<?xml version="1.0" encoding="utf-8"?>

<rdf:RDF
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
  xmlns:admin="http://webns.net/mvcb/"
  xmlns:cc="http://web.resource.org/cc/"
  xmlns="http://purl.org/rss/1.0/">

<channel rdf:about="http://www.emergentchaos.com/">
<title>Emergent Chaos</title>
<link>http://www.emergentchaos.com/</link>
<description>The Emergent Chaos Jazz Combo of the Blogosphere</description>
<dc:language>en-us</dc:language>
<dc:creator></dc:creator>
<dc:date>2008-05-12T11:13:11-05:00</dc:date>
<admin:generatorAgent rdf:resource="http://www.movabletype.org/?v=3.33" />
<cc:license rdf:resource="http://creativecommons.org/licenses/by-nc/2.5/" />


<items>
<rdf:Seq><rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/05/jack_jones_on_risk_manage.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/05/call_me_crazy.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/05/credit_bureaus_and_outsou.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/05/security_cameras_function.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/05/hiring_fraudsters.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/05/spending_to_protect_asset.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/05/a_question_of_ethics.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/05/fasilyce_upon_reading.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/05/brightening_up_the_day_fr.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/05/italy_posts_tax_return_da.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/04/quantum_debate.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/04/bushs_law_less_safe_less.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/04/everybody_run_crispins_go.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/04/quantum_uncertainty.html" />
<rdf:li rdf:resource="http://www.emergentchaos.com/archives/2008/04/the_messenger_is_the_mess.html" />
</rdf:Seq>
</items>

</channel>

<item rdf:about="http://www.emergentchaos.com/archives/2008/05/jack_jones_on_risk_manage.html">
<title>Jack Jones on Risk Management</title>
<link>http://www.emergentchaos.com/archives/2008/05/jack_jones_on_risk_manage.html</link>
<description><![CDATA[<img src="http://www.emergentchaos.com//images/08/may/jack-jones.jpg" alt="jack-jones.jpg" border="0" width="486" height="395" align="right" />
<p>
I really enjoyed watching the podcast version of a talk that Jack Jones gave at Purdue, "<a href="http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=7j9nqk3f9ul97q6ijqg0r0j908@google.com">Shifting focus: Aligning security with risk management</a>."
<p>
I liked the opener, about what it's like for executives to talk to security professionals, and <a href="http://riskmanagementinsight.com/riskanalysis/?p=350">the difference between what might happen and what's likely to happen</a>.  The screenshot is from a discussion of how to play Russian Roulette.<p>
I also like the way he critiqued best practices (you'll have to watch).  It's a little hard for me to assess his risk management methodology from a podcast, but it's a very worthwhile 45 minutes.
<p>
(Now if only he had some Kandinsky in there, I'd have no doubt that the <a href="http://riskmanagementinsight.com">Risk Management Insight</a> <strike>Institute</strike>, which Jack heads, is part of what we call the "New School.")
<p>
]]></description>
<dc:subject>information security</dc:subject>
<dc:creator>adam</dc:creator>
<dc:date>2008-05-12T11:13:11-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/05/call_me_crazy.html">
<title>Call me crazy?</title>
<link>http://www.emergentchaos.com/archives/2008/05/call_me_crazy.html</link>
<description><![CDATA[There's an article in the New York Times, "<a href="http://www.nytimes.com/2008/05/11/fashion/11madpride.html?_r=1&oref=slogin">&lsquo;Mad Pride&rsquo; Fights a Stigma</a>"
<blockquote>
&ldquo;It used to be you were labeled with your diagnosis and that was it; you were marginalized,&rdquo; said Molly Sprengelmeyer, an organizer for the Asheville Radical Mental Health Collective, a mad pride group in North Carolina. &ldquo;If people found out, it was a death sentence, professionally and socially.&rdquo;
<p>
She added, &ldquo;We are hoping to change all that by talking.&rdquo;
<p>
...<br>
Participants write and distribute publications, stage community talks, <strong>trade strategies for staying well</strong> and often share duties like cooking or shopping.<p>
...<br>
Many psychiatrists now recognize that patients&rsquo; candid discussions of their experiences can help their recoveries. &ldquo;<strong>Problems are created when people don&rsquo;t talk to each other</strong>,&rdquo; said Dr. Robert W. Buchanan, the chief of the Outpatient Research Program at the Maryland Psychiatric Research Center. &ldquo;It&rsquo;s critical to have an open conversation.&rdquo;
</blockquote>
Call me crazy, but I think these folks might be onto something.  Learning about coping strategies from one another?  Testing what works and what doesn't, and reporting on it? Maybe "we were broken into" isn't the most embarrassing thing you can say in public.
<p>]]></description>
<dc:subject>breach analysis</dc:subject>
<dc:creator>adam</dc:creator>
<dc:date>2008-05-10T14:01:42-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/05/credit_bureaus_and_outsou.html">
<title>Credit Bureaus and Outsourcing</title>
<link>http://www.emergentchaos.com/archives/2008/05/credit_bureaus_and_outsou.html</link>
<description><![CDATA[The "I've Been Mugged" blog has a great three part series on outsourcing by credit bureaus:
"<a href="http://ivebeenmugged.typepad.com/my_weblog/2008/05/is-it-wise-fo-1.html">Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1)</a>," "<a href="http://ivebeenmugged.typepad.com/my_weblog/2008/05/is-it-wise-for.html">part 2</a>" and "<a href="http://ivebeenmugged.typepad.com/my_weblog/2008/05/is-it-wise-fo-2.html">part 3</a>."
<p>
He digs deep into how extensively TransUnion outsources, and where.  I went looking, and was surprised to see that their <a href="http://www.transunion.com/corporate/privacyPolicy.page?">privacy policy</a> is at least honest.  They make no claim that they care about your privacy, nor any that they apply the highest standards of security to your information.
<p> ]]></description>
<dc:subject>background checks</dc:subject>
<dc:creator>adam</dc:creator>
<dc:date>2008-05-09T11:03:18-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/05/security_cameras_function.html">
<title>Security Cameras Functional</title>
<link>http://www.emergentchaos.com/archives/2008/05/security_cameras_function.html</link>
<description><![CDATA[<a href="http://www.flickr.com/photos/herschell/2412494935/in/pool-banksy"><img src="http://www.emergentchaos.com/images/OneNation.jpg" alt="OneNation.jpg" border="0" width="245" height="342" align="right" /></a>
<blockquote>
Use of CCTV images for court evidence has so far been very poor, according to Detective Chief Inspector Mick Neville, the officer in charge of the Metropolitan police unit. "CCTV was originally seen as a preventative measure," Neville told the Security Document World Conference in London. "Billions of pounds has been spent on kit, but no thought has gone into how the police are going to use the images and how they will be used in court. It's been an utter fiasco: only 3% of crimes were solved by CCTV. There's no fear of CCTV. Why don't people fear it? [They think] the cameras are not working."  (BBC, "<a href="http://news.bbc.co.uk/1/hi/uk/7384843.stm">CCTV boom 'failing to cut crime.'</a>")
</blockquote>
Blogosphere analysis: <a href="http://www.schneier.com/blog/archives/2008/05/londons_cameras_1.html">Schneier</a>, <a href="http://blog.privcom.gc.ca/index.php/2008/05/07/are-cctv-cameras-in-uk-a-&ldquo;fiasco&rdquo;/">Stoddart</a>. 
<p>
Our thought?  Their chocolate ration needs to be increased to 20 grammes.  Action this day.
<p>
Image credit: <a href="http://www.emergentchaos.com/archives/2008/04/one_nation_under_cctv.html">Emergent Chaos</a>]]></description>
<dc:subject>Privacy</dc:subject>
<dc:creator>adam</dc:creator>
<dc:date>2008-05-07T11:14:14-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/05/hiring_fraudsters.html">
<title>Hiring Fraudsters?</title>
<link>http://www.emergentchaos.com/archives/2008/05/hiring_fraudsters.html</link>
<description><![CDATA[<img src="http://www.emergentchaos.com//images/08-april/kerviel.jpg" alt="kerviel.jpg" border="0" width="376" height="263" align="right" /><blockquote>
PARIS &mdash; J&eacute;r&ocirc;me Kerviel, the Soci&eacute;t&eacute; G&eacute;n&eacute;rale trader who used his knowledge of the French bank&rsquo;s electronic risk controls to conceal billions in unauthorized bets, has a new job &mdash; at a computer consulting firm.
<p>
Mr. Kerviel, who was given a provisional release from prison on March 18, started work last week as a trainee at Lemaire Consultants & Associates, which specializes in computer security and system development, a spokesman for the former trader, Christophe Reille, confirmed on Friday. ("<a href="http://www.nytimes.com/2008/04/25/business/worldbusiness/25cnd-socgen.html"> After Trading Scandal, Banker Gets I.T. Job</a>," The New York Times.)
</blockquote>
First let me say that I'm fond of the phrase "paid his debt to society."  It's out of fashion, but it used to mean that someone, after their sentence was carried out, was done.  That they ought to be allowed to get on with their lives.  I've <a href="http://www.emergentchaos.com/archives/2005/03/hank_asher.html">publicly commented</a> on <a href="http://www.abagnale.com/aboutfrank.htm">Frank Abagnale</a> being in this class.
<p>
Kerviel clearly understands how to get around IT controls.  I expect that there's a great deal which he might be able to teach people about what's important in security design, and some about what isn't.  (His ability to generalize his approach hasn't been tested yet.)
<p>
At the same time, he hasn't yet been tried for his actions.  What would be the right framework for making a hiring decision like this?
<p>
Photo: REUTERS/Benoit Tessier]]></description>
<dc:subject>background checks</dc:subject>
<dc:creator>adam</dc:creator>
<dc:date>2008-05-05T11:00:22-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/05/spending_to_protect_asset.html">
<title>Spending to Protect Assets</title>
<link>http://www.emergentchaos.com/archives/2008/05/spending_to_protect_asset.html</link>
<description><![CDATA[<img src="http://www.emergentchaos.com//images/08/may/smartbike.jpg" alt="smartbike.jpg" border="0" width="320" height="320" align="right" />There's a story in the New York Times about a bike rental program in Washington DC.  It's targeted at residents, not tourists, and has a subscription-based model.
<blockquote>
Improved technology allows programs to better protect bicycles. In Washington, <a href="http://smartbikedc.com/program_information.asp">SmartBike</a> subscribers who keep bicycles longer than the three-hour maximum will receive demerits and could eventually lose renting privileges. Bicycles gone for more than 48 hours will be deemed lost, with the last user charged a $200 replacement fee.
<p>
That technology comes with a price, which is one reason cities and advertisers started joining forces to offer bike-sharing. The European programs would cost cities about $4,500 per bike if sponsors did not step in, Mr. DeMaio said.  "<a href="http://www.nytimes.com/2008/04/27/us/27bikes.html">Bicycle-Sharing Program to Be First of Kind in U.S.</a>"
</blockquote>
$4,500 is 22.5 bikes at the $200 replacement price.  Put another way, the roughly $500,000 being spent could buy 2,500 bikes, rather than the 120 they're buying.  That would require a lot more space if you bought them all at once, but you might just buy them as bikes are stolen.  Looking at it another way, if you took the $500,000 being spent on technology and invested it at 5%, you would make $25,000 per year, enough to completely replace the 120-bike fleet annually.
<P>
This is (obviously) an incomplete analysis.  But the cost of protection jumped out at me.  Maybe it's typical for how people in Washington think about asset protection.
<p>]]></description>
<dc:subject>Economics</dc:subject>
<dc:creator>adam</dc:creator>
<dc:date>2008-05-04T13:02:18-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/05/a_question_of_ethics.html">
<title>A question of ethics</title>
<link>http://www.emergentchaos.com/archives/2008/05/a_question_of_ethics.html</link>
<description>Various estimates have been made regarding the quantity of personal identifying information which has been exposed by various mechanisms.  Obviously, though, we only know about what we can see, so seeing more would make such estimates better.

One way to see more would be to look in more places, for example on peer-to-peer file sharing networks.  

So here&apos;s the question:  would it be ethical (and if so, under what conditions) to deliberately seek out files containing PII as made available via P2P networks, in order to better understand the extent to which such information is exposed, and how?  

I have an opinion on this question, but I&apos;m very interested in what others think.</description>
<dc:subject>breach analysis</dc:subject>
<dc:creator>cwalsh</dc:creator>
<dc:date>2008-05-03T18:58:39-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/05/fasilyce_upon_reading.html">
<title>Fasilyce, upon Reading</title>
<link>http://www.emergentchaos.com/archives/2008/05/fasilyce_upon_reading.html</link>
<description><![CDATA[<a href="http://www.iain-banks.net/">Dear Mr. Banks</a>,
<p>
Much as I enjoy your work, it is entirely dis-congruous to your readers to <a href="http://www.iain-banks.net/science-fiction/matter/">insert words</a> known to neither the Oxford English Dictionary nor the internet (as indexed <a href="http://www.google.com/search?q=fasilyce&hl=en&rls=en&start=0&sa=N&filter=0">here</a>, <a href="http://search.live.com/results.aspx?q=Fasilyce&go=Search&mkt=en-us&scope=&FORM=">here</a> or <a href="http://search.yahoo.com/search?ei=UTF-8&p=fasilyce&fr=yfp&dups=1">here</a>) whose meanings are not rapidly comprehensible. 
<p>
Thank you for your future attention to this matter.
<p>
I remain, etc, etc.
<p>]]></description>
<dc:subject>books</dc:subject>
<dc:creator>adam</dc:creator>
<dc:date>2008-05-03T13:39:26-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/05/brightening_up_the_day_fr.html">
<title>Brightening up the day from an unexpected place</title>
<link>http://www.emergentchaos.com/archives/2008/05/brightening_up_the_day_fr.html</link>
<description><![CDATA[<img src="http://www.emergentchaos.com/images/08-may/ruby-on-trains.jpg" alt="ruby-on-trains.jpg" border="0" width="332" height="261" align="right" /><p>I would estimate that 2/3 of the calls I get are from people trying to sell me things I neither need nor want. Of those, over half are outsourcing services. Of the remainder, recruiters are over half.

<p>There are also people who call me for their services once a week. There's one particular outsourcing firm whose name is burned into my brain because of the number of times I've been subjected to it. I don't know how to spell their name, but I can sure pronounce it. There's also a recruiting firm that I know well, too. Each of these people I have asked to take me off their list,  asked to talk to supervisors, talked to supervisors, yelled at them, ranted at them, and finally sworn at them, and yet I still get my weekly call.

<p>As I was doing office stuff a few moments ago, I played a voicemail, and it was from my friends at Hadron Infotech, letting me know about their services just in case I have (a) developed a need I didn't have last week and (b) forgot their name. (One of my rants included telling them that when I do need such services, they will be the last people I call and sadly for them, I have no trouble remembering their name.)

<p>Since I was doing office stuff, I let the message drone on, and got the litany of things they can do for me including, Java, Jay-mumble-E, Dot-Net, Pee-Haitch-Pee, AJAX, Perl, Ruby on Trains, updating your web site, ....

<p>Wait a minute. Did he say what I thought he said? Ruby on <em>what</em>? I ran over to my computer, backed up the player, and ... Yes! Ruby on <em><a href="http://www.michigan.org/Places-to-Go/Getting-There/Trains/Default.aspx?city=G3503&page=2">Trains</a></em>! How delightful!

<p>I'm still laughing. I hope you are, too. Maybe I'll get another laugh next week.

<p>Photo "<a href="http://www.flickr.com/photos/82971819@N00/1336689684/">Ruby on Train</a>" by <a href="http://www.flickr.com/photos/82971819@N00/">theresa_l_reed</a>.]]></description>
<dc:subject>Amusements</dc:subject>
<dc:creator>mordaxus</dc:creator>
<dc:date>2008-05-01T19:29:30-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/05/italy_posts_tax_return_da.html">
<title>Italy Posts Tax Return Data on Official Website</title>
<link>http://www.emergentchaos.com/archives/2008/05/italy_posts_tax_return_da.html</link>
<description><![CDATA[<blockquote>
How much do you make? How surprised would you be to learn that your magic number had been posted on the Internet by the government? And that it was not by mistake, as in other recent breaches of privacy.
</blockquote>
<a href="http://thelede.blogs.nytimes.com/2008/05/01/how-much-do-you-make-the-nation-already-knows/?hp">How Much Do You Make? The Nation Already Knows</a>.  The data <a href="http://marketplace.publicradio.org/display/web/2008/05/01/italian_taxes_online">has already been removed</a> from easy web access at the official site.  <a href="http://www.bloomberg.com/apps/news?pid=20601085&sid=axov0lz3zSIU&refer=europe">Bloomberg's report</a> indicates that it wasn't simply posted to the web, but offered up as spreadsheets:
<blockquote>
A ministry Web site was bombarded by Italians curious to see what their neighbors or favorite actors declared as income, making it often impossible later in the day to download spreadsheets with the name, date of birth, total income and amount each taxpayer paid.
</blockquote> 
<p>
If anyone knows where the mirrors are, please share.
<P>
I ask not out of prurient interest, but because it's not so easy as taking data off the website.
<p>]]></description>
<dc:subject>breach analysis</dc:subject>
<dc:creator>adam</dc:creator>
<dc:date>2008-05-01T12:14:58-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/04/quantum_debate.html">
<title>Quantum Debate</title>
<link>http://www.emergentchaos.com/archives/2008/04/quantum_debate.html</link>
<description><![CDATA[<p>The debate about Shor's Algorithm (<a href="http://www.emergentchaos.com/archives/2008/04/quantum_uncertainty.html">which I blogged about a couple days ago) </a>continues. <a href="http://rdvlivefromtokyo.blogspot.com/">Rod Van Meter</a> has a good blog post about it <a href="http://rdvlivefromtokyo.blogspot.com/2008/04/shors-algorithm-in-danger.html">here</a>.

<p>While there are plenty of people who have just wholesale dismissed the Hill/Viamontes paper outright, apparently because they know Shor's algorithm works and that building a working quantum computer is obviously merely a matter of making some qubits, Van Meter is more to my thinking about the whole thing. 

<blockquote>
<p>I have read it, but not studied it in major detail yet. I don't know either of the authors personally, but the second author has done good work; he is certainly no dummy.

<p>The argument is pretty straightforward, arguably naive. That doesn't mean it's wrong, but there are a lot of assumptions and simplifications in the work, and they need to be examined carefully.
</blockquote>

<p>He also says:

<blockquote><p>Anyway, I hope this at least short-circuits any rush to burn Peter Shor in effigy. He's way too smart and sweet for that.</blockquote>

<p>Here's where I think I need to rant a bit. I'm certainly not calling for anyone to be burned in effigy or reality. I can't testify to how sweet Peter Shor is, but I agree that he's brilliant and I admire him.

<p>However, Leibniz was also smart and worked in the forefront of calculation as well. His calculator had issues with propagating carry with two-digit or three-digit multipliers. That doesn't make Leibniz any less brilliant or his achievements any less.

<p>Peter Shor is brilliant, and his algorithms are marvelous works. If no one implements them, for whatever reasons, they won't be any less marvelous, and he won't be any less brilliant.

<p>And for that matter, Hill and Viamontes may turn out to be wrong, too. Or they may inspire someone to a tweak that makes Shor's algorithm work (or work better).

<p>The present spectator sport is how science works. It's what makes it exciting.]]></description>
<dc:subject>Science</dc:subject>
<dc:creator>mordaxus</dc:creator>
<dc:date>2008-04-30T19:40:21-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/04/bushs_law_less_safe_less.html">
<title>Bush&apos;s Law -- Less Safe, Less Free</title>
<link>http://www.emergentchaos.com/archives/2008/04/bushs_law_less_safe_less.html</link>
<description><![CDATA[

<a href="http://www.amazon.com/gp/product/037542492X?ie=UTF8&tag=httpwwwemer04-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=037542492X"><img src="http://www.emergentchaos.com//images/08-april/bushs-law.jpg" alt="bushs-law.jpg" border="0" width="237" height="332" align="right" /></a>

<a href="http://www.amazon.com/gp/product/1595581332?ie=UTF8&tag=httpwwwemer04-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=1595581332"><img src="http://www.emergentchaos.com//images/08-april/less-safe-less-free.jpg" alt="less-safe-less-free.jpg" border="0" width="233" height="332" align="right" /></a>

I'd like to review two recent books on the war on terror: "<a href="http://www.amazon.com/gp/product/037542492X?ie=UTF8&tag=httpwwwemer04-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=037542492X">Bush's Law: The Remaking of American Justice</a>" by Eric Lichtblau, and "<a href="http://www.amazon.com/gp/product/1595581332?ie=UTF8&tag=httpwwwemer04-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=1595581332">Less Safe, Less Free: Why America Is Losing the War on Terror</a>" by David Cole and Jules Lobel.  Both are well-written assaults on the way in which the Bush administration is conducting itself, although each takes a tack aligned with the author's background and history.  Lichtblau is a reporter, currently for the New York Times, and Cole and Lobel are law professors.
<p>
<em>Bush's Law</em> is an extended view into some of the major stories that Lichtblau has covered.  Included are the NSA's warrantless wiretapping, the SWIFT following of the money, and the Comey/Ashcroft hospital story.  Even as someone who follows these stories fairly closely, I still learned quite a bit: some new, some not previously reported, and all better organized and more readable than in the newspaper.  The theme that emerges from <em>Bush's Law</em> is one of secrecy, and the conflict which a free society faces when repeatedly begged to `trust us' by an administration which seems not to understand how its actions undermine trust.
<p>
The undermining of trust is also a major theme of <em>Less Safe, Less Free</em>.  Before getting into the meat of the book, let me say that this is law professor writing at its best.  It's clear and compelling, and the notes are at the end.  They lay out a strong case that the Bush administration's concept of how to engage with the world is, at its core, preventative rather than reactive.  In theory, this seems like a great plan.  In practice Cole and Lobel show how it inevitably undermines the concepts of justice on which our society is founded, as well as our reputation with the rest of the world.  That is, it is not merely a practical failure, it was inevitably going to be a practical failure.  Predictions are hard, especially about the future.  Reasonable people may disagree on the reasonableness of a preventative action.  The difficulty of reaching proof "beyond a reasonable doubt" about what would have happened undermines the legitimacy of claims about the future.
<p>
The essence of their argument is that prevention, be it preventative war, such as in Iraq, or preventative law enforcement, such as with the  justice, always requires the showing of evidence. You can't simply detain someone because they might in the future commit a crime. In a court, no single body acts as judge, jury and executioner.  Each party gets their day in court, with an opportunity to examine the evidence against them.  These things are impossible in the preventative paradigm.  Not only are <em>sources and methods</em> secret (sometimes with good reason), but the evidence is often lacking.  In the case of war, the court is that of public opinion in many places.  They also show a plethora of historical cases where preventative war went horribly wrong, and relate preventative war to a set of regimes with which no reasonable person wants to be associated.
<p>
The core reason which we demand that justice be reactive, or, at its fastest, at the instant of a crime, is that we rightfully fear the powers we invest in our government.  It is a mighty and fearsome machine which can crush anything in its path.  When it is allowed to do so, we are all less safe, and less free.
<p>
Two asides: I paid for both books, and I love the endnote styling of page number, excerpt, note used in <em>Bush's Law</em>.]]></description>
<dc:subject>books</dc:subject>
<dc:creator>adam</dc:creator>
<dc:date>2008-04-30T01:10:12-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/04/everybody_run_crispins_go.html">
<title>Everybody Run, Crispin&apos;s Got a Blog</title>
<link>http://www.emergentchaos.com/archives/2008/04/everybody_run_crispins_go.html</link>
<description><![CDATA[My buddy, collaborator and co-worker <a href="http://crispincowan.com/">Crispin Cowan</a> has started a blog.  The first post is "<a href="http://blogs.msdn.com/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx">Security Is Simple: Only Use Perfect Software</a>."
<p>
[Update: Added a link to Crispin's home page, because some readers apparently have trouble with a search engine.]
<p>]]></description>
<dc:subject>blogging</dc:subject>
<dc:creator>adam</dc:creator>
<dc:date>2008-04-29T22:25:30-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/04/quantum_uncertainty.html">
<title>Quantum Uncertainty</title>
<link>http://www.emergentchaos.com/archives/2008/04/quantum_uncertainty.html</link>
<description><![CDATA[<p>Technology Review has a pair of articles on <a href="http://www.dwavesys.com/">D-Wave</a>'s adiabatic quantum computer. Quantum pioneer Seth Lloyd writes in "<a href="http://www.technologyreview.com/Infotech/20590/page1/">Riding D-Wave</a>" about quantum computing in general, adiabatic quantum computing, and D-Wave's efforts to show that they've actually built a quantum computer.

<p>Linked to that is Scott Aaronson's article, "<a href="http://www.technologyreview.com/Infotech/20587/">Desultory D-Wave</a>," in which Lloyd's nail-biting is made a bit more plain. I hate giving away the punch line, but here's what Aaronson sums up with:

<p><blockquote> Let me be clear: I think that quantum computers are possible in principle, and that D-Wave's approach might even get us there. I've also met people from D&#8209;Wave; I don't think they're frauds. But the human capacity for self-deception being what it is, scientists train themselves to look for red flags--and D-Wave is pretty much a red-flag factory.</blockquote>

<p>Beyond that, there's a new paper that shows problems not in just one <em>implementation</em> of quantum computing, but about its very theoretical core. In "<a href="http://arxiv.org/pdf/0804.3076v1">Operator Imprecision and Scaling of Shor's Algorithm</a>," authors <a href="http://arxiv.org/find/quant-ph/1/au:+Hill_C/0/1/0/all/0/1">C. Ray Hill</a> and <a href="http://arxiv.org/find/quant-ph/1/au:+Viamontes_G/0/1/0/all/0/1">George F. Viamontes</a> claim that Shor's Algorithm doesn't work at an interesting scale. 

<p>The reason is that errors in the quantum Fourier transforms accumulate faster than quantum error correcting codes can get rid of them, particularly when factoring the sort of numbers that a sane person might use for a public key. Hill and Viamontes seem to think that it is not possible to factor a key much more than 256 bits in length. Most importantly of all, the errors accumulate linearly with the number of quantum operations, and the number of operations increases polynomially with the size of the integer. My peeks at the error rate graph lead me to guess that a hard limit is reached before you get to a 512-bit number, which is no longer considered interesting using conventional sieve methods.
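<p>What the QFT actually buys you is easier to see with the quantum step stripped out. The Python below is an added example, not code from this post or from the Hill/Viamontes paper: it is the classical skeleton of Shor's algorithm, with the order-finding step (the part that modular exponentiation feeding a QFT performs on a quantum computer) replaced by a brute-force search that is exponential in the bit length of N. Everything else in Shor's algorithm is the classical post-processing shown here. The moduli in the usage call are arbitrary small composites chosen for illustration.

```python
"""Classical skeleton of Shor's factoring algorithm.

Added example, not from the Emergent Chaos post or the Hill/Viamontes paper.
Shor's algorithm reduces factoring N to finding the multiplicative order r of
a base a modulo N.  The quantum part (modular exponentiation feeding a Quantum
Fourier Transform) is only the order-finding step; everything else is
classical and is shown here.  Here the order is found by brute force, which
takes up to N steps, i.e. exponential in the bit length of N.  That
exponential cost is exactly what the QFT is supposed to remove, and what the
paper argues operator imprecision puts back.
"""
from math import gcd


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r >= 1 with a**r == 1 (mod n), by brute force: up to n steps.

    This is the step the QFT performs on a quantum computer.
    """
    if gcd(a, n) != 1:
        raise ValueError("a and n must be coprime")
    x, r = a % n, 1
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(a: int, r: int, n: int):
    """Classical post-processing of Shor's algorithm.

    If r is even and a**(r/2) != -1 (mod n), then gcd(a**(r/2) +/- 1, n)
    is a non-trivial factor of n.  Returns None when this base a is
    unlucky; the quantum algorithm would then pick another a and retry.
    """
    if r % 2:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None
    for candidate in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < candidate < n:
            return candidate
    return None


def shor_classical(n: int):
    """Return (p, q, a, r) with p * q == n, trying bases a = 2, 3, ... in order.

    Shor's algorithm uses random bases; a fixed order is used here so the
    result is deterministic.  Raises ValueError for even n and for n that
    no base splits (in practice: n prime).  A base sharing a factor with n
    is the 'lucky gcd' case and is reported with r == 0.
    """
    if n < 4 or n % 2 == 0:
        raise ValueError("n must be an odd composite")
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:
            return g, n // g, a, 0        # lucky guess: a already shares a factor with n
        r = multiplicative_order(a, n)
        p = factor_from_order(a, r, n)
        if p is not None:
            return p, n // p, a, r
    raise ValueError("no base split n (n is probably prime)")


if __name__ == "__main__":
    # Illustrative moduli (arbitrary choices): 15 = 3*5, 21 = 3*7, 3233 = 53*61.
    for n in (15, 21, 3233):
        p, q, a, r = shor_classical(n)
        print(f"{n} = {p} * {q}  (base a={a}, order r={r})")
```

<p>The loop in multiplicative_order runs up to N times, so this is useless beyond toy sizes; the paper's claim, in these terms, is that the imprecision of the gates in the circuit that replaces that loop grows with circuit depth fast enough to wipe out the polynomial advantage.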

<p><a href="http://arxiv.org/abs/0804.3076">Here is their abstract</a>:

<p><blockquote>Shor's algorithm (SA) is a quantum algorithm for factoring integers. Since SA has polynomial complexity while the best classical factoring algorithms are sub-exponential, SA is cited as evidence that quantum computers are more powerful than classical computers. SA is critically dependent on the Quantum Fourier Transform (QFT) and it is known that the QFT is sensitive to errors in the quantum state input to it. In this paper, we show that the polynomial scaling of SA is destroyed by input errors to the QFT part of the algorithm. We also show that Quantum Error Correcting Codes (QECC) are not capable of suppressing errors due to operator imprecision and that propagation of operator precision errors is sufficient to severely degrade the effectiveness of SA. Additionally we show that operator imprecision in the error correction circuit for the Calderbank-Shor-Steane QECC is mathematically equivalent to decoherence on every physical qubit in a register. We conclude that, because of the effect of operator precision errors, it is likely that physically realizable quantum computers will be capable of factoring integers no more efficiently than classical computers.</blockquote>

<p>Hill and Viamontes also claim that this brings up a serious question about quantum computing in general. Take a deep
breath and read this:

<p><blockquote>It is natural to ask whether these results have wider implications about the power of quantum computers relative to classical computers. While the results presented in this paper do not answer this question definitively, it is important to note the singular stature of Shor&rsquo;s algorithm as the only quantum algorithm that appears to efficiently solve a classically intractable problem. The 
fact that Shor&rsquo;s algorithm is not more efficient than classical algorithms removes the only strong evidence for the superior computational power of quantum computers relative to classical 
computers.</blockquote>

<p>Wow. They have by no means the last word on this, but this means that quantum computing is going to get much more interesting as a spectator sport. And perhaps this fall's <a href="http://math.uc.edu/~aac/pqcrypto2008/">Post-Quantum Cryptography</a> workshop will be a little less interesting.]]></description>
<dc:subject>emergent chaos</dc:subject>
<dc:creator>mordaxus</dc:creator>
<dc:date>2008-04-29T00:50:45-05:00</dc:date>
</item>
<item rdf:about="http://www.emergentchaos.com/archives/2008/04/the_messenger_is_the_mess.html">
<title>The messenger is the message</title>
<link>http://www.emergentchaos.com/archives/2008/04/the_messenger_is_the_mess.html</link>
<description><![CDATA[<p>In a blog post entitled "<a href="http://www.banklawyersblog.com/3_bank_lawyers/2008/04/lending-tree-a.html">Lending Tree A Little Late In Cutting Off Network Access?</a>", I read that in the recent <a href="http://breachblog.com/2008/04/23/lendingtree.aspx">Lending Tree breach</a>:<br />
<blockquote><br />
several former employees may have helped a handful of mortgage lenders gain access to Lending Tree's customer information by sharing confidential passwords with the lenders.<br />
</blockquote></p>

<p>Later, the author describes "an obvious chink in Lending Tree's information security armor", (reprinting a U.S. News quotation from Brian Cleary):</p>

<blockquote>
These are former employees&mdash;how can those user accounts to critical customer data still be active? Those should be shut down. So, their access to all of the information and resources should be revoked on the day of their termination.
</blockquote><cite><a href="http://www.usnews.com/blogs/the-collar/2008/4/24/a-letter-you-never-want-to-receive.html">USNews.com</a></cite>

<p>Finally, he observes that <br />
<blockquote><br />
If you're going to rely primarily on human beings to implement the policies, then you'd better make sure that those human beings are either themselves subject to checks and reviews to make certain that they're following the policies.<br />
</blockquote></p>

<p>All of this is nothing new to EC readers.  What surprised me, and what I think is noteworthy here, is that the guy writing this is not some CISSP, CISA, or even CISO.  He's the voice behind the <a href="http://www.banklawyersblog.com/">Bank Lawyer's Blog</a>, an attorney with banking and other corporate clients.</p>

<p>Not to read too much into this, but when the legal profession starts commenting knowledgeably about access termination policies, there's something interesting afoot.</p>
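<p>The check the lawyer is asking for is mechanical enough to automate. The Python below is an added example, not anything from Lending Tree or the Bank Lawyer's Blog: it reconciles an HR termination feed against an account export from the system holding the customer data and reports every account that is still enabled, or has still been logging in, after its owner's termination date. The two CSV feeds, their column names and the user names in them are constructed sample data in an assumed layout; adapt the columns to your own HR and access-system exports.

```python
"""Access-termination reconciliation check.

Added example, not part of the Emergent Chaos post or the Lending Tree case.
It implements the control the quoted commentary asks for: compare the HR
termination list against an access-system account export and report any
account that is still enabled, or has been used, after its owner's
termination date.  The feeds below are constructed sample data in an assumed
CSV layout.
"""
import csv
from datetime import date
from io import StringIO

# Constructed sample HR feed: one row per person; blank terminated_on = still employed.
HR_ROSTER = """\
user,terminated_on
jdoe,2008-03-14
asmith,
bwong,2008-04-01
clee,2008-04-10
dkim,2008-02-01
"""

# Constructed sample export from the application holding customer data.
ACCOUNT_EXPORT = """\
user,enabled,last_login
jdoe,true,2008-04-20
asmith,true,2008-04-25
bwong,false,2008-03-30
clee,true,2008-04-09
"""


def _parse_date(s: str):
    """ISO date or None for an empty field."""
    return date.fromisoformat(s) if s else None


def reconcile(hr_csv: str, accounts_csv: str):
    """Return a sorted list of (user, finding) pairs, one per policy violation.

    Findings: a terminated user's account still enabled; a login dated after
    termination; a terminated user missing from the export entirely (which
    cannot be verified automatically and so is reported, not ignored).
    """
    terminated = {}
    for row in csv.DictReader(StringIO(hr_csv)):
        when = _parse_date(row["terminated_on"])
        if when:
            terminated[row["user"]] = when

    findings = []
    seen = set()
    for row in csv.DictReader(StringIO(accounts_csv)):
        user = row["user"]
        seen.add(user)
        gone = terminated.get(user)
        if gone is None:
            continue                      # current employee: nothing to check here
        enabled = row["enabled"].strip().lower() == "true"
        last_login = _parse_date(row["last_login"])
        if enabled:
            findings.append((user, f"account still enabled; terminated {gone}"))
        if last_login and last_login > gone:
            findings.append((user, f"login on {last_login} after termination on {gone}"))

    for user in terminated:
        if user not in seen:
            findings.append((user, "terminated user absent from export; verify manually"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in reconcile(HR_ROSTER, ACCOUNT_EXPORT):
        print(f"{user}: {finding}")
```

<p>Run it on a schedule against fresh exports and treat any finding as an incident, not a ticket; a consistently empty result is the evidence that people are following the policy, which is the "checks and reviews" the post calls for.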

]]></description>
<dc:subject>breach analysis</dc:subject>
<dc:creator>cwalsh</dc:creator>
<dc:date>2008-04-28T20:29:01-05:00</dc:date>
</item>


</rdf:RDF>