Wachovia the Wicked? Yikes what a stunningly bad way to run a bank

Okay, this post will probably reduce to nil my chances of getting hired as a computer security or data privacy consultant to Wachovia Bank, but it's hard to let this story pass without comment. According to a report in the New York Times, Wachovia Bank kept doing business with rip-off artists long after it was clear that doing so was aiding and abetting them. In short, Wachovia:
"solicited business from companies it knew had been accused of telemarketing crimes....high-ranking employees at the nation’s fourth-largest bank frequently warned colleagues about telemarketing frauds routed through its accounts.... Documents also show that Wachovia was alerted by other banks and federal agencies about ongoing deceptions, but that it continued to provide banking services to multiple companies that helped steal as much as $400 million from unsuspecting victims."

Now, obviously I don't have the time and resources to watch all the news that appears on television, but I haven't seen this latest development in the story on either CNN or NBC. True, it doesn't have the same urgency as an election or a killer storm. But right now the blogosphere is the only place it seems to be kept alive, by bloggers who are making sure it doesn't get swept under the rug (along with some good old-fashioned, old-media legwork).

Consider the words I italicised. A major American bank, a Main Street retail bank, provided banking services to multiple companies that helped steal as much as $400 million from unsuspecting victims.

Shouldn't that be a major, ongoing news story until justice is served? The fourth largest US bank deeply entangled in a $400 million consumer rip-off?

3 Smart Choices in One Cute Picture

As some of my friends already know, we are in beta mode at our place in the hills between the Adirondacks and the Catskills, testing the feasibility of year-round residence.

The Arctic Cat ATV you see here was an early purchase, mainly for pleasure, but also for utility (the miniature pickup-bed behind the driver actually tilts--very useful for hauling and dumping firewood, dirt, etc.). The rack on the front is a handy place to strap tools, axe, chainsaw, shotgun, and so on.

We have had great use of this 4x4 on the trails around the property, but in terms of mileage the main use has been dog walking: our Springer Spaniel loves to run ahead of it.

But we don't just drive the ATV around to exercise the dog while we conserve human calories sitting in the driver's seat. No-o-o. We drive to previously unexplored locations, park, then head off on our own two feet, weather permitting.

And speaking of weather, smart choice number two in this picture is the Warn snow plow. Installed by Dan Beebe, a.k.a. "Dan the ATV Man," of Performance Recreation, this plow really gets the job done. Following Dan's advice, we installed chains on the rear tires and we always plow in Low gear with 4-wheel drive engaged. Haven't got stuck yet. Raising and lowering the plow is handled by the Warn winch (barely visible just above the plow). The winch came pre-installed on the ATV and the fingertip controls are fully integrated on the handlebar.

Thanks to a simple but effective design the winch can still be used with the plow installed, like when I had to haul a fallen tree off the trail to get back to base camp (in fact the plow worked well as an anchor when the winch started to exert serious tension on the dead weight of the tree trunk).

And of course the third smart choice in the picture is the lady at the controls, my amazing partner Chey (as in: I chose her and she, thankfully, chose me). Who knew she would be a talented and enthusiastic plower of snow. That simply wasn't on my radar when I spotted her, over twenty years ago, amid San Francisco's ultra-cool coffee-house scene.

The Happiness Life Cycle: An Open Letter to NBC's Brian Williams

Dude...I just wanted to have a few words with you about the Happiness Life Cycle that you featured on NBC Nightly News last night.

(I'm assuming you're cool with the whole "Dude" salutation, what with you being a frequent and much applauded guest on The Daily Show and now heading up a very slick, video-rich, blog-enabled web site.)

[Chart: average happiness by age and sex]

And the first word I want to have is Dude! As in Dude! Did you look at this thing? It's going to drive people crazy.

Take me, for example. I'm a 55-year-old guy and the chart is right! I am unhappy. Very unhappy. About rock bottom in fact, just like the chart says I should be. The thing is, Dude, I thought it was because the real estate crash just wiped out most of my net worth.

So much that I worked for has gone, poof, disappeared! Talk about depressing! But no, the real reason I'm unhappy, according to the chart, is because I'm at the bottom of the happiness curve.

Furthermore it looks like I'm about to start heading back up to happiness. This is great news, but so confusing. Does it mean I'm going to come to terms with being poorer than I was eight years ago? Eight years of hard toil, all for nought, yet I'm going to be happy? Maybe I am going to win the lottery just like the lady with the crystal ball said. Or perhaps an up-turn in the housing market is just around the corner (maybe you could start talking about it, pretty much like you talked us into bursting the bubble?). The thing is...

On IP and PII: Merely the Location of a Computer? Non!

A recent AP article entitled "EU Official: IP Is Personal" shows that some people still don't understand, or are prepared to willfully misconstrue, one of the basic privacy concepts: personally identifiable information or PII.

On the one hand you have the head of the European Union's group of data privacy regulators stating that "IP addresses, string of numbers that identify computers on the Internet, should generally be regarded as personal information." He is correct.

On the other hand you have Google insisting that "an IP address merely identifies the location of a computer, not who the individual user is." Google is incorrect.

An IP address does not merely identify the location of a computer, just as your street address does not merely identify a physical location and your year of birth does not merely identify a year. All someone needs is a few 'mere' facts about you and your identity can be established. That's why it is called personally identifiable information.

There are plenty of simple experiments you can conduct to prove this.
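One such experiment in code, added here as an illustration and not part of the original post: the constructed records below pair an IP address with one or two other "mere" facts (ZIP code, year of birth) and count how many records those facts single out, then show how coarsening the same fields (IP to its /24 network, year to decade, ZIP to three digits) raises the anonymity of the set. The user records and the RFC 5737 documentation addresses are constructed sample data.

```python
"""Quasi-identifier uniqueness check (constructed example, not from the post).

An IP address on its own is 'merely' a network location, but combined with a
couple of other mere facts it singles out individual records. The records
below are made-up sample data using RFC 5737 documentation addresses.
"""
from collections import Counter
from ipaddress import ip_network

# Constructed sample records: six hypothetical users.
RECORDS = [
    {"ip": "192.0.2.10", "zip": "10001", "birth_year": 1965},
    {"ip": "192.0.2.10", "zip": "10001", "birth_year": 1968},
    {"ip": "192.0.2.11", "zip": "10001", "birth_year": 1965},
    {"ip": "192.0.2.12", "zip": "10002", "birth_year": 1965},
    {"ip": "198.51.100.7", "zip": "10002", "birth_year": 1978},
    {"ip": "198.51.100.8", "zip": "10002", "birth_year": 1978},
]


def _groups(records, columns):
    """Count how many records share each combination of the given columns."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def min_group_size(records, columns):
    """Smallest group sharing the same values for `columns` (k-anonymity).
    k == 1 means at least one person is uniquely identified by those facts."""
    return min(_groups(records, columns).values())


def unique_fraction(records, columns):
    """Fraction of records that are the only one with their column values."""
    counts = _groups(records, columns)
    singles = sum(1 for r in records if counts[tuple(r[c] for c in columns)] == 1)
    return singles / len(records)


def generalize(record, prefixlen=24):
    """Coarsen the quasi-identifiers: IP to its /24 network, birth year to
    decade, ZIP to three digits. A common mitigation when IP addresses must
    be retained for analytics but should not pin down an individual."""
    net = ip_network(f"{record['ip']}/{prefixlen}", strict=False)
    return {
        "ip": str(net),
        "zip": record["zip"][:3],
        "birth_year": record["birth_year"] // 10 * 10,
    }
```

With the raw records, IP address plus birth year makes every record unique; after generalization no combination of the three fields identifies fewer than two people.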

Once More Unto the Breach Dear Friends?

I think that I speak for a number of my colleagues in the information security and data privacy communities when I say that "breach burn-out" is a recurring occupational hazard.

Here's how it goes. After some period of time spent working on projects to improve security and privacy you hear about a rash of incidents, a string of security breaches, that elicit weary groans. You find yourself asking, "Why do I bother?"

Sometimes the still small voice of calm will answer, "For the money." You remind yourself of the payments that are due, the mortgage, the doctor bills and the health insurance (which may well be bigger than the mortgage). And you decide to keep going.

Sometimes you find yourself in a position to ease back on the earnings and take some time to smell the roses, and you say to yourself "Them roses, they sure smell good." But then you hear about a rash of breaches that elicit groans of a different kind, groans of anger and frustration, tinged with regret. And sometimes you decide it's time to rejoin the fray.

Speaking for myself, I've been groaning a lot lately. There was Facebook, valued at billions, either failing to get a clue about privacy or arrogantly flouting privacy conventions to see if it could make a buck. There was the year-end count of private data exposures that topped 160 million records. There was Boeing and its hackable Dreamliner (after the FAA intimated the 787 could be hacked because "it allows new kinds of passenger connectivity to previously isolated data networks," Boeing said that "the plane's networks don't completely connect" as though partial connection was somehow not connection). Now we have CIA statements at SANS about hacking utilities and other SCADA systems, reminding everyone that folks in several sectors have continued to develop and deploy mission critical systems under various false assumptions about security.

(Which part of War Games did these people sleep through? BTW, there is a good primer on SCADA on Wikipedia and here is a well-balanced set of slides--in .pdf--put together by D. Maynor and R. Graham at ISS. Their experience parallels what my colleagues found in the nineties: zero systems they could not penetrate, and many that could be hacked with skills rated 3 or less on a scale of 1 to 5.)
Even cool companies like Aptera seem to be forgetting simple things, like not letting other people sign you up for their email. Hardly on the same scale as diddling with the spent fuel rods at a nuclear power plant, but one more reminder that when it comes to security and privacy, most people just forget this stuff. Which is not so much a criticism of "most people" but a reminder that most people don't have an innate talent for "security-think."
Indeed, this truism is so well-established that the folks in charge should have put well-established mechanisms in place to compensate some time ago, like security input at the design stage and security review during development and deployment. With all the other problems the world faces, it would be nice to think that by now we had routed the insecurity dragon or at least chained it up in its cave. Apparently we have not. Darn it!

[Exeunt. Alarum, and chambers go off]

Natural Beauty

Sometimes I find nature more beautiful than any art.

This is the view down the trail from my house right now. Layla, our Springer Spaniel, is looking back at me, encouraging me to take a walk.

The snow on the branches of the birch trees and maples creates a sort of cathedral over the trail. The silence is wonderful and the air is fresh and clear.

A walk down this trail seldom fails to cheer me up. Layla ventures off to the left and the right, bouncing through snow cover, following deer tracks and turkey tracks, but looking back every fifty feet or so to get my nod to continue or return.

I now have a wider shot of this scene as the wallpaper on my laptop (1280x800). That way I can see it long after the snow melts. If you'd like to try it you can download it here (it is free, licensed under Creative Commons Share Alike 3.0, attribute: Stephen Cobb).

Data Exposure Stats Exposed

When I picked the top three privacy/security stories of 2007, the annual toll of privacy breaches was not included. My intention was not to belittle the ongoing plague of personal data exposures. However, this is a plague in progress and in that sense it is not new, thus arguably less newsworthy than some other developments.

That said, the year-on-year increase in exposures is worth noting, as Mark Jewell did recently, writing for the Associated Press. He cites Linda Foley of the San Diego-based Identity Theft Resource Center who says "more than 79 million records" were reported compromised in the United States through Dec. 18, 2007. That is almost a fourfold increase from the nearly 20 million records reported compromised in all of 2006.

Another source is Attrition.org, which reckons more than 162 million records were compromised through Dec. 21 of 2007, but that was worldwide and not just the US. The comparable 2006 figure from Attrition was 49 million, so they are suggesting a year-on-year increase of more than 3X.

Jewell points out that the biggest difference between the record-loss counts of the two organizations is Attrition’s estimate that 94 million records were exposed in the TJX case (T.J. Maxx, Marshalls, etc.). Attrition’s figure is based on estimates from Visa and MasterCard officials who were deposed in a lawsuit banks filed against TJX whereas the Identity Theft Resource Center counts about 46 million, which is the number of records TJX acknowledged in March were potentially compromised.

Strangely, Jewell states that Attrition.org and the Identity Theft Resource Center are the only groups, government included, maintaining databases on breaches and trends each year. That's a [hopefully unintentional] slight to the Privacy Rights Clearinghouse where Beth Givens has been keeping track of numbers for several years. The PRC site documents 217,118,526 records exposed from 2005 through 2007. I think a lot of the PRC data is sourced from Attrition, but PRC reviews it and sometimes modifies it. David Shettler has developed a Web site that provides statistical analysis of security breach data, at www.etiolated.org.

When you consider this chart, based on Attrition numbers, the scale of the problem is apparent. While some of the steepness of the curve is probably due to increased reporting of incidents following disclosure laws passed in California and other states, those laws are not creating the exposures, which are all real: real people, for whom exposure causes real problems. Clearly, companies and governments need to do a much better job.