Posts tagged ‘Arizona Corporation Commission’

AZ Corporation Commission's Completely Inadequate Response to My Critique on their Site Security

A while back I wrote about my concerns about the total absence of any security at all in the Arizona corporate annual reporting system:

I started the annual reporting process by just typing in the name of my company and getting started.  There was no password protection, no identity check.  They had no way of knowing I had anything to do with this corporation and yet I was answering questions like "have you been convicted for fraud."  The potential for mischief is enormous.  One would have to get the timing right (an annual report must be due before one can get in) but one could easily open the site on January 1 and start entering false information in the registrations for such corporations as Exxon and Wal-Mart.

See for yourself.

I showed how one could open and file the report for a company like Wal-Mart, changing all their officers' names, and confessing to all sorts of imagined corporate crimes:

Again, note what I am saying.  This is not the result of hacking.  This is not lax security I figured out how to evade.  This is the result of no security whatsoever.  I simply went to the link above, clicked on the Wal-Mart Associates link, and then clicked on the annual report link.  I know from doing my own registration that there is a signature page at the end, but all you do is type in the name of an officer and a title -- data that is right there on the site.  It's like asking you for a password after the site just listed all the valid passwords.

The head of the Arizona Corporation Commission wrote me back. Here is her email in its entirety:

Dear Mr. Meyer:

Thank you for your email regarding the Corporations Division.  The Arizona Corporation Commission is the repository for all business formation documents for corporations and limited liability corporations.  We are in full compliance with state statutes.

Submitting false documents to alter another’s corporate structure or status is a crime and carries a Class 4 or Class 5 penalty.  The Commission or the aggrieved business entity may refer the false filing to the Attorney General’s office for prosecution.  Additionally, the individual business entity may pursue a civil cause of action.  The Commission only accepts on-line charges for a few services such as name reservation or to order a certificate of good standing, and the online payment process is completely secure.

Even though the Commission’s existing security measures comply with the state law and are similar to most other states and other Arizona governmental entities like the County Treasurer’s Office, the Commission is looking at implementing new technology to allow for the online submission of additional services – such as the filing of original Articles of Organization and Articles of Incorporation.  We do intend to provide password protected security features when that new technology is offered to the public.

J. Jerich

Executive Director

Arizona Corporation Commission

I had no doubt that submitting a false annual report for Wal-Mart would be illegal.  Duh.  However, it is just incredibly naive that this is the sole extent of the Commission's security, to prosecute people once the damage is done.  Can you imagine if Amazon had the same security policy - "we are getting rid of passwords because it would be illegal for you to buy something from someone else's account."  I wonder if the commissioners leave their doors unlocked at night, trusting in the threat of future prosecution to deter burglary and mayhem in their homes?

Arizona Corporation Commission Web Site is Criminally Insecure

Today I had to do my annual renewal of my corporate registration in Arizona.  As in most states, this involves a bit of information foreplay followed by the purpose of the exercise -- sending in a check to the corporation commission.

But here is the extraordinarily scary part -- I started the annual reporting process by just typing in the name of my company and getting started.  There was no password protection, no identity check.  They had no way of knowing I had anything to do with this corporation and yet I was answering questions like "have you been convicted for fraud."  The potential for mischief is enormous.  One would have to get the timing right (an annual report must be due before one can get in) but one could easily open the site on January 1 and start entering false information in the registrations for such corporations as Exxon and Wal-Mart.

See for yourself.  Below is a screen shot of the site letting me in to edit one of Wal-Mart's corporate registrations in Arizona:


Again, note what I am saying.  This is not the result of hacking.  This is not lax security I figured out how to evade.  This is the result of no security whatsoever.  I simply went to the link above, clicked on the Wal-Mart Associates link, and then clicked on the annual report link.  I know from doing my own registration that there is a signature page at the end, but all you do is type in the name of an officer and a title -- data that is right there on the site.  It's like asking you for a password after the site just listed all the valid passwords.

If I disliked Wal-Mart, I could put all kinds of crazy garbage in here.  I did not go further, because I would have had to answer these questions to proceed and I had no desire to mess with another company's critical data, but if I had gone further I could have changed their mailing address, the names of their officers, etc. -- all I had to do was just pay the $60-ish registration fee for them and they would have a big mess on their hands to sort out.   If I had access to a fake or stolen credit card and a public computer, I could have done it all without any hope of being traced.

By the way, from my experience, this is not unique to Arizona.  This criminally lax behavior seems to be the norm in most states.

I have submitted this all as a complaint to the state, so far with no response.  If anyone in AZ knows how I can get someone's attention with this, let me know.

Chutzpah Award -- "Decoupling" Revenues from Actually Having to Deliver Services

I read this article three times to see if it made any sense, and it still does not, except as an incredibly ballsy attempt by a member in good standing of the corporate state to get more revenues out of its customers by government fiat.

A major shift in business is occurring at Arizona Public Service Co. and other regulated utilities in the state.

APS, Southwest Gas and other utilities are beginning to ask regulators to "decouple" their prices from the volume of their sales, which proponents said will encourage conservation.

If approved by the five-member Arizona Corporation Commission, decoupling would allow APS to collect a certain amount of revenue per customer regardless of how much energy was sold.

It would wipe out utilities' incentive to sell more power and be akin to a fast-food restaurant paying loyal customers to go on a diet.

Wow, what a fabulous business concept!   It's obviously a holdover from some horrible past wherein we pay for services based on, you know, actually getting those services.  End the tyranny of giving consumers something in return for their money!  In the modern corporate state, everyone knows a corporation earns revenue in proportion to how much influence it has with the government, and how much that government can be cajoled to let the company take by fiat from consumers.  Silly old me, actually charging people in my business for camping when they actually camp.  I should have been running to the government to get them to let me charge everyone in the country whether they camp or not.  By all means, let's let McDonald's decouple taking your money from actually giving you a Big Mac in return.

Seriously, beyond the fact that this concept is obscene, it makes zero sense even against its stated goal of conservation.   They are basically talking about shifting the consumer's marginal cost for electricity to zero.  How in the hell is that going to spur conservation?  Charge me the same amount each month for gas whether I drive or not, and that is going to cause me to drive less??

Apparently, in the weird mental world of utilities, conservation only results from utility subsidies of efficient appliances.  So the big benefit here is utilities can somehow better afford their subsidies for more efficient appliances.  Left unexplained is why anyone would want to buy even such a subsidized device once their marginal cost for electricity goes to zero.  This is such typical government-think, assigning much more value to government intervention and choice of winners in balancing supply and demand than they do to the operation of markets and prices.

Here is an idea -- just freaking stop subsidizing this stuff.  See, problem solved.   We now no longer need a new pricing model.  Either conservation makes sense for the end user to invest in or it doesn't.  Here is an example they cite:

An example of how APS promotes efficiency is found at the 250-student Metropolitan Arts Institute in Phoenix, which replaced $23,000 in lights last year. APS contributed $20,000 to the project.

The school said it saves about $2,000 a month in energy costs with the new lights and recovered its costs for the project in two months.

The new lights use less energy and produce less heat, reducing the air-conditioning needed.

Why the hell is our utility using my money to subsidize this particular institution?  If the numbers are right, the investment, without a subsidy, has a 12-month payback.   Very respectable.  So why does this even need to be subsidized in the first place? Why is my money needed to give the Arts Institute a 1.5 month payback instead of a 12-month payback?

This is a total ripoff.  I can't possibly believe they are even considering giving this to these guys.