January 1, 2008

New breach blog

(Posted by adam)

Evan Francen is maintaining a breach blog with more structure and commentary than either PogoWasRight or Attrition.

As I looked at it, I had a couple of thoughts.

  1. The first is that he doesn't reference Attrition DLDOS numbers. (Then again, Pogo doesn't either.) I think this is a mistake. When we founded CVE, it was because there were lots of independently maintained data sets like this, and correlation had become a problem. It feels like this is the same sort of data, and so getting coordination around cross-referencing would be great.
  2. My second thought is that in posts like his "The Breach Blog Month in Review November, 2007," he attempts to derive cost information by taking the Ponemon Institute's $197 per-record figure and multiplying it by the number of people affected. I think it's possible to do better in several ways:
    • The numbers are broken out in the reports, and some of them are per-individual while others are per-breach. People deriving numbers should use the detailed information that the Institute offers rather than the headline figure.
    • There's also the cost of lost business. Of the 5 organizations reporting a second (or later) breach, 4 were governments or government agencies: HMRC, Montana State University, the US Department of Veterans Affairs, and the Commonwealth of Massachusetts. It's quite difficult for someone to stop interacting with HMRC or Massachusetts. It's not possible to lose veteran status. It may be possible to get Montana State to destroy all personal data about you, but I doubt it. The fifth, Capital Health, is likely the only health care option, or one of a very few, available to its customers. Given that the 2007 Ponemon report states:
      The cost of lost business continued to increase at more than 30 percent, averaging $4.1 million or $128 per record compromised. Lost business now accounts for 65 percent of data breach cost
      For those organizations, the per-record cost of a breach could justifiably be counted as no more than $69. ($197-$128=$69)
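As an added illustration of the second point (example code written for this page, not Francen's or the Ponemon Institute's), here is a small Python estimator that keeps the $197 headline figure and its $128 lost-business component separate, drops lost business for organizations whose customers cannot realistically leave, and takes any per-breach fixed cost as a separate parameter. The two sample breaches, their record counts, and the per-breach parameter are constructed assumptions; the post gives no numbers for them.

```python
"""Added example (not from the original post): a breach-cost estimator that
separates the per-record components of the Ponemon 2007 headline figure
instead of multiplying $197 by the record count.

Figures taken from the post: $197 total cost per record, of which $128 is
lost business. The per-breach fixed cost parameter and the sample breaches
below are constructed for illustration only."""

from dataclasses import dataclass

TOTAL_PER_RECORD = 197.0          # Ponemon 2007 headline, USD per record
LOST_BUSINESS_PER_RECORD = 128.0  # lost-business component, USD per record
DIRECT_PER_RECORD = TOTAL_PER_RECORD - LOST_BUSINESS_PER_RECORD  # 69.0


@dataclass(frozen=True)
class Breach:
    org: str
    records: int
    # True when customers cannot realistically take their business elsewhere
    # (a tax authority, a veterans' agency, the only hospital in the area).
    captive_customers: bool


def naive_cost(b: Breach) -> float:
    """The month-in-review method: headline per-record figure times record count."""
    return TOTAL_PER_RECORD * b.records


def adjusted_cost(b: Breach, fixed_per_breach: float = 0.0) -> float:
    """Direct per-record cost, plus lost business only where customers can
    actually leave, plus whatever per-breach (fixed) cost the detailed report
    breaks out. fixed_per_breach is an assumed parameter; the post gives no value."""
    per_record = DIRECT_PER_RECORD
    if not b.captive_customers:
        per_record += LOST_BUSINESS_PER_RECORD
    return per_record * b.records + fixed_per_breach


def compare(breaches, fixed_per_breach: float = 0.0) -> dict:
    """Map org name -> (naive estimate, adjusted estimate)."""
    return {b.org: (naive_cost(b), adjusted_cost(b, fixed_per_breach)) for b in breaches}


# Constructed sample input: same record count, different ability to lose customers.
SAMPLE = [
    Breach("tax authority", 25_000, captive_customers=True),
    Breach("online retailer", 25_000, captive_customers=False),
]

if __name__ == "__main__":
    for org, (naive, adjusted) in compare(SAMPLE).items():
        print(f"{org:16s} naive=${naive:,.0f}  adjusted=${adjusted:,.0f}")
```

For the captive-customer organization the adjusted figure is the $69-per-record direct cost only; for the retailer it matches the naive estimate, because there the lost-business component is a real exposure. The same structure lets you plug in the per-breach line items the detailed report gives instead of folding everything into one per-record number.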
Anyway, it's great for a wide spectrum of breach analysis to emerge. That chaos and competition will lead to better analysis and better security for us all.

Image: "The Breaking Dam," by ReubenInStt

Posted by adam on January 1, 2008 at 5:50 PM in New Blogs, breach analysis.

December 27, 2007

"Security Vulnerability Research & Defense"

(Posted by adam)
My co-workers in SWI have a new blog up, "Security Vulnerability Research & Defense." They're planning to...well, I'll let them speak for themselves:
...share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities...

The two posts below are examples of the type of information we’ll be posting. We expect to post every “patch Tuesday” with technical information about the vulnerabilities being fixed. During our vulnerability research, we discover a lot of interesting technical information. We’re going to share as much of that information as possible here because we believe that helping you understand vulnerabilities, workarounds, and mitigations will help you more effectively secure your organization.

I'm excited. I see the good work that the team does in understanding vulnerabilities, and I'm glad that we're sharing more of it.

Posted by adam on December 27, 2007 at 9:33 PM in New Blogs.

April 26, 2007

Announcing...The Security Development Lifecycle Blog

(Posted by adam)
My team at work announced the launch of "The Security Development Lifecycle" blog today. After the intro post, Michael Howard leads off with "Lessons Learned from the Animated Cursor Security Bug."

I'm pretty excited. We're focused on transparency around what we're learning as we continue to develop the SDL.

Posted by adam on April 26, 2007 at 10:50 PM in New Blogs, Privacy, Security.

November 1, 2006

How to Treat Customers

(Posted by adam)
My friend Austin Hill has a new blog, Billions With Zero Knowledge. He's got a really good post up "Crowdsourcing or Community Production - An Interview with Hugh McGuire from Librivox."

What's most interesting to me is how new companies are trying to tap into customer enthusiasm to build not only value for their customers, but a community. The companies that really succeed at building a community will find it a double-edged sword: their communities will be their biggest asset, and the hardest thing to change. At the same time, it's done great things for companies like Flickr, and it's a welcome change to be treated as a person, rather than as a monetizable eyeball.

Posted by adam on November 1, 2006 at 12:34 PM in New Blogs, startups.

August 30, 2006

Blog finds

(Posted by cwalsh)
I've come across some blogs I find interesting. Maybe others will, too.
  1. Statistical Modeling, Causal Inference, and Social Science
  2. Weblog of a Syrian Diplomat in America
  3. Decision Science News
  4. Social Science Data and Software (SSDS) Blog
  5. SecuritySauce (Marty "Snort" Roesch's blog)

Plus, a special bonus non-blog: UCSB's Cylinder Preservation and Digitization Project

Posted by cwalsh on August 30, 2006 at 12:27 AM in New Blogs.

July 15, 2006

In every dream home, a heartache

(Posted by cwalsh)

Barry Ritholz, an NYC hedge fund manager, blogs about a WSJ story. The gist:

On Sept. 21, 2001, rescuers dug through the smoldering remains of the World Trade Center. Across town, families buried two firefighters found a week earlier. At Fort Drum, on the edge of New York's Adirondacks, soldiers readied for deployment halfway across the world.

Boards of directors of scores of American companies were also busy that day. They handed out millions of bargain-priced stock options to their top executives.

[...]

A review of Standard & Poor's ExecuComp data for 1,800 leading companies indicates that from Sept. 17, 2001, through the end of the month, 511 top executives at 186 of these companies got stock-option grants. The number who received grants was 2.6 times as many as in the same stretch of September in 2000, and more than twice as many as in the like period in any other year between 1999 and 2003.

WSJ, 7/15/2006

I find myself surprised at the instinctive greed this story reveals to us. As Mr. Ritholz says:

What makes this so pathetic is that corporate executives could have stepped up AND BOUGHT STOCKS IN THE OPEN MARKET if they believed they were so cheap. It would have been reassuring to a nation to see the leaders of industry voting with their own dollars.

[...]

In 1929, when the stock market crashed, JP Morgan (and others) stepped in. They bought stock with their own dollars, they saved Wall Street. Oh, and they were rewarded for it -- both monetarily, and in the history books.

Amen.

As an aside, Ritholz's two blogs are worth a few minutes.

Posted by cwalsh on July 15, 2006 at 6:37 PM in Current Events, New Blogs, Terrorism.

April 9, 2006

Metasploit blogging

(Posted by adam)
"Official blog of the Metasploit Project." Either you know who Metasploit is, in which case you've already clicked through, or you're unlikely to understand their subject matter.

PS to Vinnie: Where's the Smallpox-making post?

Posted by adam on April 9, 2006 at 11:17 AM in New Blogs.

April 8, 2006

"Security To The Core"

(Posted by adam)
In a post with the self-evidently wrong title "Blog Posts Do Not Include The Words 'dizzying array of talent,'" Tom Ptacek points out that Arbor Networks has a blog. Jose Nazario's "The Market-Driven (Vulnerability) Economy" post is pretty good.

However, I think we need video of Dug Song reading this text, which in "News Flash: Arbor Networks Joins the Security “Blogosphere,”" is attributed to him:

Our holistic approach to network security reflects the dizzying array of talent represented here, with backgrounds ranging from biochemistry to Internet infrastructure research, network processing hardware to mission-critical network operations. In the coming months, we hope you will be entertained, pleasantly surprised and maybe even enlightened by what we have to share. It is just another way for us to give a little back to the community.
In fact, I want video of Dug walking into a room, sitting down, and then reading that text, because I don't think he could do it without giggling. I know I couldn't.

Posted by adam on April 8, 2006 at 7:08 AM in New Blogs.

February 13, 2006

Risk aggregation and the living dead

(Posted by cwalsh)

Light blue touchpaper is a new web log written by researchers in the Security Group at the University of Cambridge Computer Laboratory. You should read it.

As for the headline, zombies eat brains. There's plenty of 'em [edited to add: brains, that is!!] in close proximity in Ross Anderson's group. 'nuff said.

Posted by cwalsh on February 13, 2006 at 11:43 AM in New Blogs.

December 3, 2005

Nick Szabo Blogging

(Posted by adam)
Nick is a premier thinker about history, law and economics, and the lessons they have for security. Take this brief sample from "Origins of the joint-stock corporation:"
The modern joint-stock corporation has many sources in medieval Europe. First among these was corporate law itself. Although the era is commonly referred to as "feudalism," for the hierarchy of individually owned "fiefs" of land and control of serfs as fixtures of that land, large amounts of wealth in Europe were actually controlled by corporate entities. Chief among these were church lands, the corporate entities being dioceses, religious orders and the Roman Church itself. These entities controlled a substantial fraction of the land in Western Europe. Furthermore cities (with varying degrees of political independence), merchant guilds, craft guilds, and many charitable entities (such as hospitals) were legal "corporations," i.e. artificial and perpetual legal persons under law. Some basic issues in corporate law (for example, when are officers individually liable for acts of the corporation, and when the corporation is liable for acts of its agents) had already been solved in canon law and urban law long before the joint-stock corporation.

Posted by adam on December 3, 2005 at 10:52 AM in Economics, New Blogs, Science.

November 18, 2005

Wilcox Memorial Hospital (Kauai), 120,000 SSNs+ Medical Records, misplaced computer disk

(Posted by adam)
Last month, Wilcox Memorial Hospital in Kauai had to inform 120,000 past and present patients that their private information had been misplaced. Their names, addresses, Social Security numbers, even medical record numbers had been placed on one of those tiny USB flash drives -- and now, according to a letter sent home, the drive was missing.

From "Help! I left my identity in the backseat of a taxi," by Bob Sullivan. Bob has done a fantastic job of covering these stories since he broke the Choicepoint story on Feb 14th ("Database giant gives access to fake firms"), and caused me to have both a breaches and a Choicepoint category. But I'd missed that he'd set up a blog, at The Red Tape Chronicles.

Thanks to Bryan Fordham for the pointers.

Posted by adam on November 18, 2005 at 12:59 PM in New Blogs, breaches.

November 3, 2005

Introducing Arthur

(Posted by adam)
I'd like to introduce Arthur, our newest guest. I was going to say Arthur is not his real name, but that would be a lie. It is his real name for purposes of this blog. It might, however, not be what his wife calls him. ("Sweetie.")

Arthur is, however, the chief information security officer for a billion dollar company. (That relates slightly to his use of a nickname.) We'd like to be clear that what he says here are not the opinions of his employer.

Posted by adam on November 3, 2005 at 6:40 PM in New Blogs.

October 29, 2005

The Importance of Attitude

(Posted by adam)
Tom Peters has a blog, and in "The Days of Our Lives," writes about the importance of being present for your customers, not for yourself. I really like his blog. It has a good mix of hubris and humility:
This may be day 45 and mile 76,000 for me, but for the Client it is D-Day for an Important Event (often their year's #1 event, for God's sake); hence my exhaustion and accompanying short temper must be thrust aside ... and downright cheeriness and spirited engagement must become the invariant orders of the day. Besides, such cheeriness, even if feigned, cheers me up first and foremost!
(Via Paul Kedrosky's Infectious Greed.)

Posted by adam on October 29, 2005 at 12:17 PM in New Blogs.

October 27, 2005

Flogging The Simian Is Back

(Posted by adam)
In "A Life, Observed," I mentioned that I'd been enjoying "Flogging The Simian," and that she'd left due to privacy issues. Well, she's back, and so are her "PDBs," her summaries of what's interesting: "I read approximately 50 newspapers every morning and report what I find there, with an emphasis on foreign or international events." I usually find stuff I'd otherwise miss.

Posted by adam on October 27, 2005 at 9:28 AM in New Blogs.

October 25, 2005

Delicious Offload

(Posted by adam)
I've set up a Delicious feed for stuff that I want to point to, but don't have either anything to add, or time to add it. I feel sort of bad doing this; I'd like to discuss John Gilmore on the New York Times, but all I have to say is bravo!

Posted by adam on October 25, 2005 at 3:10 PM in New Blogs.

October 20, 2005

Interesting Tidbits (Adam)

(Posted by adam)

  • John Gruber has an interesting article on the economics of being a one-man software shop, "The Life." He uses the case of Brent Simmons and NetNewsWire to shed light on why the life of a small software development shop is so hard.
  • Jeff Veen of Adaptive Path has announced "MeasureMap," a new blog-focused log analysis program. I currently use AWStats, and it's not great for blogs. It doesn't help me see where links come from and go to, and it doesn't give me good indications of spikes, trends, or context. So I look forward to seeing MeasureMap.
  • Bruce Schneier pointed to a lovely story about a French fraudster with panache:
    During the final call he asked for the names of her six richest customers. When she revealed them, he said that one was involved in financing terrorism and was about to withdraw a large sum.

    Gilbert then demanded all the cash at the bank so he could mark the notes with microchips and keep track of the terrorist. A total of €358,000 was to be put in a briefcase and slipped under the door of a brasserie lavatory. The manager did as she was told. The money disappeared.

  • Tom Ptacek explains how Sarbox interacts with security vulnerability announcements in "Today's Contribution To 'Vulnerability Science.' "
  • Ian Grigg points out that Ben Laurie is blogging at Links.org. Ben is taking issue with Kim Cameron's "Laws of Identity." It should be interesting to watch.

Posted by adam on October 20, 2005 at 9:51 AM in ID Management, New Blogs.

October 7, 2005

Concurring Opinions Has a Privacy Policy

(Posted by adam)

Daniel Solove and company have launched a new blog, "Concurring Opinions." Today, they posted their privacy policy.

I think they'll be sued shortly by Experian, for copyright infringement.

Posted by adam on October 7, 2005 at 10:33 AM in New Blogs.

August 24, 2005

Small Bits: Alex Haislip, Chinese Censorship, TSA Xrays

(Posted by adam)

  • Alex Haislip is blogging up a storm at VC Action. I love journalist bloggers; there's so much interesting backstory that they talk about. And working at Red Herring, Alex has more dirt than he could dish and stay in business. ;)
  • Curt Hopkins points to a fascinating story about the folks who run the great firewall of China, translated from Chinese. I was going to comment on it, but Rebecca MacKinnon comes along and says not only what I was thinking, but a whole lot more, and more insightfully:
    But as with many Chinese news stories, the conclusion is less interesting than the debate raging within the body of the article. And what the article reveals is that there is a lot of pushing back and forth amongst the various players when it comes to the future of Chinese cyberspace. Internet entrepreneurs like the CEO of Bokee.com Fang Xingdong come out against proposals that Chinese internet users must register their real identities at all times. The internet portal sites conducted surveys showing that their customers (not surprisingly) favor online anonymity...
  • Bruce Schneier points to new research that may obviate any justification for the TSA to look through your clothes:
    Here's a piece of interesting research out of Ohio State: it's a passive sensor that could be cheaper, better, and less intrusive than technologies like backscatter X-rays:

    "Unlike X-ray machines or radar instruments, the sensor doesn't have to generate a signal to detect objects; it spots them based on how brightly they reflect the natural radiation that is all around us every day."

    "It's basically just a really bad tunnel diode," he explained. "I thought, heck, we can make a bad diode! We made lots of them back when we were figuring out how to make good ones."

Posted by adam on August 24, 2005 at 5:07 PM in Air Travel, Liberty, New Blogs, Privacy, Science.

August 21, 2005

Demand Your Records

(Posted by adam)

In her "On the Record" blog, Ann Harrison (Hi Ann!) covers how to use the privacy act to request the records TSA collected, illegally, on millions of innocent people.

Incidentally, Arthur Anderson was shut down for destroying data like this.

Posted by adam on August 21, 2005 at 12:51 PM in Air Travel, New Blogs.

August 9, 2005

New Blog Pointers

(Posted by adam)

Frequent commenter Allan Friedman has started Geek/Wonk. In "Speaking of duct tape," he links to an interesting essay Duct Tape Risk Communication.

And Mario's comments on Tor vs the Freedom Network are interesting:

Interestingly, the usability issues are _exactly_ the same as they were ~5 years ago! It's sometimes s-l-o-w!

While I agree with this, I think there's an interesting twist: Tor, having no visible user interface, is less likely to become associated with slowness. The Freedom client, in contrast, told you it was doing stuff, and, in hindsight, I think this may have been a problem.

(PS: Mario, you need an RSS feed.)

Posted by adam on August 9, 2005 at 5:14 PM in New Blogs, Privacy.