Comments on: HP Spying on Their Board

By: Adam

Adam — Thu, 14 Sep 2006 14:09:37 +0000

Phill,
Since I need an account to respond to your blog, I respond here:
The cost of an effective control is low: Mail me a password with the first physical mail you send me. Require it for future action. If I don’t have it, mail another one. Optionally, fedex it at my expense.

By: Phill

Phill — Wed, 13 Sep 2006 10:28:51 +0000

I just posted a reply on my blog, its a bit long for a comment. I don’t think that a case against ATT would be likely to work given how widespread the practice is.
The question I would like to see an answer to is what other controls were in place. Where were the records sent out to? Was a letter sent to the original billing address to provide notification that it had changed?
We could do the usual thing here and just gripe about ATT but what could be done to eliminate the problem? Telephones do provide a fairly good means of authenticating a line user. Its not like there is nothing to work with here.
http://dotfuturemanifesto.blogspot.com/2006/09/more-hp-fallout.html

By: wpn

wpn — Wed, 13 Sep 2006 09:30:53 +0000

Until there’s a law on the books that says you’re not allowed to require people to authenticate themselves by supplying an SSN, this is going to happen again and again. I doubt that’s going to happen, though, because people constantly confuse identification (telling one individual apart from another) with authentication (validating who they say they are for the purposes of granting them access to something). The default has been to use the SSN for both purposes rather than separating them. Companies can’t stop using it. If they feel bad about using it, they convince themselves that just limiting it to the last 4 digits isn’t so bad — and that’s how you get to where AT&T is now.

By: Iang

Iang — Wed, 13 Sep 2006 06:17:42 +0000

Think of it this way: if it was a small-nothing-nobrand company doing it, and someone lost their job and privacy was breached and all that sort of stuff, then, yes, they would be negligent, they’d be sued, wire fraud and all.
Because it’s AT&T, people aren’t likely to call them on it. The same thing happened in the recent Sony case — too big to be treated as a wrongdoer. And, that’s what the Chairman was relying on, HP being too big to be wrong.
Perkins presumably called the HP board on it because of his need to preserve his future employability on boards, but he isn’t likely to sue AT&T for their part. The only reason the FCC is interested now is that it hit the papers. Every security player in the business has been building these systems forever, but they know which side their bread is buttered on.
The clients pay the bills, so they are innocent. AT&T is a client and a victim. Anyone else is a suspect.

By: Mordaxus

Mordaxus — Tue, 12 Sep 2006 13:53:47 +0000

It may not be necessary for a court to be convinced. It may be sufficient for the FCC to be convinced. The FCC is talking to AT&T now and asking some pointed questions about how this happens.
Last night on Marketplace, a law professor (sorry, I forget whom) said that the solution may be to notify people by snail mail and email when their basic parameters change. Other industries do this, and it’s an effective way to create hard-to-beat detection.
His other good point was that this was wire fraud, and should be treated as such.