Disclosure and PayMaxx

There seems to be a bit of a spat going between PayMaxx, and ThinkComputer (who may have the worst web site I’ve tried to view in a long time). As documented by Robert Lemos at Ziff-Davis:

Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company’s system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.

Instead of being denied access, Greenspan found that another person’s W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers’ data.

“Due to the lack of specificity provided by Mr. Greenspan in his obvious sales pitch, PayMaxx did not view his communications as credible,” the company said. “Consequently, we declined his offer to hire his services.”

It seems that Greenspan provided more than enough data to Mr. Lemos for me to understand the problem. [Update: oops! Via Security, Trust and Privacy News.]

Oh, there it is.

Back in October, I asked, “where’s the 8-in-1 media reader to take photos directly from your camera.” From today’s Apple press release:

The new iPod Camera Connector is an optional accessory that enables customers to connect their digital camera to iPod photo and import their photos into the iPod. By simply connecting the iPod Camera Connector and a digital camera*, customers can easily transfer digital images to their iPod photo, providing tremendous storage space so they can take more pictures. Imported photos are immediately viewable on iPod photo’s crisp color screen, and can also be brought back to iPhoto(R) on the Mac or various photo applications on the PC. The iPod Camera Connector is expected to be available in late March for $29.

Now can I have my HTML export from Keynote? Thanks!

When The Future Has No Shadow

I remember when I was in college, discussing what we’d do if we discovered we had a terminal disease. Being college students, there were lots of ways to maximize short-term fun before the disease ate you.

The game theory folks talk about “the long shadow of the future,” the idea that cooperation can be rewarded in the future, as a strong driver towards cooperative behavior. So what happens if you expect that your company will, over the next few years, be sued out of existence?

One valid answer is to maximize the cash extracted from your customers now, and damn the effects on the rest of the world. You might break laws in other countries. You might claim, under tenuous logic, that local regulations don’t apply to you. You should maximize short term profits over everything, because you may be shut down soon.

Now, I’m not privy to any secrets at Choicepoint. (Unlike Choicepoint, who is privy to secrets about me.) I have no idea if this is their strategy. But are their actions distinguishable from this?

Let’s close with a quote from Schneier:

ChoicePoint protects its data, but only to the extent that it values it. The hundreds of millions of people in ChoicePoint’s databases are not ChoicePoint’s customers. They have no power to switch credit agencies. They have no economic pressure that they can bring to bear on the problem. Maybe they should rename the company “NoChoicePoint.”

[Other Choicepoint posts today include a roundup, some analysis. Or you may just want to look at the archives from Feb 17th onwards.]

Today’s Choicepoint Roundup

Google is running an ad when you search on Choicepoint: “ChoicePoint letter says your identity stolen? Learn your rights. www.jameshoyer.com” On clicking through, its just a form, asking someone to contact you. Renaissancemen has a good roundup, including the fact that only 5% or perpetrators are arrested, and a pointer to Kevin Drum arguing for more consumer control. (The industry will successfully argue that they can’t identify customers like that, and it would be too expensive if they did.) The Seattle Times points out that Choicepoint will be rescreening 17,000 customers.

Wired has a story by Kim Zetter:

Legal experts say that people who suffered losses as a result of the breach will find it difficult to get compensation from ChoicePoint for selling their personal data to con artists, even if the victims can prove that ChoicePoint was negligent in screening customers who purchased their data. That’s because courts have been unwilling to penalize companies when victims of identity theft are not their direct customers.

Michelle Malkin has a roundup, which includes pointers two comments from a private investigator on the value of that industry and the danger of knee-jerk reactions (with more on why PIs are good for you). I am actually very sympathetic to the problem of bad law. It’s too bad that Choicepoint has claimed they’re not covered under the Fair Credit Reporting Act. If they hadn’t taken that position, they’d find it easier to oppose new laws.

Finally, Jackson’s Junction has an interesting insider’s view, including:

I have always known that fraudulent companies were finding ways to obtain credit reports. How have I known this you may ask? Simple. One of the major bureaus issues a list of companies they have banned for improperly obtaining credit reports each month. This list is sent out to all resellers of credit reports letting us know not to do business with these companies. 

More on Choicepoint

Enter ChoicePoint’s two-building campus in Alpharetta, and you get the feeling you are being watched.

starts a new story at the Atlanta Journal-Constitution. (Use Bugmenot to login.) It’s sort of ironic. Choicepoint is focused on identifying people, rather than identifying behavior that leads to trouble. They figure once you have an account, they want you to use it. The TSA is making this same mistake. They’re all over trying to identify the bad people with CAPPS, CAPPS-II, and Free Wheelchairs for Paraplegic Children. The issue isn’t who you are, it’s what you’re doing.

In a move that a lot of people might laugh at, Rich Baich, Chief Information Security Officer of ChoicePoint will be speaking at a web seminar on risk management. (From Mike T, posting to IP.) This is actually a good thing. Mr. Baich and his company have been managing their risks very well. The 140,000 victims? Well, they were an externality. From the company’s tactical viewpoint, it makes sense to maximize revenue by selling as much product as possible. No instance of ID theft, job-lockout, or false arrest was likely to come back to haunt Choicepoint. Then 1386 happened, and now the stock has fallen 5½%. Was this predictable by a reasonable person? I’m sure the courts will decide.

The Open Passport

Third, this may be all moot if the government takes the easy step of giving citizens a passport cover made of aluminum foil. According to one article “Even Schneier agrees that a properly shielded passport cover should solve the problem. He wonders why this wasn’t included in the original plans for the new passports.”

writes Dennis Bailey over at “The Open Society Paradox.” However, a properly shielded passport isn’t the right fix; the right fix is to make the chip one that requires contact to read. Otherwise, you’re at risk every time you open your passport, say at a hotel, money-changer, or bank. The added value of a contact-less reader hasn’t been made clear at all, while the risks are very, very clear.

Cool Tech at RSA: i-Mature

At RSA, I didn’t get a demo, but did talk to John Brainard of RSA about i-Mature, a fascinating biometrics company.
There’s been some discussion on Interesting People. Vin McClellan discusses the tech, Seth Finkelstein maps their web site, reporter Andy Sullivan plays with one, Lauren Weinstein on probable attacks, Herb Lin on the limits of the tech. Some folks wanted to believe that the tech is to magically distinguish 18 year olds from 17 year olds. All of these were discussing the online use of the technology.

I think much more useful and practical is to reduce the demand for ID cards for drinking. If we can reliably, and anonymously, discover that Alice is over 21, then Alice doesn’t need to carry an ID. This is a good thing. Bars would go for this, if it’s both cheap and legally covered, because they sometimes have people who would like to buy drinks who don’t have ID. Bars, being businesses, would like to serve them, if they could manage their liability. So I hope this technology takes off.

Small Bits of Chaos: Passports, Financial Crypto

Ryan Singel has a good post on chipped passports:

Bailey is right that the new passport will be harder to forge with the inclusion of RFID chips, especially since the chip would be digitally signed to prevent changes to the data in the chip. That’s a solid security measure.

But, the chips create a new hazard, since older passports, which have a ten year expiration, will remain valid until they expire.

An unencrypted RFID enabled passport can be skimmed by a hidden reader most easily when the bearer is showing it at a money-changer, giving it to a hotel for safe keeping in the safe or checking into a hostel.

The data — inluding the digital photo — can then be used to create a phony version of the *old* passport, using the name, passport number, and possibly even the picture of a real passport holder.

Firstly, you don’t need an RFID chip to get the benefits of a digital signature. You can use a physical print out (say, several 2-d bar codes, or the signing technology used for physical mail), or a contact chip, like smart-cards have.

Secondly, if the chip isn’t doing a signature, then I can copy the entire block, data and signature, and insert it in a new RFID chip. Since there will be a chip that’s read, I may be able to get away with a lower quality passport fake.

Adam Shostack, another of the original organizers, thinks that the reason for the failure of financial cryptography is simple. “People are conservative in how they pay for things,”

is only one of things that Peter Wayner has to say in this Technology Review article.

Free Mojtaba and Arash!

Sending people to jail for expressing their opinions is wrong. In the west we’ve understood why it was wrong since John Stuart Mill wrote On Liberty. So please, for the betterment of Iran, and the entire world:


Mojtaba and Arash are Iranian bloggers jailed for their ideas. What ideas is almost not relevant. Even if they were saying disgusting things like “Osama is a great guy,” (which would probably get them a medal in Iran), they should be allowed to speak, so that others can counter their false ideas.

(My prior post on Fighting Terrorist Ideas also mentions Mill.)

Cool Tech At RSA

One of the best bits at RSA was at the HP booth.
Marc Stiegler, Alan Karp, Ka-Ping Yee and Mark Miller have created Polaris, a system for isolating and controlling untrustworthy code on Windows. The white paper is here. It’s very simple, easy, and looks like a winner. I hope they find a way to bring it to market.