Dan Kaminsky has a good essay on internet isolationism, which is his name for the opposite of net neutrality. It starts:
Oh, sure, there's UPS and DHL and the US Postal Service. But imagine if they were all proposing that, because people make money based on the contents of packages other people shipped, that they should see some of that money. Imagine they implied that, if you or your company did not pay a reception fee... well, things might happen. Packages might get lost, you see.
Read "Internet Isolationism is bad for business."
Me, I'm fond of noting when business tactics can be compared to the mafia. Anyway, it's a good essay, and worth realizing that the opposite of neutrality isn't opinion, it's isolationism and an end to innovation on the internet.
"Email Thread Visualization" via infoesthetics.
(I will try to read through the comments on the links below, as well.)
See Richard's blog post, via Schneier or Slashdot.
For Immediate Release
CATAWBA COUNTY SCHOOL SYSTEM, June 26 --
The Catawba County Public School System (NC) announced today that district web site administrators have remedied a configuration error which accidentally resulted in the social security numbers and names of several hundred students being made available via the popular Google search engine. Officials were alerted to the misconfiguration when the confidential data was found by a district parent seeking information on a beauty pageant contestant.
Catawba County Schools chief technology officer Judith Ray explained that, although the district's site password-protects areas containing non-public information, the area containing the student information had inadvertently been excluded. "Our web masters immediately recognized their error", Ray added, "and made the change needed to protect this information". All affected individuals have been notified, and the district has modified both its web site configuration, and its document management processes to provide an additional layer of checking against a repetition of the error.
Moreover, added Ray, the district has begun a process of removing social security numbers as identifiers from files it maintains. "This information was gathered in another era. Today, it's simply inappropriate. We're updating our databases, just as we've updated our procedures", she explained.
The district's quick response was matched by Google. A day after being informed of the exposure, the information was no longer available via the popular search engine.
What you will see instead:
Q. How did this happen?
A. School system officials say Google broke through the password and username protected server the information was stored in and took a photo of the page, which it posted to the Internet.
(Hat tip to lyger.)
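The (wished-for) press release above names two fixes: password-protecting the directory, and adding a check to the document management process so that nothing like this reaches the public area again. Here is an added example of the second kind of check. It is not the school district's tooling, and the file names and contents below are constructed for illustration: a pre-publication scan of a web staging directory for SSN-shaped strings, with the number ranges that are never issued filtered out so that dates and phone numbers don't trip it.

```python
import re
import tempfile
from pathlib import Path

# Added example (not the school district's own tooling): scan files that are about
# to be copied into a public web directory for Social Security number patterns.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Drop patterns that are never issued as SSNs, to keep false positives down:
    area 000, 666 and 900-999 are never assigned; group and serial are never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return the plausible SSNs in text, masked so the report itself does not leak them."""
    return [f"***-**-{m.group(3)}" for m in SSN_RE.finditer(text)
            if looks_like_ssn(*m.groups())]


def scan_tree(root: Path, suffixes=(".html", ".htm", ".txt", ".csv")) -> dict[str, list[str]]:
    """Walk a staging directory and report each file containing SSN-like values."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        hits = find_ssns(path.read_text(errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def publish_allowed(root: Path) -> bool:
    """Gate for a publishing step: refuse to publish if anything SSN-like is present."""
    return not scan_tree(root)


def run_demo() -> dict[str, list[str]]:
    """Build a constructed staging tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pageant").mkdir()
        # Constructed sample: a page that should never have reached the public area.
        (root / "pageant" / "contestants.html").write_text(
            "<p>Jane Doe, student ID 123-45-6789</p>\n<p>Office: 828-555-0100</p>\n")
        # Constructed samples that must not trigger: a date and two impossible SSNs.
        (root / "index.html").write_text("<h1>District news</h1>\n<p>Posted 2006-06-26</p>\n")
        (root / "roster.csv").write_text("name,id\nJ. Roe,000-12-3456\nK. Poe,987-65-4321\n")
        return scan_tree(root)


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name}: {len(hits)} SSN-like value(s) {hits}")
```

The point of `publish_allowed` is that it runs before the copy to the web root, not after: a robots.txt entry or a search engine's goodwill does nothing for a file that is already world-readable.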
I started my career as a UNIX sysadmin. You can find really old email from me to Sun-managers, or a 1994 "Introduction to S/Key." In the past, I've heaped scorn on Microsoft's security related decisions. Over the last few years, I've watched Microsoft embrace security. I've watched them make very large investments in security, including hiring my friends and colleagues. And really, I've watched them produce results.
In making this decision, I've had conversations with many people and organizations. The one theme that stands out was the difference in the conversations I had with Microsoft versus other software producers. Some of the things that Microsoft does and is looking to improve haven't even made it in rudimentary form anywhere else. I found myself having to shift gears and explain Microsoft's Security Development Lifecycle. I noticed no one else with a Blue Hat conference. No one else stopping feature development to hunt for bugs. I (re-)discovered how few organizations have even basic formal security processes in place, and how few of those have audit to make sure that their processes are followed.
I realized just how many smart people are thinking about these questions at Microsoft, and I'm glad to be joining them. I'll be working on threat modeling and improving that aforementioned Security Development Lifecycle.
Part of the process that's taken a long time and has been hard for me is that Microsoft is adamant on minimizing risks of intellectual property contamination, and that includes technical advisory boards (TABs). Looking around, I found exactly two Microsoft employees on commercial TABs. One was John Conners, CFO, the other is Rob Willis, who founded the company he now advises. Two people. Six years. I might have had a slightly better chance if I wasn't taking the role I'm taking, in a central security group. I want to be clear that my decision is about the tremendously cool opportunity within Microsoft, not a lack of confidence or enthusiasm for the companies I have had the pleasure of working with. I remain enthusiastic, and wish all of them great success.
That said, Microsoft didn't offer to buy this blog. It remains mine, with a healthy dose of Chris and Arthur, and lots of great reader comments. I am free to say what I want here, and they're free to question my judgment. At the same time, I'm going to shy away from some topics: Microsoft. How other companies do security processes. Why you should use IE. I'm going to shy away from these, at least initially, because there's a tendency to take everything Microsoft employees say as company gospel, regardless of disclaimers, etc. I expect to speak more about liberty, privacy, breaches, usability, and as I find them, giant animals.
So, I've joined Microsoft, and I look forward to doing great things here.
There's a number of good comments on "Risk Appetite of Volatility Appetite," and I'd like to respond to two of the themes.
The first is "risk appetite is an industry-standard term." I don't dispute this. I do question if I should care. On the one hand, terms that an industry picks up and uses tend to be useful and revelatory. Sometimes, they are also distortive. Risk appetite makes sense from the perspective of the financial industry, which is selling products of various riskiness. Knowing their customer's appetite for risk makes sense. It makes sense even if that appetite is formed on false premises, that you must accept higher risk for a higher return. This is clearly false: just look at interest rates on insured savings accounts. A great deal of return is a function of information, and the willingness to find and use it. (Admittedly, a high interest rate may correlate with moral hazard on the part of the insured bank, and you may have to accept getting your money back later.) I think that the term risk appetite is also distortive, in that it influences the way people look at risk. I once caught myself looking for a risky investment, rather than one with a high expected upside. That high-reward investments often include lots of risk doesn't mean it's what I'm looking for.
The second is that I misunderstand risk. That may well be true, but I think that the goal of disaggregating risk from reward is useful. Anyone who'd like to offer up a more purely disaggregated risk is free to do so. It's an interesting thought experiment, one that's clearly making many readers uncomfortable. That's not my usual goal, but I'm willing to accept it now and then in exchange for a rewarding conversation.
(These dice are from NelC, too.)
This week's roundup is large. Rather than push other newish posts off the bottom of most people's screens, it has been deemed preferable to prepend this introductory paragraph, at the bottom of which readers may elect to see more.
Multiple servers breached. University loses SSNs and other data on 200,000 to 240,000 current and previous students, as well as credit-card information on those using the university bookstore or hotel. According to a response received from WIU's official "Security Alert" email address:
A majority of students potentially affected are students who took courses from 1983 to the present. A smaller number of records from 1978 to 1982 (approximately 1,000 records) may have been at risk of exposure. Anyone who has performed an online purchase through the University bookstore or who has stayed in the University Union Hotel may also potentially be affected
Interestingly, the Division of Student Services, which seemingly runs on-line bookstore sales, says that they "Don't retain credit card information after credit card sales have been processed."
Official version of events is at http://www.wiu.edu/securityalert/
Social Security Numbers and other info on 13,000 Washington, D.C. residents obtained when a thief stole a laptop from the home of an ING U.S. employee. No password, no encryption. Theft occurred June 12.
Washington Post has more.
Laptop stolen May 29th contained name and SSN info on up to 2500 of their employees.
(AP, via Dataloss)
The tide of theft continues. An office computer containing names, SSNs, and medical information for 9,800 kidney donors, recipients, and potential recipients was stolen in February, but "the affected people weren't notified until earlier this month because it took months for school officials to reconstruct the missing database".
Visa admits there's a problem it has known about since February, but reveals no numbers or names. Thanks, guys. AP has the story.
Names, SSNs of 28,000 Navy personnel and some family members show up on a web site. Navy discovers it, has info removed. Congress is asking for more information (such as the name of the site).
(AP, via MSN)
SSNs and test scores for 619 students show up on web. School blames Google.
(HeraldToday.com, via Dataloss)
In other news, Surgeon General caught smoking under bleachers.
In a statement, the FTC said two employee laptops were stolen from a locked vehicle. The PCs contained data on about 110 people that was "gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers."
3,000 former and current students' SSNs, names, grades lost via a...laptop theft!
Although use of SSNs as student identifiers is now banned, apparently it's just too much work to clean up the years of cruft that faculty have accumulated. An interesting research question: what is the half-life of information like this?
(SFGate.com, via Dataloss)
Names, photos, and SSNs of 26,000 workers revealed when a hacker was able to get into a USDA server.
(SeattlePI.com, via Dataloss)
Over at the Counterterrorism Blog, Dennis Lormel writes "Initial Comments about Terrorist Financing and “The One Percent Doctrine”" and "U.S. Government Terrorist Financing Initiative Involving SWIFT:"
...I was in the FBI in a leadership role responsible for terrorist financing. Immediately after 9/11, we realized we had to develop financial investigative methodologies different than anything we had done before. We had to think outside the box by developing and implementing time sensitive and time urgent investigative techniques. To succeed, we needed the assistance of the financial community. At all times, we were cognizant of privacy rights and civil liberties.
He seems hurt that people don't understand the programs, and how the FBI carefully balanced their interests with those of society, as they'd been instructed to do by Congress and the public, when we passed the "Hey, you guys figure it out" law. (Snark aside, Congress did seem to take that attitude for a while.) The American people are worried about the unfettered exercise of power. One subpoena doesn't seem to balance with "probable cause," or our expectations of how these things ought to be done.
We should be having debates about these things, and the debates require information.
There's good information in both posts, especially about how the counterterror groups view what they've done. See also, "Provider of financial records to US had assurances," by Reuters.
Concerning a school district which misconfigured its web server and wound up posting student social security numbers for all -- including Google's spiders -- to see, Gartner's Avivah Litan weighs in:
"They say the Internet is free and open, and you can't stop them," Litan said. "But they ought to scrutinize some of the content and, at least, send a warning to Web sites that they're exposing this information."
Google doesn't honor robots.txt? Wow. Gartner really does know something everyone else doesn't.
The United States Treasury Department has had secret access to records maintained as part of the SWIFT system, which it has been using secretly for years to identify financial ties to terrorist entities.
The Washington Post has more.
Although the federal government and local law enforcement agencies nationwide use private data brokers, the FBI said that practices used by these companies to gather private phone records without warrants or subpoenas is illegal, according to an Associated Press article on Chron.com.
That's from the CSO Blog, "Data Brokers May Act Illegally." In other news, "ChoicePoint-FBI Deal Raises New Privacy Questions."
A senior FBI lawyer, Elaine N. Lammert, told lawmakers the bureau was still surveying agents around the United States, but so far has found no "systemic" use of data brokers by the FBI.
So what are we paying for?
It's easy to put presentations on the web, just like it's easy to create them. Neither is easy to do well. I'd like to talk not only about good slide creation, but how to distribute a presentation in a useful way. It's not easy to create good presentations, even when you have good content. Simson Garfinkel pointed me to a great source on "The Design of Presentation Slides." It's based on actual research about presentation style and retention. It turns out that a full sentence headline, graphical representation of data, and conclusions to draw from the data presented is far more memorable than bulleted sentence fragments (right).
This style also works well when the presentation is actually a presentation of some other organized thinking, such as a scientific paper, or progress report. When the presentation is accompaniment to something, I believe the research that says the headline sentence, data and conclusion style lead to better retention. What about when there is no other handout?
There's an expectation that speakers at a conference or workshop will provide slides. From the perspective of the conference organizers, requesting slides offers some small assurance that the speaker has prepared, and allows the conference attendees to have the slides as a reminder of the talk. From the reminder perspective, outline slides are actually very useful. There's rarely an expectation of handouts that aren't the slides. Perhaps the most useful (generically) is an actual outline, created with a tool designed for that purpose. A real outline is useful because it is less constrained by the genre: ideas can be more than active fragments, and the printed page imposes fewer constraints on both sentence and block than the slide. An outline's not so useful as data, but who has data these days?
So I think I may move away from my habit of providing multiple formats of the slides themselves, and move to putting up a three-part web page with outline, references, and any details of the argument that seem to require elucidation. Perhaps even a short essay.
I would do this because the two scenarios are so different: One involves having me at the front of a room, using slides to illustrate and orient around my words. The other, without me there, means that the message needs to be self-contained.
June 26-July 1, I'll be at the Workshop on Economics of Information Security, and then Privacy Enhancing Technologies next week.
Mindless ranting on the blog will be replaced by mindless ranting over beer.
Over at "Not Bad For A Cubicle," Thurston (who is always worth reading) manages to tickle a pet-peeve of mine in "A super-size risk appetite?" No rational business has a risk appetite. They accept risk. They may even buy risk in fairly explicit ways (some financial derivatives) if they think that those risks are mis-priced because of either asymmetric information or different risk models. No rational person has a risk appetite. Some rational people have a thrill appetite, which may include elements of risk taking. Gamblers, extreme sports devotees and idiots may all do things in search of a thrill that includes a risk of serious injury or death. That risk may even increase their thrill, but what they're seeking is the thrill, and they take risk as part of that package.
If you think you have a risk appetite, I have a simple game for you. We flip a coin. If it lands heads, you give me a dollar. If it lands tails, you may choose to play again. This is pure risk. I've removed any possible gain. Feel free to play, I'll send you my address.
The picture is NelC's "My Lucky Dice."
Over at the ncircle blog, Mike Murray* takes me to task for advocating transparency, and argues for "Responsibility and Disclosure." His argument is solid:
We've had a "responsible disclosure" debate in the vulnerability research community for a whole lot of years - the point is simply that, while disclosure forces everyone to be responsible, sometimes, you can have too much of a good thing.
I do have to point out that the move to responsible disclosure took pain and suffering on all parts: the researchers, the vendors, and the innocent sysadmins. At the same time, that pain was needed to force vendors to move to a new position. Some vendors have embraced that new position really well. Others haven't. There's still a great deal of resistance to the new transparency. There are active efforts under way to roll it back. To impose federal "fox guards the henhouse" clauses on the state laws.
Those efforts will fail. They'll either fail to be passed, or a liability suit will make the escape clause too expensive to invoke. Unfortunately, I expect we need to go through this painful phase to get to the good point of having a "national breach victimization survey," and enabling a market for cool ID-theft prevention techniques like those coming from Debix.
I had a really interesting conversation with my friend S the other night. He asked if I'd give up 1386 notices to individuals in exchange for mandatory reporting to a central data collection authority. My answer was "if we still get notices where there's reason to believe an individual will be affected." Now I'm less sure. I think that notices to individuals serves important and still hard to discern processes. It feels right, even if I'm as yet unsure what the other arguments for it will be.
* Really, make that m "I need real names on the blog" murray. Photo from National Geographic via Bullockdi on Flickr.
The Associated Press pushed a story to the wires about the Data Surveillance workshop which I'd mentioned a while back:
As new disclosures mount about government surveillance programs, computer science researchers hope to wade into the fray by enabling data mining that also protects individual privacy.
Largely by employing the head-spinning principles of cryptography, the researchers say they can ensure that law enforcement, intelligence agencies and private companies can sift through huge databases without seeing names and identifying details in the records.
So let's talk about that. The argument can be re-stated as "we can take data, sift it, and then start an investigation based on the sifted data, and go through the warrants process."
This requires both willful ignorance of the quality of the data being mined, and a rose-tinted willingness to trust the justice system.
The quality of data in a privately data-mined system will be no greater than that in any other system, and will likely be lower. It will be lower because inaccurate data will not be visible for correction. Fair information practices such as accuracy and access are deeply impeded.
Once the data mining system has come out and said "Alice is a suspect," Alice will enter into a Kafka-esque bureaucratic nightmare. The computer found something. How "the computer found something" can translate into a warrant is system dependent. Some systems may unmask the "data." Others may be presented to a judge as "the computer thinks we need to investigate this person." Either way, Alice's innocence will be viewed with suspicion. Either she's really good at hiding her guilt, or we've caught a sleeper.
Research into ways in which data mining can occur in ways that are respectful of the fair information practices is useful and worthwhile. Today's privacy-destroying impulses need to be brought into check by a Congress and Judiciary balancing the executive. (Of course, the legislatures are contributing, as documented in stories like "Police to Get Access to Student Data." Thanks, Alice!) Giving them a set of tools is worthwhile, but we should be aware of the limits of the tools we have today.
Photo, Implement of Destruction by Canardo.
I never knew they did such things.
I'm deeply in favor of holidays which celebrate freedom. We need more of them.
Juneteenth, also known as Freedom Day or Emancipation Day, is an annual holiday in the United States. Celebrated on June 19, it commemorates the announcement of the abolition of slavery in Texas. The holiday originated in Galveston, Texas; for more than a century, the state of Texas was the primary home of Juneteenth celebrations.(Photo by MizJellyBean.)
To protect the rights of the official beer they were denied entry, so the male fans promptly removed the trousers and watched the game in underpants.
The BBC asserts that up to 1,000 fans were told to strip off their orange pants in "Fans Lose Trousers to Gain Entry." Markus Siegler, the control-freak in charge of press for FIFA, said:
"Of course, FIFA has no right to tell an individual fan what to wear at a match, but if thousands of people all turn up wearing the same thing to market a product and to be seen on TV screens then of course we would stop it."
Of course. That doesn't make it normal or right. You do have to appreciate a nation which prefers nudity on their TV screens to advertising. Of course, FIFA is trying to minimize the numbers, and invent the term "ambush marketing" to make it seem unusual that there's marketing involved in a sports event.
I tried to find a good picture, but this is a family blog.
From Maine's Public Law, Chapter 583, passed April 2006:
Sec. 9. 10 MRSA §1348, sub-§5, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read: 5. Notification to state regulators. When notice of a breach of the security of the system is required under subsection 1, the [information broker] person shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the [information broker] person is not regulated by the department, the Attorney General.
Maine now joins an exclusive club. Now all breaches, not just those of information brokers, must be reported to the AG's office. Only New York has a similar law. The duty to notify applies to every "person", now defined as:
an individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity, including agencies of State Government, the University of Maine System, the Maine Community College System, Maine Maritime Academy and private colleges and universities.
The emphasized portion is new law. Government agencies, colleges, and Universities just had new responsibilities placed on them. Among reported breaches, these are the most often seen types of institutions. Coincidence?
Update 7/18/2006: North Carolina's law does the right thing, too.
In "Scots Crush Cars Over 'Document Offenses,'" Rogier van Bakel writes about bad new UK law:
Now cars can be seized and crushed if document offences are detected — and the region’s top police officer said yesterday a “clear message” is being sent to would-be offenders. ... Tough new powers in the Serious Organised Crime and Police Act 2005 will allow officers to put the squeeze on “irresponsible and selfish” motorists.
The "would-be offenders," in this case, are not only people who drive without a license, but also those who get behind the wheel without insurance. I don't disagree that they need to be caught and corrected, but there's something very unsettling about the fact that they apparently can't have their day in court — that it's within a mere cop's powers to order a vehicle destroyed.
The idea that the police have the power to impose sentences is quite troubling, but more troubling to me is the idea that databases are now presumed correct. I don't know if this is the case in Scotland, but many US states are going to "electronic proof of insurance."
So let's say that your insurance company computer is offline, and can't provide proof of insurance. You know, sort of like AIG fumbled this week. Recall that AIG's computer was stolen March 31, and they didn't get around to telling anyone until June. A similar screw up could now get your car impounded and crushed. Odds are very good that AIG's contracts will state that their failure to be online isn't their problem, and you can't recover damages for your time, loss of vehicle, or distress without taking them to court.
In the IT world, we used to talk about "Garbage in, Garbage Out." It was an acknowledgment that data quality problems happened, and that they were often the fault of the system owner, not the customer. It was also a driver for the access provisions of privacy law. You have the right to access and correct certain data about you. (In the US, this applies mostly to the government, and certain aspects of the credit bureaus.)
With that loss of understanding comes a serious loss of liberty. The computer is presumed correct, and you are presumed to be a "demon customer."
Car crush photo from the US Army.
(From Bram Cohen and Nick Mathewson.)
The players are three reclusive artists. Their real names are Anaïs, Benoît,
and Camille, but they sign their works as "A," "B," and "C" respectively in
order to cultivate an aura of mystery. Every week, each artist paints a new
work in one of two styles: X and Y.
The art world despises uniformity: if all three artists paint in the same style, their paintings don't sell, and they get no points. If one of them paints in a style different from the others, the different artist is avant-garde and receives a point.
Because the artists are reclusive, the players can't communicate with each other. All they learn from one week to another is what style the other players used in the previous week. (They learn this when gallery manager passes them the latest gossip from the art world.)
What is the ideal strategy? Clearly, it's bad when all three paint in the same style. If the players could communicate, they could agree to take turns being avant-garde, so that one week A wins, the next week B wins, the next week C wins, and so on. Also, if they could communicate, A and B could conspire to shut out C by always using opposite styles. (If A and B always differ, C will always match one of them, and the other will win.) But since the players can't communicate except through their plays, how can they arrange to coordinate in twos or threes?
If somebody ran an iterated tournament of this game in the style of Axelrod's Prisoners' Dilemma challenge, what program would you submit? (Remember that your program would often be playing against instances of itself, without knowing it.)
Variation: what happens when the artists are so reclusive that they won't even speak to their gallery manager? In this variation, they only learn whether they won the last week or not (by checking for their check in the mail).
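A harness for the tournament the puzzle asks about, as an added example that is not part of Cohen and Mathewson's puzzle or of this post. It scores one week of the three-artist game, runs an Axelrod-style round robin over every triple of entrants (including a strategy against copies of itself, which the puzzle warns about), and the strategies that look only at `own_view` work unchanged in the "very reclusive" variation where an artist learns just whether the check arrived. The four strategies are illustrative assumptions, not answers to the puzzle.

```python
import random
from itertools import combinations_with_replacement

# Added example: a tournament harness for the three-artist game. The strategies are
# illustrative only; the puzzle's question of what to submit is left open.
STYLES = ("X", "Y")


def score(week):
    """Points for one week: the lone painter in a style scores 1; if all three chose
    the same style nobody scores. `week` is a tuple of three styles (A, B, C)."""
    if len(set(week)) == 1:
        return (0, 0, 0)
    return tuple(1 if week.count(s) == 1 else 0 for s in week)


def own_view(me, history):
    """What an artist learns in the reclusive variation: only (own style, won?) per week."""
    return [(week[me], score(week)[me] == 1) for week in history]


def other(style):
    return "Y" if style == "X" else "X"


# Strategies: (me, history, rng) -> style. `history` is the list of past weeks, each a
# tuple of all three styles, i.e. what the gallery manager's gossip would reveal.
def always_x(me, history, rng):
    return "X"


def coin(me, history, rng):
    return rng.choice(STYLES)


def lose_shift(me, history, rng):
    """Win-stay/lose-shift; reads only its own result, so it suits the variation too."""
    if not history:
        return "X"
    style, won = own_view(me, history[-1:])[0]
    return style if won else other(style)


def prob_shift(me, history, rng):
    """Win-stay; on a loss, switch with probability 1/2 so three copies don't stay in lockstep."""
    if not history:
        return rng.choice(STYLES)
    style, won = own_view(me, history[-1:])[0]
    return style if won or rng.random() < 0.5 else other(style)


def play(strategies, weeks, seed=0):
    """Play one table of three strategies for `weeks` weeks; returns points per seat."""
    rng = random.Random(seed)
    history, totals = [], [0, 0, 0]
    for _ in range(weeks):
        week = tuple(s(i, history, rng) for i, s in enumerate(strategies))
        for i, p in enumerate(score(week)):
            totals[i] += p
        history.append(week)
    return totals


def tournament(strategies, weeks=200, seed=0):
    """Round robin over every multiset of three entrants, self-play included;
    returns total points per strategy name."""
    points = {s.__name__: 0 for s in strategies}
    for table in combinations_with_replacement(strategies, 3):
        for s, p in zip(table, play(table, weeks, seed)):
            points[s.__name__] += p
    return points


if __name__ == "__main__":
    for name, pts in sorted(tournament([always_x, coin, lose_shift, prob_shift]).items(),
                            key=lambda kv: -kv[1]):
        print(f"{name:12s} {pts}")
```

Two things the harness makes visible without any arithmetic: a deterministic strategy against two copies of itself can never score (all three always paint the same style), and plain win-stay/lose-shift falls into exactly that trap, since three losers all switch together. Breaking the symmetry needs randomness or the kind of turn-taking the puzzle asks how to arrange.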
The painting is Picasso's Three Musicians.
...but we can't be right all the time.
Also, Nick Owen has some good analysis of the Ohio State comedy of errors in "Repurcussions of data loss at Ohio University." I'm hoping Chris will cover the N+1 Ohio State breaches, just as soon as they stop auto-incrementing.
What would be the Exxon Valdez of privacy? I’m not sure. I don’t think it will just be a loss of money — Scott explained why it won’t be many small losses, and it’s hard to imagine a large loss where the privacy harm doesn’t seem incidental. So it will have to be a leak of information so sensitive as to be life-shattering. I’m not sure exactly what that is.
("The Exxon Valdez of Privacy.") Privacy advocates have been waiting for this for a long time. It's important to remember that the Exxon Valdez followed Silent Spring by nearly 30 years. The environmental movement had time to evolve memes. Privacy still has many meanings. The parade of breaches or overflows hasn't done it, despite medical data, financial data, and just about anything you can imagine being leaked.
This past weekend, I was speaking to a vet friend, and he didn't care about the VA leak. He said that military SSNs are so public anyway, you'd drive yourself nuts worrying.
Part of the problem is that alternatives are hard. Consumers can't switch to hydro for their credit. (How's that for mixing a metaphor?) Background checks are being made a liability issue, despite the base rate fallacy and their general failure modes. Driver's licenses are being made machine readable.
We're not going to have a privacy Chernobyl.
...in the incident last September, somewhat similar to recent problems at the Veterans Affairs Department, senior officials were informed only two days ago, officials told a congressional hearing Friday. None of the victims was notified, they said.
...
"That's hogwash," Rep. Joe Barton, chairman of the Energy and Commerce Committee, told Brooks. "You report directly to the secretary. You meet with him or the deputy every day. ... You had a major breach of your own security and yet you didn't inform the secretary." (From Associated Press, "DOE computers hacked; info on 1,500 taken.")
It used to be that security breaches were closely held secrets. Thanks to new laws, that's no longer possible. We have some visibility into how bad the state of computer security is. We have some visibility into the consequences of those problems. For the first time, there's evidence that I can point to in order to explain why I tremble with fear at phrases like "we use industry-standard practices to protect data about you."
The new laws are not yet well understood. They're not well understood by computer security professionals. They're certainly not the basis for a set of case law that establishes the meaning of some key terms, like encryption. (I expect that juries will frown on using rot-13 to encrypt secrets, even if it might be within the letter of the law.) The only place where they're understood is by the public, who expects to hear when they're at risk.
The change in expectations will have exceptionally beneficial long term effects. We will get data that we can use to measure aspects of computer security. What a set of real attack vectors look like. (We may not learn about insiders or super-hackers.) With that data, we can focus our efforts on putting better security measures in place.
Requiring companies to own up to problems will drive them to ask their vendors for better software. They will ask the experts how to distinguish good software from bad. This may have the effects that some experts hope liability would bring about.
There will be a lot of short-term pain as we discover the shape of the new normal. The transition is well worth it.
The image is X Ray 4, by Chris Harve, on StockXpert.
Bookmark this post:
What makes me sadder, and makes you appear stupid, is that it was the print version. There weren't any ads. So your bad design only served to prevent me from reading your story. You didn't even make any money on it. If I could remember what web site it was, I'd give you a special link, helping you sell more ads, so you could hire a competent web developer.
Bookmark this post:
I have a proposal for all British and American faculty who care about global justice:

Siva Vaidhyanathan asks that we boycott him in "A Modest Proposal: Boycott me." I think it's the best response I've seen to the British boycott of Israeli academics. Please boycott me.
Bookmark this post:

Via Netsec blog. I'd love to know if this is a real billboard improvement, or a photoshop job?
Bookmark this post:
A merchant is going to feel some pain from the FTC. Visa and MC are going to look bad for not talking about who this merchant is.
Jun. 8--Federal officials cannot disclose what national merchant or merchants were involved in a recent debit card security breach that spurred at least two local banks to reissue customers' debit cards.

"FTC investigations are nonpublic with a narrow exception that would not be met in this case -- when a company itself discloses that it is the subject of an investigation," said Claudia Bourne Farrell, spokeswoman for the Federal Trade Commission in Washington, D.C.

In this case, the company has not disclosed it, she explained. (Source)
Sounds like Claudia Farrell of the FTC confirmed that there is an investigation of a merchant.
Instances such as this are the "really big and bad" breaches I referred to yesterday. When Congress closes this loophole, fur will fly.
Bookmark this post:
Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel — including nearly 80 percent of the active-duty force — were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as identity theft.

From the Washington Post, "Data theft hit 80 percent of active military," via Bob Sullivan, "Lost VA Data: Who's on The List," which includes useful what-happened bits:

Thanks to NBC's Pete Williams, we can offer a few more details about why the VA has been so vague. The data apparently was taken home by an employee on either DVDs or CDs. Some of those CDs or DVDs were copied to the employee's computer, but no one knows how many. In the best-case scenario, only some of the data was copied before the computer was stolen.

Active-duty personnel should be aware that there's an "active duty" alert they can put on their credit reports. For details, see "'Active Duty' Alerts Help Protect Military Personnel from Identity Theft" (Federal Trade Commission).
Bookmark this post:
Pop quiz time! What do you call a set of regulations that the government won't enforce?
HIPAA.
In the three years since Americans gained federal protection for their private medical information, the Bush administration has received [nearly 20,000] complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.

"Medical Privacy Law Nets No Fines." Dan Solove suggests a right of private action in "HIPAA's Lax Enforcement."
Photo by James Tran.
Bookmark this post:
Gartner's Avivah Litan says it's better to spend money on encryption than on cleaning up after a data breach, according to a news report on her recent testimony before the US Senate.
The problem?
Gartner's method in researching this claim, as best I can tell, relies on looking at a few high-profile cases. Sure, if they are representative of the actual breach population (about which we, and Gartner, know next to nothing) then encryption is cheaper than being hit with a breach. But, in deliberations over national policy the plural of "anecdote" is not "data".
But wait -- we also don't know the likelihood that you'll get hit with a breach. Gartner's report doesn't discuss this, but it does say a breach costs 15X more than encryption.
Cool. So, if you're risk-neutral, you should encrypt whenever the expected cost of a breach exceeds the cost of encryption; at 15X, that means whenever your chance of losing large amounts of personal information is better than one in fifteen. But how do you tell what your chance of being hit is?
I'd guesstimate that over the last two years or so, we have heard about maybe 300 breaches. At one in fifteen, that rate implies about 4,500 organizations handling personal information, and I dare say there are vastly more than that. We have more colleges and universities than that, for example.
So one of three things is true: breaches are grossly under-reported; or Gartner's case for encryption is no case at all, and a mountain is being made out of a molehill; or Gartner's estimate of breach cost is too low (for example, because it leaves out the loss in stock price).
My personal opinion:
Breaches are vastly underreported. Those we do not hear about are either "dog bites man" stuff, or really big and bad ones that, thanks to loopholes, need not be reported at all. The impact of a breach outside the "dog bites man" category, not counting the externality imposed on those whose info is revealed, is primarily reputational, and for publicly-traded firms it manifests itself as abnormally low returns.
Real research concerning these matters is being done. It'd be highly desirable for our legislators to hear about some of it.
[Additional observations on this topic were posted over at Security Curve, which prompted me to move this out of the Drafts folder and into the light of day.]
Bookmark this post:
Thanks, Rob!
Bookmark this post:
Apparently, they haven't yet learned that transparency is good. Related, "Royal Ahold Execs Fined After Conviction."
Bookmark this post:
Pete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What's the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories.
For example, we know of 800 ID thefts among the 167,000 ChoicePoint victims, all of which happened before notification. We don't know how many more of those people have been victimized, because no one is collecting data. The breach data we have is collected by three amateur volunteer efforts: ourselves here at Emergent Chaos, the Privacy Rights Clearinghouse's "Chronology of Data Breaches," and Attrition.org's Dataloss list. There are also regular reports through ISN and Dave Farber's Interesting People list.
While we're happy that there are amateur efforts, it's hard to measure the results. To the best of my knowledge, there is no central database of ID theft victims. There is no repository of who's gotten notices. And thus, no easy way to measure the real human impact of breaches, or see how much crime they enable.
"Dam Water" photo by Ed Hidden.
Bookmark this post:
Nick Szabo has a fascinating article on "Jurisdiction as property and peer-to-peer government." I'm not going to attempt to summarize it, but will simply quote the opening:
Modern civics and political science is often taught as an absurd dichotomy: that government is a "monopoly over the use of force" and that the absence of government is anarchy. Using this fallacious dialectic, many highly lawful societies, such as most of medieval Europe, and in particular medieval and renaissance England, were "anarchies." Even the United States is really an "anarchy": jurisdictions are divided up among federal, state, county, municipal and other entities, including shopping malls and mass transit authorities whose security guards can legally arrest probable criminals.

I have two quibbles. First, I think the term peer-to-peer is at best misleading: what he describes is a continuum of power relationships, some of which were between peers and others of which were not. Second, I think the devolution of franchise may be interesting in its own right. It's not only used for utilities and such, but also by businesses like McDonald's, which allow the franchisee certain rights over brand, symbols, and policies and processes owned by the franchisor, and also charge the franchisees a tax.
Bookmark this post:
"Well, hell, folks, no wonder you're leading the country in identity (or credentials) theft."
Bookmark this post:
Pete Lindstrom, who knows a good phrase when he reads one, puts forward the claim that the theft of veterans' SSNs doesn't put them at increased risk of fraud. His basic argument is that there are a lot of people out there with access to lots of SSNs, and monetizing an SSN takes effort.

He's right. Monetizing an SSN does take effort. But SSNs don't really expire. If the people who stole them know what they have, they have years in which to exploit the data. The best way to do that is to wait a year or two for the news to fade, the credit monitoring to go away, and the pickings to get easy.
If this were credit cards, we could just re-issue them. The lack of compartmentalization around SSNs which makes them convenient identifiers, also means they're hard to change.
I don't know why Pete thinks that entrepreneurial criminals won't rise to the challenge of monetizing a large fraction of a motherlode of ore. There are criminal syndicates who do this already. They'll scale. If they don't, other syndicates will show up who will scale.
I look forward to hearing from Pete or Mike Rothman, who wrote "there is no way the bad guys can get to all 26 million records." Next you'll be telling me that bad guys couldn't exploit hundreds of thousands of pwned home computers, because the management tools are too hard to create.
[Fixed headline. Thanks Pete.]
Bookmark this post:
There's a great story in Wired "Don't Try This at Home," about how our obsessions with terrorism and safety have destroyed the ability of our children to learn chemistry:
The chemophobia that’s put a damper on home science has also invaded America’s classrooms, where hands-on labs are being replaced by liability-proof teacher demonstrations with the explicit message Don’t try this at home. A guide for teachers of grades 7 through 12 issued by the American Chemical Society in 2001 makes the prospect of an hour in the lab seem fraught with peril: “Every chemical, without exception, is hazardous. Did you know that oxygen is poisonous if inhaled at a concentration a bit greater than its natural concentration in the air?” More than half of the suggested experiments in a multimedia package for schools called “You Be the Chemist,” created in 2004 by the Chemical Educational Foundation, are to be performed by the teacher alone, leaving students to blow up balloons (with safety goggles in place) or answer questions like “How many pretzels can you eat in a minute?”

A little bit of chaos and risk are worth it to preserve American science education. Photo via Eccentrix.com.
Bookmark this post:
Well, it's been a week since DaveG threatened to "run [undodb] on itself and cause a rift in the space-time continuum."
Has anyone heard from him since?
(Light cone image from Patricia Schwarz.)
Bookmark this post: