So it’s early Sunday AM, and I’m getting my RSA Schedule together finally.  So here’s what I’m looking forward to this week, leave us stuff in the comments if you’ve identified other cool stuff:


Monday:  8 freaking AM – I’m talking with Rich Mogull of @securosis about Risk Management.  Fun!

Monday is also Metricon, this year run by Russ and Scott Crawford.  Should be good.

I’m capping my Monday off 4-5pm at BSides for this little gem:

Name: Dr. Mike Lloyd
Talk: Metrics That Don’t Suck: A New Way To Measure Security Effectiveness


On Tuesday, I’ll be speaking with Mortman, @csoandy, Ally Miller, and Bob Blakely at the Risk Management Smackdown II: Wrath of Kuhn.

It’s in room 309.  Don’t know how this happens, but I get to be the dumbest person on the panel.

That afternoon, I’ll probably pop over to BSides to hear Wade Baker and Chris Porter talk, and @ch0rt is doing a part 2 to his Security Moneyball talk.


On Wednesday, at 10am in room 309, I’ll be talking about Metrics.  Should be awesomesauce.  Don’t know how this happens, but I get to be the dumbest person on the panel (again).



Preston Wood, Kelly White, and Mike Fowkes from Zions Bancorp are talking about their Hadoop install and Security Data Warehouse.  So, yeah.  The hype?  Pshaw, these guys are DOING IT.  GO.  Go to see this.  Srsly.

That afternoon, there’s a peer2peer risk management session going on.  Ally Miller and I are talking about Frameworks for some reason.



On Friday I gotta get down.  I’ll spend a large amount of my time trying to figure out if I should take the front seat, or kick it in the back seat.

Twitter Weekly Updates for 2012-02-26

Powered by Twitter Tools

Admitting Mistakes

Tripwire’s blog has “25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them.” I’m glad to see attention paid to the simple reality that we all make mistakes.

Extra points to Bill Brenner, Pete Lindstrom, Andrew Hay, Chris Wysopal, Rob Ton and Larry Ponemon for being willing to talk about mistakes that had technical security consequences. Not that the soft skills are unimportant, but a great many folks think that with technical ability, you can overcome that. The tech skills are core to how we present as security people, and being willing to own up to those is a praise-worthy act.

My own contribution is “Owning Up to Pwnage (Part 2).”

"Anonymized, of course"

I’ve noticed a couple of times lately that as people discuss talking about security incidents, they don’t only default to the idea of anonymization, they often insert an “of course” after it.

But today I want to talk about the phrase “anonymized, of course”, what it means, why people might say it, and how members of the New School should tackle it when it comes up.

First, let’s look at what it means to anonymize aspects of security breaches. That means that we take an incident and hide to whom it happened, the way we do with a small subset of other crimes, primarily rape, but also sometimes defamation. This is good insofar as it inhibits silly finger-pointing and name-calling. But it also stops learning. I can’t go listen to a talk from the CISO of PwnedCo and see what I might learn from what he talks about and what he doesn’t talk about. I can’t see that an award went to the CEO of Comodo, right before they were pwned, and adjust my opinions accordingly.

In other words, anonymization breaks feedback loops.

But that’s probably not what people mean when they say “anonymized, of course”. So what could they mean?

  1. First, it may be an acknowledgement of today’s reality: we have little to no information sharing (never mind publishing). Anonymized may, for a while, be the best we can do. Heck, it may be the best we can ever do. I think we can do better, and “we can’t do better” is a testable hypothesis which fails pretty regular testing. Those of us in the New School think we should learn something when our hypotheses fail.
  2. Second, it may be an attempt to reassure listeners that the speaker is not some crazy radical New School type who wants to do the inconcievable. Excuse me, “inconceivable.” They know that it’s just never worked that way, and feel a need to reassure themselves and/or others of that obvious reality.
  3. Third, it may be an attempt to delay argument over how much data should be published. Sometimes postponing argument is helpful for moving a project forward overall; other times it’s politics in the worst way.
  4. Fourth, it may be an attempt, conscious or unconscious, to define the boundaries of acceptable debate to exclude the idea of sharing information that includes names. I find this last form, especially in its conscious form, to be the most objectionable. I don’t object to debate, or even rhetoric in its better forms, but attempts to define things as outside what reasonable people can discuss are outside what reasonable people do with reasonable arguments.

So what do we do for each of these meanings?

Acknowledgements of reality are reasonable. However, they have a nasty habit of reinforcing and validating the reality they acknowledge. That can be useful as a matter of transmitting knowledge or approaches. It can also be harmful when what’s reinforced really isn’t reality. (“Of course, the Earth is flat, so you’ll fall off the edge.”) Both this and conscious attempts to align with the old school ways that have kept us superstitious for so long deserve a gentle challenge. Perhaps something in the form of “Do we really need to anonymize this data?”

Help Find the People Who Killed Ulf Möller

The family of Ulf Möller are asking for help in finding the people who murdered him, and asking for help spreading the word:

They have a web site with details in English, German, Polish and Lithuanian:

The two men are described as slim, both about 1.75 m to 1.80 m tall, between 20 and 30 years old. One of them was wearing a dark jacket with a fur-like hood. The surveillance cameras took clear pictures of his face. The other killer was wearing a noticeable light blue quilted Nike-brand jacket.

We are grateful for any help in finding the murderers. Clues can be reported to the German police (Polizeidirektion Sachsen-Anhalt Ost, who are leading the investigation) by calling +49 340 6000 293, by sending e-mail to lfz.pd-ost@polizei.sachsen-anhalt.de, or by visiting any German police station. If you prefer, you can email us directly at mail.ulfm@googlemail.com.

Help us find the people who killed Ulf.


It's a Lie: Seattle Taxpayers Will Pay for a Stadium

The Seattle Times carries a press release: “Arena plan as solid as it looks?”

The intricate plan offered for an NBA and NHL arena in Sodo hinges on the untested strategy of building a city-owned, self-supporting arena, without the aid of new taxes, and with team owners — not taxpayers — obligated to absorb any losses.

This is not only a lie, it is a blatant lie, contradicted by statements later in the article:

…Seattle and King County would finance $200 million — likely in bonds — to cover construction costs. The city would recoup its money through lease payments and the taxes on everything from tickets to concessions from the arena.

Let me translate that into plain English. The taxpayers of Seattle and King County would sign a bond. We’d be obligated to pay it back if or when the new Supersonics team leaves town. Also, let me comment that the use of “would” is inaccurate. The word that the writers sought and were unable to come up with is “might”, as in: “the city might recoup its money…”

One more quote:

It’s hard to argue against the idea of an arena that pays for itself.

It’s even harder to guarantee it, though.

Actually, it’s easy to guarantee that the arena pays for itself, or at least that the taxpayers don’t pay for it. The builders finance the arena. See how easy that is? They issue the bonds, they reap the profits. Then the people of Seattle and King County are guaranteed to not be on the hook.

Pretty simple, if the Seattle Times would stop relaying lies about who’s on the hook for bonds issued by Seattle or King County.

Look, while I’m opposed to having to sit in traffic for yet more sporting events, I shouldn’t have a say in how these folks spend their money. The arena backers should feel free to spend their money, plus as much as anyone will loan them, to build a stadium, buy a team, or hold a parade. That’s what freedom is about. But the people of Seattle should not carry any of the risk. The money should be entirely private.

Maybe the plan can’t work without Seattle bearing some of the risk. If that’s the case, that’s because this isn’t the sure thing that its backers want us to think. It means that the bankers see this as a risky thing, and want to transfer that risk to some sucker. I don’t want to be the sucker who’s paying for a failed deal. Do you?

Twitter Weekly Updates for 2012-02-19

  • RT @csoghoian If Path-like apps that pilfered user contact data suffered a data breach, existing laws wouldn't require disclosure to users.
  • New quickie blog: Bismark's Voice http://t.co/zk01Biec
  • RT @paulmadsen Sharingfreude, n. – pleasure derived from inadvertent sharing of personal information on social media by friends & colleagues
  • .@dakami @jeremiahg @tqbf see also Carl Ellison's work on "Ceremony Analysis"– it's broader than a ux issue, into mental models
  • Bruce Schneier was kind enough to link my "Dear Verisign, Trust Requires Transparency" blog post http://t.co/iAZKFX1g so I've updated it
  • Short form: We still don't know who knew what when about the Verisign breach http://t.co/iAZKFX1g
  • Bruce Schneier was kind enough to link my "Dear Verisign, Trust Requires Transparency" blog post http://t.co/iAZKFX1g so I updated it
  • RT @lennyzeltser An example of an SMS #phishing message that pursues Verizon Wireless logon credentials: http://t.co/Gk0o1IUh
  • RT @jeremiahg "Senate Passes Bill Allowing Airports To Evict TSA Screeners" http://t.co/VvdXyxo8 <an airport w/o TSA is very attractive
  • RT @FAQShop [TechNet Blogs] Elevation of Privilege – we made a card game for developers! Welcome to Tuesday article http://t.co/I3z7Oj2S
  • I'm looking for interesting analysis of the Collins-Lieberman security bill: http://t.co/ARsWtIn6
  • "Cheating is encouraged" http://t.co/YvUqbaY2
  • RT @PrivacyMemes Twitter Is The Latest Company To Admit It Uploads Your Address Book http://t.co/QFUxSezG < Time for a law? A tort?
  • Wow, the new Twitter is both ugly and less customer-centered. #FAIL
  • RT @KimZetter TSA Denies it Targets Attractive Female Passengers for Body Scans http://t.co/MT4SPWCN << Except the claim was "nice figure"
  • RT @mtanji @KimZetter Of course there is no "policy" to target the hawtness, that's merely the practice once humans are put in the loop.
  • RT @BlackHatEvents Black Hat EU 2012 Schedule is out! http://t.co/d1zdTqQD
  • RT @MSFTsdl The Evolution of Elevation: Threat Modeling in a #Microsoft World http://t.co/SScd3vWW by @danaepp #security
  • RT @singe Worried about AddressBook privacy on iOS? Check out AdiOS http://t.co/SS38Aha8 & Gorilla http://t.co/8l1K0mnF (latter requires JB)
  • RT @rsingel .@jerrybrito on how transparency might be better for infrastructure security than regulation: http://t.co/dHShX23e < like
  • RT @singe Have any of you ever worked on a project where privacy controls were part of the requirements spec? << both at ZKS & Microsoft
  • RT @Wh1t3Rabbit I think I have a new game for those speakers coming to OWASP AppSecAPAC …shoot me a note if you want to play < yay, games!


New Cyber Security Bill: Crowdsource Analysis?

A lot of people I trust are suggesting that the “Collins-Lieberman” bill has a substantial chance of passing. I have some really interesting (and time-consuming) work tasks right now, and so I’m even more curious than usual what you all think, especially how this

According to the press release, the “Collins-Lieberman” bill would:

  • The Department of Homeland Security (DHS) to assess the risks and vulnerabilities of critical infrastructure systems—whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life—to determine which should be required to meet a set of risk-based security standards. Owners/operators who think their systems were wrongly designated would have the right to appeal.
  • DHS to work with the owners/operators of designated critical infrastructure to develop risk-based performance requirements, looking first to current standards or industry practices. If a sector is sufficiently secured, no new performance requirements would be developed or required to be met.
  • The owners of a covered system to determine how best to meet the performance requirements and then verify that it was meeting them. A third-party assessor could also be used to verify compliance, or an owner could choose to self-certify compliance.
  • Current industry regulators to continue to oversee their industry sectors.
  • Information-sharing between and among the private sector and the federal government to share threats, incidents, best practices, and fixes, while maintaining civil liberties and privacy.
  • DHS to consolidate its cybersecurity programs into a unified office called the National Center for Cybersecurity and Communications.
  • The government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.

Some of that, like risk-based security standards, sounds potentially tremendously positive. There are some clear risks, like DHS will make a best-practices table of risk management activity without any focus on outcomes, and then classify it.

Other bits, like information sharing, sound worrisome, because the authors clearly know that there’s a risk of privacy and liberty impacts. It’s not clear what the data to be shared is. If that’s (for example) “Verisign has been pwned using a 3-year-old Flash exploit,” there’s minimal impact to liberty. (Of course, since they haven’t said anything, we don’t know how Verisign was owned.) If it’s “We suspect Kevin Mitnick,” then that’s both less useful and more privacy-impactful.

Stepping back, where should I look for analysis? Have you looked at the bill? What does it do for the New School pillars? As a reminder, those are:

  • Learning from other professions, such as economics and psychology, to unlock the problems that stymie the information security field. The way forward cannot be found solely in mathematics or technology.
  • Sharing objective data and analysis widely. A fetish for secrecy has held us back.
  • The embrace of the scientific method for solving important problems. Analyzing real world outcomes is the best way for information security to become a mature discipline.

In other words, how New School is this bill?

Predictably Apathetic responses to Cyber Attack

Wh1t3Rabbit has a great post “Understanding the apathetic response to a cyber attack:”

Look, Dana’s right. His business is the organizing and promotion of the UFC fights. Secondary to that business is the merchandising and other aspects of the UFC – but that probably is a significantly smaller portion of the overall company revenue. Now where does the UFC.com website figure into all this? Sure, it’s the web home of the UFC, and people probably hit it a million times a day to get the information on upcoming fights, video clips and such … but at the core of the question is does the website make Dana White money? Judging by his response (NSFW) to the hack – the answer is probably “not enough for him to care a whole lot”. This is interesting.

I wish he’d stopped there. The answer is that business often doesn’t care, because we don’t communicate effectively about why the business should care.

We as a community have two choices. We can bitch and moan about what the people who pay us need to do, or we can ask what we need to do to change things.

I have a strong opinion about which will make us happier in the long run.

Raf (Wh1t3Rabbit) goes on to make some really good points about why the business should care. So why do I wish he’d stopped? Because it distracts from the issue that he drew attention to, which is our failure to effectively communicate with the folks who pay us. Here’s a guy who might be making a boatload of money from his website, but doesn’t get how it contributes to his bottom line. That’s a failure on the part of the CEO’s geeks to make sure they get credit for a revenue stream. And that leads to a failure on the CEO’s part to care about what they do.

So, how much time are you spending learning to speak executive?

Bismarck's Voice

Tucked away for decades in a cabinet in Thomas Edison’s laboratory, just behind the cot in which the great inventor napped, a trove of wax cylinder phonograph records has been brought back to life after more than a century of silence.

The cylinders, from 1889 and 1890, include the only known recording of the voice of the powerful chancellor Otto von Bismarck. Two preserve the voice of Helmuth von Moltke, a venerable German military strategist, reciting lines from Shakespeare and from Goethe’s “Faust” into a phonograph horn. (Moltke was 89 when he made the recordings — the only ones known to survive from someone born as early as 1800.)

“Restored Edison Records Revive Giants of 19th-Century Germany,” NYTimes, Jan 30, 2012.

Nothing to add. Just way cool.