April 22, 2008

Keynoting at ISSA tomorrow

(Posted by adam)
I'll be delivering the keynote at "The Fourth Annual ISSA Northwest Regional Security Conference" tomorrow in Olympia, Washington. I'm honored to have been selected, and really excited to be talking about "the crisis in information security."

The topics will be somewhat familiar to readers of this blog, but in a longer, more coherent format than the emergent chaos which makes it here.

I should mention, I'm doing this wearing my own hat, not a Microsoft one, and will avoid most any mention of threat modeling or SDL.

Posted by adam on April 22, 2008 at 11:36 PM in conferences.

WEIS 2008: Register now

(Posted by cwalsh)


Registration is under way for the seventh Workshop on the Economics of Information Security, hosted by the Center for Digital Strategies at Dartmouth's Tuck School of Business, June 25-28, 2008.

The call for papers, and archives of past workshops give a good sense of what you'll find (and it is awesome and well worth your time).

Unfortunately, the complete program for this year is not up yet on the site, although hotel discounts end on April 24.

I'm going, and may show up 2-3 days early. EC readers who also will be in town early and want to do some hiking, drop me a line and maybe we can arrange something.

Posted by cwalsh on April 22, 2008 at 4:13 PM in conferences.

March 31, 2008

Black Hat Speaker Selection

(Posted by adam)
Black Hat USA News: We're very proud to announce a new feature for paid Black Hat attendees starting with the USA show in August - delegate access to our CFP system! Paid delegates can now log into our CFP database, read and review our proposed presentations and share their ratings and comments with Black Hat.

Your ratings will help us create the show you want to attend, and even help focus presentations as they're being created. We are excited to see what kind of information we learn about what interests our delegates and what kind of talks meet their needs best. We've always said that our delegates make Black Hat the experience it is, and we're glad to have the opportunity to extend their influence on the final product. To read more about this new opportunity, go to: https://www.blackhat.com/html/blackpages/blackpages.html

I think this is tremendously cool for a couple of reasons.
  • First, attendees get to influence what Black Hat selects. Help build the conference of your dreams!
  • Second, I've heard griping over the years about BlackHat's selection process being opaque. I've helped out occasionally with talk selection, and let me tell you, what's also opaque are a lot of the submissions that come in. Sometimes, it's really hard to decide if a given submission would be good or not.
  • Another complaint is "the same speakers speaking every year." A lot of times, these are easy accepts. The submissions are clear, the value prop is there, and they pack rooms.
I'm a big fan of transparency and openness, and I think that BlackHat and its attendees will all benefit from this move.

Now please go vote for me as a speaker.

(Just kidding, I haven't submitted. Yet.)

Posted by adam on March 31, 2008 at 11:12 AM in conferences.

March 30, 2008

Wendy Richmond's Surreptitious Cellphone

(Posted by adam)
At the International Association of Privacy Professionals meeting last week, I had the pleasure of meeting Wendy Richmond.

"Richmond is intrigued with the ways in which we share our public space. Some of us create invisible buffer zones for quiet reverie; others enhance or negate reverie through portable technology like iPods, cell phones and laptops. These zones become the subject of her videos and stills. Satisfying in both form and content, they are psychologically riveting, intentionally beautiful, and surprisingly witty portraits of our private lives lived publicly." (From the "Public Privacy" site.)
I think it's tremendously cool to add an artist and their art to a business conference. Too often, we find ourselves focused entirely on questions such as cost of compliance, or forthcoming regulation. Bringing in new and different perspectives may be uncomfortable or challenging, but it's important to remember the people for whom we're doing this work.

I'd encourage anyone running a conference to consider bringing in artists whose work touches, even tangentially, on the subject at hand.

Who knows, you might have some chaos in an otherwise too-well-oiled machine.

Photo: Wendy Richmond, photo with Adam's cell phone and permission.

Posted by adam on March 30, 2008 at 5:38 PM in Privacy, conferences.

March 14, 2008

Thank you, Usenix!

(Posted by adam)
I'm delighted to report that USENIX, probably the most important technical society at which I publish (and on whose board I serve), has taken a long-overdue lead toward openly disseminating scientific research. Effective immediately, all USENIX proceedings and papers will be freely available on the USENIX web site as soon as they are published. (Previously, most of the organization's proceedings required a member login for access for the first year after their publication.)

For years, many authors have made their papers available on their own web sites, but the practice is haphazard, non-archival, and, remarkably, actively discouraged by the restrictive copyright policies of many journals and conferences. So USENIX's step is important both substantively and symbolically. It reinforces why scientific papers are published in the first place: not as a proprietary revenue source, but to advance the state of the art for the benefit of society as a whole.

From Matt Blaze, "USENIX to make all conference proceedings freely available."

Posted by adam on March 14, 2008 at 12:22 PM in Science, conferences.

March 9, 2008

WOOT08 Call for Papers

(Posted by adam)
Progress in the field of computer security is driven by a symbiotic relationship between our understandings of attack and of defense. The USENIX Workshop on Offensive Technologies aims to bring together researchers and practitioners in system security to present research advancing the understanding of attacks on operating systems, networks, and applications.

2nd USENIX Workshop on Offensive Technologies (WOOT '08)
July 28, 2008
San Jose, CA

Sponsored by USENIX, the Advanced Computing Systems Association

WOOT '08 will be co-located with the 17th USENIX Security Symposium (USENIX Security '08), which will take place July 28–August 1, 2008.

Important Date: Submissions due: June 1, 2008

WOOT '08 Call for Papers.

(I'm on the program committee.)

Posted by adam on March 9, 2008 at 7:46 PM in conferences.

January 30, 2008

A Cha-cha all the way to the bank

(Posted by mordaxus)
On the beaches of Mexico, they're talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons.

First is the price: about €9,000. Second, there's the performance: a complete DES keyspace sweep in a fortnight. That's not bad, if you think about Deep Crack and what you'd expect from normal semiconductor advances.

The news, however, is that apparently there are banks using two-factor authentication tokens with DES-based keys, and if you're clever, you can break this token with far less than a full key search. You only need to observe the supposedly one-time password (or two or three of them), and then with a fortnight of computing, you can generate any one-time password the real owner can.

Maddeningly, there are other systems based on AES or some other crypto that aren't at all vulnerable to this attack -- because they have better keys. People who are vulnerable to this attack need not be.

Apparently, these banks have fallen in love with DES. But falling in love is dangerous. It's also negligent, when it's so easy to get shot.

Photo courtesy of Imagem Compartilhada.

Posted by mordaxus on January 30, 2008 at 3:35 PM in ID Theft, Legal, Security, conferences, information security.

November 1, 2007

WEIS 2008 Call for papers

(Posted by cwalsh)

The call for papers for the 2008 Workshop on Economics and Information Security, to be held at Dartmouth's Tuck School of Business in late June, has just been issued.

[...] The 2008 Workshop on the Economics of Information Security invites original research papers focused on the economics of information security and the economics of privacy. We encourage economists, computer scientists, business school researchers, law scholars, security and privacy specialists, as well as industry experts to submit their research and attend the Workshop. Suggested topics include (but are not limited to) empirical and theoretical economic studies of:

- Optimal investment in information security
- Privacy, confidentiality and anonymity
- Cybertrust and reputation systems
- Intellectual property protection
- Information access and provisioning
- Risk management and cyberinsurance
- Security standards and regulation
- Behavioral security and privacy
- Cyberterrorism policy
- Organizational security and metrics
- Psychology of risk and security
- Phishing, spam, and cybercrime
- Vulnerability discovery, disclosure, and patching

Important dates

Submissions due: March 1, 2008
Notification of acceptance: April 10, 2008
Workshop: June 25-27, 2008

Papers should be submitted online by 11:59 EST on Saturday, March 1, 2008, preferably in PDF format.
[...]

This is a great event. Mark your calendars. And by the way, there are worse places to be than New Hampshire in June.

Posted by cwalsh on November 1, 2007 at 11:25 AM in conferences.

August 8, 2007

Welcome iouhgijudgviujs, please log in!

(Posted by mordaxus)
Ben Laurie has shown time and again that OpenID is Phishing Heaven. It's also a huge boon for anyone who wants to start tracking on the web. I firmly agree that if you want to steal from people or invade their privacy, OpenID is for you.

I also know that there are people I respect who disagree with this harsh opinion. I believe that the ultimate decider of who is right on this depends on whether an effective OpenID exploit gets created, either in vitro or in vivo, and how well the OpenID people can fix it. My money is on the exploiters, but that's what makes horse races fun, as Twain put it.

At Black Hat last week, Eugene and Vlad Tsyrklevich gave a talk on OpenID security, and I just nodded as they outlined mechanism after mechanism to show how OpenID can be hijacked, MiTMed, spoofed and so on. They had short examples to show the HTML for how to do all the things that Laurie has described in words.

But then they summed up with saying that they like OpenID, they think it's kinda cool, and despite its flaws, it gives people a single sign on system that is good for -- I don't know, giving criminals a way to ruin your reputation on LiveJournal, eBay, and your employer all at the same time. I can't adequately relate it, because I just blinked a lot.

There's an old joke that exists only as a punch line: "But other than that, Mrs Lincoln, how was the play?" It's as if they summed up their presentation with, "Well, Booth's bit of performance art was over-dramatic with all that shouting Latin, but the characterization of the American Cousin was quite touching, and I thought the acting up to Ford's usual high standards."

I went up to talk to the speakers, hoping I could be more eloquent than "WTF?!" As I waited, I heard someone say that he just didn't get it at all, because he's been using the username/password saving and forms-filling in Firefox. He said that he likes it because now he picks web site names and passwords by just running his hand over the keyboard randomly. He added something like, "I know all of the problems with what I'm doing, but at least they are all on my machine." Inevitably, several people pointed out that the Mac has had that for years.

There then seemed to be a murmured assent that handling the problem locally may be a better solution.

I'm fascinated by the possibility that identity management might be headed the way of "push." I also wonder that while making fun of Microsoft cloning things is a sport rivaled only by grousing about Apple's disdain for battery compartments, this would be a case where it's called for. Out with InfoCardSpace, in with KeyChain.

Photo "Trunk 'n Branches" by slightly-less-random.

Posted by mordaxus on August 8, 2007 at 9:11 PM in ID Management, ID Theft, conferences.

July 25, 2007

Metricon 2.0 Registration Closes Friday

(Posted by adam)
Metricon 2.0 looks to be a great set of papers. I'd tell you what I'm looking forward to, but really, I'm looking forward to the whole day.

And it's only $225, but you have to register by Friday.

Posted by adam on July 25, 2007 at 11:18 AM in conferences.

May 13, 2007

Why Customers Don't Flee

(Posted by adam)
At Toorcon Seattle yesterday, I presented "Security Breaches are Good for You (like a root canal)." It's similar to "Security Breaches Are Good for you" (my shmoocon talk) but added a number of points about people agreeing, but not wanting to change. "Psychology & Security & Breaches (Oh My!?)" and "When Do Customers Flee." I also talked about TJX being well publicized as the largest breach out there, and their increased profits.

One of the questions that someone asked was "Why don't customers flee?" I offered up several reasons for this:

  1. Customers view these things as mistakes, and are willing to accept a single mistake. (I covered this in "When do customers flee?")
  2. People don't have the opportunity to leave because they no longer have a relationship with the entity who made a mistake. For example, the USC admissions breach covered eight years of applicants.
  3. My final reason was that many breaches are by government agencies, and even regime change is unlikely to curb the state's enthusiasm for identifiers. For example, Massachusetts' mandatory health care apparently requires a company that prints the SSN on your health card.
Frank Heidt of Leviathan offered up a fourth reason, which is the "Jack in the Box" effect. After an E. coli incident killed four customers, sales apparently went up, as people expected that they'd clean up their act.

Another questioner challenged the idea that people had heard about TJX, or associated it with TJ Maxx. I think the latter is more likely, since the incident got major play on TV and in newspapers.

Toorcon, incidentally, was loads of fun, and props for the best badge presentation I've seen. (Photo by Mattdork.) The badges were in the form of a Willy Wonka candy bar, and were wrapped in a golden ticket to get you into ToorCon.Seattle 09.

Posted by adam on May 13, 2007 at 4:22 PM in breach analysis, conferences.

April 27, 2007

WOOT! Looks Exciting

(Posted by adam)
Via Nate, "WOOT = Usenix + Blackhat:"
The call for papers is now up for a new Usenix workshop, WOOT (Workshop On Offensive Technologies, but don’t think the name came before the acronym.) The workshop will be co-hosted with Usenix Security and will focus on new practical attacks.

I was recently saying that vulnerability research could use more Peer Review instead of the other kind of PR (i.e., vague news stories, user-scaring Month of X Bugs). So help the community out here by submitting quality papers, especially if you’ve never submitted one before. I think the goal of bridging the gap between slideware (e.g., Blackhat) and 15th generation theoretical overlay network designs (e.g. Usenix Security) is a great one.

I think this is great.

Posted by adam on April 27, 2007 at 12:27 PM in conferences.

March 29, 2007

Security Breaches Are Good for You: My Shmoocon talk

(Posted by adam)
At Shmoocon, I talked about how "Security Breaches are Good for You." The talk deviated a little from the proposed outline. I blame emergent chaos.
Since California's SB 1386 came into effect, we have recorded public notice of over 500 security breaches. There is a new legal and moral norm emerging: breaches should be disclosed. This is the most significant event in information security since Aleph1 published "Smashing the Stack for Fun and Profit," and brought stack-smashing to the masses.

The reason that breaches are so important is that they provide us with an objective and hard to manipulate data set which we can use to look at the world. It's a basis for evidence in computer security. Breaches offer a unique and new opportunity to study what really goes wrong. They allow us to move beyond purely qualitative arguments about how bad things are, or why they are bad, and add quantification. The public awareness of the data lost on laptops is one example of this. There's no doubt that the data we get from these laws is imperfect, but look at the alternative: the FBI/CSI survey.

The talk will cover why breaches are an important opportunity, cover some threats to the emergent data, and discuss what we can do to improve the quality and quantity of the data that can drive security science.

Rather than posting slides, I've posted slides with a running commentary, because I didn't think the slides were particularly self explanatory.

[Update: fixed spelling.]

Posted by adam on March 29, 2007 at 12:43 AM in breach analysis, conferences.

February 16, 2007

Advances in Conference Usability

(Posted by mordaxus)
A little bird reports that at the Usable Security Conference they handed out conference proceedings in PDF form on a flash drive. I'm told that the flash drive was cheaper than printing on paper. I hope this trend spreads, as I'm always lugging back paper from conferences along with the inevitable bag or t-shirt. Flash drives are easier to carry, and if I get too many of them, I can always put them together into a RAID drive. Those clever usability experts. What will they think of next?

Photo "Gersterbrot" courtesy of hannesstruss.
Posted by mordaxus on February 16, 2007 at 9:24 AM in Usability, conferences.

February 14, 2007

Professional Ethics

(Posted by arthur)

Cutaway's post about ethics at RSA reminded me that I wanted to post about this as well. Like Cutaway, I attended "Professional Ethics in the Security Disciplines" which was chaired by Howard Schmidt and the panelists were representatives of SANS, (ISC)², ASIS and ISACA. All in all, despite Howard's expert moderation, I remain under-whelmed by the idea of certification authorities enforcing ethical standards. All of the panelists avoided answering questions related to the number of complaints they had received and number of members actually disciplined.

I'm going to limit my comments for the most part to (ISC)² since I haven't had any interactions with, nor am I a member of, the other organizations. My first issue is a lack of transparency to the process by which investigations are done and the apparent lack of any appeals process. After talking privately with Cutaway, I found out that at least in the case of SANS, the ethics committee is not part of the GIAC certification team, which is an excellent start to improving things.

My next issue is that (ISC)² requires that potential CISSPs read and sign a statement of ethics. That's all well and good, except at no point is there any reminder of what you signed or any requirement to reaffirm that such a code exists. Even my employer requires that I sign a document like that each year.

Finally, at least one speaker (unfortunately I don't remember which one) made the statement which the rest of the panel agreed with: "We certify knowledge, not qualifications for employment". I'm curious how they are certifying my knowledge of ethics when:


  • There is no discussion of ethics in any of the training.
  • There are no questions about ethics on the CISSP exam.
  • Ethics is not part of the CBK.

So what it sounds like to me is that (ISC)² is really using the ethics requirement as a reason to protect the name of the certification and not to advance either the individual or the profession. (ISC)² and other groups like to equate security professionals to lawyers and doctors; if they are really interested in doing so, they should be providing actual training and discussion about it and not just using it as a hammer when convenient.

Update: Since some folks have asked me, the California State Bar publishes the Ethics Hotliner, which covers news and developments on ethics issues. Bar rules are handled on a state by state basis; presumably other states have similar offerings. Also I'm told that chiropractors are required to take safety and/or ethics classes as part of maintaining their certification, which is good for four years. Several states, including Texas and Nevada, specifically require ethics training as part of the mandatory continuing education needed to maintain medical licenses, while other states, such as Massachusetts, require both a course of study on current regulations and a course on risk management.

[Image is Ethic&Disciplin from NathanaelArcher]

Posted by arthur on February 14, 2007 at 2:31 PM in conferences.

Ignite Seattle

(Posted by adam)
I attended Ignite Seattle last night. It was awful. Don't attend next time. No, just kidding. It was great, and very crowded. There were some really awesome talks. I'm inspired to put a talk together for next time. My favorites from last night were:

Elisabeth Freeman gave a great talk on how the Head First folks use Csikszentmihalyi's flow theory to write books that teach you stuff, rather than poking you in the eye. I'm all in favor of not being poked in the eye.

Hillel from Tastingmenu.com talked about how to enjoy food.

Finally, even if the fellow hadn't been a jolt of extropian goodness, how could I not love a blog called Embracing Chaos?

When they get the videos up, I'll link to these.

[updating regularly with more URLy goodness. Early goodness? Late goodness?]

Posted by adam on February 14, 2007 at 11:14 AM in conferences.

February 7, 2007

Coviello: RSA 2010 Will be Last Conference

(Posted by mordaxus)

Okay, that's not precisely what he said. What he said was that in "two to three years" there will be no more "standalone security solutions." Meanwhile, the tradeshow floor of the RSA conference seems to be enjoying something of a renaissance, which is good to know, as the theme of the conference is, well, The Renaissance.

Sure, after you've been swallowed up into a behemoth, it's easy to think that in a few years everyone else will be, too. However, carrying that idea to its end leads to precisely the absurd headline I put there. If, in two or three years, there really are no more standalone companies, then why put on a show just to see EMC, MSFT, Cisco, and Symantec? Press releases will suffice.

Of course, RSA keynotes have always had their wacky absurdities. There was 2004, when we learned that there will be no more spam in two years, and that was called "silliness" even at the time.

More ominously, there was the year where scholars like Rivest and Shamir talked about coming invasions of privacy, and the product pitches to follow made the point that they weren't just ivory-tower hand-wringers.

But this year, Coviello implied that we should all just hang it up, because security is now owned by EMC and Microsoft. He also praised how there's "so much security" in Vista. Of course, last week CNet thought otherwise.

And as for Microsoft, they're jumping on OpenID, an identity management system that may be a huge boon for phishing. It's a good thing they solved spam and phishing last year, and can move on to this.

Posted by mordaxus on February 7, 2007 at 2:12 PM in Amusements, Security, conferences.

January 27, 2007

Speaking of Secret Events You're Not Invited To

(Posted by adam)
There's a blogger get together at the Foreign Cinema Wednesday night of RSA, 5PM - 8PM. We've been trying to coordinate via email, but I figured we should publicize our secret conference now.

Remember, this will be the most blogged event of RSA.

If you want in, blog about the event and trackback Martin McKeay.

Also covered in "Information Security Sell Out," who comments:

Wow, the bloggers are almost outnumbering the vendors. Perhaps next year RSA will have a separate conference for Bloggers and another for those that actually matter to security.
Navel, for gazing, courtesy of mezone, and unlikely to appear at the party.

Posted by adam on January 27, 2007 at 3:48 PM in blogging, conferences.

Secrecy is not Privacy

(Posted by adam)
So, I'm really irked by headlines like "Microsoft's 'Secret' Security Summit."
  • First, it wasn't Microsoft's summit. It was an ISOTF meeting that had public web pages. Microsoft provided conference facilities and lunch. I don't think we even bought the beer.
  • Second, it wasn't a secret. It has web pages: "Internet Security Operations and Intelligence II - a DA Workshop." Things with web pages are rarely secret.
  • Finally, it was a security summit, but hell, 50% is a rotten ratio for a headline.
So let me delve into the words "secrecy" and "privacy" just a little. The meeting was private: you had to know the secret handshake to get in. You had to agree not to talk about what was said. That's about privacy. It also includes some secrecy about what, precisely, was said. As I've said before, privacy is a good way to build trust. It allows people to speak openly, because they can rely on anyone who blogs about it not being invited back.

I'm speaking for myself here.

Posted by adam on January 27, 2007 at 1:39 PM in Privacy, conferences.