SDL Announcements

I’m in Barcelona, where my employer has made three announcements about our Security Development Lifecycle, which you can read about here: “SDL Announcements at TechEd EMEA.”

I’m really excited about all three announcements: they represent an important step forward in helping organizations develop more secure code.

But I’m most excited about the public availability of the SDL Threat Modeling Tool. I’ve been working on this for the last 18 months. A lot of the thinking in “Experiences Threat Modeling at Microsoft” has been made concrete in this new tool, which helps any software engineer threat model.


I’m personally tremendously grateful to Meng Li, Douglas MacIver, Patrick McCuller, Ivan Medvedev and Larry Osterman. Each of them has contributed tremendously to making the tool what it is today. I’m also grateful to the many Microsoft employees who have taken the time to give me feedback, and I look forward to more feedback as more people use the tool.

Public Policy and InfoSec

…Armed with my favorite govie (who is actually the lead on this, I’m just a straphanger), The New School of Information Security (Hi Adam and Andrew), some government policy directives, and the National Strategy to Secure Cyberspace, I am teaching an Information Security Management and Public Policy class for Carnegie Mellon’s Heinz School.

The more I work with the Masters of Science in Public Policy Management program, the more I’m sold on it. Basically the students do a year on-campus in Pittsburgh, then they have the option of staying there or coming to DC. The students who come to DC work a 32-hour week (some do more), 2 night classes, and class for most of Friday. Our information security class fits in as a sector-specific deep-dive, the other one being healthcare (which needs smart public policy people, too).

Which is where we need some help. It’s a little behind the game, but we’re constantly looking for Government agencies, NGOs/NPOs, and contractors who are interested in taking on interns. Even better if you have jobs that don’t have a US citizenship requirement. If you want to be linked up, just drop me a line.

First, thank you! Andrew and I are both tremendously excited to see the New School being used at CMU. If anyone knows of internships to help their students find jobs, please visit “The Guerilla CISO” and let’s help them out?

An early clue to the new direction?

Obama gave his first press conference as President-elect last Saturday. Pundits have noted his humor in responding to the urgent canine matter, but I was struck by a particular phrase used in response to a question regarding whether he’d be moving quickly to fill key cabinet positions:

When we have an announcement about cabinet appointments, we will make them. There is no doubt that I think people want to know who’s going to make up our team.
And I want to move with all deliberate haste, but I want to emphasize “deliberate” as well as “haste.” I’m proud of the choice I made of vice president, partly because we did it right. I’m proud of the choice of chief of staff, because we thought it through.
The emphasized portion is a variation of Earl Warren’s “with all deliberate speed“, as used in the Supreme Court decree implementing their Brown v. Board opinion. Whether Obama used such similar language simply because it evoked a sense of thoughtful urgency and as a constitutional scholar the words would come easily to him, or whether he wanted to subtly signal a soon-to-be renewed White House interest in civil rights is impossible to know. Either way, it was a refreshing hint of erudition.
(I promise not to obsess over every move made by our new Harvard Law Overlord. I offer my silence on the matter of the Sox cap as an example of my forbearance.)

CTO of the United States?

So Obama wants a CTO for the United States. The job description:

Obama will appoint the nation’s first Chief Technology Officer (CTO) to ensure that our government and all its agencies have the right infrastructure, policies and services for the 21st century. The CTO will ensure the safety of our networks and will lead an interagency effort, working with chief technology and chief information officers of each of the federal agencies, to ensure that they use best-in-class technologies and share best practices.

So that’s a reasonably traditional, large-company definition of CTO. It’s like a CIO on steroids. It’s very different from a startup CTO, where a lot of my experience lies, and I’m not sure it’s what the US needs. There are a couple of larger jobs which may need doing. Scoping broader and broader:

Information Technology policy leadership for the government. I think there are three key issues for US technology policy right now, and they’re scattered across organizations:

  1. Innovation and rewards. As the economy moves from atoms to bits, how do we reward people who create new things? When copying costs approach zero, how do we reward people for creating? (This is often called intellectual property.)
  2. Access to networks, including simple access and what ISPs may or may not do. Broadband access in the US, even in large cities, is far slower than in other countries, and far more expensive per megabit per second. These are results of government policy and we should do better.
  3. Privacy and security. I suspect most readers of this blog don’t need a primer here.

Technology Policy leadership need not be constrained to information technology. There is a tremendous amount going on in clean energy, in nanotechnology, in biotechnology including genomics, proteomics and pharma. Some of the issues that an information technology policy CTO would need to take on bear directly on these industries.

The trick, of course, is finding someone who can handle a job this large. Many names that have been floated would be great at one of these things. Very few people could take on all of them.

But there’s one person who’s been put forward who I think has disqualified himself. Before I get into the details, I want to be clear: I have huge respect for his early technical achievements. As someone who cut their teeth on BSD Unix, I was tremendously influenced by Bill Joy’s work. So it’s hard for me to oppose John Doerr’s suggestion, except that Joy’s best-known recent work is “Why The Future Doesn’t Need Us.” I believe that Joy raised great concerns, but the ways he has chosen to address them raise real questions about whether he should be CTO of the United States.

Joy hasn’t shown an ability to get people excited about an obscure topic like copyright in the way that Lessig has. He hasn’t shown a talent for explaining complex issues simply the way Schneier has. I don’t think he’s qualified for the CIO-on-steroids job, nor for any of the CTO jobs.

On the other hand, there is another founder of Sun Microsystems who has shown an interest in politics, innovation and liberty, and who I think would be great. I have huge respect for his intellect, his morals and his integrity. I’m speaking, of course, of John Gilmore, who helped found Sun and the Electronic Frontier Foundation (EFF) and was a major force behind Cygnus. So why not fly him out for an interview?

Regardless of who we pick, I think the key for that role is to embrace the value of innovation, and to create a level playing field which encourages the chaos of invention and a willingness to believe that given a chance, good solutions will emerge.

After I wrote this on the plane, I landed and discovered that and Slashdot are covering the same question.

Chaos, My Desk and Dilbert

The Wall St Journal covers the latest management fad in “Neatness Counts at Kyocera and at Others in the 5S Club:”

5S is a key concept of the lean manufacturing techniques that have made makers of everything from cars to candy bars more efficient. The S’s stand for sort, straighten, shine, standardize and sustain. Lately, 5S has been moving from the plant floor to the cubicle at hundreds of offices around the country, adding desk cleaning to the growing list of demands on employees.

That means companies like Kyocera Corp., Mr. Scovie’s employer, are patrolling to make sure that workers don’t, for example, put knickknacks on file cabinets. To impress visitors, the company wants everything to be clean and neat. Meanwhile, doctors in Seattle are relearning where to stick their stethoscopes. And output from the printer at Toro Co., a Bloomington, Minn., lawn-mower maker, is sorted daily and tossed weekly.

In a hospital, I can see value in neatness in shared space, and knowing where the tool is in the nearest cube. For a hospital, crash carts are always bright red, and are organized pretty much the same everywhere. That doesn’t mean you have to forbid pictures on the wall. For a knowledge worker, if you make the environment lifeless, you get lifeless output. World leading design companies like Ideo have offices which are personalized, chaotic and emergent.

The value of anything is the foregone alternative. These companies are spending money on, well, I’ll just use this neat little anecdote:

When [Mr Brown of Kyocera] got to the accounting department, he discovered a hook on a door and told cash-management assistant Deanna Svehla that doors are supposed to be free of such accouterments. “But that’s where I hang the Christmas decorations,” she said.

“C’mon, like there aren’t plenty of places to put decorations,” he said, nodding at the orange and black Halloween tinsel strung along the outside of her cubicle. That’s OK, it turns out, because it isn’t permanent.

They do try to defend it a little:

While that may sound authoritarian, it’s not the initiative that’s important, it’s how managers communicate it, says Gary Hayes, managing partner at Hayes Brunswick & Partners LLC, a leadership advisory firm in Bronxville, N.Y. “If managers clearly explain why they’re doing something, I think most people will understand the rationale. But if you say, ‘We’re doing this because 14 efficiency experts say it increases productivity,’ then it becomes kind of Dilbert,” he says, referring to the comic strip of satirical office humor.

No Gary, it never becomes kind of Dilbert. Dilbert-ness is the very core of 5S. 5S advocates, please call the outsourced layoff call center. Your 3 approved desk items will be sent to you.

(I was going to tie this to security, but I have to go change my password.)

I Was On NPR, An Unmasking of Sorts

Okay, so for a long time now, I’ve been blogging as Arthur. It all started as an excuse to blog without the company I worked for at the time having to worry about anything I said being a reflection on them. Almost three years ago they were acquired by Oracle and I have long since moved on to other pastures. Many of you already know who I am, and since I really want to share the story below, I am no longer going to hide who Arthur really is. Listen to the audio linked below if the picture hasn’t already given me away completely.
On Monday I went to early vote. Well, I live in Columbus, OH where there was a big push to vote early. Since I was driving to Chicago the next day to speak at Information Security Decisions, I figured I’d knock it out a day early and get it over with. What I didn’t expect was that I would be standing on line for four hours to cast my ballot.
What I also didn’t expect was to be interviewed by Neal Conan on Talk of the Nation. So there I was, three and a half hours into my wait, when I was approached by Mandy Trimble of WOSU, the local NPR affiliate. Anyway, to make a long story short (I know, too late!), I ended up on the air nationwide talking about how to pass time in line at the polls. My bit is about 4:00 minutes in.

Confirmation Bias and Newspaper Endorsements

We’ve been talking a lot lately about confirmation bias. It turns out that newspaper endorsements are more influential when they are unexpected.

The degree of this influence, however, depends upon the credibility of the endorsement. In this way, endorsements for the Democratic candidate from left-leaning newspapers are less influential than are endorsements from neutral or right-leaning newspapers…

Via the Economist Free Exchange blog, after the newspaper credibly endorsed Obama.

Previously on confirmation bias: “Things only an astrologist could believe,” “No evidence the data was misused,” and “More on confirmation bias.”

Checking in on the Security of Chequing

I remember a conversation back in 1995 or 1996 with someone who described to me how the Automated Clearing House (ACH) for checking worked. He explained that once you had an ACH merchant account, you sent in a message of roughly the form (src, dest, amount, reason) and money got moved. I argued with him that this was inconceivable (yeah, yeah), and he must be misunderstanding. He assured me that no, he was right, and that the reason they ran this way was because it was cheaper, and because only trustworthy people could get ACH merchant accounts.

Fast forward a few years, to a fellow who sends out cheques for bugs:

Leading banks and investment funds have been foundering, because of bad debts and lack of trust; and other, less well-known kinds of fiscal chaos are also on the horizon. For example, due to an unfixable security flaw in the way funds are now transferred electronically, worldwide, it is no longer safe to write personal checks. A criminal who sees the numbers that are printed at the bottom of any check that you write can use that information to withdraw all the money from your account. He or she can do this in various ways, without even knowing your name — for example by creating an ATM card, or by impersonating a bank in some country of the world where safeguards are minimal, or by printing a document that looks like a check. The account number and routing information are all that international financial institutions look at before deciding to transfer funds from one account to another. (Donald Knuth, “Financial Fiasco.”)
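To make concrete what “the account number and routing information are all that institutions look at” means, here is an added example (not code from this post, Knuth, or any bank). It parses a simplified MICR line from the bottom of a check and runs the only verification that exists for those numbers, the ABA routing-number check digit (3,7,1 weights, sum mod 10), then assembles the (src, dest, amount, reason) tuple described above. The MICR line, the routing number 123456780 (made up, but check-digit valid) and the `ORIGINATOR_ACCOUNT` placeholder are all constructed for illustration. The security point it demonstrates: the check digit catches transcription errors, not impersonation; nothing on the MICR line is secret, and nothing in the debit message proves the account holder authorized anything.

```python
"""
Simplified MICR-line parser plus the ABA routing-number check digit.

Added example for this post; not the post's, Knuth's, or any bank's code.
Routing number 123456780 and the sample line are constructed for illustration.
"""
import re
from dataclasses import dataclass

# MICR E-13B special symbols: transit (U+2446) brackets the routing number,
# on-us (U+2448) terminates the account field.
TRANSIT = "\u2446"
ON_US = "\u2448"

# Constructed sample: routing ⑆123456780⑆, account 000123456789⑈, check #1042
SAMPLE_MICR = f"{TRANSIT}123456780{TRANSIT} 000123456789{ON_US} 1042"


@dataclass(frozen=True)
class MicrLine:
    routing: str
    account: str
    check_number: str


def routing_check_digit_valid(routing: str) -> bool:
    """ABA rule: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10.

    This is an integrity check against mis-keyed digits. It is not a secret
    and it authenticates nobody; anyone who can read the check can pass it.
    """
    if not re.fullmatch(r"\d{9}", routing):
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    total = sum(int(d) * w for d, w in zip(routing, weights))
    return total % 10 == 0


def parse_micr(line: str) -> MicrLine:
    """Split a line of the form ⑆RRRRRRRRR⑆ AAAA…⑈ NNNN into its fields."""
    pattern = rf"\s*{TRANSIT}(\d{{9}}){TRANSIT}\s*(\d+){ON_US}\s*(\d+)\s*"
    m = re.fullmatch(pattern, line)
    if m is None:
        raise ValueError("unrecognized MICR layout")
    routing, account, check_number = m.groups()
    if not routing_check_digit_valid(routing):
        raise ValueError(f"routing number {routing} fails ABA check digit")
    return MicrLine(routing, account, check_number)


def ach_debit_from_check(line: str, amount_cents: int, reason: str) -> dict:
    """Build the (src, dest, amount, reason) message the post describes.

    Every field of 'src' is read straight off the paper. 'dest' is a
    hypothetical placeholder for the originator's own account. Note the
    absence of any field carrying the account holder's authorization.
    """
    micr = parse_micr(line)
    return {
        "src": f"{micr.routing}:{micr.account}",
        "dest": "ORIGINATOR_ACCOUNT",  # placeholder, constructed for the example
        "amount_cents": amount_cents,
        "reason": reason,
    }


if __name__ == "__main__":
    print(parse_micr(SAMPLE_MICR))
    print(ach_debit_from_check(SAMPLE_MICR, 12500, "invoice 77"))
```

Run it and the debit message comes out fully formed from the MICR line alone; swapping one digit of the routing number makes `parse_micr` raise, which is the full extent of the validation the numbers on a check afford.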

It’s Morning in America

It’s hard to know what to say after an election that feels so momentous in so many different ways. So, I’ll start from the simple: congratulations to Obama on being elected the 44th President of the United States.

[Image: “Obama Makes History” headline]

Next, let’s add some chaos here and see what emerges. So what’s on your mind?

And please, keep it civil in this election open thread.