Don't Share, Publish

I’d like to offer up a thought with regards to the latest swirl of discussion around ‘information sharing’ in security: Don’t share, publish.

I want to talk about this because more and more folks are starting to question the value of information sharing frameworks and forums. Andrew and I share that skepticism in The New School, and I’m glad more people are starting to question these assumptions. These questions exist, and are debated, because of secrecy. If the forums would show the data that’s being shared, or what was shared a year or three ago, we could evaluate it, rather than offer up opinions. And those of you that listen to me know that I’m bored with opinions, and like data, observation, and analysis. (Not to mention, when helpful, the Oxford Comma.)

So let’s talk about publishing. Publishing is when you put the information out there. We all agree, it’s appropriate when the victim is known and the vulnerability addressed, or when the victim is anonymized. The victim may be known because of breach disclosure, or because the hackers engaged in defacement or data dumping. Contrast that with ‘sharing’ under some constrained set of conditions.

The instant you go from publish to sharing, you start spending time and money on controlling who can see the data. That time and money is always limited, and so we should evaluate the return on that investment. Further, the instant that you start to de-contextualize an incident, by definition, you’re removing information that someone might use to gain understanding.

In some recently announced initiatives, there’s controls on who can join in, and effort spent on anonymizing the data. Now, maybe what comes out is useful to you. Maybe it’s not. Maybe all that effort spent on controlling the flow of data would be better spent on its quality.

For years, people have asked me to justify my calls for public breach disclosure. I think it’s now time to level the playing field, and demand explanations from the advocates of sharing. Why are you advocating for sharing over publishing?

If you think that effort to anonymize the breach is worthwhile, I’d like to invite you to justify what effort is worthwhile, and under what conditions it’s worthwhile. There are some good reasons, including that the vulnerability exploited is not yet fixed or to protect an active investigation. If you think your data sharing initiative is worthwhile, please show us the data that you were sharing years back. Let’s compare the models and see how it’s working out, and let’s work to do better.

Otherwise, let’s stop talking about sharing, and show me — and everyone else — the data.

Neil Armstrong, RIP

Neil Armstrong in Eagle, photographed by Buzz Aldrin

Neil Armstrong died August 25, aged 82.

It’s difficult to properly memorialize this man, because, to a degree almost unheard of in our media-saturated times, he avoided the limelight. A statement by his family notes:

As much as Neil cherished his privacy, he always appreciated the expressions of good will from people around the world and from all walks of life.

EC has a certain fondness for privacy and for Apollo. If you do, too, please consider this suggestion made by Armstrong’s family:

For those who may ask what they can do to honor Neil, we have a simple request. Honor his example of service, accomplishment and modesty, and the next time you walk outside on a clear night and see the moon smiling down at you, think of Neil Armstrong and give him a wink.

Image source: NASA

The Plural of Anecdote is Anecdotes

Over at, there’s a story which starts:

Medical-data blackmail is becoming more common as more health care providers adopt electronic health records systems and store patient data digitally. (“Hackers demand ransom to keep medical records private”)

The trouble with this opening sentence is that it has nothing to do with the story. It’s a throw-away assertion. There’s no evidence offered up. There are lots of alternate hypotheses, such as more health care providers are talking to their attorneys about blackmail. Maybe it’s true, but the article totally fails to make a case.

Regulations and Their Emergent Effects

There’s a fascinating story in the New York Times, “Profits on Carbon Credits Drive Output of a Harmful Gas”:

[W]here the United Nations envisioned environmental reform, some manufacturers of gases used in air-conditioning and refrigeration saw a lucrative business opportunity.

They quickly figured out that they could earn one carbon credit by eliminating one ton of carbon dioxide, but could earn more than 11,000 credits by simply destroying a ton of an obscure waste gas normally released in the manufacturing of a widely used coolant gas. That is because that byproduct has a huge global warming effect. The credits could be sold on international markets, earning tens of millions of dollars a year.

That incentive has driven plants in the developing world not only to increase production of the coolant gas but also to keep it high — a huge problem because the coolant itself contributes to global warming and depletes the ozone layer.

Writing good regulation to achieve exactly the effects that you want is a hard problem. It’s not hard in the “throw some smart people” at it sense, but hard in the sense that you’re generally going to have to make hard tradeoffs around behavior like this. Simple regulations will fail to capture nuance, but as the regulation becomes more complex, you end up with more nooks and crannies full of strange outcomes.

We as people and as a society need to think about how much of this we want. If we want to regulate with a fine-toothed comb, then we’re going to see strange things like this. If we want to regulate more broadly, we’ll likely end up with some egregious failures and frauds like Enron or the mortgage crisis. But those failures are entirely predictable: companies occasionally fake their books, and bankers will consistently sell as much risk as they can to the biggest sucker. For example, the Bush administration’s TARP program, or Seattle taking on $200 million in risk from a hedge fund manager who wants to build a new sports stadium. At least that risk isn’t hidden in some bizarre emergent effect of the regulation.

That aside, long, complex regulations are always going to produce emergent and chaotic effects. That matters for us in security because as we look at the new laws that are proposed, we should look to see not only their intended effects, but judge if their complexity itself is a risk.

I’m sure there are other emergent effects which I’m missing.

New Species Discovered on Flickr

Semachrysa Jade

There’s a very cool story on NPR about “A New Species Discovered … On Flickr”. An entomologist was looking at some photos, and saw a bug he’d never seen. Check out the photographer’s site or Flickr pages. The paper is “A charismatic new species of green lacewing discovered in Malaysia (Neuroptera, Chrysopidae): the confluence of citizen scientist, online image database and cybertaxonomy”:

The online images were then randomly examined by the senior author (SLW) who determined that this distinctive species was not immediately recognizable as any previously described species. Links to the images were forwarded to additional experts in chrysopid taxonomy to elicit comment on its possible taxonomic identity. After extensive discussion it was concluded that the species was likely new to science but its generic placement inconclusive based solely upon the images at hand.

I find it fascinating that the distinction of a new species is keyed on a morphological difference like this. While I know nothing about the Chrysopidae, and this is just a lay comment, substantially larger variations occur in dogs without driving the claim of a new species. Does anyone know what makes for a new chrysopid?

Photo by Kurt, aka Hock Ping Guek.

Paul Ryan open thread

Oh, what the heck, it hasn’t been chaotic enough around here. So, I’ll give you a topic: Paul Ryan. Commentary from The Economist starts:

IN THE polarised world of American politics, achieving bipartisan agreement on any topic is a rare feat nowadays. So perhaps it’s worth celebrating the fact that, had it been put to a vote, the pick of Paul Ryan as Mitt Romney’s running-mate likely would’ve gained support from both parties.

Please, continue. Was it a Hail Mary move? Will Ryan energize the Republican base enough to get out more votes? Will he drive votes to the Democrats?

What do you think?

Oh, and bonus points if you can tie in internet security.

Your career is over after a breach? Another Myth, Busted!

I’m a big fan of learning from our experiences around breaches. Claims like “your stock will fall”, or “your customers will flee” are shown to be false by statistical analysis, and I expect we’d see the same if we looked at people losing their jobs over breaches. (We could do this, for example, via LinkedIn and DatalossDB.)

There’s another myth that’s out there about what happens after a breach, and that is that the breach destroys the career of the CISO and the entire security department. And so I’m pleased today to be able to talk about that myth. Frequently, when I bring up breaches and lessons we can learn, people bring up ChoicePoint as the ultimate counterexample. Now, ChoicePoint is interesting for all sorts of reasons, but from a stock price perspective, they’re a statistical outlier. And so I’m extra pleased to be able to discuss today’s lesson with ChoicePoint as our data point.

Last week, former ChoicePoint CISO Rich Baich was named Wells Fargo’s first chief information security officer. Congratulations, Rich!

Now, you might accuse me of substituting anecdote for data and analysis, and you’d be sort of right. One data point doesn’t plot a line. But not all science requires plotting a line. Oftentimes, a good experiment shows us things by being impossible under the standard model. Dropping things from the tower of Pisa shows that objects fall at the same speed, regardless of weight.

So Wells Fargo’s announcement is interesting because it provides a data point that invalidates the hypothesis “If you have a breach, your career is over.” Now, some people, less clever than you, dear reader, might try to retreat to a weaker claim “If you have a breach, your career may be over.” Of course, that “may” destroys any predictive value that the claim may have, and in fact, the claim “If [X], your career may be over,” is equally true, and equally useless, and that’s why you’re not going there.

In other words, if a breach always destroys a career, shouldn’t Rich be flipping burgers?

There are three more variant hypotheses we can talk about:

  • “If you have a breach, your career will require a long period of rehabilitation.” But Rich was leading the “Global Cyber Threat and Vulnerability Management practice” for Deloitte and Touche, which is not exactly a backwater.
  • “If you have a breach, you will be fired for it.” That one is a bit trickier. I’m certainly not going to assert that no one has ever been fired for a breach happening. But it’s also clearly untrue. The weaker version is “if you have a breach, you may be fired for it”, and again, that’s not useful or interesting.
  • “If you have a breach, it will improve your career.” That’s also obviously false, and the weaker version isn’t falsifiable. But perhaps the lessons learned, focus, and publicity around a breach can make it helpful to your career. It’s not obviously dumber than the opposite claims.

So overall, what is useful and interesting is that yet another myth around breaches turns out to be false. So let’s start saying a bit more about what went wrong, and learning more about what’s going wrong.

Finally, again, congratulations and good luck to Rich in his new role!

Fascinating Job at PayPal

Someone reached out to me about a job that looks really interesting:

The Director of Security Experience, Education & Research (SEER) will be responsible for defining the customer-facing security strategy for PayPal, define product roadmaps to enhance feature security and usability, drive customer security best practices adoption throughout our industry, and drive customer security education and engagement in coordination with PayPal’s marketing and global operations teams. The SEER Director will also play a leadership role in helping set the authentication strategy, research agenda, and lead a team to establish a customer-centric culture …

I think the hiring manager has put together a fascinating set of tasks which, combined with PayPal’s reach, has a real potential to make the world a better place, and so I wanted to help him find the right candidate.