credit potential, where it will go through the roof.

That’s not to say I’m worrying too much about that scenario, because I don’t see it happening any time soon.

Why not? I have to think it’s at least partly because the credit card industry still sees fraud as being an externality. From their perspective, they’ve already done something about card fraud–they’ve provided a little bit of guidance and passed the cost on to the merchants.

Now imagine trying to sell the concept internally. I’ve got this great idea. It’s going to cost a ton of money and reduce chargeback revenue, but if it works and people migrate to it, we’ll have solved someone else’s problem. Sure, you could suggest that merchants would be all over it, but they tried to make the same case for Visa’s CISP and it still wound up having to be a lot more stick than carrot to get merchants to comply.

Card companies see the status quo as consisting of risks that they understand and feel they’re managing effectively.

Revenue Risk if those chargeback fees go away? They get that. Risk of losing merchants who don’t want to adopt the new standards? They get that, too. Share Price Risk from reduced topline revenue numbers? Senior Management definitely get that. Project Risk if the whole thing doesn’t work well enough? They don’t even want to think about that.

What it comes down to is a change that’s going to be expensive to implement. How expensive? I don’t know off the top of my head, other than “a whole lot.” It would require almost entirely replacing the entire credit processing infrastructure, but it’s completely do-able if the will existed. When you consider that a significant portion of the cost would be passed on to the merchants who had to buy the new Point-of-Sale hardware or software, it should seem reasonable.

When compared to what the average retailer loses to credit card fraud in any given year, (7 cents per $100 sold for card-present transactions, about $0.27 per $100 for online or phone sales), it might sound like a loser for the merchant. But when you throw in the chargeback fee ($20 to $50 per successfully contested transaction), it starts to look a whole lot better–if the merchant reduced the chargeback rate by one per month, that would pay for the new machine in about a year.

The real upside is for the merchants who are currently forced to assume all that avoidable fraud risk, but most of them are too busy working for a living to follow these developments. Once again, ignorance of Risk and its management turns into Assumption of Risk.

Now even The Economist has security on the brain

Friday, June 24th, 2005

Over at The Economist, there is an article, “The Leaky Corporation,” which suggests that Information Protection could be becoming a much bigger deal within most companies than it is today, driven largely by the increased attention that data security breaches are receiving from both the press and regulators.

“Data is becoming an asset which needs to be guarded as much as any other asset,” says Haim Mendelson of Stanford University’s business school. “The ability to guard customer data is the key to market value, which the board is responsible for on behalf of shareholders”. Indeed, just as there is the concept of Generally Accepted Accounting Principles (GAAP), perhaps it is time for GASP, Generally Accepted Security Practices, suggests Eli Noam of New York’s Columbia Business School. “Setting the proper investment level for security, redundancy, and recovery is a management issue, not a techie one,” he says.

Specifically, they point to the FTC’s settlement with BJ’s Wholesale Club as an example of the changing expectation for data protection within the United States.

The FTC decided to settle with BJ’s Wholesale Club, a retailer whose lax data-protection practices the agency said constituted an “unfair practice that violated federal law.” The firm collected too much data, kept it too long, did not encrypt it, lacked password protections and left its wireless network open. This, in turn, enabled criminals to produce counterfeit credit and debit cards using stolen customer data and rack up millions of dollars in fraudulent charges. The firm has agreed to fix these problems and undergo information-security audits for 20 years.

Data Protection is getting increased focus among several corporate security management types I know. We’re all busily erecting or resurrecting Data Protection and Privacy efforts. Risks that were once deemed acceptable without any actual Risk Analysis are now being called into question.

This is a Good Thing. If it’s on the minds of The Economist’s readers, that means that Management is waking up to the importance of paying attention to this stuff. While as a general rule I never wish misfortune on anyone, I’m not unwilling to leverage their misfortune for the common good.

This is your Enterprise on Best Practices…

Friday, June 24th, 2005

IanG pointed out recently the New Best Practice for security: Avoid “Best Practices”.

I’ve written long and critically (including in a draft paper) how “best practices” may actually oppose security rather than support it. Yes, there is a model that explains why best practices is bad. It appears that others may be coming to the same conclusion; here are a few snippets in that direction.

1. “Best fit” is better fit. An otherwise routine article by Tan Shong Ye (Partner and Head of Security & Technology Practice at PricewaterhouseCoopers) suggests:

It is becoming more common for organisations to strive for a “best fit” solution, as opposed to obtaining “best practice” in every security-related matter. Conforming to a set of best practices can be an extremely expensive exercise that does not necessarily deliver business benefits equal to or greater than the resources expended to get there.

A best-fit model is, instead, about understanding what the risks are and applying the most appropriate risk mitigation strategy to reduce them, as opposed to applying best practice processes regardless of the associated risk.

Let me use a little illustration to demonstrate the difference between a Best Practices approach and a Risk-Based approach to protecting an Enterprise.

The area under the green line represents the amount of security-related effort that systems need throughout the Enterprise. Some need very little security-related effort. Some need a lot of security-related effort. This may be due to a poor default security configuration or because extra effort is needed to ensure the Confidentiality, Integrity, and/or Availability of the system in question.

The cross-hatched area under the blue line represents the effective security produced by applying Best Practices across the Enterprise. Basically, a lot of systems that don’t need a lot of security are going to receive effort they don’t necessarily need or deserve. This could be effort in excess of asset value. It could be implementing safeguards against inapplicable threats. The key is that under Best Practices, you don’t ask these questions, you just implement the Best Practice.

Compare this to the Risk Management approach. Threats are identified, their likelihood assessed, and the effort to mitigate or avoid is compared to the asset’s value. Sure, it’s not perfect. Some machines will get more security than they need or are worth, some will have residual risk which must be accepted or transferred.

The exact relationship between the Risk-based coverage and the actual security requirements will be a function of Management’s appetite for Residual Risk. Are they more interested in getting everything covered (i.e. regulated industries or applications whose Integrity must be guaranteed for SOX or other compliance reasons)? In this case, the red area will tend to run above the green line. Are they more concerned with controlling costs? In that case, there will tend to be some Residual Risk out there. In general, however, the systems that need the most security attention will get it, and those that don’t won’t.
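To make the green/blue/red picture concrete, here is a small added model (my own constructed example, not from the original post or its chart): a handful of made-up systems with an assessed need for effort, a Best Practices policy that spends the same on each, and a Risk-Based policy that spends in proportion to expected loss and asset value, tuned by Management’s Residual Risk appetite.

```python
"""Constructed toy model of Best Practices vs Risk-Based security effort.

Systems, values and likelihoods below are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    asset_value: float        # worth of the system to the business (constructed units)
    threat_likelihood: float  # assessed probability of a realised threat, 0..1
    needed_effort: float      # the "green line": effort actually required to secure it


# Constructed sample Enterprise: two important systems, two that barely matter.
SYSTEMS = [
    System("public web server", asset_value=100.0, threat_likelihood=0.8, needed_effort=40.0),
    System("internal wiki", asset_value=10.0, threat_likelihood=0.2, needed_effort=3.0),
    System("test lab box", asset_value=2.0, threat_likelihood=0.5, needed_effort=1.0),
    System("payroll database", asset_value=200.0, threat_likelihood=0.3, needed_effort=60.0),
]


def best_practice_coverage(systems, standard_effort):
    """The "blue line": every system gets the prescribed effort, no questions asked."""
    return {s.name: float(standard_effort) for s in systems}


def risk_based_coverage(systems, residual_risk_appetite):
    """The "red line": spend what the threat and asset value justify.

    residual_risk_appetite is 0..1. At 0 Management wants everything covered
    (regulated / SOX style), so each system gets its full needed effort. At 1
    Management only funds what the expected loss justifies, so effort is capped
    by asset_value * threat_likelihood and some Residual Risk is accepted.
    """
    coverage = {}
    for s in systems:
        expected_loss = s.asset_value * s.threat_likelihood
        value_justified = min(s.needed_effort, expected_loss)
        coverage[s.name] = (s.needed_effort * (1.0 - residual_risk_appetite)
                            + value_justified * residual_risk_appetite)
    return coverage


def score(systems, coverage):
    """Return (over_spend, residual_gap): effort beyond need, and need left unmet."""
    over = sum(max(0.0, coverage[s.name] - s.needed_effort) for s in systems)
    gap = sum(max(0.0, s.needed_effort - coverage[s.name]) for s in systems)
    return over, gap


def total_effort(coverage):
    return sum(coverage.values())


if __name__ == "__main__":
    bp = best_practice_coverage(SYSTEMS, 20)
    print("Best Practices  :", "spend", total_effort(bp), "over/gap", score(SYSTEMS, bp))
    for appetite in (0.0, 0.5, 1.0):
        rb = risk_based_coverage(SYSTEMS, appetite)
        print(f"Risk-Based {appetite:.1f}  :", "spend", total_effort(rb),
              "over/gap", score(SYSTEMS, rb))
```

With these numbers the Best Practices policy wastes effort on the wiki and lab box while leaving the web server and payroll database under-protected; the Risk-Based policy puts effort where the need is and, as appetite rises, knowingly leaves a small Residual Risk on the low-value wiki.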

…any questions?

Outsourcing makes fraud cheaper, too

Thursday, June 23rd, 2005

Since Adam Shostack is suffering from Stupid Privacy Invasion Fatigue, I’ll take this one for him.

According to The Register quoting The Sun (deemed nsfw by many places, including my employer),

The paper says one of its journalists bought details of 1,000 UK banking customers from an IT worker in Delhi for £4.25 each. He was also able to buy the numbers of credit cards and account passwords. An unnamed security expert hired by the paper verified that the details were genuine. The information sold could be readily exploited by ID thieves to apply for credit cards or loans under assumed identities or to simply loot compromised accounts. The call centre worker bragged that he could sell up to 200,000 account details each month.

Well duh…take a well-educated, widely-underemployed, highly-entrepreneurial culture and give them ready access to information which is easily converted into cash and what’d you think would happen? I know that this may have been just a bad apple. I’ve seen the same things (and worse. Much worse, actually) occur in US Call Centers, where it’s a bunch of under-educated, lazy, corrupt idiots doing the work; they just want more money per account.

I also know that companies aren’t willing to do anything “dramatic” about it, like prosecute the offenders, since that might entail accepting the risk of some negative press coverage. It’s only when it’s already hitting the fan in the press that they’re interested in getting The Cops involved.

This is just another example of corporations transferring risk onto their customers to save a buck (or Pound Sterling, as the case may be). The fact that they’ll then further sell out those customers when an incident occurs to prevent Brand Damage just makes it that much more offensive.

The cure is worse than the disease

Tuesday, June 21st, 2005

So the fine folks at Techdirt pointed out that the fine folks at Yankee Group had noticed an interesting and ominous trend in network security:

In 2004, researchers uncovered 60 vulnerabilities in security software, up from 31 in 2003, according to the study. In May this year, 23 security bugs have already turned up, compared with 22 for Microsoft applications. The figures through May 2005 are up 50 percent over the same period last year, Yankee Group said. The figures were reported by Business Week.

That’s right…according to the Yankee Group, the Second-Order Risks resulting from the implementation of network security safeguards are now officially greater than the risks they are supposed to mitigate. It’s looking more and more like the Witty worm was just a sign of things to come.

NY Times on Personal Data Theft: “A” for effort, “F” for content

Tuesday, June 21st, 2005

The NY Times published an editorial today, “The Data Fleecing of America,” which praises members of the US Congress who are trying to do something about Identity Theft Fraud by Impersonation.

If it were not for California’s pioneering law requiring notice to affected consumers, the rest of the nation might not have even heard warnings of how their assets and identities are increasingly at risk. Senator Dianne Feinstein, Democrat of California, is proposing a national requirement for consumer notification, with civil damages for negligent companies. Her bill is a good start in conjunction with a comprehensive measure by Senators Charles Schumer of New York and Bill Nelson of Florida to begin regulating data merchants by requiring registration with the Federal Trade Commission. It would adopt stronger safeguards, stop the easy access to Social Security numbers and help identity theft victims regain their fiscal balance.

Credit-card companies and information brokers - not consumers and merchants - bear prime responsibility for the ravages of data thieves.

(emphasis mine)

There’s some inkling of clue in that final sentence, but it’s too little too late to save this editorial.

How many times do we have to say it? The SSN cat is out of the bag. It can’t be put back, no matter how much people would like it to be. Fixing the problem is going to be hard and it’s going to be expensive. If I had to guess where in the Seven Stages of Grief people are at the loss of their beloved SSN as an all-in-one identifier and password, I’d definitely go with “Denial.”

So let me say it one more time: The number of compromised credit card numbers, Social Security Numbers, Bank Account Numbers, and other bits of PII is simply too great. When real life reads like something out of The Onion, it’s time to admit that Humpty Dumpty probably isn’t going to come out of this in one piece and start tackling the Root Cause of the problem–inadequate authentication methods for financial transactions.

Personally, I like Bruce Schneier’s suggestion that the US Government should announce that they are going to publish the SSN of every American in, say, two years. This would force the updating of financial transactional systems and as an added bonus, create a huge demand for all those poor FORTRAN and COBOL programmers who’ve been looking for work since Y2K.

How does the music industry not get it? Let me count the ways…

Friday, June 17th, 2005

JD Lasica has a must-read posting today, “DRM and ‘casual piracy’,” which does a better job of juxtaposing the rights of the consumer with the music & movie industry’s vision of what those rights should be than anything else I can recall reading on the subject.

Go read it. The only way to do it justice is to copy the whole thing, and that’s not cool in my book.

His conclusion reminds me of the illustrating anecdote in Part 2 of Cory Doctorow’s “Microsoft DRM Speech,” only without the expository background.

Will citizens balk at these kinds of restrictions, or come to accept them? My suspicion is that the Darknet will grow in direct proportion to actions that turn mainstream Americans into “casual pirates.”

The recording industry in particular has two problems here. The first is its self-destructive strategy of eschewing the long-term development of artists, preferring instead the quick buck of one-hit wonders. The second is that if an artist is only going to have one CD worth buying and that one CD only has one or two songs worth listening to, then “schoolyard copying” is going to have a material impact on sales of that CD.

With this strategy, the music industry has essentially made its product a disposable commodity. There’s no point in paying for the CD because the consumer has been trained by the music industry itself to not value that CD. After all, how much are you willing to pay for something you fully expect to be sick of in a couple of weeks or a month, after which time it just becomes a storage problem? If I can get full benefit (listening to the one or two non-sucky songs on the disc) by copying them from a friend, then I don’t need the actual CD. The fact that I avoid the long-term problem of storing it, combined with the ability to put it somewhere useful to me (on my iPod, laptop, or mix disc) is just an added bonus.

So the music industry’s response to their own niche version of stagflation (reduced artist quality & longevity reducing the fan’s desire to own the CD, combined with increased ease of obtaining full value from those artists through fair-use “schoolyard copying”) is to try to prevent the completely legal (but fully-satisfying) fair use of music.

This makes less-than-no sense. DRM has never prevented a song or movie from escaping into an unencumbered format, nor will it. If the music industry wants to improve sales, they should produce music that causes people to believe it has enough long-term value that they’re willing to pay for it.

Another option is to reduce prices on CD’s. I know that there’s no way in hell I’m paying $20 for one or two songs that I’ll be sick of in a month, and $20 is a lot less to me than it is to the kids who comprise the core of the music market. The problem here is that thanks to iTunes and $0.99 songs, the value of a CD is now effectively $2. This is further borne out by the fact that iTunes increasingly forces people to buy the “filler” on the album to go with the two good songs, raising the effective price of those two decent songs to $8 each. I don’t know about you, but I’m not paying $8 for a song I’m expected to be sick of in a month.

Now think of the children. Every kid with a computer and a broadband connection knows that music can be had “for free” on the Internet. Trying to cut off the supply through DRM is a pointless effort which serves only to increase the average user’s skill at finding “illegal/free” music. The only ways to convince more people to pay for music are to either shift the price point of music down the demand curve or produce music that has value beyond the time it spends on the pop music playlist.

I’m not holding my breath for either.

Airport Security and Magic

Wednesday, June 15th, 2005

One of the Washington Post’s columnists has a wonderfully scathing rebuke of the airport security system.

Almost none of the agony you are experiencing is making you safer, at least not to any statistically significant or economically rational degree. Certainly any logical analysis of the money that has been spent on the airport security system since Sept. 11, 2001, and the security that the system has created, must lead to that conclusion.

This is not to say that the uniformed screeners aren’t more professional than they were in the past or that their presence doesn’t create a degree of psychological comfort, both for government officials, who can claim to be doing something to keep us all safer, as well as for those passengers who continue to believe that engaging in ritualistic shoe-removal gives them mysterious, magical protection against terrorism. On the grand scale of things, though, that’s all it is: magical protection.

Personally, I now refuse to take my shoes off unless they tell me to, and they haven’t told me to for the past few months. Of course, I haven’t had to go to DC recently, either. Still, I’ll give up my Safety Magic to mitigate the risk of dying in a crowd rush after someone notices that the holes in my socks form an image of the Virgin Mary.

Getting back on-topic, we’re reminded that

Probably the most significant measure taken in the past four years was one funded not by the government but by the airline industry, which put bulletproof doors on its cockpits at the relatively low price of $300 million to $500 million over 10 years. In extremely blunt terms, that means that while it may still be possible to blow up a plane (and murder 150 people), it is now virtually impossible to drive a plane into an office building (and murder thousands). By even the crudest cost-benefit risk analysis, bulletproof cockpit doors, which nobody notices, have the potential to save far more lives, at a far lower cost per life, than the screeners who open your child’s backpack and your grandmother’s purse while you stand around in your socks waiting for them to finish.

But, then, this isn’t a country that has ever been good at risk analysis. If it were, we would never have invented the TSA at all. Instead, we would have taken that $5.5 billion, doubled the FBI’s budget, and set up a questioning system that identifies potentially suspicious passengers, as the Israelis do.

Which is why I conclude that we don’t actually want value for money. Magic words, it seems, are what make Americans feel really safe.

I’m always glad to see a major news outlet pointing out that “Inconvenience” is not “Security.”

Risk is in the eye of the beholder

Wednesday, June 15th, 2005

I started reading this article/Akonix Media Relations placement about Instant Messaging because IM security is on my mind a lot lately. What I found most interesting about it was its focus on Legal Risk:

Lack of an IM policy can also produce problems during a legal-discovery process. For example, what if an executive logs IM conversations locally, yet the company at large doesn’t? After subpoenaing records, would lawyers have only part of the picture?

Thus, a business can put itself at risk by not having an authoritative record of IM communications. Call this IM’s “basic legal compliance” threat, says Francis Costello, chief marketing officer at Akonix in San Diego. He’s not referring to compliance in the Sarbanes-Oxley sense. Rather, it’s the “risk of discovery, human resources issues, and the risk of disputes.”

When I look at risks, I’m generally looking at threats which might impact Confidentiality, Integrity, and Availability*. Legal Risk is something I farm out to the lawyers, and they’re notorious for not getting back to me since that would mean going “on record” about something, which apparently flies square in the face of Legal Risk management.

So what should the lawyer’s response be (at least according to this article)? IM Monitoring. Log it all, let the discovery process sort it out. No mention of the Second-Order Risks that implementing comprehensive logging and monitoring creates, such as Privacy issues or Personnel Risks created by the lowered morale that generally accompanies the feeling that Big Brother is watching.

Thus, this is a nice bit of strawman work. They’ve found a legitimate legal risk (incomplete response to a discovery request), rolled it in with a longstanding, real network security threat and suggested that there is only one solution to it, and that’s to log everything. The funny thing about this is that it seems to fly in the face of the overall trend toward retention policies in general, which is to retain as little as possible except where required by law to do otherwise.

But that wouldn’t help you sell an IM Monitoring and Security solution, would it?

* Actually, I usually look at risks in order of I-C-A, but that’s because I’m usually asked to comment from a SOX perspective and because everyone else is always obsessed with Confidentiality to the exclusion of all other risks. They always seem to forget that perfect Confidentiality means no Availability. An amateur-hour mistake, sure, but no less common for being so.