hello world [what’s up]

Namastē Cartomancers! It’s spring. I thought it was safe to visit the northeast US, but no, I just barely beat a nor’easter to my destination. It’s cold and for some reason when it’s cold everything takes a bit longer. That said, I have come back to finish-up this week’s issue and am looking forward to this eclipse coming on Monday. (As I was driving up the highway, the signs on the road variously reminded me to not be texting and to enjoy the eclipse. I like this vibe, department of transportation, I like it.)

Let’s get into it:

• Noodling in the Lab

  • A reflection on giants who walked among us

• News nuggets 

  • All Content Issues in Moderation - Dealing with Deepfakes & Hate

  • Pricing the Checkout Process - how much is accepting money worth?

  • Some random tidbits: PrivAccess vs “regular” browsers, RaspPi crimekits, Krebs on Mozilla/Onerep situation

a noodle from the lab [what we’re working on]

Giants Who Walked Among Us

Those of you who’ve known me for any length of time know how proud I am of my time and training as an economist. It informs how I think about things, and I’ve always thought understanding economics is critical to understanding how risk, security, and systems operate - at least when there are humans involved. Information economics, the economics of information security, and behavioral economics all have a role. So I was hugely disappointed last week to hear of the passing of not one, but two, giants for me. 

Daniel Kahneman, Nobel prize winner (2002, Economic Sciences) and author of Thinking, Fast and Slow, passed away on March 27, 2024 after a remarkable life and career studying the psychology of judgement and decision-making, leading to the shifts in how economic theory considers rationality (i.e. they can’t assume it anymore). With research partners like Amos Tversky, Vernon L. Smith, and others, Kahneman “established a cognitive basis for common human errors that arise from heuristics and biases, and developed prospect theory”. (Framing is one of my favorite popular concepts that was built-out within prospect theory)

Ross J. Anderson, a prolific and well-regarded pioneer in security engineering, academic, (Professor of Security Engineering at the Department of Computer Science and Technology, University of Cambridge) researcher, author, and industry consultant in cybersecurity passed away the next day on March 28, 2024. I first came across Dr Anderson while working in banking – his name accompanied by some sighs & fist-shaking regarding his research on chip cards, but actually met and got to know him at the Workshop for Economics in Information Security. Anderson was a trailblazer and firebrand from start to finish, and I hope we are able to continue making progress on the trajectory he set: both his technical excellence, and his understanding of the human impact of security design choices - he was a fierce advocate for users.

I’m saddened by the loss of these two radical thinkers, they cast long shadows and now that they are missing we have more work to do to catch-up to where they left off.

I did want to take a second to recognize the historical and continuing impact of WEIS, the Workshop on the Economics of Information Security, which is entering its 23rd year. This year it’s in Switzerland, but it kicked off in 2002 at UC Berkeley (Go Bears!) chaired by  Ross Anderson (University of Cambridge) and Hal Varian (Google, UC Berkeley). WEIS has fostered a whole set of amazing research that ranges from computer science and UXR all the way over to industry and ecosystem trends. 

In that vein, here are a few of my favorite papers in security economics – not all of them were presented at WEIS, but they are all awesome):

• All Systems will be Gamed: Exploitive Behavior in Economic and Social Systems (W. Brian Arthur)

• Pricing Security (L. Jean Camp, Catherine Wolfram)

• Vulnerability Markets (Rainer Bohme)

• Measuring the Cost of Cybercrime (Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, Stefan Savage)

• Defending Debit: A Historical Study of the Indirect Effects of the Durbin Amendment on Investment in Debit Card Security (Allison Miller - okay okay, I know it’s gauche to add my own paper to my faves list, but I’m actually pretty proud of this very weird contribution to security economics literature)

Thanks Dan & Ross, for everything.

training data [what’s news]

🗨️ All Content Issues in Moderation - Dealing with Deepfakes & Hate: So this is kind of where I thought the deepfake train would be coming next - deepfakes used to promote scams and disinformation. We’ve seen this in crypto already, and now we see that Women’s faces stolen for AI ads selling ED pills and praising Putin. Y’all - this is not a good situation. Because even without the inclusion of deepfake content, social/info platforms are having a hard time finding “bad” (aka dangerous, policy-violating, and/or wrong) content. And as Mike Masnick said over on Bluesky: "Content moderation at scale is impossible to do well." 

And platforms vary in both capability and appetite for content moderation, and of course on definitions of what is “bad”. Last summer, the Center for Countering Digital Hate (CCDH) published research claiming X/Twitter) fails to act on reports of hate speech (at least those posted by Twitter Blue accounts) – and in some cases actually boosted the such content. The Musk-owned company sued CCDH over the report (calling it misleading) - and recently the Judge dismissed X's lawsuit against anti-hate group. (X/Twitter plans to appeal)

🗨️ Pricing checkout: I used to joke that every couple of years we have a presidential election - and a pricing-related lawsuit for the payment networks. So while I haven’t been keeping tabs on lawsuits against the networks, it wasn’t a huge surprise to hear that Visa and Mastercard agreed to a $30 billion settlement that will lower merchant fees.

• Holding swipe fees steady/lowering them is one thing - merchants have been complaining about swipe fees since the dawn of time.

• What I thought was more interesting in this article was the pointer to regulation being considered in the House & Senate - a throwback to the unending antitrust complaints of the 90s and 00s.

• If the proposal being considered passes, the largest credit card issuers (e.g. JPMC, BofA, & Citi) would be required to work more than one credit card processor, but can’t work with both Visa and Mastercard. (And what does that mean for the CapOne/Discover merger??)

I remain a bit skeptical, because - hey, look - I’m not a monopoly apologist, but the availability of card-based payments is why e-commerce grew the way that it did, and besides powering economies, cards/digital payments kind of saved our collective bacon during Covid.

• Nobody likes transaction costs, but a complete lack of transaction costs is worse: Can the Future Really be Cashless, as Greggs & Sainsbury's Unable to Take Card Payments. Digital payments mean faster checkouts, and often, more checkouts.

• And that innovation is still continuing – what a kick to see Virtual Card Numbers, once an tiny service for us paranoids who didn’t want to put our beloved card numbers into unknown merchant websites, helping to bolster Commercial payments, a still thorny area of money movement: Evolution of Commercial Payments: Insights on Virtual Card Numbers (VCNs) with Discover® Global Network

• Takeaway: What are efficiencies and value at “checkout” worth, and what’s a fair price to pay?

🗨️ My United States of Whatever: A couple of rando tidbits of interest (whatever!)

• CSO Online reports that Your employees are using sensitive corporate devices for personal browsing.

  • A bit of an alarmist headline, the gist is that folks use corporate devices for both business and personal use (yes, we know this reality, it’s often reflected in our Acceptable Use Policies).

  • The concern raised here is specifically about browsers as an exploit vector on corporate devices.

  • TL;DR CyberArk now joins several other firms in offering an “enterprise-grade” browsers. If we’re following the technology S-curve, we know that isolated browsing for high-risk use cases (threat intel and fraud analysts digging into deep web) has been followed by cheaper options for a broader use cases - like Authentic8, Talon, and virtualized offerings from Cloudflare, ZScaler, and more. (Disclosure, I’ve done more than one RFP in this space at more than one company, and also worked on browser-related security issues at Google)

  • Takeaway: Do you have Priv Access situations happening via a browser? If so, make sure you consider the browser itself in your IAM model

• Ruh-roh: You know in the movies where the attacker sticks a laptop, chip, or listening device under a desk or in an air vent at the target location? Or the other detection trope, where a phone call or network session are automagically tracked, hop-by-hop, in real-time? Well, attackers just got a non-fiction gadget to assist in their attacks and to cover their tracks: 

  • $700 cybercrime software turns Raspberry Pi into an evasive fraud tool (or you can subscribe for $80/month - handy).

  • The Pi itself is only about $35 - and it’s tiny, portable - and at that price point, disposable, which is perfect for dropping these devices in remote locations (read, anywhere)

  • It’s sole purpose is to provide a convenient and anonymous proxy.

  • Takeaway: IP address continues to be fairly useless for tracking attackers, bad actors have a new way to obfuscate their physical location.

• Krebs: I had not heard that Mozilla had bundled in a privacy-related reputation management service (to remove a user’s name from “people search” networks) into their popular Firefox browser, but perhaps that’s a good thing. Krebs On Security reported that Mozilla Drops Onerep After CEO Admits to Running People-Search Networks. Er, perhaps a conflict of interest there? Shelest is quoted as responding that his experience with people search networks actually gave him the insights leading to Onerep having “the best tech and team in the space”. Maybe so, and now they’ll have an opportunity to convince consumers that directly, without the benefit of a Mozilla affiliation.

find more cartomancy [what’s out there]

coming soon

▶️ On April 25th, join me at improve 2024 (featuring Fraud Fight Club). I’ll be discussing SCAMS: Defining, Measuring, and Combatting at 11am with fellow fraud experts David Kerman (Chase), Mike Timoney (FRB Boston), and Ian Mitchell (The Knoble / Mission Omega). See you there!

▶️ On Friday, May 24th, I’m delighted to join the 2024 BSides Knoxville speaker lineup as their keynote. (Happy 10th Anniversary, Knoxville Bsides-ians!) The theme for this year is near and dear to my heart - detection - and it should be a fun day of detective-ing and clue-deciphering wrapped by a Hacker Jeopardy after party. It’s elementary, dear Cartomancers - come on by!

on demand

I was delighted to spend some time discussing cybersecurity career paths, leadership development, and industry trends while reconnecting with my friend and colleague Sandra Liu (if you haven't seen what she's working on over on YouTube I encourage you to check out her projects). this interview, we cover cybersecurity career and industry topics including:

• 🤝 What do hiring managers look for when hiring candidates for a job?

• 💻 What cybersecurity skills are most relevant?

• 💭 What are the biggest challenges facing organizations today?

A bit of a throwback to but it was so much fun chatting with Andy Ellis, and so much in here is true even a couple of years later.

ttyl [what’s next]

Thanks for reading to the end of this set of lab notes. I’m thrilled to have some fellow travelers mapping out where we’ve been, philosophizing about where we want to be, and building the paths to get us where we’re going.

If you’ve read to the end and you find this content helpful, I’d love feedback. My news feed is full of leads, but my personal algorithm loves learning about what interests the community, so that I can focus in on what will be most useful. Just hit reply and your comments will come whizzing into my inbox. (It’s also a good way to find me if you are interested in working with me or with Cartomancy Labs).

See you next time on the Futurecast!

Allison

@selenakyle