The Bankwatch

Tracking the consumer evolution of financial services

As American fans chanted “U-S-A! U-S-A! U-S-A!” the Germans countered with, “N-S-A! N-S-A! N-S-A!”



While football (soccer to North America) fans may not, as a group, apparently represent the intellectual elite, they do reflect the practical & political reality. On June 26th, 2014, when USA and Germany played each other in the World Cup, the brilliantly socially reflective fans got straight to the true core of international relations.

World Cup chants reveal true state of U.S.-German relations

As Germany basks in its World Cup victory, it’s easy to forget that one of the most telling geopolitical moments of the tournament came during the Germany-U.S. game. As American fans chanted “U-S-A! U-S-A! U-S-A!” the Germans countered with, “N-S-A! N-S-A! N-S-A!”

Written by Colin Henderson

July 19, 2014 at 00:32

Posted in Uncategorized

Apple and IBM enter enterprise market together



This seems like a seminal moment for Enterprise devices that to date were officially owned by Blackberry.

Apple and IBM Forge Global Partnership to Transform Enterprise Mobility

Written by Colin Henderson

July 15, 2014 at 19:14

Posted in Uncategorized

iOS and Android | Google and Apple strategies are clear, for now



I found this a thoughtful and provocative article. Even the comments are worthwhile if you ignore the Apple vs Google troll comments. There is a distinction being drawn between Apple/iOS and Google/Android, and it’s one that reflects both the history of computing and their respective business models, which are very different.

The next phase of smartphones

Hence, WWDC was all about cloud as an enabler of rich native apps, while the most interesting parts of IO were about eroding the difference between apps and websites.

… …

The interaction models become different. I’ve said before that Apple’s approach is about a dumb cloud enabling rich apps while Google’s is about devices as dumb glass that are endpoints of cloud services.

Cloud differences were most striking in observing the Apple (WWDC) and Google (IO) strategies this year. I doubt Steve Jobs thought much about cloud (early 2000s) while Larry Page was forced to do so much more recently when stuck with the Motorola purchase, and an inevitable ‘let’s copy Apple’ strategy. Let’s break some of this down.

At WWDC this year, Apple decided to make iCloud more obvious to users, but the basic contract remains that it silently manages user information, preferences and data. Announcements were made about health, auto and home.

At IO Google also talked about health, auto and home. Google was already heavy into cloud based apps including flagship office and storage.

So what’s the difference, especially as they both announced health, auto and home?

As Ben discussed in the linked piece above, this year in particular these annual events drew certain strategic differences between Apple and Google as platforms. This is not to say that people cannot have an iPhone and a Windows laptop, or a MacBook and an Android phone, as many do.

The larger point is that the two companies have different business models and their strategies reflect those models.

Google’s primary revenue is from advertising. They do this by enabling the world’s information on the internet. It makes sense that their approach is to drive activity to the network (web and mobile internet) where their advertising lies. This was also seen in their Chromebooks, one of which I recently saw and used … very cool. Your own information is stored in the Google cloud and local hard drives eventually become a burden in this environment.

Apple are an integrated hardware software company with end to end ownership from chips through hardware, software to cloud. Apple’s predominant use of cloud has been to store your preferences, music and some data silently such that it is available across any Apple device seamlessly and intuitively. iOS 8 promises to raise cloud profile and allow active cloud storage of data.

What is striking is that neither is using cloud like, say, Dropbox to store things primarily. Their primary use of cloud is experience. Simple examples in these early days:

1. Google provides full office, browsing experience and music functionality that is available on any device behind a Google sign in.
2. Apple provides continuity of music listening, working on office docs, passwords, browsing experience across any Apple device.

These examples are just intended to note that both use cloud for experiential purposes. More important is how they choose to implement cloud.

As I mentioned, these are clearly early days, but going back to Ben’s article, one strategic distinction is that of thin client vs fat client. This is a perennial debate that has bounced between the two, reflecting increased computing capability and faster, smarter bandwidth. For now Apple lean towards fat client (apps talking to network) while Google lean towards thin client (apps on the network).

There is no right or wrong answer here, but those two companies have laid down their approaches for the near term. Google even dumped their $11bn acquisition of Motorola to make the point. They are not getting into the hardware business.

Apple’s mobile approach is hardware and rich apps with cloud in the background. Google’s approach is any Android device with rich cloud in the foreground.

These approaches are fundamental to their business models, and both will succeed. This is not a zero sum game. In fact as time passes, it would not surprise me to see subtle shifts by both that encroach on the other’s approach.

I will resist the temptation to discuss benefits of the two approaches. That is for you to decide.

Written by Colin Henderson

July 7, 2014 at 00:42

Posted in Uncategorized

Update from Microsoft Digital Crimes Unit on no-ip action today



Here is the blog post from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

We can expect more:

Microsoft takes on global cybercrime epidemic in tenth malware disruption

http://blogs.technet.com/b/microsoft_blog/archive/2014/06/30/microsoft-takes-on-global-cybercrime-epidemic-in-tenth-malware-disruption.aspx

This is the third malware disruption by Microsoft since the November unveiling of the Microsoft Cybercrime Center—a center of excellence for advancing the global fight against cybercrime.

Written by Colin Henderson

July 1, 2014 at 14:18

Posted in Uncategorized

Microsoft successfully take down alleged malware host ISP no-ip.com



This story reflects the kind of thing that is usually told in urban legend terms, but this one actually happened. Microsoft took on no-ip.com and took down their network. What is especially interesting and precedent setting is that Microsoft obtained a court order to initiate the attack. The order is dated Jun 30th, 2014 for execution today Jul 1st, 2014.

No-ip provides a dynamic IP hosting service that acts as described here by Brian Krebs:

Typically, the biggest users of dynamic DNS services are home Internet users who wish to have a domain name that will always point back to their home computer, no matter how many times their ISP changes the numeric Internet address assigned to that computer.

In this case, however, the attackers responsible for leveraging these two malware families — remote-access Trojans known as “njrat” and “njw0rm” — were using no-ip.com’s services to guarantee that PCs infected with this malware would always be able to reach the Internet servers that the attackers were using to control them.

In short, such services are used by criminals to host bot networks. Bot networks are used to manage thousands of personal and corporate PCs and to have them act as one large computer to spread malware and mount Distributed Denial of Service attacks.


This presents moral and legal dilemmas in these times of government surveillance, malware, and internet security.

  1. Legal Understanding: when Microsoft obtained the court order, did the judge comprehend what he was being asked and what he was approving Microsoft to do?
  2. Private Agents of Law: this sets a precedent of a private corporation taking on and defeating criminals. This was at Microsoft’s own volition, and not as far as we know at the behest of a law agency.
  3. Appropriate force: In this case they also defeated apparently legitimate users. In war we have become blasé about surgical strikes, drone attacks and smart missiles (as we saw last night in Gaza where individual rooms in an apartment block were blown up). The force used was more akin to a nuclear bomb than a laser guided missile attack.

Relevance to Bankwatch:

This has strong relevance to banks, where the urban legends of certain large banks taking out hacker networks several years ago did the rounds.

Let’s dive a little deeper on this. Here is the court order obtained by Microsoft. You will see the order was granted on the basis that the Defendants Mutairi, Benabdellah, and Does 1-500 were suspected of violating the Anti-Cybersquatting Consumer Protection Act law by facilitating placement of malware onto others’ computers without their permission. Those people/entities are referred to as ‘malware defendants’.

msft-noip-tro.pdf

And more specifically the defendants are accused of:

a. Leasing to Malware Defendants No-IP sub-domains containing Microsoft’s protected marks; and
b. Negligently enabling Malware Defendants to participate in illegal acts, and failing to take sufficiently corrective action to stop and prevent the abuse of its services, all of which harms Microsoft, Microsoft’s customers, and the general public.

The order provides Microsoft authority to:

To immediately, on all authoritative name servers for the .COM, .NET, .ORG, .BIZ, and .INFO top level domains, change the Domain Name System authoritative name servers for the No-IP second-level domains, listed in Appendix B, that are associated with the malware sub-domains (“Malware Sub-Domains”), listed in Appendix A, to “ns7.microsoftinternetsafety.net” and “ns8.microsoftinternetsafety.net,” and remove all other authoritative name servers for the domains listed in Appendix B. The Registry Operators shall reasonably cooperate with Microsoft to implement this order through one or more of the foregoing changes, as may be necessary to effectuate the terms of this order;

In short, Microsoft have authority to get control of domains that purport to represent Microsoft (by containing Microsoft’s name). The final order is the one that fascinates me:

IT IS FURTHER ORDERED that the authoritative name server set up and managed by Microsoft to respond to requests for the IP addresses of the sub-domains of No-IP may respond to requests for the IP address of any domain listed in Appendix B or later determined to be associated with malware activity either by (1) giving no reply; or (2) replying with the address of a special Microsoft “sink-hole” computer, which, when contacted, shall log the date and time of the request, the IP address and related information from the requesting computer but otherwise not respond to the request.

Sink hole? I had to look that up:

A sinkhole is a standard DNS server that has been configured to hand out non-routeable addresses for all domains in the sinkhole, so that every computer that uses it will fail to get access to the real website.

In other words, any attempt to access links routed to the sink-hole will go nowhere. This probably explains the fact that 4 million users were impacted, and to me, rather than overpowering force, suggests that the criminal activity at no-ip was in fact wider and broader than even Microsoft knew.
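The name-server behaviour the order describes, as an added example that is not from this post, the order or Microsoft: a minimal Python handler that, for names under listed domains, either gives no reply or answers with a sinkhole address. The zone names, the sinkhole address and the lookup log kept at the name server are assumptions of the example.

```python
import struct
import time

SINKHOLE_IP = "192.0.2.1"  # constructed: documentation-range address
# Constructed stand-ins for the order's Appendix B domains, mapped to the two
# permitted behaviours: "sinkhole" = answer with SINKHOLE_IP, "drop" = no reply.
ZONES = {"example-dyn.test": "sinkhole", "example-drop.test": "drop"}

def build_query(name, txid=0x1234, qtype=1):
    """Constructed sample input: a minimal DNS query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (name, qtype, qclass, end offset) of the single question."""
    labels, offset = [], 12  # the question follows the 12-byte header
    while packet[offset] != 0:
        length = packet[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[offset + 1:offset + 5])
    return ".".join(labels).lower(), qtype, qclass, offset + 5

def policy_for(name):
    """Return the action for a name inside a listed zone, else None."""
    for zone, action in ZONES.items():
        if name == zone or name.endswith("." + zone):
            return action
    return None

def handle_query(packet, client_ip, log, now=None):
    """Return response bytes, or None when the server gives no reply."""
    try:
        txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
        name, qtype, qclass, end = parse_question(packet)
    except (IndexError, struct.error, ValueError, UnicodeDecodeError):
        return None  # malformed packet: stay silent
    action = policy_for(name)
    if flags & 0x8000 or qdcount != 1 or action is None:
        return None  # not a query, or a name this sketch does not cover
    # Assumption: lookups are logged here too; the order puts logging on the
    # sinkhole host, and client_ip here is usually a recursive resolver.
    log.append({"time": time.time() if now is None else now,
                "client": client_ip, "qname": name, "action": action})
    if action == "drop" or (qtype, qclass) != (1, 1):
        return None  # option (1): giving no reply (also for non-A lookups)
    header = struct.pack("!HHHHHH", txid, 0x8400 | (flags & 0x0100), 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, SINKHOLE_IP.split(".")))
    return header + packet[12:end] + answer  # option (2): sinkhole address
```

The match is on whole labels, so a look-alike such as `notexample-dyn.test` falls outside the listed zone and gets no answer from this handler.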

Back to the three dilemmas:

1. The order is very carefully and clearly worded despite use of terminology, so I believe the Judge knew exactly what he was approving. More power to the Microsoft lawyers and engineers for making that milestone.

2. This is a non issue. Microsoft were provided authority to claim that which they have every right; their name.

3. Appropriate force is also a non issue. There may be legitimate uses for free dynamic IP hosting however unequivocally one use is for criminal use in managing botnets. Despite any legal arguments to the contrary, what these people were doing was facilitating crime, and Microsoft found a way to legally stop them. Meantime, as a regular user I ask: would you locate your web site with these people? The force was appropriate and probably uncovered more illegal activity than expected.

Go Microsoft, and I would like to see the computing and brain power of Google, Facebook and Yahoo get into this game as strongly as Microsoft. Going back to my first dilemma, the legal system cannot do this by itself. Similarly NSA, GCHQ, ASD, CSEC, GCSB (The Five Eyes) perhaps could, but their hands have been tied by Snowden leaks.

It is too technical and fast evolving, and requires engineers on the edge of this world who understand it.

Written by Colin Henderson

July 1, 2014 at 12:20

Posted in Uncategorized

If we think about it what is the problem with security service surveillance?



Totally off banking topic. The consternation about NSA and government surveillance displays an enormous lack of historic perspective on the topic.

What Americans Need to Know About the History of Spying | The Big Picture

5,000 Years of History Shows that Mass Spying Is Always Aimed at Crushing Dissent

For thousands of years, tyrants have spied on their own people in order to crush dissent.

Keith Laidler – a PhD anthropologist, Fellow of the Royal Geographical Society and a past member of the Scientific Exploration Society – explains:

The rise of city states and empires … meant that each needed to know not only the disposition and morale of their enemy, but also the loyalty and general sentiment of their own population.

There are articles about tunnels and other obscure methods of information gathering.

However, on a much simpler scale, I am aware of someone who subscribed to certain magazines in the 1990s that were related to that person’s (legal) hobby. It turns out that hobby and the magazines set off alarm bells in the post office which found their way to the local RCMP. Fortunately that person knew someone in the local detachment, who made contact and all was sorted out uneventfully. But even if that were not the case a quick interview with the RCMP would have clarified the situation.

The point is that the Post Office and the RCMP were connected at the hip, and have been forever. Personally I have no issue with this. The Post Office and the security services have been connected closely for hundreds of years in British based society. And we are the stronger for it. Security does not need to be managed on CNN.

Back to the NSA. Of course they are listening to stuff. It’s a worthwhile debate about how and on what guidance or regulation they are permitted to do so, but really at the end of the day are we so so concerned that we actually want them to stop? Really? The internet world is complicated and that requires complicated solutions which build on age old practices. The latest dissertation on your most recent restaurant or family spat is hardly going to be something intelligence agencies will care about, but if that gets gathered, I say so what. (And yes, the 1990 magazines story was in fact yours truly, and that’s for an over-a-beer conversation.)

Written by Colin Henderson

June 30, 2014 at 20:39

Posted in Uncategorized

BBVA implement HCE in their wallet deployment



BBVA, who recently purchased digital-only Simple Bank, announce their first and the world’s first (apparently – requires validation) implementation of HCE, which in practical terms is the recently uncovered method for bypassing the telcos’ previous hold on payments using mobile phones. For more read my earlier review of Dave Birch’s discussion on HCE here.

BBVA introduces HCE-based mobile NFC payments | Finextra

Spain’s BBVA has become the first major global bank to commercially launch a host card emulation-based mobile contactless payments service.

Relevance to Bankwatch:

In summary from my earlier post and subsequent study, HCE (Host Card Emulation) is a method by which phone app developers can bypass the phone hardware usually embedded by telcos in their SIM card and known as “secure element”. The secure element was designed to have telcos own, and take a fee for, every payment transaction made with phones using their network. As you can imagine the development of HCE is huge, even game changing, for payments and future revenue flow associated with payments.

Question: do the Canadian Banks employ secure element in their wallets? I think the answer must be yes, but reaching out to hear.

Written by Colin Henderson

June 30, 2014 at 16:20

Posted in Uncategorized
