Entries Tagged "economics of security"

Page 23 of 39

Speeding Tickets and Agenda

If you ever need an example to demonstrate that security is a function of agenda, use this story about speed cameras. Cities that have installed speed cameras are discovering motorists are driving slower, which is decreasing revenues from fines. So they’re turning the cameras off.

Perhaps a better solution would be to raise the fines to the remaining speeders to make up for the lost revenue?

EDITED TO ADD (3/31): Too many people thought that above comment was serious. It’s not. The whole incident illustrates why fines should never be considered part of a revenue stream: it gives the police a whole new agenda.

Posted on March 28, 2008 at 1:42 PM

Spending Money on the Wrong Security Threats

This story is a year and a half old, but the lessons are still good:

Kim Hyten, emergency management director in Putnam County, said he didn’t realize homeland security grants can now be used to prepare for tornados. As a result, Putnam County is using its grant money to prepare for something else.

“Weapons of mass destruction,” Hyten said.

That’s right—weapons of mass destruction. This year, Putnam County spent most of its $58,000 homeland security grant to buy dozens of gas masks, boxes full of chemical suits, a plutonium-detecting gamma and neutron ray radiological monitor and, for good measure, this rural county about fifty miles west of Indianapolis also ordered plenty of weapons of mass destruction test strips.

But asked whether weapons of mass destruction are a concern, Hyten replied: “The weapons of mass destruction—I don’t believe this county has ever, when we did our terrorism protection plan, ever looked at that we’d be a targeted site.”

Posted on February 19, 2008 at 7:18 AMView Comments

Lock-In

Buying an iPhone isn’t the same as buying a car or a toaster. Your iPhone comes with a complicated list of rules about what you can and can’t do with it. You can’t install unapproved third-party applications on it. You can’t unlock it and use it with the cellphone carrier of your choice. And Apple is serious about these rules: A software update released in September 2007 erased unauthorized software and—in some cases—rendered unlocked phones unusable.

Bricked” is the term, and Apple isn’t the least bit apologetic about it.

Computer companies want more control over the products they sell you, and they’re resorting to increasingly draconian security measures to get that control. The reasons are economic.

Control allows a company to limit competition for ancillary products. With Mac computers, anyone can sell software that does anything. But Apple gets to decide who can sell what on the iPhone. It can foster competition when it wants, and reserve itself a monopoly position when it wants. And it can dictate terms to any company that wants to sell iPhone software and accessories.

This increases Apple’s bottom line. But the primary benefit of all this control for Apple is that it increases lock-in. “Lock-in” is an economic term for the difficulty of switching to a competing product. For some products—cola, for example—there’s no lock-in. I can drink a Coke today and a Pepsi tomorrow: no big deal. But for other products, it’s harder.

Switching word processors, for example, requires installing a new application, learning a new interface and a new set of commands, converting all the files (which may not convert cleanly) and custom software (which will certainly require rewriting), and possibly even buying new hardware. If Coke stops satisfying me for even a moment, I’ll switch: something Coke learned the hard way in 1985 when it changed the formula and started marketing New Coke. But my word processor has to really piss me off for a good long time before I’ll even consider going through all that work and expense.

Lock-in isn’t new. It’s why all gaming-console manufacturers make sure that their game cartridges don’t work on any other console, and how they can price the consoles at a loss and make the profit up by selling games. It’s why Microsoft never wants to open up its file formats so other applications can read them. It’s why music purchased from Apple for your iPod won’t work on other brands of music players. It’s why every U.S. cellphone company fought against phone number portability. It’s why Facebook sues any company that tries to scrape its data and put it on a competing website. It explains airline frequent flyer programs, supermarket affinity cards and the new My Coke Rewards program.

With enough lock-in, a company can protect its market share even as it reduces customer service, raises prices, refuses to innovate and otherwise abuses its customer base. It should be no surprise that this sounds like pretty much every experience you’ve had with IT companies: Once the industry discovered lock-in, everyone started figuring out how to get as much of it as they can.

Economists Carl Shapiro and Hal Varian even proved that the value of a software company is the total lock-in. Here’s the logic: Assume, for example, that you have 100 people in a company using MS Office at a cost of $500 each. If it cost the company less than $50,000 to switch to Open Office, they would. If it cost the company more than $50,000, Microsoft would increase its prices.

Mostly, companies increase their lock-in through security mechanisms. Sometimes patents preserve lock-in, but more often it’s copy protection, digital rights management (DRM), code signing or other security mechanisms. These security features aren’t what we normally think of as security: They don’t protect us from some outside threat, they protect the companies from us.

Microsoft has been planning this sort of control-based security mechanism for years. First called Palladium and now NGSCB (Next-Generation Secure Computing Base), the idea is to build a control-based security system into the computing hardware. The details are complicated, but the results range from only allowing a computer to boot from an authorized copy of the OS to prohibiting the user from accessing “unauthorized” files or running unauthorized software. The competitive benefits to Microsoft are enormous (.pdf).

Of course, that’s not how Microsoft advertises NGSCB. The company has positioned it as a security measure, protecting users from worms, Trojans and other malware. But control does not equal security; and this sort of control-based security is very difficult to get right, and sometimes makes us more vulnerable to other threats. Perhaps this is why Microsoft is quietly killing NGSCB—we’ve gotten BitLocker, and we might get some other security features down the line—despite the huge investment hardware manufacturers made when incorporating special security hardware into their motherboards.

In my last column, I talked about the security-versus-privacy debate, and how it’s actually a debate about liberty versus control. Here we see the same dynamic, but in a commercial setting. By confusing control and security, companies are able to force control measures that work against our interests by convincing us they are doing it for our own safety.

As for Apple and the iPhone, I don’t know what they’re going to do. On the one hand, there’s this analyst report that claims there are over a million unlocked iPhones, costing Apple between $300 million and $400 million in revenue. On the other hand, Apple is planning to release a software development kit this month, reversing its earlier restriction and allowing third-party vendors to write iPhone applications. Apple will attempt to keep control through a secret application key that will be required by all “official” third-party applications, but of course it’s already been leaked.

And the security arms race goes on …

This essay previously appeared on Wired.com.

EDITED TO ADD (2/12): Slashdot thread.

And critical commentary, which is oddly political:

This isn’t lock-in, it’s called choosing a product that meets your needs. If you don’t want to be tied to a particular phone network, don’t buy an iPhone. If installing third-party applications (between now and the end of February, when officially-sanctioned ones will start to appear) is critically important to you, don’t buy an iPhone.

It’s one thing to grumble about an otherwise tempting device not supporting some feature you would find useful; it’s another entirely to imply that this represents anti-libertarian lock-in. The fact remains, you are free to buy one of the many other devices on the market that existed before there ever was an iPhone.

Actually, lock-in is one of the factors you have to consider when choosing a product to meet your needs. It’s not one thing or the other. And lock-in is certainly not “anti-libertarian.” Lock-in is what you get when you have an unfettered free market competing for customers; it’s libertarian utopia. Government regulations that limit lock-in tactics—something I think would be very good for society—is what’s anti-libertarian.

Here’s a commentary on that previous commentary. This is some good commentary, too.

Posted on February 12, 2008 at 6:08 AMView Comments

UK Two-Tier Tax Security System

Poor security for everyone except the rich and powerful:

The security of the online computer system used by more than three million people to file tax returns is in doubt after HM Revenue and Customs admitted it was not secure enough to be used by MPs, celebrities and the Royal Family.

Thousands of “high profile” people have been secretly barred from using the online tax return system amid concerns that their confidential details would be put at risk.

Posted on February 5, 2008 at 2:38 PMView Comments

Corporate Spying

This is a good article on a new trend in corporate spying: companies like Wal-Mart and Sears have resorted to covert surveillance of employees, partners, journalists, and even Internet users to protect itself from “global threats.”

“Like most major corporations, it is our corporate responsibility to have systems in place, including software systems, to monitor threats to our network, intellectual property and our people,” Wal-Mart spokeswoman Sarah Clark said in a statement in April. Following the Gabbard firing, Wal-Mart said it conducted a review of its monitoring activities. “There have been changes in leadership, and we have strengthened our practices and protocols in this area,” Clark said.

[…]

At a gathering of security specialists in New York City in January of 2006, David Harrison, the former Army military intelligence officer who was hired by Senser to head Wal-Mart’s analytical security research center, provided a rare glimpse into the company’s monitoring operations. Harrison told the gathering Wal-Mart faces a wide range of threats: “A bombing in China, an armed robbery in Brazil, an armed robbery in Las Vegas, another bomb threat, and that was just yesterday,” Harrison said.

To safeguard its employees and operations Wal-Mart has tapped its massive data warehouse of information, now believed to be larger than 4 petabytes (4,000 terabytes), to look for potential threats. It tracks customers who buy propane tanks, for example, or anyone who has fraudulently cashed a check, or anyone making bulk purchases of pre-paid cell phones, which could be tied to criminal activities. “If you try to buy more than three cell phones at one time, it will be tracked,” he reportedly told the audience.

[…]

Gabbard, the Wal-Mart employee fired for recording reporters’ phone calls, said in his interview with The Wall Street Journal that Wal-Mart uses software from Raytheon Oakley Networks to monitor activity on its network. The Oakley product was originally developed for the U.S. Department of Defense.

The Oakley software is so sophisticated it can allow administrators to visually see what types of information are moving across the network, from Excel spreadsheets to job searches on Monster.com, or photos with flesh tones that might indicate a user is viewing pornography.

And this article talks about ex-CIA agents working for corporations:

The best estimate is that several hundred former intelligence agents now work in corporate espionage, including some who left the C.I.A. during the agency turmoil that followed 9/11. They quickly joined private-investigation firms whose U.S. corporate clients were planning to expand into Russia, China, and other countries with opaque business practices and few public records, and who needed the skinny on international partners or rivals.

These ex-spies apply a higher level of expertise, honed by government service, to the cruder tactics already practiced by private investigators. One such ploy is pretexting—obtaining information by pretending to be somebody else. While private detectives have long posed as freelance reporters or job recruiters to get people to talk, former agents have elevated pretexting to an art.

[…]

Similarly, ex-agents have helped popularize the use of G.P.S.-based monitoring devices and long-range cameras for following people around. One corporate-espionage technique comes straight from the C.I.A. playbook. In the constant search for the slightest edge, some hedge funds and investment companies have turned to a handful of private-investigation firms for a tactic that seems to fall between science and voodoo. Called tactical behavior assessment, it relies on dozens of verbal and nonverbal cues to determine whether someone is lying. Signs of potential deception include meandering off topic rather than sticking to the facts and excessive personal grooming, such as nervously picking lint off a jacket. This method was developed by former lie-detector experts from the C.I.A.’s Office of Security, which administers polygraph tests to keep agents honest and verify the stories of would-be defectors.

[…]

Most of the ex-agents’ activities, from surveillance to lie detection, are perfectly legal. In the wake of the 2006 Hewlett-Packard scandal, detectives used pretexting to obtain the private telephone records of company directors, employees, and journalists. In an effort to track leaks to the media, federal law was tightened to prohibit using fraudulent means to obtain telephone records. Financial records were already off-limits. But federal law doesn’t forbid assuming a false identity to get other information—an area that ex-spies exploit.

Still, a few techniques favored by the spies-for-hire do appear to violate privacy statutes. One of these involves using “data haunts,” extreme methods of electronic monitoring such as tracking cell-phone calls and gathering emails by relying on secretly installed software to record computer keystrokes. An ex-C.I.A. agent described a group of his former colleagues who set up shop offshore so that they could tap into telephone calls—a practice prohibited by federal law—outside U.S. jurisdiction. “They call themselves the bad boys in the Bahamas,” he said.

Even some of the legal methods are controversial within the industry. Certain old-school firms won’t stoop to dumpster diving or stealing garbage—which is usually legal as long as the trash is on a curb or other public property—” because they consider it unethical. They say that the prevalence of former intelligence agents in the field and the rise of unscrupulous tactics have tarnished a business that often struggles with its reputation. One longtime investigator complained that he recently lost business to some ex-C.I.A. officers who promised a potential client that they could obtain the phone and bank records of a target—something that is illegal in most cases.

[…]

Current and former employees said Diligence’s ex-spies also held classes in using false identities to obtain confidential information. Ex-employees said it wasn’t unusual for an investigator to have five or six cell phones, each representing a different identity, on his or her desk. And while ex-C.I.A. and former MI5 agents were old hands at such deception, the new initiates sometimes got confused and answered a phone with the wrong name.

All interesting. It seems that corporate espionage has gone mainstream, and the debate is more about how and when.

On a related note, this paragraph disturbed me:

On occasion, Diligence investigators were dispatched to collect garbage from a target’s home or office. In some cases, two former employees said, Diligence hired off-duty or retired police officers to take trash so that they could wave their badges and fend off any awkward questions.

It’s public authority being used for private interests. We see it a lot—off-duty police officers guarding private businesses, for example—and it erodes public trust of authority. In the case above, I’m not even sure it’s legal.

Posted on January 16, 2008 at 12:21 PMView Comments

Passport Fraud

Investigative report on passport fraud worldwide.

Six years after 9/11, an NBC News undercover investigation has found that the black market in fraudulent passports is thriving. On the streets of South America, NBC documented the sale of stolen and doctored passports, and travel papers prized by terrorists: genuine passports issued under false names. For a few thousand dollars, an undercover investigator was able to purchase several entirely new identities from organized criminal networks with access to corrupt government employees. The investigator obtained passports from Spain, Peru, and Venezuela and used the Peruvian and Venezuelan passports to travel widely in the Western Hemisphere, with practically no scrutiny.

Posted on January 8, 2008 at 1:59 PMView Comments

The Cybercrime Economy

Interesting article:

While standard commercial software vendors sell software as a service, malware vendors sell malware as a service, which is advertised and distributed like standard software. Communicating via internet relay chat (IRC) and forums, hackers advertise Iframe exploits, pop-unders, click fraud, posting and spam. “If you don’t have it, you can rent it here,” boasts one post, which also offers online video tutorials. Prices for services vary by as much as 100-200 percent across sites, while prices for non-Russian sites are often higher: “If you want the discount rate, buy via Russian sites,” says Genes.

In March the price quoted on malware sites for the Gozi Trojan, which steals data and sends it to hackers in an encrypted form, was between $1,000 (£500) and $2,000 for the basic version. Buyers could purchase add-on services at varying prices starting at $20.

This kind of thing is also discussed here.

Posted on January 2, 2008 at 7:21 AMView Comments

1 21 22 23 24 25 39

Sidebar photo of Bruce Schneier by Joe MacInnis.