Black Hat Speaker Selection

Black Hat USA News:
We’re very proud to announce a new feature for paid Black Hat attendees
starting with the USA show in August – delegate access to our CFP system!
Paid delegates can now log into our CFP database, read and review our
proposed presentations and share their ratings and comments with Black Hat.

Your ratings will help us create the show you want to attend, and even help
focus presentations as they’re being created. We are excited to see what
kind of information we learn about what interests our delegates and what
kind of talks meet their needs best. We’ve always said that our delegates
make Black Hat the experience it is, and we’re glad to have the opportunity
to extend their influence on the final product. To read more about this new
opportunity, go to:

I think this is tremendously cool for a couple of reasons.

  • First, attendees get to influence what Black Hat selects. Help build the conference of your dreams!
  • Second, I’ve heard griping over the years about BlackHat’s selection process being opaque. I’ve helped out occasionally with talk selection, and let me tell you, what’s also opaque are a lot of the submissions that come in. Sometimes, it’s really hard to decide if a given submission would be good or not.
  • Another complaint is “the same speakers speaking every year.” A lot of times, these are easy accepts. The submissions are clear, the value prop is there, and they pack rooms.

I’m a big fan of transparency and openness, and I think that BlackHat and its attendees will all benefit from this move.

Now please go vote for me as a speaker.

(Just kidding, I haven’t submitted. Yet.)

Wendy Richmond’s Surreptitious Cellphone


At the International Association of Privacy Professionals meeting last week, I had the pleasure of meeting Wendy Richmond.

“Richmond is intrigued with the ways in which we share our public space. Some of us create invisible buffer zones for quiet reverie; others enhance or negate reverie through portable technology like iPods, cell phones and laptops. These zones become the subject of her videos and stills. Satisfying in both form and content, they are psychologically riveting, intentionally beautiful, and surprisingly witty portraits of our private lives lived publicly.” (From the “Public Privacy” site.)

I think it’s tremendously cool to add an artist and their art to a business conference. Too often, we find ourselves focused entirely on questions such as cost of compliance, or forthcoming regulation. Bringing in new and different perspectives may be uncomfortable or challenging, but it’s important to remember the people for whom we’re doing this work.

I’d encourage anyone running a conference to consider bringing in artists whose work touches, even tangentially, on the subject at hand.

Who knows, you might have some chaos in an otherwise too-well-oiled machine.

Photo: Wendy Richmond, photo with Adam’s cell phone and permission.

A Crime That Flourishes Because Victims Remain Silent

There’s a fascinating article in the New York Times, “Report Sketches Crime Costing Billions: Theft From Charities.”

“I gave a talk to a group of nonprofit executives a few weeks ago, and every single one of them had a fraud story to tell,” said one of the report’s authors, Janet S. Greenlee, an associate professor of accounting at the University of Dayton. “This has been going on for years, but there’s a feeling that it shouldn’t be discussed,” because of the effect it might have on donations.

But it will now be harder for charities to hide fraud, because beginning with tax forms they must file for 2008, the Internal Revenue Service has added a question requiring them to disclose whether they have experienced theft, embezzlement or other fraud during the year.

This resonated pretty strongly with points we make in the New School. It’s about how problems fester when we don’t talk about them. There’s a principal-agent problem here, where charities, acting as agents for their donors, are actively concealing problems. And it shows yet another example of diverse perspectives helping to solve problems.

The report is available at “An Investigation of Fraud in Nonprofit Organizations.”

Dan Solove's books free and online

Dan Solove has put his two current books, “The Future of Reputation” and “The Digital Person” online for free.

I’ve felt bad in not reviewing The Future of Reputation, because I really enjoyed it, and have been trying to figure out what to say. Solove does a great job of surveying reputation in its many forms, and offering up an interesting framework for making tradeoffs about how to manage some of the costs and benefits of being able to speak freely about people online.

Check them out!

Saving the Taxpayers Money

The Washington Times reports, “Outsourced passports netting govt. profits, risking national security.” It is the first of a three-parter.

Interesting comments:

The United States has outsourced the manufacturing of its electronic passports to overseas companies — including one in Thailand that was victimized by Chinese espionage — raising concerns that cost savings are being put ahead of national security, an investigation by The Washington Times has found.

The Government Printing Office’s decision to export the work has proved lucrative, allowing the agency to book more than $100 million in recent profits by charging the State Department more money for blank passports than it actually costs to make them, according to interviews with federal officials and documents obtained by The Times.

The GPO tells us we don’t need to worry, because the blanks are moved by armored car. I feel better already, but can’t stop giggling.

New, Improved Indiana Breach Law

Thanks to infosec expert (and Indiana resident) Chris Soghoian, and a receptive state legislator who listened to an informed constituent, Indiana now has a much improved breach notification law, closing a loophole we discussed previously.
We’ve written about expert involvement in crafting improved state laws before, most recently here.
BTW, the loophole Indiana has fixed still has a tenacious grasp on the press. As folks on the Dataloss Mailing List know all too well, nary a week goes by without a reporter dutifully and unquestioningly stating that “risk is said to be small, since the stolen laptop was protected by a password”. More on this in a future post.

The Principal-Agent Problem in Security

There’s a fascinating article in the New York Times, “At Bear Stearns, Meet the New Boss.” What makes it fascinating is the human emotion displayed:

“In this room are people who have built this firm and lost a lot, our fortunes,” one Bear executive said to Mr. Dimon with anger in his voice. “What will you do to make us whole?”

The packed room of senior managing directors applauded.

Mr. Dimon responded gingerly. “You’re acting like it’s our fault, and it’s not. If you stay we will make you happy.”

But the Bear employee was not satisfied. “I think it’s galling you come into our house and you call this a ‘merger,’ ” the Bear executive went on.

Now, there’s an easy slam on that exec, but I’d like to do better than that. There’s a very real desire to not go from the mansion to the poorhouse overnight. Picking arbitrary numbers of shares, on Friday, this fellow might have held 10,000 shares, worth $300,000, representing a large fraction of his savings. Monday morning, it was worth $20,000. He’s worried about how he’s going to pay for his kid’s education or his next vacation. (There’s more excellent analysis in Jeffrey Lipshaw’s “Exuberant Bulls, Rueful Bears, and Rational Frogs

People’s concerns, first and foremost, are for themselves.

People who work in security are often deeply concerned with security, because it’s the thing that makes or breaks their careers. They’re focused on the impact of security on them, as well as their business. So sometimes they make choices which aren’t perfect for the business, but take their perspectives into account. It’s only human.

Nick Owen talks a bit about the motives of security chiefs in “On the short tenure of CISOs and low-frequency, high-impact events.” (Damnit, Nick, I should have seen that. Now you’re banned from the prom.) ((Which is yet another instance of a principal-agent problem. I’d like to appear smarter and more insightful than Nick, so I have to ensure I don’t link to him.))

Economists call this set of issues principal-agent problems, with the classic example being Alice hiring Bob to sell a car that she doesn’t have time to sell. How does she know that he’s not selling it to a friend? Economists are generally worried about the CEO, but the thinking can and should be applied across a company. How do you ensure people’s motives are well aligned with those of the business and its shareholders?

Nick Szabo has some interesting points about “representation distances” in a political analysis of principal agent problems. I’m surprised that he talks about the distance from one agent to a group. I would think that the interesting questions involve average distances between various groups and agents, and the tensions between them.

On the Frequency of Fake bin Laden Messages

I’ve noticed that every time there’s a new message from Osama bin Laden, the press very carefully calls into question its authenticity. For example, CNN’s article “Purported bin Laden message: Iraq is ‘perfect base’” opens:

Al-Jazeera broadcast on Thursday an audiotape on which a voice identified as Osama bin Laden declares “Iraq is the perfect base to set up the jihad to liberate Palestine.”

The voice calls on “Muslims in neighboring countries” to “do their best in supporting their mujahedeen brothers in Iraq.”

So I’m wondering, have there been fake messages?

My understanding is that bin Laden’s manner of speaking, his words and phraseology, are quite unusual and hard to capture. What’s more, it doesn’t make sense for his followers to fake messages from him. As a leader who inspires through his words, the authenticity of those words is very important. It doesn’t jibe with my (admittedly limited) understanding to think that anyone would fake a message from him.

I understand that the intelligence community would like us to believe that they’re on the verge of catching him, that he might be dead, and that he can’t get messages out of his base in Pakistan’s Waziristan region.

But why does the media play along? Is there a problem with fake messages, or an expectation that there might be?