
  • What credit card firm attracts the most complaints? New consumer agency launches tell-all website

    The nation's new consumer protection agency is about to start naming names, albeit in baby steps.

    Despite vocal opposition from the financial industry, the Consumer Financial Protection Bureau on Tuesday launched a website that allows consumers to browse through complaints filed against large financial companies.

    Website users can see the name of the company targeted by each complaint, the nature of the issue, the company response -- including timeliness -- and the zip code of the complainer. Users can also generate charts showing which banks attract the most complaints, which issues are hardest to resolve and which regions of the country seem most irritated by bank practices.

    “(This) is a major milestone for consumers and all those who are interested in knowing more about their day-to-day experiences,” said Richard Cordray, the bureau's first director.  “We believe this is the first time that the general public has been able to see such individual-level consumer complaint data for financial products and services. …  Anyone with access to the web will be able to review and analyze the information, and draw their own conclusions.”

    Initially, the website includes only a small fraction of the 17,000 complaints filed regarding credit cards since July of last year, when the agency began receiving customer gripes. Only complaints filed since June 1 will be available at first, as the agency works out the kinks in its "beta" launch of the database.


    A change in the way the agency categorizes resolutions has forced the agency to limit the initial release, said an agency official, speaking on background. Older complaints are being re-categorized and will be added to the public database by the end of the year, the official said.


    Complaints about mortgages and checking accounts will also be added later, making Tuesday’s launch a bit of a baby step toward providing full access of complaints to consumers.

    The financial industry has complained that release of the data is unfair, as the complaints will represent raw, unverified data that could be misleading.  

    "Bureau publication of complaint data alone implies an official endorsement of inferences drawn out of context and suggests reliability about overall issuer customer experience and satisfaction that is not well-founded and that invites untrustworthy analysis that will mislead consumers," said the American Bankers Association in its public comments on the consumer bureau's proposal to publish the data.

    The bank lobbying group also complained that publication of unverified complaints is at odds with the bureau's mission to be a data-driven banking regulator.

    "The Bureau’s proposal expands its role by inventing a new mission of publicly outing information about an issuer’s customer experience and satisfaction record, a function that is fundamentally at odds with its obligation to handle confidentially supervisory information," it said.

    Other banking officials have compared public release of the data to gossip, and the database to the customer review site Yelp.com, complaining that many consumer complaints are unfounded, and some are fraudulently posted by competitors.

    But the bureau official said each individual complaint was a worthy data point that consumers should consider when weighing decisions on banking products, and that release of the data would give banks an incentive to compete on customer service.

    The agency will confirm that an authentic business relationship exists between complainer and target, but nothing else about the complaint will be verified. A warning will tell users that accuracy of the information has not been confirmed, according to the agency official. Complaints will not appear until a bank has responded, or until the 15-day response period has passed, nor will the agency offer opinions on the meaning of the data, the official said.

    Initially, the "narrative" section of the complaints will not be published, because the agency has not yet determined how to sanitize the information to avoid publishing personal information, which could be harmful to the consumer. In fact, Cordray stressed that none of the complainers' personal information will be published.

    Most government complaint data is not public, a situation which has drawn criticism in the past from consumer advocates. The Federal Trade Commission, for example, collects hundreds of thousands of complaints from consumers but only makes the information available in aggregate, or when it files litigation against a firm. Because only a tiny fraction of complaints lead to litigation, the possibility exists that consumers fall for scams or unfair business practices committed by firms that are already attracting a pile of complaints in a government database.

    The consumer bureau’s model suggests consumers might be able to learn from each other, and avoid unfair treatment that way. The data will provide a real-time view of what's happening in the marketplace, the agency official said, and could prevent consumers from falling for new tricks or traps invented by the financial industry.

    But even in the Internet age, where sites like Yelp that let consumers warn each other are common,  sharing of complaints filed with government agencies is extremely controversial.  Last year, the Consumer Product Safety Commission made its complaints available for the first time at SaferProducts.gov. Almost immediately, an as-yet-unnamed firm filed a federal lawsuit to keep a complaint about an allegedly dangerous product off the public website.

    Cordray said he hoped publication of the data would make it easier for consumers to seek fair treatment from financial institutions.

    “Nobody needs to be told there are deep problems in the consumer financial product marketplace – it is why we were created in the first place…For every consumer who reaches out to us to tell us about their troubles, we know that many others have the same troubles but suffer them in silence,” Cordray said. “These complaints tell us personal stories of real pain. … Do your own digging.  Find your own information.  And help us make the marketplace a better and safer place.”

    *Follow Bob Sullivan on Facebook.
    *Follow Bob Sullivan on Twitter.  

  • 'Bad deal' lump pension payouts for veterans draw new scrutiny

    Daryl Henry's reward for 20 years of service in the Navy was a $1,083 monthly pension. But more than half of it went to a private California company -- Retired Military Financial Services -- after Henry was duped into a complex financial agreement, the Maryland resident alleged in a class-action lawsuit.

    Struggling with bills, Henry says he answered an ad in the Navy Times and traded 96 months of future pension checks -- totaling $103,000 -- for a lump sum payment of $42,131. He then spent years depositing his government pension checks into a special account so Retired Military Financial Services could take its share of the taxpayer-funded payments and pay private investors with it.

    Lump sum pension payments for vets are big business, targeting 1.5 million former service members who receive $40 billion annually. Companies that provide them have attracted negative attention from military advocates for years. Tales of retired or injured vets getting 30 to 40 cents on the dollar are easy to find. In 2004, Congress threatened legislation designed to banish the industry, and several courts have ruled the arrangements run afoul of existing federal laws.


    Still, companies offering so-called "annuity utilization contracts" crowd out Google searches around military pensions and loans. The websites that rank highest are often decorated with red, white and blue banners, and they have government-sounding dot-com names. While the lump payouts may sound attractive to retired vets in a financial bind, the terms are oppressive: Participants find themselves with what is essentially a loan at 30 percent interest.


    But on Monday, Consumer Financial Protection Bureau Director Richard Cordray said his agency will begin focusing on pension lump sum payments.

    "We are ... concerned about military pension buyout schemes," Cordray said in a speech on Elder Abuse Awareness Day. "Military retirees are offered lump-sum cash payments in return for surrendering their rights to their pension payouts. These schemes are usually very bad deals for the retirees. We want to collect information on all of these kinds of financial practices."

    Several agencies and investigators have been collecting information on the industry for years. John Wasik, an author of 13 books on personal finance, recently investigated the industry for investment-related fraud in a column on Forbes.com.

    "Basically, you sign up, they lock you in, and if you want out, you don't have recourse," Wasik said. "There is very clear language saying, ‘This is not a loan,’ but it resembles a loan in all characteristics."

    Where do these pension payout companies get their capital from? Investors looking for steady returns. Wasik found that Retired Military Financial Service’s partner, California-based Structured Investments Co., was ordered by an arbitrator in November to repay $5 million to investors who alleged they were defrauded. In December, the firm agreed to stop selling the investments in California.

    In August, a California court ruled in favor of Henry and the class of veterans who joined his lawsuit, ordering Retired Military Financial Service to return $2.9 million.

    "There is an awful lot of litigation out there," Wasik said. "My biggest concern is the proliferation of these things without regulation. Somebody should be looking at what they are doing."

    Attempts to reach Retired Military Financial Services by deadline were unsuccessful. Founder Steven P. Covey defended his company last year in a story published by the Center for Public Integrity’s iWatchNews.org.

    "The position is: We’re purchasing at a discounted lump-sum, future cash flow,” he said. “We’re not lenders. When you’re not lenders, you’re not dealing in potential usury areas.”

    Covey's attorney, Robert Clarkson, told Wasik that his client had "done nothing wrong,” but said he wouldn't answer questions because of pending litigation.

    'It's likely every single one is violating a law'
    Plenty of websites offer cash for pension and disability payments, which add to an already crowded field of firms offering lump payments for structured settlement recipients. There’s good money in granting lump payments to down-on-their-luck consumers who have a guaranteed stream of income. Military pensions fall into a protected category, however, says Stuart Rossman of the National Consumer Law Center, who helped argue Henry's case.

    "If these sites are dealing with the issue of military pensions, it's likely every single one is violating a law," he said.

    All firms that offer such lump payments are between a legal rock and a hard place, he said. Assigning military pensions to a third party isn’t legal; offering loans without abiding by Truth in Lending requirements is also illegal.

    "And they are either one or the other," he said.

    One site, MilitaryPensionLoan.org, offers a typical example: "This program is NOT A LOAN," it says on its home page, despite its Web address. "We will buy the next eight years of your pension for a lump sum of cash."

    MilitaryPensionLoan.org didn’t immediately respond to requests for comment.

    Despite the legal troubles, and occasional bad publicity, the military loan/pension products have survived for more than a decade. Rossman said he filed his first case against such a firm nine years ago. But why?

    He thinks many of these companies use veterans' sense of honor against them.

    "They believe in doing their duty. They don't want to come forward. They believe 'It's my mistake and I have to own up to it,'" Rossman said. "And a lot of them don't even realize they are paying 30 percent interest."

    Rossman hopes military pension payout companies are on the ropes now that investors might be scared away by the California litigation. No investors would mean no money for lump payments. 

    Henry’s legal triumph was a bit of a hollow victory, however -- he'd already made all 96 payments by the time the judge ruled in his favor. While he is entitled to a portion of the $2.9 million judgment, Rossman said the owners of Retired Military Financial Services had declared bankruptcy, so there are no assets to pay the judgment.

    Still, it was a worthy fight, Rossman said. 

    "He's proud he's put a stop to this, and once we had the judge's ruling, we were able to tell other members of the class they could stop making payments. We saved them a lot of money, and he's proud of that," Rossman said.


  • FYI EVERYONE: Spokeo fined, but it's still really spooky

    "FYI EVERYONE -- There's a site called spokeo.com and it's an online phone book that has a picture of your house...," begins the breathless chain email, which has made its way around the Internet for the past three years or so. It'd be hard to find an email inbox or Facebook wall that hasn't been disrupted by the scary warning.

    It sounds like typical urban legend spam, but Spokeo is quite real. So real, in fact, that the site was just slapped with an $800,000 fine by the Federal Trade Commission for alleged deception and violations of the Fair Credit Reporting Act.

    Spokeo agreed to pay the fine without admitting any wrongdoing; but it certainly doesn't shy away from the Big Brotherish accusations.  On its home page Wednesday, despite the fine, is this tag line: "Not your grandma's phone book."

    Most Web users have heard of Spokeo because of the chain email and online posts, some of which make even scarier claims, like this: "It's an online phonebook that has a picture of your house, credit score, profession, age, how many people live in the house," claims one version, begging to go viral. "Remove yourself AND ANY AKA OR SPOUSE by the Privacy button on the bottom right. (passing along, scary stuff!) I have personally checked it out ... and it is really there! CUT PASTE AND REPOST!!!"


    Spokeo is a typical background-data company. Along with a host of competitors, it compiles ragged, incomplete and often inaccurate dossiers on U.S. residents. It does a pretty good job of finding people's home addresses, and then bulks up its reports (that is, tries to get snoopers to pay extra) to see additional vague data, such as average income in your neighborhood. It's no scarier than dozens of other such services. But unlike companies such as Intelius, Spokeo has fully embraced the spooky nature of its business (the name should tell you that) and used it as a marketing tool.

    It appears that marketing plan may have cost the firm $800,000, though the FTC didn't sue Spokeo for being spooky. The consumer agency said Spokeo marketed itself to human resource professionals as an employment background company, using the tagline "Explore Beyond the Resume." But acting as a credit reporting agency triggered the Fair Credit Reporting Act, which imposes a list of legal obligations, such as giving consumers a process to challenge incorrect information. Spokeo did not comply with them, according to the FTC.

    Doing so won Spokeo this distinction: It became the first firm sued by the FTC for sale of data collected from online sources, including social media, for employment screening purposes.

    Spokeo did not immediately respond to requests for comment. Founder Harrison Tang did publish a blog post called "Empowering Spokeo's Users" which said the firm has changed its business practices.

    "It has never been our intention to act as a consumer reporting agency," he wrote. "We have made changes to our site and our internal business practices in order to ensure we don’t infringe upon the FCRA’s important consumer protections, and to ensure an honest and transparent service that will continue to be easy for our customers to use."

    In case Spokeo's reputation needed an even heavier anchor, the FTC also said the firm violated its endorsement rules, sprinkling inauthentic praise about Spokeo all around the Web.

    "Spokeo deceptively posted endorsements of their service on news and technology websites and blogs, portraying the endorsements as independent when in reality they were created by Spokeo's own employees," the FTC says. 

    Let that be a healthy reminder to content creators: Fake comments, discussions and company plugs aren't just bad form. They are illegal.

    As part of the fine, Spokeo has agreed to stop acting like a credit reporting agency and to stop spreading fake endorsements around the Internet.  But back to the original point: If Spokeo's line of business is so scary that it can make Internet chain mails into reality, why is it allowed to exist in the first place? 

    FYI EVERYONE: Weak U.S. privacy laws, that's why. See for yourself a picture of your house. No address required. Feel free to forward this to everyone you know!   And while you're at it, visit http://spokeo.com/privacy to opt out of the company's database. Scroll to the bottom for the essentials.


  • Is Flame virus fallout a Chinese, Russian plot to control the Internet?

    [Image: An undated screen grab released by the Kaspersky Lab site showing a program of the computer virus known as Flame. Credit: AFP - Getty Images]

    Has the U.S. government been caught with its virtual hands in the world's cookie jar? And might it lose control of the Internet as a consequence?

    If you were among the forces on the planet wanting to wrest control of the Internet from the U.S.-friendly agencies that manage it, that's the story you'd surely want to tell. 

    But things are rarely what they seem.  The barrage of Flame news – including word that Flame and Stuxnet appear to have common authorship -- should not be viewed in a vacuum.


    A group of nations led by China, Russia and several Middle Eastern countries would love to see the end of U.S. dominance over the operational control of the Internet, and these nations think they have found their vehicle for accomplishing that: A U.N. body called the International Telecommunications Union.


    The organization, which manages international telephony agreements, will meet in Dubai in December and attempt to extend its charter to take operational control of the Internet away from the U.S.-dominated nonprofit Internet Corporation for Assigned Names and Numbers, or ICANN.

    Even as news of Flame first hit, an ITU working group was meeting in Geneva to finalize the agenda for the Dubai meeting. At almost the same time, there was a hearing in an obscure congressional subcommittee where experts rang alarm bells about an ITU coup.

    The argument that the U.S. should not be in a position of power as far as overseeing the Internet will be bolstered by a world set aflame by news that the U.S. may have exploited its technological advantage to attack sovereign nations with Flame and Stuxnet.

    Some technology experts say the Dubai meeting could very well decide the direction of the world's most valuable resource - information - for the rest of the 21st century:   The future of Internet anonymity, free speech and perhaps freedom itself could be at stake.

    "I think there is a political story that is being missed here," said Chris Bronk, a former State Department official who worked in that agency’s Office of eDiplomacy and is now a professor at Rice University. "There's much more to this. … Stuxnet was better than bombs in the short run, but this could hurt the U.S. down the road.”

    Conspiracy theorists -- including several interviewed for this story who requested that their comments remain off the record -- point out that the world learned about Flame from a Moscow-based antivirus company (Kaspersky Labs), and the ITU chose Flame as the subject of its first-ever international cyber-warning, claiming for the first time an important role in cybersecurity affairs.  They see the grand publicity surrounding Flame as little more than a power grab by the ITU in advance of the Dubai meeting, dubbed the World Conference on International Telecommunications (WCIT).

    “If you want to be cynical, this is definitely a play by an international group to try to gain control over arguably the world’s most valuable resource,” said Paul Rohmeyer, a Stevens Institute of Technology professor who specializes in cybersecurity and international issues, and one of the few members of the conspiracy camp willing to connect the dots publicly.

    But you don't have to draw such a direct connection to see the relationship between Flame and ITU's desire to find and flex new power. Kaspersky Labs, the Russian firm that continues to publish the most informative details about Flame, has a solid reputation in the security research world, and there’s no reason to believe it is acting on behalf of Russian national interests. Still, it's impossible not to view Flame -- and recent revelations about Stuxnet -- without understanding the diplomatic backdrop.

    “If I were advising Russia, I would be all over the place waving these stories around,” said Eneken Tikk, formerly the legal and policy advisor for NATO's Cooperative Cyber Defense Centre in Estonia. “It seems like a great opportunity to increase pressure on talks around cyber threats to international peace and security and gather a coalition of potential victims to say, ‘We see the U.S. establishing itself on the Net in an offensive way, we need an international umbrella to do something.’”

    If the U.S. is guilty of escalating cyberwar by writing computer code that disabled critical Iranian computers, there is no question that forces around the globe will try to exploit the news to their own ends. While most analysts have focused on the potential that Flame invites other countries to counterattack the U.S. with similar cyber-bombs, the real threat might be the rationale it could provide for ending the free-flow of information around the Web.

    “It's very concerning from a purely political standpoint. You can see why a group like ITU would be incentivized to release this news,” Rohmeyer said. “I’m guessing that's what they are trying to set up. They are building their case for internationalization. They have everything to gain and the established order, which is U.S.-based, has everything to lose.”

    U.S. officials aren't blind to the threat; they've made very public warnings about it. In February, Federal Communications Commission member Robert McDowell wrote an op-ed piece in the Wall Street Journal where he criticized the ITU:

    "The most lethal threat to Internet freedom may not come from a full frontal assault, but through insidious and seemingly innocuous expansions of intergovernmental powers," he wrote. "Scores of countries led by China, Russia, Iran, Saudi Arabia, and many others, have pushed for, as then-Russian Prime Minister Vladimir Putin said almost a year ago, 'international control of the Internet' through the ITU."

    McDowell also testified before that congressional subcommittee on May 31, and warned that "pro-regulation" forces led by China and Russia are far more organized than U.S. allies.

    "While precious time ticks away, the U.S. has not named a leader for the treaty negotiation," he said.

    Some in Congress were even more blunt:

    “If we're not vigilant, just might break the Internet," said Rep. Greg Walden, R-Ore.

    The dire-sounding warnings aren't coming solely from U.S. government officials, either.  Even the so-called “father of the Internet,” Vint Cerf, expressed grave concern that day in Congress.

    “(The Dubai meeting) holds profound -- and I believe potentially hazardous -- implications for the future of the Internet and all of its users," he testified. "If all of us do not pay attention to what is going on, users worldwide will be at risk of losing the open and free Internet that has brought so much to so many.”

    Nor is the alarm coming just from the U.S. Toomas Hendrik Ilves, president of Estonia, rang alarm bells on Friday during the International Conference on Cyber Conflict in Tallinn.

    “The outcome of (the Dubai meeting), and related processes, will help determine the topography of the Web for the next two decades,” he said. “While this conference may fall into the domain of ministries of commerce and communications, make no mistake, there will be major cybersecurity ramifications. More ominously, we will face calls to limit free expression as we know it on the Web today.”

    But as Western nations try to draw battle lines, the reality of Flame and Stuxnet muddies the argument considerably.  The U.S. risks losing moral high ground through stories about such cyberattacks.

    "When we had plausible deniability for Stuxnet, we could make the argument more easily,” Bronk said. “This completely cuts at the knees the Internet freedom agenda.  How can the U.S. use clandestine cyberattack to go after a threatening regime, and then push the free agenda? "

    As Rohmeyer sees it, the combination of U.S. cyberattacks and the Dubai meeting puts the Internet at “an age-old crossroads.”

    What might change mean?
    The ITU has its roots in an organization created during the 1860s to standardize cross-border telegraph traffic in Europe. It became a U.N. body after World War II, focused almost entirely on simplifying international telephony. Only recently has it tried to extend its charter to Internet traffic, most notably with the creation of an agency called The International Multilateral Partnership Against Cyber Threats, or IMPACT, based in Kuala Lumpur. Modeled after national computer emergency response teams, IMPACT’s stated mission is to share time-critical computer vulnerability and virus information around the globe. The U.S. has so far refused to join ITU’s IMPACT. Russia, China, Iran and about 140 other nations are members.  

    IMPACT tried to take the lead in international dissemination of information about Flame, using the virus as cause for its first-ever warning.

    How might ITU change the way the Internet works? No one knows, of course, but there are obvious reasons for concern. Chinese officials have repeatedly stated they want an Internet where users must register by IP address, effectively ending anonymity and, perhaps, Internet-based uprisings.

    McDowell warns that Russia, Tajikistan and Uzbekistan asked the U.N. General Assembly to create an “International Code of Conduct for Information Security” to mandate “international norms and rules standardizing the behavior of countries concerning information and cyberspace.” Even ITU’s head of corporate strategy, Alexander Ntoko, raised eyebrows earlier this year in Cancun when he predicted that anonymity online would end.

    “Why countries are interested in the ITU varies. … China and Russia, their motivations are not very friendly to human rights or openness,” said Cynthia Wong, a lawyer for the Center for Democracy and Technology. “Other places feel like they don't have a voice in the current process.”

    One of the main criticisms of the process is a lack of transparency and the limitations on participation of non-governmental groups, according to complaints publicized by the Center for Democracy and Technology and human rights groups. But it’s clear the ITU plans new ways to raise revenue, which might lead to some form of a per-click tax, according to witnesses who testified before Congress at that May 31 hearing. Wong also expects the ITU to push for mandatory standards for packet delivery -- Net standards have been voluntary so far -- which could be a precursor for giving nations more control over incoming and outgoing Internet traffic at their borders.

    One state, one vote
    “Part of the problem with ITU process is that it's so opaque, so it is really hard to understand what might be at stake,” Wong said.  “But what we do know is Russia and some of the Arab states have put cybersecurity on the table.  There are proposals for greater regulation of traffic routing for security purposes.  Depending on how such regulations are implemented, it could be used to justify greater intrusions on privacy and fundamentally change how the Internet currently works technically.”

    In other words, such proposals would make it easier for nations to control Internet traffic.

    Practically speaking, it will be difficult for ITU to grab control over the central tool governing the Web -- the domain name system -- in Dubai. That system is currently operated by ICANN. But a sizable bloc of non-U.S. countries agreeing to mandatory routing standards could still wield considerable power. Treaty negotiations are one state, one vote. The U.S. government could enter a reservation to something in the treaty, but if ITU standards become mandatory, all Internet users could be affected. One potential outcome would see a “splitting” of the Internet, where traffic from nations following one standard is denied by a bloc of nations following another.

    But Wong’s chief concern currently is that groups like hers aren’t welcome in the proceedings. On May 17, the Center for Democracy and Technology and 20 other non-governmental agencies from around the world sent a letter of protest to Secretary-General Dr. Hamadoun Touré, who is running the meeting, saying “there has been scant participation by civil society” in the run-up to Dubai.  But Wong thinks the influential Internet protests around SOPA demonstrate that no government agency will be able to pull a fast one on a recently empowered digital constituency.

    “One of the lessons you can pull from SOPA is this: The time when governments can go behind closed doors and make important decisions about how we use the Internet is gone. That’s not acceptable anymore,” she said. “There is a community of users who are paying attention, and are really concerned about the future of the Internet. They are not going to find it acceptable anymore to use these old ways of creating laws. And it behooves governments involved in this to pay attention to that.” To that end, several groups have collaborated to create WCITLeaks.org, to encourage anonymous uploading of conference-related documents.

    The experience of SOPA might make the Flame and Stuxnet sagas even more important. Could the potential for Internet users to rise up against U.N. control of the Net be blunted if the alternative seems to be continued control by the U.S., its image damaged by Flame and Stuxnet?  Rohmeyer thinks so: Like many technology experts, he’s skeptical of claims that Flame is the most powerful virus ever created. As others have pointed out, Flame is so large that it’s clearly not designed for stealth operation – whoever created it almost begged for it to be found. He thinks a big part of the publicity around Flame is a function of this battle for control of the Net.

    “Is the U.S. releasing viruses so powerful that it needs to lose its control of the Internet?” he said. “I don't think by itself the release of Flame rises to that threshold. I’m dubious of its effectiveness, and suspicious of those claims.”

    There are also open questions about ITU’s ability to take operational control over the Internet and cybersecurity.

    'No country is an island on the Internet'
    “The ITU has been kind of like one big group hug,” said Rohmeyer.  “Do U.N. groups have a track record of success with this kind of operation? The ITU was a standard-setting body for telephony. Once you move out of the connectivity realm into operational controls – wow! That gives them an enormous amount of power. ICANN seems to be functioning. When I woke up this morning, the Internet seemed to be working. I don’t think (ITU) has been in this business before.”

    Not everyone in the U.S. is against giving ITU more control over cyberspace.  Jody Westby, who launched the Central Intelligence Agency’s famed In-Q-Tel technology investment arm and is now a highly sought-after U.S. cyberexpert, penned a column for Forbes last week strongly endorsing U.S. participation in IMPACT.

    “No country is an island on the Internet, and the U.S. cannot expect to be able to adequately respond to cyberattacks or malware infiltrations without the input and involvement of others around the globe,” said Westby, who disclosed that IMPACT was previously a client of her consultancy firm. “The U.S.’s ‘our way or the highway’ attitude in the important area of cybersecurity appears petulant.”

    She also said that, absent U.S. participation, other nations will look to Russia and China for leadership.

    “The U.S. appears as the shirking nation state quietly standing on the sidelines while being accused of engaging in cyberwarfare tactics,” she said.

    But Rohmeyer was among those who wondered aloud what was in it for the U.S.

    “There is no upside for the U.S. (in participation),” he said. “Is the Internet going to be managed better? Will it be more open?”

    Many experts think the end result of Dubai will mean the already tense balance between bottom-up governance, where private firms dictate policy through collaboration, and top-down governance, where governments mandate Internet policies, will grow even more stressed. So will the tension between anonymity, free speech and U.S.-friendly control on one side, they say, vs. accountability, control, and Chinese/Russian/Arab interests on the other. McDowell, from the FCC, has repeatedly warned that even a positive outcome for the U.S. in Dubai offers little reason to celebrate. 

    “Given the high profile, not to mention the dedicated efforts by some countries, I cannot imagine that this matter will disappear,” he testified before Congress. “Similarly, I urge skepticism for the ‘minor tweak’ or ‘light touch.’ As we all know, every regulatory action has consequences.”

    Phillip Hallam-Baker, writing in the online magazine CircleID, compared the balancing act to the uneasy management of the Church of the Holy Sepulchre in Jerusalem, where power is shared awkwardly among various Christian groups and squabbles are common.

    “Backing ICANN appears to be the only sensible course for the U.S. But the problem with this approach is that the U.S. cannot risk ICANN itself being captured by hostile powers, and that in turn means that the U.S. cannot ever release its de facto control of ICANN,” he wrote. “It is an inherently unstable situation that is only maintained through constant vigilance on all sides.”

    *Follow Bob Sullivan on Facebook.
    *Follow Bob Sullivan on Twitter. 

     

  • A LinkedIn leak lesson: top 30 dumb passwords people still use

    Internet users continue to make things very easy for hackers.  A close inspection of a portion of the 6.5 million leaked LinkedIn passwords proves people keep making foolish password choices.  In fact, the most commonly used phrase in the password set appears to be “link,” according to Boston-based security firm Rapid7, which created a top 30 list for msnbc.com. The list was generated by studying a sample of 160,000 passwords from the 6.5 million that have been released on the Internet.

    What hacker would ever guess that your LinkedIn password had the word “link” in it? Answer: All of them.

    Second on the list of most common password phrases: “1234.”  And because LinkedIn required seven-letter passwords, “12345” wasn’t far behind, either, ranking sixth on the list (123456 was 15th.) Rounding out the top 10 were “work,” “god,” “job,” “angel,” “the,” “ilove,” and “sex.”

    “We are seeing a trend of Internet users trying to use simplistic passphrases on Internet sites,” said Marcus Carey, a security researcher at Rapid7. “They are (being hacked) because of the simple fact that many are using words that have been long considered bad passwords. Password-cracking algorithms include these bad passwords as a part of their recipe.”  

    The top 30 list generated by Rapid7 contains partial passwords used by consumers.  In other words, no one used the simple word “link” as a password – it was part of a password, such as “BobLink” or “LinkPass.”  That might seem to mitigate the danger, but it doesn’t offer much protection. Hackers crack stolen password files offline, using tools that brute-force their way through millions of guesses per second, or billions on a modern graphics card.  If a hacker knows someone used a seven-character password, and part of that password is “link,” the bad guy only has to crack the remaining three characters, plus the handful of positions where “link” can sit. That’s vastly easier.  (How much easier? Assuming 94 possible characters, based on the common keyboard layout, a three-character password offers about 830,000 possibilities, while a seven-character password offers about 65 trillion. With “link” known, the attacker is left with roughly 3.3 million candidates, a search nearly 20 million times smaller.)
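    As an added example (written for this edit, not code from the original column or from Rapid7), the following Python works through the arithmetic above and then runs the attack it describes against a few constructed password hashes. The hashes are unsalted SHA-1, the form in which the leaked LinkedIn file circulated; the sample passwords and hashes here are constructed for the demo and are not taken from the leak. `keyspace` and `substring_keyspace` give candidate counts for the full 94-character alphabet; `mask_attack` assumes the attacker knows “link” sits somewhere in a seven-character password and guesses only the rest, and `rule_attack` takes a few phrases from the list below and tries common suffixes such as “!!!”. The crack itself uses a reduced lowercase-plus-digits alphabet purely so that it finishes in well under a second in pure Python.

```python
import hashlib
import itertools
import string

# 94 printable keyboard characters (letters, digits, punctuation; no space),
# the alphabet the column's arithmetic assumes.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
assert len(FULL_ALPHABET) == 94

# Smaller alphabet used only so the toy crack below finishes quickly in pure
# Python; a real cracker on a GPU tries billions of SHA-1 candidates a second.
DEMO_ALPHABET = string.ascii_lowercase + string.digits


def keyspace(length, alphabet_size=len(FULL_ALPHABET)):
    """Candidates for a password of exactly `length` characters."""
    return alphabet_size ** length


def substring_keyspace(total_len, known, alphabet_size=len(FULL_ALPHABET)):
    """Candidates once the attacker knows `known` appears somewhere in a
    `total_len`-character password: the unknown characters, times the number
    of places the known fragment can sit."""
    unknown = total_len - len(known)
    positions = unknown + 1
    return positions * alphabet_size ** unknown


def sha1_hex(text):
    # Unsalted SHA-1, the form the leaked LinkedIn file took. With no salt,
    # one hash computation tests a candidate against every user at once.
    return hashlib.sha1(text.encode()).hexdigest()


def mask_attack(targets, known, total_len, alphabet=DEMO_ALPHABET):
    """Offline crack assuming `known` is a substring of a `total_len`-character
    password. Returns {hash: plaintext} for every target recovered."""
    found = {}
    unknown = total_len - len(known)
    for pos in range(unknown + 1):
        for fill in itertools.product(alphabet, repeat=unknown):
            fill = "".join(fill)
            candidate = fill[:pos] + known + fill[pos:]
            digest = sha1_hex(candidate)
            if digest in targets:
                found[digest] = candidate
                if len(found) == len(targets):
                    return found
    return found


def rule_attack(targets, wordlist, suffixes=("", "!!!", "1", "123", "2012")):
    """Dictionary attack with mangling rules: each base word, optionally
    capitalised, with a common suffix appended. This is why "link!!!" is no
    safer than "link"."""
    found = {}
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                candidate = base + suffix
                digest = sha1_hex(candidate)
                if digest in targets:
                    found[digest] = candidate
    return found


def demo():
    # Constructed sample passwords, hashed the way the leaked file stored them.
    # They are made up for this example, not taken from the real dump.
    mask_victims = ["linkbob", "jo7link"]
    rule_victims = ["Link!!!", "work123"]
    mask_targets = {sha1_hex(p) for p in mask_victims}
    rule_targets = {sha1_hex(p) for p in rule_victims}
    return {
        "space_3": keyspace(3),
        "space_7": keyspace(7),
        "space_7_with_link": substring_keyspace(7, "link"),
        "mask_cracked": mask_attack(mask_targets, "link", 7),
        "rule_cracked": rule_attack(rule_targets,
                                    ["link", "1234", "work", "god", "job"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Run it directly to print the candidate counts and the recovered plaintexts. A dedicated cracker does the same work at far higher speed: hashcat's mask and rule modes are the real-world counterparts of `mask_attack` and `rule_attack`.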

    “What people need to understand is that even with trusted sites such as LinkedIn there is still a possibility for massive compromise,” Carey said. “The bigger the site, the more personal information is leaked, and the big boys on the block are the ones who are targeted the most.”

    This experiment has been done before. In fact, a company named SplashData compiles a “worst passwords” list annually from stolen passwords. You’ll see a lot of overlap between that list and this LinkedIn list. That means people aren’t learning. To that end, if you use any of the phrases on the list below to build your password, you should know that attaching “!!!” to the end doesn’t make you safe.

    RED TAPE WRESTLING TIPS

    It's important to note that even the strongest of passwords offered no protection against the LinkedIn breach itself (or the subsequently announced eHarmony breach): the bad guys stole the password files directly from the companies involved.  What they took, though, were password hashes rather than plaintext, so the weak passwords on the list below were recovered quickly by cracking, while a long random password such as "%R7^Tgh1" is far harder to recover from its hash. That doesn't lessen the lesson. Consumers still should do all they can to protect themselves, and they don't; and anyone whose hash sat in a stolen file should change that password, along with any other account where the same one was reused.

    Words that are in the dictionary shouldn't be in your password, but unusual characters should be.  Names on your Facebook page -- such as your dog's name or high school mascot -- shouldn't be in your password, either. That of course makes remembering your password a challenge, but here's a trick that security professionals recommend: think of a sentence that you can remember, and take the first letter of every word in the sentence as your password. For example: My daughter Julie was born on November 1 would yield a password of "MdJwboN1." Throw in an exclamation point at the end to show your love for your daughter, and you have a pretty strong, unique password.  For more tips, visit this page at US-CERT.


     

    Ranking   Password phrase   Number of times appeared
    1         link              941
    2         1234              435
    3         work              294
    4         god               214
    5         job               205
    6         12345             179
    7         angel             176
    8         the               143
    9         ilove             133
    10        sex               119
    11        jesus             95
    12        connect           91
    13        Fu**              85
    14        monkey            78
    15        123456            76
    16        master            72
    17        Bitch             65
    18        Dick              60
    19        michael           52
    20        jordan            48
    21        dragon            46
    22        soccer            45
    23        Killer            32
    24        654321            32
    25        pepper            31
    26        Devil             30
    27        princess          29
    28        1234567           28
    29        iloveyou          26
    30        career            26

  • Famed 'credit zombie' resurrected, with lessons for anyone with an SSN

    Bob Miller / for msnbc.com

    Judy Rivers of Cullman, Ala. sits in the RV that has been her temporary home for the past two years since the credit system decided she was dead in 2010.

    Judy Rivers isn't dead after all. And, as anyone who's had a maddening run-in with the nation's credit system would agree, her "resurrection" is miraculous.

    Some loyal Red Tape readers might recall an August 2010 story we published on Rivers titled, "Hey banks: This woman is alive."  At the time, Rivers had fallen -- or was pushed -- into a credit system black hole. She was declared dead by someone, rendering her invisible to the nation's lenders and other entities that rely on Social Security numbers for verification. She couldn't open a bank account, write a check, use a credit card, get a loan or an apartment. In many cases, she couldn't even apply for a job. 

    She was, by 21st century standards, dead. Or, in perhaps a more-apt description, she had become a credit zombie.

    Rivers, who lives in Alabama outside Birmingham, became a mini-celebrity after we published her digital nightmare. “This woman is alive” was one of our most popular stories, and publications the world over retold Rivers’ tale. Even Reader's Digest covered the story.

    Her odyssey began in late 2010, when a bank told her its systems said she was dead – and had been for two years.


    “This Social Security Number has been discontinued; the holder of this number was reported dead on August 3, 2008," read a notice she was shown by a bank official. A check of her consumer report obtained from Chex Systems, which the bank had used to obtain that information, confirmed the error. It read, “number inactivated due to report of death.”  Chex Systems said it received the data directly from the Social Security Administration, but that agency told Rivers that she was alive and well, according to its data.  She had the same experience with every other creditor and credit bureau she talked to. And there she remained for years, stuck in a Catch-22 despite her herculean efforts to find and correct the error.

     

     

    As a result of her experience, Rivers became an advocate of credit zombies everywhere. She met with members of Congress and her state Legislature. She received many offers of help and even a few date proposals. (Side note: No one seems to know what happens if a "living" credit user marries a zombie.) She wrote letters and filed protests with every entity she could think of. But every time she tried to get a credit report, she got the same response: "Deactivated because of death."

    Meanwhile, her life took darker and darker turns. The 50-something woman couldn't get a job because companies couldn't verify her work history or her credit. She couldn't receive unemployment benefits -- or any government benefits -- because she was, well, dead.  One local bank, where she’d deposited money for years, agreed to cash checks for her, but otherwise she lived a pure “cash existence.” She accepted a friend's offer to let her live in a small trailer by Smith Lake, about 90 minutes north of Birmingham, while she fought her battle. 

    Along the way, she met a host of other credit zombies, who, like her, had been pushed off the grid by the erroneous declaration of the death of their Social Security numbers.  According to the Social Security Administration, about 1,000 people each month are accidentally declared dead and their SSNs listed in the agency’s Death Master File. By some estimates, that means there are nearly half a million credit zombies walking around the U.S. right now.

    "I feel very blessed," Rivers said. "My problems are minimal compared to the horror stories I have listened to."

    After Rivers' story was published, other zombies sought her out for advice. One woman, from nearby Winston City, Ala., was wheelchair-bound and had stopped receiving her disability checks seven months earlier. She was unable to purchase medicine, and her family had no idea what to do. So Rivers accompanied her to the nearest Social Security office, which discovered the woman had been placed on the Death Master File a year earlier. Rivers eventually helped get her benefits restored. 

    "She had been going without for seven months," Rivers said.

    Accidental death isn't just for the elderly, however. Rivers also heard from an 18-year-old who had saved thousands of dollars in a bank account for college, and discovered when he tried to withdraw the funds for tuition that it had been frozen because he had been declared dead.  The student had to miss a semester while fixing the problem.

    (Out of privacy concerns, Rivers said she couldn't share the identity of the other victims.)

    All the while, Rivers kept lobbying for changes that would help victims, speaking with all nine members of Alabama's congressional delegation at some point. She has started work on a book describing the nightmare. She's working on a potential class-action lawsuit against various entities that have denied her and others credit.  

    "I don't mind being the poster child for this," she said. "When I speak to people, I am very direct. I just ask them what they are doing to fix this."

    But in all that time -- nearly two years -- no one was able to resuscitate her credit, and her digital life. She's sure of this because, under a lawyer's instructions, she has religiously applied for credit at least twice a month since August 2010. She had to steel herself against constant rejection.

    "I've been turned down about 40 times," she said.

    But two weeks ago, the unthinkable happened.

    "I was at a Belk store, and the clerk said, 'Do you want to fill out a credit card application?' I told her it wouldn't do any good. But she gave me a funny look, and said, ‘Why don't you try anyway?’ It would get me 15 percent off my purchase. So I filled it out. I figured it would be this month's test," Rivers said. "Three minutes later it came back approved and I was in shock.  The clerk looked at me with an expression that said, 'You just made all that up.' She was a little disappointed when I didn't use the card to make the purchase."

    Dizzy with excitement, but also worried about false hope, Rivers marched across the street to a T.J. Maxx and applied for a second card.  Within minutes, she was approved for that one, too. 

    “GUESS WHAT? I AM FINALLY LIVING," Rivers wrote in an exuberant email to msnbc.com a few hours later.

    Rivers still has no idea how she ended up dead, though it almost certainly has something to do with the Social Security Death Master File.  In part because of her prompting, criticism of the DMF has ramped up in the past two years, and change seems to be in the air. Last fall, Rep. Sam Johnson, R-Texas, introduced the Keeping IDs Safe Act, which would change the way death reporting works. And in February a subcommittee of the House Ways and Means Committee held hearings on death record reporting, at which the Social Security Administration's Office of Inspector General offered critical testimony.  

    One often overlooked element of the problem: Even after the Social Security Administration fixes death reporting errors, victims' SSNs often are still available through third-party websites, leaving zombies open to a second nightmare: identity theft. "In some cases, these individuals’ (personal information) was still available for free viewing on the Internet—on ancestry sites like genealogy.com and familysearch.org—at the time of our report," the inspector general said.

    Social Security receives about 2.5 million death reports each year from multiple sources, including funeral homes, government agencies and family members. The inspector general, which says typographical errors are responsible for  the bulk of the credit zombie problem, says there’s a simple solution:  forcing Social Security to only accept reports from accredited entities using an electronic system.

    "In February 2009, we found that about 98 percent of erroneous death entries on the DMF were death reports from non-state sources," it said. But even electronic reports from states wouldn’t eliminate the problem. "Even if all states were to submit death reports via (electronic death registration), there could still be some erroneous death entries on the (Death Master File).”

    With all that Rivers has been through, she's not willing to believe her "death" is over.  She's still waiting for proof that she has a valid credit report – it is in the mail, she hopes. But most important, she's still unemployed. Her biggest problem remains the job application process, which almost always includes a credit check. Even when her SSN is restored, her credit report will be mysteriously empty for several years, and she fears that will still hurt her chances of landing a job.

    So while Congress wrestles with solutions, Rivers intends to keep applying pressure for change, and keep working to promote awareness of the problem.

    "If you own a Social Security card, this can happen to you," she said. 

    RED TAPE WRESTLING TIPS: What to do if you're a credit zombie
    If it does happen to you, there's one absurd question you must answer: How do you prove you're alive? Proving you're dead is relatively easy -- a death certificate will do the trick.  But proving you're alive? That will probably require an in-person visit to the Social Security office with a valid ID, such as a driver's license.  Copies of recent utilities bills, paystubs or other credit-related activity could help make the case, too. 

    Have the clerk request a correction to the Death Master File, and don't leave the office without some kind of written record about the fix.  You'll probably need to send copies of that record to your bank, other creditors and the nation's credit bureaus.

    The Identity Theft Resource Center recommends an additional step: finding the underlying death certificate and filing to have it amended. The certificate should be available from the county clerk or recorder’s office where it was initially filed, and should include the name of the informant who reported the death. Contact that informant, the agency says, and have that person sign a State Vital Record Amendment Affidavit Form. Bring that form to the Social Security office, the Identity Theft Resource Center recommends.

    Additional tips and a “Death Reported in Error” form letter are available from the Identity Theft Resource Center’s website.


  • 'First Amendment rights can be terminated': When cops, cameras don't mix

    Video from March 2012 shows Chicago police taking members of the media into custody.

    The video is chilling, but it's also a sign of the times.

    "Your First Amendment rights can be terminated," yells the Chicago police officer, caught on video right before arresting two journalists outside a Chicago hospital.  One, an NBC News photographer, was led away in handcuffs essentially for taking pictures in a public place.  He was released only minutes later, but the damage was done. Chicago cops suffered an embarrassing "caught on tape" moment, and civil rights experts who say cops are unfairly cracking down on citizens with cameras had their iconic moment.

    Tales of reporters, protestors and citizen journalists being threatened or arrested for filming law enforcement officials during disputes are on the rise, critics say, with Occupy Wall Street protests a lightning rod for these incidents. The National Press Photographers Association claims it has documented 70 such arrests since September and, in May, called on U.S. Attorney General Eric Holder to focus attention on the issue.


    "The First Amendment has come under assault on the streets of America," the photography association said in a letter to Holder that was also signed by several other interest groups. "Police have arrested dozens of journalists and activists simply for attempting to document political protests in public spaces.”

    Such allegations are ironic, given the sharp rise in police surveillance technology, which gives cops vast capabilities to film citizens, said Catherine Crump, an American Civil Liberties Union attorney.

    "It is true that Americans are photographed more and more today as they walk around in public spaces," Crump said. "And it is ironic that law enforcement agencies are objecting when the same activity is being used to film their activities. But it's not surprising because there's often a double-standard in this space."

    There's always been a tense relationship between cops and cameras, but that relationship is being pushed to the brink now that half of U.S. adults carry smartphones, nearly all of them capable of filming and sharing visuals instantly with the whole world via the Internet.  Cops at Occupy Wall Street protests -- such as those at Zuccotti Park in New York City -- routinely deal with dozens of amateur photographers shoving cameras in their faces, many of them aggressive.  It's not hard to see how the cameras can escalate an already tense situation.

    But First Amendment law is clear: Citizens in public spaces have a right to film things they see in plain sight. Courts have repeatedly upheld that right in high-profile cases.

    Court rulings sometimes have no bearing during intense situations, however.

    "It wouldn't really matter with some police officers if you had an original copy of Bill of Rights with you," said Mickey Osterreicher, a lawyer for the press photographers association. He said he deals with new cases nearly every day involving photographers who he believes have been wrongly arrested.

    "The sign on my desk that reads, 'Bang head here,' is getting worn out," he said.

    In April, Connecticut's State Senate passed a law that clearly defined citizens' right to film, but the state's lower house failed to act on the measure. The proposal was introduced by Sen. Majority Leader Martin M. Looney, D-New Haven, after a series of incidents involving cops in that state's capital city. In one, a police officer is caught on camera saying “You don’t take pictures of us,” before making an arrest. In another incident, 26-year-old Luis Luna was arrested for filming an arrest, and video files on his iPhone were deleted.

    "In the past several years, police officers have wrongly arrested members of public for using video cameras or cell phone cameras," said Adam Joseph, a spokesman for Looney.  "In the opinion of a number of senators, there were far too many instances, and that demonstrated the right to videotape needed to be codified and is unfortunately necessary." 

    The proliferation of devices that can film and share has made this conflict almost inevitable, but there are other causes, too.

    “So many mainstream journalists have been laid off and are freelancing,” said Osterreicher, the press association lawyer. ”Then you have people who consider themselves citizen journalists. They have ‘pro-sumer’ devices capable of taking video and still images with the same quality as pro equipment, and can share them with the world, without mainstream media. That’s something we've never seen, until recently.”

    'Threatening act'
    As a result, civil liberties lawyers have beaten a path to courthouses around the country, said Crump.

    "We do hear about these more frequently now because everyone walks around with cell phone cameras,” she said. “Law enforcement officers sometimes react badly to this, and view it as a threatening act.”

    The most celebrated case involves Simon Glik, who in 2007 filmed police arresting a homeless man near Boston Common. Glik was arrested and charged with violating the state's wiretapping law.  His case was dismissed, but he then brought a federal civil rights lawsuit against the city. In August 2011, the U.S. Court of Appeals for the First Circuit ruled unanimously in his favor.

    "That decision is 24 pages of pure gold," Osterreicher said.  "The judges talked about the right to record in public. They said the First Amendment right is self-evident. They took judicial notice of the fact that news is as likely to come from someone with a cellphone as anyone. And they talked about the fact that police officers … should expect to be recorded when out in public."

    In March of this year, Boston paid Glik $170,000 to settle the suit.

    "It's really not up to police officers to decide what is and isn't newsworthy," Osterreicher said. "It's a shame Boston had to learn an expensive lesson."

    Other rulings have offered a similarly strong endorsement of the right to film, Crump said.

    "The First Amendment is strongly protective of right to video and record in public spaces. There’s obviously a good reason for that. Sunlight is the best disinfectant," she said.  She said court rulings have been so consistent, she’s not worried about any weakening of the First Amendment –  but she is worried about the more practical side of the problem.  Glik's settlement -- most of which paid for his legal fees -- took five years to arrive.  In most real-life situations, police officers have wide discretion, and few observers have the time, money or wherewithal to see a First Amendment case through to completion.

    Osterreicher, both a former journalist and a reserve police officer, prefers far more practical methods.  He travels the country training police officers in First Amendment law. Invited by Chicago police brass, he offered such training in advance of recent NATO meetings in Chicago, which attracted sizable protests.  He thinks it worked: To his knowledge, only one photographer was arrested during those protests. 

    He also offers tips to would-be cop videographers.

    "The First Amendment is not absolute," he said. "It is subject to reasonable time, place and manner restrictions. But the key word is ‘reasonable.’ Is it reasonable when covering a protest to ask someone to stand back or get on a sidewalk? Absolutely. Is it reasonable to expect the press to go away when there is an order to disperse? No."

    One rule that is fairly absolute, he said: While there are situations when police can seize cameras and cellphones, they have no right to destroy data, such as pictures or videos, without consent from the owner.  In fact, doing so could be considered destruction of evidence.

    The ACLU hosts an information page designed to help amateur photographers understand their rights on its website.  But Crump offered a thumbnail sketch of the law that draws an important distinction between public and private property.

    "Generally, when you are in a public space where you have the right to be, you have right to photograph anything in plain view, and that includes police who are executing their duties,” she said. “But if you are on private property, the property owner gets to set the rules.”

    But Osterreicher said any advice photographers receive should come with a warning:  "It's complicated."

    "I can't give you an answer that covers all situations. You’re going to have to make an assessment,” he said. “Is this officer nonchalantly asking you to move? Or is he getting real cranky? A lot of situations can be defused with conversation. … You want it to end well.”


  • Was Flame virus written by cyberwarriors or gamers?

    AFP - Getty Images

    This undated screen grab released by the Kaspersky Lab site shows code from the computer virus known as Flame.

    Why would super-secret spy software be written in a video game language?  As security researchers continue to unpack the digital mystery that is the Flame virus, that's just one question looming over perhaps the world's most intriguing digital whodunit.

    With all the talk about Flame being the most powerful, ingenious and stealthy computer virus ever written, some properties of the mysterious malicious software are causing confusion.


    For one thing, the program takes up 20 megabytes of space on infected machines. That's not stealthy; malware built to stay hidden is usually kept small, and bulk can indicate sloppy programming. Also, unlike Stuxnet, Flame didn't come with precision targeting, and hasn't yet been credited with doing anything as impressive as sabotaging the centrifuge controllers at Iran's uranium-enrichment plant. But perhaps most mysterious of all: Part of Flame’s code was written in the Lua programming language, a small scripting language best known for its use in video games.  Why would a nation-state trying to commit secret espionage toy with video game software?

    "This is not a stealth operation," said Marcus Carey, who worked as a security analyst at the National Security Agency for eight years before joining the security firm Rapid7 in Boston.

    News of the Flame virus hit Monday, as multiple computer security firms claimed the program represented a huge escalation in cyberwarfare. Moscow-based Kaspersky Lab, among the first to analyze the virus, called it the most powerful malicious program ever.

    “The complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date,” it said.

    Flame reportedly comes loaded with lots of capabilities, such as remotely turning on victims' PC microphones, but it's hardly the first virus to accomplish that.  And unlike Stuxnet, it's not yet clear that Flame used a series of so-called 0-day exploits -- attacks on software vulnerabilities still unknown to the vendor and the security industry, for which no patch exists.  While initial reports immediately linked Stuxnet to Flame, primarily because they both seem to target Iran, skepticism is beginning to build that the two are directly linked.

    That's partly because the two programs were written in very different ways. Flame’s authors used Lua, something that confuses observers.

    "Lua in a spy tool is just ... weird," said one Israeli programmer who uses Lua and requested anonymity. "The little snippet I've seen of the code seems so ... ordinary ... really like the work of your average programmer.  Stuxnet sounded genius.”

    Said another: "Lua is considered a kids language.... All I see around that is built with Lua are games. I mean, the syntax is very simple."

    Not exactly the stuff of high-tech international espionage. Or is it?

    Lua has been around since 1993, when it was developed at the Pontifical Catholic University of Rio de Janeiro in Brazil. It was created out of necessity; at the time, trade barriers made importing software development tools too expensive.  Development of Lua as a programming language remains centered in Brazil, where a small group of programmers make infrequent updates to the language.  But it's become a favorite platform for a few thousand devotees around the world, who are attracted to its simplicity, its ability to play well with other software and its tiny footprint, which makes it ideal for use on embedded devices or games, where memory and space are at a premium.

    Unlike other programming languages that grow in size out of necessity over time, Lua has actually shrunk in recent years, as developers have revised and refined its architecture.

    Its name – Portuguese for “moon” – hints at Lua’s use as a subordinate language to attach satellite projects to larger pieces of software.

    At the Lua-L discussion list, Flame talk was all the rage on Monday, as its users’ small corner of the technology world was suddenly thrust into the limelight. One even called the virus "in some morbid way...an endorsement for Lua."

    "I'm a bit perplexed about the alleged high sophistication of that malware, when I see unobfuscated Lua with self-descriptive names," added a poster identified as Enrico Colombini.

    But longtime Lua programmer Erik Hougaard, based in Denmark, said such opinions show a fundamental misunderstanding of Lua's simple elegance as a programming tool.

    "It's a well-kept secret, but it's everywhere. It's hard to pick up an Xbox game without it," said Hougaard, who now uses Lua to program robots but has also used it to create from-scratch accounting software and other financial tools at EFoqus Danmark A/S.  "It's not sexy, but it's unique. It's so small you can fit it onto a single chip."

    That's essential, because Lua bundles its interpreter and the language itself in one tidy package, meaning programs written in Lua will run reliably on machines as diverse as PCs and iPhones.

    "Lua is quite common in the mobile application space. If someone has Angry Birds installed on their iPhone, they are using Lua," said Carey, the security analyst. In fact, thousands of iPhone apps are written with Lua, he said.

    Hackers have taken notice. While security firms have said they can't think of another computer virus before Flame that used Lua, it is a fundamental part of a favorite hacker tool called "NMAP." NMAP is used to scan the Internet for computers with potentially exploitable vulnerabilities; it's the first tool used by hackers looking for trouble, and by security professionals looking to plug holes. NMAP includes a scripting engine that runs scripts written in Lua, so users can adjust the tool as needed.

    "People have been using Lua to hack networks for a while, so this shouldn't surprise anyone," Carey said.  "Attackers are just using what works."

    Lua first came to hackers' attention about two or three years ago, roughly when some analysts believe Flame was written, Carey said.

    As with most information about Flame, Lua's appearance in the virus can be interpreted in two ways:

    • Flame's writers may have been ahead of their time, using a unique programming language to create their cybermonster, and further confuse computer security professionals.
    • Or, Flame's writers may have been video gamers and relative amateurs who didn't bother to do much to cover their tracks.

    Symantec Corp. believes the use of Lua supports the former theory. It's one of many security firms calling Flame one of the most powerful and complex viruses ever written.

    "Lua is scriptable, easy to understand, and easy to update. That said, it's not used often," said Vikram Thakur, principal security manager at Symantec Security Response. "Anecdotally, we can't think of another threat that is written in Lua... The usage of the programming language is what makes the program, independent of the language, interesting."

    But is it the work of genius, and a sign that cyberwar has escalated to a new and dangerous level? Carey is not so sure.

    "Saying this is the work of a nation-state is premature," he said. "This is not a particularly clever piece of malware or uber-elite." And despite the fact that it apparently operated in stealth for at least two years, many experts say it is too big to have been conceived as a spy tool.

    "What's with the size?" said the anonymous Israeli Lua programmer. "It's like the trick they do in the movies of making a scene on the train/plane" to create a diversion while committing a crime.

    Colombini was even more direct in his assessment.

    "I find it difficult to believe this to be the work of an intelligence service, at least of a decent one,” he said. “Obfuscating … the Lua code would have made analysis more difficult and above all slower. In the spying business gaining time has a very high value. … No self-respecting intelligence service (would have neglected to do that)."  

    So far, most of the roughly 300 confirmed Flame infections have been in Middle Eastern countries that are natural enemies of Israel, including 189 in Iran, according to Kaspersky Lab.  

    “If it weren't for the peculiar geographical distribution, (which is) the only thing that makes one think of politically charged malware, I'd think of a sort of malware construction kit,” designed to simply collect a large series of attack tools in one place, Colombini said.   

    Given that the subject is covert cyberwar, confusion, half-truths and disinformation are the rule rather than the exception. Already, an unnamed U.S. official has told NBC News that the U.S. government is probably responsible for it, while Israeli officials have hinted that their side developed it.

    Something else concerns Carey about the way that the Flame narrative has progressed so far.  Much of what we know about Flame has come directly from Iran's Computer Emergency Response Team Coordination Center.

     "Generally, we don't believe anything Iran says. Here, we seem to be believing everything they say," he said. "But this incident reinforces a storyline for Iran playing the victim."

    Symantec, and many other security organizations, have said the sheer size of Flame is making thorough analysis of the virus a slog. Early reports on the malicious program all came with warnings that findings were preliminary.  Symantec expects to issue a follow-up later this week.

    • Judge rules text message sender not liable in distracted driving crash case

      A New Jersey judge ruled Friday that the sender of a text message cannot be held liable for an accident caused by a driver who read that message, dismissing a case that attracted national attention.

      Morris County Superior Court Judge David Rand said the sender of the text, Shannon Colonna, had no way to know when driver Kyle Best would read the text, and therefore had no responsibility for a horrific 2009 accident in which Best was found at fault. Both David and Linda Kubert, who were in a vehicle struck by Best, suffered devastating injuries in the crash, including leg amputations.


      The Kuberts' lawyer, Skippy Weinstein, advanced a novel legal theory which would have placed part of the liability for the crash on Colonna, arguing that she knew Best would be driving as she engaged him in a text message conversation. His theory rested on a claim that Colonna "aided and abetted" the responsible party, and last week, several legal experts told msnbc.com the argument might have merit, and could be convincing to a jury.

      But Rand didn't see it that way. He dismissed the case on summary judgment.

      “Were I to extend this duty to this case, in my judgment, any form of distraction could potentially serve as the basis of a liability case,” Rand said, according to the Associated Press. He noted that drivers are tempted by all manner of distractions now, such as GPS devices and smartphones, and senders can assume that recipients who happen to be driving can be expected to behave responsibly.

      "We expect more of our drivers. We expect more of the people who are given the license and privilege to operate vehicles on our highways," Rand said, according to the AP. "I find that there was no aiding, abetting here in the legal sense. I find it is unreasonable to impose a duty upon the defendant in this case under these facts."

      Weinstein said the Kuberts hope they've generated attention to the important issue of texting while driving.

      "Even though the case against Shannon Colonna has been dismissed, they are comforted by the thought that by bringing the case, it has accomplished the goal of making people think before they text, whether while driving or to someone who is driving. Perhaps it may prevent another tragic accident from occurring," he said in a statement.

      He said the Kuberts plan to appeal the decision, probably after the remaining case against Best is decided. 

      *Follow Bob Sullivan on Facebook.
      *Follow Bob Sullivan on Twitter. 

    • 'Fair and square' pricing? That'll never work, JC Penney. We like being shafted

      You might have seen recently that iconic retailer JC Penney is slumping badly. You almost certainly have seen the reason why: A massive, creative and aggressive new advertising and pricing campaign that promises simplified prices.

      No more coupons or confusing multiple markdowns. No more 600 sales a year. No more deceptive circulars full of sneaky fine print. Heck, the store even did away with the 99 cents on the end of most price tags.  Just honest, clear prices.

      Sounds like a sales pitch aimed at consumer advocates and collectors of fine print frustration, like me. As it turned out, it was a sales pitch that only a consumer advocate could love.

      Shoppers hated it.


      The campaign, which launched on Feb. 1, appears to be a disaster. Revenue dropped 20 percent for the first quarter compared to last year. Customer traffic fell 10 percent. Last year, the company made $64 million in the first quarter; this year, it lost $163 million.

      Could we have a moment of silence please for what might be the last heartbeat of honest price tags?

      Not only did Penney's plain pricing structure fail to attract fair-minded shoppers – business reporters wrote with seeming glee during the past few days that it "repelled" them.

      Don't blame Ellen DeGeneres, the spokeswoman for the Penney’s plain pricing campaign. If only executives at the firm were familiar with the work of behavioral economist Xavier Gabaix and the concept of "shrouding," all of this could have been avoided.

      Seven years ago, Gabaix and co-author David Laibson wrote a brilliant (if depressing) paper on shrouding and "information suppression" that should be required reading for all consumers and executives considering a harebrained new pricing strategy. The principle is simple, and shows why cheating is rampant in our markets and why honesty is rarely the best policy.

      First, a definition of shrouding:

      In days gone by, price tags were simple. An apple cost 10 cents.  A cup of coffee cost $1. But today, the consumer marketplace is far more complicated, giving sellers the opportunity to create confusion. Many items have follow-up costs that make the original price tag meaningless. 

      Computer printers are the classic example. You might get a great deal on a printer, but if the ink is expensive, you lose in the end. In fact, Gabaix argues that it's impossible for consumers to intelligently shop for printers. No consumer knows how much ink costs -- the cartridges don't come in standard sizes, the amount of ink used to print varies and ink costs are unpredictable. That makes the true price of a printer "shrouded," in Gabaix's terminology. Not quite hidden, but not quite clear, either.  Advantage seller. It's easy for printer companies to lowball printer price tags and overcharge for ink, enabling them to print money.

      If you think about it, shrouded price tags are everywhere. The hotel website might say "$99 a night" but you know the bill will be more like $120 or $130. Pay TV companies promise $30-a-month service, which ends up costing more like $50. And what happens when you buy a TV with a store credit card that offers an upfront discount but a complex interest charge? And so it goes.

      Consumers complain about this constantly. That's the basis of the Red Tape Chronicles, in fact. At its best, the maddening mixture of coupons, rebates, sales and fine print fees can feel like a game. At worst, it's being cheated. You'd think shoppers would love a chance to buy from a store that doesn't play these games, the way car buyers (allegedly) like shopping at no-haggle auto dealerships.

      They don’t, says Gabaix, and Penney should have known better.

      “I think it was an ill-advised move,” he said. 

      All this price manipulation is really an information war, he says. Shoppers hunt for the tricks that let them save money. Stores hide booby traps that let them take money. It's a bad system, one I've labeled "Gotcha Capitalism." But it is the system we have now.

      And it's simply impossible, Gabaix argues, to be the one company that attempts to bridge this information gap.  If a firm tries to educate consumers on tricks and traps, and tries to offer an honest product, a funny thing happens: Consumers say, "Thank you for the tips," and go back to the tricky companies, where they exploit the new knowledge to get cheaper prices, leaving the "honest" firm in the dust.

      “Once you educate consumers on the right way to shop, they will seek out the lowest cost store, and that will be the one with the shrouded prices,” he said. “Once they are savvier consumers, you make less money from them.”

      Gabaix calls this the "curse of debiasing." And it leads to this depressing conclusion: "Shrouding is the more profitable strategy."

      To oversimplify for a moment, here's Penney's problem. They told the world that retailers only offer their best prices during crazy sales, and Penney stores would no longer host them. Sensible consumers apparently took that information to heart and decided to simply wait for such sales at other stores. As an added benefit, Penney lowered consumers' search costs, because they now knew they didn't need to bother driving to a Penney’s store anymore.

      That's probably not what new Penney CEO Ron Johnson had in mind when he decided to spend his marketing budget on those witty DeGeneres ads. A former Apple Inc. executive who took the Penney’s job in November, he thought he was lifting the store out of the brutal commodity clothing market. He may ultimately succeed at that. But he won't do it by telling customers the firm's pricing is fairer than at other stores, Gabaix believes.

      "It will be a very, very uphill battle," Gabaix said. "So, sorry for them."

      There have been a few other celebrated efforts by companies to educate consumers that their higher prices are really lower prices after hidden fees. During the last decade, Intercontinental Hotels experimented with up-front pricing that included all fees on its website. Executives at the firm told the New York Times that customers left in droves, choosing competitors with lowball prices. 

      More recently, Southwest Airlines has undertaken the most aggressive anti-shrouding campaign to date, picking on other airlines' baggage fees. The profitable carrier is holding its own with its "Bags Fly Free" campaign, but there are indications that the firm won't be able to resist all that free money forever. In what may be a sign of things to come, Southwest elected to leave AirTran's baggage fee structure in place after it acquired the competitor last year. 

      Shrouding isn't the only reason Penney's pricing plan is flawed. The firm is also leaving a lot of money on the table by rejecting a phenomenon known as "price discrimination." Some people have more money than time, and some have more time than money.  Some shoppers don't mind spending hours to save $20; others would gladly give a store $20 to escape quickly. Smart retailers get money from both. By killing couponing, Penney has eliminated its ability to satisfy price discriminators.

      And as others have pointed out, markdowns serve the age-old retailing trick of "anchoring." For some reason, even very smart consumers feel better paying $60 for something if you initially tell them it costs $100, and then reduce the price.

      But the real problem is Penney's ill-fated attempt to cast itself as the only fair poker player in a game of cheats. Shoppers just aren't buying it. However unsophisticated consumers are, very few of them believe a pair of shoes bought at Penney's everyday low price will be cheaper than a pair of shoes bought at Macy's on clearance with a 25 percent off coupon.

      Like it or not, hidden fees – and secret discounts – are here to stay.


    • Could you be sued for texting with a driver? Experts say, 'maybe'

      Could you be blamed for a car crash because you sent a text message? 

      A New Jersey judge will decide later this week if the sender of a text message might be partially liable for a horrific auto accident that occurred because the driver was reading that message on his cell phone and drifted into oncoming traffic.

      With nearly half a million U.S. drivers injured in distracted driving-related accidents every year, according to the National Highway Traffic Safety Administration, the judge’s decision could have wide-ranging impact in both the legal and digital realms.

      While it might seem absurd to blame someone who isn't even in the car -- or anywhere near it -- for causing an accident, some legal experts say the plaintiff is on firmer ground than you might think.


      Skippy Weinstein, a Morristown-based lawyer, is using similar logic to press the case he filed on behalf of David and Linda Kubert. Both Kuberts lost their legs during a 2009 crash in Mine Hill, N.J., after 19-year-old Kyle Best sideswiped their car when driving while texting. Weinstein said Shannon Colonna, who was texting with Best, should also be held responsible for the Kuberts' injuries.

      "She was not physically in the vehicle but she was electronically present," Weinstein told msnbc.com. "She and he were assisting each other in a violation of the law."

      That word "assisting" is at the crux of Weinstein's novel legal argument. 

      Most readers will be familiar with the notion of "aiding and abetting" a criminal act and the guilt it brings: the man who knowingly holds the door for the gang is just as likely to be convicted of bank robbery as the safe cracker.

      More recently, this notion of aiding and abetting has been extended to civil liability cases, too, creating a basis for what's sometimes called "secondary" or "vicarious" liability. For the past two decades, most civil aiding and abetting cases have been limited to investment and securities fraud: An aggrieved investor might not only sue Bernie Madoff for stealing his money, for example, but also go after a third-party broker who repeatedly executed trades for Madoff. Even if the trader wasn't profiting from the scheme or part of a "joint enterprise," a court might find the trader provided assistance to Madoff, and should have known that someone was likely to be injured by his actions.

      The aiding and abetting argument in injuries that give rise to lawsuits, known as "torts," is only beginning to find its way into other kinds of civil cases.

      There's a simple three-pronged test to prove someone is partly to blame for causing an injury by aiding and abetting someone else. It is set out in the Restatement of Torts published by the American Law Institute, which guides most civil courtrooms:

      1) The party the defendant assists must do a wrongful act;

      2) The defendant must be generally aware of his or her role in the illegal or "tortious" act;

      3) The defendant must "substantially assist" in the principal violation.

      Weinstein thinks his argument is easy to make. The driver violated the law by texting while driving. Colonna, the text sender, should have known that Best was driving home from work and had to know texting while driving was a violation, he said. Therefore, it's hard to argue that a text sender isn't substantially assisting in the creation of a text message conversation that violates New Jersey's driving laws.

      "That very comfortably satisfies the third prong of the legal test," he said.

      Colonna’s lawyer, Joseph McGlone, doesn't think the argument has any merit, and has asked Morris County Superior Court Judge David Rand to dismiss the case. Rand is scheduled to rule this week on McGlone’s motion to dismiss the case.

      The sender of a text message has no way to control or predict when the recipient will read it, McGlone argues.

      "The sender of the text has the right to assume the recipient will read it at a safe time," McGlone told the local Daily Record newspaper. "It's not fair. It's not reasonable. Shannon Colonna has no way to control when Kyle Best is going to read that message."

      He added that there is no precedent for heaping liability on a person on the other side of a text message conversation that causes injury.

      Of course, there's no precedent for a lot of legal areas in the Digital Age. In situations like this, judges usually turn to analogies. In driving injury cases, the judge has a bushel full to choose from.

      For starters, it's hard to tag liability on anyone who isn't holding the steering wheel of the car while an accident occurs. Lawyers around the nation have repeatedly tried and failed to make passengers partly responsible for accidents caused by drunken drivers when passengers knowingly get into a car with an intoxicated driver.

      There are exceptions, however. A South Carolina court has said a passenger could be judged a "proximate cause" of an injury if the driver and passenger were in some kind of "joint enterprise," such as the passenger steering the car while the driver presses the gas pedal.

      Passengers who have directly encouraged drivers to break the law -- by urging them to speed excessively or to drive in the oncoming lane as part of a game, for example -- have also been found liable, Weinstein says.

      But to find a passenger liable, the South Carolina court said, "The passenger must have an equal right to control the direction and management of the vehicle." It seems hard to argue that a text message sender has equal ability to control the vehicle as the driver does.

      But there are plenty of other situations where someone other than the driver has to pay after an injury accident, an extension of liability called "imputed negligence." The most common is when the driver is "an agent" of someone else -- when a pizza delivery man driving for work causes an accident, his employer is liable. Parents are often liable for accidents their children cause if the kids are directly under their care.

      There's also a concept called "negligent entrustment": if you knowingly let an unlicensed driver take your auto out for a spin, you will probably be liable for an accident he or she causes.

      Neither of those cases fits this situation well, however. So Weinstein has settled on a simpler analogy.

      "If she was in the vehicle and put her hands over his eyes so he couldn't see, she would be liable," he said. "(Texting with him) is as if she put her hands over his eyes."

      Is texting the digital equivalent of willfully rendering someone blind? To even make that argument, and to press on with the aiding and abetting claim, Weinstein has to persuade the judge that Colonna knew that Best was texting while driving. Colonna's lawyers are contesting that point, but Weinstein says the pattern of texts between boyfriend and girlfriend makes clear that she must have known he was on his way home from work.

      But even if he fails on that argument, it's easy to imagine other lawsuits where evidence of knowledge by the sender could be hard to deny. A driver might directly text, "Hey, I'm driving home," for example.

      That would make a big difference in a case like this, said Robert Mitchell, a Utah-based lawyer and author of a recent article on aiding and abetting claims.

      "If there is conclusive evidence that the person sending the text messages to the driver knew the driver was texting while driving, we see no reason why a claim for aiding and abetting the driver’s negligent or reckless conduct could not be made. The case is probably weaker if there is no evidence of actual knowledge, but only evidence of ‘constructive knowledge,’" said Mitchell, referring to a concept that the sender "should have known" the recipient was driving. "Courts disagree over whether constructive knowledge is sufficient to give rise to aiding and abetting liability."

      Courts have found that the contribution by this third party in aiding and abetting cases can't be slight – it must be “significant.” For example, giving directions to the bank robber probably wouldn’t be substantial enough to get you prosecuted, but telling him what time security guard shifts change could be. And, as with most civil liability cases, the harm caused by the action doesn't have to be intentional.

      Mitchell said this is the critical phrase in the American Law Institute's guidelines.

      "If the encouragement or assistance is a substantial factor in causing the resulting tort, the one giving it is himself a tortfeasor and is responsible for the consequences of the other's act. This is true both when the act done is (intentional) and when it is merely (negligent)," Mitchell wrote in his review, quoting the guidelines with added parentheses. In fact, liability exists even if the third party has no idea he or she is doing something illegal or negligent.

      So in Mitchell's view, it's relatively easy to argue that the texter "substantially assisted" the driver in causing the accident.

      "The third prong, substantial assistance, would be an easier hurdle to clear (than knowledge) since sending somebody a text message while driving distracts the driver and that distraction may ultimately cause the accident," he said.  "Of course defenses may include superseding or intervening causes to the underlying tort (the first prong), like bad weather, poor road conditions or visibility, avoiding someone or something on the road."

      Not all experts agree, however. Maryland-based lawyer Bradley Shear, an expert in digital law, openly fretted about how far liability might extend if Weinstein is successful in his novel legal argument.

      "What if someone is hopping on a boat, and they look down at a text, slip and drown? What if a doctor gets a text before a surgery that upsets him and he makes a mistake? Is the sender responsible?" he said. "If you start going down that route where are you going to draw the line?"

      Mark Rasch, former head of the Justice Department's Computer Crimes Unit, said he thinks the case will boil down simply into this question: Can anyone really prove that the sender of the text, Colonna, knew that Best would read it while driving? Absent such proof, there is no case, he says.

      But he was concerned with the larger issue of extending liability through digital means.

      "The real question here is, do we as a society want to impose a duty on the non-driving texter for accidents that happen when a recipient is driving?" he said. "For now, it seems a reasonable place to draw the line at this: The person driving has a duty not to text. And the person on the other end of the line has no duty unless there are special circumstances."

      One special circumstance he envisioned: A boss or other person in a position of power who received a message from an employee saying, “I can’t text, I’m driving,” but continued to send demanding texts with an implied threat if they weren’t answered quickly.

      “The person in the position of authority might have liability then,” said Rasch, now a cybersecurity consultant with Virginia-based CSC Inc.

      Complicating matters, juries can apportion liability, and theoretically could find a driver 90 percent responsible and the sender of a text 10 percent responsible. Damages can be similarly apportioned, although the realities of collections mean the party with the deepest pockets usually pays the most in damages.

      It's also possible that Congress or state legislatures might create a chain of liability, as states have done with dram shop laws, which make bars liable for injuries and damages caused by patrons who are served after they're drunk.

      For his part, Weinstein demurs when asked if he's trying to set an important legal precedent or make law. He's just trying to win a case for his client, he said.

      "The defense ... wants to make this into a cause celebre, but this is not complicated," he said. "A jury may find I'm wrong and throw me out on my duff. ... All I'm saying is don't (text) while driving, and don't assist someone else in texting while driving."


    • Social media and privacy: A panel discussion

      On the heels of Facebook's IPO, msnbc.com's Bob Sullivan joins consumer advocate Jeff Fox and social media commentator Steve Rubel for a Web chat about the state of privacy in a social media-obsessed world.

      Welcome to the hangout on social media and privacy, powered by Google+, conducted on May 18. 

      Our panelists are: Bob Sullivan, author of msnbc.com's Red Tape Chronicles; Jeff Fox of Consumers Union; and Steve Rubel of the public relations firm Edelman. You can read a bit more about them below:

      Questions were submitted at msnbc.com's Google Hangout or by tweeting using the hashtag #talkprivacy.