17 December 2009

Seriously? No encryption on predator video feeds?

Sometimes a news story appears which leaves me flabbergasted. This report from the Wall Street Journal describes how "the enemy" in Iraq and Afghanistan have been able to use a simple piece of off-the-shelf software (costing $26) to capture video feeds being broadcast by Predator and presumably other UAVs working in the theater.

This reported incident, if true, seriously beggars belief. It has been more than 20 years since commercial satellite TV has deployed effective encryption for both analog and digital video signals to protect commercial interests. And yet the military planners singularly failed to specify simple encryption for sensitive information -- the live video feed of the drone.* Most likely this was done to speed up time-to-market, or to reduce costs--but most security experts would consider this a false economy.

The article clearly indicates that this problem was known since the Bosnian conflict in the 1990's -- but military leaders felt that "local adversaries wouldn't know how to exploit it". This is a perfect storm of stupidity, with two basic blunders: a) assuming that the enemy isn't as smart as we are, and b) relying on security through obscurity. One wonders if this decision means that there are similar weaknesses in the command-and-control channel of the drone's avionics or weapons platforms?

*Subsequent reportage suggested this was not a live feed directly from the Predator, but rather a rebroadcast of said feed via a satellite from the local groundstation uplink. It's still a COMSEC issue however.

16 December 2009

Rant of the day: DHL is seriously flawed

I recently had to send an important document from Austria to New Zealand.

I went to the local Austrian Post, and selected the EMS (Express Mail Service), which cost me 59 Euros to send a letter weighing 70 gm. I knew that this was outsourced to DHL, so assumed it should reach the destination reasonably quickly -- and I could follow it with the tracking number.

So, imagine my surprise when I learned that an item I had submitted in Vienna on Friday 11th of December had only reached London Heathrow by Wednesday 16th of December.

Thats FIVE DAYS to go from Vienna to London. And it still hasn't left on the plane for New Zealand!

I am seriously unhappy with the service from DHL, and plan to avoid using them in future. I've asked them for an explanation, but I doubt one will be forthcoming.

To see for yourself, check the URL:


The AWB number is 9653805361. Is this some kind of record for tardiness?

DHL, please fix your broken system!

/rant ends

Update: the package arrived on 21 December -- a total of TEN DAYS after I sent it on 11 December. I think this is the last time I use DHL, or the Austrian EMS which resells their service.

01 November 2009

CyberSecurity Weekend roundup for 1st November 2009

There have been quite a few security and risk-related stories this past week, which raise all sorts of questions about public perception of the theme of CyberSecurity.

Let's start with this one: http://www.wired.com/threatlevel/2009/10/gawker/

To summarise, a well-organised criminal gang is using paid advertising to distribute its malware through popular, respectable web sites. One of the challenges facing malware distributors, is how to get the ordinary person (who wouldn't visit a dodgy web site) to become infected. The answer is to be included in a popular website (which Gawker certainly qualifies for) as part of their advertising, then use a known Adobe vulnerability to foist its payload on the unsuspecting victim.

The fake ads, ostensibly from Suzuki, caused browsers to crash and malware to be installed. Gawker have published their correspondence with the fakers, showing them to be skilled and knowledgable in the media business -- not obvious script kiddies or foreigners with poor English. A similar scam targeted the New York Times recently.

In fact, the hackers were displaying quite competent social engineering techniques (including registering plausibly-near domain names for their email responses), in order to get an opportunity to deliver their payload. This is an excellent example of a blended attack -- social engineering, plus an exploit of a known vulnerability in Flash, plus a malware solution to be later used to steal identities and gain access to accounts and funds. In my view, this shows a high degree of coordination and professionalism, which is becoming a dominant characteristic of modern Cyber criminals -- and suggests a degree of specialization, and also possibly separate commercial illegal entities working together for fun and profit.

The second story, also from Wired, suggests that there is something of a disconnect between security planning and technology procurement, particularly in the energy sector.

It is well known that years of neglect and under-investment have left the US power distribution infrastructure in a vulnerable and delicate state (although not as bad as many other countries.)

According to the article,
“Smart grid” refers to the transition from the current, outdated power-grid infrastructure to a more technologically advanced structure that allows expanded real-time monitoring and energy delivery that’s more efficient and cost effective for utilities and consumers. The technology promises to solve a number of problems, but it also (as the Illinois press release states) could “introduce new problems, such as increasing the vulnerability to cyber attack as power grid resources become increasingly linked to the internet.”

One of the challenges of engineering new technology (such as the Smart Grid concept, with its intelligent monitoring) is to ensure that adequate security mechanisms are designed-in from the beginning, rather than being an afterthought -- much as UNIX had security pretty much from the beginning, while Windows security was very much bolted on later.

For me, CyberSecurity in the critical infrastructure protection business must be Job #1 -- to ensure that by design, the infrastructure is built with adequate redundancy and resiliance, able to cope with multiple cascade failures, extremes of weather and malaicious attack. The big issue here is only partly one of cost -- because make no mistake, anticipating and mitigating all possible risks can be expense -- but it is also one of the mindset. Where huge investments are being made, those with a responsibility to make associated decisions need to take into account risks of sabotage, insider attacks and even simple human error -- all of which have in the past caused serious problems, with associated loss of life.

Following up on this year's attacks apparently from North Korea, South Korea's spy agency has reported that the origin has indeed been traced back to that country.

Personally, I am not convinced. It's far too easy for competent hackers to mask their IP addresses through a long chain of anonymous proxies, which would then be programmed to wipe out all traces long before the attack has finished. It's a little too convenient for the South Korean intelligence officials to be able to attribute such an attack to North Korea -- although Occam's Razor does suggest it is the most likely party to want to commit such attacks.

I guess the issue for me here is whether such attacks are truly useful to a State actor such as North Korea -- even one so vilified and long associated with funding terrorism and "dirty tricks." At the most, I see this as a "me too" operation, where the NORKs are reading press reports about the "big boys" engaging in CyberWarfare investment and training, and deciding that they want to play too as a matter of national prestige, much as they joined the informal "Nuclear Club" by detonating a low-yield nuclear weapon.

These days, the capabilities being exercised by state actors and non-state actors seem to be converging. For example, a recent UN investigation into the legality of the US use of drones to carry out "targeted killings" raises some questions (beyond those of customary international law) about whether such use of force is a terrorist act, when not carried out in the theater of war.

Legally (and I'm no scholar of law), I wonder if the UN-sanctioned war action in Afghanistan can justify killings that cross the border in Pakistan -- even if it's compellingly clear that "terrorists" are well-ensconced in that region, and actively participating in actions that clearly deserve the label of terrorism.

My thinking here though is more about the fact that many other countries are deploying their own versions of these UAVs, some of which include ordinance capable of destroying cars or buildings. How long will it be before non-state actors (i.e., the local Al-Queda cell) are signing up for model-aeroplane classes, and buying Chinese UAVs in the black market to act as delivery systems for their Weapon of Mass Destruction Du Jour?

Now some old news -- which I guess will now be part of history. François Mitterand, the French president who committed a terrorist act in 1985, complained that Margaret Thatcher blackmailed him with the threat of a nuclear strike in South America in order to get the disable codes for the French-designed Exocet missiles being used by the Argentinians against the British.

This is an interesting story from the point of view that weapons systems often may have a built-in "kill switch" that may be used by their designer to disable their operation -- a concern shared by the Pentagon.. As an article in IEEE Spectrum suggested, it seems likely that the Israelis successfully used something similar in 2007, when their jets bombed a suspected Syrian nuclear installation -- and the Syrian radar seemed to mysteriously malfunction, or go offline. Of course, the techniques of electronic warfare, jamming, and sending spurious "ghost" signals have been widely known since the Cold War, but it's tempting to wonder just how many Trojan Horses remain covertly buried deep in the electronic bowels of the weapons systems that we still depend upon.

Some of the examples given include:
  • In 2004, Thomas C. Reed, an Air Force secretary in the Reagan administration, wrote that the United States had successfully inserted a software Trojan horse into computing equipment that the Soviet Union had bought from Canadian suppliers. Used to control a Trans-Siberian gas pipeline, the doctored software failed, leading to a spectacular explosion in 1982.
  • Crypto AG, a Swiss maker of cryptographic equipment, was the subject of intense international speculation during the 1980s when, after the Reagan administration took diplomatic actions in Iran and Libya, it was widely reported in the European press that the National Security Agency had access to a hardware back door in the company’s encryption machines that made it possible to read electronic messages transmitted by many governments.
  • According to a former federal prosecutor, who declined to be identified because of his involvement in the operation, during the early ’80s the Justice Department, with the assistance of an American intelligence agency, also modified the hardware of a Digital Equipment Corporation computer to ensure that the machine — being shipped through Canada to Russia — would work erratically and could be disabled remotely.

26 October 2009

The Myth of CyberTerrorism

I was woken shortly before midnight, on a chilly July evening in Auckland by the sound of a bomb. It was 1985, and the Greenpeace vessel Rainbow Warrior had been hit by two explosions, from limpet mines attached by two frogmen (I use that term very deliberately.) One man, Ferndando Pereira, was killed in the attack.

Most commentators now accept that this was an act of terrorism -- and indeed, the initial reaction of the French government was to condemn it as such. It was only twenty years later that French president François Mitterrand admitted that he had personally authorised the bombing.

Was this an act of terrorism, albeit state-sponsored? In my view, absolutely. It was an act deliberately intended to terrorise Greenpeace and its supporters (although the agents concerned claimed that they had tried to avoid any loss of life.)

Now let's look at another case. Three years earlier, in June 1982, the Russian government was conducting pressure tests on its new trans-Siberian gas pipeline, which resulted in a catastrophic explosion -- allegedly with the force equivalent to three kilotons of TNT.

According to the 2004 book "At the Abyss: An Insider's History of the Cold War", written by Thomas C. Reed, this was a deliberate act of sabotage, carried out by the CIA as part of the cold war against the Soviet Union. Reed, a former Air Force secretary who served in the US National Security Council during the Reagan administration,

reported how the U.S. allowed the USSR to steal pipeline control software from a Canadian company. Unknown to the Russians, this software included malicious code (known as a Trojan horse) that caused a major explosion of the Trans-Siberian gas pipeline in June 1982. The Trojan ran during a pressure test on the pipeline and massively increased the usual pressure, causing the explosion. Reed writes:

"In order to disrupt the Soviet gas supply, its hard currency earnings from the West, and the internal Russian economy, the pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds"

By creating an explosion with the power of a three-kiloton nuclear weapon, the U.S. managed to disrupt supplies of gas and consequential foreign currency earnings of the Soviet Union for over a year.

Was this an act of CyberTerrorism? In my view, yes. This was probably the very first documented case where computer-related sabotage was used to trigger major damage (although apparently with no loss of life.)

Subsequently, the world has witnessed hundreds of lesser cases of sabotage and attempts to compromise control systems and economic attacks, which might be classed as cyberterrorism -- but is there really a threat here of the same class as we are confronted by with "classical" terrorism -- i.e., suicide bombers, assassinations, anthrax letters or mass poisonings?

In my view, the threat of CyberTerrorism is largely a myth. A report published by James Lewis of the Washington think-tank Center for Strategic and International Studies, tends to support this view, claiming that although clearly many major states have the capability of undertaking CyberWarfare attacks which could be classed as acts of war, there are few, if any, non-state actors with these capabilities.

These days, the greater threat comes from organized criminal groups, and their targets are almost exclusively economic. It's now possible for a well-funded terrorist group to rent a botnet, but this begs the question -- what would be their target? In order for a terrorist attack to be effective, it has to by definition cause fear or terror, and few conceivable attacks could lead to loss of life necessary to achieve that.

Despite what several "B" movies and shows like "24" or "Law and Order" suggest, there are no super-powered hackers who can take over GPS satellites, hospital emergency equipment or air traffic control systems. Any failures are more likely to be collateral damage from economic attacks, or simple incompetence in the deployment of basic safeguards by those responsible for defense.

CyberTerrorism is a great buzzword, and is being used to attract millions of dollars in counter-terrorism funding, but the real risks should be seen as financial, and the attackers are far more likely to be from the world of organized crime rather than Al Queda.

25 October 2009

Financial Crime and Money Laundering

Let's start by talking about 10 days in January earlier this year [2009]. You may have heard of the torpig malware, which builds a botnet focused on stealing Banking details and other information.

In a period of just over a week, US researchers were able to penetrate the torpig botnet, and collect some information. Here's a summary of what they found.

182,000 unique PCs were infected. In addition, 50,000 new PCs joined the network from fresh infections, mostly from drive-by web site takeovers and other program flaws.

That's 5,000 new PCs every day.

8,310 financial accounts were compromised, from USA, Italy, Germany, Spain, Poland and more countries – from 410 different banks. (The standard torpig configuration targets more than 300 online banking systems around the world.)

Top financial accounts stolen include PayPal (1,770 accounts), followed by Poste Italiane (765), Capital One (314), E*Trade (304) and Chase (217.)

Also stolen were credentials from thousands of corporate web sites, and 1,660 credit and debit card details.

Nearly 300,000 user names and passwords were collected, including Google, Facebook, MySpace and others, thereby compromising a wide variety of personal information and documents.

Typical attacks include man-in-the-middle browser phishing, web injection and form spoofing.

The market for stolen credit cards and bank details is now seeing greater sophistication, with increasing supply leading to lower prices. For example, credit cards with CVV2 codes which have not yet been confirmed can be sold in batches of 1,000 for around $3 each. Prices go up to $12 when you add the consumer's name, address and date of birth. The market is so strong, thieves are using classic marketing tactics -- “buy 500, get 500 free.”

Estimates of revenue from just 10 days of the botnet operation range up to $8 million, based on current market prices for credit card details and compromised bank accounts. Not a bad return on investment for just one criminal enterprise.

And in news from researchers at McAfee, 12 million new computers have been taken over as botnet zombies since January – that's a 50% increase over last year. According to the report, 18% of all computers in the USA have been compromised, with second place China on 13%.

Here's another case, from Korea. Rhee Jin-shik, a 57 year old self-employed businessman, received a phone call from the Post Office, telling him that they were unable to deliver his new credit card. Rhee said he never ordered one, so the Post Office told him they were reporting it to the Financial Police, who would help him. A few minutes later, with uncharacteristic efficiency, someone from the Cyber Investigation Unit called, and told him that he was being targeted by a gang of criminals. In order to protect his money, he was recommended to transfer it from his current account, into a special “protected” account set up by the government. A kind manager from the government controlled Bank soon called him, to help him do this.

Naturally, all three callers were fake – part of a sophisticated Voice Phishing scam, which targets small business owners.

You've all heard similar cases, and we could stand here all day talking about them, but let's focus on what's important.

First, the Fraud market is a global, complex problem. Nearly every country is affected, and the criminal gangs behind it are increasingly professional, using sophisticated techniques and the latest technologies to achieve their goals.

Wherever there is Fraud, you can be sure that Money Laundering isn't far behind.

Fraudsters need to channel their illegal earnings back to where they can spend them. This also brings in tax evasion, and a whole range of different ways of benefiting from the proceeds of crime.

A more worrying trend is that a significant percentage of crime is also being used to benefit terrorist organisations. Recent investigations for example show that Somali marine piracy is being funded from Dubai, and banks there have been accused of laundering money for the pirates.

There are well-recognized links between some traditional informal methods of money transfer (such as Fei Ch'ien or Hawala), and terrorism financing. Increasingly, terrorists are using the same channels as regular criminals, and are investing resources to build their capabilities.

This global problem is growing and changing, almost faster than the authorities can keep up. To protect themselves, financial institutions have to become more effective.

The criminals are becoming smarter. Last week, we learned that fraudsters were using their access to Lexis-Nexis to steal information required for Credit Cards – and have been doing it for three years, putting more than 32,000 people at risk of financial loss.

The threats are multiplying. Another factor which is starting to have a major impact is the financial meltdown of the past 12 months.

This has led to a huge loss of confidence among consumers, as well as a surge in financial crime from desperate people, some of whom may have lost their jobs in the industry.

Thus, we see greater risk from insider threats, as internal fraud is driven by employees with knowledge of vulnerable systems, and fear for their future.

Finally, we must not neglect consumer confidence among the risks, as this has been particularly hard-hit by the collapse of banks and property prices, with a string of bankruptcies leading to unemployment and loss of investments.

In the Unisys Security Index survey (Wave 4), 61% of Europeans believe that the world financial crisis will increase their personal risk of becoming a victim of identity theft – with the Spanish having the highest levels of concern.

All of these problems require a firm decision by regulators and financial institutions to take the threat seriously – which means continuing to invest in training, building institutional capabilities, and selecting appropriate technologies to combat financial crime.

To summarize, we have the following conditions:

1) Increasingly sophisticated complex attacks on financial systems;
2) More professional, highly motivated and intelligent criminals, with an apparently endless variety of new techniques for stealing our money;
3) Blended threats, using combinations of online phishing, telephone and document fraud, plus dangerous malware and botnets;
4) Global financial meltdown, with associated higher risks of internal attacks;
5) Threats are increasing by 40% each year – we are entering the age of CyberWar.
6) Urgent action is needed now – requiring coordination between the financial industry and government.

The “sharp end” for most of this criminal activity is something we see every day in Fraud and Money Laundering investigations.

Those of us active in CyberSecurity believe that the old techniques, based on basic transaction monitoring with pattern matching are no longer enough.

Investigators and the executives responsible for risk reduction need better intelligence to combat these threats.

By intelligence, we mean the training, tools and techniques used in the world of CIA, NSA and FBI, but applied in the domain of financial crime.

It's not enough to have access to data. By itself, the data does not help us.

We have to work smarter. This means approaching financial crime in a new strategic way. It means breaking down some of the barriers which may exist between silos, bridging the gaps between compliance and fraud investigation departments.

We see a need for closer cooperation between regulators, the Financial Intelligence Units, and banks and insurance companies.

And finally, we need the political will to tackle these issues, or the problems will simply continue to get worse.

23 October 2009

Chinese CyberWarfare Capabilities Developing

The following article (from Associated Press) shows that modern governments are seriously investing in their CyberWar Fighting capabilities.

But what does this mean to the rest of us? How can a government (especially one under totalitarian rule such as China) impact on the lives of we who live in democratic countries?

Currently, English is the dominant language on the Web -- but Google's Eric Schmidt recently proposed that within five years, Chinese language web sites could overtake this dominance, with their current rate of growth.

Increasingly, every aspect of our lives is becoming more dependent on the online experience. As China grows, and with the suggestion that "GreenWall"-like censorship measures could contain hidden backdoors that could recruit nearly every Windows PC in China into a giant government-controlled botnet, the threat of the Chinese being able to bring down nearly every Web site with a massive DDOS attack becomes a reality.

But in my view, for the Chinese government it's not only about force projection -- it's also about infiltrating themselves into foreign networks (e.g., NYPD and LAPD have long reported subtle attacks apparently originating from China), using a combination of HumInt and SigInt to subvert critical infrastructure, as part of a long-range plan to support potential future strikes.

More concerning for businesses however is the existence of ties between such intelligence operations, and the covert industrial espionage that endangers commercial enterprises. For this reason, in my view companies need to invest in long-range planning and strategic actions that reduce their exposure to such threats -- and acknowledge that the attackers are usually much better-funded, and smarter than our current defensive systems.

China is building its cyberwarfare capabilities and appears to be using the growing technical abilities to collect US intelligence through a sophisticated and long-term computer attack campaign, according to an independent report.

Released Thursday by a US congressional advisory panel, the study found cases suggesting that China's elite hacker community has ties to the Beijing government, although there is little hard evidence.

The commission report details a cyberattack against a US company several years ago that appeared to either originate in or come through China and was similar to other incidents also believed to be connected to the country.

According to the analysis, the company noticed that over several days, data from their network was being sent to multiple computers in the US and overseas. While the report does not identify the company, it contends that the attackers targeted specific data, suggesting a very coordinated and sophisticated operation by people who had the expertise to use the high-tech information. An internet protocol (IP) address located in China was used at times during the episode.

Barring proof, the study by the US-China Economic and Security Review Commission warns that the sort of expansive and sophisticated computer resources that have been seen in cyberattacks on the US and other countries "is difficult at best without some type of state sponsorship."

The study contends that the Chinese, long reported to be stoking a massive military build up, has also made computer warfare a priority. The Chinese government is said to view such cyberprowess as critical for victory in future conflicts - similar to the priority on offensive cyber abilities stressed by some US officials.

Potential Chinese targets in the US, according to the report, would likely include Pentagon networks and databases to disrupt command and control communications, and possibly corrupt encrypted data. The report notes, however, that penetrating such classified systems would be time consuming and difficult.

In large part, the commission report expands on the Pentagon's annual China military power review. The Defense study said earlier this year that China's People's Liberation Army has set up information warfare units to develop viruses to attack enemy computer systems and networks as well as to protect friendly systems.

The Pentagon report described computer attacks believed to have originated in China, but concluded that "it remains unclear if these intrusions were conducted by, or with the endorsement of, the PLA or other elements of the PRC (People's Republic of China) government."

The new report, prepared for the commission by Northrop Grumman, relies largely on publicly available information from Chinese hacker websites, technical articles and analysis of computer intrusions attributed to the Chinese.

21 October 2009

Presentation on CyberSecurity

Here is a presentation I prepared earlier this year for a talk I gave to a class at the University of Florida Levin College of Law.

Risk Management applied to Banking fraud

Trends in contemporary Risk Management and Enterprise Security

The Banking industry continues to be beset by external and internal fraud, covering a range of lines of business, from securities, online channels, application fraud, ATM, checks and money laundering. Recent best practices have recognized that Risk Management techniques yield the best results in detecting and preventing some of these diverse types of fraud.

From the earliest years when banking services were introduced in support of commerce, long distance trade and the prosecution of wars, there were creative and immoral intellects applying themselves to the task of fraudulently obtaining a share of the wealth. Banking has always been about trust, and finding mechanisms for allowing the legitimate control over flows of money that are difficult to counterfeit or circumvent.

In recent years, with the addition of the Internet and other online Banking channels (such as mPayments, Debit/Credit Cards and Wire Transfers), the tasks for banks have become exponentially more challenging. In addition to a huge increase in the value of transactions operating over electronic channels, there has also been a dramatic level of growth in the number and speed of such transactions. Given this trend, and the costs associated with manually checking each transaction for signs of fraud, Banks have been forced to invest in ever more complex systems and processes for detecting and preventing illegitimate transactions.

One of the earliest online international banking frauds hit Citibank in 1994, when a Russian criminal, Vladimir Levin, purchased access details for Citibank's X.25-based Cash Management system from fellow hackers. Over the next four months, he illegally transferred $10.7 million to several international accomplices. Citibank's fraud detection systems eventually were triggered, leading to investigation by the FBI, who traced the connections to St. Petersburg, which led to Levin's eventual arrest and successful prosecution.

In recent years, Citibank has again been hit by Russian fraudsters, who used ATM card information (including PINs) which were stolen from a compromised 3rd party banking system. With Ukrainian confederates, $2 million was stolen in cash from ATMs around New York over a period of months in late 2007, then laundered through various methods back to Russia.

Of much greater impact in recent times is the growth of insider fraud, which in more serious cases has led to the complete wiping out of a bank's assets -- such as the Barings Bank collapse in 1995, triggered when rogue trader Nick Leeson lost $1.4 billion from unauthorized futures trading positions. Austrian bank BAWAG hid $1 billion in losses for seven years until 2005, with on-going court cases, and the forced sale of the bank to new owners. An HSBC clerk stole $143 million from the bank in April 2008, using stolen account information. Credit Agricole lost $250 million from unauthorized trades in credit market indexes in its New York Calyon unit. And most spectacularly, Jerome Kerviel lost $7.1 billion from his employer, Societe Generale, from uncontrolled and highly risky trades in equity derivatives (hedge funds) based on European stocks.

These cases, while spectacular, are the tip of the iceberg, as many banks refuse to dislose publicly many of the smaller losses incurred, such as hundreds of millions annually from phishing attacks against customer accounts, as well as substantial levels of persisting check and credit card fraud. Understandably, banker's reluctance is driven by the fear that customers would lose confidence in a bank with such a poor security track record, and justifiably so. However, recent surveys [Unisys] have shown that many banking customers already are highly concerned about security, as more of them are hit by phishing, identity theft, advance-fee fraud and increased costs from banks, not to mention the dramatic liquidity crisis resulting from apparently fraudulent sale of unsecured mortgages and their toxic derivatives.

Bankers have not been unconcerned, and the most promising efforts in this area have come from a combination of self-regulation and government legislation. For the former, the Basel Committee on Banking Supervision has released many documents which outline voluntary codes by which banks can regulate their internal controls and risk management processes, especially in regards to Credit and Operational Risk. The Three Pillars of Basel II include:

1. Minimum capital requirements -- defining mechanisms for calculating the required level of capital adequacy to deal with market, operational or credit risk (potential losses);
2. Supervisory review process -- increasing accountability and transparency of banking supervision, in particular in its Risk Management processes and procedures;
3. Market disclipine -- requirements for a bank to publicly disclose its known risks and capital positions.

Beyond these voluntary accords, which have been successfully applied world-wide by banks in hundreds of countries, governments have enacted legislation intended to strengthen confidence in the banking system by requiring greater protection for consumers, as well as regulating bank's behaviours in selected markets. These laws include, for example, MiFID (European law for governing the sale of securities); 2nd and 3rd EU AML Directives, OFAC lists, FATF 40+9 (which regulate bank's behaviour in regard to requiring the detection and prevention of money laundering and terrorist financing,) and a host of other local laws that seek to improve Governance, Regulatory and Compliance processes within the financial services sector.

Such industry self-regulation and government laws have unfortunately not significantly diminished the growing wave of financial crime which threatens the banking industry. There is a trend for well-funded, ruthless and highly skilled and motivated international criminal gangs, which deliberately target the weakest institutions and the apparently threadbare security of online banking channels (according to one recent survey by the University of Michigan, 75% of a sample of 214 banking web sites have significant security flaws which could be used for identity theft or other fraudulent activities.)

Banks are driven by increasing complexity in the management of their business, with consumer demand for faster response, lower costs, wider ranges of products and services, and regulatory pressure. All of these conflicting demands mean that the necessary investments in security have not kept pace with the rapid rate of change in the fraud landscape, and the almost monthly tales of huge losses due to unauthorized insider trading and the rapid growth in identity theft paint a grim picture. Banking management will spend on security only in the face of a compelling event, such as recent major loss, or threat of government intervention. Until then, they will perform a rational risk cost/benefit analysis -- are the losses due to fraud likely to be significantly higher than the investments required and internal process changes needed to better detect and prevent such fraud? When the answer to this question is no, then banks will spend the minimum required to achieve compliance with the basic standards, and hope that customers won't notice the difference. Fortunately, consumers are becoming more discriminating, and are starting to insist that banks take responsibility for the poor state of banking security and its concomitant lack of confidence.

Can we continue to trust banks? In my view, the answer is maybe -- and those banks which demonstrate a higher level of security competence and investment in improved Governance, Regulatory and Compliance activity will get my business, while those other "soft target" banks will struggle to maintain their position. A revolution is needed--but fortunately the evolutionary effects of increasingly more successful "predators" (the fraudsters and criminals) will have the effect of weeding out the weaker banks, leading to an overall strengthening of security.

12 October 2009

Aubade: A poem by Philip Larkin

I work all day, and get half drunk at night.
Waking at four to soundless dark, I stare.
In time the curtain edges will grow light.
Till then I see what's really always there:
Unresting death, a whole day nearer now,
Making all thought impossible but how
And where and when I shall myself die.
Arid interrogation: yet the dread
Of dying, and being dead,
Flashes afresh to hold and horrify.

The mind blanks at the glare. Not in remorse
- The good not used, the love not given, time
Torn off unused - nor wretchedly because
An only life can take so long to climb
Clear of its wrong beginnings, and may never:
But at the total emptiness forever,
The sure extinction that we travel to
And shall be lost in always. Not to be here,
Not to be anywhere,
And soon; nothing more terrible, nothing more true.

This is a special way of being afraid
No trick dispels. Religion used to try,
That vast moth-eaten musical brocade
Created to pretend we never die,
And specious stuff that says no rational being
Can fear a thing it cannot feel, not seeing
that this is what we fear - no sight, no sound,
No touch or taste or smell, nothing to think with,
Nothing to love or link with,
The anaesthetic from which none come round.

And so it stays just on the edge of vision,
A small unfocused blur, a standing chill
That slows each impulse down to indecision
Most things may never happen: this one will,
And realisation of it rages out
In furnace fear when we are caught without
People or drink. Courage is no good:
It means not scaring others. Being brave
Lets no-one off the grave.
Death is no different whined at than withstood.

Slowly light strengthens, and the room takes shape.
It stands plain as a wardrobe, what we know,
Have always known, know that we can't escape
Yet can't accept. One side will have to go.
Meanwhile telephones crouch, getting ready to ring
In locked-up offices, and all the uncaring
Intricate rented world begins to rouse.
The sky is white as clay, with no sun.
Work has to be done.
Postmen like doctors go from house to house.

19 September 2009

Some quotes on Atheism

I saw this collection of quotes on Atheism, and decided to collect them here for future reference.

The fact that a believer is happier than a sceptic is no more to the point than the fact that a drunken man is happier than a sober one.
- George Bernard Shaw

We must question the story logic of having an all-knowing all-powerful God, who creates faulty Humans, and then blames them for his own mistakes
- Gene Roddenberry

The world holds two classes of men - intelligent men without religion, and religious men without intelligence
- Abu'l‐Ala al Ma'arri

I do not fear death. I had been dead for billions and billions of years before I was born, and had not suffered the slightest inconvenience from it
It ain't the parts of the Bible that I can't understand that bother me, it is the parts that I do understand.
- Mark Twain

Properly read, the bible is the most potent force for Atheism ever conceived.
- Isaac Asimov

Lighthouses are more useful than churches
- Benjamin Franklin

"The Christian God can be easily pictured as virtually the same as the many ancient gods of past civilizations. The Christian god is a three headed monster; cruel, evil and capricious. If one wishes to know more of this raging, three headed, beast-like god, one only needs to look at the caliber of the people who say they serve him. The are always of two classes: fools and hypocrites."
"Christianity is the most perverted system that ever shone on man"
-- Thomas Jefferson

God is an essence that we know nothing of. Until this awful blasphemy is got rid of, there never will be any liberal science in the world.
-- John Adams

"During almost fifteen centuries has the legal establishment of Christianity been on trial. What has been its fruits? More or less, in all places, pride and indolence in the clergy; ignorance and servility in the laity; in both, superstition, bigotry and persecution."
What has been Christianity's fruits? Superstition, Bigotry and Persecution.
-- James Madison

"The Bible is not my book nor Christianity my profession. I could never give assent to the long, complicated statements of Christian dogma."
- Abraham Lincoln

"Religion was born when the first con man met the first fool."
"If religion was based on real truth, there only would be one."
-- Mark Twain

I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours
- Stephen Roberts

With or without religion, you would have good people doing good things and evil people doing evil things. But for good people to do evil things, that takes religion.
- Steven Weinberg

Isn't it enough to see that a garden is beautiful without having to believe that there are fairies at the bottom of it too
- Douglas Adams

It was, of course, a lie what you read about my religious convictions, a lie which is being systematically repeated. I do not believe in a personal god and I have never denied this but have expressed it clearly. If something is in me which can be called religious, then it is the unbounded admiration for the structure of the world so far as our science can reveal it.
- Albert Einstein

"Creationists make it sound as though a 'theory' is something you dreamt up after being drunk all night."
"Creationists don't want equal time, ... they want all the time there is."
Isaac Asimov

And in the other corner:

"Reason must be deluded, blinded, and destroyed. Faith must trample underfoot all reason, sense, and understanding, and whatever it sees must be put out of sight and wish to know nothing but the word of God."
-Martin Luther

Hence today I believe that I am acting in accordance with the will of the Almighty Creator: by defending myself against the Jew, I am fighting for the work of the Lord.
~ Adolph Hitler, Mein Kampf

25 May 2009

1981: adventures in computer science

Many years ago (in 1981), I was one of a small group of people in New Zealand who were part of the first wave of computer entrepreneurship, and defying logic and common sense, felt that we could compete by designing and building our own personal computer.

I'd met the late Stewart Holmes at Auckland University, where he was studying for his PhD in digital microelectronics. I was working part time at the then Auckland Technical Institute, with a focus on digital circuits and electrotechnology, although my speciality was software. Together with the Irishman Ernest Halliday, we three formed a company, which I named "Technosys" (combining "Technology" with "Gnosis", or deep esoteric knowledge.) I also designed the logo, but the core idea of making a personal computer (and therefore the credit for the pioneering vision) came from Stewart.

Ernie Halliday was a fascinating fellow, full of stories from his years serving with the British SAS regiment in Northern Ireland and Borneo. Who knows, some of them might have even been true. I have no idea whether he is still alive, but after the injuries he reported (botched HALO drops), I suspect he might not be. Whatever his fate, he was a great salesman, and had the vision to put the company together, and find a market when few business people even knew the potential of computers.

When time permits, I will dredge through my recollections, and perhaps contribute them to the archive. I am grateful to Philip Lord, who has put together a Web site which features the Aamber Pegasus, including photos, some old documents, and even software downloads. Great work guys!

24 April 2009

Three Nights in Dubai: Staying in a Hotel with reservations

The plane came in over the desert sands, the far off towers gleaming in the evening light. It was our first trip to Dubai, and I was anticipating a unique experience. As tourists, I knew that we might be unable to appreciate all the challenges we had read about, which are faced by the exploited foreign workers, wealthy expatriates and aloof Arabs, but I hoped to get a genuine taste of the local culture in our brief stay there.

Arriving late at night, our first challenge was to get to our hotel, the newly opened Atlantis at the Palm Jumeira. We were disappointed that even though the hotel knew our flight details, they hadn't arranged transportation, and we had to find our own way there. Fortunately, the airport staff were friendly and helpful, and we only had to wait a couple of hours for a shuttle heading our way.

Soon after midnight, we passed through the huge brass doors of the hotel, adorned by sea-horse and other marine motifs, into a lobby of polished marble floors, filled with colorful murals and amazing glass sculptures. It was like entering into a dream – which we soon did for real, after the rigours of the journey. As I feel asleep, I wondered if Dubai's reality would match its reputation.

We were woken before dawn the next morning by a siren – the fire alarm was going off! We'd heard that the opening of the hotel some weeks earlier had been delayed by a major blaze, and were worried about a repeat performance. Fortunately, a voice with a strong Australian accent came over the tannoy, telling us that “the situation is now under control. Elevators are running again. We apologise for the conven... uh, inconvenience.” Reassured, we went back to sleep.

I'd booked us into the Atlantis in Dubai for a few days, on a stop over for a trip to New Zealand. I had followed the hotel's construction details, starting with the creation of a completely artificial island, the “Palm” (one of three such man-made archipelagos off the coast.) Hotelier Sol Kerzner had left behind the wildly successful Sun City and Lost City resorts he'd created under the apartheid regime in South Africa, to build a new gambling complex in the Bahamas, with a strong aquatic theme.

He continued this theme with the Atlantis in Dubai (minus the gambling of course), and again invested heavily in displays of marine life, and an incredible re-imagining of an archaeological reconstruction of what the fabled lost city of Atlantis might have looked like. Marshalling a team of artists, sculptors, architects, marine biologists and creative engineers, Kerzner has produced a unique artistic statement, which repeats mythical and nautical themes throughout the décor and interior furnishings of the 2,000+ room hotel.

The centerepiece is the lost city itself, which includes a massive sea-water tank with a huge variety of sea-life, swimming around the reconstructed throne room of the sunken kingdom. Selected rooms of the hotel abut directly onto one wall of the tank, so well-heeled guests may be observed at their slumbers by a plethora of marine life. A labyrinth of mysterious artefacts and ancient scrolls in unknown scripts, and murals depicting long-lost gods and goddesses round out the illusion, including crystal power sources and dozens of marvellous living aquaria.

In addition to the indoor marvels, the hotel boasts a 160,000m2 water park, including a remarkable ziggurat water slide taking its riders down underneath a shark-filled lagoon, and 2.3 km of tidal river rapids in a tropical setting – highly incongruous in dry and dusty Dubai. These attractions and the hotel's shopping precinct bring in thousands of visitors every day, most of them families with young children, who seem delighted by the attractions.

We found our basic room (which had already stressed our limited budget) comfortable and well-appointed, with a sea-facing balcony and great attention to detail in the furnishings and fixtures. Navigating the warren of corridors was a little daunting, but eventually we discovered landmarks of unusual wall coverings or art work, leading us back to the central lobby with its massive glass sculpture, looking like a fountain of translucent serpents, illuminated and with trickling water.

A selection of restaurants awaited our palates, from the traditional middle eastern (complete with a too-thin blonde belly dancer) to the upmarket Nobu and European mainstay of Ossiano. I found most of the dining options quite expensive compared to other hotels we have stayed in, although the food of course was a very high standard. We were particularly impressed by the effort made by staff of the cafeteria restaurant, who kindly prepared a travel meal for us, as we had to catch an early flight before breakfast was to be served.

Training my binoculars on the far-off Dubai cityscape, the dominant feature of the Burj Dubai tower was impressively prominent, soon to open as the planet's tallest building. The city inspires a sense of vibrancy and energy, with evidence of construction everywhere you look. The latest model cars race around streets that might be seen in a PlayStation game, with mile after mile of aseptic concrete, steel and glass. This is a city that never really followed the slow evolution of European metropolises, but rather sprang as if fully formed like Athena from the brow of Zeus, its towers spearing into the air from the hot dry sands, pushed up from underneath by subterranean oceans of oil.

We took a taxi to visit one of the largest shopping malls in the world at the base of the Burj tower, with over 600 retailers covering 12 million square feet. Size isn't everything however, as I discovered few bargains in the Dubai Mall, with mostly well-known brands and luxury goods which may be found in almost every airport duty free store. Taxis leaving the mall are in high demand – if you depart at a peak time, be prepared to queue for more than an hour.

One highlight which delighted my wife was a perfumery nestled in the Gold Souk within the mall. Eschewing the traditional western brands, this small shop is a treasure house of garish bottles and jars, replete with mysterious herbs and tree barks, essences and attars, merging into a harmonious olfactory note which soothed and uplifted. We observed middle-eastern women dressed head to toe in black burkas, attended by an Indian serving girl, taking tea and sampling the wares.

My impressions of the city were consistent with my understanding of its culture. Dominated by expatriates and low-wage guest workers, Dubai has many faces. To the tourist, it is a shopping mecca, and fantastic children's holiday destination, lacking the sleaze of Las Vegas or the sophistication of Paris. To the labourers and domestic servants subsisting on near slave salaries under harsh conditions, the city recites a litany of broken promises and shattered dreams, especially as the realities of the global economic crisis have closed down all but the most well-funded construction projects. To the less than twenty percent of locals, the emirate presents a Disneyfied face of Arab culture and opulence, untempered by economic modesty yet trammelled by Islamic mores.

I had the sense that there is a darkness at the heart of Dubai, hidden behind a thin veneer of opulence, and characterised by stark inequalities of consumption and excess, both of consumer items and natural resources. The Atlantis stands out as a triumph of engineering and artistry, demonstrating a dominance over the natural world, rather than an efficient stewardship of resources. One cannot fail to be impressed by the grandeur, the excitement and beauty of the surroundings, yet at the same time feel guilt over the exploited under-classes, who must have suffered in building this temple of excess and the city that surrounds it.

Would I go back? Probably yes. As an experience, Dubai is remarkable for its unflinching focus on tomorrow, its apparent disregard of market forces and its steadfast determination to find a new economic reality based on tourism rather than the rapidly depleting oil reserves of the region. The Palm symbolizes the triumphalism of man's expropriation of Nature's bounty, and yet it retains a unique beauty and impressive artistry, that celebrates the latest pinnacle of Marx's concentration of capital. The Atlantis hotel is a meeting place, of Western and Middle Eastern cultures, of economic power and mythical legend, that entertains and sustains the weary soul – until the money runs out.

23 April 2009

A Delicate Balance: A Visual Guide to Secured Business

Unisys have released a great high-level booklet on managing risk in large enterprises, which is surprisingly easy to read and helpful. Although I was not involved in writing it, I certainly concur with the conclusions, and would be pleased to discuss its implications and application to different industries.

A Delicate Balance: A Visual Guide to Secured Business Operations

22 April 2009


The International Monetary Forum recently forecast that the global economy will shrink this year for the first time in more than 70 years. Appropriately dubbed the ‘Great Recession’, the current financial crisis is causing unrest across the world for consumers, businesses, governments and financial institutions. Paul Gillingwater, European lead, Fraud and Risk Intelligence at Unisys, examines the growing link between this time of unrest and a rise in financial fraud and provides insight for businesses and governments on how to tackle growing consumer fears.

Over recent years we have seen a significant rise in financial fraud across Europe. This form of fraud, which primarily encompasses identity theft and credit card fraud, is now the number one consumer complaint and billions of Euros are lost each year to unscrupulous operators, hackers and gangs.

And how are consumers reacting to this burgeoning offense? According to research from Unisys - poorly. The Unisys Security Index, a bi-annual global study, shows that nearly two thirds (61 per cent) of Europeans believe that the world financial crisis will increase the risk that they will personally fall victim to financial fraud.

According to fraud prevention agency CIFAS, in 2008 fraud levels increased by 16 per cent compared to the previous year. Facility takeover frauds – when a fraudster takes over a victim's bank, credit card or catalogue account - increased by 207 per cent. Specifically, a survey conducted by MessageLabs directly following the bank chaos which began in August 2008, reveals that phishing attacks rose by 16 per cent between August and September before a surge of 103 per cent the following month.

So why is this happening? During a time of financial unrest when banks are making global headlines, it makes sense for spammers to use the credit crunch as a hook to exploit the worried and confused customers who have been shaken by recent events and are looking for a way out.

And how can we explain the sudden increase in the number of perpetrators of these attacks? Hand in hand with a recession comes insecurity. It is this insecurity which increases the motivation for some employees and consumers to commit crimes in order to maintain their existing lifestyles, replace lost funds, or meet increasingly challenging sales targets. In short, difficult economic times can foster the criminally opportunistic and create desperate individuals who embark on desperate measures to deal with personal debt. An overall rise in white-collar crime is in turn seeing attacks such as identity theft and credit card fraud explode.

Additionally, consumers are an easier target for credit card fraud during a recession – leaving themselves more open and vulnerable to fraudsters. As they desperately shop online for bargains, they are not as cautious as they might have previously been.

Finally, there has been a serious breakdown in the relationship between financial institutions and their customers. Consumers have lost faith in banks and no longer trust them to protect their livelihood and money. As faith in financial institutions declines, consumers become a prime target for online attacks such as fraudulent mass e-mail campaigns designed to lure customers into providing personal financial information such as passwords or account information – phishing attacks.

Revisiting Unisys Security Index results from March 2009, the survey reveals significant disparity across Europe, with only one third (32 per cent) of Dutch consumers believing that there is an increased risk of fraud during the recession, compared to 83 per cent of Spaniards. Interestingly, the Spanish were more concerned than their German counterparts over this issue, with just over half (56 per cent) of German consumers thinking that the global crisis will increase the risk of ID theft. This figure falls as income rises – Germans with monthly household incomes of 4,000 Euros or more worry the least. Surprisingly, the research places Germany as one of the least worried nations over this issue, coming fourth out of the five countries questioned.

Perhaps the impact of the financial crisis has not yet filtered down from company level to consumer in Germany, or perhaps the German public planned well for it.

Despite the Belgians relatively low levels of concern in the overall Security Index, residents are clearly worried about this issue, as two thirds (63 per cent) think that their personal risk of ID theft and credit card fraud will increase in light of the recession.

The British are also extremely anxious about ID theft, with a clear majority (72 per cent) believing their personal risk will increase. This puts the UK as the second most worried European country, at 11 per cent below Spain.

While there is disparity across all of the regions surveyed in Europe, these results underscore the urgent need for companies to address this burgeoning fear. Banks and financial service providers in particular must now do everything to win back the trust of their customers. These include strict security measures to protect data, identities, credit cards and cash cards.

It is important that any company doing business online or handling sensitive data take note that the current financial crisis has deepened consumer fear and intensified risks. Outside of the financial services industry, all organisations in both the public and private sector must demonstrate good security practices, ensuring that the high profile security breaches and customer data losses of the past 12 months become a thing of the past. Although cyber criminals will continue to attempt to access our private information, consumers, companies and governments can all work together to combat the threat and reduce the risk of fraudsters succeeding.

While the debate rages on about the mechanics of government bailouts and optimal interest rates, one thing is certain: there will be no return to economic stability without increased trust and rising consumer confidence. Restored trust among banks will open the flow of credit and boost deposits. Stronger trusts between governments and citizens will promote the sense that economic growth and fair markets can be sustained over the long term. And importantly, secure operations and high-quality customer experiences will help inspire the confidence necessary to boost consumer spending.

For more information about the Unisys Security Index and full European results, visit http://www.unisyssecurityindex.com.

18 April 2009

Automation of Bank Card Fraud

I was interested to read about an old scam resurfacing with modern technology, as reported in the Police blotter of the Denton, Texas Police Department.

The scam is as follows. An automated calling system is programmed with an "Interactive Voice Response (IVR)" (set of audio menus, to which the callee must respond by pressing digits on their phone.) Such calling systems are cheap and easy to set up, e.g. using the great open source software Asterisk.

The initial call is made using a message that identifies itself as coming from a local Bank (which is of course a lie.) The message tells the callee that there is a problem with their credit card, and that it has been blocked. (More lies.)

In order to solve the problem, the callee is invited to enter their credit card number, expiration date, CVE code and other confidential details, and to record their name and address. This might be done using the touch-tone system (for the numbers), and with simple audio recording for the name and address.

The scammers will often use a phone link which is able to block caller ID (typically by routing using SIP through a VOIP provider over an anonymous relay,) or they will spoof the Automated Number Identification to pretend that they are originating from the genuine business.

As soon as the hapless victim falls for the scam, their credit card details will usually be sold on via an aggregator, to the next stage in the criminal chain who will then use the stolen information to order goods over the Internet. These goods are then usually laundered through yet more victims, who think they are working at home for a real business.

The insidious aspect of these crimes is that the originator is very hard to track down (and may be operating off-shore.) Furthermore, because the process is automated, they can program the system to call tens of thousands of targets without any additional effort -- and if even 1% of the victims fall for the scam, then the criminals are making money.

What can be done? In the absence of good technical solutions that can make it easier for law enforcement to track down such criminals, and the lack of strong international Policing cooperation, such criminals can operate with relative impunity. Therefore, our only option is to get the word out, and educate the intended victims to never give confidential information over the phone, especially to automated calling systems.

If someone calls you claiming to be from a Bank with whom you do business, then ask for a number and call them back -- but even this might not be enough, so check on the Internet whether that number is listed for your bank.

21 March 2009

Sumitomo: Anatomy of $423m Fraud that failed

The Register offers a fascinating analysis of one of the most audacious Bank heists of the past few years, and the story of the patient investigation which led to the conviction earlier this year of most of its suspects.

It has elements of a classic heist -- the inside man, recruited with thoughts of greed to compromise internal security controls (in this case, tampering with cameras and giving the criminals access to the bank at weekends), the hackers, and the money launderers.

The technology used was simple and readily available -- a commercial keystroke logging software package, installed on critical PCs in a trading room to capture account details and passwords. The target was the Swift system -- the world-wide and widely trusted system for transferring money between banks around the world. Sumitomo was the victim -- and if it wasn't for a crucial lack of vital information, the crooks would have got away with it.

Accomplices around the world -- in Spain, Dubai, Turkey, Israel, Singapore and Hong Kong -- were ready to assist with laundering of the money, seeking to withdraw the large sums from counterparty banks. Luckily, the banks never received the wire transfers, because the Swift forms had not been correctly filled out, and the bank's internal controls prevented the losses.

The lesson here is that insiders can always be compromised, but robust internal controls with strict separation of duties can prevent most issues. The criminals were unlucky (or incompetent) because they failed to fill out the Swift forms correctly -- had they done so, it is likely they would have made a great deal of money. Another lesson is that username/password pairs are not enough -- at least two-factor authentication should be used.

Most importantly however, is that Sumitomo Bank made the correct decision in reporting this crime as soon as possible to the authorities, and diligent police work led, four years after the fact, to the successful prosecution of most of those responsible.

13 February 2009

Cyberstalking and You

A brief guide to staying safe online

Email, instant messaging and social media websites are ubiquitous, convenient and useful forums for networking, doing business or just staying in touch. But there is a dark side, which may often be very upsetting for the victim--that of being stalked or harassed online. Anyone who uses the Internet can be subjected to Cyberstalking, which can occur in many ways. According to Wikipedia, Cyberstalking may be defined as

the use of information and communications technology, particularly the Internet, by an individual or group of individuals, to harass another individual, group of individuals, or organization. The behavior includes false accusations, monitoring, the transmission of threats, identity theft, damage to data or equipment, the solicitation of minors for sexual purposes, and gathering information for harassment purposes. The harassment must be such that a reasonable person, in possession of the same information, would regard it as sufficient to cause another reasonable person distress.[1]

It's very easy for an anonymous person to forge emails, making it look like messages are being sent by someone else. If the messages contain personal details combined with insults or obscene images, it can be very upsetting for the recipients, especially if they think the mail is genuine. Furthermore, it's possible to make anonymous phone calls over the Internet which are untraceable (without the resources of major governments or law enforcement agencies).

Usually, the person being Cyberstalked (if not a celebrity) knows their stalker, or has engaged in online discussions which triggered that behavior in some stranger. Examples might include the ex-partner from a relationship gone bad, political antagonists, fired ex-employees, or predatory individuals with a sexual motivation.

The results of Cyberstalking can often be very distressing for the victims and their family, and in extreme cases have led to serious mental health issues, including attempted suicide. Where the subject of the attacks is a minor, their physical safety may also be at risk, especially if grooming is being used by suspected pedophiles.

Young people don't always use social media sites in responsible ways, and parental guidance and regular monitoring of online activities is often recommended. Parents need to inform themselves of the risks of online activities, and educate their children in keeping themselves safe. Some simple guidelines might include:

  • Don't exchange emails and photographs of yourself with people you've never met
  • Don't assume that the person you meet online is who they say they are -- digital identities are malleable
  • Don't use a webcam like a bathroom mirror
  • Never open unknown attachments from strangers, and use up-to-date anti-virus software
  • If you with to meet someone you know from online, take a friend or parent
  • Educate your child about the risks of "stranger danger"
  • Always assume that if you send someone naked pictures of yourself, they are likely to be shared with strangers

Young people are likely to have a false sense of security when online. They may engage in attention-seeking behavior, where they seek to validate their sense of self-worth by craving the approval of others, even strangers. Blogging and twittering are popular social communications, but have their extreme cases. Some people seem to invite unwanted attention, such as the case in January 2009 of "Boxxy", a young woman with plenty to say. Her videos on Youtube generated tens of thousands of fans, and many others who couldn't stand her, with escalation of hostilities between the two camps leading to death threats, Cyberstalking, flame wars and distributed denial of services attacks on web sites (such as the popular message board 4chan.org, that originated the LOLcats meme.)

Organizations and cults are often high-profile targets for abuse, such as the Church of Scientology (along with some of its most prominent converts like Tom Cruise and John Travolta). Such organizations often employ professionals who track down and use legal threats to silence their critics, although the actions in 2008 of the international group that call themselves "Anonymous" showed that it's easy to hide your identity on the Internet.

Usually, however, Cyberstalking is more personal, with a single individual attempting to harass or threaten their intended victim. The target of such harassment has few options. Unless there is evidence of a direct physical threat to safety, it is rare for a complaint to the Police to be useful. However, establishing a paper trail through an official complaint might be useful later when seeking to take out a restraining order against a particular individual.

Targeted individuals may sometimes have their accounts or email hacked, especially if they use poor password selection policies. Immediate complaints to the abuse departments of the relevant websites can sometimes help, but will likely take weeks or months for action. Sometimes, the better choice is to create new accounts, and contact all friends personally to let them know that correspondence from the old accounts should be ignored. Related to this is the important step of making backup copies of all contact information and personal documents, which is good practice under any circumstances.

In general, it's best to ignore communications coming from a Cyberstalker, and refrain from giving them validation through attention. Don't attempt to reply -- simply delete such messages, which can be handled automatically by some email systems based on filters. For those who spend a lot of time online, it's a good idea to check how much personal information can be found about yourself through search engines. Use your social security number, name, email addresses or user names to discover whether you have "leaked" personal information online. If you can find such data, then it's likely that other people can too, so try to remove it if possible. As a rule, avoid entering private information (such as your birth date or passport details) into any web site. If it's not "official", then just make up fake data.

Some popular websites, like Facebook or Bebo, request personal information, that most people are happy to provide. While mechanisms exist on many sites to restrict the privacy of such information, mistakes can be made, and have led to leaks of private data (including birth details, names and addresses, and phone numbers or credit card details.)

In a world where life is increasingly being experienced online, some basic common sense should be applied to protect your privacy, and respect that of others.

09 February 2009

Recycled: Essay on Capital Punishment

Another old essay written back in my university days.

The Hand of a Killer -- An Essay on Capital Punishment

by Paul Gillingwater

for LLN210 Methods of Research (Webster University, Spring I) April 1995

"No man is an Iland, intire of it selfe; any man's death diminishes me, because I am involved in Mankinde; and therefore never send to know for whom the bell tolls; It tolls for thee."

John Donne, Devotions upon Emergent Occasions (1623-1624)

Last week, Nicolas Ingram was executed in Georgia, U.S.A., after 12 years on death row. Despite considerable publicity and appeals for clemency from secular and religious leaders, the electric chair was again used to end the life of a convicted killer. Is such state-enforced killing justified? When we are faced with this question, we are challenged to define our moral position in relation to society. To what extent do the laws relating to capital punishment reflect our individual ethics? Laws are formulated in Western countries to maintain civil order and to protect society from criminal behaviour. To this end, penalties are devised which are intended to punish those who break the laws. Is execution an appropriate form of punishment in modern society? There are many arguments for and against execution. This paper will review some of the important ones, and show that capital punishment is unjustifiable, not only because it is both ineffective as a deterrent and can cost more than long-term detention, but also because it is ethically wrong by the standards of developed Western nations.

Ethics is about the relation of human beings to each other, especially in the field of moral questions. John Donne's poem (cited above) about the interconnectedness of all humanity holds true in more than just a philosophical sense, as suggested by findings from the field of ecology which show how the actions of one group of pople can have their effect on another group. Each person in society contributes to public opinion, which influences the official attitudes to moral questions in a democracy. Any argument for or against capital punishment eventually arrives at the question of the morality of taking one life in exchange for another. My view is that the deliberate decision to end the life of a human being is equally wrong, whether made by an individual contemplating murder or by a court passing sentence, because life is inherently the thing that each one of us values the most.

A clear distinction exists between lawful and unlawful killing. Since modern society universally condemns murder as morally wrong, we'll confine our discussion only to that form of official penalty known as "capital punishment", (named thus because early forms of execution involved beheading.) Individually, most of us have never participated in a killing, however in a democracy, all citizens are responsible for the laws enacted by our representatives in government, so it may be said that we are all individually implicated in any state execution. To understand this, it may be useful to consider the analogy of the hand, that symbolizes how each member of society participates in the processes leading to an official execution. Whether the finger of a killer pulls the trigger to unlawfully end another human life; or the hand of a doctor administers the lethal injection during the state-authorized execution; the result is the same, and it is the human hand that carries out the intent.

Our hands, with their opposable thumbs, serve to distinguish us from, and elevate us above, the animal kingdom. Human beings rarely use anything else to kill. It is the hand which must grip the weapon, sign the death warrant, pull the trigger or administer the fatal dose. By way of contrast, in the wild no mediation is required between predator and prey, unlike in our human world, where most of us isolate ourselves from the reality of death in the slaughter-house by butchers and supermarkets. Similarly, those who favour executions are rarely willing to pull the trigger themselves, preferring that the State develop the mechanisms to kill the condemned: out of sight, out of mind. How and why did these mechanisms develop?

A brief consideration of the history of capital punishment shows that public killing has long formed a part of law, as early as the Code of Hammurabi (1750 B.C.E.) In early societies, the punishment of wrong-doers was the prerogative of the individual or the tribe, and was usually undertaken as an act of vengeance. It often consisted of forms of torture or execution, which today would be deemed excessive and disproportionate by most educated people. As society became more complex, the right to punish was taken over by the state, which used each execution as a public spectacle "to encourage the others." [1. Voltaire] Since the 1950's, many developed Western nations have joined an international convention against capital punishment. Even in those countries which continue the practice, such as the U.S.A., executions are largely private affairs with public participation limited to the trial and sentencing. It's interesting to speculate as to why executions are no longer held in public --- could it be that the sight of a deliberate killing is somehow deleterious to society? Regardless of the possible negative effects that public executions may have on society, it is clear that certain countries still consider that executions per se have a deterrent effect, as evidenced by their continued popularity; however most Western criminologists believe that there is no conclusive evidence that the death penalty is any more effective as a deterrent than life imprisonment. [2. Microsoft]

Proponents of capital punishment would argue that the deterrent effect of capital punishment, whether public or not, is far stronger than the threat of life imprisonment, a view which is shared by the majority of the U.S. public opinion. This view does not accord with the evidence. [2. Microsoft] In one study, it was shown that two adjacent states (one with capital punishment and the other with life imprisonment) showed no significant differences in the murder rate. In fact, states that use the death penalty seem to have higher murder rates than those which do not, (although this does not necessarily imply a reverse causal relationship, as many other factors are involved, including the influences of demography and poverty.) Similarly, no change was seen when one state first abolished then reintroduced the death penalty, and no reduction in murders has been found in cities where executions have recently taken place. Thus it may be seen that capital punishment has no statistically significant effect on the rate of murder in a state, from which we can deduce that the deterrent effect of executions is negligible. Unfortunately, neither capital punishment nor imprisonment seem to be capable of slowing the growth of crime in modern society.

Since deterrence is no longer a convincing argument in favour of capital punishment, we may turn briefly to consideration of the economics of death. At first glance, it would seem that simply killing an offender may be cheaper than keeping him or her in gaol for life. This is true in some countries, such as China, which has a policy of "one execution, one bullet." In Western countries, however, the extensive legal proceedings of indictment, trials, appeals and their associated expenses have been shown to cost more than the projected costs of life-long incarceration. This apparatus is necessary to reduce the likelihood of mistakes in the administration of justice, since more innocent people would be executed if matters were speedier. Advocates of capital punishment who claim that long-term use of imprisonment costs taxpayers more than executions not only fail to provide evidence for their arguments, but also commit the fallacy of an appeal to greed (lower costs may potentially mean lower taxes), at the expense of compassion. Such logic can lead to the view that public health services should be denied to the elderly or to smokers, because they're more likely to die than others on whom limited funds could more effectively be spent. A further danger of this type of thinking is that once capital punishment is commonly used for murderers, it may more easily be extended to other crimes. For example, China has recently begun a series of executions of people who have defrauded the government of V.A.T. (Value Added Taxes.) Should tax evasion also be considered a capital crime?

A third area which has been used to attack capital punishment is that of bias in its application. Although advocates of capital punishment would argue that there is nothing inherent in the laws of capital punishment that causes racist, sexist or class bias in its application, research has shown [2. Microsoft] that all of these biases have been demonstrated. For a start, women are responsible for 20% of all homicides, yet proportionally far fewer women are executed than men --- a bias which works in the women's favour, but discriminates against men. Secondly, when considering sentencing of convicted murderers, racism is clearly a factor in determining the death penalty, with statistics showing that black men are far more likely to be executed for similar crimes than white men. Finally, defendants without the money or influence to buy experienced (and often expensive) legal counsel are more likely to be executed than well-educated and wealthy murderers. From the above, it may be seen that any suggestion that capital punishment is unbiased fails to meet the same standard of evidence that might be applied in judging a defendant. Now let us consider the most abstract, yet to many, the most compelling argument against capital punishment --- the ethical one.

When we execute a convicted person, what are our reasons? Are we killing him or her to exact vengeance on behalf of those wronged? Such retribution does nothing for them --- it certainly won't bring back the victim of a murder. Do we want to remove the offender from society, eliminating any chance that he or she will reoffend? In this case, it could be argued that life imprisonment should be sufficient, especially when it is accompanied by attempts at rehabilitation. Admittedly, there are problems with this argument, for example, if a prisoner escapes, he or she often returns to a life of crime. Furthermore, some prisoners who are paroled lapse back into offending. Such failures, however, point more to a failure of the current system of rehabilitation rather than any fundamental error in the rationale for opposing capital punishment. Surely, each person deserves a second chance? When such persons reoffend, society has the right to deny them liberty, but not to deny them their lives.

Will executing criminals reduce crime? Unfortunately, as already argued, not even the threat of death is enough to slow the growth of crime in our increasingly sick society. Whatever the reason, it is important to consider the effect that the execution has upon those who carry it out. Given that the act of killing can desensitize the finer human feelings of compassion and forgiveness (as may be seen in times of war and in slaughter-house workers), society has a moral obligation toward those who carry out the punishment on its behalf. Someone has to pull the trigger, throw the switch or inject the poison that ends a life. The chain of responsibility continues back to prosecutors, judge and jury, through to the legislators who voted for capital punishments as an option, and eventually to each of us. Each person who supports, condones or does not actively oppose capital punishment is in some small way contributing to its continuation, and to the debilitating effect this has upon society. That this effect is real was shown by a recent Time [3] magazine article, in which a judge in the Philippines formed a club for judges who have imposed the recently reintroduced death penalty. He explained that some form of support group was needed by those who had to give such terrible sentences. How much worse must the effect be on those who have to carry out the execution? Moral philosophy might provide an answer to the question of whether we have an ethical obligation to our fellow citizens. Once such an obligation is recognized, we might then accept responsibility in a personal sense for permitting society to kill on our behalf, whether in time of war or through execution of murderers.

Recognition of personal responsibility for the death of others was first suggested by John Donne, who talked about no man being an island, existing apart and separate from society. Donne's view, although radical in his day, is now increasingly seen to be true. (Depth ecology [4. Lovelock] takes this idea further, suggesting that all life on earth is somehow interconnected by ties of mutual dependence, as demonstrated by environmental problems knowing no political boundaries.) Social philosophers such as Bertrand Russell suggested that each individual must participate fully in the life of society, and that personal ethical decisions should be made for the good of society. In a contrasting view, Hegel argued that moral choice was not the result of a social contract as outlined by Hobbes, but a natural outgrowth of healthy family life. In either view, human beings must make choices that dictate their place in, and the operation of, the society in which they live. Such a choice is made when we determine that people who seriously transgress our laws are to be denied their freedom. These choices link each of us in an inextricable web of moral responsibility, in which the serious offender may be seen as one who is threatening the health of society. A common analogy is that if we consider society as a single body, then criminals are similar in effect to disease organisms, which can cause suffering to the whole body. (Of course it must be acknowledged that criminals are often a product of illnesses that afflict the whole of society, such as poverty, racism and poor education.) When something threatens our health, we generally act to destroy it, isolate it or control its effects. In the case of habitual criminals, we seek to reduce their negative impact on society by denying them freedom.

In the past, this denial of freedom was achieved in one of several ways: either by imprisonment, mutilation, banishment or death. Today, banishment is no longer practical, and mutilation by the state is considered cruel and unusual punishment by all but the most fundamentalist of Islamic states (although the senate of one U.S. state has just allowed for the surgical castration of sexual offenders), leaving us with two options --- imprisonment or death. Incarceration alone, however, is not sufficient for an ethical society. Penal science advocates rehabilitation --- the training and reeducation of offenders so that they may potentially contribute once again to, and enjoy the privileges of, a free society. Such a choice means that a price must be paid, in the form of higher taxes to pay for the construction and maintenance of prisons --- but greed should not be an acceptable argument for the use of capital punishment, as earlier discussed.

In summary, I have dealt with capital punishment in terms of its failure to deter, its economics and its inherent unfairness. A serious consideration of the ethical basis for eliminating execution as a means of combating crime has shown that there is a wider picture that must be grasped. That wider view may be analogous to the holistic view of medicine, which states that when an individual part of the body is sick, then the whole person is ill. Similarly, when an individual chooses to commit crimes such as murder, this is a sign that the whole of human society is somehow sick. If it is your finger that pulls the trigger, is it enough to simply cut it off? No, because the whole person is responsible. By analogy, when one person runs amok, we need to look at all of the factors influencing this behaviour, including education, racism and poverty.

Just as the hand may be seen as symbolically responsible for killing, it may equally be used to prevent death. If you feel as I do that termination of human life is wrong, then pick up a pen and write a letter --- to your congressman, political party, newspaper or judge. Make your feelings known, that every time a state chooses to end someone's life, such an act is against your will. Eventually, public opinion may be educated to the point when it recognizes that executions are both barbaric and unnecessary, in the same way that we now condemn slavery, torture and murder.


1. This is a quote from Voltaire, who wrote of England that "it is good to kill an admiral from time to time, to encourage the others." (Pour encourager les autres.) The reference is to Admiral John Byng, who was executed in 1757 for failing to relieve Minorca.
2. Microsoft Encarta Encyclopedia, article on Capital Punishment.
3. Time Magazine, March 1995
4. Lovelock, J. The Gaia Hypothesis

05 February 2009

The totem animals of the United Nations Bureaucrat

Many years ago, I used to work for the United Nations. While bored at the office one day, I composed the following essay (1996)...

It was a quiet night in November. I was working late in the United Nations building, finishing off a document for a forthcoming conference, when I decided to take a break for a cup of machine coffee. Heading back to my cubicle, I nearly bumped into an elderly man shuffling around the corner. His UN Retiree’s pass fell off, and I automatically reached down to pick it up. He must have been more agile than he looked, because our heads bumped as he ducked too. Laughing, we agreed to head back to the coffee area, where we sat on some low chairs, and he started talking.

He told me this story, which he said was told to him by a friend of a friend. His eyes twinkled, as he asked me whether I knew about the three totem animals of the U.N. Pleading ignorance, I smiled, and he continued.

The first totem animal of the UN bureaucrat is the
three-toed sloth (Bradypus Tridactylus). A native of South America, this animal has long puzzled Biblical scholars, due to its amazing abilities. How could a pair of these intrepid animals have made the incredible journey from their home in the wilds of the Amazon basin, all the way to Mount Ararat in time for Noah to take them on board the ark? Clearly, they must have a prodigious capability for anticipation of important events. Calculating a daily distance travelled of around 3 km, the pair must have known about the forthcoming inundation over 30 years before the first drops fell. Imagine the sneers of the other sloths as these two visionaries departed on their epic adventure.

The hardships of the journey are almost beyond belief, with intervening stretches of desert, ocean, ice-floes and predators all too capable of running down an animal whose best defence consists in hanging upside down in a tree, nearly motionless. It is this motionlessness which fits the sloth for its place at the bottom of the UN totem pole, as staff members have sometimes been known to avoid the predatory glance of internal auditors through remaining absolutely still at their desks.

Our second totem animal also spends considerable time in trees. Evolving in the great southern land of Australia, the koala bear (Phascolarctos cinereus), is blessed with the ability to sit motionless on a branch for dozens of hours at a stretch, occasionally reaching for a new handful of gum leaves to chew. This unique talent is so well-developed that the koala has actually evolved a hard bony plate in its rear, which it uses to sit on the durable wood of the gum trees. Any UN bureaucrat worth his or her salt would immediately recognise the advantages of such an adaptation, given the long meetings, conferences, sessions and plenaries that fill our days, not to mention long hours in front of a desk.

For the third and final totem animal, we turn to that great reservoir of mysterious life, the ocean. The humble sea squirt, (Cnemidocarpa finmarkiensis), in its juvenile form frolics in the clear warm waters of the Mediterranean, crawling around the bottom of the sea, called by an unknown impulse to find a suitable rock on which to perch. When the rock is found, a subtle alchemy occurs within the metabolism of the sea-squirt, as it undergoes a sea-change, from animal to a kind of sea vegetable. To facilitate the process, the sea-squirt glues itself to the rock in much the same way as oysters do, its permanent post now assured. It immediately begins the next stage of its transformation. The rudimentary brain it used to find the rock is now superfluous, so the sea-squirt starts to absorb it, effectively digesting its own brain. Sadly, the parallel is in some cases all too clear, as the staff member with the permanent post is no longer obliged to engage in creative thought.

My new friend got up to leave, his eyes still twinkling. “Don’t worry too much about the Bureaucratic totem animals. They’re only as true as you want them to be. Perhaps we’ll meet again someday, and I can tell you of the feeding frenzies that follow the release of the hy… --I mean delegates—as they leave their great meetings. But that’s another story.”