ID Theft Risk Scores?

A bunch of widely read people are blogging about “MyIDscore.com Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.”

First, there’s little explanation of how it’s working.

I got a 240 when I didn’t give them my SSN, and my score dropped to 40 when I submitted my SSN. [Editor’s note: Huh? Giving out your SSN lowers your risk of ID theft? That seems an odd message.]

Everybody talks about identity fraud, but nobody does anything about it. This does something about it – specifically, it will help stop the worrying on the part of people who don’t need to. And it will give people who should worry a few things to do to get their situation under control. The more that can be done to demystify identity fraud, the better – and the less likely there will be unwise legislation and regulation that ultimately harm the interests of consumers.

In “What is My ID Score?” there’s some explanation:

My ID Score is a statistical score that’s based on technology currently used by leading communications, financial services, retail companies, healthcare providers, government agencies, and consumers to assess your risk of identity theft. These companies use ID Analytics’ scoring technology to ensure that fraudsters do not apply for goods and services in an innocent consumer’s name

So I think this is not really your ID theft risk, but the perception that their software has. To put it another way, it’s the trouble someone is likely to experience when they try to open a new account in the name you’re giving MyIdScore.com

When you put someone’s information in, they ask you a bunch of questions about them, like “which of these phone numbers have you used?” It’s not clear how well that works when the attackers can access the same databases through their breaches.

(This didn’t post when I wrote it, so it’s old news, new analysis.)

To The Moon

One of the really fascinating things about listening to the streaming audio of the first moon landing is how much time was spent debugging the spacecraft, resetting this and that.

As the memory fades away, Charlie Stross wrote about the difficulties in going back to the moon:

Not only does the cost of putting a payload into orbit increase with the cube of the payload weight — this rule holds true in the opposite direction, too. Stick a LEM on the moon and bring the contents back? Easy. Increase the mass that the LEM brings back? Very expensive — the price goes up as the sixth power of the weight you’re returning from the lunar surface (because you have to loft the heavier LEM into Earth orbit to begin with).

Identity Theft

Remember, identity theft isn’t getting your credit card stolen; that’s fraud. Having the records that define who you are to an entire country, and that determine whether you can get a relatively high paying job, stolen: that’s identity theft…

Chris, I’m sorry

I hate the overuse of URL shorteners like tinyurl. I like to be able to see what a link is before I click on it. I don’t like that these companies get to be yet another point of surveillance. (To be fair, tinyurl doesn’t seem to be taking advantage of that. I have cookies from tr.im and su.pr, but not TinyURL.) And so I edited your comment to replace a tinyurl with a full URL, and commented that I “corrected it.”

I shouldn’t have done that, I should have just commented about it.

(If this blog was a Kindle, I’d undo it.)

The Arrest of Gates

A couple of good articles are John McWhorter’s “Gates is Right–and We’re Not Post-Racial Until He’s Wrong,” and Lowry Heussler’s “Nightmare on Ware Street.” The full police report is at “Gates police report.”

I think PHB’s comment on Michael Froomkin’s post is quite interesting:

You are all missing a rather significant fact, this is the Cambridge Police force, an organization that has a most peculiar relationship to the community it polices.

Houses in Cambridge cost a fortune, so it is not a city where cops live. So the city is a rich, liberal town policed by a conservative working class police force commuting in from other towns. You do not have to be black to have the Cambridge police act boorishly.


I am trying to avoid talking about the subject with my Cambridge friends as they all want to give their own litany of complaints.

When my apartment in Cambridge was burgled in 1999, the responding officer didn’t even want to get out of his car. When he finally did, he didn’t want to bother to physically examine anything, the one item that I pointed out had a grimy fingerprint was shattered and returned in pieces, and his report failed to document either that the front door was ripped from its hinges, or that a stack of currency from four countries had gone missing.

Sorry, PHB was trying to avoid that. I suspect that both the race and class cards played into this. There’s a strong echo of that in Crowley’s statements reported widely:

“I know what I did was right,” Crowley said in an interview with Boston-based WEEI Sportsradio Network. “I don’t have anything to apologize for.”

There’s one other element of this, which is that the police are separated from communities by a foolish and unwinnable war on drugs. Our last three Presidents have smoked pot, the last two snorted coke. But as long as the police are charged with impossible duties, they will be separated from whatever community may exist.

Please keep the comments civil and respectful of Gates, the officer and one another.

Today’s Privacy Loss – English Soldiers’ Details Published

Demonstrating that no one’s data is safe, the names, pay records, and other personal information of 90,000 English soldiers were placed on the Internet. These soldiers, who served with King Henry V at Agincourt, now have their information listed at www.medievalsoldier.org, exposing them to the chance of identity theft after nearly 500 years. The soldiers served from the years 1369-1453. There is no word yet as to whether they will get credit card protection.

For epistemological anarchism

So Dave Mortman and Alex Hutton have a talk submitted to Security BSides entitled “Challenging the Epistemological Anarchist to Escape our Dark Age.” Now, it would certainly be nice if we could all use the same words to mean the same things. It would make communication so much easier! It would let us build the semantic web.

Now, don’t get me wrong. I hate cutesy and confusing names for attacks as much as Alex and Dave. But let’s think about the solution for a minute. If we’re going to challenge anarchy, we do it from a position of authority. We ask some group of the great and the good to authoritatively assign meanings to terms, and then we move on. To the next attempt to do the same thing.

Even with all these definitions, I still get the occasional sputtering prescriptivist trying to tell me that what my employer calls threat modeling should be called “sleeping furiously” or something. My response is now always the same. I ask “is this the most productive conversation we could be having?”

Now my other issue with challenging anarchy is that once you have some great and good, they shape the thoughts that we might have. [I’m running out of time, so imagine witty and relevant references to Orwell here, along with pointer to Politics and the English Language.]

So I have two reasons to not bother challenging the epistemological anarchist. First, it won’t work, and secondly, it wastes energy that we might otherwise use to shape the language in the directions we prefer.

July 20, 1969

The Apollo program took place at just about the right time for me. I was six (or, as I would quickly have pointed out at the time, six *and a half*) when the first lunar landing occurred, and barely ten when Apollo 17 splashed down. This was old enough to be fascinated by the technology and the sheer coolness (I would not have known the words “audacity” or “chutzpah”), and too young to question the wisdom of the project given the pressing alternative terrestrial uses for the funds. It’s funny that what my brain decided to remember, and what society made iconic or controversial do not really coincide. I distinctly remember the Apollo 8 launch, but nothing of the reading from the book of Genesis. I watched the Apollo 11 launch, but I don’t specifically recall Armstrong’s first steps. In all cases, I was glued to the TV for the launch and splashdown. Oddly, these more than the flight to (or activities on) the moon brought to mind the vast scale of the project. Launches always included references to tracking stations in Australia — a vast distance away for the 6-8 year-old mind. Splashdowns involved a whole aircraft carrier! This truly was big stuff.
Skylab and Apollo-Soyuz held my interest, but the shuttle never did. Viking, with actual color pictures of Mars, got things back on track, but it was clear that no human would set foot on Mars for some time. The sense of purpose just was not there the way it was for Apollo, and it hasn’t been since. It’s hard to know whether the undertone of loss I feel when thinking about Apollo is an effect of time — I am no longer the wide-eyed boy — or of a recognition of what might have been, but was not, due to the disintegration of the consensus that allowed Apollo to succeed.

Color on Chrome OS

New things resemble old things at first. Moreover, people interpret new things in terms of old things. Such it is with the new Google Chrome OS. Very little I’ve seen on it seems to understand it.

The main stream of commentary is comparisons to Windows and how this means that Google is in the OS business, and so on. This is also the stream that gets it the most wrong.

It’s just another Linux distribution, guys. It’s not like this is a new OS. It’s new packaging of existing software, with very little or even no new software. I have about ten smart friends who could do this in their sleep. Admittedly, a handful of those are actually working on the Chrome OS, so that somewhat weakens my comment. Nonetheless, you probably know someone who could do it, is doing it, or you’re one of the people who could do it.

Moreover, Chrome OS isn’t an OS in the way you think about it. Google isn’t going to provide any feature on Chrome OS that they aren’t going to provide on Windows, Mac OS, Ubuntu, Android, Windows Mobile, iPhone, Palm Pre, Blackberry, and so on.

Consider the differences between the business model of Microsoft and that of Google. Microsoft believes that it should be the only software company there is. Its actual historic mission statement says that its mission is to push its software everywhere. Its mission does not include “to the exclusion of everyone else,” it merely often acts that way. Google’s mission is to have you use its services that provide information.

To phrase this another way, Microsoft gets paid when you buy Windows or Office or an Xbox, etc. Their being paid does not require that you not run Mac OS, or Lotus, or PlayStation, but that helps. Google gets paid when you click on certain links. It doesn’t matter how you clicked on that link, all that matters is that you click. Google facilitates that clicking through its information business, which is in turn facilitated by its software and services, but it’s those clicks that get them paid.

The key difference is this: Microsoft is helped by narrowing your choices, and Google is helped by broadening them. It doesn’t help Microsoft for you to do a mashup that includes their software as that means less Microsoft Everywhere, but it helps Google if you include a map in your mashup as there’s a chance a paid link will get clicked (no matter how small, the chance is zero if you don’t).

I don’t know whether it’s cause or effect but Microsoft really can’t stand to see someone else be successful. It’s a zero-ish sum company in product and outlook. Someone else’s success vaguely means that they’re doing something non-Microsoft. Google, in contrast, is helped by other people doing stuff, so long as they use Google’s services too.

If I shop for a new camera, for example, the odds are that Google will profit even if I buy it on eBay and pay for it with PayPal. Or if I buy it from B&H, Amazon, etc. So long as I am using Google to gather information, Google makes money.

Let me give another more pointed example. Suppose I want to get a new smartphone. Apple wins only if I get an iPhone. RIM wins when I get a BlackBerry. Palm wins if I get a Pre or a Treo. Nokia wins a little if I get any Symbian phone (most of which are Nokias, but a few aren’t). Microsoft wins if I get any Windows Mobile phone, of which there are many. But Google wins not only if I get an Android phone, but also if I get an iPhone (because the built-in Maps application uses Google), or if I install Google Maps on anything. One could even argue that it wins more if I get a non-Android phone and use their apps, because the margins are higher on the income.

This openness as a business model is why Microsoft created Bing. Partially it is because Microsoft can’t stand to see Google be successful, but also because Microsoft envies the way Google can win even when it loses, and who wouldn’t?

Interestingly, Bing is pretty good, too. One can complain, but one can always complain. Credible people give higher marks to Bing than Google, even. This puts Microsoft in the interesting position of being where Apple traditionally is with them. They’re going to learn that you can’t take customers from someone else just by being better.

But this is the whole reason for Chrome OS. Chrome OS isn’t going to make any money for Google. But it does let Google shoot at Microsoft where they live. When (not if, when) Chrome OS is an option on netbooks, it will cost Microsoft. Either directly, because someone picks Chrome OS over Windows, or indirectly because Microsoft is going to have to compete with free. The netbook manufacturers are going to be only too happy to use Chrome as a club against Microsoft to get better pricing on Windows. The winner there is not going to be Google; it’s going to be the people who make and buy netbooks, especially the ones who get Windows. The existence of Chrome OS will save money for the people who buy Windows.

That’s gotta hurt, if you’re Microsoft.

This is the way to look at Chrome OS. It’s Google’s statement that if Microsoft treads into Google’s yard, Google will tread back, and will do so in a way that does not so much help Google, but hurts Microsoft. It is a counterattack against Microsoft’s core business model that is also a judo move; it uses the weight of Microsoft against it. As Microsoft moves to compete against Google’s services by making a cloud version of Office, Google moves to cut at the base. When (not if) there are customers who use Microsoft apps on Google’s OS, Microsoft is cut twice by the very forces that make Google win when you use a Google service on Windows.

(Also, if you’re Microsoft you could argue that Google has been stepping on their toes with Google Docs, GMail, etc.)

Someday someone’s going to give Ballmer an aneurysm, and it might be Chrome.

We Regret The New York Times’ Error

In “Kindling a Consumer Revolt,” I quoted the New York Times:

But no, apparently the publisher changed its mind about offering an electronic edition, and apparently Amazon, whose business lives and dies by publisher happiness, caved. It electronically deleted all books by this author from people’s Kindles and credited their accounts for the price.

What seems to have happened is that a publisher, Mobile Reference, incorrectly loaded the Orwell works onto their Amazon site. (1984, published 61 years ago, is out of copyright in most of the world.)

So the claim of the Times that the publisher “changed its mind” is a little misleading, and Amazon seems to have deleted only those copies, not all books by the author.

I had read this New York Times story as I wrote “Kindling a Consumer Revolt,” and decided that the story that interested me was that of what happened after the books were sold, and how that differed from the physical world, and so didn’t point this out. (It did influence my writing: I wrote “Eric Blair, a publisher…” rather than “his publisher.”)


This morning Jer Warren posted a comment on that article, pointing out his post on what happened, and we’ve emailed back and forth a little.


My take is that the inaccuracies were in cited and reputable sources, and are tangential to my main line of discussion which is about the way our laws and expectations are different in the physical and digital worlds, and a suggestion that Amazon change the Kindle to give them less control over the devices they sell.

But I can see Jer’s side of it, and thus, the title of this post. I’d be interested in your thoughts–how should we handle corrections like this that might be relevant?

Kindle Brouhaha Isn’t About DRM

In case you haven’t heard about it, there is a brouhaha about Amazon un-selling copies of two Orwell books, 1984 and Animal Farm. There has been much hand-wringing, particularly since it’s deliciously amusing that it’s Orwell.

The root cause of the issue is that the versions of the Orwell novels available on the Kindle weren’t authorized editions. When contacted by the owners of Orwell’s copyrights, Amazon deleted the books and refunded customers’ money.

All things considered, Amazon did something approximating a right thing in this matter. They didn’t have the right to sell the novels, and so they pulled the novels from the store and customers, and gave the customers a refund. About the only thing they could have done righter was to give something to the people who thought they had the books. The best thing to give them would have been authorized copies of the books, but store credit would be nice, too.

You can find a New York Times article on it, as well as a CNET article, as well as a Tech Dirt article that brings up the very good point that deleting the books was very likely against the Kindle terms of service, which is why Amazon likely should offer those people something.

Among all the handwringing, there are a number of stupid people — or perhaps people who should just know better — who somehow mutter dark things about how this serves people right for getting a device that has DRM in it. (As if they’ve never owned a DVD.)

Some of these people who should know better might think that I’m somehow in favor of DRM, so let me say that I am not. I am against DRM. I am also against nuclear war, swine flu, totalitarian governments, and bad service in restaurants. I’m also against one or two other things. None of them had anything to do with this little contretemps.

The issue is caused not by DRM, but by cloud computing. The problem is that Amazon has a cloud service in which Kindle customers can keep their e-books on Amazon’s shelf, and shuffle them around to any Kindle-enabled device they have (like a Kindle proper, or an iPhone running the Kindle app). Customers can even delete a book from their Kindle and get it back from the cloud at a later date.

The event is that Amazon removed the book from the cloud, not that it had DRM in it. If you are concerned by this, you should be concerned by the cloud service. The cloud service enabled Amazon to respond to a legal challenge by removing customers’ data from the cloud. They didn’t need DRM to do it. In contrast, if iTunes store or the Sony e-book store had improperly sold a book, they wouldn’t be able to revoke it because they don’t have a cloud service as part of the store. (eMusic, incidentally, regularly adds and removes music from their store with the waxing and waning of desire to sell it.)

This is why we need to look at it for what it is, a failure in a business model and in the cloud service. Interestingly, the newly-formed Cloud Security Alliance predicts similar issues in which outside parties cause a cloud provider to shaft its customers. Not bad.

Their prescience is a bit limited because the proposed solution to this problem is to encrypt the cloud data with some fancy key management. That wouldn’t work here for the same reason that DRM isn’t an issue. If I know you have a resource, it doesn’t matter if magic fairies protect it, if I can delete it. It’s still good advice, it just wouldn’t have worked here.

What’s needed is some sort of legal protection for the customers, not technical protection. There are many potential warts here. If the owners of Orwell’s copyrights do not desire any ebooks of his works, it’s hard for Amazon to go buy legal copies for their customers (which would have been the most right thing to do). And it’s hard to argue that the seller shouldn’t do everything in their power to undo a sale they shouldn’t have made.

The correct way to deal with this is through some sort of contract arrangement to protect the customer. (The Cloud Security Alliance is prescient on this, as well.) That contract should be the Terms Of Service between the cloud provider and its customers. As TechDirt pointed out, this was likely a breach of Amazon’s TOS. They’re not supposed to delete books. They said they wouldn’t. Because of this, they owe something to their customers who were on the losing end of this breach of contract beyond the refund. I think ten bucks store credit is fine, myself.

They really need to do something, however, because without doing something, then someday someone will violate their TOS with Amazon and defend it with this breach of the TOS.

However, if you want to cluck your tongue, it should not be about buying goods with DRM, it should be about goods stored in the cloud. Everyone who offers cloud services ought to be clarifying now what they will do to protect their customers against lawsuits from outside parties. It can be crypto or contracts, it doesn’t matter, it just needs to work. This may be the first major cloud-based customer service failure, but it won’t be the last.

Kindling a Consumer Revolt

Well, by now it’s all over the blogo/twitter spheres, and everything that might be said has already been said about Eric Blair, a publisher and Amazon:

This morning, hundreds of Amazon Kindle owners awoke to discover that books by a certain famous author had mysteriously disappeared from their e-book readers. These were books that they had bought and paid for—thought they owned.

But no, apparently the publisher changed its mind about offering an electronic edition, and apparently Amazon, whose business lives and dies by publisher happiness, caved. It electronically deleted all books by this author from people’s Kindles and credited their accounts for the price. [Update: This is misleading, see “We Regret The New York Times’ Error“]

This is ugly for all kinds of reasons. Amazon says that this sort of thing is “rare,” but that it can happen at all is unsettling; we’ve been taught to believe that e-books are, you know, just like books, only better. Already, we’ve learned that they’re not really like books, in that once we’re finished reading them, we can’t resell or even donate them. But now we learn that all sales may not even be final. (“Some E-Books Are More Equal Than Others,” David Pogue, New York Times.)

Jack Balkin has some interesting commentary in “Control at a Distance:”

This is because of the combination of the first sale doctrine in copyright law and the fact that the book is a physical copy. Because it is a physical copy, nobody would think that the publisher of the book would have the rights to enter your house and remove the book. But when you purchase an e-book, what you really purchase is merely a license to store an electronic copy on the Kindle’s hard drive according to the end user license agreement that Amazon provides (and that you agree to when you purchase and first use the device). As a result you may not have the rights to do things with the e-book that you think you can.

For example, you may not have the right to read or write code like “MobiDeDRM.zip.” You probably have a right to read English about it in places like “Converting Kindle Books: a painful process that works for reading Kindle books without a Kindle.” I probably have the right to tell you that this will give you advice to type sentences like python mobidedrm.py Title-of-Book.azw Title-of-Book.mobi <your kindle serial number> (which is just an imperative form verb, a noun and three adjectives.) That sentence is incredibly expressive, and even emotionally evocative to any Kindle owner who is upset over what Amazon has done, and who takes the time to think through what the sentence means. It means that the boot can be removed from the device.


Back in the days of the crypto wars, we had the ITAR regulations which treated crypto like a munition, and helped keep the internet insecure against wiretappers. (The knock-on effects of the ITARs probably substantially enabled the Iranian government’s monitoring of internet traffic, as standards stay deployed for a long time, and the 3G phone standards were written in a world where crypto was radioactive.)

Back to the ITAR, people like Phil Karn and John Gilmore printed some crypto software and applied for an export license for the printed form, and the same software on a disk. Obviously, the paper form was covered by the first amendment, and to restrict something based on form was silly and ineffectual. Confronted with that, the NSA went back to the drawing board and revised their regulations. I’m hopeful that this “Memory Hole 2.0” that Amazon has just demonstrated to the world will draw attention to the DMCA and its provisions which prohibit people from speaking certain sentences which cause ‘technological protection measures’ to be bypassed. Those sentences might be powerful, but they’re really little different from other sentences you might write in languages which you didn’t learn growing up. Written words have long been powerful. The pen is mightier than the sword, and all that.

Amazon is between a rock and a publisher here. They need the cooperation of publishers to get most any content created in the last 70 years onto the Kindle. They know consumers who discover book removal hate it. But I think they’ve chosen a sub-optimal position between that rock and publisher. I don’t believe they need the ability to reach out into Kindles and change things. They should treat that as a bug and fix it.

The alternative would be that consumers fix it themselves, and who knows what else they might do with the Kindles they’ve purchased? Folders? A private PDF reader? Chaos might emerge.

Oh, the very best part? The books in question? The ones that went down the memory hole? Blair wrote them under a pen name, George Orwell. And the books? Animal Farm and 1984.

Some additional links which I think are worth reading:

Image: Gizmodo.

Up Again

We had some expected downtime this morning. Thanks for your notes and IMs. If you’re reading this, things are now working again.