Shostack + Friends Blog Archive

 

Rogue One Sequel already being filmed!

There’s some really interesting leaked photos and analysis by Charles Goodman. “Leaked photos from the Rogue One sequel (Mainly Speculation – Possible Spoilers).”

 

Rogue One: The Best Star Wars Yet?

Someone once asked me why I like Star Wars more than Star Trek. I was a bit taken aback, and he assumed that since I use it so much, I obviously prefer it. The real reason I use Star Wars is not that it’s better, but that there’s a small canon, and I don’t have […]

 

Earthrise

Image credit: Bill Anders, Apollo 8, launched this day, Dec 21, 1968.

 

Yahoo! Yippee? What to Do?

[Dec 20 update: The first draft of this post ended up with both consumer and enterprise advice, which made it complex. The enterprise half is now on the IANS blog: Never Waste a Good Crisis: Yahoo Edition.] Yesterday, Yahoo disclosed that attackers broke into Yahoo in 2013 and stole details on a billion accounts. Brian […]

 

Seeing the Big Picture

This quote from Bob Iger, head of Disney, is quite interesting for his perspective as a leader of a big company: There is a human side to it that I try to apply and consider. [But] the harder thing is to balance with the reality that not everything is perfect. In the normal course of […]

 

Do Games Teach Security?

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments Gamification of classroom assignments and online tools has grown significantly in recent years. There have been a number of card […]

 

Incentives, Insurance and Root Cause

Over the decade or so since The New School book came out, there’s been a sea change in how we talk about breaches, and how we talk about those who got breached. We agree that understanding what’s going wrong should be a bigger part of how we learn. I’m pleased to have played some part […]

 

Threat Modeling the PASTA Way

There’s a really interesting podcast with Robert Hurlbut Chris Romeo and Tony UcedaVelez on the PASTA approach to threat modeling. The whole podcast is interesting, especially hearing Chris and Tony discuss how an organization went from STRIDE to CAPEC and back again. There’s a section where they discuss the idea of “think like an attacker,” […]

 

Electoral Chaos

[Dec 15: Note that there are 4 updates to the post with additional links after writing.] The Green Party is driving a set of recounts that might change the outcome in one or more swing states. Simultaneously, there is a growing movement to ask the Electoral College to choose a candidate other than Donald Trump […]

 

Gavle Lessons: 56% Is Not Sufficiently More Secure!

In September, we shared the news that for its 50th year, the people of Gävle paid an extra $100,000 to secure the goat. Sadly, it seems to have not helped. Today, the goat tweeted: Oh no, such a short amount of time with you my friends. The obvious lesson is that the Swedes have a […]

 

Mac Command Line: Turning Apps into Commands

I moved to MacOS X because it offers both a unix command line and graphical interfaces, and I almost exclusively use the command line as I switch between tasks. If you use a terminal and aren’t familiar with the open command, I urge you to take a look. I tend to open documents with open […]

 

Election 2016

This election has been hard to take on all sorts of levels, and I’m not going to write about the crap. Everything to be said has been said, along which much that never should have been said, and much that should disqualify those who said it from running for President. I thought about endorsing Jill […]

 

Learning from Our Experience, Part Z

One of the themes of The New School of Information Security is how other fields learn from their experiences, and how information security’s culture of hiding our incidents prevents us from learning. Today I found yet another field where they are looking to learn from previous incidents and mistakes: zombies. From “The Zombie Survival Guide: […]

 

The Breach Response Market Is Broken (and what could be done)

Much of what Andrew and I wrote about in the New School has come to pass. Disclosing breaches is no longer as scary, nor as shocking, as it was. But one thing we expected to happen was the emergence of a robust market of services for breach victims. That’s not happened, and I’ve been thinking […]

 

Secure Development or Backdoors: Pick One

In “Threat Modeling Crypto Back Doors,” I wrote: In the same vein, the requests and implementations for such back-doors may be confidential or classified. If that’s the case, the features may not go through normal tracking for implementation, testing, or review, again reducing the odds that they are secure. Of course, because such a system […]

 

Current Reading

[Update, Feb 20 2017: More reading: Trump and the ‘Society of the Spectacle’.]

 

Gavle Goat, now 56% more secure!

“We’ll have more guards. We’re going to try to have a ‘goat guarantee’ the first weekend,” deputy council chief Helene Åkerlind, representing the local branch of the Liberal Party, told newspaper Gefle Dagblad. “It is really important that it stays standing in its 50th year,” she added to Arbetarbladet. Gävle Council has decided to allocate […]

 

You say noise, I say data

There is a frequent claim that stock markets are somehow irrational and unable to properly value the impact of cyber incidents in pricing. (That’s not usually precisely how people phrase it. I like this chart of one of the largest credit card breaches in history: It provides useful context as we consider this quote: On […]

 

Why Don't We Have an Incident Repository?

Steve Bellovin and I provided some “Input to the Commission on Enhancing National Cybersecurity.” It opens: We are writing after 25 years of calls for a “NTSB for Security” have failed to result in action. As early as 1991, a National Research Council report called for “build[ing] a repository of incident data” and said “one […]

 

Diagrams in Threat Modeling

When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, Interrupted” this paragraph really jumped out at me: One thing that coding and writing fiction […]

 

Journal of Terrorism and Cyber Insurance

At the RMS blog, we learn they are “Launching a New Journal for Terrorism and Cyber Insurance:” Natural hazard science is commonly studied at college, and to some level in the insurance industry’s further education and training courses. But this is not the case with terrorism risk. Even if insurance professionals learn about terrorism in […]

 

What Boards Want in Security Reporting

Recently, some of my friends were talking about a report by Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports.” In that report, we see things like: More than three in five board members say they are both significantly or very “satisfied” (64%) and “inspired”(65%) after the typical presentation by IT and […]

 

FBI says their warnings were ignored

There’s two major parts to the DNC/FBI/Russia story. The first part is the really fascinating evolution of public disclosures over the DNC hack. We know the DNC was hacked, that someone gave a set of emails to Wikileaks. There are accusations that it was Russia, and then someone leaked an NSA toolkit and threatened to […]

 

What does the MS Secure Boot Issue teach us about key escrow?

Nothing. No, seriously. Articles like “Microsoft Secure Boot key debacle causes security panic” and “Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea” draw on words in an advisory to say that this is all about golden keys and secure boot. This post is not intended to attack anyone; researchers, journalists or […]

 

Consultants Say Their Cyber Warnings Were Ignored

Back in October, 2014, I discussed a pattern of “Employees Say Company Left Data Vulnerable,” and its a pattern that we’ve seen often since. Today, I want to discuss the consultant’s variation on the story. This is less common, because generally smart consultants don’t comment on the security of their consultees. In this case, it […]

 

"Better Safe than Sorry!"

“Better safe than sorry” are the closing words in a NYT story, “A Colorado Town Tests Positive for Marijuana (in Its Water).” Now, I’m in favor of safety, and there’s a tradeoff being made. Shutting down a well reduces safety by limiting the supply of water, and in this case, they closed a pool, which […]

 

Dear Mr. President

U.S. President Barack Obama says he’s ”concerned” about the country’s cyber security and adds, ”we have to learn from our mistakes.” Dear Mr. President, what actions are we taking to learn from our mistakes? Do we have a repository of mistakes that have been made? Do we have a “capability” for analysis of these mistakes? […]

 

Tacoma Narrows and Security

I always get a little frisson of engineering joy when I drive over the Tacoma Narrows bridge. For the non-engineers in the audience, the first Tacoma Narrows bridge famously twisted itself to destruction in a 42-mph wind. The bridge was obviously unstable even during initial construction (as documented in “Catastrophe to Triumph: Bridges of the […]

 

Donald Trump Facts

“My father likes to keep some anonymity. It’s who he is. It’s who he is as a person,” Eric Trump said. It should have been obvious. (Quote from Washington Post, July 6, 2016).

 

What's Classified, Doc? (The Clinton Emails and the FBI)

So I have a very specific question about the “classified emails”, and it seems not to be answered by “Statement by FBI Director James B. Comey on the Investigation of Secretary Hillary Clinton’s Use of a Personal E-Mail System .” A few quotes: From the group of 30,000 e-mails returned to the State Department, 110 […]

 

Happy Independence Day!

Since 2005, this blog has had a holiday tradition of posting “The unanimous Declaration of the thirteen united States of America.” Never in our wildest, most chaotic dreams, did we imagine that the British would one day quote these opening words: When in the Course of human events, it becomes necessary for one people to […]

 

Passwords 2016

I’m excited to see the call for papers for Passwords 2016. There are a few exciting elements. First, passwords are in a category of problems that someone recently called “garbage problems.” They’re smelly, messy, and no one really wants to get their hands dirty on them. Second, they’re important. Despite their very well-known disadvantages, and […]

 

A New Way to Tie Security to Business

As security professionals, sometimes the advice we get is to think about the security controls we deploy as some mix of “cloud access security brokerage” and “user and entity behavioral analytics” and “next generation endpoint protection.” We’re also supposed to “hunt”, “comply,” and ensure people have had their “awareness” raised. Or perhaps they mean “training,” […]

 

The Evolution of Apple’s Differential Privacy

Bruce Schneier comments on “Apple’s Differential Privacy:” So while I applaud Apple for trying to improve privacy within its business models, I would like some more transparency and some more public scrutiny. Do we know enough about what’s being done? No, and my bet is that Apple doesn’t know precisely what they’ll ship, and aren’t […]

 

Security Lessons from C-3PO

C-3PO: Sir, the possibility of successfully navigating an asteroid field is approximately 3,720 to 1. Han Solo: Never tell me the odds. I was planning to start this with a C-3PO quote, and then move to a discussion of risk and risk taking. But I had forgotten just how rich a vein George Lucas tapped […]

 

The Rhetorical Style of Drama

There is a spectre haunting the internet, the spectre of drama. All the powers of the social media have banded together to not fight it, because drama increases engagement statistics like nothing else: Twitter and Facebook, Gawker and TMZ, BlackLivesMatter and GamerGate, Donald Trump and Donald Trump, the list goes on and on. Where is […]

 

"Think Like an Attacker" is an opt-in mistake

I’ve repeatedly spoken out against “think like an attacker.” Now I’m going to argue from authority. In this long article, “The Obama Doctrine,” the President of the United States says “The degree of tribal division in Libya was greater than our analysts had expected.” So let’s think about that statement and what it means. First, […]

 

Humans in Security, BlackHat talks

This is a brief response to Steve Christey Coley, who wrote on Twitter, “but BH CFP reads mostly pure-tech, yet infosec’s more human-driven?” I can’t respond in 140, and so a few of my thoughts, badly organized: BlackHat started life as a technical conference, and there’s certain expectations about topics, content and quality, which have […]

 

RSA Planning

Have a survival kit: ricola, Purell, gatorade, advil and antacids can be brought or bought on site. Favorite talk (not by me): I look forward to Sounil Yu’s talk on “Understanding the Security Vendor Landscape Using the Cyber Defense Matrix.” I’ve seen an earlier version of this, and like the model he’s building a great […]

 

Secure Code is Hard, Let's Make it Harder!

I was confused about why Dan Kaminsky would say CVE-2015-7547 (a bug in glbc’s DNS handling) creates network attack surface for sudo. Chris Rohlf kindly sorted me out by mentioning that there’s now a -host option to sudo, of which I was unaware. I had not looked at sudo in depth for probably 20 years, […]

 

Sneak peeks at my new startup at RSA

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]

 

Sneak peeks at my new startup at RSA

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]

 

Kale Caesar

According to the CBC: “McDonald’s kale salad has more calories than a Double Big Mac” In a quest to reinvent its image, McDonald’s is on a health kick. But some of its nutrient-enhanced meals are actually comparable to junk food, say some health experts. One of new kale salads has more calories, fat and sodium […]

 

Superbowls

This is a superb owl, but its feathers are ruffled. It is certainly not a metaphor. Speaking of ruffled feathers, apparently there’s a kerfuffle about Super Bowl 1, where the only extant tape is in private hands, and there’s conflict over what to do with it. One aspect I haven’t seen covered is that 50 […]

 

Threat Modeling: Chinese Edition

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into Chinese. You can buy it from Amazon.cn.

 

Threat Modeling, Chinese Edition!

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into Chinese. You can buy it from Amazon.cn.

 

Security Blogger Awards

Voting for the 2016 Security Blogger Awards are now open, and this blog is nominated for most entertaining. Please don’t vote for us. Along with our sister blog, we’re aiming to dominate a new category next year, “most nominations without a win.”

 

"The Pentesters Strike Back"

Offered up without comment: Star Wars Episode IV.1.d: The Pentesters Strike Back from CyberPoint International on Vimeo.

 

The Pogues

Happy New Year! The Pogues are Launching their own brand of whiskey, and whatever you think of the band or of drinking, it’s hard to think of a more “on brand” product creation than this.

 

Cybersecurity Lessons from Star Wars: Blame Vader, Not the IT Department

In “The Galactic Empire Has Terrible Cybersecurity,” Alex Grigsby looks at a number of high-profile failures, covered in “A New Hope” and the rest of the Star Wars canon. Unfortunately, the approach he takes to the Galactic Empire obscures the larger, more dangerous issue is its cybersecurity culture. There are two errors in Grigsby’s analysis, […]

 

Governance Lessons from the Death Star Architect

I had not seen this excellent presentation by the engineer who built the Death Star’s exhaust system. In it, he discusses the need to disperse energy from a battle station with the power draw to destroy planets, and the engineering goals he had to balance. I’m reminded again of “The Evolution of Useful Things” and […]

 

Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current. Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned […]

 

The Evolution of Secure Things

One of the most interesting security books I’ve read in a while barely mentions computers or security. The book is Petroski’s The Evolution of Useful Things. As the subtitle explains, the book discusses “How Everyday Artifacts – From Forks and Pins to Paper Clips and Zippers – Came to be as They are.” The chapter […]

 

Phishing and Clearances

Apparently, the CISO of US Homeland Security, a Paul Beckman, said that: “Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government” (Paul Beckman, quoted in Ars technica) Now, I’m sure being in the […]

 

Survey for How to Measure Anything In Cybersecurity Risk

This is a survey from Doug Hubbard, author of How To Measure Anything and he is currently writing another book with Richard Seiersen (GM of Cyber Security at GE Healthcare) titled How to Measure Anything in Cybersecurity Risk. As part of the research for this book, they are asking for your assistance as an information […]

 

What Good is Threat Intelligence Going to do Against That?

As you may be aware, I’m a fan of using Star Wars for security lessons, such as threat modeling or Saltzer and Schroeder. So I was pretty excited to see Wade Baker post “Luke in the Sky with Diamonds,” talking about threat intelligence, and he gets bonus points for crossover title. And I think it’s […]

 

Towards a model of web browser security

One of the values of models is they can help us engage in areas where otherwise the detail is overwhelming. For example, C is a model of how a CPU works that allows engineers to defer certain details to the compiler, rather than writing in assembler. It empowers software developers to write for many CPU […]

 

Adam's new startup

A conversation with an old friend reminded me that there may be folks who follow this blog, but not the New School blog. Over there, I’ve posted “Improving Security Effectiveness” about leaving Microsoft to work on my new company: For the last few months, I’ve been working full time and talking with colleagues about a […]

 

Seeking a technical leader for my new company

We have a new way to measure security effectiveness, and want someone who’ll drive to delivering the technology to customers, while building a great place for developers to ship and deploy important technology. We are very early in the building of the company. The right person will understand such a “green field” represents both opportunity […]

 

The Drama Triangle

As we head into summer conference season, drama is as predictable as vulnerabilities. I’m really not fond of either. What I am fond of, (other than Star Wars), as someone who spends a lot of time thinking about models, is the model of the “drama triangle.” First discussed by Stephen Karpman, the triangle has three […]

 

Security Lessons from Healthcare.gov

There’s a great “long read” at CIO, “6 Software Development Lessons From Healthcare.gov’s Failed Launch.” It opens: This article tries to go further than the typical coverage of Healthcare.gov. The amazing thing about this story isn’t the failure. That was fairly obvious. No, the strange thing is the manner in which often conflicting information is […]

 

On Language

I was irked to see a tweet “Learned a new word! Pseudoarboricity: the number of pseudoforests needed to cover a graph. Yes, it is actually a word and so is pseudoforest.” The idea that some letter combinations are “actual words” implies that others are “not actual words,” and thus, that there is some authority who […]

 

The Web We Have to Save

Hossein Derakhshan was recently released from jail in Iran. He’s written a long and thoughtful article “The Web We Have to Save.” It’s worth reading in full, but here’s an excerpt: Some of it is visual. Yes, it is true that all my posts on Twitter and Facebook look something similar to a personal blog: […]

 

Improving Security Effectiveness

For the last few months, I’ve been working full time and talking with colleagues about a new way for security executives to measure the effectiveness of security programs. In very important ways, the ideas are new and non-obvious, and at the same time, they’re an evolution of the ideas that Andrew and I wrote about […]

 

What Happened At OPM?

I want to discuss some elements of the OPM breach and what we know and what we don’t. Before I do, I want to acknowledge the tremendous and justified distress that those who’ve filled out the SF-86 form are experiencing. I also want to acknowledge the tremendous concern that those who employ those with clearances […]

 

PCI & the 166816 password

This was a story back around RSA, but I missed it until RSnake brought it up on Twitter: “[A default password] can hack nearly every credit card machine in the country.” The simple version is that Charles Henderson of Trustwave found that “90% of the terminals of this brand we test for the first time […]

 

Wassenaar Restrictions on Speech

[There are broader critiques by Katie Moussouris of HackerOne at “Legally Blind and Deaf – How Computer Crime Laws Silence Helpful Hackers” and Halvar Flake at “Why changes to Wassenaar make oppression and surveillance easier, not harder.” This post addresses the free speech issue.] During the first crypto wars, cryptography was regulated under the US […]

 

Threat Modeling Crypto Back Doors

Today, the Open Technology Institute released an open letter to the President of the United States from a broad set of organizations and experts, and I’m pleased to be a signer, and agree wholeheartedly with the text of the letter. (Some press coverage.) I did want to pile on with an excerpt from chapter 9 […]

 

Conference Etiquette: What’s New?

So Bill Brenner has a great article on “How to survive security conferences: 4 tips for the socially anxious .” I’d like to stand by my 2010 guide to “Black Hat Best Practices,” and augment it with something new: a word on etiquette. Etiquette is not about what fork you use (start from the outside, […]

 

Boyd Video: Patterns of Conflict

John Boyd’s ideas have had a deep impact on the world. He created the concept of the OODA Loop, and talked about the importance of speed (“getting inside your opponent’s loop”) and orientation, and how we determine what’s important. A lot of people who know about the work of John Boyd also know that he […]

 

The New Cyber Agency Will Likely Cyber Fail

The Washington Post reports that there will be a “New agency to sniff out threats in cyberspace.” This is my first analysis of what’s been made public. Details are not fully released, but there are some obvious problems, which include: “The quality of the threat analysis will depend on a steady stream of data from […]

 

What CSOs can Learn from Pete Carroll

If you listen to the security echo chamber, after an embarrassing failure like a data breach, you lose your job, right? Let’s look at Seahawks Coach Pete Carroll, who made what the home town paper called the “Worst Play Call Ever.” With less than a minute to go in the Superbowl, and the game hanging […]

 

An Infosec lesson from the "Worst Play Call Ever"

It didn’t take long for the Seahawk’s game-losing pass to get a label. But as Ed Felten explains, there’s actually some logic to it, and one of his commenters (Chris) points out that Marshawn Lynch scored in only one of his 5 runs from the one yard line this season. So, perhaps in a game […]

 

The Unexpected Meanings of Facebook Privacy Disclaimers

Paul Gowder has an interesting post over at Prawfblog, “In Defense of Facebook Copyright Disclaimer Status Updates (!!!).” He presents the facts: …People then decide that, hey, goose, gander, if Facebook can unilaterally change the terms of our agreement by presenting new ones where, theoretically, a user might see them, then a user can unilaterally […]

 

Security 101: Show Your List!

Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords! That’s security 101!” Now, I’m unsure if that’s “security 101” or not. I think security 101 for passwords is “don’t […]

 

IOS Subject Key Identifier?

I’m having a problem where the “key identifier” displayed on my ios device does not match the key fingerprint on my server. In particular, I run: % openssl x509 -in keyfile.pem -fingerprint -sha1 and I get a 20 byte hash. I also have a 20 byte hash in my phone, but it is not that […]

 

Color-Changing Cats

Looking for something festive, holiday-like and chaotic for the blog, I came across color-changing cats. The history of color-changing cats is a fascinating one, involving Carl Sagan and accurate predictions of unfathomable chaos over the next ten thousand years. Because while we don’t know what life will be like that far in the future, consider […]

 

The Cliffs of Insanity!

Today’s “the future is cool” entry is the cliffs of insanity: Actually, I’m lying to you, they’re the Cliffs of Comet Churyumov–Gerasimenko, as photographed by the Rosetta spacecraft. I just think its cool similar they look, and how the physical processes which created the Cliffs of Moher may also have been at work on a […]

 

The Future Is So Cool

When you were growing up, 2014 was the future. And it’s become cliche to bemoan that we don’t have the flying cars we were promised, but did get early delivery on a dystopian surveillance state. So living here in the future, I just wanted to point out how cool it is that you can detect […]

 

Security Lessons from Drug Trials

When people don’t take their drugs as prescribed, it’s for very human reasons. Typically they can’t tolerate the side effects, the cost is too high, they don’t perceive any benefit, or they’re just too much hassle. Put these very human (and very subjective) reasons together, and they create a problem that medicine refers to as […]

 

Hate-watching, breaking and building

Listening to the radio, there was a discussion of how the folks at NBC were worried that people were going to “hatewatch” their new version of Peter Pan. Hatewatch. Like it’s a word. It’s fascinating. They discussed how people wanted to watch it to tweet cynically at its expense. The builder/breaker split isn’t just present […]

 

Chaos and Legitimacy

At BruCon 0x06, I was awoken from a nap to the sound of canons, and looked out my window to see soldiers marching through the streets. It turns out they were celebrating the 200th anniversary of the Treaty of Ghent. As I’m sure you’ll recall from history class Wikipedia, the Treaty of Ghent ended the […]

 

Threat Modeling At a Startup

I’ve been threat modeling for a long time, and at Microsoft, had the lovely opportunity to put some rigor into not only threat modeling, but into threat modeling in a consistent, predictable, repeatable way. Because I did that work at Microsoft, sometimes people question how it would work for a startup, and I want to […]

 

Usable Security: History, Themes, and Challenges (Book Review)

Simson Garfinkel and Heather Lipford’s Usable Security: History, Themes, and Challenges should be on the shelf of anyone who is developing software that asks people to make decisions about computer security. We have to ask people to make decisions because they have information that the computer doesn’t. My favorite example is the Windows “new network” […]

 

Think Like An Attacker? Flip that advice!

For many years, I have been saying that “think like an attacker” is bad advice for most people. For example: Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They […]

 

Modeling Attackers and Their Motives

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. You should look at the reports for facts you can use to assess your systems, such as filenames, hashes and IP addresses. Most readers should, at most, skim their analysis of the perpetrators. Read on […]

 

Phone Booths

This is a lovely little story about pay phones on Whidbey Island. Warning: those who spent too much time with phone systems in their youth may feel inexplicable nostalgia.

 

Thanks, Bruce!

Bruce Schneier says nice things about my latest book.

 

Employees Say Company Left Data Vulnerable

There’s a recurring theme in data breach stories: The risks were clear to computer experts inside $organization: The organization, they warned for years, might be easy prey for hackers. But despite alarms as far back as 2008, $organization was slow to raise its defenses, according to former employees. The particular quote is from “Ex-Employees Say […]

 

Jolt Award for Threat Modeling

I am super-pleased to report that Threat Modeling: Designing for Security has been named a Jolt Finalist, the first security-centered book to make that list since Schneier’s Secrets and Lies in 2001. My thanks to the judges, most especially to Gastón Hillar for the constructive criticism that “Unluckily, the author has chosen to focus on […]

 

BSides LV: Change Industry Or Change Professionals?

All through the week of BSides/BlackHat/Defcon, people came up to me to tell me that they enjoyed my BSides Las Vegas talk. (Slides, video). It got some press coverage, including an article by Jon Evans of TechCrunch, “Notes From Crazytown, Day One: The Business Of Fear.” Mr. Evans raises an interesting point: “the computer security […]

 

CERT, Tor, and Disclosure Coordination

There’s been a lot said in security circles about a talk on Tor being pulled from Blackhat. (Tor’s comments are also worth noting.) While that story is interesting, I think the bigger story is the lack of infrastructure for disclosure coordination. Coordinating information about vulnerabilities is a socially important function. Coordination makes it possible for […]

 

Etsy's Threat Modeling

Gabrielle Gianelli has pulled back the curtain on how Etsy threat modeled a new marketing campaign. (“Threat Modeling for Marketing Campaigns.”) I’m really happy to see this post, and the approach that they’ve taken: First, we wanted to make our program sustainable through proactive defenses. When we designed the program we tried to bake in […]

 

Mail Chaos

The mail system I’ve been using for the last 19 years is experiencing what one might call an accumulation of chaos, and so I’m migrating to a new domain, shostack.org. You can email me at my firstname@shostack.org, and my web site is now at http://adam.shostack.org I am sorry for any inconvenience this may cause. [Update: […]

 

What Security Folks Can Learn from Doctors

Stefan Larson talks about “What doctors can learn from each other:” Different hospitals produce different results on different procedures. Only, patients don’t know that data, making choosing a surgeon a high-stakes guessing game. Stefan Larsson looks at what happens when doctors measure and share their outcomes on hip replacement surgery, for example, to see which […]

 

Seattle event: Ada's Books

For Star Wars day, I’m happy to share this event poster for my talk at Ada’s Books in Seattle Technical Presentation: Adam Shostack shares Threat Modeling Lessons with Star Wars. This will be a less technical talk with plenty of discussion and interactivity, drawing on some of the content from “Security Lessons from Star Wars,” […]

 

Threat Modeling: The East Coast Book Tour

I’m planning to be on the East Coast from June 16-27, giving threat modeling book talks. (My very popular “Threat Modeling Lessons from Star Wars.”) I’m reaching out to find venues which would like me to come by and speak. My plan is to arrive in Washington DC on the 16th, and end in Boston, […]

 

There's more than one way to threat model

Today, most presentations on threat modeling talk about each phase of the process. They talk about how to model what you’re building, what can go wrong, and what to do about it. Those tightly coupled processes can be great if you’ve never heard of an approach to threat modeling. But they can add to the […]

 

Threat modeling the Dread Pirate Roberts way

It has to be said that no one in the Princess Bride is great at threat modeling. But one scene in particular stands out. It’s while they’re planning to attack the castle and rescue Buttercup: Westley: I mean, if we only had a wheelbarrow, that would be something. Inigo: Where we did we put that […]

 

Virtual assistant services?

I’m getting ready to announce an East coast book tour. In planning my Silicon Valley tour, I learned that between scheduling, getting the details needed out, making sure I knew where I was sleeping, there was a large amount of administrative work involved. So I’d like to hire someone to take care of all that […]

 

Threat Modeling & Devops: Like Peanut Butter & Jelly

George Hulme interviewed me for Devops.com, and the article is at “Q&A: Speaking DevOps and Threat Modeling.” Its obvious that devops is an important trend, andit’s important to understand how to align threat modeling to that world.

 

Should I Start Threat Modeling from Assets?

A couple of reviewers have commented that they have different perspective on assets. For example, in a review I very much appreciated, Gunnar Peterson says: I have slightly a different perspective on Shostack’s view on assets. The book goes into different views that launch the threat model, the approach advocated for in the book is […]

 

L'Academie Gawker

Via Poynter, we learn that the word “massive” has been banned on Gawker. We want to sound like regular adult human beings, not Buzzfeed writers or Reddit commenters,” new Gawker Editor Max Read says in a memo to the publication’s writers. Words like “epic,” “pwn” and “derp” are no longer welcome on the site. Read […]

 

Account Recovery Fail

“Please note that your password will be stored in clear text in our database which will allow us to send it back to you in case you lost it. Try avoid using the same password as accounts you may have in other systems.” — a security conference’s speaker website This is a silly pattern. At […]

 

Threat Modeling and Operations

One very important question that’s frequently asked is “what about threat modeling for operations?” I wanted to ensure that Threat Modeling: Designing for Security focused on both development and operations. To do that, I got help from Russ McRee. For those who don’t know Russ, he’s a SANS incident handler as well as a collegue […]

 

My Technical Editor: Chris Wysopal

When Wiley asked me about a technical editor for Threat Modeling: Designing for Security, I had a long list of requirements. I wanted someone who could consider the various scenarios where threat modeling is important, including software development and operations. I wanted someone who understood the topic deeply, and had the experience of teaching threat […]

 

Threat Modeling: Designing for Security

I am super-excited to announce that my new book, Threat Modeling: Designing for Security (Wiley, 2014) is now available wherever fine books are sold! The official description: If you’re a software developer, systems manager, or security professional, this book will show you how to use threat modeling in the security development lifecycle and the overall […]

 

Threat Modeling: Designing for Security

I am super-excited to announce that my new book, Threat Modeling: Designing for Security (Wiley, 2014) is now available wherever fine books are sold! The official description: If you’re a software developer, systems manager, or security professional, this book will show you how to use threat modeling in the security development lifecycle and the overall […]

 

On Bitcoin

There’s an absolutely fascinating interview with Adam Back: “Let’s Talk Bitcoin Adam Back interview.” For those of you who don’t know Adam, he created Hashcash, which is at the core of Bitcoin proof of work. Two elements I’d like to call attention to in particular are: First, there’s an interesting contrast between Adam’s opinions and […]

 

Adam’s Mailing List and Commitment Devices

Yesterday, I announced that I’ve set up a mailing list. You may have noticed an unusual feature to the announcement: a public commitment to it being low volume, with a defined penalty ($1,000 to charity) for each time I break the rule. You might even be wondering why I did that. In the New School, […]

 

Getting Ready for a Launch

I’m getting ready for to announce a new project that I’ve been working on for quite a while. As I get ready, I was talking to friends in PR and marketing, and they were shocked and appalled that I don’t have a mailing list. It was a little like telling people in security that you […]

 

Please vote for the social security blogger awards!

Alan Shimmy has the nominations for the 2014 Social Security bloggers award! New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame.

 

Please vote for the social security blogger awards!

Alan Shimmy has the nominations for the 2014 Social Security bloggers award! New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame. Now, I have no idea what it means that Emergent Chaos would represent the security industry. I’m hopeful […]

 

The Worst User Experience In Computer Security?

I’d like to nominate Xfinity’s “walled garden” for the worst user experience in computer security. For those not familiar, Xfinity has a “feature” called “Constant Guard” in which they monitor your internet for (I believe) DNS and IP connections for known botnet command and control services. When they think you have a bot, you see […]

 

Workshop on the Economics of Information Security (WEIS)

The 13th annual Workshop on the Economic of Information Security will be held at Penn State June 23-24, and the call for papers is now open. I’m on the program committee this year, and am looking forward to great submissions.

 

What's Copyright, Doc?

I blogged yesterday about all the new works that have entered the public domain as their copyright expired in the United States. If you missed it, that’s because exactly nothing entered the public domain yesterday. Read more — but only commentary, because there’s no newly free work — at “What Could Have Entered the Public […]

 

What to do for randomness today?

In light of recent news, such as “FreeBSD washing Intel-chip randomness” and “alleged NSA-RSA scheming,” what advice should we give engineers who want to use randomness in their designs? My advice for software engineers building things used to be to rely on the OS to get it right. That defers the problem to a small […]

 

Gavle Goat Goes Later This Year

The Gavle Goat has burned again, according to The Local.Se, and of course, it’s Twitter account (yet one more way in which real name policies inhibit natural behavior). Two quick comments. First, the goat survived longer this year than usual. Second, I think it illustrates something. I’m not sure what. But my yule would be […]

 

What Price Privacy, Paying For Apps edition

There’s a new study on what people would pay for privacy in apps. As reported by Techflash: A study by two University of Colorado Boulder economists, Scott Savage and Donald Waldman, found the average user would pay varying amounts for different kinds of privacy: $4.05 to conceal contact lists, $2.28 to keep their browser history […]

 

Like the birds…

Emergent Chaos has migrated.  It’s a long story, and perhaps better left untold.  Please let us know if you see issues with the new site.

 

What will the archaeologists think?

Over at the BBC, we read that the “home of Anakin Skywalker threatened by dune,” with awesome pictures: So my question is, what will archaeologists think in 1,000 years when they dig this up? How many careers will be wasted trying to link the bizarre architecture to some real culture? How many anthropologists will be […]

 

Academic job opening at Cambridge

At Light Blue Touchpaper, Ross Anderson says “We have a vacancy for a postdoc to work on the psychology of cybercrime and deception for two years from October.” I think this role has all sorts of fascinating potential, and wanted to help get the word out in my own small way.

 

Which and That

Can we just agree that “which” and “that” are pretty much interchangable? If you’re relying on a modern audience to be able to perceive the difference in meaning between restrictive and non-restrictive clauses, you’ve pretty much already lost. Which, as they say, makes a mockery of that rule. Alternately, “That, as they say, makes a […]

 

Small thoughts on Doug Engelbart

I just re-read “A few words on Doug Engelbart.” If you’ve been reading the news lately, you’re probably seen a headline like “Douglas C. Engelbart, Inventor of the Computer Mouse, Dies at 88,” or seen him referred to as the fellow who gave the “mother of all demos.” But as Bret Victor points out, to […]

 

Google Reader Going Away

Remarkably, some software that people host on your behalf, where you have no contract or just a contract of adhesion, can change at any time. This isn’t surprising to those who study economics, as all good New School readers try to do. However, this is a reminder/request that when you move, please resubscribe to New […]

 

Google Reader Going Away

Well, the world is full of chaos, some good and some bad, and today’s bad for those of you reading via Google Reader is that it’s going the way of Altavista (can you believe it was still around?) So as you migrate away, please consider including Emergent Chaos in your migration–we’ll have new content here […]

 
 

WordPress Update

I’ve updated to the latest WordPress for security fixes. Please let me know if you notice problems (blogname-at-gmail-com)

 

Privacy Enhancing Technologies Registration now open

The program for the 2013 Privacy Enhancing Technologies Symposium is up, and there’s a lot of fascinating looking papers and talks. If you’re interested, registration is also open. PETS is one of my favorite conferences of the year.

 

Replacing Flickr?

So Flickr has launched a new redesign, and it’s crowded, jumbled and slow. Now on Flickr with its overlays, its fade-ins and loads, it’s unmoving side and top bars, Flickr’s design takes center stage, elbowing aside the photos that I’m there to see. So I’m looking for a new community site where the photo I […]

 

Workshop on the Economics of Information Security

The next Workshop on the Economics of Information Security will be held June 11-12 at Georgetown University, Washington, D.C. Many of the papers look fascinating, including “On the Viability of Using Liability to Incentivise Internet Security”, “A Behavioral Investigation of the FlipIt Game”, and “Are They Actually Any Different? Comparing 3,422 Financial Institutions’ Privacy Practices.” […]

 

TrustZone and Security Usability

Cem Paya has a really thought-provoking set of blog posts on “TrustZone, TEE and the delusion of security indicators” (part 1, part 2“.) Cem makes the point that all the crypto and execution protection magic that ARM is building is limited by the question of what the human holding the phone thinks is going on. […]

 

3D-printed guns and the crypto wars

So there’s a working set of plans for the “Liberator.” It’s a working firearm you can print on a 3d printer. You can no longer get the files from the authors, whose site states: “DEFCAD files are being removed from public access at the request of the US Department of Defense Trade Controls. Until further […]

 

The Onion and Breach Disclosure

There’s an important and interesting new breach disclosure that came out yesterdau. It demonstrates leadership by clearly explaining what happened and offering up lessons learned. In particular: It shows the actual phishing emails It talks about how the attackers persisted their takeover by sending a fake “reset your password” email (more on this below) It […]

 

Security Lessons From Star Wars: Breach Response

To celebrate Star Wars Day, I want to talk about the central information security failure that drives Episode IV: the theft of the plans. First, we’re talking about really persistent threats. Not like this persistence, but the “many Bothans died to bring us this information” sort of persistence. Until members of Comment Crew are going […]

 

The Plateau Effect

The Plateau Effect is a powerful law of nature that affects everyone. Learn to identify plateaus and break through any stagnancy in your life— from diet and exercise, to work, to relationships. The Plateau Effect shows how athletes, scientists, therapists, companies, and musicians around the world are learning to break through their plateaus—to turn off […]

 

A Quintet of Facebook Privacy Stories

It’s common to hear that Facebook use means that privacy is over, or no longer matters. I think that perception is deeply wrong. It’s based in the superficial notion that people making different or perhaps surprising privacy tradeoffs are never aware of what they’re doing, or that they have no regrets. Some recent stories that […]

 

Weekend Photography

An amazing shot by Philipp Schmidli of a cyclist in front of the moon. PetaPixel explains the work involved in getting that shot in “Silhouettes in a Giant Moonrise, Captured Using a 1200mm Lens.” (Thanks to Bob Blakely). Also in the realm of impressive tool use is this: Orangutan from Borneo photographed using a spear […]

 

The Psychology of Password Managers

As I think more about the way people are likely to use a password manager, I think there’s real problems with the way master passwords are set up. As I write this, I’m deeply aware that I’m risking going into a space of “it’s logical that” without proper evidence. Let’s start from the way most […]

 

The Breach Trilogy: Assume, Confirm, Discuss

We’ve been hearing for several years that we should assume breach. Many people have taken this to heart (although today’s DBIR still says it’s still months to detect those breaches). I’d like to propose (predict?) that breach as a central concept will move through phases. Each of these phases will go through a hype cycle, […]

 

The best part of exploit kits

Following up on my post on exploit kit statistics (no data? really folks?), I wanted to share a bit of a head-shaker for a Friday with way too much serious stuff going on. Sometimes, researchers obscure all the information, such as this screenshot. I have no idea who these folks think they’re protecting by destroying […]

 

1Password & Hashcat

The folks at Hashcat have some interesting observations about 1Password. The folks at 1Password have a response, and I think there’s all sorts of fascinating lessons here. The crypto conversations are interesting, but at the end of the day, a lot of security is unavoidably contributed by the master password strength. I’d like to offer […]

 

Exploit Kit Statistics

On a fairly regular basis, I come across pages like this one from SANS, which contain fascinating information taken from exploit kit control panels: There’s all sorts of interesting numbers in that picture. For example, the success rate for owning XP machines (19.61%) is three times that of Windows 7. (As an aside, the XP […]

 

Celebrating 5 Years of New School: 40% off!

Thanks to Addison Wesley, who are offering 40% off the book. Apply code NEWSCHOOL40 to get your discounted copy. (You apply the code after proceeding to checkout.)

 

5 Years of New School

Five years ago Friday was the official publication date of The New School of Information Security. I want to take this opportunity to look back a little and look forward to the next few years. Five years ago, fear of a breach and its consequences was nearly universal, and few people thought anything but pain […]

 

I swear, I'm just looking at the articles!

Apparently, Playboy (possibly NSFW) has an app on iTunes. However, to get an app through the censors prudes “appropriate content” editors, there’s none of Playboy’s trademark nudes. There hasn’t been such good news for their writers since the braille edition. I’ll leave the jokes to you. It’s worth thinking about this as the sanitized future […]

 

Analyzing The Army's Accidental Test

According to Wired, “Army Practices Poor Data Hygiene on Its New Smartphones, Tablets.” And I think that’s awesome. No, really, not the ironic sort of awesome, but the awesome sort of awesome, because what the Army is doing is a large scale natural experiment in “does it matter?” Over the next n months, the Pentagon’s […]

 

AdaCamp: San Francisco June 8-9

(Posted for friends) AdaCamp is a conference dedicated to increasing women’s participation in open technology and culture: open source software, Wikipedia-related projects, open data, open geo, fan fiction, remix culture, and more. The conference will be held June 8 and 9th in San Francisco. There will be two tracks at the conference: one for people […]

 

Hacking Humans at BlackHat

Hacking humans is an important step in today’s exploitation chains. From “2011 Recruitment plan.xls” to instant messenger URL delivery at the start of Aurora, the human in the loop is being exploited just as much as the machine. In fact, with the right story, you might not even need an exploit at all. So I’m […]

 

Bicycling & Risk

While everyone else is talking about APT, I want to talk about risk thinking versus outcome thinking. I have a lot of colleagues who I respect who like to think about risk in some fascinating ways. For example, there’s the Risk Hose and SIRA folks. I’m inspired by To Encourage Biking, Cities Lose the Helmets: […]

 

MD5s, IPs and Ultra

So I was listening to the Shmoocon presentation on information sharing, and there was a great deal of discussion of how sharing too much information could reveal to an attacker that they’d been detected. I’ve discussed this problem a bit in “The High Price of the Silence of Cyberwar,” but wanted to talk more about […]

 

New School Thinking At Davos

This week I have experienced an echo of this pattern at the 2013 WEF meeting. But this time my unease does not revolve around any financial threats, but another issue – cyber security. … [The] crucial point is this: even if some companies are on top of the issue, others are not, and without more […]

 

The Death Star: An Inside Job?

Here’s a Friday Star Wars video for you. As Austin Hill tweeted, “Conspiracy revealed! 7 min video that will change the way you think about one of the important events of our lifetime”

 

On Cookie Blocking

It would not be surprising if an article like “Firefox Cookie-Block Is The First Step Toward A Better Tomorrow” was written by a privacy advocate. And it may well have been. But this privacy advocate is also a former chairman of the Internet Advertising Bureau. (For their current position, see “Randall Rothenberg’s Statement Opposing Mozilla’s […]

 

Paying for Privacy: Enterprise Breach Edition

We all know how companies don’t want to be named after a breach. Here’s a random question: how much is that worth to a CEO? What would a given organization be willing to pay to keep its name out of the press? (A-priori, with at best a prediction of how the press will react.) Please […]

 

Lunar Oribter Image Recovery Project

The Lunar Orbiter Image Recovery Project needs help to recover data from the Lunar Orbiter spacecraft. Frankly, it’s a bit of a disgrace that Congress funds, well, all sorts of things, over this element of our history, but that’s besides the point. Do I want to get angry, or do I want to see this […]

 

Army Calhamer to Heaven

Allan Calhamer, the inventor of the game Diplomacy, has passed away. The NYTimes has an obituary.

 

Gamifying Driving

…the new points system rates the driver’s ability to pilot the MINI with a sporty yet steady hand. Praise is given to particularly sprightly sprints, precise gear changes, controlled braking, smooth cornering and U-turns executed at well-judged speeds. For example, the system awards maximum Experience Points for upshifts carried out within the ideal rev range […]

 

Security Blogger Awards

The Security Bloggers Awards were this week at RSA! Congratulations to Naked Security (best corporate blog), Paul DotCom (best podcast), Krebs on Security (Most educational, best represents the security industry), J4VV4D’s blog (most entertaining), Andy Greenberg’s “Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)” and Jack […]

 

2013 PET Award for Outstanding Research in Privacy Enhancing Technologies

You are invited to submit nominations to the 2013 PET Award. The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Symposium (PETS). The PET Award carries a prize of 3000 […]

 

How to Ask Good Questions at RSA

So this week is RSA, and I wanted to offer up some advice on how to engage. I’ve already posted my “BlackHat Best Practices/Survival kit. First, if you want to ask great questions, pay attention. There are things more annoying than a question that was answered while the questioner was tweeting, but you still don’t […]

 

Is there "Room for Debate?" in Breach Disclosure?

The New York Times has a “Room for Debate” on “Should Companies Tell Us When They Get Hacked?” It currently has 4 entries, 3 of which are dramatically in favor of more disclosure. I’m personally fond of Lee Tien’s “ We Need Better Notification Laws.” My personal preference is of course (ahem) fascinating to you, […]

 

HIPAA's New Breach Rules

Law firm Proskauer has published a client alert that “HHS Issues HIPAA/HITECH Omnibus Final Rule Ushering in Significant Changes to Existing Regulations.” Most interesting to me was the breach notice section: Section 13402 of the HITECH Act requires covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery […]

 

New School Blog Attacked with 0day

We were hacked again. The vuln used was 0day, and has now been patched, thanks to David Mortman and Matt Johansen, and the theme has also been updated, thanks to Rodrigo Galindez. Since we believe in practicing the transparency we preach, I wanted to discuss what happened and some options we considered. Let me dispense […]

 

Guns, Homicides and Data

I came across a fascinating post at Jon Udell’s blog, “Homicide rates in context ,” which starts out with this graph of 2007 data: Jon’s post says more than I care to on this subject right now, and points out questions worth asking. As I said in my post on “Thoughts on the Tragedies of […]

 

Privacy, Facebook and Fatigue

Facebook’s new Graph search is a fascinating product, and I want to use it. (In fact, I wanted to use it way back when I wrote about “Single Serving Friend” in 2005.) Facebook’s Graph Search will incent Facebook users to “dress” themselves in better meta-data, so as to be properly represented in all those new […]

 

HHS & Breach Disclosure

There’s good analysis at “HHS breach investigations badly backlogged, leaving us in the dark” To say that I am frequently frustrated by HHS’s “breach tool” would be an understatement. Their reporting form and coding often makes it impossible to know – simply by looking at their entries – what type of breach occurred. Consider this […]

 

New York Times gets Pwned, Responds all New School

So there’s a New York Times front page story on how “Hackers in China Attacked The Times for Last 4 Months.” I just listened to the NPR story with Nicole Perlroth, who closed out saying: “Of course, no company wants to come forward and voluntarily say `hey we were hacked by China, here’s how it […]

 

Breach Analysis: Data Source biases

Bob Rudis has an fascinating and important post “Once More Into The [PRC Aggregated] Breaches.” In it, he delves into the various data sources that the Privacy Rights Clearinghouse is tracking. In doing so, he makes a strong case that data source matters, or as Obi-Wan said, “Luke, you’re going to find that many of […]

 

Happy Data Privacy Day! Go check out PrivacyFix

It’s Data Privacy Day, and there may be a profusion of platitudes. But I think what we need on data privacy day are more tools to let people take control of their privacy. One way to do that is to check your privacy settings. Of course, the way settings are arranged changes over time, and […]

 

Why the Star Wars Prequels Sucked

It is a truism that the Star Wars prequels sucked. (Elsewhere, I’ve commented that the franchise being sold to Disney means someone can finally tell the tragic story of Anakin Skywalker’s seduction by the dark side.) But the issue of exactly why they sucked is complex and layered, and most of us prefer not to […]

 

Privacy and Health Care

In my post on gun control and schools, I asserted that “I worry that reducing privacy around mental health care is going to deter people who need health care from getting it.” However, I didn’t offer up any evidence for that claim. So I’d like to follow up with some details from a report that […]

 

"Cyber" Insurance and an Opportunity

There’s a fascinating article on PropertyCasualty360 “ As Cyber Coverage Soars, Opportunity Clicks” (thanks to Jake Kouns and Chris Walsh for the pointer). I don’t have a huge amount to add, but wanted to draw attention to some excerpts that drew my attention: Parisi observes that pricing has also become more consistent over the past […]

 

Thoughts on the Tragedies of December 14th

I started this post on December 14th, and couldn’t finish it. I’m going to leave the opening as I wrote it then: By now, everyone has heard of the tragic school shooting in Connecticut. My heart goes out to everyone touched by the events. But this isn’t the first school shooting on a December 14th. […]

 

“The Phoenix Project” may be uncomfortable

The Phoenix Project as an important new novel, and it’s worth reading if you work in technology. As I read it, I was awfully uncomfortable with one of the characters, John. John is the information security officer in the company, and, to be frank, John does not come off well at the start of the […]

 

On Disclosure of Intrusion Events in a Cyberwar

[This guest article is by thegruq. I’ve taken the liberty of HTML-ifying it from his original, http://pastie.org/5673568.] On Disclosure of Intrusion Events in a Cyberwar The Nation State’s guide to STFU In a cyberwar (such as the ongoing events on the Internet), all actors are motivated to remain silent about incidents that they detect. However, […]

 

Giant Rubber Ducks

There’s a giant rubber duck in Sydney Harbor right now: It’s apparently by Florentijn Hofman, who does this sort of thing. My only other comment? Seattle, you’re doing it wrong. Where’s our rubber duckie? Via “Sydney Festival Launches Giant Rubber Duck in the Harbor“, Pedestrian TV. (I believe there’s a typo, and the duck is […]

 

The High Price of the Silence of Cyberwar

A little ways back, I was arguing [discussing cyberwar] with thegrugq, who said “[Cyberwar] by it’s very nature is defined by acts of espionage, where all sides are motivated to keep incidents secret.” I don’t agree that all sides are obviously motivated to keep incidents secret, and I think that it’s worth asking, is there […]

 

Negative temperatures?

Absolute zero is often thought to be the coldest temperature possible. But now researchers show they can achieve even lower temperatures for a strange realm of “negative temperatures.” Oddly, another way to look at these negative temperatures is to consider them hotter than infinity, researchers added. (“Atoms Reach Record Temperature, Colder than Absolute Zero“, Charles […]

 

New School Thinking at the European Union

I was pretty excited to see this: An EU official said the aim of the report was to get companies to be more open about cyber attacks and help them fend off such disruption. “We want to change the culture around cyber security from one where people are sometimes afraid or ashamed to admit a […]

 
 

Elevation of Privilege: Drawing Developers into Threat Modeling

In the holiday spirit I wanted to share an academic-style paper on the Elevation of Privilege Threat Modeling card game (EoP_Whitepaper.pdf) The paper describes the motivation, experience and lessons learned in creating the game. As we’ve shared the game at conferences, we’ve seen people’s eyes light up at the idea of a game. We think […]

 

Information Security Risk: A Conversation with CSO

Earlier this month, I spoke with Derek Slater: In early 2008, Adam Shostack and Andrew Stewart released the book The New School of Information Security. And they launched a blog in support of the book and its message. I wondered about how Shostack perceives the state of IT risk management now, and whether he thinks […]

 

The Gavle Goat's Gone!

Gävlebocken har brunnit: Webbkamerabilder visade hur bocken snabbt blev övertänd och totalförstördes innan brandkåren hann fram. Or you can check the webcam: http://www.merjuligavle.se/Bocken/Bockenkamera/

 

The Fog of Reporting on Cyberwar

There’s a fascinating set of claims in Foreign Affairs “The Fog of Cyberward“: Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of 124 active rivals — defined as the most conflict-prone pairs of states in the system […]

 

Usable Security: Timing of Information?

As I’ve read Kahneman’s “Thinking, Fast and Slow,” I’ve been thinking a lot about “what you see is all there is” and the difference between someone’s state of mind when they’re trying to decide on an action, and once they’ve selected and are executing a plan. I think that as you’re trying to figure out […]

 

Can Science Improvise?

My friend Raquell Holmes is doing some really interesting work at using improv to unlock creativity. There’s some really interesting ties between the use of games and the use of improv to get people to approach problems in a new light, and I’m bummed that I won’t be able to make this event: Monday Dec […]

 

Should I advertise on Twitter?

Apparently Twitter sent me some credits to use in their advertising program. Now, I really don’t like Twitter’s promoted tweets — I’d prefer to be the customer rather than the product. (That is, I’d like to be able to give Twitter money for an ad-free experience.) At the same time, I’m curious to see how […]

 

Infosec Lessons from Mario Batali's Kitchen

There was a story recently on NPR about kitchen waste, “No Simple Recipe For Weighing Food Waste At Mario Batali’s Lupa.” Now, normally, you’d think that a story on kitchen waste has nothing to do with information security, and you’d be right. But as I half listened to the story, I realized that it in […]

 

Hoff on AWS

Hoff’s blog post “Why Amazon Web Services (AWS) Is the Best Thing To Happen To Security & Why I Desperately Want It To Succeed” is great on a whole bunch of levels. If you haven’t read it, go do that. The first thing I appreciated is that he directly confronts the possibility of his own […]

 

The Gavle Goat is Getting Ready to Burn!

The Telegraph reports that the Gavle Goat for 2012 is up, and surrounded by guards, cameras, flame retardants, and arsonists. Emergent Chaos has reporters on the ground internet, ready to report on this holiday story of a town, a goat, and an international conspiracy of drunken arsonists. Stay tuned! This years goat is shown in […]

 

South Carolina

It’s easy to feel sympathy for the many folks impacted by the hacking of South Carolina’s Department of Revenue. With 3.6 million taxpayer social security numbers stolen, those people are the biggest victims, and I’ll come back to them. It’s also easy to feel sympathy for the folks in IT and IT management, all the […]

 

Control-Alt-Hack: Now available from Amazon!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]

 

Now Available: Control Alt Hack!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]

 

Email Security Myths

My buddy Curt Hopkins is writing about the Patraeus case, and asked: I wonder, in addition to ‘it’s safe if it’s in the draft folder,’ how many additional technically- and legally-useless bits of sympathetic magic that people regularly use in the belief that it will save them from intrusion or discovery, either based on the […]

 

The Questions Not Asked on Passwords

So there’s a pair of stories on choosing good passwords on the New York Times. The first is (as I write this) the most emailed story on the site, “How to Devise Passwords That Drive Hackers Away.” It quotes both Paul Kocher and Jeremiah Grossman, both of whom I respect. There’s also a follow-on story, […]

 

The "Human Action" argument is not even wrong

Several commenters on my post yesterday have put forth some form of the argument that hackers are humans, humans are unpredictable, and therefore, information security cannot have a Nate Silver. This is a distraction, as a moment’s reflection will show. Muggings, rapes and murders all depend on the actions of unpredictable humans, and we can, […]

 

Where is Information Security's Nate Silver?

So by now everyone knows that Nate Silver predicted 50 out of 50 states in the 2012 election. Michael Cosentino has a great picture: Actually, he was one of many quants who predicted what was going to happen via meta-analysis of the data that was available. So here’s my question. Who’s making testable predictions of […]

 

Effective training: Wombat's USBGuru

Many times when computers are compromised, the compromise is stealthy. Take a moment to compare that to being attacked by a lion. There, the failure to notice the lion is right there, in your face. Assuming you survive, you’re going to relive that experience, and think about what you can learn from it. But in […]

 

Bleg: Canon & Apple RAW processing

I’m having a camera issue that’s become more and more noticeable with recent software changes. The raw previews coming out of the camera appear substantially more exposed than when Aperture is finished processing them. The difference is hard to measure (there’s no easy undo for raw processing), but appears to be about a full stop […]

 

Published Data Empowers

There’s a story over at Bloomberg, “Experian Customers Unsafe as Hackers Steal Credit Report Data.” And much as I enjoy picking on the credit reporting agencies, what I really want to talk about is how the story came to light. The cyberthieves broke into an employee’s computer in September 2011 and stole the password for […]

 

9.5 Theses on the Power and Efficacy of Gamification

Sebastian Deterding’s Microsoft research talk is now online: “9.5 Theses on the Power and Efficacy of Gamification“. You may recall that this talk inspired me to blog about “Running a game at work.” It’s worth an hour if you’re interested in serious games, persuasive games, or playful design.

 

I wish we had their problems

Ben Goldacre talks about how physicians are only getting data on tests that come out positive: I look forward to the day when infosec standards are set based on some tests or evidence, and we have to fight to extract more data. The talk is here: here.

 

Compliance Lessons from Lance, Redux

Not too long ago, I blogged about “Compliance Lessons from Lance.” And now, there seems to be dramatic evidence of a massive program to fool the compliance system. For example: Team doctors would “provide false declarations of medical need” to use cortisone, a steroid. When Armstrong had a positive corticosteroid test during the 1999 Tour […]

 

TSA Approach to Threat Modeling, Part 3

It’s often said that the TSA’s approach to threat modeling is to just prevent yesterday’s threats. Well, on Friday it came out that: So, here you see my flight information for my United flight from PHX to EWR. It is my understanding that this is similar to digital boarding passes issued by all U.S. Airlines; […]

 

Big Tex Burns

Something about this story just grabs me. I want to hear him saying “I am the dread pirate Roberts! I am here, but soon you will not be here!” Also, I’m sad that he wasn’t in Galve-ston. Photo by GreyChr

 

Proof of Age in UK Pilot

There’s a really interesting article by Toby Stevens at Computer Weekly, “Proof of age comes of age:” It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint […]

 

Running a Game at Work

Friday, I had the pleasure of seeing Sebastian Deterding speak on ‘9.5 Theses About Gamification.’ I don’t want to blog his entire talk, but one of his theses relates to “playful reframing”, and I think it says a lot to how to run a game at work, or a game tournament at a conference. In […]

 

The Boy Who Cried Cyber Pearl Harbor

There is, yet again, someone in the news talking about a cyber Pearl Harbor. I wanted to offer a few points of perspective. First, on December 6th, 1941, the United States was at peace. There were worries about the future, but no belief that a major attack was imminent, and certainly not a sneak attack. […]

 

Reporting Mistakes

In “New System for Patients to Report Medical Mistakes” the New York Times reports: The Obama administration wants consumers to report medical mistakes and unsafe practices by doctors, hospitals, pharmacists and others who provide treatment. Hospitals say they are receptive to the idea, despite concerns about malpractice liability and possible financial penalties for poor performance. […]

 

Choice Point Screening

Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch“) I don’t want to minimize the issue here. Assuming the allegations are correct, the […]

 

Follow your passion?

Growing up, we were told by guidance counselors, career advice books, the news media and others to “follow our passion.” This advice assumes that we all have a pre-existing passion waiting to be discovered. If we have the courage to discover this calling and to match it to our livelihood, the thinking goes, we’ll end […]

 

Two Models of Career Planning

There’s a fascinating interview with Mark Templeton of Citrix in the New York Times. It closes with the question of advice he gives to business students: There are two strategies for your life and career. One is paint-by-numbers and the other is connect-the-dots. I think most people remember their aunt who brought them a gift […]

 

Have you Run an Elevation of Privilege Tournament?

I got an email recently me asking if I had experience running an Elevation of Privilege tournament. I haven’t, and wanted to ask if anyone out there has done so, please share your experiences and suggestions One element that I thought about is a scoring system to help with the tournament’s goals. For examples, you […]

 

Systems Not Sith: Organizational Lessons From Star Wars

In Star Wars, the Empire is presented as a monolith. Storm Troopers, TIE Fighters and even Star Destroyers are supposedly just indistinguishable cogs in a massive military machine, single-mindedly pursuing a common goal. This is, of course, a façade – like all humans, the soldiers and Officers of the Imperial Military will each have their […]

 

Base Rate & Infosec

At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. What really struck me about this talk was that about a week before, I had […]

 

Lessons from Facebook's Stock Slide

So as Facebook continues to trade at a little over half of their market capitalization of 3 months ago, I think we can learn a few very interesting things. My goal here is not to pick on Facebook, but rather to see what we can take away and perhaps apply elsewhere. I think there are […]

 

What can we learn from the social engineering contest?

I was struck by the lead of Kelly Jackson Higgins’ article on the Defcon Social Engineering Contest: Walmart was the toughest nut to crack in last year’s social engineering competition at the DefCon hacker conference in Las Vegas, but what a difference a year makes: this year, the mega retailer scored the worst among the […]

 

Compliance Lessons from Lance

Recently, Lance Armstrong decided to forgo arbitration in his fight against the USADA over allegations of his use of certain performance enhancing drugs. His statement is “Full text of Armstrong statement regarding USADA arbitration.” What I found interesting about the story is the contrast between what might be termed a “compliance” mindset and a “you’re […]

 

SOURCE Seattle

I’ll be at SOURCE Seattle this week. I’m really excited to be speaking on “Security Lessons from Star Wars” at 10AM today.

 

Smashing the Future for Fun and Profit

I’d meant to post this at BlackHat. I think it’s worth sharing, even a bit later on: I’m excited to have be a part of a discussion with others who spoke at the first Blackhat: Bruce Schneier, Marcus Ranum, Jeff Moss, and Jennifer Granick. We’ve been asked to think about what the future holds, and […]

 

The Very Model of An Amateur Grammarian

I am the very model of an amateur grammarian I have a little knowledge and I am authoritarian But I make no apology for being doctrinarian We must not plummet to the verbal depths of the barbarian I’d sooner break my heart in two than sunder an infinitive And I’d disown my closest family within […]

 

One more request for help

If someone could suggest a specific way to make the blog title image work to bring you to the home page, that’d be most appreciated. Update, I think I fixed most of it. Thanks in particular to commenter “M”, who got me on the path to the fix, removing the inline CSS that the theme […]

 

Theme breakage, help?

The blog header image is repeating because of something in the stylesheets. I can’t see where the bug is. If someone can help out, I’d be much obliged. Expanded to add: It appears that there’s a computed “repeat” on the bg img which is the header, but why that repeat is being computed is unclear […]

 

Emergent Chaos: Romney/Ryan for America!

We here at Emergent Chaos have long been frustrated with the Obama Administration. Their failure to close Guantanamo, their failure to prosecute war crimes including torture, their choice to murder American citizens (never mind without due process), their invocation of the state secrets privilege, their persecution of whistleblowers, their TSA running rampant, the list of […]

 

Don't Share, Publish

I’d like to offer up a thought with regards to the latest swirl of discussion around ‘information sharing’ in security: Don’t share, publish. I want to talk about this because more and more folks are starting to question the value of information sharing frameworks and forums. Andrew and I share that skepticism in The New […]

 

What story was that?

A friend is trying to track down a science fiction story in which the president had a death sentence at the end of their term. I know you’re all smart and good looking and at least one of you will know the exact author and title.

 

The Plural of Anecdote is Anecdotes

Over at Lexology.com, there’s a story which starts: Medical-data blackmail is becoming more common as more health care providers adopt electronic health records systems and store patient data digitally. (“Hackers demand ransom to keep medical records private“) The trouble with this opening sentence is that it has nothing to do with the story. It’s a […]

 

Regulations and Their Emergent Effects

There’s a fascinating story in the New York Times, “Profits on Carbon Credits Drive Output of a Harmful Gas“: [W]here the United Nations envisioned environmental reform, some manufacturers of gases used in air-conditioning and refrigeration saw a lucrative business opportunity. They quickly figured out that they could earn one carbon credit by eliminating one ton […]

 

New Species Discovered on Flickr

There’s a very cool story on NPR about “A New Species Discovered … On Flickr“. A entomologist was looking at some photos, and saw a bug he’d never seen. Check out the photographer’s site or Flickr pages. The paper is “A charismatic new species of green lacewing discovered in Malaysia (Neuroptera, Chrysopidae): the confluence of […]

 

Paul Ryan open thread

Oh, what the heck, it hasn’t been chaotic enough around here. So, I’ll give you a topic: Paul Ryan. Commentary from The Economist starts: IN THE polarised world of American politics, achieving bipartisan agreement on any topic is a rare feat nowadays. So perhaps it’s worth celebrating the fact that, had it been put to […]

 

The Problem With Pollution

National Geographic reports “Caffeinated Seas Found off U.S. Pacific Northwest.” The problem, of course, is salinity. They should totally be pumping that caffine into somewhere we can make good use of it.

 

Your career is over after a breach? Another Myth, Busted!

I’m a big fan of learning from our experiences around breaches. Claims like “your stock will fall”, or “your customers will flee” are shown to be false by statistical analysis, and I expect we’d see the same if we looked at people losing their jobs over breaches. (We could do this, for example, via LinkedIn […]

 

Fascinating Job at PayPal

Someone reached out to me about a job that looks really interesting: The Director of Security Experience, Education & Research (SEER) will be responsible for defining the customer-facing security strategy for PayPal , define product roadmaps to enhance feature security and usability, drive customer security best practices adoption throughout our industry, and drive customer security […]

 

An Argument Against Jargon

Lately I’ve been savoring Kahneman’s “Thinking, Fast and Slow”. Kahneman is one of the originators of behavioral economics and a Nobel prize winner. The book is tremendously thought provoking, insanely well written, jargon-minimizing, and just comes together beautifully. It’s a book where you struggle with the ideas and their implications, rather than struggle through the […]

 

My BlackHat Plans

I’ll be speaking twice at BlackHat. First on the “Smashing the Future” panel with Bruce Schneier, Marcus Ranum, Jeff Moss and Jennifer Granick (10AM Wednesday, main hall). My second talk is also on Wednesday, on a new game, Control-Alt-Hack. I’ve been helping Tamara Denning and Yoshi Kohno create Control-Alt-Hack, and we’ll be speaking Wednesday at […]

 

Aitel on Social Engineering

Yesterday, Dave Aitel wrote a fascinating article “Why you shouldn’t train employees for security awareness,” arguing that money spent on training employees about awareness is wasted. While I don’t agree with everything he wrote, I submit that your opinion on this (and mine) are irrelevant. The key question is “Is money spent on security awareness […]

 

Lives, Fortunes and Sacred Honor

Around the 4th of July, some smart, public minded folks put forth a “Declaration of Internet Freedom“. And while it’s good in a motherhood and apple pie sense of good, wholesome fun for the whole family, it lacks the punch and panache of the Declaration of Independence to which men pledged their lives, fortunes and […]

 

"Quartering large bodies of armed troops among us.."

So following up on our tradition of posting the Declaration of Independence from Great Britain on the 4th, I wanted to use one of those facts submitted to a candid world to comment on goings on in…Great Britain. There, the government has decided to place anti-aircraft missiles on the roof of a residential building near […]

 

The Evolution of Information Security

A little while back, a colleague at the NSA reached out to me for an article for their “Next Wave” journal, with a special topic of the science of information security. I’m pleased with the way the article and the entire issue came out, and so I’m glad that the NSA has decided to release […]

 

Taxpayers Stuck With Tab, but not in Seattle

In an article with absolutely no relevance for Seattle, the New York Times reports “With No Vote, Taxpayers Stuck With Tab on Bonds.” In another story to which Seattle residents should pay not attention, the city of Stockton is voting to declare bankruptcy, after risking taxpayer money on things like a … sports arena. Of […]

 

Will People Ever Pay for Privacy, Part XVI

Every now and then, a headline helps us see the answer to the question “Will people ever pay for Privacy?” Quoth the Paper of record: The seclusion may be the biggest selling point of the estate belonging to Robert Hurst, a former executive at Goldman Sachs, which was just listed by Debbie Loeffler of the […]

 

Breach Notification in France

Over at the Proskauer blog, Cecile Martin writes “Is data breach notification compulsory under French law?” On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive […]

 

Active Defense: Show me the Money!

Over the last few days, there’s been a lot of folks in my twitter feed talking about “active defense.” Since I can’t compress this into 140 characters, I wanted to comment quickly: show me the money. And if you can’t show me the money, show me the data. First, I’m unsure what’s actually meant by […]

 

Age and Perversity in Computer Security

I’ve observed a phenomenon in computer security: when you want something to be easy, it’s hard, and when you want the same thing to be hard, it’s easy. For example, hard drives fail at seemingly random, and it’s hard to recover data. When you want to destroy the data, it’s surprisingly hard. I call this […]

 

Future of Privacy Seeks Input

The Future of Privacy Forum (FPF) is an interesting mix of folks trying to help shape, well, the future of privacy. They have an interesting mix of academic and industry support, and a fair amount of influence. They’re inviting authors with an interest in privacy issues to submit papers to be considered for FPF’s third […]

 

In the Spirit of Feynman

Did you notice exactly how much of my post on Cloudflare was confirmation bias? Here, let me walk you through it. In our continuing series of disclosure doesn’t hurt, Continuing series are always dangerous, doubly so on blogs. I wanted to point out Cloudflare’s “Post Mortem: Today’s Attack; Apparent Google Apps/Gmail Vulnerability; and How to […]

 

Mozilla's Vegan BBQ

The fine folks at Mozilla have announced that they’ll be hosting a BBQ in Dallas to thank all their supporters. And the cool thing about that BBQ is it’s gonna be vegan by default. You know, vegan. No animal products. It’s good for you. It’s the right default. They’ll have dead cow burgers, but you’ll […]

 

Feynman on Cargo Cult Science

On Twitter, Phil Venables said “More new school thinking from the Feynman archives. Listen to this while thinking of InfoSec.” During the Middle Ages there were all kinds of crazy ideas, such as that a piece of rhinoceros horn would increase potency. Then a method was discovered for separating the ideas–which was to try one […]

 

Twitter Weekly Updates for 2012-06-10

RT @DeathStarPR Easy way to feel like Darth Vader: stand over a heap of dirty laundry and imagine you've just killed a Jedi. #StarWars # RT @runasand We have managed to determine exactly how Ethiopia blocks #Tor and we have developed a workaround: https://t.co/snTjeVbN # RT @derekcslater What I learned when I left security http://t.co/AexcK8NN […]

 

Edited Twitter Weekly Updates for 2012-06-10

RT @hellNbak_ @adamshostack @derekcslater anything with Scott Blake has to be worth reading. # RT @Beaker Updated BYOD security profile/policy pushed to my iPhone this morning. String passwords on phone unlock (really?) = PiTA. # Bad password policies give no benefit while absorbing your people's willingness to help with security. #Fail (cc @beaker) # RT […]

 
 

CloudFlare's Post Mortem

In our continuing series of disclosure doesn’t hurt, I wanted to point out Cloudflare’s “Post Mortem: Today’s Attack; Apparent Google Apps/Gmail Vulnerability; and How to Protect Yourself.” Go take a look, it’s worth reading, especially the updates. I take three lessons from this: Disclosing an attack allows you to control the story, and is better […]

 

Edited Twitter Weekly Updates for 2012-06-03

Cool Stuff RT @SPACEdotcom SPLASHDOWN! @SpaceX #Dragon Space Capsule Ends Historic Mission with Pacific Ocean Splash http://t.co/3H3J1cXz Cool! IE10 in Win8 Release Preview has "Do Not Track" on by default! http://t.co/HHZv8cBw #privacy # RT @gabrielgironda WE ENCOURAGED PEOPLE TO LEARN TO PROGRAM AND JUST LOOK AT WHAT HAPPENED http://t.co/IE9HeNt3 # New blog: "Washington State Frees […]

 

Washington State Frees Liquor Sales: some quick thoughts

I hate to let an increase in liberty go by without a little celebration. For the past 78 years, Washington State has had a set of (effectively) state-operated liquor stores, with identical pricing and inventory. Today, that system is gone, replaced by private liquor sales. The law was overturned by a ballot initiative, heavily backed […]

 

Twitter Weekly Updates for 2012-05-27

Congratulations to the Egyptian people for claiming the right to vote for their President! # The ACLU of WA is looking for a technology & liberty director http://t.co/sUAFuDq7 # Things that shod not surprise me: Koalas smell like eucalyptus. # Powered by Twitter Tools

 

Twitter Weekly Updates for 2012-05-20

RT @votescannell Mother of 3 Arrested for Taking Pictures of Tourist Attraction at Airport http://t.co/Id8TKH9r // I feel safer already. # Freedom gropes for all @seatac! /cc @tsastatus. # RT @ashk4n WiFi Pineapple lets anyone with $90 to "compromise the sh*t out of anyone using WiFi in the area" http://t.co/TnR3n56k #armsrace # Great question for […]

 

My AusCert Gala talk

At AusCert, I had the privilege to share a the gala dinner stage with LaserMan and Axis of Awesome, and talk about a few security lessons from Star Wars. I forgot to mention onstage that I’ve actually illustrated all eight of the Saltzer and Schroeder principles, and collected them up as a single page. That […]

 

Twitter Weekly Updates for 2012-05-13

RT @Ellen_CK It appears that putting a contest in one's internal newsletter leads to people actually reading it #SEingmycoworkers # RT @bfist I like my risk like I like my steak << with blue cheese sauce? # RT @451wendy "Q: How many of the Fortune 500 are hacked right now? A: 500." http://t.co/I090fJmp <- Lovely […]

 

Why Sharing Raw Data is Important

Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs. Issues like this are why it’s important to release data. It enables independent error checking, but also allows […]

 

What Kip Hawley Doesn't Understand About Terrorism

Former TSA Administrator Kip Hawley was on NPR a few minutes ago, opining on the 2nd panty bomber. He said two remarkable things. First, that the operators of nudatrons, who see thousands of naked people per day, would notice the bomb. Second, he didn’t understand why Al Qaeda would continue to focus on underwear bombs. […]

 

Twitter Weekly Updates for 2012-05-06

RT @netik You program in Rails? Check out Brakeman from our security team & make your code safer. http://t.co/nFPQ3cxx (go @presidentbeef!) # RT @KimZetter Equipment Maker Caught Installing Backdoor Vows to Fix After Public Pressure – http://t.co/EZfe7s27 # Pro tip: "Blackhat talks get lots of publicity" is not a reason *your* submission will make a […]

 

Study: More than 90% of Americans Take Action on Privacy

That’s my takeaway from a new study of 2,000 households by Consumer Reports: There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. […]

 

Please Kickstart Elevation of Privilege

Jan-Tilo Kirchhoff asked on Twitter for a printer (ideally in Germany) to print up some Elevation of Privilege card sets. Deb Richardson then suggested Kickstarter. I wanted to comment, but this doesn’t fit in a tweet, so I’ll do it here. I would be totally excited for someone to Kickstarter production of Elevation of Privilege. […]

 

When an interrupt is important

So it’s cool that this “S.M.A.R.T” stuff tells the computer when the hard drive is failing. The next step in user interface is to take the message out of /Applications/Utilities/Disk Utility and into an interruptive UI, so that I don’t discover this problem when I happen to get an extra drive for backup. I know […]

 

Toorcamp: Gender Issues, Cognitive Psychology and Hacking

So the announcement for Toorcamp is out, and it looks like an exciting few days. A few talks already announced look very new school, including “How you can be an ally to us females” by Danielle Hulton and Leigh Honeywell, and “Cognitive Psychology for Hackers.” It’s in the far northwester corner of the US, and […]

 

How to get my vote for the ACM Board

I’m concerned about issues of research being locked behind paywalls. The core of my reason is that research builds on other research, and wide availability helps science move forward. There’s also an issue that a great deal of science is funded by taxpayers, who are prevented from seeing their work. One of the organizations which […]

 

Twitter Weekly Updates for 2012-04-22

RT @calyxinstitute We've reached over $50,000 in donations and are 44 donors shy of breaking 1,000! Help us keep the momentum going. # RT @deviantollam "It's a sad day in America when you're driving down the road one of these pulls up next to you: http://t.co/1Ksxn5ja " # RT @markrussinovich Debunking of exaggerated cybercrime stats […]

 

Suck My Underground

Hey! Jam Jarr has a new album and its free today. They asked for a Facebook link, and since I can’t do that, I figured a blog was in the right spirit. So go check it out: Jam Jarr: Suck My Underground. It’s free. Why not take a listen? PS: When I say free, I […]

 

Dennis Fisher's Novel ("Motherless Children") is out

You probably know Dennis Fisher because of his writings on Threatpost or his Digital Underground podcast, where I’ve appeared several times. I wanted to help him spread the news that his first novel “Motherless Children” is now available. You should check it out. I’ll get my review done shortly, but I wanted to help spread […]

 

Calyx and the Market for Privacy

So there’s a new startup in town, The Calyx Institute, which is raising money to create a privacy-protecting ISP and phone company. I think that’s cool, and have kicked in a little cash, and I wanted to offer up some perspective on the market for privacy, having tried to do this before. From 1999 until […]

 

Twitter Weekly Updates for 2012-04-15

RT @bruces http://t.co/7BfPuW40 *TSA really keen on putting the electronics border-crunch on dissidents << Worse, add http://t.co/3qTkucub # RT @justintroutman @csoghoian If there's one thing that will identify the right privacy expert, it's the urinalysis and one-year probation. # I bet Facebook is going to start auto-sepia toning everyone's pictures as they age. # New […]

 

Fascinating Storyline around Instagram & Facebook

First, congratulations to the folks at Instagram, who built something that was so valuable to Facebook and managed to get a great exit. Me, I suspect that Facebook did it so they can gradually sepia-tone all your photos, but that’s not important right now. I was struck by the nature of this article by the […]

 

Checklists and Information Security

I’ve never been a fan of checklists. Too often, checklists replace thinking and consideration. In the book, Andrew and I wrote: CardSystems had the required security certification, but its security was compromised, so where did things goo wrong? Frameworks such as PCI are built around checklists. Checklists compress complex issues into a list of simple […]

 

Edited Twitter Weekly Updates for 2012-04-08

Things I said: Google continues to hobble their services, push accounts/wallet names, now w/ Scholar http://t.co/IIQ7xk15 (cc @rileycrane @tgoetz @skud) # In other words, why not create timelines for every scholar who's published? That would be organizing the worlds info & making it useful. # You need a Google account to get that citation history, […]

 

Chaos Emerges from Demanding Facebook Passwords

On the off chance that you’ve been hiding under a rock, there’s been a stack of news stories about organizations (both private and governmental) demanding people’s Facebook passwords as part of the process of applying for jobs, with much associated hand-wringing. In “I hereby Resign“, Raganwald discusses the downside to employers of demanding to look […]

 

Dear FBI, Who Lost $1Billion?

In a widely discussed op-ed, Richard Clarke wrote: It’s not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, who retired last Friday as the executive assistant director of the F.B.I. (and its lead agent on cybercrime), […]

 

How Harvey Mudd Brings Women into CS

Back in October, I posted on “Maria Klawe on increasing Women in Technology.” Now the New York Times has a story, “Giving Women The Access Code:” “Most of the female students were unwilling to go on in computer science because of the stereotypes they had grown up with,” said Zachary Dodds, a computer scientist at […]

 

Edited Twitter Weekly Updates for 2012-04-01

That’s what I said: Photographers should check out these awesome lens physics simulations from Stanford http://t.co/hlNrqQT3 # Good article by @elinormills "Why data breach isn't a dirty word anymore" http://t.co/JXtTOTbT # New blog with a TED talk, "Doctors Make Mistakes, can we talk about that?" http://t.co/c00zcvMr # .@RSAConference can we go so far as "highly […]

 
 

How to mess up your breach disclosure

Congratulations to Visa and Mastercard, the latest companies to not notify consumers in a prompt and clear manner, thus inspiring a shrug and a sigh from consumers. No, wait, there isn’t a clear statement, but there is rampant speculation and breathless commentary. It’s always nice to see clear reminders that the way to get people […]

 

Cool Optics Flash Applets

Photographers should check out Flash applets on some technical aspects of photography at Stanford. The apps help you understand things like “Variables that Affect Exposure” (the aperture/time/ISO tradeoffs) as well as how lenses work, create depth of field, or how a telephoto lens bends the light. Very cool.

 

Doctors Make Mistakes. Can we talk about that?

That’s the title of this TED Talk, “Doctors Make Mistakes. Can we talk about that?” When was the last time you heard somebody talk about failure after failure after failure? Oh yeah, you go to a cocktail party and you might hear about some other doctor, but you’re not going to hear somebody talking about […]

 

Edited Twitter Weekly Updates for 2012-03-25

I’m continuing to tweak in the hopes of balancing useful & overwhelming. This week I’m not only cutting down the chaos a bit, but adding the emergent categories. Also, my tweets precede the Re-Tweets. Comments welcome. Where can I send people new to infosec for security mentoring, confident that they'll get broad, data-centered advice? (#newschool) […]

 

Does 1Password Store Passwords Securely?

In ““Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?” Andrey Belenko and Dmitry Sklyarov write quite a bit about a lot of password management tools. This is admirable work, and I’m glad BlackHat provided a forum for it. However, as a user of 1Password, I was concerned to read the following about that […]

 

Edited Tweets for 2012-03-18

RT @curphey amazing how many serial entrepreneurs, visionaries & thought leaders in security are wanting to contract @ $75/hour # MT @GammaCounter Chinese spies impersonated US Navy admiral on Facebook, friended NATO officials: http://t.co/FFnpdJ9p via @adam_orbit # I really want @robinsage to RT this: Chinese spies impersonated US Navy admiral on Facebook, friended NATO officials: […]

 

Feelings! Nothing but feelings!

At BSides San Francisco, I met David Sparks, whose blog post on 25 security professionals admit their mistakes I commented on here. And in the department of putting my money where my mouth is, I talked him through the story on camera. The video is here: “Security Guru Tells Tale of How His Blog Became […]

 

Entice, Don't Scold

I really like what Adrian Lane had to say about the cars at RSA: I know several other bloggers have mentioned the exotic cars this year in vendor booths on the conference floor. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. […]

 

Kind of Copyrighted

This Week in Law is a fascinating podcast on technology law issues, although I’m way behind on listening. Recently, I was listening to Episode #124, and they had a discussion of Kind of Bloop, “An 8-Bit Tribute to Miles Davis’ Kind of Blue.” There was a lawsuit against artist Andy Baio, which he discusses in […]

 

Twitter Weekly Updates for 2012-03-11

Photo: "Barcelino Per Donna Welcomes RSA Conference 2012" somehow I perceive a mismatch http://t.co/qlKZIdId # RT @mikko Sony said that they lost Michael Jackson's entire unreleased back catalog in one of the 2011 breaches: http://t.co/KeYM9VyD # I sorta like this print, but I'm not sure I'd pay $12 Trillion for it. http://t.co/dzW8iEEl # RT @normative […]

 

Browser Privacy & Fingerprinting

Ivan Szekely writes in email: A team of young researchers – my colleagues – at the Budapest University of Technology and Economics developed a cross-browser fingerprinting system in order to demonstrate the weaknesses of the most popular browsers. Taking Panopticlick’s idea as a starting point, they developed a new, browser-independent fingerprinting algorithm and started to […]

 
 

How's that secrecy working out?

Last week at RSA, I was talking to some folks who have reasons to deeply understand a big and publicly discussed breach. I asked them why we didn’t know more about the breach, given that they’d been fairly publicly named and shamed. The story seems to be that after the initial (legal-department-driven) clampdown on talking, […]

 

Stop sinning with complaints about the coffee budget

Someone respected wrote on a private mailing list: “If you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.” — Richard Clarke, keynote address, RSA 2002 To which, verily I say: Doom! Doom! You commit the sin of false comparison! You have angered Furlongeous, […]

 

Twitter Weekly Updates for 2012-03-04

RT @tedfrank If you're having trouble getting Sudafed, here's how to make it with more readily available crystal meth. http://t.co/THaQZzov # RT @digiphile "Privacy breaches keep getting worse. Facebook admits reading txt msgs of users who installed phone app" http://t.co/v8CMM222 # RT @threatpost #Microsoft partners w/ Good Technology to bring encrypted email to Windows Phone. […]

 

Congratulations!

Our sincere congratulations to all the winners of the Social Security Blogger awards.

 

Twitter Weekly Updates for 2012-02-26

RT @internetlibre Twitter Censors Accounts Unfavorable To Nicolas Sarkozy http://t.co/wMGMuifY #netfreedom #internetlibre #sarkoCensure # RT @Dakami Pretty cool: @joncallas looked at all public keys signed by Entrust; none of them had reused RSA primes http://t.co/8JOsYQ9e # New blog: "It's a Lie: Seattle Taxpayers Will Pay for a Stadium" http://t.co/tkg3JxZi (cc @seattletimes) # Help Find the […]

 

Admitting Mistakes

Tripwire’s blog has “25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them.” I’m glad to see attention paid to the simple reality that we all make mistakes. Extra points to Bill Brenner, Pete Lindstrom, Andrew Hay, Chris Wysopal, Rob Ton and Larry Ponemon for being willing to talk about mistakes that had […]

 

"Anonymized, of course"

I’ve noticed a couple of times lately that as people discuss talking about security incidents, they don’t only default to the idea of anonymization, they often insert an “of course” after it. But today I want to talk about the phrase “anonymized, of course”, what it means, why people might say it, and how members […]

 

Help Find the People Who Killed Ulf Möller

The family of Ulf Möller are asking for help in finding the people who murdered him, and asking for help spreading the word: They have a web site with details in English, German, Polish and Lithuanian: The two men are described as slim, both about 1.75 m to 1.80 m tall, between 20 and 30 […]

 

It's a Lie: Seattle Taxpayers Will Pay for a Staduim

The Seattle Times carries a press release: “Arena plan as solid as it looks?” The intricate plan offered for an NBA and NHL arena in Sodo hinges on the untested strategy of building a city-owned, self-supporting arena, without the aid of new taxes, and with team owners — not taxpayers — obligated to absorb any […]

 

Twitter Weekly Updates for 2012-02-19

RT @csoghoian If Path-like apps that pilfered user contact data suffered a data breach, existing laws wouldn't require disclosure to users. # New quickie blog: Bismark's Voice http://t.co/zk01Biec # RT @paulmadsen Sharingfreude, n. – pleasure derived from inadvertent sharing of personal information on social media by friends & colleagues # .@dakami @jeremiahg @tqbf see also […]

 

New Cyber Security Bill: Crowdsource Analysis?

A lot of people I trust are suggesting that the “Collins-Lieberman” bill has a substantial chance of passing. I have some really interesting (and time-consuming) work tasks right now, and so I’m even more curious than usual what you all think, especially how this According to the press release, the “Collins-Lieberman” bill would: The Department […]

 

Predictably Apathetic responses to Cyber Attack

Wh1t3Rabbit has a great post “Understanding the apathetic response to a cyber attack:” Look, Dana’s right. His business is the organizing and promotion of the UFC fights. Secondary to that business is the merchandising and other aspects of the UFC – but that probably is a significantly smaller portion of the overall company revenue. Now […]

 

Bismark's Voice

Tucked away for decades in a cabinet in Thomas Edison’s laboratory, just behind the cot in which the great inventor napped, a trove of wax cylinder phonograph records has been brought back to life after more than a century of silence. The cylinders, from 1889 and 1890, include the only known recording of the voice […]

 

Twitter Weekly Updates for 2012-02-12

RT @tkeanini Overcoming the fear of disclosure http://t.co/DZdkeyNh << TK is spot on. Our fear blocks feedback loops. # MT @qld_oic ..empowering young people to establish good cyber safety behaviour #oicprivacycomp http://t.co/vkr3VZ3A [$1000 prize for video] # RT @mortman Yet More On Threat Modeling: A Mini-Rant http://t.co/ZPxVa9HE cc @adamshostack @alexhutton #newschool # RT @securityskeptic @mortman […]

 

Have You Seen The Little Piggies?

Apparently, the project manager who found a vendor for the Vermont State Police car decals failed to consider a few things. Such as the risk that prisoners might want to have a little fun at the expense of the police. You can see the fun if you study the image carefully here, or in a […]

 

Why Breach Disclosures are Expensive

Mr. Tripathi went to work assembling a crisis team of lawyers and customers and a chief security officer. They hired a private investigator to scour local pawnshops and Craigslist for the stolen laptop. The biggest headache, he says, was deciphering how much about the breach his nonprofit needed to disclose…Mr. Tripathi said he quickly discovered […]

 

On Threat Modeling

Alex recently asked for thoughts on Ian Grigg’s “Why Threat Modeling Fails in Practice.” I’m having trouble responding to Ian, and have come to think that how Ian frames the problem is part of my problem in responding to him. So, as another Adam likes to say, “

 

Twitter Weekly Updates for 2012-02-05

RT @Entropologist Passwords should be a mix of letters, numbers, special characters and longer than 8 characters… like "' or 1=1;–" # RT @ioerror Researchers taking a stand against Elsevier: http://t.co/TMZqj2E9 # RT @ashk4n Even experts are having a hard time differentiating between android malware & mobile ads these days http://t.co/t5qAQANP # Tinker, Tailor is […]

 

Dear Verisign: Trust requires Transparency

On their blog, Verisign made the following statement, which I’ll quote in full: As disclosed in an SEC filing in October 2011, parts of Verisign’s non-production corporate network were penetrated. After a thorough analysis of the attacks, Verisign stated in 2011, and reaffirms, that we do not believe that the operational integrity of the Domain […]

 

Time for an Award for Best Data?

Yesterday, DAn Kaminsky said “There should be a yearly award for Best Security Data, for the best collection and disbursement of hard data and cogent analysis in infosec.” I think it’s a fascinating idea, but think that a yearly award may be premature. However, what I think is sorta irrelevant, absent data. So I’m looking […]

 

More on Real Name Policies

There were a couple of excellent posts about Google+ which I wanted to link in, but the post took a different path: “Google+ and The Trouble With Tribbles” The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook […]

 

Sharing Research Data

I wanted to share an article from the November issue of the Public Library of Science, both because it’s interesting reading and because of what it tells us about the state of security research. The paper is “Willingness to Share Research Data Is Related to the Strength of the Evidence and the Quality of Reporting […]

 

Yes, Google+ Is a Failure

One of the most common bits of feedback about my post “Google+ Failed Because of Real Names” is that Google+ is now a huge service, and that the word failed is an exaggeration, or a trick of the rhetorician. Some folks might advise me to stop digging a hole, put down the shovel and walk […]

 

Twitter Weekly Updates for 2012-01-29

Vincent Brown (@politico_ie) should be given an uninterrupted hour with the ECB execs: https://t.co/SZYOtveo # RT @marciahofmann Supreme Court: government installation & use of a GPS device to monitor a vehicle's movements is a 4th Amendment search. # RT @normative RT @thinkprogress: BREAKING: Rand Paul is being detained by TSA in Nashville (via @moirabagley) < […]

 

Aviation Safety

The past 10 years have been the best in the country’s aviation history with 153 fatalities. That’s two deaths for every 100 million passengers on commercial flights, according to an Associated Press analysis of government accident data. The improvement is remarkable. Just a decade earlier, at the time the safest, passengers were 10 times as […]

 

Google+ Failed Because of Real Names

It’s now been a few months since the launch of Google+, and it’s now fairly clear that it’s not a mortal threat to Facebook, or even Orkut. I think it’s worth thinking a bit about why Google+ isn’t doing better, despite its many advantages. Obviously, Google wants to link Google+ profiles to things in the […]

 

Vendor shout out: Gourmet Depot

You know those random parts of kitchen appliances that break, and the manufacturer is no longer making, and so you buy a new one that breaks after 4 months? Yeah, you know what I’m talking about. Next time, look to Gourmet Depot and see if they have replacement parts. It was easy to find their […]

 

Kudos to Ponemon

In the past, we have has some decidedly critical words for the Ponemon Institute reports, such as “A critique of Ponemon Institute methodology for “churn”” or “Another critique of Ponemon’s method for estimating ‘cost of data breach’“. And to be honest, I’d become sufficiently frustrated that I’d focused my time on other things. So I’d […]

 

Twitter Weekly Updates for 2012-01-22

What's the best history of @Defcon Capture the Flag? (cc @rileycaezar @thedarktangent ) # RT @thedarktangent What's the best history of #DEFCON Capture the Flag? @adamshostack asks, & we need to update the site. Send your links! # RT @jccannon7 My sci fi book launches today. More info at http://t.co/bVd8mUSg # RT @mortman New posts: […]

 
 

Seattle in the Snow

(From The Oatmeal.) It’s widely understood that Seattle needs a better way to measure snowfall. However, what’s lacking is a solid proposal for how to measure snowfall around here. And so I have a proposal. We should create a new unit of measurement: The Nickels. Named after Greg Nickels, who lost the mayorship of Seattle […]

 

Ulf Muller

I am saddened to pass on the news that Ulf Müller, a colleague at Zero-Knowledge Systems, has died in tragic and violent circumstances. I remember Ulf as quiet, gentle, kind and am tremendously saddened by his loss. The most recent news story is “Computer-Experte in Transporter erschlagen“. Nils Kammenhuber of the Technical University of Munich […]

 

Twitter Weekly Updates for 2012-01-15

New blog: Shocking News of the Day: Social Security Numbers Suck http://t.co/VuMV3faO # RT @PogoWasRight Does *any* federal govt agency actually respond to FOI requests within 20 days? << Send GAO a FOIA with that question? 🙂 # RT @Digital4rensics On Computer Security Incident Information Sharing: http://t.co/GhGYOOjP – New Post Up! # New worst practice: […]

 

Please vote New School

We’re honored to be nominated in three categories for the Security Bloggers Awards: Most Educational Most Entertaining Hall of Fame On behalf of all of us who blog here, we’re honored by the nomination, and would like to ask for your vote. We’d also like to urge you to vote for our friends at Securosis […]

 

Please vote New School

We’re honored to be nominated in three categories for the Security Bloggers Awards: Most Educational Most Entertaining Hall of Fame On behalf of all of us who blog here, we’re honored by the nomination, and would like to ask for your vote. We’d also like to urge you to vote for our friends at Securosis […]

 

The New School of Software Engineering?

This is a great video about how much of software engineering runs on folk knowledge about how software is built: “Greg Wilson – What We Actually Know About Software Development, and Why We Believe It’s True” There’s a very strong New School tie here. We need to study what’s being done and how well it […]

 

Google+ is not a space for free expression

Earlier today I noticed something funny. My Google profile picture — the picture associated with my Gmail account, my GChat account, my Google+ account, etc — had vanished. A bug? Nope. It turns out, Google — without telling me — went into my account and deleted my profile picture. See “Dear Google+” for the details […]

 

New School Approaches to Passwords

Adam Montville left a comment on my post, “Paper: The Security of Password Expiration“, and I wanted to expand on his question: Passwords suck when they’re not properly cared for. We know this. Any other known form of authentication we have is difficult because of the infrastructure required to pull it off. That sucks too. […]

 

Shocking News of the Day: Social Security Numbers Suck

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over […]

 

Twitter Weekly Updates for 2012-01-08

RT @RegoftheDay Happy new year! 40,000 new laws take effect starting today. http://t.co/EOVyRya9 # RT @StevenLevy Always suspected those xray "backscatter" machines will kill more of us than terrorists will. Now this. http://t.co/ag2lFWWc # New podcast with @dgwbirch: http://t.co/HKeKOVyW # New short blog: "The irony overfloweth" http://t.co/6VsrF9JO # Wow. The Wikipedia article on Infosec certifications […]

 

Paper: The Security of Password Expiration

The security of modern password expiration: an algorithmic framework and empirical analysis, by Yingian Zhang, Fabian Monrose and Michael Reiter. (ACM DOI link) This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account’s […]

 

Steve Bellovin's "Lessons from Suppressing Research"

Steve Bellovin has a good deal of very useful analysis and context about “an experiment that showed that the avian flu strain A(H5N1) could be changed to permit direct ferret-to-ferret spread. While the problem the government is trying to solve is obvious, it’s far from clear that suppression is the right answer, especially in this […]

 

New podcast with Dave Birch

I really enjoyed a conversation with Dave Birch for Consult Hyperion’s “Tomorrow’s Transactions” podcast series. The episode is here. We covered the New School, lessons learned from Zero-Knowledge Systems, and games for security and privacy.

 

The Irony Overfloweth

@RobArnold tweeted: “Someone thinks targeted Facebook ads are an effective way to ask for Firefox features. Any other Mozillians see this?” The irony of using a targeted ad, on Facebook, to ask for more privacy protection…

 

Twitter Weekly Updates for 2012-01-01

RT @timoreilly Amazon patents inferring religion from choice of wrapping paper http://t.co/MmCMx2OO << Over the "creepy" line # RT @kevinmitnick Did you ever want a blue box to make free calls? Now you can in the Apple app store. Search for "blue box". EPIC!!! # I wonder what Woz thinks of being able to get […]

 

Cello Wars

For your holiday amusement: Thanks, Jeff!

 
 

Twitter Weekly Updates for 2011-12-25

Weekend NewSchool blog: "APT Didn't Eat our Theme. Adam Did." http://t.co/JDvLTayG (cc @RealGeneKim, @alexhutton ) # Really, TSA? The airline isn't allowed to auto-enter my freakin' date of birth? Has anyone calculated lifetimes wasted on red tape? # RT @BillBrenner70 Stop them before they predict again! http://t.co/7qzuTchU # I predict 90% of 2012 infosec predictions […]

 

The New School of Security Predictions

Bill Brenner started it with “Stop them before they predict again!:” My inbox has been getting hammered with 2012 vendor security predictions since Halloween. They all pretty much state the obvious: Mobile malware is gonna be a big deal Social networking will continue to be riddled with security holes Technologies A, B and C will […]

 

The Pre-K underground?

Not my headline, but the New York Times: Beyond the effort was the challenge of getting different families to work together. When matters as personal as education, values and children are at stake, intense emotions are sure to follow, whether the issue is snacks (organic or not?), paint (machine washable?) or what religious holidays, if […]

 

Owning Up to Pwnage (Part 2)

On Saturday, I discussed how “I bolluxed our blog theme.” “More to the point, we here at the New School talk a good game about how we need to talk about problems, rather than cover them up. So here’s our money where our mouths are. I, Adam Shostack, screwed up the blog presentation by not […]

 

Twitter Weekly Updates for 2011-12-18

RT @jeremiahg "HBGary not only didnt lose biz customers in the past year, but "got additional business" -Hoglund http://t.co/ap9pP39F # RT @bobblakley @Judgenap "Timid men prefer the calm of despotism to the tempestuous sea of liberty." Thomas Jefferson # Weekend blog "Threat Modeling & Risk Assessment" follows up on conversation with @451wendy http://t.co/iFCRCJW3 # RT […]

 

APT didn’t eat our theme. Adam did.

If you read this blog with a web-reader, you’ll note our (ahem) excellent new theme, and may be saying, wow, guys, “nice job” Yeah. Ooops. I upgraded to WordPress 3.3, and upgraded our theme, and in so doing, overwrote some of the CSS that Alex had tweaked. I didn’t test, and so things were wonky. […]

 

ThreatPost Podcast with Adam Shostack

Last week I did a podcast with Dennis Fisher. In it, we touched on what I might change in the book. Take a listen at: “Adam Shostack on Methods of Compromise, the New School and Learning“

 

Outrage of the Day: DHS Takes Blog Offline for a year

Imagine if the US government, with no notice or warning, raided a small but popular magazine’s offices over a Thanksgiving weekend, seized the company’s printing presses, and told the world that the magazine was a criminal enterprise with a giant banner on their building. Then imagine that it never arrested anyone, never let a trial […]

 

The output of a threat modeling session, or the creature from the bug lagoon

Wendy Nather has continued the twitter conversation which is now a set of blog posts. (My comments are threat modeling and risk assessment, and hers: “That’s not a bug, it’s a creature. “) I think we agree on most things, but I sense a little semantic disconnect in some things that he says: The only […]

 

Top 5 Security Influencers of 2011

I really like Gunnar Peterson’s post on “Top 5 Security Influencers:” Its December and so its the season for lists. Here is my list of Top 5 Security Influencers, this is the list with the people who have the biggest (good and/or bad) influence on your company and user’s security: My list is slightly different: […]

 

"Can copyright help privacy?"

There are semi-regular suggestions to allow people to copyright facts about themselves as a way to fix privacy problems. At Prawfsblog, Brooklyn Law School Associate Professor Derek Bambauer responds in “Copyright and your face.” Key quote: One proposal raised was to provide people with copyright in their faceprints or facial features. This idea has two […]

 

Twitter Weekly Updates for 2011-12-11

RT @daveaitel Tests Show Most Store Honey Isn't Honey http://t.co/2oI3O6RK << Will anyone go to jail for fraud? # RT @jdp23 Look at the list of the FTC complaints — huge issues. And basically no consequnces to FB. So why should they change? #privchat # RT @threatpost $56 Billion Later and Airport #Security Is Still […]

 

Threat Modeling and Risk Assessment

Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully. So first, what was said: (Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability […]

 

Outrage of the Day: Police Violence

When the LAPD finally began arresting those of us interlocked around the symbolic tent, we were all ordered by the LAPD to unlink from each other (in order to facilitate the arrests). Each seated, nonviolent protester beside me who refused to cooperate by unlinking his arms had the following done to him: an LAPD officer […]

 

Podtrac.com and Listener Privacy

It turns out that it’s very hard to subscribe to many podcasts without talking to Podtrac.com servers. (Technical details in the full post, below.) So I took a look at their privacy statement: Podtrac provides free services to podcasters whereby Podtrac gathers data specific to individual podcasts (e.g. audience survey data, content ratings, measurement data, […]

 

Twitter Weekly Updates for 2011-12-04

New School blog "'Its Time to Learn Like Experts' by @jayjacobs" http://t.co/lnXTqyp8 # RT @dmolnar Help me shop for furniture http://t.co/rXxLrB4O # RT @moxie__ WhisperSystems has been acquired! http://t.co/M5i1g6D0 < Congratulations! I hope it leads to great things for Twitter privacy # RT @tsastatus A few new features, and a bunch of status updates, at […]

 

Gävle Goat Gambit Goes Astray

It’s a bit of a Christmas tradition here at Emergent Chaos to keep you informed about the Gävle Goat. Ok, technically, our traditions seem hit and miss, but whaddaya want from a site with Chaos in the name? You want precision, read a project management blog. Project management blogs probably set calendar reminders to kick […]

 

Paper: "The Future of Work is Play"

My colleague Ross Smith has just presented an important new paper, “The Future of Work is Play” at the IEEE International Games Innovation Conference. There’s a couple of very useful lessons in this paper. One is the title, and the mega-trends driving games into the workplace. Another is Ross’s lessons of when games work: Over […]

 

Big Brother Watch report on breaches

Over at the Office of Inadequate Security, Dissent says everything you need to know about a new report from the UK’s Big Brother Watch: Extrapolating from what we have seen in this country, what the ICO learns about is clearly only the tip of the iceberg there. I view the numbers in the BBW report […]

 

We Robot: The Conference

This looks like it has the potential to be a very interesting event: The University of Miami School of Law seeks submissions for “We Robot” – an inaugural conference on legal and policy issues relating to robotics to be held in Coral Gables, Florida on April 21 & 22, 2012. We invite contributions by academics, […]

 

Telephones and privacy

Three stories, related by the telephone, and their impact on privacy: CNN reports that your cell phone is being tracked in malls: Starting on Black Friday and running through New Year’s Day, two U.S. malls — Promenade Temecula in southern California and Short Pump Town Center in Richmond, Va. — will track guests’ movements by […]

 

"It's Time to Learn Like Experts" by Jay Jacobs

I want to call attention to a new, important and short article by Jay Jacobs. This article is a call to action to break the reliance on unvalidated expert opinions by raising awareness of our decision environment and the development of context-specific feedback loops. Everyone in the New School is a fan of feedback loops […]

 

Twitter Weekly Updates for 2011-11-27

MT @attractr Bejtlich: SEC Guidance Emphasizes Materiality for disclosing sec incidents: "new audience: shareholders" http://t.co/mlMts2Wd # RT @doctorow Just got to Occupy New School http://t.co/VjfVhFcN << I think Cory means something other than I would mean by this statement 🙂 # NYTimes reports man bites dog, I mean "Screening Still a Pain at Airports, Fliers […]

 

Relentless navel gazing, part MCXII

Two changes here at Emergent Chaos this weekend: first, a new, variable width theme which is a little tighter, so there’s more on a screen. Second, I’ve moved the twitter summary to weekly, as comments were running about 50-50 on the post asking for opinion. I think that may be a better balance. And a […]

 

What's Wrong and What To Do About It?

Let me start with an extended quote from “Why I Feel Bad for the Pepper-Spraying Policeman, Lt. John Pike“: They are described in one July 2011 paper by sociologist Patrick Gillham called, “Securitizing America.” During the 1960s, police used what was called “escalated force” to stop protesters. “Police sought to maintain law and order often […]

 

Twitter Updates from Adam, 2011-11-25

RT @marciahofmann Carrier IQ backpedals on bogus legal threat, apologizes to security researcher. http://t.co/yY5o6JJk < Nice work Marcia! # Powered by Twitter Tools

 

Twitter Updates from Adam, 2011-11-24

RT @risktical #riskhose pocast, Episode 14 http://t.co/5hF9YKlZ @adamshostack & 'feedback loops' – great content! @jayjacobs @alexhutton # New "blog" points to Risk Hose podcast #14 with me, @alexhutton, @risktical @jayjacobs http://t.co/8zaBLD8x # RT @CYBERLAWRADIO About to go live on CLBR with CMU Proff @lorrietweet on Why Johnny Can't Opt Out – on webmasterradio.fm # RT […]

 

Risk Hose Podcast #14 with Adam and Alex

I’m on episode 14 of the Risk Hose podcast, with co-blogger Alex. Chris, Jay and Alex are joined by Adam Shostack and we dig into the topic of feedback loops within Information Security. You should check it out! Episode 14: Feedback Loops

 

Twitter Updates from Adam, 2011-11-23

NYTimes reports man bites dog, I mean "Screening Still a Pain at Airports, Fliers Say" http://t.co/vlPAH1n0 # New School blog post, "AT&T Hack Attempt" I'm looking for polling software http://t.co/d4YooBv9 # I missed a great opportunity in a recent podcast to say "controls implemented in a way that makes both auditors & attackers happy" # […]

 

AT&T Hack Attempt

First, good on AT&T for telling people that there’s been an attempt to hack their account. (My copy of the letter that was sent is after the break.) I’m curious what we can learn by discussing the attack. An AT&T spokesperson told Fox News that “Fewer than 1 percent of customers were targeted.” I’m currently […]

 

Twitter Updates from Adam, 2011-11-22

RT @doctorow Just got to Occupy New School http://t.co/VjfVhFcN << I think Cory means something other than I would mean by this statement 🙂 # Powered by Twitter Tools

 

Twitter Updates from Adam, 2011-11-21

MT @attractr Bejtlich: SEC Guidance Emphasizes Materiality for disclosing sec incidents: "new audience: shareholders" http://t.co/mlMts2Wd # Powered by Twitter Tools

 

Twitter Updates from Adam, 2011-11-20

New School blog post "Privacy is Security, Part LXII: The Steakhouse" http://t.co/cEjWix7N # MT @_nomap More on [obvious] Saudi airport fingerprint fail. It was mostly immigrant workers stranded for 12 hours. http://t.co/g3ih69Sk # MT @dgwbirch Heard on BBC that poor people use cash, end up paying up to £185 per annum more for utilities << […]

 

Privacy is Security, Part LXII: The Steakhouse

But in the last year and a half, at least 50 diners at restaurants like the Capital Grille, Smith & Wollensky, JoJo and Wolfgang’s Steakhouse ended up paying for more than just a fine piece of meat. Their card information — and, in effect, their identities [sic] — had been stolen by waiters in a […]

 

Twitter Updates from Adam, 2011-11-19

RT @alexhutton @adamshostack @bobblakley @threatpost I thought blogging was dead? << apparently! # RT @dostlund: NYPD has sidewalk checkpoints requiring ID to pass down Broadway. Iranian-born co-worker said "they used to do that in Tehran" # New Blog: Emergent Chaos endorses @wimremes for ISC(2) Board http://t.co/oAWTljcC # This post by Steve Bellovin reminded me of […]

 
 

Emergent Chaos endorses Wim Remes for ISC(2) Board

Today, we are sticking our noses in a place about which we know fairly little: the ISC(2) elections. We’re endorsing a guy we don’t know, Wim Remes, to shake stuff up. Because, really, we ought to care about the biggest and oldest certification in security, but hey, we don’t. And really, that’s a bit of […]

 

Twitter Updates from Adam, 2011-11-18

MT @ashk4n Most [Android?] Phones Ship w/ CarrierIQ "Rootkit" that allows carrier to keylog & record browser history http://t.co/90vYRCHR # MT @bobblakley @threatpost Orgs that ban social networks on company PCs ++more likely to be hacked http://t.co/z7oy4rYF http://t.co/9iIb4BBg # New School blog, "Block Social Media, Get Pwned" http://t.co/dWzuCyzz quick comments on @TELUSBusiness report. (Thanks @bobblakley!) […]

 

Block Social Media, Get Pwned

At least, that’s the conclusion of a study from Telus and Rotman. (You might need this link instead) A report in IT security issued jointly by Telus and the Rotman School of Management surveyed 649 firms and found companies that ban employees from using social media suffer 30 percent more computer security breaches than ones […]

 

Twitter Updates from Adam, 2011-11-17

RT @timoreilly TSA Puts Off Safety Study of X-ray Body Scanners http://t.co/GO4uHLN0 Meanwhile, Europe has banned them http://t.co/rmK3ZSTc # Powered by Twitter Tools

 

And there may be many others but they haven't been discovered

Three newly discovered elements were given names on Friday by the General Assembly of the International Union of Pure and Applied Physics at a meeting in London. They are Darmstadtium, or Ds, which has 110 protons in its nucleus and was named after the town in which it was discovered; Roentgenium, or Rg, with 111 […]

 

Twitter Updates from Adam, 2011-11-16

New School blog post "Breach disclosure and Moxie’s Convergence" http://t.co/mu5iLU2n (cc @moxie__ ) # New School blog post "Breach disclosure and Moxie’s Convergence" http://t.co/mu5iLU2n # Powered by Twitter Tools

 

Breach disclosure and Moxie's Convergence

Two weeks ago I finally got a chance to see Moxie’s Convergence/Trust Agility talk in person. (Since this was at work, let me just re-iterate that this blog is my personal opinions about what I saw.) It’s very good stuff, and Moxie and I had a good side chat about enhancing the usability of Convergence […]

 

Twitter Updates from Adam, 2011-11-15

RT @exiledsurfer @KforKallisti: Dan Siegel, Mayor Jean Quan's legal adviser quits over #OccupyOakland police raid http://t.co/c5brsq5u #ows # MT @mikko Somebody forgot a vacuum cleaner in a Swedish nuke plant, causing $267M in damages: http://t.co/kLRbV90h << someone tell stuxnet! # RT @dgwbirch was it a Freeman Dyson? (retires to cheers for making first ever physicist/vacuum […]

 

Twitter Updates from Adam, 2011-11-14

RT @WC2A_2AE Indian Communist Party General Sectry 'Let's fingerprint all Americans entering the country, like Brazil' http://t.co/GRBoQfYC # Powered by Twitter Tools

 

Twitter Updates from Adam, 2011-11-12

Nice of Apple to fix CVE-2011-0997, published in April (http://t.co/kOh6kTvs) # RT @jeremiahg "Steam Web sites hacked, gamer data exposed" http://t.co/daqkExWj < anyone see an attack vector? << Probably social eng 🙂 # RT @josephmenn @daveweigel The winner. RT @KagroX: Why didn't we just make 10/10/10 louder? # RT @WC2A_2AE Anyone interested in border security […]

 

Twitter Tools? Feedback please

So about a month ago, I started flowing my tweets over here. I’d love your thoughts on if it’s helpful, hurtful, or you just ignore it in your reader. [Update: currently arguments run 3:2 against continuing Twitter in the main feed. More (and civil) debate is invited.]

 

Twitter Updates from Adam, 2011-11-11

MT @normative How Far Will the Government Go in Collecting and Storing Data about us? New FBI Documents Shed Light http://t.co/zylCo3ES # RT @tqbf If the infosec community was a real influencer in crypto, we'd all be using Twofish instead of AES because of http://t.co/e21kDcwM # .@tqbf has the crypto or vuln community given us […]

 

Twitter Updates from Adam, 2011-11-10

MT @samablog More States Accept [fail to arrest?] TSA VIPR Teams at Transportation Hubs http://t.co/h3wdaQ3N via @zite # Are others seeing ICMP timeouts for http://t.co/y2uU0Qvt? /cc @moxie__ # RT @arj: @chenxiwang busts out her dog-eared copy of the Orange Book … < I've never seen a dog-eared copy of the Orange Book! # RT @dakami […]

 

Twitter Updates from Adam, 2011-11-09

RT @Fiona: Go watch The Muppets hang out on Google+. Me: Thank you: http://t.co/HacZWzBA << Is "Cookie Monster" an approved name? # RT @Jim_Harper When I describe @Cato's argument–"reasonable expectation of #privacy quot; FAIL–lawyers steeped in doctrine get confused. #Jones # New blog: "Slow thoughts on Occupy Seattle" http://t.co/13RTo5NE # RT @csoghoian Jones oral argument […]

 

Slow Thoughts on Occupy Seattle

I headed down to Occupy Seattle before a recent vacation, and have been mulling a bit on what I saw, because the lack of a coherent message or leadership or press make it easy to project our own opinions or simply mis-understand what the “Occupy” protests mean, and I wanted to avoid making that mistake. […]

 

Twitter Updates from Adam, 2011-11-08

New blog: "Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)" http://t.co/yXdAPMqv # New School blog: "Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)" http://t.co/yXdAPMqv # Powered by Twitter Tools

 

Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)

So Verizon has recently released their 2011 DBIR. Or perhaps more accurately, I’ve managed to pop enough documents off my stack that my scribbled-on notes are at the top, and I wanted to share some with you. A lot have gone to the authors, in the spirit of questions only they can answer. Here, I […]

 

Twitter Updates from Adam, 2011-11-07

RT @moxie__ Sarah's reflections on solitary confinement: http://t.co/z46aZjgM # RT @marcan42 RSA keys generated by Ruby didn't actually encrypt anything (e=1). "Oops". http://t.co/9vYNFVlI << I Ruby-encrypted this tweet # RT @ioerror We demand a vapid, condescending, meaningless, politically safe response to this petition: http://t.co/ndtf8tI4 # RT @bratling @mrkoot @adamshostack @ioerror Broken URL, not site. Here's […]

 

Twitter Updates from Adam, 2011-11-06

RT @k8em0 Thanks to speakers, attendees, organizers & volunteers for a fantastic & memorable #bluehat ! # RT @bengoldacre I'm leaving journalism for 6 months. Here's what I've learnt from writing about nonsense for 8 years http://t.co/GZlDnQ18 # RT @AdasBooks Book signing with @johncsh tomorrow at 1pm! http://t.co/pHqhbTv3 # RT @normative Profoundly depressed this is […]

 

Twitter Updates from Adam, 2011-11-05

RT @StephieShaver They say there's no rest for the wicked but at least there's espresso! FridayWHAT? << friday at BlueHat! # RT @Beaker: Congrats to @mortman on joining @enstratus! First @jamesurquhart then @botchagalupe and now Dave! All good friends together # As I watch @moxie__ give his trust talk at BlueHat, I realize how valuable […]

 

Twitter Updates from Adam, 2011-11-04

RT @at1as: Instead of useless Presidential Debates, how about a #wargame where we get to see how candidates respond to crisis situations? # RT @wikidsystems @adamshostack @at1as Kobayashi Maru! << Cyberyashi Maru! # Getting ready to give my #BlueHat talk on "How Computers Are Compromised." # Oooh, @jeremiahg wants us to play a game at […]

 

Twitter Updates from Adam, 2011-11-03

MT @samablog TSA Ignored Cancer Risks from TSA Scanners http://t.co/r72RAw2d via @zite # RT @k8em0 This year's #bluehat should be exciting, check out the lineup – http://t.co/Ee1LoHVK # RT @k8em0 #bluehat is on! Andrew Cushman reflects on past and future threats. http://t.co/w0GpjTQC # What do the comments from ISS World(http://t.co/51Z5ULNQ) mean for surveillance law in […]

 

Twitter Updates from Adam, 2011-11-02

RT @ioerror IEEE Global Humanitarian Technology Conference in Seattle http://t.co/VefGa4yy < Looks very exciting, wish I'd known sooner # Follow @ioerror for reporting of Patrick Ball, @alexvans for London Cyber-security event # New blog because my main email is down: "Email chaos: How to reach Adam Shostack" http://t.co/to9lKHKK # RT @GamingPrivacy reflecting on game design […]

 

Email chaos: How to reach Adam Shostack

The servers that host my personal email have been taken offline by a surprise attack by the evil forces of snow and ice, and my email is likely to start bouncing soon. If you need to reach me, you can use nameofthisblog @ google, or first.last @ microsoft. You can also ask me to follow […]

 

Twitter Updates from Adam, 2011-11-01

Short blog: "McWrap Chevre" http://t.co/K1LkXnFU # RT @lorrietweet Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising http://t.co/5DDWfhVd # My personal email server is down because of the snow on the east coast. # RT @STRATFOR If #Anonymous does #OpCartel it will almost certainly lead to deaths for members: […]

 

McWrap Chevre

Normally, I like the overlap of cultures, the boundaries of exploration and what comes from that exploration. But this three-way Frankenstien’s combination of French cheese, wraps (not sure where to attribute those–I think the US version is mostly from burritos, but there’s also Arabic pita wraps) and American is somehow best posted on Halloween:

 

Twitter Updates from Adam, 2011-10-31

RT @alexhutton Seriously? DHS doesn't *do* threat modeling? My rage is like a 1000 TSA exposed to cancer causing back scatter devices. # RT @ACLU FBI issued 143,074 National Security Letters '03-05 & reported 0 terrorism prosecutions as a result. Zilch. http://t.co/JM8FBFyf # RT @EthanZ Background on @alaa's detention for refusal to accept legitimacy of […]

 

Twitter Updates from Adam, 2011-10-30

"Plankytronixx" has a nice blog post on Elevation of Privilege at http://t.co/CFFrWAfF # RT @mattblaze Attention NYPD sign makers: "Just following orders" is not a great slogan. http://t.co/LHBOvQ8f # I'd missed @BillBrenner70 on Security Horror Show http://t.co/5nS0KHOH What can we do to stop the madness? # RT @AudryT Police confirmed: Pepper spray & rubber bullets […]

 
 

Twitter Updates from Adam, 2011-10-28

RT @dgwbirch I'm sure talks will be fun, but am looking forward to playing the new version of "Privacy" the card game http://t.co/PZGcFf9l # I accidentally clicked allow Firefox to share my location. Where the hell is the undo and why isn't it in privacy preferences? # ("Location" doesn't bring up anything in help) # […]

 

Twitter Updates from Adam, 2011-10-27

RT @PogoWasRight Congressman: Secret Report On #TSA Pat Downs, Body Scanner Failures Will “Knock Your Socks Off” http://t.co/pjFmd0Zz # RT @peterhoneyman i fly DTW where they are testing chat down. i opt out and clam up. they get all dour and nasty. # RT @e3i5: Every picture ULed to Facebook is examined for possible matches […]

 

Twitter Updates from Adam, 2011-10-26

RT @georgevhulme RT @msksecurity: The Dark Side Of Biometrics: 9 Million Israelis' Hacked Info Hits The Web http://t.co/817TMklU # Actually, @danphilpott, the best line is "Crews determined the land mines were benign and removed them from the bag." http://t.co/KobPO94k # RT @k8em0 This year's #bluehat should be exciting, check out the lineup – http://t.co/Ee1LoHVK # […]

 

DLNA Servers for the Mac

Very short version: Finding a DLNA player that supported the Mac and my new Oppo player was time consuming. Twonky is ok, but I would like something prettier, more reliable, and reasonably secure. I wanted to blog my experience in case it helps other folks. Also, as I posted this, I came across Ed Bott’s […]

 

Twitter Updates from Adam, 2011-10-25

New School blog: "Maria Klawe on increasing Women in Technology" http://t.co/NDugVafW # RT @Jim_Harper How Much Homeland Security is Enough? Live now at: http://t.co/XtUXmzp1 << Right question is "how much is too much?" 🙂 # RT @TheOnion American Voices: Should bikers have to register their trips with the government? Tell us #whatdoyouthink http://t.co/1NbLi5Rb # RT […]

 

Maria Klawe on increasing Women in Technology

I talk a lot about the importance of data in enabling us to bring the scientific method to bear on information security. There’s a reason for that: more data will let us know the falsehoods, and knowing the falsehoods will set us free. But discovering what claims don’t stand up to scrutiny is a matter […]

 
 

CIA Reveals Identity of Bin Laden Hunter

In the Atlantic Wire, Uri Friedman writes “Did the CIA Do Enough to Protect Bin Laden’s Hunter?” The angle Friedman chose quickly turns to outrage that John Young of Cryptome, paying close attention, was able to figure out from public statements made by the CIA, what the fellow looks like. After you’re done being outraged, […]

 

Twitter Updates from Adam, 2011-10-09

RT @stuxnet420 #twitter oh, yeah, it's on now. I'll see your Stuxnet and raise u a predator with an irc server. 🙂 http://t.co/hKpfDMBt # RT @drunkenpredator Phew. Think I kicked that software virus. Was really messing with my DEAR SIR I HAVE FOR YOU LUCRATIVE PROPOSAL # RT @runasand The CCC has reverse engineered, analyzed […]

 

Twitter Updates from Adam, 2011-10-08

RT @ethicalhack3r @floatingatoll: The UNIX time zone database has been destroyed by its authors due to a legal threat. http://t.co/1zQIKZm8 # RT @radleybalko Unreal. CA appeals court upholds warrantless cell phone searches during traffic stops. http://t.co/KnklNSat # If you haven't seen it, @ErrataRob "Independent reporting of #OccupyWallStreet quot; http://t.co/qDYxPdFx is a long thoughtful engagement # […]

 

Twitter updates

I’ve decided to experiment with pushing my Twitter feed onto the blog. What do you think? For non-Twitter users, the RT means “re-tweet,” amplifying things that others have said and MT means modified tweet, where the RT plus comment don’t quite fit. If someone has php code to resolve t.co URLs into real URLs, that […]

 

Twitter Updates from Adam, 2011-10-07

Sad to say I can find nothing to say beyond thanks, Steve. # Hey @beaker, if you support http://t.co/ObdJFd79 they have Squirrel t-shirts! # I think that @asteingruebl raises some really good questions in http://t.co/nnbdDNBe # Eric Rachner continues to need to sue for accountability from Seattle police & their videos http://t.co/S3fHkcSM # RT @jilliancyork […]

 

Nothing to add

(I saw this here, would appreciate the right attribution.)

 

New School of Information Security Book Reading at Ada's

Last Sunday, I did a book reading at Ada’s Technical Books. As I say in the video, I was excited because while I’ve talked about the New School, and I’ve given talks about the New School, I hadn’t done a book reading, in part because of the nature of the book, and my personal comfort […]

 
 

The Diginotar Tautology Club

I often say that breaches don’t drive companies out of business. Some people are asking me to eat crow because Vasco is closing its subsidiary Diginotar after the subsidiary was severely breached, failed to notify their reliant parties, mislead people when they did, and then allowed perhaps hundreds of thousands of people to fall victim […]

 

Book Reading in Seattle on Sunday

This Sunday I’ll be reading from the New School at 4PM on Sunday at Ada’s Technical Books in Capitol Hill. If you’re in the area, you should come!

 

Lean Startups & the New School

On Friday, I watched Eric Ries talk about his new Lean Startup book, and wanted to talk about how it might relate to security. Ries concieves as startups as businesses operating under conditions of high uncertainty, which includes things you might not think of as startups. In fact, he thinks that startups are everywhere, even […]

 

Emergent Effects of Restrictions on Teenage Drivers

For more than a decade, California and other states have kept their newest teen drivers on a tight leash, restricting the hours when they can get behind the wheel and whom they can bring along as passengers. Public officials were confident that their get-tough policies were saving lives. Now, though, a nationwide analysis of crash […]

 

Diginotar Quantitative Analysis ("Black Tulip")

Following the Diginotar breach, FOX-IT has released analysis and a nifty video showing OCSP requests. As a result, lots of people are quoting a number of “300,000”. Cem Paya has a good analysis of what the OCSP numbers mean, what biases might be introduced at “DigiNotar: surveying the damage with OCSP.” To their credit, FoxIt […]

 

The Rules of Breach Disclosure

There’s an interesting article over at CIO Insight: The disclosure of an email-only data theft may have changed the rules of the game forever. A number of substantial companies may have inadvertently taken legislating out of the hands of the federal and state governments. New industry pressure will be applied going forward for the loss […]

 

Best autoresponse message

As Brad Feld says, this is the best auto-responder in a long time: I am currently out of the office on vacation. I know I’m supposed to say that I’ll have limited access to email and won’t be able to respond until I return — but that’s not true. My blackberry will be with me […]

 

15 Years of Software Security: Looking Back and Looking Forward

Fifteen years ago, I posted a copy of “Source Code Review Guidelines” to the web. I’d created them for a large bank, because at the time, there was no single document on writing or reviewing for security that was broadly available. (This was a about four years before Michael Howard and Dave LeBlanc published Writing […]

 

Nymwars: Thoughts on Google+

There’s something important happening around Google+. It’s the start of a rebellion against the idea of “government authorized names.” (A lot of folks foolishly allow the other side to name this as “real names,” but a real name is a name someone calls you.) Let’s start with “Why Facebook and Google’s Concept of ‘Real Names’ […]

 

Tap Tap Snarky

From the app store: I hope this doesn’t cause Apple to ban snarky update messages.

 

Emergent Map: Streets of the US

This is really cool. All Streets is a map of the United States made of nothing but roads. A surprisingly accurate map of the country emerges from the chaos of our roads: All Streets consists of 240 million individual road segments. No other features — no outlines, cities, or types of terrain — are marked, […]

 

Is iTunes 10.3.1 a security update?

Dear Apple, In the software update, you tell us that we should see http://support.apple.com/kb/HT1222 for the security content of this update: However, on visiting http://support.apple.com/kb/HT1222, and searching for “10.3”, the phrase doesn’t appear. Does that imply that there’s no security content? Does it mean there is security content but you’re not telling us about it? […]

 

Thoughts on this Independence Day

Emergent Chaos has a long tradition of posting the American Declaration of Independence here to celebrate the holiday. It’s a good document in many ways. It’s still moving, more than two centuries after it was written. It’s clearly written, and many people can learn from its structured approach to presenting a case. And last but […]

 

MySpace sells for $35 Million, Facebook to follow

So MySpace sold for $35 million, which is nice for a startup, and pretty poor for a company on which Rupert Murdoch spent a billion dollars. I think this is the way of centralized social network software. The best of them learn from their predecessors, but inevitably end up overcrowded. Social spaces change. You don’t […]

 

Breach Harm: Should Arizona be required to notify?

Over at the Office of Inadequate Security, Pogo was writing about the Lulzsec hacking of Arizona State Police. Her article is “A breach that crosses the line?” I’ve been blogging for years about the dangers of breaches. I am concerned about dissidents who might be jailed or killed for their political views, abortion doctors whose […]

 

Goodbye, Rinderpest, we're probably better off without you

On Tuesday in a ceremony in Rome, the United Nations is officially declaring that for only the second time in history, a disease has been wiped off the face of the earth. The disease is rinderpest. Everyone has heard of smallpox. Very few have heard of the runner-up. That’s because rinderpest is an epizootic, an […]

 

Sex, Lies & Cybercrime Surveys: Getting to Action

My colleagues Dinei Florencio and Cormac Herley have a new paper out, “Sex, Lies and Cyber-crime Surveys.” Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings. We are not alone in this judgement. Most research teams who have […]

 

Communicating with Executives for more than Lulz

On Friday, I ranted a bit about “Are Lulz our best practice?” The biggest pushback I heard was that management doesn’t listen, or doesn’t make decisions in the best interests of the company. I think there’s a lot going on there, and want to unpack it. First, a quick model of getting executives to do […]

 

Are Lulz our best practice?

Over at Risky.biz, Patrick Grey has an entertaining and thought-provoking article, “Why we secretly love LulzSec:” LulzSec is running around pummelling some of the world’s most powerful organisations into the ground… for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn’t any. And […]

 

How the Epsilon Breach Hurts Consumers

Yesterday, Epsilon and Sony testified before Congress about their recent security troubles. There was a predictable hue and cry that the Epsilon breach didn’t really hurt anyone, and there was no reason for them to have to disclose it. Much of that came from otherwise respectable security experts. Before I go on, let me give […]

 

ThreatPost goes New School

In “It’s Time to Start Sharing Attack Details,” Dennis Fisher says: With not even half of the year gone, 2011 is becoming perhaps the ugliest year on record for major attacks, breaches and incidents. Lockheed Martin, one of the larger suppliers of technology and weapons systems to the federal government, has become the latest high-profile […]

 

Map of Where Tourists Take Pictures

Eric Fischer is doing work on comparing locals and tourists and where they photograph based on big Flickr data. It’s fascinating to try to identify cities from the thumbnails in his “Locals and Tourists” set. (I admit, I got very few right, either from “one at a time” or by looking for cities I know.) […]

 

The Future of Education is Chaotic, Fun and Unevenly Distributed

After I wrote “The future of education is chaotic and fun“, I came across “The Montessori Mafia” about the unusual levels of successfulness that Montessori produces. In my post, I opened discussing how our current system of funding education in the US is to force everything through a government department. That department is constrained by […]

 

The Flying Spaghetti Monster

In honor of rapture day, the Flying Spaghetti Monster has chosen to manifest his tentacly goodness in Stanley Park in Vancouver:

 

Elevation of Privilege news

I wanted to let people know that Microsoft is making the source files for the Elevation of Privilege game available. They are Adobe Illustrator and InDesign files, and are now on the EoP download site. They’re the 85mb of zipped goodness. They can be used under the same Creative Commons Attribution 3.0 US license under […]

 

"Pirate my books, please"

Science fiction author Walter John Williams wants to get his out of print work online so you can read it: To this end, I embarked upon a Cunning Plan. I discovered that my work had been pirated, and was available for free on BitTorrent sites located in the many outlaw server dens of former Marxist […]

 

Photoblogging CHI2011

Last week, I had the pleasure of attending the ACM conference on Computer Human Interaction, CHI. As I mentioned in a work blog post, “Adding Usable Security to the SDL,” I’m now focused on usable security issues at work. I’m planning to say more about the conference in a little bit, but for right now, […]

 

Heaven Forbid the New York Times include Atheists

In “Is Your Religion Your Financial Destiny?,” the New York Times presents the following chart of income versus religion: Note that it doesn’t include the non-religious, which one might think an interesting group as a control. Now, you might think that’s because the non-religious aren’t in the data set. But you’d be wrong. In the […]

 

Representative Bono-Mack on the Sony Hack

There’s a very interesting discussion on C-SPAN about the consumer’s right to know about breaches and how the individual is best positioned to decide how to react. “Representative Bono Mack Gives Details on Proposed Data Theft Bill.” I’m glad to see how the debate is maturing, and how no one bothered with some of the […]

 

The future of education is chaotic and fun

Lately, I’ve seen three interesting bits on the future of education, and I wanted to share some thoughts on what they mean. The first is a quickie by Don Boudreaux at Cafe Hayek, titled “Grocery School.” It starts “Suppose that we were supplied with groceries in same way that we are supplied with K-12 education.” […]

 

New York memorials

There’s an excellent column in the old liberal tradition of celebrating liberty in this week’s New Yorker. It’s Memorials by Adam Goptnick, and includes a quote from John Stuart Mill at his rhetorical peak.

 
 

Why Do Outsiders Detect Breaches?

So I haven’t had a chance to really digest the new DBIR yet, but one bit jumped out at me: “86% were discovered by a third party.” I’d like to offer up an explanatory story of why might that be, and muse a little on what it might mean for the deployment of intrusion detection […]

 

Data driven pen tests

So I’m listening to the “Larry, Larry, Larry” episode of the Risk Hose podcast, and Alex is talking about data-driven pen tests. I want to posit that pen tests are already empirical. Pen testers know what techniques work for them, and start with those techniques. What we could use are data-driven pen test reports. “We […]

 

Happy Yuri's Night!

Today, April 12, 2011 is the 50th Anniversary of Yuri Gagarin’s historic first flight. Why not join a celebration? Invite to the Kremlin event via Xeni Jardin.

 

What's the PIN, Kenneth?

There’s a story in the New York Times, “To Get In, Push Buttons, or Maybe Swipe a Magnet” which makes interesting allusions to the meaning of fair trade in locks, implied warranties and the need for empiricism in security: In court filings, Kaba argued that it had “never advertised or warranted in any way that […]

 
 

Ahem: The New School is more than Data

In “Why The New School Is Important,” Alex writes: Being New School won’t solve your problems. What a New School mindset will do for you is help you begin to understand what your problems actually are. So without arguing with the rest of Alex’s post, I’m forced to beg to differ. The New School is […]

 

I'd like some of that advertising action

Several weeks back, I was listening to the Technometria podcast on “Personal Data Ecosystems,” and they talked a lot about putting the consumer in the center of various markets. I wrote this post then, and held off posting it in light of the tragic events in Japan. One element of this is the “VRM” or […]

 

Sedgwick, Maine versus the Feds

“Maine Town Declares Food Sovereignty, Nullifies Conflicting Laws.” So reads the headline at the 10th Amendment center blog: The Maine town of Sedgwick took an interesting step that brings a new dynamic to the movement to maintain sovereignty: Town-level nullification. Last Friday, the town passed a proposed ordinance that would empower the local level to […]

 

What does Coviello's RSA breach letter mean?

After spending a while crowing about the ChoicePoint breach, I decided that laughing about breaches doesn’t help us as much as analyzing them. In the wake of RSA’s recent breach, we should give them time to figure out what happened, and look forward to them fulfilling their commitment to share their experiences. Right now we […]

 

Questions about a Libyan no-fly zone

With the crisis in Japan, attention to the plight of those trying to remove Colonel Kaddafi from power in Libya has waned, but there are still calls, including ones from the Arab League, to impose a no-fly zone. Such a zone would “even the fight” between the rebels and Kaddafi’s forces. There are strong calls […]

 

Copyrighted Science

In “Shaking Down Science,” Matt Blaze takes issue with academic copyright policies. This is something I’ve been meaning to write about since Elsevier, a “reputable scientific publisher,” was caught publishing a full line of fake journals. Matt concludes: So from now on, I’m adopting my own copyright policies. In a perfect world, I’d simply refuse […]

 

Fear, Information Security, and a TED Talk

In watching this TEDMed talk by Thomas Goetz, I was struck by what a great lesson it holds for information security. You should watch at least the first 7 minutes or so. (The next 9 minutes are interesting, but less instructive for information security.) The key lesson that I’d like you to take from this […]

 

Unmeddle Housing More

Last month, I wrote: But after 50 years of meddling in the market, reducing the support for housing is going to be exceptionally complex and chaotic. And the chaos isn’t going to be evenly distributed. It’s going to be a matter of long, complex laws whose outcomes are carefully and secretly influenced. Groups who aren’t […]

 

Best Practices for the Lulz

The New School blog will shortly be publishing a stunning expose of Anonymous, and before we do, we’re looking for security advice we should follow to ensure our cloud-hosted blog platform isn’t pwned out the wazoo. So, where’s the checklist of all best practices we should be following? What’s that you say? There isn’t a […]

 

Police Officers should be able to speak out

I got this in email and wanted to amplify it: Law Enforcement Against Prohibition prides itself on the willingness of our members to stand up and take action against drug prohibition. Last fall, LEAP member Joe Miller did exactly that. A California police officer for eight years before taking a position as a deputy probation […]

 

Elevation of Privilege (Web Edition) Question

Someone wrote to me to ask: A few cards are not straightforward to apply to a webapp situation (some seem assume a proprietary client) – do you recommend discarding them or perhaps you thought of a way to rephrase them somehow? For example: “An attacker can make a client unavailable or unusable but the problem […]

 

What should a printer print?

Over at their blog, i.Materialise (a 3D printing shop) brags about not taking an order. The post is “ATTENTION: ATM skimming device.” It opens: There is no doubt that 3D printing is a versatile tool for materializing your 3D ideas. Unfortunately, those who wish to break the law can also try to use our technology. […]

 

Infosec's Flu

In “Close Look at a Flu Outbreak Upends Some Common Wisdom,” Nicholas Bakalar writes: If you or your child came down with influenza during the H1N1, or swine flu, outbreak in 2009, it may not have happened the way you thought it did. A new study of a 2009 epidemic at a school in Pennsylvania […]

 

Egypt and Information Security

Yesterday, I said on Twitter that “If you work in information security, what’s happening in Egypt is a trove of metaphors and lessons for your work. Please pay attention.” My goal is not to say that what’s happening in Egypt is about information security, but rather to say that we can be both professional and […]

 

Mubarak and TSA agree: No advantage to them leaving

In “TSA shuts door on private airport screening program,” CNN reports that “TSA chief John Pistole said Friday he has decided not to expand the program beyond the current 16 airports, saying he does not see any advantage to it.” The advantage, of course, is that it generates pressure on his agency to do better. […]

 

A critique of Ponemon Institute methodology for "churn"

Both Dissent and George Hulme took issue with my post Thursday, and pointed to the Ponemon U.S. Cost of a Data Breach Study, which says: Average abnormal churn rates across all incidents in the study were slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009), which was measured by […]

 

Requests for a proof of non-existence

So before I respond to some of the questions that my “A day of reckoning” post raises, let me say a few things. First, proving that a breach has no impact on brand is impossible, in the same way that proving the non-existence of god or black swans is impossible. It will always be possible […]

 

A Day of Reckoning is Coming

Over at The CMO Site, Terry Sweeney explains that “Hacker Attacks Won’t Hurt Your Company Brand.” Take a couple of minutes to watch this. Let me call your attention to this as a turning point for a trend. Those of us in the New School have been saying this for several years, but the idea […]

 

A few thoughts on chaos in Tunisia

The people of Tunisia have long been living under an oppressive dictator who’s an ally of the US in our ‘war on terror.’ Yesterday, after substantial loss of life, street protests drove the dictator to abdicate. There’s lots of silly technologists claiming it was twitter. A slightly more nuanced comment is in “Sans URL” Others, […]

 

Unmeddling Housing

For a great many years, US taxpayers have been able to deduct interest paid on a home mortgage from their taxes. That made owning property cost roughly 20% less than it otherwise would have (estimating a 25% tax rate on interest on 80% of a property). So everyone could afford 20% “more” house, which meant […]

 

Referencing Insiders is a Best Practice

You might argue that insiders are dangerous. They’re dangerous because they’re authorized to do things, and so monitoring throws up a great many false positives, and raises privacy concerns. (As if anyone cared about those.) And everyone in information security loves to point to insiders as the ultimate threat. I’m tempted to claim this as […]

 

TSA News Roundup

Event: The Carnegie Institute for Science will be hosting “The Stripping of Freedom: A Careful Scan of TSA Security Procedures” Outrage: “SFO pilot exposes airport security flaws.” Apparently, pilots allowed to carry guns give up their free speech rights “causes the loss of public confidence in TSA…” (does anyone have a copy of the letter?) […]

 

So cute!

There’s just something about skinny girls in pouffy skirts…and stormtrooper helmets. More at http://redandjonny.tumblr.com/

 

Bureaucracy in inaction

Back in September, a group of Czech artists called EPOS 257 camouflaged themselves as city-workers, went to the Palackeho square in Prague and installed a fence. The fence was left on the square with no apparent intent or explanation. At first, the city council didn’t know about it, and when there were told, they didn’t […]

 

Emergent Chaos has TSA "trolls," too

Over at We Won’t Fly, George Donnelly writes: I was about to delete an offensive comment on this blog – one of the very few we get – and thought, hmm, I wonder where this guy is posting from? Because, really, it is quite unusual for us to get nasty comments. Lo and behold, the […]

 

TSA News roundup

Act: Get this 2-page Passenger’s Rights Sheet: http://saizai.com/tsa_rights.pdf Outrage: “Gaping Holes in Airline Security: Loaded Gun Slips Past TSA Screeners” (Matthew Mosk, Angela Hill and Timothy Fleming, ABC News) “TSA + Police + JetBlue Conspire Against Peaceful Individual at JFK” (George Donnelly, WeWontFly.org) “TSA Lies Again Over Capture, Storage Of Body Scanner Images” (Steve Watson, […]

 

The Emergent Chaos of Facebook relationships

This is a fascinating visualization of 10MM Facebook Friends™ as described in Visualizing Friendships by Paul Butler. A couple of things jump out at me in this emergent look at geography. The first is that Canada is a figment of our imaginations. Sorry to my Canadian friends (at least the anglophones!) The second is that […]

 

Managing WordPress: How to stay informed?

We at the New School blog use WordPress with some plugins. Recently, Alex brought up the question of how we manage to stay up to date. It doesn’t seem that WordPress has a security announcements list, nor do any of our plugins. So I asked Twitter “What’s the best way to track security updates for […]

 

Armoring the Bombers that Came Back

Paul Kedrosky writes: Most of us have heard the story of armoring British bombers, as it’s too good not to share, not to mention being straight from the David Brent school of management motivation. Here is the Wikipedia version: Bomber Command’s Operational Research Section (BC-ORS), analysed a report of a survey carried out by RAF […]

 

TSA News roundup

Intrusiveness and outrage: “Homeland Security Is Also Monitoring Your Tweets” “‘Baywatch’ Beauty Feels Overexposed After TSA Scan” (David Moye, AOLnews) “the agent responded, ‘Because you caught my eye, and they’ — pointing to the other passengers — ‘didn’t.’” “POLICE STATE – TSA, Homeland Security & Tampa Police Set Up Nazi Checkpoints At Bus Stations ” […]

 

"Proof" that E-Passports Lead to ID Theft

A couple of things caught Stuart Schechter’s eye about the spam to which this image was attached, but what jumped out at me was the name on the criminal’s passport: Frank Moss, former deputy assistant secretary of state for passport services, now of Identity Matters, LLC. And poor Frank was working so hard to claim […]

 

The TSA’s Approach to Threat Modeling

“I understand people’s frustrations, and what I’ve said to the TSA is that you have to constantly refine and measure whether what we’re doing is the only way to assure the American people’s safety. And you also have to think through are there other ways of doing it that are less intrusive,” Obama said. “But […]

 

The 1st Software And Usable Security Aligned for Good Engineering (SAUSAGE) Workshop

National Institute of Standards and Technology Gaithersburg, MD USA April 5-6, 2011 Call for Participation The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant […]

 

The 1st Software And Usable Security Aligned for Good Engineering (SAUSAGE) Workshop

National Institute of Standards and Technology Gaithersburg, MD USA April 5-6, 2011 Call for Participation The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant […]

 

District 9

I really enjoyed District 9. Thought I understood some of it. But that was before I read “becoming the alien: apartheid, racism and district 9” by Andries du Toit. Now I need to watch the movie again.

 
 

"Towards Better Usability, Security and Privacy of Information Technology"

“Towards Better Usability, Security and Privacy of Information Technology” is a great survey of the state of usable security and privacy: Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can help avoid the inadvertent (or even deliberate) undermining of security by users. Indeed, without sufficient […]

 

"Towards Better Usability, Security and Privacy of Information Technology"

“Towards Better Usability, Security and Privacy of Information Technology” is a great survey of the state of usable security and privacy: Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can help avoid the inadvertent (or even deliberate) undermining of security by users. Indeed, without sufficient […]

 

Grope-a-thon: Today's TSA roundup

Outrage “Adam Savage: TSA saw my junk, missed 12″ razor blades” (Ben Kuchera, Ars Technica with video) “DHS & TSA: Making a list, checking it twice” (Doug Hadmann, Canada Free Press) claims that DHS has an internal memo calling those 59% of Americans who oppose pat downs “domestic extremists.” No copies of the memo have […]

 

Israeli Draft, Facebook and Privacy

A senior officer said they had found examples of young women who had declared themselves exempt posting photographs of themselves on Facebook in immodest clothing, or eating in non-kosher restaurants. Others were caught by responding to party invitations on Friday nights – the Jewish Sabbath. (“Israeli army uses Facebook to expose draft dodgers,” Wyre Davies, […]

 

News Round Up: New blog edition

I’ll be contributing to a new group blog, “I will opt out“. I think that concentrating and combining resources will help the people who care find all the news they want. My first post is at “More news from around the web”

 

Animals and Engineers

It’s been hard to miss the story on cat tongues (“For Cats, a Big Gulp With a Touch of the Tongue:)” Writing in the Thursday issue of Science, the four engineers report that the cat’s lapping method depends on its instinctive ability to calculate the balance between opposing gravitational and inertial forces. …After calculating things […]

 

Games and The New School

On my work (“Microsoft Security Development Lifecycle”) blog, I’ve posted “Make Your Own Game! (My BlueHat lightning talk).”

 

Grope up: Enough is Enough edition

Analysis: “‘Strip-or-Grope’ vs. Risk Management” Jim Harper, Cato@Liberty blog. Really solid thinking, although I usually don’t like asset-centric approaches, I think that for the physical world they make more sense than they do in software threat modeling. TSA more likely to kill you than a terrorist. thread at Flyertalk (thanks Doug!) “Has Airport Security Gone […]

 

Daily Grope Up

Outrage: Transcript: Senate hearing on TSA, full-body scanners (yesterday, not one Senator cared.) Today’s hearing: http://www.c-span.org/Watch/C-SPAN3.aspx TSA Success Story (You can win in line.) If someone had done that to me at a nightclub I’d call the cops. Violated Traveling with scars Search this one for “pump” to learn about a diabetic’s experience. What would […]

 

You are being tracked

In this instance, it’s for science, helping a friend do some work on analyzing web traffic. If you don’t like it, please install software that blocks these 1 pixel images from tracking you. Edit: removed the web bug

 

It's time to call your Senator!

There’s no news roundup today, the stories are flying, unlike people, who are sick and tired of the indignities, the nudeatrons and the groping. If you want to see them, you can follow me on twitter or National Opt Out day Tomorrow, there’s a Transportation Security Administration Oversight Hearing whose only witness is TSA Administrator […]

 

Daily Grope-Up: The Groping Will Continue Until You Drive Edition

“‘Naked’ scanners at U.S. airports may be dangerous: scientists” (National Post) The head of the X-ray lab at Johns Hopkins says “statistically, someone is going to get skin cancer from these X-rays.” “DHS chief tells pilot, tourism reps scans and patdowns will continue ” (Infowars.com) includes link to a CNN story “Growing backlash against TSA […]

 

Lies, Damned Lies and TSA Statements: Today’s news grope-up

Earlier this week, the White House responded to the UC San Francisco faculty letter on nudatrons. (We mentioned that here.) National Academy of Sciences member John Sedat says “many misconceptions, and we will write a careful answer pointing out their errors.” TSA has claimed that pictures will have blurred genital areas to “protect privacy.” Except […]

 

Today's TSA news grope-up

“Terror chief tries to board plane with banned liquids” (Mirror, UK) Obviously, the UK needs to get with the TSA program and exempt Ministers from search. Flight attendants union upset over new pat-down procedures “Airport security reaches new levels of absurdity” (Salon’s Ask the Pilot blog) “Know Your Options at the Airport” (ACLU of Massachusetts) […]

 

Facebook and "your" photos

Facebook Changes Photo Memories to No Longer Show Your Ex-Boyfriends or Ex-Girlfriends: In response to numerous complaints, Facebook has changed its Photo Memories sidebar module to no longer display friends who a user was formally listed as in a relationship with. [Sic] But it’s not just about selective remembering because “Your Memories Will Be Rewritten.” […]

 

UC San Francisco Faculty on Nudatrons

A number of faculty at UCSF have a letter to John Holdren, the President’s advisor on science and technology. There’s a related story on NPR.org, but I’d missed the letter. It appears the concerns of 3 members of the National Academy of Sciences have been completely ignored.

 
 

Note on Design of Monitoring Systems

Dissent reports “State Department official admits looking at passport files for more than 500 celebrities.” A passport specialist curious about celebrities has admitted she looked into the confidential files of more than 500 famous Americans without authorization. This got me thinking: how does someone peep at 500 files before anyone notices? What’s wrong with the […]

 

TSA Body Scanners News: Why show ID edition

First, a quick news roundup: EPIC is suing DHS for improper rulemaking, violations of the fouth ammendment, the privacy act, the religious freedom restoration act, and the video voyerism prevention act. The ACLU has a news roundup and a form to report on TSA behavior. The Airline Pilots Association advises pilots to show resistance. So […]

 

Turning off the lights: Chaos Emerges.

See what happened when Portishead, England turned off their traffic lights in September 2009 in this video. And don’t miss “Portishead traffic lights set to stay out after trial” in the Bristol Evening Post.

 

"My little piece of privacy"

Very entertaining video: I love it because curtains are privacy people will pay for, but even more, because, ironically for a privacy-enhancing technology, it generates more attention than not using it.

 

It's not TSA's fault

October 18th’s bad news for the TSA includes a pilot declining the choice between aggressive frisking and a nudatron. He blogs about it in “Well, today was the day:” On the other side I was stopped by another agent and informed that because I had “opted out” of AIT screening, I would have to go […]

 

Collective Smarts: Diversity Emerges

Researchers in the United States have found that putting individual geniuses together into a team doesn’t add up to one intelligent whole. Instead, they found, group intelligence is linked to social skills, taking turns, and the proportion of women in the group. […] “We didn’t expect that the proportion of women would be a significant […]

 

Re-architecting the internet?

Information Security.com reports that: [Richard Clarke] controversially declared “that spending more money on technology like anti-virus and IPS is not going to stop us losing cyber-command. Instead, we need to re-architect our networks to create a fortress. Let’s spend money on research to create a whole new architecture, which will cost just a fraction of […]

 

Another personal data invariant that varies

Just about anything a database might store about a person can change. People’s birthdays change (often because they’re incorrectly reported or recorded). People’s gender can change. One thing I thought didn’t change was blood type, but David Molnar pointed out to me that I’m wrong: Donors for allogeneic stem-cell transplantation are selected based on their […]

 

Money is information coined

In the general case, you are not anonymous on the interweb, but economically-anonymous, which I propose to label “enonymous”, and that’s not the same thing at all. If you threaten to kill the President, you will be tracked down, and the state will spend the money it takes on it. But if you call Lily […]

 

Java Security & Criminals

Brian Krebs has an interesting article on “Java: A Gift to Exploit Pack Makers.” What makes it interesting is that since information security professionals share data so well, Brian was able to go to the top IDS makers and get practical advice on what really works to secure a system. Sorry, dreaming there for a […]

 

Lessons from HHS Breach Data

PHIPrivacy asks “do the HHS breach reports offer any surprises?” It’s now been a full year since the new breach reporting requirements went into effect for HIPAA-covered entities. Although I’ve regularly updated this blog with new incidents revealed on HHS’s web site, it might be useful to look at some statistics for the first year’s […]

 

AT&T, Voice Encryption and Trust

Yesterday, AT&T announced an Encrypted Mobile Voice. As CNet summarizes: AT&T is using One Vault Voice to provide users with an application to control their security. The app integrates into a device’s address book and “standard operation” to give users the option to encrypt any call. AT&T said that when encryption is used, the call […]

 

Free Hossein Derakhshan

Apparently, the Iranian Government has sentenced Hossein “Hoder” Derakhshan to 19.5 years in jail for “collaborating with enemy states, creating propaganda against the Islamic regime, insulting religious sanctity, and creating propaganda for anti-revolutionary groups.” If you think putting bloggers or journalists in jail is wrong, please, please take a moment to sign the petition to […]

 

Saturn's Moon Enceladus

NASA claims that: At least four distinct plumes of water ice spew out from the south polar region of Saturn’s moon Enceladus in this dramatically illuminated image. Light reflected off Saturn is illuminating the surface of the moon while the sun, almost directly behind Enceladus, is backlighting the plumes. See Bursting at the Seams to […]

 

Fines or Reporting?

Over at the Office of Inadequate Security, Dissent does excellent work digging into several perspectives on Discover Card breaches: Discover’s reports, and the (apparent) silence of breached entities. I’m concerned that for many of the breaches they report, we have never seen breach reports filed by the entities themselves nor media reports on the incidents. […]

 

ID theft, its Aftermath and Debix AfterCare

In the past, I’ve been opposed to calling impersonation frauds “identity theft.” I’ve wondered why the term impersonation isn’t good enough. As anyone who’s read the ID Theft Resource Center’s ‘ID Theft Aftermath’ reports (2009 report) knows that a lot of the problem with longterm impersonation problems is the psychological impact of disassociation from your […]

 

Airplane Crashes Fall Because Experts Pontificate

The New York Times has a story, “Fatal Crashes of Airplanes Decline 65% Over 10 Years:” …part of the explanation certainly lies in the payoff from sustained efforts by American and many foreign airlines to identify and eliminate small problems that are common precursors to accidents. If only we did the same for security. This […]

 

Book review: "The Human Contribution"

James Reason’s entire career was full of mistakes. Most of them were other people’s. And while we all feel that way, in his case, it was really true. As a professor of psychology, he made a career of studying human errors and how to prevent them. He has a list of awards that’s a full […]

 

6502 Visual Simulator

In 6502 visual simulator, Bunnie Huang writes: It makes my head spin to think that the CPU from the first real computer I used, the Apple II, is now simulateable at the mask level as a browser plug-in. Nothing to install, and it’s Open-licensed. How far we have come…a little more than a decade ago, […]

 
 

Fair Warning: I haven't read this report, but…

@pogowasright pointed to “HOW many patient privacy breaches per month?:” As regular readers know, I tend to avoid blogging about commercial products and am leery about reporting results from studies that might be self-serving, but a new paper from FairWarning has some data that I think are worth mentioning here. In their report, they provide […]

 

Fake voting cards in Afghanistan?

NPR is talking about fraudulent ID cards and people voting multiple times. What happened to the purple ink solution? How did we end up exporting bad thinking about security to Afghanistan?

 

Use crypto. Not too confusing. Mostly asymmetric.

A little ways back, Gunnar Peterson said “passwords are like hamburgers, taste great but kill us in long run wean off password now or colonoscopy later.” I responded: “Use crypto. Not too confusing. Mostly asymmetric.” I’d like to expand on that a little. Not quite so much as Michael Pollan, but a little. The first […]

 

Dear AT&T

You never cease to amaze me with your specialness. You’ve defined a way to send MMS on a network you own, with message content you control, and there’s no way to see the full message: In particular, I can’t see the password that I need to see the message.

 

Data breach fines will prolong the rot

The UK’s Financial Services Authority has imposed a £2.28 million fine for losing a disk containing the information about 46,000 customers. (Who was fined is besides the point here.) I agree heartily with John Dunn’s “Data breach fines will not stop the rot,” but I’d like to go further: Data breach fines will prolong the […]

 

Saturday Corn Baking

Well, following on Arthur’s post on baking bread, I wanted to follow up with “how to bake corn:” Please go read “Baked Buttered Corn” A way to bring some happiness to the end of summer is to take this corn and simply bake it with butter. It’s fabulous. The starchy corn juices create a virtual […]

 

Petroski on Engineering

As I was reading the (very enjoyable) “To Engineer is Human,” I was struck by this quote, in which Petroski first quotes Victorian-era engineer Robert Stephenson, and then comments: …he hoped that all the casualties and accidents, which had occurred during their progress, would be noticed in revising the Paper; for nothing was so instructive […]

 

Rights at the "Border"

“I was actually woken up with a flashlight in my face,” recalled Mike Santomauro, 27, a law student who encountered the [Border Patrol] in April, at 2 a.m. on a train in Rochester. Across the aisle, he said, six agents grilled a student with a computer who had only an electronic version of his immigration […]

 

Transparency, India, Voting Machines

India’s EVMs are Vulnerable to Fraud. And for pointing that out, Hari Prasad has been arrested by the police in India, who wanted to threaten and intimidate him question him about where he got the machine that he studied. That’s a shame. The correct response is to fund Hari Prasad’s work, not use the police […]

 

Wikileaks

Friday night an arrest warrant went out, and was then rescinded, for Wikileaks founder Julian Assange. He commented “We were warned to expect “dirty tricks”. Now we have the first one.” Even the New York Times was forced to call it “strange.” I think that was the wrong warning. Wikileaks is poking at a very […]

 

Databases or Arrests?

From Dan Froomkin, “FBI Lab’s Forensic Testing Backlog Traced To Controversial DNA Database,” we see this example of the mis-direction of key funds: The pressure to feed results into a controversial, expansive DNA database has bogged down the FBI’s DNA lab so badly that there is now a two-year-and-growing backlog for forensic DNA testing needed […]

 

How not to address child ID theft

(San Diego, CA) Since the 1980?s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child?s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” […]

 

Dating and InfoSec

So if you don’t follow the folks over at OKCupid, you are missing out on some hot data. In case you’re not aware of it, OKCupid is: the best dating site on earth. Compiling our observations and statistics from the hundreds of millions of user interactions we’ve logged, we use this outlet to explore the […]

 

Bleg: Picture editor?

I used to use “Galerie” on my Mac to put nice pretty frames around pictures I posted here. (See some examples.) Galerie was dependent on … blah, blah, won’t work anymore without some components no longer installed by default. So I’m looking for a replacement that will, with little effort, put pictures in a nice […]

 

Making it up so you don't have to

If you don’t have time to develop a data-driven, business focused security strategy, we sympathize. It’s a lot of hard work. So here to help you is “What the fuck is my information security ‘strategy?’ “: Thanks, N!

 

Jon Callas on Comedies, Tragedy and PKI

Prompted by Peter Gutmann: [0] I’ve never understood why this is a comedy of errors, it seems more like a tragedy of errors to me. Jon Callas of PGP fame wrote the following for the cryptography mail list, which I’m posting in full with his permission: That is because a tragedy involves someone dying. Strictly […]

 

New low in pie charts

It’s not just a 3d pie chart with lighting effects and reflection. Those are common. This one has been squished. It’s wider than it is tall. While I’m looking closely, isn’t “input validation” a superset of “buffer errors” “code injection” and “command injection?” You can get the “Application Security Trends report for Q1-Q2 2010” from […]

 

Transparent Lies about Body Scanners

In “Feds Save Thousands of Body Scan Images,” EPIC reports: In an open government lawsuit against the United States Marshals Service, EPIC has obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of […]

 

Black Hat Slides

My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.

 

Credit Scores and Deceptive Advertising

Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores. I’d like to add one more danger of credit scores: […]

 
 

Hacker Hide and Seek

Core Security Ariel Waissbein has been building security games for a while now. He was They were kind enough to send a copy of his their “Exploit” game after I released Elevation of Privilege. [Update: I had confused Ariel Futoransky and Ariel Waissbein, because Waissbein wrote the blog post. Sorry!] At Defcon, he and his […]

 

SOUPS Keynote & Slides

This week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:” In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the […]

 

A Blizzard of Real Privacy Stories

Over the last week, there’s been a set of entertaining stories around Blizzard’s World of Warcraft games and forums. First, “World of Warcraft maker to end anonymous forum logins,” in a bid to make the forums less vitriolic: Mr Brand said that one Blizzard employee posted his real name on the forums, saying that there […]

 

Dear England, may we borrow Mr. Cameron for a bit?

Back when I commented on David Cameron apologizing for Bloody Sunday, someone said “It’s important to remember that it’s much easier to make magnanimous apologise about the behaviour of government agents when none of those responsible are still in their jobs.” Which was fine, but now Mr. Cameron is setting up an investigation into torture […]

 

The Next Unexpected Failure of Government

In looking at Frank Pasquale’s very interesting blog post “Secrecy & the Spill,” a phrase jumped out at me: I have tried to give the Obama Administration the benefit of the doubt during the Gulf/BP oil disaster. There was a “grand ole party” at Interior for at least eight years. Many Republicans in Congress would […]

 

Why we need strong oversight & transparency

[The ACLU has a new] report, Policing Free Speech: Police Surveillance and Obstruction of First Amendment-Protected Activity (.pdf), surveys news accounts and studies of questionable snooping and arrests in 33 states and the District of Columbia over the past decade. The survey provides an outline of, and links to, dozens of examples of Cold War-era […]

 

Between an Apple and a Hard Place

So the news is all over the web about Apple changing their privacy policy. For example, Consumerist says “Apple Knows Where Your Phone Is And Is Telling People:” Apple updated its privacy policy today, with an important, and dare we say creepy new paragraph about location information. If you agree to the changes, (which you […]

 

Alex on Science and Risk Management

Alex Hutton has an excellent post on his work blog: Jim Tiller of British Telecom has published a blog post called “Risk Appetite, Counting Security Calories Won’t Help”. I’d like to discuss Jim’s blog post because I think it shows a difference in perspectives between our organizations. I’d also like to counter a few of […]

 

High Impact Work

Perry Metzger recently drew this to my attention: The title of my talk is, “You and Your Research.” It is not about managing research, it is about how you individually do your research. I could give a talk on the other subject – but it’s not, it’s about you. I’m not talking about ordinary run-of-the-mill […]

 

On Politics

In “Jon Stewart on Obama’s executive power record” Glenn Greenwald writes: When ACLU Executive Director Anthony Romero last week addressed the progressive conference America’s Future Now, he began by saying: “I’m going to start provocatively . . . I’m disgusted with this president.” Last night, after Obama’s Oval Office speech, Jon Stewart began his show […]

 

Bleg: How to Delete Kindle Logs?

Well, Amazon has a new update for Kindle (with folders! OMG!), and I’m planning to apply it. However, last time I installed an update, I noticed that it lost the “wireless off” setting, and was apparently contacting Amazon. I don’t want it to do so, and leave wireless off. It’s safer that way, whatever promises […]

 

Breach Laws & Norms in the UK & Ireland

Ireland has proposed a new Data Breach Code of Practice, and Brian Honan provides useful analysis: The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption etc., need not notify anybody about the breach, nor if the breach affects non-sensitive personal data or small […]

 

Redesign BP's Logo

I like this one a lot. Go vote for your favorite at BP Logo Redesign contest.

 

Mobile Money for Haiti: a contest

This is cool: The Bill & Melinda Gates Foundation is using its financial clout to push the Haitian marketplace toward change by offering $10 million in prizes to the first companies to help Haitians send and receive money with their cell phones… The fund will offer cash awards to companies that initiate mobile financial services […]

 

Lady Ada books opening May 11

Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer. From the store’s […]

 

Thanks!

Andrew and I want to say thank you to Dave Marsh. His review of our book includes this: I’d have to say that the first few pages of this book had more of an impact on me that the sum of all the pages of any other security-related book I had ever read It’s really […]

 

Facebook Links

Some worthwhile reads on Facebook and privacy: Facebook’s Privacy Reboot: Is That all You’ve Got for Us? “The devil is in the defaults” Entire Facebook Staff Laughs As Man Tightens Privacy Settings

 

30 vs 150,000

For your consideration, two articles in today’s New York Times. First, “How to Remind a Parent of the Baby in the Car?:” INFANTS or young children left inside a vehicle can die of hyperthermia in a few hours, even when the temperature outside is not especially hot. It is a tragedy that kills about 30 […]

 

Life

Today will be remembered along with the landing on the moon and the creation of the internet: Researchers at the J. Craig Venter Institute (JCVI), a not-for-profit genomic research organization, published results today describing the successful construction of the first self-replicating, synthetic bacterial cell. The team synthesized the 1.08 million base pair chromosome of a […]

 

We'll always have Facebook…

Waitress Is Fired for Her Complaint on Facebook: Lesson Learned for Employers?. From [German Consumer Protection] Minister Aigner to Mark Zuckerberg: the importance of privacy Farewell, Facebook “Why one super-connected internet enthusiast decided it was time to pull the plug” 5 WTFs: I quit Facebook Today Quit Facebook Day versus 10 Reasons You’ll Never Quit […]

 

Facebook, Here’s Looking at You Kid

The last week and a bit has been bad to Facebook. It’s hard to recall what it was that triggered the avalanche of stories. Maybe it was the flower diagram we mentioned. Maybe it was the New York Times interactive graphic of just how complex it is to set privacy settings on Facebook: Maybe it […]

 

This is what science is for

In “The Quest for French Fry Supremacy 2: Blanching Armageddon,” Dave Arnold of the French Culinary Institute writes: Blanching fries does a lot for you – such as: killing the enzymes that make the potatoes turn purpley-brown. Blanching is always necessary if the potatoes will be air-dried before frying. gelatinizing the starch. During frying, pre-cooked […]

 

Where's the Checks and Balances, Mr. Cameron?

[Update: See Barry’s comments, I seem to misunderstand the proposal.] The New York Times headlines “ Britain’s New Leaders Aim to Set Parliament Term at 5 Years.” Unlike the US, where we have an executive branch of government, the UK’s executive is the Prime Minister, selected by and from Parliament. As I understand things, the […]

 

Malware reports? (A bleg)

I’m doing some work that involves seeing what people are saying about the state of malware in 2010, and search terms like “malware report” get a lot of results, they don’t always help me find thinks like the Symantec ISTR, the McAfee threats report or the Microsoft SIR. To date, I’ve found reports from Cisco, […]

 

Facebook Privacy

If you haven’t seen http://mattmckeon.com/facebook-privacy/‘s graphic of how Facebook’s default privacy settings have evolved, it’s worth a look:

 

Word!

We show that malicious TeX, BibTeX, and METAPOST files can lead to arbitrary code execution, viral infection, denial of service, and data exfiltration, through the file I/O capabilities exposed by TeX’s Turing-complete macro language. This calls into doubt the conventional wisdom view that text-only data formats that do not access the network are likely safe. […]

 

Taxman

Let me tell you how it will be There’s one for you, nineteen for me Chorus: If privacy appear too small Be grateful I don’t take it all Thanks to Jim Harper for the link.

 

Showing ID In Washington State

Back in October, I endorsed Pete Holmes for Seattle City Attorney, because of slimy conduct by his opponent. It turns out that his opponent was not the only one mis-conducting themselves. The Seattle PD hid evidence from him, and then claimed it was destroyed. They have since changed their story to (apparent) lies about “computer […]

 

Because Money Is Liberty Coined

I really love these redesigns of the US Dollar: There’s a contest, and I like these designs by Michael Tyznik the most. On a graphical level, they look like money. He’s integrated micro-printing, aligned printing (that $5 in the upper left corner, it’s really hard to print so it works when you look at light) […]

 

It's Hard to Nudge

There’s a notion that government can ‘nudge’ people to do the right thing. Big examples include letting people opt-out of organ donorship, rather than opting in (rates of organ donorship go from 10-20% to 80-90%, which is pretty clearly a better thing than putting those organs in the ground or crematoria). Another classic example was […]

 

Earth, from the surface of Mars

This is the first image ever taken of Earth from the surface of a planet beyond the Moon. It was taken by the Mars Exploration Rover Spirit one hour before sunrise on the 63rd Martian day, or sol, of its mission. (March 8, 2004) Credit: NASA Goadard’s flickr stream.

 

How to Get Started In Information Security, the New School Way

There have been a spate of articles lately with titles like “The First Steps to a Career in Information Security” and “How young upstarts can get their big security break in 6 steps.” Now, neither Bill Brenner nor Marisa Fagan are dumb, but both of their articles miss the very first step. And it’s important […]

 

Lies, Damned Lies and Inappropriate Baselines

Thomas Ricks wrote a blog on Foreign Policy titled “Another reason to support Obamacare.” In it, he cited a Stars & Stripes report that one of out five veterans under the age of 24 is out of work. However, Stars and Stripes compares total unemployment to 18-24 male vet unemployment. It took me less than […]

 

The Liquids ban is a worse idea than you thought

According to new research at Duke University, identifying an easy-to-spot prohibited item such as a water bottle may hinder the discovery of other, harder-to-spot items in the same scan. Missing items in a complex visual search is not a new idea: in the medical field, it has been known since the 1960s that radiologists tend […]

 

Failure to Notify Leads to Liability in Germany

…a Bad Homburg business man won millions in damages in a suit against the [Liechtenstein] bank for failing to reveal that his information was stolen along with hundreds of other account holders and sold to German authorities for a criminal investigation. He argued that if the bank had informed those on the list that their […]

 

Evil Clown Stalking for your Birthday?

Dominic Deville stalks young victims for a week, sending chilling texts, making prank phone calls and setting traps in letterboxes. He posts notes warning children they are being watched, telling them they will be attacked. But Deville is not an escaped lunatic or some demonic monster. He is a birthday treat, hired by mum and […]

 

Parkour Generations Video

I could pretend to tie this to information security, talking about risk and information sharing, but really, it’s just beautiful to watch these folks learn to play:

 

Source, Data or Methodology: Pick at least one

In the “things you don’t want said of your work” department, Ars Technica finds these gems in a GAO report: This estimate was contained in a 2002 FBI press release, but FBI officials told us that it has no record of source data or methodology for generating the estimate and that it cannot be corroborated…when […]

 

Credit Checks are a Best Practice in Hiring

The New York Times reports that “As a Hiring Filter, Credit Checks Draw Questions:” In defending employers’ use of credit checks as part of the hiring process, Eric Rosenberg of the TransUnion credit bureau paints a sobering picture. […] Screening the backgrounds of employees “is critical to protect the safety of Connecticut residents in their […]

 

J.C. Penny knew best

JC Penney, Wet Seal: Gonzalez Mystery Merchants JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August […]

 
 

Elsewhere…

Things are busy and chaotic, but while I’m unable to blog, here’s some audio and video I’ve done recently that you might enjoy: “Meeting of the Minds” with Andy Jaquith and myself in either text or audio. Face-Off with Hugh Thompson “Has social networking changed data privacy forever?” Video

 

Makeup Patterns to hide from face detection

Adam Harvey is investigating responses to the growing ubiquity of surveillance cameras with facial recognition capabilities. He writes: My thesis at ITP, is to research and develop privacy enhancing counter technology. The aim of my thesis is not to aid criminals, but since artists sometimes look like criminals and vice versa, it is important to […]

 

Cyberdeterrence Papers

This just came past my inbox: The National Research Council (NRC) is undertaking a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The project is aimed at fostering a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and the possible utility of these strategies for the U.S. […]

 

Going Dutch: Time for a Breach Notification Law

The European Digital Rights Initiative mentions that “Bits of Freedom starts campaign for data breach notification law:” A data breach notification obligation on telecom providers is already to be implemented on the basis of the ePrivacy Directive, but Bits of Freedom insisted that this obligation should be extended also to other corporations and organisations. It […]

 

Your RIVACY is important to us

…so important that we didn’t even proofread our rivacy policy. I’m hopeful that they apply more due care to how they administer their policy, but fear it’s like a dirty restaurant bathroom. If they don’t bother to take care of what the public sees, what are they doing in the kitchen? From “Commercial Terms of […]

 

Dear SSN-publishing crowd

There’s a bunch of folks out there who are advocating for publishing all SSNs, and so wanted to point out (courtesy of Michael Froomkin’s new article on Government Data Breaches ) that it would be illegal to do so. 42 USC § 405(c)(2)(C)(viii) reads: (viii)(I) Social security account numbers and related records that are obtained […]

 

The New School on Lady Ada Day

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science. For Lady Ada Day, Andrew and I want to thank Jessica Goldstein, our editor at Addison Wesley. Without her encouragement, feedback and championing, we never would have published the New School. The first proposal we […]

 

Women In Security

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science. For Lady Ada Day, I wanted to call out the inspiring work of Aleecia McDonald. In a privacy world full of platonic talk of the value of notice and consent, Aleecia did something very simple: […]

 

Counterpoint: There is demand for security innovation

Over in the Securosis blog, Rich Mogull wrote a post “There is No Market for Security Innovation.” Rich is right that there’s currently no market, but that doesn’t mean there’s no demand. I think there are a couple of inhibitors to the market, but the key one is that transaction costs are kept high by […]

 

I look forward to merging your unique visibility into my own

In “White House Cyber Czar: ‘There Is No Cyberwar’,” Ryan Singel writes: As for his priorities, Schmidt says education, information sharing and better defense systems rank high. That includes efforts to train more security professionals and have the government share more information with the private sector — including the NSA’s defensive side. “One thing we […]

 

Some Chaotic Thoughts on Healthcare

Passage of this bill is too big for my little brain, and therefore I’ll share some small comments. I’m going to leave out the many anecdotes which orient me around stupid red tape conflicts in the US, how much better my health care was in Canada (and how some Canadian friends flew to the US […]

 

Lessons from Robert Maley's Dismissal

A bit over a week ago, it came out that “Pennsylvania fires CISO over RSA talk.” Yesterday Jaikumar Vijayan continued his coverage with an interview, “Fired CISO says his comments never put Penn.’s data at risk.” Now, before I get into the lessons here, I want to point out that Maley is the sort of […]

 

Kids today

A burglar who spent about five hours on a store’s computer after breaking into the business gave police all the clues they needed to track him down. Investigators said the 17-year-old logged into his MySpace account while at Bella Office Furniture and that made it easy for them to find him. He also spent time […]

 

National Broadband Plan & Data Sharing

I know that reading the new 376 page US “National Broadband Plan” is high on all your priority lists, but section 14 actually has some interestingly New School bits. In particular: Recommendation 14.9: The Executive Branch, in collaboration with relevant regulatory authorities, should develop machine-readable repositories of actionable real-time information concerning cybersecurity threats in a […]

 

Your credit worthiness in 140 Characters or Less

In “Social networking: Your key to easy credit?,” Eric Sandberg writes: In their quest to identify creditworthy customers, some are tapping into the information you and your friends reveal in the virtual stratosphere. Before calling the privacy police, though, understand how it’s really being used. … To be clear, creditors aren’t accessing the credit reports […]

 

Elsewhere in the New School department

Dennis Fisher wrote “Why Bob Maley’s Firing is Bad for All of Us:” The news that Pennsylvania CISO Bob Maley lost his job for publicly discussing a security incident at last week’s RSA Conference really shouldn’t come as a surprise, but it does. Even for a government agency, this kind of lack of understanding of […]

 

Head of O'Hare Security says it sucks

In the eight months that I was the head of security under the Andolino administration, the commissioner of the busiest airport of the world, depending on who’s taking the survey, the busiest airport in the world, never once had a meeting with the head of security for the busiest airport in the world. Never once. […]

 

Everybody Should Be Doing Something about InfoSec Research

Previously, Russell wrote “Everybody complains about lack of information security research, but nobody does anything about it.” In that post, he argues for a model where Ideally, this program should be “idea capitalists”, knowing some people and ideas won’t payoff but others will be huge winners. One thing for sure — we shouldn’t focus this […]

 

Krebs on Cyber vs Physical Crooks

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them. I can’t help but notice one […]

 

Free speech for police

David Bratzer is a police officer in Victoria, British Columbia. He’s a member of “Law Enforcement Against Prohibition,” and was going to address a conference this week. There’s a news video at “VicPD Officer Ordered to Stay Quiet.” In an article in the Huffington Post, “The Muzzling of a Cop” former Seattle Police Chief Norm […]

 

Elevation of Privilege: The Threat Modeling Game

In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how very new school it is. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).

 

Elevation of Privilege: the Threat Modeling Game

In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how it helps more chaos emerge. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).

 

Adam signing today at RSA

I’ll be in the RSA bookstore today at noon, signing books. Please drop on by. PS: I’m now signing Kindles, too.

 

News from RSA: U-Prove

In “U-Prove Minimal Disclosure availability,” Kim Cameron says: This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual […]

 

Howard Schmidt's talk at RSA

The New York Times has a short article by Markoff, “U.S. to Reveal Rules on Internet Security.” The article focuses first on declassification, and goes on to say: In his first public speaking engagement at the RSA Conference, which is scheduled to open Tuesday, Mr. Schmidt said he would focus on two themes: partnerships and […]

 

The Economist on Breach Disclosure

In “New rules for big data,” the Economist seems to advocate for more disclosure of security problems: The benefits of information security—protecting computer systems and networks—are inherently invisible: if threats have been averted, things work as normal. That means it often gets neglected. One way to deal with that is to disclose more information. A […]

 

Puerto Rico: Biggest Identity Theft ever?

Apparently, the government of Puerto Rico has stolen the identities of something between 1.7 and 4.1 million people Native Puerto Ricans living outside the island territory are reacting with surprise and confusion after learning their birth certificates will become no good this summer. A law enacted by Puerto Rico in December mainly to combat identity […]

 

"We can’t circumvent our way around internet censorship."

That’s the key message of Ethan Zuckerman’s post “Internet Freedom: Beyond Circumvention.” I’ll repeat it: “We can’t circumvent our way around internet censorship.” It’s a long, complex post, and very much worth reading. It starts from the economics of running an ISP that can provide circumvention to all of China, goes to the side effects […]

 

Pie charts are not always wrong

In a comment, Wade says “I’ll be the contrarian here and take the position that using pie charts is not always bad.” And he’s right. Pie charts are not always bad. There are times when they’re ok. As Wade says “If you have 3-4 datapoints, a pie can effectively convey what one is intending to […]

 

In the "Nothing to Add" department

Nasty psychiatrissstss! Hates them, my precious! They locks uss up in padded cell! They makes uss look at inkblotsss! Tricksy, sly inkblotsss! Nasty Elvish pills burnsss our throat! … Yesss We Hatesss themsss Evil oness yess my preciousss we hatess themsss But They Helpsss us! No they hurtsss usss, hurtsss usss sore! NCBI ROFL: Did […]

 

Can I see some ID?

Or, Security and Privacy are Complimentary, Part MCVII: Later, I met one executive who told me that at the same time of my incident at another restaurant owned by the corporation, a server was using stolen credit card numbers by wearing a small camera on him. He would always check ID’s and would quickly flash […]

 

The Visual Display of Quantitative Information

In Verizon’s post, “A Comparison of [Verizon’s] DBIR with UK breach report,” we see: Quick: which is larger, the grey slice on top, or the grey slice on the bottom? And ought grey be used for “sophisticated” or “moderate”? I’m confident that both organizations are focused on accurate reporting. I am optimistic that this small […]

 

I'm not comfortable with that

The language of Facebook’s iPhone app is fascinating: If you enable this feature, all contacts from your device will be sent to Facebook…Please make sure your friends are comfortable with any use you make of their information. So first off, I don’t consent to you using that feature and providing my mobile phone number to […]

 

Adam & Andy Jaquith: A conversation

In December, Andy Jaquith and I had a fun conversation about info security with Bill Brenner listening in. The transcript is at “Meeting of the Minds,” and the audio is here.

 

Open Security Foundation Looking for Advisors

Open Security Foundation – Advisory Board – Call for Nominations: The Open Security Foundation (OSF) is an internationally recognized 501(c)(3) non-profit public organization seeking senior leaders capable of providing broad-based perspective on information security, business management and fundraising to volunteer for an Advisory Board. The Advisory Board will provide insight and guidance when developing future […]

 

Saltzer, Schroeder, and Star Wars

When this blog was new, I did a series of posts on “The Security Principles of Saltzer and Schroeder,” illustrated with scenes from Star Wars. When I migrated the blog, the archive page was re-ordered, and I’ve just taken a few minutes to clean that up. The easiest to read version is “Security Principles of […]

 

Best Practices for Defeating the term “Best Practices”

I don’t like the term “Best Practices.” Andrew and I railed against it in the book (pages 36-38). I’ve made comments like “torture is a best practice,” “New best practice: think” and Alex has asked “Are Security “Best Practices” Unethical?“ But people keep using it. Worse, my co-workers are now using it just to watch […]

 

Nelson Mandela

Twenty years ago today, Nelson Mandela was released from prison on Robben Island, where he was imprisoned for 27 years for considering violence after his rights to free speech and free association were revoked by the government. I learned a lot about the stories when I visited South Africa, and then more when my mom […]

 

My Sweet Lord, this is a Melancholy story

There’s an elephant of a story over at the New York Times, “Musician Apologizes for Advertising Track That Upset the White Stripes.” It’s all about this guy who wrote a song that ended up sounding an awful lot like a song that this other guy had written. And how this other guy (that being Mr. […]

 

Podcast on ISM3

Last week, I spoke at the Open Group meeting here in Seattle, and then recorded a podcast with Dana Gardner, Jim Hietala and Vicente Aceituno about ISM3 Brings Greater Standardization to Security Measurement Across Enterprise IT (audio) or you can read the transcript. It was fun, and the podcast is short and to the point. […]

 
 

Off with their heads!

In a private conversation, someone said “has anyone in company‘s IT staff been fired for letting people do use that software?” I did some searching for “firing offenses” and I found a bunch of interesting random things. I’d like to quote one, “How can I fire a non-performer in today’s environment:” You may have some […]

 

Security Blogger Awards

We’re honored to be nominated for “Most Entertaining Security Blog” at this years “2010 Social Security Blogger Awards.” Now, in a fair fight, we have no hope against Hoff’s BJJ, Mike Rothman’s incitefulness, Jack Daniel’s cynicism, or Erin’s sociability. But, really, there’s no reason for this to be a fair fight. So we’re asking our […]

 

The Best Question In Information Security

Ian Grigg seems to have kicked off a micro-trend with “The most magical question of all — why are so many bright people fooling themselves about the science in information security?.” Gunnar Peterson followed up with “Most Important Security Question: Cui Bono?” Both of these are really good questions, but I’m going to take issue […]

 

How to Make Your Dating Site Attractive

There’s a huge profusion of dating sites out there. From those focused on casual encounters to christian marriage, there’s a site for that. So from a product management and privacy perspectives I found this article very thought provoking: Bookioo does not give men any way to learn about or contact the female members of the […]

 

Today in Tyrranicide History

On January 30th, 1649, Charles I was beheaded for treason. He refused to enter a defense, asserting that as monarch, he was the law, and no court could try him. That same defense is raised today by Milošević, Hussien and other tyrants. The story of how John Cooke built his arguments against that claim is […]

 

Privacy and Security are Complimentary, Part MCIV

Privacy and security often complement each other in ways that are hard to notice. It’s much easier to present privacy and security as “in tension” or as a dependency. In this occasional series, we present ways in which they compliment each other. In this issue, the Financial Times reports that “Hackers target friends of Google […]

 

The Lost Books of the Odyssey

You should go read The Lost Books of the Odyssey. You’ll be glad you did. I wrote this review in April of 2008, and failed to post it. Part of my reason is that I have little patience for, and less to say about most experimental fiction. I am in this somewhat like a luddite, […]

 

Help EFF Measure Browser Uniqueness

The EFF is doing some measurement of browser uniqueness and privacy. It takes ten seconds. Before you go, why not estimate what fraction of users have the same transmitted/discoverable browser settings as you, and then check your accuracy at https://panopticlick.eff.org. Or start at http://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking for a bit more detail.

 

Text Size (and testing)

Thank you for all the feedback in email & comments. Testing a new font size, feedback is again invited and welcome.

 

The Dog That Didn't Bark at Google

So it’s been all over everywhere that “uber-sophisticated” hackers walked all over Google’s internal network. Took their source, looked at email interception tools, etc. What’s most fascinating to me is that: Google’s customers don’t seem to be fleeing Google stock fell approximately 4% on the news they were hacked, while the market was down 2% […]

 

Wondering about Phenomenon

Yesterday, Russell posted in our amusements category about the avoidance of data sharing. He gives an anecdote about “you,” presumably a security professional, talking to executives about sharing security information. I’d like to offer an alternate anecdote. Executive: “So we got the audit report in, and it doesn’t look great. I was talking to some […]

 

Blogs worth reading, an occasional series

Dan Lohrmann’s “Why Do Security Professionals Fail?” So what works and what doesn’t seem to make much difference in getting consistently positive results? My answers will probably surprise you. I’m not the first person to ask this question. Conventional wisdom says we need more training and staff with more security certifications. Others say we need […]

 

Terrorism Links and quotes

Ed Hasbrouck on “Lessons from the case of the man who set his underpants on fire” A Canadian woman who’s been through the new process is too scared to fly. “Woman, 85, ‘terrified’ after airport search.” Peter Arnett reported “‘It became necessary to destroy the town to save it,’ a TSA major said today. He […]

 

Ignorance of the 4 new laws a day is no excuse

The lead of this story caught my eye: (CNN) — Legislatures in all 50 states, the District of Columbia, Guam, the Virgin Islands and Puerto Rico met in 2009, leading to the enactment of 40,697 laws, many of which take effect January 1. That’s an average of 753 laws passed in each of those jurisdictions. […]

 

Is Quantified Security a Weak Hypothesis?

I’ve recently read “Quantified Security is a Weak Hypothesis,” a paper which Vilhelm Verendel published at NSPW09. We’re discussing it in email, and I think it deserves some broader attention. My initial note was along these lines: I think the paper’s key hypothesis “securtity can be correctly represented with quantitative information” is overly broad. Can […]

 

Comments on the Verizon DBIR Supplemental Report

On December 9th, Verizon released a supplement to their 2009 Data Breach Investigations Report. One might optimistically think of this as volume 2, #2 in the series. A good deal of praise has already been forthcoming, and I’m generally impressed with the report, and very glad it’s available and free. But in this post, I’m […]

 

Things Darwin Didn't Say

There’s a great line attributed to Darwin: “It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.” The trouble is, he never said it. Background here. Original sources are important and fun.

 

A Way Forward

Since writing the New School, I’ve been thinking a lot about why seems so hard to get there. There are two elements which Andrew and I didn’t explicitly write about which I think are tremendously important. Both of them have to do with the psychology of information security. The first is that security experts are […]

 

SearchSecurity Top Stories of 2009 Podcast

A few weeks ago, I joined the SearchSecurity team (Mike Mimoso, Rob Westervelt and Eric Parizo) to discuss the top cybersecurity stories of 2009. It was fun, and part 1 now available for a listen: part 1 (22:58), part 2 is still to come.

 

The Spectacle of Street View

Street with a View is an art project in Google Street View, with a variety of scenes enacted for the camera, either to be discovered in Street View, or discovered via the project web site. via David Fraser.

 

Comment Spam

We’ve been flooded with comment spam. I’ve added one of those annoying captcha things that don’t work, and a mandatory comment confirmation page. Please let me know if you have trouble. Blogname @ gmail.com, or adam @ blogname.com I think comments are working, but most won’t show up immediately. I’m digging into more effective solutions.

 

To the amazing chaos of the 2010s

I expect that there will be senseless acts of violence, planes destroyed and perhaps a city attacked with effective biological weapons. There will be crazy people with more power than we want to comprehend. There will be a billion malnourished, undereducated folks whose lives don’t improve. The first world will continue to be saddled with […]

 

The New School of Air Travel Security?

As I simmer with anger over how TSA is subpoening bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways: Failures are rare Partial failures are generally secret Actual failures are analyzed in secret Procedures are secret Procedures seem bizarre and arbitrary […]

 

Abdulmutallab/Flight 253 Airline Terror links

Air Canada is canceling US flights because of security. (Thanks, @nselby!) The New York Times reports that “Britain Rejected Visa Renewal for Suspect.” NPR reported that the State Department may have raised some sort of flag, but I don’t have a link. ABC is reporting that two of the “al Qaeda Leaders Behind Northwest Flight […]

 

Abdulmutallab/Flight 253 Airline Terror links

The Economist “The latest on Northwest flight 253:” “the people who run America’s airport security apparatus appear to have gone insane” and “This is the absolute worst sort of security theatre: inconvenient, absurd, and, crucially, ineffective.” Business Travel Coalition, via Dave Farber and Esther Dyson, “Aviation Security After Detroit:” “It is welcome news that President […]

 

76% Organic

The back does explain that it’s 76% organic petite sirah, and 24% non-organic grapes. I just thought it was a pretty funny thing to put on the front label, and wonder which consumers are going to be more likely to buy it, knowing that it’s 76% organic.

 
 

New Restrictions: No Using Electronic Devices for the Last Hour

Apparently, in the wake of thousands of deaths from idiots paying more attention to GPS, cell phones, GameBoys, iPods and other such electronic devices, TSA has announced a ban on all use of such devices for the last hour of your commute. No, just kidding. Apparently, they may be imposing new secret restrictions on use […]

 

Brian W Kernighan & Dennis M Ritchie & HP Lovecraft

I never heard of C Recursion till the day before I saw it for the first and– so far– last time. They told me the steam train was the thing to take to Arkham; and it was only at the station ticket-office, when I demurred at the high fare, that I learned about C Recursion. […]

 
 

Burning News: Gavle Goat

USA Today informs us that: Despite surveillance cameras and heavy security, vandals in a small Swedish town have burned down a giant Yuletide straw goat for the 24th time since 1966, the Associated Press reports. Here at Emergent Chaos, we’re deeply concerned that the goat ended up with neither privacy nor even temporary safety. Photo: […]

 

An Open Letter to the New Cyber-Security Czar

Dear Howard, Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but […]

 
 

Biggest Breach Ever

Precision blogging gets the scoop: You’re probably talking about this terrible security disaster already: the largest database leak ever. Arweena, a spokes-elf for Santa Claus, admitted a few hours ago that the database posted at WikiLeaks yesterday is indeed the comprehensive 2009 list of which kids have been naughty, and which were nice. The source […]

 

Open Thread

I’ll give you a topic, eh, no I won’t. Have at it, but not at each other.

 
 

Top Security Stories of the Year?

On Wednesday, I’ll be joining a podcast to discuss “top security stories of the year.” I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year? (I posted this on Emergent Chaos, but forgot to post it […]

 

We Take Your Privacy Seriously

So after BNY Melon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login. Boy, am I glad […]

 

Huh, who knew?

We have a comments feed. I suppose we should add that to somewhere sane. In the meanwhile, you should click here. We have smart commenters, and what they say is usually worthwhile.

 

Top Security Stories of the Year?

Next week, I’ll be joining a podcast to discuss “top security stories of the year.” I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year?

 

Monkeys krak-oo krak-oo

According to “Campbell’s Monkeys Use Affixation to Alter Call Meaning:” We found that male alarm calls are composed of an acoustically variable stem, which can be followed by an acoustically invariable suffix. Using long-term observations and predator simulation experiments, we show that suffixation in this species functions to broaden the calls’ meaning by transforming a […]

 

TSA Security Operating Procedures

Via Gary Leff, we learn that “The TSA Puts Their Sensitive Security Screening Procedures Online For All To See (oops).” It’s another “we blacked out the doc without blacking out the data” story. The doc is 93 pages, and I don’t have time to more than skim it right now. I think that the redactions […]

 

Fingerprinted and Facebooked at the Border

According to the Wall St Journal, “Iranian Crackdown Goes Global ,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online. That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they […]

 

The stupidest post of the year?

George Hulme nominates this as the stupidest blog post of the year. I’m tempted to vote, although we have 30 more days. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period). My take? Anytime someone says that […]

 

The Market for Fake Police Badges

But in New York, a city that has become almost synonymous with high security, where office employees wear picture IDs and surveillance cameras are on the rise, some officers don’t wear their badges on patrol. Instead, they wear fakes. Called “dupes,” these phony badges are often just a trifle smaller than real ones but otherwise […]

 

FBI Gets all New School

“Of the thousands of cases that we’ve investigated, the public knows about a handful,” said Shawn Henry, assistant director for the Federal Bureau of Investigation’s Cyber Division. “There are million-dollar cases that nobody knows about.” … “Keeping your head in the sand on filing a report means that the bad guys are out there hitting […]

 

Tifatul Sembiring Causes Disasters

The BBC reports that “Indonesia minister says immorality causes disasters:” A government minister has blamed Indonesia’s recent string of natural disasters on people’s immorality. Communication and Information Minister Tifatul Sembiring said that there were many television programmes that destroyed morals. Therefore, the minister said, natural disasters would continue to occur. His comments came as he […]

 
 

An advance in the "balance" between security and privacy

Today on Thanksgiving, I’m thankful that the European Parliament has adopted what may be the first useful statement about the balance between security and privacy since Franklin: “… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to […]

 

Deny thy father and refuse thy gene sequence?

There’s a fascinating article in the NYTimes magazine, “Who Knew I Was Not the Father?” It’s all the impact of cheap paternity testing on conceptions of fatherhood. Men now have a cheap and easy way to discovering that children they thought were theirs really carry someone else’s genes. This raises the question, what is fatherhood? […]

 

Poker Faced?

In “An Unstoppable Force Meets…” Haseeb writes about “we have just witnessed a monumental event in the history of online poker – the entrance of Isildur into our world of online poker.” Huh? Really? The post is jargon packed, and I’m not a poker player, but apparently this Isildur character has slaughtered all the best […]

 

UK Confused About Piracy

According to BoingBoing, “Leaked UK government plan to create “Pirate Finder General” with power to appoint militias, create laws:” What that means is that an unelected official would have the power to do anything without Parliamentary oversight or debate, provided it was done in the name of protecting copyright. Mandelson elaborates on this, giving three […]

 

Questions about Schaeffer's 80% improvement

According to Kim Zetter at Wired, in Senate testimony, Richard Schaeffer, the information assurance director at NSA, claimed that “If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented.” I’m trying to find if that’s the FDCC (Federal Desktop Core Configuration), […]

 

ICSA Labs report

In the book, Andrew and I wrote about trading data for credibility. If Verizon’s enthusiasm for sharing their learning is any indication, the approach seems to be paying off in spades. At the Verizon Business blog, Wade Baker writes: Today ICSA Labs (an independent division of Verizon Business) released a report based on testing results […]

 

In the Proudest Traditions of the Royal Navy

The Royal Fleet Auxiliary ship Wave Knight watched a yacht be hijacked for fear of harming its passengers. All stand for a rousing round of “Ain’t gonna study war no more.”

 
 

Best Practices in Tax Management

Someone sent me a link to “How to Audit-Proof Your Tax Return: Don’t e-File,” by Paul Caron. In it he quotes a plausible theory that “you are giving the IRS easy electronic access to information it would otherwise have to enter, enabling the agency to examine your return and mine the data more easily than […]

 

Practices: Proven vs. Standard?

In comments yesterday, both Kyle Maxwell and Nicko suggested that “standard” is a better adjective than “proven:” I like Kyle’s “standard” practice, since it makes it clear that you are just following the flock for safety by sticking to them. Perhaps we should call them “flocking standard practice” I do think there’s an important difference, […]

 

How to Use the "Think" Best Practice

After I posted the new Best Practice: Think, Dennis Fisher tweeted “Never catch on. Nothing for vendors (or Gartner) to sell.” Which is true, but that’s not the point. The point is to be able to ju-jitsu your best-practice cargo-culter into submission. For example: Cargo-culter: We don’t need a review, this project complied with all […]

 

"As far as I know, effective immediately"

Asked about the timing, the unbriefed propaganda minister mumbled: “As far as I know, effective immediately.” When that was reported on television, the Berliners were off. Baffled border guards who would have shot their “comrades” a week earlier let the crowd through—and a barrier that had divided the world was soon being gleefully dismantled. West […]

 
 

2 Proposed Breach Laws move forward

See George Hulme, “National Data Breach Law Steps Closer To Reality ” and Dennis Fisher “http://threatpost.com/en_us/blogs/two-data-breach-notification-bills-advance-senate-110609.” Dennis flags this awe-inspiring exception language: “rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.” […]

 

"A Call for Evidence-Based Security Tools"

Via Schneier: From the Open Access Journal of Forensic Psychology, by a large group of authors: “A Call for Evidence-Based Security Tools“: Abstract: Since the 2001 attacks on the twin towers, policies on security have changed drastically, bringing about an increased need for tools that allow for the detection of deception. Many of the solutions […]

 

Pay for your own dog food

At Microsoft, there’s a very long history of ‘eating your own dogfood’ or using the latest and greatest daily builds. Although today, people seem to use the term “self-host,” which seems evidence that they don’t do either. Eating your own dogfood gives you a decent idea of when it starts to taste ok, which is […]

 

Thank you!

For the opportunity to do this:

 

Tabletop Science

Mordaxus emailed some of us and said “I hope this doesn’t mean MG has jumped the shark.” What was he talking about? Apparently, ThinkGeek now has a “Molecular Gastronomy Starter Kit.” For those of you who’ve been hiding in a Cheesecake Factory for the past few years, molecular gastronomy is the art of using science […]

 

Seattle: Pete Holmes for City Attorney

I don’t usually say a lot about local issues, but as readers know, I’m concerned about how arbitrary ID checking is seeping into our society. It turns out my friend Eric Rachner is also concerned about this, and was excited when a Washington “Judge said showing ID to cops not required.” So when Eric was […]

 

Ooops! and Ooops again!

Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe: Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an orrery, not an astrolabe?” It appears that I’m going to have to update my commentary. […]

 

Ross Anderson's Psychology & Security page

Ross Anderson has a new Psychology and Security Resource Page. His abstract: A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and undertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as […]

 

Fordham report on Children's Privacy

Following the No Child Left Behind mandate to improve school quality, there has been a growing trend among state departments of education to establish statewide longitudinal databases of personally identifiable information for all K-12 children within a state in order to track progress and change over time. This trend is accompanied by a movement to […]

 

Bob Blakley Gets Future Shock Dead Wrong

Bob Blakley has a very thought provoking piece, “Gartner Gets Privacy Dead Wrong.” I really, really like a lot of what he has to say about the technical frame versus the social frame. It’s a very useful perspective, and I went back and forth for a while with titles for my post (The runner up […]

 

Is responsible disclosure dead?

Jeremiah Grossman has an article in SC Magazine, “Businesses must realize that full disclosure is dead.” On Twitter, I asked for evidence, and Jerimiah responded “Evidence of what exactly?” I think the key assertion that I take issue with is bolded in the context below: Unquestionably, zero-day vulnerabilities have an increasing real-world value to many […]

 

The Conch Republic

Apparently, in a sovereign-in-cheeck move, the the Florida Keys have withdrawn from the United States, and declared themselves to be “The Conch Republic.” Their motto is “We seceded where others failed.” Perhaps you haven’t heard of them because they make all the good jokes, making writing about them hard. I heard about them because of […]

 

Prisoners in Iran

There are apparently many people being held without charges by Iranian government. But as far as I know, I’ve only ever met one of them, and so wanted to draw attention to his case: During this entire time, our son has had just two short meetings with us for only a few minutes. Please imagine […]

 

Dear ChoicePoint: Lying like a cheap rug undercuts all that

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized […]

 

Toyota Stalks Woman, Claims She Consented

In a lawsuit filed Sept. 28 in Los Angeles Superior Court, Amber Duick claims she had difficulty eating, sleeping and going to work during March and April of last year after she received e-mails for five days from a fictitious man called Sebastian Bowler, from England, who said he was on the run from the […]

 

Another good metaphor, killed by science

Wired has a First Look: Dyson’s Blade-Free Wonder Fan Blows Our Minds: Future generations will have no idea why the shit hitting the fan is any worse than it hitting anything else.

 

Speaking in Michigan on Tuesday

Andrew Stewart and I will be speaking at the University of Michigan SUMIT_09 on Tuesday. We’re on 10:30-11:25. If you’re in the area, please come by.

 

SECTOR Sniffing: It Smells, as does the Response

Apparently, at the SecTor security conference, someone tapped into the network and posted passwords to a Wall of Sheep. At the SecTor speakers dinner, several attendees were approached by colleagues and informed that their credentials appeared on the “Wall of Shame” for all to see. When questioned about how the encrypted and unencrypted traffic was […]

 

New Best Practice: Think

Since anyone can declare anything a best practice in information security, I’d like to add my favorite to your list. Think. Thank you.

 

The Presentation of Self and Everyday Photographs

With the kind help of our awesome readership, Amazon and Glazer’s, I’ve acquired a camera, some books, a tripod, a prime 50mm, a flash diffuser, a polarizing filter, a graduated neutral filter, and some other random photography toys tools. You might question this, but I can quit anytime. Really! I even offered to loan my […]

 
 

LCROSS Lunar Impact Friday, 4:30 AM Pacific

So the Lunar Crater Observation and Sensing Satellite has one last sensing task which it will carry out tomorrow morning at 4:30 AM Pacific. That is to dig a big hole in Cabeus (proper) and see if there’s water there. Unfortunately for LCROSS, it doesn’t really have landing jets, which means it will dig a […]

 

Hal Finney's news

Hal Finney has posted some news to LessWrong: A man goes in to see his doctor, and after some tests, the doctor says, “I’m sorry, but you have a fatal disease.” Man: “That’s terrible! How long have I got?” Doctor: “Ten.” Man: “Ten? What kind of answer is that? Ten months? Ten years? Ten what?” […]

 

Tetraktys is the Best Cryptographic Novel Ever

I’ve been remiss in not posting a review of Tetraktys, by Ari Juels. Short review: It’s better written and has better cryptographers than the ones in any Dan Brown novel, but that’s really damning it with faint praise, which it doesn’t deserve. It’s a highly readable first novel by Ari Juels, who is Chief Scientist […]

 

Quick Thoughts on the New Blogging Regulations

I want to congratulate the folks at the FTC, who’ve decided we all need to follow some rules about what bloggers can say. See for example, “ Epicenter The Business of Tech FTC Tells Amateur Bloggers to Disclose Freebies or Be Fined” at Wired. These new rules are documented in an easy to read 81 […]

 

Changing Expectations around Breach Notice

Earlier this month, the Department of Health and Human Services imposed a “risk of harm” standard on health care providers who lose control of your medical records. See, for example, “Health IT Data Breaches: No Harm, No Foul:” According to HHS’ harm standard, the question is whether access, use or disclosure of the data poses […]

 
 

Some thoughts on the Olympics, Chicago and Obama

So the 2016 Olympics will be in Rio de Janeiro. Some people think this was a loss for Obama, but Obama was in a no-win situation. His ability to devote time to trying to influence the Olympics is strongly curtailed by other, more appropriate priorities. If he hadn’t gone to Copenhagen, he would have been […]

 

Models are Distracting

So Dave Mortman wrote: I don’t disagree with Adam that we need raw data. He’s absolutely right that without it, you can’t test models. What I was trying to get at was that, even though I would absolutely love to have access to more raw data to test my own theories, it just isn’t realistic […]

 

Security is About Outcomes, FISMA edition

Over at the US Government IT Dashboard blog, Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO) write: the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ […]

 

Happy Banned Books Week!

Quoting Michael Zimmer: [Yesterday was] the start of Banned Books Week 2009, the 28th annual celebration of the freedom to choose what we read, as well as the freedom to select from a full array of possibilities. Hundreds of books are challenged in schools and libraries in the United States each year. Here’s a great […]

 

Podcasts with Amrit

I had fun recording Beyond the Perimiter Episode 48 and 49 with Amrit. I think Amrit asked some of the broadest, most complex questions I’ve been asked, and it was hard to keep the episodes short. Go have a listen!

 

A Little Temporary Safety

So I saw this ad on the back of the Economist. (Click for a larger PDF). In reading it, I noticed this exhortation to “support the STANDUP act of 2009:” The STANDUP Act* (H.R. 1895) creates a National Graduated Driver Licensing (GDL) law that [limits nighttime driving, reduces in-car distractions, puts a cap on the […]

 

Happy Emancipation Proclamation Day!

That on the first day of January in the year of our Lord, one thousand eight hundred and sixty-three, all persons held as slaves within any state, or designated part of a state, the people whereof thenceforward, and forever free; and the executive government of the United States [including the military and naval authority thereof] […]

 

Private Thoughts on Race

So I’m sitting on the plane home from* Seattle, and I had a really interesting conversation on race with the woman next to me. We were talking, and she asked me, why is it so hard to have conversations like this. I thought that the answer we came to was interesting, and insofar as it […]

 

Secret Photo Apps for the iPhone

If you try searching the App store for photo apps, you find all sorts of things to make your photos sepia. Or blurry. Or to draw on them. Which is great, but if you want apps to help you take photographs, they’re sorta hard to find. So here are some links: First up, a reference […]

 

Proskauer Rose Crows "Rows of Fallen Foes!"

Over on their blog, the law firm announces yet another class action suit over a breach letter has been dismissed. Unfortunately, that firm is doing a fine business in getting rid of such suits. I say it’s unfortunate for two reasons: first, the sued business has to lay out a lot of money (not as […]

 

Notes to the Data People

Over on his Guerilla CISO blog, Rybolov suggests that we ask the Data.gov folks for infosec data using their Suggest a data set page. It sounds like a good idea to me! I took his request and built on it. Rather than breaking the flow with quotes and edit marks, I’ll simply say the requests […]

 

Atoms, Photographed

The pictures, soon to be published in the journal Physical Review B, show the detailed images of a single carbon atom’s electron cloud, taken by Ukrainian researchers at the Kharkov Institute for Physics and Technology in Kharkov, Ukraine….To create these images, the researchers used a field-emission electron microscope, or FEEM. They placed a rigid chain […]

 

BBC Video of Liquid Explosives

The BBC has some really scary video “Detonation of Liquid Explosives.” However, as I thought about it, I grow increasingly confused by what it purports to show, and the implications. At the end of the day, I think there are two possibilities: It’s a fair representation, or it’s not. I’m leaning slightly towards the second. […]

 

Caster Semenya, Alan Turing and "ID Management" products

South African runner Caster Semenya won the womens 800-meter, and the attention raised questions about her gender. Most of us tend to think of gender as pretty simple. You’re male or you’re female, and that’s all there is to it. The issue is black and white, if you’ll excuse the irony. There are reports that: […]

 

Rebuilding the internet?

Once apon a time, I was uunet!harvard!bwnmr4!adam. Oh, harvard was probably enough, it was a pretty well known host in the uucp network which carried our email before snmp. I was also harvard!bwnmr4!postmaster which meant that at the end of an era, I moved the lab from copied hosts files to dns, when I became […]

 

Make the Smart Choice: Ignore This Label

He said the criteria used by the Smart Choices™ Program™ were seriously flawed, allowing less healthy products, like sweet cereals and heavily salted packaged meals, to win its seal of approval. “It’s a blatant failure of this system and it makes it, I’m afraid, not credible,” Mr. Willett said. […] Eileen T. Kennedy, president of […]

 

Only an idea after a bunch of calculating

Andrew Koppelman has a post on lawprof blog Balkinization, titled “You have no idea:” This data sits uneasily beside a recent study in the American Journal of Medicine of personal bankruptcies in the United States. In 2007, 62% of all personal bankruptcies were driven by medical costs. “Nationally, a quarter of firms cancel coverage immediately […]

 

Non Commercial

If you haven’t listened to Larry Lessig’s 23C3 talk, it’s worthwhile to listen to the argument he makes. As I was listening to it, I was struck by the term non-commercial, and, having given it some thought, think that we need a better word to describe the goals Creative Commons is pursuing. The term non-commercial […]

 

We're all reputable on this bus

There’s an interesting story at Computerworld, “Court allows suit against bank for lax security.” What jumped out at me was Citizens also had claimed that its online banking services were being provided and protected by a highly reputable company. In addition to the third-party security services, Citizens said it had its own measures for protecting […]

 

Ten Years Ago: Reminiscing about Zero-Knowledge

Ten years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who […]

 

We Live in Public

It’s opening in New York this weekend, and the New York Times has a review.

 

Perfecter than Perfect

So I’m having a conversation with a friend about caller ID blocking. And it occurs to me that my old phone with AT&T, before Cingular bought them, had this nifty feature, “show my caller-ID to people in my phone book.” Unfortunately, my current phone doesn’t have that, because Steve Jobs has declared that “Apple’s goal […]

 

What Are People Willing to Pay for Privacy?

So I was thinking about the question of the value of privacy, and it occurred to me that there may be an interesting natural experiment we can observe, and that is national security clearances in the US. For this post, I’ll assume that security clearances work for their primary purpose, which is to keep foreign […]

 

Moore's Law is a Factor in This

I remember when Derek Atkins was sending mail to the cypherpunks list, looking for hosts to dedicate to cracking RSA-129. I remember when they announced that “The Magic Words are Squeamish Ossifrage.” How it took 600 people with 1,600 machines months of work and then a Bell Labs supercomputer to work through the data. I […]

 

Renaming the Blog to Emergent Chaos (II)

A little more seriously, the identity of a blog is constructed between the authors, commenters and readers, and I’m continually amazed by what emerges here. At the same time, what’s emerging is currently not very chaotic, and I’m wondering if it’s time for some mixing it up. Suggestions welcome.

 

Renaming the blog to Emergent Chaos (I)

In 2007, Artist Kristin Sue Lucas went before a judge to get a name change to…Kristin Sue Lucas. She’s put together a show called “Refresh” and one called “Before and After.” My favorite part is where the judge wrestles with the question “what happens when you change a thing to itself:” JR: And I don’t […]

 

New on SSRN

There’s new papers by two law professors whose work I enjoy. I haven’t finished the first or started the second, but I figured I’d post pointers, so you’ll have something to read as we here at the Combo improvise around Cage’s 2:33. Paul Ohm has written “Broken Promises of Privacy: Responding to the Surprising Failure […]

 

What should the new czar do? (Tanji's Security Survey)

Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? I think it’s a fascinating question, and posted my answer over […]

 

What should the new czar do? (Tanji's Security Survey)

Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? My three: De-stigmatize failure. Today, we see the same failures we […]

 

Heartland/TJX/Hannaford hacker caught

I’ve been busy and haven’t had a lot of time to dig in, but Rich Mogull has some really good articles, “Heartland Hackers Caught; Answers and Questions,” and “Recent Breaches- We May Have All the Answers.” I have two questions: Were these custom attacks, or a failure to patch? Reading what’s not in the USSS/FBI […]

 

We Live In Public, The Movie

One of the best ways to upset someone who cares about privacy is to trot out the “nothing to hide, nothing to worry about” line. It upsets me on two levels. First because it’s so very wrong, and second, because it’s hard to refute in a short quip. I think what I like most about […]

 

Spinal Tap, Copyright

There’s a cute little story in the NYTimes, “Lego Rejects a Bit Part in a Spinal Tap DVD.” I read it as I was listening to a podcast on Shepard Fairey vs The Associated Press that Dan Solove pointed out. In that podcast, Dale Cendali (the attorney representing the AP) asserts that licensing is easy, […]

 
 

Hearsay podcast: Shostack on Privacy

Dennis Fisher talks with Microsoft’s Adam Shostack about the Privacy Enhancing Technologies Symposium, the definition of privacy in today’s world and the role of technology in helping to enhance and protect that privacy. As always, a fun conversation with Dennis Fisher. Ran longer than I think either of us expected at 41:15. And speaking of […]

 

Heartland CEO and Outrage

Bill Brenner has an interview with Robert Carr, the CEO of Heartland. It’s headlined “Heartland CEO on Data Breach: QSAs Let Us Down.” Some smart security folks are outraged, asserting that Carr should know the difference between compliance and security, and audit and assessment. Examples include Rich Mogull’s “Open Letter to Robert Carr” and Alan […]

 

New Breach Laws

Missouri adds a law with a “risk of harm trigger” aka the full-employment provision for lawyers and consultants. Texas adds health data to their notification list. Most importantly, North Carolina requires notice to their attorney general for breaches smaller than 1,000 people. I think Proskauer here is being a little inaccurate when they characterize this […]

 

Information Security-Don't sweat it

So-called clinical-strength antiperspirants …come with instructions that they be applied before bed for “maximum” protection from wetness and odor. … Even regular-strength antiperspirants work best when applied to underarms at night, experts told us. Bedtime application “really is the best way to use an antiperspirant,” says Daivd Pariser, M.D., president of the American Academy of […]

 

What's in a name?

Brian Jones Tamanaha has an interesting post about our database-driven society. The core of it is that English is bad at recording some names. The solution? Force people to change their official names for the convenience of the database: During public hearings on the voter identification legislation in the House, state Rep. Betty Brown, R-Terrell, […]

 
 

Television, Explained

So I’m not sure if Michael Pollan’s “Out of the Kitchen, Onto the Couch” is supposed to be a movie review, but it’s definitely worth reading if you think about what you eat. I really like this line: The historical drift of cooking programs — from a genuine interest in producing food yourself to the […]

 

Is Barack Obama an American Citizen?

It might seem, to the average person, that the “Birthers” must have a tough time proving their case. After all, Barack Obama has released his Certification of Live Birth (pictured above), which meets all the requirements for proving one’s citizenship to the State Department. The authenticity of the certificate has been verified by Hawaii state […]

 

Hot Singles Are Waiting for You!

Information anyone gives to Facebook can be used by Facebook to do things Faceook wants to do. Like use your face in a personals ad. Even if Facebook knows you’re married. Facebook used Cheryl Smith’s face this way in an ad that it showed her husband. (“oops”) So go read more in Wife’s face used […]

 

ID Theft Risk Scores?

A bunch of widely read people are blogging about “MyIDscore.com Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.” First, there’s little explanation of how it’s working. I got a 240 when I didn’t give them my SSN, and my score dropped to 40 […]

 

To The Moon

One of the really fascinating things about listening to the streaming audio of the first moon landing is how much time was spent debugging the spacecraft, resetting this and that. As the memory fades away, Charlie Stross wrote about the difficulties in going back to the moon: Not only does the cost of putting a […]

 

Penetration testing your products

It was built to be impenetrable, from its “super rugged transparent polycarbonate housing” to its intricate double-tabbed lid… Just go read the story. Anything else I say will spoil the punchline.

 

Chris, I'm sorry

I hate the overuse of URL shortners like tinyurl. I like to be able to see what a link is before I click on it. I don’t like that these companies get to be yet another point of surveillance. (To be fair, tinyurl doesn’t seem to be taking advantage of that. I have cookies from […]

 

The Arrest of Gates

A couple of good articles are John McWhorter’s “Gates is Right–and We’re Not Post-Racial Until He’s Wrong,” and Lowry Heussler’s “Nightmare on Ware Street.” The full police report is at “Gates police report.” I think PHB’s comment on Michael Froomkin’s post is quite interesting: You are all missing a rather significant fact, this is the […]

 

For epistemological anarchism

So Dave Mortman and Alex Hutton have a talk submitted to Security BSides entitled “Challenging the Epistemological Anarchist to Escape our Dark Age.” Now, it would certainly be nice if we could all use the same words to mean the same things. It would make communication so much easier! It would let us build the […]

 

We Regret The New York Times’ Error

In “Kindling a Consumer Revolt,” I quoted the New York Times: But no, apparently the publisher changed its mind about offering an electronic edition, and apparently Amazon, whose business lives and dies by publisher happiness, caved. It electronically deleted all books by this author from people’s Kindles and credited their accounts for the price.” What […]

 

Kindling a Consumer Revolt

Well, by now it’s all over the blogo/twitter spheres, and everything that might be said has already been said about Eric Blair, a publisher and Amazon: This morning, hundreds of Amazon Kindle owners awoke to discover that books by a certain famous author had mysteriously disappeared from their e-book readers. These were books that they […]

 

Up Again

We had some expected downtime this morning. Thanks for your notes and IMs. If you’re reading this, things are now working again.

 
 

Not because it is easy, but because it is hard

Forty years ago today, Apollo 11 lifted off for the moon, carrying Buzz Aldrin, Neil Armstrong and Michael Collins. The Boston Globe has a great selection of photos, “Remembering Apollo 11.” (Thanks to Deb for the link.)

 

Happy Bastille Day!

It’s hard not to like a holiday which celebrates the storming of a prison and the end of a monarchy. Photo: Vytenis Benetis .

 

Wells Fargo vs Wells Fargo

You can’t expect a bank that is dumb enough to sue itself to know why it is suing itself. Yet I could not resist asking Wells Fargo Bank NA why it filed a civil complaint against itself in a mortgage foreclosure case in Hillsborough County, Fla. “Due to state foreclosure laws, lenders are obligated to […]

 

Running from the truth

Robin Hanson has an interesting article, “Desert Errors:” His findings stayed secret until 1947, when he was allowed to publish his pioneering Physiology of Man in the Desert. It went almost entirely unnoticed. In the late 1960s, marathon runners were still advised not to drink during races and until 1977, runners in international competitions were […]

 

Origins of time-sync passwords

In “Who Watches the Watchman” there’s an interesting history of watchclocks: An elegant solution, designed and patented in 1901 by the German engineer A.A. Newman, is called the “watchclock”. It’s an ingenious mechanical device, slung over the shoulder like a canteen and powered by a simple wind-up spring mechanism. It precisely tracks and records a […]

 

Social Security Numbers are Worthless as Authenticators

The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The findings, published Monday in The Proceedings of the National […]

 

Bob Blakely on the Cybersecurity Conversation

Bob Blakely has a thought-provoking blog post which starts: The Cyberspace Policy Review says “The national dialog on cyber-security must begin today.” I agree. Let’s start the dialog with a conversation about what sacrifices we’re willing to make to get to an acceptable worst-case performance. Here are four questions to get the ball rolling: Question […]

 

Va Pbaterff Nffrzoyrq, Whyl 4 1776

My usual celebration of Independence day is to post, in its entirety, the Declaration of Independence. It’s very much worth reading, but this year, there’s a little twist, from a delightful story starring Lawren Smithline and Robert Patterson, with a cameo by Thomas Jefferson. Patterson sent Jefferson a letter which read, in part: “I shall […]

 

Thoughts on Iran

Our love affair with the Iranian Tweetolution has worn off. The thugs declared their election valid, told their armed representatives to Sorry, next tweet: go impose some law or order or something, and it was done. Well, as it often turns out, there was more to it than fits in 140 characters, and the real […]

 

Rebellion over an ID plan

What they were emphatically not doing, said Jay Platt, the third-generation proprietor of the ranch, was abiding by a federally recommended livestock identification plan, intended to speed the tracing of animal diseases, that has caused an uproar among ranchers. They were not attaching the recommended tags with microchips that would allow the computerized recording of […]

 

Unthinkable Foolishness from TSA

“Flying from Los Angeles to New York for a signing at Jim Hanley’s Universe Wednesday (May 13th), I was flagged at the gate for ‘extra screening’. I was subjected to not one, but two invasive searches of my person and belongings. TSA agents then ‘discovered’ the script for Unthinkable #3. They sat and read the […]

 

Voltage Predicts the Future

It’s easy to critique the recent Voltage report on breaches. (For example, “2009 started out to be a good year for hackers; in the first three months alone, there were already 132 data breaches reported.” That there were 132 breaches does not mean that hackers are having a good year; most breaches are not caused […]

 

On the Assimilation Process

Three years and three days ago I announced that “I’m Joining Microsoft.” While I was interviewing, my final interviewer asked me “how long do you plan to stay?” I told him that I’d make a three year commitment, but I really didn’t know. We both knew that a lot of senior industry people have trouble […]

 

Thanks, Jeffrey Bennett

In “Books that should be in a security manager’s library,” Jeffrey Bennett says nice things about The New School (the book) and suggests that it’s one of eight that “no professional library is complete without.” Thanks!

 

Emergent Traffic Chaos

Paul Kedrosky has an amazing video: As described in the New Scientist: Researchers from several Japanese universities managed the feat by putting 22 vehicles on a 230-metre single-lane circuit (see video). They asked drivers to cruise steadily at 30 kilometres per hour, and at first the traffic moved freely. But small fluctuations soon appeared in […]

 

Science, Skepticism and Security

Rich Mogull has a great post on “Science, Skepticism and Security” In the security industry we never lack for theories or statistics, but very few of them are based on sound scientific principles, and often they cannot withstand scientific scrutiny. For example, the historic claim that 70% of security attacks were from the “insider threat” […]

 

The Cost of Anything is the Foregone Alternative

The New York Times reports: At least six men suspected or convicted of crimes that threaten national security retained their federal aviation licenses, despite antiterrorism laws written after the attacks of Sept. 11, 2001, that required license revocation. Among them was a Libyan sentenced to 27 years in prison by a Scottish court for the […]

 

Economics of Information Security

Ross Anderson is liveblogging the 2009 Workshop on Economics of Information Security. I’m in Seattle, and thus following eagerly. It seems Bruce isn’t liveblogging this time. I know I found it challenging to be a stenographer and a participant at SHB.

 

The emergent chaos of fingerprinting at airports

HONG KONG (Reuters) – A Singapore cancer patient was held for four hours by immigration officials in the United States when they could not detect his fingerprints — which had apparently disappeared because of a drug he was taking. The incident, highlighted in the Annals of Oncology, was reported by the patient’s doctor, Tan Eng […]

 

UnClear where the data will go

So Clear’s Verified Line Jumper service has shut down. Aviation Week has a blog post, “ Clear Shuts Down Registered Traveler Lanes.” Clear collected a lot of data: The information that TSA requires us to request is full legal name, other names used, Social Security number (optional), citizenship, Alien Registration Number (if applicable), current home […]

 

Iran Links

The Economist’s Bagehot writes about his idea of “The chemistry of revolution,” while admitting he’s generalizing from two. Ethan Zuckerman on “Iran, citizen media and media attention.” “Unfortunately, unlike positive online gestures of solidarity (retweeting reports from Iran, turning Twitter or Facebook pictures green), this one does little more than piss off sysadmins, helps Iranian […]

 

Suffering for Art

Joseph Carnevale, 21, was nabbed Wednesday after a Raleigh Police Department investigation determined that he was responsible for the work (seen below) constructed May 31 on a roadway adjacent to North Carolina State University. Carnevale, pictured in the mug shot at right, was charged with misdemeanor larceny for allegedly building his orange monster from materials […]

 

Happy Juneteenth!

Celebrate Juneteenth, but remember that we have not eliminated the scrouge of slavery.

 

The Trouble With Metrics

Is that they can be gamed. See “ Terror law used to stop thousands ‘just to balance racial statistics’” in the Guardian: Thousands of people are being stopped and searched by the police under their counter-­terrorism powers – simply to ­provide a racial balance in official statistics, the government’s official anti-terror law watchdog has revealed. […]

 

Privacy Enhancing Technologies 2009

The organizers of the 9th Privacy Enhancing Technologies Symposium invite you to participate in PETS 2009, to be held at the University of Washington, Seattle, WA, USA, on Aug 5-7, 2009. PETS features leading research in a broad array of topics, with sessions on network privacy, database privacy, anonymous communication, privacy policies, and privacy offline. […]

 

Chaos in Iran

Millions of people in Iran are in the streets, protesting a stolen election. Nate Silver, who did a great job on US election statistics has this: However, given the absolutely bizarre figures that have been given for several provinces, given qualitative knowledge – for example, that Mahdi Karroubi earned almost negligible vote totals in his […]

 

The Art of Mathematics

Paul Nylander has some amazingly beautiful mathematical constructs which he’s ray-tracing. Via Aleks Jakulin.

 

SHB Session 8: How do we fix the world?

(Bruce Schneier has been running a successful prediction attack on my URLs, but the final session breaks his algorithm. More content to follow.) So as it turns out, I was in the last session, and didn’t blog it. Bruce Schneier and Ross Anderson did. Matt Blaze has the audio. I’ll turn my comments into an […]

 

SHB Session 7: Privacy

Tyler Moore chaired the privacy session. Alessandro Acquisti, CMU. (Suggested reading: What Can Behavioral Economics Teach Us About Privacy?; Privacy in Electronic Commerce and the Economics of Immediate Gratification.) It’s not that people act irrationally, it’s that we need deeper models of their privacy choices. Illusion of control, over-confidence, in privacy people seek ambiguity, people […]

 

SHB Session 6: Terror

Bill Burns (Suggested reading Decision Research: The Diffusion of Fear: Modeling Community Response to a Terrorist Strike) Response to Crisis: Perceptions, Emotions and Behaviors. Examining a set of scenarios of threats in downtown LA. Earthquake, chlorine release, dirty bomb. Earthquake: likely 100-200 casualties. Dirty bomb, expected casualties: 100 at most. Chlorine may be thousands to […]

 

SHB Session 5: Foundations

Rachel Greenstadt chaired. I’m going to try to be a little less literal in my capture, and a little more interpretive. My comments in italic. Terence Taylor, ICLS (Suggested reading: Darwinian Security; Natural Security (A Darwinian Approach to a Dangerous World)). Thinks about living with risks, rather than managing them. There are lessons from biology, […]

 

SHB Session 4: Methodology

David Livingstone Smith chaired. Angela Sasse “If you only remember one thing: write down everything the user needs to do and then write down everything the user needs to know to make the system work. Results of failure are large, hard to measure. (Errors, frustration, annoyance, impact on processes and performance, coloring user perception of […]

 

SHB Session 3: Usability

Caspar Bowden chaired session 3, on usability. Andrew Patrick NRC Canada (until Tuesday), spoke about there being two users of biometric systems: the purchaser or system operator and the subject. Argues that biometrics are being rolled out without a lot of thought for why they’re being used, when they make sense and when not. Canada […]

 

SHB Session 2: Fraud

Julie Downs studied users who were going through an email inbox full of phishing emails, while doing a talk-aloud. They also did interviews afterwards. People with incidents get very sensitive to risks, but don’t get any better at identifying phishing emails. What really helps is contextualized understanding. Do they know what a URL is? Do […]

 

SHB Session 1: Deception

Frank Stajano Understanding Victims Six principles for systems security Real systems don’t follow logic that we think about. Fraudsters understand victims really well. Working with UK TV show, “the real hustle.” Draft paper on SHB site. Principles: Distraction, social compliance, herd principle, decption, greed, dishonesty David Livingstone Smith What are we talking about? Theoretical definitions: […]

 

Security & Human Behavior

I’m at the Security & Human Behavior workshop, and will be trying to blog notes as we go. I should be clear: these notes aren’t intended to be perfect or complete. Update: Bruce Schneier is also liveblogging. intro. Ross Anderson is blogging in comments to this post.

 

Security & Human Behavior

I’m blogging the Security & Human Behavior Workshop at the New School blog. Bruce Schneier is also blogging it, as is Ross Anderson.

 

Pirate Party Victory in Sweden

“Together, we have today changed the landscape of European politics. No matter how this night ends, we have changed it,” Falkvinge said. “This feels wonderful. The citizens have understood it’s time to make a difference. The older politicians have taken apart young peoples’ lifestyle, bit by bit. We do not accept that the authorities’ mass-surveillance,” […]

 

Mr. Bureaucrat, Please Report to Room 101

As I’ve said before, all non-trivial privacy warnings are mocked and then come true. Sixty years ago today, George Orwell published 1984. He unfortunately failed to include a note that the book was intended as a warning, not a manual. Today, in England, there are an unknown number of surveillance cameras, including many around Orwell’s […]

 

Bialystock Triumphs in Berlin

The crowd for the premiere seemed pleased. It wasn’t your typical Broadway musical audience, to judge from the number of smart-looking young people with interesting haircuts. A “lively counterpoint to Hollywood productions like ‘Valkyrie’ and ‘Defiance,’ with their impeccable Resistance heroes and clichés,” decided the reviewer for Spiegel Online. “The New York triumph was repeated […]

 

Open Thread

What’s on your mind? Extra points for mocking other members of the combo for not posting. Me? I’m wondering why the opening of the Parliament of South Africa involves so many bagpipes.

 

Democracy, Gunpowder, Literacy and Privacy

In an important sense, privacy is a modern invention. Medieval people had no concept of privacy. They also had no actual privacy. Nobody was ever alone. No ordinary person had private space. Houses were tiny and crowded. Everyone was embedded in a face-to-face community. Privacy, as idea and reality, is the creation of a modern […]

 

It’s a warning, not a manual, part MCMLXXXIV

“He had set his features into the expression of quiet optimism which it was advisable to wear when facing the telescreen…” Photo: “Under surveillance,” Toban Black, in the 1984 Flickr pool.

 

How to Present

As I get ready to go to South Africa, I’m thinking a lot about presentations. I’ll be delivering a keynote and a technical/managerial talk at the ITWeb Security Summit. The keynote will be on ‘The Crisis in Information Security’ and the technical talk on Microsoft’s Security Development Lifecycle. As I think about how to deliver […]

 

TSA Kills Bad Program!

The government is scrapping a post-Sept. 11, 2001, airport screening program because the machines did not operate as intended and cost too much to maintain. The so-called puffer machines were deployed to airports in 2004 to screen randomly selected passengers for bombs after they cleared the standard metal detectors. The machines take 17 seconds to […]

 

Web 2.0 and the Federal Government

This looks interesting, especially in light of the launch of data.gov: The Obama campaign—and now the Obama administration—blazed new trail in the use of Web 2.0 technology, featuring videos, social networking tools, and new forms of participatory and interactive technology. This event will feature government, technology, and new media leaders in addressing the special challenges […]

 

Giving Circles and de Tocqueville

There was an interesting story on NPR the other day about “giving circles.” It’s about groups of people getting together, pooling their money, investigating charities together, and then giving money. The story mentions how the increasing bureaucratization* of fund-raising leads to groups whose involvement is “I write them a cheque each year.” It also mentions […]

 

Secret Questions

Congratulations to Stuart Schechter, A. J. Bernheim Brush (Microsoft Research), Serge Egelman (Carnegie Mellon University). Their paper, “It’s No Secret. Measuring the Security and Reliability of Authentication via ‘Secret’ Questions” has been Slashdotted. It’s really good research, which Rob Lemos covered in “Are Your “Secret Questions” Too Easily Answered?”

 

Can't Win? Re-define losing the TSA Way!

We were surprised last week to see that the GAO has issued a report certifying that, “As of April 2009, TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program and had conditionally achieved 1 condition (TSA had defined plans, but had not completed all activities […]

 

Just Landed in…

Just Landed: Processing, Twitter, MetaCarta & Hidden Data: This got me thinking about the data that is hidden in various social network information streams – Facebook & Twitter updates in particular. People share a lot of information in their tweets – some of it shared intentionally, and some of it which could be uncovered with […]

 

Need ID to see Joke ID card

A bunch of folks sent me links to this Photography License, which also found its way to BoingBoing: Now, bizarrely, if you visit that page, Yahoo wants you to show your (Yahoo-issued) ID to see (Matt’s self-issued) ID. It’s probably a bad idea to present a novelty version of a DHS document to law enforcement. […]

 

First International Alternative Workshop on Aggressive Computing and Security

Thinking security can not be done without adopting a preferential mode of thought of the attacker. A system cannot be defended if we do not know how to attack it. If the theory is still an interesting approach to formalize things, the operational approach must be the ultimate goal: to talk about security is meaningless […]

 

European View on Breaches

I hadn’t seen this article by Peter Hustinix when it came out, but it’s important. He says that “All data breaches must be made public:” The good news is that Europe’s lawmakers want to make it obligatory to disclose data breaches. The bad news is that the law will not apply to everyone. Those exemptions […]

 

Camera thanks!

An enourmous thank you to everyone who offered advice on what camera to get. I ended up with a Canon Rebel after heading to a local camera store and having a chance to play with the stabilization features. It may end up on ebay, but I’m confident I’ll get high quality pictures. If they’re great, […]

 

I wrote code for a botnet today

There’s a piece of software out there trying to cut down on blog spam, and it behaves annoyingly badly. It’s bad in a particular way that drives me up the wall. It prevents reasonable behavior, and barely blocks bad behavior of spammers. In particular, it stops all requests that lack an HTTP Referer: header. All […]

 

Camera advice bleg

I’m thinking about maybe getting a new camera. Before I say anything else let me say that I understand that sensor size and lens rule all else, and that size does matter, except when it’s megapixel count, which is a glamour for the foolish. That said, I’m off to South Africa in a few weeks, […]

 

Ban Whole Body Imaging

Congressman Jason Chaffetz has introduced legislation seeking a ban on Whole-Body Imaging machines installed by the Transportation Security Administration in various airports across America. Describing the method as unnecessary to securing an airplane, Congressman Chaffetz stated that the new law was to “balance the dual virtues of safety and privacy.” The TSA recently announced plans […]

 

Seattle Parking Monitoring

Seattle’s King5 TV reports on “Parking enforcement’s powerful new weapon:” An unassuming white sedan is the Seattle Police Department’s new weapon against parking violators. Just by driving down the street, George Murray, supervisor of SPD’s parking enforcement unit, can make a record of every parked car he passes. “What we’re doing here is we’re actually […]

 

Covering the Verizon Breach Report

As you probably know by now, the pattern of 1s and 0s on the cover of the 2009 Verizon Data Breach Investigations Report contains a hidden message. I decided to give it a whirl and eventually figured it out. No doubt plenty of people managed to beat me to it, as evidenced by the fact […]

 

Cybersecurity Review Turf Battle

Many at RSA commented on the lack of content in Melissa Hathaway’s RSA keynote. The Wall St Journal has an interesting article which may explain why, “Cybersecurity Review Sets Turf Battle:” President Barack Obama’s cybersecurity review has ignited turf battles inside the White House, with economic adviser Lawrence Summers weighing in to prevent what he […]

 

"No Evidence" and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those […]

 

"No Evidence" and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those […]

 

Security is about outcomes: RSA edition

So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at securosis and Stiennon’s network world blog, so I won’t try to do that. But I did I promise to tell you what I wanted to get […]

 

Little Bobby Drop tables

In 1999 Syse Data was converted to a limited liability company, and has since been trading under the name Syse Data AS[1]. As the names are so similar, searches for our company in the official Norwegian registry of just-about-anything (Brønnøysundregistrene) often resulted in potential customers looking up the wrong company. To prevent this confusion we […]

 

Congratulations, Open Security Foundation

The Open Security Foundation, creators of OSVDB and DataLossDB have won SC Magazine’s Editor’s Choice award for 2009. It’s well deserved. In other Open Security Foundation News, about a dozen people asked me how to get a stylin’ DataLossDB t-shirt. It’s pretty easy-donate. I think you get one at the $100 level.

 

Congratulations to the Social Security Blog award winners!

A huge congratulations to the winners of the Social Security Awards [on Wednesday] PaulDotCom won the Best Podcast Award, the crew at the SANS Internet Storm Center won the best Technical Blog award, the best Non-Technical Blog went to Richard Bejtlich of the TaoSecurity Blog, Sunbelt Security won the Best Corporate Blog and Mike Rothman […]

 

Security is about outcomes, not process (RSA edition)

So I’m getting ready to head over to RSA, and I’m curious. If you believe that “security is about outcomes, not about process,” what outcomes do you want from RSA? How will you judge if the conference was worthwhile?

 

s/green/secure/g

Don’t miss this fascinating article in the New York Times, “Why Isn’t the Brain Green?” You can read it for itself, but then you hit paragraphs like this: It isn’t immediately obvious why such studies are necessary or even valuable. Indeed, in the United States scientific community, where nearly all dollars for climate investigation are […]

 

Breach Notification Law Across the World

“Data Breach Noti?cation Law Across the World from California to Australia” by Alana Maurushat. From the abstract: The following article and table examine the specifics of data breach notification frameworks in multiple jurisdictions. Over the year of 2008, Alana Maurushat of the Cyberspace Law and Policy Centre, with research assistance from David Vaile and student […]

 

Who should be punished for torture?

Normally, I try to post funny bits over the weekend, but I can’t let this week’s news slip by. I have deeply mixed feelings about how to handle those who tortured. On the one hand, they were only following orders. On the other hand, they were following orders which clearly required contortions to see as […]

 

Off to the Moscone Center

Every year around this time, thousands of people converge on the Moscone Center in San Francisco for RSA. I had never given much thought to who Moscone was–some local politician I figured. I first heard about Harvey Milk in the context of the Dead Kennedys cover of I Fought The Law: The law don’t mean […]

 

Breaches Conference audio online

Back in March, the Berkeley Center for Law and Technology put on a great conference, the “Security Breach Notification Symposium.” It was a fascinating day, and the audio is now online.

 

Events don't happen in a Vacuum

Several commenters on yesterday’s post brought up the excellent point that its hard to talk about outcomes when you think you haven’t had any incidents. (“Consider the bank that had no attempted robberies this year”) Are you right? With a bank, it’s pretty easy to see most robberies. What’s more, we have the FBI showing […]

 

The New School Blog

I’m really excited to announce NewSchoolSecurity.com, the blog inspired by the book. I’ll be blogging with Alex Hutton, Chandler Howell and Brooke Paul. And who knows, maybe we’ll even get a post or two from Andrew? Emergent Chaos will continue. My posts here will be a little more on the privacy, liberty and economics end […]

 

Security is about outcomes, not about process

In some migration or another, this post was duplicated; the real post is at https://adam.shostack.org/blog/2009/04/security-is-about-outcomes-not-about-process/. Editing to avoid linkrot

 

Security is about outcomes, not about process

Nearly a decade ago Bruce Schneier wrote “Security is a process, not a product.” His statement helped us advance as a profession, but with the benefit of hindsight, we can see he’s only half right. Security isn’t about technology. Security is about outcomes, and our perceptions, beliefs and assurance about those outcomes. Here’s a quick […]

 

Statebook and Database State

So while Statebook is a pretty entertaining demo, “Database State” is a disturbing look at how real the underlying data collection is in the U.K. Via Boingboing.

 

It’s hard to change a market

This is quite possibly the DEA’s greatest success in disrupting the supply of a major illicit substance. The focus on disrupting the supply of inputs rather than of the drug itself proved extremely successful. This success was the result of a highly concentrated input supply market and consequently may be difficult to replicate for drugs […]

 

New Billboards for the UK

Make your own at http://jamesholden.net/billboard/. I was gonna wait for the weekend, but…via @alecmuffet

 

Flinging Money Around Never Works

Freeway Drivers Grab Money as Suspects Toss Thousands During Police Chase:” Thousands of dollars worth of hundred dollar bills brought rush hour to an abrupt halt on two San Diego freeways. Drug suspects tossed the money from their car as they were chased by police. Other drivers saw the money and stopped their cars on […]

 

Research Revealed Track at RSA

For the past few months, I’ve been working with the folks at the RSA Conference to put together a track entitled “Research Revealed.” Our idea is that security needs to advance by getting empirical, and bringing in a wide variety of analytic techniques. (Regular readers understand that Andrew Stewart and I brought these ideas together […]

 

Building Security In, Maturely

While I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model. Lots has been said, so I’d just like to quote one little bit: One could build a maturity model for software security theoretically (by pondering what organizations should […]

 

Deadline extended: Computers, Freedom & Privacy Research Showcase

This year’s Computers, Freedom and Privacy Conference will feature a research showcase in the form of a research poster session as well as a research panel that includes the authors of the best research posters. CFP is the leading policy conference exploring the impact of the Internet, computers, and communications technologies on society. For more […]

 

Mermaids!

Effects shop fulfills amputee’s mermaid dream:

 

I Know What I Know

and I’ll sing what he said. Ethan Zuckerman has two great posts lately: “From protest to collaboration: Paul Simon’s “Graceland” and lessons for xenophiles” and “Argentine economics and maker culture.” The Paul Simon post talks about the deep history of the Apartheid boycott, Paul Simon’s approach to creating Graceland. Graceland was a collaboration of the […]

 

Torture is a Best Practice

I was going to title this “Painful Mistakes: Torture, Boyd and Lessons for Infosec,” but then decided that I wanted to talk about torture in a slightly different way. The Washington Post reports that “Detainee’s Harsh Treatment Foiled No Plots” and [UK Foreign & Commonwealth Office] Finally Admits To Receiving Intelligence From Torture. From the […]

 

Mr Laurie – Don’t do that

Ben Laurie has a nice little post up “More Banking Stupidity: Phished by Visa:” Not content with destroying the world’s economies, the banking industry is also bent on ruining us individually, it seems. Take a look at Verified By Visa. Allegedly this protects cardholders – by training them to expect a process in which there’s […]

 

Suspect and Unusual Photographs

This picture was taken by 4 high school kids with no budget: The Telegraph has the story at Teens capture images of space with £56 camera and balloon. You can click the photo for their amazing Flickr page. It’s a good thing they were in Spain. In the UK, they’d probably have been arrested for […]

 

Would I self-publish?

A few weeks back, Dave Birch asked me if I’d publish my next book myself. I don’t think I would. I’m really happy with Karen Gettman and Jessica Goldstein at Addison Wesley, and I’ve convinced my co-authors for my next book that we should have a discussion about publishers. So why am I happy with […]

 

Best Practices?

The BBC reports that the UK Local Government Association has a new banned words list, including our favorite, “best practices.” Andrew asked me in email if this was a best practice, and I wrote back: Does it pass the seven whys test? Why did they ban the phrase? Because it’s meaningless business speak Why is […]

 

The Emergent Chaos of Kutiman

So when someone sent me a link to “The Mother of all Funk Chords,” they didn’t explain it, and I didn’t quite get what I was watching. What I was watching: …is a mash up of videos found on YouTube, turned into an entire album by an Israeli artist, Kutiman.

 

Identity is Mashed Up

I posted last month about Bob Blakely’s podcast with Phil Windley. Now (by which I really mean last month, wow I’m running behind!) Bob posts that the “Relationship Paper Now Freely Available,” and I’m embarrassed to say I stole Bob’s opening sentence. Now that I’ve actually read the paper, I’d like to remix the ideas […]

 

Joseph Ratzinger and Information Security

Joseph Ratzinger (a/k/a Benedict XVI) made some comments recently made some comments that got some press. In particular, as Reuters reports: “Pope in Africa reaffirms ‘no condoms’ against AIDS.” Quoting the story, “The Church teaches that fidelity within heterosexual marriage, chastity and abstinence are the best ways to stop AIDS.” Many of you are likely […]

 

"No Evidence" and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those […]

 

Understanding Users

Paul Graham has a great article in “Startups in 13 Sentences:” Having gotten it down to 13 sentences, I asked myself which I’d choose if I could only keep one. Understand your users. That’s the key. The essential task in a startup is to create wealth; the dimension of wealth you have most control over […]

 

All atwitter

In re-reading my blog post on twittering during a conference I realized it sounded a lot more negative than I’d meant it to. I’d like to talk about why I see it as a tremendous positive, and will be doing it again. First, it engages the audience. There’s a motive to pay close attention and […]

 

Tweet, tweet

A few weeks back, Pistachio twittered about How to Present While People are Twittering. I picked it up, and with the help of Quine, was getting comments from Twitter as I spoke. It was a fun experiment, and it’s pretty cool to be able to go back and look at the back channel. [Update: I […]

 

Open Thread

I’d give you a topic, but I’m taking Hilzoy’s advice and going Galt. I’ve taken ads off the blog, given up my lucrative contract for Harry Potter and the Half-Baked Firewall, and so turn this thread over to you with but a single request: civility. So what’s on your mind?

 

What Should FISA Look Like?

Jim Burrows is working to kick off a conversation about what good reform of US telecom law would be. He kicks it off with “What does it mean to “get FISA right”?” and also here. To “get it right”, let me suggest that we need: One law that covers all spying Require warrants when the […]

 

The Lastest Big Processor Breach

So it’s now roughly confirmed, except for a few denials from Visa. First there was CardSystems, then Heartland, and maybe there’s at least one more known-to-some criminal breach at a payments processor. A lot of security bloggers have been talking about this, but I figure another day, another breach. Can’t we just get some facts? […]

 

Leia With a Pearl Earring

This and other less subtle Star Wars/classical art mashups are at Star Wars as Classic Art. (Originally.) Thanks, Stepto!

 

Will People Ever Pay for Privacy, Redux

A few years back, I gave a talk titled “Will People Ever Pay for Privacy.” As they say, a picture is worth a thousand words: Tiger Woods’s Boat, Privacy, Attracts Plenty of Onlookers. Photo: Tiger Woods’ Yacht, TheLastMinute.

 

Facebook: Conform or else

Robert Scoble, discussing Facebook founder Mark Zuckerberg: He also said that his system looks for “outlying” behavior. He said if you behave like an average user you should never trigger the algorithms that will get you kicked off. Let’s be specific here: if you behave like the system’s Harvard undergraduate founders and primarily-male engineering staff […]

 

SDL Threat Modeling Tool 3.1.4 ships!

On my work blog, I wrote: We’re pleased to announce version 3.1.4 of the SDL Threat Modeling Tool. A big thanks to all our beta testers who reported issues in the forum! In this release, we fixed many bugs, learned that we needed a little more flexibility in how we handled bug tracking systems (we’ve […]

 

Security Breach Notification Symposium

Next Friday (March 6th) I’ll be speaking at the “Security Breach Notification Symposium:” A one-day symposium on identity theft and security breaches. Experts from law, government, computer science, and economics will discuss laws that protect personal information and suggest reforms to strengthen them. Although most agree that reforms are needed, leading thinkers clash on what […]

 

More on Privacy Contracts

Law Prof Dan Solove took the A-Rod question I posted, and blogged much more in depth in A-Rod, Rihanna, and Confidentiality: Shostack suggests that A-Rod might have an action for breach of contract. He might also have an action for the breach of confidentiality tort. Professor Neil Richards and I have written extensively about breach […]

 

Congratulations, Justin!

Justin Mason has won the 2009 Irish Blog Award for Best Technology Blog/Blogger. I don’t know how Justin manages to stay engaged with his blog and others while getting so much work done. When I say others, I mean this blog. Justin found Emergent Chaos back when it was a solo gig and I was […]

 

Don't put Peter Fleischer on Ice

Peter Fleischer is Google’s chief privacy counsel. I met Peter once at a IAPP event, and spoke pretty briefly. We have a lot of friends and colleagues in common. He’s now threatened with three years of jail in Italy. Google took under 24 hours to remove a video which invaded the privacy of someone with […]

 

A-Rod had a privacy contract, and so did you

In 2003 the deal was simple: The players would submit to anonymous steroid testing, and if more than 5 percent tested positive, real testing with real penalties would begin in 2004. But in 2003, the tests were going to be (A) anonymous and then (B) destroyed. Those were the rules of engagement, and in any […]

 

Three on the Value of Privacy

First, the Economist, “Everybody Does It:” WHY is a beer better than a woman? Because a beer won’t complain if you buy a second beer. Oops. There go your correspondent’s chances of working for Barack Obama, America’s president-elect. (Ironically, the Economist’s articles are all anonymous.) Second, Fraser Speirs, “On the Flickr support in iPhoto ‘09:” […]

 

MI5 Head Critiques Government on Liberties

The BBC reports: A former head of MI5 has accused the government of exploiting the fear of terrorism to restrict civil liberties. Dame Stella Rimington, 73, stood down as the director general of the security service in 1996…”Furthermore it has achieved the opposite effect – there are more and more suicide terrorists finding a greater […]

 

Javelin ID theft survey

Salon reports “Identity theft up, but costs fall sharply:” In 2008, the number of identity theft cases jumped 22 percent to 9.9 million, according to a study released Monday by Javelin Strategy & Research. The good news is that the cost per incident — including unrecovered losses and legal fees — fell 31 percent to […]

 

Closing the Collapse Gap

There’s a very interesting annotated presentation at “Closing the ‘Collapse Gap’: the USSR was better prepared for collapse than the US.” In it, Dmitry Orlov lays out his comparison between the USSR and the USA of 2006. Posting this now because a talk he gave at Long Now is getting lots of attention. In closely […]

 

AOL Search Documentary

Lernert Engelberts and Sander Plug have taken the AOL search data which AOL released “anonymously,” and made a movie with the searchs of user #711391. I Love Alaska, via Guerrilla Innovation. Worth checking out, but be warned, it’s a little on the languid side, using pacing and the voice to build the story. Also, note […]

 

$450 per account? No.

So there’s a claim going around, which is that I believe that a breach costs $450 per account. That claim is not accurate. What was said (and the interview was in email, so I can quote exactly): (Interviewer) The Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by […]

 

"A Scientific R&D Approach to Cyber Security"

Charlie Catlett, CIO of Argonne National Labs has released a report on “A Scientific R&D Approach to Cyber Security” (Powerpoint summary, community wiki). It’s a very interesting report. There’s a lot to agree with in terms of a research agenda. They’re looking to compose trustworthy systems from untrusted components, to create self-protective data and software, […]

 

Seattle Tech Universe

The Washington Technology Industry Association has released a very cool map of the Puget Sound Tech Universe. Here’s an excerpt:

 
 

Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder: Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. […]

 

First Impressions of the 2008 Ponemon Report

So the 2008 Ponemon breach survey is out and I’m reading through it, but I wanted to expand on the headline: “Ponemon Study Shows Data Breach Costs Continue to Rise.” This is the report’s figure 3: Left to right, those are “detection and escalation,” notification, “ex-post response” and “lost business.” I note that 2 fell, […]

 

Boundary Objects and Threat Modeling

Ethonomethodologists talk a lot about communities of practice. Groups of people who share some set of work that they do similarly, and where they’ll co-evolve ways of working and communicating. When everyone is part of a given community, this works really well. When we talk about “think like an attacker” within a community of security […]

 

Identities are Created Through Relationships

I’m listening to this really interesting podcast by Bob Blakley and Phil Windley. What really struck me was where Bob said “thinking of identity as an artifact all by itself is unsatisfactory because we can talk about an identity and the attributes of an identity leaves out important details about how identities are created and […]

 

But is it art?

Jackson Pollock.org. [Update: Click the picture. It’s only funny if you click the picture with Flash enabled. The site requires Flash.]

 

That's some fine discourse, Professor Froomkin

I just wanted to draw attention to the comments in Michael Froomkin’s blog post on “Cabinet Confirmation Mechanics.” I am delighted to have had ‘Jim’ concur with my Constitutional analysis by quoting the closing lines of Ulysses. I’m in awe of your commenters, Michael.

 

Politics and Money: Transparency and Privacy

(Or, the presentation of self in everyday donations) So I’ve had a series of fairly political posts about election finance, and in one of them, I said “I’d prefer that the rules avoidance be minimized, and I think transparency is the most promising approach there.” Well, in the interests of transparency, I need to comment […]

 

"EPC RFID Tags in Security Applications"

I just finished an interesting paper, K. Koscher, A. Juels, T. Kohno, and V. Brajkovic. “EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond.” In the paper, they analyze issues of cloning (easy) read ranges (longer than the government would have you believe) and `design drift’ (a nice way of saying […]

 
 

Request your travel records

Speaking of how you’re presented and perceived…”How to request your travel records,” by Ed Hasbrouck. By popular demand, I’m posting updated forms to request your PNR’s and other records of your international travel that are being kept by the U.S. Customs and Border Protection (CBP) division of the Department of Homeland Security (DHS)… If you […]

 

The Presentation of Self in Everyday Tweeting

Chris Hoff pointed to an interesting blog post from Peter Shankman. Someone* tweeted “True confession but I’m in one of those towns where I scratch my head and say ‘I would die if I had to live here!’” Well it turns out that… Not only did an employee find it, they were totally offended by […]

 

Photosynth and the inauguration

So what do you do with the million photos everyone took of the inauguration? Here at Emergent Chaos, we believe that we should throw them all in a massive blender, and see what emerges. A massive blender isn’t a very technical description of Photosynth, but it’s not a bad analogy. The project cleverly figures out […]

 

The New Openness?

This photograph was taken at 11:19 AM on January 20th. It’s very cool that we can get 1 meter resolution photographs from space. What really struck me about this photo was.. well, take a look as you scroll down… What really struck me about this is the open space. What’s up with that? Reports were […]

 

The New Administration and Security

Quoting first from Obama’s inaugural address: The question we ask today is not whether our government is too big or too small, but whether it works — whether it helps families find jobs at a decent wage, care they can afford, a retirement that is dignified. Where the answer is yes, we intend to move […]

 

A few Heartland links

Well, Mordaxus got the story, but I’ll add some links I found interesting or relevant. StoreFront BackTalk has From The Heartland Breach To Second Guessing Service Providers. Dave G at Matasano added “Heartland’s PCI certification.” The Emergent Chaos time travel team already covered that angle in “Massachusetts Analyzes its Breach Reports:” What’s exciting about this […]

 

Three short comments on the Inauguration

The reality that a black man is about to become President of the United States is both momentous and moving. It’s hard to say anything further on the subject that hasn’t been said and re-said, but I am simply proud that the pendulum has swung to someone like Obama. I’m excited to have an educated, […]

 

Children, Online Risks and Facts

There’s an interesting (and long!) “Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States.” Michael Froomkin summarizes the summary.” Adam Thierer was a member of the task force, and has extensive commentary on the primary online safety issue today […]

 

Emergent Forest

Moving Forest is a park on wheels. The park is made of trees in shopping carts that allow the public to rearrange their own little park. The forest is created by Dutch architect firm NL architects in response to the lack of green nature in contemporary urban environments – which in the case of the […]

 

Umami, or why MSG tastes so good

It’s appetizing news for anyone who’s ever wanted the savory taste of meats and cheeses without actually having to eat them: chemists have identified molecular mechanisms underlying the sensation of umami, also known as the fifth taste. … The umami receptor’s shape is similar to that of sweetness receptors, he said, and his team’s research […]

 

Privacy & Healthcare

One of the dirty little secrets of bad privacy law is that it kills. People who are not comfortable with the privacy of their medical care may avoid getting needed care. That’s why privacy features in the Hippocratic oath. But few people want to study this issue, and studying it is hard–people are likely to […]

 

"Get FISA Right" Pointer

[Update: This got to #5 on change.org’s list, and they’re now working to draw attention to the issue on change.gov.] Jon Pincus has asked me for help in drawing attention to his “Get FISA Right” campaign to get votes on change.org. When I’ve tried to look at this, it’s crashed my browser. YMMV–I use a […]

 

Massachusetts Analyzes its Breach Reports

In “Report On The M.G.L. Chapter 93H Notifications,” the Office of Consumer Affairs analyzes the breach notices which have come in. The report is a lot shorter than the “Maine Breach Study,” coming in at a mere four pages. There are many interesting bits in those four pages, but the two that really jumped out […]

 

Security Blog Awards

In “The Social Security Blogger Awards,” Alan Shimel asks for nominations for blogs. Ironically, to even see the site at http://www.socialsecurityawards.com/, you need to accept Javascript. I think we should have an award for “best vuln in the voting system.” But anyway, please take a minute to go vote. I’ll ask for your vote for […]

 

Protection Poker

Listening to Gary McGraw’s Silver Bullet #33, Laurie William mentioned protection poker. Protection poker, like planning poker isn’t really poker. Planning poker is a planning exercise, designed to avoid certain common pitfalls of other approaches to planning. The idea behind protection poker is to be a “informal form of misuse case development and threat modeling […]

 
 

Strange Maps

All from the Strange Maps blog. You could click on the pictures, but this blog is perfect Saturday afternoon “hey look at this” material.

 

Gary McGraw and Steve Lipner

Gary McGraw has a new podcast, “Reality Check” about software security practitioners. The first episode features Steve Lipner. It’s some good insight into how Microsoft is approaching software security. I’d say more, but as Steve says two or three good things about my threat modeling tool, you might think it some form of conspiracy. You […]

 

Reboot the FCC? No, debug the problem

Larry Lessig has a very interesting article in Newsweek, “Reboot the FCC.” The essence is that the FCC is inevitably bound by regulatory capture. He proposes a new agency with three tasks: “The iEPA’s first task would thus be to reverse the unrestrained growth of these monopolies.” “The iEPA’s second task should be to assure […]

 

ITRC Year End Report for 2008

The Identity Theft Resource Center (ITRC) released their year-end breach report: Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. Dissent of PogoWasRight has some analysis. I’ll take […]

 
 

Cryptol Language for Cryptography

Galois has announced “” Cryptol is a domain specific language for the design, implementation and verification of cryptographic algorithms, developed over the past decade by Galois for the United States National Security Agency. It has been used successfully in a number of projects, and is also in use at Rockwell Collins, Inc. … Cryptol allows […]

 

The Identity Divide and the Identity Archepelago

(I’d meant to post this in June. Oops! Chaos reigns!) Peter Swire and Cassandra Butts have a fascinating new article, “The ID Divide.” It contains a tremendous amount of interesting information that I wasn’t aware of, about how infused with non-driving purposes the drivers license is. I mean, I know that the ID infrastructure, is, […]

 

Choose your own prescription (glasses)

Silver has devised a pair of glasses which rely on the principle that the fatter a lens the more powerful it becomes. Inside the device’s tough plastic lenses are two clear circular sacs filled with fluid, each of which is connected to a small syringe attached to either arm of the spectacles. The wearer adjusts […]

 

Biometric Fail reported

A South Korean woman entered Japan on a fake passport in April 2008 by slipping through a state-of-the-art biometric immigration control system using special tape on her fingers to alter her fingerprints, it was learned Wednesday… During questioning, the woman allegedly told the immigration bureau that she had bought a forged passport from a South […]

 

Happy New Year!

Our new year’s resolution is to show a sense of childlike wonder at and acceptance of everything we come across, especially this year’s leap second. Incidentally, this post is scheduled to go live at 2008-12-31 23:59:60. Let’s see what happens! Update: Movable Type complained when I tried to save the post: “Invalid date ‘2008-12-31 23:59:60’; […]

 

Happy Newton, everyone!

In honor of Newton’s Birthday festival, I therefore propose the following song, to be sung to the tune of “The Twelve Days of Christmas.” For brevity, I include only the final verse. All together now! On the tenth day of Newton, My true love gave to me, Ten drops of genius, Nine silver co-oins, Eight […]

 

Gavle Goat Gone

The Gavle goat survived until the 27th this year, but as the BBC reports, “ Festive goat up in flames again.” Previously: “Goat Security,” “13 Meter Straw Goat Met His Match.”

 

I miss Montreal

When Seattle is covered in snow, it’s easy to miss Montreal. Now, folks in areas that get lots of snow like to make fun of Seattlites for being unable to handle a little snow, but it turns out that there’s another reason (beyond the steep hills) the city has a (ahem) unique approach: “Seattle refuses […]

 

At the tail end of the car series…

Originating from Wootton High School, the parent said, students duplic ate the license plates by printing plate numbers on glossy photo paper, using fonts from certain websites that “mimic” those on Maryland license plates. They tape the duplicate plate over the existing plate on the back of their car and purposefully speed through a speed […]

 

Earthrise

40 years ago, NASA released this first [human-taken] photo of the Earth from far away: [Update: The BBC has a nice story.]

 

News and Lessons from the Auto Market

“There are no hot segments,” said George Pipas, Ford’s market analyst. “And there really are no hot products.” So closes an article, “Automakers Report Grim October Sales.” GM, sales down 45%. Ford, -30%. Chrysler, -34.9%. Toyota, -23%. Honda -25%, Nissan -33%. MINI Cooper: Up 56.4%. Soon, Ford will be caring about MINI’s market of “only” […]

 

Designing Cars

I was struck by this quote in “Edgy, Yet Still Aerodynamic” an article in the New York Times about how new cars are being designed and tested: , To his surprise, in hundreds of tests at Ford’s Wind Tunnel 8 southwest of Detroit the original edges produced less drag than curved substitutes, Mr. Koester said. […]

 

This is the farewell shoe, you dog

Bloomberg is reporting that “Shoe Hurled at Bush Flies Off Turkish Maker’s Shelves : Baydan has received orders for 300,000 pairs of the shoes since the attack, more than four times the number his company sold each year since the model was introduced in 1999. The company plans to employ 100 more staff to meet […]

 

Thoughts on the Somali Pirates

Stratfor’s podcast on the seizure of that Saudi oil tanker contained a fascinating tidbit: merchant ships are no longer allowed to carry arms at all, which, of course, makes piracy far easier. This is a dramatic transformation of the rights of merchant ships. Historically, private ships carried weapons when sailing far out of their own […]

 

Citizens, Juries and other Balances

Following on my post on Parliaments, Dukes and Queens, I’d like to talk about other checks on the power of government, besides throwing tea into the harbor. In Britian, “a jury has failed to clear police in the death of Jean Charles de Menezes.” The jury is the first group who, frankly, has not whitewashed […]

 

Happy Boston Tea Party Day!

It was 235 years ago today that the Sons of Liberty threw tea into Boston harbor, and they still haven’t been able to clean the place up. Please join me in celebrating this most American response to taxation.

 

Of Parliaments, Dukes and Queens

Four interesting stories recently, all having to do with the ancient relationship between a sovereign and a parliament, or the relationship of hereditary rulership to democracy. I secretly admire the emergent forms of government which have proven stable despite their chaotic origins. I’m fascinated by these imperfectly republican nations like Canada and the United Kingdom, […]

 

As easy as dialing a phone

People often make the claim that something is “as intuitive as dialing the phone.” As I was listening to “Dave Birch interviewing Ben Laurie,” I was reminded of this 1927 silent film: Ben commented on people having difficulty with the CardSpace user interface, and it not being as intuitive as having your email address being […]

 
 

Working Through Screens

Jacob Burghardt has a very interesting new ebook, “Working Through Screens.” If one was to summarize the status quo, it might sound something like this: when it comes to interactive applications for knowledge work, products that are considered essential are not always satisfactory. In fact, they may be deeply flawed in ways that we commonly […]

 

Do Security Breaches Cost Customers?

Adam Dodge, building on research by Ponemon and Debix, says “Breaches Cost Companies Customers,” and Alan Shimel dissents in “Do data breaches really cost companies customers?” Me, I think it’s time we get deeper into what this means. First, the customers. Should they abandon a relationship because the organization has a security problem? To answer […]

 

Privacy Rights & Privacy Law

First, the European Court of Human Rights has ruled that the UK’s “DNA database ‘breach of rights’:” The judges ruled the retention of the men’s DNA “failed to strike a fair balance between the competing public and private interests,” and that the UK government “had overstepped any acceptable margin of appreciation in this regard”. The […]

 

Two Buck Barack

So the New York Times is breathless that “Obama Hauls in Record $750 Million for Campaign.” A lot of people are astounded at the scale of the money, and I am too. In a long, hard campaign, he raised roughly $2.50 per American, and spent slightly less than that. Unusually, he ended his campaign not […]

 

Eric Drexler blogging

At Metamodern.com. Way cool. I look forward to what he has to say. Unfortunately, one of his early posts falls into the trap of believing that “Computation and Mathematical Proof” will dramatically improve computer security: Because proof methods can be applied to digital systems, and in particular, will be able to verify the correctness (with […]

 

Happy Repeal Day!

Today is the 75th anniversary of the repeal of the blanket prohibition of alcohol sales in the United States. Go pour some Champagne, Cava, or fine California bubbly and read Radley Balko’s excellent “Lessons of Prohibition.” Photo: Jensen.Pernille. Thanks to Sama.

 

Videos of me

The employer has been posting them at a prodigious rate. There’s: “Threat Modeling at EMC and Microsoft,” Danny Dhillon of EMC and myself at BlueHat. Part of the BlueHat SDL Sessions. Also on threat modeling, Michael Howard and I discuss the new SDL Threat Modeling Tool Michael Howard and I also discussed the new SDL […]

 

The Costs of Fixing Problems

I enjoyed reading Heather Gerkin’s article: “The Invisible Election.” I am one of the few people to have gotten a pretty good view of the invisible election, and the reality does not match the reports of a smooth, problem-free election that have dominated the national media. As part of Obama’s election protection team, I spent […]

 

You versus SaaS: Who can secure your data?

In “Cloud Providers Are Better At Securing Your Data Than You Are…” Chris Hoff presents the idea that it’s foolish to think that a cloud computing provider is going to secure your data better. I think there’s some complex tradeoffs to be made. Since I sort of recoiled at the idea, let me start with […]

 

Virgin America

I flew Virgin Atlantic for the first time recently, for a day trip to San Francisco. I enjoyed it. I can’t remember the last time I actually enjoyed getting on a plane. The first really standout bit was when the Seattle ground folks put on music and a name that song contest. They handed out […]

 
 

Chaos in the Airports! Baa! Baa!

Some days the snark just writes itself: The group that created Smokey Bear and McGruff the Crime Dog has a new potential icon: Stephanie the airport screener. A $1.3 million ad campaign launched this month teams the Ad Council and the Transportation Security Administration trying to change behavior of passengers who no longer automatically accept […]

 

Travel Chaos

NARA (National Archives) published notice in the Federal Register on October 27, 2008, of TSA’s submission to them (see Schedule Pending #3) of a proposed Records Schedule for Secure Flight Program. The actual Proposed Schedule was not published in the Register, only notice that you can request it and file comments on whether NARA should […]

 

Crime in Barcelona

While having a wonderful time in Barcelona, I took the metro a fair amount. Over the course of 8 days, I saw 2 turnstile jumpers, (40€ fine) 3 smokers (30€ fine) and didn’t see as one friend got pick-pocketed (reported fine, one beating). So which crime annoyed me most? The apparently worthless invasion of privacy. […]

 

Quis custodiet ipsos custodes?

There have been a couple of interesting stories over the last week that I wanted to link together. Verizon Employees Snoop on Obama’s Cellphone Records (followed shortly by “Verizon fires workers over Obama cell phone records breach“) and “4 more Ohio officials punished in ‘Joe’ data search.” There’s a couple of things happening here. The […]

 

Tidying up Art

In “Tidying up Art” Ursus Wehrli tells the TED audience about not only how to tidy up art, but has a great example of how apparently simple instructions can very quickly lead chaos to emerge. And it’s pretty darn funny after the audience doesn’t know how to respond to his first couple of jokes.

 

Terrifying Financial Blacklists Falling Down

There’s a list, maintained by the UN security council, of people who can’t have their money. Once you’re on the list, there’s no way to get off. The global blacklisting system for financiers of al-Qaeda and other terrorist groups is at risk of collapse, undermined by legal challenges and waning political support in many countries, […]

 

Diverse Preferences for Privacy

A Wide Diversity of Consumer Attitudes about Online Privacy shows this picture of Flickr users setting privacy preferences: green is public (default) and red is private. I hope Flickr shares some of the underlying data. I don’t know what anyone would do with it, and there’s two ways to find out. One is to talk, […]

 

SDL Announcements

I’m in Barcelona, where my employer has made three announcements about our Security Development Lifecycle, which you can read about here: “SDL Announcements at TechEd EMEA.” I’m really excited about all three announcements: they represent an important step forward in helping organizations develop more secure code. But I’m most excited about the public availability of […]

 

Public Policy and InfoSec

…Armed with my favorite govie (who is actually the lead on this, I’m just a straphanger), The New School of Information Security (Hi Adam and Andrew), some government policy directives, and the National Strategy to Secure Cyberspace, I am teaching an Information Security Management and Public Policy class for Carnegie Mellon’s Heinz School. The more […]

 

CTO of the United States?

So Obama wants a CTO for the United States. The job description: Obama will appoint the nation’s first Chief Technology Officer (CTO) to ensure that our government and all its agencies have the right infrastructure, policies and services for the 21st century. The CTO will ensure the safety of our networks and will lead an […]

 

Chaos, My Desk and Dilbert

The Wall St Journal covers the latest management fad in “Neatness Counts at Kyocera and at Others in the 5S Club:” 5S is a key concept of the lean manufacturing techniques that have made makers of everything from cars to candy bars more efficient. The S’s stand for sort, straighten, shine, standardize and sustain. Lately, […]

 

Confirmation Bias and Newspaper Endorsements

We’ve been talking a lot lately about confirmation bias. It turns out that newspaper endorsements are more influential when they are unexpected. The degree of this influence, however, depends upon the credibility of the endorsement. In this way, endorsements for the Democratic candidate from left-leaning newspapers are less influential than are endorsements from neutral or […]

 

Checking in on the Security of Chequing

I remember a conversation back in 1995 or 1996 with someone who described to me how the Automated ClearingHouse (ACH) for checking worked. He explained that once you had an ACH merchant account, you sent in a message of roughly the form (src, dest, amount, reason) and money got moved. I argued with him that […]

 

It’s Morning in America

It’s hard to know what to say after an election that feels so momentous in so many different ways. So, I’ll start from the simple: congratulations to Obama on being elected the 44th President of the United States. Next, let’s add some chaos here and see what emerges. So what’s on your mind? And please, […]

 

The Purple States

As we go into what may well be another very long day of elections for the Presidency of the United States, I wanted to reprise two images from 2004: Click on either for more details and the context four years ago. Despite the electoral college, America isn’t a red country or a blue country, and […]

 

Thoughts about Democracy in America

There’s a place in de Tocqueville where he talks about America’s civic strength coming from the way we organize: those voluntary organizations which come together to solve a problem as a community. He pointed out that what we got from that was not merely that particular problem solved, but a sense of community and a […]

 

It was twenty years ago today

It was twenty years ago today Sgt. Morris taught the worms to play They’ve been going in and out of style But they’re guaranteed to last a while So may I introduce to you… the bug you’ve known for all these years Sgt. Morris Lonely worm club band We’re Sgt. Morris’ lonely worm club band, […]

 
 

Don’t Stay at the Renaissance Amsterdam Hotel

The night of September 29th, I had a room at the Renaissance Amsterdam hotel on Kattengat street. Actually I had two rooms, not that I slept in either of them. The first had too much street noise, and windows that didn’t block out the sound. The second, well, I woke up at 7.30 AM from […]

 
 

Experience and Decision Making

Following on our satirical endorsement of McCain-Palin yesterday, I’d like to talk a little about the experience argument, that is, that Obama lacks the experience to be President. This may well be true. I’d prefer someone with extensive executive experience, ideally running a state, experience matters in one very specific way: it may help you […]

 

Emergent Chaos: For McCain Palin

As we come to the close of the longest campaign in American history, it is time to make a call on who to vote for. In these turbulent and chaotic times, America needs a candidate who will cause more chaos to emerge. Now is not the time for calm and reasoned leadership. Now is not […]

 

Responses to Terror: Boston and Ashdod, Israel

An Israeli teenager has been arrested after he donned a mask and prowled the streets of his town with a big rucksack and toy gun for a school project. The boy, 15, was seized by police in the southern town of Ashdod suspecting he was a Palestinian militant. The student was quoted as saying he […]

 

CTOs, Product Management and Program Management

In “The product manager’s lament,” Eric Ries writes about his view of product managers: Let’s start with what the product manager does. He’s supposed to be the person who specifies what the product will do. He writes detailed specs which lay out exactly what features the team should build in its next iteration. These specs […]

 

100 Mile Constitution Free Zone

Government agents should not have the right to stop and question Americans anywhere without suspicion within 100 miles of the border, the American Civil Liberties Union said Wednesday, pointing attention to the little known power of the federal government to set up immigration checkpoints far from the nation’s border lines. The government has long been […]

 

Insecurity Theatre

“It’s been in the back of my mind since you first came in: How do you get the missile on the trailer into Manhattan?” federal Judge William Pauley III asked. Sachs, from West Babylon, said cops just laughed as he passed through the Queens Midtown Tunnel on his way into the city Sept. 8. Sachs […]

 

Fake Fish and Security

There was a very interesting article in the New York Times, “Fish Tale has DNA Hook,” in which two high school students used DNA testing to discover that nearly 1/4 of the sushi they tested and identified was mis-labeled. The article only identifies one of the vendors: Dr. Stoeckle was willing to divulge the name […]

 

"Secure Flight" now part of the Bush Administrations Legacy

We welcome the Bush administration’s continuing dedication to excellence and security in developing clear and appropriate rules to prevent terrorists from flying: In this respect, there are major discrepancies between the (nonbinding) description at the start of the regulatory notice issued today, and the actual regulations that follow it (the last 20 pages of the […]

 

Canadian Privacy and Private Action

In reading Arthur’s post on “Canadian PM FAIL,” I was thinking of the odds that this would be investigated and dealt with under Canadian privacy law. Now, I’m not an expert on that, but my recollection is that the main private sector law, PIPED complements a Federal Privacy Act which would likely be the relevant […]

 

Buffer Overflows and History: a request

One of my long-term interests in security is the ongoing cost of secrecy. My current favorite example is the stack smashing buffer overflow. These were known and understood no later than 1972, and clearly documented in James P. Anderson’s Computer Security Technology Planning Study: The code performing this function does not check the source and […]

 

Discipline and Art

Stephan Bugaj has a fascinating article up, “Steve Kurtz: Tactical Art.” I wanted to tie this to my post “The Discipline of ‘think like an attacker’” Kurtz only briefly mentioned his four year ordeal with the Department of Justice (this is also a good article about it), and only as a single exemplar of his […]

 
 

Buffett Vs Paulson

I was listening to Joseph Stiglitz on NPR this morning, and he had a very interesting comparison. (Quoting from an op-ed in the Guardian): For all the show of toughness, the details suggest the US taxpayer got a raw deal. There is no comparison with the terms that Warren Buffett secured when he provided capital […]

 

The Costs of Secrecy

Security continues to be crippled by a conspiracy of silence. The ongoing costs of not talking about what’s going wrong are absolutely huge, and today, we got insight into just how huge. Richard Clayton and Tyler Moore of Cambridge University have a new paper on phishing, “The consequence of non-cooperation in the fight against phishing.” […]

 

Investing in the finance crisis

The Wall Street domino has toppled just about everything in sight: U.S. stocks large and small, within the financial industry and outside of it; foreign stocks; oil and other commodities; real-estate investment trusts; formerly booming emerging markets like India and China. Even gold, although it has inched up lately, has lost 10% from its highs […]

 

Security is an Empirical and Social Science

In reading Mordaxus’ post “Quantum Crypto Broken Again,” I was struck by his comment: It is a serious flaw because one of the main arguments about quantum cryptography is that because it is “physics” based as opposed to “computer” based, that it is more secure than software cryptography.” Firstly, security is almost always an outcome […]

 

Open thread

What’s on your mind in October?

 
 

Experiences Threat Modeling at Microsoft

A little bit of cross-polination between blogs: Adam Shostack here. Last weekend, I was at a Security Modeling Workshop, where I presented a paper on “Experiences Threat Modeling at Microsoft,” which readers of [the Microsoft Security Development Lifecycle] blog might enjoy. So please, enjoy!

 

"No evidence the data was misused"

The next time you read a statement that a breached entity has found no evidence of data misuse, remember this: data may have been misused even though entities are unaware of it. Tim Wilson of Dark Reading provides a current example of why entities should inform customers, this one involving the T-Mobile breach that affected […]

 

Researchers Two-Faced over Facebook Data Release

[Update: Michael Zimmer points out that it wasn’t Facebook, but outside researchers who released the data.] I wanted to comment quickly on an interesting post by Michael Zimmer, “ On the “Anonymity” of the Facebook Dataset.” He discusses how A group of researchers have released a dataset of Facebook profile information from a group of […]

 

What's in a name(less)?

Me! I had a great time in a conversation with Dennis Fisher which is now up on his nameless security podcast: Adam Shostack on privacy, data breaches and “The New School of Information Security” Check it out. Update: Amazon seems to be having trouble keeping The New School in stock. (Thank you!!!) Addison Wesley has […]

 

Monsieur Vuitton, I’m ready for my closeup!

This is the window of a Louis Vuitton store. I found it tremendously striking, and so took some pictures. Setting aside the direct message of “everyone will look at this bag,” I thought what’s interesting is the technological replacement of self with avatar. As if the designer is saying “we no longer want to be […]

 
 

What’s in a name? A Candidate by any other name…

For those who haven’t been listening closely to their NPR, it turns out that there are at least eight Barack Obamas running for election in Brazil this year. Yes, you heard that right. Under Brazilian law, it turns out, candidates are allowed to run for office under any name, as long as it’s not offensive. […]

 

Regulations, Risk and the Meltdown

There are obviously a large set of political questions around the 700+ billion dollars of distressed assets Uncle Sam plans to hold. If you care about the politics, you’re already following in more detail than I’m going to bother providing. I do think that we need to act to stem the crisis, and that we […]

 

Adam on CS TechCast

I did a podcast with Eric and Josh at CS Techcast. It was lots of fun, and is available now: link to the show Welcome to another CSTechcast.com podcast for IT professionals. This week we interview Adam Shostack, author of The New School of Information Security about the essentials IT organizations need to establish to […]

 

2008 Breaches: More or More Reporting?

Dissent has some good coverage of an announcement from the ID Theft Resource Center, “ITRC: Breaches Blast ’07 Record:” With slightly more than four months left to go for 2008, the Identity Theft Resource Center (ITRC) has sent out a press release saying that it has already compiled 449 breaches– more than its total for […]

 

The Discipline of "think like an attacker"

John Kelsey had some great things to say a comment on “Think Like An Attacker.” I’ve excerpted some key bits to respond to them here. Perhaps the most important is to get the designer to stop looking for reasons attacks are impossible, and start looking for reasons they’re possible. That’s a pattern I’ve seen over […]

 

TSA Badges

9Wants to Know has uncovered a new policy that allows airport screeners at Denver International Airport to bypass the same security screening checkpoints that passengers have to go through. … The new policy says screeners can arrive for work and walk behind security lines without any of their belongings examined or X-rayed. … At DIA, […]

 

Think Like An Attacker?

One of the problems with being quoted in the press is that even your mom writes to you with questions like “And what’s wrong with “think like an attacker?” I think it’s good advice!” Thanks for the confidence, mom! Here’s what’s wrong with think like an attacker: most people have no clue how to do […]

 

SDL Press Tour Announcements

Steve Lipner and I were on the road for a press tour last week. In our work blog, he writes: Last week I participated in a “press tour” talking to press and analysts about the evolution of the SDL. Most of our past discussions with press and analysts have centered on folks who follow security, […]

 

Applied Security Visualization

Our publisher sent me a copy of Raffael Marty‘s Applied Security Visualization. This book is absolutely worth getting if you’re designing information visualizations. The first and third chapters are a great short intro into how to construct information visualization, and by themselves are probably worth the price of the book. They’re useful far beyond security. […]

 

More on Confirmation Bias

Devan Desai has a really interesting post, Baffled By Community Organizing: First, it appears that hardcore left-wing and hardcore right-wing folks don’t process new data. An fMRI study found that confirmation bias — “whereby we seek and find confirmatory evidence in support of already existing beliefs and ignore or reinterpret disconfirmatory evidence” — is real. […]

 

No Privacy Chernobyls

Over at the Burton Identity and Privacy Strategies blog, there’s a post from Ian Glazer, “Trip report from the Privacy Symposium,” in which he repeats claims from Jeff Rosen: I got to hear Jeffery Rosen share his thoughts on potential privacy “Chernobyls,” events and trends that will fundamentally alter our privacy in the next 3 […]

 

Things only An Astrologist Could Believe

There’s a really funny post on a blog titled “Affordable Indian Astrology & Vedic Horoscope Provider:” Such a choice of excellent Muhurta with Chrome release time may be coincidental, but it makes us strongly believe that Google may not have hesitated to utilize the valuable knowledge available in Vedic Astrology in decision making. This is […]

 
 

Hans Monderman and Risk

Zimran links to an excellent long article on Hans Monderman and then says: When thinking about human behavior, it makes sense to understand what people perceive, which may be different from how things are, and will almost certainly be very different from how a removed third party thinks them to be. Traffic accidents are predominantly […]

 

TSA’s Brand

Passing through Portland’s PDX Airport, I was struck by this ad for SeaPort Airlines: Things are pretty bad for TSA when right after “faster travel,” a company lists “No TSA” as its second value proposition. (Bottom left corner.) It’s actually sort of impressive how much hate and resentment the TSA has built in the few […]

 

44 Years

Mary Dudziak posted the testimony of Fannie Lou Hamer before the credentials committee of the 1964 Democratic convention. It’s worth reading in full: Mr. Chairman, and to the Credentials Committee, my name is Mrs. Fannie Lou Hamer, and I live at 626 East Lafayette Street, Ruleville, Mississippi, Sunflower County, the home of Senator James O. […]

 

Lessons for security from "Social Networks"

There are a couple of blog posts that I’ve read lately that link together for me, and I’m still working through the reasons why. I’d love your feedback or thoughts. A blogger by the name of Lhooqtius ov Borg has a long screed on why he doesn’t like the “Social Futilities.” Tyler Cowan has a […]

 

TSA Breaks Planes (and a link to infosec)

Aero News Network has a fascinating story, “ANN Special Report: TSA Memo Suggests That Agency ‘Encourages’ Damaging Behavior.” It covers how a TSA goon climbed up a plane using equipment marked “not a handhold,” damaging it and putting the flying public at risk. It continues: While this may be terrifying on a number of levels, […]

 

Authenticating Alan Shimel is Certifiably Hard

Alan Shimel got hacked, and he’s blogging about it, in posts like “I’m back.” It sounds like an awful experience, and I want to use it to look at authentication and certificates. None of this is intended to attack Alan in any way: it could happen to any of us. One of the themes of […]

 

Diebold/Premier vote dropping

A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges. The problem was identified after complaints from Ohio elections officials following the March primary there, but the logic error that is […]

 

King Log or King Brutalist

A Christian Science church near the White House filed suit against the city on Thursday, accusing it of trammeling religious freedom by declaring the church a historic landmark and refusing to allow church leaders to tear it down. The building, a stark structure with walls that soar toward the sky, is an eyesore or a […]

 

I’m Certifiably Wrong

So there’s some great discussion going on in the comments to “Certifiably Silly,” and I’d urge you to read them all. I wanted to respond to several, and I’ll start with Frank Hecker: Could we take the cost issue out of this equation please … [Adam: I’m willing to set it aside, because the conversation […]

 

Certifiably Silly

Over at “The Security Practice,” Michael Barrett writes about “Firefox 3.0 and self-signed certificates.” Neither he or I are representing our respective employers. …almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only […]

 

Congratulations to Raffy!

His book, Applied Security Visualization, is now out: Last Tuesday when I arrived at BlackHat, I walked straight up to the book store. And there it was! I held it in my hands for the first time. I have to say, it was a really emotional moment. Seeing the product of 1.5 years of work […]

 

That's an address I haven't used in a very long time.

Well, I got a letter from BNY Mellon, explaining that they lost my data. The most interesting thing about it, I think, is where it was sent, which is to my mom. (Hi Mom!) I had thought that I’d moved all of my financial statements to an address of my own more than a decade […]

 

Watchlist Cleaning Law

Former South African President Nelson Mandela is to be removed from U.S. terrorism watch lists under a bill President Bush signed Tuesday… The bill gives the State Department and the Homeland Security Department the authority to waive restrictions against ANC members. This demonstrates that greater scrutiny must be placed on the decisions about who gets […]

 

Privacy Enhancing Technologies and Threat Modeling

Steven Murdoch and Robert Watson have some really interesting results about how to model the Tor network in Metrics for Security and Performance in Low-Latency Anonymity Systems (or slides). This is a really good paper, but what jumped out at me was their result, which is that the right security tradeoff is dependent on how […]

 

Solove’s Understanding Privacy

Dan Solove sent me a review copy of his new book, “Understanding Privacy.” If you work in privacy or data protection either from a technology or policy perspective, you need to read this book and understand Solove’s approach. That’s not to say it’s perfect or complete, but I think it’s an important intellectual step forward, […]

 

Aleksandr Solzhenitsyn, RIP

The author of The Gulag Archipelago and other important works on the barbarity of the Soviet Union passed away today. Aleksandr Solzhenitsyn was 89. My sympathies to his family and friends.

 
 

SOUPS 2008, summarized

I really appreciate the way that Richard Conlan has in-depth blogged all of the sessions from the 2008 Symposium on Usable Privacy and Security. The descriptions of the talks are really helpful in deciding which papers I want to dig into. More conferences should do this. There’s only one request I’d make: There’s no single […]

 

What do you want to know about SDL Threat Modeling?

Over on my work blog, I asked: I’m working on a paper about “Experiences Threat Modeling at Microsoft” for an academic workshop on security modeling. I have some content that I think is pretty good, but I realize that I don’t know all the questions that readers might have. So, what questions should I try […]

 

Call Centers Will Get More Annoying

There’s an article in “destination CRM,” Who’s Really Calling Your Contact Center? …the identity questions are “based on harder-to-steal information” than public records and credit reports. “This is much closer to the chest than a lot of the public data being used in other authentication systems,” she says, adding that some companies using public data […]

 

Silver Bullet podcast transcript

I know there’s a lot of people who prefer text to audio. You can skim text much faster. But there are also places where paper or screens are a pain (like on a bus, or while driving). So I’m excited that the Silver Bullet Podcast does both. It’s a huge investment in addressing a variety […]

 

Congratulations to the PET Award Winners

Congratulations to Arvind Narayanan and Vitaly Shmatikov! Their paper, “Robust De-Anonymization of Large Sparse Datasets,” has been awarded the 2008 Award for Outstanding Research in Privacy Enhancing Technologies. My employer has a press release which explains how they re-identified data which had been stripped of identifiers in the Netflix dataset. In their acceptance remarks, they […]

 

London’s New Transit Card

Transport for London is trying to get as many people as possible to use Oyster Cards. They are cheaper — and theoretically easier to use — than traditional tube / bus tickets. However, using one means that TfL has a record of your journeys on the transport system, which is something that not everybody is […]

 
 

Breaches & Human Rights in Finland

The European Court of Human Rights has ordered the Finnish government to pay out €34,000 because it failed to protect a citizen’s personal data. One data protection expert said that the case creates a vital link between data security and human rights. The Court made its ruling based on Article 8 of the European Convention […]

 

Off to Belgium

I’m getting ready to leave for the 2008 Privacy Enhancing Technologies Symposium. I love this event, and I’m proud to have been involved since Hannes Federrath kicked it off as a workshop on design issues anonymity and unobservability. I’m also happy that Microsoft has continued to sponsor an award for outstanding research in Privacy Enhancing […]

 

Putting the fun back in threat modeling

I have an article in the latest MSDN magazine, “Reinvigorate your threat modeling process:” My colleague Ellen likes to say that everyone threat models all the time. We all threat model airport security. We all threat model our homes. We think about threats against our assets: our families, our jewelry, and our sentimental and irreplaceable […]

 

Writing a book: The Proposal

To start from the obvious, book publishers are companies, hoping to make money from the books they publish. If you’d like your book to be on this illustrious list, you need an idea for a book that will sell. This post isn’t about how to come up with the idea, it’s about how to sell […]

 

Security & Human Behavior

There’s a huge amount of interesting stuff from a recent workshop on “Security & Human Behavior.” Matt Blaze has audio, and Ross Anderson has text summaries in the comments on his blog post. Also, see Bob Sullivan, “How magic might finally fix your computer”

 
 
 

The Recent History of the Future of Cash

Dave Birch has a really interesting post about The future of the future of cash: The report also identifies three key attributes of cash that make it — still — the dominant payment system. Universality, trust and anonymity. I’m curious about the location of anonymity in the customer mindset and I’m going to post some […]

 

Richard Feynman and The Connection Machine

There’s a fascinating article at The Long Now Foundation, “Richard Feynman and The Connection Machine,” by Danny Hillis. It’s a fun look into the interactions of two of the most interesting scientist/engineers of the last 40 years.

 

Writing a book: technical tools & collaboration

When Andrew and I started writing The New School, we both lived in Atlanta, only a few miles apart. We regularly met for beer or coffee to review drafts. After I moved to Seattle, our working process changed a lot. I wanted to talk both about the tools we used, and our writing process. We […]

 

Maryland Breach Notices

Case Number Date Received Business Name No. of MD residents Total breach size Information breached How breach occurred 153504 06/09/08 Argosy University name, social security number, addresses Laptop computer stolen from employee of SunGard Higher Education Maryland Information Security Breach Notices are put online by the most-forward looking Douglas F. Gansler, attorney general. I’m glad […]

 

Freakonomics and Data

There’s a really interesting article in the New Republic, “Freaks and Geeks:” In 2000, a Harvard professor named Caroline Hoxby discovered that streams had often formed boundaries to nineteenth-century school districts, so that cities with more streams historically had more school districts, even if some districts had later merged. The discovery allowed Hoxby to show […]

 

In Congress Assembled, July 4, 1776

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

 

On Banking Security

Dave Maynor comments: Blizzard is going to sell a One Time Password device…Isn’t it kind of funny when an online game has better security than most banks? Blizzard Entertainment, Inc. today introduced an optional extra layer of security for World of Warcraft®, its award-winning massively multiplayer online role-playing game. Designed to attach to a keychain, […]

 
 

UK Passport Photos?

2008 and UK passport photos now have the left eye ‘removed’ to be stored on a biometric database by the government. It’s a photo that seems to say more to me about invasion of human rights and privacy than any political speech ever could. Really? This is a really creepy image. Does anyone know if […]

 

You Have Confused Me for the Last Time!

I love these boots, via “BoingBoing gadgets.” They’re transgressive on so many levels. Star Wars geek versus fashion. Military versus sexy. I’m glad George Lucas isn’t an obsessive control freak who hunts down anyone who adopts the visual language that he created.

 
 

Network Security Podcast #109, featuring Adam

I’m the guest on the latest episode of Martin McKeay and Rich Mogull’s Network Security podcast. It was a lot of fun to record, I hope you enjoy listening to it. [Link fixed.]

 

I’d bet on security prediction markets

In his own blog, Michael Cloppert writes: Adam, and readers from Emergent Chaos, provided some good feedback on this idea. Even though the general response is that this wouldn’t be a supportable approach, I appreciate the input! This helps me focus my research intentions on the most promising theories and technologies. I’m glad my readers […]

 

Science isn't about Checklists

Over at Zero in a Bit, Chris Eng has a post, “Art vs. Science“: A client chastised me once for making a statement that penetration testing is a mixture of art and science. He wanted to believe that it was completely scientific and could be distilled down to a checklist type approach. I explained that […]

 

Water on Mars!

Mars Phoenix Tweets: “We Have ICE!” And yes, they really did announce on Twitter and a press release.

 

R-E-S-E-P-C-T! Find out what it means to me

The TSA apparently is issuing itself badges in its continuing search for authority. The attire aims to convey an image of authority to passengers, who have harassed, pushed and in a few instances punched screeners. “Some of our officers aren’t respected,” TSA spokeswoman Ellen Howe said. … A.J. Castilla, a screener at Boston’s Logan Airport […]

 

Identity Theft is more than Fraud By Impersonation

In “The Pros and Cons of LifeLock,” Bruce Schneier writes: In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information […]

 

How much work is writing a book?

There’s a great (long) post by Baron Schwartz, “What is it like to write a technical book?” by the lead author of “High Performance MySQL.” There’s a lot of great content about the process and all the but I wanted to respond to this one bit: I can’t tell you how many times I asked […]

 

Can You Hear Me Now?

Debix, Verizon, the ID Theft Research Center and the Department of Justice have all released really interesting reports in the last few days, and what makes them interesting is their data about what’s going wrong in security. This is new. We don’t have equivalents of the National Crime Victimization Surveys for cyberspace. We don’t have […]

 

Department of Justice on breach notice

There’s an important new report out from the Department of Justice, “Data Breaches: What the Underground World of “Carding” Reveals.” It’s an analysis of several cases and the trends in carding and the markets which exist. I want to focus in on one area, which is recommendations around breach notification: Several bills now before Congress […]

 

What’s up with the "New and Used" Pricing on Amazon?

So having a book out, you start to notice all sorts of stuff about how Amazon works. (I’ve confirmed this with other first time authors.) One of the things that I just can’t figure out is the pricing people have for The New School. There’s a new copy for 46.43. A mere 54% premium over […]

 

Security Prediction Markets: theory & practice

There are a lot of great comments on the “Security Prediction Markets” post. There’s a tremendous amount of theorizing going on here, and no one has any data. Why don’t we experiment and get some? What would it take to create a market in breach notification prediction? Dan Guido said in a comment, “In security, […]

 

Praises for the TSA

We join our glorious Soviet brothers of the TSA in rejoicing at the final overthrow of the bourgeoisie conception of “liberty” and “freedom of expression” at the Homeland’s airports. The People’s Anonymous Commissar announced: This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining […]

 

Security Prediction Markets?

In our first open thread, Michael Cloppert asked: Considering the contributors to this blog often discuss security in terms of economics, I’m curious what you (and any readers educated on the topic) think about the utility of using prediction markets to forecast compromises. So I’m generally a big fan of markets. I think markets are, […]

 

The Emergent Chaos of the Elections

First, congratulations to Barack Obama. His organization and victory were impressive. Competing with a former President and First Lady who was the shoo-in candidate is an impressive feat. I’d like to talk about the Obama strategies and a long chaotic campaign in two ways. First in fund-raising and second, on the effects of a long […]

 

Supreme Court Narrows "Money Laundering"

The Supreme Court narrowed the application of the federal money-laundering statute on Monday, ruling for criminal defendants in two cases in which prosecutors had employed broad definitions of two of the law’s major provisions. The two rulings are likely to crimp the government’s ability to bring money-laundering cases, although not necessarily to the degree that […]

 

In the "couldn't have happened to a better set of people" department…

Fifteen people have escaped unharmed in the US state of Indiana after a sky-diving plane lost power 7,000ft (2,100m) from the ground. The pilot told the 14 skydivers on board to jump to safety, then crash-landed the plane. And the pilot was un-injured, according to the AP story. From Skydiving plane fails at 7,000ft, BBC. […]

 

8th Pet Symposium Early Registration Deadline

We kindly invite you to attend the next PET Symposium, that will take place in Leuven (Belgium) on July 23-25, 2008. The PET Symposium is the leading international event for the latest research on privacy and anonymity technologies. This year, four other events are co-located with PETS 2008, including the Workshop On Trustworthy Elections (WOTE […]

 

Open thread

What the heck. Let’s see what happens. Comment on what you will.

 

CSO’s FUD Watch

“Introducing FUD Watch:” Most mornings, I start the work day with an inbox full of emails from security vendors or their PR reps about some new malware attack, software flaw or data breach. After some digging, about half turn out to be legitimate issues while the rest – usually the most alarming in tone – […]

 

Does the UK need a breach notice law?

Chris Pounder has an article on the subject: In summary, most of the important features of USA-style, security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly loose personal data or fail to encrypt personal data when they should have done. Individuals […]

 

Visualizing Risk

I really like this picture from Jack Jones, “Communicating about risk – part 2:” Using frequency, we can account for events that occur many times within the defined timeframe as well as those that occur fewer than once in the timeframe (e.g., .01 times per year, or once in one hundred years). Of course, this […]

 

The Costs of Security and Algorithms

I was struck by this quote in the Economist special report on international banking: There were navigational aids to help investors but they often gave false comfort. FICO scores, the most widely used credit score in America, were designed to assess the creditworthiness of individual borrowers, not the quality of pools of mortgages. “’Know your […]

 

New School Reviews

Don Morrill, IT Toolbox: If you want to read a book that will have an influence on your information security career, or if you just want to read something that points out that we do need to do information security differently, then you need to go pick up a copy of “The new school of […]

 

"The Black Hat Tax?" Show me the money

A number of people have sent me links to “Black Hat Tariffs – The Black Hat Taxes on consumer Internet companies are on the rise:” In May 2006, I made mention of the Black Hat Tax, in which most consumer Internet sites have an inherent time, resource, and mindshare tax of roughly 25% due to […]

 

To the moon!

In name only, but NASA will be sending a database of names to the moon on the forthcoming Lunar Reconnaissance Orbiter. You can add yours. Oh, the name? seemed right when I wanted one with a quote in it. [Update: Securology posted “ Sending Bobby Tables to the Moon,” which is funnier, if more likely […]

 

Adam on "Silver Bullet Security" Podcast

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book […]

 

Let's not ask the experts?

Can Sips at Home Prevent Binges? is a fascinating article in the New York Times. It turns out there’s very solid evidence about this: “The best evidence shows that teaching kids to drink responsibly is better than shutting them off entirely from it,” he told me. “You want to introduce your kids to it, and […]

 

Check out these great blogs!

I’m excited and grateful to the Industry Standard for including us in their “Top 25 B-to-Z list blogs.” There’s some great stuff in there which I read, like “Information Aesthetics

 

6/16ths of Chileans personal information leaked by hacker

A hacker in Chile calling himself the ‘Anonymous Coward’ published confidential data belonging to six million people on the internet. Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records. Chile has a population of about 16 million, so that’s 3/8ths of the country. […]

 

Jack Jones on Risk Management

I really enjoyed watching the podcast version of a talk that Jack Jones gave at Purdue, “Shifting focus: Aligning security with risk management.” I liked the opener, about what it’s like for executives to talk to security professionals, and the difference between what might happen and what’s likely to happen. The screenshot is from a […]

 

Call me crazy?

There’s an article in the New York Times, “‘Mad Pride’ Fights a Stigma” “It used to be you were labeled with your diagnosis and that was it; you were marginalized,” said Molly Sprengelmeyer, an organizer for the Asheville Radical Mental Health Collective, a mad pride group in North Carolina. “If people found out, it was […]

 

Credit Bureaus and Outsourcing

The “I’ve Been Mugged” blog has a great three part series on outsourcing by credit bureaus: “Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1),” “part 2” and “part 3.” He digs deep into how extensively TransUnion outsources, and where. I went looking, and was surprised to see that […]

 

Security Cameras Functional

Use of CCTV images for court evidence has so far been very poor, according to Detective Chief Inspector Mick Neville, the officer in charge of the Metropolitan police unit. “CCTV was originally seen as a preventative measure,” Neville told the Security Document World Conference in London. “Billions of pounds has been spent on kit, but […]

 

Hiring Fraudsters?

PARIS — Jérôme Kerviel, the Société Générale trader who used his knowledge of the French bank’s electronic risk controls to conceal billions in unauthorized bets, has a new job — at a computer consulting firm. Mr. Kerviel, who was given a provisional release from prison on March 18, started work last week as a trainee […]

 

Spending to Protect Assets

There’s a story in the New York Times about a bike rental program in Washington DC. It’s targeted at residents, not tourists, and has a subscription-based model. Improved technology allows programs to better protect bicycles. In Washington, SmartBike subscribers who keep bicycles longer than the three-hour maximum will receive demerits and could eventually lose renting […]

 

Fasilyce, upon Reading

Dear Mr. Banks, Much as I enjoy your work, it is entirely dis-congruous to your readers to insert words known to neither the Oxford English Dictionary or the internet (as indexed here, here or here) whose meanings are not rapidly comprehensible. Thank you for your future attention to this matter. I remain, etc, etc.

 

Italy Posts Tax Return Data on Official Website

How much do you make? How surprised would you be to learn that your magic number had been posted on the Internet by the government? And that it was not by mistake, as in other recent breaches of privacy. How Much Do You Make? The Nation Already Knows. The data has already been removed from […]

 

Bush’s Law — Less Safe, Less Free

I’d like to review two recent books on the war on terror: “Bush’s Law: The Remaking of American Justice” by by Eric Lichtblau, and “Less Safe, Less Free: Why America Is Losing the War on Terror” by David Cole and Jules Lobel. Both are well written assaults on the way in which the Bush administration […]

 

Everybody Run, Crispin's Got a Blog

My buddy, collaborator and co-worker Crispin Cowan has started a blog. The first post is “Security Is Simple: Only Use Perfect Software.” [Update: Added a link to Crispin’s home page, because some readers apparently have trouble with a search engine.]

 

Who Watches the Watchlists?

The idea of “watchlists” has proliferated as part of the War on Terror. There are now more than 63 of them: As part of its regular “risk management” service, which provides screening, tracing, and identity and background checks on potential clients or trading partners, MicroBilt will now offer a “watch list” service that checks these […]

 

Good problems to have

You don’t have much credibility looking for a publisher for a book on rum when you’re sailing in the Caribbean drinking the best rums you can find in the name of research. Most people just didn’t take me seriously that there was even a need for a book on rum. It took quite a while […]

 

University of Miami: Good for the body, bad for the soul?

The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes. The other 2.1 million people, apparently, should be reassured, that their personal medical data was stolen, but the University feels it would be hard to read, and well, there’s no financial […]

 

Point Break, Live

The starring role of Johnny Utah is selected from the audience each night, and reads their entire script off of cue-cards. This method manages to capture the rawness of a Keanu Reeves performance even from those who generally think themselves incapable of acting. The fun starts immediately with the “screen test” wherein the volunteer Keanus […]

 

Marty Lederman, on a roll

You see, the CIA apparently uses the less dangerous version of “waterboarding” — not the Spanish Inquisition method, but the technqiue popularized by the French in Algeria, and by the Khmer Rouge — involving the placing of a cloth or plastic wrap over or in the person’s mouth, and pouring or dripping water onto the […]

 

Microsoft Security Intelligence Report V4

Microsoft Security Intelligence Report (July – December 2007) This volume of the SIR focuses on the second half of the 2007 calendar year (from July through December) and builds upon the data published in the previously released volumes of the SIR. Using data derived from several hundred million Windows users, and some of the busiest […]

 

Reality imitates the Onion

I’m somewhat sure this is a real AP story, “Al-Qaida No. 2 says 9/11 theory propagated by Iran.” The Onion scooped them, with “9/11 Conspiracy Theories ‘Ridiculous,’ Al Qaeda Says.” Unfortunately, no progress on the “fake tape” issue: The authenticity of the two-hour audio recording posted on an Islamic Web site could not be independently […]

 

Keynoting at ISSA tomorrow

I’ll be delivering the keynote at “ The Fourth Annual ISSA Northwest Regional Security Conference” tomorrow in Olympia, Washington. I’m honored to have been selected, and really excited to be talking about “the crisis in information security.” The topics will be somewhat familiar to readers of this blog, but in a longer, more coherent format […]

 

More New School Reviews

Gary McGraw says buy it for the cover: The New School of Information Security is a book worth buying for the cover alone. I know of no other computer security book with a Kandinski on the front. Even though I know Adam Shostack from way back (and never could have predicted that he would become […]

 

Why Aren’t there More Paul Grahams?

Paul Graham has an interesting essay “Why There Aren’t More Googles.” In it, he talks about how VC are shying away from doing lots of little deals, and how the bold ideas are the ones that are hardest to fund: And yet it’s the bold ideas that generate the biggest returns. Any really good new […]

 

Congratulations to the CVE team!

The CVE Web site now contains 30,000 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a […]

 

Center for Innovative Financial Technology Launches at Berkeley

Congratulations to Berkeley on setting up a “Center for Innovative Financial Technology“, but I wonder why their mission is so conservative? The mission of the Center is to conduct and facilitate innovative research and teaching on how new technologies impact global electronic markets, investment strategies, and the stability of the financial system. The information people […]

 

Generativity, Emergent Chaos and Adam Thierer

Jonathan Zittrain, a professor at Oxford, has a new book, “The Future of The Internet.” He’s adapted some of the ideas into a long and worthwhile essay, “Protecting the Internet Without Wrecking It.” In that essay, he uses the term “generativity” to refer to a system which has what I would call ’emergent chaos.’ A […]

 
 

Privacy Act and "actual damages"

Lauren Gelman writes: I’m breaking blog silence to report on an amazing decision out of the DC Circuit holding that the federal Privacy Act’s requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed’n of Gov’t Employees v. Hawley, D.D.C., No. 07-00855, […]

 

41 and counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma) See More Breach Notification Laws — 42 States and Counting at […]

 

RSA Crazy Busy, book notes

I’m sorry blogging has been light, but RSA has been really busy. I did want to post a quick reminder, I’ll be doing a book singing at 2.30 at the RSA bookstore. PS: I know, that should really say “signing,” not “singing” but I decided I like the typo. If enough people show up and […]

 

Amazon and The New School

Several of you have mailed or commented about the New School being “delayed” from Amazon. I apologize, this was a surprise to me. What our publisher says: Because of their set-up, Amazon has been taking longer to get a book available for shipping. As you can see this causes problems when they list the pub […]

 

New School of Information Security: book signing at RSA

I’ll be at RSA next week, and have a book signing scheduled for 2:30 PM Wednesday (April 9) at the RSA bookstore. To be more clear: The RSA bookstore will have copies for sale. I know many of you are waiting for copies. Many of our reviewers emailed me in the last day or two […]

 

The FDIC's Cyber Fraud Report

The FDIC’s Division of Supervision and Consumer Protection didn’t release a report titled “Cyber Fraud and Financial Crime” on November 9, 2007. That release was left to Brian Krebs, a reporter with the Washington Post, in early March, who blogged about it in “Banks: Losses From Computer Intrusions Up in 2007” and “The FDIC Computer […]

 

94% of Philippine IT Professionals Endorse Breach Disclosure

“LOCAL SURVEY SHOWS: Private sector wants breach of information systems reported :” MANILA, Philippines — Local organizations want the breach of information systems and theft of personal information reported, a survey conducted by the Cyberspace Policy Center for Asia Pacific (CPCAP) showed. “A surprising 94 percent favored the imposition by law of [an] obligation upon […]

 

I see you stand like greyhounds in the slips…

…straining upon the start. The game’s afoot! Follow your spirit; and upon this charge Cry ‘God for Harry, England, and Saint George!’ So closes the speech before battle which Shakespeare wrote for Henry V. You know, the one which opens, ““Once more into the breach:” (Thoughts on the cumulative effects of notification letters).” I seem […]

 

Black Hat Speaker Selection

Black Hat USA News: We’re very proud to announce a new feature for paid Black Hat attendees starting with the USA show in August – delegate access to our CFP system! Paid delegates can now log into our CFP database, read and review our proposed presentations and share their ratings and comments with Black Hat. […]

 

Wendy Richmond’s Surreptitious Cellphone

At the International Association of Privacy Professionals meeting last week, I had the pleasure of meeting Wendy Richmond. Richmond is intrigued with the ways in which we share our public space. Some of us create invisible buffer zones for quiet reverie; others enhance or negate reverie through portable technology like iPods, cell phones and laptops. […]

 

A Crime That Flourishes Because Victims Remain Silent

There’s a fascinating article in the New York Times, “Report Sketches Crime Costing Billions: Theft From Charities.” “I gave a talk to a group of nonprofit executives a few weeks ago, and every single one of them had a fraud story to tell,” said one of the report’s authors, Janet S. Greenlee, an associate professor […]

 

Dan Solove's books free and online

Dan Solove has put his two current books, “The Future of Reputation” and “The Digital Person” online for free. I’ve felt bad in not reviewing The Future of Reputation, because I really enjoyed it, and have been trying to figure out what to say. Solove does a great job of surveying reputation in its many […]

 

The Principal-Agent Problem in Security

There’s a fascinating article in the New York Times, “At Bear Stearns, Meet the New Boss.” What makes it fascinating is the human emotion displayed: “In this room are people who have built this firm and lost a lot, our fortunes,” one Bear executive said to Mr. Dimon with anger in his voice. “What will […]

 

On the Frequency of Fake bin Laden Messages

I’ve noticed that every time there’s a new message from Osama bin Laden, the press very carefully calls into question its authenticity. For example, CNN’s article “Purported bin Laden message: Iraq is ‘perfect base’” opens: Al-Jazeera broadcast on Thursday an audiotape on which a voice identified as Osama bin Laden declares “Iraq is the perfect […]

 

First in-depth review

Andre Gironda writes “Implications of The New School:” Additionally, the authors immediately begin the book with how they are going to write it — how they don’t reference anything in great detail, but that the endnotes should suffice. This also put me off a bit… that is — until I got to the endnotes! Certainly […]

 

Algorithms for the War on the Unexpected

Technology Review has an article, “The Technology That Toppled Eliot Spitzer.” What jumped out at me was the explicit statement that strange is bad, scary and in need of investigation. Bruce Schneier is talking a lot about the war on the unexpected, and this fits right into that. Each category is analyzed to determine patterns […]

 

Context, please!

Chess masters will sometimes play chess against a dozen or more competitors at once, walking from board to board and making a move. The way they do this isn’t to remember the games, but to look at the board, and make a decent (to a master) move each time. They look at the board, get […]

 

More New School feedback

Our editor says that the Safari e-book edition of The New School is now available. Hardcopies should be out in a week or so. Jon Pincus gives us a mention in his long article “Indeed! The Economist on “computer science as a social science”” and comments that we “explicitly include discussions of diversity in the […]

 

Bear Stearns

Dan Geer is fond of saying that financial risk management works because everyone knows who owns what risks. Reports are that JPMorgan just bought Bear Stearns for $236MM, a 93% discount to Friday’s closing price, with $30BB of US taxpayer money thrown in (as guarantees) for good measure. Bloomberg also reports that the Bear Stearns […]

 

Liechtenstein Über Alles?

The New York Times had a story, “Tax Inquiry? Principality Is Offended:” After weathering days of criticism from Germany over a spectacular tax evasion case, Liechtenstein — sometimes seen as the inspiration for the satirical novel from the 1950s about a tiny Alpine principality that declared war on the United States — is digging in […]

 

Banks, Privacy and Revenge

Eliot Spitzer made a name for himself attacking banks. Setting aside the legitimacy of those attacks, I find it shocking that he didn’t realize how much banks know about each one of us. It’s doubly shocking that he didn’t expect revenge. The New York Times claimed that the “Revelations Began in [a] Routine Tax Inquiry.” […]

 

Thank you, Usenix!

I’m delighted to report that USENIX, probably the most important technical society at which I publish (and on whose board I serve), has taken a long-overdue lead toward openly disseminating scientific research. Effective immediately, all USENIX proceedings and papers will be freely available on the USENIX web site as soon as they are published. (Previously, […]

 
 

Dan Geer: Economics and Strategies of Data Security

Speaking of books: This book explores the dramatic shift from infrastructure protection to information protection, explaining why data security is critical to business today. It describes how implementing successful data security solutions across sophisticated global organizations requires a new data-centric, risk based and strategic approach, and defines the concepts and economics of a sound data […]

 

Reactions to "The New School:" Thank you!

A big thank you to those of you who picked up the New school in your blogs and mailing lists. Ryan Hurst says: This is a concept I know I beleive in, one I have discussed numerous times with folks over beer; with that being said I can’t wait to get my copy to see […]

 

The New School of Information Security

A few days ago, we turned in the very last edits to The New School of Information Security to Addison-Wesley. My co-author, Andrew Stewart, and I are both really excited. The New School is a systemic look at dysfunction within information security, and a look at some of the ways people are looking to make […]

 

Are We Measuring the Right Things?

One of the reasons that airline passengers sit on the tarmac for hours before takeoff is how the FAA Department of Transportation measures “on time departures.” The on time departure is measured by push-back from the gate, not wheels leaving the tarmac. (Airlines argue that the former is in their control.) If you measure the […]

 

WOOT08 Call for Papers

Progress in the field of computer security is driven by a symbiotic relationship between our understandings of attack and of defense. The USENIX Workshop on Offensive Technologies aims to bring together researchers and practitioners in system security to present research advancing the understanding of attacks on operating systems, networks, and applications. 2nd USENIX Workshop on […]

 

You Can't Say That: Blogging Your Failures

I forgot exactly where I saw the link to Ben Neumann’s Views from the Trenches, but the opening lines of his post “Network Outage” are great, doubly for what he’s just gone through: Today was a NIGHTMARE-DAY! Globat.com just emerged from a major outage – the worst in company history and everybody – customers and […]

 

There’s Going to Be a Paper-Scorching Ka-Booom!

The New York Times has a great story about Cai Gou-Qiang, an artist who works in gunpowder. “The Pyrotechnic Imagination.” It’s pretty cool stuff for a lazy weekend afternoon read. [I forgot to mention, he has a show at the Guggenheim, and their press release states, “For publicity images go to http://www.guggenheim.org/press_office.html User ID = […]

 

Microsoft Acquires Credentica’s U-Prove

I am tremendously pleased to say that Microsoft has closed an acquisition of Credentica‘s U-Prove technology. This technology adds a new and important set of choices in how we as a society deal with identity and properties of people. Kim Cameron has the official announcement, “Microsoft to adopt Stefan Brands’ Technology” and Stefan Brands has […]

 

Analyzing the Analysts

In Things Are Looking Up For TJX, or, Javelin Research – Credibility Issues?, Alex takes a look at research released by Javelin, and compares it to some SEC filings. Javelin is making the argument that companies that suffer massive breaches will lose market share. As do these folks at Response Source: “LATEST NATIONAL RESEARCH REVEALS […]

 

Credit Ratings for Governments?

Last week, I talked about consumer credit in “The real problem in ID theft.” Yesterday, the New York Times had a story, “States and Cities Start Rebelling on Bond Ratings:” A complex system of credit ratings and insurance policies that Wall Street uses to set prices for municipal bonds makes borrowing needlessly expensive for many […]

 

I've Made Up My Mind, Don't Bother Me With the Facts

The report, Educational Security Incidents (ESI) Year in Review, spotlights institutions worldwide, and Penn State was included in the report with one data breach last year. … “My goal with ESI is to, hopefully, increase awareness within higher education that not only is information security a concern, but that the threats to college and university […]

 

The real problem in ID theft

In “Reckoning day for ChoicePoint, “Rich Stiennon writes: The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution than the old fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they […]

 

Threat Modeling Blog Series

Over on my work blog, I just wrapped up a series on threat modeling. Because blogs display the content backwards, I’ve put the entire series up as a Word doc: The Trouble With Threat Modeling. [Update: If you want to see all the threat modeling posts, they’re at Threat Modeling SDL blog posts. They’re displayed […]

 

Not Dead Yet

Dan Solove has an interesting article up, “Coming Back from the Dead.” It’s about people who are marked dead by the Social Security Administration and the living hell their lives become: Dan starts with quotes from the WSMV News story, “Government Still Declares Living Woman Dead” According to government paperwork, Laura Todd has been dead […]

 

More airport security toys

“Let’s play ‘airport security’,” says Foriegn Policy. It’s like playing Doctor, only with latex gloves and inappropriate touching. In an effort to help children understand and be comfortable and confident in the need and process of higher security protocols we’ve developed a new play and learning toy and resource web site to promote and educate […]

 
 

Cat Le-Huy, Dubai and the moral high ground

Cat Le-Huy is a friend of friends who has been “detained” entering Dubai. I put detained in quotes, because he’s been thrown into prison, where he’s now spent a few weeks. He claims he was carrying melatonin, which is legal in Dubai, and the authorities have charged that there was .001 gram (1 milligram) of […]

 

A++++ Fast and Professional!! Would Read Again!

In “Crowd control at eBay,” Nick Carr writes: EBay has been struggling for some time with growing discontent among its members, and it has rolled out a series of new controls and regulations to try to stem the erosion of trust in its market. At the end of last month, it announced sweeping changes to […]

 

Where's the Beef?

As I was driving home, listening to the radio, I heard this: We’ve been really astonished by how some of the most high-profile situations actually resulted in increased consumer confidence, because sometimes high-profile issues give us an opportunity to talk about what we do, and that has actually encouraged consumers. No, it’s not a TJX […]

 

Wanted

Via Michael Froomkin.

 

Obama vs. McDonalds

As he was winning contests in Iowa and South Carolina, Senator Barack Obama raised $32 million in January for his presidential bid, tapping 170,000 new contributors to rake in nearly double the highest previous one-month total for any candidate in this election cycle. The New York TImes, “Enlisting New Donors, Obama Reaped $32 Million in […]

 

Breach Laws Charts (updated)

A while back, I posted a list of breach laws. I’ve now added the CSO map, which is pretty cool. Scott and Scott, one page reference chart Perkins, Coie summary of laws Proskauer Rose listing of laws (Updated 1 December 2007) Julie Brill, Assistant Attorney General, Vermont (not online). CSO Magazine has an interactive chart […]

 

Scott Page’s The Difference

A lot of people think of calls for diversity as fuzzy headed liberalism at its worst. If you’re one of them, please keep reading. Or you could click here and just

 

Two brief followups to "Already donated the limit"

First, I’d like to thank everyone for keeping the comments civil and constructive. Second, I’d like to respond to Philll’s comment, “You sure do pick the strangest issues to make non-negotiable.” I picked this because it struck me that the rules in question were being accepted and treated in the various discussions as fixed and […]

 

Parking Meters are Reverse Slot Machines

Raymond Chen has an amusing blog post, “When computer programmers dabble in economics: Paying parking tickets.” This is further dabbling in economics, and I hope you find it amusing. I believe that parking meters–the old fashioned kind where you put coins in and hope to not get a ticket–are precisely the opposite of slot machines. […]

 

"Already donated the limit"

I was listening to the radio yesterday, a show about Super Tuesday. First, a big thank you to all the Democrats who voted

 

Economist Debates Security V Privacy

The Economist emails: Our second series of three debates kicks off today and the first proposition raises important questions about civil rights and the trade-off between Privacy vs. Security. As a blogger and member of the community that The Economist aims to serve with this lively debate, we wanted to extend an invitation to you […]

 
 

Emergent Chaos Primary Endorsements

Well, Super Tuesday is here in the United States, and some millions of people will stand up and vote or caucus for the candidate of their choice. We here at Emergent Chaos have spent tremendous amounts of time watching the election, and we wanted to offer up some of the least-awaited endorsements in the bloggosphere. […]

 

Computer Capers and Progress

We’re coming up on the 30th anniversary of the publication of “Computer Capers: Tales of electronic thievery, embezzlement, and fraud,” by Thomas Whiteside. What, might you ask, can we learn from a 30 year old text? Nothing has changed. Except, for some of the names. Donn Parker is in there, as are a melange of […]

 
 

ANSI on Identity Fraud

Tomorrow at 2 Eastern, ANSI will be hosting a Identity Theft Prevention and Identity Management Standards Panel. Key analysts, industry leaders, and members of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) will lead an online discussion of a new report that promotes access to and implementation of tools and processes that can […]

 

Adam’s Law of Perversity in Computer Security

Rybolov had an interesting comment on my post, “How taxing is it to read a tape?” He wrote about how hard it can be, and closed: I think the key is that it’s hard for the average person to read tapes if they found/stole them, but for a moderately-large organization/attacker, it’s possible. I think this […]

 

The UK Driver's License Applicants Breach and Laws

Dark Reading reported that “Data on 3M UK Drivers ‘Lost in Iowa’.” “In May this year, Pearson Driving Assessments Ltd, a private contractor to the Driving Standards Agency, informed the agency that a hard disk drive had gone missing from its secure facility in Iowa City, Iowa,” Kelly said. “The hard disk drive contained the […]

 

Why some companies hire PR staff

2008, for us, is a big change because up to now we have been more like a terrorist group, threatening to do something and making big claims. Nicholas Negroponte, of the One Laptop Per Child program, speaking on his own web site. Wow. There’s a stunning analogy for you. Maybe “we’ve been more like a […]

 

Welcome, Crispin!

Michael Howard has broken the news: “Crispin Cowan joins Windows Security: I am delighted to announce that Crispin Cowan has joined the core Windows Security Team! For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain […]

 

How taxing is it to read a tape?

In “Athenian Economy and Society: a banking perspective,” Edward Cohen uses the fascinating technique of trusting in offhand comments. He uses the technique to analyze court records to reconstruct banking. You might not be able to trust the main testimony in a trial, but no one will offhandedly say something shocking and strange, because it […]

 

Reporting on breaches

It started with Mark Jewell of the AP, “Groups: Record data breaches in 2007.” Dissent responded to that in “Looking at 2007’s data breaches in perspective:” The following table depicts the number of U.S. incidents reported and the corresponding number of records reported expose by the three main sites that track such data: Attrition.org, the […]

 

Hurricane Ivan From the Space Station

Every now and then, an “Astronomy Picture of the Day” is just breathtaking. Today’s is Hurricane Ivan from the Space Station. Click for the larger view.

 

Risk Assessment is Hard

The BBC reports (TV personality) “Clarkson stung after bank prank” in which he published his bank account numbers in the newspaper: The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people’s personal details on two computer discs. He wanted to prove the story was a fuss […]

 

The Laboratories of Democracy in Action

Chris emailed me a bit before Christmas with a link to the new “New York State Security Breach Reporting Form.” How could we withhold this exciting news? I wanted to wait until people were back from vacation, so they didn’t miss it. The form is important because it’s starting to ask for more data. There’s […]

 

How about a little fire?

At WD-50 I saw something done to the potatoes that makes a cook scream, “yes!” A method of cooking the potatoes with an explanation using true understanding of the molecules inside the potatoes and the effects of heat on them. The potatoes are peeled, sliced, and cooked in a water bath at 65 degrees celsius […]

 

Andy Olmsted

Andy Olmsted, who posted as G’Kar on Obsidian Wings, was killed yesterday in Iraq. I always enjoyed his posts, especially when I disagreed with them, because he was so clearly thoughtful. I find myself terribly sad for the death of a man who I only knew through his words. He asked that we not politicize […]

 

Send data leakers to jail? Heck, no!

In “Data breach officials could be sent to the big house,” we learn: In his update on the HMRC data loss to MPs yesterday, Alistair Darling said: “There will now also be new sanctions under the Data Protection Act for the most serious breaches of its principles. “These will take account of the need not […]

 

New breach blog

Evan Francen is maintaining a breach blog with more structure and commentary than either PogoWasRight or Attrition. As I looked at it, I had a couple of thoughts. The first is that he doesn’t reference Attrition DLDOS numbers. (Then again, Pogo doesn’t either.) I think this is a mistake. When we founded CVE, it was […]

 

Australia dumps National ID

Opponents of Australia’s controversial Access Card received an early Christmas present earlier this month when the incoming Rudd Labor Government finally axed the controversial ID program. Had it been implemented, the Access Card program would have required Australians to present the smart card anytime they dealt with certain federal departments, including Medicare, Centrelink, the Child […]

 

"Security Vulnerability Research & Defense"

My co-workers in SWI have a new blog up, “Security Vulnerability Research & Defense.” They’re planning to…well, I’ll let them speak for themselves: …share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities… The two posts below are examples of the type of […]

 

Aaron Burr and Compulsory Key Disclosure

Orin Kerr has a fascinating tidbit at Volokh, “Encryption, the Fifth Ammendment, and Aaron Burr:” Following my posts last week on encryption and the Fifth Amendment, a few readers asked about how courts have dealt with such issues before. As far as I know, there is only one other judicial decision specifically addressing the Fifth […]

 

Merry Christmas, Dr. Hansen!

A surgeon who allegedly took a photo of a patient’s penis during an operation at a US hospital is no longer working there, it has been announced. Dr Adam Hansen, of Arizona’s Mayo Clinic Hospital, is accused of taking the snap while conducting gallbladder surgery earlier in December. (BBC, “US ‘penis photo doctor’ loses job.”) […]

 

Anarchy in the UK

“Anger as NHS patient records lost” “Patient data loss affects 168,000” “Post Office sends wrong details” “Discs ‘worth £1.5bn’ to criminals” “£20,000 reward offered for discs“* “More firms ‘admit disc failings’” * Readers are invited to comment on the contrast. Thanks to Ant, Cat and Steven Murdoch for links. Image: Teton dam, Wikipedia.

 

Guinness is Good For You, but don’t tell anyone

A pint of the black stuff a day may work as well as an aspirin to prevent heart clots that raise the risk of heart attacks. Drinking lager does not yield the same benefits, experts from University of Wisconsin told a conference in the US. … The researchers told a meeting of the American Heart […]

 

"There’s supposed to be a Mars-shattering Ka-boom!"

Here at Emergent Chaos, we’re big fans of large objects hitting other large objects at high speed. Which is why it’s important to tell you that 2007-WD5 is a 50 meter asteroid that’s set to pass within 48,000 kilometers of Mars next month. “We estimate such impacts occur on Mars every thousand years or so,” […]

 
 

Bonobos!

Check out this amazing video from TED.

 

Six breach reports in the UK: the floodgates are open

In Dissent’s weekly roundup of breaches, there were six breaches reported for the UK, versus nine in the US. It seems that the duty of care approach is really taking off. Newly reported incidents in the U.K. and Ireland: In Ireland, the Driver and Vehicle Licensing Agency has lost the personal details of 6,000 people. […]

 

Flower Chaser

My eyes feel better now. Calla Lily macro 3, by Edwin Bartlett.

 

The Words of our (Founding) Fathers

There’s an article in the Washington Post, “In the Course of Human Events, Still Unpublished.” It’s about how the papers of the founding fathers of the United States are still not available except in physical form, and the scholarly practice that keeps them there. Many of the founding fathers’ letters have been transcribed and made […]

 

Deloitte & Touche, Ponemon Study on Breaches

According to Dark Reading, “Study: Breaches of Personal Data Now Prevalent in Enterprises:” According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executive surveyed — some 800 individuals — claimed at least one reportable security incident in the past 12 months. Sixty-three percent […]

 

Clark Kent Ervin on TSA Security

Normally, it’s not news when someone takes aim at TSA policies like this: If you are someone who suspects that what is billed as “aviation security” is often more show than substance, you are not alone. In fact, you are part of what Nixon aides used to call the “silent majority.” The security bureaucracy seems […]

 

Ask.com is not asking "Will Privacy Sell"

There’s a bunch of press around Ask.com’s marketing of their new privacy service. I applaud them for thinking about this, and for drawing attention to the issue of search privacy. The New York Times had a story, “Ask.com Puts a Bet on Privacy” and now Slashdot jumps in with “Will Privacy Sell?” This is the […]

 

Data Thefts Triple This Year?

So says USA Today, in “Theft of personal data more than triples this year.” A few small quibbles: I’d prefer if Byron Acohido had said “reported” thefts It’s not clear if thefts or reports tripled. I suspect the reports, but proving that would be tough. Both of those things said, it’s a good article, and […]

 

The Emergent Chaos of the US Presidential Campaign

This New York Times really is interesting. It’s all about how candidates are losing control of their campaigns, and they’re in a new relationship with emergent phenomenon on the internet. Now, as we come to the end of a tumultuous political year, it seems clear that the candidates and their advisers absorbed the wrong lessons […]

 

Paddigton Bear, Illegal Immigrant

In the new book [Paddington] bear, who arrived in the country as a stowaway, is interviewed about his right to stay in England. He has no papers to prove his identity as his Aunt Lucy arranged for him to hide on a ship’s lifeboat from Peru when she went to live in the Home for […]

 

Toasting Repeal Day

Today marks the 64th 74th anniversary of the repeal of Prohibition in the United States. For 14 years, Americans were unable to legally have a drink. This led to a dramatic growth in the acceptance of organized crime and violence. Al Capone made his money in the demon rum, and was willing to fight for […]

 

Book on Boyd

Frans Osinga’s book on Boyd, “Science, Strategy and War: The Strategic Theory of John Boyd” has been issued in paperback. Previously, it was $90 for a copy. The new paperback edition is $35.95, and is easily worthwhile at that price. Science, Strategy and War is an academic analysis of the John Boyd’s thinking and its […]

 

Biometrics are not a panacea for data loss

Ian Brown writes, “Biometrics are not a panacea for data loss:” “What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected.” […]

 

Japanese Breach Disclosure Law

I believe that I follow breach notification pretty closely. So I was surprised to learn that I had missed the passage of a law in Japan. Bird & Bird, Notification of data security breaches explains: In Japan, the Personal Information Protection Act (Law No. 57 of 2003; chapters 1 to 3 effective May 30 2003 […]

 

Is 2,100 breaches of security a lot?

There’s a story in the Yorkshire Post, “2,111 data disasters blamed on disc row bunglers.” At first blush, that’s an awful lot of errors: THE bungling Government department responsible for losing 25 million people’s personal details in the post was hit by more than 2,100 reported breaches of security in the past year alone. And […]

 

A quick comment on the UK lapse

Thanks to all the readers who have written to tell me about the HM Revenue and Customs breach in the UK. I’m on vacation at the moment, and haven’t had a chance to read in depth. However, example stories include the BBC’s “Pressure on Darling over records:” Alistair Darling has apologised for the “extremely serious […]

 

The costs of liability

It’s become common for people thinking about security economics to call for liability around security failures. The idea is that software creators who who ship insecure products could be held liable, because they’re well positioned to address the problems. I don’t think this is a trouble-free idea. There are lots of complexities. As one example, […]

 

Controlling Water

In Controlling Water, Dana writes: …Alex Stupak, […] dropped this bombshell in my ear with the casual effect of a little bird chirping their daily song. With no prompt, he said simply, “You know, it’s really just about controlling water,” and walked away. This simple phrase had the power of a plot changing hollywood one […]

 

Bye-Bye Pay By Touch!

I’ve always been concerned about biometric systems for payment. I don’t want my fingerprint to be able to access my bank account: I leave fingerprints all over the place. I’m glad to see that biometrics pioneer Pay-By-Touch is shifting focus: Pay By Touch, which has made a major push in POS biometric payments, is backing […]

 

How to Blog a Talk

Blogging about your own presentations is tough. Some people post their slides, but slides are not essays, and often make little sense without the speaker. I really like what Chris Hoff did in his blog post, “Security and Disruptive Innovation Part I: The Setup.” I did something similar after “Security Breaches Are Good for You: […]

 

How Government Can Improve Cyber-Security

In “How Can Government Improve Cyber-Security?” Ed Felten says: Wednesday was the kickoff meeting of the Commission on Cyber Security for the 44th Presidency, of which I am a member. The commissionhas thirty-four members and has four co-chairs: Congressmen Jim Langevin and Michael McCaul, Admiral Bobby Inman, and Scott Charney. It was organized by the […]

 

Security is never static

There’s a story in the Wall St Journal, “London’s Congestion Fee Begets Pinched Plates:” This city’s congestion pricing for drivers is heralded around the world for reducing traffic and pollution. It’s also causing an unintended effect: a sharp jump in thieves stealing or counterfeiting license plates. Thieves are pinching plates by the dozens every day […]

 

Measuring the Wrong Stuff

There’s a great deal of discussion out there about security metrics. There’s a belief that better measurement will improve things. And while I don’t disagree, there are substantial risks from measuring the wrong things: Because the grades are based largely on improvement, not simply meeting state standards, some high-performing schools received low grades. The Clove […]

 

"A duty of care" to notify?

Some people have objected to my repeated claims that a new normal is emerging. Those people don’t include Her Majesty’s Revenue and Customs, who, after losing a disk in the mail, said: “There was a thorough search for the item, which went missing at the end of September, but it has not been found. We […]

 

Gordon Brown on liberty

While this great tradition can be traced back to the Magna Carta, it was the rise of the modern state with all the new powers at its disposal that made the 17th century the pivotal period in the struggle against arbitrary and unaccountable government —— as Britain led the way in the battle for freedom […]

 

No Parking, Really

Via Michael Froomkin, who points out that if this were an intellectual property license, people would seriously argue that parking there gave the owners the right to spraypaint your car.”

 

Emergent Breach Analysis

When I started blogging about breaches and breach notices way back in early 2005, a number of friends wrote to say I was sounding like a broken record. They were right, and at the same time, I felt there was something really big going on, and I wanted to push it and shape it. Over […]

 

Beer For a Laptop

A New Zealand company is offering a lifetime supply of beer if someone gives them their lost laptop. See the BBC, “NZ brewery offers beer for laptop.” Thanks to Phillip Hallam-Baker for the pointer. We are indeed happy, and would analyze the clever marketing, ROI on investment, and emergent chaos of the barter system, but […]

 

FEMA’s Fake News Conference

In light of FEMA using our tax dollars to stage a fake news conference, I’d like to take a moment to assure you that none of the Emergent Chaos combo works for the Burton Group, and any softball questions in our interviews are just because we like them. Photo: FEMA news conference, AP. [Update: We […]

 
 

Should Email Address Breaches Be Notification-Worthy?

Brian Krebs raises the issue in his column in the Washington Post, “Should E-Mail Addresses Be Considered Private Data?” The question raises some fascinating economics questions and a possibly unique opportunity for interesting information security signals: A database of e-mail addresses and other contact information stolen from business software provider Salesforce.com is being used in […]

 

Visa says TJX Impacted 94 million accounts, $68MM+ in fraud

“Although TJX suggests that the breach only affected approximately 45.7 million accounts, in fact the breach during a period of 17 months affected more than 94 million separate accounts. To date, Visa has calculated the fraud losses experienced by issuers as a result of the breach to be between $68 million and $83 million on […]

 

Ceremony Design and Analysis

Carl Ellison has been doing some really interesting work on what he calls Ceremonies: The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band […]

 
 

With p=.7, Breach Costs Will Fall by 2009

There’s an article over on Tekrati, “Cost of a sensitive data breach will increase 20 percent per year through 2009, says Gartner.” Near as I can tell, this is the sort of half-thought through analysis which Gartner sometimes spews, to the great detriment of their reputation. (To be fair, I can only see what other […]

 
 

The Pogues Show

What an amazing show. Shane MacGowan slurred a lot, but I just couldn’t care when he sang ‘Brown Eyes’ or ‘The Greenland’ or ‘The Sick Bed Of Cuchulainn.’ They’re touring the western states. Photo: “The Pogues in Seattle on October 17, 2007 – first show of US tour” by Dan10Things.

 

Laboratories of Security?

There’s a story in USA Today, “Most fake bombs missed by screeners.” It describes how screeners at LAX find only 25% of bombs, at ORD, they find 40%, and at SFO, 80%: At Chicago O’Hare International Airport, screeners missed about 60% of hidden bomb materials that were packed in everyday carry-ons — including toiletry kits, […]

 

Breaches: Coverup & Disclosure

There’s an interesting case of breach non-disclosure documented in the Edmonton Sun, “Privacy breach at MacEwan.” It’s interesting for a few reasons. First, the breach wasn’t disclosed: MacEwan College was cited in the auditor general’s report this week after a tipster told the AG’s office about the security breach in 2006. It mirrored access problems […]

 

What's an Identity Oracle (LLPersonas)

Adam: So you say “my oracle.” Who is that? Is it an entity which I control? To be cynical, how does ‘my identity oracle’ differ from Choicepoint? Bob Blakely:My oracle most assuredly does not belong to me. It’s a commercial enterprise. It differs from choicepoint in that it has contracts with its data subjects which […]

 

How to Better Cite Blogs

Via BoingBoing, we learn that the NIH has a guide to citing blogs. Cool! Respectworthy! And a little lacking as a citation format. Here’s their first sample: Bernstein M. Bioethics Discussion Blog [Internet]. Los Angeles: Maurice Bernstein. 2004 Jul – [cited 2007 May 16]. Available from: http://bioethicsdiscussion.blogspot.com/. There are at least two major problems with […]

 

TSA Violates Your Privacy, Ties themselves in Little Knot of Lies

There’s a story in InformationWeek about the latest TSA privacy violation, “TSA Promises Privacy For Subjects Of Clothing-Penetrating Scans:” “We are committed to testing technologies that improve security while protecting passenger privacy,” said TSA administrator Kip Hawley in a statement. “Privacy is ensured through the anonymity of the image: It will never be stored, transmitted, […]

 

Limits of Limited Liability Personas?

Adam: I have some cost questions, but I think more importantly, this can limit my exposure to, say, a credit card, but I can get most of this without paying Delaware a couple of hundred bucks. I get a PO box, a limited credit card, and a voice mail service. What’s the advantage that’s worth […]

 

Bob Blakely on the LLP

Adam: The LLP is a great analogy because that’s exactly what the Limited Liability Partnership was, and is, for-controlling liability in transactions. The growth of the limited liability corporation allows me, as an investor, to invest a set amount of money, and know the limits of my exposure to management errors. But I can’t do […]

 

Mike Neuenschwander on Limited Liability Personas: Intro

I was deeply intrigued when I read an article in the New York Times, “Securing Very Important Data: Your Own.” Mike Neuenschwander of the Burton Group proposed an idea of “limited liability personas.” I thought this was so cool that I emailed him, proposing we interview him for the blog. He’s agreed, and here’s part […]

 

Breach Laws Charts

At The Privacy Symposium that Harvard Law just held, I had a fascinating conversation with Julie Machal-Fulks of the law firm of Scott & Scott. Scott and Scott have published a one page breach laws chart, with just five variables. Julie Brill of the Vermont Attorney General’s office also mentioned that she maintains a chart. […]

 

Bank Note of the Year

Who knew there’s an International Bank Note Society? Or that they have a prize for best bank note of the year? This year’s winner is the “1,000-franc note issued by the Banque Centrale des Comores, the central bank of the Comoros, an archipelago located between Madagascar and the east coast of southern Africa.” Don’t miss […]

 

EWeek on The Gap Breach

Lisa Vaas has a great article in eWeek, “Let’s Demand Names in Data Fumbles” That unnamed vendor should indeed be taken to task. The Gap is now in the process of contacting an enormous number of people in the United States and Canada whose information may have been compromised, and it’s providing credit reporting services […]

 

Sammer at Officer Candidate School

Those of you who don’t know Sameer Parekh can ignore this message. For those of you who do, he’s joined the Marines and is attending Officer Candidate School, and would appreciate your letters: He does not have access to email or phone. Please send him snail mail (US mail) as often as you can. He […]

 

Blogging @ Work: Blue Hat and Threat Modeling

BlueHat 6 was a great event. I had a really good time listening and talking with the attendees and speakers. The team is also looking to share a lot more about what’s happening, and one way they’ve done that is to open up their blog to speakers. There are posts from Rain Forest Puppy, Halvar […]

 

Connecticut Sues Accenture over Ohio Breach

As reported in the Scott and Scott Business and Technology law blog: Connecticut hired Accenture to develop network systems that would allow it to consolidate payroll, accounting, personnel and other functions. Information related to Connecticut’s employees was contained on a data tape stolen from the car of an Accenture intern working on an unrelated, though […]

 

Best Comment in a Long Time

Ian Rae comments “I think Apple demonstrated quite convincingly their inability to compete with their own proprietary hardware and software platforms.”

 

Apple’s Update Strategy is Risky

On Saturday I was going to a party at an apartment building. The buzzer wasn’t working, and I took out my shiny new iphone to call and get in. As I was dialing, a few young teenagers were coming out. They wanted to see the iPhone, and so I demo’d it in exchange for entry […]

 

Sheep outsmart Britons

The BBC reports that in Yorkshire, crafty sheep conquer cattle grids: Hungry sheep on the Yorkshire moors have taught themselves to roll 8ft (3m) across hoof-proof metal cattle grids – and raid villagers’ valley gardens. … A National Farmers’ Union spokeswoman in York said: “We have never seen anything like it. We have looked at […]

 

What Secure Flight Really thinks about you

You can find out, by making a request under the privacy act. “Read Your Own DHS Travel Dossier.” Good commentary and context at Threat Level, “Howto: Check Your Homeland Security Travel File.”

 

SmartHippo Launches

Have you ever wondered how banks make so much money in the mortgage business? If you stop to think about it, mortgages are the ultimate commodity product these days. The bank collects information from you, gives you a loan, outsources the customer service to a loan servicing company, and securitizes your loan. So how do […]

 

Once more into the Ameritrade Breach

Last week, I wrote: It appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they’re shaping the news by sending out a press release. On further reading, both from readers commenting on that article, and things like Network World, “Ameritrade customers vent about data breach:” The Ameritrade […]

 

MIT, Logan, the Chilling Effect and Emergent Chaos

If you’re not hidden under a rock, you know about the latest bomb scare in Boston. Some MIT kid forgot that Boston cops think anything with an LED on it is a bomb. A lot of people are saying she got what she deserved, or that she’s lucky to be alive. These people probably think […]

 

Family Guy Does Usability

A funny clip for Saturday. I can’t figure out how to embed the video here, so click on the picture to be taken to Gizmodo.

 

Transparency in Government

The Privacy Commissioner of Canada is blogging. Welcome to the blogosphere! In unrelated news, the Canadian dollar reached parity with the US dollar for the first time in thirty years. See the Canadian Broadcasting Company, “$1 Cdn = $1 US.”

 

TSA knows what you read

Privacy advocates obtained database records showing that the government routinely records the race of people pulled aside for extra screening as they enter the country, along with cursory answers given to U.S. border inspectors about their purpose in traveling. In one case, the records note Electronic Frontier Foundation co-founder John Gilmore’s choice of reading material, […]

 

Those scurvy dogs!

The scurvy dogs at TD Ameritrade may have tricked us! Well, maybe. The comments on “Analyzing the TD Ameritrade Disclosure” and articles like “Lawsuit Raises Questions on TD Ameritrade Breach” and “Ameritrade Customers’ contact information hacked” have been demanding a re-think of what I want to think on the subject. But less importantly, today is […]

 

Motley Fool on SIAC

Case in point: SAIC confessed in July that “information … stored on a single, SAIC-owned, non-secure server at a small SAIC location, and in some cases … transmitted over the Internet in an unencrypted form … was placed at risk for potential compromise.” In the context of other firms having actual knowledge of miscreants accessing […]

 

Analyzing The TD Ameritrade Disclosure

In a press release, TD Ameritrade this morning confirmed reports that it has been informing customers of a potential security breach. The release does not confirm the figure of 6.3 million customers, but a company spokesperson did give that number to reporters in interviews. (Dark Reading, “TD Ameritrade Breach Affects 6.3M Customers.”) It appeared that […]

 

Who Likes a Cheater?

If you don’t follow sports news, the New England Patriots and their coach have been fined about three quarters of a million dollars and a draft pick. This is reported in articles like “Belichick given record fine for video cheating.” (Times Online, UK) That may seem like a lot, until you realize that that’s less […]

 

The Fight Against HSPD12

There’s a fascinating court fight, being run by people at the Jet Propulsion Lab. See “JPL Employees File Suit to End Background Investigations” From the press release: The plaintiffs include highly placed engineers and research scientists at JPL who have been involved in critical roles in NASA’s most successful recent programs, including leading engineers and […]

 
 

Pfizer's little problem

For the third straight month, the pharmaceutical giant is reporting a serious security breach that may have resulted in the loss of personal data belonging to current and/or former employees. The most recent breach, reported last week, involves the potential theft of personal data on some 34,000 current and former workers at the company. … […]

 

1.5 billion, and whaddaya get?

I wrote this post sitting on a plane to Montreal. There were all sorts of announcements about how you had to be on international flights thirty minutes before takeoff, to make Congress happy: Congress mandated that DHS’ Customs and Border Protection (CBP) establish a requirement to receive advance information on international passengers traveling by air […]

 

Inside Carnivore

Ryan Singel has a long article in Wired: “Point, Click … Eavesdrop: How the FBI Wiretap Net Operates.” I was pretty stunned at some of the numbers: FBI endpoints on DCSNet have swelled over the years, from 20 “central monitoring plants” at the program’s inception, to 57 in 2005, according to undated pages in the […]

 

Senator Craig and the Behavior Detection Officers

…airport police Sgt. Dave Karsnia, who was investigating allegations of sexual conduct in airport restrooms, went into a stall shortly after noon on June 11 and closed the door. Minutes later, the officer said he saw Craig gazing into his stall through the crack between the door and the frame. After a man in the […]

 

Harvard Business Review on Breaches

Via Chris Hoff, “Harvard Business Review: Excellent Data Breach Case Study…” we learn that the Harvard Business Review has a case study, “Boss, I think Someone Stole Out Customer Data.” The fictitious company profiled is Flayton Electronics, a regional electronics chain with 32 stores across six states. The premise of the fictitious data breach focuses […]

 

Security Advantage? I Don’t Buy It.

As quoted in Ken Belva’s blog, Larry Gordon writes: However, the above is not the end of the information security story from an economics perspective. If an organization can distinguish itself as having much better information security than its competitors, then that organization may well derive a “competitive advantage” (at least in short-run, until competing […]

 

The "Too Many Notices" Meme

There’s this idea out there that consumers don’t need to be told when their products are broken. Not for things like lead paint on toys, mind you. No one would believe that. It’s when their personal data goes missing. If the company doesn’t think it’s a problem, they should be able to keep it a […]

 

No, Breach Notification Service is a Good Sign

Over at Dark Reading, there’s a story about First Advantage Membership Services launching a breach notification service. Andrew Conry-Murray starts out: You know data security breaches are way too common when a company builds a business around customer notification of stolen information. and he ends: I applaud companies that comply with notification requirements. It’s the […]

 

Giving Data to Auditors

In light of well-publicized failures to maintain appropriate controls by the ‘final four’ audit firms, giving data to auditors without a clear and compelling business purpose is a bad idea. It’s such a bad idea, even an auto body shop objects: Auto body repair shops in British Columbia are complaining to the province’s privacy commissioner […]

 

I am not an eyeball, I am a free man!

Kim Cameron has a very interesting article on the distinction between accounts and credentials, “Grab them eyeballs! Any cred at all!:” s this logical? It all escapes me. Suppose I start to log in to Dare’s blog using an AOL OpenID. Does that make money for AOL? No. I don’t have to give AOL two […]

 

Second Breach Closure: Verus?

I’ve been fond of saying that no company goes under because of a breach. It used to be there was one exception, CardSystems Solutions. There now appears to be a second, Verus, Inc, a medical information processor that revealed information on customers of at least five hospitals. “Medical IT Contractor Folds After Breaches.” So that […]

 

Cost of a Breach: $6, not $187?

So TJX recently announced a $118m setaside to deal with the loss of control of 45 million records. Now, I’m not very good at math (if I was, I’d say $2.62, not $3), but it seems to me that the setaside is less than $3 per record. That doesn’t line up with the $187 per […]

 

Breach outliers: $118m charge for TJX

The Associated Press reports that “TJX profit plunges on costs from massive data breach:” FRAMINGHAM, Mass. (AP) – TJX’s second-quarter profit was cut by more than a half as the discount store owner recorded a $118 million charge due to costs from a massive breach of customer data….About one-tenth of the charge from the data […]

 

Fake Steve and Real Mackey

So with the small, literal men at the New York Times poking through the veil of anonymity that allowed Fake Steve to produce the best blog since “The Darth Side,” we have a serious threat to the stability of the republic, which is the false hope that by assigning people names, we can control them. […]

 

I can't concieve of a better use for anonymity

There’s a fascinating little sidebar article in the Economist (4 August 2007), “Misconceived:” Now that anonymity is no longer possible, there has been a huge decline in the number willing to donate. So more patients travel for treatment to countries where anonymity is still legal. If this new proposal is implemented, it may give such […]

 

ChoicePoint's data quality

In a comment, Tom Lyons asked: I have two clients who are asking me to investigate matters with Choice Point as it relates to inaccurate employment records provide to prospective employers. I am seeking persons who have similar experiences to determine a “pattern and practice” on the part of Choice Point. I don’t know Mr. […]

 

I love the emergent chaos of breach analysis

[Updated: see below] Over at Storefront backtalk, Evan Schuman writes “TJX Kiosk Rumors Re-Emerge:” Reports that the attack began using a wireless entry point have been confirmed by multiple investigators, but reports that circulated in March that the attacks began via an in-store employment kiosk have re-emerged. Could both be true? It’s unlikely, as both […]

 

In Honor of the New Wiretap Law

I’ve been too busy with travel to Blackhat, WOOT and Metricon to really cover the new wiretap law, or the very encouraging results of de-certifying electronic voting machines. I hope to be less buried soon. In the meanwhile, Photo is “Dan Perjovschi´s installation at the Moma, NYC” by Tibau1.

 

German Biometric Trials

The assessment of the Federal Criminal Police Office (BKA) according to which biometric visual-image search systems are not advanced enough to be used by the police to search for persons has led to mixed reactions. The Federal Criminal Police Office presented the fairly sobering research results of its visual-image search systems project on Wednesday in […]

 

86%: Would you buy an IDS this good?

A number of commenters on yesterday’s post, “Noh Entry: Halvar’s experience and American Legalisms” are taking me to task for being idealistic about rule of law. I agree strongly with what Nicko wrote in the comments: [C]ountries are at liberty to apply “complex, stupid, and complete arbitrary” rules but one of the fundamental tenants of […]

 

Noh Entry: Halvar’s experience and American Legalisms

He writes: It appears I can’t attend Blackhat this year. I was denied entry to the US for carrying trainings materials for the Blackhat trainings, and intending to hold these trainings as a private citizen instead of as a company. A little background: For the last 7 years, I have attended / presented at the […]

 

Help EFF Analyze Formerly Secret FBI Docs

In “Help EFF Examine Once-Secret FBI Docs,” the folks at EFF ask for your help doing what Congress won’t. Engaging in oversight of our civil servants: We’ve already started scouring newly-released documents relating to the misuse of National Security Letters to collect Americans’ private information. But don’t let us have all fun — you, too, […]

 

Metricon 2.0 Registration Closes Friday

Metricon 2.0 looks to be a great set of papers. I’d tell you what I’m looking forward to, but really, I’m looking forward to the whole day. And it’s only $225, but you have to register by Friday.

 

The first salami attack?

A salami attack is when you take a very small amount of money from an awful lot of accounts. The canonical example is a bank programmer depositing sub-cent amounts of interest in a special account. These rounding errors add up. I’m trying to find the first actual documented theft or attempted theft using this attack. […]

 

Should we stop faking phishing data?

In “Stop with the fake phish data,” Justin Mason quotes an anonymous friend complaining about people dumping crap into phishing sites: Is there any way you can get the word out that dropping a couple hundred fake logins on a phishing site is NOT appreciated?? It creates havoc for those monitoring the drop since it’s […]

 

Other comments on the GAO Report

[Added July 21] Roger Grimes, “Identity theft? What identity theft:” Here’s my long-held feeling: If even one customer record is compromised, it should be immediately disclosed to the consumer. None of this, “You need 10,000 or more records stolen before it is reported” or “Only report if likely to be used in financial theft.” Forget […]

 

Analysis of GAO report “Personal Information Data Breaches are Frequent”

(Excerpts from a letter to Mr. David Wood of the GAO. The complete letter is here.) I am writing to you today to comment on your recent report, “Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited, However, the Full Extent Is Unknown” I found GAO’s report and its implied […]

 

Emergent Chaos and Pirates

… pirate ships limited the power of captains and guaranteed crew members a say in the ship’s affairs. The surprising thing is that, even with this untraditional power structure, pirates were, in Leeson’s words, among “the most sophisticated and successful criminal organizations in history.” Leeson is fascinated by pirates because they flourished outside the state—and, […]

 

You can’t change your fingerprint

One of the most useful things you can do to protect your passwords is to change them regularly. This bounds the effect of many attacks which obtain your password, by various cracking techniques or by mistakenly entering it in the wrong place. After you’ve changed your password, the old one doesn’t do any good. This […]

 

The Greek Wiretapping Scandal

“The Athens Affair” is the story all the cool security bloggers are talking about. Now, when Matt Blaze, Bruce Schneier and Steve Bellovin all chime in, it makes life hard for us little guys. I mean, what can I say that they haven’t? Building facilities for wiretapping is dangerous? Covered. Logging is important? Covered. Hah-ha! […]

 

It’s about more than identity theft

Over at his blog, Alex Hutton responds to my claim that data breaches are not meaningful because of identity theft, saying that “Compliance to External Risk Tolerances (PCI) and Government Breach Reporting Laws *DO* make it significantly about Identity Theft.” (“The ‘Insider Statistic’, Good Data, & Risk.”) Alex’s main point is that it’s not insiders, […]

 

Irony at the BBC

The headline, and warning, of a story about how data formats change, “Warning of data ticking time bomb,” BBC web site, 3 July 2007.

 

In Congress Assembled, July 4, 1776

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

 

PET Award

For the last several years, Microsoft has worked with the Privacy Enhancing Technologies community to support a prize for the best work done in the field. I’ve been involved as a member of the selection committee, but when I joined Microsoft, stepped away from that. It’s important to us that the prize is independent. This […]

 

152:1

As governor of Texas, George Bush didn’t see fit to commute any of the 152 death sentences brought before him. (Wikipedia) Good thing Scooter Libby ain’t no poor Texan, because if he was, Bush wouldn’t have ruined his law and order record. (Noted at Discourse.net.) Update: 6 days later, the New York Times notes that […]

 

The CIA’s Family Jewels

Last week, the CIA released a document they called ‘The Family Jewels.’ This compendium of shameful acts has gotten a lot of press, and I have not a lot to add. I did like this bit, mentioned in the Washington Post, “Trying to Kill Fidel Castro:” Maheu made the pitch on Sept. 14, 1960, at […]

 

It’s not all about "identity theft"

There’s a fascinating conversation going on between Chris and Andy Steingruebl in the comments to Data on Data Breaches. In it, Chris writes: If what we care about is reducing ID theft, then maybe all this effort about analyzing breach reports is a sideshow, since for all we know 80% of the revealed PII never […]

 

Stop Real ID, again

Apparently, the forces of evil have inserted themselves a national ID clause into the immigration bill (two bad bills, risen from the dead together?) Please go to Unreal ID’s action page to send a fax. It only takes a minute.

 

My Privacy Enhancing Technologies talk

At the Privacy Enhancing Technologies workshop, there is a ‘rump’ session, designed for work that’s not of sufficient quality to make it into the workshop. (And given that the workshop now has a 20% acceptance rate, there’s some pretty interesting stuff that doesn’t make it in.) I didn’t use it for that, I used it […]

 

All That You Buy, Beg, Borrow or Steal

Let’s face it. There hasn’t been a better pressing of Dark Side (with the possible exception of the original vinyl, which I haven’t heard) than the Mobile Fidelity gold disk. Which doesn’t prevent EMI from releasing it over and over again. That makes perfect sense, it keeps selling like mad. As bbum points out in […]

 

The 'Gay Marriage' of Computer Security?

Reading Dale Carpenter’s post on Volokh,”Big win for SSM in Massachusetts,” I was struck by how similar his narrative is to my thinking around breach notice. He writes (and I emphasize): What’s so striking about the vote today is how dramatically support for SSM has grown in the legislature (and in state public opinion polls) […]

 

On Privacy Law: HIPPA, Library

At Law.com, “Hospitals Fear Privacy Claims Over Medical Records:” The Health Insurance Portability and Accountability Act is raising new legal fears for health care providers in light of tougher government enforcement and recent court rulings that could trigger private lawsuits. Labor and employment attorneys who represent health care providers are especially concerned about the prospect […]

 

Disclosures where they're not required by law

It’s the new normal in the English speaking world. See: “Hard drive stolen from Concordia” hospital in Winnipeg. The Bank of Scotland lost a DVD or DC in the mail, “Bank loses details on 62,000 customers in post.” “Personal banking info goes missing” regarding 120,000 Coastal Community Credit Union in Nanaimo, British Columbia. “Personal information […]

 

Emergent Downtime

We had some downtime after a failure at our hosting facility. We would like to address the power loss which occurred in our Virginia Datacenter on Wednesday, June 13th. We are still investigating the root cause, but in the interest of full disclosure, here are the facts as we know them today. A more complete […]

 

"Whatever happened to Zero-Knowledge Systems?"

Zero-Knowledge Systems was one of the hottest startups of the internet bubble. Unlike internet companies selling pet food or delivering snacks to stoners, Zero-Knowledge was focused on bringing privacy to all internet users. We had some fantastic technology which was years ahead of its time. And people often ask me “whatever happened to them?” The […]

 

Global Biometrics Database, Coming to Soon to You

Raiders News Network quotes an Interpol press release, “G8 Give Green Light For Global Biometric Database:” MUNICH, Germany – G8 Justice and Interior Ministers today endorsed a range of vital policing tools proposed by Interpol Secretary General Ronald K. Noble aimed at enhancing global security. Secretary General Noble exposed the global problem of prison escapes […]

 

Joe Strummer interview, book

There was a great interview on the local NPR station yesterday with Chris Salewicz, who has a new biography out. It’s “Redemption Song: The Ballad of Joe Strummer.” The interview was really well done–the music was well and cleverly integrated into the conversation. If you’re taking it easy, why not listen to the KUOW Weekday […]

 

Dear FBI: Fusion requires critical mass

The FBI runs what they call “Fusion Centers” for intelligence sharing. There’s a fascinating quote in the Washington Technology article, “Boeing to staff FBI Fusion Center:” “As a police chief of the 19th largest city in the nation, and in possession of a top secret clearance, by law I cannot set foot unescorted in the […]

 

Fascinating breach detail: Illinois Department of Financial and Professional Regulation

Here’s detail from a InformationWeek story, “Hackers Blamed For Data Breach That Compromised 300,000:” A hacker broke into the computer network at the Illinois Department of Financial and Professional Regulation this past January and accessed a server that held information on about 1,200,000 people who have licenses or applied for licenses with the department. Susan […]

 

Laurie, Cameron and Brands (Oh My!)

There’s a fascinating exchange going on between Ben Laurie, Kim Cameron, and Stefan Brands. This is utterly fascinating if you have any interest at all in online identity, but haven’t had the time to compare systems. I’d try to contribute, but I’ve been in the midst of a large project at work. Archival links: Stefan: […]

 

Federal Computer Week on SSN Purges

There’s an article in Federal Computer Week explaining that “Agencies face SSN scrubdown.” We mentioned this last week in “White House Data Breach Prevention Guidelines.” I am pleasantly surprised to learn that some data actually will be be declared ‘unnecessary:’ Agencies can eliminate some SSN uses by asking employees not to write their SSNs on […]

 

DVD Player

[Substantially more than] a week ago, I asked what DVD player I should get. I didn’t get the answer, but I did get a lot of “I’d like to know.” I wanted to share that I ended up with a Philips DVP-5140. It was cheap, there’s an easy fix for the region bug explained in […]

 

"An Empirical Approach to Understanding Privacy Valuation"

Luc Wathieu and Allan Friedman have an article in Harvard Business School’s ‘working knowledge,’ titled “An Empirical Approach to Understanding Privacy Valuation.” In it, they present the results of a survey of 647 people with regard to a number of privacy hypotheses. Their results include: Contrary to some research, the chief privacy concern appears based […]

 

Pure Evil Entertainment

My friend Jeff Herrold has a new production company, Pure Evil Entertainment. Jeff is one of the best storytellers I know, and he’s put a short he made a few years back up on YouTube. It’s DEADLINE, and it’s a pretty entertaining bit of twistedness.

 

White House Data Breach Prevention Guidelines

So the Office of Management and Budget sent a memo this week, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.” The cool bit is that the memo directs agencies to act within 120 days, including evaluating their data collection, and continuing collection of personal information only if it’s necessary. Unfortunately, what I […]

 

Ministry of Truth in Advertising

The BBC reports that “Ministers set out plan for waste.”…Usually, they at least claim they’re spending our money wisely.

 

Overwhelmed or Under-notified: Consumers and Breach Notices

In asking why customers don’t leave after a breach, there are two theories that people have put forth that are interestingly contradictory. the first is that they don’t know about the breaches. This was suggested by a questioner at Toorcon Seattle. The second is that customers are overwhelmed with notices. This is popular amongst bankers, […]

 

75% of Britons Want to Know

The European Commission has done an “E-Communications Household Survey,” and found that overwhelmingly, “UK internet users want to be informed of data losses:” Most UK residents want to be informed if their personal data is lost or stolen after a corporate security breach, the latest E-Communications Household Survey from the European Commission (EC) has revealed. […]

 

Reading, Writing, and Arithmetic

I’ve been encountering some really silly software lately. I was trying to visit the homeland stupidity blog, with Safari and the most-excellent pithhelmet, and I get this message: We’re sorry, but we could not fulfill your request for /2007/04/21/astroglide-data-breach-exposes-customer-information/ on this server. An invalid request was received from your browser. This may be caused by […]

 

On Illegal Wiretaps

What, indeed, was the nature of the “program” before Goldsmith, Comey and Ashcroft — those notorious civil libertarian extremists — called a halt to it, and threatened to resign if the President continued to break the law? And what was the nature and breadth of its legal justification? I am hardly alone in realizing that […]

 

893 Million, and Whadda Ya Get?

♫Another DHS network, and we’re not sharing yet.♫ So reports Haft of the Spear, in “You’ll Share and You’ll Like It!” The Homeland Security and Justice departments have spent $893 million on information-sharing networks in the last two years but still do not have effective networks in place, according to a report from the Government […]

 

The War on Cash?

There’s a war on cash? Who knew? Dave Birch uses the phrase in “More from the war on cash” without a whole lot of surprise. Here he’s quoting a McKinsey study. (Unsurprisingly, you need to login to read it.) I liked this gem: Cash needs to be priced appropriately. The fact is that, today, the […]

 

Is that an interesting question?

In a comment on “Why Customers Don’t Flee,” Chris adds “too much work.” I’ll add “too hard to evaluate alternatives.” But before we go much further, I’ll ask, is this the right question? Given that few customers leave after most breaches, is it useful to ask why they’re not leaving, or are there other questions […]

 

Why Customers Don’t Flee

At Toorcon Seattle yesterday, I presented “Security Breaches are Good for You (like a root canal).” It’s similar to “Security Breaches Are Good for you” (my shmoocon talk) but added a number of points about people agreeing, but not wanting to change. “Psychology & Security & Breaches (Oh My!?)” and “When Do Customers Flee.” I […]

 

The Wrong Breach Law

Last week, the Senate Judiciary committee passed the “The Personal Data Privacy and Security Act of 2007” (See more in Security Fix, Federal Data Breach Bills Clear Senate Panel: Much of the debate over the relative strength of the various data-breach notification proposals currently circulating on Capitol Hill centers around the precise trigger for notification. […]

 

Disclosure in The UK

Scotsman.com reports “Standard Life customers are hit by breach in security,” and Computerworld.uk reports that a “Laptop containing Southend children’s social services case notes bought on eBay.” In the US, neither of these would even be news. They’re both small, first time mistakes. Both would probably require notice under state law. However, it’s anarchy in […]

 

.BadIdea, Mikko

Mikko Hypponen suggests in an article that’s getting a lot of press (“Masters of Their Domain“) that banks get their own domain space, ‘.bank.’ He argues that this would make phishing harder, and suggests we could charge banks a lot of money for the domains. I have three problems with this: Crooks are already investing […]

 

TSA Can’t Keep a Secret

Alternate title: “If schadenfreude is wrong, I don’t want to be right.” Ryan Singel reports that the “TSA Lost Sensitive Data on 100,000 Employees.” This is the same agency which wants to collect all your personal data so they can deny you the right to get on a plane without any sort of legal proceedings. […]

 

Interesting Stuff From Microsoft

My colleague Dave Ladd has a post “Security Education v. Security Training:” Unfortunately, there’s an assumption held by many in our (IT) community that the road to better security leads to “drinking from the fire hose” – that is to say, employees are rocketed through week long training classes, then drilled and tested on security […]

 

Breaches in SEC Reports

Gregory Fleischer saw my Shmoo talk, and was kind enough to tell me when he found breaches in SEC reports: At your Shmoocon talk you mentioned that you had difficulty finding SEC filings related to security breaches. I was doing some research and came across several SEC filings that discuss security breaches. Generally, these items […]

 

Stop Real ID

So I was a little curt in my bloviation the other day about the REAL ID forum. There’s good people doing real work to stop this thing, and they deserve your help and support. Over 40 organizations representing transpartisan, nonpartisan, privacy, consumer, civil liberty, civil rights, and immigrant organizations have joined to launch a national […]

 

DHS Sends a Flunky to Do A Man's Job

So DHS has managed to cancel all but one “Town Hall Meeting” about REAL ID. They’re sending a “Richard Barth, Assistant Secretary, Office of Policy Development” to talk to the fine people of San Francisco about the travesty of a national ID card which is REAL ID. We’ll waste $20 billion dollars on this nonsense, […]

 

A Market To Be Tapped

I’ve often talked about how people will pay for privacy when they understand the threat. In that light, the New York Times article “Phone Taps in Italy Spur Rush Toward Encryption” is fascinating: Drumming up business would seem to be an easy task for those who sell encrypted cellphones in Italy. All they have to […]

 

WOOT! Looks Exciting

Via Nate, “WOOT = Usenix + Blackhat:” The call for papers is now up for a new Usenix workshop, WOOT (Workshop On Offensive Technologies, but don’t think the name came before the acronym.) The workshop will be co-hosted with Usenix Security and will focus on new practical attacks. I was recently saying that vulnerability research […]

 

Announcing…The Security Development Lifecycle Blog

My team at work announced the launch of “The Security Development Lifecycle” blog today. After the intro post, Michael Howard leads off with “Lessons Learned from the Animated Cursor Security Bug.” I’m pretty excited. We’re focused on transparency around what we’re learning as we continue to develop the SDL.

 

One Third of McAfee Survey Respondents Are Not Paying Attention

So reports Sharon Gaudin in Information Week. Actually, I think she picked up the story as McAfee spun it: “Companies Say Security Breach Could Destroy Their Business:” One-third of companies said in a recent poll that a major security breach could put their company out of business, according to a report from McAfee. The security […]

 

When Do Customers Flee?

So I’ve long thought that consumers treat breaches as mistakes, and generally don’t care. In reading the Ponemon reports, it seems that the average customer churn is 2%. (I’ll come back to that number.) But it gets worse when you have repeated breaches. In the CSO blog, “What, When and How to Respond to a […]

 

Disclosure, Discretion and Statistics

One of the very interesting things about mandatory disclosure of breaches is that it adds a layer of legitimacy to the data. If all we have are self-selected reporters, we must investigate what bias that adds. This makes the FBI-CSI report and many others even less useful. New laws that require disclosure give us not […]