Twitter Weekly Updates for 2012-05-20

  • RT @votescannell Mother of 3 Arrested for Taking Pictures of Tourist Attraction at Airport // I feel safer already. #
  • Freedom gropes for all @seatac! /cc @tsastatus. #
  • RT @ashk4n WiFi Pineapple lets anyone with $90 to "compromise the sh*t out of anyone using WiFi in the area" #armsrace #
  • Great question for @beaker: why has innovation in sanitation exceeded innovation in security? #
  • RT @DanaEpp In DC @ the security dev conference. Missing you both. Adam, I taught some people EoP at the reception tonight 😉 << cool! #
  • RT @jeremiahg it really is stunning how silly infosec's historical list of "best-practices" look when contrasted with data. #
  • RT @JohnLaTwC Nice job @adamshostack for your work on the Autorun update. Dropping infections by 60+% #
  • RT @jeremiahg RT @adamshostack: @jeremiahg Is that clueless, or cynical that the assessments are assessing the right things? < C) Both #
  • For those at AusCERT, quick pointer to additional Star Wars & Information security content: #

Powered by Twitter Tools

My AusCert Gala talk

At AusCert, I had the privilege to share a the gala dinner stage with LaserMan and Axis of Awesome, and talk about a few security lessons from Star Wars.

I forgot to mention onstage that I’ve actually illustrated all eight of the Saltzer and Schroeder principles, and collected them up as a single page. That is “The Security Principles of Salzter and Schroeder, Illustrated with Scenes from Star Wars“. Enjoy!

Twitter Weekly Updates for 2012-05-13

  • RT @Ellen_CK It appears that putting a contest in one's internal newsletter leads to people actually reading it #SEingmycoworkers #
  • RT @bfist I like my risk like I like my steak << with blue cheese sauce? #
  • RT @451wendy "Q: How many of the Fortune 500 are hacked right now? A: 500." <- Lovely example of FUD << "lovely"? #
  • .@451wendy @dakami @attritionorg agree with Dan, we need data; Wendy this is testable Can I have a side helping of confirmation bias? 🙂 #
  • RT @Privacymatters Just updated iOS. More T&Cs include Apple WILL make public a basic profile which I can switch off afterwards #privacyfail #
  • RT @shawnmoyer Defenders: I'm the track chair for the defensive track (yes, there is one) for @BlackHatHQ. We need submissions! #
  • Why does @wsdot not have any "special events" here when there's a Mariner's game tonight? #
  • Spending time prepping my AusCERT talk. All that energy watching Star Wars for good examples, it's rough. #
  • New blog: "What Kip Hawley of the TSA Doesn't Understand about Terrorism" #
  • RT @AlecMuffett "#Cybersecurity: Demand An Evidence-Based Approach" ( at Computerworld ) #
  • MT @resnikoff Eagerly awaiting president's evolution on drone strikes, surveillance, drug war, mass imprisonment, secrecy, deportation, etc #
  • RT @aionescu Seriously? Flashing firmware with crap was a "revelation" & "life changing experience" for Dell & HP CEO? #
  • .@aionescu The trouble with classified briefings is they exclude skeptics & prevent discussion. #
  • We seem to be made to suffer. It's our lot in life. #
  • Look sir! Droids! #
  • What I really need is a droid that understands the binary language of power converters. #
  • He suggests that if you remove the restraining bolt, he might be able to play back the entire message. #
  • RT @normative U.S. Military Taught Officers: Use ‘Hiroshima’ Tactics for ‘Total War’ on Islam << Holy fuck #
  • RT @geekwire Ready Indian food fans? A Vij’s offshoot is coming to ‘Amazonland’ with help from Paul Allen << woot! #
  • Just cast my ballot for an open-access set of candidates for the ACM. Thanks to Brighten Godfrey for data: #
  • RT @BlackHatHQ Reminder: #BlackHat USA 2012 Call for Papers closes in 4 days on May 15. Time to deliver submissions #
  • RT @ericlaw: @jeremiahg: So if I see ".secure" in the URL, I'm good to go right? 😛 << Nah, you also have to look for the lock. #
  • RT @jeremiahg a "lock," how quaint. .secure needs an ominous icon. Like a bigass vault door w/ electric razor …<< TSA's blogger bob? #
  • We should start by understanding mental models, testing what people can learn, then decide how to secure it. #
  • If we spend a dollar educating everyone online about a new security measure, that's $2B. Seems worth a lot of up-front design. #
  • Quick blog on "Why Sharing Raw Data is Important" cc @hrbrmstr #
  • Where do I find the Youtube-nocookie link? Wasn't it under embed, options? #

Powered by Twitter Tools

Why Sharing Raw Data is Important

Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs.

Issues like this are why it’s important to release data. It enables independent error checking, but also allows people to slice and dice the issues in ways that otherwise are only accessible to a privileged few with the raw numbers.

What Kip Hawley Doesn't Understand About Terrorism

Former TSA Administrator Kip Hawley was on NPR a few minutes ago, opining on the 2nd panty bomber. He said two remarkable things. First, that the operators of nudatrons, who see thousands of naked people per day, would notice the bomb. Second, he didn’t understand why Al Qaeda would continue to focus on underwear bombs.

Once again, Kip’s wrong.

First, Kip is wrong, and ought to know he’s wrong about those operators. Those operators are likely to get bored and be unable to focus on the images after a while. That’s why the TSA inserts fake images of weapons in its XRays. Detecting these anomalies is hard. (Perhaps TSA inserts fake images in the nudatron images, but I didn’t see any mention of such functionality in the system requirements that EPIC forced TSA to release.

Second, he doesn’t understand why Al Qaeda would focus on underwear bombs. Really? You don’t get that for a failed attempt, millions of people will be photographed naked, groped and humiliated? They focus on the things that make the bureaucracy that Hawley built convulse. That bomb didn’t even make it onto the plane, and we’re all expecting the next shoe to drop.

Twitter Weekly Updates for 2012-05-06

  • RT @netik You program in Rails? Check out Brakeman from our security team & make your code safer. (go @presidentbeef!) #
  • RT @KimZetter Equipment Maker Caught Installing Backdoor Vows to Fix After Public Pressure – #
  • Pro tip: "Blackhat talks get lots of publicity" is not a reason *your* submission will make a great BH talk" #
  • RT @mattblaze "It is a rare foray by Facebook into social engineering…" << Not rare at all; eg privacy, timeline. #
  • . @mattblaze maybe they meant it was rare for Facebook's social engineering to be for the public good? #
  • RT @jeremiahg #sansappsec panelist from ADP says the Elevation of Priviledge card game has proved remarkably engaging w/ DEVs & found bugs #
  • RT @Wh1t3Rabbit Just recorded another episode of Down the Rabbithole, this one with @adamshostack on "New School Security" – what a blast. #
  • RT @bccla: Cuts 2 CSIS watchdog actually close the office completely; no more oversight 4 Canada's spy agency: #cdnpoli #
  • RT @jatiki Anyone got source for a printed version of EOP card game My printer will not do less than 108 sets #
  • Added some rough costs to "Please Kickstarter Elevation of Privilege" #
  • RT @BlackHatHQ First round of #BlackHat speaker selections has been released! #
  • RT @tqbf We are in year ~32 of "security managed by folks who think strategically, don't break things". How's that going for us? #
  • Call me when he's done something dastardly, like painted the space needle orange, or stolen a bridge. (h/t @normative) #
  • RT @jayjacobs We've started a new blog series called "Ask the Data", first post is on Log Analysis: << yay, data! #
  • RT @rsingel The story behind the feds seizing a hip-hop site at RIAA behest for a year << Very sad abuse of power #
  • New blog: "More than 90% of Americans Take Action on Privacy" #
  • May the fourth be with you! I'm spending Star Wars Day on my AusCert talk, "This Technological Terror: Security Lessons from Lord Vader" #
  • New blog: More than 90% of Americans take action on privacy #
  • We have a hard enough time writing secure code without needing to code in back doors. #
  • Listening to Rhythms Del Mundo cover Bohemian Rhapsody in Spanish and wondering why language classes don't use more music. #
  • RT @dakami Everyone's been hacked. Now what? << Now we talk about it, learn from each others mistakes (cc @KimZetter) #
  • RT @dakami there is evidence that we're not wired to trust evidence. << Yeah, but I don't trust it. (Sorry, couldn't resist. 🙂 #
  • RT @csoghoian Facebook ad revenue by region. The company violates American users' privacy for just $9.51/ year. Sad #

Powered by Twitter Tools

Study: More than 90% of Americans Take Action on Privacy

That’s my takeaway from a new study of 2,000 households by Consumer Reports:

There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. (“Study: 13 Million People Haven’t Touched Facebook Privacy Settings“, Consumerist)

Consumerist’s headline focused on the small portion who haven’t touched their privacy settings. I think much more interesting is that based on the Consumer Report numbers, 91% of Americans have taken the time to dig into Facebook’s privacy controls. Also, 72% lock down their wall posts. Those are privacy protective actions, and we regularly hear how those privacy controls are hard to use, and how frequently Facebook changes them.

We often hear privacy-invaders making claims that Americans don’t care about privacy, or won’t do anything about it. Those claims are demonstrated to be false, and false amongst even those least likely to be privacy-concerned (young, willing to be on Facebook).

So next time you hear someone make one of those claims, ask them why 91% of Americans change their privacy settings.

As an aside, the article has a really clear summary of the many privacy problems around Facebook.

Please Kickstart Elevation of Privilege

Jan-Tilo Kirchhoff asked on Twitter for a printer (ideally in Germany) to print up some Elevation of Privilege card sets. Deb Richardson then suggested Kickstarter.

I wanted to comment, but this doesn’t fit in a tweet, so I’ll do it here.

I would be totally excited for someone to Kickstarter production of Elevation of Privilege. Letting other people make it, and make money on it, was an explicit goal of the Creative Commons license (CC-BY-3.0) that we selected when we released the game.

So why don’t I just set up a Kickstarter? In short, I think it’s a caesar’s wife issue. I think there’s a risk that it looks bad for me to decide to release things that Microsoft paid me to do, and then make money off of them.

Now, that impacts me. It doesn’t impact anyone else. I would be totally excited for someone else to go make some cards and sell them. I would promote such a thing, and help people find whatever lovely capitalist is doing it. I would be happy to support a Kickstarter campaign, and would be willing to donate some of my time and energy with things like signing decks, doing a training sessions, or whatnot. I even have some joker cards that you could produce as a special bonus item.

So, if you think Elevation of Privilege is cool, please, go take advantage of the license we released it under, and go make money with it.

[Update: I don’t have exact numbers, but have seen quotes for quantities around 5,000 decks, production might be around $2-3 a deck. At smaller quantities, you might end up around $5-7 a deck. YMMV. So a Kickstarter in the range of $5-10K would probably be workable, although you’d certainly want to think about shipping and handling costs.]