Category: books

The New School of Information Security


A few days ago, we turned in the very last edits to The New School of Information Security to Addison-Wesley.

My co-author, Andrew Stewart, and I are both really excited. The New School is a systemic look at dysfunction within information security, and at some of the ways people are trying to make things better. We think there’s an emerging way of approaching the world, which we call the New School.

We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn’t just fixed them, and some of the data sources which we rely on and how poor they are. We then look at some new sources of data, and new ways of interpreting them, and close with some very practical steps that any individual or organization can take to make things better.

Incidentally, this isn’t an official project for either of us. (We wouldn’t want anyone to get confused about who gets the credit or blame.)

Scott Page’s The Difference

A lot of people think of calls for diversity as fuzzy headed liberalism at its worst. If you’re one of them, please keep reading. Or you could click here and just buy Scott Page’s book and read that, which is what I’d like to convince you to do.

This is a book about problem solving. He starts with a set of observations about how we see the world, and how different people bring different approaches and perspectives to the same problem. His approach is mathematically grounded, although you can skip the math or delve into it. He talks about how bringing different perspectives, heuristics, interpretations and predictive models to a problem can result in super-additive results, as one person helps another overcome blockers.

From there, he looks at how groups compare to experts, and looks at those situations where a group will do better than an expert, even when no member of the group is as sophisticated or broad as the expert. He also looks at those places where averaging over the crowd can get you better results–that if the perspectives are different (and relevant) then a crowd may well have a more intricate model than any one expert.

He also talks about differences between instrumental and fundamental preferences. (We should walk to the park, we should bike to the park, versus we should go to the park or the movies) and how diversity in the latter doesn’t always lead to better results.

He doesn’t make the point that such fundamental diversity of preferences should lead us to prefer liberty. I’m somewhat surprised by this, because it ties to his main points so well. If we want very different things, then we gain a lot by allowing people to make their own choices: some good, some bad, but reducing coordination costs.

It’s been a fascinating read, and I think it will have substantial long-term impact on my thinking. Thanks to Jon Pincus for the pointer. Also, I’ve decided to experiment a bit with Amazon affiliate links, and wanted to disclose that before Threat Level got revenge.

Computer Capers and Progress

We’re coming up on the 30th anniversary of the publication of “Computer Capers: Tales of electronic thievery, embezzlement, and fraud,” by Thomas Whiteside.

What, might you ask, can we learn from a 30 year old text?

Nothing has changed.

Except for some of the names. Donn Parker is in there, as are a melange of consultants. But read this:

As the result of such revelations of security weaknesses in IRS computer systems–and, in particular, the critical [date] GAO report–the commissioner of the IRS, while conceding that the IRS had not been as aggressive in the past as it might have been in correcting situations that potentially weakened its overall security, declared that he is committing the IRS to a “vigorous course of improvement” in the management of computerized tax data in order to assure the maximum security for information on taxpayers. (p. 71 of the paperback)

That was in 1977. Compare and contrast this 2008 Associated Press article:

IRS records, including taxpayer information, are vulnerable to tampering or disclosure because it has not yet fixed dozens of information security weaknesses, according to a government report issued Tuesday.

The existing problems, the GAO said, included giving too many people access to sensitive material, failure to encrypt all sensitive data and weak physical security controls.

Acting IRS Commissioner Linda Stiff, in response to the report, wrote that the agency recognizes “there is significant work to be accomplished to address our information security deficiencies and we are taking aggressive steps to correct previously reported weaknesses.” (Associated Press, 2008, “Report Cites IRS Security Flaws”)

I could go on about similarities between what’s in Computer Capers, oh, ok, one more:

Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil… (Computer Capers, page 72)

I could go on quoting, but can we as a profession go on making the same mistakes?

The fetishization of secrecy has got to stop, or in thirty years, we’ll be looking back at the same problems.

How taxing is it to read a tape?

In “Athenian Economy and Society: a banking perspective,” Edward Cohen uses the fascinating technique of trusting in offhand comments. He uses the technique to analyze court records to reconstruct banking. You might not be able to trust the main testimony in a trial, but no one will offhandedly say something shocking and strange, because it will undermine their credibility. (For example, “it’s snowing in Jamaica” makes no sense as a parenthetical, and would undermine my credibility if I said it.)

So I found an offhand comment reported by Beth Pariseau in “IRS sent tax database on unencrypted tapes” to be fascinating:

The IRS confirmed to that copies of its tax database were distributed to state agencies on unencrypted tapes before Sept. 30, 2007. A source at one state agency said the tapes were also sent using common carriers, such as FedEx.

The source, whose agency received the database information on a regular basis, said the IRS had formal guidelines for agencies to place the tapes behind three layers of physical security — inside a locked box, for example — and restrict access to “need-to-know” personnel. He added a fourth layer of physical security, but that still didn’t make him feel comfortable. “These were standard IBM mainframe tapes,” he said. “It didn’t take anything special to read them.”

I found this really interesting because our anonymous source tosses off the idea that reading a tape is easy. This is in stark contrast to everyone who reports breaches, who goes on and on about how hard it would be to read their DLTs.

This expert didn’t give that nonsense a second thought. Journalists should be more skeptical, and so should you.

Interestingly, there’s a second tie to Cohen’s book. In it, he lays out how the Athenians, worried about the taxman, created private banking. The taxman has rarely worried about the welfare of the taxed.

[Update: An anonymous correspondent points to “Who Must File Magnetically,” which points to IRS publication 1220. Encryption is specifically forbidden (“Do not send encrypted data.”), and the tape format is clearly documented. See part C.05 on page 35 of the PDF, or printed page #29.]

Photo: IBM 3410 tape system. Image courtesy of IBM. Story via PogoWasRight.

Book on Boyd

Frans Osinga’s book on Boyd, “Science, Strategy and War: The Strategic Theory of John Boyd” has been issued in paperback. Previously, it was $90 for a copy. The new paperback edition is $35.95, and is easily worthwhile at that price.

Science, Strategy and War is an academic analysis of John Boyd’s thinking and its origin. It may not be as good an introduction as Coram’s book, but it goes into far more detail about the theories he put forth, challenges narrow views of them, and provides a degree of academic respectability the work hasn’t previously had.

Via Global Guerrillas.

A quick pointer

Adam has made several posts about it being ‘good for you’ to open up about data breaches. Unfortunately, keeping a lid on the info is a stable equilibrium.
This situation is what economists would call an Assurance Game. A quick pointer to a post I made reviewing a very good book on how to get out of this mess.

She’s Such A Geek

Longtime geek authors Annalee Newitz and Charlie Anders published She’s Such A Geek last year. I’ve been meaning to blog about this for a while. It’s a collection of over 20 essays by women geeks. These essays cover the trials, tribulations and joys of being a female geek. At times entertaining and other times depressing, the book highlights both how far feminism has gotten over the last hundred years and how much more it has to accomplish. I can’t recommend the book or the associated blog enough.

Cleaning Up

John Snow Pub Sign

If you haven’t read Steven Johnson’s The Ghost Map, you should. It’s perhaps the most important book in print today about the next decade of computer security.

John Snow was a physician and a pioneer in anaesthesia who turned his attention to cholera when the worst epidemic hit London, where he lived, in 1854. It’s not just about Snow, however; it’s about theories, information, and how to select the right model.

The prevailing model at the time (this was pre-germ-theory) was that cholera was airborne, carried by “miasma,” namely stink. If it smelled bad, it was probably disease-ridden. It’s not a bad theory, actually, it’s just wrong. Snow came to the belief that cholera was waterborne, despite the fact that the suspect wells in London were known to be largely sweet-tasting.

Despite the fact that I’m giving away the plot (spoiler — we beat cholera and major cities in Europe no longer have epidemics), Snow got there by examining data and coming up with the proper visualization of the data (the Ghost Map) to show that cholera spread along water flow not along air flow.

Before Adam used Snow and Johnson’s book in his recent “Why Security Breaches Are Good For You,” I read the book and was thinking about it and security.

I believe that our security problems need to be looked at both from the viewpoint of public health issues, but also from the viewpoint of quality. Snow beat cholera because he was fortunate enough to have the right insight, but insight isn’t enough. You need data. Fortunately, there was lots of data available, and the data was available to him and the people who disagreed with him. Data was also part of the problem, as Johnson points out, because the larger problem was sorting through the data. However, when it comes to computer security, we don’t yet have the luxury of too much data.

Everyone’s data center has its own little cesspool. Mine does, yours does. We have to figure out how to clean them up. We need to have more data. We therefore need to remove the stigma of disclosing data as well as insisting on it. This is why The Ghost Map is an important book for computer security, it will take you back a sesquicentury to the problems of creating cities with millions of people in them, and in that history you can think about the problems of making networks with billions of people in them.

Johnson himself has a chapter on the future of cities and urbanization, which I wasn’t as impressed with. The book shifts from being a page-turner to a page-flipper when he gets away from the past and considers the future. Nonetheless, read it and think.

I was fortunate enough to be in London recently and made a pilgrimage to Broad Street (now Broadwick Street) and the pub in his honor. I also made a point to use the modern public convenience on Broadwick Street and was amused by the washing gizmo that soaps, waters, rinses, and dries one’s hands without one having to touch anything.

Photo of the pub sign for the John Snow pub courtesy of Mordaxus. I apologize for leaving the decent camera at home, and thus having to make do with the camera in my mobile.

Pragmatic Redux

Late on Friday night, Mike Rothman finally posted a response to some of my questions from last week. Most notably he reveals who the Mike in his “Ad” is:

The answers are pretty straightforward. Mike, the Pragmatic CSO, is a fictional character. For those of you a little slow on the uptake, that means he doesn’t exist. Well, not really. Mike is a representation (some would say a caricature) of the thousands of CSOs and security professionals I’ve met through the years. Both the good traits, and not so good traits.

I was all set to ask Mike how a fictional character could spend $97 on a book let alone drink that much product from Starbucks, only to discover that Rothman had edited the website. It now says:

think buying the Pragmatic CSO book will be the best $97 you’ll spend all year. For less than you probably spend at Starbucks a month, you’ll be able to get back in control of your security environment. Dare I say it, but it’s worth 20 times the price. Even better, YOU HAVE NOTHING TO LOSE. If you don’t like the book, just ask Mike Rothman for your money back within 30 days – no questions, no heartburn.

While I appreciate the corrections, I do find the silent revisions somewhat worrisome. I guess that comes under the not so good traits Rothman refers to above…

Mike closes out with:

He [Arthur] also wondered a bit if he could meet Mike, the Pragmatic CSO at RSA. Maybe I’ll get a life size poster of Mike, and then Arthur can have a conversation with him.

I have to say I’ve certainly had worse conversations on the vendor floor at RSA than I would have with a cardboard cutout, so bring it on. I can out-argue a cardboard-cut out any day.

The Pragmatic Reviewer

Today Mike Rothman launched his new book “The Pragmatic CSO” at the astounding price of $97. I took the plunge and downloaded the introduction and it isn’t half bad, but aside from a cute dialogue at the beginning it doesn’t really read differently than any number of other security books I have on my shelf. The big difference seems to be the price tag. The other security books in my collection seem to be priced in the $50-$60 range and are professionally bound versus The Pragmatic CSO which is a downloadable pdf. So at this point not only is it nearly twice as expensive, but if I want a hard copy I need to spend even more money printing it out myself. On the plus side, Mike does have a 30 day money back guarantee, so I suppose I could shell out the money and then decide if I like it or not.
I do have a question for Mike though. On the website, under “Still Skeptical” is a short essay extolling the book by “Mike (the security products addict)”. I’m curious who this might be; care to share? No one has ever quoted me as Arthur for a product pitch, but they have under my real name. So even though it’s a little ironic for someone blogging under a pseudonym to call someone else on it, come on, name names. Whoever they are, this quote in particular caught my attention:

I can say that buying the Pragmatic CSO book was the best $97 I spent all year. For less than I spend at Starbucks a month, I was able to get back in control of my security environment. In hindsight I would have paid 20 times the price. Even better, YOU HAVE NOTHING TO LOSE. If you don’t like the book, just ask Mike Rothman for your money back within 30 days – no questions, no heartburn.

That’s quite a powerful statement coming from in response to a newly published book. I’d love to hear more about how the book helped them. Perhaps you could broker a conversation with them at RSA? Or is this just one of those PR generated quotes that, as an analyst, you hate so much?
[Image from Z Production]