net.wars: June 2012 Archives


June 29, 2012

Artificial scarcity

A couple of weeks ago, while covering the tennis at Eastbourne for Daily Tennis, I learned that there is an ongoing battle between the International Tennis Writers Association and the sport at large over the practice of posting interview transcripts online.

What happens is this. Tournaments - the top few layers of the men's (ATP) and women's (WTA) tours - pay stenographers from ASAP Sports to attend players' press conferences and produce transcripts, which are distributed to the journalists on-site to help them produce accurate copy. It's a fast service; the PR folks come around the press room with hard copies of the transcript perhaps 10-15 minutes after the press session ends.

Who gives press conferences? At Eastbourne, like most smaller events, the top four seeds all are required to do media on the first day. After that, every day's match winners are required to oblige if the press asks for them; losers have more discretion but the top players generally understand that with their status and success level comes greater responsibility to publicize the game by showing up to answer questions. The stenographer at Eastbourne was a highly trained court reporter who travels the golf and tennis worlds taking down these questions and answers verbatim on a chord keyboard.

It turns out this particular battle over transcripts has been going on for a while; witness this unhappy blogger's comment from June 2011, after discovering that the French Open had bowed to pressure and stopped publishing interviews on its Web site. The same blogger had earlier posted ITWA's response to the complaints.

ITWA's arguments are fairly simple. It's a substantial investment to travel the tour (true; per year full-time you're talking at least $50,000). If interview transcripts are posted on the Web before journalists have had a chance to write their stories, it won't be worth spending that money because anyone can write stories based on them (true). Newspapers are in dire straits as it is (true). The questions journalists ask the players are informed by their experience and professional expertise; surely they should have the opportunity to exploit the responses they generate before everyone else does - all those pesky bloggers, for example, who read the transcripts and compare them to the journalists' reports and spot the elisions and changes of context.

Now, I don't believe for a second that there will be no coverage of tennis if the press stop traveling the tour. What there won't be is *independent* coverage. Except for the very biggest events, the players will be interviewed by the tours' PR people, and everything published about them will be as sanitized as their Wimbledon whites. Plus some local press, asking things like, "Talk about how much you like Eastbourne." The result will be like the TV stations now that provide their live match commentary by dropping a couple of people in a remote studio. No matter how knowledgeable those people are, their lack of intimate contact with the players and local conditions deadens their commentary and turns it into a recital of their pet peeves. (Note to Eurosport: any time a commentator says, "We talk so often about..." that commentator needs to shut up.)

This is the same argument they used to have about TV: if people can see the match on TV they won't bother to travel to it (and sometimes you do still find TV blackouts of local games). That hasn't really turned out to be true - TV has indeed changed this and every other sport, but by creating international stars and bringing in a lot of money in both payment for TV rights and sponsorship.

My response to the person who told me about this issue was that I didn't think basing your business model on artificial scarcity was going to work, the way the world is going. But this is not the only example of such restrictions; a number of US tournaments do not allow fans to carry professional-quality cameras onto the ground (to protect the interests of professional photographers).

What intrigued me about the argument - which at heart is merely a variant of the copyright wars - is that it pits the interests of fans and bloggers against those of the journalists who cover them. For the tournaments and tours themselves it's an inner conflict: they want both newspaper and magazine coverage *and* fan engagement. "Personal" contact with the players is a key part of that - and it is precisely what has diminished. Veteran tennis journalists will tell you that 20 years ago they got to know the players because they'd all be traveling the circuit together and staying in the same hotels. Today, the barriers are up; the players' lounge is carefully sited well away from the media centre.

Yet this little spat reflects the reality that the difference between writing a fan blog and working for a major media outlet is access. There is only so much time the stars in any profession - TV, sports, technology, business - can give to answering outsiders' questions before it eats into their real work. So this isn't really a story of artificial scarcity, though there's no lack of people who want to write about tennis. It's a story of real scarcity - but scarcity that one day soon is going to be differently distributed.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.



June 22, 2012

The numbers game

Sometime around mid-May I discovered a couple of thousand pounds were missing from my bank account. This was the result of a more haste, less speed situation: faced with an upcoming overseas trip, when someone said to me, "We can pay you electronically next week or send you a check today," I opted for the check, thinking it would be quicker.

What actually happened: somewhere in transit from me to my bank account the check was intercepted, the name of the payee was altered, and the check was paid to someone else. It took several weeks to establish this, of course. I had to get my bank's call center to call my bank to find someone who could say they'd never seen the check. Then *their* bank had to request a copy of the microfilm and then a second, higher-resolution image to establish whether the payee's name had been altered (in which case the bank was at fault for paying it) or left blank (in which case the payer goofed).

Through the whole thing, I imagined Mr Cashless Society, David Birch, smirking. My solution for the future, however, is not to insist that everything be paid electronically - when electronic payments go wrong, the results can be even more difficult to trace and unwind - but to digitally photograph every check, both incoming and outgoing. If I had done that in this case, our end of the investigation would have taken a minute, not a month.

There are some things about this theft that are striking. First is that it's very low-tech, even quaintly old-fashioned. While we spend so much time worrying about the strength of cryptography algorithms and the One True Way to devise good passwords, the postal and physical banking systems are supposed to be safe. I imagine our thief carefully working on the cheque like Lane Pryce in Mad Men. Second is that it's dumb, because it's enough money that people will notice it's missing and investigate when they do, and the likelihood is that the thief will be successfully traced. Had this guy instead run a small eBay scam and stolen £200 from ten different people - or £20 from 100 different people - he'd be enjoying his freedom and their money. Theft of physical pieces of paper doesn't pay even as well as the relatively low-profit crime of physical bank robbery.

Last year, Detica estimated the annual cost of cybercrime to the UK at £27 billion, a figure that was almost immediately (and rightly) questioned by both the press and security experts. Now, Ross Anderson and a team of co-authors have analyzed that number in detail in a paper for the annual Workshop on the Economics of Information Security.

Unlike the Detica paper, Anderson and company fully expose their methodology and reasoning. Also unlike Detica, they don't provide a single big number. As they write, a lot depends on the assumptions you make and the types of crime you want to include. Welfare fraud has been with us as long as welfare has; should it be added to the cybercrime figures when the UK shifts all claims for welfare payments online next year? In any event, the authors estimate that traditional frauds cost each UK citizen a few hundred pounds a year; transitional frauds (fraud such as online payment card fraud that is moving online alongside the relevant infrastructure) cost each of us a few tens of pounds per year, and new cyber-frauds cost perhaps tens of pence per year. However, the cost of defending against those cyber-frauds - patching, anti-virus software, the opportunity costs of loss of trust - are something like ten times the cost of the frauds themselves. The authors wind up arguing for better policing: throwing the relatively small number of gangs in jail would do more to stop cybercrime than telling people to run anti-virus software.

I have my doubts about this part of the proposition. While clearly better - and better-resourced - policing would be a very good thing, I imagine that there are plenty of other criminals waiting for their chance. I liken the situation to what would happen if, say, 90 percent of the pregnancies on the planet were the work of just ten guys and you put them all in jail and took away their nookie privileges: smart women would still use birth control. It is not clear how much computer defense we could actually afford to do away with.

But what is very clear from the paper is the cost of getting our numbers wrong, and not just because when you spray around figures like £27 billion in losses to consumers (£3 billion), government (£3 billion), and companies (£21 billion) someone may start paying you large sums of public money to fix the problem. The consistent over-reporting of the number of phishing Web sites, types of malware, and attackers, Anderson et al. write, leads "some police forces to believe that the problem is too large and diffuse for them to tackle...This is part of a much wider problem of attributing risks to patterns of offending". Right. So instead of focusing on the technology by which crime is committed, focus instead on...yep, the people. Ain't it always the way?


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


June 15, 2012

A license to print money

"It's only a draft," Julian Huppert, the Liberal Democrat MP for Cambridge, said repeatedly yesterday. He was talking about the Draft Communications Data Bill (PDF), which was published on Wednesday. Yesterday, in a room in a Parliamentary turret, Huppert convened a meeting to discuss the draft; in attendance were a variety of Parliamentarians plus experts from civil society groups such as Privacy International, the Open Rights Group, Liberty, and Big Brother Watch. Do we want to be a nation of suspects?

The Home Office characterizes the provisions in the draft bill as vital powers to help catch criminals, save lives, and protect children. Everyone else - the Guardian, ZDNet UK, and dozens more - is calling them the "Snooper's charter".

Huppert's point is important. Like the Defamation Bill before it, publishing a draft means there will be a select committee with 12 members, discussion, comments, evidence taken, a report (by November 30, 2012), and then a rewritten bill. This draft will not be voted on in Parliament. We don't have to convince 650 MPs that the bill is wrong; it's a lot easier to talk to 12 people. This bill, as is, would never pass either House in any case, he suggested.

This is the optimistic view. The cynic might suggest that since it's been clear for something like ten years that the British security services (or perhaps their civil servants) have a recurring wet dream in which their mountain of data is the envy of other governments, they're just trying to see what they can get away with. The comprehensive provisions in the first draft set the bar, softening us up to give away far more than we would have in future versions. Psychologists call this anchoring, and while probably few outside the security services would regard the wholesale surveillance and monitoring of innocent people as normal, the crucial bit is where you set the initial bar for comparison for future drafts of the legislation. However invasive the next proposals are, it will be easy for us to lose the bearings we came in with and feel that we've successfully beaten back at least some of the intrusiveness.

But Huppert is keeping his eye on the ball: maybe we can not only get the worst stuff out of this bill but make things actually better than they are now; it will amend RIPA. The Independent argues that private companies hold much more data on us overall but that article misses that this bill intends to grant government access to all of it, at any time, without notice.

The big disappointment in all this, as William Heath said yesterday, is that it marks a return to the old, bad, government IT ways of the past. We were just getting away from giant, failed public IT projects like the late unlamented NHS platform for IT and the even more unlamented ID card towards agile, cheap public projects run by smart guys who know what they're doing. And now we're going to spend £1.8 billion of public money over ten years (draft bill, p92) building something no one much wants and that probably won't work? The draft bill claims - on what authority is unclear - that the expenditure will bring in £5 to £6 billion in revenues. From what? Are they planning to sell the data?

Or are they imagining the economic growth implied by the activity that will be necessary to build, install, maintain, and update the black boxes that will be needed by every ISP in order to comply with the law? The security consultant Alec Muffett has laid out the parameters for this SpookBox 5000: certified, tested, tamperproof, made by, say, three trusted British companies. Hundreds of them, legally required, with ongoing maintenance contracts. "A license to print money," he calls them. Nice work if you can get it, of course.

So we're talking - again - about spending huge sums of government money on a project that only a handful of people want and whose objectives could be better achieved by less intrusive means. Give police better training in computer forensics, for example, so they can retrieve the evidence they need from the devices they find when executing a search warrant.

Ultimately, the real enemy is the lack of detail in the draft bill. Using the excuse that the communications environment is changing rapidly and continuously, the notes argue that flexibility is absolutely necessary for Clause 1, the one that grants the government all the actual surveillance power, and so it's been drafted to include pretty much everything, like those contracts that claim copyright in perpetuity in all forms of media that exist now or may hereinafter be invented throughout the universe. This is dangerous because in recent years the use of statutory instruments to bypass Parliamentary debate has skyrocketed. No. Make the defenders of this bill prove every contention; make them show the evidence that makes every extra bit of intrusion necessary.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


June 8, 2012

Insecure at any speed

"I have always depended on the kindness of strangers," Blanche says graciously to the doctor hauling her off to the nuthouse at the end of Tennessee Williams' play A Streetcar Named Desire. And while she's quite, quite mad in her genteel Old Southern delusional way she is still nailing her present and future situation, which is that she's going to be living in a place where the only people who care about her are being paid to do so (and given her personality, that may not be enough).

Of course it's obvious to anyone who's lying in a hospital bed connected to a heart monitor that they are at the mercy of the competence of the indigenous personnel. But every discussion of computer passwords tends to go as though the problem is us. Humans choose bad passwords: short, guessable, obvious, crackable. Or we use the same ones everywhere, or we keep cycling the same two or three when we're told to change them frequently. We are the weakest link.

And then you read this week's stories that major sites for whom our trust is of business-critical importance - LinkedIn, eHarmony, and Last.fm - have been storing these passwords in such a way that they were vulnerable to not only hacking attacks but also decoding once they had been copied. My (now old) password, I see by typing it into LeakedIn for checking, was leaked but not cracked (or not until I typed it in, who knows?).

This is not new stuff. Salting passwords before storing them - the practice of adding random characters to make the passwords much harder to crack - has been with us for more than 30 years. If every site does these things a little differently, the differences help mitigate the risk we users bring upon ourselves by using the same passwords all over the place. It boggles the mind that these companies could be so stupid as to ignore what has been best practice for a very long time.

The leak of these passwords is probably not immediately critical. For one thing, although millions of passwords leaked out, they weren't attached to user names. As long as the sites limit the number of times you can guess your password before they start asking you more questions or lock you out, the odds that someone can match one of those 6.5 million passwords to your particular account are...well, they're not 6.5 million to one if you've used a password like "password" or "1233456", but they're small. Although: better than your chances of winning the top lottery prize.

Longer term may be the bigger issue. As Ars Technica notes, the decoded passwords from these leaks and their cryptographically hashed forms will get added to the rainbow tables used in cracking these things. That will shrink the space of good, hard-to-crack passwords.
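The two preceding paragraphs describe why unsalted password storage fails and why leaked hashes feed precomputed tables. The following is an added example, not code from the column or from any of the sites it names; it assumes constructed sample accounts, uses plain SHA-1 as a stand-in for the unsalted scheme (the column does not name the algorithm) and PBKDF2-HMAC-SHA256 with a random per-record salt as the hardened form, and shows why a table built once cracks every unsalted site but nothing salted.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration (not data from any leak):
# two users reuse the same weak password, one uses a rarer one.
SAMPLE_ACCOUNTS = [
    ("alice@example.org", "password"),
    ("bob@example.org", "password"),
    ("carol@example.org", "correct horse battery staple"),
]

# Tiny stand-in for a precomputed cracking table. Real rainbow tables hold
# billions of entries; the principle is identical.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for your hardware


def unsalted_hash(password: str) -> str:
    """The weak scheme: a plain SHA-1 of the password, identical at every site."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Hash each candidate once; the table then works against every unsalted site."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(stored_hashes, table) -> dict:
    """Dictionary lookup: every stored hash present in the table is recovered instantly."""
    return {h: table[h] for h in stored_hashes if h in table}


def salted_hash(password: str, salt: bytes = None) -> tuple:
    """The hardened scheme: a fresh random 16-byte salt per record, fed to a slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)


def crack_salted_with_table(records, table) -> dict:
    """The precomputed table is useless here: salted digests never match unsalted hashes."""
    return {d.hex(): table[d.hex()] for _, d in records if d.hex() in table}


def kdf_evaluations_needed(n_candidates: int, n_records: int, salted: bool) -> int:
    """Work to test every candidate against every record.
    Unsalted: hash each candidate once and reuse it. Salted: once per (candidate, salt)."""
    return n_candidates * n_records if salted else n_candidates


def demo():
    stored = [unsalted_hash(pw) for _, pw in SAMPLE_ACCOUNTS]
    table = build_lookup_table(COMMON_PASSWORDS)
    # Same password reused across users (or sites) gives the same unsalted hash,
    # so one leak identifies the reused password everywhere.
    print("alice and bob share a hash:", stored[0] == stored[1])
    print("cracked unsalted:", crack_unsalted(stored, table))
    records = [salted_hash(pw) for _, pw in SAMPLE_ACCOUNTS]
    print("alice and bob share a salted digest:", records[0][1] == records[1][1])
    print("cracked salted via table:", crack_salted_with_table(records, table))
    # Scale of the column's leak: 6.5 million records, a billion candidates.
    print("KDF evaluations, salted:", kdf_evaluations_needed(10**9, 6_500_000, True))


if __name__ == "__main__":
    demo()
```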

Most of the solutions to "the password problem" aim to fix the user in one way or another. Our memories have limits - so things like Password Safe will remember them for us. Or those impossible strings of letters and numbers are turned into a visual pattern by something like GridSure, which folded a couple of years ago but whose software and patents have been picked up by CryptoCard.

An interesting approach I came across late last year is sCrib, a USB stick that you plug into your computer and that generates a batch of complex passwords it will type in for you. You can pincode-protect the device and it can also generate one-time passwords and plug into a keyboard to protect against keyloggers. All very nice and a good idea except that the device itself is so *complicated* to use: four tiny buttons storing 12 possible passwords it generates for you.

There's also the small point that Web sites often set rules such that any effort to standardize on some pattern of tough password is thwarted. I've had sites reject passwords for being too long, or for including a space or a "special character". (Seriously? What's so special about a hyphen?) Human factors simply escape the people who set these policies, as XKCD long ago pointed out.

But the key issue is that we have no way of making an informed choice when we sign up for anything. We have simply no idea what precautions a site like Facebook or Gmail takes to protect the passwords that guard our personal data - and if we called to ask we'd run into someone in a call center whose job very likely was to get us to go away. That's the price, you might say, of a free service.

In every other aspect of our lives, we handle this sort of thing by having third-party auditors who certify quality and/or safety. Doctors have to pass licensing exams and answer to medical associations. Electricians have their work inspected to ensure it's up to code. Sites don't want to have to explain their security practices to every Sheldon and Leonard? Fine. But shouldn't they have to show *someone* that they're doing the right things?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


June 1, 2012

The pet rock manifesto

I understand why government doesn't listen to security experts on topics where their advice conflicts with the policies it likes. For example: the Communications Capabilities Development Programme, where experts like Susan Landau, Bruce Schneier, and Ross Anderson have all argued persuasively that a hole is a hole and creating a vulnerability to enable law enforcement surveillance is creating a vulnerability that can be exploited by...well, anyone who can come up with a way to use it.

All of that is of a piece with recent UK and US governments' approach to scientific advice in general, as laid out in The Geek Manifesto, the distillation of Mark Henderson's years of frustration serving as science correspondent at The Times (he's now head of communications for the Wellcome Trust). Policy-based evidence instead of evidence-based policy, science cherry-picked to support whatever case a minister has decided to make, the role of well-financed industry lobbyists - it's all there in that book, along with case studies of the consequences.

What I don't understand is why government rejects experts' advice when there's no loss of face involved, and where the only effect on policy would be to make it better, more relevant, and more accurately targeted at the problem it's trying to solve. Especially *this* government, which in other areas has come such a long way.

Yet this is my impression from Wednesday's Westminster eForum on the UK's Cybersecurity strategy (PDF). Much was said - for example, by James Quinault, the director of the Office of Cybersecurity and Information Assurance - about information and intelligence sharing and about working collaboratively to mitigate the undeniably large cybersecurity threat (even if it's not quite as large as BAE Systems Detica's seemingly-pulled-out-of-the-air £27 billion would suggest; Detica's technical director, Henry Harrison, didn't exactly defend that number, but said no one's come up with a better estimate for the £17 billion that report attributed to cyberespionage.)

It was John Colley, the managing director EMEA for (ISC)2, who said it: in a meeting he attended late last year with, among others, the MP James Brokenshire, Minister for Crime and Security at the Home Office, shortly before the publication of the UK's four-year cybersecurity strategy (PDF), he asked who the document's formulators had talked to among practitioners, "the professionals involved at the coal face". The answer: well, none. GCHQ wrote a lot of it (no surprise, given the frequent, admittedly valid, references to its expertise and capabilities), and some of the major vendors were consulted. But the actual coal face guys? No influence. "It's worrying and distressing," Colley concluded.

Well, it is. As was Quinault's response when I caught him to ask whether he saw any conflict between the government's policies on CCDP and surveillance back doors built into communications equipment versus the government's goal of making Britain "one of the most secure places in the world to do business". That response was, more or less precisely: No.

I'm not saying the objectives are bad; but besides the issues raised when the document was published, others were highlighted Wednesday. Colley, for example, noted that for information sharing to work it needs two characteristics: it has to go both ways, and it has to take place inside a network of trust; GCHQ doesn't usually share much. In addition, it's more effective, according to both Colley and Stephen Wolthusen, a reader in mathematics at Royal Holloway's Information Security Group, to share successes rather than problems - which means that you need to be able to phone the person who's had your problem to get details. And really, still so much is down to human factors and very basic things, like changing the default passwords on Internet-facing devices. This is the stuff the coalface guys see every day.

Recently, I interviewed nearly a dozen experts of varying backgrounds about the future of infosecurity; the piece is due to run in Infosecurity Magazine sometime around now. What seemed clear from that exercise is that in the long run we would all be a lot more secure a lot more cheaply if we planned ahead based on what we have learned over the past 50 years. For example: before rolling out wireless smart meters all over the UK, don't implement remote disconnection. Don't link to the Internet legacy systems such as SCADA that were never designed with remote access in mind and whose security until now has depended on securing physical access. Don't plant medical devices in people's chests without studying the security risks. Stop, in other words, making the same mistakes over and over again.

The big, upcoming issue, Steve Bellovin writes in Privacy and Cybersecurity: the Next 100 Years (PDF), a multi-expert document drafted for the IEEE, is burgeoning complexity. Soon, we will be surrounded by sensors, self-driving cars, and the 2012 version of pet rocks. Bellovin's summation, "In 20 years, *everything* will be connected...The security implications of this are frightening." And, "There are two predictions we can be quite certain about: there will still be dishonest people, and our software will still have some bugs." Sounds like a place to start, to me.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.