Shostack + Friends Blog Archive

 

Rogue One Sequel already being filmed!

There’s some really interesting leaked photos and analysis by Charles Goodman. “Leaked photos from the Rogue One sequel (Mainly Speculation – Possible Spoilers).”

 

Rogue One: The Best Star Wars Yet?

Someone once asked me why I like Star Wars more than Star Trek. I was a bit taken aback, and he assumed that since I use it so much, I obviously prefer it. The real reason I use Star Wars is not that it’s better, but that there’s a small canon, and I don’t have […]

 

Earthrise

Image credit: Bill Anders, Apollo 8, launched this day, Dec 21, 1968.

 

Yahoo! Yippee? What to Do?

[Dec 20 update: The first draft of this post ended up with both consumer and enterprise advice, which made it complex. The enterprise half is now on the IANS blog: Never Waste a Good Crisis: Yahoo Edition.] Yesterday, Yahoo disclosed that attackers broke into Yahoo in 2013 and stole details on a billion accounts. Brian […]

 

Seeing the Big Picture

This quote from Bob Iger, head of Disney, is quite interesting for his perspective as a leader of a big company: There is a human side to it that I try to apply and consider. [But] the harder thing is to balance with the reality that not everything is perfect. In the normal course of […]

 

Do Games Teach Security?

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments Gamification of classroom assignments and online tools has grown significantly in recent years. There have been a number of card […]

 

Incentives, Insurance and Root Cause

Over the decade or so since The New School book came out, there’s been a sea change in how we talk about breaches, and how we talk about those who got breached. We agree that understanding what’s going wrong should be a bigger part of how we learn. I’m pleased to have played some part […]

 

Electoral Chaos

[Dec 15: Note that there are 4 updates to the post with additional links after writing.] The Green Party is driving a set of recounts that might change the outcome in one or more swing states. Simultaneously, there is a growing movement to ask the Electoral College to choose a candidate other than Donald Trump […]

 

Gavle Lessons: 56% Is Not Sufficiently More Secure!

In September, we shared the news that for its 50th year, the people of Gävle paid an extra $100,000 to secure the goat. Sadly, it seems to have not helped. Today, the goat tweeted: Oh no, such a short amount of time with you my friends. The obvious lesson is that the Swedes have a […]

 

Mac Command Line: Turning Apps into Commands

I moved to MacOS X because it offers both a unix command line and graphical interfaces, and I almost exclusively use the command line as I switch between tasks. If you use a terminal and aren’t familiar with the open command, I urge you to take a look. I tend to open documents with open […]

 

Election 2016

This election has been hard to take on all sorts of levels, and I’m not going to write about the crap. Everything to be said has been said, along which much that never should have been said, and much that should disqualify those who said it from running for President. I thought about endorsing Jill […]

 

The Breach Response Market Is Broken (and what could be done)

Much of what Andrew and I wrote about in the New School has come to pass. Disclosing breaches is no longer as scary, nor as shocking, as it was. But one thing we expected to happen was the emergence of a robust market of services for breach victims. That’s not happened, and I’ve been thinking […]

 

Secure Development or Backdoors: Pick One

In “Threat Modeling Crypto Back Doors,” I wrote: In the same vein, the requests and implementations for such back-doors may be confidential or classified. If that’s the case, the features may not go through normal tracking for implementation, testing, or review, again reducing the odds that they are secure. Of course, because such a system […]

 

Current Reading

[Update, Feb 20 2017: More reading: Trump and the ‘Society of the Spectacle’.]

 

Gavle Goat, now 56% more secure!

“We’ll have more guards. We’re going to try to have a ‘goat guarantee’ the first weekend,” deputy council chief Helene Åkerlind, representing the local branch of the Liberal Party, told newspaper Gefle Dagblad. “It is really important that it stays standing in its 50th year,” she added to Arbetarbladet. Gävle Council has decided to allocate […]

 

You say noise, I say data

There is a frequent claim that stock markets are somehow irrational and unable to properly value the impact of cyber incidents in pricing. (That’s not usually precisely how people phrase it. I like this chart of one of the largest credit card breaches in history: It provides useful context as we consider this quote: On […]

 

Why Don't We Have an Incident Repository?

Steve Bellovin and I provided some “Input to the Commission on Enhancing National Cybersecurity.” It opens: We are writing after 25 years of calls for a “NTSB for Security” have failed to result in action. As early as 1991, a National Research Council report called for “build[ing] a repository of incident data” and said “one […]

 

Diagrams in Threat Modeling

When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, Interrupted” this paragraph really jumped out at me: One thing that coding and writing fiction […]

 

What Boards Want in Security Reporting

Recently, some of my friends were talking about a report by Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports.” In that report, we see things like: More than three in five board members say they are both significantly or very “satisfied” (64%) and “inspired”(65%) after the typical presentation by IT and […]

 

FBI says their warnings were ignored

There’s two major parts to the DNC/FBI/Russia story. The first part is the really fascinating evolution of public disclosures over the DNC hack. We know the DNC was hacked, that someone gave a set of emails to Wikileaks. There are accusations that it was Russia, and then someone leaked an NSA toolkit and threatened to […]

 

What does the MS Secure Boot Issue teach us about key escrow?

Nothing. No, seriously. Articles like “Microsoft Secure Boot key debacle causes security panic” and “Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea” draw on words in an advisory to say that this is all about golden keys and secure boot. This post is not intended to attack anyone; researchers, journalists or […]

 

Consultants Say Their Cyber Warnings Were Ignored

Back in October, 2014, I discussed a pattern of “Employees Say Company Left Data Vulnerable,” and its a pattern that we’ve seen often since. Today, I want to discuss the consultant’s variation on the story. This is less common, because generally smart consultants don’t comment on the security of their consultees. In this case, it […]

 

"Better Safe than Sorry!"

“Better safe than sorry” are the closing words in a NYT story, “A Colorado Town Tests Positive for Marijuana (in Its Water).” Now, I’m in favor of safety, and there’s a tradeoff being made. Shutting down a well reduces safety by limiting the supply of water, and in this case, they closed a pool, which […]

 

Dear Mr. President

U.S. President Barack Obama says he’s ”concerned” about the country’s cyber security and adds, ”we have to learn from our mistakes.” Dear Mr. President, what actions are we taking to learn from our mistakes? Do we have a repository of mistakes that have been made? Do we have a “capability” for analysis of these mistakes? […]

 

Donald Trump Facts

“My father likes to keep some anonymity. It’s who he is. It’s who he is as a person,” Eric Trump said. It should have been obvious. (Quote from Washington Post, July 6, 2016).

 

What's Classified, Doc? (The Clinton Emails and the FBI)

So I have a very specific question about the “classified emails”, and it seems not to be answered by “Statement by FBI Director James B. Comey on the Investigation of Secretary Hillary Clinton’s Use of a Personal E-Mail System .” A few quotes: From the group of 30,000 e-mails returned to the State Department, 110 […]

 

Happy Independence Day!

Since 2005, this blog has had a holiday tradition of posting “The unanimous Declaration of the thirteen united States of America.” Never in our wildest, most chaotic dreams, did we imagine that the British would one day quote these opening words: When in the Course of human events, it becomes necessary for one people to […]

 

Passwords 2016

I’m excited to see the call for papers for Passwords 2016. There are a few exciting elements. First, passwords are in a category of problems that someone recently called “garbage problems.” They’re smelly, messy, and no one really wants to get their hands dirty on them. Second, they’re important. Despite their very well-known disadvantages, and […]

 

A New Way to Tie Security to Business

As security professionals, sometimes the advice we get is to think about the security controls we deploy as some mix of “cloud access security brokerage” and “user and entity behavioral analytics” and “next generation endpoint protection.” We’re also supposed to “hunt”, “comply,” and ensure people have had their “awareness” raised. Or perhaps they mean “training,” […]

 

The Evolution of Apple’s Differential Privacy

Bruce Schneier comments on “Apple’s Differential Privacy:” So while I applaud Apple for trying to improve privacy within its business models, I would like some more transparency and some more public scrutiny. Do we know enough about what’s being done? No, and my bet is that Apple doesn’t know precisely what they’ll ship, and aren’t […]

 

Security Lessons from C-3PO

C-3PO: Sir, the possibility of successfully navigating an asteroid field is approximately 3,720 to 1. Han Solo: Never tell me the odds. I was planning to start this with a C-3PO quote, and then move to a discussion of risk and risk taking. But I had forgotten just how rich a vein George Lucas tapped […]

 

The Rhetorical Style of Drama

There is a spectre haunting the internet, the spectre of drama. All the powers of the social media have banded together to not fight it, because drama increases engagement statistics like nothing else: Twitter and Facebook, Gawker and TMZ, BlackLivesMatter and GamerGate, Donald Trump and Donald Trump, the list goes on and on. Where is […]

 

"Think Like an Attacker" is an opt-in mistake

I’ve repeatedly spoken out against “think like an attacker.” Now I’m going to argue from authority. In this long article, “The Obama Doctrine,” the President of the United States says “The degree of tribal division in Libya was greater than our analysts had expected.” So let’s think about that statement and what it means. First, […]

 

Humans in Security, BlackHat talks

This is a brief response to Steve Christey Coley, who wrote on Twitter, “but BH CFP reads mostly pure-tech, yet infosec’s more human-driven?” I can’t respond in 140, and so a few of my thoughts, badly organized: BlackHat started life as a technical conference, and there’s certain expectations about topics, content and quality, which have […]

 

RSA Planning

Have a survival kit: ricola, Purell, gatorade, advil and antacids can be brought or bought on site. Favorite talk (not by me): I look forward to Sounil Yu’s talk on “Understanding the Security Vendor Landscape Using the Cyber Defense Matrix.” I’ve seen an earlier version of this, and like the model he’s building a great […]

 

Secure Code is Hard, Let's Make it Harder!

I was confused about why Dan Kaminsky would say CVE-2015-7547 (a bug in glbc’s DNS handling) creates network attack surface for sudo. Chris Rohlf kindly sorted me out by mentioning that there’s now a -host option to sudo, of which I was unaware. I had not looked at sudo in depth for probably 20 years, […]

 

Sneak peeks at my new startup at RSA

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]

 

Sneak peeks at my new startup at RSA

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]

 

Kale Caesar

According to the CBC: “McDonald’s kale salad has more calories than a Double Big Mac” In a quest to reinvent its image, McDonald’s is on a health kick. But some of its nutrient-enhanced meals are actually comparable to junk food, say some health experts. One of new kale salads has more calories, fat and sodium […]

 

Superbowls

This is a superb owl, but its feathers are ruffled. It is certainly not a metaphor. Speaking of ruffled feathers, apparently there’s a kerfuffle about Super Bowl 1, where the only extant tape is in private hands, and there’s conflict over what to do with it. One aspect I haven’t seen covered is that 50 […]

 

Threat Modeling: Chinese Edition

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into Chinese. You can buy it from Amazon.cn.

 

Threat Modeling, Chinese Edition!

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into Chinese. You can buy it from Amazon.cn.

 

Security Blogger Awards

Voting for the 2016 Security Blogger Awards are now open, and this blog is nominated for most entertaining. Please don’t vote for us. Along with our sister blog, we’re aiming to dominate a new category next year, “most nominations without a win.”

 

"The Pentesters Strike Back"

Offered up without comment: Star Wars Episode IV.1.d: The Pentesters Strike Back from CyberPoint International on Vimeo.

 

The Pogues

Happy New Year! The Pogues are Launching their own brand of whiskey, and whatever you think of the band or of drinking, it’s hard to think of a more “on brand” product creation than this.

 

Cybersecurity Lessons from Star Wars: Blame Vader, Not the IT Department

In “The Galactic Empire Has Terrible Cybersecurity,” Alex Grigsby looks at a number of high-profile failures, covered in “A New Hope” and the rest of the Star Wars canon. Unfortunately, the approach he takes to the Galactic Empire obscures the larger, more dangerous issue is its cybersecurity culture. There are two errors in Grigsby’s analysis, […]

 

Governance Lessons from the Death Star Architect

I had not seen this excellent presentation by the engineer who built the Death Star’s exhaust system. In it, he discusses the need to disperse energy from a battle station with the power draw to destroy planets, and the engineering goals he had to balance. I’m reminded again of “The Evolution of Useful Things” and […]

 

Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current. Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned […]

 

Phishing and Clearances

Apparently, the CISO of US Homeland Security, a Paul Beckman, said that: “Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government” (Paul Beckman, quoted in Ars technica) Now, I’m sure being in the […]

 

Survey for How to Measure Anything In Cybersecurity Risk

This is a survey from Doug Hubbard, author of How To Measure Anything and he is currently writing another book with Richard Seiersen (GM of Cyber Security at GE Healthcare) titled How to Measure Anything in Cybersecurity Risk. As part of the research for this book, they are asking for your assistance as an information […]

 

What Good is Threat Intelligence Going to do Against That?

As you may be aware, I’m a fan of using Star Wars for security lessons, such as threat modeling or Saltzer and Schroeder. So I was pretty excited to see Wade Baker post “Luke in the Sky with Diamonds,” talking about threat intelligence, and he gets bonus points for crossover title. And I think it’s […]

 

Towards a model of web browser security

One of the values of models is they can help us engage in areas where otherwise the detail is overwhelming. For example, C is a model of how a CPU works that allows engineers to defer certain details to the compiler, rather than writing in assembler. It empowers software developers to write for many CPU […]

 

Adam's new startup

A conversation with an old friend reminded me that there may be folks who follow this blog, but not the New School blog. Over there, I’ve posted “Improving Security Effectiveness” about leaving Microsoft to work on my new company: For the last few months, I’ve been working full time and talking with colleagues about a […]

 

Seeking a technical leader for my new company

We have a new way to measure security effectiveness, and want someone who’ll drive to delivering the technology to customers, while building a great place for developers to ship and deploy important technology. We are very early in the building of the company. The right person will understand such a “green field” represents both opportunity […]

 

The Drama Triangle

As we head into summer conference season, drama is as predictable as vulnerabilities. I’m really not fond of either. What I am fond of, (other than Star Wars), as someone who spends a lot of time thinking about models, is the model of the “drama triangle.” First discussed by Stephen Karpman, the triangle has three […]

 

Security Lessons from Healthcare.gov

There’s a great “long read” at CIO, “6 Software Development Lessons From Healthcare.gov’s Failed Launch.” It opens: This article tries to go further than the typical coverage of Healthcare.gov. The amazing thing about this story isn’t the failure. That was fairly obvious. No, the strange thing is the manner in which often conflicting information is […]

 

On Language

I was irked to see a tweet “Learned a new word! Pseudoarboricity: the number of pseudoforests needed to cover a graph. Yes, it is actually a word and so is pseudoforest.” The idea that some letter combinations are “actual words” implies that others are “not actual words,” and thus, that there is some authority who […]

 

The Web We Have to Save

Hossein Derakhshan was recently released from jail in Iran. He’s written a long and thoughtful article “The Web We Have to Save.” It’s worth reading in full, but here’s an excerpt: Some of it is visual. Yes, it is true that all my posts on Twitter and Facebook look something similar to a personal blog: […]

 

Improving Security Effectiveness

For the last few months, I’ve been working full time and talking with colleagues about a new way for security executives to measure the effectiveness of security programs. In very important ways, the ideas are new and non-obvious, and at the same time, they’re an evolution of the ideas that Andrew and I wrote about […]

 

What Happened At OPM?

I want to discuss some elements of the OPM breach and what we know and what we don’t. Before I do, I want to acknowledge the tremendous and justified distress that those who’ve filled out the SF-86 form are experiencing. I also want to acknowledge the tremendous concern that those who employ those with clearances […]

 

The Unanimous Declaration of the Thirteen United States of America

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

 

PCI & the 166816 password

This was a story back around RSA, but I missed it until RSnake brought it up on Twitter: “[A default password] can hack nearly every credit card machine in the country.” The simple version is that Charles Henderson of Trustwave found that “90% of the terminals of this brand we test for the first time […]

 

Wassenaar Restrictions on Speech

[There are broader critiques by Katie Moussouris of HackerOne at “Legally Blind and Deaf – How Computer Crime Laws Silence Helpful Hackers” and Halvar Flake at “Why changes to Wassenaar make oppression and surveillance easier, not harder.” This post addresses the free speech issue.] During the first crypto wars, cryptography was regulated under the US […]

 

Threat Modeling Crypto Back Doors

Today, the Open Technology Institute released an open letter to the President of the United States from a broad set of organizations and experts, and I’m pleased to be a signer, and agree wholeheartedly with the text of the letter. (Some press coverage.) I did want to pile on with an excerpt from chapter 9 […]

 

Conference Etiquette: What’s New?

So Bill Brenner has a great article on “How to survive security conferences: 4 tips for the socially anxious .” I’d like to stand by my 2010 guide to “Black Hat Best Practices,” and augment it with something new: a word on etiquette. Etiquette is not about what fork you use (start from the outside, […]

 

Boyd Video: Patterns of Conflict

John Boyd’s ideas have had a deep impact on the world. He created the concept of the OODA Loop, and talked about the importance of speed (“getting inside your opponent’s loop”) and orientation, and how we determine what’s important. A lot of people who know about the work of John Boyd also know that he […]

 

The New Cyber Agency Will Likely Cyber Fail

The Washington Post reports that there will be a “New agency to sniff out threats in cyberspace.” This is my first analysis of what’s been made public. Details are not fully released, but there are some obvious problems, which include: “The quality of the threat analysis will depend on a steady stream of data from […]

 

What CSOs can Learn from Pete Carroll

If you listen to the security echo chamber, after an embarrassing failure like a data breach, you lose your job, right? Let’s look at Seahawks Coach Pete Carroll, who made what the home town paper called the “Worst Play Call Ever.” With less than a minute to go in the Superbowl, and the game hanging […]

 

An Infosec lesson from the "Worst Play Call Ever"

It didn’t take long for the Seahawk’s game-losing pass to get a label. But as Ed Felten explains, there’s actually some logic to it, and one of his commenters (Chris) points out that Marshawn Lynch scored in only one of his 5 runs from the one yard line this season. So, perhaps in a game […]

 

The Unexpected Meanings of Facebook Privacy Disclaimers

Paul Gowder has an interesting post over at Prawfblog, “In Defense of Facebook Copyright Disclaimer Status Updates (!!!).” He presents the facts: …People then decide that, hey, goose, gander, if Facebook can unilaterally change the terms of our agreement by presenting new ones where, theoretically, a user might see them, then a user can unilaterally […]

 

Security 101: Show Your List!

Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords! That’s security 101!” Now, I’m unsure if that’s “security 101” or not. I think security 101 for passwords is “don’t […]

 

IOS Subject Key Identifier?

I’m having a problem where the “key identifier” displayed on my ios device does not match the key fingerprint on my server. In particular, I run: % openssl x509 -in keyfile.pem -fingerprint -sha1 and I get a 20 byte hash. I also have a 20 byte hash in my phone, but it is not that […]

 

Color-Changing Cats

Looking for something festive, holiday-like and chaotic for the blog, I came across color-changing cats. The history of color-changing cats is a fascinating one, involving Carl Sagan and accurate predictions of unfathomable chaos over the next ten thousand years. Because while we don’t know what life will be like that far in the future, consider […]

 

The Cliffs of Insanity!

Today’s “the future is cool” entry is the cliffs of insanity: Actually, I’m lying to you, they’re the Cliffs of Comet Churyumov–Gerasimenko, as photographed by the Rosetta spacecraft. I just think its cool similar they look, and how the physical processes which created the Cliffs of Moher may also have been at work on a […]

 

The Future Is So Cool

When you were growing up, 2014 was the future. And it’s become cliche to bemoan that we don’t have the flying cars we were promised, but did get early delivery on a dystopian surveillance state. So living here in the future, I just wanted to point out how cool it is that you can detect […]

 

Security Lessons from Drug Trials

When people don’t take their drugs as prescribed, it’s for very human reasons. Typically they can’t tolerate the side effects, the cost is too high, they don’t perceive any benefit, or they’re just too much hassle. Put these very human (and very subjective) reasons together, and they create a problem that medicine refers to as […]

 

Hate-watching, breaking and building

Listening to the radio, there was a discussion of how the folks at NBC were worried that people were going to “hatewatch” their new version of Peter Pan. Hatewatch. Like it’s a word. It’s fascinating. They discussed how people wanted to watch it to tweet cynically at its expense. The builder/breaker split isn’t just present […]

 

Chaos and Legitimacy

At BruCon 0x06, I was awoken from a nap to the sound of canons, and looked out my window to see soldiers marching through the streets. It turns out they were celebrating the 200th anniversary of the Treaty of Ghent. As I’m sure you’ll recall from history class Wikipedia, the Treaty of Ghent ended the […]

 

Threat Modeling At a Startup

I’ve been threat modeling for a long time, and at Microsoft, had the lovely opportunity to put some rigor into not only threat modeling, but into threat modeling in a consistent, predictable, repeatable way. Because I did that work at Microsoft, sometimes people question how it would work for a startup, and I want to […]

 

Think Like An Attacker? Flip that advice!

For many years, I have been saying that “think like an attacker” is bad advice for most people. For example: Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They […]

 

Modeling Attackers and Their Motives

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. You should look at the reports for facts you can use to assess your systems, such as filenames, hashes and IP addresses. Most readers should, at most, skim their analysis of the perpetrators. Read on […]

 

Phone Booths

This is a lovely little story about pay phones on Whidbey Island. Warning: those who spent too much time with phone systems in their youth may feel inexplicable nostalgia.

 

Thanks, Bruce!

Bruce Schneier says nice things about my latest book.

 

Employees Say Company Left Data Vulnerable

There’s a recurring theme in data breach stories: The risks were clear to computer experts inside $organization: The organization, they warned for years, might be easy prey for hackers. But despite alarms as far back as 2008, $organization was slow to raise its defenses, according to former employees. The particular quote is from “Ex-Employees Say […]

 

Jolt Award for Threat Modeling

I am super-pleased to report that Threat Modeling: Designing for Security has been named a Jolt Finalist, the first security-centered book to make that list since Schneier’s Secrets and Lies in 2001. My thanks to the judges, most especially to Gastón Hillar for the constructive criticism that “Unluckily, the author has chosen to focus on […]

 

BSides LV: Change Industry Or Change Professionals?

All through the week of BSides/BlackHat/Defcon, people came up to me to tell me that they enjoyed my BSides Las Vegas talk. (Slides, video). It got some press coverage, including an article by Jon Evans of TechCrunch, “Notes From Crazytown, Day One: The Business Of Fear.” Mr. Evans raises an interesting point: “the computer security […]

 

CERT, Tor, and Disclosure Coordination

There’s been a lot said in security circles about a talk on Tor being pulled from Blackhat. (Tor’s comments are also worth noting.) While that story is interesting, I think the bigger story is the lack of infrastructure for disclosure coordination. Coordinating information about vulnerabilities is a socially important function. Coordination makes it possible for […]

 

#Apollo45

July 20, 1969. I’ve blogged about it before. There are people who can write eloquently about events of such significance.  I am not one of them.  I hope that doesn’t stand in the way of folks remembering the amazing accomplishment that the Apollo program was.  

 

Etsy's Threat Modeling

Gabrielle Gianelli has pulled back the curtain on how Etsy threat modeled a new marketing campaign. (“Threat Modeling for Marketing Campaigns.”) I’m really happy to see this post, and the approach that they’ve taken: First, we wanted to make our program sustainable through proactive defenses. When we designed the program we tried to bake in […]

 

Mail Chaos

The mail system I’ve been using for the last 19 years is experiencing what one might call an accumulation of chaos, and so I’m migrating to a new domain, shostack.org. You can email me at my firstname@shostack.org, and my web site is now at http://adam.shostack.org I am sorry for any inconvenience this may cause. [Update: […]

 

What Security Folks Can Learn from Doctors

Stefan Larson talks about “What doctors can learn from each other:” Different hospitals produce different results on different procedures. Only, patients don’t know that data, making choosing a surgeon a high-stakes guessing game. Stefan Larsson looks at what happens when doctors measure and share their outcomes on hip replacement surgery, for example, to see which […]

 

Seattle event: Ada's Books

For Star Wars day, I’m happy to share this event poster for my talk at Ada’s Books in Seattle Technical Presentation: Adam Shostack shares Threat Modeling Lessons with Star Wars. This will be a less technical talk with plenty of discussion and interactivity, drawing on some of the content from “Security Lessons from Star Wars,” […]

 

Threat Modeling: The East Coast Book Tour

I’m planning to be on the East Coast from June 16-27, giving threat modeling book talks. (My very popular “Threat Modeling Lessons from Star Wars.”) I’m reaching out to find venues which would like me to come by and speak. My plan is to arrive in Washington DC on the 16th, and end in Boston, […]

 

There's more than one way to threat model

Today, most presentations on threat modeling talk about each phase of the process. They talk about how to model what you’re building, what can go wrong, and what to do about it. Those tightly coupled processes can be great if you’ve never heard of an approach to threat modeling. But they can add to the […]

 

Threat modeling the Dread Pirate Roberts way

It has to be said that no one in the Princess Bride is great at threat modeling. But one scene in particular stands out. It’s while they’re planning to attack the castle and rescue Buttercup: Westley: I mean, if we only had a wheelbarrow, that would be something. Inigo: Where we did we put that […]

 

Virtual assistant services?

I’m getting ready to announce an East coast book tour. In planning my Silicon Valley tour, I learned that between scheduling, getting the details needed out, making sure I knew where I was sleeping, there was a large amount of administrative work involved. So I’d like to hire someone to take care of all that […]

 

Threat Modeling & Devops: Like Peanut Butter & Jelly

George Hulme interviewed me for Devops.com, and the article is at “Q&A: Speaking DevOps and Threat Modeling.” Its obvious that devops is an important trend, andit’s important to understand how to align threat modeling to that world.

 

Should I Start Threat Modeling from Assets?

A couple of reviewers have commented that they have different perspective on assets. For example, in a review I very much appreciated, Gunnar Peterson says: I have slightly a different perspective on Shostack’s view on assets. The book goes into different views that launch the threat model, the approach advocated for in the book is […]

 

L'Academie Gawker

Via Poynter, we learn that the word “massive” has been banned on Gawker. We want to sound like regular adult human beings, not Buzzfeed writers or Reddit commenters,” new Gawker Editor Max Read says in a memo to the publication’s writers. Words like “epic,” “pwn” and “derp” are no longer welcome on the site. Read […]

 

RSA: Time for some cryptographic dogfood

One of the most effective ways to improve your software is to use it early and often.  This used to be called eating your own dogfood, which is far more evocative than the alternatives. The key is that you use the software you’re building. If it doesn’t taste good to you, it’s probably not customer-ready.  […]

 

Threat Modeling and Operations

One very important question that’s frequently asked is “what about threat modeling for operations?” I wanted to ensure that Threat Modeling: Designing for Security focused on both development and operations. To do that, I got help from Russ McRee. For those who don’t know Russ, he’s a SANS incident handler as well as a collegue […]

 

My Technical Editor: Chris Wysopal

When Wiley asked me about a technical editor for Threat Modeling: Designing for Security, I had a long list of requirements. I wanted someone who could consider the various scenarios where threat modeling is important, including software development and operations. I wanted someone who understood the topic deeply, and had the experience of teaching threat […]

 

Threat Modeling: Designing for Security

I am super-excited to announce that my new book, Threat Modeling: Designing for Security (Wiley, 2014) is now available wherever fine books are sold! The official description: If you’re a software developer, systems manager, or security professional, this book will show you how to use threat modeling in the security development lifecycle and the overall […]

 

Threat Modeling: Designing for Security

I am super-excited to announce that my new book, Threat Modeling: Designing for Security (Wiley, 2014) is now available wherever fine books are sold! The official description: If you’re a software developer, systems manager, or security professional, this book will show you how to use threat modeling in the security development lifecycle and the overall […]

 

P0wned! Don't make the same mistake I did

I fell victim to an interesting attack, which I am recounting here so that others may avoid it. In a nutshell, I fell victim to a trojan, which the malefactor was able to place in a trusted location in my search path. A wrapper obscured the malicious payload. Additionally, a second line of defense did […]

 

On Bitcoin

There’s an absolutely fascinating interview with Adam Back: “Let’s Talk Bitcoin Adam Back interview.” For those of you who don’t know Adam, he created Hashcash, which is at the core of Bitcoin proof of work. Two elements I’d like to call attention to in particular are: First, there’s an interesting contrast between Adam’s opinions and […]

 

Adam’s Mailing List and Commitment Devices

Yesterday, I announced that I’ve set up a mailing list. You may have noticed an unusual feature to the announcement: a public commitment to it being low volume, with a defined penalty ($1,000 to charity) for each time I break the rule. You might even be wondering why I did that. In the New School, […]

 

Getting Ready for a Launch

I’m getting ready for to announce a new project that I’ve been working on for quite a while. As I get ready, I was talking to friends in PR and marketing, and they were shocked and appalled that I don’t have a mailing list. It was a little like telling people in security that you […]

 

Please vote for the social security blogger awards!

Alan Shimmy has the nominations for the 2014 Social Security bloggers award! New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame.

 

Please vote for the social security blogger awards!

Alan Shimmy has the nominations for the 2014 Social Security bloggers award! New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame. Now, I have no idea what it means that Emergent Chaos would represent the security industry. I’m hopeful […]

 

The Worst User Experience In Computer Security?

I’d like to nominate Xfinity’s “walled garden” for the worst user experience in computer security. For those not familiar, Xfinity has a “feature” called “Constant Guard” in which they monitor your internet for (I believe) DNS and IP connections for known botnet command and control services. When they think you have a bot, you see […]

 

Workshop on the Economics of Information Security (WEIS)

The 13th annual Workshop on the Economic of Information Security will be held at Penn State June 23-24, and the call for papers is now open. I’m on the program committee this year, and am looking forward to great submissions.

 

Transparency: When Security Pros Get Popped

Rich Mogul over at Securosis (N.B. I’m a contributing analyst there) has a great post on how, due to human error, some of his AWS credentials got nabbed by some miscreants and abused. We here at the New School love it when folks share how they were compromised and what they did about it. It […]

 

What's Copyright, Doc?

I blogged yesterday about all the new works that have entered the public domain as their copyright expired in the United States. If you missed it, that’s because exactly nothing entered the public domain yesterday. Read more — but only commentary, because there’s no newly free work — at “What Could Have Entered the Public […]

 

What to do for randomness today?

In light of recent news, such as “FreeBSD washing Intel-chip randomness” and “alleged NSA-RSA scheming,” what advice should we give engineers who want to use randomness in their designs? My advice for software engineers building things used to be to rely on the OS to get it right. That defers the problem to a small […]

 

Gavle Goat Goes Later This Year

The Gavle Goat has burned again, according to The Local.Se, and of course, it’s Twitter account (yet one more way in which real name policies inhibit natural behavior). Two quick comments. First, the goat survived longer this year than usual. Second, I think it illustrates something. I’m not sure what. But my yule would be […]

 

What Price Privacy, Paying For Apps edition

There’s a new study on what people would pay for privacy in apps. As reported by Techflash: A study by two University of Colorado Boulder economists, Scott Savage and Donald Waldman, found the average user would pay varying amounts for different kinds of privacy: $4.05 to conceal contact lists, $2.28 to keep their browser history […]

 

Like the birds…

Emergent Chaos has migrated.  It’s a long story, and perhaps better left untold.  Please let us know if you see issues with the new site.

 

A Mini-Review of "The Practice of Network Security Monitoring"

Recently the kind folks at No Starch Press sent me a review copy of Rich Bejtlich’s newest book The Practice of Network Security Monitoring and I can’t recommend it enough. It is well worth reading from a theory perspective, but where it really shines is digging into the nuts and bolts of building an NSM […]

 

What will the archaeologists think?

Over at the BBC, we read that the “home of Anakin Skywalker threatened by dune,” with awesome pictures: So my question is, what will archaeologists think in 1,000 years when they dig this up? How many careers will be wasted trying to link the bizarre architecture to some real culture? How many anthropologists will be […]

 

Academic job opening at Cambridge

At Light Blue Touchpaper, Ross Anderson says “We have a vacancy for a postdoc to work on the psychology of cybercrime and deception for two years from October.” I think this role has all sorts of fascinating potential, and wanted to help get the word out in my own small way.

 

Which and That

Can we just agree that “which” and “that” are pretty much interchangable? If you’re relying on a modern audience to be able to perceive the difference in meaning between restrictive and non-restrictive clauses, you’ve pretty much already lost. Which, as they say, makes a mockery of that rule. Alternately, “That, as they say, makes a […]

 

A Very Late Book Review

I have to start off by apologizing for how very late this review is, an embarrassing long time ago, the kind folks at No Starch Press very kindly gave me a copy of “Super Scratch Programming Adventure” to review. Scratch for those that aren’t familiar is a kids oriented programming language designed by Mitchel Resnick […]

 

Google Reader Going Away

Remarkably, some software that people host on your behalf, where you have no contract or just a contract of adhesion, can change at any time. This isn’t surprising to those who study economics, as all good New School readers try to do. However, this is a reminder/request that when you move, please resubscribe to New […]

 

Google Reader Going Away

Well, the world is full of chaos, some good and some bad, and today’s bad for those of you reading via Google Reader is that it’s going the way of Altavista (can you believe it was still around?) So as you migrate away, please consider including Emergent Chaos in your migration–we’ll have new content here […]

 
 

WordPress Update

I’ve updated to the latest WordPress for security fixes. Please let me know if you notice problems (blogname-at-gmail-com)

 

Privacy Enhancing Technologies Registration now open

The program for the 2013 Privacy Enhancing Technologies Symposium is up, and there’s a lot of fascinating looking papers and talks. If you’re interested, registration is also open. PETS is one of my favorite conferences of the year.

 

Replacing Flickr?

So Flickr has launched a new redesign, and it’s crowded, jumbled and slow. Now on Flickr with its overlays, its fade-ins and loads, it’s unmoving side and top bars, Flickr’s design takes center stage, elbowing aside the photos that I’m there to see. So I’m looking for a new community site where the photo I […]

 

Workshop on the Economics of Information Security

The next Workshop on the Economics of Information Security will be held June 11-12 at Georgetown University, Washington, D.C. Many of the papers look fascinating, including “On the Viability of Using Liability to Incentivise Internet Security”, “A Behavioral Investigation of the FlipIt Game”, and “Are They Actually Any Different? Comparing 3,422 Financial Institutions’ Privacy Practices.” […]

 

TrustZone and Security Usability

Cem Paya has a really thought-provoking set of blog posts on “TrustZone, TEE and the delusion of security indicators” (part 1, part 2“.) Cem makes the point that all the crypto and execution protection magic that ARM is building is limited by the question of what the human holding the phone thinks is going on. […]

 

3D-printed guns and the crypto wars

So there’s a working set of plans for the “Liberator.” It’s a working firearm you can print on a 3d printer. You can no longer get the files from the authors, whose site states: “DEFCAD files are being removed from public access at the request of the US Department of Defense Trade Controls. Until further […]

 

The Onion and Breach Disclosure

There’s an important and interesting new breach disclosure that came out yesterdau. It demonstrates leadership by clearly explaining what happened and offering up lessons learned. In particular: It shows the actual phishing emails It talks about how the attackers persisted their takeover by sending a fake “reset your password” email (more on this below) It […]

 

Security Lessons From Star Wars: Breach Response

To celebrate Star Wars Day, I want to talk about the central information security failure that drives Episode IV: the theft of the plans. First, we’re talking about really persistent threats. Not like this persistence, but the “many Bothans died to bring us this information” sort of persistence. Until members of Comment Crew are going […]

 

The Plateau Effect

The Plateau Effect is a powerful law of nature that affects everyone. Learn to identify plateaus and break through any stagnancy in your life— from diet and exercise, to work, to relationships. The Plateau Effect shows how athletes, scientists, therapists, companies, and musicians around the world are learning to break through their plateaus—to turn off […]

 

A Quintet of Facebook Privacy Stories

It’s common to hear that Facebook use means that privacy is over, or no longer matters. I think that perception is deeply wrong. It’s based in the superficial notion that people making different or perhaps surprising privacy tradeoffs are never aware of what they’re doing, or that they have no regrets. Some recent stories that […]

 

Weekend Photography

An amazing shot by Philipp Schmidli of a cyclist in front of the moon. PetaPixel explains the work involved in getting that shot in “Silhouettes in a Giant Moonrise, Captured Using a 1200mm Lens.” (Thanks to Bob Blakely). Also in the realm of impressive tool use is this: Orangutan from Borneo photographed using a spear […]

 

The Psychology of Password Managers

As I think more about the way people are likely to use a password manager, I think there’s real problems with the way master passwords are set up. As I write this, I’m deeply aware that I’m risking going into a space of “it’s logical that” without proper evidence. Let’s start from the way most […]

 

The Breach Trilogy: Assume, Confirm, Discuss

We’ve been hearing for several years that we should assume breach. Many people have taken this to heart (although today’s DBIR still says it’s still months to detect those breaches). I’d like to propose (predict?) that breach as a central concept will move through phases. Each of these phases will go through a hype cycle, […]

 

The best part of exploit kits

Following up on my post on exploit kit statistics (no data? really folks?), I wanted to share a bit of a head-shaker for a Friday with way too much serious stuff going on. Sometimes, researchers obscure all the information, such as this screenshot. I have no idea who these folks think they’re protecting by destroying […]

 

1Password & Hashcat

The folks at Hashcat have some interesting observations about 1Password. The folks at 1Password have a response, and I think there’s all sorts of fascinating lessons here. The crypto conversations are interesting, but at the end of the day, a lot of security is unavoidably contributed by the master password strength. I’d like to offer […]

 

Exploit Kit Statistics

On a fairly regular basis, I come across pages like this one from SANS, which contain fascinating information taken from exploit kit control panels: There’s all sorts of interesting numbers in that picture. For example, the success rate for owning XP machines (19.61%) is three times that of Windows 7. (As an aside, the XP […]

 

Celebrating 5 Years of New School: 40% off!

Thanks to Addison Wesley, who are offering 40% off the book. Apply code NEWSCHOOL40 to get your discounted copy. (You apply the code after proceeding to checkout.)

 

By looking for evidence first, the Brits do it right

As it happens, both the US Government and the UK government are leading “cyber security standards framework” initiatives right now.  The US is using a consensus process to “incorporate existing consensus-based standards to the fullest extent possible”, including “cybersecurity standards, guidelines, frameworks, and best practices” and “conformity assessment programs”. In contrast, the UK is asking […]

 

5 Years of New School

Five years ago Friday was the official publication date of The New School of Information Security. I want to take this opportunity to look back a little and look forward to the next few years. Five years ago, fear of a breach and its consequences was nearly universal, and few people thought anything but pain […]

 

I swear, I'm just looking at the articles!

Apparently, Playboy (possibly NSFW) has an app on iTunes. However, to get an app through the censors prudes “appropriate content” editors, there’s none of Playboy’s trademark nudes. There hasn’t been such good news for their writers since the braille edition. I’ll leave the jokes to you. It’s worth thinking about this as the sanitized future […]

 

Analyzing The Army's Accidental Test

According to Wired, “Army Practices Poor Data Hygiene on Its New Smartphones, Tablets.” And I think that’s awesome. No, really, not the ironic sort of awesome, but the awesome sort of awesome, because what the Army is doing is a large scale natural experiment in “does it matter?” Over the next n months, the Pentagon’s […]

 

AdaCamp: San Francisco June 8-9

(Posted for friends) AdaCamp is a conference dedicated to increasing women’s participation in open technology and culture: open source software, Wikipedia-related projects, open data, open geo, fan fiction, remix culture, and more. The conference will be held June 8 and 9th in San Francisco. There will be two tracks at the conference: one for people […]

 

Hacking Humans at BlackHat

Hacking humans is an important step in today’s exploitation chains. From “2011 Recruitment plan.xls” to instant messenger URL delivery at the start of Aurora, the human in the loop is being exploited just as much as the machine. In fact, with the right story, you might not even need an exploit at all. So I’m […]

 

Bicycling & Risk

While everyone else is talking about APT, I want to talk about risk thinking versus outcome thinking. I have a lot of colleagues who I respect who like to think about risk in some fascinating ways. For example, there’s the Risk Hose and SIRA folks. I’m inspired by To Encourage Biking, Cities Lose the Helmets: […]

 

MD5s, IPs and Ultra

So I was listening to the Shmoocon presentation on information sharing, and there was a great deal of discussion of how sharing too much information could reveal to an attacker that they’d been detected. I’ve discussed this problem a bit in “The High Price of the Silence of Cyberwar,” but wanted to talk more about […]

 

New School Thinking At Davos

This week I have experienced an echo of this pattern at the 2013 WEF meeting. But this time my unease does not revolve around any financial threats, but another issue – cyber security. … [The] crucial point is this: even if some companies are on top of the issue, others are not, and without more […]

 

The Death Star: An Inside Job?

Here’s a Friday Star Wars video for you. As Austin Hill tweeted, “Conspiracy revealed! 7 min video that will change the way you think about one of the important events of our lifetime”

 

On Cookie Blocking

It would not be surprising if an article like “Firefox Cookie-Block Is The First Step Toward A Better Tomorrow” was written by a privacy advocate. And it may well have been. But this privacy advocate is also a former chairman of the Internet Advertising Bureau. (For their current position, see “Randall Rothenberg’s Statement Opposing Mozilla’s […]

 

New paper: "How Bad Is It? — A Branching Activity Model for Breach Impact Estimation"

Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event.  As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact estimation method that might apply to Adam’s question.  We use the WTP approach in a […]

 

Paying for Privacy: Enterprise Breach Edition

We all know how companies don’t want to be named after a breach. Here’s a random question: how much is that worth to a CEO? What would a given organization be willing to pay to keep its name out of the press? (A-priori, with at best a prediction of how the press will react.) Please […]

 

Lunar Oribter Image Recovery Project

The Lunar Orbiter Image Recovery Project needs help to recover data from the Lunar Orbiter spacecraft. Frankly, it’s a bit of a disgrace that Congress funds, well, all sorts of things, over this element of our history, but that’s besides the point. Do I want to get angry, or do I want to see this […]

 

Army Calhamer to Heaven

Allan Calhamer, the inventor of the game Diplomacy, has passed away. The NYTimes has an obituary.

 

Gamifying Driving

…the new points system rates the driver’s ability to pilot the MINI with a sporty yet steady hand. Praise is given to particularly sprightly sprints, precise gear changes, controlled braking, smooth cornering and U-turns executed at well-judged speeds. For example, the system awards maximum Experience Points for upshifts carried out within the ideal rev range […]

 

Security Blogger Awards

The Security Bloggers Awards were this week at RSA! Congratulations to Naked Security (best corporate blog), Paul DotCom (best podcast), Krebs on Security (Most educational, best represents the security industry), J4VV4D’s blog (most entertaining), Andy Greenberg’s “Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)” and Jack […]

 

2013 PET Award for Outstanding Research in Privacy Enhancing Technologies

You are invited to submit nominations to the 2013 PET Award. The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Symposium (PETS). The PET Award carries a prize of 3000 […]

 

How to Ask Good Questions at RSA

So this week is RSA, and I wanted to offer up some advice on how to engage. I’ve already posted my “BlackHat Best Practices/Survival kit. First, if you want to ask great questions, pay attention. There are things more annoying than a question that was answered while the questioner was tweeting, but you still don’t […]

 

Is there "Room for Debate?" in Breach Disclosure?

The New York Times has a “Room for Debate” on “Should Companies Tell Us When They Get Hacked?” It currently has 4 entries, 3 of which are dramatically in favor of more disclosure. I’m personally fond of Lee Tien’s “ We Need Better Notification Laws.” My personal preference is of course (ahem) fascinating to you, […]

 

HIPAA's New Breach Rules

Law firm Proskauer has published a client alert that “HHS Issues HIPAA/HITECH Omnibus Final Rule Ushering in Significant Changes to Existing Regulations.” Most interesting to me was the breach notice section: Section 13402 of the HITECH Act requires covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery […]

 

New School Blog Attacked with 0day

We were hacked again. The vuln used was 0day, and has now been patched, thanks to David Mortman and Matt Johansen, and the theme has also been updated, thanks to Rodrigo Galindez. Since we believe in practicing the transparency we preach, I wanted to discuss what happened and some options we considered. Let me dispense […]

 

Guns, Homicides and Data

I came across a fascinating post at Jon Udell’s blog, “Homicide rates in context ,” which starts out with this graph of 2007 data: Jon’s post says more than I care to on this subject right now, and points out questions worth asking. As I said in my post on “Thoughts on the Tragedies of […]

 

HHS & Breach Disclosure

There’s good analysis at “HHS breach investigations badly backlogged, leaving us in the dark” To say that I am frequently frustrated by HHS’s “breach tool” would be an understatement. Their reporting form and coding often makes it impossible to know – simply by looking at their entries – what type of breach occurred. Consider this […]

 

New York Times gets Pwned, Responds all New School

So there’s a New York Times front page story on how “Hackers in China Attacked The Times for Last 4 Months.” I just listened to the NPR story with Nicole Perlroth, who closed out saying: “Of course, no company wants to come forward and voluntarily say `hey we were hacked by China, here’s how it […]

 

Breach Analysis: Data Source biases

Bob Rudis has an fascinating and important post “Once More Into The [PRC Aggregated] Breaches.” In it, he delves into the various data sources that the Privacy Rights Clearinghouse is tracking. In doing so, he makes a strong case that data source matters, or as Obi-Wan said, “Luke, you’re going to find that many of […]

 

Happy Data Privacy Day! Go check out PrivacyFix

It’s Data Privacy Day, and there may be a profusion of platitudes. But I think what we need on data privacy day are more tools to let people take control of their privacy. One way to do that is to check your privacy settings. Of course, the way settings are arranged changes over time, and […]

 

Why the Star Wars Prequels Sucked

It is a truism that the Star Wars prequels sucked. (Elsewhere, I’ve commented that the franchise being sold to Disney means someone can finally tell the tragic story of Anakin Skywalker’s seduction by the dark side.) But the issue of exactly why they sucked is complex and layered, and most of us prefer not to […]

 

Privacy and Health Care

In my post on gun control and schools, I asserted that “I worry that reducing privacy around mental health care is going to deter people who need health care from getting it.” However, I didn’t offer up any evidence for that claim. So I’d like to follow up with some details from a report that […]

 

"Cyber" Insurance and an Opportunity

There’s a fascinating article on PropertyCasualty360 “ As Cyber Coverage Soars, Opportunity Clicks” (thanks to Jake Kouns and Chris Walsh for the pointer). I don’t have a huge amount to add, but wanted to draw attention to some excerpts that drew my attention: Parisi observes that pricing has also become more consistent over the past […]

 

Thoughts on the Tragedies of December 14th

I started this post on December 14th, and couldn’t finish it. I’m going to leave the opening as I wrote it then: By now, everyone has heard of the tragic school shooting in Connecticut. My heart goes out to everyone touched by the events. But this isn’t the first school shooting on a December 14th. […]

 

“The Phoenix Project” may be uncomfortable

The Phoenix Project as an important new novel, and it’s worth reading if you work in technology. As I read it, I was awfully uncomfortable with one of the characters, John. John is the information security officer in the company, and, to be frank, John does not come off well at the start of the […]

 

On Disclosure of Intrusion Events in a Cyberwar

[This guest article is by thegruq. I’ve taken the liberty of HTML-ifying it from his original, http://pastie.org/5673568.] On Disclosure of Intrusion Events in a Cyberwar The Nation State’s guide to STFU In a cyberwar (such as the ongoing events on the Internet), all actors are motivated to remain silent about incidents that they detect. However, […]

 

Giant Rubber Ducks

There’s a giant rubber duck in Sydney Harbor right now: It’s apparently by Florentijn Hofman, who does this sort of thing. My only other comment? Seattle, you’re doing it wrong. Where’s our rubber duckie? Via “Sydney Festival Launches Giant Rubber Duck in the Harbor“, Pedestrian TV. (I believe there’s a typo, and the duck is […]

 

The High Price of the Silence of Cyberwar

A little ways back, I was arguing [discussing cyberwar] with thegrugq, who said “[Cyberwar] by it’s very nature is defined by acts of espionage, where all sides are motivated to keep incidents secret.” I don’t agree that all sides are obviously motivated to keep incidents secret, and I think that it’s worth asking, is there […]

 

Negative temperatures?

Absolute zero is often thought to be the coldest temperature possible. But now researchers show they can achieve even lower temperatures for a strange realm of “negative temperatures.” Oddly, another way to look at these negative temperatures is to consider them hotter than infinity, researchers added. (“Atoms Reach Record Temperature, Colder than Absolute Zero“, Charles […]

 

New School Thinking at the European Union

I was pretty excited to see this: An EU official said the aim of the report was to get companies to be more open about cyber attacks and help them fend off such disruption. “We want to change the culture around cyber security from one where people are sometimes afraid or ashamed to admit a […]

 
 

Elevation of Privilege: Drawing Developers into Threat Modeling

In the holiday spirit I wanted to share an academic-style paper on the Elevation of Privilege Threat Modeling card game (EoP_Whitepaper.pdf) The paper describes the motivation, experience and lessons learned in creating the game. As we’ve shared the game at conferences, we’ve seen people’s eyes light up at the idea of a game. We think […]

 

Information Security Risk: A Conversation with CSO

Earlier this month, I spoke with Derek Slater: In early 2008, Adam Shostack and Andrew Stewart released the book The New School of Information Security. And they launched a blog in support of the book and its message. I wondered about how Shostack perceives the state of IT risk management now, and whether he thinks […]

 

The Gavle Goat's Gone!

Gävlebocken har brunnit: Webbkamerabilder visade hur bocken snabbt blev övertänd och totalförstördes innan brandkåren hann fram. Or you can check the webcam: http://www.merjuligavle.se/Bocken/Bockenkamera/

 

The Fog of Reporting on Cyberwar

There’s a fascinating set of claims in Foreign Affairs “The Fog of Cyberward“: Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of 124 active rivals — defined as the most conflict-prone pairs of states in the system […]

 

Can Science Improvise?

My friend Raquell Holmes is doing some really interesting work at using improv to unlock creativity. There’s some really interesting ties between the use of games and the use of improv to get people to approach problems in a new light, and I’m bummed that I won’t be able to make this event: Monday Dec […]

 

Infosec Lessons from Mario Batali's Kitchen

There was a story recently on NPR about kitchen waste, “No Simple Recipe For Weighing Food Waste At Mario Batali’s Lupa.” Now, normally, you’d think that a story on kitchen waste has nothing to do with information security, and you’d be right. But as I half listened to the story, I realized that it in […]

 

Hoff on AWS

Hoff’s blog post “Why Amazon Web Services (AWS) Is the Best Thing To Happen To Security & Why I Desperately Want It To Succeed” is great on a whole bunch of levels. If you haven’t read it, go do that. The first thing I appreciated is that he directly confronts the possibility of his own […]

 

The Gavle Goat is Getting Ready to Burn!

The Telegraph reports that the Gavle Goat for 2012 is up, and surrounded by guards, cameras, flame retardants, and arsonists. Emergent Chaos has reporters on the ground internet, ready to report on this holiday story of a town, a goat, and an international conspiracy of drunken arsonists. Stay tuned! This years goat is shown in […]

 

South Carolina

It’s easy to feel sympathy for the many folks impacted by the hacking of South Carolina’s Department of Revenue. With 3.6 million taxpayer social security numbers stolen, those people are the biggest victims, and I’ll come back to them. It’s also easy to feel sympathy for the folks in IT and IT management, all the […]

 

Control-Alt-Hack: Now available from Amazon!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]

 

Now Available: Control Alt Hack!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]

 

Email Security Myths

My buddy Curt Hopkins is writing about the Patraeus case, and asked: I wonder, in addition to ‘it’s safe if it’s in the draft folder,’ how many additional technically- and legally-useless bits of sympathetic magic that people regularly use in the belief that it will save them from intrusion or discovery, either based on the […]

 

The Questions Not Asked on Passwords

So there’s a pair of stories on choosing good passwords on the New York Times. The first is (as I write this) the most emailed story on the site, “How to Devise Passwords That Drive Hackers Away.” It quotes both Paul Kocher and Jeremiah Grossman, both of whom I respect. There’s also a follow-on story, […]

 

The "Human Action" argument is not even wrong

Several commenters on my post yesterday have put forth some form of the argument that hackers are humans, humans are unpredictable, and therefore, information security cannot have a Nate Silver. This is a distraction, as a moment’s reflection will show. Muggings, rapes and murders all depend on the actions of unpredictable humans, and we can, […]

 

Where is Information Security's Nate Silver?

So by now everyone knows that Nate Silver predicted 50 out of 50 states in the 2012 election. Michael Cosentino has a great picture: Actually, he was one of many quants who predicted what was going to happen via meta-analysis of the data that was available. So here’s my question. Who’s making testable predictions of […]

 

Effective training: Wombat's USBGuru

Many times when computers are compromised, the compromise is stealthy. Take a moment to compare that to being attacked by a lion. There, the failure to notice the lion is right there, in your face. Assuming you survive, you’re going to relive that experience, and think about what you can learn from it. But in […]

 

Bleg: Canon & Apple RAW processing

I’m having a camera issue that’s become more and more noticeable with recent software changes. The raw previews coming out of the camera appear substantially more exposed than when Aperture is finished processing them. The difference is hard to measure (there’s no easy undo for raw processing), but appears to be about a full stop […]

 

Test post

Over the summer, Adam and I were talking and I said that I’d like a place to do some personal blogging as opposed to things I normally do, which are targeted at one place or another. I’d like to be able to blither about security, but also about whatever. Photography, cooking, you know, things that […]

 

Published Data Empowers

There’s a story over at Bloomberg, “Experian Customers Unsafe as Hackers Steal Credit Report Data.” And much as I enjoy picking on the credit reporting agencies, what I really want to talk about is how the story came to light. The cyberthieves broke into an employee’s computer in September 2011 and stole the password for […]

 

9.5 Theses on the Power and Efficacy of Gamification

Sebastian Deterding’s Microsoft research talk is now online: “9.5 Theses on the Power and Efficacy of Gamification“. You may recall that this talk inspired me to blog about “Running a game at work.” It’s worth an hour if you’re interested in serious games, persuasive games, or playful design.

 

I wish we had their problems

Ben Goldacre talks about how physicians are only getting data on tests that come out positive: I look forward to the day when infosec standards are set based on some tests or evidence, and we have to fight to extract more data. The talk is here: here.

 

Compliance Lessons from Lance, Redux

Not too long ago, I blogged about “Compliance Lessons from Lance.” And now, there seems to be dramatic evidence of a massive program to fool the compliance system. For example: Team doctors would “provide false declarations of medical need” to use cortisone, a steroid. When Armstrong had a positive corticosteroid test during the 1999 Tour […]

 

TSA Approach to Threat Modeling, Part 3

It’s often said that the TSA’s approach to threat modeling is to just prevent yesterday’s threats. Well, on Friday it came out that: So, here you see my flight information for my United flight from PHX to EWR. It is my understanding that this is similar to digital boarding passes issued by all U.S. Airlines; […]

 

Big Tex Burns

Something about this story just grabs me. I want to hear him saying “I am the dread pirate Roberts! I am here, but soon you will not be here!” Also, I’m sad that he wasn’t in Galve-ston. Photo by GreyChr

 

Proof of Age in UK Pilot

There’s a really interesting article by Toby Stevens at Computer Weekly, “Proof of age comes of age:” It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint […]

 

Running a Game at Work

Friday, I had the pleasure of seeing Sebastian Deterding speak on ‘9.5 Theses About Gamification.’ I don’t want to blog his entire talk, but one of his theses relates to “playful reframing”, and I think it says a lot to how to run a game at work, or a game tournament at a conference. In […]

 

The Boy Who Cried Cyber Pearl Harbor

There is, yet again, someone in the news talking about a cyber Pearl Harbor. I wanted to offer a few points of perspective. First, on December 6th, 1941, the United States was at peace. There were worries about the future, but no belief that a major attack was imminent, and certainly not a sneak attack. […]

 

Reporting Mistakes

In “New System for Patients to Report Medical Mistakes” the New York Times reports: The Obama administration wants consumers to report medical mistakes and unsafe practices by doctors, hospitals, pharmacists and others who provide treatment. Hospitals say they are receptive to the idea, despite concerns about malpractice liability and possible financial penalties for poor performance. […]

 

Choice Point Screening

Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch“) I don’t want to minimize the issue here. Assuming the allegations are correct, the […]

 

Follow your passion?

Growing up, we were told by guidance counselors, career advice books, the news media and others to “follow our passion.” This advice assumes that we all have a pre-existing passion waiting to be discovered. If we have the courage to discover this calling and to match it to our livelihood, the thinking goes, we’ll end […]

 

Two Models of Career Planning

There’s a fascinating interview with Mark Templeton of Citrix in the New York Times. It closes with the question of advice he gives to business students: There are two strategies for your life and career. One is paint-by-numbers and the other is connect-the-dots. I think most people remember their aunt who brought them a gift […]

 

Have you Run an Elevation of Privilege Tournament?

I got an email recently me asking if I had experience running an Elevation of Privilege tournament. I haven’t, and wanted to ask if anyone out there has done so, please share your experiences and suggestions One element that I thought about is a scoring system to help with the tournament’s goals. For examples, you […]

 

Systems Not Sith: Organizational Lessons From Star Wars

In Star Wars, the Empire is presented as a monolith. Storm Troopers, TIE Fighters and even Star Destroyers are supposedly just indistinguishable cogs in a massive military machine, single-mindedly pursuing a common goal. This is, of course, a façade – like all humans, the soldiers and Officers of the Imperial Military will each have their […]

 

Base Rate & Infosec

At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. What really struck me about this talk was that about a week before, I had […]

 

Lessons from Facebook's Stock Slide

So as Facebook continues to trade at a little over half of their market capitalization of 3 months ago, I think we can learn a few very interesting things. My goal here is not to pick on Facebook, but rather to see what we can take away and perhaps apply elsewhere. I think there are […]

 

What can we learn from the social engineering contest?

I was struck by the lead of Kelly Jackson Higgins’ article on the Defcon Social Engineering Contest: Walmart was the toughest nut to crack in last year’s social engineering competition at the DefCon hacker conference in Las Vegas, but what a difference a year makes: this year, the mega retailer scored the worst among the […]

 

Compliance Lessons from Lance

Recently, Lance Armstrong decided to forgo arbitration in his fight against the USADA over allegations of his use of certain performance enhancing drugs. His statement is “Full text of Armstrong statement regarding USADA arbitration.” What I found interesting about the story is the contrast between what might be termed a “compliance” mindset and a “you’re […]

 

SOURCE Seattle

I’ll be at SOURCE Seattle this week. I’m really excited to be speaking on “Security Lessons from Star Wars” at 10AM today.

 

Smashing the Future for Fun and Profit

I’d meant to post this at BlackHat. I think it’s worth sharing, even a bit later on: I’m excited to have be a part of a discussion with others who spoke at the first Blackhat: Bruce Schneier, Marcus Ranum, Jeff Moss, and Jennifer Granick. We’ve been asked to think about what the future holds, and […]

 

The Very Model of An Amateur Grammarian

I am the very model of an amateur grammarian I have a little knowledge and I am authoritarian But I make no apology for being doctrinarian We must not plummet to the verbal depths of the barbarian I’d sooner break my heart in two than sunder an infinitive And I’d disown my closest family within […]

 

One more request for help

If someone could suggest a specific way to make the blog title image work to bring you to the home page, that’d be most appreciated. Update, I think I fixed most of it. Thanks in particular to commenter “M”, who got me on the path to the fix, removing the inline CSS that the theme […]

 

Theme breakage, help?

The blog header image is repeating because of something in the stylesheets. I can’t see where the bug is. If someone can help out, I’d be much obliged. Expanded to add: It appears that there’s a computed “repeat” on the bg img which is the header, but why that repeat is being computed is unclear […]

 

Emergent Chaos: Romney/Ryan for America!

We here at Emergent Chaos have long been frustrated with the Obama Administration. Their failure to close Guantanamo, their failure to prosecute war crimes including torture, their choice to murder American citizens (never mind without due process), their invocation of the state secrets privilege, their persecution of whistleblowers, their TSA running rampant, the list of […]

 

Don't Share, Publish

I’d like to offer up a thought with regards to the latest swirl of discussion around ‘information sharing’ in security: Don’t share, publish. I want to talk about this because more and more folks are starting to question the value of information sharing frameworks and forums. Andrew and I share that skepticism in The New […]

 

Neil Armstrong, RIP

Neil Armstrong died August 25, aged 82. It’s difficult to properly memorialize this man, because, to a degree almost unheard of in our media-saturated times, he avoided the limelight. A statement by his family notes: As much as Neil cherished his privacy, he always appreciated the expressions of good will from people around the world […]

 

What story was that?

A friend is trying to track down a science fiction story in which the president had a death sentence at the end of their term. I know you’re all smart and good looking and at least one of you will know the exact author and title.

 

The Plural of Anecdote is Anecdotes

Over at Lexology.com, there’s a story which starts: Medical-data blackmail is becoming more common as more health care providers adopt electronic health records systems and store patient data digitally. (“Hackers demand ransom to keep medical records private“) The trouble with this opening sentence is that it has nothing to do with the story. It’s a […]

 

Regulations and Their Emergent Effects

There’s a fascinating story in the New York Times, “Profits on Carbon Credits Drive Output of a Harmful Gas“: [W]here the United Nations envisioned environmental reform, some manufacturers of gases used in air-conditioning and refrigeration saw a lucrative business opportunity. They quickly figured out that they could earn one carbon credit by eliminating one ton […]

 

New Species Discovered on Flickr

There’s a very cool story on NPR about “A New Species Discovered … On Flickr“. A entomologist was looking at some photos, and saw a bug he’d never seen. Check out the photographer’s site or Flickr pages. The paper is “A charismatic new species of green lacewing discovered in Malaysia (Neuroptera, Chrysopidae): the confluence of […]

 

Paul Ryan open thread

Oh, what the heck, it hasn’t been chaotic enough around here. So, I’ll give you a topic: Paul Ryan. Commentary from The Economist starts: IN THE polarised world of American politics, achieving bipartisan agreement on any topic is a rare feat nowadays. So perhaps it’s worth celebrating the fact that, had it been put to […]

 

The Problem With Pollution

National Geographic reports “Caffeinated Seas Found off U.S. Pacific Northwest.” The problem, of course, is salinity. They should totally be pumping that caffine into somewhere we can make good use of it.

 

Your career is over after a breach? Another Myth, Busted!

I’m a big fan of learning from our experiences around breaches. Claims like “your stock will fall”, or “your customers will flee” are shown to be false by statistical analysis, and I expect we’d see the same if we looked at people losing their jobs over breaches. (We could do this, for example, via LinkedIn […]

 

Fascinating Job at PayPal

Someone reached out to me about a job that looks really interesting: The Director of Security Experience, Education & Research (SEER) will be responsible for defining the customer-facing security strategy for PayPal , define product roadmaps to enhance feature security and usability, drive customer security best practices adoption throughout our industry, and drive customer security […]

 

An Argument Against Jargon

Lately I’ve been savoring Kahneman’s “Thinking, Fast and Slow”. Kahneman is one of the originators of behavioral economics and a Nobel prize winner. The book is tremendously thought provoking, insanely well written, jargon-minimizing, and just comes together beautifully. It’s a book where you struggle with the ideas and their implications, rather than struggle through the […]

 

My BlackHat Plans

I’ll be speaking twice at BlackHat. First on the “Smashing the Future” panel with Bruce Schneier, Marcus Ranum, Jeff Moss and Jennifer Granick (10AM Wednesday, main hall). My second talk is also on Wednesday, on a new game, Control-Alt-Hack. I’ve been helping Tamara Denning and Yoshi Kohno create Control-Alt-Hack, and we’ll be speaking Wednesday at […]

 

Aitel on Social Engineering

Yesterday, Dave Aitel wrote a fascinating article “Why you shouldn’t train employees for security awareness,” arguing that money spent on training employees about awareness is wasted. While I don’t agree with everything he wrote, I submit that your opinion on this (and mine) are irrelevant. The key question is “Is money spent on security awareness […]

 

Lives, Fortunes and Sacred Honor

Around the 4th of July, some smart, public minded folks put forth a “Declaration of Internet Freedom“. And while it’s good in a motherhood and apple pie sense of good, wholesome fun for the whole family, it lacks the punch and panache of the Declaration of Independence to which men pledged their lives, fortunes and […]

 

"Quartering large bodies of armed troops among us.."

So following up on our tradition of posting the Declaration of Independence from Great Britain on the 4th, I wanted to use one of those facts submitted to a candid world to comment on goings on in…Great Britain. There, the government has decided to place anti-aircraft missiles on the roof of a residential building near […]

 

The Evolution of Information Security

A little while back, a colleague at the NSA reached out to me for an article for their “Next Wave” journal, with a special topic of the science of information security. I’m pleased with the way the article and the entire issue came out, and so I’m glad that the NSA has decided to release […]

 

we mutually pledge to each other our Lives, our Fortunes and our sacred Honor

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

 

Taxpayers Stuck With Tab, but not in Seattle

In an article with absolutely no relevance for Seattle, the New York Times reports “With No Vote, Taxpayers Stuck With Tab on Bonds.” In another story to which Seattle residents should pay not attention, the city of Stockton is voting to declare bankruptcy, after risking taxpayer money on things like a … sports arena. Of […]

 

Will People Ever Pay for Privacy, Part XVI

Every now and then, a headline helps us see the answer to the question “Will people ever pay for Privacy?” Quoth the Paper of record: The seclusion may be the biggest selling point of the estate belonging to Robert Hurst, a former executive at Goldman Sachs, which was just listed by Debbie Loeffler of the […]

 

A flame about flame

CNET ran a truly ridiculous article last week titled “Flame can sabotage computers by deleting files, says Symantec”. And if that’s not goofy enough, the post opens with The virus can not only steal data but disrupt computers by removing critical files, says a Symantec researcher. ZOMG! A virus that deletes files! Now that is […]

 

Breach Notification in France

Over at the Proskauer blog, Cecile Martin writes “Is data breach notification compulsory under French law?” On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive […]

 

Active Defense: Show me the Money!

Over the last few days, there’s been a lot of folks in my twitter feed talking about “active defense.” Since I can’t compress this into 140 characters, I wanted to comment quickly: show me the money. And if you can’t show me the money, show me the data. First, I’m unsure what’s actually meant by […]

 

Age and Perversity in Computer Security

I’ve observed a phenomenon in computer security: when you want something to be easy, it’s hard, and when you want the same thing to be hard, it’s easy. For example, hard drives fail at seemingly random, and it’s hard to recover data. When you want to destroy the data, it’s surprisingly hard. I call this […]

 

Future of Privacy Seeks Input

The Future of Privacy Forum (FPF) is an interesting mix of folks trying to help shape, well, the future of privacy. They have an interesting mix of academic and industry support, and a fair amount of influence. They’re inviting authors with an interest in privacy issues to submit papers to be considered for FPF’s third […]

 

In the Spirit of Feynman

Did you notice exactly how much of my post on Cloudflare was confirmation bias? Here, let me walk you through it. In our continuing series of disclosure doesn’t hurt, Continuing series are always dangerous, doubly so on blogs. I wanted to point out Cloudflare’s “Post Mortem: Today’s Attack; Apparent Google Apps/Gmail Vulnerability; and How to […]

 

Mozilla's Vegan BBQ

The fine folks at Mozilla have announced that they’ll be hosting a BBQ in Dallas to thank all their supporters. And the cool thing about that BBQ is it’s gonna be vegan by default. You know, vegan. No animal products. It’s good for you. It’s the right default. They’ll have dead cow burgers, but you’ll […]

 

Feynman on Cargo Cult Science

On Twitter, Phil Venables said “More new school thinking from the Feynman archives. Listen to this while thinking of InfoSec.” During the Middle Ages there were all kinds of crazy ideas, such as that a piece of rhinoceros horn would increase potency. Then a method was discovered for separating the ideas–which was to try one […]

 

Edited Twitter Weekly Updates for 2012-06-10

RT @hellNbak_ @adamshostack @derekcslater anything with Scott Blake has to be worth reading. # RT @Beaker Updated BYOD security profile/policy pushed to my iPhone this morning. String passwords on phone unlock (really?) = PiTA. # Bad password policies give no benefit while absorbing your people's willingness to help with security. #Fail (cc @beaker) # RT […]

 

Twitter Weekly Updates for 2012-06-10

RT @DeathStarPR Easy way to feel like Darth Vader: stand over a heap of dirty laundry and imagine you've just killed a Jedi. #StarWars # RT @runasand We have managed to determine exactly how Ethiopia blocks #Tor and we have developed a workaround: https://t.co/snTjeVbN # RT @derekcslater What I learned when I left security http://t.co/AexcK8NN […]

 
 

CloudFlare's Post Mortem

In our continuing series of disclosure doesn’t hurt, I wanted to point out Cloudflare’s “Post Mortem: Today’s Attack; Apparent Google Apps/Gmail Vulnerability; and How to Protect Yourself.” Go take a look, it’s worth reading, especially the updates. I take three lessons from this: Disclosing an attack allows you to control the story, and is better […]

 

Edited Twitter Weekly Updates for 2012-06-03

Cool Stuff RT @SPACEdotcom SPLASHDOWN! @SpaceX #Dragon Space Capsule Ends Historic Mission with Pacific Ocean Splash http://t.co/3H3J1cXz Cool! IE10 in Win8 Release Preview has "Do Not Track" on by default! http://t.co/HHZv8cBw #privacy # RT @gabrielgironda WE ENCOURAGED PEOPLE TO LEARN TO PROGRAM AND JUST LOOK AT WHAT HAPPENED http://t.co/IE9HeNt3 # New blog: "Washington State Frees […]

 

Washington State Frees Liquor Sales: some quick thoughts

I hate to let an increase in liberty go by without a little celebration. For the past 78 years, Washington State has had a set of (effectively) state-operated liquor stores, with identical pricing and inventory. Today, that system is gone, replaced by private liquor sales. The law was overturned by a ballot initiative, heavily backed […]

 

Twitter Weekly Updates for 2012-05-27

Congratulations to the Egyptian people for claiming the right to vote for their President! # The ACLU of WA is looking for a technology & liberty director http://t.co/sUAFuDq7 # Things that shod not surprise me: Koalas smell like eucalyptus. # Powered by Twitter Tools

 

Twitter Weekly Updates for 2012-05-20

RT @votescannell Mother of 3 Arrested for Taking Pictures of Tourist Attraction at Airport http://t.co/Id8TKH9r // I feel safer already. # Freedom gropes for all @seatac! /cc @tsastatus. # RT @ashk4n WiFi Pineapple lets anyone with $90 to "compromise the sh*t out of anyone using WiFi in the area" http://t.co/TnR3n56k #armsrace # Great question for […]

 

My AusCert Gala talk

At AusCert, I had the privilege to share a the gala dinner stage with LaserMan and Axis of Awesome, and talk about a few security lessons from Star Wars. I forgot to mention onstage that I’ve actually illustrated all eight of the Saltzer and Schroeder principles, and collected them up as a single page. That […]

 

Twitter Weekly Updates for 2012-05-13

RT @Ellen_CK It appears that putting a contest in one's internal newsletter leads to people actually reading it #SEingmycoworkers # RT @bfist I like my risk like I like my steak << with blue cheese sauce? # RT @451wendy "Q: How many of the Fortune 500 are hacked right now? A: 500." http://t.co/I090fJmp <- Lovely […]

 

Why Sharing Raw Data is Important

Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs. Issues like this are why it’s important to release data. It enables independent error checking, but also allows […]

 

What Kip Hawley Doesn't Understand About Terrorism

Former TSA Administrator Kip Hawley was on NPR a few minutes ago, opining on the 2nd panty bomber. He said two remarkable things. First, that the operators of nudatrons, who see thousands of naked people per day, would notice the bomb. Second, he didn’t understand why Al Qaeda would continue to focus on underwear bombs. […]

 

Twitter Weekly Updates for 2012-05-06

RT @netik You program in Rails? Check out Brakeman from our security team & make your code safer. http://t.co/nFPQ3cxx (go @presidentbeef!) # RT @KimZetter Equipment Maker Caught Installing Backdoor Vows to Fix After Public Pressure – http://t.co/EZfe7s27 # Pro tip: "Blackhat talks get lots of publicity" is not a reason *your* submission will make a […]

 

Study: More than 90% of Americans Take Action on Privacy

That’s my takeaway from a new study of 2,000 households by Consumer Reports: There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. […]

 

Please Kickstart Elevation of Privilege

Jan-Tilo Kirchhoff asked on Twitter for a printer (ideally in Germany) to print up some Elevation of Privilege card sets. Deb Richardson then suggested Kickstarter. I wanted to comment, but this doesn’t fit in a tweet, so I’ll do it here. I would be totally excited for someone to Kickstarter production of Elevation of Privilege. […]

 

When an interrupt is important

So it’s cool that this “S.M.A.R.T” stuff tells the computer when the hard drive is failing. The next step in user interface is to take the message out of /Applications/Utilities/Disk Utility and into an interruptive UI, so that I don’t discover this problem when I happen to get an extra drive for backup. I know […]

 

Toorcamp: Gender Issues, Cognitive Psychology and Hacking

So the announcement for Toorcamp is out, and it looks like an exciting few days. A few talks already announced look very new school, including “How you can be an ally to us females” by Danielle Hulton and Leigh Honeywell, and “Cognitive Psychology for Hackers.” It’s in the far northwester corner of the US, and […]

 

How to get my vote for the ACM Board

I’m concerned about issues of research being locked behind paywalls. The core of my reason is that research builds on other research, and wide availability helps science move forward. There’s also an issue that a great deal of science is funded by taxpayers, who are prevented from seeing their work. One of the organizations which […]

 

Twitter Weekly Updates for 2012-04-22

RT @calyxinstitute We've reached over $50,000 in donations and are 44 donors shy of breaking 1,000! Help us keep the momentum going. # RT @deviantollam "It's a sad day in America when you're driving down the road one of these pulls up next to you: http://t.co/1Ksxn5ja " # RT @markrussinovich Debunking of exaggerated cybercrime stats […]

 

Suck My Underground

Hey! Jam Jarr has a new album and its free today. They asked for a Facebook link, and since I can’t do that, I figured a blog was in the right spirit. So go check it out: Jam Jarr: Suck My Underground. It’s free. Why not take a listen? PS: When I say free, I […]

 

Dennis Fisher's Novel ("Motherless Children") is out

You probably know Dennis Fisher because of his writings on Threatpost or his Digital Underground podcast, where I’ve appeared several times. I wanted to help him spread the news that his first novel “Motherless Children” is now available. You should check it out. I’ll get my review done shortly, but I wanted to help spread […]

 

Calyx and the Market for Privacy

So there’s a new startup in town, The Calyx Institute, which is raising money to create a privacy-protecting ISP and phone company. I think that’s cool, and have kicked in a little cash, and I wanted to offer up some perspective on the market for privacy, having tried to do this before. From 1999 until […]

 

Twitter Weekly Updates for 2012-04-15

RT @bruces http://t.co/7BfPuW40 *TSA really keen on putting the electronics border-crunch on dissidents << Worse, add http://t.co/3qTkucub # RT @justintroutman @csoghoian If there's one thing that will identify the right privacy expert, it's the urinalysis and one-year probation. # I bet Facebook is going to start auto-sepia toning everyone's pictures as they age. # New […]

 

Fascinating Storyline around Instagram & Facebook

First, congratulations to the folks at Instagram, who built something that was so valuable to Facebook and managed to get a great exit. Me, I suspect that Facebook did it so they can gradually sepia-tone all your photos, but that’s not important right now. I was struck by the nature of this article by the […]

 

Checklists and Information Security

I’ve never been a fan of checklists. Too often, checklists replace thinking and consideration. In the book, Andrew and I wrote: CardSystems had the required security certification, but its security was compromised, so where did things goo wrong? Frameworks such as PCI are built around checklists. Checklists compress complex issues into a list of simple […]

 

Edited Twitter Weekly Updates for 2012-04-08

Things I said: Google continues to hobble their services, push accounts/wallet names, now w/ Scholar http://t.co/IIQ7xk15 (cc @rileycrane @tgoetz @skud) # In other words, why not create timelines for every scholar who's published? That would be organizing the worlds info & making it useful. # You need a Google account to get that citation history, […]

 

Chaos Emerges from Demanding Facebook Passwords

On the off chance that you’ve been hiding under a rock, there’s been a stack of news stories about organizations (both private and governmental) demanding people’s Facebook passwords as part of the process of applying for jobs, with much associated hand-wringing. In “I hereby Resign“, Raganwald discusses the downside to employers of demanding to look […]

 

Dear FBI, Who Lost $1Billion?

In a widely discussed op-ed, Richard Clarke wrote: It’s not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, who retired last Friday as the executive assistant director of the F.B.I. (and its lead agent on cybercrime), […]

 

How Harvey Mudd Brings Women into CS

Back in October, I posted on “Maria Klawe on increasing Women in Technology.” Now the New York Times has a story, “Giving Women The Access Code:” “Most of the female students were unwilling to go on in computer science because of the stereotypes they had grown up with,” said Zachary Dodds, a computer scientist at […]

 

Edited Twitter Weekly Updates for 2012-04-01

That’s what I said: Photographers should check out these awesome lens physics simulations from Stanford http://t.co/hlNrqQT3 # Good article by @elinormills "Why data breach isn't a dirty word anymore" http://t.co/JXtTOTbT # New blog with a TED talk, "Doctors Make Mistakes, can we talk about that?" http://t.co/c00zcvMr # .@RSAConference can we go so far as "highly […]

 
 

How to mess up your breach disclosure

Congratulations to Visa and Mastercard, the latest companies to not notify consumers in a prompt and clear manner, thus inspiring a shrug and a sigh from consumers. No, wait, there isn’t a clear statement, but there is rampant speculation and breathless commentary. It’s always nice to see clear reminders that the way to get people […]

 

Cool Optics Flash Applets

Photographers should check out Flash applets on some technical aspects of photography at Stanford. The apps help you understand things like “Variables that Affect Exposure” (the aperture/time/ISO tradeoffs) as well as how lenses work, create depth of field, or how a telephoto lens bends the light. Very cool.

 

Doctors Make Mistakes. Can we talk about that?

That’s the title of this TED Talk, “Doctors Make Mistakes. Can we talk about that?” When was the last time you heard somebody talk about failure after failure after failure? Oh yeah, you go to a cocktail party and you might hear about some other doctor, but you’re not going to hear somebody talking about […]

 

Edited Twitter Weekly Updates for 2012-03-25

I’m continuing to tweak in the hopes of balancing useful & overwhelming. This week I’m not only cutting down the chaos a bit, but adding the emergent categories. Also, my tweets precede the Re-Tweets. Comments welcome. Where can I send people new to infosec for security mentoring, confident that they'll get broad, data-centered advice? (#newschool) […]

 

BSides Las Vegas 2012 Contest

BSides LV 2012 tickets sold out in under 30 hours last week. I have acquired five tickets to give away. More details later, but the tickets will go to the person or people who have the best story of how they applied the principles of the New School in a real life situation. Start planning […]

 

Does 1Password Store Passwords Securely?

In ““Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?” Andrey Belenko and Dmitry Sklyarov write quite a bit about a lot of password management tools. This is admirable work, and I’m glad BlackHat provided a forum for it. However, as a user of 1Password, I was concerned to read the following about that […]

 

Edited Tweets for 2012-03-18

RT @curphey amazing how many serial entrepreneurs, visionaries & thought leaders in security are wanting to contract @ $75/hour # MT @GammaCounter Chinese spies impersonated US Navy admiral on Facebook, friended NATO officials: http://t.co/FFnpdJ9p via @adam_orbit # I really want @robinsage to RT this: Chinese spies impersonated US Navy admiral on Facebook, friended NATO officials: […]

 

Feelings! Nothing but feelings!

At BSides San Francisco, I met David Sparks, whose blog post on 25 security professionals admit their mistakes I commented on here. And in the department of putting my money where my mouth is, I talked him through the story on camera. The video is here: “Security Guru Tells Tale of How His Blog Became […]

 

Entice, Don't Scold

I really like what Adrian Lane had to say about the cars at RSA: I know several other bloggers have mentioned the exotic cars this year in vendor booths on the conference floor. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. […]

 

Kind of Copyrighted

This Week in Law is a fascinating podcast on technology law issues, although I’m way behind on listening. Recently, I was listening to Episode #124, and they had a discussion of Kind of Bloop, “An 8-Bit Tribute to Miles Davis’ Kind of Blue.” There was a lawsuit against artist Andy Baio, which he discusses in […]

 

Twitter Weekly Updates for 2012-03-11

Photo: "Barcelino Per Donna Welcomes RSA Conference 2012" somehow I perceive a mismatch http://t.co/qlKZIdId # RT @mikko Sony said that they lost Michael Jackson's entire unreleased back catalog in one of the 2011 breaches: http://t.co/KeYM9VyD # I sorta like this print, but I'm not sure I'd pay $12 Trillion for it. http://t.co/dzW8iEEl # RT @normative […]

 

Browser Privacy & Fingerprinting

Ivan Szekely writes in email: A team of young researchers – my colleagues – at the Budapest University of Technology and Economics developed a cross-browser fingerprinting system in order to demonstrate the weaknesses of the most popular browsers. Taking Panopticlick’s idea as a starting point, they developed a new, browser-independent fingerprinting algorithm and started to […]

 
 

How's that secrecy working out?

Last week at RSA, I was talking to some folks who have reasons to deeply understand a big and publicly discussed breach. I asked them why we didn’t know more about the breach, given that they’d been fairly publicly named and shamed. The story seems to be that after the initial (legal-department-driven) clampdown on talking, […]

 

Stop sinning with complaints about the coffee budget

Someone respected wrote on a private mailing list: “If you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.” — Richard Clarke, keynote address, RSA 2002 To which, verily I say: Doom! Doom! You commit the sin of false comparison! You have angered Furlongeous, […]

 

Twitter Weekly Updates for 2012-03-04

RT @tedfrank If you're having trouble getting Sudafed, here's how to make it with more readily available crystal meth. http://t.co/THaQZzov # RT @digiphile "Privacy breaches keep getting worse. Facebook admits reading txt msgs of users who installed phone app" http://t.co/v8CMM222 # RT @threatpost #Microsoft partners w/ Good Technology to bring encrypted email to Windows Phone. […]

 

Congratulations!

Our sincere congratulations to all the winners of the Social Security Blogger awards.

 

FEAR AND LOATHING IN SAN FRANCISCO (RSA PRE-GAME)

So it’s early Sunday AM, and I’m getting my RSA Schedule together finally.  So here’s what I’m looking forward to this week, leave us stuff in the comments if you’ve identified other cool stuff: =============== Monday:  8 freaking AM – I’m talking with Rich Mogull of @securosis about Risk Management.  Fun! Monday is also Metricon, […]

 

Twitter Weekly Updates for 2012-02-26

RT @internetlibre Twitter Censors Accounts Unfavorable To Nicolas Sarkozy http://t.co/wMGMuifY #netfreedom #internetlibre #sarkoCensure # RT @Dakami Pretty cool: @joncallas looked at all public keys signed by Entrust; none of them had reused RSA primes http://t.co/8JOsYQ9e # New blog: "It's a Lie: Seattle Taxpayers Will Pay for a Stadium" http://t.co/tkg3JxZi (cc @seattletimes) # Help Find the […]

 

Admitting Mistakes

Tripwire’s blog has “25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them.” I’m glad to see attention paid to the simple reality that we all make mistakes. Extra points to Bill Brenner, Pete Lindstrom, Andrew Hay, Chris Wysopal, Rob Ton and Larry Ponemon for being willing to talk about mistakes that had […]

 

"Anonymized, of course"

I’ve noticed a couple of times lately that as people discuss talking about security incidents, they don’t only default to the idea of anonymization, they often insert an “of course” after it. But today I want to talk about the phrase “anonymized, of course”, what it means, why people might say it, and how members […]

 

Help Find the People Who Killed Ulf Möller

The family of Ulf Möller are asking for help in finding the people who murdered him, and asking for help spreading the word: They have a web site with details in English, German, Polish and Lithuanian: The two men are described as slim, both about 1.75 m to 1.80 m tall, between 20 and 30 […]

 

It's a Lie: Seattle Taxpayers Will Pay for a Staduim

The Seattle Times carries a press release: “Arena plan as solid as it looks?” The intricate plan offered for an NBA and NHL arena in Sodo hinges on the untested strategy of building a city-owned, self-supporting arena, without the aid of new taxes, and with team owners — not taxpayers — obligated to absorb any […]

 

Twitter Weekly Updates for 2012-02-19

RT @csoghoian If Path-like apps that pilfered user contact data suffered a data breach, existing laws wouldn't require disclosure to users. # New quickie blog: Bismark's Voice http://t.co/zk01Biec # RT @paulmadsen Sharingfreude, n. – pleasure derived from inadvertent sharing of personal information on social media by friends & colleagues # .@dakami @jeremiahg @tqbf see also […]

 

New Cyber Security Bill: Crowdsource Analysis?

A lot of people I trust are suggesting that the “Collins-Lieberman” bill has a substantial chance of passing. I have some really interesting (and time-consuming) work tasks right now, and so I’m even more curious than usual what you all think, especially how this According to the press release, the “Collins-Lieberman” bill would: The Department […]

 

Predictably Apathetic responses to Cyber Attack

Wh1t3Rabbit has a great post “Understanding the apathetic response to a cyber attack:” Look, Dana’s right. His business is the organizing and promotion of the UFC fights. Secondary to that business is the merchandising and other aspects of the UFC – but that probably is a significantly smaller portion of the overall company revenue. Now […]

 

Bismark's Voice

Tucked away for decades in a cabinet in Thomas Edison’s laboratory, just behind the cot in which the great inventor napped, a trove of wax cylinder phonograph records has been brought back to life after more than a century of silence. The cylinders, from 1889 and 1890, include the only known recording of the voice […]

 

Twitter Weekly Updates for 2012-02-12

RT @tkeanini Overcoming the fear of disclosure http://t.co/DZdkeyNh << TK is spot on. Our fear blocks feedback loops. # MT @qld_oic ..empowering young people to establish good cyber safety behaviour #oicprivacycomp http://t.co/vkr3VZ3A [$1000 prize for video] # RT @mortman Yet More On Threat Modeling: A Mini-Rant http://t.co/ZPxVa9HE cc @adamshostack @alexhutton #newschool # RT @securityskeptic @mortman […]

 

Book Review: Cloud Security Rules

A while back, Kai Roer graciously sent me an electronic copy of the book Cloud Security Rules that he co-authored with an all-start cast including luminaries Wendy Nather and our very own New School’s Alex Hutton. All in all, it’s a solid read covering the gamut of topics from Risk and Compliance to technology versus […]

 

Have You Seen The Little Piggies?

Apparently, the project manager who found a vendor for the Vermont State Police car decals failed to consider a few things. Such as the risk that prisoners might want to have a little fun at the expense of the police. You can see the fun if you study the image carefully here, or in a […]

 

Why Breach Disclosures are Expensive

Mr. Tripathi went to work assembling a crisis team of lawyers and customers and a chief security officer. They hired a private investigator to scour local pawnshops and Craigslist for the stolen laptop. The biggest headache, he says, was deciphering how much about the breach his nonprofit needed to disclose…Mr. Tripathi said he quickly discovered […]

 

Yet More On Threat Modeling: A Mini-Rant

Yesterday Adam responded to Alex’s question on what people thought about IanG’s claim that threat modeling fails in practice and I wanted to reiterate what I said on twitter about it: It’s a tool! No one claimed it was a silver bullet! Threat modeling is yet another input into an over all risk analysis. And […]

 

On Threat Modeling

Alex recently asked for thoughts on Ian Grigg’s “Why Threat Modeling Fails in Practice.” I’m having trouble responding to Ian, and have come to think that how Ian frames the problem is part of my problem in responding to him. So, as another Adam likes to say, “

 

Twitter Weekly Updates for 2012-02-05

RT @Entropologist Passwords should be a mix of letters, numbers, special characters and longer than 8 characters… like "' or 1=1;–" # RT @ioerror Researchers taking a stand against Elsevier: http://t.co/TMZqj2E9 # RT @ashk4n Even experts are having a hard time differentiating between android malware & mobile ads these days http://t.co/t5qAQANP # Tinker, Tailor is […]

 

Dear Verisign: Trust requires Transparency

On their blog, Verisign made the following statement, which I’ll quote in full: As disclosed in an SEC filing in October 2011, parts of Verisign’s non-production corporate network were penetrated. After a thorough analysis of the attacks, Verisign stated in 2011, and reaffirms, that we do not believe that the operational integrity of the Domain […]

 
 

Threat Modeling Fails In Practice

Would be interested in readers thoughts on Ian G’s post here: https://financialcryptography.com/mt/archives/001357.html

 

Pulling A Stiennon: In The Cloud, The DMZ Is Dead

Calling something in the cloud a DMZ is just weird. Realistically, everything is a DMZ. After all, you are sharing data center space, and if your provider is using virtualization, hardware with all of their other customers. As such, each and every network segment you have is (or should be) isolated and have only a […]

 

Time for an Award for Best Data?

Yesterday, DAn Kaminsky said “There should be a yearly award for Best Security Data, for the best collection and disbursement of hard data and cogent analysis in infosec.” I think it’s a fascinating idea, but think that a yearly award may be premature. However, what I think is sorta irrelevant, absent data. So I’m looking […]

 

More on Real Name Policies

There were a couple of excellent posts about Google+ which I wanted to link in, but the post took a different path: “Google+ and The Trouble With Tribbles” The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook […]

 

Sharing Research Data

I wanted to share an article from the November issue of the Public Library of Science, both because it’s interesting reading and because of what it tells us about the state of security research. The paper is “Willingness to Share Research Data Is Related to the Strength of the Evidence and the Quality of Reporting […]

 

Yes, Google+ Is a Failure

One of the most common bits of feedback about my post “Google+ Failed Because of Real Names” is that Google+ is now a huge service, and that the word failed is an exaggeration, or a trick of the rhetorician. Some folks might advise me to stop digging a hole, put down the shovel and walk […]

 

A quick pointer

I wrote a blog post regarding the BSidesSF/RSA conf dust-up. (If I knew how to work Adam’s twitter integration thingy, you’d have been spared this)

 

Twitter Weekly Updates for 2012-01-29

Vincent Brown (@politico_ie) should be given an uninterrupted hour with the ECB execs: https://t.co/SZYOtveo # RT @marciahofmann Supreme Court: government installation & use of a GPS device to monitor a vehicle's movements is a 4th Amendment search. # RT @normative RT @thinkprogress: BREAKING: Rand Paul is being detained by TSA in Nashville (via @moirabagley) < […]

 

Aviation Safety

The past 10 years have been the best in the country’s aviation history with 153 fatalities. That’s two deaths for every 100 million passengers on commercial flights, according to an Associated Press analysis of government accident data. The improvement is remarkable. Just a decade earlier, at the time the safest, passengers were 10 times as […]

 

Google+ Failed Because of Real Names

It’s now been a few months since the launch of Google+, and it’s now fairly clear that it’s not a mortal threat to Facebook, or even Orkut. I think it’s worth thinking a bit about why Google+ isn’t doing better, despite its many advantages. Obviously, Google wants to link Google+ profiles to things in the […]

 

Turn Off Javascript

For @weldpond: Please turn off JavaScript. We don’t require it and it only increases your vulnerability.

 

Vendor shout out: Gourmet Depot

You know those random parts of kitchen appliances that break, and the manufacturer is no longer making, and so you buy a new one that breaks after 4 months? Yeah, you know what I’m talking about. Next time, look to Gourmet Depot and see if they have replacement parts. It was easy to find their […]

 

Kudos to Ponemon

In the past, we have has some decidedly critical words for the Ponemon Institute reports, such as “A critique of Ponemon Institute methodology for “churn”” or “Another critique of Ponemon’s method for estimating ‘cost of data breach’“. And to be honest, I’d become sufficiently frustrated that I’d focused my time on other things. So I’d […]

 

Twitter Weekly Updates for 2012-01-22

What's the best history of @Defcon Capture the Flag? (cc @rileycaezar @thedarktangent ) # RT @thedarktangent What's the best history of #DEFCON Capture the Flag? @adamshostack asks, & we need to update the site. Send your links! # RT @jccannon7 My sci fi book launches today. More info at http://t.co/bVd8mUSg # RT @mortman New posts: […]

 
 

Oracle's 78 Patches This Quarter, Whatever…

There’s been a lot of noise of late because Oracle just released their latest round of patches and there are a total of 78 of them. There’s no doubt that that is a lot of patches. But in and of itself the number of patches is a terrible metric for how secure a product is. […]

 

Seattle in the Snow

(From The Oatmeal.) It’s widely understood that Seattle needs a better way to measure snowfall. However, what’s lacking is a solid proposal for how to measure snowfall around here. And so I have a proposal. We should create a new unit of measurement: The Nickels. Named after Greg Nickels, who lost the mayorship of Seattle […]

 

Ulf Muller

I am saddened to pass on the news that Ulf Müller, a colleague at Zero-Knowledge Systems, has died in tragic and violent circumstances. I remember Ulf as quiet, gentle, kind and am tremendously saddened by his loss. The most recent news story is “Computer-Experte in Transporter erschlagen“. Nils Kammenhuber of the Technical University of Munich […]

 

Please Participate: Survey on Metrics

I got an email from my friend John Johnson who is doing a survey about metrics.  If you have some time, please respond… ———————————————————————————————————————————————— I am seeking feedback from others who may have experience developing and presenting security metrics to various stakeholders at their organization. I have a number of questions I’ve thought of, and […]

 

Continuous Deployment and Security

From an operations and security perspective, continuous deployment is either the best idea since sliced bread or the worst idea since organic spray pancakes in a can. It’s all of matter of execution. Continuos deployment is the logical extension of the Agile development methodology. Adam recently linked to an study that showed that a 25% […]

 

Chocolate Waffles

Too good not to share (inspired by: Chocolate-Hazelnut Waffles with Frangelico-Brown-Butter Syrup) Ingredients : 6 oz. (1-1/3 cups) fresh ground whole-wheat flour 2 oz. (2/3 cup) natural cocoa powder 1-1/2 tsp. baking powder 1/2 tsp. baking soda 1 tsp. kosher salt 3/4 cup granulated palm sugar 2 large eggs, at room temperature 3 oz. (6 […]

 

Twitter Weekly Updates for 2012-01-15

New blog: Shocking News of the Day: Social Security Numbers Suck http://t.co/VuMV3faO # RT @PogoWasRight Does *any* federal govt agency actually respond to FOI requests within 20 days? << Send GAO a FOIA with that question? 🙂 # RT @Digital4rensics On Computer Security Incident Information Sharing: http://t.co/GhGYOOjP – New Post Up! # New worst practice: […]

 

Please vote New School

We’re honored to be nominated in three categories for the Security Bloggers Awards: Most Educational Most Entertaining Hall of Fame On behalf of all of us who blog here, we’re honored by the nomination, and would like to ask for your vote. We’d also like to urge you to vote for our friends at Securosis […]

 

Please vote New School

We’re honored to be nominated in three categories for the Security Bloggers Awards: Most Educational Most Entertaining Hall of Fame On behalf of all of us who blog here, we’re honored by the nomination, and would like to ask for your vote. We’d also like to urge you to vote for our friends at Securosis […]

 

The New School of Software Engineering?

This is a great video about how much of software engineering runs on folk knowledge about how software is built: “Greg Wilson – What We Actually Know About Software Development, and Why We Believe It’s True” There’s a very strong New School tie here. We need to study what’s being done and how well it […]

 

Google+ is not a space for free expression

Earlier today I noticed something funny. My Google profile picture — the picture associated with my Gmail account, my GChat account, my Google+ account, etc — had vanished. A bug? Nope. It turns out, Google — without telling me — went into my account and deleted my profile picture. See “Dear Google+” for the details […]

 

New School Approaches to Passwords

Adam Montville left a comment on my post, “Paper: The Security of Password Expiration“, and I wanted to expand on his question: Passwords suck when they’re not properly cared for. We know this. Any other known form of authentication we have is difficult because of the infrastructure required to pull it off. That sucks too. […]

 
 

Shocking News of the Day: Social Security Numbers Suck

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over […]

 

Twitter Weekly Updates for 2012-01-08

RT @RegoftheDay Happy new year! 40,000 new laws take effect starting today. http://t.co/EOVyRya9 # RT @StevenLevy Always suspected those xray "backscatter" machines will kill more of us than terrorists will. Now this. http://t.co/ag2lFWWc # New podcast with @dgwbirch: http://t.co/HKeKOVyW # New short blog: "The irony overfloweth" http://t.co/6VsrF9JO # Wow. The Wikipedia article on Infosec certifications […]

 

Paper: The Security of Password Expiration

The security of modern password expiration: an algorithmic framework and empirical analysis, by Yingian Zhang, Fabian Monrose and Michael Reiter. (ACM DOI link) This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account’s […]

 

Steve Bellovin's "Lessons from Suppressing Research"

Steve Bellovin has a good deal of very useful analysis and context about “an experiment that showed that the avian flu strain A(H5N1) could be changed to permit direct ferret-to-ferret spread. While the problem the government is trying to solve is obvious, it’s far from clear that suppression is the right answer, especially in this […]

 

New podcast with Dave Birch

I really enjoyed a conversation with Dave Birch for Consult Hyperion’s “Tomorrow’s Transactions” podcast series. The episode is here. We covered the New School, lessons learned from Zero-Knowledge Systems, and games for security and privacy.

 

The Irony Overfloweth

@RobArnold tweeted: “Someone thinks targeted Facebook ads are an effective way to ask for Firefox features. Any other Mozillians see this?” The irony of using a targeted ad, on Facebook, to ask for more privacy protection…

 

Twitter Weekly Updates for 2012-01-01

RT @timoreilly Amazon patents inferring religion from choice of wrapping paper http://t.co/MmCMx2OO << Over the "creepy" line # RT @kevinmitnick Did you ever want a blue box to make free calls? Now you can in the Apple app store. Search for "blue box". EPIC!!! # I wonder what Woz thinks of being able to get […]

 

Cello Wars

For your holiday amusement: Thanks, Jeff!

 
 

Twitter Weekly Updates for 2011-12-25

Weekend NewSchool blog: "APT Didn't Eat our Theme. Adam Did." http://t.co/JDvLTayG (cc @RealGeneKim, @alexhutton ) # Really, TSA? The airline isn't allowed to auto-enter my freakin' date of birth? Has anyone calculated lifetimes wasted on red tape? # RT @BillBrenner70 Stop them before they predict again! http://t.co/7qzuTchU # I predict 90% of 2012 infosec predictions […]

 

Discussing Norm Marks' GRC Wishlist for 2012

Norm Marks of the famous Marks On Governance blog has posted his 2012 wishlist.  His blog limits the characters you can leave in a reply, so I thought I’d post mine here. 1.  Norm Wishes for “A globally-accepted organizational governance code, encompassing both risk management and internal control” Norm, if you mean encompassing both so […]

 

Niels Bohr was right about predictions

There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I […]

 

The New School of Security Predictions

Bill Brenner started it with “Stop them before they predict again!:” My inbox has been getting hammered with 2012 vendor security predictions since Halloween. They all pretty much state the obvious: Mobile malware is gonna be a big deal Social networking will continue to be riddled with security holes Technologies A, B and C will […]

 

The Pre-K underground?

Not my headline, but the New York Times: Beyond the effort was the challenge of getting different families to work together. When matters as personal as education, values and children are at stake, intense emotions are sure to follow, whether the issue is snacks (organic or not?), paint (machine washable?) or what religious holidays, if […]

 

Owning Up to Pwnage (Part 2)

On Saturday, I discussed how “I bolluxed our blog theme.” “More to the point, we here at the New School talk a good game about how we need to talk about problems, rather than cover them up. So here’s our money where our mouths are. I, Adam Shostack, screwed up the blog presentation by not […]

 

Twitter Weekly Updates for 2011-12-18

RT @jeremiahg "HBGary not only didnt lose biz customers in the past year, but "got additional business" -Hoglund http://t.co/ap9pP39F # RT @bobblakley @Judgenap "Timid men prefer the calm of despotism to the tempestuous sea of liberty." Thomas Jefferson # Weekend blog "Threat Modeling & Risk Assessment" follows up on conversation with @451wendy http://t.co/iFCRCJW3 # RT […]

 

APT didn’t eat our theme. Adam did.

If you read this blog with a web-reader, you’ll note our (ahem) excellent new theme, and may be saying, wow, guys, “nice job” Yeah. Ooops. I upgraded to WordPress 3.3, and upgraded our theme, and in so doing, overwrote some of the CSS that Alex had tweaked. I didn’t test, and so things were wonky. […]

 

ThreatPost Podcast with Adam Shostack

Last week I did a podcast with Dennis Fisher. In it, we touched on what I might change in the book. Take a listen at: “Adam Shostack on Methods of Compromise, the New School and Learning“

 

Outrage of the Day: DHS Takes Blog Offline for a year

Imagine if the US government, with no notice or warning, raided a small but popular magazine’s offices over a Thanksgiving weekend, seized the company’s printing presses, and told the world that the magazine was a criminal enterprise with a giant banner on their building. Then imagine that it never arrested anyone, never let a trial […]

 

The output of a threat modeling session, or the creature from the bug lagoon

Wendy Nather has continued the twitter conversation which is now a set of blog posts. (My comments are threat modeling and risk assessment, and hers: “That’s not a bug, it’s a creature. “) I think we agree on most things, but I sense a little semantic disconnect in some things that he says: The only […]

 

Top 5 Security Influencers of 2011

I really like Gunnar Peterson’s post on “Top 5 Security Influencers:” Its December and so its the season for lists. Here is my list of Top 5 Security Influencers, this is the list with the people who have the biggest (good and/or bad) influence on your company and user’s security: My list is slightly different: […]

 

"Can copyright help privacy?"

There are semi-regular suggestions to allow people to copyright facts about themselves as a way to fix privacy problems. At Prawfsblog, Brooklyn Law School Associate Professor Derek Bambauer responds in “Copyright and your face.” Key quote: One proposal raised was to provide people with copyright in their faceprints or facial features. This idea has two […]

 

Twitter Weekly Updates for 2011-12-11

RT @daveaitel Tests Show Most Store Honey Isn't Honey http://t.co/2oI3O6RK << Will anyone go to jail for fraud? # RT @jdp23 Look at the list of the FTC complaints — huge issues. And basically no consequnces to FB. So why should they change? #privchat # RT @threatpost $56 Billion Later and Airport #Security Is Still […]

 

Threat Modeling and Risk Assessment

Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully. So first, what was said: (Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability […]

 

Outrage of the Day: Police Violence

When the LAPD finally began arresting those of us interlocked around the symbolic tent, we were all ordered by the LAPD to unlink from each other (in order to facilitate the arrests). Each seated, nonviolent protester beside me who refused to cooperate by unlinking his arms had the following done to him: an LAPD officer […]

 

Particularly NewSchool Job Posting

From Keith Weinbaum, Director of Information Security of Quicken Loans Inc. https://www.quickenloanscareers.com/web/ApplyNow.aspx?ReqID=53545 From the job posting: WARNING:  If you believe in implementing security only for the sake of security or only for the sake of checking a box, then this is not the job for you.  ALSO, if your primary method of justifying security solutions […]

 

Podtrac.com and Listener Privacy

It turns out that it’s very hard to subscribe to many podcasts without talking to Podtrac.com servers. (Technical details in the full post, below.) So I took a look at their privacy statement: Podtrac provides free services to podcasters whereby Podtrac gathers data specific to individual podcasts (e.g. audience survey data, content ratings, measurement data, […]

 
 

Twitter Weekly Updates for 2011-12-04

New School blog "'Its Time to Learn Like Experts' by @jayjacobs" http://t.co/lnXTqyp8 # RT @dmolnar Help me shop for furniture http://t.co/rXxLrB4O # RT @moxie__ WhisperSystems has been acquired! http://t.co/M5i1g6D0 < Congratulations! I hope it leads to great things for Twitter privacy # RT @tsastatus A few new features, and a bunch of status updates, at […]

 

Gävle Goat Gambit Goes Astray

It’s a bit of a Christmas tradition here at Emergent Chaos to keep you informed about the Gävle Goat. Ok, technically, our traditions seem hit and miss, but whaddaya want from a site with Chaos in the name? You want precision, read a project management blog. Project management blogs probably set calendar reminders to kick […]

 

Paper: "The Future of Work is Play"

My colleague Ross Smith has just presented an important new paper, “The Future of Work is Play” at the IEEE International Games Innovation Conference. There’s a couple of very useful lessons in this paper. One is the title, and the mega-trends driving games into the workplace. Another is Ross’s lessons of when games work: Over […]

 

Big Brother Watch report on breaches

Over at the Office of Inadequate Security, Dissent says everything you need to know about a new report from the UK’s Big Brother Watch: Extrapolating from what we have seen in this country, what the ICO learns about is clearly only the tip of the iceberg there. I view the numbers in the BBW report […]

 

We Robot: The Conference

This looks like it has the potential to be a very interesting event: The University of Miami School of Law seeks submissions for “We Robot” – an inaugural conference on legal and policy issues relating to robotics to be held in Coral Gables, Florida on April 21 & 22, 2012. We invite contributions by academics, […]

 

Telephones and privacy

Three stories, related by the telephone, and their impact on privacy: CNN reports that your cell phone is being tracked in malls: Starting on Black Friday and running through New Year’s Day, two U.S. malls — Promenade Temecula in southern California and Short Pump Town Center in Richmond, Va. — will track guests’ movements by […]

 

"It's Time to Learn Like Experts" by Jay Jacobs

I want to call attention to a new, important and short article by Jay Jacobs. This article is a call to action to break the reliance on unvalidated expert opinions by raising awareness of our decision environment and the development of context-specific feedback loops. Everyone in the New School is a fan of feedback loops […]

 

Twitter Weekly Updates for 2011-11-27

MT @attractr Bejtlich: SEC Guidance Emphasizes Materiality for disclosing sec incidents: "new audience: shareholders" http://t.co/mlMts2Wd # RT @doctorow Just got to Occupy New School http://t.co/VjfVhFcN << I think Cory means something other than I would mean by this statement 🙂 # NYTimes reports man bites dog, I mean "Screening Still a Pain at Airports, Fliers […]

 

Relentless navel gazing, part MCXII

Two changes here at Emergent Chaos this weekend: first, a new, variable width theme which is a little tighter, so there’s more on a screen. Second, I’ve moved the twitter summary to weekly, as comments were running about 50-50 on the post asking for opinion. I think that may be a better balance. And a […]

 

The One Where David Lacey's Article On Risk Makes Us All Stupider

In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myth’s Of Risk Assessment.”  This article is so patently bad, so heinously wrong, that it stuck in my caw enough to write this blog post.  So let’s discuss why Mr. Lacey has no clue […]

 

What's Wrong and What To Do About It?

Let me start with an extended quote from “Why I Feel Bad for the Pepper-Spraying Policeman, Lt. John Pike“: They are described in one July 2011 paper by sociologist Patrick Gillham called, “Securitizing America.” During the 1960s, police used what was called “escalated force” to stop protesters. “Police sought to maintain law and order often […]

 

Twitter Updates from Adam, 2011-11-25

RT @marciahofmann Carrier IQ backpedals on bogus legal threat, apologizes to security researcher. http://t.co/yY5o6JJk < Nice work Marcia! # Powered by Twitter Tools

 

Twitter Updates from Adam, 2011-11-24

RT @risktical #riskhose pocast, Episode 14 http://t.co/5hF9YKlZ @adamshostack & 'feedback loops' – great content! @jayjacobs @alexhutton # New "blog" points to Risk Hose podcast #14 with me, @alexhutton, @risktical @jayjacobs http://t.co/8zaBLD8x # RT @CYBERLAWRADIO About to go live on CLBR with CMU Proff @lorrietweet on Why Johnny Can't Opt Out – on webmasterradio.fm # RT […]

 

Risk Hose Podcast #14 with Adam and Alex

I’m on episode 14 of the Risk Hose podcast, with co-blogger Alex. Chris, Jay and Alex are joined by Adam Shostack and we dig into the topic of feedback loops within Information Security. You should check it out! Episode 14: Feedback Loops

 

Twitter Updates from Adam, 2011-11-23

NYTimes reports man bites dog, I mean "Screening Still a Pain at Airports, Fliers Say" http://t.co/vlPAH1n0 # New School blog post, "AT&T Hack Attempt" I'm looking for polling software http://t.co/d4YooBv9 # I missed a great opportunity in a recent podcast to say "controls implemented in a way that makes both auditors & attackers happy" # […]

 

AT&T Hack Attempt

First, good on AT&T for telling people that there’s been an attempt to hack their account. (My copy of the letter that was sent is after the break.) I’m curious what we can learn by discussing the attack. An AT&T spokesperson told Fox News that “Fewer than 1 percent of customers were targeted.” I’m currently […]

 

Twitter Updates from Adam, 2011-11-22

RT @doctorow Just got to Occupy New School http://t.co/VjfVhFcN << I think Cory means something other than I would mean by this statement 🙂 # Powered by Twitter Tools

 

Twitter Updates from Adam, 2011-11-21

MT @attractr Bejtlich: SEC Guidance Emphasizes Materiality for disclosing sec incidents: "new audience: shareholders" http://t.co/mlMts2Wd # Powered by Twitter Tools

 

Twitter Updates from Adam, 2011-11-20

New School blog post "Privacy is Security, Part LXII: The Steakhouse" http://t.co/cEjWix7N # MT @_nomap More on [obvious] Saudi airport fingerprint fail. It was mostly immigrant workers stranded for 12 hours. http://t.co/g3ih69Sk # MT @dgwbirch Heard on BBC that poor people use cash, end up paying up to £185 per annum more for utilities << […]

 

Privacy is Security, Part LXII: The Steakhouse

But in the last year and a half, at least 50 diners at restaurants like the Capital Grille, Smith & Wollensky, JoJo and Wolfgang’s Steakhouse ended up paying for more than just a fine piece of meat. Their card information — and, in effect, their identities [sic] — had been stolen by waiters in a […]

 

Twitter Updates from Adam, 2011-11-19

RT @alexhutton @adamshostack @bobblakley @threatpost I thought blogging was dead? << apparently! # RT @dostlund: NYPD has sidewalk checkpoints requiring ID to pass down Broadway. Iranian-born co-worker said "they used to do that in Tehran" # New Blog: Emergent Chaos endorses @wimremes for ISC(2) Board http://t.co/oAWTljcC # This post by Steve Bellovin reminded me of […]

 
 

Emergent Chaos endorses Wim Remes for ISC(2) Board

Today, we are sticking our noses in a place about which we know fairly little: the ISC(2) elections. We’re endorsing a guy we don’t know, Wim Remes, to shake stuff up. Because, really, we ought to care about the biggest and oldest certification in security, but hey, we don’t. And really, that’s a bit of […]

 

Twitter Updates from Adam, 2011-11-18

MT @ashk4n Most [Android?] Phones Ship w/ CarrierIQ "Rootkit" that allows carrier to keylog & record browser history http://t.co/90vYRCHR # MT @bobblakley @threatpost Orgs that ban social networks on company PCs ++more likely to be hacked http://t.co/z7oy4rYF http://t.co/9iIb4BBg # New School blog, "Block Social Media, Get Pwned" http://t.co/dWzuCyzz quick comments on @TELUSBusiness report. (Thanks @bobblakley!) […]

 

Block Social Media, Get Pwned

At least, that’s the conclusion of a study from Telus and Rotman. (You might need this link instead) A report in IT security issued jointly by Telus and the Rotman School of Management surveyed 649 firms and found companies that ban employees from using social media suffer 30 percent more computer security breaches than ones […]

 

Twitter Updates from Adam, 2011-11-17

RT @timoreilly TSA Puts Off Safety Study of X-ray Body Scanners http://t.co/GO4uHLN0 Meanwhile, Europe has banned them http://t.co/rmK3ZSTc # Powered by Twitter Tools

 

And there may be many others but they haven't been discovered

Three newly discovered elements were given names on Friday by the General Assembly of the International Union of Pure and Applied Physics at a meeting in London. They are Darmstadtium, or Ds, which has 110 protons in its nucleus and was named after the town in which it was discovered; Roentgenium, or Rg, with 111 […]

 

Twitter Updates from Adam, 2011-11-16

New School blog post "Breach disclosure and Moxie’s Convergence" http://t.co/mu5iLU2n (cc @moxie__ ) # New School blog post "Breach disclosure and Moxie’s Convergence" http://t.co/mu5iLU2n # Powered by Twitter Tools

 

Breach disclosure and Moxie's Convergence

Two weeks ago I finally got a chance to see Moxie’s Convergence/Trust Agility talk in person. (Since this was at work, let me just re-iterate that this blog is my personal opinions about what I saw.) It’s very good stuff, and Moxie and I had a good side chat about enhancing the usability of Convergence […]

 

Twitter Updates from Adam, 2011-11-15

RT @exiledsurfer @KforKallisti: Dan Siegel, Mayor Jean Quan's legal adviser quits over #OccupyOakland police raid http://t.co/c5brsq5u #ows # MT @mikko Somebody forgot a vacuum cleaner in a Swedish nuke plant, causing $267M in damages: http://t.co/kLRbV90h << someone tell stuxnet! # RT @dgwbirch was it a Freeman Dyson? (retires to cheers for making first ever physicist/vacuum […]

 

Twitter Updates from Adam, 2011-11-14

RT @WC2A_2AE Indian Communist Party General Sectry 'Let's fingerprint all Americans entering the country, like Brazil' http://t.co/GRBoQfYC # Powered by Twitter Tools

 

Twitter Updates from Adam, 2011-11-12

Nice of Apple to fix CVE-2011-0997, published in April (http://t.co/kOh6kTvs) # RT @jeremiahg "Steam Web sites hacked, gamer data exposed" http://t.co/daqkExWj < anyone see an attack vector? << Probably social eng 🙂 # RT @josephmenn @daveweigel The winner. RT @KagroX: Why didn't we just make 10/10/10 louder? # RT @WC2A_2AE Anyone interested in border security […]

 

Twitter Tools? Feedback please

So about a month ago, I started flowing my tweets over here. I’d love your thoughts on if it’s helpful, hurtful, or you just ignore it in your reader. [Update: currently arguments run 3:2 against continuing Twitter in the main feed. More (and civil) debate is invited.]

 

Twitter Updates from Adam, 2011-11-11

MT @normative How Far Will the Government Go in Collecting and Storing Data about us? New FBI Documents Shed Light http://t.co/zylCo3ES # RT @tqbf If the infosec community was a real influencer in crypto, we'd all be using Twofish instead of AES because of http://t.co/e21kDcwM # .@tqbf has the crypto or vuln community given us […]

 

Twitter Updates from Adam, 2011-11-10

MT @samablog More States Accept [fail to arrest?] TSA VIPR Teams at Transportation Hubs http://t.co/h3wdaQ3N via @zite # Are others seeing ICMP timeouts for http://t.co/y2uU0Qvt? /cc @moxie__ # RT @arj: @chenxiwang busts out her dog-eared copy of the Orange Book … < I've never seen a dog-eared copy of the Orange Book! # RT @dakami […]

 

Twitter Updates from Adam, 2011-11-09

RT @Fiona: Go watch The Muppets hang out on Google+. Me: Thank you: http://t.co/HacZWzBA << Is "Cookie Monster" an approved name? # RT @Jim_Harper When I describe @Cato's argument–"reasonable expectation of #privacy quot; FAIL–lawyers steeped in doctrine get confused. #Jones # New blog: "Slow thoughts on Occupy Seattle" http://t.co/13RTo5NE # RT @csoghoian Jones oral argument […]

 

Slow Thoughts on Occupy Seattle

I headed down to Occupy Seattle before a recent vacation, and have been mulling a bit on what I saw, because the lack of a coherent message or leadership or press make it easy to project our own opinions or simply mis-understand what the “Occupy” protests mean, and I wanted to avoid making that mistake. […]

 

Twitter Updates from Adam, 2011-11-08

New blog: "Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)" http://t.co/yXdAPMqv # New School blog: "Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)" http://t.co/yXdAPMqv # Powered by Twitter Tools

 

Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)

So Verizon has recently released their 2011 DBIR. Or perhaps more accurately, I’ve managed to pop enough documents off my stack that my scribbled-on notes are at the top, and I wanted to share some with you. A lot have gone to the authors, in the spirit of questions only they can answer. Here, I […]

 

Twitter Updates from Adam, 2011-11-07

RT @moxie__ Sarah's reflections on solitary confinement: http://t.co/z46aZjgM # RT @marcan42 RSA keys generated by Ruby didn't actually encrypt anything (e=1). "Oops". http://t.co/9vYNFVlI << I Ruby-encrypted this tweet # RT @ioerror We demand a vapid, condescending, meaningless, politically safe response to this petition: http://t.co/ndtf8tI4 # RT @bratling @mrkoot @adamshostack @ioerror Broken URL, not site. Here's […]

 

Twitter Updates from Adam, 2011-11-06

RT @k8em0 Thanks to speakers, attendees, organizers & volunteers for a fantastic & memorable #bluehat ! # RT @bengoldacre I'm leaving journalism for 6 months. Here's what I've learnt from writing about nonsense for 8 years http://t.co/GZlDnQ18 # RT @AdasBooks Book signing with @johncsh tomorrow at 1pm! http://t.co/pHqhbTv3 # RT @normative Profoundly depressed this is […]

 

Twitter Updates from Adam, 2011-11-05

RT @StephieShaver They say there's no rest for the wicked but at least there's espresso! FridayWHAT? << friday at BlueHat! # RT @Beaker: Congrats to @mortman on joining @enstratus! First @jamesurquhart then @botchagalupe and now Dave! All good friends together # As I watch @moxie__ give his trust talk at BlueHat, I realize how valuable […]

 

Twitter Updates from Adam, 2011-11-04

RT @at1as: Instead of useless Presidential Debates, how about a #wargame where we get to see how candidates respond to crisis situations? # RT @wikidsystems @adamshostack @at1as Kobayashi Maru! << Cyberyashi Maru! # Getting ready to give my #BlueHat talk on "How Computers Are Compromised." # Oooh, @jeremiahg wants us to play a game at […]

 

Twitter Updates from Adam, 2011-11-03

MT @samablog TSA Ignored Cancer Risks from TSA Scanners http://t.co/r72RAw2d via @zite # RT @k8em0 This year's #bluehat should be exciting, check out the lineup – http://t.co/Ee1LoHVK # RT @k8em0 #bluehat is on! Andrew Cushman reflects on past and future threats. http://t.co/w0GpjTQC # What do the comments from ISS World(http://t.co/51Z5ULNQ) mean for surveillance law in […]

 

Twitter Updates from Adam, 2011-11-02

RT @ioerror IEEE Global Humanitarian Technology Conference in Seattle http://t.co/VefGa4yy < Looks very exciting, wish I'd known sooner # Follow @ioerror for reporting of Patrick Ball, @alexvans for London Cyber-security event # New blog because my main email is down: "Email chaos: How to reach Adam Shostack" http://t.co/to9lKHKK # RT @GamingPrivacy reflecting on game design […]

 

Email chaos: How to reach Adam Shostack

The servers that host my personal email have been taken offline by a surprise attack by the evil forces of snow and ice, and my email is likely to start bouncing soon. If you need to reach me, you can use nameofthisblog @ google, or first.last @ microsoft. You can also ask me to follow […]

 

Twitter Updates from Adam, 2011-11-01

Short blog: "McWrap Chevre" http://t.co/K1LkXnFU # RT @lorrietweet Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising http://t.co/5DDWfhVd # My personal email server is down because of the snow on the east coast. # RT @STRATFOR If #Anonymous does #OpCartel it will almost certainly lead to deaths for members: […]

 

EFF on HTTPS

The Electronic Frontier Foundation has published a report on the State of HTTPS Security that promises to be the first in a series and is well worth reading on its own. The TL;DR version:  HTTPS adoption is growing rapidly, but the current system, especially the Certificate Authorities, has much room for improvement before it actually […]

 

McWrap Chevre

Normally, I like the overlap of cultures, the boundaries of exploration and what comes from that exploration. But this three-way Frankenstien’s combination of French cheese, wraps (not sure where to attribute those–I think the US version is mostly from burritos, but there’s also Arabic pita wraps) and American is somehow best posted on Halloween:

 

Twitter Updates from Adam, 2011-10-31

RT @alexhutton Seriously? DHS doesn't *do* threat modeling? My rage is like a 1000 TSA exposed to cancer causing back scatter devices. # RT @ACLU FBI issued 143,074 National Security Letters '03-05 & reported 0 terrorism prosecutions as a result. Zilch. http://t.co/JM8FBFyf # RT @EthanZ Background on @alaa's detention for refusal to accept legitimacy of […]

 

Twitter Updates from Adam, 2011-10-30

"Plankytronixx" has a nice blog post on Elevation of Privilege at http://t.co/CFFrWAfF # RT @mattblaze Attention NYPD sign makers: "Just following orders" is not a great slogan. http://t.co/LHBOvQ8f # I'd missed @BillBrenner70 on Security Horror Show http://t.co/5nS0KHOH What can we do to stop the madness? # RT @AudryT Police confirmed: Pepper spray & rubber bullets […]

 
 

Twitter Updates from Adam, 2011-10-28

RT @dgwbirch I'm sure talks will be fun, but am looking forward to playing the new version of "Privacy" the card game http://t.co/PZGcFf9l # I accidentally clicked allow Firefox to share my location. Where the hell is the undo and why isn't it in privacy preferences? # ("Location" doesn't bring up anything in help) # […]

 

Twitter Updates from Adam, 2011-10-27

RT @PogoWasRight Congressman: Secret Report On #TSA Pat Downs, Body Scanner Failures Will “Knock Your Socks Off” http://t.co/pjFmd0Zz # RT @peterhoneyman i fly DTW where they are testing chat down. i opt out and clam up. they get all dour and nasty. # RT @e3i5: Every picture ULed to Facebook is examined for possible matches […]

 

Twitter Updates from Adam, 2011-10-26

RT @georgevhulme RT @msksecurity: The Dark Side Of Biometrics: 9 Million Israelis' Hacked Info Hits The Web http://t.co/817TMklU # Actually, @danphilpott, the best line is "Crews determined the land mines were benign and removed them from the bag." http://t.co/KobPO94k # RT @k8em0 This year's #bluehat should be exciting, check out the lineup – http://t.co/Ee1LoHVK # […]

 

DLNA Servers for the Mac

Very short version: Finding a DLNA player that supported the Mac and my new Oppo player was time consuming. Twonky is ok, but I would like something prettier, more reliable, and reasonably secure. I wanted to blog my experience in case it helps other folks. Also, as I posted this, I came across Ed Bott’s […]

 

Twitter Updates from Adam, 2011-10-25

New School blog: "Maria Klawe on increasing Women in Technology" http://t.co/NDugVafW # RT @Jim_Harper How Much Homeland Security is Enough? Live now at: http://t.co/XtUXmzp1 << Right question is "how much is too much?" 🙂 # RT @TheOnion American Voices: Should bikers have to register their trips with the government? Tell us #whatdoyouthink http://t.co/1NbLi5Rb # RT […]

 

Maria Klawe on increasing Women in Technology

I talk a lot about the importance of data in enabling us to bring the scientific method to bear on information security. There’s a reason for that: more data will let us know the falsehoods, and knowing the falsehoods will set us free. But discovering what claims don’t stand up to scrutiny is a matter […]

 

Some Thoughts on Binary Risk Assessment

Ben Sapiro showed off his Binary Risk Assessment (BRA) at SecTor recently.   While I didn’t see the presentation, I’ve taken some time and reviewed the slides and read through the documentation.  I thought I’d quickly give my thoughts on this: It’s awesome and it sucks. IT’S AWESOME That’s not damning with faint praise, rather, it’s […]

 
 

Sleepless in Seattle?

Reportedly, Seattle police have begun issuing tickets to drivers who honk their horns after 10 PM in support of the Occupy protest there. To the extent that the police are only doing this to those expressing a specific point of view, there seems to be a legitimate issue. I am certain that the police would […]

 

CIA Reveals Identity of Bin Laden Hunter

In the Atlantic Wire, Uri Friedman writes “Did the CIA Do Enough to Protect Bin Laden’s Hunter?” The angle Friedman chose quickly turns to outrage that John Young of Cryptome, paying close attention, was able to figure out from public statements made by the CIA, what the fellow looks like. After you’re done being outraged, […]

 

Twitter Updates from Adam, 2011-10-09

RT @stuxnet420 #twitter oh, yeah, it's on now. I'll see your Stuxnet and raise u a predator with an irc server. 🙂 http://t.co/hKpfDMBt # RT @drunkenpredator Phew. Think I kicked that software virus. Was really messing with my DEAR SIR I HAVE FOR YOU LUCRATIVE PROPOSAL # RT @runasand The CCC has reverse engineered, analyzed […]

 

Some random cloudy thinking

Thanks to the announcement of Apple’s iCloud, I’ve been forced to answer several inquiries about The Cloud this week.  Now, I’m coming out of hiding to subject all of you to some of it… The thing that you must never forget about The Cloud is that once information moves to The Cloud, you’ve inherently ceded […]

 

Twitter Updates from Adam, 2011-10-08

RT @ethicalhack3r @floatingatoll: The UNIX time zone database has been destroyed by its authors due to a legal threat. http://t.co/1zQIKZm8 # RT @radleybalko Unreal. CA appeals court upholds warrantless cell phone searches during traffic stops. http://t.co/KnklNSat # If you haven't seen it, @ErrataRob "Independent reporting of #OccupyWallStreet quot; http://t.co/qDYxPdFx is a long thoughtful engagement # […]

 

Twitter updates

I’ve decided to experiment with pushing my Twitter feed onto the blog. What do you think? For non-Twitter users, the RT means “re-tweet,” amplifying things that others have said and MT means modified tweet, where the RT plus comment don’t quite fit. If someone has php code to resolve t.co URLs into real URLs, that […]

 

Twitter Updates from Adam, 2011-10-07

Sad to say I can find nothing to say beyond thanks, Steve. # Hey @beaker, if you support http://t.co/ObdJFd79 they have Squirrel t-shirts! # I think that @asteingruebl raises some really good questions in http://t.co/nnbdDNBe # Eric Rachner continues to need to sue for accountability from Seattle police & their videos http://t.co/S3fHkcSM # RT @jilliancyork […]

 

Nothing to add

(I saw this here, would appreciate the right attribution.)

 

New School of Information Security Book Reading at Ada's

Last Sunday, I did a book reading at Ada’s Technical Books. As I say in the video, I was excited because while I’ve talked about the New School, and I’ve given talks about the New School, I hadn’t done a book reading, in part because of the nature of the book, and my personal comfort […]

 
 

The Diginotar Tautology Club

I often say that breaches don’t drive companies out of business. Some people are asking me to eat crow because Vasco is closing its subsidiary Diginotar after the subsidiary was severely breached, failed to notify their reliant parties, mislead people when they did, and then allowed perhaps hundreds of thousands of people to fall victim […]

 

Book Reading in Seattle on Sunday

This Sunday I’ll be reading from the New School at 4PM on Sunday at Ada’s Technical Books in Capitol Hill. If you’re in the area, you should come!

 

Lean Startups & the New School

On Friday, I watched Eric Ries talk about his new Lean Startup book, and wanted to talk about how it might relate to security. Ries concieves as startups as businesses operating under conditions of high uncertainty, which includes things you might not think of as startups. In fact, he thinks that startups are everywhere, even […]

 

Emergent Effects of Restrictions on Teenage Drivers

For more than a decade, California and other states have kept their newest teen drivers on a tight leash, restricting the hours when they can get behind the wheel and whom they can bring along as passengers. Public officials were confident that their get-tough policies were saving lives. Now, though, a nationwide analysis of crash […]

 

Diginotar Quantitative Analysis ("Black Tulip")

Following the Diginotar breach, FOX-IT has released analysis and a nifty video showing OCSP requests. As a result, lots of people are quoting a number of “300,000”. Cem Paya has a good analysis of what the OCSP numbers mean, what biases might be introduced at “DigiNotar: surveying the damage with OCSP.” To their credit, FoxIt […]

 

The Rules of Breach Disclosure

There’s an interesting article over at CIO Insight: The disclosure of an email-only data theft may have changed the rules of the game forever. A number of substantial companies may have inadvertently taken legislating out of the hands of the federal and state governments. New industry pressure will be applied going forward for the loss […]

 

California gets a strengthened Breach Notification Law

Governor Brown of California has signed a strengthened breach notification bill, which amends Sections 1798.29 and 1798.82 of the California Civil Code in important ways. Previous versions had been repeatedly vetoed by Arnold Schwarzenegger. As described[.DOC] by its sponsor’s office, this law: Establishes standard, core content — such as the type of information breached, time […]

 

Best autoresponse message

As Brad Feld says, this is the best auto-responder in a long time: I am currently out of the office on vacation. I know I’m supposed to say that I’ll have limited access to email and won’t be able to respond until I return — but that’s not true. My blackberry will be with me […]

 

15 Years of Software Security: Looking Back and Looking Forward

Fifteen years ago, I posted a copy of “Source Code Review Guidelines” to the web. I’d created them for a large bank, because at the time, there was no single document on writing or reviewing for security that was broadly available. (This was a about four years before Michael Howard and Dave LeBlanc published Writing […]

 

Change.

I’ve left Verizon.  A lot of folks have come up to me and asked, so I thought I’d indulge in a rather self-important blog-post and explain something: It wasn’t about Verizon, but about the opportunity I’ve taken. Wade, Chris, Hylender, Marc, Joe, Dave, Dr. Tippett & all the rest – they were all really, really […]

 

Nymwars: Thoughts on Google+

There’s something important happening around Google+. It’s the start of a rebellion against the idea of “government authorized names.” (A lot of folks foolishly allow the other side to name this as “real names,” but a real name is a name someone calls you.) Let’s start with “Why Facebook and Google’s Concept of ‘Real Names’ […]

 

Securosis goes New School

The fine folks at Securosis are starting a blog series on “Fact-based Network Security: Metrics and the Pursuit of Prioritization“, starting in a couple of weeks.  Sounds pretty New School to me!  I suggest that you all check it out and participate in the dialog.  Should be interesting and thought provoking. [Edit — fixed my […]

 

Tap Tap Snarky

From the app store: I hope this doesn’t cause Apple to ban snarky update messages.

 

Worst.Technology.Application.Ever. (?)

It’s occurring to me this morning that in terms of benefit/cost, purely in “damage to society” terms, the decision to put html in emails could be one of the worst ideas in the past 25 years. But that’s just me.  Your thoughts on others in the comments?

 

Emergent Map: Streets of the US

This is really cool. All Streets is a map of the United States made of nothing but roads. A surprisingly accurate map of the country emerges from the chaos of our roads: All Streets consists of 240 million individual road segments. No other features — no outlines, cities, or types of terrain — are marked, […]

 

Is iTunes 10.3.1 a security update?

Dear Apple, In the software update, you tell us that we should see http://support.apple.com/kb/HT1222 for the security content of this update: However, on visiting http://support.apple.com/kb/HT1222, and searching for “10.3”, the phrase doesn’t appear. Does that imply that there’s no security content? Does it mean there is security content but you’re not telling us about it? […]

 

Thoughts on this Independence Day

Emergent Chaos has a long tradition of posting the American Declaration of Independence here to celebrate the holiday. It’s a good document in many ways. It’s still moving, more than two centuries after it was written. It’s clearly written, and many people can learn from its structured approach to presenting a case. And last but […]

 

MySpace sells for $35 Million, Facebook to follow

So MySpace sold for $35 million, which is nice for a startup, and pretty poor for a company on which Rupert Murdoch spent a billion dollars. I think this is the way of centralized social network software. The best of them learn from their predecessors, but inevitably end up overcrowded. Social spaces change. You don’t […]

 

Breach Harm: Should Arizona be required to notify?

Over at the Office of Inadequate Security, Pogo was writing about the Lulzsec hacking of Arizona State Police. Her article is “A breach that crosses the line?” I’ve been blogging for years about the dangers of breaches. I am concerned about dissidents who might be jailed or killed for their political views, abortion doctors whose […]

 

Goodbye, Rinderpest, we're probably better off without you

On Tuesday in a ceremony in Rome, the United Nations is officially declaring that for only the second time in history, a disease has been wiped off the face of the earth. The disease is rinderpest. Everyone has heard of smallpox. Very few have heard of the runner-up. That’s because rinderpest is an epizootic, an […]

 

Sex, Lies & Cybercrime Surveys: Getting to Action

My colleagues Dinei Florencio and Cormac Herley have a new paper out, “Sex, Lies and Cyber-crime Surveys.” Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings. We are not alone in this judgement. Most research teams who have […]

 

Communicating with Executives for more than Lulz

On Friday, I ranted a bit about “Are Lulz our best practice?” The biggest pushback I heard was that management doesn’t listen, or doesn’t make decisions in the best interests of the company. I think there’s a lot going on there, and want to unpack it. First, a quick model of getting executives to do […]

 

Are Lulz our best practice?

Over at Risky.biz, Patrick Grey has an entertaining and thought-provoking article, “Why we secretly love LulzSec:” LulzSec is running around pummelling some of the world’s most powerful organisations into the ground… for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn’t any. And […]

 

How the Epsilon Breach Hurts Consumers

Yesterday, Epsilon and Sony testified before Congress about their recent security troubles. There was a predictable hue and cry that the Epsilon breach didn’t really hurt anyone, and there was no reason for them to have to disclose it. Much of that came from otherwise respectable security experts. Before I go on, let me give […]

 

ThreatPost goes New School

In “It’s Time to Start Sharing Attack Details,” Dennis Fisher says: With not even half of the year gone, 2011 is becoming perhaps the ugliest year on record for major attacks, breaches and incidents. Lockheed Martin, one of the larger suppliers of technology and weapons systems to the federal government, has become the latest high-profile […]

 

Map of Where Tourists Take Pictures

Eric Fischer is doing work on comparing locals and tourists and where they photograph based on big Flickr data. It’s fascinating to try to identify cities from the thumbnails in his “Locals and Tourists” set. (I admit, I got very few right, either from “one at a time” or by looking for cities I know.) […]

 

The Future of Education is Chaotic, Fun and Unevenly Distributed

After I wrote “The future of education is chaotic and fun“, I came across “The Montessori Mafia” about the unusual levels of successfulness that Montessori produces. In my post, I opened discussing how our current system of funding education in the US is to force everything through a government department. That department is constrained by […]

 

The Flying Spaghetti Monster

In honor of rapture day, the Flying Spaghetti Monster has chosen to manifest his tentacly goodness in Stanley Park in Vancouver:

 

Elevation of Privilege news

I wanted to let people know that Microsoft is making the source files for the Elevation of Privilege game available. They are Adobe Illustrator and InDesign files, and are now on the EoP download site. They’re the 85mb of zipped goodness. They can be used under the same Creative Commons Attribution 3.0 US license under […]

 

"Pirate my books, please"

Science fiction author Walter John Williams wants to get his out of print work online so you can read it: To this end, I embarked upon a Cunning Plan. I discovered that my work had been pirated, and was available for free on BitTorrent sites located in the many outlaw server dens of former Marxist […]

 

A Few Data Points

First, for those who might have missed it, Google has released Google Refine, a free tool for cleaning dirty data sets.  It allows you to pull in disparate data, then organize and clean it for consistency. Next, some interesting thoughts on how “anonymized” data sets aren’t, and some thoughts on the implications of this from […]

 

Photoblogging CHI2011

Last week, I had the pleasure of attending the ACM conference on Computer Human Interaction, CHI. As I mentioned in a work blog post, “Adding Usable Security to the SDL,” I’m now focused on usable security issues at work. I’m planning to say more about the conference in a little bit, but for right now, […]

 

Heaven Forbid the New York Times include Atheists

In “Is Your Religion Your Financial Destiny?,” the New York Times presents the following chart of income versus religion: Note that it doesn’t include the non-religious, which one might think an interesting group as a control. Now, you might think that’s because the non-religious aren’t in the data set. But you’d be wrong. In the […]

 

Representative Bono-Mack on the Sony Hack

There’s a very interesting discussion on C-SPAN about the consumer’s right to know about breaches and how the individual is best positioned to decide how to react. “Representative Bono Mack Gives Details on Proposed Data Theft Bill.” I’m glad to see how the debate is maturing, and how no one bothered with some of the […]

 

The future of education is chaotic and fun

Lately, I’ve seen three interesting bits on the future of education, and I wanted to share some thoughts on what they mean. The first is a quickie by Don Boudreaux at Cafe Hayek, titled “Grocery School.” It starts “Suppose that we were supplied with groceries in same way that we are supplied with K-12 education.” […]

 

New York memorials

There’s an excellent column in the old liberal tradition of celebrating liberty in this week’s New Yorker. It’s Memorials by Adam Goptnick, and includes a quote from John Stuart Mill at his rhetorical peak.

 
 

Quick Quotes For Your Morning

From Krugman (commentary is his): “Without metrics, you’re just another guy with an opinion. — Stephan Leschka, Hewlett Packard When I hear words from almost anyone about how their approach is better than some other approach, I think of this quote. And as Daniel Patrick Moynihan said: Every man is entitled to his own opinion, […]

 

Why Do Outsiders Detect Breaches?

So I haven’t had a chance to really digest the new DBIR yet, but one bit jumped out at me: “86% were discovered by a third party.” I’d like to offer up an explanatory story of why might that be, and muse a little on what it might mean for the deployment of intrusion detection […]

 

Data driven pen tests

So I’m listening to the “Larry, Larry, Larry” episode of the Risk Hose podcast, and Alex is talking about data-driven pen tests. I want to posit that pen tests are already empirical. Pen testers know what techniques work for them, and start with those techniques. What we could use are data-driven pen test reports. “We […]

 

VERIS Community Data

Seriously. Interesting.  Go check this out: http://securityblog.verizonbusiness.com/2011/04/12/veris-community-project-update/ Take a look, impact information!

 

Why Do You Write The Way You Do?

Hey Kids, Reader Mark Wallace wrote in a comment to the blog yesterday, and I wanted to answer the comment in an actual blog post. So here goes: — Mark, Thanks for reading! There’s a point where publicly writing forces me to answer a few questions that I’m not ready to make a quick decision […]

 

Happy Yuri's Night!

Today, April 12, 2011 is the 50th Anniversary of Yuri Gagarin’s historic first flight. Why not join a celebration? Invite to the Kremlin event via Xeni Jardin.

 

What is Risk (again)?

The thread “What is Risk?” came up on a linkedin Group. Thought you might enjoy my answer: ———————- Risk != uncertainty (unless you’re a Knightian frequentist, and then you don’t believe in measurement anyway), though if you were to account for risk in an equation, the amount of uncertainty would be a factor. risk != […]

 

What's the PIN, Kenneth?

There’s a story in the New York Times, “To Get In, Push Buttons, or Maybe Swipe a Magnet” which makes interesting allusions to the meaning of fair trade in locks, implied warranties and the need for empiricism in security: In court filings, Kaba argued that it had “never advertised or warranted in any way that […]

 
 

Ahem: The New School is more than Data

In “Why The New School Is Important,” Alex writes: Being New School won’t solve your problems. What a New School mindset will do for you is help you begin to understand what your problems actually are. So without arguing with the rest of Alex’s post, I’m forced to beg to differ. The New School is […]

 

Why The New School Is Important

I participated in another security metrics and risk discussion yesterday (yeah, me talk about metrics & risk –  you don’t say).  As part of this discussion someone echoed a sentiment I’ve been hearing more and more of recently.  A casual acceptance of the logic of metrics and data followed quickly by a dismissive, skeptical statement […]

 

NewSchool Zombies, Moneyball, & Metrics

Hey!   Tomorrow at 1pm ET reg now: @joshcorman & I redux our (in)famous ‘Metrics are Bunk!?’ debate from RSAC 2011: http://bit.ly/i6z1BL              

 

Hey! SourceBoston is going to be CRAZY!

Not crazy like Sammy-Hagar-has-clearly-abused-his-brain-and-its-giving-him-bad-information-to-come-out-of-his-mouth crazy, but crazy like, there-are-so-many-good-talks-you-can’t-possibly-not-get-value-out-of-the-conference crazy. For example, I’ll be talking twice. Once with Dan Geer and Greg Shannon about Prediction Markets in InfoSec.  Then I’ll be giving one of THE FIRST EVER (!) debriefings of the 2011 DBIR (which is going to be crazy like both of the above). I’m […]

 

Microsoft Backs Laws Forbidding Windows Use By Foreigners

According to Groklaw, Microsoft is backing laws that forbid the use of Windows outside of the US. Groklaw doesn’t say that directly. Actually, they pose charmingly with the back of the hand to the forehead, bending backwards dramatically and asking, “ Why Is Microsoft Seeking New State Laws That Allow it to Sue Competitors For […]

 

I'd like some of that advertising action

Several weeks back, I was listening to the Technometria podcast on “Personal Data Ecosystems,” and they talked a lot about putting the consumer in the center of various markets. I wrote this post then, and held off posting it in light of the tragic events in Japan. One element of this is the “VRM” or […]

 

Sedgwick, Maine versus the Feds

“Maine Town Declares Food Sovereignty, Nullifies Conflicting Laws.” So reads the headline at the 10th Amendment center blog: The Maine town of Sedgwick took an interesting step that brings a new dynamic to the movement to maintain sovereignty: Town-level nullification. Last Friday, the town passed a proposed ordinance that would empower the local level to […]

 

Back to You, Rob!

Rob is apparently confused about what risk management means. I tried to leave this as a comment, but apparently there are limitations in commenting.  So here go:   Rob, Nowhere did I imply you were a bad pen tester.  I just said that you should have a salient view of failure in complex systems (which […]

 

Actually It *IS* Too Early For Fukushima Hindsight

OR – RISK ANALYSIS POST-INCIDENT, HOW TO DO IT RIGHT Rob Graham called me out on something I retweeted here (seriously, who calls someone out on a retweet?  Who does that?): http://erratasec.blogspot.com/2011/03/fukushima-too-soon-for-hindsight.html And that’s cool, I’m a big boy, I can take it.  And Twitter doesn’t really give you a means to explain why you […]

 

What does Coviello's RSA breach letter mean?

After spending a while crowing about the ChoicePoint breach, I decided that laughing about breaches doesn’t help us as much as analyzing them. In the wake of RSA’s recent breach, we should give them time to figure out what happened, and look forward to them fulfilling their commitment to share their experiences. Right now we […]

 

Questions about a Libyan no-fly zone

With the crisis in Japan, attention to the plight of those trying to remove Colonel Kaddafi from power in Libya has waned, but there are still calls, including ones from the Arab League, to impose a no-fly zone. Such a zone would “even the fight” between the rebels and Kaddafi’s forces. There are strong calls […]

 

Copyrighted Science

In “Shaking Down Science,” Matt Blaze takes issue with academic copyright policies. This is something I’ve been meaning to write about since Elsevier, a “reputable scientific publisher,” was caught publishing a full line of fake journals. Matt concludes: So from now on, I’m adopting my own copyright policies. In a perfect world, I’d simply refuse […]

 

SIRA Meeting! THURSDAY

THURSDAY, THURSDAY, THURSDAY!!!!!!! Hi everyone! SIRA’s March monthly webinar is this Thursday, March 10th from 12-1 PM EST. We are excited to have Mr. Nicholas Percoco, Head of SpiderLabs at Trustwave, talk to us about the 2011 Trustwave Global Security Report. Block off your calendars now! Hello , Alexander Hutton invites you to attend this […]

 

Fear, Information Security, and a TED Talk

In watching this TEDMed talk by Thomas Goetz, I was struck by what a great lesson it holds for information security. You should watch at least the first 7 minutes or so. (The next 9 minutes are interesting, but less instructive for information security.) The key lesson that I’d like you to take from this […]

 

Measurement Priorities

Seth Godin asks an excellent question: Is something important because you measure it, or is it measured because it’s important? I find that we tend to measure what we can, rather than working toward being able to measure what we should, in large part because some variation of this question is not asked. I’m going […]

 

Fixes to Wysopal’s Application Security Debt Metric

In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”.  I like the general idea, but I have found some problems in his method.  In this post, I suggest corrections that will be both more credible and more accurate, at least for half of the […]

 
 

Unmeddle Housing More

Last month, I wrote: But after 50 years of meddling in the market, reducing the support for housing is going to be exceptionally complex and chaotic. And the chaos isn’t going to be evenly distributed. It’s going to be a matter of long, complex laws whose outcomes are carefully and secretly influenced. Groups who aren’t […]

 

Best Practices for the Lulz

The New School blog will shortly be publishing a stunning expose of Anonymous, and before we do, we’re looking for security advice we should follow to ensure our cloud-hosted blog platform isn’t pwned out the wazoo. So, where’s the checklist of all best practices we should be following? What’s that you say? There isn’t a […]

 

Is Norton Cybercrime Index just 'Security Metrics Theater'?

Symantec’s new Norton Cybercrime Index looks like it is mostly a marketing tool. They present it as though there is solid science, data, and methods behind it, but an initial analysis shows that this is probably not the case. The only way to have confidence in this is if Symantec opens up about their algorthms and data.

 

Police Officers should be able to speak out

I got this in email and wanted to amplify it: Law Enforcement Against Prohibition prides itself on the willingness of our members to stand up and take action against drug prohibition. Last fall, LEAP member Joe Miller did exactly that. A California police officer for eight years before taking a position as a deputy probation […]

 

SIRA Meeting Today at Noon EST! >> RICH MOGULL

HEY Y’ALL @securosis’ own @rmogull for today’s “al desco” SIRA meeting.  Details, details: SIRA’s February monthly online meeting is TODAY; February 10th from 12-1 PM EST. We are excited to have Mr. Rich Mogull from Securosis talk to us with a behind-the-scene look at Securosis’ “2010 Data Security Survey”. Block off your calendars now! The […]

 

Would a CISO benefit from an MBA education?

If a CISO is expected to be an executive officer (esp. for a large, complex technology- or information-centered organization), then he/she will need the MBA-level knowledge and skill. MBA is one path to getting those skills, at least if you are thoughtful and selective about the school you choose. Other paths are available, so it’s not just about an MBA credential.

Otherwise, if a CISO is essentially the Most Senior Information Security Manager, then MBA education wouldn’t be of much value.

 

Elevation of Privilege (Web Edition) Question

Someone wrote to me to ask: A few cards are not straightforward to apply to a webapp situation (some seem assume a proprietary client) – do you recommend discarding them or perhaps you thought of a way to rephrase them somehow? For example: “An attacker can make a client unavailable or unusable but the problem […]

 

What should a printer print?

Over at their blog, i.Materialise (a 3D printing shop) brags about not taking an order. The post is “ATTENTION: ATM skimming device.” It opens: There is no doubt that 3D printing is a versatile tool for materializing your 3D ideas. Unfortunately, those who wish to break the law can also try to use our technology. […]

 

Infosec's Flu

In “Close Look at a Flu Outbreak Upends Some Common Wisdom,” Nicholas Bakalar writes: If you or your child came down with influenza during the H1N1, or swine flu, outbreak in 2009, it may not have happened the way you thought it did. A new study of a 2009 epidemic at a school in Pennsylvania […]

 
 

Egypt and Information Security

Yesterday, I said on Twitter that “If you work in information security, what’s happening in Egypt is a trove of metaphors and lessons for your work. Please pay attention.” My goal is not to say that what’s happening in Egypt is about information security, but rather to say that we can be both professional and […]

 

Self Promotion: A Little Interview about Alex @ RSA

Self Promotion time, sorry for the spam, but I think the stuff I’ll be participating in at RSA is pretty NewSchool.  Here’s an interview that talks about both of the things I’ll be doing and you can see if they’ll be interesting: http://itacidentityblog.com/rsa-podcast-alex-hutton-principal-in-research-and-risk-intelligence-verizon-business

 

Mubarak and TSA agree: No advantage to them leaving

In “TSA shuts door on private airport screening program,” CNN reports that “TSA chief John Pistole said Friday he has decided not to expand the program beyond the current 16 airports, saying he does not see any advantage to it.” The advantage, of course, is that it generates pressure on his agency to do better. […]

 

Another critique of Ponemon's method for estimating 'cost of data breach'

I have fundamental objections to Ponemon’s methods used to estimate ‘indirect costs’ due to lost customers (‘abnormal churn’) and the cost of replacing them (‘customer acquisition costs’). These include sloppy use of terminology, mixing accounting and economic costs, and omitting the most serious cost categories.

 

A critique of Ponemon Institute methodology for "churn"

Both Dissent and George Hulme took issue with my post Thursday, and pointed to the Ponemon U.S. Cost of a Data Breach Study, which says: Average abnormal churn rates across all incidents in the study were slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009), which was measured by […]

 

Requests for a proof of non-existence

So before I respond to some of the questions that my “A day of reckoning” post raises, let me say a few things. First, proving that a breach has no impact on brand is impossible, in the same way that proving the non-existence of god or black swans is impossible. It will always be possible […]

 

Gunnar on Heartland

Analysis of Heartland’s business as a going concern by @oneraindrop. Especially interesting after comments on the CMO video.

 

A Day of Reckoning is Coming

Over at The CMO Site, Terry Sweeney explains that “Hacker Attacks Won’t Hurt Your Company Brand.” Take a couple of minutes to watch this. Let me call your attention to this as a turning point for a trend. Those of us in the New School have been saying this for several years, but the idea […]

 

A few thoughts on chaos in Tunisia

The people of Tunisia have long been living under an oppressive dictator who’s an ally of the US in our ‘war on terror.’ Yesterday, after substantial loss of life, street protests drove the dictator to abdicate. There’s lots of silly technologists claiming it was twitter. A slightly more nuanced comment is in “Sans URL” Others, […]

 

I have a dream

It’s MLK Day. Here’s a pdf of the speech. Or watch it online:

 

Gunnar's Flat Tax: An Alternative to Prescriptive Compliance?

Hey everybody! I was just reading Gunnar Peterson’s fun little back of the napkin security spending exercise, in which he references his post on a security budget “flat tax” (Three Steps To A Rational Security Budget).  This got me to thinking a bit  – What if, instead of in the world of compliance where we […]

 

Dashboards are Dumb

The visual metaphor of a dashboard is a dumb idea for management-oriented information security metrics. It doesn’t fit the use cases and therefore doesn’t support effective user action based on the information. Dashboards work when the user has proportional controllers or switches that correspond to each of the ‘meters’ and the user can observe the effect of using those controllers and switches in real time by observing the ‘meters’. Dashboards don’t work when there is a loose or ambiguous connection between the information conveyed in the ‘meters’ and the actions that users might take. Other visual metaphors should work better.

 

Unmeddling Housing

For a great many years, US taxpayers have been able to deduct interest paid on a home mortgage from their taxes. That made owning property cost roughly 20% less than it otherwise would have (estimating a 25% tax rate on interest on 80% of a property). So everyone could afford 20% “more” house, which meant […]

 

Referencing Insiders is a Best Practice

You might argue that insiders are dangerous. They’re dangerous because they’re authorized to do things, and so monitoring throws up a great many false positives, and raises privacy concerns. (As if anyone cared about those.) And everyone in information security loves to point to insiders as the ultimate threat. I’m tempted to claim this as […]

 

TSA News Roundup

Event: The Carnegie Institute for Science will be hosting “The Stripping of Freedom: A Careful Scan of TSA Security Procedures” Outrage: “SFO pilot exposes airport security flaws.” Apparently, pilots allowed to carry guns give up their free speech rights “causes the loss of public confidence in TSA…” (does anyone have a copy of the letter?) […]

 

CRISC – The Bottom Line (oh yeah, Happy New Year!)

No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments.  Unfortunately, I’m not a very good writer because the majority of readers miss the point.  Let me try again more succinctly: Just because you can codify a standard or practice doesn’t mean that this practice is sane. […]

 

So cute!

There’s just something about skinny girls in pouffy skirts…and stormtrooper helmets. More at http://redandjonny.tumblr.com/

 

Bureaucracy in inaction

Back in September, a group of Czech artists called EPOS 257 camouflaged themselves as city-workers, went to the Palackeho square in Prague and installed a fence. The fence was left on the square with no apparent intent or explanation. At first, the city council didn’t know about it, and when there were told, they didn’t […]

 

Emergent Chaos has TSA "trolls," too

Over at We Won’t Fly, George Donnelly writes: I was about to delete an offensive comment on this blog – one of the very few we get – and thought, hmm, I wonder where this guy is posting from? Because, really, it is quite unusual for us to get nasty comments. Lo and behold, the […]

 

The Only Trust Models You'll Ever Need

Lately there has been quite a bit of noise about the concept of “trust” in information security.  This has always confused me, because I tend towards @bobblakley when he says: “trust is for suckers.” But security is keen on having trendy new memes, things to sell you, and I thought that I might as well […]

 

TSA News roundup

Act: Get this 2-page Passenger’s Rights Sheet: http://saizai.com/tsa_rights.pdf Outrage: “Gaping Holes in Airline Security: Loaded Gun Slips Past TSA Screeners” (Matthew Mosk, Angela Hill and Timothy Fleming, ABC News) “TSA + Police + JetBlue Conspire Against Peaceful Individual at JFK” (George Donnelly, WeWontFly.org) “TSA Lies Again Over Capture, Storage Of Body Scanner Images” (Steve Watson, […]

 

The Emergent Chaos of Facebook relationships

This is a fascinating visualization of 10MM Facebook Friends™ as described in Visualizing Friendships by Paul Butler. A couple of things jump out at me in this emergent look at geography. The first is that Canada is a figment of our imaginations. Sorry to my Canadian friends (at least the anglophones!) The second is that […]

 

Managing WordPress: How to stay informed?

We at the New School blog use WordPress with some plugins. Recently, Alex brought up the question of how we manage to stay up to date. It doesn’t seem that WordPress has a security announcements list, nor do any of our plugins. So I asked Twitter “What’s the best way to track security updates for […]

 

Armoring the Bombers that Came Back

Paul Kedrosky writes: Most of us have heard the story of armoring British bombers, as it’s too good not to share, not to mention being straight from the David Brent school of management motivation. Here is the Wikipedia version: Bomber Command’s Operational Research Section (BC-ORS), analysed a report of a survey carried out by RAF […]

 

Nate Silver in the NYT: A Bayesian Look at Assange

From The Fine Article: Under these circumstances, then, it becomes more likely that the charges are indeed weak (or false) ones made to seem as though they are strong. Conversely, if there were no political motivation, then the merits of the charges would be more closely related to authorities’ zealousness in pursing them, and we […]

 

Can't measure love

But you can still evaluate the quality of the effort Likewise, there’s a lot that you can’t measure about security and risk, but you can still infer something from how the effort is pursued.

 

TSA News roundup

Intrusiveness and outrage: “Homeland Security Is Also Monitoring Your Tweets” “‘Baywatch’ Beauty Feels Overexposed After TSA Scan” (David Moye, AOLnews) “the agent responded, ‘Because you caught my eye, and they’ — pointing to the other passengers — ‘didn’t.’” “POLICE STATE – TSA, Homeland Security & Tampa Police Set Up Nazi Checkpoints At Bus Stations ” […]

 

"Proof" that E-Passports Lead to ID Theft

A couple of things caught Stuart Schechter’s eye about the spam to which this image was attached, but what jumped out at me was the name on the criminal’s passport: Frank Moss, former deputy assistant secretary of state for passport services, now of Identity Matters, LLC. And poor Frank was working so hard to claim […]

 

Lazy Sunday, Lazy Linking

Hey, remember when blogging was new and people would sometimes post links instead of making “the $variable Daily” out of tweets?  Well even though I’m newschool with the security doesn’t mean I can’t kick it oldschool every so often.  So here are some links I thought you might enjoy, probably worth discussion and review even […]

 

The TSA’s Approach to Threat Modeling

“I understand people’s frustrations, and what I’ve said to the TSA is that you have to constantly refine and measure whether what we’re doing is the only way to assure the American people’s safety. And you also have to think through are there other ways of doing it that are less intrusive,” Obama said. “But […]

 

The 1st Software And Usable Security Aligned for Good Engineering (SAUSAGE) Workshop

National Institute of Standards and Technology Gaithersburg, MD USA April 5-6, 2011 Call for Participation The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant […]

 

The 1st Software And Usable Security Aligned for Good Engineering (SAUSAGE) Workshop

National Institute of Standards and Technology Gaithersburg, MD USA April 5-6, 2011 Call for Participation The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant […]

 

District 9

I really enjoyed District 9. Thought I understood some of it. But that was before I read “becoming the alien: apartheid, racism and district 9” by Andries du Toit. Now I need to watch the movie again.

 

Estimating spammer's technical capabilities and pathways of innovation

I’d like some feedback on my data analysis, below, from anyone who is an expert on spam or anti-spam technologies. I’ve analyzed data from John Graham-Cumming’s “Spammers’ Compendium” to estimate the technical capabilities of spammers and the evolution path of innovations.

 

Repeal Day Rant

Rachel Tayse over at Hounds In The Kitchen, has an awesome Repeal Day Rant on why repeal day isn’t as good as it sounds. Yet again I feel a lot less free.

 
 

Risk & Metrics Interview over Twitter Today at 3pm EST

HEY! – At 3pm today Alex (@alexhutton) will be doing an interview over the twitters with Dark Reading’s (@DarkReading) Kelly Jackson Higgins  (@kjhiggins). Follow along with the hashtag #verizonDR! We’ll be talking risk, metrics, data, – you know, the new school-y stuff.

 

"Towards Better Usability, Security and Privacy of Information Technology"

“Towards Better Usability, Security and Privacy of Information Technology” is a great survey of the state of usable security and privacy: Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can help avoid the inadvertent (or even deliberate) undermining of security by users. Indeed, without sufficient […]

 

Grope-a-thon: Today's TSA roundup

Outrage “Adam Savage: TSA saw my junk, missed 12″ razor blades” (Ben Kuchera, Ars Technica with video) “DHS & TSA: Making a list, checking it twice” (Doug Hadmann, Canada Free Press) claims that DHS has an internal memo calling those 59% of Americans who oppose pat downs “domestic extremists.” No copies of the memo have […]

 

What is Information Security: New School Primer

Recently, I’ve heard some bits and pieces about how Information Security (InfoSec) can be “threat-centric” or “vulnerability-centric”.  This stuck me funny for a number of reasons, mainly  it showed a basic bias towards what InfoSec *is*.  And to me, InfoSec is too complex to be described as “threat-centric” or “vulnerability-centric” and yet still simple enough […]

 

Israeli Draft, Facebook and Privacy

A senior officer said they had found examples of young women who had declared themselves exempt posting photographs of themselves on Facebook in immodest clothing, or eating in non-kosher restaurants. Others were caught by responding to party invitations on Friday nights – the Jewish Sabbath. (“Israeli army uses Facebook to expose draft dodgers,” Wyre Davies, […]

 
 

Happy Birthday, Stan

“baseball’s rich in wonderful statistics, but it’s hard to find one more beautiful than Stan Musial’s hitting record.” – George Will “When you first hear about this guy, you say, ‘it can’t be true.’ When you first meet him you say, ‘It must be an act.’ But as you watch him and watch him and […]

 

News Round Up: New blog edition

I’ll be contributing to a new group blog, “I will opt out“. I think that concentrating and combining resources will help the people who care find all the news they want. My first post is at “More news from around the web”

 

Animals and Engineers

It’s been hard to miss the story on cat tongues (“For Cats, a Big Gulp With a Touch of the Tongue:)” Writing in the Thursday issue of Science, the four engineers report that the cat’s lapping method depends on its instinctive ability to calculate the balance between opposing gravitational and inertial forces. …After calculating things […]

 

Games and The New School

On my work (“Microsoft Security Development Lifecycle”) blog, I’ve posted “Make Your Own Game! (My BlueHat lightning talk).”

 

Grope up: Enough is Enough edition

Analysis: “‘Strip-or-Grope’ vs. Risk Management” Jim Harper, Cato@Liberty blog. Really solid thinking, although I usually don’t like asset-centric approaches, I think that for the physical world they make more sense than they do in software threat modeling. TSA more likely to kill you than a terrorist. thread at Flyertalk (thanks Doug!) “Has Airport Security Gone […]

 

Daily Grope Up

Outrage: Transcript: Senate hearing on TSA, full-body scanners (yesterday, not one Senator cared.) Today’s hearing: http://www.c-span.org/Watch/C-SPAN3.aspx TSA Success Story (You can win in line.) If someone had done that to me at a nightclub I’d call the cops. Violated Traveling with scars Search this one for “pump” to learn about a diabetic’s experience. What would […]

 

You are being tracked

In this instance, it’s for science, helping a friend do some work on analyzing web traffic. If you don’t like it, please install software that blocks these 1 pixel images from tracking you. Edit: removed the web bug

 

Visualization for Gunnar's "Heartland Revisited"

You may have heard me say in the past that one of the more interesting aspects of security breaches, for me at least, is the concept of reputation damage.  Maybe that’s because I heard so many sales tactics tied to defacement in the 90’s, maybe because it’s so hard to actually quantify brand equity and […]

 

It's time to call your Senator!

There’s no news roundup today, the stories are flying, unlike people, who are sick and tired of the indignities, the nudeatrons and the groping. If you want to see them, you can follow me on twitter or National Opt Out day Tomorrow, there’s a Transportation Security Administration Oversight Hearing whose only witness is TSA Administrator […]

 

Daily Grope-Up: The Groping Will Continue Until You Drive Edition

“‘Naked’ scanners at U.S. airports may be dangerous: scientists” (National Post) The head of the X-ray lab at Johns Hopkins says “statistically, someone is going to get skin cancer from these X-rays.” “DHS chief tells pilot, tourism reps scans and patdowns will continue ” (Infowars.com) includes link to a CNN story “Growing backlash against TSA […]

 

VERIS Community Incident Reporting

PEOPLE OF EARTH – The VERIS Community Application is out: Announcement here:  http://bit.ly/cDAUhy  Website here:  http://bit.ly/9dZwEJ  From Wade’s announcement: If the VERIS framework describes what information should be shared, the VERIS application provides how to actually share it. Anyone wishing to classify and report an incident can do so responsibly and anonymously using the application. In taking […]

 

Today's TSA news grope-up

“Terror chief tries to board plane with banned liquids” (Mirror, UK) Obviously, the UK needs to get with the TSA program and exempt Ministers from search. Flight attendants union upset over new pat-down procedures “Airport security reaches new levels of absurdity” (Salon’s Ask the Pilot blog) “Know Your Options at the Airport” (ACLU of Massachusetts) […]

 

Facebook and "your" photos

Facebook Changes Photo Memories to No Longer Show Your Ex-Boyfriends or Ex-Girlfriends: In response to numerous complaints, Facebook has changed its Photo Memories sidebar module to no longer display friends who a user was formally listed as in a relationship with. [Sic] But it’s not just about selective remembering because “Your Memories Will Be Rewritten.” […]

 

Flaw Of Averages – Society of Information Risk Analysts Meeting

Another friendly reminder: Alexander Hutton invites you to attend this online meeting. Topic: RISK ANALYST MEETING Date: Thursday, November 11, 2010 Time: 12:00 pm, Eastern Standard Time (New York, GMT-05:00) Meeting Number: 749 697 377 Meeting Password: riskisswell ——————————————————- To join the online meeting (Now from iPhones and other Smartphones too!) ——————————————————- 1. Go to […]

 

Ambrose Bierce Punks Richard Feynman

Via Boing Boing, where Maggie Koerth-Baker gave a delightful pointer to this film of Feynman explaining for seven-and-a-half minutes why he can’t really explain why magnets repel each other. Or attract, either. And trumping him in time and space, Bierce gave us this in 1906: MAGNET, n. Something acted upon by magnetism. MAGNETISM, n. Something […]

 

TSA Body Scanning is COMPLETELY SAFE… unless

Body scanners that the TSA is basically encouraging use of by threatening to otherwise grope, fondle, or molest you or your children are basically perfectly safe.  Well, unless you happen to be any one of the following: a woman at risk to breast cancer a pregnant woman an immunocompromised individual (HIV and cancer patients) a […]

 

SIRA Meeting Thursday – Flaw Of Averages

Hey everyone.  The Society of Information Risk Analysts (SIRA) would like to invite you to our November meeting this Thursday at 12 noon EST. Here’s a link to a meeting invite: http://bit.ly/d7IHn7 This month, we’ll have Sam Savage, author of the excellent book, The Flaw Of Averages join us.  He’ll be talking about the book […]

 

UC San Francisco Faculty on Nudatrons

A number of faculty at UCSF have a letter to John Holdren, the President’s advisor on science and technology. There’s a related story on NPR.org, but I’d missed the letter. It appears the concerns of 3 members of the National Academy of Sciences have been completely ignored.

 
 

Note on Design of Monitoring Systems

Dissent reports “State Department official admits looking at passport files for more than 500 celebrities.” A passport specialist curious about celebrities has admitted she looked into the confidential files of more than 500 famous Americans without authorization. This got me thinking: how does someone peep at 500 files before anyone notices? What’s wrong with the […]

 

Be celebratory, be very celebratory

A reminder for those of you who haven’t read or watched “V for Vendetta” one time too many, it’s Guy Fawkes Day today: The plan was to blow up the House of Lords during the State Opening of Parliament on 5 November 1605… …Fawkes, who had 10 years of military experience fighting in the Spanish Netherlands in […]

 

Cloudiots on Parade

UPDATE: Should have known Chris Hoff would have been all over this already. From the Twitter Conversation I missed last night: Chris, I award you an honorary NewSchool diploma for that one. ——————————————————————————- From:  Amazon Says Cloud Beats Data Center Security where Steve Riley says, “in no uncertain terms: it’s more secure there than in […]

 

TSA Body Scanners News: Why show ID edition

First, a quick news roundup: EPIC is suing DHS for improper rulemaking, violations of the fouth ammendment, the privacy act, the religious freedom restoration act, and the video voyerism prevention act. The ACLU has a news roundup and a form to report on TSA behavior. The Airline Pilots Association advises pilots to show resistance. So […]

 

Turning off the lights: Chaos Emerges.

See what happened when Portishead, England turned off their traffic lights in September 2009 in this video. And don’t miss “Portishead traffic lights set to stay out after trial” in the Bristol Evening Post.

 
 

TSA: Let us Take Nekkid Pics of You Or You Get "Bad Touch"

Apparently, the TSA is now protecting us so well that they make women cry by touching them inappropriately. According to (CNN Employee Rosemary) Fitzpatrick, a female screener ran her hands around her breasts, over her stomach, buttocks and her inner thighs, and briefly touched her crotch. “I felt helpless, I felt violated, and I felt […]

 

"My little piece of privacy"

Very entertaining video: I love it because curtains are privacy people will pay for, but even more, because, ironically for a privacy-enhancing technology, it generates more attention than not using it.

 

It's not TSA's fault

October 18th’s bad news for the TSA includes a pilot declining the choice between aggressive frisking and a nudatron. He blogs about it in “Well, today was the day:” On the other side I was stopped by another agent and informed that because I had “opted out” of AIT screening, I would have to go […]

 

Collective Smarts: Diversity Emerges

Researchers in the United States have found that putting individual geniuses together into a team doesn’t add up to one intelligent whole. Instead, they found, group intelligence is linked to social skills, taking turns, and the proportion of women in the group. […] “We didn’t expect that the proportion of women would be a significant […]

 

A Letter from Sid CRISC – ious

In the comments to “Why I Don’t Like CRISC” where I challenge ISACA to show us in valid scale and in publicly available models, the risk reduction of COBIT adoption, reader Sid starts to get it, but then kinda devolves into a defense of COBIT or something.  But it’s a great comment, and I wanted […]

 

Seriously? Are We Still Doing this Crap? (RANT MODE = 1)

These days I’m giving a DBIR presentation that highlights the fact that SQLi is 10 years old, and yet is still one of the favorite vectors for data breaches. And while CISO’s love it when I bring this fact up in front of their dev. teams, in all deference to software developers and any ignorance […]

 

Re-architecting the internet?

Information Security.com reports that: [Richard Clarke] controversially declared “that spending more money on technology like anti-virus and IPS is not going to stop us losing cyber-command. Instead, we need to re-architect our networks to create a fortress. Let’s spend money on research to create a whole new architecture, which will cost just a fraction of […]

 

Another personal data invariant that varies

Just about anything a database might store about a person can change. People’s birthdays change (often because they’re incorrectly reported or recorded). People’s gender can change. One thing I thought didn’t change was blood type, but David Molnar pointed out to me that I’m wrong: Donors for allogeneic stem-cell transplantation are selected based on their […]

 

Money is information coined

In the general case, you are not anonymous on the interweb, but economically-anonymous, which I propose to label “enonymous”, and that’s not the same thing at all. If you threaten to kill the President, you will be tracked down, and the state will spend the money it takes on it. But if you call Lily […]

 

Call for Questions: 451 & Verizon DBIR Webinar

Hey everyone. I wanted to mention that Josh Corman of the 451 Group has graciously decided to make a webinar with me on the Data Breach Investigations Report , and has even made the webinar open to the public. So as such, Josh is collecting questions ahead of time.  If you want to submit some […]

 

Java Security & Criminals

Brian Krebs has an interesting article on “Java: A Gift to Exploit Pack Makers.” What makes it interesting is that since information security professionals share data so well, Brian was able to go to the top IDS makers and get practical advice on what really works to secure a system. Sorry, dreaming there for a […]

 

Society Of Information Risk Analysts (SIRA) Meeting Thursday!

HEY! SIRA Meeting on Thursday – click here for a calendar invite/reminder thingy/.ics file -> http://bit.ly/b5RKl9 In long format: Topic: SIRA RISK OCT – SANS! Date: Thursday, October 14, 2010 Time: 10:30 am, Eastern Daylight Time (New York, GMT-04:00) Meeting Number: 745 433 825 Meeting Password: sira ——————————————————- To join the online meeting (Now from […]

 

Lessons from HHS Breach Data

PHIPrivacy asks “do the HHS breach reports offer any surprises?” It’s now been a full year since the new breach reporting requirements went into effect for HIPAA-covered entities. Although I’ve regularly updated this blog with new incidents revealed on HHS’s web site, it might be useful to look at some statistics for the first year’s […]

 
 
 

Free Hossein Derakhshan

Apparently, the Iranian Government has sentenced Hossein “Hoder” Derakhshan to 19.5 years in jail for “collaborating with enemy states, creating propaganda against the Islamic regime, insulting religious sanctity, and creating propaganda for anti-revolutionary groups.” If you think putting bloggers or journalists in jail is wrong, please, please take a moment to sign the petition to […]

 

Wrong bra, no bra: Jail bars lawyer

Via the Miami Herald: An underwire bra stopped a Miami attorney from seeing her client held at the Miami Federal Detention Center, setting off controversy over the inmate facility’s dress code. The issue here isn’t so much the dress code (though it is problematic) but inconsistent enforcement of previously agreed upon rules. It’s hard to […]

 

Saturn's Moon Enceladus

NASA claims that: At least four distinct plumes of water ice spew out from the south polar region of Saturn’s moon Enceladus in this dramatically illuminated image. Light reflected off Saturn is illuminating the surface of the moon while the sun, almost directly behind Enceladus, is backlighting the plumes. See Bursting at the Seams to […]

 

Fines or Reporting?

Over at the Office of Inadequate Security, Dissent does excellent work digging into several perspectives on Discover Card breaches: Discover’s reports, and the (apparent) silence of breached entities. I’m concerned that for many of the breaches they report, we have never seen breach reports filed by the entities themselves nor media reports on the incidents. […]

 
 

ID theft, its Aftermath and Debix AfterCare

In the past, I’ve been opposed to calling impersonation frauds “identity theft.” I’ve wondered why the term impersonation isn’t good enough. As anyone who’s read the ID Theft Resource Center’s ‘ID Theft Aftermath’ reports (2009 report) knows that a lot of the problem with longterm impersonation problems is the psychological impact of disassociation from your […]

 

Airplane Crashes Fall Because Experts Pontificate

The New York Times has a story, “Fatal Crashes of Airplanes Decline 65% Over 10 Years:” …part of the explanation certainly lies in the payoff from sustained efforts by American and many foreign airlines to identify and eliminate small problems that are common precursors to accidents. If only we did the same for security. This […]

 

Book review: "The Human Contribution"

James Reason’s entire career was full of mistakes. Most of them were other people’s. And while we all feel that way, in his case, it was really true. As a professor of psychology, he made a career of studying human errors and how to prevent them. He has a list of awards that’s a full […]

 

6502 Visual Simulator

In 6502 visual simulator, Bunnie Huang writes: It makes my head spin to think that the CPU from the first real computer I used, the Apple II, is now simulateable at the mask level as a browser plug-in. Nothing to install, and it’s Open-licensed. How far we have come…a little more than a decade ago, […]

 
 

Fair Warning: I haven't read this report, but…

@pogowasright pointed to “HOW many patient privacy breaches per month?:” As regular readers know, I tend to avoid blogging about commercial products and am leery about reporting results from studies that might be self-serving, but a new paper from FairWarning has some data that I think are worth mentioning here. In their report, they provide […]

 

Fake voting cards in Afghanistan?

NPR is talking about fraudulent ID cards and people voting multiple times. What happened to the purple ink solution? How did we end up exporting bad thinking about security to Afghanistan?

 
 

Use crypto. Not too confusing. Mostly asymmetric.

A little ways back, Gunnar Peterson said “passwords are like hamburgers, taste great but kill us in long run wean off password now or colonoscopy later.” I responded: “Use crypto. Not too confusing. Mostly asymmetric.” I’d like to expand on that a little. Not quite so much as Michael Pollan, but a little. The first […]

 

Don't fight the zeitgeist, CRISC Edition

Some guy recently posted a strangely self-defeating link/troll/flame in an attempt to (I think) argue with Alex and/or myself regarding the relevance or lack thereof of ISACA’s CRISC certification.  Now given that I think he might have been doing it to drive traffic to his CRISC training site, I won’t show him any link love […]

 

Dear CloudTards: "Securing" The Cloud isn't the problem…

@GeorgeResse pointed out this article http://www.infoworld.com/d/cloud-computing/five-facts-every-cloud-computing-pro-should-know-174 from @DavidLinthicum today.  And from a Cloud advocate point of view I like four of the assertions.  But his point about Cloud Security is off: “While many are pushing back on cloud computing due to security concerns, cloud computing is, in fact, as safe as or better than most […]

 

Michael Healey: Pay Attention (Piling On)

Richard Bejtlich has a post responding to an InformationWeek article written by Michael Healey, ostensibly about end user security.  Richard  upbraids Michael for writing the following: Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky… Are we really less secure than we were […]

 

Friday WTF?

CSO Online has an article based on an unlinked Forrester study that claims: The survey of 2,803 IT decision-makers worldwide found improving business continuity and disaster recovery capabilities is the number one priority for small and medium businesses and the second highest priority for enterprises. (emphasis mine). The WTF Pie Chart Says:

 

Dear AT&T

You never cease to amaze me with your specialness. You’ve defined a way to send MMS on a network you own, with message content you control, and there’s no way to see the full message: In particular, I can’t see the password that I need to see the message.

 

SOIRA Presentation/Meeting TOMORROW, 10:30 EST!

Hey everyone! Pete Lindstrom will be giving us his “Risk 2.0” presentation tomorrow via webex at 10:30 EST. I’ve seen the deck, and it will be a great preso. Topic: Risk Analysis Date: Thursday, September 9, 2010 Time: 10:30 am, Eastern Daylight Time (New York, GMT-04:00) Meeting Number: 748 861 569 Meeting Password: risk?whatrisk? ——————————————————- […]

 

Data breach fines will prolong the rot

The UK’s Financial Services Authority has imposed a £2.28 million fine for losing a disk containing the information about 46,000 customers. (Who was fined is besides the point here.) I agree heartily with John Dunn’s “Data breach fines will not stop the rot,” but I’d like to go further: Data breach fines will prolong the […]

 

The lumbering ogre of Enterprise Governance is no replacement for real Quality Management.

Gideon Rasmussen, CISSP, CISA, CISM, CIPP, writes in his latest blog post (http://www.gideonrasmussen.com/article-22.html) about the BP Oil spill and operational risk, and the damages the spill is causing BP.  Ignoring the hindsight bias of the article here… “This oil spill is a classic example of a black swan (events with the potential for severe impact […]

 

Saturday Corn Baking

Well, following on Arthur’s post on baking bread, I wanted to follow up with “how to bake corn:” Please go read “Baked Buttered Corn” A way to bring some happiness to the end of summer is to take this corn and simply bake it with butter. It’s fabulous. The starchy corn juices create a virtual […]

 

Friday Bread Baking

A few folks have asked, so here’s my general bread recipe in bakers percentages. In bakers percentages everything is based on a ratio compared to the weight of the flour. The formula for my bread is: 100% Whole wheat flour (I’m a geek, I grind my own) 72% Water (or whey) 2% Salt 1% Yeast […]

 

Petroski on Engineering

As I was reading the (very enjoyable) “To Engineer is Human,” I was struck by this quote, in which Petroski first quotes Victorian-era engineer Robert Stephenson, and then comments: …he hoped that all the casualties and accidents, which had occurred during their progress, would be noticed in revising the Paper; for nothing was so instructive […]

 

Quantum Crypto is Quantum Backdoored, But It's Not a Problem

Nature reports that Quantum Cryptography has been completely broken in “Hackers blind quantum cryptographers.” Researcher Vadim Makarov of the Norwegian University of Science and Technology constructed an attack on a quantum cryptography system that “gave 100% knowledge of the key, with zero disturbance to the system,” as Makarov put it. There have been other attacks […]

 

OSF looking for DataLossDB help

The folks running the Open Security Foundation’s DataLossDB are asking for some fully tax-deuctible help meeting expenses. I’ve blogged repeatedly about the value of this work, and hope that interested EC readers can assist in supporting it. With new FOIA-able sources of information becoming available, now seems to be a great time to help out.

 

Transparency, India, Voting Machines

India’s EVMs are Vulnerable to Fraud. And for pointing that out, Hari Prasad has been arrested by the police in India, who wanted to threaten and intimidate him question him about where he got the machine that he studied. That’s a shame. The correct response is to fund Hari Prasad’s work, not use the police […]

 

Wikileaks

Friday night an arrest warrant went out, and was then rescinded, for Wikileaks founder Julian Assange. He commented “We were warned to expect “dirty tricks”. Now we have the first one.” Even the New York Times was forced to call it “strange.” I think that was the wrong warning. Wikileaks is poking at a very […]

 

Measurement Theory & Risk Posts You Should Read

These came across the SIRA mailing list. They were so good, I had to share: https://eight2late.wordpress.com/2009/07/01/cox%E2%80%99s-risk-matrix-theorem-and-its-implications-for-project-risk-management/ http://eight2late.wordpress.com/2009/12/18/visualising-content-and-context-using-issue-maps-an-example-based-on-a-discussion-of-coxs-risk-matrix-theorem/ http://eight2late.wordpress.com/2009/10/06/on-the-limitations-of-scoring-methods-for-risk-analysis/ Thanks to Kevin Riggins for finding them and pointing them out.

 

P != NP and Security

There’s been a lot of discussion about the paper written by mathematician Vinay Deolalikar on this interesting problem. The P!=NP problem is so interesting that there’s a million-dollar prize for solving it. It might even be interesting because there’s a million-dollar prize for solving it. It might also have some applicability to computer science and […]

 

Databases or Arrests?

From Dan Froomkin, “FBI Lab’s Forensic Testing Backlog Traced To Controversial DNA Database,” we see this example of the mis-direction of key funds: The pressure to feed results into a controversial, expansive DNA database has bogged down the FBI’s DNA lab so badly that there is now a two-year-and-growing backlog for forensic DNA testing needed […]

 

How not to address child ID theft

(San Diego, CA) Since the 1980?s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child?s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” […]

 

Dating and InfoSec

So if you don’t follow the folks over at OKCupid, you are missing out on some hot data. In case you’re not aware of it, OKCupid is: the best dating site on earth. Compiling our observations and statistics from the hundreds of millions of user interactions we’ve logged, we use this outlet to explore the […]

 

Bleg: Picture editor?

I used to use “Galerie” on my Mac to put nice pretty frames around pictures I posted here. (See some examples.) Galerie was dependent on … blah, blah, won’t work anymore without some components no longer installed by default. So I’m looking for a replacement that will, with little effort, put pictures in a nice […]

 

Making it up so you don't have to

If you don’t have time to develop a data-driven, business focused security strategy, we sympathize. It’s a lot of hard work. So here to help you is “What the fuck is my information security ‘strategy?’ “: Thanks, N!

 

Jon Callas on Comedies, Tragedy and PKI

Prompted by Peter Gutmann: [0] I’ve never understood why this is a comedy of errors, it seems more like a tragedy of errors to me. Jon Callas of PGP fame wrote the following for the cryptography mail list, which I’m posting in full with his permission: That is because a tragedy involves someone dying. Strictly […]

 

New low in pie charts

It’s not just a 3d pie chart with lighting effects and reflection. Those are common. This one has been squished. It’s wider than it is tall. While I’m looking closely, isn’t “input validation” a superset of “buffer errors” “code injection” and “command injection?” You can get the “Application Security Trends report for Q1-Q2 2010” from […]

 

Transparent Lies about Body Scanners

In “Feds Save Thousands of Body Scan Images,” EPIC reports: In an open government lawsuit against the United States Marshals Service, EPIC has obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of […]

 

Illogical Cloud Positivism

Last we learned, Peter Coffee was Director of Platform Research for salesforce.com.  He also blogs on their corporate weblog, CloudBlog, a blog that promises “Insights on the Future of Cloud Computing”. He has a post up from last week that called “Private Clouds, Flat Earths, and Unicorns” within which he tries to “bust some myths” […]

 

What They Know (From the WSJ)

Interesting interactive data app from the Wall Street Journal about your privacy online and what various websites track/know about you. http://blogs.wsj.com/wtk/ Full disclosure, our site uses Mint for traffic analytics.

 

Black Hat Slides

My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.

 

Credit Scores and Deceptive Advertising

Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores. I’d like to add one more danger of credit scores: […]

 
 

Cisco's Artichoke of Attack

Cisco has their security report up – find it here.  My favorite part?  “The Artichoke of Attack”

 

SOUPS Keynote & Slides

This week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:” In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the […]

 

Society of Information Risk Analysts Webex/Meeting Tomorrow

Hey, just so you all know, SOIRA is having our lunch (or breakfast) Al-Desko Webex.  This month we have the pleasure of watching Chris Hayes show how to use quantitative risk analysis for real, pragmatic business purposes.  It’s going to be seriously useful. Join SOIRA here:  http://groups.google.com/group/InfoRiskSociety?hl=en for the invite.

 

Survey Results

First, thanks to everyone who took the unscientific, perhaps poorly worded survey. I appreciate you taking time to help out.  I especially appreciate the feedback from the person who took the time to write in: “Learn the proper definition of “Control Systems” as in, Distributed Control Systems or Industrial Control systems. These are the places […]

 

A Blizzard of Real Privacy Stories

Over the last week, there’s been a set of entertaining stories around Blizzard’s World of Warcraft games and forums. First, “World of Warcraft maker to end anonymous forum logins,” in a bid to make the forums less vitriolic: Mr Brand said that one Blizzard employee posted his real name on the forums, saying that there […]

 

Risk -> Operational Security Survey

Hi, I’m very interested right now in finding the quality of risk analysis as it relates to operational security. If you’re a risk analyst, a security executive, or operational security analyst, would you mind taking a one question survey? It’s on SurveyMonkey, here: http://www.surveymonkey.com/s/GCSXZ2Q”

 
 

The Next Unexpected Failure of Government

In looking at Frank Pasquale’s very interesting blog post “Secrecy & the Spill,” a phrase jumped out at me: I have tried to give the Obama Administration the benefit of the doubt during the Gulf/BP oil disaster. There was a “grand ole party” at Interior for at least eight years. Many Republicans in Congress would […]

 

GAO report on the state of Federal Cyber Security R&D

This GAO Report is a good overall summary of the state of Federal cyber security R&D and why it’s not getting more traction.    Their recommendations (p22) aren’t earth-shaking: “…we are recommending that the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, direct the Subcommittee on Networking and […]

 

In Congress Assembled, July 4, 1776

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

 

ISACA CRISC – A Faith-Based Initiative? Or, I Didn't Expect The Spanish Inquisition

In comments to my “Why I Don’t Like CRISC” article, Oliver writes: CobIT allows to segregate what is called IT in analysable parts.  Different Risk models apply to those parts. e.g. Information Security, Architecture, Project management. In certain areas the risk models are more mature (Infosec / Project Management) and in certain they are not […]

 

Thinking about Cloud Security & Vulnerability Research: Three True Outcomes

When opining on security in “the cloud” we, as an industry, speak very much in terms of real and imagined threat actions.  And that’s a good thing: trying to anticipate security issues is a natural, prudent task. In Lori McVittie’s blog article, “Risk is not a Synonym for “Lack of Security”, she brings up an […]

 
 

RiskIT – Does ISACA Suffer From Dunning-Kruger?

Just to pile on a bit…. You ever hear someone say something, and all of the sudden you realize that you’ve been trying to say exactly that, in exactly that manner, but hadn’t been so succinct or elegant at it?  That someone much smarter than you had already thought about the subject a whole lot […]

 

CRISC? C-Whatever

Alex’s posts on Posts on CRISC are, according to Google, is more authoritative than the CRISC site itself: Not that it matters.  CRISC is proving itself irrelevant by failing to make anyone care.  By way of comparison, I googled a few other certifications for the audit and security world, then threw in the Certified Public […]

 

CRISC -O

PREFACE:  You might interpret this blog post as being negative about risk management here, dear readers.  Don’t. This isn’t a diatrabe against IRM, only why “certification” around information risk is a really, really silly idea. Apparently, my blog about why I don’t like the idea of CRISC has long-term stickiness.  Just today, Philip writes in […]

 

Between an Apple and a Hard Place

So the news is all over the web about Apple changing their privacy policy. For example, Consumerist says “Apple Knows Where Your Phone Is And Is Telling People:” Apple updated its privacy policy today, with an important, and dare we say creepy new paragraph about location information. If you agree to the changes, (which you […]

 

Bleh, Disclosure

Lurnene Grenier has a post up on the Google/Microsoft vunlerability disclosure topic. I commented on the SourceFire blog (couldn’t get the reminder from Zdnet about my password, and frankly I’m kind of surprised I already had an account – so I didn’t post there), but thought it was worth discussing my comments here a bit […]

 

Measuring The Speed of Light Using Your Microwave

Using a dish full of marshmallows.  We’re doing this with my oldest kids, and while I was reading up on it, I had to laugh out loud at the following: …now you have what you need to measure the speed of light. You just need to know a very fundamental equation of physics: Speed of […]

 

Alex on Science and Risk Management

Alex Hutton has an excellent post on his work blog: Jim Tiller of British Telecom has published a blog post called “Risk Appetite, Counting Security Calories Won’t Help”. I’d like to discuss Jim’s blog post because I think it shows a difference in perspectives between our organizations. I’d also like to counter a few of […]

 

High Impact Work

Perry Metzger recently drew this to my attention: The title of my talk is, “You and Your Research.” It is not about managing research, it is about how you individually do your research. I could give a talk on the other subject – but it’s not, it’s about you. I’m not talking about ordinary run-of-the-mill […]

 

On Politics

In “Jon Stewart on Obama’s executive power record” Glenn Greenwald writes: When ACLU Executive Director Anthony Romero last week addressed the progressive conference America’s Future Now, he began by saying: “I’m going to start provocatively . . . I’m disgusted with this president.” Last night, after Obama’s Oval Office speech, Jon Stewart began his show […]

 

Bleg: How to Delete Kindle Logs?

Well, Amazon has a new update for Kindle (with folders! OMG!), and I’m planning to apply it. However, last time I installed an update, I noticed that it lost the “wireless off” setting, and was apparently contacting Amazon. I don’t want it to do so, and leave wireless off. It’s safer that way, whatever promises […]

 

Breach Laws & Norms in the UK & Ireland

Ireland has proposed a new Data Breach Code of Practice, and Brian Honan provides useful analysis: The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption etc., need not notify anybody about the breach, nor if the breach affects non-sensitive personal data or small […]

 

Redesign BP's Logo

I like this one a lot. Go vote for your favorite at BP Logo Redesign contest.

 

Mobile Money for Haiti: a contest

This is cool: The Bill & Melinda Gates Foundation is using its financial clout to push the Haitian marketplace toward change by offering $10 million in prizes to the first companies to help Haitians send and receive money with their cell phones… The fund will offer cash awards to companies that initiate mobile financial services […]

 

Excellent Post On Maturity Scale for Log Management

http://raffy.ch/blog/2010/06/07/maturity-scale-for-log-management-and-analysis/ Raffael Marty’s great  post on how to measure the maturity level for your log management program.   Excellent as always.

 

Lady Ada books opening May 11

Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer. From the store’s […]

 

Thanks!

Andrew and I want to say thank you to Dave Marsh. His review of our book includes this: I’d have to say that the first few pages of this book had more of an impact on me that the sum of all the pages of any other security-related book I had ever read It’s really […]

 

Decision Making Not Analysis Paralysis

There’s been a lot of pushback against using Risk Management in Information Security because we don’t have enough information to make a good decision. Yet every security professional makes decisions despite a lack of information. If we didn’t we’d never get anything done. Hell we’d never get out of bed in the morning. There’s a […]

 

Facebook Links

Some worthwhile reads on Facebook and privacy: Facebook’s Privacy Reboot: Is That all You’ve Got for Us? “The devil is in the defaults” Entire Facebook Staff Laughs As Man Tightens Privacy Settings

 

30 vs 150,000

For your consideration, two articles in today’s New York Times. First, “How to Remind a Parent of the Baby in the Car?:” INFANTS or young children left inside a vehicle can die of hyperthermia in a few hours, even when the temperature outside is not especially hot. It is a tragedy that kills about 30 […]

 

B-Sides Las Vegas Call For Papers

Friend of the blog and TV’s own <grin> Chris Nickerson has firmed up B-Sides for Las Vegas and is looking for a few good people to submit a few good presos. I spoke last year with David Mortman and it was awesome.  Chris put on some real good event/space for us all. I encourage you […]

 

ANNOUNCEMENT: The Society of Information Risk Analysts

I was talking with (the now nationally famous) Rich Mogull at Secure360 last week in St. Paul (fabulous security gathering, btw, I highly recommend it), and he reiterated his position that we had too much “echo chamber” and not enough engagement with everyone – especially our peers who are down in the trenches and too […]

 

Life

Today will be remembered along with the landing on the moon and the creation of the internet: Researchers at the J. Craig Venter Institute (JCVI), a not-for-profit genomic research organization, published results today describing the successful construction of the first self-replicating, synthetic bacterial cell. The team synthesized the 1.08 million base pair chromosome of a […]

 

We'll always have Facebook…

Waitress Is Fired for Her Complaint on Facebook: Lesson Learned for Employers?. From [German Consumer Protection] Minister Aigner to Mark Zuckerberg: the importance of privacy Farewell, Facebook “Why one super-connected internet enthusiast decided it was time to pull the plug” 5 WTFs: I quit Facebook Today Quit Facebook Day versus 10 Reasons You’ll Never Quit […]

 

This is what science is for

In “The Quest for French Fry Supremacy 2: Blanching Armageddon,” Dave Arnold of the French Culinary Institute writes: Blanching fries does a lot for you – such as: killing the enzymes that make the potatoes turn purpley-brown. Blanching is always necessary if the potatoes will be air-dried before frying. gelatinizing the starch. During frying, pre-cooked […]

 

Where's the Checks and Balances, Mr. Cameron?

[Update: See Barry’s comments, I seem to misunderstand the proposal.] The New York Times headlines “ Britain’s New Leaders Aim to Set Parliament Term at 5 Years.” Unlike the US, where we have an executive branch of government, the UK’s executive is the Prime Minister, selected by and from Parliament. As I understand things, the […]

 

Malware reports? (A bleg)

I’m doing some work that involves seeing what people are saying about the state of malware in 2010, and search terms like “malware report” get a lot of results, they don’t always help me find thinks like the Symantec ISTR, the McAfee threats report or the Microsoft SIR. To date, I’ve found reports from Cisco, […]

 

Welcome to the club!

As EC readers may know, I’ve been sort of a collector of breach notices, and an enthusiastic supporter of the Open Security Foundation’s DataLossDB project. Recently, I had an opportunity to further support DataLossDB, by making an additional contribution to their Primary Sources archive – a resource I find particularly valuable. Unfortunately, that contribution was […]

 

Facebook Privacy

If you haven’t seen http://mattmckeon.com/facebook-privacy/‘s graphic of how Facebook’s default privacy settings have evolved, it’s worth a look:

 

Getting the time dimension right

If you are developing or using security metrics, it’s inevitable that you’ll have to deal with the dimension of time. “Data” tells you about the past. “Security” is a judgement about the present. “Risk” is a cost of the future, brought to the present. The way to marry these three is through social learning processes.

 

Word!

We show that malicious TeX, BibTeX, and METAPOST files can lead to arbitrary code execution, viral infection, denial of service, and data exfiltration, through the file I/O capabilities exposed by TeX’s Turing-complete macro language. This calls into doubt the conventional wisdom view that text-only data formats that do not access the network are likely safe. […]

 

Taxman

Let me tell you how it will be There’s one for you, nineteen for me Chorus: If privacy appear too small Be grateful I don’t take it all Thanks to Jim Harper for the link.

 

"Cyber Economic Incentives" is one of three themes at Federal Cybersecurity R&D Kickoff Event

This event will be the first discussion of these Federal cybersecurity R&D objectives and will provide insights into the priorities that are shaping the direction of Federal research activities. One of the three themes is “Cyber economic incentives — foundations for cyber security markets, to establish meaningful metrics, and to promote economically sound secure practices.”

 

Because Money Is Liberty Coined

I really love these redesigns of the US Dollar: There’s a contest, and I like these designs by Michael Tyznik the most. On a graphical level, they look like money. He’s integrated micro-printing, aligned printing (that $5 in the upper left corner, it’s really hard to print so it works when you look at light) […]

 

A personal announcement

I will be entering the PhD program in Computational Social Science (with certificates in InfoSec and Economic Systems Design) at George Mason University, Fairfax VA, starting in the Fall of 2010.

 

It's Hard to Nudge

There’s a notion that government can ‘nudge’ people to do the right thing. Big examples include letting people opt-out of organ donorship, rather than opting in (rates of organ donorship go from 10-20% to 80-90%, which is pretty clearly a better thing than putting those organs in the ground or crematoria). Another classic example was […]

 

Earth, from the surface of Mars

This is the first image ever taken of Earth from the surface of a planet beyond the Moon. It was taken by the Mars Exploration Rover Spirit one hour before sunrise on the 63rd Martian day, or sol, of its mission. (March 8, 2004) Credit: NASA Goadard’s flickr stream.

 

How to Get Started In Information Security, the New School Way

There have been a spate of articles lately with titles like “The First Steps to a Career in Information Security” and “How young upstarts can get their big security break in 6 steps.” Now, neither Bill Brenner nor Marisa Fagan are dumb, but both of their articles miss the very first step. And it’s important […]

 

Lies, Damned Lies and Inappropriate Baselines

Thomas Ricks wrote a blog on Foreign Policy titled “Another reason to support Obamacare.” In it, he cited a Stars & Stripes report that one of out five veterans under the age of 24 is out of work. However, Stars and Stripes compares total unemployment to 18-24 male vet unemployment. It took me less than […]

 

The Liquids ban is a worse idea than you thought

According to new research at Duke University, identifying an easy-to-spot prohibited item such as a water bottle may hinder the discovery of other, harder-to-spot items in the same scan. Missing items in a complex visual search is not a new idea: in the medical field, it has been known since the 1960s that radiologists tend […]

 

Failure to Notify Leads to Liability in Germany

…a Bad Homburg business man won millions in damages in a suit against the [Liechtenstein] bank for failing to reveal that his information was stolen along with hundreds of other account holders and sold to German authorities for a criminal investigation. He argued that if the bank had informed those on the list that their […]

 

Evil Clown Stalking for your Birthday?

Dominic Deville stalks young victims for a week, sending chilling texts, making prank phone calls and setting traps in letterboxes. He posts notes warning children they are being watched, telling them they will be attacked. But Deville is not an escaped lunatic or some demonic monster. He is a birthday treat, hired by mum and […]

 

Parkour Generations Video

I could pretend to tie this to information security, talking about risk and information sharing, but really, it’s just beautiful to watch these folks learn to play:

 

Source, Data or Methodology: Pick at least one

In the “things you don’t want said of your work” department, Ars Technica finds these gems in a GAO report: This estimate was contained in a 2002 FBI press release, but FBI officials told us that it has no record of source data or methodology for generating the estimate and that it cannot be corroborated…when […]

 

J.C. Penny knew best

JC Penney, Wet Seal: Gonzalez Mystery Merchants JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August […]

 
 

Friday Visualization: Wal-mart edition

I’ve seen some cool Walmart visualizations before, and this one at FlowingData is no exception. The one thing I wondered about as I watched was if it captured store closings–despite the seemingly inevitable march in the visualization, there have been more than a few.

 

Elsewhere…

Things are busy and chaotic, but while I’m unable to blog, here’s some audio and video I’ve done recently that you might enjoy: “Meeting of the Minds” with Andy Jaquith and myself in either text or audio. Face-Off with Hugh Thompson “Has social networking changed data privacy forever?” Video

 

On Uncertain Security

One of the reasons I like climate studies is because the world of the climate scientist is not dissimilar to ours.  Their data is frought with uncertainty, it has gaps, and it might be kind of important (regardless of your stance of anthropomorphic global warming, I think we can all agree that when the climate […]

 

Makeup Patterns to hide from face detection

Adam Harvey is investigating responses to the growing ubiquity of surveillance cameras with facial recognition capabilities. He writes: My thesis at ITP, is to research and develop privacy enhancing counter technology. The aim of my thesis is not to aid criminals, but since artists sometimes look like criminals and vice versa, it is important to […]

 
 

Cyberdeterrence Papers

This just came past my inbox: The National Research Council (NRC) is undertaking a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The project is aimed at fostering a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and the possible utility of these strategies for the U.S. […]

 

Life without Certificate Authorities

Since it seems like I spent all of last week pronouncing that ZOMG!  SSL and Certificate Authorities is Teh Doomed!, I guess that this week I should consider the alternatives.  Fortunately, the Tor Project Blog, we learn what life is like without CA’s Browse to a secure website, like https://torproject.org/. You should get the intentionally […]

 

Going Dutch: Time for a Breach Notification Law

The European Digital Rights Initiative mentions that “Bits of Freedom starts campaign for data breach notification law:” A data breach notification obligation on telecom providers is already to be implemented on the basis of the ePrivacy Directive, but Bits of Freedom insisted that this obligation should be extended also to other corporations and organisations. It […]

 

Your RIVACY is important to us

…so important that we didn’t even proofread our rivacy policy. I’m hopeful that they apply more due care to how they administer their policy, but fear it’s like a dirty restaurant bathroom. If they don’t bother to take care of what the public sees, what are they doing in the kitchen? From “Commercial Terms of […]

 

More Bad News for SSL

I haven’t read the paper yet, but Schneier has a post up which points to a paper “Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow,” by Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang.about a new side-channel attack which allows an eavesdropper to infer information about the contents of an SSL […]

 

Smoke, Fire and SSL

Where there’s smoke, there’s fire, goes the adage. And in the case of an allegedly-theoretical exploit outlined in a new paper by Chris Soghoian and Sid Stamm (the compelled certificate creation attack), the presence of a product whose only use it to exploit it probably indicates that there’s more going on than one would like […]

 

Well that didn't take long…

The Guardian has reported the first official incident of misuse of full-body scanner information The police have issued a warning for harassment against an airport worker after he allegedly took a photo of a female colleague as she went through a full-body scanner at Heathrow airport. The incident, which occurred at terminal 5 on 10 […]

 

The New School on Lady Ada Day

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science. For Lady Ada Day, Andrew and I want to thank Jessica Goldstein, our editor at Addison Wesley. Without her encouragement, feedback and championing, we never would have published the New School. The first proposal we […]

 

Risks Interconnection Map

The sweet interactive version is here: http://www.weforum.org/documents/riskbrowser2010/risks/# Beyond the cool visualization, I’m really interested in the likelihood/impact of data fraud/data loss over on the left there…

 

Women In Security

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science. For Lady Ada Day, I wanted to call out the inspiring work of Aleecia McDonald. In a privacy world full of platonic talk of the value of notice and consent, Aleecia did something very simple: […]

 

Counterpoint: There is demand for security innovation

Over in the Securosis blog, Rich Mogull wrote a post “There is No Market for Security Innovation.” Rich is right that there’s currently no market, but that doesn’t mean there’s no demand. I think there are a couple of inhibitors to the market, but the key one is that transaction costs are kept high by […]

 

I look forward to merging your unique visibility into my own

In “White House Cyber Czar: ‘There Is No Cyberwar’,” Ryan Singel writes: As for his priorities, Schmidt says education, information sharing and better defense systems rank high. That includes efforts to train more security professionals and have the government share more information with the private sector — including the NSA’s defensive side. “One thing we […]

 

Some Chaotic Thoughts on Healthcare

Passage of this bill is too big for my little brain, and therefore I’ll share some small comments. I’m going to leave out the many anecdotes which orient me around stupid red tape conflicts in the US, how much better my health care was in Canada (and how some Canadian friends flew to the US […]

 

Lessons from Robert Maley's Dismissal

A bit over a week ago, it came out that “Pennsylvania fires CISO over RSA talk.” Yesterday Jaikumar Vijayan continued his coverage with an interview, “Fired CISO says his comments never put Penn.’s data at risk.” Now, before I get into the lessons here, I want to point out that Maley is the sort of […]

 

Kids today

A burglar who spent about five hours on a store’s computer after breaking into the business gave police all the clues they needed to track him down. Investigators said the 17-year-old logged into his MySpace account while at Bella Office Furniture and that made it easy for them to find him. He also spent time […]

 
 

Why I'm Skeptical of "Due Diligence" Based Security

Some time back, a friend of mine said “Alex, I like the concept of Risk Management, but it’s a little like the United Nations – Good in concept, horrible in execution”. Recently, a couple of folks have been talking about how security should just be a “diligence” function, that is, we should just prove that […]

 

National Broadband Plan & Data Sharing

I know that reading the new 376 page US “National Broadband Plan” is high on all your priority lists, but section 14 actually has some interestingly New School bits. In particular: Recommendation 14.9: The Executive Branch, in collaboration with relevant regulatory authorities, should develop machine-readable repositories of actionable real-time information concerning cybersecurity threats in a […]

 

'Experts' misfire in trying to shoot down Charney's 'Internet Security Tax' idea

Industry ‘experts’ misfired when they criticized Microsoft’s Scott Chareney’s “Internet Security Tax” idea. Q: How many of these ‘experts’ know any thing about information economics and public policy responses to negative externalities? A: Zero. Thus, they aren’t really qualified to comment. This is just one small case in the on-going public policy discussions regarding economics of information security, but given the reaction of the ‘experts’, this was a step backward.

 

Asking the right questions

Schneier points me to lightbluetouchpaper, who note a paper analyzing the potential strength of name-based account security questions, even ignoring research-based attacks, and the findings are good: Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge […]

 

Your credit worthiness in 140 Characters or Less

In “Social networking: Your key to easy credit?,” Eric Sandberg writes: In their quest to identify creditworthy customers, some are tapping into the information you and your friends reveal in the virtual stratosphere. Before calling the privacy police, though, understand how it’s really being used. … To be clear, creditors aren’t accessing the credit reports […]

 

Elsewhere in the New School department

Dennis Fisher wrote “Why Bob Maley’s Firing is Bad for All of Us:” The news that Pennsylvania CISO Bob Maley lost his job for publicly discussing a security incident at last week’s RSA Conference really shouldn’t come as a surprise, but it does. Even for a government agency, this kind of lack of understanding of […]

 

Head of O'Hare Security says it sucks

In the eight months that I was the head of security under the Andolino administration, the commissioner of the busiest airport of the world, depending on who’s taking the survey, the busiest airport in the world, never once had a meeting with the head of security for the busiest airport in the world. Never once. […]

 

Data void: False Positives

A Gartner blog post points out the lack of data reported by vendors or customers regarding the false positive rates for anti-spam solutions. This is part of a general problem in the security industry that is a major obstical to rational analysis of effectiveness, cost-effectiveness, risk, and the rest

 

Everybody Should Be Doing Something about InfoSec Research

Previously, Russell wrote “Everybody complains about lack of information security research, but nobody does anything about it.” In that post, he argues for a model where Ideally, this program should be “idea capitalists”, knowing some people and ideas won’t payoff but others will be huge winners. One thing for sure — we shouldn’t focus this […]

 

Krebs on Cyber vs Physical Crooks

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them. I can’t help but notice one […]

 

Everybody complains about lack of information security research, but nobody does anything about it

There has been a disconnect between the primary research sectors and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals. No one seems to be able to mobilize any signficant research into breakthrough cyber security solutions. It’s been very frustrating to see so much talk and so little action. This post proposes one possible solution: Information Security Pioneers Fellowship Program (ISPFP), similar to Gene Spafford’s proposal for a Information Security and Privacy Extended Grant (ISPEG) for academic researchers.

 

Free speech for police

David Bratzer is a police officer in Victoria, British Columbia. He’s a member of “Law Enforcement Against Prohibition,” and was going to address a conference this week. There’s a news video at “VicPD Officer Ordered to Stay Quiet.” In an article in the Huffington Post, “The Muzzling of a Cop” former Seattle Police Chief Norm […]

 

Logging practices

Via a tweet from @WeldPond, I was led to a Daily Mail article which discusses allegations that Facebook founder Mark Zuckerberg “hacked into the accounts of [Harvard] Crimson staff”. Now, I have no idea what happened or didn’t, and I will never have a FB account thanks to my concerns about their approach to privacy, […]

 

Elevation of Privilege: The Threat Modeling Game

In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how very new school it is. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).

 

Elevation of Privilege: the Threat Modeling Game

In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how it helps more chaos emerge. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).

 

Adam signing today at RSA

I’ll be in the RSA bookstore today at noon, signing books. Please drop on by. PS: I’m now signing Kindles, too.

 

News from RSA: U-Prove

In “U-Prove Minimal Disclosure availability,” Kim Cameron says: This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual […]

 

Howard Schmidt's talk at RSA

The New York Times has a short article by Markoff, “U.S. to Reveal Rules on Internet Security.” The article focuses first on declassification, and goes on to say: In his first public speaking engagement at the RSA Conference, which is scheduled to open Tuesday, Mr. Schmidt said he would focus on two themes: partnerships and […]

 

The Economist on Breach Disclosure

In “New rules for big data,” the Economist seems to advocate for more disclosure of security problems: The benefits of information security—protecting computer systems and networks—are inherently invisible: if threats have been averted, things work as normal. That means it often gets neglected. One way to deal with that is to disclose more information. A […]

 

Puerto Rico: Biggest Identity Theft ever?

Apparently, the government of Puerto Rico has stolen the identities of something between 1.7 and 4.1 million people Native Puerto Ricans living outside the island territory are reacting with surprise and confusion after learning their birth certificates will become no good this summer. A law enacted by Puerto Rico in December mainly to combat identity […]

 

Human Error and Incremental Risk

As something of a follow-up to my last post on Aviation Safety, I heard this story about Toyota’s now very public quality concerns on NPR while driving my not-Prius to work last week. Driving a Toyota may seem like a pretty risky idea these days. For weeks now, weve been hearing scary stories about sudden […]

 

"We can’t circumvent our way around internet censorship."

That’s the key message of Ethan Zuckerman’s post “Internet Freedom: Beyond Circumvention.” I’ll repeat it: “We can’t circumvent our way around internet censorship.” It’s a long, complex post, and very much worth reading. It starts from the economics of running an ISP that can provide circumvention to all of China, goes to the side effects […]

 

Human Error

In his ongoing role of “person who finds things that I will find interesting,” Adam recently sent me a link to a paper titled “THE HUMAN FACTORS ANALYSIS AND CLASSIFICATION SYSTEM–HFACS,” which discusses the role of people in aviation accidents.  From the abstract: Human error has been implicated in 70 to 80% of all civil […]

 

Symantec State of Security 2010 Report Out

http://www.symantec.com/content/en/us/about/presskits/SES_report_Feb2010.pdf Thanks to big yellow for not making us register!  Oh, and Adam thanks you for not using pie charts…

 

In the "Nothing to Add" department

Nasty psychiatrissstss! Hates them, my precious! They locks uss up in padded cell! They makes uss look at inkblotsss! Tricksy, sly inkblotsss! Nasty Elvish pills burnsss our throat! … Yesss We Hatesss themsss Evil oness yess my preciousss we hatess themsss But They Helpsss us! No they hurtsss usss, hurtsss usss sore! NCBI ROFL: Did […]

 

Can I see some ID?

Or, Security and Privacy are Complimentary, Part MCVII: Later, I met one executive who told me that at the same time of my incident at another restaurant owned by the corporation, a server was using stolen credit card numbers by wearing a small camera on him. He would always check ID’s and would quickly flash […]

 

I'm not comfortable with that

The language of Facebook’s iPhone app is fascinating: If you enable this feature, all contacts from your device will be sent to Facebook…Please make sure your friends are comfortable with any use you make of their information. So first off, I don’t consent to you using that feature and providing my mobile phone number to […]

 

Adam & Andy Jaquith: A conversation

In December, Andy Jaquith and I had a fun conversation about info security with Bill Brenner listening in. The transcript is at “Meeting of the Minds,” and the audio is here.

 

Measuring the unmeasurable — inspiration from baseball

The New School approach to information security promotes the idea that we can make better security decisions if we can measure the effectiveness of alternatives.  Critics argue that so much of information security is unmeasurable, especially factors that shape risk, that quantitative approaches are futile.  In my opinion, that is just a critique of our current methods […]

 

Happy Valentine's Day!

They say that Y equals m-x plus b (well, when you remove the uncertainty). So let me reveal a secret confession: You’re the solution to my least squares obsession. stolen from the applied statistics blog

 

Open Security Foundation Looking for Advisors

Open Security Foundation – Advisory Board – Call for Nominations: The Open Security Foundation (OSF) is an internationally recognized 501(c)(3) non-profit public organization seeking senior leaders capable of providing broad-based perspective on information security, business management and fundraising to volunteer for an Advisory Board. The Advisory Board will provide insight and guidance when developing future […]

 

Saltzer, Schroeder, and Star Wars

When this blog was new, I did a series of posts on “The Security Principles of Saltzer and Schroeder,” illustrated with scenes from Star Wars. When I migrated the blog, the archive page was re-ordered, and I’ve just taken a few minutes to clean that up. The easiest to read version is “Security Principles of […]

 

My Sweet Lord, this is a Melancholy story

There’s an elephant of a story over at the New York Times, “Musician Apologizes for Advertising Track That Upset the White Stripes.” It’s all about this guy who wrote a song that ended up sounding an awful lot like a song that this other guy had written. And how this other guy (that being Mr. […]

 

Podcast on ISM3

Last week, I spoke at the Open Group meeting here in Seattle, and then recorded a podcast with Dana Gardner, Jim Hietala and Vicente Aceituno about ISM3 Brings Greater Standardization to Security Measurement Across Enterprise IT (audio) or you can read the transcript. It was fun, and the podcast is short and to the point. […]

 
 

Does It Matter If The APT Is "New"?

As best as I can describe the characteristics of the threat agents that would fit the label of APT, that threat community is very, very real.  It’s been around forever (someone mentioned first use of the term being 1993 or something) – we dealt with threat agents you would describe as “APT” at MicroSovled when […]

 

Applying Utility Functions To Humans?

From Less Wrong:  http://lesswrong.com/lw/1qk/applying_utility_functions_to_humans_considered/ I’m at The Open Group Security Forum this week in Seattle, speaking about risk and stuff.  Adam gave a great talk about Security: From Art to Science.  One recurring theme all week was the need to borrow from disciplines outside of Comp Sci and Engineering.   When we think about the […]

 

Off with their heads!

In a private conversation, someone said “has anyone in company‘s IT staff been fired for letting people do use that software?” I did some searching for “firing offenses” and I found a bunch of interesting random things. I’d like to quote one, “How can I fire a non-performer in today’s environment:” You may have some […]

 

V-22 Osprey Metrics

Metrics seem to be yet another way in which Angry Bear noticed that the V-22 Osprey program has hidden from its failure to deliver on its promises: Generally, mission capability runs 20% higher than availability, but availability is hidden on new stuff, while shouted about on older stuff, because there would be severe embarrassment if you […]

 

Security Blogger Awards

We’re honored to be nominated for “Most Entertaining Security Blog” at this years “2010 Social Security Blogger Awards.” Now, in a fair fight, we have no hope against Hoff’s BJJ, Mike Rothman’s incitefulness, Jack Daniel’s cynicism, or Erin’s sociability. But, really, there’s no reason for this to be a fair fight. So we’re asking our […]

 

The Best Question In Information Security

Ian Grigg seems to have kicked off a micro-trend with “The most magical question of all — why are so many bright people fooling themselves about the science in information security?.” Gunnar Peterson followed up with “Most Important Security Question: Cui Bono?” Both of these are really good questions, but I’m going to take issue […]

 

'Don't Ask, Don't Tell in Davos' — Act 3 in the Google-China affair

There is no better illustration of the institutional and social taboos surrounding data breach reporting and information security in general than the Google-Adobe-China affair. While the Big Thinkers at the World Economic Forum discussed every other idea under the sun, this one was taboo.

 

That's Some Serious Precision, or Watch Out, She's Gonna Go All Decimal!

So last night the family and I sat down and watched a little TV together for the first time in ages.  We happened to settle on the X-Games on ESPN, purely because they were showing a sport that I can only describe as Artistic Snowmobile Jumping.  Basically, these guys get on snowmobiles, jump them in […]

 

Today in Tyrranicide History

On January 30th, 1649, Charles I was beheaded for treason. He refused to enter a defense, asserting that as monarch, he was the law, and no court could try him. That same defense is raised today by Milošević, Hussien and other tyrants. The story of how John Cooke built his arguments against that claim is […]

 

Privacy and Security are Complimentary, Part MCIV

Privacy and security often complement each other in ways that are hard to notice. It’s much easier to present privacy and security as “in tension” or as a dependency. In this occasional series, we present ways in which they compliment each other. In this issue, the Financial Times reports that “Hackers target friends of Google […]

 

Quote For Today

Their judgment was based on wishful thinking rather than on sound calculation of probabilities; for the usual thing among men, is when they want something, they will, without any reflection, leave that to hope; which they will employ the full force of reasoning in rejecting what they find unpalatable. — Thucydides

 

Help EFF Measure Browser Uniqueness

The EFF is doing some measurement of browser uniqueness and privacy. It takes ten seconds. Before you go, why not estimate what fraction of users have the same transmitted/discoverable browser settings as you, and then check your accuracy at https://panopticlick.eff.org. Or start at http://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking for a bit more detail.

 

Text Size (and testing)

Thank you for all the feedback in email & comments. Testing a new font size, feedback is again invited and welcome.

 
 

Shameless Self-Promotion

Hi, If you like risk, risk management, and metrics, I’ll be giving an online presentation you might want to see tomorrow at 2 EST: Gleaning Risk Management Data From Incidents http://www.brighttalk.com/webcasts/8093/attend

 

Migration

After more than 5 years, nearly 3,300 posts, and 6,300 comments on Movable Type, we’re migrating the blog to WordPress on a new host. Please let us know if I broke something. This is the new machine. Photo: Face the World with a Peaceful Mind, by Ting Hay.

 
 

Emergent Planetary Detection via Gravitational Lensing

The CBC Quirks and Quarks podcast on “The 10% Solar System Solution” is a really interesting 9 minutes with Scott Gaudi on how to find small planets far away: We have to rely on nature to give us the microlensing events. That means we can’t actually pick and choose which stars to look at, and […]

 

People are People, Too!

Apparently, corporations and unions can now spend unlimited funds on campaign advertisements. I’m hopeful that soon the Supreme Court will recognize that people are people too, and have the same free speech rights as corporations. Maybe, too, the Court will recognize that Congress may not limit the right of people to freely associate, and perhaps […]

 

The Face of FUD

A vivid image of Fear, Uncertainty, and Doubt (FUD), from an email promotion by NetWitness.

 

Why I Don't Like CRISC, Day Two

Yesterday, I offered up a little challenge to suggest that we aren’t ready for a certification around understanding information risk.  Today I want to mention why I think this CRISCy stuff is dangerous. What if how we’re approaching the subject is wrong?  What if it’s mostly wrong and horribly expensive? I’m going to offer that […]

 

Why I Don't Like CRISC

Recently, ISACA announced the CRISC certification.  There are many reasons I don’t like this, but to avoid ranting and in the interest of getting to the point, I’ll start with the main reason I’m uneasy about the CRISC certification: We’re not mature enough for a certification in risk management. Don’t believe me?  Good for you, […]

 

Doing threat intelligence right

To improve threat intelligence, it’s most important to address the flaws in how we interpret and use the intelligence that we already gather. Intelligence analysts are human beings, and many of their failures follow from intuitive ways of thinking that, while allowing the human mind to cut through reams of confusing information, often end up misleading us.

 

The Dog That Didn't Bark at Google

So it’s been all over everywhere that “uber-sophisticated” hackers walked all over Google’s internal network. Took their source, looked at email interception tools, etc. What’s most fascinating to me is that: Google’s customers don’t seem to be fleeing Google stock fell approximately 4% on the news they were hacked, while the market was down 2% […]

 

Does it include a launchpad?

The New York Times is reporting that there’s a “Deep Discount on Space Shuttles ,” they’re down to $28.8 million. But even more exciting than getting one of the 3 surviving monstrosities is that the main engines are free: As for the space shuttle main engines, those are now free. NASA advertised them in December […]

 

Wondering about Phenomenon

Yesterday, Russell posted in our amusements category about the avoidance of data sharing. He gives an anecdote about “you,” presumably a security professional, talking to executives about sharing security information. I’d like to offer an alternate anecdote. Executive: “So we got the audit report in, and it doesn’t look great. I was talking to some […]

 
 

Blogs worth reading, an occasional series

Dan Lohrmann’s “Why Do Security Professionals Fail?” So what works and what doesn’t seem to make much difference in getting consistently positive results? My answers will probably surprise you. I’m not the first person to ask this question. Conventional wisdom says we need more training and staff with more security certifications. Others say we need […]

 

Terrorism Links and quotes

Ed Hasbrouck on “Lessons from the case of the man who set his underpants on fire” A Canadian woman who’s been through the new process is too scared to fly. “Woman, 85, ‘terrified’ after airport search.” Peter Arnett reported “‘It became necessary to destroy the town to save it,’ a TSA major said today. He […]

 

Another Week, Another GSM Cipher Bites the Dust

Orr Dunkelman, Nathan Keller, and Adi Shamir have released a paper showing that they’ve broken KASUMI, the cipher used in encrypting 3G GSM communications. KASUMI is also known as A5/3, which is confusing because it’s only been a week since breaks on A5/1, a completely different cipher, were publicized. So if you’re wondering if this […]

 

Ignorance of the 4 new laws a day is no excuse

The lead of this story caught my eye: (CNN) — Legislatures in all 50 states, the District of Columbia, Guam, the Virgin Islands and Puerto Rico met in 2009, leading to the enactment of 40,697 laws, many of which take effect January 1. That’s an average of 753 laws passed in each of those jurisdictions. […]

 
 

Is Quantified Security a Weak Hypothesis?

I’ve recently read “Quantified Security is a Weak Hypothesis,” a paper which Vilhelm Verendel published at NSPW09. We’re discussing it in email, and I think it deserves some broader attention. My initial note was along these lines: I think the paper’s key hypothesis “securtity can be correctly represented with quantitative information” is overly broad. Can […]

 

768-bit RSA key factored

The paper is here. The very sane opening paragraph is: On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve (NFS, [19]). The number RSA-768 was taken from the now obsolete RSA Challenge list [37] as a representative 768-bit RSA modulus (cf. [36]). This result is a record for […]

 

Comments on the Verizon DBIR Supplemental Report

On December 9th, Verizon released a supplement to their 2009 Data Breach Investigations Report. One might optimistically think of this as volume 2, #2 in the series. A good deal of praise has already been forthcoming, and I’m generally impressed with the report, and very glad it’s available and free. But in this post, I’m […]

 

Things Darwin Didn't Say

There’s a great line attributed to Darwin: “It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.” The trouble is, he never said it. Background here. Original sources are important and fun.

 

Hello world!

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!

 

How not to do security, Drone Video Edition

This is probably considered to be “old news” by many, but I’m high-latency in my news at the moment. Much was made of the fact that the US Military’s enemies are now eavesdropping on the video feeds from US Drones on the battlefield using cheaply available commercial technology.  But it’s OK, because according to the […]

 

A Way Forward

Since writing the New School, I’ve been thinking a lot about why seems so hard to get there. There are two elements which Andrew and I didn’t explicitly write about which I think are tremendously important. Both of them have to do with the psychology of information security. The first is that security experts are […]

 

SearchSecurity Top Stories of 2009 Podcast

A few weeks ago, I joined the SearchSecurity team (Mike Mimoso, Rob Westervelt and Eric Parizo) to discuss the top cybersecurity stories of 2009. It was fun, and part 1 now available for a listen: part 1 (22:58), part 2 is still to come.

 

The Spectacle of Street View

Street with a View is an art project in Google Street View, with a variety of scenes enacted for the camera, either to be discovered in Street View, or discovered via the project web site. via David Fraser.

 

Comment Spam

We’ve been flooded with comment spam. I’ve added one of those annoying captcha things that don’t work, and a mandatory comment confirmation page. Please let me know if you have trouble. Blogname @ gmail.com, or adam @ blogname.com I think comments are working, but most won’t show up immediately. I’m digging into more effective solutions.

 
 

To the amazing chaos of the 2010s

I expect that there will be senseless acts of violence, planes destroyed and perhaps a city attacked with effective biological weapons. There will be crazy people with more power than we want to comprehend. There will be a billion malnourished, undereducated folks whose lives don’t improve. The first world will continue to be saddled with […]

 

Airplane Terrorism, Data-Driven Edition

I’m just off a flight from London back to the United States and I’m hesitant to attempt to think while jet-lagged.  I’ll have some more thoughts and first-hand observations once my head clears, however. In the meantime, Nate Silver has broken down the risk of terror attacks on airplanes so I don’t have to.  Summarizing […]

 

The New School of Air Travel Security?

As I simmer with anger over how TSA is subpoening bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways: Failures are rare Partial failures are generally secret Actual failures are analyzed in secret Procedures are secret Procedures seem bizarre and arbitrary […]

 

What the FBI Was Doing on Beethoven's Birthday

This is unfair, but I can’t resist. Nine days before we found out again that PETN is hard to detonate, the FBI was keeping us safe: FBI FINALLY MAKES AN ARREST OVER ‘WOLVERINE’ LEAK The FBI has announced the capture of an individual connected with the leak of 20th Century Fox’s “X-Men Origins: Wolverine.” … […]

 

Abdulmutallab/Flight 253 Airline Terror links

Air Canada is canceling US flights because of security. (Thanks, @nselby!) The New York Times reports that “Britain Rejected Visa Renewal for Suspect.” NPR reported that the State Department may have raised some sort of flag, but I don’t have a link. ABC is reporting that two of the “al Qaeda Leaders Behind Northwest Flight […]

 

Observations on the Christmas Bomber

Since there’s been so much discussion about the Chrismas Bomber, I want to avoid going over the same ground everyone else is. So as much as I can, I’m going to try to stick to lightly-treaded ground. This is a failure for the terrorists. A big one. Think about it; put yourself on the other […]

 

Abdulmutallab/Flight 253 Airline Terror links

The Economist “The latest on Northwest flight 253:” “the people who run America’s airport security apparatus appear to have gone insane” and “This is the absolute worst sort of security theatre: inconvenient, absurd, and, crucially, ineffective.” Business Travel Coalition, via Dave Farber and Esther Dyson, “Aviation Security After Detroit:” “It is welcome news that President […]

 

76% Organic

The back does explain that it’s 76% organic petite sirah, and 24% non-organic grapes. I just thought it was a pretty funny thing to put on the front label, and wonder which consumers are going to be more likely to buy it, knowing that it’s 76% organic.

 
 

New Restrictions: No Using Electronic Devices for the Last Hour

Apparently, in the wake of thousands of deaths from idiots paying more attention to GPS, cell phones, GameBoys, iPods and other such electronic devices, TSA has announced a ban on all use of such devices for the last hour of your commute. No, just kidding. Apparently, they may be imposing new secret restrictions on use […]

 

Brian W Kernighan & Dennis M Ritchie & HP Lovecraft

I never heard of C Recursion till the day before I saw it for the first and– so far– last time. They told me the steam train was the thing to take to Arkham; and it was only at the station ticket-office, when I demurred at the high fare, that I learned about C Recursion. […]

 
 

Burning News: Gavle Goat

USA Today informs us that: Despite surveillance cameras and heavy security, vandals in a small Swedish town have burned down a giant Yuletide straw goat for the 24th time since 1966, the Associated Press reports. Here at Emergent Chaos, we’re deeply concerned that the goat ended up with neither privacy nor even temporary safety. Photo: […]

 

An Open Letter to the New Cyber-Security Czar

Dear Howard, Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but […]

 
 

Biggest Breach Ever

Precision blogging gets the scoop: You’re probably talking about this terrible security disaster already: the largest database leak ever. Arweena, a spokes-elf for Santa Claus, admitted a few hours ago that the database posted at WikiLeaks yesterday is indeed the comprehensive 2009 list of which kids have been naughty, and which were nice. The source […]

 

NotObvious On Heartland

I posted this also to the securitymetrics.org mailing list.  Sorry if discussing in multiple  venues ticks you off. The Not Obvious blog has an interesting write up on the Heartland Breach and impact.  From the blog post: “Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they […]

 

Open Thread

I’ll give you a topic, eh, no I won’t. Have at it, but not at each other.

 

For Blog/Twitter Conversation: Can You Defend "GRC"?

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today.  I believe G & C are subservient to risk management. So let me offer you this statement to chew on: “A metric for Governance is only useful inasmuch as it describes an ability to manage risk” True or False, […]

 
 

St. Cajetan's Revenge

For some time, I’ve watched the War on Bottled Water with amusement. I don’t disagree with figuring out how to reduce waste, and so on and so forth, but the railing against bottled water per se struck me as not thought out very well. The major reason for my thinking is that I never heard […]

 

Top Security Stories of the Year?

On Wednesday, I’ll be joining a podcast to discuss “top security stories of the year.” I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year? (I posted this on Emergent Chaos, but forgot to post it […]

 

We Take Your Privacy Seriously

So after BNY Melon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login. Boy, am I glad […]

 

Data Not Assertions

There have already been a ton of posts out there about the Verizon DBIR Supplement that came out yesterday, so I’m not going to dive into the details, but I wanted to highlight this quick discussion from twitter yesterday that really sums of the value of the supplement and similar reports: georgevhulme: I’m glad we […]

 

Huh, who knew?

We have a comments feed. I suppose we should add that to somewhere sane. In the meanwhile, you should click here. We have smart commenters, and what they say is usually worthwhile.

 

Emerging threat: Social Botnets

We think of botnets as networks of computing devices slaved to some command & control system. But what about human-in-the-loop botnets, where humans are either participants or prime actors? I’m coining this label: “social botnets”. Recent example: “Health Insurers Caught Paying Facebook Gamers To Oppose Reform Bill”.

 

Top Security Stories of the Year?

Next week, I’ll be joining a podcast to discuss “top security stories of the year.” I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year?

 

NEW: Verizon 2009 DBIR Supplement

The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.

 

Monkeys krak-oo krak-oo

According to “Campbell’s Monkeys Use Affixation to Alter Call Meaning:” We found that male alarm calls are composed of an acoustically variable stem, which can be followed by an acoustically invariable suffix. Using long-term observations and predator simulation experiments, we show that suffixation in this species functions to broaden the calls’ meaning by transforming a […]

 

Sweden: An Interesting Demographic Case Study In Internet Fraud

(quietly, wistfully singing “Yesterday” by the Beatles) From my favorite Swedish Infosec Blog, Crowmoor.se. I don’t speak Swedish, so I couldn’t really read the fine article they linked to.  Do go read their blog post, I’ll wait here. Back?  Great.  Here are my thoughts on those numbers: SWEDISH FRAUD STATISTICS RELEASED The World Bank estimates […]

 

Manditory web client scripts analogous to CDOs

The widespread and often mandatory use of client scripts in websites (e.g., JavaScript) are like CDOs [Collateralized Debt Obligations}. They both are designed by others with little interest in your security, they leverage your resources for their benefit, they are opaque, complex, nearly impossible to audit, and therefore untrustworthy.

 

Time to update your threat model to include "friendly fire"

If you work in InfoSec outside of the military, you may be thinking that “offensive cyber capability” don’t doesn’t apply to you. Don’t be so sure. I think it’s worth adding to the threat model for every organization. New “hacking gadgets” could be put in the hands of ordinary soldiers, turning them into the equivalent of “script kiddies”. But what if the potential target knows that such attacks may be coming. They could sets up a deceptive defense and redirect the attack to another network

 

TSA Security Operating Procedures

Via Gary Leff, we learn that “The TSA Puts Their Sensitive Security Screening Procedures Online For All To See (oops).” It’s another “we blacked out the doc without blacking out the data” story. The doc is 93 pages, and I don’t have time to more than skim it right now. I think that the redactions […]

 

All in the Presentation

America’s Finest News Source teaches an excellent lesson on how to spin data: Labor Dept: Available Labor Rate Increases To 10.2% WASHINGTON—In what is being touted by the Labor Department as extremely positive news, the nation’s available labor rate has reached double digits for the first time in 26 years, bringing the total number of […]

 

Engineers vs. Scammers

Adam recently sent me a link to a paper titled, “Understanding scam victims: seven principles for systems security.”  The paper examines a number of real-world (i.e. face-to-face) frauds and then extrapolates security principles which can be applied generically to both face-to-face and information or IT security problems. By illustrating these principles with examples taken from […]

 

A sociologist reads a Twitter feed

So, Adam retweets a hysterical reference to a viral email about an absolute genius of a Xmas light display made to look like an accident with a ladder, and the hapless homeowner left hanging from the gutter of his house. The email explains that the display was taken down after two days in large part […]

 
 
 

Fingerprinted and Facebooked at the Border

According to the Wall St Journal, “Iranian Crackdown Goes Global ,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online. That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they […]

 

Dilbert On Reusable Code

A while back I wrote an article on reusable code for ThreatPost. Today’s Dilbert, has an alternate, equally useful take on reusable code.

 

The stupidest post of the year?

George Hulme nominates this as the stupidest blog post of the year. I’m tempted to vote, although we have 30 more days. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period). My take? Anytime someone says that […]

 

Miscommunicating risks to teenagers

A lesson in miscommunication of risk from “abstinence only” sex education aimed at teenagers. The educators emphasize the failure rate of condoms, but never mention the failure rate of abstinence-only policies when implemented by teenagers.

 

We've made piracy a community activity.

From BoingBoing: Somali nautical pirates have established a stock-market where guns and cash are invested in upcoming hijackings, with shares of the proceeds returned to investors Emergent Chaos strikes again…

 

The Market for Fake Police Badges

But in New York, a city that has become almost synonymous with high security, where office employees wear picture IDs and surveillance cameras are on the rise, some officers don’t wear their badges on patrol. Instead, they wear fakes. Called “dupes,” these phony badges are often just a trifle smaller than real ones but otherwise […]

 

Awesome Vendor-Speak

I received an unsolicited ( I’ve tried to unsubscribe several times there, techtarget ) email today, that I actually happened to open because it advertised an “integrated maturity model for governance and security”.  Yeah, I’m a sucker like that.  This is what I read: …a practical maturity model with illustrative use cases that can be […]

 

Chris Soghoian’s Surveillance Metrics

I also posted about this on Emergent Chaos, but since our readership doesn’t fully overlap, I’m commenting on it here as well. Chis Soghoian, has just posted some of his new research into government electronic surveillance here in the US. The numbers are truly astounding (Sprint for instance provided geo-location data on customers eight million […]

 
 

Visualization Monday: Storage

This is cool.  Visualization of relative storage capacities in terms of media and format. Notice that it goes all the way back into pre-digital forms, a subtle tweak that I’ll bet a lot of people miss on first inspection.  Too bad, too, since the ability to seamlessly compare seemingly-different things is a valuable skill when […]

 

2010 Security Prognosticators – Put Your Money Where Your Mouth Is!!!

Just saw where Symantec has released their 2010 Security Trends to watch.  Now not to pick on Symantec (I’m guilty of the same mess in the past myself over on my old blog) but usually these sorts of prognostication lists are full of the same horse@!@#$.  For example: 8.  Mac and Mobile Malware Will Increase […]

 

FBI Gets all New School

“Of the thousands of cases that we’ve investigated, the public knows about a handful,” said Shawn Henry, assistant director for the Federal Bureau of Investigation’s Cyber Division. “There are million-dollar cases that nobody knows about.” … “Keeping your head in the sand on filing a report means that the bad guys are out there hitting […]

 

Tifatul Sembiring Causes Disasters

The BBC reports that “Indonesia minister says immorality causes disasters:” A government minister has blamed Indonesia’s recent string of natural disasters on people’s immorality. Communication and Information Minister Tifatul Sembiring said that there were many television programmes that destroyed morals. Therefore, the minister said, natural disasters would continue to occur. His comments came as he […]

 
 

For Those Not In The US (or even if you are)

I’d like to wish US readers a happy Thanksgiving. For those outside of the US, I thought this would be a nice little post for today: A pointer to an article in the Financial Times, “Baseball’s love of statistics is taking over football“ Those who indulge my passion for analysis and for sport know that […]

 

An advance in the "balance" between security and privacy

Today on Thanksgiving, I’m thankful that the European Parliament has adopted what may be the first useful statement about the balance between security and privacy since Franklin: “… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to […]

 

Less Is More

Great post today over on SecureThinking about a customer who used a very limited signature set for their IDS. Truth of the matter was that our customer knew exactly what he was doing. He only wanted to see a handful of signatures that were generic and could indicate that “something” was amiss that REALLY needed […]

 

Deny thy father and refuse thy gene sequence?

There’s a fascinating article in the NYTimes magazine, “Who Knew I Was Not the Father?” It’s all the impact of cheap paternity testing on conceptions of fatherhood. Men now have a cheap and easy way to discovering that children they thought were theirs really carry someone else’s genes. This raises the question, what is fatherhood? […]

 

Jail Time For ID Fraud

This past Friday, Baltimore resident, Michelle Courtney Johnson, was sentenced to 18 months in jail and a $200K fine for theft and use of PHI. According to her plea agreement and court documents, from August 2005 to April 2007, Johnson provided a conspirator with names, Social Security numbers and other identifying information of more than […]

 
 

Connecticut Attorney General On The March

It’s been a bad couple of weeks for residents of Connecticut and their personal health information. First Blue Cross Blue Shield had a laptop stolen with enough PHI that over 800K doctors were notified that their patients were at risk, including almost 19K in Connecticut. Connecticut’s attorney general said Monday that he’s investigating insurer Blue […]

 

Hackers treated as credible sources of information (D'oh!)

Contrary to popular belief, hackers are not credible sources of information that they themselves have stolen and leaked. Maybe they weren’t “hackers” at all. News organizations and bloggers should think more critically and do more investigation before they add to the “echo chamber effect” for such reports.

 

Poker Faced?

In “An Unstoppable Force Meets…” Haseeb writes about “we have just witnessed a monumental event in the history of online poker – the entrance of Isildur into our world of online poker.” Huh? Really? The post is jargon packed, and I’m not a poker player, but apparently this Isildur character has slaughtered all the best […]

 
 

Rational Ignorance: The Users' view of security

Cormac Herley at Microsoft Research has done us all a favor and released a paper So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users which opens its abstract with: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore […]

 

UK Confused About Piracy

According to BoingBoing, “Leaked UK government plan to create “Pirate Finder General” with power to appoint militias, create laws:” What that means is that an unelected official would have the power to do anything without Parliamentary oversight or debate, provided it was done in the name of protecting copyright. Mandelson elaborates on this, giving three […]

 

"80 Percent of Cyber Attacks Preventable"

Threatlevel (aka 27B/6) reported yesterday that Richard Schaeffer, the NSA’s information assurance director testified to the Senate Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security on the issue of computer based attacks. If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could […]

 

Questions about Schaeffer's 80% improvement

According to Kim Zetter at Wired, in Senate testimony, Richard Schaeffer, the information assurance director at NSA, claimed that “If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented.” I’m trying to find if that’s the FDCC (Federal Desktop Core Configuration), […]

 

FTC Delays Red Flags Enforcement Yet Again

I missed this when it hit the newswires two weeks ago, but the FTC has delayed enforcement of the Red Flags Rule. This change was in response to the American Bar Association successfully suing the FTC and being granted an injunction to prevent the Red Flags Rule being applied to lawyers. Similarly, the American Institute […]

 

ICSA Labs report

In the book, Andrew and I wrote about trading data for credibility. If Verizon’s enthusiasm for sharing their learning is any indication, the approach seems to be paying off in spades. At the Verizon Business blog, Wade Baker writes: Today ICSA Labs (an independent division of Verizon Business) released a report based on testing results […]

 

Can't tell the players without a program

You can’t tell the good guys from the bad guys without knowing the color of their hat. I wish there were some sort of map of the Black Hat ecosystem because it’s hard for non-specialists to tell. Case in point: Virscan.org. Looks like a nice, simple service that scan uploaded files using multiple AV software with latest signatures. But it seems *much* more useful to bad guys (malware writers and distributors) than for good guys. Who does it serve?

 

In the Proudest Traditions of the Royal Navy

The Royal Fleet Auxiliary ship Wave Knight watched a yacht be hijacked for fear of harming its passengers. All stand for a rousing round of “Ain’t gonna study war no more.”

 

Rich Mogull's Divine Assumptions

Our friend Rich Mogull has an interesting post up on his blog called “Always Assume“.  In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions.  And he offers a simple, pragmatic process for assumptions which is mainly scenario development, justification, and action.    […]

 
 

Best Practices in Tax Management

Someone sent me a link to “How to Audit-Proof Your Tax Return: Don’t e-File,” by Paul Caron. In it he quotes a plausible theory that “you are giving the IRS easy electronic access to information it would otherwise have to enter, enabling the agency to examine your return and mine the data more easily than […]

 

CFP: 9th Workshop on the Economics of Information Security (WEIS)

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science.

 

Practices: Proven vs. Standard?

In comments yesterday, both Kyle Maxwell and Nicko suggested that “standard” is a better adjective than “proven:” I like Kyle’s “standard” practice, since it makes it clear that you are just following the flock for safety by sticking to them. Perhaps we should call them “flocking standard practice” I do think there’s an important difference, […]

 

How to Use the "Think" Best Practice

After I posted the new Best Practice: Think, Dennis Fisher tweeted “Never catch on. Nothing for vendors (or Gartner) to sell.” Which is true, but that’s not the point. The point is to be able to ju-jitsu your best-practice cargo-culter into submission. For example: Cargo-culter: We don’t need a review, this project complied with all […]

 

Quick Thought: Scenario Planning

I spent yesterday in a workshop learning about and practicing scenario planning. It’s a really great tool for planning for (as opposed to predicting) the future. It feels like it’s a great addition to the risk assessment/management process. Check it out.

 

Visual Notetaking

I’m a big fan of the book “Back of the Napkin” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept “visual notetaking” where you use images to support other notes you are taking during a meeting. I’m at a two day workshop and we have […]

 

"As far as I know, effective immediately"

Asked about the timing, the unbriefed propaganda minister mumbled: “As far as I know, effective immediately.” When that was reported on television, the Berliners were off. Baffled border guards who would have shot their “comrades” a week earlier let the crowd through—and a barrier that had divided the world was soon being gleefully dismantled. West […]

 

Mini Metricon 4.5 Call for Participation

[Posting this here to help get the word out – Chris ] Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the […]

 
 

2 Proposed Breach Laws move forward

See George Hulme, “National Data Breach Law Steps Closer To Reality ” and Dennis Fisher “http://threatpost.com/en_us/blogs/two-data-breach-notification-bills-advance-senate-110609.” Dennis flags this awe-inspiring exception language: “rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.” […]

 

On smelly goats, unicorns, and FUD

Unicorns (of some sort) are not impossible in principle, only non-existent in recent times. As evidence, I offer Tsintaosaurus spinorhinus, a real dinosaur found in China. Though we may be comfortable with our current “smelly, ugly goat” practices, including the ethically questionable FUD tactic, they only perpetuate the problems and, at worst, are like peeing in the swimming pool.

 

Apologies to Richard Bejtlich

The previous blog post, “Just say ‘no’ to FUD”, described Richard Bejtlich’s post at Tao of Security as “FUD in other clothing”. That was over-reaching. I apologize. There was an element of FUD, but my main objection to Richard’s post was due to other reasons.

 

Mini Metricon 4.5 Call For Participation

Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the RSA Conference, to be held during the same week. Mini MetriCon attendees […]

 

"A Call for Evidence-Based Security Tools"

Via Schneier: From the Open Access Journal of Forensic Psychology, by a large group of authors: “A Call for Evidence-Based Security Tools“: Abstract: Since the 2001 attacks on the twin towers, policies on security have changed drastically, bringing about an increased need for tools that allow for the detection of deception. Many of the solutions […]

 

Pay for your own dog food

At Microsoft, there’s a very long history of ‘eating your own dogfood’ or using the latest and greatest daily builds. Although today, people seem to use the term “self-host,” which seems evidence that they don’t do either. Eating your own dogfood gives you a decent idea of when it starts to taste ok, which is […]

 

Thank you!

For the opportunity to do this:

 

Detecting Malice

I just finished reading RSnake’s new book Detecting Malice and I can say without a doubt that it is one of the best technical books I have ever read. Furthermore, I can tell you that it is, without a doubt, the best web security book I have ever had the pleasure to read. Imagine a […]

 

Tabletop Science

Mordaxus emailed some of us and said “I hope this doesn’t mean MG has jumped the shark.” What was he talking about? Apparently, ThinkGeek now has a “Molecular Gastronomy Starter Kit.” For those of you who’ve been hiding in a Cheesecake Factory for the past few years, molecular gastronomy is the art of using science […]

 

Seattle: Pete Holmes for City Attorney

I don’t usually say a lot about local issues, but as readers know, I’m concerned about how arbitrary ID checking is seeping into our society. It turns out my friend Eric Rachner is also concerned about this, and was excited when a Washington “Judge said showing ID to cops not required.” So when Eric was […]

 

Just say 'no' to FUD

“Fear, uncertainty, and doubt” (FUD) is a distortion tactic to manipulate decision-makers. You may think it’s good because it can be successful in getting the outcomes you desire. But it’s unethical. FUD is also anti-data and anti-analysis. Don’t do it. It’s the opposite of what we need.

 

Ooops! and Ooops again!

Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe: Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an orrery, not an astrolabe?” It appears that I’m going to have to update my commentary. […]

 

Ross Anderson's Psychology & Security page

Ross Anderson has a new Psychology and Security Resource Page. His abstract: A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and undertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as […]

 

Fordham report on Children's Privacy

Following the No Child Left Behind mandate to improve school quality, there has been a growing trend among state departments of education to establish statewide longitudinal databases of personally identifiable information for all K-12 children within a state in order to track progress and change over time. This trend is accompanied by a movement to […]

 

Bob Blakley Gets Future Shock Dead Wrong

Bob Blakley has a very thought provoking piece, “Gartner Gets Privacy Dead Wrong.” I really, really like a lot of what he has to say about the technical frame versus the social frame. It’s a very useful perspective, and I went back and forth for a while with titles for my post (The runner up […]

 

Is responsible disclosure dead?

Jeremiah Grossman has an article in SC Magazine, “Businesses must realize that full disclosure is dead.” On Twitter, I asked for evidence, and Jerimiah responded “Evidence of what exactly?” I think the key assertion that I take issue with is bolded in the context below: Unquestionably, zero-day vulnerabilities have an increasing real-world value to many […]

 

The Conch Republic

Apparently, in a sovereign-in-cheeck move, the the Florida Keys have withdrawn from the United States, and declared themselves to be “The Conch Republic.” Their motto is “We seceded where others failed.” Perhaps you haven’t heard of them because they make all the good jokes, making writing about them hard. I heard about them because of […]

 

On the value of 'digital asset value' for security decisions

What good is it to know the economic value of a digital asset for the purposes of making information security decisions? If you can’t make better decisions with this information, then the metric doesn’t have any value. This post discusses alternative uses, especially threshold or sanity checks on security spending. For these purposes, it functions better as a “spotlight” than as a “razor”. Digital Asset Value has other uses, not the least to get InfoSec people to understand Business people and their priorites and vice versa.

 

Something For Soscia, Girardi, & Charlie Manuel

It’s the probabilistic decision making tool for baseball managers.  On the iPhone.  It’s like a business intelligence application in the palm of your hand 🙂 Basically, it takes the probabilistic models of either Win Expectancy or Run Expectancy (any given action has some probability of contributing a run or a win) and given a situation, […]

 

Prisoners in Iran

There are apparently many people being held without charges by Iranian government. But as far as I know, I’ve only ever met one of them, and so wanted to draw attention to his case: During this entire time, our son has had just two short meetings with us for only a few minutes. Please imagine […]

 

Vista Didn't Fail Because of Security

Bruce Schneier points in his blog to an article in The Telegraph in which Steve Ballmer blames the failure of Vista on security. Every security person around should clear their throat loudly. Security is not what made Vista unpalatable. Many people liked Vista. My tech reporter friends not only adored it, but flat couldn’t understand […]

 

Dear ChoicePoint: Lying like a cheap rug undercuts all that

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized […]

 

How to Value Digital Assets (Web Sites, etc.)

If you need to do financial justification or economic analysis for information security, especially risk analysis, then you need to value digital assets to some degree of precision and accuracy. There is no unversally applicable and acceptable method. This article presents a method that will assist line-of-business managers to make economically rational decisions consistent with overall enterprise goals and values.

 

RSnakes On A Plane

or why RSnake will never be allowed to play video blackjat or poker at Blackhat ever again. Rsnake’s exploits with the game system on a recent flight are a fabulous read. Makes me wonder just how integrated these systems are with the regular flight systems though. Btw, RSnake, I expect a demo as part of […]

 

You've Got To Move It Move It

Josh Corman had an awesome post over on Fudsec on Friday. It’s so awesomely appropriate to this blog, that I’m sharing it with you. My only complaint is that I wish that I had written instead. Go read it right now.

 

Toyota Stalks Woman, Claims She Consented

In a lawsuit filed Sept. 28 in Los Angeles Superior Court, Amber Duick claims she had difficulty eating, sleeping and going to work during March and April of last year after she received e-mails for five days from a fictitious man called Sebastian Bowler, from England, who said he was on the run from the […]

 

Another good metaphor, killed by science

Wired has a First Look: Dyson’s Blade-Free Wonder Fan Blows Our Minds: Future generations will have no idea why the shit hitting the fan is any worse than it hitting anything else.

 

Speaking in Michigan on Tuesday

Andrew Stewart and I will be speaking at the University of Michigan SUMIT_09 on Tuesday. We’re on 10:30-11:25. If you’re in the area, please come by.

 

Are Security "Best Practices" Unethical?

Anton Chuvakin’s been going old school.  Raising the specter of “risk-less” security via best practices and haunting me like the ghost of blog posts past.   Now my position around best practices in the past has been that they are, to use Jack Jones’ phrase, Infosec “shamansim”.  We do these things because our forefathers do them, […]

 

SECTOR Sniffing: It Smells, as does the Response

Apparently, at the SecTor security conference, someone tapped into the network and posted passwords to a Wall of Sheep. At the SecTor speakers dinner, several attendees were approached by colleagues and informed that their credentials appeared on the “Wall of Shame” for all to see. When questioned about how the encrypted and unencrypted traffic was […]

 

New Best Practice: Think

Since anyone can declare anything a best practice in information security, I’d like to add my favorite to your list. Think. Thank you.

 

Another Long Time Fugitive Arrested

Yesterday, Luis Armando Peña Soltren was arrested after forty years on run for hijacking a plane to Cuba. Soltren “will finally face the American justice system that he has been evading for more than four decades,” said U.S. Attorney Preet Bharara. I understand that Woody Allen, Martin Scorsese and David Lynch are already circulating a […]

 

The Presentation of Self and Everyday Photographs

With the kind help of our awesome readership, Amazon and Glazer’s, I’ve acquired a camera, some books, a tripod, a prime 50mm, a flash diffuser, a polarizing filter, a graduated neutral filter, and some other random photography toys tools. You might question this, but I can quit anytime. Really! I even offered to loan my […]

 

Visual Complexity Web Site

VisualComplexity.com intends to be a unified resource space for anyone interested in the visualization of complex networks. While it may not contain any examples specific to information security, there may be some methods and ideas that can be adapted to InfoSec.

 
 

LCROSS Lunar Impact Friday, 4:30 AM Pacific

So the Lunar Crater Observation and Sensing Satellite has one last sensing task which it will carry out tomorrow morning at 4:30 AM Pacific. That is to dig a big hole in Cabeus (proper) and see if there’s water there. Unfortunately for LCROSS, it doesn’t really have landing jets, which means it will dig a […]

 

Hal Finney's news

Hal Finney has posted some news to LessWrong: A man goes in to see his doctor, and after some tests, the doctor says, “I’m sorry, but you have a fatal disease.” Man: “That’s terrible! How long have I got?” Doctor: “Ten.” Man: “Ten? What kind of answer is that? Ten months? Ten years? Ten what?” […]

 

Tetraktys is the Best Cryptographic Novel Ever

I’ve been remiss in not posting a review of Tetraktys, by Ari Juels. Short review: It’s better written and has better cryptographers than the ones in any Dan Brown novel, but that’s really damning it with faint praise, which it doesn’t deserve. It’s a highly readable first novel by Ari Juels, who is Chief Scientist […]

 

Quick Thoughts on the New Blogging Regulations

I want to congratulate the folks at the FTC, who’ve decided we all need to follow some rules about what bloggers can say. See for example, “ Epicenter The Business of Tech FTC Tells Amateur Bloggers to Disclose Freebies or Be Fined” at Wired. These new rules are documented in an easy to read 81 […]

 

The Cost of a Near-Miss Data Breach

Near misses are very valuable signals regarding future losses. If we ignore them in our cost metrics, we might make some very poor decisions. This example shows that there is a qualitative difference between “ground truth data” (in this case, historical cash flow for data breach events) and overall security metrics, which need to reflect our estimates about the future, a.k.a. risk.

 

Botnet Research

Rob Lemos has a new article up on the MIT Technology Review, about some researchers from UC Santa Barbara who spent several months studying the Mebroot Botnet. They found some fascinating stuff and I’m looking forward to reading the paper when it’s finally published. While the vast majority of infected machines were Windows based (64% […]

 

Punditry: Better Security Through Diversity Of Thinking

I am honored that the kind folks at threapost have asked me to write for them occasionally. My first post is about better security through diversity of thinking which was inspired by pastry chef Shuna Fish Lydon. From her post (which I quoted in mine as well) It is my experience that unless you push […]

 

Changing Expectations around Breach Notice

Earlier this month, the Department of Health and Human Services imposed a “risk of harm” standard on health care providers who lose control of your medical records. See, for example, “Health IT Data Breaches: No Harm, No Foul:” According to HHS’ harm standard, the question is whether access, use or disclosure of the data poses […]

 

MA/NY: Using GPS To Track Cars Requires A Warrant

Jennifer Granick reports that in Massachusetts, Cops Can’t Convert Car Into Tracking Device Without Court’s OK. Connolly decided that the installation of the GPS device was a seizure of the suspect’s vehicle. “When an electronic surveillance device is installed in a motor vehicle, be it a beeper, radio transmitter, or GPS device, the government’s control […]

 
 

Some thoughts on the Olympics, Chicago and Obama

So the 2016 Olympics will be in Rio de Janeiro. Some people think this was a loss for Obama, but Obama was in a no-win situation. His ability to devote time to trying to influence the Olympics is strongly curtailed by other, more appropriate priorities. If he hadn’t gone to Copenhagen, he would have been […]

 

Models are Distracting

So Dave Mortman wrote: I don’t disagree with Adam that we need raw data. He’s absolutely right that without it, you can’t test models. What I was trying to get at was that, even though I would absolutely love to have access to more raw data to test my own theories, it just isn’t realistic […]

 

Security is About Outcomes, FISMA edition

Over at the US Government IT Dashboard blog, Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO) write: the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ […]

 

Meta-Data?

So awhile back, I posted the following to twitter: Thought of the Day: We don’t need to share raw data if we can share meta-data generated using uniform analytical methodologies. Adam, disagreed: @mortman You can’t test & refine models without raw data, & you can’t ask people with the same orientation to bring diverse perspectives. […]

 

Gates Was Hardly An Exception

There was a lot of news when Henry Lewis Gates was arrested back in July, essentially for mouthing off to a cop. What happened was a shame, but what is more of a shame is that this sort of thing isn’t that rate. Time magazine had a recent article about this, Do You Have the […]

 

Happy Banned Books Week!

Quoting Michael Zimmer: [Yesterday was] the start of Banned Books Week 2009, the 28th annual celebration of the freedom to choose what we read, as well as the freedom to select from a full array of possibilities. Hundreds of books are challenged in schools and libraries in the United States each year. Here’s a great […]

 

Podcasts with Amrit

I had fun recording Beyond the Perimiter Episode 48 and 49 with Amrit. I think Amrit asked some of the broadest, most complex questions I’ve been asked, and it was hard to keep the episodes short. Go have a listen!

 
 

A Little Temporary Safety

So I saw this ad on the back of the Economist. (Click for a larger PDF). In reading it, I noticed this exhortation to “support the STANDUP act of 2009:” The STANDUP Act* (H.R. 1895) creates a National Graduated Driver Licensing (GDL) law that [limits nighttime driving, reduces in-car distractions, puts a cap on the […]

 
 

Metrics Abused

Statistically speaking, 6 out of 7 dwarves are not happy. [via zem42]

 

National Cyber Leap Year Summit reports now available

I believe these are the final deliverables: National Cyber Leap Year Summit 2009 Co-Chairs Report — main discussion of metrics is p 26-28 National Cyber Leap Year Summit 2009 Participants’ Ideas Report – main discussion of metrics is p 44-46, p 50-51, and p 106; with related discussion on p 53-54. Also worth noting is […]

 

Happy Emancipation Proclamation Day!

That on the first day of January in the year of our Lord, one thousand eight hundred and sixty-three, all persons held as slaves within any state, or designated part of a state, the people whereof thenceforward, and forever free; and the executive government of the United States [including the military and naval authority thereof] […]

 

Making Sense of the SANS "Top Cyber Security Risks" Report

The SANS Top Cyber Security Risks report has received a lot of positive publicity. I applaud the effort and goals of the study and it may have some useful conclusions. We should have more of this. Unfortunately, the report has some major problems. The main conclusions may be valid but the supporting analysis is either confusing or weak. It would also be good if this study could be extended by adding data from other vendors and service providers.

 

Private Thoughts on Race

So I’m sitting on the plane home from* Seattle, and I had a really interesting conversation on race with the woman next to me. We were talking, and she asked me, why is it so hard to have conversations like this. I thought that the answer we came to was interesting, and insofar as it […]

 

Visualization Friday – Improving a Bad Graphic

We can learn from bad visualization examples by correcting them. This example is from the newly released SANS “Top Cyber Security Risks” report. Their first graphic has a simple message, but due to various misleading visual cues, it’s confusing. A simplified graphic works much better, but they probably don’t need a graphic at all — a bulleted list works just as well. Moral of this story: don’t simply hand your graphics to a designer with the instructions to “make this pretty”. Yes, the resulting graphic may be pretty, but it may lose its essential meaning or it might just be more confusing than enlightening. Someone has to take responsibility for picking the right visualization metaphor and structures.

 

Secret Photo Apps for the iPhone

If you try searching the App store for photo apps, you find all sorts of things to make your photos sepia. Or blurry. Or to draw on them. Which is great, but if you want apps to help you take photographs, they’re sorta hard to find. So here are some links: First up, a reference […]

 

Proskauer Rose Crows "Rows of Fallen Foes!"

Over on their blog, the law firm announces yet another class action suit over a breach letter has been dismissed. Unfortunately, that firm is doing a fine business in getting rid of such suits. I say it’s unfortunate for two reasons: first, the sued business has to lay out a lot of money (not as […]

 

Notes to the Data People

Over on his Guerilla CISO blog, Rybolov suggests that we ask the Data.gov folks for infosec data using their Suggest a data set page. It sounds like a good idea to me! I took his request and built on it. Rather than breaking the flow with quotes and edit marks, I’ll simply say the requests […]

 

Atoms, Photographed

The pictures, soon to be published in the journal Physical Review B, show the detailed images of a single carbon atom’s electron cloud, taken by Ukrainian researchers at the Kharkov Institute for Physics and Technology in Kharkov, Ukraine….To create these images, the researchers used a field-emission electron microscope, or FEEM. They placed a rigid chain […]

 

12 Tips for Designing an InfoSec Risk Scorecard (its harder than it looks)

An “InfoSec risk scorecard” attempts to include all the factors that drive information security risk – threats, vulnerabilities, controls, mitigations, assets, etc. But for the sake of simplicity, InfoSec risk scorecards don’t include any probabilistic models, causal models, or the like. It can only roughly approximate it under simplifying assumptions. This leaves the designer open to all sorts of problems. Here are 12 tips that can help you navigate these difficulty. It’s harder than it looks.

 

BBC Video of Liquid Explosives

The BBC has some really scary video “Detonation of Liquid Explosives.” However, as I thought about it, I grow increasingly confused by what it purports to show, and the implications. At the end of the day, I think there are two possibilities: It’s a fair representation, or it’s not. I’m leaning slightly towards the second. […]

 

This Friday is “Take an Academic Friend to Work Day”

We need more cross-disciplinary research and collaboration in InfoSec. We start on a small scale, starting with people in our professional network. One fertile area of research and collaboration is to apply the latest research in non-standard logic and formal reasoning (a.k.a. AI) to InfoSec risk management problems. The problem is that most of that research reads like Sanskrit unless you are a specialist. Rather than simply post links to academic papers and ask you to read them, let’s use these papers as a vehicle to start a dialog with an academic friend, or a friend-of-friends. Maybe there are some breakthrough ideas in here. Maybe not. Either way, you will have an interesting experience in cross-discipline collaboration on a small scale.

 

Is risk management too complicated and subtle for InfoSec?

Luther Martin, blogger with Voltage Security, has advised caution about using of risk risk management methods for information security, saying it’s “too complicated and subtle” and may lead decision-makers astray. To backup his point, he uses the example of the Two Envelopes Problem in Bayesian (subjectivist) probability, which can lead to paradoxes. Then he posed an analogous problem in information security, with the claim that probabilistic analysis would show that new security investments are unjustified. However, Luther made some mistakes in formulating the InfoSec problem and thus the lessons from Two Envelopes Problem don’t apply. Either way, a reframing into a “possible worlds” analysis resolves the paradoxes and accurately evaluates the decision alternatives for both problems. Conclusion: risk management for InfoSec is complicated and subtle, but that only means it should be done with care and with the appropriate tools, methods, and frameworks. Unsolved research problems remain, but the Two Envelopes Problem and similar are not among them.

 

Caster Semenya, Alan Turing and "ID Management" products

South African runner Caster Semenya won the womens 800-meter, and the attention raised questions about her gender. Most of us tend to think of gender as pretty simple. You’re male or you’re female, and that’s all there is to it. The issue is black and white, if you’ll excuse the irony. There are reports that: […]

 

National Cyber Leap Year: Without a Good Running Start, There Might Be No Leap

The National Cyber Leap Year (NCLY) report coming out in a few weeks might lead to more US government research funding for security metrics in coming years. But that depends on whether the report is compelling to the Feds and Congress. Given the flawed process leading up to the Summit, I have my doubts. Clearly, this NCLY process is not a good model for public-private collaboration going forward.

 

Rebuilding the internet?

Once apon a time, I was uunet!harvard!bwnmr4!adam. Oh, harvard was probably enough, it was a pretty well known host in the uucp network which carried our email before snmp. I was also harvard!bwnmr4!postmaster which meant that at the end of an era, I moved the lab from copied hosts files to dns, when I became […]

 

Metrics: 50% Chance of Injury by Biscuit

The Telegraph reports: More than half of all Britons have been injured by biscuits ranging from scalding from hot tea or coffee while dunking or breaking a tooth eating during a morning tea break, a survey has revealed. Who knew that cookies could be so dangerous? So forget worrying about AV or even seat belts, […]

 

Some Stuff You Might Find Interesting 9-8-2009

IT’S A TAB DUMP Hey,  because of the holiday, I missed posting some stuff for you all about security & visualization last week. So I thought I’d make it up to you today (plus, I’m about to declare Firefox tab bankruptcy, as I tend to find things to mention on the blog here and then […]

 

Make the Smart Choice: Ignore This Label

He said the criteria used by the Smart Choices™ Program™ were seriously flawed, allowing less healthy products, like sweet cereals and heavily salted packaged meals, to win its seal of approval. “It’s a blatant failure of this system and it makes it, I’m afraid, not credible,” Mr. Willett said. […] Eileen T. Kennedy, president of […]

 

Only an idea after a bunch of calculating

Andrew Koppelman has a post on lawprof blog Balkinization, titled “You have no idea:” This data sits uneasily beside a recent study in the American Journal of Medicine of personal bankruptcies in the United States. In 2007, 62% of all personal bankruptcies were driven by medical costs. “Nationally, a quarter of firms cancel coverage immediately […]

 

Non Commercial

If you haven’t listened to Larry Lessig’s 23C3 talk, it’s worthwhile to listen to the argument he makes. As I was listening to it, I was struck by the term non-commercial, and, having given it some thought, think that we need a better word to describe the goals Creative Commons is pursuing. The term non-commercial […]

 

We're all reputable on this bus

There’s an interesting story at Computerworld, “Court allows suit against bank for lax security.” What jumped out at me was Citizens also had claimed that its online banking services were being provided and protected by a highly reputable company. In addition to the third-party security services, Citizens said it had its own measures for protecting […]

 

Ten Years Ago: Reminiscing about Zero-Knowledge

Ten years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who […]

 

Sunday Linkage Security/Privacy In The UK

Quarter of a million Welsh profiles added to DNA database since 2000. [I forget who linked to this one.] CCTV in the spotlight: one crime solved for every 1,000 cameras [Via the security metrics mailing list.]

 
 

Cures versus Treatment

A relevant tale of medical survival over at The Reality-Based Community: Three years ago a 39-year-old American man arrived at the haematology clinic of Berlin’s sprawling Charité hospital. (The venerable Charité, one of the great names in the history of medicine, used to be in East Berlin, but it’s now the brand for the merged […]

 

I'm OK When The System Works – Even If It Is A False Alarm

——————————— UPDATE:  @lbhuston gives us the dirty low down here: http://stateofsecurity.com/?p=766 ——————————— This was a test of the emergency broadcast system.  This was only a test, had this been a real change in the Threat Landscape….. You may have read in various media outlets about a little incident that happened yesterday concerning the mailing of […]

 

Visualization Friday – Back From Hiatus

Hey all, sorry it’s been so long since I put up some eye candy.  Today’s posts come from the usual sources (flowing data and other various information design blogs) but I also wanted to point you to a new source of cool: http://www.informationisbeautiful.net/ So without futher adieu, your Visualization Friday Posts (some pertinent to the […]

 

We Live in Public

It’s opening in New York this weekend, and the New York Times has a review.

 

Perfecter than Perfect

So I’m having a conversation with a friend about caller ID blocking. And it occurs to me that my old phone with AT&T, before Cingular bought them, had this nifty feature, “show my caller-ID to people in my phone book.” Unfortunately, my current phone doesn’t have that, because Steve Jobs has declared that “Apple’s goal […]

 

What Are People Willing to Pay for Privacy?

So I was thinking about the question of the value of privacy, and it occurred to me that there may be an interesting natural experiment we can observe, and that is national security clearances in the US. For this post, I’ll assume that security clearances work for their primary purpose, which is to keep foreign […]

 

Mike Dahn Wants to NewSchool PCI

And I couldn’t agree more. Capability and Maturity Model Creation in Information Security — PS – sorry for using “NewSchool” as a verb.

 

Social network privacy study finds identity link to cookies

Quick follow up to Adam’s Monday post New on SSRN. Rob Westervelt over at SearchSecurity.com tells us about a social network privacy study finds identity link to cookies. Turns out that passing unique identifiers in referring URLs isn’t such a smart idea after all. Color me shocked. The full paper is linked to from Rob’s […]

 

Moore's Law is a Factor in This

I remember when Derek Atkins was sending mail to the cypherpunks list, looking for hosts to dedicate to cracking RSA-129. I remember when they announced that “The Magic Words are Squeamish Ossifrage.” How it took 600 people with 1,600 machines months of work and then a Bell Labs supercomputer to work through the data. I […]

 

Renaming the Blog to Emergent Chaos (II)

A little more seriously, the identity of a blog is constructed between the authors, commenters and readers, and I’m continually amazed by what emerges here. At the same time, what’s emerging is currently not very chaotic, and I’m wondering if it’s time for some mixing it up. Suggestions welcome.

 

Renaming the blog to Emergent Chaos (I)

In 2007, Artist Kristin Sue Lucas went before a judge to get a name change to…Kristin Sue Lucas. She’s put together a show called “Refresh” and one called “Before and After.” My favorite part is where the judge wrestles with the question “what happens when you change a thing to itself:” JR: And I don’t […]

 

New on SSRN

There’s new papers by two law professors whose work I enjoy. I haven’t finished the first or started the second, but I figured I’d post pointers, so you’ll have something to read as we here at the Combo improvise around Cage’s 2:33. Paul Ohm has written “Broken Promises of Privacy: Responding to the Surprising Failure […]

 

Suing Into the Box

Todays New York Times has an interesting article “A Lawsuit Tries to Get at Hackers Through the Banks They Attack” about the folks over at Unspam who are suing under the Can-Spam Act in an attempt to get the names of miscreants who have been attacking banks. More interestingly, they are hoping to force the […]

 

Entering Our Prime

Today is amazingly enough the fifth anniversary of Adam starting this blog. It’s amazing how fast time flies when things are chaotic. Seems like just yesterday Adam was doing the initial Star Wars posts. Appropriately enough the most recent in the category was just this past Saturday. Thank you to all of our readers for […]

 

What should the new czar do? (Tanji's Security Survey)

Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? I think it’s a fascinating question, and posted my answer over […]

 

What should the new czar do? (Tanji's Security Survey)

Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? My three: De-stigmatize failure. Today, we see the same failures we […]

 

Heartland/TJX/Hannaford hacker caught

I’ve been busy and haven’t had a lot of time to dig in, but Rich Mogull has some really good articles, “Heartland Hackers Caught; Answers and Questions,” and “Recent Breaches- We May Have All the Answers.” I have two questions: Were these custom attacks, or a failure to patch? Reading what’s not in the USSS/FBI […]

 

Mortman/Hutton Security-BSides & Black Hat Presentation Available

Hey y’all, happy Monday morning.   I’ve put Dave & my presentation for Security BSides up on slideshare: http://www.slideshare.net/alexhutton/mortmanhutton-security-bsides-presentation Mortman/Hutton Security B-Sides Presentation View more presentations from alexhutton. Also note that this includes the Black Hat presentation we gave on the Mortman/Hutton Vulnerability/Exploit model.  I hope you will enjoy! PS – There’s probably audio available for […]

 

We Live In Public, The Movie

One of the best ways to upset someone who cares about privacy is to trot out the “nothing to hide, nothing to worry about” line. It upsets me on two levels. First because it’s so very wrong, and second, because it’s hard to refute in a short quip. I think what I like most about […]

 

Spinal Tap, Copyright

There’s a cute little story in the NYTimes, “Lego Rejects a Bit Part in a Spinal Tap DVD.” I read it as I was listening to a podcast on Shepard Fairey vs The Associated Press that Dan Solove pointed out. In that podcast, Dale Cendali (the attorney representing the AP) asserts that licensing is easy, […]

 
 

Hearsay podcast: Shostack on Privacy

Dennis Fisher talks with Microsoft’s Adam Shostack about the Privacy Enhancing Technologies Symposium, the definition of privacy in today’s world and the role of technology in helping to enhance and protect that privacy. As always, a fun conversation with Dennis Fisher. Ran longer than I think either of us expected at 41:15. And speaking of […]

 
 

Heartland CEO and Outrage

Bill Brenner has an interview with Robert Carr, the CEO of Heartland. It’s headlined “Heartland CEO on Data Breach: QSAs Let Us Down.” Some smart security folks are outraged, asserting that Carr should know the difference between compliance and security, and audit and assessment. Examples include Rich Mogull’s “Open Letter to Robert Carr” and Alan […]

 

New Breach Laws

Missouri adds a law with a “risk of harm trigger” aka the full-employment provision for lawyers and consultants. Texas adds health data to their notification list. Most importantly, North Carolina requires notice to their attorney general for breaches smaller than 1,000 people. I think Proskauer here is being a little inaccurate when they characterize this […]

 

Information Security-Don't sweat it

So-called clinical-strength antiperspirants …come with instructions that they be applied before bed for “maximum” protection from wetness and odor. … Even regular-strength antiperspirants work best when applied to underarms at night, experts told us. Bedtime application “really is the best way to use an antiperspirant,” says Daivd Pariser, M.D., president of the American Academy of […]

 

What's in a name?

Brian Jones Tamanaha has an interesting post about our database-driven society. The core of it is that English is bad at recording some names. The solution? Force people to change their official names for the convenience of the database: During public hearings on the voter identification legislation in the House, state Rep. Betty Brown, R-Terrell, […]

 
 
 

Dear $LOCALBANK That I Use

Keeping a database of all of your ATM PINs in a clear (or possibly encrypted but easily reversible) text database is not a good idea. I honestly can’t see any use value for this, especially when they won’t tell you what your PIN is even if you have multiple forms of government issued identification. No […]

 

Quantitative Analysis of Web Application Usefulness (Or Why Your ROSI is wRONG)

The amazing (in both quality and quantity of blog post production) Lori MacVittie of f5 has a blog post up on their corporate blog called,  “A Formula for Quantifying Productivity of Web Applications.” Basically, Lori proposes that we study web server processes and the time to complete them over a period of time rather than […]

 

Television, Explained

So I’m not sure if Michael Pollan’s “Out of the Kitchen, Onto the Couch” is supposed to be a movie review, but it’s definitely worth reading if you think about what you eat. I really like this line: The historical drift of cooking programs — from a genuine interest in producing food yourself to the […]

 

Is Barack Obama an American Citizen?

It might seem, to the average person, that the “Birthers” must have a tough time proving their case. After all, Barack Obama has released his Certification of Live Birth (pictured above), which meets all the requirements for proving one’s citizenship to the State Department. The authenticity of the certificate has been verified by Hawaii state […]

 

Hot Singles Are Waiting for You!

Information anyone gives to Facebook can be used by Facebook to do things Faceook wants to do. Like use your face in a personals ad. Even if Facebook knows you’re married. Facebook used Cheryl Smith’s face this way in an ad that it showed her husband. (“oops”) So go read more in Wife’s face used […]

 

ID Theft Risk Scores?

A bunch of widely read people are blogging about “MyIDscore.com Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.” First, there’s little explanation of how it’s working. I got a 240 when I didn’t give them my SSN, and my score dropped to 40 […]

 
 

To The Moon

One of the really fascinating things about listening to the streaming audio of the first moon landing is how much time was spent debugging the spacecraft, resetting this and that. As the memory fades away, Charlie Stross wrote about the difficulties in going back to the moon: Not only does the cost of putting a […]

 

Identity Theft

Remember Identity Theft isn’t getting your credit card stolen, that’s fraud. Having the records that define who you are to an entire country and determine whether you can get a relatively high paying job get stolen. That’s identity theft…

 

Penetration testing your products

It was built to be impenetrable, from its “super rugged transparent polycarbonate housing” to its intricate double-tabbed lid… Just go read the story. Anything else I say will spoil the punchline.

 

Chris, I'm sorry

I hate the overuse of URL shortners like tinyurl. I like to be able to see what a link is before I click on it. I don’t like that these companies get to be yet another point of surveillance. (To be fair, tinyurl doesn’t seem to be taking advantage of that. I have cookies from […]

 

The Arrest of Gates

A couple of good articles are John McWhorter’s “Gates is Right–and We’re Not Post-Racial Until He’s Wrong,” and Lowry Heussler’s “Nightmare on Ware Street.” The full police report is at “Gates police report.” I think PHB’s comment on Michael Froomkin’s post is quite interesting: You are all missing a rather significant fact, this is the […]

 

Today's Privacy Loss – English Soldiers' Details Published

Demonstrating that no one’s data is safe, the names, pay records, and other personal information of 90,000 English soldiers was placed on the Internet. These soldiers, who served with king Henry V at Agincourt now have their information listed at www.medievalsoldier.org, exposing them to the chance of identity theft after nearly 500 years. They soldiers […]

 

For epistemological anarchism

So Dave Mortman and Alex Hutton have a talk submitted to Security BSides entitled “Challenging the Epistemological Anarchist to Escape our Dark Age.” Now, it would certainly be nice if we could all use the same words to mean the same things. It would make communication so much easier! It would let us build the […]

 

July 20, 1969

The Apollo program took place at just about the right time for me. I was six (or, as I would quickly have pointed out at the time, six *and a half*) when the first lunar landing occurred, and barely ten when Apollo 17 splashed down. This was old enough to be fascinated by the technology […]

 

Color on Chrome OS

New things resemble old things at first. Moreover, people interpret new things in terms of old things. Such it is with the new Google Chrome OS. Very little I’ve seen on it seems to understand it. The main stream of commentary is comparisons to Windows and how this means that Google is in the OS […]

 

We Regret The New York Times’ Error

In “Kindling a Consumer Revolt,” I quoted the New York Times: But no, apparently the publisher changed its mind about offering an electronic edition, and apparently Amazon, whose business lives and dies by publisher happiness, caved. It electronically deleted all books by this author from people’s Kindles and credited their accounts for the price.” What […]

 

Kindle Brouhaha Isn't About DRM

In case you haven’t heard about it, there is a brouhaha about Amazon un-selling copies of two Orwell books, 1984 and Animal Farm. There has been much hand-wringing, particularly since it’s deliciously amusing that that it’s Orwell. The root cause of the issue is that the version of the Orwell novels available on the Kindle […]

 

Kindling a Consumer Revolt

Well, by now it’s all over the blogo/twitter spheres, and everything that might be said has already been said about Eric Blair, a publisher and Amazon: This morning, hundreds of Amazon Kindle owners awoke to discover that books by a certain famous author had mysteriously disappeared from their e-book readers. These were books that they […]

 

Up Again

We had some expected downtime this morning. Thanks for your notes and IMs. If you’re reading this, things are now working again.

 
 

A Black Hat Sneak Preview (Part 2 of ?)

Following up on my previous post, here’s Part 2, “The Factors that Drive Probable Use”. This is the meat of our model. Follow up posts will dig deeper into Parts 1 and 2. At Black Hat we’ll be applying this model to the vulnerabilities that are going to be released at the show. But before […]

 

Not because it is easy, but because it is hard

Forty years ago today, Apollo 11 lifted off for the moon, carrying Buzz Aldrin, Neil Armstrong and Michael Collins. The Boston Globe has a great selection of photos, “Remembering Apollo 11.” (Thanks to Deb for the link.)

 

Happy Bastille Day!

It’s hard not to like a holiday which celebrates the storming of a prison and the end of a monarchy. Photo: Vytenis Benetis .

 

An Example of Our Previous Graph In Action

I wanted to throw it out here as an example of how you would the model from my earlier post in real life. So let’s take the recently released Internet Explorer security vulnerability and see how it fits. Now this is a pretty brain-dead example and hardly requires a special tool, but I think it […]

 

Do Audit Failures Mean That Audit Fails In General?

Iang’s posts are, as a rule, really thought provoking, and his latest series is no exception. In his most recent post, How many rotten apples will spoil the barrel, he asks: So we are somewhere in-between the extremes. Some good, some bad. The question then further develops into whether the ones that are good are […]

 

Wells Fargo vs Wells Fargo

You can’t expect a bank that is dumb enough to sue itself to know why it is suing itself. Yet I could not resist asking Wells Fargo Bank NA why it filed a civil complaint against itself in a mortgage foreclosure case in Hillsborough County, Fla. “Due to state foreclosure laws, lenders are obligated to […]

 

Running from the truth

Robin Hanson has an interesting article, “Desert Errors:” His findings stayed secret until 1947, when he was allowed to publish his pioneering Physiology of Man in the Desert. It went almost entirely unnoticed. In the late 1960s, marathon runners were still advised not to drink during races and until 1977, runners in international competitions were […]

 

Business Week on Heartland

Not much to add, but a good article in Business Week on Lessons from the Data Breach at Heartland. Well worth reading…

 

Social Security Numbers are Worthless as Authenticators

The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The findings, published Monday in The Proceedings of the National […]

 

A Black Hat Sneak Preview (Part 1 of ?)

Alex and I will be on a panel, A Black Hat Vulnerability Risk Assessment, at this year’s Black Hat. We’ll be discussing the need to perform a risk assessment of vulnerabilities as you become aware of them in a deeper context then just looking at the CVSS scores. Things to consider are what compensating controls […]

 

Bob Blakely on the Cybersecurity Conversation

Bob Blakely has a thought-provoking blog post which starts: The Cyberspace Policy Review says “The national dialog on cyber-security must begin today.” I agree. Let’s start the dialog with a conversation about what sacrifices we’re willing to make to get to an acceptable worst-case performance. Here are four questions to get the ball rolling: Question […]

 

Thoughts on Iran

Our love affair with the Iranian Tweetolution has worn off. The thugs declared their election valid, told their armed representatives to Sorry, next tweet: go impose some law or order or something, and it was done. Well, as it often turns out, there was more to it than fits in 140 characters, and the real […]

 

The Punch Line Goes at the End

The Black Hat conference in Las Vegas always has its share of drama. This year, it’s happened a month before the conference opens. The researcher Barnaby Jack had to cancel his talk. Risky.biz gives an account of this; his talk was to make an Automated Teller Machine spit out a “jackpot” of cash, in the […]

 

Unthinkable Foolishness from TSA

“Flying from Los Angeles to New York for a signing at Jim Hanley’s Universe Wednesday (May 13th), I was flagged at the gate for ‘extra screening’. I was subjected to not one, but two invasive searches of my person and belongings. TSA agents then ‘discovered’ the script for Unthinkable #3. They sat and read the […]

 

Voltage Predicts the Future

It’s easy to critique the recent Voltage report on breaches. (For example, “2009 started out to be a good year for hackers; in the first three months alone, there were already 132 data breaches reported.” That there were 132 breaches does not mean that hackers are having a good year; most breaches are not caused […]

 

Thanks, Jeffrey Bennett

In “Books that should be in a security manager’s library,” Jeffrey Bennett says nice things about The New School (the book) and suggests that it’s one of eight that “no professional library is complete without.” Thanks!

 

Emergent Traffic Chaos

Paul Kedrosky has an amazing video: As described in the New Scientist: Researchers from several Japanese universities managed the feat by putting 22 vehicles on a 230-metre single-lane circuit (see video). They asked drivers to cruise steadily at 30 kilometres per hour, and at first the traffic moved freely. But small fluctuations soon appeared in […]

 

More Friday Skepticism

Since Adam started it, I’ll add a link to a nice YouTube video about how to be a good skeptic h/t BoingBoing

 

Death-related items

I’m cleaning out my pending link list with couple morbidly-thematic links. Old-but-interesting (2007 vintage) list of relative likelihoods of death compared to dying in a terrorist attack.  For example… You are 1048 times more likely to die from a car accident than from a terrorist attack You are 12 times more likely to die from […]

 

Visualization Friday & More!

OK, so this week for Visualization Friday, I’m going to point you to just one thing: At Last, a Scientific Approach to Infographics A blog post by the awesome visualization expert Stephen Few that praises: Visual Language for Designers: Principles for Creating Graphics that People Understand by Connie Malamed OK, I’ll also mention that I […]

 

Science, Skepticism and Security

Rich Mogull has a great post on “Science, Skepticism and Security” In the security industry we never lack for theories or statistics, but very few of them are based on sound scientific principles, and often they cannot withstand scientific scrutiny. For example, the historic claim that 70% of security attacks were from the “insider threat” […]

 

The Cost of Anything is the Foregone Alternative

The New York Times reports: At least six men suspected or convicted of crimes that threaten national security retained their federal aviation licenses, despite antiterrorism laws written after the attacks of Sept. 11, 2001, that required license revocation. Among them was a Libyan sentenced to 27 years in prison by a Scottish court for the […]

 

Economics of Information Security

Ross Anderson is liveblogging the 2009 Workshop on Economics of Information Security. I’m in Seattle, and thus following eagerly. It seems Bruce isn’t liveblogging this time. I know I found it challenging to be a stenographer and a participant at SHB.

 

The emergent chaos of fingerprinting at airports

HONG KONG (Reuters) – A Singapore cancer patient was held for four hours by immigration officials in the United States when they could not detect his fingerprints — which had apparently disappeared because of a drug he was taking. The incident, highlighted in the Annals of Oncology, was reported by the patient’s doctor, Tan Eng […]

 

UnClear where the data will go

So Clear’s Verified Line Jumper service has shut down. Aviation Week has a blog post, “ Clear Shuts Down Registered Traveler Lanes.” Clear collected a lot of data: The information that TSA requires us to request is full legal name, other names used, Social Security number (optional), citizenship, Alien Registration Number (if applicable), current home […]

 

Iran Links

The Economist’s Bagehot writes about his idea of “The chemistry of revolution,” while admitting he’s generalizing from two. Ethan Zuckerman on “Iran, citizen media and media attention.” “Unfortunately, unlike positive online gestures of solidarity (retweeting reports from Iran, turning Twitter or Facebook pictures green), this one does little more than piss off sysadmins, helps Iranian […]

 

Ron Paul supporter inadvertently gets iPhones banned from U.S. aircraft

Via CNN: Steve Bierfeldt says the Transportation Security Administration pulled him aside for extra questioning in March. He was carrying a pocket edition of the U.S. Constitution and an iPhone capable of making audio recordings. And he used them. On a recording a TSA agent can be heard berating Bierfeldt. One sample: “You want to […]

 

Visualization Friday!

Yesterday I got to see what might have been one of the most amazing(ly bad) security dashboards I’ve ever seen.  And those who have read my posts on visualization know that I find the visualization of risk & security to be a pretty fascinating field of study.  So given the quality of the GRC apps […]

 

Happy Juneteenth!

Celebrate Juneteenth, but remember that we have not eliminated the scrouge of slavery.

 

The Trouble With Metrics

Is that they can be gamed. See “ Terror law used to stop thousands ‘just to balance racial statistics’” in the Guardian: Thousands of people are being stopped and searched by the police under their counter-­terrorism powers – simply to ­provide a racial balance in official statistics, the government’s official anti-terror law watchdog has revealed. […]

 

Privacy Enhancing Technologies 2009

The organizers of the 9th Privacy Enhancing Technologies Symposium invite you to participate in PETS 2009, to be held at the University of Washington, Seattle, WA, USA, on Aug 5-7, 2009. PETS features leading research in a broad array of topics, with sessions on network privacy, database privacy, anonymous communication, privacy policies, and privacy offline. […]

 

Green Dam

Update 26 June 2009: The status of Green Dam’s optionality is still up in the air.  See, for example, this news story on PC makers’ efforts to comply, which points out that Under the order, which was given to manufacturers in May and publicly released in early June, producers are required to pre-install Green Dam […]

 

SHB Session 6: Terror

Bill Burns (Suggested reading Decision Research: The Diffusion of Fear: Modeling Community Response to a Terrorist Strike) Response to Crisis: Perceptions, Emotions and Behaviors. Examining a set of scenarios of threats in downtown LA. Earthquake, chlorine release, dirty bomb. Earthquake: likely 100-200 casualties. Dirty bomb, expected casualties: 100 at most. Chlorine may be thousands to […]

 

SHB Session 5: Foundations

Rachel Greenstadt chaired. I’m going to try to be a little less literal in my capture, and a little more interpretive. My comments in italic. Terence Taylor, ICLS (Suggested reading: Darwinian Security; Natural Security (A Darwinian Approach to a Dangerous World)). Thinks about living with risks, rather than managing them. There are lessons from biology, […]

 

SHB Session 4: Methodology

David Livingstone Smith chaired. Angela Sasse “If you only remember one thing: write down everything the user needs to do and then write down everything the user needs to know to make the system work. Results of failure are large, hard to measure. (Errors, frustration, annoyance, impact on processes and performance, coloring user perception of […]

 

SHB Session 3: Usability

Caspar Bowden chaired session 3, on usability. Andrew Patrick NRC Canada (until Tuesday), spoke about there being two users of biometric systems: the purchaser or system operator and the subject. Argues that biometrics are being rolled out without a lot of thought for why they’re being used, when they make sense and when not. Canada […]

 

Publius Outed

The pseudonymous blogger, Publius, has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Ed Volokh, and Publius commented on Volokh’s criticism of Whelen, so Whelen lashed out at Publius. Or so it seems from the nosebleed bleachers […]

 

SHB Session 2: Fraud

Julie Downs studied users who were going through an email inbox full of phishing emails, while doing a talk-aloud. They also did interviews afterwards. People with incidents get very sensitive to risks, but don’t get any better at identifying phishing emails. What really helps is contextualized understanding. Do they know what a URL is? Do […]

 

SHB Session 1: Deception

Frank Stajano Understanding Victims Six principles for systems security Real systems don’t follow logic that we think about. Fraudsters understand victims really well. Working with UK TV show, “the real hustle.” Draft paper on SHB site. Principles: Distraction, social compliance, herd principle, decption, greed, dishonesty David Livingstone Smith What are we talking about? Theoretical definitions: […]

 

Security & Human Behavior

I’m at the Security & Human Behavior workshop, and will be trying to blog notes as we go. I should be clear: these notes aren’t intended to be perfect or complete. Update: Bruce Schneier is also liveblogging. intro. Ross Anderson is blogging in comments to this post.

 

Security & Human Behavior

I’m blogging the Security & Human Behavior Workshop at the New School blog. Bruce Schneier is also blogging it, as is Ross Anderson.

 

A Farewell to Bernstein

From Chandler, who is in China: Adam sent along to the authors of this blog a link to the http://www.nytimes.com/2009/06/08/business/08bernstein.html?_r=1&hpw New York Times obituary for Peter Bernstein yesterday Peter L. Bernstein, an economic historian and a widely read popularizer of the efficient market theory, which changed trading behavior on Wall Street, died Friday at NewYork-Presbyterian/Weill […]

 

Pirate Party Victory in Sweden

“Together, we have today changed the landscape of European politics. No matter how this night ends, we have changed it,” Falkvinge said. “This feels wonderful. The citizens have understood it’s time to make a difference. The older politicians have taken apart young peoples’ lifestyle, bit by bit. We do not accept that the authorities’ mass-surveillance,” […]

 

Links To Interesting Stuff

I have a ton of tabs open in Firefox about stuff I thought would be some sweet newschool-esque reading for everybody out there. 1.) Threat and Risk Mapping Analysis in Sudan Not really about measurement and progress, but a fascinating look at “physical risk management” nonetheless: http://irevolution.wordpress.com/2009/04/09/threat-and-risk-mapping-analysis-in-sudan/ 2.)  I thought Gunnar did a great job […]

 

S&P Risk Models

There was an interesting segement on NPR this morning, “Economy Got You Down? Many Blame Rating Firms” that covered amongst other things the risk model that Standard and Poors used to rate bonds and in specific mortgage backed ones. There are a few choice quotes in the story about how the organizations approached the models […]

 

The Art of Living Dangerously

I haven’t had a chance to read it, but I’ll probably pick up “Absinthe and Flamethrowers: Projects and Ruminations on the Art of Living Dangerously” at some point, if only because of the author’s writing on the relationship between risk and happiness says something I’ve always suspected, that risk takers are happier than risk avoiders […]

 

Pirates, Inc.

I found this short documentary about piracy around the Straits of Malaca to be an interesting view of the reality of pirate life as a last refuge of the unemployed fisherman to be an interesting counterpoint to the NPR Story, “Behind the Business Plan of Pirates, Inc.” which provides an altogether different view of the […]

 

Statistics Police?!

From Gelman’s blog: U.K. Sheriff Cites Officials for Serious Statistical Violations I don’t know if we need an “office” of information assurance in the government sector, but it would be nice to have some penalty on the books for folks who abuse basic common sense statistical principles. Of course, the *real* answer lies in education […]

 

TAKE PART IN PROJECT QUANT (please)!

Hey everyone.  I wanted to let you know that Rich, Adrian & Co. at Securosis are spearheading a research project  called “Quant”.  They currently have a survey up on survey monkey about Patch Management that they’d like participation in.  If you can, please give thoughtful contribution to the survey. http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d There’s something about a registration […]

 

Amusements with Alpha

I just saw a link to someone who had broken Wolfram Alpha. Their breaking question was, “when is 5 trillion days from now?” The broken result is: {DateString[{13689537044,5,13,16,57,18.5796},Hour12Short],:,DateString[{13689537044,5,13,16,57,18.5796},Minute],:,DateString[{13689537044,5,13,16,57,18.5796},Second], ,DateString[{13689537044,5,13,16,57,18.5796},AMPMLowerCase]} | {DateString[{13689537044,5,13,16,57,18.5796},DayName],, ,DateString[{13689537044,5,13,16,57,18.5796},MonthName], ,DateString[{13689537044,5,13,16,57,18.5796},DayShort],, ,13689537044} Which is certainly amusing. A quick check shows that even one trillion days gives a similar error. A bit of the […]

 

New Means of Pie Chart Abuse

Just for Adam, because I know he’ll *love* this. Was reading the “How to transform your ETL tool into a data quality toolkit” post on the data quality blog when I noticed something. In the graphic they’re presenting there: The.Pie.Chart.Spins. Which could be one of the most awesome data visualization abuses.  ever.

 

Voltage Security's Breach Map

The folks over at Voltage have released a really cool interactive map of breaches from around the world.  Tools like this show how important having data is, just imagine how much more impressive and useful something like this could be if more people were willing to share data about breaches or other information security issues […]

 

Open Thread

What’s on your mind? Extra points for mocking other members of the combo for not posting. Me? I’m wondering why the opening of the Parliament of South Africa involves so many bagpipes.

 

Thoughts on Bejtlich's Information Security Incident Ratings

Check out Richard Bejtlich’s Information Security Incident Rating post. In it, he establishes qualitative, color-based scales for various asset-states in relation to the aggregate threat community.  As Richard states, he’s not modeling risk, but rather he’s somewhat modeling half of risk (in FAIR terms, an attempt at TEF/LEF/TCap information, just not the loss magnitude side). […]

 

Democracy, Gunpowder, Literacy and Privacy

In an important sense, privacy is a modern invention. Medieval people had no concept of privacy. They also had no actual privacy. Nobody was ever alone. No ordinary person had private space. Houses were tiny and crowded. Everyone was embedded in a face-to-face community. Privacy, as idea and reality, is the creation of a modern […]

 

TSA Kills Bad Program!

The government is scrapping a post-Sept. 11, 2001, airport screening program because the machines did not operate as intended and cost too much to maintain. The so-called puffer machines were deployed to airports in 2004 to screen randomly selected passengers for bombs after they cleared the standard metal detectors. The machines take 17 seconds to […]

 

Web 2.0 and the Federal Government

This looks interesting, especially in light of the launch of data.gov: The Obama campaign—and now the Obama administration—blazed new trail in the use of Web 2.0 technology, featuring videos, social networking tools, and new forms of participatory and interactive technology. This event will feature government, technology, and new media leaders in addressing the special challenges […]

 

Giving Circles and de Tocqueville

There was an interesting story on NPR the other day about “giving circles.” It’s about groups of people getting together, pooling their money, investigating charities together, and then giving money. The story mentions how the increasing bureaucratization* of fund-raising leads to groups whose involvement is “I write them a cheque each year.” It also mentions […]

 

Secret Questions

Congratulations to Stuart Schechter, A. J. Bernheim Brush (Microsoft Research), Serge Egelman (Carnegie Mellon University). Their paper, “It’s No Secret. Measuring the Security and Reliability of Authentication via ‘Secret’ Questions” has been Slashdotted. It’s really good research, which Rob Lemos covered in “Are Your “Secret Questions” Too Easily Answered?”

 

Can't Win? Re-define losing the TSA Way!

We were surprised last week to see that the GAO has issued a report certifying that, “As of April 2009, TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program and had conditionally achieved 1 condition (TSA had defined plans, but had not completed all activities […]

 

Definitions: cloudenfreude

cloudenfreude — Feeling of happiness at watching the discomfort of others, especially senior management, as they accept in aggregate for *aaS the same risks which were easily accepted piecemeal over time for the analgous service internally.

 

First International Alternative Workshop on Aggressive Computing and Security

Thinking security can not be done without adopting a preferential mode of thought of the attacker. A system cannot be defended if we do not know how to attack it. If the theory is still an interesting approach to formalize things, the operational approach must be the ultimate goal: to talk about security is meaningless […]

 

PCI Data Available

Interesting information was made available today from VISA about PCI Compliance status for Level 1, 2, and 3 merchants.  Find it as a .pdf >>here<< (thanks to Mike Dahn for bringing it to our notice). **UPDATE** You may want to check out what Pete Lindstrom has done with that data, in his Blog Post, “Is […]

 

Richard Bejtlich's Quantum State

Is Statistically Mixed? Richard Bejtlich (whom I do admire greatly in most all of his work) just dug up a dead horse and started beating it with the shovel, and I just happen to have this baseball bat in my hands, and we seem to be entangled together on this subject, so here goes: I […]

 

Twitter Bankruptcy and Twitterfail

If you’re not familiar with the term email bankruptcy, it’s admitting publicly that you can’t handle your email, and people should just send it to you again. A few weeks ago, I had to declare twitter bankruptcy. It just became too, too much. I’ve been meaning to blog about it since, but things have just […]

 

European View on Breaches

I hadn’t seen this article by Peter Hustinix when it came out, but it’s important. He says that “All data breaches must be made public:” The good news is that Europe’s lawmakers want to make it obligatory to disclose data breaches. The bad news is that the law will not apply to everyone. Those exemptions […]

 

I wrote code for a botnet today

There’s a piece of software out there trying to cut down on blog spam, and it behaves annoyingly badly. It’s bad in a particular way that drives me up the wall. It prevents reasonable behavior, and barely blocks bad behavior of spammers. In particular, it stops all requests that lack an HTTP Referer: header. All […]

 

Camera advice bleg

I’m thinking about maybe getting a new camera. Before I say anything else let me say that I understand that sensor size and lens rule all else, and that size does matter, except when it’s megapixel count, which is a glamour for the foolish. That said, I’m off to South Africa in a few weeks, […]

 

The Eyes of Texas Are on Baseboard Management Controllers? WHAT??!!!

OR TEXAS HB1830S IS SWINEFLU LEGISLATION, IT’S BEEN INFECTED BY PORK! **UPDATE:  It looks like the “vendor language” around Section Six has been struck! Given Bejtlich’s recent promises, I thought we’d take a quick but pragmatic look at why risk assessments, even dumb, back-of-the-envelope assessments, might just be a beneficial thing. As you probably know, […]

 

Ban Whole Body Imaging

Congressman Jason Chaffetz has introduced legislation seeking a ban on Whole-Body Imaging machines installed by the Transportation Security Administration in various airports across America. Describing the method as unnecessary to securing an airplane, Congressman Chaffetz stated that the new law was to “balance the dual virtues of safety and privacy.” The TSA recently announced plans […]

 

Seattle Parking Monitoring

Seattle’s King5 TV reports on “Parking enforcement’s powerful new weapon:” An unassuming white sedan is the Seattle Police Department’s new weapon against parking violators. Just by driving down the street, George Murray, supervisor of SPD’s parking enforcement unit, can make a record of every parked car he passes. “What we’re doing here is we’re actually […]

 

Time To Patch, Patch Significance, & Types of Cloud Computing

Recently, a quote from Qualys CTO Wolfgang Kandek struck me kind of weird when I was reading Chris Hoff yet again push our hot buttons on cloud definitions and the concepts of information security survivability.  Wolfgang says (and IIRC, this was presented at Jericho in SF a couple of weeks ago, too): In five years, […]

 

Covering the Verizon Breach Report

As you probably know by now, the pattern of 1s and 0s on the cover of the 2009 Verizon Data Breach Investigations Report contains a hidden message. I decided to give it a whirl and eventually figured it out. No doubt plenty of people managed to beat me to it, as evidenced by the fact […]

 

Cybersecurity Review Turf Battle

Many at RSA commented on the lack of content in Melissa Hathaway’s RSA keynote. The Wall St Journal has an interesting article which may explain why, “Cybersecurity Review Sets Turf Battle:” President Barack Obama’s cybersecurity review has ignited turf battles inside the White House, with economic adviser Lawrence Summers weighing in to prevent what he […]

 

Scalia: Just Because You Can Doesn't Mean You Should

aka it’s not nearly as funny when you are the subject of the probe. At a recent conference Justice Scalia said “”Every single datum about my life is private? That’s silly,” Well, a professor at Fordham University decided to take Mr Scalia at his word, and had one of his classes collect a dossier on […]

 

"No Evidence" and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those […]

 

"No Evidence" and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those […]

 

@Mortman MP3d on Threat Post

I’ll go ahead and promote David.  He’s interviewed over at Threat Post.  Pod/Talk cast it up! In this episode of the Digital Underground podcast, Dennis Fisher talks with David Mortman, CSO-in-residence at Echelon One and longtime security executive, about whether we’ve become too reliant on compliance, the changing nature of the CSO’s job and how […]

 

Security is about outcomes: RSA edition

So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at securosis and Stiennon’s network world blog, so I won’t try to do that. But I did I promise to tell you what I wanted to get […]

 

More breach visualization

I received some excellent comments on my previous breach visualization post, which I wanted to highlight for EC readers and take a stab at addressing.

 

Breach Visualization

I took the latest DataLossDB.org breach database and extracted all breaches involving a third party, omitting all columns other than the reporting entity and the third party. I then ran the resulting two-column CSV file through afterglow, and finally made pretty (3MB) picture with graphviz. This was done more for fun than for insight, but […]

 

Little Bobby Drop tables

In 1999 Syse Data was converted to a limited liability company, and has since been trading under the name Syse Data AS[1]. As the names are so similar, searches for our company in the official Norwegian registry of just-about-anything (Brønnøysundregistrene) often resulted in potential customers looking up the wrong company. To prevent this confusion we […]

 

Dept. of Pre-Blogging: Swine Flu edition

In no particular order, your friendly neighborhood Dept. of Pre-blogging hereby predictively reports on: Increased speculation, coupled with a spike in Twitter activity. Politicization of the event from the Right (blame Mexico and/or Big Government), the Left (if we spent money in the right places, this would not happen), and out in left field (this […]

 

Congratulations, Open Security Foundation

The Open Security Foundation, creators of OSVDB and DataLossDB have won SC Magazine’s Editor’s Choice award for 2009. It’s well deserved. In other Open Security Foundation News, about a dozen people asked me how to get a stylin’ DataLossDB t-shirt. It’s pretty easy-donate. I think you get one at the $100 level.

 

Congratulations to the Social Security Blog award winners!

A huge congratulations to the winners of the Social Security Awards [on Wednesday] PaulDotCom won the Best Podcast Award, the crew at the SANS Internet Storm Center won the best Technical Blog award, the best Non-Technical Blog went to Richard Bejtlich of the TaoSecurity Blog, Sunbelt Security won the Best Corporate Blog and Mike Rothman […]

 

Registration now open for WEIS 2009

Registration for The Eighth Workshop on the Economics of Information Security (WEIS 2009) is now open. The deadline for the Early Bird registration is 1 June 2009. We’ve written here often (and favorably) about WEIS, and about papers delivered there.

 

Standing Still

Following up on Ben’s comment to s/green/secure/g, infosec generally makes life /harder/ for people (at least in the short-term), all to keep bad things from happening. I’ll argue it’s even worse than that. Since “secure” is neither achievable nor a static state, it can never be done and standing still means falling behind.  One of […]

 

s/green/secure/g

Don’t miss this fascinating article in the New York Times, “Why Isn’t the Brain Green?” You can read it for itself, but then you hit paragraphs like this: It isn’t immediately obvious why such studies are necessary or even valuable. Indeed, in the United States scientific community, where nearly all dollars for climate investigation are […]

 

Breach Notification Law Across the World

“Data Breach Noti?cation Law Across the World from California to Australia” by Alana Maurushat. From the abstract: The following article and table examine the specifics of data breach notification frameworks in multiple jurisdictions. Over the year of 2008, Alana Maurushat of the Cyberspace Law and Policy Centre, with research assistance from David Vaile and student […]

 

Who should be punished for torture?

Normally, I try to post funny bits over the weekend, but I can’t let this week’s news slip by. I have deeply mixed feelings about how to handle those who tortured. On the one hand, they were only following orders. On the other hand, they were following orders which clearly required contortions to see as […]

 

Project Quant: Patch Management Metrics

Rich Mogull, Adrian Lane, (of Securosis) and Jeff Jones (of Microsoft) have started a “transparent” metrics project “to help build an independent model to measure the costs and effectiveness of patch management.”  They’re calling it (for now) Project Quant.  As you can probably guess, I’m all for transparent metrics projects, and I hope you’ll at […]

 

Off to the Moscone Center

Every year around this time, thousands of people converge on the Moscone Center in San Francisco for RSA. I had never given much thought to who Moscone was–some local politician I figured. I first heard about Harvey Milk in the context of the Dead Kennedys cover of I Fought The Law: The law don’t mean […]

 

Evolution of Information Analysis

Real briefly, something that came to me reading Marcus Ranum over at Tenable’s Blog. Marcus writes: Usually, when I attack pseudo-science in computer security, someone replies, “Yes, but some data is better than none at all!”  Absolutely not true! Deceptive, inaccurate, and misleading data is worse than none at all, because it can encourage you […]

 

Black Swan-Proof InfoSec?

I came across an interesting take on Nassim Taleb’s “Black Swan” article for the Financial Times via JP Rangaswami‘s blog “Confused in Calcutta“.   Friends and folks who know me are probably tired of my rants about what I think of Taleb’s work and what I think he’s gotten wrong.  But really, I find his FT […]

 

A Curmudgeon is a Little Confused by the 2009 DBIR

I’ve given Vz’s DBIR a quick perusal.  The data are interesting indeed and the recommendations are obvious.  There is little new here in the way of recommendations – I guess nobody is listening or the controls are ineffective (or a bit of both). Regardless, I have a few items that confuse and irritate me a […]

 

Breaches Conference audio online

Back in March, the Berkeley Center for Law and Technology put on a great conference, the “Security Breach Notification Symposium.” It was a fascinating day, and the audio is now online.

 

Initial Thoughts on the 2009 Verizon DBIR

Last night, the fine folks at Verizon posted the 2009 version of the DBIR.  I haven’t had time to do a full deep dive yet, but I thought I’d share my initial notes in the meantime. Stuff in italics is from the DBIR, regular text is me: 81 percent of organizations subject to PCI DSS […]

 

How to be Cyberscary

The intersection of cime and technology is a fascinating place.  Innovation of fraud, theft, and industrial espionage is occurring at a phenomenal pace and is producing no shortage of real problems that Information Risk and Security professionals need to be learning about and addressing.  Unfortunately, the noise coming from journalists in this space is so […]

 

Events don't happen in a Vacuum

Several commenters on yesterday’s post brought up the excellent point that its hard to talk about outcomes when you think you haven’t had any incidents. (“Consider the bank that had no attempted robberies this year”) Are you right? With a bank, it’s pretty easy to see most robberies. What’s more, we have the FBI showing […]

 

The New School Blog

I’m really excited to announce NewSchoolSecurity.com, the blog inspired by the book. I’ll be blogging with Alex Hutton, Chandler Howell and Brooke Paul. And who knows, maybe we’ll even get a post or two from Andrew? Emergent Chaos will continue. My posts here will be a little more on the privacy, liberty and economics end […]

 

Security is about outcomes, not about process

In some migration or another, this post was duplicated; the real post is at https://adam.shostack.org/blog/2009/04/security-is-about-outcomes-not-about-process/. Editing to avoid linkrot

 

Security is about outcomes, not about process

Nearly a decade ago Bruce Schneier wrote “Security is a process, not a product.” His statement helped us advance as a profession, but with the benefit of hindsight, we can see he’s only half right. Security isn’t about technology. Security is about outcomes, and our perceptions, beliefs and assurance about those outcomes. Here’s a quick […]

 

Microsoft Security Intelligence Report

The Microsoft SIR was released 4/8 and is available for download here.  Some of the interesting stuff they put in graphs is from the Open Security Foundation’s OSF Data Loss Database (http://datalossdb.org).  Among the interesting things in the Microsoft SIR: Good old theft and losing equipment, when combined, still beats the sexier categories hands down. […]

 

Flinging Money Around Never Works

Freeway Drivers Grab Money as Suspects Toss Thousands During Police Chase:” Thousands of dollars worth of hundred dollar bills brought rush hour to an abrupt halt on two San Diego freeways. Drug suspects tossed the money from their car as they were chased by police. Other drivers saw the money and stopped their cars on […]

 

New School Bloggers Speaking Today

So I apologize for short notice.  Hopefully the webmaster will get in gear and put up an event calendar or something, but here are a couple of events you might want to attend today that New School Bloggers are speaking at. First, David Mortman is giving “The Mortman Briefing:  Metrics for the Real World”over at […]

 

Cyber-Spies!

The WSJ has an article up today about how the Russians and Chinese are mapping the US electirical grid.  What I thought was more interesting was the graph they used (which is only mildly related to the article itself). If I’m reading this correctly, the DHS is claiming that there were just under 70,000 breaches […]

 

Hello World?

Thanks for stopping by The New School of Information Security Blog.  We’re very “beta” right now, and anticipate having everything ready by the RSA conference (the week of the 17th).  If you’d like to see some recent content by our authors, I had a recent post on the Verizon/Cybertrust blog about the PCI DSS and […]

 

Building Security In, Maturely

While I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model. Lots has been said, so I’d just like to quote one little bit: One could build a maturity model for software security theoretically (by pondering what organizations should […]

 

Deadline extended: Computers, Freedom & Privacy Research Showcase

This year’s Computers, Freedom and Privacy Conference will feature a research showcase in the form of a research poster session as well as a research panel that includes the authors of the best research posters. CFP is the leading policy conference exploring the impact of the Internet, computers, and communications technologies on society. For more […]

 

I Know What I Know

and I’ll sing what he said. Ethan Zuckerman has two great posts lately: “From protest to collaboration: Paul Simon’s “Graceland” and lessons for xenophiles” and “Argentine economics and maker culture.” The Paul Simon post talks about the deep history of the Apartheid boycott, Paul Simon’s approach to creating Graceland. Graceland was a collaboration of the […]

 

Mo-mentum on centralized breach reporting?

A Missouri state bill requiring notification of the state attorney general as well as of individuals whose records have been exposed just took a step closer to becoming law. As reported in the St. Louis Business Journal on April 1: Missouri businesses would be required to notify consumers when their personal or financial information is […]

 

Torture is a Best Practice

I was going to title this “Painful Mistakes: Torture, Boyd and Lessons for Infosec,” but then decided that I wanted to talk about torture in a slightly different way. The Washington Post reports that “Detainee’s Harsh Treatment Foiled No Plots” and [UK Foreign & Commonwealth Office] Finally Admits To Receiving Intelligence From Torture. From the […]

 
 

Metricon 4.0 Call for Papers

I suspect at least some EC readers will be interested in the Call for Papers for Metricon 4.0, to be held in Montreal, August 11. Metricon 4 – The Importance of Context MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable […]

 

Would I self-publish?

A few weeks back, Dave Birch asked me if I’d publish my next book myself. I don’t think I would. I’m really happy with Karen Gettman and Jessica Goldstein at Addison Wesley, and I’ve convinced my co-authors for my next book that we should have a discussion about publishers. So why am I happy with […]

 

Brad DeLong on the bailout

Brad DeLong has a FAQ up about Geithner’s plan to purchase toxic assets on the theory that the market has undervalued them, and will in time price them properly. Among the items: Q: What if markets never recover, the assets are not fundamentally undervalued, and even when held to maturity the government doesn’t make back […]

 

Best Practices?

The BBC reports that the UK Local Government Association has a new banned words list, including our favorite, “best practices.” Andrew asked me in email if this was a best practice, and I wrote back: Does it pass the seven whys test? Why did they ban the phrase? Because it’s meaningless business speak Why is […]

 

Double-take Department, Madoff Division

The Daily Beast has a fascinating article that is a tell-all from a Madoff employee. I blinked as I read: The employee learned the salaries of his colleagues when he secretly obtained a document listing them. “A senior computer programmer would make $350,000, where in most comparable firms they would be getting $200,000 to $250,000….” […]

 

The Emergent Chaos of Kutiman

So when someone sent me a link to “The Mother of all Funk Chords,” they didn’t explain it, and I didn’t quite get what I was watching. What I was watching: …is a mash up of videos found on YouTube, turned into an entire album by an Israeli artist, Kutiman.

 

Joseph Ratzinger and Information Security

Joseph Ratzinger (a/k/a Benedict XVI) made some comments recently made some comments that got some press. In particular, as Reuters reports: “Pope in Africa reaffirms ‘no condoms’ against AIDS.” Quoting the story, “The Church teaches that fidelity within heterosexual marriage, chastity and abstinence are the best ways to stop AIDS.” Many of you are likely […]

 

"No Evidence" and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those […]

 

Twitter + Cats = Awesome

My smart friend James Thomson of TLA Systems has created a new benchmark in iPhone applications, Twitkitteh. Not only is it the first Twitter client for cats, but it might also be the first iPhone app for cats, as well. I’ve always accused my cats of playing the stereo when I’m not there, and it […]

 

Understanding Users

Paul Graham has a great article in “Startups in 13 Sentences:” Having gotten it down to 13 sentences, I asked myself which I’d choose if I could only keep one. Understand your users. That’s the key. The essential task in a startup is to create wealth; the dimension of wealth you have most control over […]

 

What you talkin' 'bout?

The 110-story Sears Tower, tallest office building in the Western Hemisphere, will be renamed the Willis Tower, global insurance broker Willis Group Holdings said on Thursday. Willis said it was leasing multiple floors in the 1,451-foot (442-meter) structure in downtown Chicago to consolidate offices. As part of the deal, it will become the Willis Tower […]

 

Open Thread

I’d give you a topic, but I’m taking Hilzoy’s advice and going Galt. I’ve taken ads off the blog, given up my lucrative contract for Harry Potter and the Half-Baked Firewall, and so turn this thread over to you with but a single request: civility. So what’s on your mind?

 

The Lastest Big Processor Breach

So it’s now roughly confirmed, except for a few denials from Visa. First there was CardSystems, then Heartland, and maybe there’s at least one more known-to-some criminal breach at a payments processor. A lot of security bloggers have been talking about this, but I figure another day, another breach. Can’t we just get some facts? […]

 

This Data Will Self-Destruct in 5 Seconds

CSO Online has a good article on data destruction, Why Information Must Be Destroyed.” It’s mostly about physical documents, not data, but I can still make a few quibbles. The author, Ben Rothke, gives an example of a financial institution that did not live up to its regulatory requirements for properly disposing documents, and was […]

 

Welcome To The (New) Machine

If you can read this, you are now reading Emergent Chaos on its new server. We’ve also upgraded to the 4.x train of MovableType. Let us know what you think. We’re also considering a site redesign, so let us know any feature requests or design suggestions. Thanks!

 

SDL Threat Modeling Tool 3.1.4 ships!

On my work blog, I wrote: We’re pleased to announce version 3.1.4 of the SDL Threat Modeling Tool. A big thanks to all our beta testers who reported issues in the forum! In this release, we fixed many bugs, learned that we needed a little more flexibility in how we handled bug tracking systems (we’ve […]

 

Security Breach Notification Symposium

Next Friday (March 6th) I’ll be speaking at the “Security Breach Notification Symposium:” A one-day symposium on identity theft and security breaches. Experts from law, government, computer science, and economics will discuss laws that protect personal information and suggest reforms to strengthen them. Although most agree that reforms are needed, leading thinkers clash on what […]

 

Congratulations, Justin!

Justin Mason has won the 2009 Irish Blog Award for Best Technology Blog/Blogger. I don’t know how Justin manages to stay engaged with his blog and others while getting so much work done. When I say others, I mean this blog. Justin found Emergent Chaos back when it was a solo gig and I was […]

 

Don't put Peter Fleischer on Ice

Peter Fleischer is Google’s chief privacy counsel. I met Peter once at a IAPP event, and spoke pretty briefly. We have a lot of friends and colleagues in common. He’s now threatened with three years of jail in Italy. Google took under 24 hours to remove a video which invaded the privacy of someone with […]

 

Who Watches the FUD Watcher?

In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column. Brenner watched the FUD as he spreads it. He moans histrionically, When security is your company’s business, […]

 

MI5 Head Critiques Government on Liberties

The BBC reports: A former head of MI5 has accused the government of exploiting the fear of terrorism to restrict civil liberties. Dame Stella Rimington, 73, stood down as the director general of the security service in 1996…”Furthermore it has achieved the opposite effect – there are more and more suicide terrorists finding a greater […]

 

Closing the Collapse Gap

There’s a very interesting annotated presentation at “Closing the ‘Collapse Gap’: the USSR was better prepared for collapse than the US.” In it, Dmitry Orlov lays out his comparison between the USSR and the USA of 2006. Posting this now because a talk he gave at Long Now is getting lots of attention. In closely […]

 
 

Daily Show on Privacy

(h/t to Concurring Opinions) The Daily Show With Jon StewartM – Th 11p / 10c Bill O’Reilly’s Right to Privacy Daily Show Full EpisodesImportant Things With Demetri Martin Funny Political NewsJoke of the Day

 

Why Didn't SOX Catch The Bank Failures?

Iang recently indicted the entire audit industry with “Two Scary Words: Sarbanes-Oxley”. I’ve excerpted several chunks below: Let’s check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis? No. Not one, not even a single one! Yet, the basic […]

 

$450 per account? No.

So there’s a claim going around, which is that I believe that a breach costs $450 per account. That claim is not accurate. What was said (and the interview was in email, so I can quote exactly): (Interviewer) The Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by […]

 

"A Scientific R&D Approach to Cyber Security"

Charlie Catlett, CIO of Argonne National Labs has released a report on “A Scientific R&D Approach to Cyber Security” (Powerpoint summary, community wiki). It’s a very interesting report. There’s a lot to agree with in terms of a research agenda. They’re looking to compose trustworthy systems from untrusted components, to create self-protective data and software, […]

 
 

Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder: Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. […]

 

That's some fine discourse, Professor Froomkin

I just wanted to draw attention to the comments in Michael Froomkin’s blog post on “Cabinet Confirmation Mechanics.” I am delighted to have had ‘Jim’ concur with my Constitutional analysis by quoting the closing lines of Ulysses. I’m in awe of your commenters, Michael.

 

"EPC RFID Tags in Security Applications"

I just finished an interesting paper, K. Koscher, A. Juels, T. Kohno, and V. Brajkovic. “EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond.” In the paper, they analyze issues of cloning (easy) read ranges (longer than the government would have you believe) and `design drift’ (a nice way of saying […]

 
 

Request your travel records

Speaking of how you’re presented and perceived…”How to request your travel records,” by Ed Hasbrouck. By popular demand, I’m posting updated forms to request your PNR’s and other records of your international travel that are being kept by the U.S. Customs and Border Protection (CBP) division of the Department of Homeland Security (DHS)… If you […]

 

A nudge in the right direction?

I am surprised I hadn’t heard about the book Nudge, by Cass Sunstein and Richard Thaler. I haven’t read it yet, but from the web page it seems to be about how policymakers can take into account the heuristics and biases characteristic of human decision-makers and create a choice architecture which yields “proper” decision-making. I […]

 

Abuse of the Canadian Do Not Call List

The Globe and Mail and the CBC each report that Canada’s Do Not Call list is being used by telemarketers both good and bad (where each term is relative). This is a bit sad for Canada. The US’s DNC list has been very successful, and one of the very few places where the US has […]

 

The New Administration and Security

Quoting first from Obama’s inaugural address: The question we ask today is not whether our government is too big or too small, but whether it works — whether it helps families find jobs at a decent wage, care they can afford, a retirement that is dignified. Where the answer is yes, we intend to move […]

 

Pinch me…

The Freedom of Information Act should be administered with a clear presumption: In the face of doubt, openness prevails. The Government should not keep information confidential merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears. Nondisclosure should never be based on […]

 

Breach Misdirection

While we were all paying attention to the Inauguration and having merry debates about how many Justices can deliver the Oath of Office on a pin, what may be the biggest breach ever tried to tiptoe past. Heartland Payment Systems may have lost 100 million credit card details, surpassing the 94 million that was lost […]

 

Rethinking Risk

Now it’s no secret to those of you who know me that I’m a big believer in using risk management in the security space. Iang over at Financial Cryptography think’s it is “a dead duck”: The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable […]

 

President for Ten Minutes

During a chat I had this afternoon, someone brought up an interesting situation to contemplate. The Presidency of George Bush fils ended today at noon EST, but Mr. Obama wasn’t sworn in until 12:10. Who then, the question was, President during those ten minutes. One mildly unsatisfactory answer is Ms. Pelosi. If there is neither […]

 

Change I Can Believe In

From (the new) Whitehouse.gov: Except where otherwise noted, third-party content on this site is licensed under a Creative Commons Attribution 3.0 License. Visitors to this website agree to grant a non-exclusive, irrevocable, royalty-free license to the rest of the world for their submissions to Whitehouse.gov under the Creative Commons Attribution 3.0 License. http://www.whitehouse.gov/copyright/

 

Three short comments on the Inauguration

The reality that a black man is about to become President of the United States is both momentous and moving. It’s hard to say anything further on the subject that hasn’t been said and re-said, but I am simply proud that the pendulum has swung to someone like Obama. I’m excited to have an educated, […]

 

Umami, or why MSG tastes so good

It’s appetizing news for anyone who’s ever wanted the savory taste of meats and cheeses without actually having to eat them: chemists have identified molecular mechanisms underlying the sensation of umami, also known as the fifth taste. … The umami receptor’s shape is similar to that of sweetness receptors, he said, and his team’s research […]

 

Privacy & Healthcare

One of the dirty little secrets of bad privacy law is that it kills. People who are not comfortable with the privacy of their medical care may avoid getting needed care. That’s why privacy features in the Hippocratic oath. But few people want to study this issue, and studying it is hard–people are likely to […]

 

"Get FISA Right" Pointer

[Update: This got to #5 on change.org’s list, and they’re now working to draw attention to the issue on change.gov.] Jon Pincus has asked me for help in drawing attention to his “Get FISA Right” campaign to get votes on change.org. When I’ve tried to look at this, it’s crashed my browser. YMMV–I use a […]

 

Security Blog Awards

In “The Social Security Blogger Awards,” Alan Shimel asks for nominations for blogs. Ironically, to even see the site at http://www.socialsecurityawards.com/, you need to accept Javascript. I think we should have an award for “best vuln in the voting system.” But anyway, please take a minute to go vote. I’ll ask for your vote for […]

 

Patch and Pray…

..or, Spaf‘s DVD players get bricked. In which, lies a tale…

 

Protection Poker

Listening to Gary McGraw’s Silver Bullet #33, Laurie William mentioned protection poker. Protection poker, like planning poker isn’t really poker. Planning poker is a planning exercise, designed to avoid certain common pitfalls of other approaches to planning. The idea behind protection poker is to be a “informal form of misuse case development and threat modeling […]

 

Look how hip I am…

Normally, this would be something for Twitter, but…well…. Officiating at the NY v. Philadelphia game has been poor. Not biased, I don’t think, but poor.

 

Gary McGraw and Steve Lipner

Gary McGraw has a new podcast, “Reality Check” about software security practitioners. The first episode features Steve Lipner. It’s some good insight into how Microsoft is approaching software security. I’d say more, but as Steve says two or three good things about my threat modeling tool, you might think it some form of conspiracy. You […]

 

Reboot the FCC? No, debug the problem

Larry Lessig has a very interesting article in Newsweek, “Reboot the FCC.” The essence is that the FCC is inevitably bound by regulatory capture. He proposes a new agency with three tasks: “The iEPA’s first task would thus be to reverse the unrestrained growth of these monopolies.” “The iEPA’s second task should be to assure […]

 

No Fun

Stooges guitarist Ron Asheton, dead at 60.

 

ITRC Year End Report for 2008

The Identity Theft Resource Center (ITRC) released their year-end breach report: Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. Dissent of PogoWasRight has some analysis. I’ll take […]

 

Cryptol Language for Cryptography

Galois has announced “” Cryptol is a domain specific language for the design, implementation and verification of cryptographic algorithms, developed over the past decade by Galois for the United States National Security Agency. It has been used successfully in a number of projects, and is also in use at Rockwell Collins, Inc. … Cryptol allows […]

 

The Identity Divide and the Identity Archepelago

(I’d meant to post this in June. Oops! Chaos reigns!) Peter Swire and Cassandra Butts have a fascinating new article, “The ID Divide.” It contains a tremendous amount of interesting information that I wasn’t aware of, about how infused with non-driving purposes the drivers license is. I mean, I know that the ID infrastructure, is, […]

 

Security through obscurity

…or, antique car collectors are an honest lot. According to the Times (of London, dear chap), a recently-deceased British surgeon has left his heirs a rather significant bequest: a super-rare, super-fast, antique Bugatti which hasn’t been driven since 1960 and is expected to fetch several million at auction. This is the fabled “Imagine their surprise, […]

 

Biometric Fail reported

A South Korean woman entered Japan on a fake passport in April 2008 by slipping through a state-of-the-art biometric immigration control system using special tape on her fingers to alter her fingerprints, it was learned Wednesday… During questioning, the woman allegedly told the immigration bureau that she had bought a forged passport from a South […]

 

Happy New Year!

Our new year’s resolution is to show a sense of childlike wonder at and acceptance of everything we come across, especially this year’s leap second. Incidentally, this post is scheduled to go live at 2008-12-31 23:59:60. Let’s see what happens! Update: Movable Type complained when I tried to save the post: “Invalid date ‘2008-12-31 23:59:60’; […]

 

Now will you believe MD5 is broken?

I’m just sitting here blinking, having a Brecht moment in which I am laughing at those who are crying and crying at those who are laughing. At the CCC congress, a number of people did something dramatic — they created a forged SSL certificate. It’s dramatic, but nothing special. We’ve known that MD5 is broken […]

 

Happy Newton, everyone!

In honor of Newton’s Birthday festival, I therefore propose the following song, to be sung to the tune of “The Twelve Days of Christmas.” For brevity, I include only the final verse. All together now! On the tenth day of Newton, My true love gave to me, Ten drops of genius, Nine silver co-oins, Eight […]

 

I miss Montreal

When Seattle is covered in snow, it’s easy to miss Montreal. Now, folks in areas that get lots of snow like to make fun of Seattlites for being unable to handle a little snow, but it turns out that there’s another reason (beyond the steep hills) the city has a (ahem) unique approach: “Seattle refuses […]

 

At the tail end of the car series…

Originating from Wootton High School, the parent said, students duplic ate the license plates by printing plate numbers on glossy photo paper, using fonts from certain websites that “mimic” those on Maryland license plates. They tape the duplicate plate over the existing plate on the back of their car and purposefully speed through a speed […]

 

Designing Cars

I was struck by this quote in “Edgy, Yet Still Aerodynamic” an article in the New York Times about how new cars are being designed and tested: , To his surprise, in hundreds of tests at Ford’s Wind Tunnel 8 southwest of Detroit the original edges produced less drag than curved substitutes, Mr. Koester said. […]

 

This is the farewell shoe, you dog

Bloomberg is reporting that “Shoe Hurled at Bush Flies Off Turkish Maker’s Shelves : Baydan has received orders for 300,000 pairs of the shoes since the attack, more than four times the number his company sold each year since the model was introduced in 1999. The company plans to employ 100 more staff to meet […]

 

Thoughts on the Somali Pirates

Stratfor’s podcast on the seizure of that Saudi oil tanker contained a fascinating tidbit: merchant ships are no longer allowed to carry arms at all, which, of course, makes piracy far easier. This is a dramatic transformation of the rights of merchant ships. Historically, private ships carried weapons when sailing far out of their own […]

 

Evidence of Time Travel Found in China

According to Ananova, a Swiss watch-ring has been found covered in dirt in a four-hundred year old Ming dynasty tomb. The watch was found, covered in dirt. It was stopped at the time 10:06 and has the word, “Swiss” engraved on the back. The archaeologists on the dig have requested archaeologists from Beijing to help […]

 

Happy Boston Tea Party Day!

It was 235 years ago today that the Sons of Liberty threw tea into Boston harbor, and they still haven’t been able to clean the place up. Please join me in celebrating this most American response to taxation.

 

Do Security Breaches Cost Customers?

Adam Dodge, building on research by Ponemon and Debix, says “Breaches Cost Companies Customers,” and Alan Shimel dissents in “Do data breaches really cost companies customers?” Me, I think it’s time we get deeper into what this means. First, the customers. Should they abandon a relationship because the organization has a security problem? To answer […]

 

Privacy Rights & Privacy Law

First, the European Court of Human Rights has ruled that the UK’s “DNA database ‘breach of rights’:” The judges ruled the retention of the men’s DNA “failed to strike a fair balance between the competing public and private interests,” and that the UK government “had overstepped any acceptable margin of appreciation in this regard”. The […]

 

Eric Drexler blogging

At Metamodern.com. Way cool. I look forward to what he has to say. Unfortunately, one of his early posts falls into the trap of believing that “Computation and Mathematical Proof” will dramatically improve computer security: Because proof methods can be applied to digital systems, and in particular, will be able to verify the correctness (with […]

 

DataLossDB announces awesome new feature

The Data Loss Database, run by the Open Security Foundation, now has a significant new feature: the inclusion of scanned primary source documents. This means that in addition to being able to determine “the numbers” on an incident, one can also see the exact notification letter used, the reporting form submitted to state government, cover […]

 

Videos of me

The employer has been posting them at a prodigious rate. There’s: “Threat Modeling at EMC and Microsoft,” Danny Dhillon of EMC and myself at BlueHat. Part of the BlueHat SDL Sessions. Also on threat modeling, Michael Howard and I discuss the new SDL Threat Modeling Tool Michael Howard and I also discussed the new SDL […]

 

The Costs of Fixing Problems

I enjoyed reading Heather Gerkin’s article: “The Invisible Election.” I am one of the few people to have gotten a pretty good view of the invisible election, and the reality does not match the reports of a smooth, problem-free election that have dominated the national media. As part of Obama’s election protection team, I spent […]

 

Virgin America

I flew Virgin Atlantic for the first time recently, for a day trip to San Francisco. I enjoyed it. I can’t remember the last time I actually enjoyed getting on a plane. The first really standout bit was when the Seattle ground folks put on music and a name that song contest. They handed out […]

 
 

Travel Chaos

NARA (National Archives) published notice in the Federal Register on October 27, 2008, of TSA’s submission to them (see Schedule Pending #3) of a proposed Records Schedule for Secure Flight Program. The actual Proposed Schedule was not published in the Register, only notice that you can request it and file comments on whether NARA should […]

 

Terrifying Financial Blacklists Falling Down

There’s a list, maintained by the UN security council, of people who can’t have their money. Once you’re on the list, there’s no way to get off. The global blacklisting system for financiers of al-Qaeda and other terrorist groups is at risk of collapse, undermined by legal challenges and waning political support in many countries, […]

 

Ephemeral Anniversary

Yesterday, Nov 17, was the sesquicentenary of the zero-date of the American Ephemeris. I meant to write, but got distracted. Astronomical ephemeris counts forward from this date. That particular date was picked because it was (approximately) Julian Day 1,000,000, but given calendar shifts and all, one could argue for other zero dates as well. The […]

 

Diverse Preferences for Privacy

A Wide Diversity of Consumer Attitudes about Online Privacy shows this picture of Flickr users setting privacy preferences: green is public (default) and red is private. I hope Flickr shares some of the underlying data. I don’t know what anyone would do with it, and there’s two ways to find out. One is to talk, […]

 

The Twain Meeting

Some time ago, was on an extended stay in Tokyo for work. When one is living there, there are things one must do, like make an effort to live up to being a henna gaijin. I must disagree with those who translate that as “strange foreigner.” The proper translation is “crazy foreigner.” I’d never heard […]

 

Actually, Randall, We Tried That

And the reason it doesn’t work is that just because you’re allowed to own something doesn’t mean you’re allowed to export it. The use, ownership, production, etc. of crypto was never restricted, only its export. In an Intenet-enabled world, export control brings lots of hair with it, which is why it was important to fight […]

 

Public Policy and InfoSec

…Armed with my favorite govie (who is actually the lead on this, I’m just a straphanger), The New School of Information Security (Hi Adam and Andrew), some government policy directives, and the National Strategy to Secure Cyberspace, I am teaching an Information Security Management and Public Policy class for Carnegie Mellon’s Heinz School. The more […]

 

An early clue to the new direction?

Obama gave his first press conference as President-elect last Saturday. Pundits have noted his humor in responding to the urgent canine matter, but I was struck by a particular phrase used in response to a question regarding whether he’d be moving quickly to fill key cabinet positions: When we have an announcement about cabinet appointments, […]

 

Chaos, My Desk and Dilbert

The Wall St Journal covers the latest management fad in “Neatness Counts at Kyocera and at Others in the 5S Club:” 5S is a key concept of the lean manufacturing techniques that have made makers of everything from cars to candy bars more efficient. The S’s stand for sort, straighten, shine, standardize and sustain. Lately, […]

 

I Was On NPR, An Unmasking of Sorts

Okay so for a long time now, I’ve been blogging as Arthur. It all started as an excuse to blog without the company I worked for at the time having to worry about anything I said being a reflection on them. Almost three years ago they were acquired by Oracle and I have long since […]

 

Checking in on the Security of Chequing

I remember a conversation back in 1995 or 1996 with someone who described to me how the Automated ClearingHouse (ACH) for checking worked. He explained that once you had an ACH merchant account, you sent in a message of roughly the form (src, dest, amount, reason) and money got moved. I argued with him that […]

 

This just in!!

MSNBC’s live streaming internet election coverage looks like it was filmed from within Second Life. Yuck.

 

The Purple States

As we go into what may well be another very long day of elections for the Presidency of the United States, I wanted to reprise two images from 2004: Click on either for more details and the context four years ago. Despite the electoral college, America isn’t a red country or a blue country, and […]

 

You talk like a delinquent

This is interesting. Not sure how robust the finding is, but according to an analysis of LendingClub data on all past loans, including descriptions of the use for the money, applicants using certain words in their descriptions are much more likely to default. For our purposes define a Delinquency as either being late in your […]

 

Thoughts about Democracy in America

There’s a place in de Tocqueville where he talks about America’s civic strength coming from the way we organize: those voluntary organizations which come together to solve a problem as a community. He pointed out that what we got from that was not merely that particular problem solved, but a sense of community and a […]

 

It was twenty years ago today

It was twenty years ago today Sgt. Morris taught the worms to play They’ve been going in and out of style But they’re guaranteed to last a while So may I introduce to you… the bug you’ve known for all these years Sgt. Morris Lonely worm club band We’re Sgt. Morris’ lonely worm club band, […]

 

Don’t Stay at the Renaissance Amsterdam Hotel

The night of September 29th, I had a room at the Renaissance Amsterdam hotel on Kattengat street. Actually I had two rooms, not that I slept in either of them. The first had too much street noise, and windows that didn’t block out the sound. The second, well, I woke up at 7.30 AM from […]

 

Cheetah Delays Luggage

A cheetah traveling from Oregon to Memphis Tennessee escaped from its cage on a Delta flight from Portland to Atlanta. Luggage was delayed, a baggage worked got a good fright (oh, yeah, imagine finding a cheetah on Halloween), but no baggage was destroyed. I would like to be able to link to the full story, […]

 

Studs Terkel, 1912-2008

No Chicagoan stood up for the common man like Studs Terkel, although Nelson Algren was probably in the running. A security-related anecdote, courtesy of the Chicago Tribune: In 1997 he went to the White House to receive the National Humanities Medal and the National Medal of Arts with a group including Jason Robards, Angela Lansbury, […]

 

Experience and Decision Making

Following on our satirical endorsement of McCain-Palin yesterday, I’d like to talk a little about the experience argument, that is, that Obama lacks the experience to be President. This may well be true. I’d prefer someone with extensive executive experience, ideally running a state, experience matters in one very specific way: it may help you […]

 

Responses to Terror: Boston and Ashdod, Israel

An Israeli teenager has been arrested after he donned a mask and prowled the streets of his town with a big rucksack and toy gun for a school project. The boy, 15, was seized by police in the southern town of Ashdod suspecting he was a Palestinian militant. The student was quoted as saying he […]

 

CTOs, Product Management and Program Management

In “The product manager’s lament,” Eric Ries writes about his view of product managers: Let’s start with what the product manager does. He’s supposed to be the person who specifies what the product will do. He writes detailed specs which lay out exactly what features the team should build in its next iteration. These specs […]

 

Ridiculing the Ridiculous: Terrorist Tweets

A group of soldiers with the US Army’s 304th Military Intelligence Battalion have managed to top previous military research on terrorist use of World of Warcraft. Realizing that mentioning the word “terrorist” can allow researchers to acquire funding to play the popular MMOG, they turned attention to the popular, if architecturally unscalable micro-blogging system, Twitter. […]

 

"Secure Flight" now part of the Bush Administrations Legacy

We welcome the Bush administration’s continuing dedication to excellence and security in developing clear and appropriate rules to prevent terrorists from flying: In this respect, there are major discrepancies between the (nonbinding) description at the start of the regulatory notice issued today, and the actual regulations that follow it (the last 20 pages of the […]

 

Buffett Vs Paulson

I was listening to Joseph Stiglitz on NPR this morning, and he had a very interesting comparison. (Quoting from an op-ed in the Guardian): For all the show of toughness, the details suggest the US taxpayer got a raw deal. There is no comparison with the terms that Warren Buffett secured when he provided capital […]

 

The Costs of Secrecy

Security continues to be crippled by a conspiracy of silence. The ongoing costs of not talking about what’s going wrong are absolutely huge, and today, we got insight into just how huge. Richard Clayton and Tyler Moore of Cambridge University have a new paper on phishing, “The consequence of non-cooperation in the fight against phishing.” […]

 

Investing in the finance crisis

The Wall Street domino has toppled just about everything in sight: U.S. stocks large and small, within the financial industry and outside of it; foreign stocks; oil and other commodities; real-estate investment trusts; formerly booming emerging markets like India and China. Even gold, although it has inched up lately, has lost 10% from its highs […]

 

Open thread

What’s on your mind in October?

 

Emergence Emerges

This paper, “More Really is Different,” may be one of the most important papers of the last half-millenium. It argues that P.W. Anderson’s concept of “emergence” is provable. It may have even proved it. The idea of emergence, from whence this blog gets its name is the opposite of reductionism. It is the idea that […]

 

Death Penalty Protestors are Terrorists

The Washington Post reports upon the further cheapening of the word “terrorism” in, “Md. Police Put Activists’ Names On Terror Lists.” The fifty-three people with “no evidence whatsoever of any involvement in violent crime” who were put on a list of terrorists include anti-death-penanty protestors. It’s really hard to keep from laughing about this. Are […]

 

Identity Manglement

It was Dopplr that drove me over the edge on this rant. I almost feel bad for starting off with them, because as you will see, they’re just the bale of hay that broke the camel’s back. I was updating my travel schedule, which included a trip to St. Louis. It told me that by […]

 

Experiences Threat Modeling at Microsoft

A little bit of cross-polination between blogs: Adam Shostack here. Last weekend, I was at a Security Modeling Workshop, where I presented a paper on “Experiences Threat Modeling at Microsoft,” which readers of [the Microsoft Security Development Lifecycle] blog might enjoy. So please, enjoy!

 

"No evidence the data was misused"

The next time you read a statement that a breached entity has found no evidence of data misuse, remember this: data may have been misused even though entities are unaware of it. Tim Wilson of Dark Reading provides a current example of why entities should inform customers, this one involving the T-Mobile breach that affected […]

 

Researchers Two-Faced over Facebook Data Release

[Update: Michael Zimmer points out that it wasn’t Facebook, but outside researchers who released the data.] I wanted to comment quickly on an interesting post by Michael Zimmer, “ On the “Anonymity” of the Facebook Dataset.” He discusses how A group of researchers have released a dataset of Facebook profile information from a group of […]

 

What's in a name(less)?

Me! I had a great time in a conversation with Dennis Fisher which is now up on his nameless security podcast: Adam Shostack on privacy, data breaches and “The New School of Information Security” Check it out. Update: Amazon seems to be having trouble keeping The New School in stock. (Thank you!!!) Addison Wesley has […]

 
 

The Skype Issue

According to The New York Times in, “Surveillance of Skype Messages Found in China,” the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like “Falun Gong,” “Independent Taiwan,” and so on. A group of security people and human rights workers not only […]

 

Submitted for your consideration

I added Bank Lawyer’s Blog to my set of RSS feeds some time ago, after I came across a decent post about ID theft there. I provide — without comment — the following quotation from a banking industry lawyer, as posted yesterday: Near the end of the Oscar-winning movie “Unforgiven,” the young assassin who calls […]

 

Regulations, Risk and the Meltdown

There are obviously a large set of political questions around the 700+ billion dollars of distressed assets Uncle Sam plans to hold. If you care about the politics, you’re already following in more detail than I’m going to bother providing. I do think that we need to act to stem the crisis, and that we […]

 

Adam on CS TechCast

I did a podcast with Eric and Josh at CS Techcast. It was lots of fun, and is available now: link to the show Welcome to another CSTechcast.com podcast for IT professionals. This week we interview Adam Shostack, author of The New School of Information Security about the essentials IT organizations need to establish to […]

 

And I thought I didn't like Streisand

While Babs’ vocal stylings may be an “acquired taste”, today I have a new appreciation for the Streisand Effect. Thanks to Slashdot, I learned that Thomson Reuters is suing the Commonwealth of Virginia alleging that Zotero, an open-source reference-management add-on for Firefox, contains features resulting from the reverse-engineering of Endnote, a competing commercial reference management […]

 

Blaming the Victim, Yet Again

John Timmer of Ars Technica writes about how we ignore dialog boxes in, “Fake popup study sadly confirms most users are idiots.” The article reports that researchers at the Psychology Department of North Carolina State University created a number of fake dialog boxes had varying sorts of clues that they were not real dialog boxes, […]

 

2008 Breaches: More or More Reporting?

Dissent has some good coverage of an announcement from the ID Theft Resource Center, “ITRC: Breaches Blast ’07 Record:” With slightly more than four months left to go for 2008, the Identity Theft Resource Center (ITRC) has sent out a press release saying that it has already compiled 449 breaches– more than its total for […]

 

University of Lake Wobegon?

Spaf has an excellent post up about Purdue’s decision to no longer be an NSA Center of Academic Excellence. He makes a number of thought-provoking points, among them that “excellence” loses its meaning if the bar is set too low, and that being an academic center and having a training (as opposed to educating) curriculum […]

 

SDL Press Tour Announcements

Steve Lipner and I were on the road for a press tour last week. In our work blog, he writes: Last week I participated in a “press tour” talking to press and analysts about the evolution of the SDL. Most of our past discussions with press and analysts have centered on folks who follow security, […]

 

Help fund historic computers at Bletchley Park

Bletchley Park, the site in the UK where WWII code-breaking was done, has a computing museum. The showpiece of that museum is Colossus, one of world’s first computers. (If you pick the right set of adjectives, you can say “first.” Those adjectives are apparently, “electronic” and “programmable.”) It has been rebuilt over the last fourteen […]

 

Canadian PM FAIL

Dear Mr Harper, In general people do not care for the government to be tracking their religious affiliation. In particular however, there are few groups who care less for this sort of tracking than Jews. Seriously, you’re not going to get votes by sending Rosh Hashanah cards to your Jewish constituents. It freaks us out, […]

 

Risk Managers Are Just Like Security People

Or is that vice-versa? A few weeks ago, Security Retentive posted about an article in the Economist: “Confessions of a Risk Manager”. Both his analysis and the original story are quite interesting and I encourage you to read them as well as a letter to the editor that was published in last week’s print edition […]

 

Things only An Astrologist Could Believe

There’s a really funny post on a blog titled “Affordable Indian Astrology & Vedic Horoscope Provider:” Such a choice of excellent Muhurta with Chrome release time may be coincidental, but it makes us strongly believe that Google may not have hesitated to utilize the valuable knowledge available in Vedic Astrology in decision making. This is […]

 

Signal Boosting Amrit Williams

File this under “Posts I Wish I’d Written”. Amrit Williams’ “ The 7 Greatest Ideas in Security,” really highlights a lot of my basic thoughts on how security should work. His conclusion sums things up cogently, but go read the entire post: Some may argue that something has been forgotten or that the order is […]

 

Lessons for security from "Social Networks"

There are a couple of blog posts that I’ve read lately that link together for me, and I’m still working through the reasons why. I’d love your feedback or thoughts. A blogger by the name of Lhooqtius ov Borg has a long screed on why he doesn’t like the “Social Futilities.” Tyler Cowan has a […]

 
 

TSA Breaks Planes (and a link to infosec)

Aero News Network has a fascinating story, “ANN Special Report: TSA Memo Suggests That Agency ‘Encourages’ Damaging Behavior.” It covers how a TSA goon climbed up a plane using equipment marked “not a handhold,” damaging it and putting the flying public at risk. It continues: While this may be terrifying on a number of levels, […]

 

Diebold/Premier vote dropping

A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges. The problem was identified after complaints from Ohio elections officials following the March primary there, but the logic error that is […]

 

The Omnivore's Hundred

I find it interesting that security people and foodies are strongly correlated. Or at least are strongly correlated among the ones I know. Very Good Taste has a list of things called The Omnivore’s Hundred, a list of things worth trying, modulo this and that. You mark things you have tried, and mark things you […]

 

Disaster Recovery Drills Aren't Just For IT

The Economist has a short but great overview on crisis management. The article is well worth reading completely, but there is one section that bears highlighting: Be well prepared in advance. Potential members of a crisis management “team” should rehearse how they would manage the impact of an incident. It is a bit like learning […]

 

We're all in it together

Ryan Singel reports at 27B/6: The TSA was keeping the names of people who lost their wallets and needed to fly — even after ascertaining their identity and determining they were not a threat and could board a plane. It stored these names in a shared threat database. Then it decided that it won’t store […]

 

Certifiably Silly

Over at “The Security Practice,” Michael Barrett writes about “Firefox 3.0 and self-signed certificates.” Neither he or I are representing our respective employers. …almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only […]

 

That's an address I haven't used in a very long time.

Well, I got a letter from BNY Mellon, explaining that they lost my data. The most interesting thing about it, I think, is where it was sent, which is to my mom. (Hi Mom!) I had thought that I’d moved all of my financial statements to an address of my own more than a decade […]

 

Watchlist Cleaning Law

Former South African President Nelson Mandela is to be removed from U.S. terrorism watch lists under a bill President Bush signed Tuesday… The bill gives the State Department and the Homeland Security Department the authority to waive restrictions against ANC members. This demonstrates that greater scrutiny must be placed on the decisions about who gets […]

 

Instant Ice Age

Science reports in, “The Year the World Froze Over:” It sounds like the stuff of science fiction, but nearly 13 millennia ago Europe was plunged suddenly into a deep freeze that lasted 1300 years–and the change happened in little more than a year, according to new data. The evidence also suggests that strong winds, not […]

 

Black Hat (Live) Blog: Keynote

Ian Angell from the London School of Economics gave a great keynote on complexity in systems and how the desire to categorize, enumerate, and add technology can break things in interesting ways. An example of his: there’s an increasing desire among politicians and law enforcement to create huge DNA databases for forensic purposes, to aid […]

 

Does this mean we can revise our opinion of Friday the 13th?

According to The Daily Telegraph, the Knights Templar are suing the Vatican for all that money they lost in 1307. (The Telegraph has a companion article here as well.) This adds up to a nice round €100 billion. The Telegraph didn’t say whether that is American billions (thousand million, 109) or English billions (million million, […]

 

Cleared Traveler Data Lost

Verified Identity Pass, Inc., who run the Clear service have lost a laptop containing information of 33,000 customers. According to KPIX in “Laptop Discovery May End SFO Security Scare” the “alleged theft of the unencrypted laptop” lost information including names, addresses, birth dates and some applicants’ driver’s license numbers and passport information, but does not […]

 

SOUPS 2008, summarized

I really appreciate the way that Richard Conlan has in-depth blogged all of the sessions from the 2008 Symposium on Usable Privacy and Security. The descriptions of the talks are really helpful in deciding which papers I want to dig into. More conferences should do this. There’s only one request I’d make: There’s no single […]

 

What do you want to know about SDL Threat Modeling?

Over on my work blog, I asked: I’m working on a paper about “Experiences Threat Modeling at Microsoft” for an academic workshop on security modeling. I have some content that I think is pretty good, but I realize that I don’t know all the questions that readers might have. So, what questions should I try […]

 

Call Centers Will Get More Annoying

There’s an article in “destination CRM,” Who’s Really Calling Your Contact Center? …the identity questions are “based on harder-to-steal information” than public records and credit reports. “This is much closer to the chest than a lot of the public data being used in other authentication systems,” she says, adding that some companies using public data […]

 

London’s New Transit Card

Transport for London is trying to get as many people as possible to use Oyster Cards. They are cheaper — and theoretically easier to use — than traditional tube / bus tickets. However, using one means that TfL has a record of your journeys on the transport system, which is something that not everybody is […]

 

Reproducibility, sharing, and data sensitivity

What made this particular work different was that the packets we captured came through a Tor node. Because of this difference, we took extreme caution in managing these traces and have not and will not plan to share them with other researchers. Response to Tor Study I won’t get into parsing what “have not and […]

 

New FISA Analysis

Vox Libertas, a blogger at the Daily Kos has written an analysis of the new US FISA law in his article, “I think I understand the FISA bill. Do I?” Vox Libertas has taken an approach that I can appreciate. On the one hand, many people are unhappy with the telecom immunity. I’m one of […]

 
 

Breaches & Human Rights in Finland

The European Court of Human Rights has ordered the Finnish government to pay out €34,000 because it failed to protect a citizen’s personal data. One data protection expert said that the case creates a vital link between data security and human rights. The Court made its ruling based on Article 8 of the European Convention […]

 

Off to Belgium

I’m getting ready to leave for the 2008 Privacy Enhancing Technologies Symposium. I love this event, and I’m proud to have been involved since Hannes Federrath kicked it off as a workshop on design issues anonymity and unobservability. I’m also happy that Microsoft has continued to sponsor an award for outstanding research in Privacy Enhancing […]

 

Putting the fun back in threat modeling

I have an article in the latest MSDN magazine, “Reinvigorate your threat modeling process:” My colleague Ellen likes to say that everyone threat models all the time. We all threat model airport security. We all threat model our homes. We think about threats against our assets: our families, our jewelry, and our sentimental and irreplaceable […]

 

Writing a book: The Proposal

To start from the obvious, book publishers are companies, hoping to make money from the books they publish. If you’d like your book to be on this illustrious list, you need an idea for a book that will sell. This post isn’t about how to come up with the idea, it’s about how to sell […]

 

Security & Human Behavior

There’s a huge amount of interesting stuff from a recent workshop on “Security & Human Behavior.” Matt Blaze has audio, and Ross Anderson has text summaries in the comments on his blog post. Also, see Bob Sullivan, “How magic might finally fix your computer”

 

Laptops and border crossings

The New York Times has in an editorial, “The Government and Your Laptop” a plea for Congress to pass a law to ensure that laptops (along with phones, etc.) are not seized at borders without reasonable suspicion. The have the interesting statistic that in a survey by the Association of Corporate Travel Executives, 7 of […]

 

Leveraging Public Data For Competitive Purposes

The Freakonomics blog pretty much says it all: The latest: importgenius.com, the brainchild of brothers Ryan and David Petersen, with Michael Kanko. They exploit customs reporting obligations and Freedom of Information requests to organize and publish — in real-time — the contents of every shipping container entering the United States. From importgenius.com. There’s a neat […]

 

The Recent History of the Future of Cash

Dave Birch has a really interesting post about The future of the future of cash: The report also identifies three key attributes of cash that make it — still — the dominant payment system. Universality, trust and anonymity. I’m curious about the location of anonymity in the customer mindset and I’m going to post some […]

 

Richard Feynman and The Connection Machine

There’s a fascinating article at The Long Now Foundation, “Richard Feynman and The Connection Machine,” by Danny Hillis. It’s a fun look into the interactions of two of the most interesting scientist/engineers of the last 40 years.

 

Massive Coordinated Vendor Patch For DNS

Dan “Doxpara” Kaminsky today released information about a fundamental design flaw in the architecture of DNS which if properly exploited would allow a malicious party to impersonate any website they wanted to. This issue effects every single version of DNS. The flaw primarily effects the DNS server but it can also effect clients as well […]

 

Writing a book: technical tools & collaboration

When Andrew and I started writing The New School, we both lived in Atlanta, only a few miles apart. We regularly met for beer or coffee to review drafts. After I moved to Seattle, our working process changed a lot. I wanted to talk both about the tools we used, and our writing process. We […]

 

Maryland Breach Notices

Case Number Date Received Business Name No. of MD residents Total breach size Information breached How breach occurred 153504 06/09/08 Argosy University name, social security number, addresses Laptop computer stolen from employee of SunGard Higher Education Maryland Information Security Breach Notices are put online by the most-forward looking Douglas F. Gansler, attorney general. I’m glad […]

 

Freakonomics and Data

There’s a really interesting article in the New Republic, “Freaks and Geeks:” In 2000, a Harvard professor named Caroline Hoxby discovered that streams had often formed boundaries to nineteenth-century school districts, so that cities with more streams historically had more school districts, even if some districts had later merged. The discovery allowed Hoxby to show […]

 

On Banking Security

Dave Maynor comments: Blizzard is going to sell a One Time Password device…Isn’t it kind of funny when an online game has better security than most banks? Blizzard Entertainment, Inc. today introduced an optional extra layer of security for World of Warcraft®, its award-winning massively multiplayer online role-playing game. Designed to attach to a keychain, […]

 

Sounds Like — Chomsky

The New Scientist reports that “Charades reveals a universal sentence structure.” Susan Golden-Meadow, a linguistic psychologist at the University of Chicago, led a team that found that speakers of most languages use the same simple sentence structure when miming, regardless of the structure of the language they speak. A demonstration movie is here. That structure […]

 

Study: Firefox patched quickest, IE a laggard

A new technical report out of ETH Zurich, Understanding the Web browser threat, should appeal to EC readers. The authors were granted access to the USER-AGENT information recorded globally by Google between January2007 and June 2008. By examining the first visit per day by each browser, the authors are able to determine which clients were […]

 
 

Network Security Podcast #109, featuring Adam

I’m the guest on the latest episode of Martin McKeay and Rich Mogull’s Network Security podcast. It was a lot of fun to record, I hope you enjoy listening to it. [Link fixed.]

 

Game Theory and Poe

Julie Rehmeyer of Science News writes in, “The Tell-Tale Anecdote: An Edgar Allan Poe story reveals a flaw in game theory” about a paper Kfir Elias and Ariel Rubenstein called, “Edgar Allan Poe’s Riddle: Do Guessers Outperform Misleaders in a Repeated Matching Pennies Game? The paper discusses a game that Poe describes in The Purloined […]

 

Not quite clear on the subject

Slyck News has a story, “SSL Encrpytion Coming to The Pirate Bay” a good summary of which is in the headline. However, may not help, and may hurt. Slyck says: The level of protection offered likely varies on the individual’s geographical location. Since The Pirate Bay isn’t actually situated in Sweden, a user in the […]

 
 

Science isn't about Checklists

Over at Zero in a Bit, Chris Eng has a post, “Art vs. Science“: A client chastised me once for making a statement that penetration testing is a mixture of art and science. He wanted to believe that it was completely scientific and could be distilled down to a checklist type approach. I explained that […]

 

Water on Mars!

Mars Phoenix Tweets: “We Have ICE!” And yes, they really did announce on Twitter and a press release.

 

Medeco Embraces The Locksport Community

Two days ago, Marc Weber Tobias pointed out that Medeco, the 800 pound gorilla in the high-security lock market, recently published an open letter to the locksport community, welcoming it to the physical security industry: While we have worked with many locksmiths and security specialists in the past to improve our cylinders, this is the […]

 

L'affaire Kozinski

Kim Zetter on Threat Level has written about Larry Lessig’s comments about Judge Alex Kozinski’s problems with having files on a personal server made public. Zetter has asked to hear people’s opinions about the issue. I thought I’d just blog about mine. Basically, I agree with Lessig. The major place that I disagree with Lessig […]

 

Can You Hear Me Now?

Debix, Verizon, the ID Theft Research Center and the Department of Justice have all released really interesting reports in the last few days, and what makes them interesting is their data about what’s going wrong in security. This is new. We don’t have equivalents of the National Crime Victimization Surveys for cyberspace. We don’t have […]

 

Paper Breach

The BBC reports in “Secret terror files left on train” that an … unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train. A fellow passenger spotted the envelope containing the files and gave it to the BBC, who handed them to the police. We […]

 

What’s up with the "New and Used" Pricing on Amazon?

So having a book out, you start to notice all sorts of stuff about how Amazon works. (I’ve confirmed this with other first time authors.) One of the things that I just can’t figure out is the pricing people have for The New School. There’s a new copy for 46.43. A mere 54% premium over […]

 

In the "couldn't have happened to a better set of people" department…

Fifteen people have escaped unharmed in the US state of Indiana after a sky-diving plane lost power 7,000ft (2,100m) from the ground. The pilot told the 14 skydivers on board to jump to safety, then crash-landed the plane. And the pilot was un-injured, according to the AP story. From Skydiving plane fails at 7,000ft, BBC. […]

 

8th Pet Symposium Early Registration Deadline

We kindly invite you to attend the next PET Symposium, that will take place in Leuven (Belgium) on July 23-25, 2008. The PET Symposium is the leading international event for the latest research on privacy and anonymity technologies. This year, four other events are co-located with PETS 2008, including the Workshop On Trustworthy Elections (WOTE […]

 

Open thread

What the heck. Let’s see what happens. Comment on what you will.

 

Because it is the weekend and I am lazy

Chris’s beach reading recommendations John Maynard Smith, Evolution and the Theory of Games James S. Coleman, Foundations of Social Theory Ken Binmore, Natural Justice

 

Jonathan Ive's Sharia Style

I was on a business commuter flight the other day, which was also the maiden voyage of my MacBook Air. I had it out before takeoff. This was an international flight and I was in bulkhead. On international flights, they’re not as strict about not having your laptop on your lap during takeoff. This flight […]

 

Does the UK need a breach notice law?

Chris Pounder has an article on the subject: In summary, most of the important features of USA-style, security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly loose personal data or fail to encrypt personal data when they should have done. Individuals […]

 

Why the heck don't I ever have ideas this good?

Walkscore.com. Calculates a location’s “walkability” by using Google Maps to figure out how close various amenities (such as grocery stores, public transit, parks, etc.) are. Not a perfect service, but a great idea.

 

Sing it shrdlu

Over at Layer8, shrdlu lays it out there and tells us what it takes to appear to be effective: In all the initiatives I’ve rolled out in my (checkered) career, the ones that have gotten the most acclaim from my management have always been the ones that were most visible to the users. They turned […]

 

New School Reviews

Don Morrill, IT Toolbox: If you want to read a book that will have an influence on your information security career, or if you just want to read something that points out that we do need to do information security differently, then you need to go pick up a copy of “The new school of […]

 

"The Black Hat Tax?" Show me the money

A number of people have sent me links to “Black Hat Tariffs – The Black Hat Taxes on consumer Internet companies are on the rise:” In May 2006, I made mention of the Black Hat Tax, in which most consumer Internet sites have an inherent time, resource, and mindshare tax of roughly 25% due to […]

 

Apparently The State Department Didn’t Learn From Regular Passports

The Washington Times reports that the State Department is going to be producing “passport cards” for people who regular travel by car or boat to/from Canada, Mexico and Carribean. About the size of a credit card, the electronic-passport card displays a photo of the user and a radio frequency identification (RFID) chip containing data about […]

 
 

Let's not ask the experts?

Can Sips at Home Prevent Binges? is a fascinating article in the New York Times. It turns out there’s very solid evidence about this: “The best evidence shows that teaching kids to drink responsibly is better than shutting them off entirely from it,” he told me. “You want to introduce your kids to it, and […]

 

Uncle Harold and Open Source

Uncle Harold (not his real name, not our real relationship, and I never even called him “Uncle”) was a cool guy who always fixed his own cars. Most of my life, Uncle Harold has been complaining. It used to be you could actually fix a car. You could put things in, take them out, adjust […]

 

6/16ths of Chileans personal information leaked by hacker

A hacker in Chile calling himself the ‘Anonymous Coward’ published confidential data belonging to six million people on the internet. Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records. Chile has a population of about 16 million, so that’s 3/8ths of the country. […]

 

UK Information Commissioner's Office Can Now Fine Your Ass

From the article: The Criminal Justice and Immigration Act has received Royal Assent creating tough new sanctions for the privacy watchdog, the Information Commissioner’s Office (ICO). This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. It’s about time […]

 

Call me crazy?

There’s an article in the New York Times, “‘Mad Pride’ Fights a Stigma” “It used to be you were labeled with your diagnosis and that was it; you were marginalized,” said Molly Sprengelmeyer, an organizer for the Asheville Radical Mental Health Collective, a mad pride group in North Carolina. “If people found out, it was […]

 

Credit Bureaus and Outsourcing

The “I’ve Been Mugged” blog has a great three part series on outsourcing by credit bureaus: “Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1),” “part 2” and “part 3.” He digs deep into how extensively TransUnion outsources, and where. I went looking, and was surprised to see that […]

 

A question of ethics

Various estimates have been made regarding the quantity of personal identifying information which has been exposed by various mechanisms. Obviously, though, we only know about what we can see, so seeing more would make such estimates better. One way to see more would be to look in more places, for example on peer-to-peer file sharing […]