St. Cajetan's Revenge

For some time, I’ve watched the War on Bottled Water with amusement. I don’t disagree with figuring out how to reduce waste, and so on and so forth, but the railing against bottled water per se struck me as not thought out very well.

The major reason for my thinking is that I never heard any of the venomous railing against water extending to any other drinks that come in bottles. To my mind, it seemed that a Coke, hey, that’s okay, but if you start with one and take out the sugar, the caffeine, the artificial flavors, and CO2 you end up with water. Coke okay, water evil.

Me, sometimes all I want is a cool drink of water. More often, I want something a little more. I’m very fond of those fizzy waters with a bit of essential oils in them, as well as iced tea. But I don’t want the sugar. I want an artificial sweetener even less, and often when faced with decisions, water is what’s available. When I’m traveling nearly anywhere, I think I’d rather have it in a bottle, thanks.

The prejudice against water comes from thinking that it’s just water. Rarely is there such a thing as just water. The only just water there is is distilled (or in a pinch deionized) water, and that is itself special because it is unusual for something to be just water.

And now, I can’t help but think, “Uh huh” as I read, “Millions in U.S. Drink Dirty Water, Records Show.”

The summary is that more than 20% of US water treatment systems have violated key provisions of the Safe Drinking Water Act over the last five years. The violations include sewage bacteria, known poisons and carcinogens, parasites, and so on. Mid-level EPA investigators say that the government has been interested in other things and just not enforcing things, and they don’t think change will happen.

Security isn’t just going after terrorists, it’s basic thing. Like water.

Top Security Stories of the Year?

On Wednesday, I’ll be joining a podcast to discuss “top security stories of the year.”

I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year?

(I posted this on Emergent Chaos, but forgot to post it here.)

We Take Your Privacy Seriously

So after BNY Melon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login.

Boy, am I glad to know they take my privacy seriously, because otherwise, their failure to fill out fields in their certificate might really worry me.

I mean, I’m not annoyed that BNY Mellon treated my information negligently. Oh, no. I expect that. I am a little annoyed that having done so, they offered me a year of “monitoring” rather than prevention. I’m annoyed that it’s a year, when there’s no evidence that risk of harm falls after a year. And I’m annoyed that the company offering monitoring doesn’t bother to get the little things right.

[Update: This may be a broader issue of all non-EV certs being treated like this. I admit, I rarely check because I rarely care. But when I do care, I reasonably expect it to be done right.]

Data Not Assertions

There have already been a ton of posts out there about the Verizon DBIR Supplement that came out yesterday, so I’m not going to dive into the details, but I wanted to highlight this quick discussion from twitter yesterday that really sums of the value of the supplement and similar reports:

georgevhulme: I’m glad we have data to refute the “insiders conduct 80% of all attacks” mantra that has been repeated, ad nauseum for at least a decade

adamshostack: @alexhutton @georgevhulme yeah, but… Data, not assertions

This is so awesome, I can barely stand it. We’re actually starting to be able to make data based decisions as opposed to just asserting something is true because we believe it on faith or like the way it sounds.

“Data, not assertions” really sums up so much of what I was trying to get at in the the discussion on securosis last week about password changing time frames. Read the comments over there. It really shows how far we have yet to go.

Monkeys krak-oo krak-oo

monkey petting a cat
According to “Campbell’s Monkeys Use Affixation to Alter Call Meaning:”

We found that male alarm calls are composed of an acoustically variable stem, which can be followed by an acoustically invariable suffix. Using long-term observations and predator simulation experiments, we show that suffixation in this species functions to broaden the calls’ meaning by transforming a highly specific eagle alarm to a general arboreal disturbance call or by transforming a highly specific leopard alarm call to a general alert call. We concluded that, when referring to specific external events, non-human primates can generate meaningful acoustic variation during call production that is functionally equivalent to suffixation in human language.

Sorta via Wired, who, not being monkeys, did not use the invariable suffix “here’s a link.”

Photo: Macque monkey and kitten by Kaz Campbell.

Sweden: An Interesting Demographic Case Study In Internet Fraud

saab-900(quietly, wistfully singing “Yesterday” by the Beatles)

From my favorite Swedish Infosec Blog, I don’t speak Swedish, so I couldn’t really read the fine article they linked to.  Do go read their blog post, I’ll wait here.

Back?  Great.  Here are my thoughts on those numbers:


The World Bank estimates the population of Sweden to be 9,220,986 – 2008

For Reference, London (2006 figures) was 7.5 million, New York City was 8.275 million in 2007

So the Swedish “market” for fraud was around 60,000 people out of a total population of 9,000,000 suffering an average  of  €1050-1100 each.  This line of thinking draws the inevitable comparison to what VC call The Chinese Soft Drink Argument (If we can just get each person from China to buy one drink, we’ll make a billion!), obviously, but I thought it was interesting to put this into context.

When I saw those numbers, I thought of a couple of other stats I’d like to have at hand:

Break down of types of “attacks” that resulted in fraud (was the attack primarily hacking, was their SE involved, was it phishing, etc.), estimated number of attack attempts, number of arrests, demographics around Internet banking and broadband penetration…

What other information do you think would be helpful to you as a practitioner?

obligatory Swedish Chef reference: