AT&T’s weak default security provides a huge security hole for Google 2-Step verification

Mat Honan’s article from November of last year about the weakness of using passwords for online security details a terrifyingly easy method to crack Google’s 2-step verification:

On the consumer side, we hear a lot about the magic of Google’s two-factor authentication for Gmail. It works like this: First you confirm a mobile phone number with Google. After that, whenever you try to log in from an unfamiliar IP address, the company sends an additional code to your phone: the second factor. Does this keep your account safer? Absolutely, and if you’re a Gmail user, you should enable it this very minute. Will a two-factor system like Gmail’s save passwords from obsolescence? Let me tell you about what happened to Matthew Prince.

This past summer UGNazi decided to go after Prince, CEO of a web performance and security company called CloudFlare. They wanted to get into his Google Apps account, but it was protected by two-factor. What to do? The hackers hit his AT&T cell phone account. As it turns out, AT&T uses Social Security numbers essentially as an over-the-phone password. Give the carrier those nine digits—or even just the last four—along with the name, phone number, and billing address on an account and it lets anyone add a forwarding number to any account in its system. And getting a Social Security number these days is simple: They’re sold openly online, in shockingly complete databases.

Prince’s hackers used the SSN to add a forwarding number to his AT&T service and then made a password-reset request with Google. So when the automated call came in, it was forwarded to them. Voilà—the account was theirs. Two-factor just added a second step and a little expense. The longer we stay on this outdated system—the more Social Security numbers that get passed around in databases, the more login combinations that get dumped, the more we put our entire lives online for all to see—the faster these hacks will get.

It’s extremely easy to get someone’s social security number. I don’t know about telephone providers other than AT&T, but the fix for this is easy. You can call AT&T’s customer support and lock your account with a password. The password you create should be strong and unique, and should have absolutely no connection to anything else in your life, so that it is unavailable for sale on the black market. Once your account is locked with a password, AT&T representatives will refuse to make any account changes whatsoever without the password. If you forget or lose your password, the only way into your account is to go into a brick-and-mortar AT&T store and present a government-issued ID.

Will this solution achieve perfect security? Of course it won’t. Nothing is 100% secure. AT&T representatives might not comply, and government IDs can be forged, but a hacker would have to be much more determined, and would have to conduct their entire operation in a very difficult time frame, before the targeted account holder is notified and figures out that something is amiss.

Medicalization of criminal behavior is a problematic political weapon

Patients committed to a Catonsville, Maryland psychiatric hospital have been consistently assaulting the hospital staff and generally causing chaos:

The chaos at the state’s largest psychiatric hospital, the consultant found, is fueled by a few patients who “prey upon patients and staff with relative impunity” after being ordered by courts to the hospital for psychiatric evaluation — sometimes with dubious symptoms.

The findings are contained in a report created for the Department of Health and Mental Hygiene in response to safety complaints from hospital staff. The report by Dr. Kenneth Appelbaum, an expert in forensic psychiatry at the University of Massachusetts Medical School, describes a number of violent incidents over the past year. It also highlights an ongoing dispute between judges and clinicians over patient admission standards.

Remember Rosenhan’s 1973 experiment? Rosenhan challenged the validity of psychiatric diagnoses by having sane “pseudopatients” fake symptoms to be admitted into psychiatric hospitals, then immediately cease simulating any symptoms of abnormality. The hospitals never recognized the pseudopatients’ sanity.

Diagnosing mental illness is plagued by ambiguity, and diagnoses carry power. The combination of power and inherent ambiguity makes the institution of psychiatry a political weapon.

The Maryland criminal justice system faces latent incentives to medicalize criminal behavior. Maybe prisons are overcrowded, or there’s pressure to cook statistics so as to disingenuously minimize the number of crimes, or there’s something else going on. We may never know. Regardless, the violence to the hospital staff is another example of an unintended consequence when a government co-opts a nexus of power.

The Wire: The Musical perfectly describes the nefarious spontaneous order:

There are complex problems inherent in the bureaucratic institutions of the state, but there’s no one to blame. It’s a vast array of personal interests that conflict in a way that undermines the overall system.

Out-group loyalty might exist

Some subjects, to counter in-group loyalty, overcompensate by demonstrating out-group loyalty. Uhlmann, E.L., Pizarro, D.A., & Bloom, P. (2008):

Additional suggestive evidence for awareness of automatic attitudes comes from work showing that implicit and explicit measures interact to predict judgments and behaviors. These interactions suggest that people not only compensate, but in some cases even overcompensate for their automatic attitudes. For example, individuals who are automatically prejudiced but who are consciously motivated to respond without prejudice respond even more favorably towards Black targets in terms of their trait judgments (Olson & Fazio, 2004) and willingness to interact with the person (Towles-Schwen & Fazio, 2003) than individuals who are not automatically prejudiced (see also Dasgupta, 2004). As noted earlier, increased awareness of an automatic process can lead to correction effects (Newman & Uleman, 1990; Moskowitz & Roman, 1992).

In terms of Haidt’s dimensions, this phenomenon probably arises from the fairness dimension, from considerations about historical injustices to minorities. It’s probably not a direct inversion of the in-group loyalty dimension.

Marginal analysis debunks conflict theory

Intel is attempting to challenge the traditional television content distribution model, with a box that would provide cable channels à la carte. Netflix is starting to stream original content, having just launched their breakthrough House of Cards.

All of this exciting news raises the question of why television content has always been bundled up to this point. A while back, Megan McArdle explained that bundling occurs because the fixed cost of laying cable is quite high, while the marginal cost of providing an additional channel is quite low.

Applying calculus to truly understand marginal analysis is absolutely crucial to understanding cable companies’ behavior. Marginal analysis debunks the narrative that conflict theory would predict: that cable companies deliberately structure their services at the expense of their consumers.

Cable companies aren’t full-fledged monopolies, but they have indeed secured some monopoly power through regulatory capture, since they’ve had to cooperate directly with governments to lay cable on public land. Even so, they still face exogenous demand curves. Bundling isn’t some nefarious conspiracy indicative of limitless corporate power; it’s just the nature of the good itself.

Corporations have, up to this point in time, responded to exogenous demand curves, and now à la carte content is a logical outgrowth of widespread broadband. The proliferation of broadband drives creative destruction. Innovation is beautiful.

Does vengeance underlie social justice?

Django Unchained reminded me of a Louis C.K. bit from an old post by The Last Psychiatrist.

Is vengeance a premise of social justice? If it actually is, it would be incendiary to say so directly. Though I’m not certain social justice is even a coherent concept, restitution as a justification seems way more palatable than retribution.

The conflation of restitution and retribution seems to plague discussions of privilege and social justice. Is the language in discussions of social justice deliberately ambiguous to conceal the retribution premise?

I have no answers. I have only questions.

Cottage industries preceded the Industrial Revolution

An oft-forgotten period of history in England and the United States was the putting-out system. Cottage industries served as the precursors to the factories we associate with the Industrial Revolution.

Manufacturing didn’t begin in factories. It began when technological progress allowed people to manufacture raw materials right out of their homes. Eventually, when it became politically viable to do so, larger firms formed to minimize transaction costs.

What’s my point? In contrast to what you might hear from Marxist historical narratives, Western Europe didn’t morph from feudalism to capitalism. The Industrial Revolution wasn’t a transformation of feudalistic exploitation into capitalistic exploitation. It was a spontaneously ordered progression from empowered, decentralized manufacturers.

Who would benefit from a “Council of Psychological Advisors?”

Barry Schwartz is proposing that the federal government assemble a council of psychological advisors, modeled after the Council of Economic Advisors.

Economics has a long history of fetishizing central planning, and economic advisors often get pulled into political games of chess, but psychology has rarely been so directly linked to government policy.

What is something like this supposed to accomplish? An institution like this certainly isn’t meant to distill the latest psychological evidence into optimal policy recommendations; the purpose of the institution would be to gather the language of science to justify whatever policies governments would want to enact.

Barry Schwartz is arguing that because economic assumptions of perfect rationality are overused in policy prescriptions, we need a council of psychological advisors to counteract the Council of Economic Advisors. It’s an oversimplification for political purposes, and a straw man. The argument posits that free markets only work when agents are perfectly rational, and since people aren’t perfectly rational, we can’t have free markets, and should instead rely on a team of trained psychologists to function as central planners.

Free enterprise isn’t superior to central planning only when agents are rational. Free enterprise is superior because knowledge is so distributed in an economy that, absent the price mechanism, central planners have no way of assessing tradeoffs and planning for different individuals’ subjective values and preferences.

There’s a crop of trendy academics, like Sunstein and Thaler, well versed in Kahneman and Tversky’s heuristics and biases program, who just assume that because humans suffer from systematic biases, their choices should be restricted and their decisions be made by the elites who know better. Unfortunately, those most familiar with systemic biases are in no way less vulnerable to such biases.

Beware of politics masquerading as science.