Seattle Coffee Tour 2010

July 13th, 2010 admin No comments

Seattle Coffee Tour, originally uploaded by Mike.

This past weekend I went to Seattle for a wedding.  While in Seattle we did what those in Seattle do; we went on a coffee tour.  We started with Zoka Coffee followed by Victrola Coffee and then off to Caffe Vita.  We skipped Seattle Coffee Works only because of its proximity to Pike Place Market and the mayhem that is on a weekend.  I really enjoyed Zoka for the nice atmosphere and solid espresso.  I could see it being a local haunt to bring your computer or book and hunker down for a study/code session.

Victrola also had a nice atmosphere and included a view of their roasting room, in a quiet area of Seattle.  The baristas were well informed, and unlike the other places Victrola was the only house with per-cup drip coffee.  The option of various flavors of per-cup drip coffee is what I enjoy most about my local haunt, Philz Coffee, in San Francisco.

One of the things you should know about Seattle coffee houses is that all of them display a sign stating that “espresso drinks includes a double shot” with the exception of Zoka which further qualifies it as 19 grams. Welcome to the city of the caffeinated!

Coffee & NYTimes, originally uploaded by Mike.

We thought we were done only to find out that, unlike other cities, Seattle is very particular and opinionated about its coffee.  If you are in San Francisco and care about coffee, most everyone will agree that Philz is the place to go.  In Seattle everyone has their own opinion, so as I told our story of visiting certain coffee houses, others began the telling of their own favorites, and everyone has a favorite.  In a bar our waitress stopped and began listing the places she frequented, which included her favorite latte, the closest local haunt, the best for social life, and those with the best “cupping”.

You heard that right, and it’s not some medieval torture device.  A “cupping” is coffee talk for a “tasting”.  Just like a wine tasting the coffee shops have regular cuppings to teach you all about the coffee they roast, brew, and serve.

Given the long list of recommendations, we made sure to hit two more places before leaving town.  Stumptown Coffee Roasters is one of the mainstays of coffee aficionados.  It’s in a semi-secluded area of town with the downstairs devoted to the roasting room, which visitors are welcome to visit.  The last stop was Caffe Umbria, located in downtown Seattle.  I didn’t care for the atmosphere, which catered more to people on the go than those who wanted to sit and sip, but the chocolate wedge that came with each cup turned the tide on my mood and the espresso was solid.

Seattle Bay by Boat, originally uploaded by Mike.

FNDS: Contemplation

June 5th, 2010 admin 2 comments


Contemplation, originally uploaded by The Inadvertent Gardener.

Overcast Bay Bridge, originally uploaded by SFview.

Another great night with the Friday Night Drinking and Shooting (FNDS) photo team. This time Mik led the team over to Oakland for some shooting around the 19th Street BART stop, inside some of the art bars, the Paramount theatre, and the very amazing Cathedral of Christ the Light.

I really love the team and friends I’ve made through this group. In all honesty it’s mostly because they like me as well. Eric gives the best hugs, Nick is so sincere, Mik is always fashion equipped, Bob has this allure about him, Genie is so open about herself I want to listen to all her stories, and Dusty is always good for a high-five. All great people with smiles, whom I like to call the “light chasers” as they are always looking for the best lighting to highlight their subject.


Cory Doctorow @ GeekReading

May 29th, 2010 admin No comments

Cory Doctorow signing books, originally uploaded by SFview.

Cory Doctorow – acclaimed sci-fi author, BoingBoing blogger, former EFF staffer, and watch aficionado – did a reading from his book For The Win in San Francisco. It was an event to raise money for the EFF, an organization that defends your legal rights online and in digital media.

I’ve followed his life and admire his never-ending work ethic in achieving his goals. His self-styled life includes a wide collection of obscure watches, a wedding ring with a custom crypto key, and his constant quest against DRM and the platforms that support it.

I met a nice guy, Al, from openbuddha.org who recorded the session. Check out his writeup and audio recording.

Cory Doctorow signing books, originally uploaded by SFview.


Bay 2 Breakers 2010

May 29th, 2010 admin No comments

Scouts, originally uploaded by SFview.

Furries, originally uploaded by SFview.

Bay 2 Breakers is a “race” across the 7 miles (11.3 km) that is San Francisco. There are some serious racers up front, but the majority of participants show their true San Francisco pride by breaking out the costumes and dressing up for a long, and mostly drunken, trot across the city.

Many of the “racers” group up into theme teams and make a day of it. Here are some photos I took of various teams enjoying the sun as part of their run.

See more photos of the event here.


The Real Deal on Chip and PIN (EMV) in the US

May 29th, 2010 admin No comments

As many of you know, EMV, more commonly referred to as Chip and PIN (Chip/PIN), has long been established in areas such as Europe and most of the Asia-Pacific region.  Europe made the transition between 2001 and 2006.  Canada has a mandate of October 2010 for implementation and the intra-region liability shift.  The US, it seems, is now entering the game with a few very small but significant moves.

So will this bring us all the safety and security we want?  What will this change mean for cardholders and retailers?  Those are more complicated questions, and the answers really vary from one region, country or bank to the next.  Here are a few things that Chip/PIN changes do mean.

Liability Shift

If you read the Visa Operating Regulations (OpRegs) you’ll see three different listings for liability shift.  Merchants that accept Chip/PIN transactions are not always liable for fraudulent transactions, since the understanding is that they are asking for both a card and the PIN (something only the cardholder is supposed to know).

These shifts in liability can be domestic, intra-region or bilateral (according to Visa).  MasterCard says of domestic liability shifts, “A shift in liability to the non-EMV compliant party, fraud liability is borne by non-EMV compliant party for all regional transactions.”  Bilateral shifts existed previously between the various Visa regions: “Visa EU and CEMEA signed a bi-lateral agreement in order for the liability shift rule to apply for international transactions between both regions as soon as the CEMEA rule went into effect on January 2006.”

This shift takes the liability off the merchant, but who does it go to?  Well according to the Financial Ombudsman Service (FOS) in the UK that handles consumer complaint disputes, it is the bank that is responsible for the fraud unless customers acted “without reasonable care”. This could include writing down a PIN or allowing someone else to use a card.  What does this really mean?  Well, banks around the world are struggling as consumers claim fraud and the banks claim “without reasonable care.”

Risky Business

In a ComputerWorld article, analyst Avivah Litan says that “companies such as Visa and MasterCard should consider easing some of their security requirements for U.S. merchants willing to make their payment systems EMV-ready. Visa has reduced the scope of its security audits in cases where organizations have implemented EMV technologies, and the same could be done in the U.S.”

Pardon? (Fallacy alert!)

Let’s remember that Chip/PIN only helps reduce fraud at the individual merchant; it does not reduce the incidence of payment card data theft.  In fact Chip/PIN transactions can be just as risky as magnetic stripe transactions from a data theft and skimming perspective.  Chip/PIN cards used at a payment terminal may leave behind “track equivalent data”, which cannot be used to recreate the chip but could be used to re-encode the magnetic stripe on the back of a traditional card.  I mentioned this in 2008 and Gartner is still saying the same thing.

Conclusion

The US moving to Chip/PIN is a good thing and something that will drive down card-present fraud.  It may not directly impact payment card data theft and thus does not lessen the need for PCI DSS compliance.  I remember teaching a PCI DSS class of QSAs (back then CISP assessors) in the UK in 2006.  They struggled with the problem that merchants in the UK thought they didn’t need PCI DSS compliance because they had already adopted Chip/PIN, something they equated with “credit card security”.  I blogged about this from 2006 to 2007 to explain the differences between Chip/PIN and PCI DSS compliance and risks.

Companies that adopt Chip/PIN will still need to comply with the PCI DSS.  That being said, there are some benefits:

  • Reduced interchange (in some instances)
  • Reduced fraud (as measured in the UK by APACS)
  • Liability shift for Chip/PIN transactions


Friday Night Drinking and Shooting

May 12th, 2010 admin No comments

, originally uploaded by Chipmonkey (^o^).

After swing dancing and playing mahjong (poorly) one of my favorite non-computer pastimes is hanging out with photographers. I fell in with the Friday Night Drinking and Shooting group and have met a number of great photographers.

It’s like traveling with my own paparazzi entourage!

Here are a few of my favorites:

Rise of the Merchant Class

May 12th, 2010 admin No comments

Although you may know me more for my musings on traffic theory and becoming immortal, this post focuses on the increasing ease of exchanging money within our daily lives.

In the Beginning

You see, in the beginning was the bank and the bank stored all the gold.  Accessing the gold required going to the bank and withdrawing it for use in the marketplace.  As new modes of communication evolved, the methods of exchanging money became easier and easier.  You now have ATMs replacing banks for dispensing cash, e-commerce replacing brick-and-mortar, and PayPal replacing Western Union.  (Ok, so perhaps replaced is a strong term; instead these services supplemented the older forms of exchanging funds.)

Throughout time one thing that held true was the relationship between the merchant and the consumer.  The merchant was typically a company and the consumer an individual.  Common area market places such as eBay helped break down the walls and enabled individuals to sell items to other individuals, but still these required a virtual store front.

New Merchant Class

The term merchant is slowly being democratized in the open market place as individuals accept and exchange digital funds through fluid, simple, and inexpensive methods.  There are a number of factors that influence this new merchant class, so let’s go into a few.

  1. Increasing number of Payment Service Providers: The effect of Web 2.0 and social media applications has catalyzed the marketplace for new methods of exchanging money in both a virtual environment (Facebook, Second Life, Zynga) and via emerging payment methods (Spreedly, PayPal PayFlowPro, iPhone applications).  The lines between the individual and the merchant are blurring to the point that exchanging funds can be done more fluidly than ever before.
  2. Increasing number of payment integrators: With this increase in the number of payment service providers comes a wave of new businesses that aim to support the new merchant population.  With new merchants come new point-of-sale third parties who wish to sell them services and support.  More and more service providers are appearing with an ever greater list of services they are offering to the new merchant class.  Each of these new service providers may act as a vector or path through which an attacker can access payment data.
  3. Becoming a merchant is easier than ever: In addition to the new methods of accepting payments, merchants can go mobile faster than ever.  Instead of accepting cash only at the local farmers market, the new merchant class will gladly accept major payment cards via their Square or VeriFone PAYware enabled iPhone.  This level of service, once reserved for more established merchants, is now being disseminated into the hands of the masses.
  4. Chip and PIN increasing: Chip and PIN or EMV has seen great successes in reducing card present fraud in Europe and Asia.  This technology recently jumped-the-pond and was adopted for implementation in Canada.  It’s only a matter of time before merchants in the US begin to see Chip and PIN technology rolled out to their personal cards and then to their retail locations.
  5. Cost cutting is key: Previous approaches to compliance were via the mass adoption of security technology.  These days merchants are more cost conscious and agile in their approach towards compliance and security.  The new merchant class calls for reduced costs through new technology such as point-to-point encryption and “tokenization”.  They are happy to exchange the flexible use of payment data for the security and cost savings of scope reduction.  They are looking for overlapping regulatory controls to kill multiple birds with one stone.  They don’t want point solutions but instead comprehensive approaches towards security.  They want strategy, flexibility, and mobility instead of “solutions”.
  6. Training and education needed: In order to achieve these goals (adopt new technology, reduce scope, and leverage internal employees) there is a great demand for education on how to achieve all this.  The need is stronger than ever for an educated merchant class who understand the tradeoffs and can make strategic decisions that balance not just compliance but also business direction.

Future of Electronic Money

Today we see the breakdown of traditional models and the democratization of technology that equips and enables mobile merchants.  Taking this to its natural evolution, we will next see the seamless move towards person-to-person transactions where exchanging money is as simple as tapping your mobile phone against that of another.

  • Want to split the dinner bill five ways? Put all your cell phones back to back and shake them in unison and the bill plus tip is split five ways and paid!
  • Do you owe your friend $10? Pay them via email!

The barriers of exchanging proverbial gold are dissolving and those that enable this new future will be the ones who survive and rise to the top.

3 Steps to Reinvent Your Current Job

May 6th, 2010 admin 1 comment

I manage and mentor a number of people and always want them to get the most out of their career.  I’m a realist and know they will not be at their job forever.  Either they will find greener pastures elsewhere or their employer will replace or downsize them due to one reason or another.  In that period that they are in their job, however long it is, I want them to maximize both their and the company’s value.

When I talk with people about their jobs, many times I hear the same complaints:

“There is no career development.”

“I’m bored. I do the same thing over and over.”

“I’m too good to be promoted.”

“My boss doesn’t value my skills.”

Most of these statements reflect a common mistake when approaching your job.  The mistake is thinking that your job is there to make you happy.  You are dead wrong.  Your job exists to benefit the company and in doing so may benefit the employees with employment.  If your position is not seen as a benefit to the company you are in for a long disappointment.

3 Tools to Jumpstart Your Job

So how can we turn what we like to do and are good at into something that is seen as a benefit to the company?  I recommend that people approach their boss with the following three pillars:

  1. Inform them about what you are working on. You may assume your boss knows what you spend your time on but in many instances you would be wrong.  Your boss may know the core events but they may not know that you are working on a side project that will benefit the entire team.  You need to be your own cheerleader and in doing so you will get feedback on whether you should continue these projects or realign them to something that better matches the direction of your team or company.
  2. Suggest new ideas for how you can improve the company. Suggest a new service, a new approach, a way to cut costs, a way to remove bottlenecks.  Suggesting new ideas both shows initiative and puts you on the radar of your boss as an active member of the team.  When new opportunities arise or questions need answering your boss is more likely to go to you if they feel you share their desire to act beyond your role as an individual contributor.
  3. Ask how you can help. I have a million projects I am working on or being pulled into and would love for someone to volunteer to help me out.  In doing so I begin to see them doing my job so when it’s time for me to move on it’s easier for me to recommend them for my position.  Most people who are promoted are already doing the roles and responsibilities of their new position, so why not get started on your next promotion by asking for that work now.

Communication

Do not execute any of these items via email.  If TV killed the radio star then email killed the telephone.  Most people think email creates efficiency but the only thing it begets is more email.  If I receive an email over one page I usually won’t read it.  If an email takes more than a short paragraph to reply to I usually won’t reply via email.  I pick up the phone and connect with that person verbally.  Invariably it saves me valuable time and I often solve other problems in the process.

Your boss is busy and does not want to carry on an email conversation with you to help advance your career.  Call them to get immediate feedback on your ideas.  If they don’t offer feedback then ask for it.

“Do you feel I’m moving in the right direction?”

“Will this project have a broad impact on the organization?”

“What can I do to help you advance?”

Be Decisive

One last bit of advice, be decisive.  It’s OK to tell your boss that you want their job.  In fact it may very well make it happen faster.  Be up front and honest with others while maintaining a professional tone.

So that’s it.  Inform others.  Suggest new ideas.  Ask to help.  In doing so make sure you communicate clearly and decisively.  Welcome to your new old job.  Make the most of it while you’re there!


Payment Apps on iPhone and iPad – iSkimming?

May 1st, 2010 admin 1 comment

Another device, another application ported to it for processing payments.  This is the natural evolution of any technology and like any new deployment there are advocates on either side yelling ‘tastes great’ or ‘less filling’.  So I decided to weigh in on the conversation, let you know who feels what and what the real risks are.  I actually wrote about this back in January 2009 which you can read here (and check out other posts while you’re at it.)

On one side we have Forrester researchers yelling, “Stop the Madness! Payment Apps Are On The iPad Too Soon”.

On the other hand you have the payment processors, who are rolling out payment apps for the iPhone/iPad as fast as their customers demand them.  Although there are a plethora of payment apps for your iPhone/iPad, there are only two, that I know of, that accept swiped credit cards (magnetic stripe or track data).

I’m happy to see VeriFone having their application undergo PA-DSS validation and I’m sure Square will do the same, if not for security then for marketing power.  It is these situations that I feel the naysayers are most concerned about: applications that accept sensitive authentication data (i.e. track data, CVV2, or PIN block data).  The reasoning is that theft or compromise of this data is what leads to the highest incidence of credit card fraud in the industry, because it is hard to perpetrate high-dollar credit card fraud with only the PAN and expiration date.  This is directly reflected in the resale value of PAN information, which is sometimes 10 to 100 times less than that of the lucrative sensitive authentication data.

But let’s get real here.  The vast majority of payment applications for the iPhone/iPad only accept PAN and expiration date.  What is the real risk here?  I’m not as much worried about one of these applications being compromised as I am about the potential for iSkimming.  That’s right, did I just coin a term?

iSkimming: The sale of an altered or fraudulent mobile phone payment application that sends credit card details to an attacker before routing them to an authorized payment vendor.  The attacker is able to collect or harvest the payment card details, and potentially collect a fee for the payment application itself.

Much like credit card skimming in the physical world, we could see iSkimming in the virtual world.  The best way to protect against this is to NOT download an off-brand payment application.  I mean, would you use your credit card at a white-label ATM? I try not to.

If I wanted to accept mobile payments and reduce the risk of fraud, I would research the available market space and only use payment applications from vendors with a current good standing in the industry.

Let’s not slow innovation, just be smart about it.


How Compliance Regulations Get Made

March 23rd, 2010 admin No comments

In April 2010 I’ll be at SOURCEBoston on a panel discussing how compliance regulations get made.  This got me thinking about how to explain in simple terms such a complex series of events.  I’ve previously discussed the question of “why” regulatory compliance is important and its relation to vaccinations.  Here I’d like to discuss the “how” of regulatory issues.

(If you’d like to hear about this and other PCI related issues then register for the BrightTALK PCI Compliance Summit on March 25, 2010.)

There are so many debates about the pros and cons of regulatory compliance but they all focus on the individual and not the population as a whole.  In fact, the best way to model and examine the evolution of regulation and deregulation is through the eye of the scientist examining the entire population of players.

Background:

Let’s take a look at the history of regulation and deregulation.  The following are a few industries that have experienced both regulation and deregulation over the years, but the list may as well also include industries such as agriculture, telephone, communications (radio, TV, cable), medical and pharmacy.

  • Airline
    –Civil Aeronautics Board (1937)
    –Airline Deregulation Act (1978)
  • Railway
    –Interstate Commerce Commission (1887)
    –Railroad Revitalization and Regulatory Reform Act (1976) / Staggers Rail Act (1980)
  • Trucking
    –Motor Carrier Act (1935)
    –Motor Carrier Regulatory Reform and Modernization Act (1980)
  • Energy
    –OPEC price hikes (1973)
    –Emergency Natural Gas Act (1977)

Each of these industries experienced a need for regulation and eventual deregulation in order to keep in check the potential for large problems that could impact large numbers of people (e.g. monopoly, poor conditions, unbound risk, lack of consumer protection).  In 1935 Congress passed the Motor Carrier Act, which gave the Interstate Commerce Commission (ICC) authority to regulate trucking involved in interstate commerce.  When the confines of this regulation outlived its usefulness the tides turned.  From 1971 until the eventual passage in 1980, politicians worked to remove barriers to entry into this industry and finally passed the Motor Carrier Regulatory Reform and Modernization Act.  This migratory pattern of regulation and deregulation occurs regularly in many industries.

Pattern of Data Loss

It is no surprise to anyone that there is a building momentum of data loss.  We can gather individual statistics from the news or get detailed statistics from DataLossDB.org.  Either way we notice a pattern of attacks and rising numbers of data breaches that make us ask, is the situation getting better or worse?  Is what we are doing having the desired effect?

It’s very difficult to answer that question since the problem is multi-factorial, but there are signs that things are getting better.  As fraud shifts from one industry to another and one method to another we are slowly driving it from the system.  (This type of analysis does not apply as easily to authentication/identity fraud, but may very well apply to system infiltration and data exfiltration techniques.)  For example, we see attack vectors moving from one method to another and from one geographic region to another.  Attackers originally stole data from flat files, but when those were encrypted the attackers began capturing data as it traversed the network.  When that was encrypted they began installing custom malware to capture data in memory.  Slowly the protections are moving from the system, to the network, to the software, and finally to the hardware.

As protection systems such as Chip and PIN were implemented across Europe and Asia we saw a drop in card-present fraud as the attackers moved to online and e-commerce fraud (per UKPA or APACS figures).  The attackers adapted to the system and moved on to other low-hanging fruit.

History of Regulatory Time

I can’t really do justice to replicating the work of David Lineman, of Information Shield, so I’ll simply reference his paper “A History of Regulatory Time” and his graph showing a timeline of security and privacy-related regulations.  Take a look and map the regulations against the major data breaches of recent years, and we begin to notice the correlation of regulation in reaction to the rising tide of data breaches.

Inflection Points and Traffic Jams

Simply analyzing data breaches and their respective reactionary regulation doesn’t paint a precise picture of how the regulations are formed, only that they are somehow correlated.  To understand this we need to first understand a little about math.  An inflection point is where a curve’s slope stops increasing and starts decreasing (or vice versa), that is, where its concavity changes; it is not the peak or trough where the value itself turns around.  In terms of data breaches we can ask whether the number of breaches, though currently increasing, is increasing at a growing or a shrinking rate.

Andy Grove, co-founder of Intel, said in his book Only the Paranoid Survive that “An inflection point occurs where the old strategic picture dissolves and gives way to the new.”  We need to focus on this inflection point in order to understand whether the increasing numbers reflect a state of growth or decline in a system, which we are (unfortunately) only able to measure over time.

In fact, this concept is familiar to physicists as “hysteresis”.

For example, consider a thermostat that controls a furnace. The furnace is either off or on, with nothing in between. The thermostat is a system; the input is the temperature, and the output is the furnace state. If one wishes to maintain a temperature of 20 °C, then one might set the thermostat to turn the furnace on when the temperature drops below 18 °C, and turn it off when the temperature exceeds 22 °C. This thermostat has hysteresis. If the temperature is 21 °C, then it is not possible to predict whether the furnace is on or off without knowing the history of the temperature.

The question we always ask is “Where are we on the Sine Wave of Pain?”  Is the rate of negative events increasing or decreasing?  The only way to know is to gather and map data, measure trending patterns in the industry, and make calculated estimates as to which it is.

One thing is for sure: the population, not the individual, is what drives regulation, and as such it is the population that examines the rising data loss numbers and determines when it wants change.  It is this demand for change that ultimately starts the regulation engine to effect what the individual cannot directly.

Traffic Patterns and Modeling

Still, all we have shown at this point is that a culmination of actions can result in change brought upon by the populace.  How that change is enacted is an area of great interest and one that draws from, of all things, traffic patterns.  Before getting into that I’d like to reflect on different types of phase shifts seen both in nature and fiction.  We are all familiar with the concept of ice melting into water which freezes into ice.  It was Kurt Vonnegut who in his book Cat’s Cradle first proposed the fictional concept of Ice-Nine.  This was said to be a polymorph of water with a melting point of 45.8 °C (114.4 °F) instead of 0 °C (32 °F).  The idea being that ice could maintain its ice form even at room temperature, which is around 20 °C (68 °F) to 25 °C (77 °F).  In the book, it would take only a single fragment of “ice-nine” to come in contact with the ocean and it would all instantly freeze.  This shows how a seemingly stable system can react suddenly when given the proper catalyst.

A common method of modeling traffic patterns is the Nagel-Schreckenberg (NaSch) model.  (For more detailed information on this model I recommend reading Traffic Simulation using Agent-Based Modelling by Andrew Lansdowne.)  The diagram to the right shows this model in that the traffic flow (y-axis) is measured against the traffic density (x-axis).  You can see that as the traffic density increases the traffic flow increases.  This continues until point “A”, where we reach the critical density.  This is the density at which a change can occur but not at which it must occur.  If everyone continues driving along at the same rate the density can increase until a critical event occurs that breaks down the system.  An example could be one person applying the brakes, which then causes the person behind them to do the same, and on and on.  Point “B” is the moment at which the critical event occurs.  At this point we see the traffic flow decrease, representing the slowing of traffic until the density is so high it stops (point “D”).

One interesting feature of this series of events is that the traffic flow pattern will always exist in a cycle moving from point A to B, to D and back to A in that order.  Traffic will never go from D to B because doing so requires it to first traverse A.  Remember that term hysteresis?  In the book Critical Mass by Philip Ball he states, “A state of traffic depends not only on its density but on its history – on whether it was previously denser or less dense.  As the traffic rate rises and then falls, the flow rate follows a loop.”

We can examine the graphical flow of data in another form by mapping space on the road (x-axis) against time (y-axis).  As you can see in the second diagram, we map the position of each vehicle over time.  Until the density decreases the traffic jam will continue.  Here the traffic jam is visible in the very dense points as a diagonal across the diagram.  Once the density decreases we once again see a greater flow of traffic.
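As an added illustration of the model (this is example code written for this page, not from Lansdowne’s paper or Ball’s book), the following Python implements the four Nagel-Schreckenberg update rules on a circular road and measures the flow at several densities, so the rise to a critical density and the collapse into a jam (points A to D above) can be reproduced numerically rather than only read off a diagram.  The road length, maximum speed and random-slowdown probability are assumed parameters chosen for the demonstration; the hysteresis loop of an open road is not reproduced here, only the flow-versus-density curve.

```python
import random


def nasch_step(road, v_max, p_slow, rng):
    """Apply one parallel update of the Nagel-Schreckenberg rules.

    road[i] is a car's current velocity (0..v_max) or None for an empty cell.
    The road is a ring. Returns (new_road, total cells moved this step).
    """
    n = len(road)
    new_road = [None] * n
    moved = 0
    for i, v in enumerate(road):
        if v is None:
            continue
        # 1. acceleration: every driver wants to go faster
        v = min(v + 1, v_max)
        # 2. braking: never drive into the car ahead (gap = empty cells in front)
        gap = 0
        while gap < v and road[(i + gap + 1) % n] is None:
            gap += 1
        v = min(v, gap)
        # 3. random slowdown: the "one person applying the brakes" of the post
        if v > 0 and rng.random() < p_slow:
            v -= 1
        # 4. movement (all cars move simultaneously, so no collisions arise)
        new_road[(i + v) % n] = v
        moved += v
    return new_road, moved


def make_road(n_cells, density, rng):
    """Place round(density * n_cells) stationary cars at random cells."""
    road = [None] * n_cells
    for cell in rng.sample(range(n_cells), int(round(density * n_cells))):
        road[cell] = 0
    return road


def mean_flow(density, n_cells=200, v_max=5, p_slow=0.3,
              warmup=200, measure=300, seed=1):
    """Flow in cars per cell per step (density x mean speed), after a warm-up."""
    rng = random.Random(seed)  # seeded so results are reproducible
    road = make_road(n_cells, density, rng)
    for _ in range(warmup):
        road, _ = nasch_step(road, v_max, p_slow, rng)
    total = 0
    for _ in range(measure):
        road, moved = nasch_step(road, v_max, p_slow, rng)
        total += moved
    return total / (measure * n_cells)


def fundamental_diagram(densities, **kwargs):
    """(density, flow) pairs: the flow-vs-density curve of the post's first diagram."""
    return [(d, mean_flow(d, **kwargs)) for d in densities]


def critical_density(densities, **kwargs):
    """Density with the highest measured flow: point A, beyond which jams appear."""
    return max(fundamental_diagram(densities, **kwargs), key=lambda pair: pair[1])[0]


if __name__ == "__main__":
    grid = [0.05, 0.1, 0.15, 0.2, 0.3, 0.4, 0.6, 0.8, 0.9]
    for d, q in fundamental_diagram(grid):
        print(f"density {d:.2f}  flow {q:.3f}")
    print("critical density ~", critical_density(grid))
```

Running it prints flow climbing with density up to a peak somewhere around 0.1 to 0.2 cars per cell (with these parameters) and then falling towards zero as the ring fills up, which is exactly the A-to-D shape described above; the random slowdown in rule 3 is what lets a single braking driver seed a jam that then propagates backwards along the road.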

What’s the Solution?

As you can see, modeling traffic patterns can be very similar to the regulation and deregulation of an industry.  So what is the solution to an increase in incidents that pushes us past the critical density?  Contrary to initial thought, the solution to high traffic is not to simply build more roads.  In fact, Richard Moe, head of the US National Trust for Historic Preservation, once said “building more roads to ease traffic is like trying to cure obesity by loosening the belt”.  Simply applying ‘more’ security does not mean you achieve ‘better’ security.

I propose the following approaches:

  • Help prevent data sprawl :: Security is required where data is maintained.  Does your environment reflect the “data, data, anywhere” or “data, data, everywhere” philosophy?  Do you know where all your data is? Does it exist in more locations than is necessary?  Check these items and set measurable actions to correct it.
  • Examine use cases :: While medical record data requires persistence, payment card data is only used once and then not ever again.  The use cases are simple enabling a flexible set of measures to secure the data.  If your business model does require retention of data then examine what data you are retaining and make sure it’s as benign as possible.
  • Brute force is effective but costly, while the elegant solution is simple and secure :: Have you ever considered replacing the data you retain with a reference number instead?  I recommend you read up on technologies such as point-to-point encryption and tokenization.
  • Solve tomorrow’s problems with today’s technology :: Problems are not hard if you know which ones to solve.  I recommend absorbing and comparing as many of the data breach reports (more) as you can to determine what emerging attack patterns exist in your industry and how to prevent them.  If you are only able to implement one set of technology every 10+ years then make sure it solves tomorrow’s problems and not yesterday’s.
  • Plugging one hole doesn’t save the levee :: Reducing card present fraud drives attackers to e-commerce.  Reducing fraud in one country drives them to others.  Only a holistic solution will work on such interconnected systems.  This is one of the arguments for industry regulation.

3 Habits of Highly Effective Regulation

In the end there are three attributes, or habits, that make regulation effective in achieving adoption and acceptance.

  1. Education, education, education :: This is the single most effective method of driving adoption.  People want to know how to interpret, implement, and adopt the regulation to their business model.  I’ve seen more people fail to start because they didn’t know where to start than anything else.  People want to know if they can use a $0.10 piece of duct tape or if they need to replace the entire engine of the car.
  2. Flexibility of controls :: This is an attribute of so many regulations due to the fact that they apply to such a range of companies, industries, sizes of organization and the like.  Remember that 100% compliance is not the goal when system failures occur in groups.  The PCI DSS has what’s called “compensating controls.”  The EU Data Protection Directive has the “comply or explain” concept.  Even the ISO 27000 series does not mandate 100% adherence to each and every control.
  3. More data for Risk Modeling :: Let’s consider this without getting into a debate over Frequentist vs. Bayesian statistics (as I’ll leave that to Alex Hutton).  The more data we have the more closely we can make educated decisions about how to evolve the standard, protect against failure, and make deterministic decisions about how to proceed.  More data will help us understand when we have reached an inflection point and ultimately determine when the rising regulation turns toward deregulation.