National breach list? Pinch me!

H.R. 3997, the Financial Data Protection Act, is one of the many pieces of legislation proposed in the US to deal with identity theft or notification of security breaches. It was approved by the Financial Services Committee of the House of Representatives on 3/16.
I haven’t read the full text of the bill (and it has been roundly criticized by folks whose opinions I trust) but I was happy to see this in the press release from the committee:

An amendment offered by Rep. Barbara Lee (CA) would require the Federal Trade Commission to coordinate with other government entities to create a publicly available list of data security breaches that have triggered a notice to consumers within a twelve month period.

Another piece of legislation, which has been received rather better by privacy advocates and consumer rights groups, is the Data Accountability and Trust Act. Guess what? It also requires central reporting of breaches:

Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data–
(2) notify the [Federal Trade] Commission;
The Commission shall place, in a clear and conspicuous location on its Internet website, a notice of any breach of security that is reported to the Commission under subsection (a)(2).

I am happy to see these elements make their way into national legislation.

Metricon 1.0 Announced

At this year’s RSA show, a decent portion of the securitymetrics mailing list (about 30 people) convened for lunch. I enjoyed meeting my colleagues immensely, and I received good feedback from others who attended.

One thing everyone agreed on is there is enough activity in the security metrics area to merit convening the group a bit more formally. Thus, I am pleased to announce Metricon 1.0, the first-ever convention devoted exclusively to security metrics.

Metricon 1.0 will be held in Vancouver on August 1, 2006. The program chair is Pete Lindstrom. The program committee includes me and Dan Geer, who managed to persuade the USENIX folks to allow us to attach Metricon 1.0 to their own gathering.

(From Andrew Jaquith, at the Security Metrics blog. Photo from Stock.xchng.)

Privacy Enhancing Technologies Award/Call for Nominations

We’re looking for nominations of great work in Privacy Enhancing Technologies:

The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Workshop (PET). The PET Award carries a prize of 3000 Euros thanks to the generous support of Microsoft.

See for more details.

Lapel Pins?!?

There is an AP article in today’s Washington Post about Cynthia McKinney, a Georgia Congresswoman who was in a scuffle with the police today after refusing to identify herself upon entering one of the House buildings in the “Capitol Complex”. The truly scary part of the article was this:

Members of Congress do not have to walk through metal detectors as they enter buildings on the Capitol complex. They wear lapel pins identifying them as members.

National security is being protected by lapel pins? What’s the deal with that? It’s comforting to know that we’re having our international phone calls tapped, and that anyone wearing the right lapel pin can walk right into a Capitol building.
(Photo cred: AP Photo/Ric Feld, File)

How New Ideas Emerge From Chaos

There’s an interesting contrast between “The Problem With Brainstorming” at Wired, and “Here’s an Idea: Let Everyone Have Ideas” at the New York Times.

The Problem with Brainstorming starts out with some history of brainstorming, and then moves to its soft underbelly: The tendency of groupthink to emerge from groups:

Thinking in teams, and pitching other people’s ideas rather than my own, I quickly found my freshest thoughts blending into a kind of generalized banality, a dollar-green cookie dough. Quantity there was, but the lack of a personal moral framework and the impossibility of being negative took quality off the agenda.

In sharp contrast, Let Everyone Have Ideas starts out:

[T]hey focus on an internal market where any employee can propose that the company acquire a new technology, enter a new business or make an efficiency improvement. These proposals become stocks, complete with ticker symbols, discussion lists and e-mail alerts. Employees buy or sell the stocks, and prices change to reflect the sentiments of the company’s engineers, computer scientists and project managers — as well as its marketers, accountants and even the receptionist.

The question of how to go from a stream of ideas to selecting and executing on the right ideas is a fascinating one. Serving your existing customers, by focusing on compatibility issues and gradual improvement, prevents you from making some leaps that a company with a smaller customer base can make. This is one of the reasons startups can bring new things to market quickly. (Clayton Christensen talks about this in The Innovator’s Dilemma.)

Let Everyone Have Ideas focuses not only on how to select ideas, but on a way to execute on them, which is to turn effort and evangelism into shares on that internal market, so that when ideas pay off, those who backed them get an ROI. Fascinating.

(Einstein blackboard from Hetemeel’s Dynamic Images page.)

Security Flaws and The Public Consciousness

In “Duped Bride Gets No Sympathy,” Kim Cameron writes about an eBay scam. What’s interesting to me is some of the language that the scammer used to justify their requests:

“Her attacker convinced her to use Western Union due to ‘a security breach at Paypal’.” (Kim Cameron, summarizing video)…
“Another red flag was the wire-transfer “Kate” requested, saying her account on PayPal, eBay’s own payment system, had been frozen because of — what else? — a scammer’s intrusion.” (South Bend Tribune)

People have very real challenges in dealing with con men, online or off. In the online world, a whole set of indicia that we might be able to use are not present. Trust boundaries are abstracted. Offline, we use where we meet someone as important information. Figuring out how to protect ourselves online requires knowledge, it requires analysis of that knowledge, and it requires sharing effective defensive techniques.

With the rise of breach reporting, we’re starting to get anecdotes. I’m hopeful that those anecdotes can be turned into data. Unfortunately, those affected by the breaches are pushing back, and hard, against the mandatory release of information. This is clearly in their short-term interest, to avoid having customers flee. It probably isn’t in their long-term interest, and it’s certainly not in the public interest to have these failures swept under the rug.

After the break, more on why breach disclosure is in the long term interest of companies.

“Suffering in Silence With Data Breaches”

That’s a huge loophole that could be used in almost every incidence of stolen data, said Dan Clements, CEO of, a company that tracks the sale of stolen credit cards on the Web. Every law enforcement agency that receives a crime report is going to consider the case “under investigation,” he said.

“Only about 10 percent of the merchants do the right thing and notify customers when there is a compromise,” Clements said. “Most want to sweep the hack under the rug. Their motivation is clear; they don’t want to lose their customers’ trust.”

From “Suffering in silence with data leaks,” by Greg Sandoval. That’s a stunning assessment of how bad the problems are. No wonder businesses are lobbying like mad to be allowed to keep customers in the dark.

Privacy Grants from the Canadian Privacy Commissioner

The Privacy Commissioner of Canada, Jennifer Stoddart, today announced the renewal of funding through her Office’s Contributions Program which, for the last three years, has allowed some of Canada’s brightest privacy experts to develop a wealth of information on various privacy challenges of the 21st century.

From “Privacy Commissioner’s Office renews its cutting-edge privacy research program,” via Michael Geist.

196,000 HP Employee SSNs, Fidelity Laptop

A laptop lost by Fidelity this month has exposed 196,000 current and former HP employees, staff were told last night.

“This is to let you know that Fidelity Investments, record-keeper for the HP retirement plans, recently had a laptop computer stolen that contained personal information about you, including your name, address, social security number and compensation,” employees learned via email. (From The Register.)

How Private Are Your Tax Records?

In “How private are your tax records? You’ll be surprised,” Bob Sullivan illustrates why the “opt-in/opt-out” way of discussing privacy is so destructive:

Any information you give to a company that helps you prepare your taxes can be sold to anyone else. Only a single signature on a permission slip stands between you and the complete loss of your privacy. While that seems shocking — aren’t tax records sacred? — this isn’t new. The IRS says it’s a long-standing practice.

Worse yet, the government and the nation’s tax preparers are steering you to use one of these third-party tax preparation companies. Anyone who wishes to file a return electronically — the only rational way to file in the 21st century — must use a private company to do so. And that private company has the right to share everything it knows about you.

(“We Make A Bad Situation Worse” graphic from mlcsmith.)

Congratulations, Professor Ian!

I’m very happy to report that Ian Goldberg has accepted a position, starting in the fall, at the University of Waterloo. I had the privilege of working with Ian while he was Chief Scientist and Head Cypherpunk for Zero-Knowledge Systems, and he spans academic and practical computer security in a way that’s all too rare. He’s looking for outstanding Master’s degree candidates in security and privacy.

If you’re interested, send mail to iang at cs dot uwaterloo dot ca. [Corrected. Canadian Universities are all too cool to use .edu.]

Congratulations to both Ian and the University of Waterloo, who gains an outstanding addition to their faculty.

[Photo by Kat Hanna.]

Destructive Chaos

Sorry about the unavailability over the last (unknown time period)
My DNS registrar was under DDoS attack. If you’re reading this, you either have a cache, or the attack has been mitigated in some way.
We now return you to your regularly scheduled list of stolen laptops, lost backup tapes, and who knows, maybe even a Friday Star Wars Security post sometime soon.