The Daily Parker

Politics, Weather, Photography, and the Dog

How the McDonald's Monopoly game was rigged

Via Schneier, the head of security for the marketing firm running the game stole the million-dollar game pieces:

[FBI Special Agent Richard] Dent’s investigation had started in 2000, when a mysterious informant called the FBI and claimed that McDonald’s games had been rigged by an insider known as “Uncle Jerry.” The person revealed that “winners” paid Uncle Jerry for stolen game pieces in various ways. The $1 million winners, for example, passed the first $50,000 installment to Uncle Jerry in cash. Sometimes Uncle Jerry would demand cash up front, requiring winners to mortgage their homes to come up with the money. According to the informant, members of one close-knit family in Jacksonville had claimed three $1 million prizes and a Dodge Viper.

When Dent alerted McDonald’s headquarters in Oak Brook, Illinois, executives were deeply concerned. The company’s top lawyers pledged to help the FBI, and faxed Dent a list of past winners. They explained that their game pieces were produced by a Los Angeles company, Simon Marketing, and printed by Dittler Brothers in Oakwood, Georgia, a firm trusted with printing U.S. mail stamps and lotto scratch-offs. The person in charge of the game pieces was Simon’s director of security, Jerry Jacobson.

Dent thought he had found his man. But after installing a wiretap on Jacobson’s phone, he realized that his tip had led to a super-sized conspiracy. Jacobson was the head of a sprawling network of mobsters, psychics, strip-club owners, convicts, drug traffickers, and even a family of Mormons, who had falsely claimed more than $24 million in cash and prizes.

The longish read is worth the time.

Too many things in my inbox

I probably won't have time to read all of these things over lunch:

Share that last one with your non-technical friends. It's pretty clever.

Morning links

I didn't have a chance to read these yesterday:

Now I'm off to work. The heat wave of the last few days has finally broken!

Your mouse knows when you're lying

Via Bruce Schneier, interesting research into how to use mouse movements to detect lying:

Cognitive psychologists and neuroscientists have long noted a big "tell" in human behavior: Crafting a lie takes more mental work than telling the truth. So one way to spot lies is to check someone's reaction time.

If they're telling a lie, they'll respond fractionally more slowly than if they're telling the truth. Similarly, if you're asked to elaborate on your lie, you have to think for a second to generate new, additional lies. "You're from Texas, eh? What city? What neighborhood in that city?" You can craft those lies on the fly, but it takes a bit more mental effort, resulting in micro hesitations.

In essence, the scientists wanted to see whether they could detect -- in the mouse movements -- the hesitation of someone concocting a lie.

Turns out ... they could. The truth-tellers moved the mouse quickly and precisely to the true answer. The folks who were lying jiggered around the screen for a bit, in a sort of hemming-and-hawing adaptation of Fitts' Law.

That's kind of cool. And kind of scary.

Because who needs cyber security, anyway?

Lawyer Paul Rosensweig and national security analyst Megan Reiss think John Bolton getting rid of the "cyber czar" position is "a magnificent idea:"

Bolton is completely correct that there is no need for any coordination between the various federal agencies on this issue. Cybersecurity is not a cross-cutting problem that affects all sorts of equities. We have no concerns that eliminating this position will result in conflicting mission imperatives. We have every confidence that the National Security Agency, for example, can work out vulnerability disclosure equities without the need for input from the Departments of Commerce, Justice or Homeland Security (much less Treasury or State).

We also are confident that the decision accurately reflects the diminished importance of cybersecurity as a national issue. Cybersecurity is no longer deserving of the prominence that so many national security experts seem to give it. We fully expect the Office of the Director of National Intelligence to eliminate the cybersecurity menace from its annual threat assessment. We are confident that the trend lines for cyber threats and intrusions are down.

Didn't we already know John Bolton was incompetent?

Democratic candidates know what they're doing

Greg Sargent this morning points out that my party's congressional candidates aren't running the campaigns that the popular imagination thinks they are, which is a good thing:

There’s a narrative about our politics right now that you constantly encounter on social and political media. It goes like this: Democrats are too obsessed with the Russia investigation, or with Stormy Daniels, or they’re just too focused on “not being President Trump,” and as a result, they aren’t articulating an affirmative agenda and risk getting caught flat-footed by Trump’s supposedly rising popularity.

But this narrative is entirely wrong, and two new pieces this morning help set the record straight.

The first article is by Nate Silver, and it puts Trump’s job-approval numbers in their proper perspective.

If Trump’s numbers are rising, they are only doing so inside a very narrow range that remains abysmally low. And don’t forget the polling that shows strong disapproval of Trump is running higher than strong approval, which could impact disparities in voter engagement.

The second piece is by Ron Brownstein, and it reports accurately on how Democrats are actually running their campaigns right now. As Brownstein notes, many Democrats think that their chances of winning this fall turn less on whether Trump gets further dragged down by scandal, and more on their ability to link the GOP’s tax cuts to its failed (but continuing) drive to roll back health coverage, which together amount to a deeply unpopular overall set of GOP priorities.

With Republican primary elections in Indiana, Ohio, West Virginia, and North Carolina going on today, we may have even better data about how we're retaking the House in November.

On the other hand, Bruce Schneier notes that both parties' campaigns are dangerously nonchalant about IT security. Great.

Quick links

A couple stories of interest:

OK, back to being really too busy to breathe this week...

Ides of March reading list

I'm writing a response to an RFP today, so I'll have to read these when I get a chance:

There were two more stories in my inbox this morning, but they deserve their own post after lunch.

Bronze age defenses, modern attacks

Via Bruce Schneier, DHS Senior Analyst Jack Anderson describes how walls are still a dominant security metaphor, and the consequences of that choice:

Walls don’t fail gracefully. But there is a bewitching tendency to trust them more than we should, and this leads to dangerous liabilities. Extreme risk prognosticator Pasquale Curillo calls this tendency to depend too much on controls we’ve put in place the “fence paradox.” By protecting things — which they must — organizations can encourage situations where they stand to lose a lot if their wall is breached. When that fortification fails (and eventually, every fortress fails) it fails catastrophically. The scale of the Equifax hack in 2017 and the Brussels bombings in 2016 both illustrate the way that organizations and systems organize risk, tending to put together massive targets for potential threats. Walls actually encourage this kind of thinking. If you build walls to protect something, it makes sense to expect them to work. But network architects and airport security designers both need to listen to de Montluc, the 16th century French military mastermind: “Nothing is impregnable.”

We need a new awareness of what walls do. It’s tempting to think of them as blocking threats, but they don’t. They behave more like filters — winnowing out only those threats not serious enough to circumvent them. And this implies a secondary problem apart from the fence paradox. A wall that prevents large-scale foot traffic across unsecured locations in the U.S. border means that only determined, capable adversaries will be able to cross the wall. The people who are the least threatening are the only ones who are easily deflected. It may prevent smaller scale losses, but it actually encourages your biggest threat to innovate, leaving room for catastrophe. Bag checks and barricades moved a perimeter outward at the Mandalay Bay Casino last October, but Stephen Paddock circumvented this by moving his position upward. As Washington considers the marginal benefits of a massive border wall, it needs to think equally of this revenge effect.

This weakness is where the idea of “defense in depth” (layered security) comes from. A good summary of the reasons for defense in depth comes from a 1921 Infantry Journal, published by the U.S. Infantry Association: “All essential elements of the defense should be organized in depth. If the forward defensive areas are captured, resistance is continued by those in the rear.”

That's bronze-age wisdom, in fact. And yet security designers don't seem to learn. And the President's wall around Fantasyland will not prevent the threats he fears, not one little bit.

Mid-week link roundup

Lots of things popped up in my browser today:

And now, back to work.