Author Archives: DMZ

Hidden lesson from Clarion West

During Clarion, every week I turned in my story in a sweat, freaked out, anxious, exhausted from the week’s effort, wondering if I’d gone mad, if it was any good, if I’d made any progress at all. I would, seriously, turn in, sit down quietly somewhere for a couple minutes to calm down, and then take a shower, or go for a walk, or fall asleep.

I wrote harder, in an exertion sense, than I’d ever written before. And here’s the thing that’s come to me: you don’t stop writing that hard. The things I learned don’t make it easy to crank out a story. They made it harder. In some cases, far harder — putting the visceral and the emotional in my stories is still a huge struggle, for instance, and it puts the fear into me again, and when I don’t pull it off I want to bang my head against a wall.

Looking back, I’m not sure why that’s a surprise. I didn’t expect that in week four, Kelly would say “and surprise, here’s the secret to turning out consistently great short stories — drink a cup of green tea quickly five minutes before you sit down! There it is, everyone! Don’t spread it around, because you’d only be helping your competition.”

And yet it’s hard to grasp: to write stories I liked as much as the ones I produced in those six weeks, I have to work just as hard as I worked then. The difficulty setting on the treadmill only goes up.

Unless you write some flash fiction, right Gary?

Best dialogue from a bad movie this week

The nerdy computer guy, to the girl he likes, after she defeats ~24 opponents:

“Woah, okay, well, I’m never going to mess with you.”
“Never?”
“Well, maybe in a controlled environment.”
— from DOA

I have a blind spot for horrible, horrible movies like this. I loved, just for one example, the American Ninja movies. Anyway, DOA… um, pretty much stupid throughout, but it’s surprisingly well-shot and frequently funny, a lot of gratuitous shots of the four “high-powered female martial artists” and the fight scenes are sometimes good. It’s a two star movie I liked far beyond its value.

The problem with the fight scenes generally is there’s a lot of fakery and wire work and the leads aren’t convincing. One of the things about watching, say, Michelle Yeoh in Crouching Tiger, Hidden Dragon that’s so awesome is that she moves so beautifully normally, and if you’ve seen her fight (say, in Supercop), you might suspect she can almost fly anyway. There are really only a few people in the movie who look like they could be actual fighters, much less carry an actual fight scene, and that makes it pretty boring.

Credit cards, rainbow attacks, and why it only takes one bad implementation

A ramble.

All credit card numbers have to pass a certain check (mod-10) in order to be valid. I just wrote a little checker to make sure of this, and it turns out 10% of all randomly generated 16-digit numbers will pass a mod-10 check (funny how that works out, huh). I’ll probably find out I messed up.

Okay, so there are 16 digits in a credit card, 10 possibilities per, so 10^16 possible numbers. But if only 10% are valid, and you can know that in advance, a list of all possible, valid credit card numbers would contain 10^15. That’s a petabyte of storage, and would cost you a fair (but not astronomical) amount of money to put together. Back when I started working on credit cards and fraud stuff, it was essentially impractical for someone operating on their own to pull that off.

The actual number, though, isn’t even 10^15. It’s much, much smaller, because the first digit or two are card identifiers, and then the next four digits identify the issuing bank and whatnot. So the first six digits aren’t actually random at all, and that dramatically constrains the number space you’re working with. It’s a whole ANSI standard and everything.

So it’s actually…. 4*some limited number I could work out if I had enough time*10^10. Now we’re getting down to something you can pretty easily stash.

Anyway, there are two things I’m going to gloss over: encryption and hashing. In encryption, you use a key to turn a piece of text into something you can bring back using the same key. In hashing, you put a chunk of whatever through a mathematical function and out the back end comes some crazy number. You can’t derive the original from that number, even knowing the function. (standard caveats apply)

This is used for all kinds of cool stuff, like signatures for files. If I publish a document along with its hash, you can verify it, and as long as I use a decent method, it’s essentially impossible for someone else to modify that document and get the same hash number to come out the end.

But let’s say you get a list of hashed passwords. You know that all passwords are eight letters long, lowercase. You can generate all 26^8 possibilities, run that same mathematical function on them, and then compare the results to what you have. Tada! You have everyone’s password.

Which is a great argument for long, complicated passwords (I’ve ranted about that before, though) — you should make your password as complicated as you can at every place that requires one.

I know you won’t. It’s okay.

Ah, so anyway, here’s the thing — what if, for whatever reason, someone uses your credit card number for verification purposes? And they store… a hash to do the compare with?

Unless they’re doing something called salting (and the attacker doesn’t figure that out), you’re toast. Same attack: the guy with the huge list of valid numbers can go through and say “for each of these potentially valid numbers, run them through a function and go see if there are any matches in this list I’ve got here.”

Whirr…. running that hash function on 10^15 (or whatever the actual number turns out to be) takes a while, but not as long as you might think, and then… tada! All the credit card numbers.

And after you’ve got those, it’s open season.
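The eight-lowercase-letters password case and the hashed-card-number case above are the same attack: the space of possible inputs is small enough to enumerate, so an unkeyed hash is just a lookup table away. The Python below is an added example, not code from the original post. It shows a mod-10 (Luhn) checker, measures the roughly 10% pass rate for random 16-digit strings, and compares what a leaked digest gives away under plain SHA-256 versus a keyed hash (HMAC-SHA256 with a server-side secret). The card number, the known prefix and the key are constructed values, and the assumption that the attacker already knows the first 12 digits is mine, chosen to keep the enumeration to 1000 candidates; a real six-digit issuer prefix leaves far more, but the shape of the attack is identical.

```python
import hashlib
import hmac
import random
from typing import Callable, Iterator, Optional


def luhn_valid(number: str) -> bool:
    """True if the decimal string passes the mod-10 (Luhn) check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def luhn_pass_rate(samples: int, seed: int = 1) -> float:
    """Fraction of uniformly random 16-digit strings that pass Luhn (about 0.10)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        candidate = "".join(str(rng.randrange(10)) for _ in range(16))
        if luhn_valid(candidate):
            hits += 1
    return hits / samples


# Constructed values for the demonstration; nothing here is a real card or key.
# Assumption: the attacker already knows the first 12 digits (issuer prefix plus
# part of the account number), leaving 3 free digits and the check digit.
KNOWN_PREFIX = "400000000000"
EXAMPLE_CARD = "4000000000001232"      # constructed; Luhn-valid
SERVER_KEY = b"constructed server-side secret; kept apart from the digests"


def candidates(prefix: str) -> Iterator[str]:
    """Every Luhn-valid 16-digit number starting with prefix (1000 for a 12-digit prefix)."""
    free = 16 - len(prefix) - 1        # digits left after the prefix, minus the check digit
    for tail in range(10 ** free):
        for check in range(10):
            n = f"{prefix}{tail:0{free}d}{check}"
            if luhn_valid(n):
                yield n                # exactly one check digit works per tail


def sha256_hex(s: str) -> str:
    """Unkeyed hash: anyone can recompute it over the whole candidate space."""
    return hashlib.sha256(s.encode()).hexdigest()


def keyed_hex(key: bytes, s: str) -> str:
    """Keyed hash (HMAC-SHA256): recomputing it requires the secret key."""
    return hmac.new(key, s.encode(), hashlib.sha256).hexdigest()


def recover_by_lookup(stored: str, prefix: str, digest: Callable[[str], str]) -> Optional[str]:
    """The table attack: digest every candidate once, then look the stored value up."""
    table = {digest(n): n for n in candidates(prefix)}
    return table.get(stored)


def demo() -> dict:
    """Compare what a leaked digest gives away under an unkeyed and a keyed hash."""
    plain = sha256_hex(EXAMPLE_CARD)
    keyed = keyed_hex(SERVER_KEY, EXAMPLE_CARD)
    return {
        # unkeyed SHA-256 over a known prefix: the number falls out of a 1000-entry table
        "plain_recovered": recover_by_lookup(plain, KNOWN_PREFIX, sha256_hex),
        # HMAC with a secret the attacker lacks: no candidate digest matches
        "keyed_recovered": recover_by_lookup(keyed, KNOWN_PREFIX, sha256_hex),
        # the caveat from the post: once the key leaks too, it is the same attack again
        "keyed_recovered_if_key_leaks": recover_by_lookup(
            keyed, KNOWN_PREFIX, lambda s: keyed_hex(SERVER_KEY, s)),
    }


if __name__ == "__main__":
    print(f"Luhn pass rate for random 16-digit strings: {luhn_pass_rate(20000):.3f}")
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things to take from running it: the Luhn check throws away 90% of the candidate space before a single hash is computed, which is why the table is cheaper than the raw digit count suggests; and the keyed version only stays safe while the key lives somewhere the digests do not, which is exactly the parenthetical the post attaches to salting.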

Now, this is still a pretty tough attack to make, and it’s almost certain that if an attacker can get that far, there will be more lucrative means of getting card numbers. And it’s also true that an attacker sophisticated enough to make this attack is almost certainly going to have many, many more lucrative targets that aren’t as secure.

But I kept thinking about this today: how many companies can look up your payment or account history based on your credit card number? Either they’re storing the number unencrypted to do lookups, they’re doing something clever, or… they’re using hashes. And if they’re using hashes, it might be clever, or pretty much as good as plaintext.

If you’re a customer of the companies I’ve worked at, you will be happy to know that they’ve all been clever.

If you’ve worked at a large company, where all kinds of ridiculous and bizarre decisions get made, decisions that are indefensible almost at once, how unlikely does it seem that there’s someone out there doing this?

The “international” grocery store

(where “international” seems to mean “mostly Korean and Japanese”).

When I was w/o a car there for a while, I had to get some ingredients for my mom’s birthday dinner, so I hiked down to the market a couple blocks away (it’s about a 10-minute walk) to buy my stuff. It was initially disorienting, because it’s not laid out in standard grocery store form, and doesn’t have nearly the same stuff: the meat selection, for instance, is wildly, wildly different from your local Kroger-owned store’s.

But that’s not what I’m ranting about. I was shocked at how cheap everything I needed was. I understand the pricing’s going to be different, but comparing items you can also buy at QFC or Safeway, the same item for the same item, the difference was astonishing.

For instance: I found an item that sells at my normal grocery store for $3.59 for $.99. That’s not a joke. It wasn’t on sale or anything. No matter how you figure it, it means that the nationally supplied grocery chain’s profit on that item was at least $2.60 — and I’ve paid that $3.59 before. That’s crazy! Noodles! Fish sauce! The list went on and on, and the only thing I saw that was comparably priced was bean sprouts.

This is likely not news to anyone, and I’ve bored you already. But it’s the why that fascinates me.

I thought of a couple ways to look at this, but it keeps derailing.

Say that the normal grocery store knows that people who shop there have no idea how much to pay for fish sauce, so they do some market testing and find that if they put it out at $5, they sell to their normal client base and lose the people willing to go to the international market, for a total profit of $tons.

But then why doesn’t the international market sell it for, say, $4 instead of $1? Why hasn’t that price gap collapsed? Is there a different market force operating between this market and the other international ones?

Even if you figure that the international market is pricing at, say, cost + markup, it’s hard to believe that they haven’t walked up the street to where the other two grocery stores are to take a look at their pricing.

I feel compelled to go take some economics classes.

Took the EU job

Two weeks in London a quarter, we’ll see how that works out. The first one may be in December. December in London! Hee hee hee.

Clearly makes writing more difficult, not sure how I’m going to manage that, but uh… gotta keep the lights on at Haus Zumsteg. And my car’s latest repair bill is likely to approach its value, for the second time this year. Which is awesome. Not that I drive much, but… sigh.

My nice day

I had a bad end of the week last week, as I got weirdly sick Friday afternoon, and even after I started to feel better Saturday I still had a nagging, painful headache.

Today, things finally cleared up. It was a beautiful day, clear and sunny, I had a car available as my parents generously loaned their Passat to us (Jill and I are currently down to one car that sometimes won’t start, which is not a good situation), I took a bus into Seattle to a cool donut shop with delicious coffee to meet some other previous Clarionites for story crits, came back, made some dinner, did some work, and then I felt like I really wanted to get a bike ride in, but it was getting late – so I did.

And it was awesome. It’s always great getting some exercise in after being waylaid by illness, but the sun was low, the western sky was bright orange as I toodled along, it was nice and cool, traffic light… I was smiling almost the whole time. Streetlights came on as I came up the final street to my house, so I timed it almost perfectly.

Ahhhh… biking. If only someone would pay me to write a bicycling book.

(looks over in the direction of Boston)

I saiiiiiddd… if only someone would pay me to write a bicycling book.

Sigh.

Usability memo to application development types

To all developers, everywhere:

Unless the message you’re displaying is “you’re in incredible danger” there is no excuse, ever, to steal focus from my current application. I don’t care if you’re updating virus definitions, or if you want to check for software updates. It’s less important than me actually working. If I’m writing full-tilt and something pops up, I:
– almost certainly key input to that dialogue that does something unintentionally
– lose ~10-15 words of whatever I was writing
– lose my concentration
which leads to
– losing my shit

I, no joke, uninstall programs that can’t be quiet. If your objective was to be noticed, you succeeded, and now I don’t use your app at all. Congratulations.

Windows should – easily – allow me to disable that operation entirely. There’s no reason a user shouldn’t be able to control whether they’re interrupted by messages like that.

Worker Bee recommendation

There’s a Bay Area band called Worker Bee (myspace page here) that I totally, totally recommend. They’ve got a 5-song record out called “Divorce Your Legs” which you pretty much can’t find anywhere, but they’re ridiculously good. The best way I figured out to describe them is “If you like Explosions in the Sky, they’re like all the things you like about them”. Roger Waters once wrote an essay in Newsweek that recommended the best way to rebel against the Boomers was to find music that was complicated, subtle, and built on itself until it burned a hole in your head, and unfortunately, we didn’t have Mogwai and Explosions in the Sky and all those other great bands then, but I waited, and I love them, and that’s Worker Bee.

I don’t even know how to encourage people to check them out, except to look at their MySpace page, which has two songs you can listen to, or check them out if you can get to one of their shows. They’re not even on eMusic (!). I would bet you can find their CD on all the finer P2P networks, too, though obviously, I don’t want to encourage that. I wish I could point people to an online purchase option. I’m sure I’ll be pimping their album if it ever comes out.