"Internet isolationism is bad for business"

don-corleone.jpgDan Kaminsky has a good essay on internet isolationism, which is his name for the opposite of net neutrality. It starts:

Oh, sure, there’s UPS and DHL and the US Postal Service. But imagine if they were all proposing that, because people make money based on the contents of packages other people shipped, that they should see some of that money. Imagine they implied that, if you or your company did not pay a reception fee… well, things might happen. Packages might get lost, you see.

Read “Internet Isolationism is bad for business.”

Me, I’m fond of noting when business tactics can be compared to the mafia. Anyway, it’s a good essay, and worth realizing that the opposite of neutrality isn’t opinion, it’s isolationism and an end to innovation on the internet.

Questions about 'Ignoring The "Great Firewall of China"'

Later today at the Privacy Enhancing Technologies workshop, , Richard Clayton will be presenting a talk on “Ignoring the Great Firewall of China.” I’ll be the ‘session chair’ for the session, which usually means I make sure the speaker is in the room, has some slides on a computer, and knows how much time they have remaining. It also means I’ll get to ask a question if I have a good one. Right now, I don’t, but suggestions are welcome.

(I will try to read through the comments on the links below, as well.)

See Richard’s blog post, via Schneier or Slashdot.

Indistinguishable from magic

The press relase you won’t see.

For Immediate Release
The Catawba County Public School System (NC)  announced today that
district web site administrators have remedied a configuration error which
accidentally resulted in the social security numbers and names of several
hundred students being made available via the popular Google search engine.
Officials were alerted to the misconfiguration when the confidential data
was found by a district parent seeking information on a beauty pageant
Catawba County Schools chief technology officer Judith Ray explained that,
although the district's site password-protects areas containing non-public
information, the area containing the student information had inadvertently
been excluded.  "Our web masters immediately recognized their error", Ray
added, "and made the change needed to protect this information".  All
affected individuals have been notified, and the district has modified
both its web site configuration, and its document management processes to
provide an additional layer of checking against a repetition of the error.
Moreover, added Ray, the district has begun a process of removing social
security numbers as identifiers from files it maintains.  "This information
was gathered in another era.  Today, it's simply inappropriate.  We're
updating our databases, just as we've updated our procedures", she explained.
The district's quick response was matched by Google.  A day after being
informed of the exposure, the information was no longer available via
the popular search engine.

What you will see instead:

Q. How did this happen?

A. School system officials say Google broke through the password and
username protected server the information was stored in and took a photo
of the page, which it posted to the Internet.

(Hat tip to lyger)

I’m Joining Microsoft

I’m very pleased to announce that I’ve accepted a position with Microsoft. I’ll talk in a bit about the work I’ll be doing, but before I do, I’d like to talk a bit about the journey that’s brought me here, and the change I’ve seen in Microsoft that makes me feel really good about this decision.

I started my career as a UNIX sysadmin. You can find really old email from me to Sun-managers, or a 1994 “Introduction to S/Key.” In the past, I’ve heaped scorn on Microsoft’s security related decisions. Over the last few years, I’ve watched Microsoft embrace security. I’ve watched them make very large investments in security, including hiring my friends and colleagues. And really, I’ve watched them produce results.

In making this decision, I’ve had conversations with many people and organizations. The one theme that stands out was the difference in the conversations I had with Microsoft versus other software producers. Some of things that Microsoft does and are looking to improve haven’t even made it in rudimentary form anywhere else. I found myself having to shift gears and explain Microsoft’s Security Development Lifecycle. I noticed no one else with a Blue Hat conference. No one else stopping feature development to hunt for bugs. I (re-)discovered how few organizations have even basic formal security processes in place, and how few of those have audit to make sure that their processes are followed.

I realized just how many smart people are thinking about these questions at Microsoft, and I’m glad to be joining them. I’ll be working on threat modeling and improving that afore-mentioned Security Development Lifecycle.

Part of the process that’s taken a long time and has been hard for me is that Microsoft is adamant on minimizing risks of intellectual property contamination, and that includes technical advisory boards (TABs). Looking around, I found exactly two Microsoft employees on commercial TABs. One was John Conners, CFO, the other is Rob Willis, who founded the company he now advises. Two people. Six years. I might have had a slightly better chance if I wasn’t taking the role I’m taking, in a central security group. I want to be clear that my decision is about the tremendously cool opportunity within Microsoft, not a lack of confidence or enthusiasm for the companies I have had the pleasure of working with. I remain enthusiastic, and wish all of them them great success.

That said, Microsoft didn’t offer to buy this blog. It remains mine, with a healthy dose of Chris and Arthur, and lots of great reader comments. I am free to say what I want here, and they’re free to question my judgment. At the same time, I’m going to shy away from some topics: Microsoft. How other companies do security processes. Why you should use IE. I’m going to shy away from these, at least initially, because there’s a tendency to take everything Microsoft employees say as company gospel, regardless of disclaimers, etc. I expect to speak more about liberty, privacy, breaches, usability, and as I find them, giant animals.

So, I’ve joined Microsoft, and I look forward to doing great things here.

More on Risk Tolerance

funky-dice.jpgThere’s a number of good comments on “Risk Appetite or Volatility Appetite,” and I’d like to respond to two of the themes.

The first is “risk appetite is an industry-standard term.” I don’t dispute this. I do question if I should care. On the one hand, terms that an industry picks up and uses tend to be useful and revelatory. Sometimes, they are also distortive. Risk appetite makes sense from the perspective of the financial industry, which is selling products of various riskiness. Knowing their customer’s appetite for risk makes sense. It makes sense even if that appetite is formed on false premises, that you must accept higher risk for a higher return. This is clearly false-just look at interest rates on insured savings accounts. A great deal of return is a function of information, and the willingness to find and use it. (Admittedly, a high interest rate may correlate with moral hazard on the part of the insured bank, and you may have to accept getting your money back later.) I think that the term risk appetite is also distortive, in that it influences the way people look at risk. I once caught myself looking for a risky investment, rather than one with a high expected upside. That high-reward investments often include lots of risk doesn’t mean it’s what I’m looking for.

The second is that I misunderstand risk. That may well be true, but I think that the goal of disaggregating risk from reward is useful. Anyone who’d like to offer up a more purely disaggregated risk is free to do so. It’s an interesting thought experiment, one that’s clearly making many readers uncomfortable. That’s not my usual goal, but I’m willing to accept it now and then in exchange for a rewarding conversation.

(These dice are from NelC, too.)

Proud Comments About Bank Spying

spies.jpgOver at the Counterterrorism Blog, Dennis Lormel writes “Initial Comments about Terrorist Financing and “The One Percent Doctrine”” and “U.S. Government Terrorist Financing Initiative Involving SWIFT:”

…I was in the FBI in a leadership role responsible for terrorist financing. Immediately after 9/11, we realized we had to develop financial investigative methodologies different than anything we had done before. We had to think outside the box by developing and implementing time sensitive and time urgent investigative techniques. To succeed, we needed the assistance of the financial community. At all times, we were cognizant of privacy rights and civil liberties.

He seems hurt that people don’t understand the programs, and how the FBI carefully balanced their interests with those of society, as they’d been instructed to do by Congress and the public, when we passed the “Hey, you guys figure it out” law. (Snark aside, Congress did seem to take that attitude for a while.) The American people are worried about the unfettered exercise of power. One subpoena doesn’t seem to balance with “probable cause,” or our expectations of how these things ought to be done.

We should be having debates about these things, and the debates require information.

There’s good information in both posts, especially about how the counterterror groups view what they’ve done. See also, “Provider of financial records to US had assurances,” by Reuters.

Gartner to Google: Learn to read minds

Concerning a school district which misconfigured its web server and wound up posting student social security numbers for all — including Google’s spiders — to see, Gartner’s Avivah Litan weighs in:

They say the Internet is free and open, and you can’t stop them,” Litan said. “But they ought to scrutinize some of the content and, at least, send a warning to Web sites that they’re exposing this information.

Google doesn’t honor robots.txt? Wow. Gartner really does know something everyone else doesn’t.