“Internet isolationism is bad for business”

Dan Kaminsky has a good essay on internet isolationism, which is his name for the opposite of net neutrality. It starts:

Oh, sure, there’s UPS and DHL and the US Postal Service. But imagine if they were all proposing that, because people make money based on the contents of packages other people shipped, that they should see some of that money. Imagine they implied that, if you or your company did not pay a reception fee… well, things might happen. Packages might get lost, you see.

Read “Internet Isolationism is bad for business.”

Me, I’m fond of noting when business tactics can be compared to the mafia. Anyway, it’s a good essay, and it’s worth realizing that the opposite of neutrality isn’t opinion, it’s isolationism and an end to innovation on the internet.

Questions about ‘Ignoring The “Great Firewall of China”’

Later today at the Privacy Enhancing Technologies workshop, Richard Clayton will be presenting a talk on “Ignoring the Great Firewall of China.” I’ll be the ‘session chair’ for the session, which usually means I make sure the speaker is in the room, has some slides on a computer, and knows how much time they have remaining. It also means I’ll get to ask a question if I have a good one. Right now, I don’t, but suggestions are welcome.

(I will try to read through the comments on the links below, as well.)

See Richard’s blog post, via Schneier or Slashdot.

Indistinguishable from magic

The press release you won’t see.

For Immediate Release
The Catawba County Public School System (NC) announced today that
district web site administrators have remedied a configuration error which
accidentally resulted in the social security numbers and names of several
hundred students being made available via the popular Google search engine.
Officials were alerted to the misconfiguration when the confidential data
was found by a district parent seeking information on a beauty pageant.
Catawba County Schools chief technology officer Judith Ray explained that,
although the district's site password-protects areas containing non-public
information, the area containing the student information had inadvertently
been excluded.  "Our web masters immediately recognized their error", Ray
added, "and made the change needed to protect this information".  All
affected individuals have been notified, and the district has modified
both its web site configuration, and its document management processes to
provide an additional layer of checking against a repetition of the error.
Moreover, added Ray, the district has begun a process of removing social
security numbers as identifiers from files it maintains.  "This information
was gathered in another era.  Today, it's simply inappropriate.  We're
updating our databases, just as we've updated our procedures", she explained.
The district's quick response was matched by Google.  A day after being
informed of the exposure, the information was no longer available via
the popular search engine.

What you will see instead:

Q. How did this happen?

A. School system officials say Google broke through the password and
username protected server the information was stored in and took a photo
of the page, which it posted to the Internet.

(Hat tip to lyger)

I’m Joining Microsoft

I’m very pleased to announce that I’ve accepted a position with Microsoft. I’ll talk in a bit about the work I’ll be doing, but before I do, I’d like to talk a bit about the journey that’s brought me here, and the change I’ve seen in Microsoft that makes me feel really good about this decision.

I started my career as a UNIX sysadmin. You can find really old email from me to Sun-managers, or a 1994 “Introduction to S/Key.” In the past, I’ve heaped scorn on Microsoft’s security-related decisions. Over the last few years, I’ve watched Microsoft embrace security. I’ve watched them make very large investments in security, including hiring my friends and colleagues. And really, I’ve watched them produce results.

In making this decision, I’ve had conversations with many people and organizations. The one theme that stands out was the difference in the conversations I had with Microsoft versus other software producers. Some of the things that Microsoft does, and is looking to improve, haven’t even made it in rudimentary form anywhere else. I found myself having to shift gears and explain Microsoft’s Security Development Lifecycle. I noticed no one else with a Blue Hat conference. No one else stopping feature development to hunt for bugs. I (re-)discovered how few organizations have even basic formal security processes in place, and how few of those have audits to make sure that their processes are followed.

I realized just how many smart people are thinking about these questions at Microsoft, and I’m glad to be joining them. I’ll be working on threat modeling and improving that aforementioned Security Development Lifecycle.

Part of the process that’s taken a long time and has been hard for me is that Microsoft is adamant on minimizing risks of intellectual property contamination, and that includes technical advisory boards (TABs). Looking around, I found exactly two Microsoft employees on commercial TABs. One was John Conners, CFO; the other is Rob Willis, who founded the company he now advises. Two people. Six years. I might have had a slightly better chance if I wasn’t taking the role I’m taking, in a central security group. I want to be clear that my decision is about the tremendously cool opportunity within Microsoft, not a lack of confidence or enthusiasm for the companies I have had the pleasure of working with. I remain enthusiastic, and wish them all great success.

That said, Microsoft didn’t offer to buy this blog. It remains mine, with a healthy dose of Chris and Arthur, and lots of great reader comments. I am free to say what I want here, and they’re free to question my judgment. At the same time, I’m going to shy away from some topics: Microsoft. How other companies do security processes. Why you should use IE. I’m going to shy away from these, at least initially, because there’s a tendency to take everything Microsoft employees say as company gospel, regardless of disclaimers, etc. I expect to speak more about liberty, privacy, breaches, usability, and as I find them, giant animals.

So, I’ve joined Microsoft, and I look forward to doing great things here.

More on Risk Tolerance

There are a number of good comments on “Risk Appetite or Volatility Appetite?,” and I’d like to respond to two of the themes.

The first is “risk appetite is an industry-standard term.” I don’t dispute this. I do question if I should care. On the one hand, terms that an industry picks up and uses tend to be useful and revelatory. Sometimes, they are also distortive. Risk appetite makes sense from the perspective of the financial industry, which is selling products of various riskiness. Knowing their customers’ appetite for risk makes sense. It makes sense even if that appetite is formed on the false premise that you must accept higher risk for a higher return. This is clearly false; just look at interest rates on insured savings accounts. A great deal of return is a function of information, and the willingness to find and use it. (Admittedly, a high interest rate may correlate with moral hazard on the part of the insured bank, and you may have to accept getting your money back later.) I think that the term risk appetite is also distortive, in that it influences the way people look at risk. I once caught myself looking for a risky investment, rather than one with a high expected upside. That high-reward investments often include lots of risk doesn’t mean risk is what I’m looking for.

The second is that I misunderstand risk. That may well be true, but I think that the goal of disaggregating risk from reward is useful. Anyone who’d like to offer up a more purely disaggregated risk is free to do so. It’s an interesting thought experiment, one that’s clearly making many readers uncomfortable. That’s not my usual goal, but I’m willing to accept it now and then in exchange for a rewarding conversation.

(These dice are from NelC, too.)

Proud Comments About Bank Spying

Over at the Counterterrorism Blog, Dennis Lormel writes “Initial Comments about Terrorist Financing and ‘The One Percent Doctrine’” and “U.S. Government Terrorist Financing Initiative Involving SWIFT:”

…I was in the FBI in a leadership role responsible for terrorist financing. Immediately after 9/11, we realized we had to develop financial investigative methodologies different than anything we had done before. We had to think outside the box by developing and implementing time sensitive and time urgent investigative techniques. To succeed, we needed the assistance of the financial community. At all times, we were cognizant of privacy rights and civil liberties.

He seems hurt that people don’t understand the programs, and how the FBI carefully balanced their interests with those of society, as they’d been instructed to do by Congress and the public, when we passed the “Hey, you guys figure it out” law. (Snark aside, Congress did seem to take that attitude for a while.) The American people are worried about the unfettered exercise of power. One subpoena doesn’t seem to balance with “probable cause,” or our expectations of how these things ought to be done.

We should be having debates about these things, and the debates require information.

There’s good information in both posts, especially about how the counterterror groups view what they’ve done. See also, “Provider of financial records to US had assurances,” by Reuters.

Gartner to Google: Learn to read minds

Concerning a school district which misconfigured its web server and wound up posting student social security numbers for all — including Google’s spiders — to see, Gartner’s Avivah Litan weighs in:

“They say the Internet is free and open, and you can’t stop them,” Litan said. “But they ought to scrutinize some of the content and, at least, send a warning to Web sites that they’re exposing this information.”

Google doesn’t honor robots.txt? Wow. Gartner really does know something everyone else doesn’t.

SWIFT spies

The United States Treasury Department has had secret access to records maintained as part of the SWIFT system, and has been using them for years to identify financial ties to terrorist entities.

The Washington Post has more.

The FBI’s Use of Data Brokers

Although the federal government and local law enforcement agencies nationwide use private data brokers, the FBI said that practices used by these companies to gather private phone records without warrants or subpoenas are illegal, according to an Associated Press article on Chron.com.

A senior FBI lawyer, Elaine N. Lammert, told lawmakers the bureau was still surveying agents around the United States, but so far has found no “systemic” use of data brokers by the FBI.

That’s from the CSO Blog, “Data Brokers May Act Illegally.” In other news, “ChoicePoint-FBI Deal Raises New Privacy Questions.”

So what are we paying for?

Presentations and the Web

It’s easy to put presentations on the web, just like it’s easy to create them. Neither is easy to do well. I’d like to talk not only about good slide creation, but about how to distribute a presentation in a useful way. It’s not easy to create good presentations, even when you have good content. Simson Garfinkel pointed me to a great source on “The Design of Presentation Slides.” It’s based on actual research about presentation style and retention. It turns out that a full-sentence headline, a graphical representation of data, and conclusions to draw from the data presented are far more memorable than bulleted sentence fragments (right).

This style also works well when the presentation is actually a presentation of some other organized thinking, such as a scientific paper or progress report. When the presentation is accompaniment to something, I believe the research that says the headline sentence, data and conclusion style leads to better retention. What about when there is no other handout?

There’s an expectation that speakers at a conference or workshop will provide slides. From the perspective of the conference organizers, requesting slides offers some small assurance that the speaker has prepared, and allows the conference attendees to have the slides as a reminder of the talk. From the reminder perspective, outline slides are actually very useful. There’s rarely an expectation of handouts that aren’t the slides. Perhaps the most useful (generically) is an actual outline, created with a tool designed for that purpose. A real outline is useful because it is less constrained by the genre: ideas can be more than active fragments, and the printed page imposes fewer constraints on both sentence and block than the slide does. An outline’s not so useful as data, but who has data these days?

So I think I may move away from my habit of providing multiple formats of the slides themselves, and move to putting up a three-part web page with outline, references, and any details of the argument that seem to require elucidation. Perhaps even a short essay.

I would do this because the two scenarios are so different: One involves having me at the front of a room, using slides to illustrate and orient around my words. The other, without me there, means that the message needs to be self-contained.

Risk Appetite or Volatility Appetite?

Over at “Not Bad For A Cubicle,” Thurston (who is always worth reading) manages to tickle a pet peeve of mine in “A super-size risk appetite?” No rational business has a risk appetite. They accept risk. They may even buy risk in fairly explicit ways (some financial derivatives) if they think that those risks are mispriced because of either asymmetric information or different risk models. No rational person has a risk appetite. Some rational people have a thrill appetite, which may include elements of risk taking. Gamblers, extreme sports devotees and idiots may all do things in search of a thrill that includes a risk of serious injury or death. That risk may even increase their thrill, but what they’re seeking is the thrill, and they take risk as part of that package.

If you think you have a risk appetite, I have a simple game for you. We flip a coin. If it lands heads, you give me a dollar. If it lands tails, you may choose to play again. This is pure risk. I’ve removed any possible gain. Feel free to play, I’ll send you my address.

The picture is NelC’s “My Lucky Dice.”

[I’ve responded to some of the comments at “More on Risk Tolerance.”]

Responsible Transparency?

Over at the nCircle blog, Mike Murray* takes me to task for advocating transparency, and argues for “Responsibility and Disclosure.” His argument is solid:

We’ve had a “responsible disclosure” debate in the vulnerability research community for a whole lot of years – the point is simply that, while disclosure forces everyone to be responsible, sometimes, you can have too much of a good thing.

I do have to point out that the move to responsible disclosure took pain and suffering on all parts: the researchers, the vendors, and the innocent sysadmins. At the same time, that pain was needed to force vendors to move to a new position. Some vendors have embraced that new position really well. Others haven’t. There’s still a great deal of resistance to the new transparency. There are active efforts under way to roll it back, to impose federal “fox guards the henhouse” clauses on the state laws.

Those efforts will fail. They’ll either fail to be passed, or a liability suit will make the escape clause too expensive to invoke. Unfortunately, I expect we need to go through this painful phase to get to the good point of having a “national breach victimization survey,” and enabling a market for cool ID-theft prevention techniques like those coming from Debix.

I had a really interesting conversation with my friend S the other night. He asked if I’d give up 1386 notices to individuals in exchange for mandatory reporting to a central data collection authority. My answer was “if we still get notices where there’s reason to believe an individual will be affected.” Now I’m less sure. I think that notices to individuals serve important and still hard to discern processes. It feels right, even if I’m as yet unsure what the other arguments for it will be.

* Really, make that m “I need real names on the blog” murray. Photo from National Geographic via Bullockdi on Flickr.