Saturday, May 9, 2015

Applying Federal Law to Support Mandatory Healthcare Coverage

Applying Federal Law to Support Mandatory Coverage

by Elyssa Durant,
July 25th 2009 9:59 AM

Underwriting the Social Contract: Distributive Justice & Health Care Reform

The Problem Statement

As health care costs climbed exponentially in the 1980's, so did the cost of health insurance plans. As a result, employers began to enroll their employees in managed care organizations, and many Americans were forced to leave their traditional indemnity type plans. With the advent of the health maintenance organization, there is a financial incentive for the underutilization of care (Blumstein, 1996; Davis & Shoen, 1996).

In order to reduce financial risk, health insurance companies have restricted enrollment to individuals in poor health. By covering the minimal standards of treatment and excluding high risk groups altogether, major US insurance companies have realized that the health insurance market can be an extremely profitable industry. The public sector absorbs the cost of unreimbursed care for chronic care in America (Robert Wood Johnson Foundation, 1996). Based upon these findings, it seems clear that the money being removed from the health care marketplace is fattening the pockets of CEOs and majority stockholders.

The recent trend towards localized government leaves individuals without a financial safety net. This is the least efficient manner to handle health care costs, and evades the premise that medical care is a natural right in a civilized society. Few Americans feel secure within the current system. The rising costs of medical care contributed to the recent market changes in both the administration and delivery of health services. The financial incentive to cover only the healthiest individuals ignores the fact that medical care is a social good.

Health Insurance Portability Act of 1996

Two years after the Clinton Health Plan was defeated in Congress, Senator Ted Kennedy and Nancy Kassebaum introduced the Kennedy-Kassebaum Bill in response to growing concerns about selective enrollment procedures used by health insurance companies in the private sector. In the final version of the Bill, insurance companies must limit preexisting condition clauses to twelve months. It has been estimated that this provision of the Bill will help an estimated 150,000 Americans obtain health insurance coverage.

There are many levels of the underinsured, including those without any coverage; effective policy must address the needs of the total population without shifting costs from one disadvantaged person to another. Kennedy-Kassebaum fails to address the cost issue—the primary concern for those at risk for losing their health insurance. It does nothing to help the uninsured acquire a decent health policy, and then provides no solution to the critical issue at hand—cost.

Since Kennedy-Kassebaum does nothing to control the cost of health insurance and medical care in America, the Bill fails to respond to the issue of greatest concern to the citizens of this country: the cost of medical care. The Bill looks towards the states to develop consumer protections and weakens the regulatory role of the federal government. The majority of the American public is unaware of the fancy footwork involved with this legislation, and the demographics of the population it is intended to protect. In order to assess the utility of this Bill, it is critical to identify the populations at risk for losing health insurance coverage and the underinsured.

Kassebaum-Kennedy focuses on a slim portion of the uninsured population, and those who would be eligible for COBRA continuation (Consolidated Omnibus Reconciliation Act of 1974). Of the 41 million uninsured Americans, only about 150,000 are expected to benefit from this legislation. The Health Insurance Portability and Accountability Act of 1996 is really nothing more than smoke and mirrors since it fails to address the true issue at hand—the simple fact that the cost of quality health care in America is becoming a privilege that only the wealthy can afford.

The Cost of Care for Pre-existing Conditions

An individual with high blood pressure may just require prescription medication. Cancer patients in remission may require chemotherapy, and a person suffering with a degenerative disease may be involved in treatment studies. Each condition requires individualized treatment that cannot be based upon the simple economic/cost-benefit analysis used in the utilization review process by large insurance companies. Clearly, the most effective treatment for one patient may not be the best for another. The time required for utilization review may present additional health risks and complications to a patient suffering from a chronic health condition.

Twelve months without insurance coverage may be financially devastating to some patients, and 63% of Americans have already forgone some type of medical treatment within the last year due to financial constraints. Publicity surrounding Kennedy-Kassebaum has hailed the bill as the "be all and end all" in progressive legislation; however, in actuality it will only help about 150,000 people.

Recent studies have found that the majority of the uninsured population simply cannot afford to pay the premiums (Donelan et. al., 1996; Hoffman & Rice, 1996). According to their data, only 1% of the uninsured population is due to current health status and exclusionary preexisting clauses, yet an overwhelming number of insured respondents reported an inability to receive medical care for chronic conditions. The majority of Americans with chronic illness are covered by some type of insurance, yet they are still subject to the utilization review process and access problems that deny or delay medically necessary treatment (Donelan, et. al., Hoffman & Rice, 1996).

Underwriting the Solidarity Principle

Traditional forms of insurance underwriting required that the contract explicitly state which illness or services are not covered by the policy, in advance. If the underwriter did not specifically state a certain condition in the contract, the insurer was held to the terms of the contract and required to pay for services utilized by the policyholder (Stone, 1994, as cited in Durant, 1996).

Increasing numbers of for-profit and non-profit insurance companies began to control costs by refusing to insure individuals who they felt would utilize more services. Insurers began to require health survey status questionnaires (refer to attachment A), and even began implementing AIDS and genetic testing to identify high-risk individuals (Brunetta, as cited in Gutmann & Thompson, 1996). In the 1980s, large insurance companies began including sexual orientation as a high-risk category, by using actuarially sound criteria. Such criteria concluded that gay men were a higher risk for contracting the AIDS virus, and insurers refused to write policies for anyone believed to be homosexual (Stone, 1994 as cited in Durant, 1996).

By limiting enrollment to the healthiest members of society, selective enrollment undermines the solidarity principle of health insurance (Davis & Shoen, 1996; Snow, 1996; Stone, 1994). By eliminating those who were suspect of using more services than their healthier counterparts use, insurance companies are able to offer rock bottom prices for young, healthy individuals. By excluding preexisting conditions and requiring certain individuals to purchase high-risk policies, the number of uninsured and underinsured Americans continues to grow exponentially (Durant, 1996).

More individuals are choosing not to purchase insurance simply because they cannot afford it. Even among those with employer based health coverage, the policies frequently exclude coverage for long-term illness or care of chronic conditions (MSNBC News Forum, 1996). Without a standard definition of preexisting conditions, these clauses serve as "wildcards" since they allow insurers to deny coverage for any illness that "manifested itself before the issuing date of the policy" (Stone, 1994 as cited in Durant, 1996).

This statement allows insurers to deny treatment for benefits and services for the policyholder for undiagnosed illnesses or conditions of which they were unaware. As a result, the insurers began to demand medical histories of applicants and their families in order to identify high risk individuals (please refer to attachment A).

Legitimacy of Distributive Justice

While there is a legitimate role of government to distribute scarce resources among the nation's neediest individuals, sadly this is not the cause for the mismanagement of medical dollars in the United States today. There is a big distinction between an individual being denied prescription medication at their local pharmacy due to a cost-effective formulary developed by their Managed Care Organizations (MCOs), than an individual being denied a liver transplant because healthy livers are a scarce resource. While both may have equally devastating consequences, it is more difficult to rationalize a lost life based upon rigid cost benefit analysis and utilization decisions made according to formulas and cost-benefit analysis of treatment protocols.

"The political controversy over the distribution of health care in the United States is an instructive problem in distributive justice. Good health care is necessary for pursuing most other things in life. Yet equal access to health care would require the government to not only redistribute resources from the rich, healthy to the poor, and infirm, but also restrict the freedom of doctors and other health care providers. Such redistributions may be warranted, but to what level, and to what extent?" Gutmann & Thompson (Page 178).

Blendon and his colleagues have reported similar findings in public opinion polls from 1992 and 1994 (Blendon et. al., 1992; Blendon et. al., 1994). A recent study by the American Medical Association found cost to be of paramount concern to an overwhelming number of Americans (Donelan et. al., 1996). Of the 40 million uninsured Americans, only 1% attributes their failure to acquire health insurance coverage to their preexisting conditions. Among the uninsured, cost is cited as the primary obstacle in obtaining health insurance coverage. Only 1% of the uninsured attributes their lack of coverage to a preexisting condition.

Based upon these democratic principles of distributive justice, consistent opinion polls demonstrate the legitimate role and public desire for government regulation of the health care industry. It has become obvious that the federal government must intervene in order to protect natural law rights, the social contract, and the Constitution of the United States. Regulation is needed to protect the individual freedoms, liberty, and the pursuit of "health, happiness, and the American Dream."

If America is to be the "Land of Opportunity," then clearly individual health and wellness should be an ideal to reach for. Current models of distributive justice emphasize public consensus as a legitimate role for government intervention. According to a number of studies by Blendon and his colleagues, the public has reported an overwhelming general concern about health care in this country, (1992, 1993, 1994, 1995, 1996).

State civil courts are backed up with cases where HMOs have violated the First Amendment (gag orders), the Fourteenth Amendment (due process), and the rights of protected classes under the Americans with Disabilities Act. Countless examples of "anecdotal" evidence appear as headlines every day across the country (New York Times, 1996; The New York Daily News, 1996; Long Island Newsday, 1996; LA Times, 1996; Picayne Times, 1996; Columbia Spectator, 1996; Columbia University Record, 1996; US News & World Reports, 1996; Newsweek 1996; Healthline, 1996; The Tennessean, 1996; The Albany Times, 1996; The Nashville Scene, 1996). In their entirety, these case reports represent the human tragedy that lies beneath the web of the very worst of American capitalism: corporate greed.

Identifying Populations At-Risk

A study by The Lewison Group in 1996 reveals insight into the private individual health insurance market. Clearly, individuals choosing to purchase health insurance policies for several hundred dollars each month expect their health care needs and expenditures to exceed that amount. Regardless of health status, a young healthy 25 year old who purchases an individual health insurance policy can expect to pay well over $300.00 monthly for a health insurance policy with Empire Blue Shield Blue Cross (based upon 1996 rates, current rates available from the New York State Insurance Department).

Since individual policies are not addressed in the Health Insurance Portability and Accountability Act of 1996 (HIPA), an individual policy with Blue Cross Blue Shield of Tennessee excludes preexisting conditions for 24 months (enrollment booklet available upon request). The critical markets in need of reform are the adversely selected individual insurance market, and the state's most vulnerable populations: children; the elderly; the chronically ill; the uninsured; and the underinsured.

For the millions of individuals who have lost their employer based coverage, the cost of private health insurance is prohibitively expensive. Many individuals opt out of the individual market and apply for public assistance when the need arises. Those who have retained their health insurance coverage through their employers are being moved into managed care despite their efforts to retain their indemnity style plans (Davis & Shoen, 1996; The Lewison Group, 1996).

Access to Medical Care

As routine practice, HMOs deny or delay care for all services that are not outright medically necessary. Growing numbers of individuals have suffered irreparable harm, and many have died awaiting approval from their HMO's (The New York Times, 1996; Long Island Newsday, 1996; The Tennessean, 1996; Healthline, 1996). It is hardly a secret that HMOs have fallen short of their promise to provide comprehensive health care for the "whole" individual by emphasizing preventative medicine, using medical management to coordinate care. There is substantial evidence that individuals with chronic conditions receive substandard care in HMOs.

A four-year longitudinal study of medical outcomes found that the elderly, the poor, and persons with chronic conditions were in better health when covered by fee-for-service plans compared with a control group covered in HMOs (Ware et. al., 1996). New statistics released in Washington, DC by the American Medical Association and the Robert Wood Johnson Foundation revealed the direct costs of individuals with chronic conditions account for 75% of direct medical expenditures in the United States (Hoffman & Rice, 1996; based upon the National Medical Expenditures Survey; raw data available on CD from the Department of Health and Human Services Washington, DC). 45% of the American population suffers from at least one chronic illness.

If managed healthcare has been found to deliver inadequate care to this population, then we are looking at 100 million individuals who are potentially facing personal and financial crisis as they are moved into managed care. The public already accounts for the largest payment of direct medical expenditures, which means the millions of dollars being made by for-profit insurance companies are not being circulated into the economy to assist in public health costs care. The industry made a 14.8% profit in the 3rd quarter of 1996, however these medical dollars were removed from health care and used to fatten the pockets of CEO's and majority stockholders (Healthline, 1996).

Based upon a new report from the Robert Wood Johnson Foundation, the direct costs for persons with chronic conditions represent 69.4% of national expenditures in personal health care (Robert Wood Johnson Foundation, 1996). Their direct medical costs are estimated at $4672.00 annually compared with $817.00 annually for individuals with acute illness (Hoffman & Rice, 1996; based upon National Medical Expenditures Survey 1987, not adjusted for inflation). This population is the most vulnerable to complications in their health and with their source of payment. Large insurance companies only provide adequate coverage for acute illness (Donelan et al., 1996; Hoffman et. al, 1996).

Medicaid Managed Care

Following Tennessee's lead, many states have enrolled their medically indigent populations in Medicaid Managed Care Organizations (MCOs). In Daniels v. Wadley (926 F. Supp. 1305), the court held that TennCare violated the Due Process Clause of the Fourteenth Amendment since such procedures eliminate fair hearings and independent medical review of disputes. The court found the pattern of routine denials of care by MCOs participating in the state's TennCare program to violate the Medicaid Act since it compounded the problem of institutionalized waiting periods for medical appeals pending independent review by the Medical Review Unit (MRU) (42 U.S.C. § 1396 (a)(8)).

Furthermore, the court ordered federal injunctive protection to participants and beneficiaries because no state law may preempt federal law by depriving individuals of their constitutional rights. The Department of Health and Human Services (HHS) was ordered to revise its utilization review procedures for TennCare recipients in keeping with the Medicaid Act (42 U.S.C. § 1396 (a) (8)) ensuring due process protections for all covered beneficiaries by requiring "services are provided with 'reasonable promptness,'" (926 F. Supp. 1305).

This case is one of 543 civil suits pending in the state courts for violations of the Medicaid Act (based upon a Lexis-Nexis search performed December 26, 1996). With the passing of H.R. 3507 into public law (The Welfare Reform Bill), private citizens will find little reprieve in the federal courts, so any attempts to hold states accountable for violations of federal law will be feeble at best (Denker et. al., 1996).

Managed care has shown itself to be a farce of "medical management" in light of all the condemning evidence to the contrary. Timothy Icenogle, a medical doctor in the state of Arizona commented in 1981, "We play sort of an advocacy role. I think the public demands something more from physicians than to just be a blob of bureaucrats, and I think we have to take a stand now and then. Our role essentially as patient advocate, is to tell them, well, just because the insurance company is not going to pay, that is not the end of all the resources," (Icenogle, as cited in Gutmann & Thompson, 1996). Never has this statement been needed more than it is today. Unfortunately, as more insurance companies refuse to pay for medical treatment, fewer resources become available for patients in desperate need of financial assistance. As Judge Kessler eloquently stated as she handed down her decision in Salazar v. District of Columbia, No. 93-452, December 11, 1996, "behind every fact found herein is a human face and the reality of being poor in the richest nation on earth," (936 F. Supp. Slip op. At 3).

Perhaps most distressing is the lack of accountability for mismanaged healthcare and improper denials of medically necessary treatment. HMOs claim immunity under ERISA, leaving individuals without recourse in a sea of contractual language and lengthy court calendars. It is evident that individuals protected under the Medicaid Act are not fundamentally different from other populations entrapped in the maze of managed care. They are simply those who have "had their day in court."

Due Process Protections

Since all Americans are theoretically entitled to due process protections under the constitution of the United States, it seems the federal courts are long overdue for making such a public statement. We are wasting precious time and losing millions in valuable human resources as we await decisions to be handed down from state courts. The Supreme Court of the United States has agreed to hear New York's request for an ERISA (Employee Retirement Income Security Act of 1985) waiver, making health maintenance organizations liable for medical malpractice in the state of New York.

When HMOs deny care from patients, it is ludicrous to hold individual physicians liable for the utilization decisions made by decentralized corporate review boards. It is time to take a serious look at tort reform, and demand action by the Supreme Court as they approach the date of New York's ERISA hearing. A blanket court ruling upholding Daniels v. Wadley, and Salazar v. District of Columbia is desperately needed to avoid an avalanche of liability suits filed in state courts. The court must uphold Daniels v. Wadley, and Salazar v. District of Columbia if further lives are to be saved in medicine rather than wasted away in the utilization review procedures. While we wait patiently for District of Columbia circuit court to order injunctive relief, the number of individuals suffering irreparable harm due to the systematic denial of medical care grows larger each day.

The history of Medicaid Managed Care does not provide a very optimistic look into the future of TennCare recipients and Medicaid beneficiaries in states around the country. Dating back to the implementation of the Arizona Health Care Cost Containment System (AHCCCS) in 1981, there are documented cases where "people reportedly died for lack of medical treatment before their eligibility was determined," (Varley, as cited in Gutmann & Thompson, 1996). This leaves me to wonder why the states continue to enroll their most vulnerable populations into a system of managed care that has proven to be a disaster.

Perhaps worthy of comment is that Arizona is the only state to have voted Republican in every election since 1948, which certainly provides insight into the conservative morale of the state. Although Arizona was the last state to accept the Medicaid cost sharing incentive proposed by the federal government in 1966, it was the first state to force its medically indigent population into managed care in 1981.

Violating Federal Law

Rigid pre-certification requirements and nonspecific utilization review procedures place strategic barriers to access medical treatment and services in Health Maintenance Organizations (HMOs). Pre-certification requirements are strategic barriers incorporated into the "black box" of utilization review that institutionalizes exclusionary waiting periods and routine denials of medically necessary treatment. According to federal law, "care and services are to be provided in a manner consistent with the simplicity of administration and the best interests of recipients," (42 U.S.C. § 1396a (a) (19)). Clearly, such rigid pre-certification requirements that complicate administrative processing and paperwork on the part of the enrolled beneficiaries are a violation of United States Code.

Furthermore, using primary care providers as a mechanism to limit access to specialists not only complicates administrative processing, but limits enrolled beneficiaries' choice of health professionals beyond what is available to the general public in the geographic area (42 U.S.C. § 1396a (a)(30)(A)). Certainly referral procedures do not "assure that recipients will have their choice of health professionals within the plan to the extent possible and appropriate," (42 U.S.C. § 434.29). Under this provision, it seems that any individual, especially those with chronic health conditions or disabilities should be allowed


Tuesday, November 11, 2014

Denial of Service: Deconstructed

Denial of Service, Deconstructed

Denial-of-service attacks are an old and crass way to disrupt a network, and yet still are immensely effective. DoS attacks overload the pipes that connect computers to the Internet with massive amounts of legitimate but useless data. DoS attacks create epic traffic jams. The cars in this analogy would be requests for service that hackers send to the target website. Each time the target site gets a request, it must deny it. But because the hacker sends massive numbers of requests from thousands of computers, the target must use nearly all of its time and resources just to deny these requests for service, effectively blocking access to anyone with a legitimate request.

Before that, though, the hacker must create a network of computers big enough to overwhelm the target. They don't buy these computers, they commandeer them. They plant software scripts on systems distributed throughout the world (hence, distributed denial of service, or DDoS). These compromised computers are called zombies, or bots, because they generate attack traffic automatically, without the owners' knowledge.

Hackers create zombies by scanning for exposed systems that they can manipulate remotely. Often these are home and office broadband users. (Lately, existing bot networks have been found scanning for more computers to turn into bots when they're not launching attacks of their own—akin to an army recruiting its soldiers in peacetime. One security consultant said he connected an unsecured computer to the Internet to see what would happen, and it was recruited within three minutes.) Hackers can also insert their attack code through phishing, spyware, viruses and social engineering. Universities have long been popular spots for creating zombies because of the number of easily accessible, unsecured public computers.

With a zombie network in place, the only issue left is scale. The more zombies on a network, and the more aggregate upstream bandwidth they have, the swifter and more severe havoc they can wreak. Several hundred computers could generate 100MB of traffic, enough to knock a small network offline. A 10,000-computer bot network could deliver a 1Gb attack, enough to knock anyone offline who hasn't installed some rudimentary anti-DDoS infrastructure.

Some experts believe that right now different sets of hackers are engaged in an arms race to see who can build the biggest zombie network. Not for bragging rights, but for renting out the networks to anyone who wants to launch an attack, the raw capitalist idea being that the biggest network will generate the best rental business.

Tuesday, Nov. 25, 2003: Running Out of Time

The extortionists' e-mail that arrived on this morning demonstrated that they were losing whatever patience they had: [all typos sic] "I told you that if you try and f*** with us that your site will be down forever.... The excuse that you were in the hospital does not matter to me. So here are your choices: 1) You have until 4pm est today to send us our $40K. 2) You have until 4pm est Wednesday to send us $50K if you can not send the $40K today. 3) You do not pay and your site will be down for 4 days starting Thursday and it will cost you $75K to come back up Monday. 4) You do nothing and do not respond to this email within an hour and we will make sure you are down forever...."

Richardson was panicked. He can't remember precisely when—the entire week has blurred in his memory—but by this time, he had reported the crime to the National Hi-Tech Crime Unit (NHTCU) in Scotland Yard. According to an NHTCU spokeswoman, the unit had already opened a similar investigation with a British gaming site called CanBet.

According to Richardson and Lyon, the NHTCU encouraged Richardson to wire two extortion payments of a few thousand dollars each to separate Western Union offices in Eastern Europe. The NHTCU wanted to nab anyone who showed up to take the cash. (NHTCU won't confirm this; the spokeswoman said the unit does not discuss investigative tactics.) Richardson agreed, but for a different reason: He wanted his site back up. "I knew another person [in the industry] who was successful getting back online by sending three or four small payments like this," Richardson says, "and those guys didn't even have a solution to the problem when they paid. I knew Barrett was getting closer and closer to a solution. So I sent the payments, thinking maybe I can get a good week out of this."

But no one took the bait. After about two weeks, Richardson pulled the money back.

Wednesday, Nov. 26, 2003: Barrett's Big Bet

From Sacramento, Lyon instructed the PureGig engineers who would turn on his system 630 miles southeast, in Phoenix. Another 2,400 miles southeast from Phoenix, everyone at BetCris waited impatiently.

Lyon's system intercepted traffic headed for BetCris's servers in Costa Rica, diverted it to his creation in Phoenix, scrubbed off the attack traffic and delivered legitimate traffic back to Costa Rica. It was designed to bar DDoS traffic from touching BetCris. If the system failed, it couldn't defend BetCris, and it wouldn't be able to send legitimate traffic to Costa Rica. But BetCris itself wasn't getting attacked. The system did a lot of other stuff too: monitoring, capacity planning, logging and analysis.

It wasn't perfect. After it was installed, Lyon had to tweak routers on the network, install new versions of software and add capacity to his system. The extortionists kept changing attack vectors, and Lyon and his team kept tweaking. It was a constant battle, but Lyon was confident that the system would enable BetCris to stay online. Wilson at PureGig called Lyon's system "ingenious" not because it was unique—it was monitoring and filtering at a proxy location—but because Lyon's monitoring and filtering seemed to stop attacks better than any other effort he'd seen.

But when it was first turned on, the extortionists stuffed too much traffic down its throat. Wilson recalls the math: "We had 100MB links to the DNS servers. We went from handling under 2MB per link to, all of a sudden, 600MB." That's six times a full load. Imagine Fenway Park, which holds about 35,000 people. Now imagine 200,000 people trying to get inside Fenway Park at one time.

The DNS servers were overloaded, and Phoenix got tense.

Costa Rica had been tense for nearly a week (as much as half a million dollars in lost revenue), but now BetCris was bordering on despair. Mickey Richardson lacked sleep, and he struggled to make decisions and lead. His IT staff was fracturing, feeling impotent as they watched the attacks and waited for Lyon. BetCris's small call center staff was getting abused around the clock by customers calling in to vent frustration and demand to know what the heck was going on. The simple task of creating a smart message about what was happening eluded Richardson. "You can't just have your call center staff tell people you were hacked," Richardson says, because it creates more questions than answers.

At the same time, his decision not to pay the extortionists was affecting other wagering sites that shared the same ISP and were experiencing network problems. "I'm getting calls from friendly competitors saying, 'Look, Mickey, we paid. Just pay. We're going down because of you.'"

He was running out of time and energy. Richardson remembers around this time having to update his staff—275 or so people who weren't entirely sure they'd have a job soon—and he couldn't even find words. He thought, "I wish they could read my mind because I'm too exhausted to explain it anymore. I don't have any answers."

In hindsight, Richardson says, he would have spent more time preparing for these human issues attached to the crisis—decision making under pressure, keeping the staff together—and less time worrying about technical defenses. Yes, create those technical defenses and make sure you have a crisis response plan. But also focus more on issues like exhaustion and emotional distress, and how they can be handled.

It was in this context that Richardson received an e-mail, at 11:12 a.m. It caused him to feel, for the first time, "blind fear."

"I would like to thank you for not keeping your end of the deal and making this upcoming weekend an enjoyable one for me." The extortionists demanded $75,000, but then seemed to disregard the money. "I do not care how long I have to destroy your business and I will. You will learn the hard way that you do not make a deal and then f*** around with us.... Let the games begin."

Richardson would soon learn they were not bluffing. They could destroy his business, and they were going to try. For BetCris to survive, Lyon's slapdash system in Phoenix, which was just starting to find its purchase, would have to stand up to the biggest DDoS attack any of them had ever seen.

The DNS servers that had overloaded in Phoenix were brought back online in a couple of hours, after Lyon and Wilson adapted some filtering scripts and increased the size of their network pipes.

Lyon then spent Thanksgiving and Friday eating leftover turkey his girlfriend delivered and tweaking his system to absorb bigger DDoS attacks. On Friday, he believed it could handle a 1Gb attack, and he felt good about that. He assured a frayed Richardson that he'd never see an attack that big. It would take tens of thousands of zombie computers.

Which is exactly what happened. It turns out the extortionists had more than 20,000 zombies. PureGig's data center suffered badly, which affected several of its ISP customers. PureGig decided to take Lyon's system offline to fix it.

"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."

Richardson recalls the attack: "So I have Barrett on the line, who I think is the second coming, and he says, 'Let me think about this. Give me some time.' And I say, 'OK, I don't want to pressure you. I have faith. But if you don't fix it, I'm out of business.'"

Why Online Extortion Works

It was never supposed to have gotten to this point; Richardson was supposed to have paid long ago. The extortionists expertly optimized the chances of it.

To ensure a quick, quiet transaction, the extortionists did what all extortionists (in the physical or online world) do: They exploited the problem of the commons. An ecological principle, the problem of the commons states that people will act in self-interest if it profits them in the short term, even if that act will hurt everyone, including themselves, in the long term. Every act, every threat, every negotiation tactic, every single move extortionists make is designed to make paying the protection fee not only appealing, but in fact, the smartest business decision you can make in the short term, even if you know in the long run that you haven't stopped the problem at all.

Thus, extortionists attack when it hurts the target the most; they ask for $10,000 to $100,000 (generally considered the sweet spot of extortionist profitability versus victim willingness to pay, depending on the size of the victim company).

In BetCris's case, the extortionists revealed they were Eastern European, which would make them hard to find, never mind prosecute. Online crime laws are weaker in Eastern Europe than in the United States and the desire to enforce them weaker still (and the FBI wouldn't get involved with offshore gaming sites being extorted from overseas).

The online version of extortion provides unique advantages (relative anonymity, low probability of prosecution, lots of easy targets, diminished chance of physical violence) that have made it a highly lucrative business alternative for bad guys.

BetCris was just another easy target. What the extortionists didn't count on was the unlikely confluence of Richardson's resolve, Lyon's ingenuity and an ISP that would provide them a place to fight back.

Friday, Dec. 12, 2003: BetCris Wins the War of Attrition

The extortionists must have screamed "Hooy na ny!" or some other Russian expletive after their blitzkrieg, when Lyon "got the chemistry down" and managed to absorb the massive amounts of attack traffic and get PureGig and BetCris back up and running. Lyon assumed the bad guys would come back with something bigger, as hard as that was to imagine, so he set out to scale up his system "for whatever was next, a 6Gb attack or something."

But for the next week, the attack stayed steady at around 1Gb. BetCris, Lyon and PureGig had entered a war of attrition. The extortionists would find a way to kick Lyon's system, Lyon and Lebumfacil would tweak it and get back up. Cat and mouse. "Attack, counterattack, back and forth," Lebumfacil says. "It was 24-by-7 monitoring for two weeks." Wilson and PureGig stopped noticing any of this because the attacks had been segregated from PureGig's other traffic.

And then, suddenly, the attacks stopped.

At 8:46 a.m. on Friday, Dec. 12, two weeks after the assault that nearly put him out of business and three weeks after he first read the words "Your site is under attack," Richardson received an e-mail: "Dear Mickey, I tried getting to your site today and I could not. I thought with all the money you spent you would not have these problems anymore. I guess you wasted your money instead of keeping your word. Good luck. P.S. I bet you feel real stupid that you did not keep your word. I figure by now you have lost 5 times what we asked and by the end of the year your decision will cost you more than 20 times what we asked."

Richardson knew this was an admission of defeat, even if it was disguised as braggadocio. His site was up. The extortionists couldn't get to it because they were blocked. He hadn't paid them a dime. They made no more threats. They couldn't because they couldn't back them up with action. The extortionists had lost.

And yet, the e-mail was not far off. Richardson figures it cost him a million dollars in lost revenue and IT investments to win this war. "It was worth it," he says. "I just didn't know it would take a couple years off my life."

"It was amazing we made that system work against that attack," Lyon says. "It was a wake-up call on how good the bad guys had gotten."

And Lyon knows the bad guys have gotten even better since. They've built zombie networks of 35,000 machines, capable of delivering a steady stream of 3Gb traffic. Peter Rendell, CEO of Top Layer Networks, which makes intrusion prevention and anti-DDoS hardware, says he expects botnets to pass 50,000 machines (and 4Gb to 5Gb) by the end of this year. It's an arms race, as defenses scale, then offenses scale, though Lyon is convinced the defenses have far outpaced what extortionists can throw at them.

But the bad guys have a response. Extortionists have encrypted DoS attack scripts and have put them on peer-to-peer networks, making criminals who use them nearly impossible to track or contain. They're registering domains and then attacking those domains, only those domains are redirected to other targets. "The only way to stop that is to delete the domain," Lyon says, "and that's not something you can just do." Lyon stopped an attack but certainly didn't stop the problem.

Still, he wouldn't learn of all this until later, after he decided to start a business and, as he did with Don Best, track down the BetCris extortionists. At that moment, though, after the extortionists admitted defeat, he was ready to relax. He booked a vacation in San Jose, Costa Rica, for New Year's. Finally, he'd meet the people he saved and celebrate with them.

New Year's, 2004: Visit to an Online Gaming Hotbed

Costa Rica is about the size of West Virginia, bookended by Nicaragua to the northwest and Panama to the southeast on the Central American isthmus. With coastlines on both the Pacific Ocean and Caribbean Sea, and mountainous terrain inland, Costa Rica sits along the Ring of Fire, so volcanoes and earthquakes are native. Political strife is not. The CIA calls Costa Rica a "Central American success story."

Lured by its stability, BetCris located there in 1993. Richardson joined as a "utility man" in 1996. Back then, the business wasn't online, it was a call center. BetCris's call center once employed more than 500 operators at peak hours, but the number dwindled as the business moved online. Today, maybe 30 operators will man a call center at peak hours, or during an extortion crisis.

As the Internet took off, so did San Jose as an offshore gaming mecca, for several reasons. The government encouraged the industry to expand its economy. (BetCris supports an industry group to lobby local politicians.) Also, the people are educated, with an excellent work ethic, Richardson says. Costa Rica has a 96 percent literacy rate. More high-level employees at gaming companies are Costa Ricans, including all of BetCris's accounting staff and 90 percent of its managers.

The other reason gaming companies swarmed here is, of course, because it's not the United States, where gambling laws are difficult to negotiate. Today, hundreds of offshore gaming companies, most of them online ventures, operate from San Jose. In BetCris's seven-story headquarters alone, Richardson says, there are 10 such enterprises, two software companies and a telecom company—pretty much offering everything you need to get started in the online gambling business in one building. The competition is mostly friendly. Richardson says it's not unusual to bump into competitors at a restaurant and join them for dinner.

The valley that makes up the San Jose metropolitan area holds almost half the country's 4 million people. Richardson says the valley gets blistering hot, and downtown San Jose is "undesirable." But BetCris, and most of the gaming and tourism industries, are above all that, nestled in the higher elevations of the valley's surrounding mountains, where Richardson compares the weather—and the lifestyle—favorably to San Diego.

When Lyon arrived here, he felt a sense of pride for helping. He saw "this beautiful building with this top-notch data center," he recalls. "And I met all the people who work there, and I kept thinking, I protected all of this. Me and my keyboard helped all these people keep their jobs. It was so neat to see how good a thing it was that we did."

Richardson and Lyon bonded immediately. There was a party with professional-grade fireworks launched from Richardson's front lawn. They went to dinner, talked about life and the attacks. Lyon had developed antipathy to the extortionists; he wanted to nail them. He told Richardson and Lebumfacil he was going to start a business, a service whereby people could subscribe to his anti-DDoS attack infrastructure. Lyon recruited Lebumfacil to help him start DigiDefense. BetCris was his first customer. Richardson gave them office space to start.

That business talk, though, was in the background. Lyon relaxed, went deep-sea fishing and zip-lining through the rain forest.

Friday, October 3, 2014

An Open Letter

October 2, 2014

Dear Mr. Leiderman:

I am humbly requesting assistance to find an IP attorney who can help me with severe hacking, d0xing, 

Additional security breaches included HIPAA violations, posting medical, financial, and ERISA benefits online. 

The harassment continues FOUR years after I resigned from CyberSecurity firm and I have lost friends, jobs, integrity; my professional identity was compromised after fake credentials were posted on an open forum designed to discredit and destroy my professional credibility and reputation. 

Furthermore,  my family has suffered terribly by having their names, addresses, Social Security numbers online in an effort to destroy the family business. 

My father's business accounts were posted on by BlackHat hackers who ADMITTED to hacking Columbia University as well as SOCA FBI CIA Stratfor, Joseph K. Black, HB Gary and many others. 

I recently relocated to South Florida due to constant harassment and stalking when my phone and address were posted online. 

I am concerned about the Statute of limitations and I want to be sure that I file the necessary reports before time runs out. 

I would appreciate any advice or referral you can provide for CyberCrimes experts including forensic specialists who can confirm what I have known for several years. 

I'm hacked. 


Thank you for the wonderful work you have done in this area and any assistance you may be able to provide. 

Sincerely yours,

Elyssa D. Durant, Ed.M.
Research & Policy Analyst


Cc: Marc Durant, Esq.
       Joel Rosenblatt
       George Schuessler

Friday, July 4, 2014

Work to Welfare

Yup! That's right, I'm on welfare... 
I'm milking the system for all it's worth! I had better go get in line before those immigrants suck up all our resources (which have never once been available when I have needed them).
That's right, just another Ivy League grad too smart to go to work! I am just waiting on my next free meal ticket, subsidy, or voucher. The opportunities to exploit the government are endless! Where do I begin???

I remember how difficult it was for me to obtain benefits when I first applied several years ago. I am deeply concerned about how the most recent decision to eradicate yet another class of TennCare / Medicaid recipients (the Daniels class made up of SSI recipients by way of a pending federal waiver) will affect the poor and disabled residents in Tennessee. 

Without my current level of benefits, I simply do not function.

Before my benefits were stabilized, learning to navigate the system consumed every waking moment of my life. 

I was unable to work or attend school on any substantial level and I am frightened to see what might happen if I were to stray from my established, stabilized treatment plan. If I lose my benefits, will I still be able to work? To function? To be productive?

Any new public program requires careful planning if it is to be effective. Recent discussions have not focused on the true impact these changes will have on the "street-level."

Has anyone asked recipients how they feel the new program (safety- net) should be designed, implemented, or evaluated? How will this impact the community and other social service or welfare agencies??? I want access, quality, and outcomes. 

I want... I want... I want!!!

The massive number of people being dis-enrolled or limited in their access to medical care and other social services will no doubt create significant anxiety, confusion, and chaos for everyone involved in the social service and health care industries.

I remember when Mr. Brian Lapps was somewhere very high up on the corporate TennCare ladder in 1999 when  they adjusted the prescription formulary over Memorial Day in 1999. I see Mr. Lapps quite frequently since he now works at the local gas station down the street from where I live.

To this day, he insists that cell phones and TennCare are somehow contraindicated. Perhaps he knows nothing of the population he claims to know just all-too-well... housing conditions that may or may not have electricity, broken families-some riddled with community violence and domestic disturbances. In the hood, your cell phone is your very best friend. 9-1-1.

These people are plagued by domestic violence and community instability, which makes a cell phone the only logical option. How can you find a job without a phone? How can you find a home without a job? Yet even 6 years later, Mr. Lapps uses cellular phones as an example of how the TennCare program is being abused by lazy, cheap, and unscrupulous second hand citizens who are just shiftless lazy bums waiting around for their next free hand-out.

Anyone who has EVER applied for or relied upon any kind of government subsidy to have their basic needs met, e.g., food, shelter, medical care, dental treatment, etc... let me personally assure you that there has never been a single time where I felt I was "pulling one over" on the government. I am not just one of the poor saps who believed what they told me in school, I bought it hook, line, and sinker for the mere price of $279,982.00 and not a shred of financial security to show for it.

Even after consolidating my student loans, the interest alone is $10 less than my monthly income from social security.

So what happens now that the state of Tennessee will begin to cut off social security recipients from TennCare? I honestly do not think I can survive yet another re-certification process-- God knows the first one almost killed me. 

After three years of appeals, my condition had deteriorated so severely that I was forced to drop out of school, lost my home, lost my sanity, and lost hope. In short-- I lost my dignity and my belief in the social welfare system.

By the time my benefits were approved, I had already checked myself in to NYU Psych Ward because I simply could not cope with the reality of what my life had become. I weighed 94 pounds and suffered in excruciating pain that has only gotten worse with time. My extremities were ice cold, and my hands were numb since I went without medical treatment for the spinal injury that was first discovered when I was 22.

I am now 35 years old. My spinal cord is now damaged from years of delayed, sub-standard medical treatment. I owe the federal government $279,982.00 in student loans and when I am able to work, I make $10.46 / hour as a substitute teacher in an urban school district. That job comes with no security and no benefits. It does however offer the flexibility I need to receive the bi-monthly epidural injections and other procedures necessary to manage my pain and alleviate the numbness I feel because of the damage to my nerves. And even though I cannot afford the gas money to get to my appointments, pay for all of my medication, or even to get back and forth to work, it does allow me a few weeks of mobility so I can drive, use my mouse or hold a pen.

I have an advanced master's degree from an Ivy League Institution. I am 12 credits shy of a PhD in public policy. And despite maintaining a 3.83 grade point average while completing an advanced masters in social and educational policy at an "Ivy League" institution; a 3.2 GPA during the 3 years I spent working on my doctorate at a not-quite-so-prestigious Graduate School; The Powers That Be in that damn Ivory Tower will not grant me any leniency by extending the amount of time permitted to complete my degree-- a rule that was changed while I was on a formal leave of absence tending to my health (and my Medicaid appeals!). 

Not only did they decide 8 years was the rule instead of the 10 it had been previously, I was also told that I could not even transfer the credits I had earned toward a different degree towards another program at the same institution. It has been just over ten years since I first  enrolled. 

What a mistake that was!
The "Harvard of the South" no longer offers the degree to which I was admitted and enrolled so they actually suggested that I pay for a 3rd application to the school (I was admitted into two degrees-- the MPP as well as the PhD program in  a separate college) requiring two independent applications, fees, transcripts, test scores, even way back when I was still considered a promising candidate. 

Now "they" think it is reasonable to ask that I do it all over again??? It goes without saying that I do not have the financial resources available to finish my last semester, take the GREs  or GMATs one more time, or even the money to release my transcripts from the Graduate School into any other program at the same University, I guess I am just shit out of luck.

To be clear, WE ARE ALL PAYING for that student debt because I can assure you that their endowment is far greater than any income or earning potential I have given my current financial status and student loan debt! To be clear, YOU ARE ALL PAYING to keep me on Welfare. Yes, all of us are paying some price..... I want to work. I want to be productive. I want to be a part of something greater than myself. I want to share what I've learned.

So throughout the years I struggled to stay in school, believing somehow that social justice would prevail, and my heart and dedication towards the greater good would show through to whomever, wherever, or whatever that could make my degree worth while-- the Medicaid and disability applications managed to take front seat. 

So as I filed appeal after appeal after appeal, I managed to acquire well over 1/4 million (yes-- MILLION) dollars in debt due to uninsured medical expenses and student  loans.

My life will never be the same. My heart will never be the same. I want to pay my bills on time. I want to get off welfare, but  no one ever taught me how to be poor.

So after all this-- now I face losing my healthcare once again? Where is the safety net? Where is the American Dream that I so diligently chased after for so many years? 

What was the point spending so much on an education that will never be utilized? I understand the how; I just don't understand why.

Maybe one of these days Vanderbilt University and the Department of Education will realize it might just be cheaper to hire me than harass me, because unless I find a real paying job soon, their collections department will no longer be able to reach me on that extravagant lifeline my friend, Brian Lapps, refers to as a luxury.

If anyone on your staff would like to "trade places" with me for one month, I will gladly assume his/her responsibilities for that position if you can find a writer who is willing to endure and write about the reality of social services in our fine state. I do not want a paycheck from your organization; I just want the opportunity to put the myth of freeloading welfare mothers to rest.

Live in my shoes for 30 days. Can you find the out? Can you balance my budget and make it work? Can you get the bill collectors off my back? 

Can you afford Internet service to file state job applications and apply for services online? Can you maintain pride and dignity without feeling the least bit sorry for yourself and the choices you have made?

When I go to the pharmacy, I am humiliated that I do not have the $3.00 necessary for the co-pay on my covered TennCare prescriptions. At least when it was $40 dollars, I was not so damn embarrassed by my lack of funds.

Remind me again why I went to school. Remind me once more why I bother to speak out. Then remind me right now that there is somebody listening. I cannot be the only one who actually gives a crap. My contact information is listed below.

Live & not so well in the US of A

Elyssa D. Durant, Ed.M.
(Former doctoral student in public policy)

Originally Published by Elyssa Durant, Ed.M. © 2008-2013