State of the art in credit-card antifraud

Let’s start the day by recounting a recent encounter with American Express’s finest customer service.

This is not the first time that AmEx has engaged in dubious practices when it comes to protecting user information. For a very long time their login page did not use SSL, instead trying to make up for that by placing an ersatz padlock icon on the page, no doubt playing to the confusion in users’ minds about the meaning of web browser security indicators. Their latest exploit involved the pioneering of RFID chips in credit cards; perfect timing, considering these new Blue cards came out around the same time as news stories about the ease of cloning RFID chips and skimming information from RFID devices carried by unsuspecting victims.

The incident in question started out as a simple unauthorized charge from DirecTV, a satellite provider. Considering that this blogger has cable at home, this was clearly a case of mistaken customer. At least in the US such errors are easy to dispute: the onus is on the merchant to prove that the charge did take place. After a cordial phone conversation with a representative, the charge was suspended pending investigation.

Fast forward one month. Another charge from DirecTV, about the same amount. Clearly this is set up as a recurring charge, one of those auto-payment options where the company bills subscribers every month after the user provides their credit card number once. Another call, another dispute, charge placed on hold again. Only this time the conversation is less cordial. The customer service rep claims that American Express has no way to block payments from a merchant. In other words, until DirecTV wises up to the error, they will continue billing every month and this dispute charade must continue each time.

That’s right: for all the sophisticated fraud detection algorithms, designed to cry foul when a bachelor used to buying beer starts purchasing diapers on his card, the credit card networks can’t implement a simple rule along the lines of: “block all charges to this account from this merchant.”


cemp

Another full-disclosure debacle at Black Hat

Here we go again. It’s almost as if the lessons from the 2005 Michael Lynn incident were completely forgotten. Granted, the conference has changed ownership, but the challenges to full disclosure from over-eager companies remain the same.

In this case Kim Zetter of Wired News reports that a demonstration of weaknesses in RFID proximity cards by Chris Paget of research firm IOActive was scuttled after some legal scare-mongering by HID, a vendor that produces such cards. Quote:

IOActive says it offered a few compromises after hearing from HID, including allowing an HID representative to appear on stage with Paget to discuss its product — but HID wouldn’t agree not to sue.

The incredible part of this is that the vulnerability was already demonstrated at another conference (RSA 2007) earlier in February. And just like the remote code execution in Cisco routers that the company tried to suppress in 2005 (ever wondered why the conference proceedings are missing an entire section of pages from that year?) the incident only served to increase awareness of the problem and draw more attention.


Netflix vs. McDonald's vs. iTunes

McDonald's likes to boast about its billions of burgers served. According to a BusinessWeek article it took slightly more than 8 years for the franchise to hit the first billion mark. But Netflix reached the same milestone in seven months less, which is the main point of the article. At its current pace of 1.5M DVDs in the mail every week, the projected time for the next billion is another two-and-a-half years. Even more telling is the growth rate, which promises to cut down that time drastically: Netflix added over 2 million customers last year to reach 6M+ total subscribers and expects to reach 20M by 2012.

While entertaining, this comparison between making burgers and mailing out DVDs falls flat for many reasons. First is relative population: McDonald's started in 1955, when the US population stood at less than 200M. Today, in the wake of crossing 300M, Netflix has a much larger customer base to draw on. In relative terms, McDonald's expansion in its earlier years was faster. On the other hand a single Netflix DVD could mean multiple views, since the average family of 4+ individuals will all watch the same disc. Burgers are not exactly intended for sharing. Netflix also does not face the same geographical challenges. While the company operates warehouses around the country for receiving and shipping DVDs, its reach within the continental US is a function of the postal service. No physical presence is required. By contrast, proximity to customers is crucial in retail, and the Golden Arches depends on relentlessly following suburban sprawl to build new franchises.

A better comparison may be iTunes, which recently crossed the 2B threshold. A creature of the technology industry, free from any geographic limitation or even the problem of transporting stuff around by mail, its meteoric rise has been hailed as a sign that traditional music distribution is obsolete. (A cautionary second opinion points out that online sales are still a tiny fraction of all music purchases and news of the RIAA dinosaur's extinction may have been slightly exaggerated.) It shows a similar exponential growth pattern: hitting half a billion in July 2005, one billion in February 2006 and two billion recently in January 2007.


Past anniversary of congressional hearings: US companies and China

“I do not understand how your corporate leadership sleeps at night”

(Rep. Tom Lantos, Democrat, CA)

You might think that Rep. Lantos had been grilling representatives from oil, energy or tobacco companies. But this harsh criticism on Feb 15th 2006 was aimed at the technology giants Yahoo, Google, Cisco and Microsoft, over their business operations in China. On that day the House Subcommittee on Africa, Global Human Rights and International Operations called the three online giants and the networking hardware vendor on the carpet over their impact on online freedom in China.

One full year has passed since that day, but there is still no compelling solution to the problem of doing business worldwide while grappling with questions of different jurisdictions, rooted in values that are fundamentally at odds with each other.

Link to full transcript of the hearing.


Back in the USA

After one week in Istanbul, arrived in snow-covered Chicago yesterday afternoon, via Munich, compliments of the always punctual and efficient Lufthansa.

A series of blog posts will cover the differences in basic parts of life in Istanbul that stood out for this blogger, who had last seen the city in April 2004.


Environmentally friendly spam

This must be the reductio ad absurdum of eco-consciousness. After organic-this and Energy-Star-that, here comes unsolicited email extolling the benefits of biofuels. AutoBlogGreen reports a bizarre incident where one of the bloggers received 2 copies of the same message singing the praises of biodiesel. Quote:

“Biodiesel is a safe alternative fuel. Biodiesel has a higher flash point than regular diesel. It is classified as non-flammable by the NFPA, and is not required to carry a Hazardous Material label when being shipped.”

All true, and this is where the standard spam message would urge the reader (“hurry, only for short time!”) to snatch up shares in some dubious enterprise ready to capitalize on said great technology. Except the mail, quoted in its entirety, does not name a single company or website. Hopefully spammers have not taken to distributing public service announcements for free.


Copyright: state of the union in three stories

1. Neutral: Following Steve Jobs' call to end digital rights management, a story is circulating in the blogosphere that EMI may release its entire catalogue DRM-free.

2. On the upside: AACS, the content protection system used for HD-DVD and Blu-ray, has experienced its first serious defeat. The news comes from the same Doom9 forums where 2 months ago a researcher with the handle “muslix” had succeeded in extracting a volume key for one of the titles. That attack was only good for stripping DRM from a single title. Each DVD has its own volume key, which itself is encrypted to many “player keys”, one for every device/player that licenses the standard. Of course once you can extract a single volume key, you can repeat the process to extract others, but that can become a labor-intensive process. Yesterday another researcher announced that he had been able to recover one of the player keys.

Surprising? Hardly. It was only a matter of time. The attack targeted a software player, in other words an application that the user installs on their computer. Palladium / NGSCB / TCG notwithstanding, the PC remains an open platform today: there is no way to hide secrets from the owner of the machine. That means the DVD-player software that ships with its own key material has no reliable way to hide it from the administrator of the machine. There is no equivalent to a “vault” where keys can be safely squirreled away, protected from the user, who is assumed to be malicious. This is why DRM depends on obfuscation and obscurity, without any solid grounding in theory, and that’s why it desperately needs non-technical defenses such as the DMCA to discourage reverse-engineering. And we can see how successful the DMCA has been in the Hack SDMI challenge, the DeCSS debacle and a series of successful attacks on iTunes and Windows Media Player.

The development of attacks on AACS also bears out a prediction from Ed Felten:

“Once he has device keys, he could in principle publish them (or equivalently publish a program containing them), thereby allowing everybody to extract title keys and decrypt discs. But if he does this, the AACS central authority will learn which device keys he is using and will blacklist those keys, which will prevent those keys from decrypting discs manufactured in the future.”
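To make the key hierarchy and blacklisting concrete, here is an added toy model (not AACS's actual cipher or key layout, and not code from the forum posts): each disc carries its volume key wrapped separately under every non-revoked player key, and the licensing authority stops including a blacklisted player's entry on discs pressed after revocation, so old discs still play but new ones do not. Key wrapping and content encryption are stand-ins built from SHA-256 pads, chosen so the script runs with the standard library only.

```python
import hashlib
import secrets
from dataclasses import dataclass

def _pad(kek: bytes, label: bytes) -> bytes:
    # Toy 32-byte pad derived from a key and a label (stand-in for a real cipher).
    return hashlib.sha256(kek + b"|" + label).digest()

def wrap(kek: bytes, key32: bytes) -> bytes:
    """Wrap a 32-byte key under another key; XOR makes unwrap the same operation."""
    return bytes(a ^ b for a, b in zip(key32, _pad(kek, b"wrap")))

unwrap = wrap

def xor_content(volume_key: bytes, data: bytes) -> bytes:
    """Toy content encryption under the volume key (payload limited to 32 bytes)."""
    assert len(data) <= 32
    return bytes(a ^ b for a, b in zip(data, _pad(volume_key, b"content")))

@dataclass
class Disc:
    title: str
    wrapped_keys: dict   # player id -> volume key wrapped under that player's key
    check: bytes         # hash of the volume key, lets a player verify its unwrap
    ciphertext: bytes

class LicensingAuthority:
    """Issues player keys, presses discs, and blacklists compromised players."""
    def __init__(self):
        self.player_keys = {}
        self.revoked = set()
    def license_player(self, player_id: str) -> bytes:
        self.player_keys[player_id] = secrets.token_bytes(32)
        return self.player_keys[player_id]
    def revoke(self, player_id: str) -> None:
        self.revoked.add(player_id)     # future discs omit this player's entry
    def press_disc(self, title: str, content: bytes) -> Disc:
        vk = secrets.token_bytes(32)    # fresh volume key per title
        wrapped = {pid: wrap(k, vk) for pid, k in self.player_keys.items()
                   if pid not in self.revoked}
        return Disc(title, wrapped, hashlib.sha256(vk).digest(), xor_content(vk, content))

def play(disc: Disc, player_id: str, player_key: bytes):
    """Return the plaintext if this player's key can still unwrap the disc's volume key."""
    blob = disc.wrapped_keys.get(player_id)
    if blob is None:
        return None                     # blacklisted before this disc was pressed
    vk = unwrap(player_key, blob)
    if hashlib.sha256(vk).digest() != disc.check:
        return None                     # wrong key for this entry
    return xor_content(vk, disc.ciphertext)

def demo():
    la = LicensingAuthority()
    k_a, k_b = la.license_player("player-A"), la.license_player("player-B")
    old = la.press_disc("old title", b"feature film")
    la.revoke("player-A")               # A's key leaked and was published
    new = la.press_disc("new title", b"later release")
    return (play(old, "player-A", k_a), play(new, "player-A", k_a), play(new, "player-B", k_b))
```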

Compare this to the following quote from the post announcing successful break:

“I’m not telling which player I used (well you can guess but you might guess wrong) to retrieve the Processing Key because I don’t want to give the AACS LA any extra legal ammunition against any player company.”

3. On the downside: “This copyright notice is copyrighted.” Wendy Seltzer just received a DMCA takedown notice for posting on YouTube a recording of the copyright notice from the NFL’s Super Bowl broadcast. She is a law professor and intended to use the clip for teaching. (YouTube did not waste any time and sent her the letter in 5 days; if only customer service worked that quickly.) Except this is one takedown notice they may come to regret: Wendy runs the Chilling Effects clearing-house where website owners can post take-down notices they received. Even Google used to forward their DMCA notices there, giving full disclosure when search results are altered due to legal requests.


Voting with the portfolio: Fidelity and Sudan divestment

This is the 21st century version of “voting with the wallet.” Socially responsible investing is not a new idea. SRI mutual funds have been around since the 1970s and they even have their own S&P-equivalent index (Domini Social Index 400) as benchmark to gauge the performance of different offerings.

But a renewed interest in the unstable situation in Sudan suggests the difficulty of defining responsibility and making it actionable. A number of people have called for divestment from all companies benefiting from the war in Sudan. This is no fringe movement: no less than Harvard University has implemented the recommendation by eliminating its positions in PetroChina and Sinopec, both oil companies drilling in Sudan. (Quote: “Although Harvard maintains strong presumption against the divestment of stock …we believe that the case for divestment in this instance is persuasive.”)

In spite of its wealth, Harvard still controls only a small share of total US capital invested overseas. Mutual funds control the lion’s share, on behalf of ordinary citizens and institutional investors. Case in point: Fidelity is the largest investor in PetroChina and, not surprisingly, one website singles out Fidelity, calling on it to drop any Sudan-related equities from its mutual funds. Fidelity’s take on the problem? According to this Money/CNN article, primarily denial and form letters:

“We believe the resolution of complex social and political issues must be left to the appropriate authorities of the world that have the responsibility, and capability, to address important matters of this type. And we would sincerely hope that they would do so wisely on behalf of all of the citizens of the globe.”

Deja vu? Sounds like the same spineless stance Fidelity has taken in the past, when confronted with the decision to support shareholders demanding greater accountability from boards.

The page pointedly notes that Fidelity handles retirement accounts for a number of large companies including Microsoft and Time Warner. This raises an interesting question about what individuals can do. While there is no control over the choice of brokerage for corporate accounts, typically employees do have a say in what funds they hold in those accounts. (Don’t expect unbiased representation though: it is natural for the brokerage to emphasize its own funds.) There is a second question around whether the issue taints all Fidelity funds or only those with positions in the questionable equities. One might expect that only foreign funds are impacted, which would be bad enough considering the exodus of money into foreign funds owing to this class having outperformed domestic stocks for 3 years. But according to this helpful breakdown of holdings, even the domestically weighted and extremely popular Contrafund (FCNTX) is involved, having increased its position by close to 10% in the 3rd quarter of CY2006.


City of Raleigh pioneering use of LEDs

An earlier post here discussed LED lighting as an emerging technology, ready to take on fluorescent bulbs in specialized niche markets and poised to become a mainstream competitor for lighting once the price point drops. Today CNet reports that the city of Raleigh has already started replacing existing sodium lights in a downtown parking garage with LEDs.

This is a pilot project in conjunction with the manufacturer Cree. Mayor Meeker claims they expect to recoup the higher initial cost of the LEDs in 2-3 years. (It is not clear if the city had to pay market price for this installation. For one thing, wholesale buyers benefit from economies of scale, and the vendor may have been incented to give away its V1 product at a significant discount for goodwill and positive PR coverage.)

Commercial markets for lights that stay on 24/7 and have associated maintenance costs may well become the beach-head for LEDs:

“Over the next year, LED-based light fixtures for commercial buildings and signs will begin to increase in number […] . The commercial market in many ways is inherently more attractive because they don’t need to be replaced as often, which cuts down the number of times the maintenance crew has to put up a ladder.”

Cree CEO Chuck Swoboda claims that new homes may feature LED lighting as early as 6-12 months from today. That may be too optimistic: with the slump in real estate across the board, it’s difficult to imagine developers used to churning out cheap, wood-frame, cookie-cutter units starting to use expensive parts that will only pay off for the buyers in the long term. Or, for that matter, buyers being rational enough to weigh future savings against initial price, if the costs were passed on. At best this could become the showcase feature for an urban construction project trying to distinguish itself by appealing to eco-conscious buyers.


Conflict diamonds on the big screen

It is not often that an international non-profit organization sends letters to contributors urging them to watch the latest Hollywood blockbuster. That’s exactly what Amnesty International has done with Blood Diamond.

It’s not the first time the subject of conflict diamonds has featured in a major production. That honor goes to a James Bond movie, of all things. As played by Pierce Brosnan, 007, not exactly known for insisting on fair-trade coffee and dolphin-safe tuna, makes a passing reference to the problem of conflict diamonds in Die Another Day, where the villain is guilty of “laundering” gems from war zones through a bogus mine in New Zealand. But any deeper political and economic examination of the problem is cast aside as 007 gets busy shooting up things.

So it falls to Leonardo DiCaprio to make the point four years later, playing the mercenary Danny Archer smuggling diamonds out of Sierra Leone in order to help a major diamond producer (based in Belgium, just enough separation from reality that De Beers will not take offense) work around the official embargo against trading with the war-stricken country. The movie attempts to make the case on two levels. First there is the ultra-realistic violence reminiscent of Black Hawk Down, showing the effects of civil war, fueled by diamond profits, on the lives of ordinary citizens. In case the audience misses that, there is a very blunt monologue by Archer, filmed in sepia tones and delivered in a practiced South African accent. It purports to explain how demand for diamonds is created as a cultural myth on the one hand, while scarcity is created on the supply side by withholding production from the market. Given the flow of cash involved, Archer says, raising questions about the source is not wise: the last thing buyers need before forking over three months’ salary is even the hint of third-world destruction in the making of their shiny bling-blings.

And for that reason, the sanctimonious suggestion at the end that buyers question the source of diamonds before purchasing rings hollow. Given the incentives at stake, is it in the interest of the sellers to know, let alone disclose, the true origins of their wares? (The three-letter acronym often repeated in the movie, “TIA” or this-is-Africa, might as well be read as this-is-America.)
