ID Theft Risk Scores?

A bunch of widely read people are blogging about “ Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.”

First, there’s little explanation of how it’s working.

I got a 240 when I didn’t give them my SSN, and my score dropped to 40 when I submitted my SSN. [Editor’s note: Huh? Giving out your SSN lowers your risk of ID theft? That seems an odd message.]

Everybody talks about identity fraud, but nobody does anything about it. This does something about it – specifically, it will help stop the worrying on the part of people who don’t need to. And it will give people who should worry a few things to do to get their situation under control. The more that can be done to demystify identity fraud, the better – and the less likely there will be unwise legislation and regulation that ultimately harm the interests of consumers.

In “What is My ID Score?” there’s some explanation:

My ID Score is a statistical score that’s based on technology currently used by leading communications, financial services, retail companies, healthcare providers, government agencies, and consumers to assess your risk of identity theft. These companies use ID Analytics’ scoring technology to ensure that fraudsters do not apply for goods and services in an innocent consumer’s name.

So I think this is not really your ID theft risk, but the perception that their software has. To put it another way, it’s the trouble someone is likely to experience when they try to open a new account in the name you’re giving.

When you put someone’s information in, they ask you a bunch of questions about them, like “which of these phone numbers have you used?” It’s not clear how well that works when the attackers can access the same databases through their breaches.

(This didn’t post when I wrote it, so it’s old news, new analysis.)

Final Post on Mortman/Hutton and the Beginning of the End of the Beginning (Hopefully)

The last post on the Mortman/Hutton model today is the most important.  You see, the primary idea (to me) behind the Mortman/Hutton model was never really to come to a strict or broadly accepted model for discussing what factors drive the creation and adoption of exploit code.  That was and is a vehicle for what is my (our) primary aim – the sharing of information to help further our understanding of IT risk management and what we might call (for lack of a better term) the science of information security.

You see, a model is only a hypothesis.  It is for testing, for falsifying, for evolving.  And ours is no different.  We welcome criticism and alternate theories.  Heck, even I have problems with it:  a couple of branches “don’t feel right” (the deductive logic isn’t as strong as I’d like), and the “measurement theory” behind the model as we use it is, to be nice about it, informal.  We do welcome improvements.

And to that extent this welcoming of changes to the model is our primary aim in developing and releasing the Mortman/Hutton model.  We want it to be the first model to be written about and stored here for others to help evolve.  It was birthed to help make this website a resource for those who seek knowledge about what it is that we do.

To that extent we will host our white paper here, and invite others to do the same for the theories/models they produce.  Hopefully in the future we’ll expand the site’s capabilities, creating a sort of academic storehouse of information not just about ancillary information security science-like topics (like visualization), but of real discussion about the very epistemic nature of information security.

Epistemological Anarchy and Sensationalist Talk Titles

Which brings me to my second part of this blog post, answering a post Adam made that was discussing why he doesn’t like at least the title of David’s and my SecurityBSides talk – “Challenging the Epistemological Anarchist to Escape our Dark Age”.  To be fair, Adam hasn’t heard the talk or really discussed what our assertion against Epistemological Anarchy (E.A.) is.  Also, I’m not really all that against aspects of E.A.  But here’s the crux:

Epistemological Anarchy is a philosophical concept offered by Paul Feyerabend.  In short, Feyerabend suggests that there is no universal scientific method, or even that if there was one, we would be in jeopardy of tyranny to it rather than to the search for knowledge.  Thus he proposed anarchy, that as a reduction of Karl Popper’s falsification to the absurd, the only real universal truth to scientific discovery is “anything goes”.

And there is some appealing aspect to E.A., I’ll admit.  At best, it challenges us to not conform to modern theories about our fields of study (and if you’ve read anything by me, you know I love to challenge conventional wisdom about InfoSec – even to a fault).  However, at worst, it suggests that we give credence to even the most absurd irrational assertions (Feyerabend himself suggests that someday Rain Dances and Astrology might be “rediscovered” as having some aspect of truth in their claims).

To this extent, I find that many of our most notable “security rock star” types are readily dismissing our ability to apply any scientific method at all.  Donn Parker and Marcus Ranum immediately spring to mind as those who not only offer no real rational set course of action in order to build knowledge or increase wisdom, but rather suggest that our version of shamanism is just fine and all we can ever ascribe to.  To me, this is a premature abortion of our field, what I would call a newly forming social science.  In fact, take for example, what Thomas Kuhn suggests are stages of a natural science (you can look them up or follow my series over on the Verizon security blog).

I have no problem accepting that Kuhn would label us in what he calls the “protoscientific” stage.  A stage of science that is described by somewhat random fact gathering (mainly of readily accessible data), and a “morass” of interesting, trivial, irrelevant observations.  In the protoscientific stage there are a variety of theories (that are spawned from what he calls philosophical speculation) that provide little guidance to data gathering. (1)

Sound familiar?

Kuhn goes on to describe a second stage, where a theory comes to dominate all others and a “school” of “disciples” establish a discipline around the theory.  Not to re-hash the rest of what Kuhn says about how a science evolves, but I’ll offer this.  While I do want to push us out of Kuhn’s protoscience stage, I don’t see a predominant theory (or even despite the title of this blog – a “school” of disciples) forming just yet.  Rather, NewSchool seems to me, with all apologies to Churchill, just the beginning of the end of the beginning.   Our challenge is to use the positive aspects of Feyerabend’s E.A. to accelerate us past not only Kuhn’s “normal science” stage (where a predominant theory is held up and it spawns ancillary theories and models), but also past his “crisis” stage (where the predominant theory is falsified) into a stage of regular, repeating revolutions (and maybe we can use this crazy Internet technology to our advantage to do so).  That, to me at least (irony noted), is what is NewSchool.

But in doing so, we *have* to move beyond absolute dismissal of Information Security and Risk Management as a social science, beyond the Epistemological Anarchist who suggests that a quest for knowledge is futile.

(1) If you’ll indulge a little public navel gazing, I can see how one of my favorite models, FAIR, could be interpreted to be theory spawned from philosophical speculation.  It is, after all, an almost purely deductive model that many have expressed difficulty resolving its approach to estimate-based measurement to their desire for precise results.  I will offer this, I found FAIR to fit many aspects of Kuhn’s requirements for Theory Choice (esp. the Fruitful aspect):

1. Accurate – empirically adequate with experimentation and observation
2. Consistent – internally consistent, but also externally consistent with other theories
3. Broad Scope – a theory’s consequences should extend beyond that which it was initially designed to explain
4. Simple – the simplest explanation, principally similar to Occam’s Razor
5. Fruitful – a theory should disclose new phenomena or new relationships among phenomena

To The Moon

One of the really fascinating things about listening to the streaming audio of the first moon landing is how much time was spent debugging the spacecraft, resetting this and that.

As the memory fades away, Charlie Stross wrote about the difficulties in going back to the moon:

Not only does the cost of putting a payload into orbit increase with the cube of the payload weight — this rule holds true in the opposite direction, too. Stick a LEM on the moon and bring the contents back? Easy. Increase the mass that the LEM brings back? Very expensive — the price goes up as the sixth power of the weight you’re returning from the lunar surface (because you have to loft the heavier LEM into Earth orbit to begin with).

Chris, I'm sorry

I hate the overuse of URL shorteners like tinyurl. I like to be able to see what a link is before I click on it. I don’t like that these companies get to be yet another point of surveillance. (To be fair, tinyurl doesn’t seem to be taking advantage of that. I have cookies from and, but not TinyURL.) And so I edited your comment to replace a tinyurl with a full url, and commented that I “corrected it.”

I shouldn’t have done that, I should have just commented about it.

(If this blog was a Kindle, I’d undo it.)

The Arrest of Gates

A couple of good articles are John McWhorter’s “Gates is Right–and We’re Not Post-Racial Until He’s Wrong,” and Lowry Heussler’s “Nightmare on Ware Street.” The full police report is at “Gates police report.”

I think PHB’s comment on Michael Froomkin’s post is quite interesting:

You are all missing a rather significant fact, this is the Cambridge Police force, an organization that has a most peculiar relationship to the community it polices.

Houses in Cambridge cost a fortune, so it is not a city where cops live. So the city is a rich, liberal town policed by a conservative working class police force commuting in from other towns. You do not have to be black to have the Cambridge police act boorishly.

I am trying to avoid talking about the subject with my Cambridge friends as they all want to give their own litany of complaints.

When my apartment in Cambridge was burgled in 1999, the responding officer didn’t even want to get out of his car. When he finally did, he didn’t want to bother to physically examine anything, the one item that I pointed out had a grimy fingerprint was shattered and returned in pieces, and his report failed to document either that the front door was ripped from its hinges, or that a stack of currency from four countries had gone missing.

Sorry, PHB was trying to avoid that. I suspect that both the race and class cards played into this. There’s a strong echo of that in Crowley’s statements reported widely:

“I know what I did was right,” Crowley said in an interview with Boston-based WEEI Sportsradio Network. “I don’t have anything to apologize for.”

There’s one other element of this, which is that the police are separated from communities by a foolish and unwinnable war on drugs. Our last three Presidents have smoked pot, the last two snorted coke. But as long as the police are charged with impossible duties, they will be separated from whatever community may exist.

Please keep the comments civil and respectful of Gates, the officer and one another.

Today's Privacy Loss – English Soldiers' Details Published

Demonstrating that no one’s data is safe, the names, pay records, and other personal information of 90,000 English soldiers were placed on the Internet. These soldiers, who served with King Henry V at Agincourt, now have their information listed at, exposing them to the chance of identity theft after nearly 500 years. The soldiers served from the years 1369-1453. There is no word as to whether they will get credit card protection yet.

For epistemological anarchism

So Dave Mortman and Alex Hutton have a talk submitted to Security BSides entitled “Challenging the Epistemological Anarchist to Escape our Dark Age.” Now, it would certainly be nice if we could all use the same words to mean the same things. It would make communication so much easier! It would let us build the semantic web.

Now, don’t get me wrong. I hate cutesy and confusing names for attacks as much as Alex and Dave. But let’s think about the solution for a minute. If we’re going to challenge anarchy, we do it from a position of authority. We ask some group of the great and the good to authoritatively assign meanings to terms, and then we move on. To the next attempt to do the same thing.

Even with all these definitions, I still get the occasional sputtering prescriptivist trying to tell me that what my employer calls threat modeling should be called “sleeping furiously” or something. My response is now always the same. I ask “is this the most productive conversation we could be having?”

Now my other issue with challenging anarchy is that once you have some great and good, they shape the thoughts that we might have. [I’m running out of time, so imagine witty and relevant references to Orwell here, along with pointer to Politics and the English Language.]

So I have two reasons to not bother challenging the epistemological anarchist. First, it won’t work, and secondly, it wastes energy that we might otherwise use to shape the language in the directions we prefer.

July 20, 1969

The Apollo program took place at just about the right time for me. I was six (or, as I would quickly have pointed out at the time, six *and a half*) when the first lunar landing occurred, and barely ten when Apollo 17 splashed down. This was old enough to be fascinated by the technology and the sheer coolness (I would not have known the words “audacity” or “chutzpah”), and too young to question the wisdom of the project given the pressing alternative terrestrial uses for the funds. It’s funny that what my brain decided to remember, and what society made iconic or controversial do not really coincide. I distinctly remember the Apollo 8 launch, but nothing of the reading from the book of Genesis. I watched the Apollo 11 launch, but I don’t specifically recall Armstrong’s first steps. In all cases, I was glued to the TV for the launch and splashdown. Oddly, these more than the flight to (or activities on) the moon brought to mind the vast scale of the project. Launches always included references to tracking stations in Australia — a vast distance away for the 6-8 year-old mind. Splashdowns involved a whole aircraft carrier! This truly was big stuff.
Skylab and Apollo-Soyuz held my interest, but the shuttle never did. Viking, with actual color pictures of Mars, got things back on track, but it was clear that no human would set foot on Mars for some time. The sense of purpose just was not there the way it was for Apollo, and it hasn’t been since. It’s hard to know whether the undertone of loss I feel when thinking about Apollo is an effect of time — I am no longer the wide-eyed boy — or of a recognition of what might have been, but was not, due to the disintegration of the consensus that allowed Apollo to succeed.