Dear TSA, How Do We Contact Thee?

Phil Schwan, who was able to read to the end of “Homeland Security tracks travelers’ meals” without blowing a gasket, noticed that they said they’d only gotten 15 comments:

I tried for 30 goddamn minutes to figure out how to comment. That’s
why there are only 15 comments. All I could find was a Privacy
Impact Assessment, authored by their “Chief Privacy Officer”, which
was a total whitewash.

If you can figure out where to send it, I’ll comment. Otherwise, the
terrorists win again.

Can someone help? Where do we send comments about this crap?

We’ll have more, and cheerier, from Phil over the weekend.

The New Transparency

Sometimes, we Americans forget how lucky we are to live in a country with 51 legislative bodies, all of which can pass laws which affect all of us. By sheer luck, some of those laws will not stink, and a few actually turn out to be useful, not jarringly out-of-tune with the gestalt, and not trampling civil liberties.

One such example is the rise of 1386-style laws. There are now 35 of them, of which some stink, and some are good. What interests me most is the commentary surrounding the Nationwide laptop loss. NatWest is a ‘Building Society’ in the UK, which roughly maps to a credit union in the US. [NatWest is not Nationwide. Thanks, Richard!]

Note both the expectations, and the explicit admission that problems are being swept under the rug, in this BBC story:

Diane Gaston, of the National Consumer Council, told the programme she is angry customers were not told sooner.

“A three-month delay is appalling. People should be able to trust that if a problem has happened they will be told about it straight away.”

And why is that? The UK has no breach notice law, as of yet. Neither does the EU. Ms. Gaston is speaking of an ethical expectation, based on seeing change in the US. It would be my guess that she’s not even aware of the shift. In saying that, I mean no disrespect, only that no one noticed the absence of these notices, but now that they’re here, we would certainly notice their disappearance.

More from the BBC:

But Nationwide said there is no indication that data had been stolen and nobody has lost any money.

Chief executive Philip Williamson told BBC Five Live that he was “genuinely sorry” for the theft and any concern it had caused customers.

But, Barry Stamp, former director of CIFAS, the fraud prevention service, said it was unusual for an entire customer database to be stored on a laptop.

Mr Stamp, who is now joint managing director of, told the BBC: “On the one hand we should say hats off to Nationwide for actually admitting that one of these laptops has been stolen.

“We’ve seen cases like this almost every week at the moment, but on the other hand you have to ask why that information was contained on a laptop and why the security was lax at Nationwide in such a way that you could download the entire database to a laptop.”

This was linked by Slashdot, whose lead includes:

This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public?

Again, note the underlying assumption: breaches should be made public, and quickly. What a transformation 1386 has caused, around the world. From one little law in California.

Photo: Radiographica by B3ca.
How’d you like to be the person at British Airways who has to write the letter to 30,000 people explaining that they might have been exposed to a radioactive poison while traveling on BA flights?

Remarkably, authorities will not confirm that the substance detected was Polonium, yet passengers on the flights are being asked to talk to their doctors. About what? The general risks of ionizing radiation? No need for that, since BA helpfully has that information right on its web pages.

I know little about such things, since the only physics lab I studied in had a telescope as its main instrument, but if I am going to ask my doctor how much I need to worry, she’s going to want to know what kind of radiation I was exposed to, and for how long. I don’t see that information as being available, so it seems as though asking the passengers to speak to their doctors is really asking doctors to give their patients a pat on the head.

Meanwhile, the contrast between the official reaction to this incident, which I would describe as quite measured, and the reaction to the “chemical explosive threat” could hardly be more stark.

More on Godin and Tufte

There’s another good article on Juice Analytics, “Godin, Tufte, and Types of Infographics” (hey, guys, where are the author names? Author names only show in RSS, not the web page?):

Tufte frustrates on a number of levels. He is enormously influential in business. Businesses send people to his seminars and they come back energized with the essential truthfulness of his message. Yet weeks later those principles are abandoned by the lack of practicality of his message. No one in business is going to design a graph in Adobe Illustrator as he can. They use Excel. Seldom can we spend days or weeks refining and testing a graph. The work must be done and then we move on.

So I totally agree with this, and ask: why aren’t we asking more of Excel? Why can’t we get graphics of Tuftian quality from it? As I’ve said, I’m really fond of the ribbon design, and if enough customers were asking for great, well-defined improvements in graphical excellence, I suspect Excel would ship them. (A personal example: I’d like to be able to lock a set of graphs to the same scales for the axes, so I can create small multiples more easily. I have some graphs today that slice one data set differently, and I have to work hard to make the scales the same.)

It would be really interesting to see if the community of excellence around Excel could come up with ideas.

(In another post, Zach points to Re-Visions of Minard.)

The Two Minute Rule for Email and Slides?

So I’ve been discomfited by the thoughts expressed by Tom Ptacek and the Juice Analytics guys over what presentations are for, and a post over at Eric Mack’s blog, “A New Two Minute Rule for Email.” The thing that annoys me is the implicit assumption that all issues should be broken down into two-minute chunks. That we’re all dumb enough to require summaries like “It’s a slam dunk, Mr. President.” I find myself slipping into this belief. Annoyed that the authors of “A Report on the Surveillance Society,” prepared for the UK Information Commissioner, didn’t make it shorter. It’s already easy to read, but it’s 102 friggin’ pages. Who wants to read 102 pages? You’re probably already onto the next blog post.

If you’re not, it may be because you recognize that there are arguments that take longer. There are also arguments that don’t take so long, and I think I’ve made mine.

PS: I don’t think that Juice or Tom would ever argue for a hard-and-fast rule of this sort, but guidelines with subtlety become rules that people get tied up about.

Fanning the flames, security metrics style

Amidst the to and fro over insider v. outsider threats, whether security metrics can be “gamed”, and so on, and in recognition of the best buddies that security geeks and economists have now become, I offer the following.

The saying often quoted from Lord Kelvin (though the substance, I believe, is much older) that “where you cannot measure your knowledge is meagre and unsatisfactory,” as applied in mental and social science, is misleading and pernicious. This is another way of saying that these sciences are not sciences in the sense of physical science, and cannot attempt to be such, without forfeiting their proper nature and function. Insistence on a concretely quantitative economics means the use of statistics of physical magnitudes, whose economic meaning and significance is uncertain and dubious. (Even “wheat” is approximately homogeneous only if measured in economic terms.) And a similar statement would apply even more to other social sciences. In this field, the Kelvin dictum very largely means in practice, “if you cannot measure, measure anyhow!” That is, one either performs some other operation and calls it measurement or measures something else instead of what is ostensibly under discussion, and usually not a social phenomenon. To call averaging estimates, or guesses, measurement seems to be merely embezzling a word for its prestige value.

Frank H. Knight, “‘What is Truth’ in Economics?”, The Journal of Political Economy, Vol. 48, No. 1, Feb. 1940, pp. 1-32.

Halvar on Vulnerability Economics

Back in July, I wrote:

If fewer outbreaks are evidence that things are getting worse, are more outbreaks evidence things are getting better?

Now, I was actually tweaking F-Secure a little, in a post titled “It’s Getting Worse All The Time?” I didn’t expect Halvar Flake would demonstrate that the answer is yes. Attacks getting worse may well mean that things are getting better. Which is kind of counter-intuitive.

In “Client Side Exploits, a lot of Office bugs and Vista,” he writes about the other side of the Vista exploit coin, and how good security can drive bugs into widespread use:

ASLR is entering the mainstream with Vista, and while it won’t stop any moderately-skilled-but-determined attacker from compromising a server, it will make client side exploits of MSOffice file format parsing bugs a lot harder…As a result of this, client-side bugs in MSOffice are approaching their expiration date. Not quickly, as most customers will not switch to Vista immediately, but they are showing the first brown spots, and will at some point start to smell.

See also “Economics of vulnerabilities,” and “Vulnerability Game Theory.”

Small Bits of Chaos

Banksy Again

Or how museum security is like information security. Or, as Sivacracy put it, “Involuntary Art Acquisitions”. Call it what you will, but in all cases it highlights the fact that most security programs, be they physical or information focused, tend to be unidirectional. In the case of museums, the aim is to ensure that nothing illegitimately leaves the premises; in infosec, traditionally, it is that no one breaks in.

In this case Banksy walked into several famous New York museums and hung up pieces of his own art.

One can argue that museums shouldn’t worry about people putting up art, but I have to say, I’m worried that it took 3 of the 4 museums multiple days to notice.