Saturday, April 7, 2007

Limiting H1Bs: Bad News for US Workers

This year, only about half of the foreign engineers and other temporary workers that US businesses need will be allowed to come here.

Some would have us believe this is good news for American workers. Not true.

When a foreign worker comes to the US under an H1B, most of their paycheck stays here - in the form of mortgage payments, rent, car payments, supermarket and utility bills, taxes, school fees, entertainment, air travel home, and all of the other stuff people in this country spend their paychecks on. Every cent spent here is good news for someone working in those industries.

When that worker isn't allowed to come to the US, none of their paycheck gets spent here: it gets spent (via outsourcing contracts) at supermarkets and gas stations and schools in China, India, Russia, Singapore, Malaysia, or the Philippines.

Limiting H1Bs means more money sent overseas, and less spent here - which impacts everyone - from waitresses to landlords to teachers to the folks who work the ticket booth at the local cinema to the guys working the pit in the local car repair shop.

During the early years of this decade, Singapore's economy was in a slump. The government there pays its members well, and as a result has one of the world's smartest groups of policy makers. They studied the various options and decided the best way to fix their economy was not to overly protect local talent but instead to recruit as many smart people as they could, from the four corners of the Earth.

Entrepreneurs, scientists, entertainers, researchers - even assembly-line workers - answered the call, breathing new life into Singapore's high-value-add industries: software manufacturing, pharmaceutical research, private banking and wealth-management, and even aerospace.

At the time the policy was announced, there was a certain amount of unhappiness expressed by locals, but within two years of the enactment of this policy, the positive effects of the influx of talent started to become apparent and unemployment actually dropped. Money started flowing into the economy from the new immigrants and banking customers, the value of property started to rise, the value of exports started to increase, and the economy boomed.

Remind you of anything? Perhaps America in the golden century 1850-1950?

Singapore continues to offer a home to the kind of talent refused entry to the US, and continues to build their economy and talent pool as a result. According to the latest published figures on singstat.gov.sg, in 2006, more than 27% of the people employed in this country of fewer than five million people were legal foreign workers.

By contrast, according to the US Bureau of Labor, the US employed just over half the number of "foreign born workers", per capita, in 2006.

The anti-immigration folks would have you believe that there are US-born software engineers and knowledge workers who are having a terrible time finding work in the US. This is not true. The reason many companies are outsourcing as much as they are is that there is a shortage of talent available to grow new industries, not an over-abundance of it.

And the reason we're losing other jobs? Outsourcing, based on an inability to fill the jobs using in-country talent brought in from outside the US, and the consequent drain of cash away from local economies.

The argument against immigration is counter-productive: wages paid outside this country benefit no US workers. Wages paid in the US benefit everyone. The talent that we clearly need should be allowed to live here, and add their paycheck to the local economy.

Wednesday, April 4, 2007

Enabling Gramm-Leach-Bliley Act Provisions

The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (see extract below) established a benchmark for consumer privacy, and standards for financial data security, that have not yet been met.

Back in 1999, when fewer than 4% of consumers banked or traded stocks online, lack of compliance was less of a problem than it is today. However, in 2007, with the number of online banking subscribers rising to include tens of millions of households, and the number of web sites and data entry forms requesting that consumers submit personal information (such as their social security number) also rising, we are reaching a tipping point.

We need no further confirmation than the recent "pump and dump" scams involving six leading banks, and almost $30m in lost funds, and the daily rise in identity fraud attacks on consumers and businesses.

Our prediction is that, unless some significantly better technologies are enabled to protect consumer credentials and sign-up information, things may get significantly worse during the next twelve months with respect to fraud levels, both in terms of the number of "hits" and the amounts involved.

Here's the extract from GLB, and our proposed solution:

TITLE 15 > CHAPTER 94 > SUBCHAPTER I > § 6801

§ 6801. Protection of nonpublic personal information

(a) Privacy obligation policy

It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.

(b) Financial institutions safeguards

In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805 (a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards—

(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Clearly, the sponsors of the Act knew what they were talking about, and what they wanted to enable. The good news is, with the release of VirtualATM, we have technology available that can finally enable compliance with GLB. The less good news is that the technology may not qualify as an objective standard until it achieves a tipping point of its own.

There are ways to create a certified approach. We have already spent quite a bit of money on third party penetration testing of this technology and will continue to do so. Also, in the coming months we shall be focusing on ensuring that the standards that VirtualATM enables are understood by the standards bodies, and by the sponsors of the GLB Act, with the objective of enabling true end-to-end transaction security and consumer privacy.

The most important focus point here is the protection of consumer privacy and personal information. If we all stay focused on that, we will create a better environment for online financial transactions than the situation that currently exists.

Monday, April 2, 2007

Exploit, Vector, Scope

Robert's guys in the Virus Lab have had a busy weekend. The team has been working on patching a flaw currently being exploited in user32.dll - a file stored within the Windows System32 folder that is used to render animated cursors.

This flaw has been called many things by many vendors, but is currently best known as the "ANI exploit", or "animated cursor exploit".

The basic issue created by the potential exploit has been well-described by folks in the media, including several security experts, but in a nutshell, hackers have figured out a new way to run malicious code using a Windows file commonly used to render cursors, and are using the user32.dll application located within the System32 folder as their engine of choice.

From the standpoint of propagation, the threat is pretty nasty: you can catch this virus simply by peering at an infected web page, or staring at the preview pane of your pre-2007 version of Outlook. It appears to infect IE and Firefox similarly.

The exploit is so nasty that Microsoft did something out of the ordinary - they brought forward Patch Tuesday by one week and a day, in order to provide a fix. Which is kind of strange, since they've known about it since December... which is when Determina says they first made them aware of it.

Anyway, back to Robert's post. He makes the point that the media often equates an exploit with a virus - or ignores exploits until they exhibit qualities that show they are propagating. The reason is obvious: media stories are not interesting until they involve risk. And when it comes to electronic threats, risk only becomes newsworthy when three attributes are present:

1. exploit
2. propagation vector
3. scope of damage

Back in December, all Microsoft knew was that the possibility of an exploit existed. It wasn't until weeks later - last week, in fact - that the first "propagation vector" was identified in the wild, and barely three days ago that the global "scope of damage" first started to be quantified and understood.

Tomorrow, the fixes of various security companies will be firmly in place, the Microsoft patch will be available, and the ANI exploit will be history. And we will have learned nothing from the experience - except that security software company employees are expected to do in hours what most operating system developers are allowed to do in weeks.

Carradine's Pebble

I'm sitting at home, watching the Yellow Pages ad that stars David Carradine in his most memorable role - the monk-like sage that is Kung Fu.

I met Carradine once. He's a great guy. And he's more of a genuine sage than you can imagine. Here's the story.

About twenty years ago, I ended up at a New Year's Eve party hosted by a Hollywood film producer at his sprawling ranch house on La Tuna Canyon Road, just north of L.A. It was an excellent party. But I've been to many excellent parties. This particular evening remains in my memory for two reasons:

1) At precisely five minutes to midnight, approximately fifty armed men dressed in cowboy outfits left the ranch house, went outside, and shot about two hundred rounds apiece of live ammunition into the sky.

2) I got to snatch a pebble from the hand of David Carradine.

That's right. I snatched a pebble from the hand of Kung Fu. Read on.

Although I'd seen Carradine earlier in the night, walking among various, easily-recognizable Western character actors from The Unforgiven (the guy with the weird lightning-bolt scar, the guy with the especially thin face, the guy with eyes like a squinting pig), we didn't really get to talk. Our host, a leading Western film producer, was holding court, telling stories of Westerns old and new.

Good stories. Cowboys are nice guys. There were a lot of laughs.

So it wasn't until around midnight, when the house became suddenly deserted, as the cowboys rushed outside, that Carradine and I finally met up. As it happened, I didn't have a gun and he didn't seem to care much for shooting at the moon. So we ended up in the kitchen together, drinking Coronas.

In between the gunshots and reloads, it was quiet in the canyon house. We talked for a long time. Like a lot of folks currently in their forties, I grew up watching Kung Fu. It was great to have a chance to talk about it, with the star of the series. And talk we did.

The music. The picture of Carradine walking off over the sand dunes, into the sunset. The Tibetan monks. The lifting of the scorching bronze urn by the forearms - all of this lurked in the back of my mind as I chatted with David Carradine in the kitchen of my host's house - Carradine seated on a formica and chrome table, I standing in front of him with a half-drunk lime sticking out of the neck of my Corona, twenty rounds a minute popping behind me through the kitchen window, from 45's, 38's, and god-knows-what-else-caliber weapons.

Then I posed a question, which elicited a response that was so perfect, so exactly right, that to this day, it's the only part of the conversation that I can relate to you now verbatim.

The question I asked him was: "I can't be the only person that's ever asked about this Kung Fu stuff. You must get twenty people an hour coming up to you. How do you deal with it?"

Carradine smiled and reached into his pocket. In a single, refined action, he drew out a shiny, river-smoothed pebble, placed it in the middle of his upturned palm, and held it out to me.

Now, I don't know what would be running through your mind at this moment, but let me tell you what was running through mine. I've had several Coronas and a couple or more Tequilas. I'm up against the star of Kung Fu.

As a child, as "Grasshopper", Kung Fu spent eight years trying to snatch the pebble. Now, he has issued me the Challenge. If I can somehow take the pebble from his hand, I'll have a story that I can talk about forever.

Carradine moved his hand a tad closer, taunting me. I moved my hand into position. He did not reposition his. I moved my hand a little higher, placing my hand in a striking position, slightly above his. He didn't appear to notice, and he didn't move.

I looked into his eyes. There was a long pause. Then I went for it...

Now, to recap, the story of the boy who trained with the monks in the original series of Kung Fu (and who would eventually become Carradine's grown-up Kung Fu character) was based around the understanding that the boy would know when it was time for him to leave - because in taking the stone from his hand, the boy would become the master.

I pulled back my hand. There was something in it. I opened it. There, lying in my palm, was Carradine's pebble.

I looked at him, astonished. Then it dawned on me. He had just answered the question - "You must get twenty people an hour coming up to you. How do you deal with it?"

The answer is: have twenty pebbles in your pocket.

Carradine smiled as he saw the look of recognition cross my face. He lifted his hand and waved.

"It's time for you to leave", he said.

The truth sank in. The irony. It was beautiful. I smiled, and pocketed the pebble. Outside, the cowboys were still firing at the sky. Carradine and I clinked our Coronas and waited for them to come back inside.

FTC Consumer Data Collection - Part II

In searching today for the person I wanted to speak with at the FTC about the current state of their consumer ID theft reporting process, I came across the following testimony to Congress from approximately ten days ago, March 22, 2007:

The Federal Trade Commission today told the Senate Judiciary Committee Subcommittee on Terrorism, Technology, and Homeland Security that “the government and the private sector must continue to work together to reduce the opportunities for thieves to obtain consumers’ personal information and make it more difficult for thieves to misuse that information if they obtain it.”

Lydia Parnes, Director of the FTC’s Bureau of Consumer Protection, said government and the business community should evaluate whether they need to collect and maintain the data they have about consumers, better-protect the data that they do possess, and develop better ways to authenticate customers to keep identity thieves from using the information they steal.

Amen - see my earlier post re the FTC's own information-gathering process. I thought the following testimony was also relevant to Consumer Protection (and our economy):

According to the testimony, “A recent Wall Street Journal/Harris Interactive survey, for example, found that, as a result of fears about protecting their identities, 30 percent of consumers polled were limiting their online purchases, and 24 percent were cutting back on their online banking.”

FTC Complaint Form a "Keylogger's Paradise"

Those of you who follow my blog know that I'm worried about the increasing sophistication of keyloggers.

Which is why, when I went on the FTC site this morning, I was a little shocked to discover that the format of the FTC ID Theft Complaint Form presents a veritable gift to keyloggers. Here's a screen shot of the form from the FTC's site:


Can you spot the problem?

The complaint form asks people who think they may have been a victim of ID Theft to enter every scrap of personal information that could possibly have been stolen from them - their name, address, city, state, time lived at that address, date of birth, social security number, home phone, cell phone, state their driver's license is located in - even bank account and credit card account details.

Yes, you read that right. Scroll down and you'll find that the ID Theft Complaint form requests complainants to include the details of any "current accounts" that may have been compromised, along with the name and address of their bank, and account number.


The methodology at work here is not best practice. Assuming the complainant had their personal data stolen by a keylogger in the first place (and the FTC's own statistics say that 60% of ID Theft in 2006 was perpetrated by electronic means), the criminal just got a free "second shot" at collecting any personal data they may have missed - courtesy of the agency charged with preventing the crime.

Now don't get me wrong, I think the FTC is a tremendous asset. But someone over there needs to rethink this whole ID Theft Complaint process. The current approach sends the wrong message to web form designers - and criminals - and just compounds the problem it was supposed to help solve.