Gettin’ Real Security? No.

I came prepared. I knew I would be walking into the lion’s den with my spartan Thinkpad running Windows and Ubuntu. Sure enough there was an eerie sea of glowing white Mac logos in the conference room which reminded me vaguely of Wyndham’s Midwich Cuckoos. I surreptitiously covered the IBM logo with a white Apple sticker which came with my new iPod (a black nano).

You’re no more secure because of that Apple logo. Arthur explains that in the next post.

(Quote from NudeCybot, “Gettin’ Real Yo.”)

Use The Logo Luke

“Decaf” over on DeadBeefCafe relates the story of a colleague whose response to yet another virus outbreak is to convince management to purchase Macintoshes, with the following justification:

We’re going to buy Mac Minis and run Windows on them because Macs aren’t affected by these security problems.

Decaf breaks down the several fallacies of this statement and sardonically sums it up with:

So we’re left with the best security method I’ve heard of: A different case! By affixing an Apple logo onto the host, we’ve made it more secure, because Macs aren’t subject to the same security problems.

Just when I think that my organization is getting behind the curve for one reason or another, I come across something like this and I feel lucky to be where I am today.

A Picture (or Three) Is Worth A Thousand Words

Iang over at Financial Cryptography talks about the importance of not just which cryptographic algorithm you use, but which mode of operation you use it in. He uses three pictures from Mark Pustilnik’s paper “Documenting And Evaluating The Security Guarantees Of Your Apps” that are such a great illustration of the problem that I have to include them here.
Adam and I have both been to Tufte’s courses on Presenting Data and Information and these strike me as the kind of illustrations he would appreciate. The beauty of them is that as a non-cryptographer, you don’t need to understand the technical differences between ECB and CBC modes, because the illustrations demonstrate them far better than any text could.
[Edit: In the comments, nicko points out that this extremely clever idea was originally done with the Linux Tux logo, and that the images can be found on Wikipedia in the article on block cipher modes of operation.]
[Figure 2a: Plaintext]
[Figure 2b: ECB encryption]
[Figure 2c: CBC encryption]
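As an added example (not part of the original post, and not from Pustilnik’s paper), here is a small Python script that reproduces the effect of those pictures in one dimension. The block cipher is a toy four-round Feistel network built on SHA-256, standing in for AES so the script runs with nothing but the standard library; that is an assumption for portability, and the toy cipher is not fit for any real use. The “picture” is a constructed 16-row bitmap, one 16-byte block per row, with a white rectangle on a black background. Under ECB, identical plaintext rows become identical ciphertext rows, so the rectangle’s silhouette survives encryption; under CBC, the chaining hides it.

```python
"""ECB vs CBC on a tiny 'bitmap': why the mode matters as much as the cipher.

The block cipher below is a toy Feistel network over SHA-256 (assumption:
a stand-in for AES so this runs offline; NOT a real cipher).
"""
import hashlib
from typing import List

BLOCK = 16          # 128-bit blocks, the same block size as AES
HALF = BLOCK // 2
ROUNDS = 4

KEY = b"constructed-key!"       # constructed 16-byte key for the demo
IV = bytes(range(BLOCK))        # fixed IV so the demo is reproducible;
                                # real CBC needs a fresh unpredictable IV per message


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function: truncated SHA-256 of (key, round number, half block)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel block cipher: (L, R) -> (R, L xor F(R)) per round."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: run the rounds backwards."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def ecb_encrypt(key: bytes, blocks: List[bytes]) -> List[bytes]:
    """ECB: every block is encrypted independently, so equal inputs give equal outputs."""
    return [encrypt_block(key, b) for b in blocks]


def ecb_decrypt(key: bytes, blocks: List[bytes]) -> List[bytes]:
    return [decrypt_block(key, c) for c in blocks]


def cbc_encrypt(key: bytes, iv: bytes, blocks: List[bytes]) -> List[bytes]:
    """CBC: each plaintext block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for b in blocks:
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return out


def cbc_decrypt(key: bytes, iv: bytes, blocks: List[bytes]) -> List[bytes]:
    out, prev = [], iv
    for c in blocks:
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return out


def make_picture() -> List[bytes]:
    """Constructed 16-row bitmap: a white (0xFF) rectangle on black (0x00),
    one 16-byte block per row. Rows 4..11 hold the rectangle."""
    background = bytes([0x00] * BLOCK)
    stripe = bytes([0x00] * 4 + [0xFF] * 8 + [0x00] * 4)
    return [stripe if 4 <= r < 12 else background for r in range(BLOCK)]


def silhouette(blocks: List[bytes]) -> str:
    """Label every distinct block with a letter, in order of first appearance.
    Under ECB the letters reproduce the picture's row structure; under CBC
    every row gets its own letter and the structure is gone."""
    labels = {}
    out = []
    for b in blocks:
        if b not in labels:
            labels[b] = chr(ord("A") + len(labels))
        out.append(labels[b])
    return "".join(out)


if __name__ == "__main__":
    pic = make_picture()
    print("plaintext:", silhouette(pic))
    print("ECB      :", silhouette(ecb_encrypt(KEY, pic)))
    print("CBC      :", silhouette(cbc_encrypt(KEY, IV, pic)))
```

Run it and the plaintext and ECB lines print the same `AAAABBBBBBBBAAAA` pattern (the rectangle is still visible), while the CBC line is sixteen distinct letters. Swapping the toy Feistel for real AES changes nothing about that outcome, which is the point of the pictures: the leak comes from the mode, not the cipher.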

More on the Military Commissions Act

At the Volokh Conspiracy, Jonathan non-Adler points to the John Yoo op-ed which

…argues that Congress sent a message to the Supreme Court with the passage of the Military Commissions Act: Mind your own business and leave the war on terror alone. In this regard, Yoo argues, the law was, above all else, a “stinging rebuke” to the Supreme Court, particularly insofar as it limited federal court jurisdiction over certain claims.

Adler also points to Marty Lederman’s response, “John Yoo on Court Stripping.” I’d like to add pointers to Kip Esquire’s much simpler and cleaner argument, “Does The MCA ‘Reverse’ The Supreme Court,” and my own, “These aren’t the civil liberties you’re looking for.”

More on Data Reservoirs

Nick Szabo takes issue with an article I pointed to in “Reservoirs of Data” in his post, “Citron’s ‘data reservoirs:’ putting liability at the wrong end of the problem:”

Bottom line: liability should be put on the low-cost avoider. This is not merely a rule of negligence but a guideline for determining where any kind of liability should fall in any new area of commerce. The idea that the data brokers are the low cost avoiders in this system is highly implausible. Rather, here as with most other harms, it is those parties most proximate to the harm who can most easily prevent it. Furthermore, the evidence needed to hold parties liable will be far more reliably available for the proximate harmer than the remote data leaker.

Organizations that use widely distributed and easily leaked data like SSNs as authenticators, and who currently depend on such weak authentications for credit reporting and debt collection, can switch to more secure passwords at lower costs than would be imposed by Citron’s regime. Organizations that fail to use secure authenticators, especially organizations that report information to credit bureaus or attempt to collect debts based on insecure authenticators, should bear the liability for identity theft due to the known insecurity of those authenticators, rather than organizations who inevitably leak already widely distributed data.

Is the low cost avoider really the debt collector? What about the cost to the consumer of a decreased credit score? Isn’t the low cost avoider here the credit agency? Aren’t they well positioned to take note of discrepancies in the reports they aggregate together?

Tearing Steve Wynn a New One

Wynn stepped away from the painting, and there, smack in the middle of Marie-Therese Walter’s plump and allegedly-erotic forearm, was a black hole the size of a silver dollar – or, to be more exact, the size of the tip of Steve Wynn’s elbow — with two three-inch long rips coming off it in either direction. Steve Wynn has retinitis pigmentosa, an eye disease that damages peripheral vision, but he could see quite clearly what had happened.

“Oh shit,” he said. “Look what I’ve done.”

Via PrivacyClue, “You think *you’ve* lost money in Vegas..” [Update: Brad Feld points to a New Yorker article on the subject.]


Radialpoint Needs People

My friends at Radialpoint are looking for a few great people to help drive their service delivery platform. They need a database development architect, a software architect, and a senior Java developer:

These are leadership level positions in a growing company with great financial resources. Each of these team members will have the chance to attend conferences, participate in industry developments, and will be encouraged to establish their leadership in the industry through publications and/or presentation opportunities. For a technologist, this is a chance to make (and be rewarded for) critical contributions to the success of a company for whom technology is both its heart and lifeblood.

I have fond memories of working with a number of these people when we were at Zero-Knowledge. They’re great folks in a great city, and if you fit the bill, you should give them a chance.

I’m happy to facilitate introductions.

Debix Launches

I’m also really excited to share the news that my friends at Debix have launched their service, and it’s now available to the public. It is, in my opinion, the best identity theft preventative measure available today, and you should seriously consider signing up.

The way it works is that they put a lock on your credit file, so that a creditor who wants to open a new account in your name has to contact you, through Debix, before doing so. This is better than a standard fraud alert because Debix keeps a record of every contact. So if someone opens an account and you weren’t contacted, it’s not a matter of he said/she said: there’s a neutral party who can vouch for what didn’t happen. It’s also better than credit monitoring because you prevent problems rather than trying to clean them up afterwards.

As Bo Holland, the CEO, says, there’s nothing like putting the person who knows–you–at the center of your credit transactions.

Disclosure: I have a financial relationship with Debix.

Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach

I’m pretty excited that an article, “Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach” is in the November MSDN magazine. The theme of the magazine is “Security Fundamentals.” The article that I wrote with Shawn Hernan, Scott Lambert, and Tomasz Ostwald talks about how we threat model our products at Microsoft. I’m happy to be talking about my work, and look forward to doing more of it as the process and tools evolve.

Also in there at the conceptual level is “Secure Habits: 8 Simple Rules For Developing More Secure Code” by Michael Howard. Michael talks about important habits for ensuring that your software has security properties. In contrast, there’s “Extending SDL: Documenting And Evaluating The Security Guarantees Of Your Apps” by Mark Pustilnik. Mark discusses the concept of treating security feature requirements like other feature requirements and making sure they’re delivered in a way that’s focused on solving real customer problems.

At a more code-oriented level, there are articles on Single Sign On, smart cards, and SQL security.

One of the cool things about writing for MSDN is that they translate your article. So feel free to read “Descubra los errores en el diseño de la seguridad con el método STRIDE,” “Démasquez les défauts de conception en matière de sécurité à l’aide de la méthode STRIDE,” “Aufdecken von Fehlern im Sicherheitsentwurf mithilfe des STRIDE-Ansatzes,” “Обнаружение недостатков безопасности при помощи STRIDE,” “Descoberta de falhas de design de segurança usando a abordagem STRIDE,” or “使用 STRIDE 方法发现安全设计缺陷.” (You can read the other articles in any of those languages, too, but that’s way more link wrangling than I want to do.)