SSN: Identifier or Authenticator?

Spire Security Viewpoint lists some salient points about social security numbers (SSNs), among them this one:
There are over 150,000 people (my estimate) with “defendable” access to your SSN right now. They aren’t secret.

SSNs Re-Re-Re-Revisited, 8 March 2007

And, he says, you’re ten times more likely to be victimized by identity fraud at the hands of one of these authorized people than by an outsider. His main point is that the problem with SSNs is not their use as identifiers but their use as authenticators. After all, if everybody knew SSNs as readily as names, credit card companies and the like would have to stop using them as authenticators and would have to use something better for authentication. That would be better risk management.
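The distinction above is a design pattern, so here it is in code. This is an added example written for this post, not code from Spire Security or from any credit bureau: the account record, the sample SSN, the pass phrase, and both verification functions are constructed for illustration. The weak path treats knowledge of the SSN as proof of identity; the hardened path uses the SSN only to find the record and authenticates with a separate, user-held secret.

```python
"""SSN as identifier, not authenticator.

Added example for this post, not code from the original or from any
credit bureau. The account record, the secret and both verify
functions are constructed here to contrast the two designs.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked database does not leak the authenticator."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(name: str, ssn: str, secret: str) -> dict:
    salt = os.urandom(16)
    return {"name": name, "ssn": ssn, "salt": salt, "hash": _hash_secret(secret, salt)}


# Constructed sample data: one account, keyed by SSN. The SSN is a fine lookup
# key; knowing it should buy nothing more than finding the record.
ACCOUNTS = {
    a["ssn"]: a
    for a in [make_account("Alice", "123-45-6789", "correct horse battery staple")]
}


def verify_by_ssn(ssn: str) -> bool:
    """The weak design the post criticises: the identifier doubles as the
    authenticator, so every clerk, employer and insurer who legitimately
    holds the SSN can impersonate its owner."""
    return ssn in ACCOUNTS


def verify(ssn: str, secret: str) -> bool:
    """The hardened design: the SSN only selects the record; a separate,
    user-held secret authenticates. Publishing every SSN would not weaken it."""
    account = ACCOUNTS.get(ssn)
    if account is None:
        # Do the same amount of work for an unknown SSN so response time does
        # not reveal which SSNs have accounts.
        _hash_secret(secret, bytes(16))
        return False
    candidate = _hash_secret(secret, account["salt"])
    return hmac.compare_digest(candidate, account["hash"])


if __name__ == "__main__":
    print("weak, SSN only:", verify_by_ssn("123-45-6789"))  # True
    print("hardened, wrong secret:", verify("123-45-6789", "guess"))  # False
    print("hardened, right secret:",
          verify("123-45-6789", "correct horse battery staple"))  # True
```

The practical difference: a compromised authenticator in the hardened design can be rotated by changing one account’s secret, whereas an SSN cannot be reissued to the 150,000 people who already hold it.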

-jsq

Dating Risk

Chandler Howell writes about a fiancé who wasn’t happy about his fiancée requiring him to undergo a background check before dating:
I’ll bet he wasn’t, given that in the United States, the SSN is still the golden key to access someone’s potential lines of credit. Someone has probably already figured out that they can use a demand for this information as the source of inputs to commit full-fledged identity fraud. It’s an emotionally loaded demand, so it will probably work. Then, the scammer can break off the relationship for something that was allegedly found in the check. It’s the worst security of all: Insecurity in the name of security.

Beware the Dating Security Complex, by Chandler Howell, Not Bad For a Cubicle, March 9th, 2007

I bet it’s already worked. How long before some dating service that does background checks and reveals them to members before dating gets sued big time?

-jsq

Narrowly Focused Anti-Terrorism

Bruce Schneier says he’s tired of headlines like one that says a new autopilot will prevent any more 9/11s, and says:

Why are people so narrowly focused? The goal isn’t to protect against another 9/11. The goal is to protect against another horrific terrorist incident.

Making Another 9/11 Impossible, Bruce Schneier, Schneier on Security, March 15, 2007

Why? Because 66-74% of the U.S. population have detail-oriented personalities, good at seeing details, not good at seeing the big picture. Other populations probably aren’t much different.


Reputation Management

In the previous post I mentioned reputation systems. The flip side of that is reputation management, so that companies can react to reputation systems and proactively manage their own reputations. It turns out that Harold Burson, “the century’s most influential PR figure”, and Jon Harmon are thinking along similar lines:
The key is in reputation management. When company leaders come to understand that reputation is the company’s most valuable asset, they will increasingly value those who can actively and successfully manage reputation.

Reputational momentum defines the art of the possible of nearly every other goal of the business or organization – sales, profits, retention, recruitment or fund-raising. If your reputation is on the rise, achieving your other goals is so much easier. Conversely, a poorly managed crisis leading to a significant drop in reputation can capsize even the company’s most valiant efforts to achieve its other goals.

An Open Letter to Harold Burson: Reputation Management Fulfills PR’s Highest Calling, Jon Harmon, Force for Good, 15 March 2007

Harmon’s specific suggestion has to do with a chief-level PR officer, with potential for being on the CEO track. On the one hand, every profession seems to want this. On the other hand, after the big reputation botches at Intel and HP it’s hard to argue that corporations couldn’t use reputation advice at the highest levels, preferably before they shoot themselves in the foot. So a PR consigliere sounds good to me.

-jsq

ID Theft Virus Map

Brian Krebs has used Google Maps to plot the locations of victims of identity theft:
I based the story in part on a cache of stolen data I found online (more on how I obtained it in a bit). The data was being compiled by a password-stealing virus that had infected many thousands of computers worldwide; the particular text file that I found included personal information on 3,221 victims scattered across all 50 U.S. states.

Tracking the Password Thieves, Brian Krebs, Security Fix

He didn’t have to look up the locations of the victims to map them; the virus had already done that for him, sometimes accurately, sometimes not. The virus cared because banks flag transactions that come from unexpected geographical locations, so a thief who knows where the victim lives can make a fraudulent transaction look like it comes from nearby.
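To show why a password stealer would bother recording geography, here is the kind of location check a bank runs and that stolen coordinates help defeat. This is an added example written for this post, not code from Krebs’ article or from any bank; the transaction records, the coordinates, and the 900 km/h plausibility threshold are constructed for illustration. It flags any transaction that would require the account holder to have travelled impossibly fast since the previous one.

```python
"""Impossible-travel check of the kind that makes stolen geolocation valuable.

Added example for this post, not code from Krebs' article or from any bank.
The transaction records, coordinates and the speed threshold are constructed
for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed; faster implies two parties


@dataclass(frozen=True)
class Txn:
    account: str
    when: datetime
    lat: float
    lon: float
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_impossible_travel(txns: list[Txn]) -> list[tuple[Txn, float]]:
    """Return (transaction, implied km/h) for every transaction that would
    require the account holder to have moved faster than MAX_PLAUSIBLE_KMH
    since the previous transaction on the same account."""
    flagged: list[tuple[Txn, float]] = []
    last_seen: dict[str, Txn] = {}
    for t in sorted(txns, key=lambda x: x.when):
        prev = last_seen.get(t.account)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, t.lat, t.lon)
            hours = (t.when - prev.when).total_seconds() / 3600.0
            if hours <= 0:
                # Same timestamp: any distance at all is impossible.
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > MAX_PLAUSIBLE_KMH:
                flagged.append((t, speed))
        last_seen[t.account] = t
    return flagged


# Constructed sample: account A is used in Atlanta, then half an hour later
# from Moscow; account B is used in Atlanta, then three hours later in New York.
SAMPLE_TXNS = [
    Txn("A", datetime(2007, 3, 1, 10, 0), 33.75, -84.39, 42.10),
    Txn("A", datetime(2007, 3, 1, 10, 30), 55.75, 37.62, 980.00),
    Txn("B", datetime(2007, 3, 1, 10, 0), 33.75, -84.39, 12.50),
    Txn("B", datetime(2007, 3, 1, 13, 0), 40.71, -74.01, 60.00),
]

if __name__ == "__main__":
    for txn, kmh in flag_impossible_travel(SAMPLE_TXNS):
        print(f"flag {txn.account} at {txn.when:%H:%M}: implied {kmh:,.0f} km/h")
```

Only account A is flagged. If the thief instead connects from, or spoofs, a point near the recorded Atlanta coordinates, the implied speed stays under the threshold and the check is silent, which is exactly the use the virus authors had for the location data.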

Super-Cat Fear?

Warren Buffett notes that neither he nor anyone else knows whether the many big hurricanes of 2004 and 2005 were an aberration or the beginning of a trend, but super catastrophe bonds are the likely insurance response.
Don’t think, however, that we have lost our taste for risk. We remain prepared to lose $6 billion in a single event, if we have been paid appropriately for assuming that risk. We are not willing, though, to take on even very small exposures at prices that don’t reflect our evaluation of loss probabilities. Appropriate prices don’t guarantee profits in any given year, but inappropriate prices most certainly guarantee eventual losses. Rates have recently fallen because a flood of capital has entered the super-cat field. We have therefore sharply reduced our wind exposures. Our behavior here parallels that which we employ in financial markets: Be fearful when others are greedy, and be greedy when others are fearful.

To the Shareholders of Berkshire Hathaway Inc, Warren Buffett, Annual Report, Berkshire Hathaway, 28 Feb 2007

So super-cat pricing is currently soft: a lot of capital has entered the field, and fewer events happened last year than expected.

-jsq

PS: Seen in Warren Buffett on Risk Management, Gunnar Peterson, 1 Raindrop, 2 March 2007.

Malamud Concludes

Carl Malamud has not only started archiving and indexing Congressional committee hearings, he’s spent two years studying the problem of using the Internet to make Congress accessible, and has concluded:
By the end of the 110th Congress, the U.S. House of Representatives could achieve the goal of providing broadcast-quality video of all hearings and the floor for download on the Internet.

Report to Congress, Carl Malamud to Nancy Pelosi, Speaker of the House, 13 March 2007

Sounds doable to me. See his report for copious details.

-jsq

Cringely Does DNS

I often admire Cringely’s posts, but not so much this one, in which he channels a proposal for replacing DNS:
Domain dispute resolution would be rapid: one week for evidence presentation, 24 hours to decide, and 24 hours for appeals. At which point the Inet DNS system would block the loser. Domain transfers would be fast and low cost. All domain activity would operate through Inet, not be farmed out to resellers, since the system is too important, and has proved to be difficult to police on the Internet. Inet domain holders would be expected to maintain control over the content of their users on sites with Inet domain registrations. Repeated failures to rapidly do so would result in the temporary or permanent loss of their Inet domain.

Just Say No: David Harrison wants to replace your Internet. I, Cringely, February 22, 2007

So, let’s see: wait until the owner of a domain is on a road trip, claim he’s a squatter, run through this kangaroo court’s process, and by the time he’s back, he’s got no domain, because he missed the one-week evidence window and the 24 hours for appeal.

Moral Panic

OK, that last post about "Is Your Child a Computer Hacker" was a joke. Sort of. Unfortunately, it seems to be about the level at which many adults understand the Internet:

Thierer: ISPs and sites would have to collect data on their customers, like IP address, for at least a year and maybe longer. It’s already in place in EU, DOJ is enthusiastic. We don’t know what problems this will create. There are agreements to retain for six to nine months or longer (voluntary agreements). Most of these sites will preserve on official request if there’s a bad guy. Do we go from preservation to fullblown retention model? Good chance of this.

Adam Thierer, by Susan Crawford, Susan Crawford Blog, 6 March 2007

She’s reporting on a talk and Q&A at the recent Freedom to Connect conference. Why would anyone want universal data retention? To protect the children. They’re scared (or being scared by people who want them scared) that the Internet is swarming with predators out to get their child. Never mind that an IP address doesn’t necessarily map to a person: addresses are shared behind NAT, reassigned by DHCP, and borrowed over open wireless. It looks like they’re doing something!
