Keynoting at ISSA tomorrow

I’ll be delivering the keynote at “The Fourth Annual ISSA Northwest Regional Security Conference” tomorrow in Olympia, Washington. I’m honored to have been selected, and really excited to be talking about “the crisis in information security.”

The topics will be somewhat familiar to readers of this blog, but in a longer, more coherent format than the emergent chaos which makes it here.

I should mention, I’m doing this wearing my own hat, not a Microsoft one, and will avoid most any mention of threat modeling or SDL.

WEIS 2008: Register now

Registration is under way for the seventh Workshop on the Economics of Information Security, hosted by the Center for Digital Strategies at Dartmouth’s Tuck School of Business, June 25-28, 2008.
The call for papers and the archives of past workshops give a good sense of what you’ll find (and it is awesome and well worth your time).
Unfortunately, the complete program for this year is not up yet on the site, although hotel discounts end on April 24.
I’m going, and may show up 2-3 days early. EC readers who will also be in town early and want to do some hiking, drop me a line and maybe we can arrange something.

More New School Reviews

Gary McGraw says buy it for the cover:

The New School of Information Security is a book worth buying for the cover alone. I know of no other computer security book with a Kandinski on the front. Even though I know Adam Shostack from way back (and never could have predicted that he would become a Microsoft guy), I saw his book at RSA, bought it for the cover, and only then discovered that he was the author! My plan was to give the book to a good friend who I know is a huge Kandinski fan. On the way to complete that errand, I had a chance to look through the book and now I need a copy of my own! If you’re a follower of the economics of security school (which Ross and Bruce Schneier have helped spearhead), you’ll like this book. (Gary McGraw)

while Ben Rothke says buy it for what’s in between:

The New School of Information Security is a ground-breaking text in that it attempts to remove the reader from the hype of information security, and enables the reader to focus on the realities of security. The fact that such a book needs to be written in 2008 shows the sorry state of information security.

Let’s hope The New School of Information Security is indeed a new start for information security. The book is practical and pragmatic, and one of the most important security books of the last few years. Those serious about information security should definitely read it, and encourage others to do the same.
(Ben Rothke’s review on Slashdot)

Thanks very much for the awesome review, Ben!

Why Aren’t there More Paul Grahams?

Paul Graham has an interesting essay, “Why There Aren’t More Googles.” In it, he talks about how VCs are shying away from doing lots of little deals, and how the bold ideas are the ones that are hardest to fund:

And yet it’s the bold ideas that generate the biggest returns. Any really good new idea will seem bad to most people; otherwise someone would already be doing it. And yet most VCs are driven by consensus, not just within their firms, but within the VC community. The biggest factor determining how a VC will feel about your startup is how other VCs feel about it. I doubt they realize it, but this algorithm guarantees they’ll miss all the very best ideas. The more people who have to like a new idea, the more outliers you lose.

Paul is absolutely right. The more people who have to like a new idea, the more outliers you miss. However, any really good new idea is likely a combination of one really good insight and several bad ones. It’s hard to disentangle them until you engage with the market. There’s a real question of how expensive that will be. There’s also the question of whether a really bold new inventor will listen enough to make the idea successful.

When I was at Zero-Knowledge, we spent a lot of time exploring ideas which have now come to fruition. Zero-Knowledge, under the name RadialPoint, is thriving. Selling security and privacy to consumers makes sense as part of an ISP package. Making it work, and figuring out what people were ready for, took a while. Some of the bits that people weren’t ready for, and that perhaps weren’t ready for the market, include IP-level privacy, a problem that the Tor Project is hard at work on. We also worked hard on ‘private credentials,’ which Credentica launched as U-Prove, and which has since been acquired by Microsoft.

We had lots of new ideas at Zero-Knowledge, and a set of happy outcomes (as shareholders know).

But Zero-Knowledge, while bold, wasn’t even absolutely new. It was built on the ideas of the cypherpunks, and we even had a Chief Cypherpunk. Similarly, Google wasn’t the first of the search engines. It was innovative in how it worked, but it was several years after Yahoo!, AltaVista, and Ask. The bold ideas took a while to become profitable ideas.

So I think that it’s absolutely wonderful that we have a creative, chaotic froth of very little companies, and that Paul helps make that happen. I wish there were more. I love seeing what emerges from that chaotic experimentation. But that experimentation can be tremendously expensive, with people chasing many variations of the ideas.

Paul is chasing a variation on how funding happens. He believes passionately in that vision, and is putting his money where his mouth is. Will it work? Who knows? I’m glad there’s chaotic experimentation, and if Paul succeeds, I’m sure he’ll have many imitators.

Congratulations to the CVE team!

The CVE Web site now contains 30,000 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers.

See the CVE News page. I remember proposing that we have a CVE-1. I’m tremendously proud to have helped get such a useful thing off the ground, and really happy for the CVE team.

Center for Innovative Financial Technology Launches at Berkeley

Congratulations to Berkeley on setting up a “Center for Innovative Financial Technology,” but I wonder why their mission is so conservative?

The mission of the Center is to conduct and facilitate innovative research and teaching on how new technologies impact global electronic markets, investment strategies, and the stability of the financial system.

The information people use to make financial decisions is changing. Brokers are disintermediated by electronic market access. Reporter/editor/reader relationships are disintermediated by web access to primary sources. Technology has provided the means to deliver a great deal of financially relevant information. It has lagged in providing the means to make sense of it in a timely manner. This is an important focus of CIFT research.

As Digicash was saying back in 1994, numbers are money now. Studying technology’s impact on information, without paying attention to how the information is money, seems like studying how compression algorithms will allow us to deliver music to record stores, to be pressed on demand into fresh vinyl.

Virginia gets it

[…] an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay.

Virginia’s new breach law
Emphasis added.

One Nation Under CCTV
Banksy has done a wonderful service. The well-known artist has given us delightful commentary on surveillance.

Better than that, he did it in a site above a Post Office yard in London (Newman Street, near Oxford Circus), behind a security fence and under surveillance by CCTV. His team erected three stories of scaffolding on Saturday, did their work, and removed the scaffolding on Sunday.

The Daily Mail has photos that include the CCTVs overlooking the work.

Photo courtesy of Herschell Hershey’s photostream.

Bot construction kit for non-programmers

We all know that ID theft and extortion bots are ubiquitous. Perhaps it is some consolation that a modicum of technical skill is needed to construct such things. That has changed.
I (a complete non-programmer) have just built not one but two “bots” using materials available here and here! With these templates, any 8-year-old can do the same!!!

Generativity, Emergent Chaos and Adam Thierer

Jonathan Zittrain, a professor at Oxford, has a new book, “The Future of The Internet.” He’s adapted some of the ideas into a long and worthwhile essay, “Protecting the Internet Without Wrecking It.”

In that essay, he uses the term “generativity” to refer to a system which has what I would call ‘emergent chaos.’ A generative system is one which is open enough that people do strange things on it, and new stuff emerges. There’s no need to get permission. In The New School, we talk about the difference between the internet, where anyone can run anything, and the old phone network, where only Ma Bell had any way to innovate. And never did.

In commenting on these ideas, Adam Thierer says some things I want to respond to:

I see no reason why we can’t have the best of both worlds–a world full of plenty of tethered appliances, but also plenty of generativity and openness. In a follow-up essay, I pointed out how Apple’s products create a particular problem for Zittrain’s thesis because even though they are “sterile and tethered,” there is no doubt that the company’s approach has produced some wonderful results.

And what’s wrong with this? Answer: Nothing! People are getting the choices and configurations they want. Older generations are simply not comfortable with the “general purpose” devices that tinker-happy gadgeteers like Zittrain and me prefer.

(From “another problem for the Zittrain thesis — old people!”)

So I’m all for choice in who gets what. At the same time, I think that Thierer makes the mistake of thinking that generativity happens in a vacuum. I don’t think it does. I think that the more generative devices you have, the more chaos (both good and bad) emerges. If only a few hundred people have Chumbys, then no one is going to write the alarm clock my buddy Nathan wants.

On the other hand, if there are a million Chumbys then someone might.

I think anyone writing for a blog entitled “The Technology Liberation Front” would get this, but let me lay it out. If I’m thinking of creating a widget to connect an iPod to a stereo, then I have to pay for my R&D out of the sale price of each device. If I spend a million bucks on R&D, then if I sell a million units, I can add a buck to the price of each. If I sell 10, then I’m going to lose money.

Entrepreneurs know this. They learn to prefer larger markets. They gravitate to larger markets. And thus the larger markets develop an advantage, which is that people want to participate, there’s a talent pool available, there’s a greater opportunity to partner, more investors willing to invest, etc. It’s a virtuous circle. You can buy a wider variety of parts to customize a Scion or a Mini than you can for a Ferrari. There just aren’t enough Ferraris to support a broad ecosystem of innovation. (There may be a network of engineers who wouldn’t bother touching a lower-end car.)

And so each “tethered” device may reduce generativity by reducing the chaotic froth which exists in the generative world. I’m not saying that such devices have no innovation. I have (and enjoy) an iPhone. I’d love to be able to SMS people URLs or contacts. And maybe when we get the SDK, and the iPhone becomes generative, I’ll be able to.

Until then, generativity has existed in active tension with the tethering. I think that generative and tethered systems can co-exist. But it’s not the “best of both worlds.”

Privacy Act and “actual damages”

Lauren Gelman writes:

I’m breaking blog silence to report on an amazing decision out of the DC Circuit holding that the federal Privacy Act’s requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed’n of Gov’t Employees v. Hawley, D.D.C., No. 07-00855, 3/31/08.

[T]he plaintiffs’ alleged injury is not speculative nor dependent on any future event, such as a third party’s misuse of the data, the court said. The court finds that plaintiffs have standing to bring their Privacy Act claim.

This follows the Supreme Court’s holding in Doe v. Chao, 540 U.S. 614 (2004) that a plaintiff must prove actual damages to succeed on an alleged Privacy Act violation; however, in that case, the court never defined “actual damages.”

Links: Her post, “Am. Fed’n of Gov’t Employees v. Hawley.pdf.”

I think this is a fascinating decision. The assertion that privacy damages are primarily financial is a very narrow one. We have already entered an age in which information is widely understood to have great value. Much of that value derives from a mind-numbing array of intrusions on seclusion, and allows for action on a poor shadow of what we used to call reputation.

As the value and use of that data grows, the costs and risks of abuse or negligence in the gathering, storage or application of that data also grows. There’s every reason to expect that the law will find a way to sort out those torts.

Attrition ends Dataloss — NOT!

UPDATE: This was a belated April Fools’ from the Attrition people, which clearly suckered me in.

Attrition’s Lyger has announced the end of Attrition’s Dataloss project (presumably including both the DLDOS and Dataloss mailing list).

In the past few weeks, it has come to our attention that too many people are more concerned with making a profit off of our work without any offer of acknowledgement or compensation. For those who aren’t familiar with Attrition, we’re a non-profit hobby site that takes on “projects” as we see fit, when we want to, and when we have time. For those who *are* familiar with Attrition, you probably know that we don’t take kindly to being dealt with unfairly. Commercial entities, including “identity-theft prevention” upstarts and book authors, will gladly contact us, ask for information and advice, and then not even offer us the equivalent of a reach-around when selling their materials. We don’t pimp our resources to others; they come to us. Unfortunately, more often than not, they won’t even send us a “thank you”. We’ve mentioned it in the past, but we’re not going to mention it in the future. This is the last

It’s too bad that leeches have spelled the end of this resource. Hopefully, others will step into the breach (pun intended), and offer something similar. Ideally, this would be done by an organization with the inclination and legal muscle to enforce a license requiring proper attribution from those using the material.