“Got kitesurfing on the mind, mixed with some search & classification tech, and a dab of political ranting”

Archive for April, 2006

Bush on Plame…but what about the tax payers?

Posted by direwolff on April 13, 2006

With all the hubbub about Bush leaking Valerie Plame’s CIA role to the public, the speculation over how he’s allowed to release classified material and so there should be nothing wrong with what he did, it occurred to me that this all begs some basic questions. For one, if he did nothing wrong, then why didn’t he come clean…ah, I mean why didn’t he just tell the public (“come clean” sounds like I’m suggesting that he was dirty or something, right?)? After all, given how long the investigations into this matter have been going on, at great expense to the American taxpayers (that’s us folks), if he had simply divulged the fact that he authorized this release of information then this matter would have been addressed and resolved years ago.

As always, I suspect everyone involved knows that this was not all that clean of a matter. So the next question is how dirty of a matter was it and what punishment should be doled out given that fact? The President’s effective denial to all branches of government (since no one appears to have known about this until Libby’s recent statements) for as long as he declined to divulge his involvement, suggests that at the very least there’s a matter of lying to the American people (yeah, I know you liberals out there are chuckling at my seeming naivete on this matter, “why he’s been lying to us since the day he took office”) and to Congress. Doesn’t that mean something any more, or is it only when one denies receiving fellatio in the Oval Office?

In the words of the conservative movement in America, “I think it’s time someone be held accountable”! Both Bush & Cheney have done nothing but obstruct justice in this matter and it’s time that they take responsibility for their actions, not simply by admitting their guilt and complicity, but by also being removed (or stepping down, I’m not fussy here) from office.

OK now, who’s with me?!…close your eyes, click your heels three times and repeat after me, “there’s no place like home, there’s no place like home”…I can dream can’t I?


Posted in Public Policy

Credit card theft and its repercussions, but first a lil’ history…

Posted by direwolff on April 8, 2006

For 2.5 yrs, from mid ’95 ’til the end of ’97, I worked as director of strategy for the first payment system company on the Internet, called First Virtual Holdings Inc. (FVHI). The payment system was, to this date, probably the most secure online solution ever devised (using zero encryption, just cleverness) because it was founded on the principle that a user’s credit card would never be made visible or accessible via the Internet. This principle was a very important one to the founders, 3 Internet luminaries: Einar Stefferud (developed first Internet listserv in 1972), Marshall Rose (co-author of SNMP v.2 and one of the Area Directors of the IETF), and Nathaniel Borenstein (creator of MIME (Multipart Internet Mail Extension), yes, he invented the protocol for e-mail attachments), and a very successful businessman, Lee Stein, who had managed several high-profile music bands, had been Chairman of the San Diego Stadium Authority and a commercial real-estate developer. Many people poo-poo’d this foundational principle, but it was at the crux of why this system was so secure. To register, one could do so using an online form or by e-mail, but when it came time to provide the credit card details this had to be done by phone through an AVR (automated voice response) system where the user was asked to type in their credit card number, expiration, and their VirtualPIN, which was the instrument being bound to the credit card that would be used online.

When a user wanted to buy something from an individual or a service online that accepted VirtualPINs (aka VPINs), the user would simply provide their VPIN and the process would begin from there. The service accepting the VPIN would then send a transaction to FVHI (by e-mail or another faster but e-mail-like protocol) with the user’s VPIN and the service provider’s VPIN; FVHI would then forward an approval notification to the user by e-mail asking them to confirm the transaction with a response of “yes”, “no” or “fraud”. The meaning of the first two choices is obvious; the third, “fraud”, was intended to be a rapid way to suspend a transaction if the VPIN had been stolen. The “no” response really dealt with someone changing their mind on completing a transaction.

The system had some drawbacks for physical goods merchants which were addressed in later iterations of the system, but the key was that security was obtained through obfuscation because transactions between merchants and FVHI, and between FVHI and the VPIN holder, never contained both the VPIN and the VPIN holder’s e-mail address, hence there was a shared secret between FVHI and VPIN holder which created the security. The merchant only needed to send the VPIN, and FVHI only needed to send the VPIN holder a confirmation e-mail. The response to FVHI was one word (“yes”, “no”, “fraud”); the response back from FVHI to the merchant was a transaction number with an approval or rejection code to complete the transaction. If someone were to steal the VPIN, the confirmation message would arrive at the actual VPIN holder’s e-mail account and they could respond “fraud” to immediately terminate the transaction.
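The message flow described above can be modelled in a few lines. This is an added illustration, not FVHI's code: the class, method and VPIN names and the e-mail addresses are hypothetical, the data is constructed, and matching a reply to the bound mailbox stands in for however replies were actually authenticated.

```python
import itertools

class Clearinghouse:
    """Toy model of the VPIN confirmation flow (hypothetical names, constructed data)."""

    def __init__(self, email_for_vpin):
        self.email_for_vpin = dict(email_for_vpin)  # binding known only to the clearinghouse
        self.suspended = set()                      # VPINs disabled by a "fraud" reply
        self.pending = {}                           # txn id -> (buyer VPIN, seller VPIN)
        self.outbox = []                            # (recipient, body) e-mails "sent"
        self._ids = itertools.count(1)

    def submit(self, buyer_vpin, seller_vpin, amount):
        """Merchant -> clearinghouse: VPINs only, no e-mail address, no card number."""
        if buyer_vpin in self.suspended or buyer_vpin not in self.email_for_vpin:
            return None                             # refused outright
        txn = next(self._ids)
        self.pending[txn] = (buyer_vpin, seller_vpin)
        # Clearinghouse -> holder: addressed by e-mail, body never carries the VPIN.
        body = f"Transaction {txn} for {amount}: reply yes, no or fraud."
        self.outbox.append((self.email_for_vpin[buyer_vpin], body))
        return txn

    def reply(self, txn, sender, answer):
        """Holder -> clearinghouse: one word. Returns (txn, code) for the merchant."""
        buyer_vpin, _seller = self.pending[txn]
        if sender != self.email_for_vpin[buyer_vpin]:
            return (txn, "pending")                 # assumption: other mailboxes are ignored
        del self.pending[txn]
        answer = answer.strip().lower()
        if answer == "fraud":
            self.suspended.add(buyer_vpin)          # a stolen VPIN stops working at once
        return (txn, "approved" if answer == "yes" else "rejected")

def demo():
    ch = Clearinghouse({"alice-vpin": "alice@example.test"})
    results = []
    t1 = ch.submit("alice-vpin", "shop-vpin", "$12.00")        # genuine purchase
    results.append(ch.reply(t1, "alice@example.test", "yes"))
    t2 = ch.submit("alice-vpin", "shop-vpin", "$900.00")       # someone else reuses the VPIN
    results.append(ch.reply(t2, "thief@example.test", "yes"))  # wrong mailbox, no effect
    results.append(ch.reply(t2, "alice@example.test", "fraud"))
    results.append(ch.submit("alice-vpin", "shop-vpin", "$5.00"))  # suspended, so refused
    return ch, results

if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The merchant only ever sees a transaction number and a code, and knowing the VPIN alone is not enough to approve a charge because the confirmation goes to a mailbox the merchant-side message never names.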

FVHI counted 3 financial institutions as its primary investors: First Data Corporation (the largest processor of credit card transactions), First USA (now part of Chase after the BancOne acquisition, who had previously acquired FUSA), and GE Capital (the largest issuer of private label store cards at the time). We also spent quite a bit of time talking with Visa and MasterCard. A VP from MasterCard joined FVHI as president in early ’97. It’s only in recent history that the credit card companies now enable cardholders to receive e-mail confirmations after any transaction they do (or based on user-definable criteria, i.e. over $1,000 transactions).

FVHI spent a great deal of time explaining the dangers of putting credit cards online. For one, they’re easily detectable. We demonstrated an application we called “Card Shark” which could make its way on to a machine (this was before spyware or major viruses) like a virus, quietly and undetectably, and watch the keyboard buffer. From this, it could recognize any time a user was typing in a credit card and store this in a message that would be sent with the next e-mail connection without the user’s knowledge. It would end up in an abandoned newsgroup somewhere expressly set up to receive credit card numbers. This demonstration upset a lot of people and FVHI was labeled a fear-monger at the time. The banking industry paid some attention to this, but still preferred the idea of the fees they would generate from not obstructing the flow of credit card transactions online. Programs started appearing guaranteeing against losses. It used to be that cardholders were responsible for up to $50 if there was a fraud committed with their cards. Soon, this limit was removed and now a cardholder would owe nothing if their card was misappropriated (online or otherwise, since there was no way to know where the card number had been captured).

Well, FVHI changed its business to being a provider of bulk e-mail services and was acquired by Softbank as part of a roll-up they were doing with e-mail services companies, and the whole was renamed MessageMedia. Since FVHI had already made it to the public markets (Nasdaq), MessageMedia assumed that position and a full-fledged e-mail services company was grown. Much later, DoubleClick acquired MessageMedia, and its payment system patents were sold to eBay, whose recent acquisition at the time, PayPal, was fighting a lawsuit brought on by AT&T on some of its payment system patents. I believe the case was settled once eBay got the FVHI patents.

At the time, I remember all of us thinking that there wasn’t much difference between being right and no one listening or believing us (since people would still put their credit cards out in the clear), and being wrong. Either way, you don’t get the business. Even with our well-thought-out explanation saying that if there was a significant breach and a million credit cards were stolen, and a $2 transaction was done on each card, you’d never find out where the fraud came from and wouldn’t know the extent of the damage (most cardholders wouldn’t notice a $2 transaction). This would force the entire credit card industry to reissue every card and would prove disastrous. Even this wasn’t enough.

Well since then, we’ve witnessed several events that are leading us in this very direction.  The ChoicePoint case was one not so long ago, and now we find another that begins to approach the more serious type of incident we predicted back then.  Perhaps none of these have yet surfaced the apocalypse we once predicted, but it sure looks like, albeit slowly, we will see these predictions come true in my lifetime, and it will be a sad day as all of us will suffer from the arrogance of the credit card industry which could have prevented this in several ways over the past 10 years, but preferred to stand by and let their greed dictate the path.

Payment processor fears credit card crooks
By Joris Evers
Staff Writer, CNET

A major online payment provider said Monday that its processing service had been used in an attempt to charge money to stolen credit and debit cards.

Posted in Online Community, Technology

YouTube, the next eBay

Posted by direwolff on April 5, 2006

The metaphor I’m drawing on in the title goes as follows: eBay started out as a marketplace for individuals to be able to find quick liquidity in goods they wanted to sell. The auction model was innovative and it built a large audience of buyers quickly. This naturally led to actual merchants seeing eBay as a source for audience and prospective customers. Today, I believe something like 80% of eBay’s revenue comes from professional merchants selling goods on the site. They built it for organic use and the professionals came in and took over.

With YouTube’s announcement today, we’re seeing the whole thing happen again, but this time with videos.  Here’s a link to the press release:

G4 and YouTube Form Strategic Alliance, Beginning With Exclusive World Premiere of G4 ‘Star Trek 2.0’ Short

Effectively, what’s happening is that YouTube has developed an innovative site for the upload and viewing of videos, and as a result they quickly drew a large audience for the user-created videos (yes, and some professional videos (i.e. SNL skits) that shouldn’t have been there). This has gotten the attention of studios who are looking for all sorts of ways to promote their TV shows and movies online. With this deal with G4 for the new “Star Trek 2.0”, we begin to see the emergence of a business model for YouTube that could really go a long way for them. We can also now expect to see much more professional content being uploaded to YouTube as the studios see this as a perfect promotional opportunity for their properties. For YouTube, it’s where the money is.

UPDATE – 4/17/06 Article in USATODAY:
“Nike, Warner Bros., MTV2 and Dimension Films are among the firms seeding the site with commercial clips. Now, along with consumer-made videos of newborn babies, weddings and teens pulling pranks, is a short of soccer star Ronaldinho in his new Nike sneakers.”

Looks like the advertisers came on quickly.

Posted in Online Community