Unmeddle Housing More

Last month, I wrote:

But after 50 years of meddling in the market, reducing the support for housing is going to be exceptionally complex and chaotic. And the chaos isn’t going to be evenly distributed. It’s going to be a matter of long, complex laws whose outcomes are carefully and secretly influenced. Groups who aren’t photogenic or sympathetic will lose out. (I’m thinking “DINKs” in gentrified urban areas.) Groups who aren’t already well-organized with good lobbyists will lose out. (See previous parenthetical.) Those who believed that the government housing subsidy would go on forever will lose. (“Unmeddling Housing,” January )

Now, the New York Times reports on the administration’s plan, calling it “audacious:”

The Obama administration’s much-anticipated report on redesigning the government’s role in housing finance, published Friday, is not solely a proposal to dissolve the unpopular finance companies Fannie Mae and Freddie Mac. It is also a more audacious call for the federal government to cut back its broadly popular, long-running campaign to help Americans own homes. The three ideas that the report outlines for replacing Fannie and Freddie all would raise the cost of mortgage loans and push homeownership beyond the reach of some families. (“Administration Calls for Cutting Aid to Home Buyers,” New York Times)

Audacious would be to put the mortgage interest deductions on the table. This is a move in the right direction, but it’s not going to let people express their real preferences in a market. It will continue to distort the market, reducing people’s flexibility to move, and encouraging them to make their major asset a non-liquid one which is likely to decrease in value as the US population ages.

Best Practices for the Lulz

The New School blog will shortly be publishing a stunning expose of Anonymous, and before we do, we’re looking for security advice we should follow to ensure our cloud-hosted blog platform isn’t pwned out the wazoo. So, where’s the checklist of all best practices we should be following?

What’s that you say? There isn’t a checklist? Then how are we supposed to follow advice like this:

So there are clearly two lessons to be learned here. The first is that the standard advice is good advice. If all best practices had been followed then none of this would have happened. Even if the SQL injection error was still present, it wouldn’t have caused the cascade of failures that followed.

So please, if you’re going to advocate for best practice security, please provide a list so we can test what you say. Otherwise, I worry that someone, somewhere will have declared something else a best practice, and your hindsight will be 20/20.

Incidentally, the opening sentence is a lie. Attacking this blog is probably like kicking stoned puppies. Even though we do try to ensure it’s up to date with patches and use strong passwords, we selected the blog hosting company on a diverse set of criteria which included cost effectiveness for our hobby blog.

Previously on best practices:

Finally, there’s a little more context below the fold.


Is Norton Cybercrime Index just 'Security Metrics Theater'?

Symantec’s new Norton Cybercrime Index looks like it is mostly a marketing tool. They present it as though there is solid science, data, and methods behind it, but an initial analysis shows that this is probably not the case. The only way to have confidence in this is if Symantec opens up about their algorithms and data.

I really hope that Symantec has invested serious money and resources to produce a good composite metric that meaningfully improves the ability of decision-makers to make better security decisions.  But an initial investigation leads me to believe that it is mostly a marketing ploy, at least in this initial version. Let me be the first to call it ‘Security Metrics Theater’ (with nod to Bruce S.).

Here’s the website: www.nortoncybercrimeindex.com (all in FLASH)

Here’s a typical article:

Norton Cybercrime Index, unveiled today, rates the current state of cybercrime in a single, simple number and indicates whether the danger level is going up or down. Interested visitors can drill down for almost any level of detail. […]

The index is open-ended, like the Dow Jones Industrial Average. Symantec’s proprietary algorithm draws on many sources to produce the index, among them the Symantec Global Intelligence Network, Norton Safe Web and the millions of customers using Norton 360 Version 4.0, Norton AntiVirus 2011, and Norton Internet Security 2011. To ensure the validity of the algorithm Symantec had it analyzed by experts at the University of Texas’s Institute for Cyber Security; the experts approved.

What’s the goal?  From the FAQ (embedded in FLASH):

Symantec created the Norton Cybercrime Index to show people that cybercrime is real, it can happen to anybody, and there is something you can do to protect yourself.

How is it calculated?

…using a statistical model and algorithm, which assigns values to the number of online threats observed each day. Threats include malware, fraud, identity theft, spam, phishing, and social engineering trickery. Once threats are quantified and processed through an algorithm, the Norton Cybercrime Index number is generated. The algorithm has been endorsed by the University of Texas San Antonio as a valid measurement reflecting the risk of cybercrime.

My initial judgement

It looks like it is purely a product of Symantec’s marketing department.  There’s a massive PR effort underway via blogs, twitter, public places (e.g. London, Times Square), and probably at the RSA Conference, now underway in San Francisco. The web advertising firm Fine Design Group created the FLASH UI, and tweeted about it first.

It will be interesting to probe their methods and data, assuming that Symantec will be transparent about the “proprietary algorithm” used to compute the index.  If they really want to establish credibility, it would be irrational to treat this as proprietary, confidential, and closed, for all the obvious reasons.  ID Analytics is listed as a data provider, but there’s no evidence that their ‘advanced analytics’ are used by Symantec, only their summary data regarding personal identity theft in the US.

I’d be very surprised if any of Symantec’s metrics experts are behind it.  I don’t know of anyone in the security metrics community who has been contacted or involved as an outside expert.  They certainly haven’t presented it for peer review at last Monday’s Mini-metricon (why not?) or to the securitymetrics.org email list (why not?) or any academic conference or journal (why not?).  Searching the University of Texas at San Antonio, Institute of Cyber Security’s web site, I couldn’t find any mention of their work on this project, nor any presentation or report.  A search of Google Scholar for “cyber crime index” produced a few results, but not related to this and not from anyone at UT-SA.

Q: Who did have an early look at this?  A: Angus Kidman, a blogger from Gizmodo.  And what did he learn from his demo?  From his blog post:

“On the day of the demo, these were the top search terms being targeted for poisoning:

  • Invisible
  • Camel toe
  • Wifetube”

Right.  How very useful.  I’ll now modify my search patterns so I avoid those words today. 🙂

I don’t have a good feeling about this

It smells like FUD in a spiffy FLASH interface. Sure, there probably is real data behind it, but it’s aggregated into an index that is supposed to mean something. A daily index! The FUD label fits because this presentation gives the illusion of scientific validity, precision, reliable aggregation, and meaningful signals, when none of these appear to be present. Using fancy words like “statistical method” and “algorithm” gives it the air of scientific validity without really saying anything. Worse, those words hide the assumptions, judgments, fudge factors, and who-knows-what that make the index work.

My intuition about this is that a Symantec marketing manager wanted to create a “daily itch” to get average people to read whatever news blips were available that day about ‘cybercrime’, which would increase the chances that they would move from ‘awareness’ to ‘action’ (= buy more Symantec stuff). By getting this out as a daily index, any up or down moves each day will trigger some people to click the buttons to find out ‘why?’. This will take them to news items, but not to any credible justification of why they might be at greater risk on that day, compared to the day before.

As a thought experiment, imagine a similar ‘Risk Index’ that is powered by astrology readings, numerological interpretations of Nostradamus’ texts, or some other daily signal source. With the appropriate shroud of credibility, some number of people are going to start following it, and whenever it changes, they will seek information as to ‘what does this mean for me?’ It would serve exactly the same function as their current design. This doesn’t prove anything, but it establishes in my mind some plausibility.

What’s the harm?

Some might argue that this is harmless or even mildly beneficial if it prompts people to be more aware of security problems and to fix their security problems.  But I think it’s harmful because it promotes a false signal and a false method for doing information security metrics — for consumers or for anyone else.

Maybe I’m wrong and this may be an important advance, or at least a step forward. At the very least, it shows that one major security product/service vendor spent money to define a method, collect data, and make public the results. Prior to this, no major vendor was even spending money on it.

What to do now

Is there any way this Index could be redirected to be a more valuable and extensible project? I hope so. But for that to happen, those of us who care about the New School approach to security need to apply the full-court press on Symantec to open up their method and data.

Your action — contact Symantec, preferably in-person at RSA Conference, and demand they open up and also engage in the security metrics community in a serious way.  The burden of proof is on them, and if they can’t back it up then they should be shamed.

Police Officers should be able to speak out

I got this in email and wanted to amplify it:

Law Enforcement Against Prohibition prides itself on the willingness of our members to stand up and take action against drug prohibition. Last fall, LEAP member Joe Miller did exactly that. A California police officer for eight years before taking a position as a deputy probation officer in Arizona, Joe signed a letter in support of Proposition 19, California’s marijuana legalization initiative. He was fired for it. Now he needs your help, and so does LEAP.

Former deputy probation officer Joe Miller

As a retired police officer of 33 years who myself spoke out against drug prohibition as a private citizen while employed as a police officer, I am extremely disheartened by Joe’s termination and the bigger issue it represents. Firing law enforcement professionals for speaking out against policies they know are wrong is not only an unfair intimidation tactic but also a violation of First Amendment rights. I urge you to support their right to speak out by signing this petition now. Joe is not the first officer to face unfair termination for expressing his personal opinion. Former US border patrol agent Bryan Gonzalez’s case recently made headlines when he was fired after expressing his views on drug legalization to a fellow officer.

LEAP is always there to provide support to those ethical and courageous law enforcers who come forward and say that drug prohibition is a failed policy. Our speakers are law enforcement professionals who are as dedicated as they are distinguished. In the past month, our speakers have made 101 presentations and appeared in such prestigious publications as the Wall Street Journal, the San Francisco Chronicle, the Boston Globe, the Los Angeles Times, the Hartford Courant, the Village Voice and the Miami Herald. We even got President Obama’s attention. Our speakers have become the go-to source for the law enforcement perspective on drug policy reform, and in the past week alone, we have provided expert testimony for drug policy related bills in four states. [You should give LEAP some money to help – Adam]

The ability of law enforcers to criticize the policies they are responsible for upholding serves a vital public interest. It lays the groundwork for much-needed reform, supports harm reduction efforts and provides tangible evidence that these laws simply are not working.

Law enforcement officers are in a unique position to comment on the efficacy of our laws. We need them to be able to speak freely as individuals about their experiences. Even if they’re being foolish and telling me to “Just Shut Up and Be a Good Little Socialist,” I support their right to speak their minds, and not be fired for it. (Even if, as in Officer Pomper’s case, I believe he would have been well advised to shut up.)

But civil liberties aren’t just for folks we agree with. I think Joe Miller deserves his job back, and I urge you to sign the petition and consider supporting LEAP.

SIRA Meeting Today at Noon EST! >> RICH MOGULL

HEY Y’ALL @securosis’ own @rmogull for today’s “al desco” SIRA meeting.  Details, details:

SIRA’s February monthly online meeting is TODAY; February 10th from 12-1 PM EST. We are excited to have Mr. Rich Mogull from Securosis talk to us with a behind-the-scene look at Securosis’ “2010 Data Security Survey”. Block off your calendars now! The online meeting details are below.


Topic: Securosis 2010 Data Security Survey
Presenter: Mr. Rich Mogull, Analyst & CEO, Securosis

About Securosis: Securosis is an information security research and advisory firm dedicated to transparency, objectivity, and quality. We are totally obsessed with improving the practice of information security. Our job is to save you money and help you do your job better and faster. We’re here to cut through the noise and provide clear, actionable, pragmatic advice on securing your organization.

About Mr. Mogull: Rich has twenty years experience in information security, physical security, and risk management. He specializes in data security, application security, emerging security technologies, and security management. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team where he also served as research co-chair for the Gartner Security Summit. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator. Rich is the Security Editor of TidBITS, a monthly columnist for Dark Reading, and a frequent contributor to publications ranging from Information Security Magazine to Macworld. He is a frequent industry speaker at events including the RSA Security Conference and DefCon, and has spoken on every continent except Antarctica (where he’s happy to speak for free – assuming travel is covered).

Prior to his technology career, Rich also worked as a security director for major events such as football games and concerts. He was a bouncer at the age of 19, weighing about 135 lbs (wet). Rich has worked or volunteered as a paramedic, firefighter, and ski patroller at a major resort (on a snowboard); and spent over a decade with Rocky Mountain Rescue. He currently serves as a responder on a federal disaster medicine and terrorism response team, where he mostly drives a truck and lifts heavy objects. He has a black belt, but does not play golf. Rich can be reached at rmogull (at) securosis (dot) com.

Date: Thursday, February 10, 2011
Time: 12:00 pm, Eastern Standard Time (New York, GMT-05:00)
Meeting Number: 748 192 233
Meeting Password: securosis

To join the online meeting (Now from iPhones and other Smartphones too!)
1. Go to https://van.webex.com/van/j.php?ED=143102442&UID=1148368612&PW=NOTQ2YTIyNGRi&RT=MiMxMQ%3D%3D
2. Enter your name and email address.
3. Enter the meeting password: securosis
4. Click “Join Now”.


To join the teleconference
Provide your phone number when you join the meeting to receive a call back. Alternatively, you can call:
Call-in : 1-203-480-1893  (US)

Attendee access code: 867 530 955

For assistance
1. Go to https://van.webex.com/van/mc
2. On the left navigation bar, click “Support”.

You can contact me on twitter:  @alexhutton


The playback of UCF (Universal Communications Format) rich media files requires appropriate players. To view this type of rich media files in the meeting, please check whether you have the players installed on your computer by going to https://van.webex.com/van/systemdiagnosis.php

IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, do not join the session.

Would a CISO benefit from an MBA education?

If a CISO is expected to be an executive officer (esp. for a large, complex technology- or information-centered organization), then he/she will need the MBA-level knowledge and skill. MBA is one path to getting those skills, at least if you are thoughtful and selective about the school you choose. Other paths are available, so it’s not just about an MBA credential.

Otherwise, if a CISO is essentially the Most Senior Information Security Manager, then MBA education wouldn’t be of much value.

This question was introduced recently in an article by Upasana Gupta: Should a CISO Have an MBA? She asked four CISOs their opinion, and three essentially said “no”, while one said “yes”. Eric, at the Security, Cigars, and FUD blog, posted his opinion here and here. Basically, he said “no, it’s not necessary as a credential, but some business knowledge might be helpful”. The opinions offered on Twitter were almost universally “no”.

As a business guy, I was somewhat surprised that much of the discussion and opinions centered on the MBA as a credential rather than on what knowledge or skills someone would learn in an MBA program. None of us at New School are fans of credentials as such, so my interest in this question is in the educational value compared to alternative investments in education.

Also following the New School philosophy, I thought I would look for data and evidence rather than just offering my opinion.

To my delight, I found a fairly comprehensive study: THE CHIEF INFORMATION SECURITY OFFICER: AN ANALYSIS OF THE SKILLS REQUIRED FOR SUCCESS, by Dwayne Whitten of Texas A&M University. The paper is worth reading because it gives a good overview of the conflicting values and forces that are affecting CISO hiring, evaluation, and effectiveness.

Specifically, he finds a gap between how CISOs define success and the job duty descriptions. Quoting from his conclusion:

Based on a thorough review of the literature, interviews with security executives, and an analysis of job listings, a comprehensive list of duties and background/experience requirements were found related to the CISO position (see Table 3). The most interesting issue that arose from this research is that business strategy did not make the list of most included job duties. Given the high level of importance given to this by the literature and the executives, it is surprising that it was not listed on the job listings surveyed. Thus, it appears that many of the organizations searching for new CISOs during the research period did not fully understand the importance of including the CISO in the business strategy formulation.  [emphasis added]

This dichotomy seems to relate to how CISOs are viewed. From one point of view, the CISO is equivalent to the “Most Senior Information Security Manager”. That is, they contribute to the organization in exactly the same way as other information security managers do, but on a larger scope. It is this perspective that is most closely aligned with the opinion that an MBA education would not be helpful. Instead, it would be more valuable to get deeper education in the technical aspects of InfoSec — engineering, forensics, incident response — plus regulations, compliance, etc.

Another point of view is that a CISO is an executive officer of the organization, and thus has fiduciary duties to stakeholders regarding the organization’s overall performance, and also has teamwork responsibilities with the other executive officers regarding crucial strategic decisions.

Maybe this is rare in practice, and maybe the “Chief Information Security Officer” title is just another example of rampant job title inflation. But if CISOs in some organizations are expected to perform in this role, then they are not “just another information security manager, only bigger”. Their job is qualitatively different, and the knowledge gained at a good quality B-school might be just what they need.

To respond to Eric, who said “And I’ve yet to see a course on security risk management in traditional MBA programs”, I offer two examples: 1) James Madison University offers an MBA in Information Security. 2) Worcester Polytechnic Institute offers an MBA concentration in Information Security Management. The WPI MBA course catalog lists quite a few courses that would be directly valuable to a CISO (e.g. “INFORMATION SECURITY MANAGEMENT”, “OPERATIONS RISK MANAGEMENT”, and “E-BUSINESS APPLICATIONS”), plus many that would be indirectly valuable (statistics, change management, negotiations). (Disclosure: I got my undergraduate degree from WPI. Their MBA program is very good, esp. for technical managers.)

I’ll close with a comprehension test for CISOs. Read this workshop report: Embedding Information Security Risk Management into the Extended Enterprise. It’s the output of 18 CISOs discussing the most challenging issues facing them regarding information security across their enterprise and across their supply chain.

I think you’ll see that most of the problems involve analysis and methods that go well beyond the typical education and experience of information security managers. Instead, they require knowledge and skills that are more typically covered in MBA programs — business strategy, economics, finance, organizational behavior and change management, organizational performance management and incentives, plus business law and public policy.

Conclusion: if a CISO is expected to be an executive officer (esp. for a large, complex technology- or information-centered organization), then he/she will need the knowledge and skill exemplified by the comprehension exercise, above.  MBA is one path to getting those skills, at least if you are thoughtful and selective about the school you choose.  Other paths are available, so it’s not just about an MBA credential.

Otherwise, if a CISO is essentially the Most Senior Information Security Manager, then MBA education wouldn’t be of much value.

Elevation of Privilege (Web Edition) Question

Someone wrote to me to ask:

A few cards are not straightforward to apply to a webapp situation (some seem to assume a proprietary client) – do you recommend discarding them, or perhaps you thought of a way to rephrase them somehow?

For example:

“An attacker can make a client unavailable or unusable but the problem goes away when the attacker stops”

I don’t have a great answer, but I’m thinking someone else might have taken it on.

For Denial of Service attacks in the Microsoft SDL bug bar, we roughly break things down into a matrix of (server, client) × (persistent, temporary). That doesn’t seem right for web apps. Is there a better approach, and perhaps even one that can translate into some good threat cards?

What should a printer print?

Over at their blog, i.Materialise (a 3D printing shop) brags about not taking an order. The post is “ATTENTION: ATM skimming device.” It opens:

There is no doubt that 3D printing is a versatile tool for materializing your 3D ideas. Unfortunately, those who wish to break the law can also try to use our technology. We recently received an order which bore a strong resemblance to an ATM skimming device. Basically, the customer placed a 3D print order for a device similar to the one below which is inserted in an ATM machine.

The plastic part can be attached to an ATM machine and with the appropriate hardware and tapped keyboard can scan cards and get personal data. In most cases, such a device does not prevent the cardholder from withdrawing funds from their account, but as their card has been scanned, it can later be reproduced and funds can be stolen from their account.

Fortunately, our engineers were quick to react, and after communication with the customer, the decision was made to decline the order. We do not support criminal activity and will do everything in our power to prevent possible crimes.

The choice that i.Materialise has made is their business. And I appreciate the impulse to protect people from the potentially negative side effects of their awesome business. At the same time, I think it’s a thought provoking and questionable decision for a whole slew of reasons:

  • There are legitimate uses for an ATM skimmer part. For example, as a security expert, I might want such a thing to wave around at conferences. Bank employees might want some for training people on what to look out for. (This is somewhat mitigated by their reaching out, but do I want a business that makes judgement calls about what I print? Maybe I’ll take my adult toy business elsewhere, rather than thinking about what it means for their engineers to be “quick to react.”)
  • The public needs to start to understand that physical objects like this are coming. As 3D printing becomes common, many things will become easier to spoof and fake. Caveat emptor will return. I expect we’ll see a race between high and low volume manufacturers, where the high volume folks will specialize in things that are hard to make at home, perhaps using things like translucent plastics, toxic ingredients and/or aluminum and titanium, both of which require high temperatures.
  • The banking industry needs to understand that skimmers are getting insanely realistic, and they would be fools to rely on the good graces of 3d printing firms. Skimmers are already so realistic that they’re being installed on in-bank ATMs. Banks are going to need to figure out what to do about that. I figure they can go seamless curvy metal, settle on a single card slot design and roll it out, or start hiring mural painters to customize each ATM machine. Banks will also find it increasingly expensive to stay with magstripe + PIN.
  • This may set a precedent for i.Materialise to not be a “common printer” but a co-conspirator in production. (I believe the company is in Belgium, so their mileage will vary.) In the US, we have a concept of a common carrier, that is, one that will take all customers who can pay. You can choose to discriminate, but if you do, you’re answerable for it. If i.Materialise produces a part that’s used in a future crime, they’ve set a precedent that their engineers should have prevented it. I certainly wouldn’t want to have to answer in court for the statement that we’d “do everything in our power to prevent possible crimes.”

But, it’s their business, and their choice to make. It’s important to understand that 3D printing is getting faster, cheaper and more exciting every year, and that’s going to lead to a lot of chaos emerging.

I’m not aware of anything that makes it unlikely that there will be commercial, inexpensive home 3d printers in 5-10 years. Many of those will be based on open source software like RepRap, just as many inexpensive home routers either ship with or advertise support for dd-wrt. Those home devices will print ATM skimmer covers because it will be easy to remove code that tries to censor what can be printed. They’ll also print bomb parts, “drug paraphernalia,” and print-at-home Star Wars toys. Sorry, Kenner! And Pottery Barn, your days of selling glazed clay may be coming to an end. Later on, we’ll be able to print with easily worked metals like copper, silver or zinc, and those patented cables will be conspicuous consumption.

What’s happening to music and books will happen to physical things. The experience (the concert, the cruise with the band) becomes part of the artist’s revenue stream. Etsy will replace WalMart, because it will be cheaper to print plastics at home than to print them in China, ship them and warehouse them. And you’ll be able to buy plastic and clay that you know are BPA-free, or whatever the latest fad is. You’ll get your circuits or other harder things at shops like Metrix:Create Space. What you’ll pay for, and what Etsy is set up to deliver, is artistry and uniqueness.

Most of us in what’s left of the first world will be able to print the things we want, in the colors, designs and customizations we want. We’ll be better off for it. GDP will likely go down while our standard of living goes up.

Whichever way all this goes, lots of chaos is going to emerge, and we’re going to live in interesting times.

(Thanks to Boing Boing for catching the story.)

Infosec's Flu

In “Close Look at a Flu Outbreak Upends Some Common Wisdom,” Nicholas Bakalar writes:

If you or your child came down with influenza during the H1N1, or swine flu, outbreak in 2009, it may not have happened the way you thought it did.

A new study of a 2009 epidemic at a school in Pennsylvania has found that children most likely did not catch it by sitting near an infected classmate, and that adults who got sick were probably not infected by their own children.

Closing the school after the epidemic was under way did little to slow the rate of transmission, the study found, and the most common way the disease spread was through a child’s network of friends.

The work he discusses is “Role of social networks in shaping disease transmission during a community outbreak of 2009 H1N1 pandemic influenza” by Simon Cauchemez, Achuyt Bhattarai, Tiffany L. Marchbanks, Ryan P. Fagan, Stephen Ostroff, Neil M. Ferguson, David Swerdlow, and the Pennsylvania H1N1 working group.

The first thing that comes to mind is that closing schools is a best practice. It’s something that makes so much sense that it’s hard to argue against, even if it does no good. The next thing is to look at what happens when they have data available to them. They can study their prescriptions and test to see if they did any good. But note how detailed the data is: social graphs, seating charts. This isn’t something we would obviously get from more detailed breach notices. It’s going to require in-depth investigations, and investigators who talk about their methods. VERIS is a step in this direction, and I’m looking forward to seeing critiques or even competitors that can help us move forward and learn.

But the data we have is the data we have, and while we work to get more, there’s a good deal that we can probably learn from what’s out there. We just have to be willing to ask if our practices really work.