April 30, 2007

Quantum Cryptography Cracked!

(Posted by mordaxus)

Nature reports that, "Simulation proves it's possible to eavesdrop on super-secure encrypted messages." In summary, the attacker entangles another property of the photons with the one carrying the information (polarization), so that measuring the entangled property (momentum, say) reveals the bit. It isn't a real attack, only a simulation, but as they say, attacks don't get worse, they only get better.

Despite the fact that quantum cryptography is an extremely cool technology, the quantum crypto crowd has hyped it to the point of being snake oil salesfolks.

It's understandable why they get overenthusiastic. Let's suppose you have two buildings and you want a secure link between them. You can set up quantum crypto, or you could use something off-the-shelf, like IPsec. IPsec is cheap. A couple of VPN boxes costing about $50 each would do it. Or you could set it up yourself using open source. On the other hand, a quantum crypto box costs about $50,000. They have to justify why you'd spend three orders of magnitude more for the coolness.

In the past, their justification has included some non-entirely-unfair slams at mathematical cryptography (there is, for example, no proof that factoring is hard), but it's been followed up with claims that somehow quantum mechanics is better than math.

This ignores the fact that the math of quantum mechanics has had to dance around dividing by zero, and that is one of the least counter-intuitive things in it. If you believe in RSA, you have to believe factoring is hard. If you believe in quantum crypto, you have to believe that we understand quantum mechanics and that there's nothing else really weird in it. As near as we can tell, Einstein was wrong when he grumbled about God not playing dice. It's a stretch to think that God plays dice but doesn't make them come up snake eyes when someone's getting pompous.

Apparently, not only does God play with dice, but God has an evil sense of humor, is making faces, thumbing his nose, and snickering behind our backs. Me, I like it that way.

Posted by mordaxus on April 30, 2007 at 11:11 PM in Amusements, Security, information security.

A Market To Be Tapped

(Posted by adam)
I've often talked about how people will pay for privacy when they understand the threat. In that light, the New York Times article "Phone Taps in Italy Spur Rush Toward Encryption" is fascinating:
Drumming up business would seem to be an easy task for those who sell encrypted cellphones in Italy. All they have to do is browse the major newspapers for likely customers.

Piero Fassino, national secretary of the Democratic Left Party, could have benefited from an encrypted phone before comments he made regarding a sensitive bank takeover made the front pages.

Of course, selling phones one off misses the (ahem) fax effect, where the more people you can use your encryption with, the more valuable it becomes. Also, the phones are still pretty expensive:
The high-end package, which runs about $2,200 at both companies, includes a phone, which must be a model capable of using the encryption software.
Posted by adam on April 30, 2007 at 11:48 AM in Economics, breach analysis.

April 27, 2007

WOOT! Looks Exciting

(Posted by adam)
Via Nate, "WOOT = Usenix + Blackhat:"
The call for papers is now up for a new Usenix workshop, WOOT (Workshop On Offensive Technologies, but don’t think the name came before the acronym.) The workshop will be co-hosted with Usenix Security and will focus on new practical attacks.

I was recently saying that vulnerability research could use more Peer Review instead of the other kind of PR (i.e., vague news stories, user-scaring Month of X Bugs). So help the community out here by submitting quality papers, especially if you’ve never submitted one before. I think the goal of bridging the gap between slideware (e.g., Blackhat) and 15th generation theoretical overlay network designs (e.g. Usenix Security) is a great one.

I think this is great.

Posted by adam on April 27, 2007 at 12:27 PM in conferences.

April 26, 2007

Announcing...The Security Development Lifecycle Blog

(Posted by adam)
My team at work announced the launch of "The Security Development Lifecycle" blog today. After the intro post, Michael Howard leads off with "Lessons Learned from the Animated Cursor Security Bug."

I'm pretty excited. We're focused on transparency around what we're learning as we continue to develop the SDL.

Posted by adam on April 26, 2007 at 10:50 PM in New Blogs, Privacy, Security.

Security Through Stupidity

(Posted by mordaxus)

In my last post on security, I promised a tale, and I ought to deliver on that before it becomes nothing more than a good intention.

Some time ago, so long ago that it no longer matters, I bought a piece of network stereo equipment. It was one of these little boxes that lets you play MP3s, etc. through your stereo. I got it because it was a cute little system running Linux, had a MIPS processor, a web site for developers, extension and enhancement tools in Java, and so on.

I used it for a couple of months, and played with the Java-based remote control application for it and then decided to do some more serious work on it. I rolled my eyes that it only had telnet to get to it, but telnetted to it and was met with:

#

which I just stared at for a moment. It didn't even register for a good twenty or thirty seconds before I had the wit to type

ls
and was met with something akin to:

bin   dev  home  mnt  proc  tmp
boot  etc  lib   usr  sbin

and that didn't even register with me until I finally then typed

pwd
and was met with

/

and I made a loud two-word exclamation, of which the former was "oh" and the latter is left as an exercise for you, Gentle Reader, but there are two obvious candidates.

Yup, for the last couple of months, sitting bear-ass nekkid on the Internet was a Linux box with open telnet and a root shell. No username, no password, just a root shell. I said the other obvious candidate word. I also considered (again) getting a firewall. My network doesn't have a firewall. Part of it is that I like the road feel of the packets whizzing by. Part of it is that by the time I open up enough ports to do useful things, I'm just closing down the ones that don't have services on them anyway. Part of it is also that of the three times I've had serious security problems on my network, one of them was because my IDS box got rooted, and one was because the firewall got rooted. For me, adding a firewall adds complexity, and that lowers security. (That last time was when I was traveling with my SO who wanted to send me an email from an utterly ancient netnews program that knows nothing of SMTP-AUTH. Never reconfigure your email infrastructure from five thousand miles away while jetlagged. A couple of days later, you will ask yourself, "I wonder why the SMTP server logs have gotten so big." Fortunately for me, I caught it before the blacklists did.)

I yanked the music box off the network and connected to it directly (one cable, just it and me). Looking through the thing, I didn't see any sign that anyone was using it for anything. I checked the IDS logs and there was nothing that leapt out at me as suspicious traffic. That seemed odd, because how could it not have been owned? I thought about it for a bit, and thought about it more as I reflashed the critter. Then I laughed, because I realized that the tools that probe for vulnerable boxes are not going to be looking for #. It was then too late to tell, but I allowed myself to think that maybe the box hadn't been compromised, as the evidence suggested.

With the machine rebuilt, I connected to it directly with telnet and started probing around for a way to set a password (like /etc/passwd). There was none. There was no SSH, either. I fulminated on the developer fora about this security stupidity. I found the instructions on how to build the right cross-compiled Linux setup to build binaries for it, and it was full of warnings about how to make sure you did this, set that compiler switch, and if you didn't, things wouldn't work, and you'd get to reflash the box.

This wasn't how I was wanting to spend my Saturday, so I turned the box off, and went to do something else. As I did, I thought about the situation. I became increasingly amused that (apparently) the box hadn't been compromised. I convinced myself that this is because the bad guys wouldn't recognize the box as vulnerable.

As I grumbled and thought more about how to lock down the box, something occurred to me -- anyone who wants to own the box has to go to the same trouble to make it a productive member of their botnet community as I do to do the opposite, but they're at a disadvantage because they also have to protect it from me. Since it's easier to find some unpatched Windows box than it is to set up a MIPS cross-compile sandbox, even if they can tell that it has an open root shell, it's not economically viable. Think of it as Mutual Assured Annoyance, Economic-Based Intrusion Prevention, Security Through Stupidity, or proof of the old adage, "In the land of the blind lion, the one-eyed zebra doesn't have to run very fast."
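A check for exactly the condition in the story, written for this page as an added example (it is not code from the post or from the device's vendor): it connects to a telnet port, sends a newline and `id`, strips the telnet option negotiation out of the reply, and reports whether it saw a login prompt, a shell with no login, or a root shell with no login. The `uid=0(` match is decisive; the bare `#` line is the fallback, since a bare `#` is all the box ever showed and is what the vulnerability scanners of the story were not looking for. The default address 192.168.1.50 and the prompt strings are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum shell_state {
    TELNET_UNKNOWN = -1,    /* nothing we recognise */
    TELNET_LOGIN = 0,       /* normal: a login/password prompt */
    TELNET_SHELL = 1,       /* shell with no login, not root */
    TELNET_ROOT_SHELL = 2   /* root shell with no login: the music box */
};

/* Copy raw telnet bytes to `out` with option negotiation removed: IAC IAC
 * (an escaped 0xFF), IAC SB ... IAC SE, and the three-byte IAC DO/DONT/WILL/
 * WONT <opt> forms, which is all a login banner actually sends. */
size_t strip_iac(const unsigned char *raw, size_t n, char *out, size_t outsz)
{
    size_t i = 0, o = 0;
    while (i < n && o + 1 < outsz) {
        if (raw[i] != 0xFF) { out[o++] = (char)raw[i++]; continue; }
        if (i + 1 < n && raw[i + 1] == 0xFF) { out[o++] = (char)0xFF; i += 2; continue; }
        if (i + 1 < n && raw[i + 1] == 0xFA) {                 /* subnegotiation */
            i += 2;
            while (i + 1 < n && !(raw[i] == 0xFF && raw[i + 1] == 0xF0)) i++;
            i += 2;
        } else {
            i += 3;                                             /* IAC <cmd> <opt> */
        }
    }
    out[o] = '\0';
    return o;
}

/* Classify everything the far end sent after our "\r\nid\r\n". */
enum shell_state classify_response(const unsigned char *raw, size_t n)
{
    char text[4096];
    strip_iac(raw, n, text, sizeof text);

    if (strstr(text, "login:") || strstr(text, "Login:") || strstr(text, "assword:"))
        return TELNET_LOGIN;
    if (strstr(text, "uid=0("))           /* `id` ran, and ran as root */
        return TELNET_ROOT_SHELL;
    if (strstr(text, "uid="))
        return TELNET_SHELL;

    /* No `id` output: fall back to looking for a bare "#" or "$" prompt line. */
    enum shell_state st = TELNET_UNKNOWN;
    for (char *line = strtok(text, "\r\n"); line; line = strtok(NULL, "\r\n")) {
        while (*line == ' ') line++;
        size_t len = strlen(line);
        while (len && line[len - 1] == ' ') line[--len] = '\0';
        if (strcmp(line, "#") == 0) st = TELNET_ROOT_SHELL;
        else if (strcmp(line, "$") == 0) st = TELNET_SHELL;
    }
    return st;
}

/* Connect to an IPv4 address, send a newline plus `id`, read until the far
 * end goes quiet for 3 seconds, and classify what came back. */
enum shell_state probe_telnet(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return TELNET_UNKNOWN;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return TELNET_UNKNOWN;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); return TELNET_UNKNOWN; }

    struct timeval tv = { 3, 0 };
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    send(fd, "\r\nid\r\n", 6, 0);

    unsigned char buf[4096];
    size_t n = 0;
    ssize_t r;
    while (n < sizeof buf && (r = recv(fd, buf + n, sizeof buf - n, 0)) > 0)
        n += (size_t)r;
    close(fd);
    return classify_response(buf, n);
}

int main(int argc, char **argv)
{
    const char *ip = argc > 1 ? argv[1] : "192.168.1.50";   /* assumed address of the box */
    unsigned short port = (unsigned short)(argc > 2 ? atoi(argv[2]) : 23);
    static const char *names[] = { "login prompt", "shell, no login, not root", "ROOT SHELL, no login" };
    enum shell_state st = probe_telnet(ip, port);
    printf("%s:%u: %s\n", ip, port, st == TELNET_UNKNOWN ? "nothing recognisable" : names[st]);
    return st == TELNET_ROOT_SHELL ? 2 : 0;
}
```

Run it against one address at a time (`./probe 192.168.1.50 23`); exit status 2 means the box dropped you straight into a root shell. A generic banner grabber that only pattern-matches on "login:" reports nothing at all for that case, which is the point of the story.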

A couple of weeks later, I solved the whole problem when a new product was introduced that did exactly what I wanted (to be able to play music on my laptop on my stereo) at half the price and no icky telnet. The poor little music box now sits face-down, forlorn, and dust-covered on a shelf.

Posted by mordaxus on April 26, 2007 at 7:35 PM in SysAdmin, breaches, information security.

April 25, 2007

Gartner Discovers Offshoring

(Posted by mordaxus)

According to CIO Forum, Gartner has discovered some amazing things. There's offshoring to India, and it's growing at a "staggering" 16% per year. And lots of manufacturing is being done in China now. And the US better wake up ASAP because it is "in imminent danger of becoming an industry of failure."

This is a wake-up call. Unfortunately, it's a wake-up call coming at tea-time. Apparently, Gartner doesn't get the phone calls and emails from offshoring companies I do -- about four cold-calls and a half-dozen emails per week. They also stagger easier than I do. Sixteen percent is very good. It is not staggering.

I expect that in the 2010 Gartner Expo, they may tell us that a number of people are "onshoring" to places like Nebraska and Utah. They may talk about the problems that everyone, including Infosys (which grew last year at the -- uh, what's twice staggering? -- rate of 31%), has finding good people to hire, particularly ones with acceptable social skills. (Hint to offshoring companies -- my voicemail has in it, "in an emergency call my mobile." Setting up a meeting to explore my future needs is not an emergency. I take great pleasure in giving my business to your competitors.) They could find out all these things by learning about "search engines." I hear there's going to be a big IPO in that space soon.

Posted by mordaxus on April 25, 2007 at 4:18 PM in Amusements.

One Third of McAfee Survey Respondents Are Not Paying Attention

(Posted by adam)
So reports Sharon Gaudin in Information Week. Actually, I think she picked up the story as McAfee spun it: "Companies Say Security Breach Could Destroy Their Business:"
One-third of companies said in a recent poll that a major security breach could put their company out of business, according to a report from McAfee.

The security company unveiled a study Tuesday showing that 33% of respondents said they believe a major data-loss incident involving accidental or malicious distribution of confidential data could put them out of business. The study, called Datagate, is based on a survey of more than 1,400 IT professionals at companies with at least 250 employees in the United States, the United Kingdom, France, Germany, and Australia.

The number of companies that have gone under because of a breach is statistically indistinguishable from zero. That's the case if you express it as a percentage of companies breached, or as a percentage of companies going out of business. McAfee should do better than spread this sort of FUD, especially when we can measure what's really happening.

If you're a customer, you should call your McAfee salesperson, and ask for examples, and ask why they're spreading this FUD.

Posted by adam on April 25, 2007 at 12:14 PM in Economics, breach analysis.

Save Chocolate

(Posted by mordaxus)
"Don't Mess With Our Chocolate," says Guittard (DontMessWithOurChocolate.com).

Summary: the FDA is considering changing the definitions of "chocolate" and "chocolate flavored" and "chocolaty" so that they don't have to put as much cocoa solids in it to make it be "chocolate."

The FDA is soliciting comments, and the cutoff is April 25, so that's not much time. It's uh, like today.

Speaking for the President of the United States, we suggest commenting in favor of the change. There's nothing like the government empowering companies to engage in fair and deceptive trade practices. That also means more 70% to 80% Scharffen Berger, Valrhona, etc. for us.

The nice people at Guittard have links to a web page at the FDA that you can use to comment. Do it now! I have.

Update: The FDA has extended the comment period by a month. Do it today anyway.

Posted by mordaxus on April 25, 2007 at 1:25 AM in Economics.

April 24, 2007

When Do Customers Flee?

(Posted by adam)
So I've long thought that consumers treat breaches as mistakes, and generally don't care. In reading the Ponemon reports, it seems that the average customer churn is 2%. (I'll come back to that number.) But it gets worse when you have repeated breaches.

In the CSO blog post "What, When and How to Respond to a Data Breach," we read a story of a third breach hitting the same customers:

"The worst thing is to have additional breaches, or to assume that additional ones will have the same impact as the first," Ponemon warned. "One bank that we studied had a 2 percent customer churn [loss] rate in the first six months after a breach. Then there was a second breach, with some overlap with the victims of the first breach. The churn was 30 percent in the overlap population. Then about 2,000 people who were involved in those two breaches were involved in a third breach, and rate of churn among those 2,000 was nearly 100 percent."
Makes sense that they leave, but would the bank have deleted their personal information after the breach? Law enforcement won't let them. Banks are required to demand, and keep, all sorts of information about you. And neither banks nor law enforcement pays the price. Expect breaches to continue for as long as the rational risk tradeoffs a bank makes include a threat of being shut down for not collecting that data.

Some other thoughts on that customer churn number. Looking at the chart in Ponemon's 2006 study, there are only 3 breaches where it's above 5%, and one more where it's above 4%. There's no statement of what average means (or medians...). There's no comparison for customer loss rates in equivalent firms not reporting breaches. There's no statement of the baseline levels, or of the variance. It's marked in the graph as "abnormal churn" but we don't know how that's defined. Is that an extra 2% on top of 1%, or is it an extra 2% of the normal 1%?

I'd link to the study, but you have to register with PGP to get a copy. Register and download here.

Posted by adam on April 24, 2007 at 11:12 AM in breach analysis.

April 23, 2007

Why I love the Internet

(Posted by cwalsh)

Emergent Chaos, indeed.

Posted by cwalsh on April 23, 2007 at 3:37 PM in Amusements.

Disclosure, Discretion and Statistics

(Posted by adam)
One of the very interesting things about mandatory disclosure of breaches is that it adds a layer of legitimacy to the data. If all we have are self-selected reporters, we must investigate what bias that adds. This makes the FBI-CSI report and many others even less useful. New laws that require disclosure give us not only more data, but better data.

Unfortunately, some of the laws that are out there add a degree of human decision-making to the process. They assert that disclosure is only required if there's a "reasonable belief" that the data might be misused. This is an odd loophole. As Philip Alexander writes in "Data Breach Notification Laws: A State-by-State Perspective:"

Kansas, Colorado and Delaware are among 18 states that have provisions exempting companies from disclosure if, upon investigation, it is believed that the stolen data will likely not be misused. I would caution companies from relying too heavily on such a provision. For one thing, there is a clear conflict of interest for a company to conduct its own investigation to determine if the data stolen as a result of a security breach is likely to be misused or not. In addition, how can anybody know the hacker's intent? The risk, then, is the negative public perception if it gets out that your company had a data breach and unilaterally decided that the data wasn't likely to be misused.
So not only is this provision poor shelter, but it corrupts the data, by restoring sampling bias. Lawmakers should understand that there are policy goals here beyond the individual breach, and not re-introduce biases.

Posted by adam on April 23, 2007 at 10:30 AM in breach analysis.

April 22, 2007

Buy Gas, Get Busted for Pedophilia?

(Posted by adam)
The BBC reports "Motorists hit by card clone scam:"
Thousands of motorists who use a bank card to buy petrol are thought to have lost millions of pounds in an international criminal operation. It is believed cards are being skimmed at petrol stations, where the card details and pin numbers are retrieved and money withdrawn from the account.

About 200 of the UK's 9,500 petrol stations are thought to have been hit.

That's impressive if the thieves have gone to the stations one by one, less so if they cracked a central billing computer. Hard to tell, because the U.K. doesn't (yet) require breach notification.

As to the effects of credit card theft, which I said were low, Ross Anderson has an article at Light Blue Touchpaper, "Extreme Online Risks:"

An article in the Guardian, and a more detailed story in PC Pro, give the background to Operation Ore. In this operation, hundreds (and possibly thousands) of innocent men were raided by the police on suspicion of downloading child pornography, when in fact they had simply been victims of credit card fraud. The police appear to have completely misunderstood the forensic evidence; once the light began to dawn, it seems that they closed ranks and covered up.
See Ross's story for links and more details.

What I'd like to know is, are all those cameras helping reduce crime over in the UK?

Posted by adam on April 22, 2007 at 3:36 PM in ID Theft, Liberty, background checks.

April 21, 2007

On Liquid Explosives

(Posted by adam)
Wired's Danger Room blog has an interesting quote from the inventor of a liquid explosive in "'Liquid Landmine,' Qaeda Tool?:"
My advice would be to stick with PETN [a high explosive] and rattlesnakes.
Posted by adam on April 21, 2007 at 5:14 PM in Air Travel.

"What security people won't share with each other"

(Posted by adam)
Scott Blake has a really interesting 3-part podcast interview with Mike Murray. See Mike's post, "it never ceases to amaze me what security people won't share with each other," and go understand why you should give Scott a demerit.

(I'd meant to post this months ago, when Scott did the interview. Oops!)

Posted by adam on April 21, 2007 at 1:07 PM in breach analysis, information security.

April 20, 2007

Users force Dell to resurrect XP

(Posted by mordaxus)
The Beeb reports. This means that if you want to start speculating in copies of XP, you probably have even longer to wait.
Posted by mordaxus on April 20, 2007 at 3:28 PM in Amusements, Economics.

Weak Crypto Contest

(Posted by mordaxus)

The 2007 Underhanded C Contest has a marvelous theme -- weak crypto.

The object of this year’s contest: write a short, simple C program that encrypts/decrypts a file, given a password on the command line. Don’t implement your own cipher, but use a bog-standard strong cipher from a widely available library.

[...]

Your challenge: write the code so that some small fraction of the time (between 1% and 0.01% of files, on average) the encrypted file is weak and can be cracked by an adversary without the password. The poorly encrypted file must still decrypt properly by your own software.

Other great comments:

Short programs are innocent, and more impressive. If your source file is over 200 lines, you are not likely to win. You can hide a semi truck in 300 lines of C.

[...]

Of course, there are other factors: we award points for humor value and irony. I have always been impressed with the winner of the 2004 Obfuscated V contest, who concealed an error in a vote-counting program by adding a voter-verifiable paper trail function that overflowed a buffer. That’s evil with style.

What a great idea.
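An added example of the shape of bug the contest asks for, written for this page rather than taken from the contest or any entry: the weakness sits in the password-to-key step that would feed the "bog-standard" cipher, which is left out so the code builds with no library. The XOR mixing is a stand-in for a real KDF, the 16-byte per-file nonce is an assumption, and splitmix64 stands in for the OS random source only so that the rate of weak files can be measured reproducibly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* Underhanded: the nonce is random bytes, but the loop condition treats it as
 * a C string. A 0x00 byte anywhere in it ends derivation early and the rest
 * of the key stays zero. When the FIRST byte is 0x00 (1 file in 256, about
 * 0.39%, inside the contest's 1% to 0.01% window) the whole key is zero and
 * the file decrypts without any password. The decryptor runs the same code,
 * so those files still round-trip, as the rules require. */
void derive_key_underhanded(const char *pw, const unsigned char nonce[KEY_LEN],
                            unsigned char key[KEY_LEN])
{
    size_t pwlen = strlen(pw), i;
    memset(key, 0, KEY_LEN);
    for (i = 0; i < KEY_LEN && nonce[i] != '\0'; i++)   /* reads like bounds hygiene */
        key[i] = (unsigned char)pw[i % pwlen] ^ nonce[i];
}

/* Fixed: binary data has no terminator; every key byte is always set. */
void derive_key_fixed(const char *pw, const unsigned char nonce[KEY_LEN],
                      unsigned char key[KEY_LEN])
{
    size_t pwlen = strlen(pw), i;
    for (i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)pw[i % pwlen] ^ nonce[i];
}

int key_is_all_zero(const unsigned char key[KEY_LEN])
{
    unsigned char acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= key[i];
    return acc == 0;
}

/* splitmix64: deterministic stand-in for the OS RNG, used only so the
 * measurement below is reproducible. Never use this for real nonces. */
static uint64_t splitmix64(uint64_t *state)
{
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* The reviewer's check: "encrypt" `trials` files with fresh nonces and report
 * the fraction whose key came out all-zero under the underhanded derivation.
 * Expect roughly 1/256. */
double weak_fraction(const char *pw, unsigned trials)
{
    uint64_t rng = 0x1234567ULL;
    unsigned weak = 0;
    unsigned char nonce[KEY_LEN], key[KEY_LEN];
    for (unsigned t = 0; t < trials; t++) {
        for (size_t i = 0; i < KEY_LEN; i += 8) {
            uint64_t w = splitmix64(&rng);
            memcpy(nonce + i, &w, 8);
        }
        derive_key_underhanded(pw, nonce, key);
        weak += key_is_all_zero(key);
    }
    return (double)weak / trials;
}

int main(void)
{
    printf("all-zero keys: %.4f%% of files\n", 100.0 * weak_fraction("hunter2", 1u << 20));
    return 0;
}
```

Nothing on the happy path reveals the bug: for a nonce with no zero byte the two derivations produce identical keys, and a test suite that round-trips a handful of files passes. A zero byte later in the nonce is the quieter version of the same flaw, leaving only the leading key bytes for an attacker to brute-force. The only way to catch it is the kind of measurement `weak_fraction` does, or a reviewer who refuses to accept a `!= '\0'` test on anything that is not a string.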

Posted by mordaxus on April 20, 2007 at 5:17 AM in Disaster Preparedness, NSA Wiretaps, Software Engineering.

April 19, 2007

Credentica White Paper & Presentation

(Posted by adam)
The title of Stefan Brands' blog post, "New Credentica white paper and other materials," pretty much says it all. If you think about identity management, you should go check these out.
Our white paper discusses all of the features of the U-Prove SDK without going into technical detail. The basic features are: transient ID Tokens; long-lived ID Tokens; protection against forgery, modification, eavesdropping, and phishing; universally unique token identifiers; encoding of token attribute information; user-authenticated presentation transcripts; digital signing with ID Tokens; and, user-driven and verifier-driven revocation. The advanced features include: untraceability; unlinkability; hiding attribute information from verifiers; removing attribute information from presentation transcripts; hiding attribute information from issuers; protecting against transferring and discarding of ID Tokens (software-only); issuer-driven revocation; limiting reuse of ID Tokens; and a range of device-based security measures that can protect against any imaginable unauthorized actions with ID Tokens (without contravening their privacy properties). The white paper also explains how to use the U-Prove SDK to protect identity-related assertions in frameworks such as SAML, Liberty ID-WSF, and Windows CardSpace.
Posted by adam on April 19, 2007 at 9:08 PM in ID Management.

Frontiers of Data Disclosure

(Posted by mordaxus)
Howard Schmidt made a glib suggestion that made me laugh, but he has a point. He asked why don't we just take names, social security numbers, and everyone's mother's maiden name and put it in a huge searchable database, so everyone knows that it's not security information and we can once and for all stop using SSNs for anything. I'm still chuckling over it, but you know -- it's not a bad idea.
Posted by mordaxus on April 19, 2007 at 11:28 AM in breach analysis.

April 18, 2007

More on Crappy Credit Reports

(Posted by adam)
In October, 2006, I commented on the story of a man in Arcata, California whose credit report bizarrely includes a claim that he's the son of Saddam Hussein. ("The Crap in Credit Reports") Now, via Educated Guesswork, "If OBL can buy a used car, the terrorists have won," we learn of a fellow who can't buy a car in northern California:
Tom Kubbany is neither a terrorist nor a drug trafficker, has average credit and has owned homes in the past, so the Northern California mental-health worker was baffled when his mortgage broker said lenders were not interested in him. Reviewing his loan file, he discovered something shocking. At the top of his credit report was an OFAC alert provided by credit bureau TransUnion that showed that his middle name, Hassan, is an alias for Ali Saddam Hussein, purportedly a "son of Saddam Hussein."
Sounds like the same guy, unable to solve his problem. From Free Internet Press, "Private Businesses Flag Ordinary Customers As Terrorists." Different first and last names. Different years and days of birth. Different countries of birth. Should TransUnion be held accountable for inserting that OFAC alert? When?

Posted by adam on April 18, 2007 at 12:19 PM in background checks.

April 17, 2007

Month of Owned Corporations

(Posted by adam)
Richard Bejtlich points to a very dangerous trend in his TaoSecurity blog, the "Month of Owned Corporations":
Thanks to Gadi Evron for pointing me towards the 30 Days of Bots project happening at Support Intelligence. SI monitors various data sources to identify systems conducting attacks and other malicious activity. Last fall they introduced their Digest of Abuse (DOA) report which lists autonomous system numbers of networks hosting those systems.

SI published the latest DOA report Monday and they are now using that data to illustrate individual companies hosting compromised systems. They started with 3M, then moved to Thomson Financial, AIG, and now Aflac. For these examples SI cites corporate machines sending spam, among other activities. Brian Krebs reported on other companies exhibiting the same behavior based on his conversations with SI.

He irresponsibly spreads... Oh, heck. I can't do it. This is great stuff. Let's actually look at what networks are spreading junk. I like this as a start, and the weekly Digest of Abuse claims to look at:

We analyzed over 22,000 ASNs for every kind of eCrime including DDoS, Scanning, hosting Malware, sending Spam, hosting a phish, or transmitting viruses.
Hmmm, so while I'm glad that they're collecting and sharing data, what does it mean to be scanning? How do they define "hosting malware?" I really like the idea, and would suggest that Support Intelligence share more about what their data gathering methods look like, how they define each term, and how many of the incidents they see are of each type. (I've looked in their FAQ, how it works page, and product tour.)

Photo: The Exxon Valdez, courtesy of the Alaska Fisheries Science Center. Why? Because talking about breaches helps get them noticed and cleaned up.

Posted by adam on April 17, 2007 at 12:26 PM in breach analysis, information security.

Micropayments Company Bought or is that Sold?

(Posted by mordaxus)

Micropayments company Peppercoin, started with technology by Rivest and Shamir, has been bought by Chockstone, a company doing loyalty programs. Supposedly, they bought Peppercoin because it will "increase consumer 'stickiness' and brand affinity" and "increase average ticket price more than 12%." Okay.... I thought that the reason for bearer-level micropayments was the opposite. Right here on the label that the payment-punks have been pushing, it says that you get increased market efficiencies, lower costs, and liberty for the end user. We'll have to see how this one turns out. I suppose if this lets you buy books with airline miles, or something like that, you could get both.

Posted by mordaxus on April 17, 2007 at 12:13 PM in Economics.

April 16, 2007

Psychology & Security & Breaches (Oh My!?)

(Posted by adam)
I've been talking about disclosure, and how it has the potential to change the way we work. Before it does that, it needs to change the way we think. Change is hard. There's a decent argument that many things are the way they are because they've emerged that way. There existed a froth of competing ideas or ways of doing things, and the best one(s) won. Some may have hitched themselves to a winning idea. They may be bad ideas. But on both a design and a psychological level, change is hard.

On the design side, there are arguments that I haven't heard. Some of which may be good. Someone may think that our situation isn't really so bad, and so we don't need change. I think that they are wrong, but I have to overcome that argument. I'll set aside the origin of our situation and the argument from conservativeness, and turn to the psychological.

At a human level, change involves loss and the new. When we lose something, we go through a process, which often includes shock, anger, denial, bargaining and acceptance. The new often involves questions of trying to understand it, understanding how we fit into it, whether our skills and habits will adapt well or poorly, and whether we will profit or lose from it.

These are the sorts of issues which confront managers as a company goes through changes, and they are difficult and challenging. Companies change because the market changes when new competitors or new products emerge, or old ones go away. Oftentimes, it is easier to ignore these changes and keep doing what you have been doing, rather than to change.

Many American companies chose to react this way. They created a rust belt.

The world in which we worked as security professionals has gone through upheavals in the past. Things changed when UIUC released the Mosaic web browser, things changed when Aleph1 released 'Smashing the Stack for Fun and Profit,' and things changed when Canter and Siegel sent their email. Things will change again.

Preventing the effective flow of information is one way to avoid change. If we can claim everything is the same as it has been, or if we can sweep things under the rug, we can keep doing what we've been doing. We can avoid change because change is hard, and the consequences are long term. We're supposed to be good at thinking about such things here in security.

Sometimes, in security, when we talk about psychology, it's interpreted as an attack. This is not intended as an attack on anyone. I'm trying to draw out all of the reasons why people are opposed to change in disclosure habits, so we can overcome them.

Sometimes true things are uncomfortable. Sometimes going to the dentist is uncomfortable. Being in denial about the state of things is often worse.

Posted by adam on April 16, 2007 at 11:00 AM in breach analysis.

April 15, 2007

Bejtlich gets it: It's about empiricism

(Posted by adam)
When he mentioned my post he cited a new paper titled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006 by Phil Howard and Kris Erickson. Adam highlighted this excerpt

60 percent of the incidents involved organizational mismanagement

as a way to question my assertion that insiders account for fewer intrusions than outsiders.

At the outset let me repeat how my favorite Kennedy School of Government professor, Phil Zelikow, would address this issue. He would say, "That's an empirical question." Exactly -- if we had the right data we could know if insiders or outsiders cause more intrusions. I would argue that projects like the Month of 0wned Corporations give plenty of data supporting my external hypothesis, but let's take a look at what the Howard/Erickson paper actually says.

I think Richard's analysis ("Exaggerated Insider Threats") is spot on, and I admit to slightly twisting Howard and Erickson's words a little to make a point. Security is all about the empirical questions. Answering them involves having data, having collection methodologies, and having conversations and debates about their validity. As I say in the PDF version of the talk:
We can use data to answer questions, like what fraction of incidents are caused by insiders? This has long been contentious, but if we can agree on what an incident is, what an insider is, and what cause is, we can learn something.
One question for Richard. You write:
In brief, this report defends the insider threat hypothesis only in name, and really only when you cloak it in "organizational ineptitude" rather than dedicated insiders out to do the company intentional harm.
Why should I care about motives? Shouldn't I be first focused on the insider/outsider question, then on the methodology, and only then on the motives?

Posted by adam on April 15, 2007 at 4:35 PM in breach analysis.

April 14, 2007

Bad Advice on Tax Shelter Patents

(Posted by mordaxus)

Techdirt carries marvelous coverage of the increasing devolution of our intellectual property system. However, there is some bad advice in "Be Careful Not To Use Any Patented Tax Shelters This Tax Season."

The bad advice is in the last sentence:

So as we get to tax day, besides going over all your tax forms and deductions carefully, you may need to spend an extra day poring over patents to make sure you're not infringing.

This is bad advice because of the way that intellectual property, especially patents, work. It is the responsibility of the intellectual property holder to police their property. In other words, it's not up to me to see what patents I might be infringing, it's the patent holder's job.

There are lots of good reasons for this, including that it's hard to know exactly what infringes and what doesn't, especially as patents get more complex and ubiquitous. Many patent holders aren't vigorous in their enforcement. I recommend that in most cases, it's best to use patents defensively, rather than offensively. If I am using a patent defensively, that means I don't really care if you're infringing, as long as you're not trying to get me to pay you for your patents. (And in such a case, the more infringers, the better.) So if you patent breathing oxygen, I pull out my patent on picking one's nose and say, "Let's cross-license!"

That's just the start however. Patent law has a provision in it that there are triple damages for knowing infringement. Consequently, if you are in a situation where you might stumble over some stupid patent or other, don't check to see if you might be infringing. If you don't know you're infringing, you might be surprised and have to pay some royalties. If you know you're infringing, you'll have to pay triple damages. We technologists have been lectured by our attorneys about this issue. You may think it stupid, but ignorance is a defense in intellectual property.

As a practical matter here, if you have taken some deduction that might be patented, it's up to the patent holder to find you and shake you down. Given that tax records are considered private, that puts them at a disadvantage. If you know you're infringing, you could get triple damages. The patent holder will probably be shaking down accountants, makers of tax preparation software, and others. They aren't going to be shaking you down, and even if they do, a reasonable royalty on a license would be about 1%. That's another reason they will go after the other folks.

So as stupid as tax deduction patents are, and as much as I agree with Techdirt on the rest of the article, trust me, it's better for you to never read a patent than to read lots of them.

Photo "TaxMan" courtesy of pixieclipx.

Posted by mordaxus on April 14, 2007 at 5:18 PM.

How Long To Be Identified?

(Posted by adam)
Today I spent nine (9) (no, that’s not a typo) hours in line to apply for a passport.

What happened was, since the U.S. changed the rules to say everyone’s gotta have a passport, a lot of Americans and Canadians who were used to going back and forth between the countries suddenly needed passports, and the systems are buckling under the strain. (Hmm... I wonder if Mexico’s is as well?)

My passport’s good till July, but I’m traveling a whole bunch and don’t have much time here in Vancouver. Last Monday, April 3rd, was the start of two no-international-travel weeks. I’d heard about the line-ups but had no idea, so I went down there after lunch and got in front of a human being by 3:30. She sent me away because I was applying for an expedited passport but hadn’t brought documents to prove I was traveling. When I told people this story they were astounded, saying the only way to be sure of getting in on any given day was to be waiting at 6AM when the building doors opened.

So writes Tim Bray in "Passport Hell." I figure that if a day's time is worth $100, and every Canadian needs to get a passport to enter the US, this will cost the 30 million people of Canada $3 billion. That's ignoring the roughly $100 cost of each passport (total, $6 billion), and the $100 is just about minimum wage for a day. Still, it seems an awful lot to pay to make Canadians all have more bits of identification.

The photo is of Japanese Americans waiting in line, courtesy of the US government. It's from "Camp Harmony" exhibit at UW Libraries.

[Update: clarified writing around estimates.]

[Update 2: Yoshi, in comments, calls my use of the original photo here insensitive and offensive. See the comments for my thinking, and I've moved the photo out of the post so as not to be offensive. Apologies to those who were offended.]

Posted by adam on April 14, 2007 at 1:45 PM in National ID.

April 13, 2007

Investment Opportunity of the Year

(Posted by mordaxus)

El Reg reports that Microsoft claims to be sticking to its timetable for shutting down XP.

No fewer than three people told me yesterday, "This means I have to buy that Mac Book Pro this year." They can't be alone. I have several co-workers running Vista on laptops, and even without the overhead of a VM, it's slow.

Thus, an investing opportunity presents itself -- buy a number of copies of XP this year, and then resell them at a profit. There are, of course, many risks in this strategy too obvious to name, but hey, money is risk.

If during the holiday shopping season, you see a run on copies of XP, take note.

Posted by mordaxus on April 13, 2007 at 2:29 PM in Economics, Microsoft, Usability.

Your Bribe, Should You Choose to Accept It

(Posted by adam)
In the secret language of corruption in India, an official expecting a bribe will ask for Mahatma Gandhi to “smile” at him. The revered leader of the independence movement is on all denominations of rupee notes.


With rampant dishonesty ingrained in the bureaucratic culture, an anticorruption group has decided to interpret the euphemism literally by issuing a zero-rupee note.

From the Times Online, "Can this note stamp out corruption in a land where it’s the norm?" Image from India Watch. I forget who sent me the link, sorry!

Posted by adam on April 13, 2007 at 12:17 AM in Amusements.

April 12, 2007

From The "Wish I'd Posted That" Files

(Posted by arthur)

Gunnar (as usual) has a great post highlighting the lack of a real cohesive strategy in the security products arena and IT security teams losing sight of the big picture. In particular, he highlights a comment from Andrew van der Stock about using SMS as an out of band authentication mechanism. Man I wish I'd thought of that...

Posted by arthur on April 12, 2007 at 12:28 PM in information security.

On Credit Cards and Being Behind

(Posted by adam)
Just a quick note--you've convinced me that my thoughts on credit cards were wrong. ("The Cost of Disclosures, and a Proposal.") Iang, rG0d and Nick are right. I should have remembered that disclosure is a moral imperative.

I've also enjoyed the debate with Ken Belva, and will have one final closing post to respond to his challenge as soon as work lets up and I can get my thoughts in order.

Posted by adam on April 12, 2007 at 12:05 PM in breach analysis.

So it goes

(Posted by cwalsh)

Kurt Vonnegut, dead at 84.

Posted by cwalsh on April 12, 2007 at 9:01 AM in Current Events.

April 11, 2007

New Hampshire joins the club

(Posted by cwalsh)

The Granite State requires that security breaches involving PII be reported to the Attorney General:

Any person engaged in trade or commerce that is subject to RSA 358-A:3, I shall also notify the regulator which has primary regulatory authority over such trade or commerce. All other persons shall notify the New Hampshire attorney general's office. The notice shall include the anticipated date of the notice to the individuals and the approximate number of individuals in this state who will be notified.
NH Revised Statutes Annotated

This makes New Hampshire the fourth state (by my count) to require such central reporting, joining New York, Maine, and North Carolina.

Illinois requires reporting only when State Agencies are breached, and New Jersey requires reporting to the State Police (who keep the reports secret).

[Update: Missing quote added. Grr.]

Posted by cwalsh on April 11, 2007 at 5:51 PM in breach analysis.

UK Story On Breaches and Silence

(Posted by mordaxus)

IT Week in the UK writes, "Companies keep silent on data breaches."

There are a couple of interesting quotes:

Jonathan Coad, a media specialist at law firm Swan Turton, said newsworthy breaches are often leaked to the press. “Reporting crime to the police is a double-edged sword as invariably the press has found out about the incident within 24 hours,” he said.

I raise my eyebrow a bit because of the words "often" and "invariably" appearing together. I side with the reporter on "often" and just don't buy "invariably." Nonetheless, if people believe that telling the police is the same as telling the press, they'll refrain from telling the police.

However, Maxine Holt of analyst firm Butler Group argued that corporate victims not reporting crimes “is of no use to anybody”.

I concur, and so the question is how to make sure that the proper notifications happen to the proper people at the proper time. That's why there's no rule set on this. More in another post.

Posted by mordaxus on April 11, 2007 at 3:57 PM in breach analysis, breaches.

April 10, 2007

Daft Bloggers' Code of Conduct

(Posted by mordaxus)

Tim O'Reilly with the help of others has posted a "Draft Blogger's Code of Conduct" in reaction to l'affaire Sierra. Forgive me the pedantry, but I've corrected the plural in my derivative topic line above. There have been other comments about this in many other places. I'm not a friend of Sierra's, but I have read and enjoyed her blog from time to time. As I've said before, in no way do I condone the way she's been treated, and I will smile when the perps get their just desserts.

Nonetheless, I feel obligated to engage in one of the most odious tasks there is in a free society -- defending free speech. It is an odious task because one has to do it in the wake of things that are at best barely defensible. If one is lucky, one defends it because the offense of the day is outraging parents. Those almost always have a snicker factor in them, making it easy to defend free speech. Video game outrages, especially those involving Rockstar Games are the most satisfying.

One notch below that is a childish (to one) brouhaha among people who basically (it seems to one) don't believe in free speech anyway, who intrude upon us decadent Westerners. Every one of the [Insert Nation Here] Bans You Tube incidents falls into this broad category. This category gets more eye-rolling than snickering. However, if You Tube does anything other than stonewall, there's often some nice meta-free-speech dudgeon and perhaps the opportunity for some good old ZOMG! Google is EEEEEVILLLL hyperventilating.

If one is less lucky, there's a bad movie or book or art exhibit that has offended some group of people that the offender is a member or ex-member of. If one is even less lucky, the offense is cross-group. Even worse is when it's some artist so talentless they can only get attention by incorporating into their art elements best left in a discussion of John Snow.

Worst of all is when one has to defend free speech when no one is defending the offense. That's where we are. I haven't seen anyone defend the punks. Perhaps that says more about how few blogs I read than anything else, but I haven't seen anyone of consequence saying, "...I know that this is offensive but..." We all seem to agree that this one is over the line. Yelling "Fire" in a theatre -- bad. Death threats -- bad. Colorful death threats -- worse. If we're all in agreement that this is out of line, then, where is the need for the code of civility? We all agree this was unacceptably uncivil.

The basic problem with codes of civility is that they are on the other side of the scale from rights. They may be close to the fulcrum, but they are on the other side of the scale. Civil people don't need rights. You only need rights when you're going to be uncivil. A code of civility is censorship. Let's not mince words here. The only question is if it is needed censorship, or perhaps we could lead by example, and limit ourselves to being acceptably uncivil. Why the code, except to regulate the speech of -- whom? It appears it's to regulate the speech of people who can be fractious, but don't need their speech regulated.

I am bothered by this because I wonder how the heck it's going to solve the problem it's aimed at. Many of the modern outrages we suffer are because there's some solution that misses the problem and punishes the innocent rather than the guilty. Go to an airport, if you wonder what I mean. Why do we all have to submit to a civility code because there are -- shock horror -- a bunch of gits on the Internet? It's not news that there are a bunch of gits on the Internet. The Internet has been the playground of gits for three or four decades.

In the opening paragraph of O'Reilly's draft code, you can hear the overly-sanitized tone of voice they used when they doled out mass punishment in seventh grade. Blah, blah, one bad apple, blah, it's with great sadness that I'm forced, blah, blah, because after all I'm the adult here. "Celebrate," indeed, Mr O'Reilly.

Looking at section 1, libel is already illegal, as is harassment and stalking. The DMCA already obligates us to take down copyright infringement. I'm saddened that we can no longer fight or mock DMCA takedowns. I see that O'Reilly will be siding with Apple the next time they want to shut down a leaker, but whatever. And I suppose that infringing on trademarks means no more company-sucks.com domains, and that we will side with the movie industry when they want to seize a domain for a summer blockbuster.

It does bother me to read, "We won't say anything online that we wouldn't say in person. " I wouldn't say this in person. I wouldn't make a grumpy pun on "draft" in person. I wouldn't correct someone's punctuation in person. I did both of those to make this point, that there's nothing wrong with a little mixing it up in the blogosphere, and that would be inappropriate at a cocktail party. Furthermore, this empowers the sort of bully who would suggest in person, for example, that a Supreme Court Justice with whom they disagree should be poisoned to say pretty much anything they want to in a blog, but the rest of us are constrained. I make a point not to mention that particular person, but a code of conduct that lets such a person say what they want and stifles Scoble has an odd definition of civility.

It's easier for the members of the blogorati who have each other on speed dial (or on their IM buddy lists) to connect privately. And let's face it, if someone is going to act inappropriately, they're not going to call their target up and say, "Hey, I'm going to make some obscenely grotesque death threats and photoshop your image into things that will really tick you off. I really hope you don't mind, it's nothing personal, I just hate your blogging and want to bully you into silence." Again, this sounds good on the surface, but it won't solve the problem and only punishes the innocent.

I like the "Don't respond to trolls" item. I like how wonderfully, unintentionally ironic it is. I'm somewhat slow to post on this in part because I believe in measured response (if not always civil -- I can't tell if I'm being civil in this post, myself). But I wondered as I read it if it was O'Reilly's own version of a troll. There are obvious ways to troll, and subtle ones. If one writes a post and thinks, "This will get a lot of responses." then one is trolling. Again, however, no matter how good that advice is, how does it relate to l'affaire Sierra? Am I merely too busy with work to be madly searching every blog?

When we get to the "no anonymity" part, this gets past the snickers and eye-rolling and into the exasperated sighs. Various national and state governments have tried this, and usually we explain slowly that this is not only undesirable, but probably impossible. And besides, anonymity is harder than you think. Ask the Chinese bloggers who've been jailed or the guy who wrote John Siegenthaler's bio in Wikipedia.

Calling for an end to anonymity on the Internet is kicking the ant hill, largely doomed to failure, and few people who want anonymity actually get it. It's one thing to call for something that people will hate you for, but why do something people will hate you for that you will fail at? What's changed? Do we all believe that a surveillance-enabled blogosphere is a good thing? Is the Chinese government now what we look to as a rôle model? Again, I will also add O'Reilly's suggestion about IP addresses and a valid email address isn't going to solve the problem.

Along with this retreat from what we generally stand for are other comments, such as those by Cynthia Brumfield in her "Blogging Guidelines Could Help Protect Free Speech." Brumfield is, in general, timid; Brumfield is loath to write the word "porn." I can hypothesize why, but Brumfield writes "p*rn" for whatever reasons. Fair enough, but there are many ways to respond to "Such a code constitutes peer pressure, perhaps, but it doesn’t take away anybody’s right to speak." [Brumfield's emphasis.] "Only if such a code were to become law, enforced by the government, would it represent a real threat to free speech." And lastly, "In other words, self-regulation is a far better alternative than government regulation, an admittedly distant outcome right now but one that could become all too real if things get out of hand."

Searching for a response, I rummage through my Closet Of Clichés, and I can find, "...burn the village to save it;" that overused bit from Franklin about security and liberty and deserving neither; some holier-than-thou tongue-clucking about my ancestors' military service; as well as some sniggering over "admittedly distant;" a few allusions to Rushdie, Theo Van Gogh, or perhaps Pim Fortuyn to make it spicy; and oh, look -- several relevant Princess Bride quotes are waving at me and leering (it's a miracle that I've avoided those so far); but I think it might be best to go for a Jon Stewart boggle and push-back of the chair.

Come on, people, you don't mean what you're saying! Yes, Sierra's been treated badly, but does this mean that the next time some high school kid with more HTML skills than sense Photoshops the principal's photo you're going to advocate ruining the kid's life because oh, my God, this could have been another Columbine? Does it mean that when some loony shoots up their workplace that you're going to be against anonymous bitch sites? If there is a genuine terrorist attack somewhere will you then think that thought crimes aren't such a bad idea? No, you don't think that and you won't do those things. You're smarter than that. You're just caught up in the heat of the moment because an ugly thing has happened to a friend of yours. Take a few more deep breaths, and a few drops of Rescue Remedy.

Ugly things happen to good people, especially good people who write. Take a look at what's been happening to Russian journalists of late. We're not there, thank God. We are merely dealing with bullies. There are many ways to deal with bullies, and the ones that work include standing up more often than hunkering down. A code of civility is punishment for the innocent and is thus hunkering down.

It's much better to be bold, to go on with life with enough courage to correct other people's punctuation, and a thick enough skin to have your punctuation corrected. We'd be better off if we created an anonymous site with horrible pictures and depictions of what we'd do to those creeps. Giving them a taste of their own medicine is less destructive than treating all bloggers like wayward adolescents. I know several bloggers who are not wayward, and many more who are not adolescents. If we let this ugly incident eliminate what is vibrant about blogging, then, then -- you -- yes, you, with the "have won" on your shirt. Back in the Closet of Clichés, now. I mean it, and yes, it does mean what I think it means. And all of you Gentle Readers, you know what I mean, too. Let us fight madness with sanity. Photo "Scold" courtesy of nami_jun. (And my apologies for not including credit for a couple hours.)

Posted by mordaxus on April 10, 2007 at 9:35 PM in Current Events, blogging.

Disclosure Laws, State-by-State

(Posted by mordaxus)
Philip Alexander writes in Intelligent Enterprise about "Data Breach Notification Laws: A State-by-State Perspective." The article is short and readable, and points to his new book, which is likely a good read.

Posted by mordaxus on April 10, 2007 at 1:11 PM in Legal, breach analysis, information security.

April 9, 2007

The Cost of Disclosures, and a Proposal

(Posted by adam)
So there's a spectre haunting my arguments for disclosure, the spectre of cost. I'm surprised none of my critics have brought it up yet.

Mailing notices to people, and handling their questions can be expensive. When the personal data being lost is a credit card number, I don't care that much. When it's medical data, my national id number, or other data which can be used to harm people, I care more.

I'd be perfectly willing to forgo personal notification of the theft of credit card numbers. I just don't think it's that important, and the liability lies with the banks and the merchants. In contrast, the outcome of my SSN being abused falls back to me, in credit reports, false arrests, etc. Personal notification regarding SSNs will be important until we have a society where I'm in control of my personal information and how it's used to identify and authenticate me. Personal notification around medical and other information will always be important.

The tradeoff I'll offer up is I'll stop caring about personal notification of credit card breaches, if we can agree that a decent, in-depth analysis of what goes wrong should be filed in some public way, and that any organization who does that should get some degree of protection against negligence claims. That analysis is being done anyway, so the additional costs are pretty minimal. The additional legal concerns that are raised by telling what happened can be addressed by adding some protections. It's essentially trading the public good of more information to analyze for protection against legal claims being built on that information.

Posted by adam on April 9, 2007 at 11:57 AM in breach analysis.

April 8, 2007

See, it can be done

(Posted by cwalsh)
I'll keep this short since you should all be reading Mordaxus' latest, not this, but speaking of data... This breach report [pdf] from Community National Bank wasn't sent to consumers, but you can't say it was short on details.

Posted by cwalsh on April 8, 2007 at 10:03 PM in blogging, breach analysis.

Cleaning Up

(Posted by mordaxus)
John Snow Pub Sign

If you haven't read Steven Johnson's The Ghost Map, you should. It's perhaps the most important book in print today about the next decade of computer security.

John Snow was a physician and a pioneer in anaesthesia who turned his attention to cholera when the worst epidemic hit London, where he lived, in 1854. It's not just about Snow, however; it's about theories, information, and how to select the right model.

The prevailing model at the time (this was pre-germ-theory) was that cholera was airborne, carried by "miasma," namely stink. If it smelled bad, it was probably disease-ridden. It's not a bad theory, actually, it's just wrong. Snow came to the belief that cholera was waterborne, despite the fact that the suspect wells in London were known to be largely sweet-tasting.

Despite the fact that I'm giving away the plot (spoiler -- we beat cholera and major cities in Europe no longer have epidemics), Snow got there by examining data and coming up with the proper visualization of the data (the Ghost Map) to show that cholera spread along water flow not along air flow.

Before Adam used Snow and Johnson's book in his recent "Why Security Breaches Are Good For You," I read the book and was thinking about it and security.

I believe that our security problems need to be looked at both from the viewpoint of public health issues and from the viewpoint of quality. Snow beat cholera because he was fortunate enough to have the right insight, but insight isn't enough. You need data. Fortunately, there was lots of data available, and the data was available to him and the people who disagreed with him. Data was also part of the problem, as Johnson points out, because the larger problem was sorting through the data. However, when it comes to computer security, we don't yet have the luxury of too much data.

Everyone's data center has its own little cesspool. Mine does, yours does. We have to figure out how to clean them up. We need to have more data. We therefore need to remove the stigma of disclosing data as well as insisting on it. This is why The Ghost Map is an important book for computer security: it will take you back a sesquicentury to the problems of creating cities with millions of people in them, and in that history you can think about the problems of making networks with billions of people in them.

Johnson himself has a chapter on the future of cities and urbanization, which I wasn't as impressed with. The book shifts from being a page-turner to a page-flipper when he gets away from the past and considers the future. Nonetheless, read it and think.

I was fortunate enough to be in London recently and made a pilgrimage to Broad Street (now Broadwick Street) and the pub in his honor. I also made a point to use the modern public convenience on Broadwick Street and was amused by the washing gizmo that soaps, waters, rinses, and dries one's hands without one having to touch anything.

Photo of the pub sign for the John Snow pub courtesy of Mordaxus. I apologize for leaving the decent camera at home, and thus having to make do with the camera in my mobile.

Posted by mordaxus on April 8, 2007 at 7:28 PM in Economics, Security.

Replacing Evite

(Posted by adam)

So I hate Evite, even when it brings me to cool parties. You know who you are. Encouraging my friends to enter social network information, and then using it to contact me feels tremendously invasive. Failing to understand that annoys me. Their lame privacy policy infuriates me. Their success at co-opting my friends to sucking out my privacy infuriates me.

Their failure to include information in their emails infuriates Scoble:

The evite email that I have doesn’t have any information on it. It doesn’t tell me where the party is. It doesn’t tell me when it starts. It forces me to click over to the Web site to look at all that info. I really, really hate that (because I drag emails from people to my calendar to keep the date and I hate clicking away from my calendar just to learn pertinent information because the service an inviter used is trying to collect page views by forcing me to visit the site).

And so I look forward to their contempt for their users killing them. Scoble mentions MyPunchBowl.com. I've been looking at Darkguest--I'd love it if they'd open source their code. I could run darkguest on my site, and control the privacy issues myself. Anyway--use one of these. Not Evite. You'll be the cool kid with the best new party toy.

Photo: "Letter" by Just4you.

Posted by adam on April 8, 2007 at 7:06 PM in Privacy.

April 7, 2007

Three on Information Sharing

(Posted by adam)
The New York Times has a story, "Teaching the Police to Stay a Step Ahead of Car Theft:"
The police have traditionally kept such conversations quiet, fearing they could tip off aspiring thieves. Mr. Bender’s mission is to bring investigators into the digital age and get them to share information, just as their adversaries are doing on Web sites, message boards and forums like YouTube, where dozens of videos show off car-hacking and street-racing techniques.

“I don’t think there is anything we talk about at the seminars that isn’t on the Internet, being discussed by the other side,” Mr. Bender said. “In the past, we have only been keeping information from ourselves.”

NPR has a story about the National Counter Terrorism Center, "Absences at Intel Center Raise Questions:"
"I think essentially, it boiled down to the amount of information-sharing that's needed to go forth in order to defend the homeland," Cunningham said. "So that was what was lacking."

A second military official, who requested anonymity while discussing intelligence matters, said: "The priority was to make sure our commanders were receiving the intelligence they needed. That wasn't happening."

Me, I thought it was just the ISACs that didn't share information.

Finally, Ken Belva discusses a personally discovered issue in "Exclusive: Tribeca Film Festival Discloses Ticket Holder Information:"

The voicemail was from a gentleman named Mark who saw my billing information on his screen and called me to tell me my information was disclosed to him. He also told me to monitor my Amex card. He took note that my AmEx account number was not disclosed to him. And, one should note other people’s AmEx numbers were not disclosed to me either, as represented in the two images posted on my site.
You might think it's a trend or something.

Posted by adam on April 7, 2007 at 4:29 PM in breach analysis.


April 6, 2007

Phriday Phish Blogging: Randomly Flagged

(Posted by adam)
phish.jpg

One of the things I really appreciate about phishing is that we pay people to discover the zeitgeist and share it with us.

There's little spam advertising fallout shelters or other ways to deal with the Red Menace. I rarely see advocacy about bimetallism in the currency in my inbox. We see what we see because spammers and phishers are motivated to get our attention. They do it by constructing plausible subject lines, like "Ebay question from seller," or, in the case of this week's Phriday Phish, "Security Measures. Your account has been randomly flagged !" That was the subject, here's the text:

Flagstar Bank Security Measures.

Dear Flagstar Bank Member,

Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have access and use of your Flagstar Bank account . experience. We require all flagged accounts to verify their information on file with us. To verify your information at this time, please visit our secure server webform by clicking the link below: http://0xd2.0xFF..../cgi/www.flagstar.com/ [URL edited for safety.]

I love how they claim your account was randomly flagged. It's as if people are expecting the computers to spew garbage like this.

And dig that URL! Why do banks send email whose links, to normal people, look just like that one? How well can we train the public to be confused?
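That host is not a typo on the phisher's part. Every IPv4 stack (inet_aton, and the URL parsers in browsers) accepts hex octets like 0xd2, octal octets like 0322, and even a single 32-bit decimal "dword" in place of a dotted address, so "0xd2.0xff..." resolves fine while looking nothing like a bank. The obvious check is to normalise the host to plain dotted decimal and then notice that the brand name lives in the path rather than the host. The following is an added example, not code from the original post; the full phish host is elided above, so the sample URLs below are constructed (the last two octets are made up), and the brand-domain check is a simple suffix match I wrote for illustration.

```python
"""Normalise obfuscated IPv4 hosts and flag brand-in-path phishing links.

Added example; sample URLs are constructed, not the original phish.
"""
import re
from urllib.parse import urlsplit

# One dotted part: hex (0x..), octal (leading 0) or decimal. Anything else
# (e.g. "08", "www") means the host is not a numeric literal.
_PART_RE = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def _parse_part(part):
    """Interpret one part using the same rules as inet_aton()."""
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def normalize_ip_literal(host):
    """Return dotted-decimal form if `host` is an IPv4 literal in any of the
    forms inet_aton() accepts (a.b.c.d, a.b.c, a.b, a, in hex/octal/decimal);
    return None if it is a name or an out-of-range literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART_RE.match(p) for p in parts):
        return None
    nums = [_parse_part(p) for p in parts]
    *lead, last = nums
    # Leading parts are single bytes; the last part fills the remaining bytes,
    # which is how "0xd2.0xff.258" and "3539927298" both mean 210.255.1.2.
    if any(n > 255 for n in lead):
        return None
    remaining = 4 - len(lead)
    if last >= 256 ** remaining:
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    value = (value << (8 * remaining)) | last
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def assess_link(url, brand_domain):
    """Return (on_brand, findings). on_brand is True only when the host is the
    brand domain or a subdomain of it; findings lists the tricks spotted."""
    s = urlsplit(url)
    host = (s.hostname or "").lower()
    brand_domain = brand_domain.lower()
    findings = []

    ip = normalize_ip_literal(host)
    if ip is not None:
        findings.append(f"numeric host {host!r} is really {ip}")

    on_brand = host == brand_domain or host.endswith("." + brand_domain)
    if not on_brand:
        # The brand name used as decoration in the path or query string.
        if brand_domain in (s.path + "?" + s.query).lower():
            findings.append(f"{brand_domain} appears in the path, not the host")
        # The brand name as userinfo: http://www.bank.com@<real host>/ .
        if s.username and brand_domain in s.username.lower():
            findings.append(f"{brand_domain} appears in the userinfo before '@'")
    return on_brand, findings


if __name__ == "__main__":
    # Constructed samples (the real phish host is elided on the page).
    samples = [
        "http://0xd2.0xff.0x01.0x02/cgi/www.flagstar.com/",
        "http://www.flagstar.com@3539927298/cgi/",
        "http://0322.0377.1.2/cgi/www.flagstar.com/",
        "https://www.flagstar.com/login",
    ]
    for u in samples:
        ok, found = assess_link(u, "flagstar.com")
        print(("OK   " if ok else "PHISH"), u)
        for f in found:
            print("       -", f)
```

Run it as a script to see each sample classified; the first three all land on the same address, which is the point: the mail filter should compare canonical hosts, not the string the phisher chose to show.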

Photo: Mackrel, by Marainne.

Posted by adam on April 6, 2007 at 1:20 AM in Amusements, information security.


April 5, 2007

We Have Nothing to Fear But Fear Itself

(Posted by adam)
So Ken Belva suggests that we should cordially agree to disagree. ("My Response to Adam Shostack’s Reply on Transparency & Breaches") I'm happy to be cordial, but I feel compelled to comment on his response. Before I do, I should be clear that I have respect for Ken as a professional, and as someone willing to engage in this debate. A number of people have argued privately with me, and I suspect Ken is being cheered on by a lot of people who feel as he does. At the same time, I'd like to think that the smart people in our industry, including Ken, can be swayed by the arguments and logic.

So, quoting Ken:

But security operations are a different ball game. Perhaps my using the term competitive advantage was not correct. What I mean is that it’s more along the line of disclosing sensitive operational information. As security professionals we are averse to leaking any information pertaining to operations and I view breach disclosure in the same way. There was a point when security professionals were afraid that posting technical job requirements for new positions on monster.com would leak information about the internal systems used in a corporate environment and give the attacker information.
So I understand and agree that we're averse as a profession, and I believe that to be dysfunctional. To the particulars of leaking information via job postings--did you check to see if that information was already available via search engine? When I have done so, I found employees participating in mailing lists about products from their work accounts. So the information is out there, we just don't know it. If that's the case (and I don't know if my experience generalizes), then you're making HR's life harder for no payback.

More broadly, I think we need to get beyond fear (to coin a phrase) and be looking for data.

The first lesson of SB 1386 (California's breach notification law) should be that the sky doesn't always fall when we expect it to fall.

Just as we have an understanding of responsible disclosure now for technical information security vulnerabilities, we need the same for breach disclosure.
I don't think these are the same thing. Disclosing information about vulnerabilities creates clear future risk on a broad scale. Disclosing information about what's gone wrong in the past may expose no data that's not already available on a search engine. More importantly, it allows us to evaluate our practices and replace fear with data.
If not through a centralized (not necessarily government) body Adam, what do you propose that would allow for better, more accurate and confidential disclosure that does not leak sensitive information?
I'm not proposing any such thing. I'm proposing widely shared data. We have a set of organizations that have attempted to slice the Gordian knot with confidentiality. There's CERT, FIRST, and the ISACs. CERT collects data, but their sampling has minimal statistical validity, because it's self-selected reporters. FIRST has all sorts of hoops to jump through, but their members don't share data. Ditto ISAC (from what my sources tell me). If I'm wrong, Dan Geer would like a month of your anonymized firewall logs to do some correlation analysis.

So I think that what you've suggested has been tried, and hasn't worked. I think that I've provided a number of reasons it hasn't worked (regulatory capture, lack of competition) and don't expect those reasons to be overcome by yet another data sharing club.

My point is that sharing data has lots of possible upside, and the downsides are being shown to be less painful than we expect. However, there's a way we've done things, and it has worked in some ways, and so we fear change.

I am challenging everyone to face those fears, and work to overcome them. I believe that there's tremendous value waiting to be unlocked.

Posted by adam on April 5, 2007 at 12:13 PM in breach analysis.


April 4, 2007

Another Side Of Copyright

(Posted by arthur)

These days when you read an article about copyright that involves students, it also involves the RIAA or the MPAA. This article in the Chronicle of Higher Education, on the other hand, is about two high-school students taking on Turnitin. The students specifically asked that certain papers of theirs not be included in Turnitin's database and despite this, the papers were included. The students are claiming that this is a violation of their copyright. It should be an interesting case to watch; regardless of the outcome, it's great to see students standing up for themselves.

[via: Sivacracy]

Posted by arthur on April 4, 2007 at 4:54 PM in Liberty.


How to Allocate Resources

(Posted by adam)
The other day, I wrote:
I also don't buy the bad management argument. Allocating resources to security is an art, not a science. I'll offer up a simple experiment to illustrate that shortly.
So here's the experiment. It works better in person than in blog comments. Ask two experts to write down how they'd allocate $100 to secure information. Pick a business that both know. Compare. Then watch them argue.

Now imagine that you're a CEO, and ask yourself what you'd do to resolve this debate.

Posted by adam on April 4, 2007 at 11:38 AM in Economics, information security.


April 3, 2007

UK NHS & Disclosure: A Moral Imperative Example

(Posted by adam)
From Silicon.com, "Pressure grows for UK data loss disclosure:"
As a spokeswoman for the Information Commissioner's Office told silicon.com last year: "There is nothing in the Data Protection Act that legally obliges companies to inform customers when these things occur."
But, from the BBC, "Children's details taken in theft:"
Health bosses in Nottinghamshire have issued a warning after a laptop containing information on about 11,000 young children was stolen.
I believe this to be an example of the moral imperative around breach disclosure. There's no legal obligation, but there is an ethical one, and the NHS knows it.

Thanks to Antonomasia for the BBC story; the laptop has since been recovered, but it's unclear if any data was copied.

Posted by adam on April 3, 2007 at 10:28 AM in breach analysis.


April 2, 2007

Stop REAL-ID From Wasting Real Money and Liberty

(Posted by adam)
Welcome to the Stop Real ID Now blog. Not surprisingly, we'll be talking a lot here about the Real ID Act of 2005... and more specifically about an activism campaign that will use the power of blogs, social networks and art as well as creating partnerships and using media outreach to, we hope, stop the Real ID Act in its tracks. To stop it, however, we need you... and lots of "yous"... to help out.
http://stoprealidnow.blogspot.com/

Posted by adam on April 2, 2007 at 11:58 PM in National ID.


Response to Ken Belva on Transparency & Breaches

(Posted by adam)
Over at bloginfosec, Ken Belva takes issue with my claim that "security breaches are good for you," in the aptly titled "Why security breaches are still bad for you…"

His summary and response are well thought out, and I'd like to respond to a few of his points. This is a long post because I think these issues deserve more than a flip response.

Some of this breach information, while important, may not be best suited for direct public disclosure. Shostack’s best counter argument is point one: if breaches really do not create much of an impact, what’s the harm of disclosing the details of the breach? Well my reply is that it’s generally bad business practice to disclose the details of one’s operations: one should not engage in practices which may diminish one’s source of competitive advantage.
On the specifics of the disclosure in information security, I agree there are times that secrecy can be a useful part of a process. I usually follow Swire on this: the value of secrecy depends on risk to the attacker to pierce the secrecy, and is often mis-estimated, as I discussed in "Friday Star Wars: Open Design."

To the broader point of discussing competitive advantage, I look to Honda's discussion of their manufacturing techniques, or WalMart's discussion of their lean operations. These companies talk regularly about the source of their competitive advantages. Talking about operations doesn't generally impact competitive advantage.

Most importantly, I'm unaware of anyone getting sustainable competitive advantage from information security operations. I know companies who are getting operational efficiency, which, all else equal, leads to advantage. You can borrow money more cheaply, you can price your products better, and you can derive advantage from these things. That's not the same as a sustainable competitive advantage.

Rather than direct and inconsistent corporate/government breach disclosures, a more apt way to do it is as follows: by law, a breached organization must report the breaches to a centralized authorized repository which will collect specific details of the breach in order to begin to amass worthwhile breach statistics for both public and private use. The specifics of what must be reported are universal standards required by all breach filers.
Up to here, I mostly agree--I do appreciate the competition to create good reporting standards.
Most specifics are kept confidential, but the relevant information about each particular breach is publicly disclosed depending upon the nature (category of severity) of the breach. An additional independent body (which could already exist) should have oversight of this centralized breach repository. The repository should be audited by an additional third party to ensure accuracy of information. The aggregated information should be tabulated, scrubbed of any organizational specifics and released publicly so that all organizations and individuals may benefit.
I don't agree here. This is quite similar to Schwartz and Janger's model 4 from their Notification of Data Security Breaches Michigan Law Review paper. My issues with that are around the need for innovative research. We are at the inception of a new field, with a great deal of exciting work being done. I know of no better way to stifle new research than to hand control of the data to a government agency. We are seeing great research (and some not so great). We are seeing people apply legal, economic, media, and security perspectives to the data, and new things keep emerging from that. To hand exclusive access to a central agency, absent real harms from the data being widely available, seems unjustified.

Worse, I fear regulatory capture, where a few very interested parties work closely with the central repository to set rules for access that will slow the research and emergence of better analysis.

Freely available data, with low transactional barriers to acquisition will lead to more research, more competition to do great research, and more competition to perform actionable research.

Yes, this is a change, and change can be hard on those of us who have been working under a set of known rules. We can do better, and owe it to our employers and our profession to do so.

Posted by adam on April 2, 2007 at 11:42 AM in breach analysis.


April 1, 2007

TJX Commentary

(Posted by adam)
I keep trying to avoid commenting on TJX, and keep getting drawn back in. The amount of news and analysis out there is large, and I'm selecting islands in the clickstream. (Any advice on who's covering it well would be appreciated.)

In "TJX Lawsuits -- 45 Million Credit Cards," Pete Lindstrom mentions that there are 18 lawsuits listed in a TJX 10K. Pete discusses the legal situation. My personal opinion is that the 451,000 people whose ID numbers were taken will have a better chance at getting damages from TJX than those whose credit cards were taken. Companies using return management tools that rely on drivers license swipes should consider their risks.

See also "Why Encryption Didn't Save TJX." We need layered defenses, and we need to have honest conversations about what's happening. Getting from here to there might be painful, as change often is, but that doesn't mean it's not worthwhile.

Posted by adam on April 1, 2007 at 8:16 PM in breach analysis.


Secure Flight @ Home

(Posted by adam)
Prof. R. H. Anssen of the University of Florence, Colorado, working under a Department of Homeland Security Advanced Research Projects grant, has released a new paper discussing improvements to SecureFlight that make it much more scalable, while adding in grid-computing and privacy-friendly aspects as well. Expanding upon the ideas of K. P. Hilby and J. W. Alker, Prof. Anssen and students have created a "glosses-based" security authenticator. This new mechanism combines statistical meta-analysis and secure multiparty computation to be able to identify problem flyers with zero false-positives.

Their software system is called SecureFlight@Home, and uses the background computations of potentially millions of computers to create the meta-analytic glosses which identify problem travelers. Additionally, individuals who have an e-Passport from the USA or any other e-Passport-issuing country can use their e-Passport to authenticate themselves to the SecureFlight@Home network and determine if they are on the international no-fly list. Version 0.9 of the SecureFlight@Home client is available from http://www.secure-flight-at-home.gov/

"What the TSA fails to realize is that without adequate protections, the contents of the no-fly list are accessible to millions of people, " said Prof. Ian Goldberg, noted privacy researcher at the University of Waterloo. "Worse, those people potentially have the power to modify the list as well. Hmm. How do you spell 'Hawley'?" he added.

TSA administrator Kip Hawley stated "some privacy fundamentalists have raised privacy questions, but we're confident we can address those after the system is up and operational on April 1st."

Posted by adam on April 1, 2007 at 1:29 PM in Air Travel, Amusements.
