
Pontification Alert: Upcoming webcast appearances

I figure our lack of blogging has created a vacuum of mostly-useless security snark and babble. Who else can put so little content in so many words? But all is not lost – we continue banging away building content for the Nexus. Thanks to a few of our excellent clients, you have the opportunity to hear me ramble on about two of my favorite topics this week. If you need some excuse to get out of your root canal appointment, need to postpone that audit findings meeting, or perhaps just choose not to grovel for 2012 budget on Wednesday or Thursday afternoon, do a little clicky-clicky and join me for the following webcasts…

Log Data is Not Enough! How to Supplement Logs with Network Security Analytics: On Wednesday 12/14 @ 1 PM ET, I’ll be joined by Solera Networks as we discuss how to react faster and better to attackers. I’ll be covering a lot of the content in our Applied Network Security Analysis blog series. Register here.

Network Security – Measuring the Immeasurable: On Thursday 12/15 @ 2 PM ET, I’ll be joining RedSeal Networks to talk about security metrics and how to prioritize your security efforts based on data, as opposed to making stuff up. This event will be a more interactive discussion of some of the concepts discussed in the Fact-based Network Security paper. Register for the event here.

There will be plenty of time during both events to ask questions. So hopefully you’ll be able to dial in and virtually heckle me on Twitter during the event. Looking forward to seeing you all at both these events.


Tokenization Guidance White Paper Available

We are pleased to announce the availability of our latest white paper: Tokenization Guidance: How to Reduce PCI Compliance Costs. It discusses the dos and don’ts of replacing credit card data with tokens, to improve security while reducing PCI DSS auditing costs. Our primary goal was to help merchants understand how to employ tokenization to reduce PCI scope, as well as the costs of Payment Card Industry Data Security Standard audits. When we read the PCI supplement on tokenization guidelines we were shocked that it failed to provide concrete answers to the target audience’s most-asked question: How can I reduce audit scope? It felt like the paper was designed to lull us to sleep – it would raise topics we were interested in, but then ramble on without answers. But we are here to fix that, filling the gaps they left. This is the white paper the PCI Council should have written. The paper is the product of hundreds of hours of research and about a hundred phone calls to various merchants, payment processors, tokenization vendors, and qualified assessors. We make many controversial assertions but we stand by them – we have vetted the content through interviews and discussions with every expert we could reach. And we have subjected our analysis to open scrutiny by the payment community through our Totally Transparent Research process. We include an overview analysis for merchants and auditors, as well as a step-by-step guide which works through all the PCI DSS requirements which are directly affected when using tokens to replace primary account numbers. We are very happy that Elavon, Liaison, Prime Factors, and Protegrity have sponsored this white paper! We could not spend the hours of research required for a project like this without help from sponsors, and we are grateful for their support.
You can get a copy of the paper from our sponsors, from our Research Library, or directly: TokenGuidance-Securosis-Final2.pdf

Index of Posts
Tokenization Guidance (new series)
Tokenization Guidance: PCI Supplement Highlights
Tokenization Guidance: Merchant Advice
Tokenization Guidance: Audit Advice


Friday Summary, December 9, 2011

As Rich announced, we are shaking up the Friday Summary a bit. We will still talk about what we are up to. And we’ll share some of our personal – possibly security related – stories in the Summary. But we will focus on fewer stories with more analysis of interesting news items. Honestly, we’ll likely sneak in security news as well – it just depends on whether we see interesting stuff.

Story of the week: DNSCrypt

The big news this week is the ‘preview’ release of DNSCrypt from the OpenDNS group. As its name implies, DNSCrypt is a tool to encrypt Domain Name Service lookups to avoid eavesdropping and deter Man-in-the-Middle (MitM) attacks and tampering. Note that this is not DNSSEC, which was designed to enable users to detect tampering, and to authenticate DNS answers. DNSSEC was not designed to encrypt DNS requests, which leaves requests unprotected from monitoring by ISPs and other parties; DNSCrypt fills this gap by encrypting requests and responses. I understand from the press release that this is currently a Mac OS X only package, so Windows and Linux users will have to wait. The installer is dead simple and the configuration settings are conveniently placed into the ‘Other’ section of System Preferences. And I can tell you this is one of the few End User Licensing Agreements I have ever read because, in a very Securosis-like style, there is no lawyer BS included. Took about a minute to download and another to install, and no restarts were required. I ran OpenDNS with DNSCrypt enabled, both over SSL on port 443 and without, and did not notice any performance difference. The packets appear to be encrypted as advertised – but they could be using a ROT13 cipher for all I know, given the minute I spent looking at the stream. I have not, and probably will not, review the source code – I assume there are better qualified people with more free time on their hands (i.e., those not filling the Nexus with great new content) who will.
And I look forward to hearing what the community thinks about the implementation, as I think this will be a highly sought-after addition for those interested in security and privacy. The key takeaway here is that DNS requests should be safe from spying and MitM, provided someone cannot impersonate the DNS service. There is a small but real chance of this. For average users this is a very real advance in security and privacy! If you’re an IT manager you should check it out and see how well it performs for you. There may be issues – it is an early release product after all – but this dead-simple tool enhances security.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences
Mike’s Dark Reading post on Work and Play in Security.
Adrian’s DR post on DAM.
Rich quoted on Carrier IQ.
Don’t tell Rich, but somebody thinks he’s an ‘influencer’.

Securosis Posts
Incite 12/6/11: Stinky.
Friday Summary: Big Changes and Carrier IQ.

Favorite Outside Posts
Mike Rothman: Best Job Description Ever. This is how security folks should think about their jobs. Kudos to Quicken Loans for making their philosophy on security very clear, before applicants start the hiring process. It doesn’t hurt that their ideas are right on the money. (h/t Alex Hutton)
Adrian Lane: Ask Slashdot: To Hack or Not To Hack. How many times have I said that in the ‘landgrab’ for mobile payments, security is left on the roadside, thumb in the air? You don’t have to guess too hard who this is!

Project Quant Posts
DB Quant: Index.
NSO Quant: Index of Posts.
NSO Quant: Health Metrics–Device Health.
NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
NSO Quant: Manage Metrics–Deploy and Audit/Validate.

Research Reports and Presentations
Security Management 2.0: Time to Replace Your SIEM?
Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
Tokenization vs. Encryption: Options for Compliance.
Security Benchmarking: Going Beyond Metrics.
Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Sripathi Krishnan, in response to last week’s Friday Summary.

Rich, I have been a lurker on your blog for a long time now. I am a developer by profession, and security is a small but important part of what I do. Consequently, I do not spend much time on twitter or other ‘new media’ to stay up to date on this field. Friday Summary and the Incite give me a great perspective and insight on this field. ‘Read these two columns, and you will not miss anything significant’ has been my attitude. I would definitely miss the random list of articles. Please don’t exclude that. I know you have been complaining that people don’t leave comments. I am guilty of that. Hopefully, this comment of mine can influence you to not change the Friday summary too much. Thanks for the great work!

And thank you for the great feedback!


Incite 12/6/11: Stinky

I have a younger brother. It was just the two of us (and Mom) growing up, so I find myself ill suited to dealing with girl stuff. Thankfully the Boss is wonderful at working with the girls on how to deal with bullies/mean girls, and this physical maturation process that seems to happen to girls. One day they are all cute, young and innocent; the next day you’re shopping for bras. Thankfully the Boss handles that duty as well. I’d favor the model that is bolted onto their respective rib cages, and don’t get me started on chastity belts… But when it comes to the Boy, I’m all over that. He’s a pretty active kid. Most days he likes to head outside with his buddies in the cul-de-sac, and plays some kind of sport. For years he came back in, washed his hands and was good to go. Not so much any more. Over the summer we had a few situations where you could smell him way before he got back into the house. That’s when we realized our little boy is growing up, and after enough activity he smells like a locker room. So we had a little chat. I started with the importance of smelling good because the girls don’t like stinky boys. He blurted something out about cooties, so maybe that didn’t resonate as well as I hoped. Next I tried to explain about being considerate to the rest of his family, who shouldn’t be subjected to stink-o-rama. Yeah, that didn’t go over well either – he’s still enamored with the pull my finger game. Then I realized that most boys want to emulate their Dads. I took a quick run into my bathroom and emerged with the prize: a new stick of deodorant. He was very excited to use my deodorant and was pretty consistent about using it. In fact, the Boy was sitting next to the adult sister of one of our friends (no, this isn’t some Penn State story) and she noticed he smelled pretty OK, especially for an 8 year old. So she asked him why he smelled good, and he deadpanned, “Because I wear deodorant.” Then he went right back to his video game. 
Out of the mouths of babes. I thought he was in a good place regarding hygiene, until this past weekend. I took him over to a friend’s house to watch the football games on Sunday. He literally played football outside for about 4 hours, and by the time he got back inside he smelled like a compost pile. I was a little surprised, and asked whether he put his deodorant on. Of course, he gave me the 8-year old “oh well” shrug. I reminded him of the importance of not smelling like crap, and figured he was ready for the next step in his man training. Yup, I taught him the arm pit sniff. Now he should be able to tell, proactively, when it’s time for a deodorant refresh. But I’m not teaching him everything yet. I’ll wait a little while to introduce the underwear sniff test. That’s only for advanced students.

-Mike

Photo credits: “Warning: Politician Ahead!!!” originally uploaded by The Rocketeer

Incite 4 U

Security company does (some) good: As a skeptic it’s hard to find anything good in security, but let’s tip our hats to Barracuda. They are running a campaign to donate meals for children during the holiday season. Working with the United Nations World Food Programme to fight hunger, Barracuda will donate meals for every user that participates. How do you get involved? Follow @BarracudaLabs on Twitter, ‘Like’ them on Facebook, or just install their free Profile Protector, and they will donate a meal to the UN programme. It’s a no-cost way to donate food through the holidays! – AL

The APT who shall not be named: Kudos to Bob Bragdon for slaying the sacred cow of political correctness and making (in print) the connection between the ‘APT’ and China. We have actually been saying for a while that many of the persistent attackers out there are state-sponsored, and that state is China, all while comparing them to Voldemort. What’s funny to me is the folks who use APT to justify a logical evolution of security. Like Jon Oltsik, who jumped on the APT hype train and did a survey.
Magically enough, users told him existing tools aren’t working very well. And in terms of the future view, what end-user doing anything today wouldn’t say “Security tools need to be smart enough to detect and react to suspicious behavior, anomalous activities, and attacks in progress.” That’s ground-breaking! But here’s the newsflash: this evolution has nothing to do with APT. Simple detection has been ineffective for years. And even if we get to this so-called ‘smart’ security tool, I’ll take the Red Army every day of the week. All they have is time and money, so they will get in. Though maybe Bob B should try out this SkyNet contraption on his home network, since Voldemort is no doubt coming for a visit. – MR

Coding conundrum: IBM is using a developer scorecard to measure the productivity of its developers. That’s good. And it sucks. As pointed out by Neil McAllister on his blog, metrics typically devolve into measuring lines of code, which does more harm than good. But here’s the conundrum: all metrics suck, but you need them regardless. Any individual metric only shows a fragment of the truth, and there is no ‘best’ metric. By themselves, most development metrics I have used were misleading to some degree, so I used different collections to show trends and warning flags. I used them as a cue to dig deeper and understand why some metrics were skewing in a certain direction. Use metrics, but don’t assume what they indicate without some digging. I applaud IBM for quantifying productivity, but warn users to be careful how they use any metrics in practice. – AL

Don’t


Friday Summary: Big Changes and Carrier IQ

Back when we started the Friday Summary the world of blogs and social media was much different. RSS feeds were the primary means by which most of us sucked down our news, and we tended to communicate through cross-blog links and comments. Our goal with the Summary was to provide a good way to highlight what we have been up to every week, while also sharing some nice link love with our friends and strangers (all in an email-friendly format). We also wanted to highlight good comments and use that as an excuse to donate some cash back to the non-profit side of the community. Since then a lot has changed. People blog a lot less, and there are far fewer discussions across blogs commenting on each other’s posts. Much of this has gone over to Twitter – which is sometimes good and sometimes bad. We also brought Mike on board and restarted the Security Incite which covers at least 6 stories a week. So I think it’s time to shake up the Summary a bit and switch its format. Moving forward (as in, not this week) we will highlight the 1-3 top stories we think you need to pay attention to, why, and point out any angles we think folks are missing. After that we will continue to list what we have been up to, but you don’t need us to provide you with a random list of articles on the Internet. Some weeks we might not highlight a comment of the week, but we will still donate on a weekly basis to different charities related to the security world. We may also pick out a particularly good Nexus question instead. We hope you like the new format, and all feedback is appreciated.

The Story of the Week: Carrier IQ

The big story this week seems to be the saga of Carrier IQ – logging software installed on many phones, mostly by carriers, that enables them to log pretty much everything you do on your device. Yes, even your banking passwords. This became public thanks to the hard work of Trevor Eckhart and was quickly picked up by big media like Wired’s Threat Level.
The story quickly hit the (mostly uninformed) spin machine. The short version is that Carrier IQ is software with the potential to log pretty much everything you do on your phone, and some but not all carriers install it on your phone without telling you or giving you a way to turn it off. From a privacy standpoint this is, of course, a crappy thing to do. But all the hype does highlight some hypocrisy: Your phone carriers already log all your calls, text messages, and web URLs you visit. Google and all the ad tracking networks work hard to log everything you do on the Internet. As I made fun of this on Twitter, I got some very thoughtful responses that highlighted the big differences between this and other privacy-invading stuff:

@adamshostack: I generally agree, but CarrierIQ was surreptitious. I’m deeply privacy aware, didn’t know they were on my phone till this morning
@davienthemoose: google logs my keystrokes on my banking site? 😮

While I still consider most web tracking surreptitious, at least there’s something you can do about it. With your phone you are locked in unless you change devices and/or carriers, and even then you might still have it installed. And there is definitely a difference between a keystroke logger and a URL tracker. So I stand corrected. Thanks to Twitter.

Webcasts, Podcasts, Outside Writing, and Conferences
Adrian quoted on Oracle database patching.
Liquidmatrix Cyber Expert Interviewed (on TV). See one of our favorite Canadians, our own contributor Dave Lewis, on TV to discuss the Anonymous threats against the Toronto Government.

Securosis Posts
Incite 11/30/2011: An Introverted Thanks.
Changing Focus through the Holidays.
Fundamentals of Crowd Management.
Occupy Work.
Mobile Payments without Credit Cards.
Index of Posts: Security Management 2.0.
Incite 11/16/11: Blockage.
FireStarter: Looking the other way.

Favorite Outside Posts
Mike Rothman: Are you positive?
Jack Daniel discusses the Achilles’ heel of any detection technique: the false positive. Read it.
Adrian Lane: DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists. Hacks, fraud, money mules, and DDoS – this story has it all.
Gunnar: Best statistics question ever. See if you can find the right answer.

Research Reports and Presentations
Security Management 2.0: Time to Replace Your SIEM?
Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
Tokenization vs. Encryption: Options for Compliance.

This week we will be making a donation to Brad “theNurse” Smith.


Incite 11/30/2011: An Introverted Thanks

As with most things, I have mixed feelings about the holidays. Who doesn’t enjoy a few days off to recharge for the end-of-year rush? But the holidays also mean family, and that’s a good thing in limited doses. I’m one of the lucky few who gets along with my in-laws. They have an inexplicably high opinion of me, and who am I to say they are wrong? But by the fifth day of being surrounded by family over Thanksgiving weekend I was fit to be tied. I spent most of Saturday grumbling on the couch, snapping at anyone who would listen. And even those who didn’t. Thankfully my family ignores me, and suggested I stay back when they went to the fitness center pool. I was much better when they got back. I was able to recharge my social batteries – I just needed a little solitary confinement. Why? Because I’m an introvert – like all introverts, the longer I’m around people the harder it is for me to deal. I found this great guide to dealing with introverts from The Atlantic, and it’s right on the money. I like to say I’m anti-social but that’s really not the case. But I only enjoy people in limited doses. I remember reading, a few years back, Never Eat Alone, a guide to networking. There is a lot of great stuff in that book, which I will never do. I actually like to eat alone, so most days I do. That’s really what I’m thankful for this year. I have a situation where I can be around people enough, but not too much. For me that’s essential. But that’s not all I’m thankful for. I’m thankful for all the folks who read our stuff, who have bought my book, and who show up to hear us pontificate. When I explain what I do for a living most folks say, “really?” For the record, nobody is more surprised than me that I can write and speak every day and pay my bills. It’s really a great gig. So thank you for supporting our efforts. And I’m also thankful that the important people in my life tolerate me. Obviously Rich and Adrian are getting used to my, uh, quirks. 
They haven’t voted me off the island. Yet. My kids are growing into wonderful people despite their genetic similarity to me. They continue to amaze me (almost) daily, and usually in a good way. But most of all, I have to thank the Boss. We just celebrated our 15th year of marriage, and although there have been a number of great days in my life, the day we met is in the Top 4. She holds it all together, keeps me grounded, and lets me, well… be me. She has never lost faith, no matter how bumpy things got. I can only hope my kids are lucky enough to find someone who supports them like The Boss supports me. Yes, I need my alone time, but without my partners (in business and life) I would be nowhere. Now is the time to remember that. So think about all those folks who allow you to do your thing, and thank them. Especially a week after Thanksgiving – after they thought you forgot. Got to keep them on their toes, after all.

-Mike

Photo credits: “Thank You Trash…” originally uploaded by Daniel Slaughter

Incite 4 U

Can we call this a false positive? The major media was buzzing over the short pre-holiday week with reports of a foreign cyber-attack that took down a water pump in Springfield IL. Too bad it didn’t happen – it was an authorized contractor trying to troubleshoot stuff over a connection from Russia (where the guy was traveling on business). What perplexes me is how such a volatile piece of news could get out without corroboration or investigation. Who’s at fault here? The Illinois Statewide Terrorism and Intelligence Center, or the so-called expert who alerted the media? Probably both, but this kind of Chicken Little crap doesn’t help anything. If a water pump goes down, what is the danger? It’s not like the water supply was tampered with. At some point, a cyber-attack will happen. Let’s hope there is more and better information next time – and that it turns out to be as harmless as this incident.
– MR

No app for that: Good on Chris DiBona for calling anti-virus vendors “charlatans and scammers”. Your average mobile phone user does not know – and does not want to know – the differences between viruses and malware. But developers know the risk vector is not viruses – it’s malicious apps that users willingly install because they don’t know any better. And these bad apps behave like every other app, so it’s not like signature-based detection can help! Of course that does not prevent AV vendors from spewing FUD and selling their wares to the unsuspecting public. It’s refreshing to see a developer sound off without being muzzled by the HR and legal teams, because he is right – AV will not provide any greater protection than what your platform provider offers by yanking malicious apps from their app store. – AL

Burn the house down: Before I go any further, I do think the hack these researchers came up with attacking printers is interesting. They figured out that the firmware updates weren’t signed, and were merely sent over as part of a print job. There’s a lot of hyperbole on this one that I will ignore, but printers really are something you should be paying attention to – especially multifunction devices (MFDs). I co-authored a Gartner note about these risks back in the day – among other things they often have insecure web servers built in, keep copies of everything faxed or printed on local hard drives, etc. And a lot of you probably outsource your printer support – like the client who told me their vendor insisted on full VPN access


Changing Focus through the Holidays

Hey everyone, As you may have noticed, we are pretty focused on this Securosis Nexus thing we have been working on for a while. The system is coming along great, but it’s time for us to start hammering on its content. So through the end of this year we will be blogging on a reduced schedule. We will still hit you with the weekly Incite and Friday Summary plus our research projects, but day-to-day blogging will subside a bit (as it already has) so we can focus on writing for the Nexus. Unless, of course, something really tweaks us off and we need a good rant.


Fundamentals of Crowd Management

I have joked over the years that I’m more qualified to run security at a stadium concert than an IT shop, and it’s somewhat true. My security career started way back at the young age of 18 when I started working on the event staff at CU Boulder, and for Contemporary Services Corporation (CSC), who managed most of the Denver venues. By 21 I was running security at CU and supervising for CSC – managing or supervising sports, music, and other events ranging from under 100 people to over 100,000. Sometimes I was in charge, sometimes I just managed one area, and I was often a rover/troubleshooter. I did this multiple times a week for about 4-5 years (including working summers at Red Rocks), then dropped down to occasional contract work for bigger events after that. Including some with extreme logistical complexity, high risk profiles, or other complicating factors. (Like the time my employees called to ask why the bomb squad was walking around and Secret Service snipers were in the rafters). I was also fortunate that the people I worked with were true professionals. Crowd management is an industry filled with low-bid/minimum-wage contract firms with very poor work ethics and management. CSC are the guys who run the Super Bowl and most other ‘massive’ events, and I learned a hell of a lot from them and running my own teams. I have been watching a lot of the coverage of the Occupy movement and the police response and see a series of common, preventable mistakes being made over and over. Rather than specifically criticizing YouTube clips without context, here are some of the fundamental principles I learned over the years with comments on mistakes I see.

Deescalate. Always. – The single most important fundamental is that crowd management is all about deescalation. You’ll never outnumber the crowd… and the more tension rises, the greater the chance of physical conflict or transitioning to a riot. There are always more of them than of you.
Peer security is more effective than policing – Peer security is the principle of staffing the event with demographic peers of the attendees. Police are law enforcement officers, and so they naturally and unavoidably escalate any situation they are at, by the role they play in society and the weapons they carry. Unarmed peers of the crowd have much greater flexibility in response – they are not required to arrest or enforce all laws, they are not perceived as the same kind of threat, they do not carry weapons, and they do not have arrest authority.

Weapons are not your friend in a crowd – Crowds are messy, fluid affairs that make it impossible to maintain a safe stand-off distance. I have never met an intelligent police officer who went into a crowd without more than a little fear that someone would try to grab their OC spray, handgun, or other tools. Where I worked, peer security would go into crowds and pull people out for the police – who would almost never enter the crowd itself.

Know your crowd – You can fully predict the behavior of a crowd if you know the demographic and environmental conditions. I know how everything from the weather, to ages, to kinds of music affect a crowd… and it isn’t what you’d think. For example, serious injuries (and deaths) were far more common at Grateful Dead and Blues Travelers shows than metal bands with mosh pits.

Slow and steady wins the race – When dealing with an uncooperative but nonviolent crowd, you have to eat at it bit by bit. From dispersing a crowd to ejecting a big group, you have to handle it piece by piece and person by person – even when force is used. That goes for removing tents (yes, I have had to do that at ‘campout’ events) and clearing the aisles at a Dead show so people could move around.

The more authority you have, the less you should look like security – This was one of my favorite tricks – when I ran events I rarely wore an event staff shirt.
As the last person able to deescalate most conflicts before turning someone over to the police, the more I looked like a normal person or non-security staff the better. If they think you’re with the band/team, even better.

Defense in depth – Crowd management is like IT security – you need multiple people with different specialties, properly trained and positioned. For example, I hated going into a mosh pit without a spotter. At a large stadium show I might have 500 people working for me. We’d have rovers, ticket takers, people inside and outside, folks dedicated to ejections, supplementing medical (to help them through the crowd), and more.

When you need to use force, don’t hesitate, but don’t hit – I have no problem using force when it is needed (and we frequently had to, especially to break up fights). In a crowd your goal is to get the person out of the crowd as fast as possible. You never punch or kick… that is excessive use of force (the exception is when you are in serious danger yourself). Your goal is to solve the problem without anyone getting hurt. Deescalation, remember?

Spontaneous crowds aren’t riots – I sometimes dealt with spontaneous crowds appearing where we didn’t expect them, which weren’t tied to a normal event. Usually these were campouts, but I was also called into a few protests and such when the police wanted trusted people in the crowd but not uniformed officers. All normal crowd dynamics still apply.

Riots are for the police – Crowds need peer security. Riots need cops and all the OC spray you can get your hands on. A riot is an uncontrolled situation where mob behavior takes over and there is serious damage to life/safety and property. I was at a Guns ‘n’ Roses show we thought might turn into a riot when that ass-hat Axl


Occupy Work

I don’t get this #occupy stuff. Maybe that’s an indication that I’m old. Maybe it means I’m selfish. It could be a sign that I have a lot of competing priorities and they don’t leave me a lot of time. But most of all, it’s because I don’t get it. Really. Should we be pissed off that parasites on the system always seem to walk away with millions of dollars for little added value? Yes. Could we be frustrated with a US governance model that spends more time bickering than getting anything done, while squandering trillions of dollars? Absolutely. But in my best NY accent: “Whaddya gonna do?”

I plan to remain intentionally tone deaf regarding all this stuff. Again, maybe that makes me selfish. Maybe I’m more interested in my own comfort and lifestyle than the tens of millions of folks who are screwed by the system. But here is the difference: I have worked for everything I’ve achieved. Everything. Sure I graduated from an Ivy League engineering college. But I got in based on my achievements in high school with very little parental guidance or oversight. My Mom was too busy trying to put food on the table, working in a crappy retail pharmacy, to push me to do my homework. And at the end of the day, my education helped me get my first job. That’s it.

Sure I could get pissed off that dumb guys I grew up with joined the right investment banks at the right time and make 7 figures a year now. I could get angry that kids right out of mediocre engineering programs (but with decent connections) end up at one of the Silicon Valley start-ups and win the Google lottery, pulling millions out as cogs in the wheel. Does that mean we should “Occupy Sand Hill Road” and get pissed at how high-tech financiers engineer value from the (at times) unholy alliance between big IT, storied entrepreneurs, and the puppet master VCs that seem to pull all the strings? What’s the use of that? I choose to get up and (as Chris Nickerson says) “do work.” The only thing I can control is how hard I work.

I can’t control what anyone else does. I can’t control market swings. I can’t control whether the light of good fortune shines on me at some point. I can (and do) control what I do. And that’s how I’ll rail against the system. I’m totally on board with Larry Walsh’s thoughts on innovation and entrepreneurship. Larry’s quote here is exactly right: “I’m protesting today. I’m calling it ‘Occupy Work.’ I pledge to sit at my desk, service my clients, be productive and innovative, and contribute to the economy. Oh, and I will do it with humility.”

He makes a number of great points. Clearly the system(s) need reform. But what is the value of sitting in a park? How is that aiding the collective? How does taking a shot of pepper spray (however appalling) bring light to the issues the protesters want to discuss? It turns the story from corruption and greed to brutality. Obviously we all need to act in a dignified manner (especially law enforcement), but it seems the core message of fighting greed is lost.

I saw an old friend last week, and we did get philosophical for a short time. He asked me whether I was scared for the world my children were growing up in. I answered with a resounding no. I still believe that I live in a country where hard work will be recognized. I believe that my kids can become whatever they want, and with enough effort can achieve their dreams. Lots of folks overcome long odds every day to prosper through the force of their own will, regardless of their circumstances. I’m teaching the kids to be self-sufficient and not hope a big company will support and provide for them. Pensions are not guaranteed by a bankruptcy court. Nor is healthcare coverage. I believe in entrepreneurship. I believe in creating your own opportunities, not waiting for someone to give something to you. I believe in the capitalist system and although clearly imperfect, it’s the best thing out there. Maybe I’m naive. Maybe I’m stupid.

But I still believe that as long as I focus on what I need to get done every day, things will work out in the end. So rather than spending my time in a pup tent in some public park, like Larry I will occupy work. We all have a choice about what we do on a daily basis. The folks Occupying whatever seem to think their approach will result in positive change. Maybe they are right. But either way, I figure the only great equalizer in a capitalist system is hard work. And on this week of Thanksgiving in the US, I’m thankful that I live in an area where I can control my own destiny, which is what I plan to do. Happy Thanksgiving everyone. If you celebrate, enjoy the holiday and be safe.

Mobile Payments without Credit Cards

The San Francisco Chronicle ran an interesting story about a small payment processing firm that is trying to disintermediate credit card companies. But they are doing it the old fashioned way – cutting out the middleman and going direct to banks to move money for them. Dwolla is a start-up payment processor providing person-to-person payment via mobile and social media outlets. Their hook is providing payment at a substantially reduced commission – just twenty-five cents ($0.25) per transaction. Compare that to credit card companies that charge a flat 3%, or PayPal, which charges thirty cents per transaction in addition to 2.9% (less 2.2% for volume sellers). Dwolla’s offering can be viewed as similar to PayPal’s or an ATM transaction, but ATM fees have escalated into the $3-10 range.

With mobile payment in its infancy, this space is a greenfield for startups and established players to redefine what’s possible. Credit card companies have been talking up the benefits of mobile payments for years as an easier and more pleasurable shopping experience – but today many of their solutions have not yet been delivered to the market. The promised benefit to merchants is rather nebulous growth in “customer loyalty” and data on purchasing history. Cold hard cash would be preferable, which is why I think many small merchants are going to like Dwolla’s offering. When it comes down to it, 3% may not sound like much, but it’s a lot of money for many merchants struggling to be competitive. Popular sentiment doesn’t hurt either, especially in light of consumer dissatisfaction with credit card companies (despite overall credit card use going up), with many consumers halting use of cards because they make spending too easy.

As far as security goes, not much information is available on Dwolla’s security model for establishing user identity. What’s described sounds similar to existing models based on a combination of device (phone) verification, a password, and location-based services.

But it’s not their security model that interests me – it’s that this is one of the first upstarts I have seen really breaking the old mold of how payments are done, and it looks promisingly disruptive. The concept is not new, but it’s one of the first times someone has pulled off the direct-to-bank model and demonstrated a new concept of what mobile payments can be. For banks willing to take some risk on the security and legality of person-to-person or mobile payments, Dwolla offers both a new revenue model and a means to strengthen customer relationships. Keep in mind that many banks offer credit cards expressly to be foremost in the consumer’s mind when looking for auto or home loans – loans being the principal source of bank revenue. While that sounds like a no-brainer, I can tell you from personal experience that most banks won’t touch this concept with a 20’ pole because of the risk to their banking charters in this heavily regulated sector. But the market usually rewards efficiency, and if someone can offer convenient payment services at a reduced cost they are likely to win market share in a hurry. Dwolla sounds like they have a recipe for success.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.