December 3, 2024

attack of the context-sensitive blog spam?

I love spammers, really I do. Some of you may recall my earlier post here about freezing your credit report. In the past week, I’ve deleted two comments that were clearly spam and that made it through Freedom to Tinker’s Akismet filter. Both had generic, modestly complimentary language and a link to some kind of credit card application processing site. What’s interesting about this? One of two things.

  1. Akismet is letting those spams through because their content is “related” to the post.
  2. Or more ominously, the spammer in question is trolling the blogosphere for “relevant” threads and is then inserting “relevant” comment spam.

If it’s the former, then one can certainly imagine that Akismet and other such filters will eventually improve to the point where the problem goes away (i.e., even if it’s “relevant” to a thread here, if it’s posted widely then it must be spam). If it’s the latter, then we’re in trouble. How is an automated spam catcher going to detect “relevant” spam that’s (statistically) on-topic with the discussion where it’s posted and is never posted anywhere else?
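One way to implement the “if it’s posted widely then it must be spam” heuristic from the paragraph above, as an added example (not code from this post, from Akismet or from any filter the post mentions): the comment texts, site names and link are constructed, and the word-shingle fingerprinting and thresholds are my own assumptions.

```python
import re

# Constructed sample input: one spam comment as it might appear on three different
# blogs (cosmetic edits, same link), plus two genuine on-topic comments.
COMMENTS = [
    ("blog-a.example", "Great post about freezing your credit report! Very helpful. http://cc-apply.example/"),
    ("blog-b.example", "Great post about freezing your credit report, very helpful indeed! http://cc-apply.example/"),
    ("blog-c.example", "great post about freezing your credit report - very helpful http://cc-apply.example"),
    ("blog-a.example", "I froze my reports last year; Equifax took three weeks to confirm by mail."),
    ("blog-d.example", "Does the freeze also stop the pre-approved card offers, or is that separate?"),
]

def normalize(text):
    """Lowercase, strip URLs and punctuation so cosmetic edits don't defeat matching."""
    text = re.sub(r"https?://\S+", " ", text.lower())
    return re.findall(r"[a-z0-9]+", text)

def shingles(tokens, k=3):
    """Set of k-word shingles; k=3 tolerates small word swaps and insertions."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def jaccard(a, b):
    """Jaccard similarity of two shingle sets (0.0 when both are empty)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def cross_site_spam(comments, sim=0.5, min_sites=2):
    """Return the indexes of comments whose near-duplicates (similarity >= sim)
    appear on at least `min_sites` distinct sites, counting the comment's own site."""
    sh = [shingles(normalize(text)) for _, text in comments]
    flagged = set()
    for i, (site_i, _) in enumerate(comments):
        sites = {site_i}
        for j, (site_j, _) in enumerate(comments):
            if i != j and jaccard(sh[i], sh[j]) >= sim:
                sites.add(site_j)
        if len(sites) >= min_sites:
            flagged.add(i)
    return flagged

if __name__ == "__main__":
    # Comments 0-2 are flagged (three sites share the text); comments 3 and 4 are not.
    # Note the limit: a hand-written, on-topic comment posted on exactly one blog
    # looks just like comment 4 to this check, which is the second scenario above.
    print(sorted(cross_site_spam(COMMENTS)))
```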

On freezing your credit reports

In my last post, where I discussed the (likely) theft of my SSN from the State of Ohio, I briefly discussed the possibility of “freezing” my credit report. I’ve done some more investigation on how, exactly, this works.

Details seem to vary from state to state (Consumers Union has a nice summary), but you generally can write to each of the three major credit report bureaus, via postal mail, and request that your account be “frozen.” This will not prevent you from getting “pre-approved” credit-card offers. For that, you separately opt out, although you can at least do it online. Once your request takes effect, most requests to access your credit report will be denied. There are a wide variety of exceptions, mostly related to people who you’re already doing business with, which strikes me as entirely reasonable.

Cost? If you’re the victim of identity fraud (and it’s unclear whether I meet that definition), it’s free. You include a copy of your police report when you’re writing your letters to each of the credit ratings bureaus. If not, the cost is $10 per bureau. Multiply by three, and that’s $30. You’re married and want to do it for your spouse? Add another $30. What if you want to temporarily (or permanently) lift the block? The price varies, but it’s comparable.

Here’s the problem with this system: let’s say you’re doing the sort of things for which people legitimately want to look up your credit report (e.g., borrowing money for a car, opening a new credit card, renting a new apartment, etc.). Particularly if you’re changing jobs, moving to a new area, and so forth, you’ll be doing a lot of this all at once. As a result, precisely when you’re most often giving out your SSN and thus increasing your vulnerability, you also have to disable the block on your account, exposing yourself to the risk of identity theft.

The proper answer, of course, is to arrange for SSNs to have no more value to an identity thief than your name and address. The unanswered question, then, is what exactly can replace it as an authenticator? One possibility, raised in the thread on car dealers who insist on fingerprints, is to require these sorts of transactions be notarized. A notary public’s main function is to authenticate that a specific person signed a specific document. You already need a notary’s services when you buy or sell a house. Why not require their services for any transaction that involves a personal credit report? The answer, I imagine, is cost, both in time and money. Department stores would be unable to give you “instant credit cards.” Applying to rent an apartment would become more complicated and annoying. There would be more friction, all around, to get credit. However, if identity theft continues to be such a significant problem, maybe it’s a trade-off worth making.

(Aside: how, exactly, do you convince the notary of your identity? The answer varies, but it seems to involve a photo ID, signature, and in some cases a thumbprint. You could certainly imagine cutting the notary out of the process and pushing the same authentication process out to a cash register or wherever else, but this creates a trusted path problem. When a human notary is authenticating a paper document, there’s no question to anybody what, exactly, is being authenticated. If you give your biometric and ID card to a scanner in a store, you have no idea where that data is going and what, ultimately, is being authenticated on your behalf. Astute readers may see a connection between this and the need for election systems to have voter-verifiable paper trails, but that’s a discussion for another day.)

On stolen data with privacy-relevant information

I just received a first-class letter from the State of Ohio, telling me:

The State of Ohio has confirmed that your name and social security number was contained on a computer back-up device that was stolen. It is unlikely that someone can access the data contained in the device without specialized knowledge and equipment. Because we have no information to date that the data has been accessed, everything we are doing, or suggesting that you consider doing, is preventative.

The State of Ohio is doing everything possible to recover the stolen device and protect the personal information that was on the device. We regret that the loss of this sensitive data may place an undue burden of concern on you.

The letter explains how I can sign up with Debix for their identity protection services, and provides a PIN for me to use. (So, now I can spread my SSN further. Wonderful.)

The last time I set foot in Ohio was over three years ago, when I testified about electronic voting security issues, so it seems odd that they would still have my SSN on file. I don’t recall if they specifically asked me for my SSN, but it’s common for these sorts of things to ask for it as part of reimbursing travel expenses. It’s also possible that my SSN was on this backup tape for other reasons. Some news stories say that sixty Connecticut citizens’ information was present on the tape; I’m from Texas, so that shouldn’t have affected me. The State of Ohio has its own official web site to discuss the incident, which apparently happened back in June, yet they’re only telling me now.

Okay, let’s see if we can figure out what’s going on here. First, the “back-up device” in question appears to be nothing more than a backup tape. They don’t say what kind of tape it was, but there are only a handful of options these days, and it’s not exactly hard to buy a tape drive, making the “specialized knowledge and equipment” line seem pretty unlikely. (As long as I’ve been doing security work, I’ve seen similar responses. The more things change…) So what actually happened? According to the official web site:

The Inspector General investigation determined that: “OAKS administrators failed to protect confidential information by authorizing state employees, including college interns, to take backup tapes containing sensitive data to their homes for overnight storage”; “OAKS, OIT (Office of Information Technology) and OBM (Office of Budget and Management) officials failed to report the theft of confidential information to state and law enforcement officials in a timely manner”; and “OAKS administrators failed to protect confidential information by allowing personnel to store sensitive data in an unsecured folder on the OAKS intranet.” The Inspector General found no evidence to suggest state agencies or employees engaged in criminal or illegal behavior surrounding these circumstances.

At its core, Ohio apparently had fantastically poor procedures along with what Jerry Saltzer refers to as the “bad news diode”, i.e., bad news never flows up the chain of command. Combine those and it shouldn’t be surprising that something would eventually go wrong. In my case, such poor procedures make it believable that nobody bothered to delete my information after it was no longer necessary to retain it. Or, maybe they have some misguided anti-terrorist accounting rule where they hang onto this data “just in case.” Needless to say, I don’t know.

It’s reasonable to presume that this sort of issue is only going to become more common over time. It’s exceptionally difficult to keep your SSN truly private, particularly if reimbursement paperwork, among other things, unnecessarily requires the disclosure of a SSN. The right answer is probably an amalgamation of data destruction policies (to limit the scope of leaks when they happen), rational data management policies (to make leaks less likely), and federal regulations making it harder to convert a SSN into cash (to make leaked SSNs less valuable).

(Sidebar: when my wife and I bought a new car in 2005, the dealer asked for my SSN. “I’m paying cash. You don’t need it,” I said. They replied that I could either wait until the funds cleared, or I could let them run a credit check on me. I grumbled and caved in. At least they didn’t ask for my fingerprint.)

New business models in the recording industry

The New York Times Sunday Magazine has a fascinating piece that interviews and discusses Columbia Records’ hiring of Rick Rubin as their new studio chieftain. Rubin has been a well-known music producer (among other things, he orchestrated the famous mash-up of Aerosmith and Run-DMC and worked with Johnny Cash later in his life), and is quoted in the article saying many things that Freedom-to-Tinker readers will find familiar.

For example, on DRM and spyware:

By the time [Columbia executive] Barnett first approached Rubin about coming to Columbia, Rubin had already decided that he would have nothing more to do with Columbia Records. This was because of the company’s handling of the Rubin-produced Neil Diamond record “12 Songs” in 2005. Diamond was a hero of Rubin’s, and he spent two years working on the album, persuading Diamond to record acoustically, something he hadn’t done since the ’60s.

“The CD debuted at No. 4,” Rubin told me at Hugo’s, still sounding upset. “It was the highest debut of Neil’s career, off to a great start. But Columbia — it was some kind of corporate thing — had put spyware on the CD. That kept people from copying it, but it also somehow recorded information about whoever bought the record. The spyware became public knowledge, and people freaked out. There were some lawsuits filed, and the CD was recalled by Columbia. Literally pulled from stores. We came out on a Tuesday, by the following week the CD was not available. Columbia released it again in a month, but we never recovered. Neil was furious, and I vowed never to make another album with Columbia.”

Still, Columbia managed to hire this guy and he’s now pretty much running the show. He thoroughly acknowledges that the music industry’s real problem is that its former business model isn’t going to work in the future and the solution is about completely changing the pricing model to be cheap enough and the quality of service to be good enough that piracy will no longer be rational for consumers.

Rubin has a bigger idea. To combat the devastating impact of file sharing, he, like others in the music business (Doug Morris and Jimmy Iovine at Universal, for instance), says that the future of the industry is a subscription model, much like paid cable on a television set. “You would subscribe to music,” Rubin explained, as he settled on the velvet couch in his library. “You’d pay, say, $19.95 a month, and the music will come anywhere you’d like. In this new world, there will be a virtual library that will be accessible from your car, from your cellphone, from your computer, from your television. Anywhere. The iPod will be obsolete, but there would be a Walkman-like device you could plug into speakers at home. You’ll say, ‘Today I want to listen to … Simon and Garfunkel,’ and there they are. The service can have demos, bootlegs, concerts, whatever context the artist wants to put out. And once that model is put into place, the industry will grow 10 times the size it is now.”

Rubin sees no other solution. “Either all the record companies will get together [for a unified subscription model] or the industry will fall apart and someone like Microsoft will come in and buy one of the companies at wholesale and do what needs to be done,” he said. “The future technology companies will either wait for the record companies to smarten up, or they’ll let them sink until they can buy them for 10 cents on the dollar and own the whole thing.”

I’ve always thought that something like this could be a successful business model. Of course, enforcing such a scheme (i.e., ensuring that the music dries up if you don’t keep spending your cash) requires a DRM strategy, which clearly isn’t going to fly. Is there an alternative? How good would a music service have to be that you would have no incentive to store local copies? If I’m totally comfortable keeping my email and calendar “out there” on the Internet, why shouldn’t I be comfortable keeping my CD collection (1500+ and growing) out there as well?

The article goes on to quote other industry experts on the difficulties of getting a subscription model correct, but I have to admire Rubin on his focus:

“I don’t want to waste time,” he said, sounding a little frustrated. “The existing people will either get smart, which is a question mark. Or new people will understand what a resource the music business is and change it without us.” Rubin paused. “I don’t want to watch that happen.”

It’s hard to argue with that. The primary focus of the article was on how Rubin is all about refining and polishing the music, and it’s great to know that somebody like that will help bring out the best in our artists. I just hope they can really sort out this whole business model thing in a technologically feasible fashion. My fear is that yet another new snake-oil company with yet another DRM scheme will promise to “solve” the piracy problem, when we all know that the real solution lies instead in completely rethinking the business model. Make the price cheap enough and the quality of the service compelling enough, and people will prefer it to the hit-or-miss world of piracy. Let’s hope it can be a hit. (Until then, I’ll stick with buying CDs.)

On the emotions you feel when you do a security review

[I’m happy to introduce Dan Wallach, who will be blogging here from time to time. Dan is an Associate Professor of Computer Science at Rice University. He’s a leading security expert who has done great work on several topics, including e-voting. – Ed]

I was one of the co-authors of the Hart InterCivic source code report, as part of California’s “top to bottom” analysis of its voting systems. As many Freedom to Tinker readers now know, we found problems. Lots of problems. I’ve done this sort of thing before, as have many others, and I realized that there’s a somewhat odd emotion that we all feel when we do it. You’re happy because you found how to break something, but you’re sad that the system is so poorly engineered. It’s a great accomplishment that we were able to discover so much, but it’s terrible that widely used systems have such easily exploitable vulnerabilities. What word can describe that good/bad emotion?

About a year ago, I started asking everybody I knew, speakers of any language, if their language had a word to describe that emotion. Somebody, somewhere, must have such a word. There are lots of close-but-no-cigar choices, such as:

Schadenfreude (German) – the pleasure you feel at somebody else’s pain (common example: laughing at Hollywood celebrities arrested for drunk driving)

Bathos (Greek) – mixing serious issues with humor (a common literary device)

Neither quite captures it. Finally, in a discussion with my colleague, Moshe Vardi, we came up with a Yiddish coinage that seems to do the trick: oy gevaldik.

Origin? Oy vey is a standard Yiddish expression of woe (similar to “oh boy”). Oy gevalt is a stronger version of the same expression (similar to “oh expletive” for milder expletives). Curiously, the Yiddish word for beautiful is gevaldik, which sounds similar to gevalt. Put it together, and you get oy gevaldik. Oh, beautiful. And that’s what security reviews are all about.