30 vs 150,000

For your consideration, two articles in today’s New York Times. First, “How to Remind a Parent of the Baby in the Car?:”

INFANTS or young children left inside a vehicle can die of hyperthermia in a few hours, even when the temperature outside is not especially hot. It is a tragedy that kills about 30 children a year, according to the National Safety Council.

Janette Fennell is the founder and president of KidsAndCars.org, a safety advocacy group based in Leawood, Kan., that focuses on issues involving children and automobiles. In a telephone interview, Ms. Fennell made her view clear, saying she believed that carmakers must develop reminder devices to warn drivers if a child is left behind.

Second, “The Hard Sell on Salt:”

High blood pressure is rising among adults and children. Government health experts estimate that deep cuts in salt consumption could save 150,000 lives a year.

Bets on which problem is “addressed” first are encouraged in the comments.

ANNOUNCEMENT: The Society of Information Risk Analysts

I was talking with (the now nationally famous) Rich Mogull at Secure360 last week in St. Paul (fabulous security gathering, btw, I highly recommend it), and he reiterated his position that we had too much “echo chamber” and not enough engagement with everyone – especially our peers who are down in the trenches and too busy to have a voice.
I also had a chance to sit down with Jay Jacobs while I was there and he started talking to me about his perceived need for a bunch of “risk interested” security folks to get together and talk in an informal manner, a desire driven from his reading about how, during the enlightenment, great minds (esp. French mathematicians) would get together to talk.
Now I’ve been a big fan of informal but focused discussions as a means of furthering our ability as a profession to actually get things done.  Nothing worse than an ISSA/ISACA/Infraguard/Whatever meeting where everyone is sitting forward, not engaging with others, watching some bullet heavy powerpoint (usually supplied by a vendor).  So after talking with Jay and Chris Hayes, Chris Carlson and Marty Miracle – we came up with an idea.

The Society of Information Risk Analysts

The idea here is this:  Building a real information risk management program isn’t easy.  Anybody who says they’ve got it figured out is talking out of their elbow.  The Society of Information Risk Analysts should be a place (virtual, physical) where people who have to deal with IRM can get together and talk.  Sometimes this might be a webex from a real practicioner.  Sometimes this might be a local gathering at a coffee shop or bar.  Sometimes this might be a sponsored get together at a regional or national security conference.  But wherever we can congrate, we should — and discuss and help each other out.
I don’t want to add too much structure or vision beyond this.  I think that’s for the members to decide.  But if you had to ask, I would say the Society should be formally, informal.
So what I’ve done is set up an initial Google Group: http://groups.google.com/group/InfoRiskSociety
It’s currently “invite only” but that’s just to keep the spam out.   If you’re interested, please feel free to send us a request.  Similarly, there’s a twitter account (of course):
You can follow for announcements, and links, and so forth but also to discuss interest.  You can always also get in touch with me via Twitter, too: http://twitter.com/alexhutton
From here, Once we have a dozen or so interested parties, I’d like to hold a Webex to see what sort of combined vision we can create.  I hope to let it be, as Adam would say, emergent.  Maybe, if enough are present (or even if it is just a couple) there can be initial face to face meetings attached to Metricon, Blackhat, and/or Defcon.



Today will be remembered along with the landing on the moon and the creation of the internet:

Researchers at the J. Craig Venter Institute (JCVI), a not-for-profit genomic research organization, published results today describing the successful construction of the first self-replicating, synthetic bacterial cell. The team synthesized the 1.08 million base pair chromosome of a modified Mycoplasma mycoides genome. The synthetic cell is called Mycoplasma mycoides JCVI-syn1.0 and is the proof of principle that genomes can be designed in the computer, chemically made in the laboratory and transplanted into a recipient cell to produce a new self-replicating cell controlled only by the synthetic genome.

Press release, or read more in Science or the Economist. (Whose image I borrowed.)

We'll always have Facebook…

Facebook, Here's Looking at You Kid

The last week and a bit has been bad to Facebook. It’s hard to recall what it was that triggered the avalanche of stories. Maybe it was the flower diagram we mentioned. Maybe it was the New York Times interactive graphic of just how complex it is to set privacy settings on Facebook:


Maybe it was Zuckerberg calling people who trust him “dumb fucks,” or the irony of him telling a journalist that “Having two identities for yourself is an example of a lack of integrity.” Or maybe it was the irony that telling people you believe in privacy while calling them dumb fucks is, really, a better example of a lack of integrity than having two identities.

Maybe it was the Facebook search (try ‘my dui’), or Facebook: The privatization of our Privates and Life in the Company Town. Maybe it was getting on CNN that helped propel it.

It all generated some great discussion like danah boyd’s Facebook and “radical transparency” (a rant). It also generated some not so great ideas like “Poisoning The Well – A Response To Privacy Concerns… ” and “How to protect your privacy from Facebook.” These are differently wrong, and I’ll address them one at a time. First, poisoning the well. I’m a big fan of poisoning the wells of mandatory data collectors. But the goal of Facebook is to connect and share. If you have to poison the data you’re trying to share with your friends, the service is fundamentally broken. Similarly, if you’re so scared of their implicit data collection that you use a different web browser to visit their site, and you only post information you’re willing to see made public, you might as well use more appropriate and specialized sites like Flickr, LinkedIn, Okcupid, Twitter or XBox Live. (I think that covers all the main ways people use Facebook.)

But Facebook’s problems aren’t unique. We’ve heard them before, with sites like Friendster, MySpace, Tribe and Orkut. All followed the same curve of rise, pollution and fall that Facebook is going to follow. It’s inevitable and inherent in the attempt to create a centralized technical implementation of all the myriad ways in which human beings communicate.

Play it Sam…once more, for old time’s sake

I think there are at least four key traps for every single-operator, all-purpose social network.

  1. Friend requests The first big problem is that as everyone you’ve ever had a beer with, along with that kid who beat you up in 3rd grade sends you a friend request, the joy of ‘having lots of friends’ is replaced with the burden of managing lots of ‘friends.’ And as the network grows, so does the burden. Do you really know what that pyronut from college chemistry is up to? Do you want to have to judge the meaning of a conversation in light of today’s paranoia? This leads us to the next problem:
  2. Metaphors Facebook uses two metaphors for relationships: friend and network. Both are now disconnected from their normal English meanings. An f-friend is not the same as a real friend. You might invite a bunch of friends over for drinks. Would you send the same invite to your f-friends list? Similarly, if I were to join Facebook today, I could join a Microsoft network, because I work there (although I’m not speaking for them here). Now, in the time that Facebook has been open to the world, lots of people have gained and lost Microsoft email addresses. Some have been full time employees. Some have been contractors of various types. Some have been fired. Is there a process for managing that? Maybe, we have a large HR department, but I have no idea. One key point is that membership in an f-network is not the same as membership in a real network. The meaning of the words evolve through practice and use. But there’s another issue with metaphors as made concrete through the technical decisions of Facebook programmers: there aren’t enough. I think that there’s also now “fans” available as an official metaphor, but what about salesguy-you-met-at-a-conference-who-won’t-stop bugging-you? The technical options don’t match the nuance with which social beings handle these sorts of questions, and even if they do, telling a computer all that is too much of a bother. (See the chart above for an attempt to make it do something related.)
  3. Privacy means many things Privacy means different things to different people. Even the same person at different times wants very different things, and the costs of figuring out what they will want in some unforeseen future is too high. So privacy issues will keep acting as a thorn in the side for social network systems, and worse for centralized ones.
  4. Different goals Customers & the business have different desires from the system. Customers want fast, free, comprehensive, private, and easy to use. They don’t want to worry about losing their jobs or not getting one. They don’t want to worry about stalkers. They don’t want their sweetie to look over their shoulder and see an ad for diamond rings after talking to their friends about engagement. But hiring managers want to see that embarrassing thing you just said. (Hello, revenue model, although Facebook has not, as far as I know, tapped this one yet.) Stalkers are heavy users who you can show ads to. Advertisers want to show those diamond ring ads. Another example of this is the demand to use your real name. Facebook’s demand that you use your real name is in contrast to 4 of the 5 alternatives up there. Nicknames, psuedonyms, handles, tags are all common all over the web, because, in fact, separating our identities is a normal activity. This is an idea that I talk about frequently. But it’s easier to monetize you if Facebook has your real name.

So I’m shocked, shocked to discover that Facebook is screwed up. A lot of other shocked people are donating to Diaspora ($172,000 of their $10,000 has been pledged. There’s interesting game theory about commitment, delivery on those pledges, and should they just raise a professional round of VC, but this post is already long.) There’s also Appleseed: A Privacy-Centric Facebook Slayer With Working Code.

Now, before I close, I do want to say that I see some of this as self-inflicted, but the underlying arc doesn’t rely on Zuckerberg. It’s not about the folks who work for Zuckerberg, who, for all I know are the smartest, nicest, best looking folks anywhere. It’s about the fundamental model of centralized, all-purpose social networks being broken.

To sum it all up, I’m gonna hand the microphone to Rick:

If you don’t get off that site, you’ll regret it. Maybe not today, maybe not tomorrow, but soon and for the rest of your life. Last night we said a great many things. You said I was to do the thinking for both of us. Well, I’ve done a lot of it since then, and it all adds up to one thing: you’re getting off that Facebook. Now, you’ve got to listen to me! You have any idea what you’d have to look forward to if you stayed here? Nine chances out of ten, we’d both wind up with our privacy in ruins. Isn’t that true, Louie?

Capt. Renault: I’m afraid that Major Zuckerberg will insist.

This is what science is for

In “The Quest for French Fry Supremacy 2: Blanching Armageddon,” Dave Arnold of the French Culinary Institute writes:

Blanching fries does a lot for you – such as:

  • killing the enzymes that make the potatoes turn purpley-brown. Blanching is always necessary if the potatoes will be air-dried before frying.
  • gelatinizing the starch. During frying, pre-cooked fries form a crust faster than raw ones, and they can be cooked at higher oil temperatures than raw fries – which is easier for workflow.
  • pre-salting the interior of the fries. We blanched two batches of fries, one in boiling 3% salt water, one in boiling plain water. The plain-water fries tasted like crap next to the salt-water ones. All subsequent tests fries were blanched in a 3% salt solution.

It’s easy to think of science as just being good for building computers and the internet, extending average lifespans, giving us goretex, nylon and vulcanized rubber. Some people may worry that it’s in the weeds when worrying about string theory. But science is an approach to problems. The testing of ideas to see how well they work, rather than loving the idea.

And Dave Arnold, along with Harold McGee and others, and driving the intersection of science and cooking. And while they’re likely to skewer quite a few cows along the way, the results are worth it.

Where's the Checks and Balances, Mr. Cameron?

[Update: See Barry’s comments, I seem to misunderstand the proposal.]
The New York Times headlines “
Britain’s New Leaders Aim to Set Parliament Term at 5 Years
.” Unlike the US, where we have an executive branch of government, the UK’s executive is the Prime Minister, selected by and from Parliament.

As I understand things, the primary check on the Prime Minister is that if their choices are sufficiently unpopular, their party defects and votes against them, leading to a new election. This threat of government collapse is a major check on the power of Parliament, as evidenced by how both Cameron and Clegg are repeating that “this government will last 5 years.”

So if Parliament will last 5 years, what are the checks on its power?

[Edit: Steps on scrapping ID cards and ContactPoint are very positive, but to my mind, those are symptoms of the already barely-checked power of the Prime Minister.]

Malware reports? (A bleg)

I’m doing some work that involves seeing what people are saying about the state of malware in 2010, and search terms like “malware report” get a lot of results, they don’t always help me find thinks like the Symantec ISTR, the McAfee threats report or the Microsoft SIR.

To date, I’ve found reports from Cisco, IBM/ISS, Kaspersky, McAfee, Microsoft, Sophos and Symantec. Are there others that cover malware? (I’m leaving off Verizon since it doesn’t cover what I need for this particular project.) Recent things like the Nocebo paper here are also interesting.

If you know of other reports that will help me gain insight into the state of the world, please leave a comment.

Welcome to the club!

As EC readers may know, I’ve been sort of a collector of breach notices, and an enthusiastic supporter of the Open Security Foundation’s DataLossDB project. Recently, I had an opportunity to further support DataLossDB, by making an additional contribution to their Primary Sources archive – a resource I find particularly valuable.

Unfortunately, that contribution was a breach notification letter[pdf] addressed to me! Since I now have some skin in the game, I figured I’d use the opportunity to take a close look at this incident and see what can be learned from it.

Who sent the letter, and how do I reach them?

Let’s start with the letter itself. While it identifies the data owner (“EHP”, an emergency room practice I had patronized), it provides no return address, and the letter is unsigned. Unsurprisingly given this opacity, the envelope return address is a post office box. While a toll-free number is provided, this is a requirement of many state breach laws, and repeated calls to the number resulted in my being placed in an ACD queue, rather than being routed to a human being. So far, it looks to me like they’re trying to ensure that all communication regarding this issue is either squelched by the magic of painful on-hold music, or diverted into a call center. In particular, there seems to be no enthusiasm for written correspondence.

What was exposed, and how?

Now let’s consider the nature of the exposed data. According to the notification letter, a hard drive was stolen from a 3rd party service provider (Millennium Medical Management Resources). That hard drive contained “unencrypted copies of records with health and financial information about [me]”. Furthermore, the service provider

…believes the hard drive contained personally identifiable information about EHP patients, including name, address, phone number, date of birth, and Social Security Number and, in some cases, other information such as diagnosis and/or diagnosis code, types of procedure and/or procedure code, medical record number, account number, driver’s license number, and health insurance information.

Surprisingly, the letter does not say that “the exposure appears to be the work of criminals interested in the hardware” or other such language often used to suggest that crooks don’t go after data. This even though the police report notes that the “suite [was] in disarray”. Kudos to EHP for this. And kudos to the Westmont, IL PD for handling my FOIA request same day. I understand they received literally hundreds of requests for this report. Anyone who handles a dramatic, unexpected increase in work so cheerfully deserves praise.

As to what was stolen, the notification letter — seemingly drafted by an attorney — states what the service provider believes, not what the service provider knows. This suggests there is some question as to what precisely was on the unencrypted drive. Clearly, though, health and financial information are involved, suggesting that this breach is subject to HITECH and HIPAA provisions, as well as to myriad state breach laws. Reading on, this is further reinforced, when EHP says they “…will report this security breach to the Office of Civil Rights of the U.S. Department of Health and Human Services.” Such a report is required by HITECH when more than 499 persons have been affected by a breach, which establishes a lower bound for the likely number of affected individuals in this incident. (In the few days I have been composing this blog post, the report has appeared on HHS’s web site. 180,111 folks impacted by this one. Ouch. Why not put this in the letter to me, if it will be one mouse-click away anyhow?)

How long did notification take?

HITECH requires that notification occur within sixty days of the discovery of the breach. This breach was discovered March 1st. The letter is dated April 30. I wonder if the delay would have been longer, were it legally permissible?

How will future incidents be prevented?

According to the letter,the service provider has

…implemented new and improved technical, physical, and administrative security measures to prevent future thefts and security breaches, including encryption of electronic personally identifiable information stored on portable storage devices. Millennium will also take additional steps to further secure patient information.


EHP is carefully monitoring these security measures to ensure that they meet regulatory requirements and appropriately secure information about its patients.

With a letter such as this, which undoubtedly was closely crafted by people who pay attention to word choice, it seems fair to read it as attentively as it was written. An admittedly cynical interpretation is that this “careful monitoring” is a new thing for EHP. After all, they didn’t say they would “continue to carefully monitor” or would “more carefully monitor”. As to what “technical, physical, and administrative” measures Millennium might be adding, who knows? It’s hard enough to audit ones own service provider. Knowing what somebody else’s is doing is harder still.

So what can I do?

The letter concludes with sections which roughly follow the guidelines provided by various sample breach notification letters. This is impressive. After reading many notification letters, I’ve come to expect some soft-pedaling of the risk of identity theft. This one does not do that. Again, kudos.

Closing Thoughts

So this has been a long blog post about one incident and one letter, and not exactly a man bites dog situation either. Apologies. I think two things are interesting about this particular letter:

  1. For matters that pertain to breaches generally rather than to this one specifically, it was straightforward, clear, and reasonably complete. The advice about what to do, how to interact with credit bureaus, when to notify law enforcement, etc., was all sound, with little or no “spin”.
  2. With respect to the details of this specific incident, the letter was more circumspect, with — to my eyes — more parsing of words.

Unsurprising, perhaps, but (I have not done a content analysis to verify this) I wonder how typical the openness would have been three or four years ago. Perhaps, if California’s SB 1166 is signed by the Governor (rather than vetoed, as was a previous version), this greater transparency will extend to incident-specific details as well. I don’t see the harm in it. I’ve already filled in the blanks with what I think really happened to my information. There isn’t too much EHP could say that would make me feel much different about their vendor management program, or about the degree of care Millennium evinced here, so they should just say it.