Unmeddle Housing More

Last month, I wrote:

But after 50 years of meddling in the market, reducing the support for housing is going to be exceptionally complex and chaotic. And the chaos isn’t going to be evenly distributed. It’s going to be a matter of long, complex laws whose outcomes are carefully and secretly influenced. Groups who aren’t photogenic or sympathetic will lose out. (I’m thinking “DINKs” in gentrified urban areas.) Groups who aren’t already well-organized with good lobbyists will lose out. (See previous parenthetical.) Those who believed that the government housing subsidy would go on forever will lose. (“Unmeddling Housing,” January )

Now, the New York Times reports on the administration’s plan, calling it “audacious:”

The Obama administration’s much-anticipated report on redesigning the government’s role in housing finance, published Friday, is not solely a proposal to dissolve the unpopular finance companies Fannie Mae and Freddie Mac. It is also a more audacious call for the federal government to cut back its broadly popular, long-running campaign to help Americans own homes. The three ideas that the report outlines for replacing Fannie and Freddie all would raise the cost of mortgage loans and push homeownership beyond the reach of some families. (“Administration Calls for Cutting Aid to Home Buyers,” New York Times)

Audacious would be to put the mortgage interest deductions on the table. This is a move in the right direction, but it’s not going to let people express their real preferences in a market. It will continue to distort the market, reducing people’s flexibility to move, and encouraging them to make their major asset a non-liquid one which is likely to decrease in value as the US population ages.

Best Practices for the Lulz

The New School blog will shortly be publishing a stunning expose of Anonymous, and before we do, we’re looking for security advice we should follow to ensure our cloud-hosted blog platform isn’t pwned out the wazoo. So, where’s the checklist of all best practices we should be following?

What’s that you say? There isn’t a checklist? Then how are we supposed to follow advice like this:

So there are clearly two lessons to be learned here. The first is that the standard advice is good advice. If all best practices had been followed then none of this would have happened. Even if the SQL injection error was still present, it wouldn’t have caused the cascade of failures that followed.

So please, if you’re going to advocate for best practice security, please provide a list so we can test what you say. Otherwise, I worry that someone, somewhere will have declared something else a best practice, and your hindsight will be 20/20.

Incidentally, the opening sentence is a lie. Attacking this blog is probably like kicking stoned puppies. Even though we do try to ensure it’s up to date with patches and use strong passwords, we selected the blog hosting company on a diverse set of criteria which included cost effectiveness for our hobby blog.

Previously on best practices:

Finally, there’s a little more context below the fold.


Police Officers should be able to speak out

I got this in email and wanted to amplify it:

Law Enforcement Against Prohibition prides itself on the willingness of our members to stand up and take action against drug prohibition. Last fall, LEAP member Joe Miller did exactly that. A California police officer for eight years before taking a position as a deputy probation officer in Arizona, Joe signed a letter in support of Proposition 19, California’s marijuana legalization initiative. He was fired for it. Now he needs your help, and so does LEAP.

Former deputy probation officer Joe Miller

As a retired police officer of 33 years who myself spoke out against drug prohibition as a private citizen while employed as a police officer, I am extremely disheartened by Joe’s termination and the bigger issue it represents. Firing law enforcement professionals for speaking out against policies they know are wrong is not only an unfair intimidation tactic but also a violation of First Amendment rights. I urge you to support their right to speak out by signing this petition now. Joe is not the first officer to face unfair termination for expressing his personal opinion. Former US border patrol agent Bryan Gonzalez’s case recently made headlines when he was fired after expressing his views on drug legalization to a fellow officer.

LEAP is always there to provide support to those ethical and courageous law enforcers who come forward and say that drug prohibition is a failed policy. Our speakers are law enforcement professionals who are as dedicated as they are distinguished. In the past month, our speakers have made 101 presentations and appeared in such prestigious publications as the Wall Street Journal, the San Francisco Chronicle, the Boston Globe, the Los Angeles Times, the Hartford Courant, the Village Voice and the Miami Herald. We even got President Obama’s attention. Our speakers have become the go-to source for the law enforcement perspective on drug policy reform, and in the past week alone, we have provided expert testimony for drug policy related bills in four states. [You should give LEAP some money to help – Adam]

The ability of law enforcers to criticize the policies they are responsible for upholding serves a vital public interest. It lays the groundwork for much-needed reform, supports harm reduction efforts and provides tangible evidence that these laws simply are not working.

Law enforcement officers have a unique position to comment on the efficacy of our laws. We need them to be able to speak freely as individuals about their experiences. Even if they’re being foolish and telling me to “Just Shut Up and Be a Good Little Socialist,” I support their right to speak their minds, and not be fired for it. (Even if, as in Officer Pomper’s case, I believe he would have been well advised to shut up.)

But civil liberties aren’t just for folks we agree with. I think Joe Miller deserves his job back, and I urge you to sign the petition and consider supporting LEAP.

SIRA Meeting Today at Noon EST! >> RICH MOGULL

HEY Y’ALL @securosis’ own @rmogull for today’s “al desco” SIRA meeting.  Details, details:

SIRA’s February monthly online meeting is TODAY; February 10th from 12-1 PM EST. We are excited to have Mr. Rich Mogull from Securosis talk to us with a behind-the-scene look at Securosis’ “2010 Data Security Survey”. Block off your calendars now! The online meeting details are below.

***
Topic: Securosis 2010 Data Security Survey
Presenter: Mr. Rich Mogull, Analyst & CEO, Securosis

About Securosis: Securosis is an information security research and advisory firm dedicated to transparency, objectivity, and quality. We are totally obsessed with improving the practice of information security. Our job is to save you money and help you do your job better and faster. We’re here to cut through the noise and provide clear, actionable, pragmatic advice on securing your organization.

About Mr. Mogull: Rich has twenty years experience in information security, physical security, and risk management. He specializes in data security, application security, emerging security technologies, and security management. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team where he also served as research co-chair for the Gartner Security Summit. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator. Rich is the Security Editor of TidBITS, a monthly columnist for Dark Reading, and a frequent contributor to publications ranging from Information Security Magazine to Macworld. He is a frequent industry speaker at events including the RSA Security Conference and DefCon, and has spoken on every continent except Antarctica (where he’s happy to speak for free – assuming travel is covered).

Prior to his technology career, Rich also worked as a security director for major events such as football games and concerts. He was a bouncer at the age of 19, weighing about 135 lbs (wet). Rich has worked or volunteered as a paramedic, firefighter, and ski patroller at a major resort (on a snowboard); and spent over a decade with Rocky Mountain Rescue. He currently serves as a responder on a federal disaster medicine and terrorism response team, where he mostly drives a truck and lifts heavy objects. He has a black belt, but does not play golf. Rich can be reached at rmogull (at) securosis (dot) com.

***
Date: Thursday, February 10, 2011
Time: 12:00 pm, Eastern Standard Time (New York, GMT-05:00)
Meeting Number: 748 192 233
Meeting Password: securosis

——————————————————-
To join the online meeting (Now from iPhones and other Smartphones too!)
——————————————————-
1. Go to https://van.webex.com/van/j.php?ED=143102442&UID=1148368612&PW=NOTQ2YTIyNGRi&RT=MiMxMQ%3D%3D
2. Enter your name and email address.
3. Enter the meeting password: securosis
4. Click “Join Now”.

To view in other time zones or languages, please click the link:
https://van.webex.com/van/j.php?ED=143102442&UID=1148368612&PW=NOTQ2YTIyNGRi&ORT=MiMxMQ%3D%3D

——————————————————-
To join the teleconference
——————————————————-
Provide your phone number when you join the meeting to receive a call back. Alternatively, you can call:
Call-in : 1-203-480-1893  (US)

Attendee access code: 867 530 955

——————————————————-
For assistance
——————————————————-
1. Go to https://van.webex.com/van/mc
2. On the left navigation bar, click “Support”.

You can contact me on twitter:  @alexhutton

To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
https://van.webex.com/van/j.php?ED=143102442&UID=1148368612&ICS=MI&LD=1&RD=2&ST=1&SHA2=1xf3h5WZWQJrGUb/Oyj8ONgO0CqE8pWeTfWnTJoj65I=&RT=MiMxMQ%3D%3D



Would a CISO benefit from an MBA education?

If a CISO is expected to be an executive officer (especially for a large, complex technology- or information-centered organization), then he/she will need MBA-level knowledge and skills. An MBA is one path to getting those skills, at least if you are thoughtful and selective about the school you choose. Other paths are available, so it’s not just about the MBA credential.

Otherwise, if a CISO is essentially the Most Senior Information Security Manager, then an MBA education wouldn’t be of much value.


Elevation of Privilege (Web Edition) Question

Someone wrote to me to ask:

A few cards are not straightforward to apply to a webapp situation (some seem to assume a proprietary client) – do you recommend discarding them, or perhaps you thought of a way to rephrase them somehow?

For example:

“An attacker can make a client unavailable or unusable but the problem goes away when the attacker stops”

I don’t have a great answer, but I’m thinking someone else might have taken it on.

For Denial of Service attacks in the Microsoft SDL bug bar, we roughly break things down into a matrix of (server, client, persistent/temporary). That doesn’t seem right for web apps. Is there a better approach, and perhaps even one that can translate into some good threat cards?

What should a printer print?

Over at their blog, i.Materialise (a 3D printing shop) brags about not taking an order. The post is “ATTENTION: ATM skimming device.” It opens:

There is no doubt that 3D printing is a versatile tool for materializing your 3D ideas. Unfortunately, those who wish to break the law can also try to use our technology. We recently received an order which bore a strong resemblance to an ATM skimming device. Basically, the customer placed a 3D print order for a device similar to the one below which is inserted in an ATM machine.

The plastic part can be attached to an ATM machine and with the appropriate hardware and tapped keyboard can scan cards and get personal data. In most cases, such a device does not prevent the cardholder from withdrawing funds from their account, but as their card has been scanned, it can later be reproduced and funds can be stolen from their account.

Fortunately, our engineers were quick to react, and after communication with the customer, the decision was made to decline the order. We do not support criminal activity and will do everything in our power to prevent possible crimes.

The choice that i.Materialise has made is their business. And I appreciate the impulse to protect people from the potentially negative side effects of their awesome business. At the same time, I think it’s a thought provoking and questionable decision for a whole slew of reasons:

  • There are legitimate uses for an ATM skimmer part. For example, as a security expert, I might want such a thing to wave around at conferences. Bank employees might want some for training people on what to look out for. (This is somewhat mitigated by their reaching out, but do I want a business that makes judgement calls about what I print? Maybe I’ll take my adult toy business elsewhere, rather than thinking about what it means for their engineers to be “quick to react.”)
  • The public needs to start to understand that physical objects like this are coming. As 3D printing becomes common, many things will become easier to spoof and fake. Caveat emptor will return. I expect we’ll see a race between high and low volume manufacturers, where the high volume folks will specialize in things that are hard to make at home, perhaps using things like translucent plastics, toxic ingredients and/or aluminum and titanium, both of which require high temperatures.
  • The banking industry needs to understand that skimmers are getting insanely realistic, and they would be fools to rely on the good graces of 3d printing firms. Skimmers are already so realistic that they’re being installed on in-bank ATMs. Banks are going to need to figure out what to do about that. I figure they can go seamless curvy metal, settle on a single card slot design and roll it out, or start hiring mural painters to customize each ATM machine. Banks will also find it increasingly expensive to stay with magstripe + PIN.
  • This may set a precedent for i.Materialise to not be a “common printer” but a co-conspirator in production. (I believe the company is in Belgium, so their mileage will vary.) In the US, we have a concept of a common carrier, that is, one that will take all customers who can pay. You can choose to discriminate, but if you do, you’re answerable for it. If i.Materialise produces a part that’s used in a future crime, they’ve set a precedent that their engineers should have prevented it. I certainly wouldn’t want to have to answer in court for the statement that we’d “do everything in our power to prevent possible crimes.”

But, it’s their business, and their choice to make. It’s important to understand that 3D printing is getting faster, cheaper and more exciting every year, and that’s going to lead to a lot of chaos emerging.

I’m not aware of anything that makes it unlikely that there will be commercial, inexpensive home 3d printers in 5-10 years. Many of those will be based on open source software like RepRap, just as many inexpensive home routers either ship with or advertise support for dd-wrt. Those home devices will print ATM skimmer covers because it will be easy to remove code that tries to censor what can be printed. They’ll also print bomb parts, “drug paraphernalia,” and print-at-home Star Wars toys. Sorry, Kenner! And Pottery Barn, your days of selling glazed clay may be coming to an end. Later on, we’ll be able to print with easily worked metals like copper, silver or zinc, and those patented cables will be conspicuous consumption.

What’s happening to music and books will happen to physical things. The experience (the concert, the cruise with the band) becomes part of the artist’s revenue stream. Etsy will replace WalMart, because it will be cheaper to print plastics at home than to print them in China, ship them and warehouse them. And you’ll be able to buy plastic and clay that you know are BPA-free, or whatever the latest fad is. You’ll get your circuits or other harder things at shops like Metrix:Create Space. What you’ll pay for, and what Etsy is set up to deliver, is artistry and uniqueness.

Most of us in what’s left of the first world will be able to print the things we want, in the colors, designs and customizations we want. We’ll be better off for it. GDP will likely go down while our standard of living goes up.

Whichever way all this goes, lots of chaos is going to emerge, and we’re going to live in interesting times.

(Thanks to Boing Boing for catching the story.)

Infosec's Flu

In “Close Look at a Flu Outbreak Upends Some Common Wisdom,” Nicholas Bakalar writes:

If you or your child came down with influenza during the H1N1, or swine flu, outbreak in 2009, it may not have happened the way you thought it did.

A new study of a 2009 epidemic at a school in Pennsylvania has found that children most likely did not catch it by sitting near an infected classmate, and that adults who got sick were probably not infected by their own children.

Closing the school after the epidemic was under way did little to slow the rate of transmission, the study found, and the most common way the disease spread was through a child’s network of friends.

The work he discusses is “Role of social networks in shaping disease transmission during a community outbreak of 2009 H1N1 pandemic influenza” by Simon Cauchemez, Achuyt Bhattarai, Tiffany L. Marchbanks, Ryan P. Fagan, Stephen Ostroff, Neil M. Ferguson, David Swerdlow, and the Pennsylvania H1N1 working group.

The first thing that comes to mind is that closing schools is a best practice. It’s something that makes so much sense that it’s hard to argue against, even if it does no good. The next thing is to look at what happens when they have data available to them. They can study their prescriptions and test to see if they did any good. But note how detailed the data is: social graphs, seating charts. This isn’t something we would obviously get from more detailed breach notices. It’s going to require in-depth investigations, and investigators who talk about their methods. VERIS is a step in this direction, and I’m looking forward to seeing critiques or even competitors that can help us move forward and learn.

But the data we have is the data we have, and while we work to get more, there’s a good deal that we can probably learn from what’s out there. We just have to be willing to ask if our practices really work.
