tv   Key Capitol Hill Hearings  CSPAN  January 2, 2014 6:00pm-8:01pm EST

6:00 pm
enriched the data factory without the data factory having to pay for anything. and the data factory sits in the middle, far more closely connected than any automobile factory or textile mill ever was directly connected to these consumers, who in turn provide immediate rich feedback and it's all maneuvered and massaged by these central data factories. and i'm going to spend the next
6:01 pm
few minutes explaining some of the implications of all of this. but here i am trying to get across the notion that the data factory benefits from unpaid contributions from lots of people and here, to give the sense that the data factory is actually selling a whole bunch of services, that most importantly allow the purchasers of those services to make money for themselves. but you can see now how powerful the position of these data factories has become. so, here is one example and this is the only example that i will give you of unpaid contributions but think youtube, think yelp and think of a whole bunch of other services and at the same
6:02 pm
precise thing. linked in about a year ago started to beef up its content effort and invited different people around the world to contribute content. if these weren't ordinary people. among the contributors are bill gates and the president and other people like jamie dimon, head of jpmorgan. they are all contributing content to linkedin for free. the result has been linkedin now ranks among one of the biggest business sites on line in the world and the result has been that linkedin's traffic on linkedin has multiplied eightfold thanks to a whole bunch of contributions. now, more interestingly i would like to talk about what happens when tools are put in the hands of individuals.
6:03 pm
i'm going to rifle through a whole bunch of slides really quickly to show this, starting with three or so examples and i know you heard from the founder earlier of places that are really helping people who otherwise would be lost in the low-paid part of the american service economy. so here is what uber has done for a fellow named sam taylor. here is a local shopping service started in san francisco where this college student is able to gain employment, make money, pay rent in a fashion that she would not have been able to do before instacart came along and the same as you know is evident with -- all of those examples are what i would think up as dollar per hour jobs, maybe 18 to $30 per
6:04 pm
hour. here are some examples of what the tools of the data factories have put out to people all over the world. ebay and i'm going to start with a couple of the big examples and work through to the small ones. ebay has enabled 25 million sellers around the world including people like the fellow pictured at the bottom of the slide who now run multiple million-dollar businesses that they couldn't have managed before ebay. the same thing for google adwords thanks to the way in which adwords enabled this little company in the northeast to get business. here is an example of youtube. you probably have all heard from michelle phan gone from the unknown but thanks to the power of the tools supplied by youtube data factory now has a thriving
6:05 pm
business and following of her own. probably the biggest data factory in the world is amazon. this fellow here, rice had a business that was on its back before amazon came along and he now sells more than 14,000 sleds a year as a small business thanks to the amazon tools all over the world. kindle has put tools in the hands of authors that have transformed their business. it's allowed the authors to get paid far more quickly than they would have done yesteryear and in the course of perhaps 60 months since the inception of kindle and direct publishing there have been a whole bunch of million title sellers and old making a thriving income far more income than they could have done in their previous life as
6:06 pm
normal writers. and amazon web services, here's a slightly different example but it's the same thing taking pinterest from this tiny little service to 17 million people, users and nine months with fewer than 12 people at the harp. a few other very quick examples. there's a lady called kerry who uses a service called we believe. she distributes products all over the world, and the tools didn't exist 15 years ago. people were making significant amounts of money thanks to airbnb. people are paying their mortgages and they're helping put kids through school etc. again the coals -- the tools did not exist and this
6:07 pm
new data factory is enabling a lot of fat. this lady had a very small real estate business in san diego before the advent of truly have. thanks to the services it provides her it has allowed to not only transform her business but also to buy her business areas this lady is in canada. her houses and palo alto. this lady here now has business all over the world thanks to the services that house provides. here is an example from square. there is a company that makes bracelets and i think costa rica that employs college student so contracts with college students all over the country who can sell these bracelets and provide income for people in costa rica thanks to the square service.
6:08 pm
and two final examples and then i will begin to wrap up really quickly. unity does something very similar for the whole ecosystem of video developers and i expect you all know about the examples of people, individuals who would have been able to build businesses thanks to etsy. what does all this mean? it means life is very tough for most everybody in america. it means life is very tough if you are poor. it means life is very tough if you are middle class. it means that you have to have the right education to go work at a place like the companies on the right-hand slide create 2.2 million people, google employs 40,000. general motors used to employ 700,000 people and today apple including -- employs 80,000 people.
6:09 pm
here's what the median household income in america has done over the last 40 years. it is brutal. here is what has happened to the minimum wage in america over the last half a century. it is riddled. we are very lucky here. we are extremely fortunate and we belong in real small minority and despite all this explosion of tools, it hasn't had much of an effect on gdp, despite the fact that 20 million businesses in america are self-employed as this is, despite the fact that about 30% of americans now work by themselves thanks to a lot of the tools that i have just mentioned but hasn't had much of an effect on gdp for two reasons.
6:10 pm
one, because of the decline of manufacturing in america and the second is because of the difficulty or another big part of the reason is the difficulty that we have had attracting talent to america and keeping them in america. these are visas granted in 2011. 600 or so two people of. >> when there are thousands of people who would be qualified to come work and help with the personal revolution on its way. the most important thing and the reason that it has yet to bring the benefits to america that we have talked about with those earlier reveled -- revolutions is this is the first shift in industrial and technology revolution, a technology revolution that has occurred simultaneously around the world. the textile mills were centered
6:11 pm
as i said, in the middle part of england. the automobile factories in the small part of america. the explosion of these data factories is occurring all over the world and though i give you all this morning american examples of these companies, the same thing is happening in different geographies, most noticeably in china where companies like alibaba are doing very similar things for their marketplace that the american companies are doing today. and today there are more than half of the most valuable internet companies in the world and not in the united states. that has never been true for the emergence of a huge abrupt shift in the organization of human
6:12 pm
work. that is never occurred in human history before it. i see my time is up. we all need a caffeine break and appreciate very much being here on behalf of sequoia. thank you. [applause] charlie cook with "the cook political report" gave his thoughts on the 2014 elections. he was a guest of american university's campaign management institute and he told students about what he sees are the republican party's branding issues. here is a look. it's the first let's talk about the republican brand image problems. i don't want to dwell too much into this coming out of 2012 but you can blame mitt romney for his loss in his campaign and to be honest i think that was actually a very very wonderful race had it been run somewhat
6:13 pm
differently. the obama campaign was a very smart campaign and they made a lot of very smart decisions in the romney campaign not so much. notwithstanding that when you sort of look at other races and look broader you can see that there is huge problems facing the republican party. first, minority voters. you know when african-americans make up 13% of the elect. and your presidential candidate loses by 87 points, 93-6, that's pretty bad. and when hispanics pick up 10% of the vote in romney lost by 44 points, 71-27. the group that i kind of like to point to this sort of making a statement is a smaller group, asian voters which make up 3% of the elect are it. let's do some, don't worry i'm not going to say anything bad. let's do some profiling. what are the stereotypes of
6:14 pm
asians, asian-americans? hard-working, entrepreneurial, capitalistic. they have a lower unemployment rate than whites. they have a higher household income than whites. they tend to be culturally conservative. wouldn't that kind of describe republicans, one would attribute to the -- republican party? yet romney lost the asian vote by 47 percentage points, three points more than he lost the hispanic vote. that's really really interesting to me and a vote for congress was almost identical. so you say wait a minute nobody was talking about the asian vote. the thing about it is, when you look at the polling, when you sift through focus groups with voters, the message that minority voters across-the-board are getting is the republican party doesn't seem to like
6:15 pm
anybody that doesn't look just like themselves. now, is that a fair characterization of all republicans? no, i don't think it is but that's the message that so many minority voters are getting and i think to me what's happening with the asian vote is particularly symptomatic of it because that is where it has a lot less -- is republicans have an enormous problem with minority voters and this in the country is getting more and more and more diverse. romney won the 59% of the white vote in his last election. historically, if you got 59% of the white vote and you are republican and you got 59% of the white vote you have just won the election, but it's no longer sufficient.
6:16 pm
>> do we are in the gallery of the whatcom museum. we are looking at finishing eyes, alpine and polar landscapes in art, 1775 to 2012. the purpose of the expedition is to highlight the rich cultural heritage of the planets frozen
6:17 pm
frontiers, the alpine regions, the art take and the end are the cup. this is a photograph of the greenland ice sheet by a german artist olaf becker dating from 2008 and is exhibited side-by-side with a photograph by camille seaman also of the east greenland. it's from her last iceberg series of 2006. many people understand the importance of the ice for the planet it's reflective qualities that help regulate the climate but many people are unaware that there is a collective consciousness in western culture about these regions, and so it was important within the context of climate change to let people know that these regions are fundamental to our identity.
6:18 pm
♪ >> hey. what's up? >> not too much, great to be here. >> it's great to have you. it's been a long time since we have talked, about six hours. how have things changed? >> a lot going on, fun stuff. we are doing our snapshot update. spent the last time we talked it was 200 million snaps. >> we are seeing 350 million
6:19 pm
snaps every day which we are really excited about. >> it's a big number. the last month we saw a 50% lift in daily installs on androids are android bases picking up nicely competing with the iphone crew which is really exciting. >> lets talk a little bit about the demographic. for a long time it's all about the teens but then it was like parents are jumping on it. we were talking about that just a second ago about how an older group is using it. what is that looking like? >> i was just snapping my mom this morning. yeah i think it's fun to see where we are growing across every demo. i see 30-year olds using it in the airport in 16-year-olds using it in the mall so it's cool. >> awesome. the federal market in general, this idea things that disappear and don't last forever on the internet. it's clearly working for you. obviously, but i mean do you
6:20 pm
think other apps and services like social services are going to pick up on this? where do you see the market for ephemeral content going? >> i think the fundamental premise is it's better and more fun if you believe everything except for the things that are important. they save everything and then you delete the things that make you feel uncomfortable. i certainly think more companies will be interested in this philosophy of letting things go just because it makes you feel better and it celebrates growth. also saving those things that are important. >> where will snap check go? you guys do the photo thing and is at 40 characters in a snap lacks. >> between 30 and 40. are you guys going to go into a different vertical with messages only, snap male? >> we been spending a lot of time thinking about the future of the products.
6:21 pm
we hired this great guide named late -- nathan jurgensen. we have been thinking about what we want to build. one of the reasons we hired nathan is six he created this term digital dualism which explains a way of thinking about the digital and analog world saying that they are separate. traditionally lot at development of technology sphere has brought them into the digital, something like video chat. it turns out video chat is kind of lame because the connection rakes up, i can't hear you, what did you say? when you could leverage all these great aspects of the digital world like snapchat where you don't have to set a time to talk to someone and you never have to say goodbye. we are kind of looking at a future where people acknowledge the hybridization of digital and analog and appreciate and understand they both affect each other and products will be built in that vein so that is where
6:22 pm
thinking is. >> what will they look like? >> if i told thee that i would have to kill you. [laughter] one of our latest thinking exercises so to speak around the social media feed and it was one of the biggest innovation since social media of late and really kind of supercharged growth of a lot of these companies. the interesting thing about a feed is that the more content you consume the more photos that you look at the further away in time to get from your friends. when you go to social media site to get caught up like what's jordan up to you end up getting stuck with jordan a year ago. that doesn't make you feel very good so we have really been putting a lot of time into thinking about the feed. >> defeat come interesting. you are one of the few social apps out there that doesn't have a feed. it's an inbox. my phone is ringing.
6:23 pm
so popular. i've got a snap. without a feed the way that a lot of these companies are monetizing is with their feed. what does that mean? does that mean you might introduce a feed or go in a different route of conversation? >> again monetization is a great topic and one we think a lot about is where business and we want to make money. >> really? >> contrary to popular belief. so the way we think about monetization has changed substantially since the last time we talked. we have looked to a role model of ours which is a really big company in china. they make the vast majority of their revenue off of internet transactions. what's fascinating about that is when tencent started having to make money there wasn't really a huge brand advertising market so they couldn't just say here is this bucket of millions of dollars and i'm taking 5%.
6:24 pm
they have to build things that people wanted to buy and i think that's a really scary challenge to sit in a board meeting and saying rather than taking 5% of these billions of dollars in display ads we are going to make something that people want and not the question mark. we are fortunate to have really great long-term investors have believe in our ability to do that and they think there will be great innovation on along those lines. >> we talk a few months ago i think and you said we are going to be the first move towards monetization. there has been a lot floating about it about what that might look like. maybe can add length for type more than 33 characters. any hints about what you might be buying from snapchat? stickers? it's going to be stickers, isn't it? everybody loves stickers. i am so sick of that. you and i have been -- for a
6:25 pm
while. i really enjoyed it. it's out there and people are talking about it. the older groups especially, they can understand why young kids want to send us things that disappear other than dirty things in those messages. you haven't really had an opportunity i don't think to stand up and be like no this is what's up. i'm giving you your podium right now. what is the deal with sexting? every time i get this question we have to remind people that snapchat is not a great way to share photos that you want to keep highly secure because the recipient can only see the screenshot and people with a lot of money and time can hack into it or whatever to betray your trust. my message is really that we can't prevent people that are financially motivated with enough time and want to betray your trust, we can't prevent that so again it's not a great way to send inappropriate photos.
6:26 pm
>> i'm just going to put this right in your mouth. >> thank you. >> you told me at one point that if you really wanted sexting why would you want it to disappear in 10 seconds? you can get anything done in 10 seconds. >> here i thought that was off the record. >> competition. you own the space and you own the federal messaging that you are still competing for mind share of a certain group of people. who in this group is competitive? >> oh man. i think in general we are going in a totally different direction than traditional social media so i'm not sure we view them as a direct competitor. i think if anything we want to make sure that people still have those spaces to create and save really pretty photos or things they are really proud of. i want to support the growth of
6:27 pm
those companies that like to do that. so i don't necessarily think that we are going head-to-head with anyone. i think we will be going a different direction. >> what about instagram because instagram is the hot thing right now. everybody loves it. they are 130 million monthly active users on the site. it's the hot new thing. do you guys consider them to be a competitor in a more it's hard not to like someone that makes you look pretty. maybe in terms of you open your phone and in which appier questions that snapshot is more about saving the moment and instagram is about saving the special moments in making them look great. if anything they complement each other. >> what about facebook. are you a user? what do you think about facebook? >> i have an account. >> that's not promising.
6:28 pm
>> like a snapshot page or something but my picture is of a fish. i really respect mark. he has done an incredible job building that company and continues to. they have done some really great recent innovation with mobile advertising and showing that they are going to be around for a long time. that is great for the industry and it's great for us. >> what about poke? they clearly were copying you there and they released a product and it was number one for a day and a half and then it fell off the charts. i haven't heard anybody mention it. i don't think they are developing or supporting it a whole lot. i haven't seen any updates. do you consider that a complement? >> it certainly scary when a giant enters your space and you are a small company. for us it really showed snapchat is special and it was fun to see
6:29 pm
the snapchat around the world. so that was great. we now talk about it was the greatest christmas present we ever got. >> facebook built poke. is there a chance. >> we have not received any formal acquisitions. >> have you talked to them? you are snapping with them? >> unfortunately not. >> your last round you got 60 million. can you tell us about that experience? were you shopping around and were people coming to you? >> yeah. it's a good question. we tend to build those relationships over long periods of time to make sure that our investors really understand and support the division of the company. it gets less of the pressure is on and you can get into the deal. we really have spent time with each other over the last year, a
6:30 pm
lot to bring us into the family. to that effect we feel fortunate to have truly outstanding thoughtful investors involved with their company. >> 60 million is a big chunk of cash. i am sure your server bill is out of this world. do you need funding soon? what is that going to look like? >> i think we are all right for a while. >> i want to see revenue before your next round. is that something you can say? >> i hope so. >> another question. you talked about purchases but what about native advertising because brands are chomping at the bit. they are finding their own ways to get on. taco bell was the one i think that was like follow us on snapchat. are you going to give brands an opportunity to market through the apt? >> yeah in the future we would like to support their efforts.
6:31 pm
i'm not sure we are going to do it directly. our team is really interested in supporting people who don't have the marketing team in the big voice so upcoming artists, people who are trying to be actors etc.. that to us is a lot more exciting. supporting people in our generation who don't have the social marketing team. the social marketing teams are going to be a the figured out or make it happen. we have seen a lot of companies take initiatives like taco bell for example. they are not the ones i see us getting a lot of help. i would like to see a space for people who have lots of talent but not a tone of reach can get an awesome. >> so you are saying you're going to help the little guy. what would that help look like? >> i can tell you that. >> man, it's like sending snaps up here. i'm sure you're not going to say a whole lot about it but you know is there anything that is, up because a lot is coming to the surface.
6:32 pm
is there a lot coming up with these court documents that you are a little bit upset about that you don't want out there? >> it i can't comment on pending litigation. >> i figured that was what you're going to say. there was one thing i want to know about the lawsuit before he cut away from it, there was this tax to center reggie. is that i want to make sure you know that you came up with disappearing text messages and i want to give you credit for that do you wish you had sub one been? >> the interesting thing about snapchat is when we were building it we looked at a lot of competitors in the space. we looked at tiger text in a company called stealth tax than they were focused on sharing secrets and photos that would disappear because you want to cheat on your wife and stuff like that. we thought it was an opportunity around self-expression. it's interesting to see the idea in the space and i feel fortunate that reggie share that desire with me.
6:33 pm
>> okay. snapchat microis the new app coming out for galaxy smart watches your first foray off of the smartphone onto a new kind of type of gadget. are you guys excited about that and why? why is smartwatch? it doesn't really jibe with snapchat in my mind read. >> we to get totally does because one of the key parts of our services reducing the amount of time between seeing something you really want to share in being able to share it very maybe takes me seven seconds to get my phone out of my pocket and unlock it and open the app and we really found the prototypes of the watch that it was really fun and easy to be able to grab it on the watch and take it to pop up on your phone and add a caption or send it straight from the watch. there's a lot of delight about how that was two seconds. that is when we will continue to explore a wide friday the products. wearables are interesting and
6:34 pm
very popular. i want to make sure we are playing around with them. >> what about -- is that something you might consider? >> not currently. i don't think so. >> you would go for the watch but you wouldn't go for the headset. why? >> it may just be our teams feeling about the product. i think the glasses tend to feel more evasive. a lot of people talk about the feeling of having technology melt away but that doesn't acknowledge the experience of people standing around the people wearing the glasses. you feel like you have a gun pointed at you. that does not make them feel more comfortable. one thing it would be interesting to some of these products incorporate a recording light just so you knew. that would be fun to see. >> also the question with a
6:35 pm
watch because snapchat has this ghost around it if you will. there is all the claims and people want to find something that might be wrong or dirty just because these messages are disappearing. then you add the layer of you might not know when your photos being taken. is there any concern for that with the watch apt? >> i think there was some concern but i think it was more in the vein of that being a playful experience like a james bond thing. that may be due to the fact that we like to have faith in people. we think people are great and they want to be expressive and generally not mean. so maybe that's naïve. >> what about -- this is something we have talked about in the past. people want an explanation. why when the content i'm sending is tried it are you letting people know who they are talking to?
6:36 pm
>> when we built snapchat there are so a lot of questions around is this an app to cheat on my spouse with another? it was actually friends talking to other friends. and it was helpful in doing that. we don't want to be a place for people sharing mean secrets. we are all about -- >> it's a popular feature so if you type in so popular into a snap so popular with a space or no space.,.,.--. >> we found even the three best friends we were sending a message so we played around the idea of having five and some people, i personally do.
6:37 pm
>> i can be one of your five. >> what is your favorite app. what app can you not go through a day without? >> that's a great question. i run be snapchat twitter. [laughter] >> it's just indispensable for that. i also like the uber. it's less expensive areas it's a great example of one of those hybrid services that is it knowledge in all the power of the digital world and interplay more with the analog and that's a signal for some of these bigger companies to come. >> we talked about competition but is there anyone in the space you look at that you really want to learn from that is just doing things right and you want to take some cues from them? >> i've been playing with his front back at recently. i think it's really fun and the
6:38 pm
way they articulate the personalization of photos it's not just a sunset but your silly face and your experience at the moment. it's really exciting. >> it looks like we are just about out of time but i really appreciate you being out here with me. >> thank you by having me. it was a lot of fun. >> cool, thanks guys rated. [applause] ♪ ♪
6:39 pm
>> 10 or 15 years ago we started looking at the census department data and something very strange
6:40 pm
pops out. when you look at where the profits are in the multinationals, if you look at the map of your pc germany france, ireland and italy but if you look at the data on where the profits are france, germany, ireland. it's a hugely disproportionate amount of profit in ireland so that was one indication that something was going on. the national consumers league recently held a daylong conference here in washington focusing on identity theft and data security. panelist discuss discussed the evolution of identity theft and the future of consumer protection. this is about an hour, 20 minutes.
6:41 pm
>> thank you. i am rob pegoraro or so you have been led to believe. i want you all to introduce yourselves briefly. >> my name is andy bonillo from verizon. verizon, we handle hundreds of data breaches for our clients around the world and we have this unique position where we can see what happens when security fails. as we travel around the world investigating crimes we felt the need to share research and that perspective with the rest of the world. we put out a data breach investigation report every year and you can get it from verizon.com. just google dbir to get to it. prior to that i was with the secret service. i've been involved in investigating and consulting on identity theft since 2001 so i'll
6:42 pm
be sharing some insights from the law enforcement component as well as my private sector time at verizon. >> thank you. i am a i am abaco devonport on i am with hart research. we are a strategic research firm. i do research on a wide variety of topics but have the privilege of doing research for the family online safety institute for the past few years on issues related to parents and teens and their attitudes about privacy, security and online safety and identity theft particularly most recently in the wall did a survey of teens looking more specifically about their attitudes regarding identity theft, what their behaviors are and what they are doing to protect themselves and what they might be able to do more of. so i can bring that perspective in terms of parents and teens in the way they approach this issue. >> my name is allan friedman and i'm at brookings. i used to be a computer scientist and i wasn't very good at it so i got a degree in
6:43 pm
public policy which makes me a economist and of mediocre political scientist and pay for less. when you are mediocre at that many things you simply have to move to washington. a few years ago i wrote a paper on identity fraud from sort of a systemic risk perspective and i'm also here to plug a book coming out in january cybersecurity and cyberwar which ties together how these different issues are related to these broader international discussions. >> my name is zach intrater and i'm the assistant u.s. attorney in -- i worked in the economic crimes unit and more specifically part of the computer hacking and intellectual property section in our office here at our office is one of the first ones to start up a so-called chips unit. the coolest unit in the office obviously. so i worked on these types of cases pretty much every day.
6:44 pm
>> let's go to the first question. chaplain strategy does a lot of research on identity theft. the problem in financial terms peaked in 2005 at $32 billion now it's down to only $20.9 billion in 2012 which is great except the percentage of u.s. customers hit by identity fraud seems to have stayed at 5% in the last seven years. is it just giving -- is the profit margin but taken out of this but not enough? what is it that we see here? >> what is interesting, the population may have grown since but what's interesting about looking at the numbers there, we see that the number of data breaches is certainly going up every year. when we look at our report we analyze 7000 last year and 600-2021 resulted in a data breach.
6:45 pm
when you look at the evolution of the criminal and their desire to go after a central location of large data it plays intervening factor. >> allan. >> building on the idea that a lot of the risk we are seeing is emerging from data breach triggers a study that came out of carnegie mellon a few years ago that found that data breach notification laws actually help so the ftc collects state a state reporting data so they look at how states adopted data breach laws and found that on average about 6% reduction which is a large number when you talk about the numbers we have been talking about that make a difference. the bigger question is how people are using this today. and he is completely that these are criminal acts and the question is how are people actually extracting value from the system?
6:46 pm
credit card numbers. on the open market for dollars and certainly andy can tell you this group has done a lot of work on that. i interpret that fact to say the heavy lifting is not getting the data. it's using the data. if i had your credit card i could go on a nice spree and have a nice night on the town. if i have all of your credit cards, the defenses have to focus on changing the economics, raising the cost to the attacker of efficiently and most importantly automatically extracting data. anytime you can remove the computer as a tool from a cybercriminal and do things by hand you have helped reduce crime. >> that's an excellent point. if you read up on malware viruses and spam whatever a lot of focus is on technology and really it's a business. it's a stupid business in a criminal one that their economic motivations and if you can make
6:47 pm
it more expensive to try to make a living this way if criminals wanted to work hard they would get a real job. >> i hate to disagree right out of the box. >> that's why we are here. >> i think a lot of the criminals that we look at especially the sophisticated ones really do treat it like a job. i get up in the morning and go to work. these guys get up probably later than i do but they work just as hard. it's remarkable when you were sitting across the table from someone who you have arrested and who is profiting and you realize how much work it is. just to build on what allan saia simple thing. especially if you are obtaining large amounts of data. you need oftentimes you need a
6:48 pm
network of lower-level people. you need runners and you need people who you can sacrifice if things go wrong and it's much more difficult than you would think to actually pull the dollars out of stolen identities. >> the bigger cases they came out, you probably remember his name, can't remember it. he was linked to compromising 30 million debit card filings. they demonstrated he had earned $200,000 over three or four years. that is not a lot of money for a smart guy in the tech industry. >> that being said he probably has a million dollars buried in his backyard. what we are focused on is the infrastructure that the criminals are leveraging. over time and you will see as we go to the panel today the evolution of the cybercriminal and the of the structure that supports them has developed.
6:49 pm
they are now the ones that are industrializing the commoditization of malware leveraging other types of dentzer schachter -- infrastructure. that's going to continue to provide the anonymity and stack and what his team does in their recent -- i don't think the public understands the on line identity with the real world identity. that is a daunting task that becomes quite cumbersome so the effort of law enforcement around the world and secret service and the investigations do a good job of being able to merge that and it becomes challenging. the results of that give us a bigger and brighter per -- picture than the campaign for you today. >> the second question may shed the fatal flight on that. another stat factoid.
6:50 pm
2010, 11.8 percent of data breach victims were victims of identity fraud. it climbed to 22.5% so it seems that we are talking about industrializing and getting at the mechanism of exploiting this. obviously feeling get a whole bunch of credit card numbers and data points about someone all at once it's usual to monetize that. to what extent can you drive up the cost if you assume the data breaches will happen at the next level. actually getting the money out of the data you have acquired. >> i'm going to speak from a law enforcement background here and not necessarily from a verizon brand. what's interesting about the evolution of the infrastructure is that it is built upon a certain mindset and that mindset has been embedded within that
6:51 pm
culture for well over a decade. in order to operate within that environment you have to have certain skills. you have to have a certain respect for the community if you will. it releases itself and as that evolution and that mindset has been permeated, it's not a large group when we look at it exactly. we are not fighting, we talk about identity theft and the credit card industry is a small number. it's not a large group of individuals. it's those that hone their skills that have access. i don't want to get any kind of indication to the criminal but at the end of the day i would say it's less than a few thousand. but it's important to understand because as law enforcement are having successes every year we
6:52 pm
focus on -- would understand the importance of the one or two arrests of the high-level criminal because we don't truly understand what it means. when we look at data breach statistics i can map from 2008 until now changes in the statistics of the methods of the bad guy and how they have to attack organizations in their shifts and the cat and mouse game in the data breach report we produce. there are statistical changes in how bad guys go after the data they want. this isn't, even though statistically there are things that are occurring year-over-year as far as organizations and the weaknesses and vulnerabilities that exist the bad guy still has to see those changes year-over-year in those statistics. >> to get out of the economic and goal, there's a certain amount of competition in the markets being made more efficient. >> as soon as they if they find
6:53 pm
a vulnerability and they can leverage the vulnerability across a piece of software they are going to do it. >> to jump then, one of the first talks i gave, tried to make the case that cybercrime is not a law enforcement issue which i gave at an interpol conference and that didn't go over very well. i actually got a good education shortly thereafter but i think there are some things that we can look at as things evolve. we are seeing a change in the data i have seen in the curve up with the losses. for example for payment card fraud a lot more people are getting notifications because there are a lot more cards out there but when you talk to the card assessors a lot of those are test cases. they are trying to find out is this a good card and that triggers an alert and when you get a phone call from your credit card company they're going to say yes.
6:54 pm
we need to understand the data in and the different types. similarly when we talk about the organizations, banks aren't just in understanding the value of their internal credentials protecting their brands against phishing. but it wasn't until recently that the banks were going after money sites. a huge network of web sites trying to recruit individuals to act as the patsies and these were the runners we were talking about. the banks say this affects our business and we have to go after them as well. it's important to draw a distinction between how you raise the cost in the payment card sector versus the complicated frauds that do require the sophistication that you talked about. >> this question is for zach. in july the office in new jersey announced the biggest bust in u.s. history involving the theft of more than 160 million credit
6:55 pm
card numbers which i guess statistically some of you must have been the victim of that. hundreds of millions of dollars in losses. was this a big difference in the scale in terms of the techniques they are using? >> the short answer is yes. it goes back to something that andy said earlier which is that the population of people who are really sophisticated is shockingly small. i think there's a perception out there that every other eastern european teenager in a sweatshirt is able to pull data out of the cloud and essentially terrorize americans and western europeans. it's not the case and if you really want to engage in this kind of high-level, long-term activity
6:56 pm
it's extremely difficult. you need a tremendous amount of skills but even more importantly you need a group of people who have the division of labor. so what we think, what separated this crew out from your run-of-the-mill group are a few things. the biggest thing was patience. these guys were willing to wait for six months or a year after infiltrating, to hang out essentially in the systems and not exfiltrate any data. so the systems would not necessarily see a brand-new code and then immediate exfiltration to look to see well what is the change? what took place just now that allowed the exfiltration? so they waited and if you are desperate for cash and you're looking for a quick hit you are not going
6:57 pm
to take that time. the first difference between these guys and almost anybody else was that they were willing to wait and they were willing to be patient. second, they had this division of labor where they had specific people who were skilled at the initial hack and then there were people who were skilled at exfiltration and people who were skilled at monetization. most groups, most gangs don't have that kind of really specific division of labor and you know the other thing that really should be pointed out is that the case that we announced in july was really a continuation of the albert gonzalez case. the albert gonzalez case is an amazing case for a number of reasons and andy actually worked on it. i was still in high school i think.
6:58 pm
[laughter] but it was an amazing case that resulted in the longest sentence in cyberhistory. albert gonzalez is serving 20 years right now and it was amazing for one reason that he was caught initially. he flipped. he began cooperating at a very high level and at the same time he was cooperating at a high level on the one hand he was hacking the data stream at a high level on the other simultaneously. he is quite a character. he was caught again and his arrest really spurred on this heartland case which was still producing results as of july of this year. i think andy can probably give more details on exactly how the case went down.
6:59 pm
>> okay. this next question actually is something we have gotten familiar with at home. if you are with your bank want to change your password, think i got two of those in the past. do any of the steps recommended in those letters, do they actually do anything? i don't know that we actually check terry the finances seemed normal and from then on it seemed like nothing happened. is that advice actually constructive? >> personally i think the answer is yes. i think anything that you do helps and i think there are real-world analogies that work. so you know thieves are looking for soft targets on the subway.
7:00 pm
they are looking for soft targets if they are casing houses and they are looking for soft targets if they are engaging in theft and data breach. any of those things are going to put you ahead of 99.9% of the population and nothing is going to stop the most sophisticated person from obtaining your data but if he gets to the next that then there's time for monetization and your data, your information is a little bit more difficult to obtain, why would they spend the time through just a regular person to obtain it as opposed to going down the line and finding the person whose password is 1234 which is not a good idea. so all of those things, all of those things, longer password, changing your password. the head of the fbi's cyberunit in new jersey left but he had a
7:01 pm
very cheap idea that would be extremely i think, extremely useful and extremely effective. he said anybody can go up these days and buy a laptop or a desktop for three bucks. you buy a laptop or desktop for three bucks and you set it up in your house. the only thing you do on that computer is your on line banking, the only thing. you don't check "the new york times" and you don't do your gmail. you don't do anything except your on line banking and you turn your computer off when you're not using it. that would make your bank information -- >> get a linux cd and you don't even need the extra computer. >> sure. does that make you 100% secure? does it make you a lot more secure than almost anybody else? absolutely. so there are steps you can take and the
7:02 pm
answer for each one of those is yes. >> i would agree with the fact that we all play a role in protecting data and we can look at this on a broader level. all of this revolves around the action of a criminal. anything we can do to protect ourselves and give some sort of assistance to law enforcement in their efforts to try to combat this crime, every major data breach we have heard on the news that resulted in identity theft leads back to the street on some level. if you report something that happens to you and law enforcement can take action eventually that all adds up to give law enforcement more information. albert gonzalez original arrest was at an atm in new york so everything goes back to the industry. we forget because we demystify cyber. it's hard to put a face to cyber, but it's being conducted
7:03 pm
by real humans with real skills and they could be anywhere at anytime. i think it's important. those steps are reactive steps. if we can take those steps proactively, that may give us a better chance as individuals and organizations around the world are now at the point where they realize the results of their security and the other efforts they put into this and how they affect the livelihood of others. they are taking secret service security very seriously. ..
7:04 pm
would suggest to me, you know, the threats are greater now than in the past. interestingly, teens -- the issue of identity theft is on the radar. people have talked to them about it. the idea of the personality, the security of the personal information is something they are cognizant of, and they say is a concern for them. >> but is a disconnect because they're teenagers. they don't really think they would have anything worth stealing. they don't personally feel particularly vulnerable. they make a distinction between themselves and parents. recognize when someone is an adult they have something that can be stolen. they mostly focus on credit card
7:05 pm
fraud. the idea of credit or a credit history is not something that teens are aware of. we try to talk about that a little bit, it just kind of goes over their head. it's more concrete for them if so you a credit card and someone can steal the number. you're on the hook for whatever they charged. that's more concrete. so i do think that there is an awareness there. and the question is the ftc's report showed that 18 to 29-year-old cohorts -- people there were particularly the prevalence of identity theft was higher there and the folks may know more about the figures. i think the question i wouldn't have is there's an awareness there. they don't particularly feel vulnerable now. there's clearly room to educate kids and parents about what teens can do. there are some things they are doing. for instance, using a variety of passwords about 54% of teens say
7:06 pm
they do that. on the other hand, they recognize that as the most helpful thing they can do to protect their information. there's a lot that aren't doing it. there's a bit of a disconnect. the focus group say it's complicated and burdensome. and the idea of a dual authentication. i log on to facebook and do it every time? there's a convenience factor which overrides any particular personal vulnerability they feel. there's the question of are they going to age into adulthood when they go on to college and when they go out to the real world and start to take out whether it's loan for the education or credit cards or other things. are they going to bring an awareness of the issue i don't think there was as much for previous generations. whether they take the steps to protect their information as needed in a more comprehensive and complete way will remain to be seen. i think the threat is greater now.
7:07 pm
there's an opportunity because they seem more aware. and recognize once they become an adult, once they get a credit card, for instance, then they are particularly vulnerable. will that play out in term of their actual behaviors? >> to avoiding is it seem like what what is wrong with kids these days. i must share this from my past. when i was a college student the laws were a little looser what would pass muster. i made a fake id based on my college. my college had a social security number on it. it was 1989. i put on the fake id too. why not? i think today's kids are a little smarter than i was. [laughter] >> can i piggyback off one thing. and this is above my pay grade. of course as a federal employee. most things are. [laughter] look, the sort of harsh reality, if you want to call it harsh is that security and convenience are in constant tension. we should recognize that.
7:08 pm
and, you know, corporations need to recognize that; right? because there are some times that corporations, perhaps, make it easier to access, you know, legitimately access your data than it maybe should be. based upon their understanding and their history. but they want to provide their customers with the most convenient and best possible interface. best possible experience they can. they're afraid if their services are harder to use than the competitors, then people are going to migrate to the competitors. we're all responsible. it's like -- everybody is responsible for, you know, taking the steps they can to make themselves more secure. but, yeah, who wants to change a password every two weeks? who wants to do the dual authentication. it's a pain. but we should at least recognize as a starting point these two
7:09 pm
things are in tension with one another. >> i think if they recognize the personal vulnerability more, that tension would be greater and they, you know, might have a harder time going down the road of convenience. >> absolutely. one thing that is interesting. we asked you online is your social security number available online to your knowledge? and 75 or more said their -- full name was. a lot of people said their school was and other things. only about 2 or 4% said their social security number was. in these focus groups we did, kids clearly have been told do not carry your card with you, and do not ever give the number out. i think it's also worth noting they don't know their social security numbers. so it's not something they're going share off the top of their head. but they've heard this message. and that is something that -- they don't understand why it's important, they recognize that a lot of people are telling them that is something they
7:10 pm
shouldn't share with anyone. >> if i can add one last thing. i think it's important are they more or not vulnerable. it comes down to the motivation of the attacker. certainly the attack surface, the more data we put out. whether you're an adult or teenager, you know, we don't all know where that data goes; right. but the end of the day it comes down to the some extent what the attacker wants. >> the next question i speak that. this one to allan. you did a paper in 2011 on online identity and consumer trust suggesting that what is under threat is not just specific credential but the whole identity layer of the internet. the part never part of the original architecture but emerged organically through sites like linked in, facebook, four square, whatever. how well you protect your identity while documents yourself through the different portals? >> -- this is why i hate the term
7:11 pm
identity theft. so if i -- as we usually conceive theft. if i'm stealing her water bottle, we as a society will say two things. one, if you steal her water bottle we're going find a bit of your area and chop it off. we also say, alabamay, why did you leave the water bottle next to the guy who looks like alan. come on. and we intuitively understand that we have a responsibility to mitigate theft. that it can't all be law enforcement. don't park in that neighborhood. lock your doors, have insurance. these are all things that we intuitively understand going as part of the theft model. but what we're talking about is more of the case of me going to andy and saying i'm abigail. can i have my water bottle, please? and here is my business card. what? this is abigail's business
7:12 pm
card. sure. here it is. if we wanted to stop that we can go after me with a knife and dotted marker line. we can say what can we do to empower andy to make better city about whether or not the person claiming to be abigail is abigail. there are a couple of implications for that. one, is to compare the payment industry's response to fraud and the broader response to fraud. or the more complicated. we have consumer protection laws in this country that we're sort of actually fought against by the early credit card companies. but now turn out to be the best friend because consumers weren't afraid to adopt credit cards in america. question argue whether it was ultimately a good thing. and now we're made whole. it's inconvenient. we have to go back and say hey, i didn't make that purchase. but most of the responsibility -- the financial burden rests on the banks who are in a decision
7:13 pm
to align responsibility. this broader question of opening up new line of credit or obtaining access to goods and services which require things like social security numbers, other information, which, by the way, if you're a -- if i see your social security number, i can tell when and where you're born. so why are -- why isn't anyone looking and say that person is a teenager. they couldn't possibly have a mortgage with that social security number. we need figure out how to put the protections at the decision making process. unfortunately there's a financial conflict of interest here. the same people who are responsible for making a lot of decision about how and when to grant credit also have a vested economic interest in ensuring the consistent availability of their services to make that decision. and so you have people
7:14 pm
proposing, hey, you know, maybe teenagers we should have a lock on their ability to take out a large line of credit. for me it seems like no brainer. using the sort of nudge-based regulations saying listen, let's make it harder for everyone to get a line of credit. if you want a line of credit, you can get one but it's going to be harder to get. we're raising the -- the real risk is total identity layer. when does fraud get high enough. when are the criminals getting systemic enough they're actually going break the authentication systems we use now. online that's just user name and password. so when the back end fraud protection fails to keep up. you have decision makers who say, well, here is my fraud rate. here is my profit enabling online access for banking or anything else. when that fraud rate gets too high, as a society we're going
7:15 pm
lose a lot of important infrastructure that has made a lot of things cheaper and easier. >> okay. the next question. we mentioned we have been discussing passwords. a few years ago the advice you get is stereotypical i.t. you can't possibly remember and change it every 90 days. now we're saying i think we are showing a little smarter view. something like two step verification. that's a better answer. do you think that's the case? >> i would like that take a stab at that. weak or stolen credential. to give you an idea. two factor -- saw that particular statistic.
7:16 pm
so in our from our perspective that would be one mitigating factor. right if you can employ it. now certainly there are some pieces malware that can bypass and have some capability. more sophisticated for target attacks. it points back to how do i become you without interacting with you. and we go back to the almost to some extent the, you know, phishing and the human factor. 95% of all state sponsored acts we investigated or reported to us as state affiliation leveraged phishing. we -- we partnered with a company and they contributed to the data breach last year. they found -- what they do is do phishing education and training for global organizations. they send executive and the rest of the company a phishing e-mail to see how many clicked.
7:17 pm
you are right around 22% click rate or so. and about 7 or 8 you're getting upwards of 90 plus percent. in reality an attacker needs to send you or your organization seven or eight e-mails to have, you know, a very high 90% success rate. you talk about return on the investment for them. and know the lack of two continues to work; right. we are need to employ a strategy to help them chase that behavior. >> right. it's interest i'm looking through the app on the phone and i have google authenticator. it work great for the google account and word press blog. i have it turned on facebook and twitter. my bank will send me a code if it sees me log. my problem is when i don't have the option the business banks account i have i don't think it's supported.
7:18 pm
i should know -- i don't think verizon have a two-step verification? >> i don't work in that department. i don't know. it's great when it's there. you're hoping the provider that has all the important data about you either offers it or will offer it sometime soon. and i say this not really knowing a heck of a lot about the burden involved in setting this up internally. but do you think it's going to be something a common place thing right after you say your user name and password. give us the mobile phone number. >> certainly we as a company take great strides in security efforts to protect our consumer data and the privacy of our customer's data. as we look at solutions we create and provide. we build solutions based upon the statistic of our data report. we take a look at what is happening in the threat landscape and failing around the world. how can we offer a solution to mitigate that. some of the things we do offer
7:19 pm
and work on developing stronger authentication -- methods. for a two-step verification to work you can't have it all the time. in word press it does. if i'm logging in the desk top, i have to enter the code. and facebook will sort of only ask me to submit the code if it's a strange log in from a new location or computer. for that to work they need to know a lot about you. saying your credit card company. there's a lot about where you spend. so are we deciding red did toy noted trass saying yes, you should sort of be peeking what i'm doing all the time so you know when something, you know, a log in supposed to be me is
7:20 pm
probably not. i think all the questions are fraud. and none are simple. but i can say that, for example, the steps that banks take when you apply for a credit card online. i'm sure most of you at this point. maybe some of you don't. you apply for a cd online. the bank places a cookie on the machine that applied for that credit card online. i'm work on a charge case, an indicted case we took down about 25 people in new jersey, new york, pennsylvania, mostly around the northeast who had applied for and received tens of thousands of fraudulent credit cards. this is one of the sort -- this was not, you know, a tremendously sophisticated
7:21 pm
fraud. they had a huge network. dozen or hundreds of people working for them. and they would apply for credit cards online, receive the direct credit cards to address in this case controlled, have runners go out, collect the credit cards, use them for really decent period of time. build up the credit, slowly and eventually bust them out. there's a massive credit card bustout case. and a tremendous amount of the evidence we have been able to obtain is say, well, from this address we know that -- from this ip or this machine we know that, you know, 44 credit cards were applied for from this single machine. now, that's extremely helpful to the eventual prosecution. query why it was on the 43rd or 44th application from the same machine, you know, there wasn't a -- right a sort of automatic
7:22 pm
rejection. the bank thought it was a start-up founder trying to -- >> fair enough. but the same thing applies -- the same thing applies in stolen identity refund fraud. i don't know how many of you know about stolen identity refund fraud. it's something that affects all of us very directly because it's money stolen directly from the united states treasury. it is the theft of real peoples' social security numbers and the filing of tax returns using the social security numbers of real people. the thieves direct -- they fill out online usually now they fill out tax returns that indicate that the applicant is due a refund. they direct the refund checks to addresses they control. again, runners go out, check -- collect them, deposit them to accounts the thieves control and spend the money.
7:23 pm
you might. be shocked to learn it cost the united states treasury $2 billion a year. every year. and to me that was a shocking amount. it seems huge. a lot of stolen identity fraud is centered on puerto rican citizens. because they have social security numbers but they are not required to file 1040 unless they do work in the continental united states. you have a big pool of social security numbers that will not already have a 1040 filed. all right. and we broke up a ring in the case i worked on with about had 14 arrests and $65 million in real losses to the united states treasury. you know, why is it that if -- again, the irs knows where the
7:24 pm
online tax refund applications -- sorry where the 1040s are being filed from. all right. they can tell you that, you know,, you know, 56 1040 were filed from the same computer. we had one in the bronx that filed hundreds of tax refund applications. okay. it you can tell there hundreds of applications being timed from one computer. why would you accept anything beyond the first? if you want to say, well, you know, hr block is going file hundreds of applications from one computer, then fine. then all tax preparers should have to register with the irs and say this ip. -- >> right. >> so, you know, i think that we're, you know, -- look all of these things -- it's a continuum. so corporations, the government, we're moving toward greater security. and it is the cat and mouse game referred to before.
7:25 pm
but, you know, lots of steps can be taken that would makes more secure and make it a lot more difficult to monetize, i think. the fraudulent information. >> the difference between public and privacy -- we talked about. other day. it seems if you compare the loss prevention -- that major credit card issuers, you know, with what seems to be in effect the irs sort of wonder if the irs was a good at catching fraud as american express, what would we have? to what extent can you improve that given that more effective irs enforcement gets some people upset. >> yeah. no, i mean, that's exactly right. but it's also, you know, it's -- it's a resources issue. i mean, the -- it was said earlier; right. but to effectively monetize a surf scheme.
7:26 pm
you can get a lot of people you need a lot of criminals willing to work together. you also need, quite frankly, you need crooked postal workers. what we'll see is and, you know, the postal service without getting to too much detail. they are beginning to be able to track this stuff. you'll see that 700 tax refunds checks fraudulently obtained tax refund checks are being delivered along the same mail route. what does that mean? be, you know, all of this stuff is so reactive. we first see that, then you have to start at the bottom; right. with a mail carrier. you try to arrest the mail carrier and flip them. you get to the next step and the next step. and the people at the top of the pyramid are sophisticated. but you have to get through the hood layers. >> you start to sound like an episode of wire. >> it's hard. and, you know, our case was a great case. you know, not --
7:27 pm
it was a great case but it was a aifd -- $65 million case. it's a $2 million problem. the people like me on the line are not the ones who solve the problem systemically. it's the reality of the situation. >> yeah. it's interesting too. one of the reasons why we do the data breach report is most organizations are protecting themselves from
7:28 pm
remember them all off the top of your head. which, if any, have you seen most effective? >> i would like the rules which grew out of this, and it basically is, i think, a lightweight approach to regulations. and doesn't prescribe particular
7:29 pm
processes. and it also doesn't prescribe, you know, so you have to hire a consultant to give you an entire process. which is sort of the model. instead it says you need to think in your organization what are red flags that you might look at for identity fraud. and just tell us how you respond to them. and in fact, you don't have to tell us. you have to have a plan so if something bad happens to your organization you come in to look that you worry and had a plan. you were looking for bad things. i think that's a nice lightweight model of the government identifying risks without being overly prescriptive in a way because information systems vary so much across companies. you can't have a one size fits all model. abigail? >> i think it comes down to the end of the day not pointing out one
7:30 pm
specific recommendation. i think it comes down to, you know, as we evolve; right and look at the landscape and it is constantly changing. that changing model being able to apply to yourself. i try to tell organizations it goes back to individuals as well. you're the best intelligence source. a lot of threats and the things that happen to us from the security standpoint happen us we don't know about. and i think the efforts here we talk about the red flag piece. the job to look at ourselves internally to focus on what is happening to us so we can detect it. if you look at data breach and data breach information to. 86 percent of breach victims were notified by somebody else. so i think that is the important part. i think where allan is going. with the red flag portion i think it's a big part. getting us a point and perspective internally to see and then understanding the landscape outside of us and pushing it back in.
7:31 pm
i will say the representation i liked was don't use social security numbers -- and yet, you know, healthcare.gov and filling it out i think sometimes you get get around it. there's an important point to make with regard to how we build systems. the social security number's absolutely critical. we need them and we have to use them. we have to treat them as an identifier. you know me as allan freeman. that's not a secret. at least i hope it's not. the distinction is that we've also decided to say, well, it's also an authenticator. we use the same thing as an identifier to have the computer look you up in a system and there's only one you. there are many john smiths. there's --
7:32 pm
there's a wonderful study that went from taking a picture of you to actually being able to guess with 60 to 70% accuracy the first five digits of your social security number by basically doing facial recognition, mapping it to online social network profiles, if you have your hometown and birth date, then you've got a good chance at guessing just from probability
7:33 pm
statistics. i think it demonstrates how, you know, the can that we can't assume it's private anymore. in terms of, you know, ways to find information about people and the amount of data collected on our purchases and activities online. if we invited for identity thefts. i didn't check your license. you could be identity thieves. to the panel. you four what would they say are the biggest changes they have seen in their own, you know, business model. how they go about their work such as it is. i want to look for centralized data store.
7:34 pm
and leverage and get more return on the investment. i focus on the easy prey. but at the end of the day, have to have and make sure i maintain the relationships with large scale infrastructure providers in the underground to help facilitate my criminal activity. >> like bullet -- >> that example. sure. and so as, you know, i have to navigate the landscape within the underground. i'm going to be cognizant of the relationships i maintain. and continue to do research on organizations that take security seriously and those that don't. i'm going to try the easiest way to get to an organization to steal data before i try anything else. i might have sophisticated means. i'm not going to share them with you if i don't have to. i can save those tools in the arsenal for a later date when i need to come up against an adversary or a security team more -- defense. >> abigail?
7:35 pm
>> i mean, i don't know enough about the back end of it. in terms of just the many opportunities that people have to share their information are encouraged to do so, and can provide them a lot of value. you know, it seems there's more and more that is out there. and so there's a lot more you can land upon, i would think. but i don't know the back end.
7:36 pm
at the garden variety you sort of retail local level i think you see the more insidious crimes. there are two things exchanged. one fake ids have become a global business predominantly driven by american university students. so, you know, you can get a large amount of very good quality ids instead of having to rely on some guy in the basement. there's someone with a plant who is going to make them for you. using some of the defenses we have set up as an autoimmune attack. essentially. if you are a clever criminal who is trying to really exploit a small number of people's identities for a large gain, you'll start affirmatively asserting that the real mystery is the identity thief. and that will just gum up.
7:37 pm
things in time and give you more time to extract value and get away. >> a couple of things that are interesting. first, i think that just in the last five years, i think at the federal level anyway there's more federal law enforcement attention being paid to cyber than there was before. i think that, you know, secret service has really taken the lead on a lot of these things. the secret service has a long standing dedication to it. but i think all the other agencies that we deal with are now much more cyber aware and are setting up more spots to do cyber. you know, so that would make me a little bit nervous as an identity thief. what would make me happier is that obviously in the last five years, there's been an explosion had of and this will continue. there's been an explosion in the sheer amount of data that exists. all right. that's going to continue perhaps
7:38 pm
geometrically perhaps not. there's more data online tomorrow than today. an obvious point. but all right. that's going to continue. that trend is going to continue. i would be happy about that. one thing is sort of interesting to me and to the folks i work with is that it seems it seems as though there's less of the sort of original hacker mentality among cyber thieves. whereas, you know, it used to be that the thrill of the chase was much more of a shared kind of -- [inaudible] if you can get in and show your skills and prove yours to the community that you are in. let's not fool ourselves. these folks are in communities. they know of one another. it is really a much more tight
7:39 pm
knit community than you might think. you get in, get out, demonstrate you could exfiltrate data. but i don't think it was as organized in the dedication to monetizing breaches as there is now. i think that unfortunately i think that cybercriminals have become more professional. i think that is a trend that we've been trying to deal with. and we will continue to. because it's gotten away from the sort of, you know, i don't know if it was ever, like, an idealistic group. there's more dedication to getting paid than there used to be. >> that's good capitalist. >> if i could add a couple of things to this. as we talk about landscape from the criminal's perspective as changing; right. the russian government has come out recently in the publicly stated -- if you are russian cybercriminal
7:40 pm
and hacking crimes against other countries you should not travel outside of russia; right. and so especially to countries where the u.s. has -- and that is something that is publicly, you know, put out by the russian government. say, hey, the law enforcement around the world is working together. i think the same is the same for security organizations. realize we can't fight them on our own anymore. and so i think that's an important part. the third thing as an adversary as a bad guy i would say to the group that, you know, i focus and study and student of the regulatory environment globally. i change my operations based upon the regulatory environments of certain countries and where the data i would want to steal operates in. i also track the arrests of bad guys around the world and understand how they are so i can
7:41 pm
understand how law enforcement is doing what they do. i think it's an important part. they are students of their craft. they are honing their skills. we want to share the lessons learned because you don't know. there's a lot of myth about a certain cybercriminal and skepticism around how they may have been arrested. until they read an averred public i are available or talk to another cybercriminal they're not truly going to know. the information travels very quickly among the underground. they communicate, you know, in a manner that is much more effective and efficient than most security teams, you know, communicate within the private sector. >> okay. last question for me. there's a lot of chatter about real names policy and place like facebook, google+, and, you know, when i first got online
7:42 pm
there was no such thing. it could be whatever. the user name wasn't your choice. it was a string of numbers. and now certainly it's easier to figure out -- except of course when we're talking about spammers who it is you're talking to. i want to hear from you, abigail. how are teens, parents and average consumers dealing with the fact, i guess, they're making it a little easier for people to figure out who they are. irl while online and still, you know, interacting in all the interesting sites and services that were just not an option back in the day. >> well, teens certainly -- a lot of them say they are using the privacy settings and aware of them. but there are some that aren't. and i think 10% didn't have privacy settings on any of their various accounts. the majority said they had them on all accounts. there's certainly room there to increase the usage of those
7:43 pm
settings among teens. they're clearly aware of them. parents who did surveys for parallel of parent and teens previously. parent there's a bit of a disconnect. parents think they know more about what their teens are doing than the teens say they know. but a lot of parents are using controls. we had a majority but there certainly was room for that. i think this challenge is that parents are not only concerned about identity theft but concerned particularly about stranger danger and the personal safety of their kids. so a lot of it the ways they are monitoring relate to that in terms of logging on to their children's facebook account. looking at browser history and other things. interestingly, the parents actually underestimated teens.
7:44 pm
they thought they could be more concerned about reputational damage if someone posts a picture they didn't like or said something they didn't like. it's on parents' radar clearly. they recognize their kids are focused on it. they may not understand the degree to which their kids are aware of it. i think the challenge that you're highlighting, rob, is they're encouraged to get a lot of information and so how do they balance what is okay and what is part of the experience versus maintaining that privacy of their information? and the conversations and the surveys that we've done would suggest there are some challenges they're having in navigating that. the social security number is a clear bright line. a lot of other things are not. i think they don't necessarily think about the web of information that could be available. particularly across platforms this then, you know, if we had
7:45 pm
done a survey of the thieves themselves we may have learned a lot about how they use it. but obviously you know more about that. >> i think briefly it is critical online. and i'm not -- >> well, so for the tumblr community which is active among counter culture and minority groups is op already and based on culture of sim anymorety. similarly it's a rev. of the people seen as a private network limited and the studies i have
7:46 pm
seen show that they were care about privacy. they care about privacy. for a teenager privacy is about hiding information from your parents. and so that is the main issue a point of control. and very important that most dangerous thing i have seen in terms of security behavior is password sharing is seen as a sign of intimacy. the way you know two tenth graders care about each other they share passwords. and that is a very dangerous habit to see enforced in the hopes that like many of the things we do when we're teens it's grown out of. >> and the survey said they would share their password with someone besides their parents response, you know, there was a disconnect between their recognition of the concern about
7:47 pm
privacy and about identity theft. but behaviors that might not be protecting that. >> and now is your opportunity to quiz the five folks. somewhere throughout there's somebody with a microphone who i can't see because of the lights. please raise your hand. the microphone will somehow make the way to you. >> hi, susan grant consumer federation of america. if breaches are the main source of identity theft and fraud these days, should there be a law that says that breached entities have to pay damages to breached victims automatically? perhaps a set amount or actual damages whichever is greater as a way to -- the holders of consumers data to secure it better?
7:48 pm
there's certainly a whole market emerging. so i think, you know, as that continues to mature and grow not to push liability on one, you know, perspective party or another. at the end of the day organizations are looking at what is my liability and what am i going to be responsible for based on a set of circumstance i have to deal with. i think you'll see the market don't evolve over time. i know the government is doing a lot of work and research on that currently. >> on the question of this. so three year -- every year every security company sells twhairp selling last year. now protection is a different threat. and three years it was data loss prevention. i think there is a pretty active set of incentives for organizations to minimize data breach. they're spending on it. it's the only area where we're seeing cyber insurance actually thriving where companies are
7:49 pm
sort of understanding what the exposure is. there's a real consequence. breach notification is not free. and it's enough of a cost it's gotten the attention of counsel and counsel gets the attention of senior management to invest in mitigation and then insurance. the real challenge is creating environment where you have an insurance not just pushing the risk on to another party, but actually internalizing that so the insurers are in turn working with companies to minimize the overall probability of loss. >> yeah? just add one thing. i don't want to advocate one way or the other in terms of what laws should or shouldn't exist. one thing we should consider if we were thinking about a law like that. who it might impact the most because we see a lot of breaches that are not against a verizon or not against an at&t. companies that have tremendous
7:50 pm
amount of resources dedicated to breach prevention. but some of the most effective breaches that we see now and a growing trend are -- for, you know, small very small businesses. so, you know, your local chinese restaurant has a credit card terminal, you know, there is information stored on those. when that is breached it's not as though the chinese restaurant has a tremendous amount of excess cash to be able to try to mitigate those risks. if there was automatic liability you might be hurting the little guy a lot more than, you know, you might be sort of misincentivizing, i think. we have seen organizations go bankrupt in size organizations. small organizations file for bankruptcy because they can't survive everything they have to go through cybersecurity distribute.
7:51 pm
i think what is important shifting focus from regulation to, you know, i think empowering organizations on the first place. we mentioned earlier 86% of organizations don't detect the breach themselves. you're in the dealing with regulation. all of those type of thing. i think we should focus efforts not just on -- liability focus on the empowering organizations to be able to detect things on their own to give them the ability to control how they move forward. >> who has the next question? >> you've touched on this a little bit. can you address specifically the role of consumer education in both -- [inaudible] what more we can be doing as consumer advocates?
7:52 pm
>> certainly, you know, education is always great tool; right. i don't think you can have enough of it. to leverage criminal activity. i think it's important for us to truly understand and train and make aware the threat. not just the behavior what we do and how it can be.name. but the threat exist. and the more awareness we can give we should don't do so. the usability is key. and sort of helping consumers understand their actions and -- say something is another thing just to say your password must have all of these things. there's a great tool launched this week out of microsoft called guess my password or some variation. where it's, you know, hosted by
7:53 pm
microsoft research. they are encouraging people to enter their password letter by letter and what it will do is try predict what the next letter in your password is as you enter it. you can see that the computer can read your brain. and actually tell you what your password is before you have identified it. that type of tool is so powerful because it suddenly, oh, yeah, this is how i can make a stronger password. i have evidence immediately upon me. immediate feedback. that type of tool is what we need to -- the point of interface where consumers making decisions and using tools so security becomes something that the part of flow without just being follow these rules. >> i think for teens, you know, we did talk a little bit about who would want to hear from on this. and particularly to make them more aware of their own vulnerability.
7:54 pm
not just once they are no longer minors. hearing from somebody who experienced this. and maybe they are 19 or 20 and went to get the college loan and denied because their identity had been breached. and the credit was no longer clean and good. so hearing from someone who had that experience to make it more real, i think particularly important for -- recognizable to them as something that could affect them. >> we have time for one more question. >> just to follow up on the question about the password guesser. you know, i'm 55 and there's a study that says at the peak of the financial decision making. so they tell you don't write down your password. you're saying make a difficult password. i have 30 accounts for which i have to have a password. so i'm not supposed to write it down, my brain can't remember
7:55 pm
-- >> you think? >> so, i mean, i understand what you're saying. for the average person, that is really difficult. and -- >> so -- if i write it down -- >> so you should write down your password. i'll say you should write it down. it's better password you write down. with the assumption that your house is fairly safe space. if the bad guy is sitting in front of your computer. you have a lot of other problems. [laughter] >> yep. >> yeah. so if you can't trust people you live with. that's a different thing. assuming that's a safe space, it is better to have that. and the other thing is we can talk about what the latest advice i would argue. first, your e-mail address of with which you cot most important thing. primary personal e-mail address should have the best password and changed regularly. that's a key which compromised can lead to the compromise of
7:56 pm
everything else. not just write down your password but put it in the wallet. you though to keep it safe. the piece of paper they want is not the one with a bunch of random string of character. it's these pieces of paper. >> there's a lot of ways you can go with the conversation. whatever you do has to be something you can employ. understanding adversaries are key logging, putting malicious software on your computer. to have a long tsh you can have 100 character password if it allowed you. a bad guy could steal it without
7:57 pm
having to be in your home. we talk about the issues around you need to constantly move your online identity and move your -- the way you authenticate in the security space. we call it shell game. we want to move. if we want to move different places. we wouldn't -- you're going it in your physical protection; right. so think in terms of that. that might be a strong strategy for you.
7:58 pm
>> i want to thank you. and thank you as well. [applause] [inaudible conversations] we are in the gallery of the light catcher building at the museum. we're looking at vanishing ice, alpine and polar landscapes 1775 and 2012. the purpose of the exhibition is to highlight the rich cultural heritage of the planet's frozen frontiers, the alpine region, the arctic, and antarctica. this is a photograph of the greenland ice sheet by a german artist. dating from 2008 and exhibited side by side with a photograph by
7:59 pm
kamile. also of east greenland. from her last iceberg series of 2006. many people understand the importance of ice for the planet. its reflective qualities that help regulate the climate. but many people are unaware that there is a collective consciousness in western culture about these regions. and so it was important within the context of climate change to let people know that these regions are fundamental to our idea. >> there's more from the watkin museum this weekend as booktv and american history tv look at the history and literary life of washington. saturday at noon on c-span2 and sunday at 5:00 on c-span 3.
8:00 pm
