Shostack + Friends Blog Archive


Voltage Predicts the Future

It’s easy to critique the recent Voltage report on breaches. (For example, “2009 started out to be a good year for hackers; in the first three months alone, there were already 132 data breaches reported.” That there were 132 breaches does not mean that hackers are having a good year; most breaches are not caused […]


On the Assimilation Process

Three years and three days ago I announced that “I’m Joining Microsoft.” While I was interviewing, my final interviewer asked me “how long do you plan to stay?” I told him that I’d make a three year commitment, but I really didn’t know. We both knew that a lot of senior industry people have trouble […]


Thanks, Jeffrey Bennett

In “Books that should be in a security manager’s library,” Jeffrey Bennett says nice things about The New School (the book) and suggests that it’s one of eight that “no professional library is complete without.” Thanks!


Emergent Traffic Chaos

Paul Kedrosky has an amazing video: As described in the New Scientist: Researchers from several Japanese universities managed the feat by putting 22 vehicles on a 230-metre single-lane circuit (see video). They asked drivers to cruise steadily at 30 kilometres per hour, and at first the traffic moved freely. But small fluctuations soon appeared in […]


More Friday Skepticism

Since Adam started it, I’ll add a link to a nice YouTube video about how to be a good skeptic h/t BoingBoing


Death-related items

I’m cleaning out my pending link list with a couple of morbidly-thematic links. Old-but-interesting (2007 vintage) list of relative likelihoods of death compared to dying in a terrorist attack. For example… You are 1048 times more likely to die from a car accident than from a terrorist attack You are 12 times more likely to die from […]


Visualization Friday & More!

OK, so this week for Visualization Friday, I’m going to point you to just one thing: At Last, a Scientific Approach to Infographics A blog post by the awesome visualization expert Stephen Few that praises: Visual Language for Designers: Principles for Creating Graphics that People Understand by Connie Malamed OK, I’ll also mention that I […]


Science, Skepticism and Security

Rich Mogull has a great post on “Science, Skepticism and Security” In the security industry we never lack for theories or statistics, but very few of them are based on sound scientific principles, and often they cannot withstand scientific scrutiny. For example, the historic claim that 70% of security attacks were from the “insider threat” […]


The Cost of Anything is the Foregone Alternative

The New York Times reports: At least six men suspected or convicted of crimes that threaten national security retained their federal aviation licenses, despite antiterrorism laws written after the attacks of Sept. 11, 2001, that required license revocation. Among them was a Libyan sentenced to 27 years in prison by a Scottish court for the […]


Economics of Information Security

Ross Anderson is liveblogging the 2009 Workshop on Economics of Information Security. I’m in Seattle, and thus following eagerly. It seems Bruce isn’t liveblogging this time. I know I found it challenging to be a stenographer and a participant at SHB.


The emergent chaos of fingerprinting at airports

HONG KONG (Reuters) – A Singapore cancer patient was held for four hours by immigration officials in the United States when they could not detect his fingerprints — which had apparently disappeared because of a drug he was taking. The incident, highlighted in the Annals of Oncology, was reported by the patient’s doctor, Tan Eng […]


UnClear where the data will go

So Clear’s Verified Line Jumper service has shut down. Aviation Week has a blog post, “Clear Shuts Down Registered Traveler Lanes.” Clear collected a lot of data: The information that TSA requires us to request is full legal name, other names used, Social Security number (optional), citizenship, Alien Registration Number (if applicable), current home […]


Iran Links

The Economist’s Bagehot writes about his idea of “The chemistry of revolution,” while admitting he’s generalizing from two. Ethan Zuckerman on “Iran, citizen media and media attention.” “Unfortunately, unlike positive online gestures of solidarity (retweeting reports from Iran, turning Twitter or Facebook pictures green), this one does little more than piss off sysadmins, helps Iranian […]


Ron Paul supporter inadvertently gets iPhones banned from U.S. aircraft

Via CNN: Steve Bierfeldt says the Transportation Security Administration pulled him aside for extra questioning in March. He was carrying a pocket edition of the U.S. Constitution and an iPhone capable of making audio recordings. And he used them. On a recording a TSA agent can be heard berating Bierfeldt. One sample: “You want to […]


Suffering for Art

Joseph Carnevale, 21, was nabbed Wednesday after a Raleigh Police Department investigation determined that he was responsible for the work (seen below) constructed May 31 on a roadway adjacent to North Carolina State University. Carnevale, pictured in the mug shot at right, was charged with misdemeanor larceny for allegedly building his orange monster from materials […]


Visualization Friday!

Yesterday I got to see what might have been one of the most amazing(ly bad) security dashboards I’ve ever seen.  And those who have read my posts on visualization know that I find the visualization of risk & security to be a pretty fascinating field of study.  So given the quality of the GRC apps […]


Happy Juneteenth!

Celebrate Juneteenth, but remember that we have not eliminated the scourge of slavery.


The Trouble With Metrics

Is that they can be gamed. See “Terror law used to stop thousands ‘just to balance racial statistics’” in the Guardian: Thousands of people are being stopped and searched by the police under their counter-terrorism powers – simply to provide a racial balance in official statistics, the government’s official anti-terror law watchdog has revealed. […]


Privacy Enhancing Technologies 2009

The organizers of the 9th Privacy Enhancing Technologies Symposium invite you to participate in PETS 2009, to be held at the University of Washington, Seattle, WA, USA, on Aug 5-7, 2009. PETS features leading research in a broad array of topics, with sessions on network privacy, database privacy, anonymous communication, privacy policies, and privacy offline. […]


Chaos in Iran

Millions of people in Iran are in the streets, protesting a stolen election. Nate Silver, who did a great job on US election statistics has this: However, given the absolutely bizarre figures that have been given for several provinces, given qualitative knowledge – for example, that Mahdi Karroubi earned almost negligible vote totals in his […]


The Art of Mathematics

Paul Nylander has some amazingly beautiful mathematical constructs which he’s ray-tracing. Via Aleks Jakulin.


Green Dam

Update 26 June 2009: The status of Green Dam’s optionality is still up in the air.  See, for example, this news story on PC makers’ efforts to comply, which points out that Under the order, which was given to manufacturers in May and publicly released in early June, producers are required to pre-install Green Dam […]


SHB Session 8: How do we fix the world?

(Bruce Schneier has been running a successful prediction attack on my URLs, but the final session breaks his algorithm. More content to follow.) So as it turns out, I was in the last session, and didn’t blog it. Bruce Schneier and Ross Anderson did. Matt Blaze has the audio. I’ll turn my comments into an […]


SHB Session 7: Privacy

Tyler Moore chaired the privacy session. Alessandro Acquisti, CMU. (Suggested reading: What Can Behavioral Economics Teach Us About Privacy?; Privacy in Electronic Commerce and the Economics of Immediate Gratification.) It’s not that people act irrationally, it’s that we need deeper models of their privacy choices. Illusion of control, over-confidence, in privacy people seek ambiguity, people […]


SHB Session 6: Terror

Bill Burns (Suggested reading Decision Research: The Diffusion of Fear: Modeling Community Response to a Terrorist Strike) Response to Crisis: Perceptions, Emotions and Behaviors. Examining a set of scenarios of threats in downtown LA. Earthquake, chlorine release, dirty bomb. Earthquake: likely 100-200 casualties. Dirty bomb, expected casualties: 100 at most. Chlorine may be thousands to […]


SHB Session 5: Foundations

Rachel Greenstadt chaired. I’m going to try to be a little less literal in my capture, and a little more interpretive. My comments in italic. Terence Taylor, ICLS (Suggested reading: Darwinian Security; Natural Security (A Darwinian Approach to a Dangerous World)). Thinks about living with risks, rather than managing them. There are lessons from biology, […]


SHB Session 4: Methodology

David Livingstone Smith chaired. Angela Sasse “If you only remember one thing: write down everything the user needs to do and then write down everything the user needs to know to make the system work. Results of failure are large, hard to measure. (Errors, frustration, annoyance, impact on processes and performance, coloring user perception of […]


SHB Session 3: Usability

Caspar Bowden chaired session 3, on usability. Andrew Patrick NRC Canada (until Tuesday), spoke about there being two users of biometric systems: the purchaser or system operator and the subject. Argues that biometrics are being rolled out without a lot of thought for why they’re being used, when they make sense and when not. Canada […]


Publius Outed

The pseudonymous blogger, Publius, has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Ed Volokh, and Publius commented on Volokh’s criticism of Whelan, so Whelan lashed out at Publius. Or so it seems from the nosebleed bleachers […]


SHB Session 2: Fraud

Julie Downs studied users who were going through an email inbox full of phishing emails, while doing a talk-aloud. They also did interviews afterwards. People with incidents get very sensitive to risks, but don’t get any better at identifying phishing emails. What really helps is contextualized understanding. Do they know what a URL is? Do […]


SHB Session 1: Deception

Frank Stajano Understanding Victims Six principles for systems security Real systems don’t follow logic that we think about. Fraudsters understand victims really well. Working with UK TV show, “the real hustle.” Draft paper on SHB site. Principles: Distraction, social compliance, herd principle, deception, greed, dishonesty David Livingstone Smith What are we talking about? Theoretical definitions: […]


Security & Human Behavior

I’m at the Security & Human Behavior workshop, and will be trying to blog notes as we go. I should be clear: these notes aren’t intended to be perfect or complete. Update: Bruce Schneier is also liveblogging. intro. Ross Anderson is blogging in comments to this post.


Security & Human Behavior

I’m blogging the Security & Human Behavior Workshop at the New School blog. Bruce Schneier is also blogging it, as is Ross Anderson.


A Farewell to Bernstein

From Chandler, who is in China: Adam sent along to the authors of this blog a link to the New York Times obituary for Peter Bernstein (http://www.nytimes.com/2009/06/08/business/08bernstein.html?_r=1&hpw) yesterday: Peter L. Bernstein, an economic historian and a widely read popularizer of the efficient market theory, which changed trading behavior on Wall Street, died Friday at NewYork-Presbyterian/Weill […]


Pirate Party Victory in Sweden

“Together, we have today changed the landscape of European politics. No matter how this night ends, we have changed it,” Falkvinge said. “This feels wonderful. The citizens have understood it’s time to make a difference. The older politicians have taken apart young peoples’ lifestyle, bit by bit. We do not accept that the authorities’ mass-surveillance,” […]


Links To Interesting Stuff

I have a ton of tabs open in Firefox about stuff I thought would be some sweet newschool-esque reading for everybody out there. 1.) Threat and Risk Mapping Analysis in Sudan Not really about measurement and progress, but a fascinating look at “physical risk management” nonetheless: http://irevolution.wordpress.com/2009/04/09/threat-and-risk-mapping-analysis-in-sudan/ 2.) I thought Gunnar did a great job […]


Mr. Bureaucrat, Please Report to Room 101

As I’ve said before, all non-trivial privacy warnings are mocked and then come true. Sixty years ago today, George Orwell published 1984. He unfortunately failed to include a note that the book was intended as a warning, not a manual. Today, in England, there are an unknown number of surveillance cameras, including many around Orwell’s […]


Bialystock Triumphs in Berlin

The crowd for the premiere seemed pleased. It wasn’t your typical Broadway musical audience, to judge from the number of smart-looking young people with interesting haircuts. A “lively counterpoint to Hollywood productions like ‘Valkyrie’ and ‘Defiance,’ with their impeccable Resistance heroes and clichés,” decided the reviewer for Spiegel Online. “The New York triumph was repeated […]


S&P Risk Models

There was an interesting segment on NPR this morning, “Economy Got You Down? Many Blame Rating Firms” that covered amongst other things the risk model that Standard and Poor’s used to rate bonds and in specific mortgage backed ones. There are a few choice quotes in the story about how the organizations approached the models […]


The Art of Living Dangerously

I haven’t had a chance to read it, but I’ll probably pick up “Absinthe and Flamethrowers: Projects and Ruminations on the Art of Living Dangerously” at some point, if only because of the author’s writing on the relationship between risk and happiness says something I’ve always suspected, that risk takers are happier than risk avoiders […]


Pirates, Inc.

I found this short documentary about piracy around the Straits of Malacca to be an interesting view of the reality of pirate life as a last refuge of the unemployed fisherman, and an interesting counterpoint to the NPR Story, “Behind the Business Plan of Pirates, Inc.” which provides an altogether different view of the […]


Statistics Police?!

From Gelman’s blog: U.K. Sheriff Cites Officials for Serious Statistical Violations I don’t know if we need an “office” of information assurance in the government sector, but it would be nice to have some penalty on the books for folks who abuse basic common sense statistical principles. Of course, the *real* answer lies in education […]


TAKE PART IN PROJECT QUANT (please)!

Hey everyone. I wanted to let you know that Rich, Adrian & Co. at Securosis are spearheading a research project called “Quant”. They currently have a survey up on survey monkey about Patch Management that they’d like participation in. If you can, please give thoughtful contribution to the survey. http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d There’s something about a registration […]


Amusements with Alpha

I just saw a link to someone who had broken Wolfram Alpha. Their breaking question was, “when is 5 trillion days from now?” The broken result is: {DateString[{13689537044,5,13,16,57,18.5796},Hour12Short],:,DateString[{13689537044,5,13,16,57,18.5796},Minute],:,DateString[{13689537044,5,13,16,57,18.5796},Second], ,DateString[{13689537044,5,13,16,57,18.5796},AMPMLowerCase]} | {DateString[{13689537044,5,13,16,57,18.5796},DayName],, ,DateString[{13689537044,5,13,16,57,18.5796},MonthName], ,DateString[{13689537044,5,13,16,57,18.5796},DayShort],, ,13689537044} Which is certainly amusing. A quick check shows that even one trillion days gives a similar error. A bit of the […]


New Means of Pie Chart Abuse

Just for Adam, because I know he’ll *love* this. Was reading the “How to transform your ETL tool into a data quality toolkit” post on the data quality blog when I noticed something. In the graphic they’re presenting there: The.Pie.Chart.Spins. Which could be one of the most awesome data visualization abuses.  ever.


Voltage Security's Breach Map

The folks over at Voltage have released a really cool interactive map of breaches from around the world.  Tools like this show how important having data is, just imagine how much more impressive and useful something like this could be if more people were willing to share data about breaches or other information security issues […]


Open Thread

What’s on your mind? Extra points for mocking other members of the combo for not posting. Me? I’m wondering why the opening of the Parliament of South Africa involves so many bagpipes.


Thoughts on Bejtlich's Information Security Incident Ratings

Check out Richard Bejtlich’s Information Security Incident Rating post. In it, he establishes qualitative, color-based scales for various asset-states in relation to the aggregate threat community.  As Richard states, he’s not modeling risk, but rather he’s somewhat modeling half of risk (in FAIR terms, an attempt at TEF/LEF/TCap information, just not the loss magnitude side). […]