Shostack + Friends Blog Archive

 

Models are Distracting

So Dave Mortman wrote: I don’t disagree with Adam that we need raw data. He’s absolutely right that without it, you can’t test models. What I was trying to get at was that, even though I would absolutely love to have access to more raw data to test my own theories, it just isn’t realistic […]

 

Security is About Outcomes, FISMA edition

Over at the US Government IT Dashboard blog, Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO) write: the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ […]

 

Meta-Data?

So awhile back, I posted the following to twitter: Thought of the Day: We don’t need to share raw data if we can share meta-data generated using uniform analytical methodologies. Adam, disagreed: @mortman You can’t test & refine models without raw data, & you can’t ask people with the same orientation to bring diverse perspectives. […]

 

Gates Was Hardly An Exception

There was a lot of news when Henry Lewis Gates was arrested back in July, essentially for mouthing off to a cop. What happened was a shame, but what is more of a shame is that this sort of thing isn’t that rate. Time magazine had a recent article about this, Do You Have the […]

 

Happy Banned Books Week!

Quoting Michael Zimmer: [Yesterday was] the start of Banned Books Week 2009, the 28th annual celebration of the freedom to choose what we read, as well as the freedom to select from a full array of possibilities. Hundreds of books are challenged in schools and libraries in the United States each year. Here’s a great […]

 

Podcasts with Amrit

I had fun recording Beyond the Perimiter Episode 48 and 49 with Amrit. I think Amrit asked some of the broadest, most complex questions I’ve been asked, and it was hard to keep the episodes short. Go have a listen!

 
 

A Little Temporary Safety

So I saw this ad on the back of the Economist. (Click for a larger PDF). In reading it, I noticed this exhortation to “support the STANDUP act of 2009:” The STANDUP Act* (H.R. 1895) creates a National Graduated Driver Licensing (GDL) law that [limits nighttime driving, reduces in-car distractions, puts a cap on the […]

 
 

Metrics Abused

Statistically speaking, 6 out of 7 dwarves are not happy. [via zem42]

 

National Cyber Leap Year Summit reports now available

I believe these are the final deliverables: National Cyber Leap Year Summit 2009 Co-Chairs Report — main discussion of metrics is p 26-28 National Cyber Leap Year Summit 2009 Participants’ Ideas Report – main discussion of metrics is p 44-46, p 50-51, and p 106; with related discussion on p 53-54. Also worth noting is […]

 

Happy Emancipation Proclamation Day!

That on the first day of January in the year of our Lord, one thousand eight hundred and sixty-three, all persons held as slaves within any state, or designated part of a state, the people whereof thenceforward, and forever free; and the executive government of the United States [including the military and naval authority thereof] […]

 

Making Sense of the SANS "Top Cyber Security Risks" Report

The SANS Top Cyber Security Risks report has received a lot of positive publicity. I applaud the effort and goals of the study and it may have some useful conclusions. We should have more of this. Unfortunately, the report has some major problems. The main conclusions may be valid but the supporting analysis is either confusing or weak. It would also be good if this study could be extended by adding data from other vendors and service providers.

 

Private Thoughts on Race

So I’m sitting on the plane home from* Seattle, and I had a really interesting conversation on race with the woman next to me. We were talking, and she asked me, why is it so hard to have conversations like this. I thought that the answer we came to was interesting, and insofar as it […]

 

Visualization Friday – Improving a Bad Graphic

We can learn from bad visualization examples by correcting them. This example is from the newly released SANS “Top Cyber Security Risks” report. Their first graphic has a simple message, but due to various misleading visual cues, it’s confusing. A simplified graphic works much better, but they probably don’t need a graphic at all — a bulleted list works just as well. Moral of this story: don’t simply hand your graphics to a designer with the instructions to “make this pretty”. Yes, the resulting graphic may be pretty, but it may lose its essential meaning or it might just be more confusing than enlightening. Someone has to take responsibility for picking the right visualization metaphor and structures.

 

Secret Photo Apps for the iPhone

If you try searching the App store for photo apps, you find all sorts of things to make your photos sepia. Or blurry. Or to draw on them. Which is great, but if you want apps to help you take photographs, they’re sorta hard to find. So here are some links: First up, a reference […]

 

Proskauer Rose Crows "Rows of Fallen Foes!"

Over on their blog, the law firm announces yet another class action suit over a breach letter has been dismissed. Unfortunately, that firm is doing a fine business in getting rid of such suits. I say it’s unfortunate for two reasons: first, the sued business has to lay out a lot of money (not as […]

 

Notes to the Data People

Over on his Guerilla CISO blog, Rybolov suggests that we ask the Data.gov folks for infosec data using their Suggest a data set page. It sounds like a good idea to me! I took his request and built on it. Rather than breaking the flow with quotes and edit marks, I’ll simply say the requests […]

 

Atoms, Photographed

The pictures, soon to be published in the journal Physical Review B, show the detailed images of a single carbon atom’s electron cloud, taken by Ukrainian researchers at the Kharkov Institute for Physics and Technology in Kharkov, Ukraine….To create these images, the researchers used a field-emission electron microscope, or FEEM. They placed a rigid chain […]

 

12 Tips for Designing an InfoSec Risk Scorecard (its harder than it looks)

An “InfoSec risk scorecard” attempts to include all the factors that drive information security risk – threats, vulnerabilities, controls, mitigations, assets, etc. But for the sake of simplicity, InfoSec risk scorecards don’t include any probabilistic models, causal models, or the like. It can only roughly approximate it under simplifying assumptions. This leaves the designer open to all sorts of problems. Here are 12 tips that can help you navigate these difficulty. It’s harder than it looks.

 

BBC Video of Liquid Explosives

The BBC has some really scary video “Detonation of Liquid Explosives.” However, as I thought about it, I grow increasingly confused by what it purports to show, and the implications. At the end of the day, I think there are two possibilities: It’s a fair representation, or it’s not. I’m leaning slightly towards the second. […]

 

This Friday is “Take an Academic Friend to Work Day”

We need more cross-disciplinary research and collaboration in InfoSec. We start on a small scale, starting with people in our professional network. One fertile area of research and collaboration is to apply the latest research in non-standard logic and formal reasoning (a.k.a. AI) to InfoSec risk management problems. The problem is that most of that research reads like Sanskrit unless you are a specialist. Rather than simply post links to academic papers and ask you to read them, let’s use these papers as a vehicle to start a dialog with an academic friend, or a friend-of-friends. Maybe there are some breakthrough ideas in here. Maybe not. Either way, you will have an interesting experience in cross-discipline collaboration on a small scale.

 

Is risk management too complicated and subtle for InfoSec?

Luther Martin, blogger with Voltage Security, has advised caution about using of risk risk management methods for information security, saying it’s “too complicated and subtle” and may lead decision-makers astray. To backup his point, he uses the example of the Two Envelopes Problem in Bayesian (subjectivist) probability, which can lead to paradoxes. Then he posed an analogous problem in information security, with the claim that probabilistic analysis would show that new security investments are unjustified. However, Luther made some mistakes in formulating the InfoSec problem and thus the lessons from Two Envelopes Problem don’t apply. Either way, a reframing into a “possible worlds” analysis resolves the paradoxes and accurately evaluates the decision alternatives for both problems. Conclusion: risk management for InfoSec is complicated and subtle, but that only means it should be done with care and with the appropriate tools, methods, and frameworks. Unsolved research problems remain, but the Two Envelopes Problem and similar are not among them.

 

Caster Semenya, Alan Turing and "ID Management" products

South African runner Caster Semenya won the womens 800-meter, and the attention raised questions about her gender. Most of us tend to think of gender as pretty simple. You’re male or you’re female, and that’s all there is to it. The issue is black and white, if you’ll excuse the irony. There are reports that: […]

 

National Cyber Leap Year: Without a Good Running Start, There Might Be No Leap

The National Cyber Leap Year (NCLY) report coming out in a few weeks might lead to more US government research funding for security metrics in coming years. But that depends on whether the report is compelling to the Feds and Congress. Given the flawed process leading up to the Summit, I have my doubts. Clearly, this NCLY process is not a good model for public-private collaboration going forward.

 

Rebuilding the internet?

Once apon a time, I was uunet!harvard!bwnmr4!adam. Oh, harvard was probably enough, it was a pretty well known host in the uucp network which carried our email before snmp. I was also harvard!bwnmr4!postmaster which meant that at the end of an era, I moved the lab from copied hosts files to dns, when I became […]

 

Metrics: 50% Chance of Injury by Biscuit

The Telegraph reports: More than half of all Britons have been injured by biscuits ranging from scalding from hot tea or coffee while dunking or breaking a tooth eating during a morning tea break, a survey has revealed. Who knew that cookies could be so dangerous? So forget worrying about AV or even seat belts, […]

 

Some Stuff You Might Find Interesting 9-8-2009

IT’S A TAB DUMP Hey,  because of the holiday, I missed posting some stuff for you all about security & visualization last week. So I thought I’d make it up to you today (plus, I’m about to declare Firefox tab bankruptcy, as I tend to find things to mention on the blog here and then […]

 

Make the Smart Choice: Ignore This Label

He said the criteria used by the Smart Choices™ Program™ were seriously flawed, allowing less healthy products, like sweet cereals and heavily salted packaged meals, to win its seal of approval. “It’s a blatant failure of this system and it makes it, I’m afraid, not credible,” Mr. Willett said. […] Eileen T. Kennedy, president of […]

 

Only an idea after a bunch of calculating

Andrew Koppelman has a post on lawprof blog Balkinization, titled “You have no idea:” This data sits uneasily beside a recent study in the American Journal of Medicine of personal bankruptcies in the United States. In 2007, 62% of all personal bankruptcies were driven by medical costs. “Nationally, a quarter of firms cancel coverage immediately […]

 

Non Commercial

If you haven’t listened to Larry Lessig’s 23C3 talk, it’s worthwhile to listen to the argument he makes. As I was listening to it, I was struck by the term non-commercial, and, having given it some thought, think that we need a better word to describe the goals Creative Commons is pursuing. The term non-commercial […]

 

We're all reputable on this bus

There’s an interesting story at Computerworld, “Court allows suit against bank for lax security.” What jumped out at me was Citizens also had claimed that its online banking services were being provided and protected by a highly reputable company. In addition to the third-party security services, Citizens said it had its own measures for protecting […]

 

Ten Years Ago: Reminiscing about Zero-Knowledge

Ten years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who […]