More thoughts on blogging

Thanks for the kind introduction Adam. This has been an interesting summer as I reach out to various security bloggers. I hope my “Meet The Bloggers” podcast series will help people to get to know the various “personalities” out there. We are an interesting bunch.
The one question I have for everyone, bloggers and blog readers alike, is: what is the impact of blogging on the security space? Obviously bloggers are doing a better job in general than journalists in exposing what is happening in the security space. But it is still disjointed. You have to tune into at least four or five, and maybe ten, blogs on security just to stay in touch. In the meantime you have to check in on reddit, digg and techmeme a couple of times a day and subscribe to a bunch of feeds from Haval Daar. Are bloggers adding to or helping reduce the chaos? I hope it is the latter.
As I see it, security bloggers are accomplishing three things. First, they are disseminating information. By sifting through all of those feeds and posting on the “important” stuff, they help filter out the good bits from the bad for the security professional. Second, they take a stand. They are advocates for good security and typically defenders of digital rights. They do not let topics die. I for one will be blogging about the Sumitomo Bank Heist and asking my questions until I get answers. And finally, they sway decision making. Through the forum created between bloggers and their commenters, actionable advice is derived that I believe helps individuals and corporate IT departments ultimately improve their security posture.
Comments? Concerns? Are there three things that security bloggers don’t do but they should?

The Down Side of “Strong” Authentication

Brad Stone has a great article in Wired about his car being stolen and the insurance company insisting that he must be lying because he still had all of his fancy RFID-enabled keys. This assumption that the security system is perfect is going to continue to bite consumers, especially as banks move to two-factor authentication. I see scenarios where malicious parties use trojans or man-in-the-middle attacks to steal, and banks and vendors, leaning on the use of products like SecurID, shift the liability to the customer. Fortunately for Brad, he got his car back in the end. Read the full article; he has a great analysis of the moving target that is security.

Don’t Cross the Streams?

So this week I’m off to Metricon and Usenix Security. Many of my co-workers are off (to present an entire track) at Blackhat. What I find really interesting is that there are these two separate streams of security research, one academic and one hacker, in the most positive sense of the word. Both have produced excellent research. Both have their own forums, conferences, journals and jargon. Both have strong traditions of acknowledging the work you build on. “What’s new about this?” is a fair question in both communities. Sometimes, that question crosses the boundary.

See, for example, the 4th comment on “Ignoring the ‘Great Firewall of China’,” where Bill Xia complains that “I explained this mechanism in 5th HOPE conference” and then adds in a burst of honesty, “Sorry the slides are hard to read without the video presentation.”

These two streams of research are so separate that I’ve heard few complaints that the two conferences are overlapping. That’s a shame, because there’s good work being done in both of them. The highly practical orientation of the hackers finds real flaws. Ideally, that would dovetail with the theoretical underpinnings that the academic community has.

The picture, of course, is from Ghostbusters.

Drowning in Notices?

In “Access controlled by a password,” Phillip Hallam-Baker writes:

It probably makes sense to have an exception of this type in the first instance when the law is enacted. Otherwise we may well drown in privacy disclosure notices.

I must say, I don’t get this objection. Does it apply to any other bit of information disclosure? Are we drowning in SEC regulatory filings? National Crime Victimization Surveys? Statistical Abstracts of the United States? (How ought one pluralize that, anyway?)

Sure, there may be lots of notices. Sure, those notices may, to a degree, be fiscally inefficient. However, the stock market doesn’t think they matter a great deal (see “Does Lost Data Matter?”). At the same time, as Phill points out:

In the longer term the problem with such exceptions is that lost laptops are a major cause of data loss and there is at least anecdotal evidence to suggest that stolen laptops do trade for the information on them. A few months ago I had lunch with Simson Garfinkel who remarked that there is a correlation between the price of used disk drives on EBay and the purposes that they appear to have been used for.

We should sweep any such evidence under the rug, before it becomes apparent that there are material weaknesses in all sorts of controls.

The reality is that while companies are actually working to improve the security of their data with things like drive encryption, consumers are not (near as I can tell) getting either bored or overwhelmed with notices. Seems like sunlight is a fine disinfectant.

Yet Another Coding Standard?

Over at Matasano, Tom Ptacek skewers the new CERT Secure Programming Standard by asking: Do We Need an ISO Secure Coding Standard?. The entire article is well worth reading, but it sums up nicely with this:

There are already a myriad of good sources of information about secure programming, including books targeted specifically to developers that don’t have experience with secure programming. I don’t understand why a wiki or an ISO standard would be more accessible to these developers, who write the majority of all code.

Thanks Tom.

Indiana’s Breach Law

Indiana’s breach notification law went into effect on July 1, 2006. An excerpt relevant to the “lost laptop” phenomenon:

Sec. 2. (a) As used in this chapter, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local agency.
(b) The term does not include the following:
(1) Good faith acquisition of personal information by an agency or employee of the agency for purposes of the agency, if the personal information is not used or subject to further unauthorized disclosure.
(2) Unauthorized acquisition of a portable electronic device on which personal information is stored if access to the device is protected by a password that has not been disclosed.

DHS Has Nothing Better To Do, Apparently

A federal Department of Homeland Security agent passed along information about student protests against military recruiters at UC Berkeley and UC Santa Cruz, landing the demonstrations on a database tracking foreign terrorism, according to government documents released Tuesday.

From the San Francisco Chronicle, “Terror database tracks UC protests: U.S. agent reported on ’05 rallies against military recruitment.”

Let me be clear. I’m fully in favor of saving American lives, and also the American way of life. When DHS is wasting its time on student protests, corn stands and flea markets, more and more people are going to decide that it’s a waste of money. So, DHS, stop thinking about this as a matter of civil rights.

This is going to be about your budget. If you’d like your budget to be there in five years, stop spying on Americans. Because if you don’t, Americans will decide you have more money and less sense than a drunken sailor.

Peeping Tom photo by WebLoes.

Return on (Other People’s) Investment

‘The Australian’ has a great story, “Focus key to crack money-laundering.” It’s focused on the testimony of a British expert on “money laundering” and includes:

Last year, British banks, accountants and lawyers made some 200,000 reports to the authorities. But in the three years since Britain’s law was implemented, there had been only one successful prosecution in 2003.

“A common picture is emerging across the world that banks and accountants are complying with their obligations, but little seems to be done with the information.

It cost the British financial services sector pound stg. 60 million (AU$146 million) to just set up the compliance system.

I don’t know what else £60 million could buy, but one prosecution, and the privacy of 200,000 violated? Seems like a poor use, even if it’s other people’s money. Maybe they should have offered some huge rewards with it instead.

Previously on this topic: “FinCEN Effectiveness,” “The Cost of Following the Money” and “The Remittor and the Money Launderer.”

It’s Getting Worse All The Time?

So there’s a post over at F-Secure’s blog:

There’s a growing trend here. We’ve been saying for some time that the lack of large virus outbreaks is evidence that the malware environment could be getting worse, not better. The bad guys want to make money – not make attention. So as a malware author, if you want to target a few prominent companies for the purpose of industrial espionage, you design your exploit to attack them within and then lay low. Spoofed e-mails are sent to company insiders and they, thinking it’s just another document that they need to review, open it up and the backdoor gets installed.

So while I follow the logic, I have a question: If fewer outbreaks are evidence that things are getting worse, are more outbreaks evidence things are getting better? If not, is there any evidence possible of things getting better, or are they always getting worse?

[Update: Linked to the post. Sorry about that! F-Secure doesn’t have per-post archive pages, but the post is titled “Exploit Wednesday.”

Also, lacking deep insight, I don’t dispute what they’re seeing or saying. I’m simply asking if it were to be the case that things were getting better, what would the evidence look like?]

On Provable Security

Eric Rescorla writes:

Koblitz and Menezes are at it again. Back in 2004, they published Another Look at “Provable arguing that the reduction proofs that are de rigueur for new cryptosystems don’t add much security value. (See for a summary.) Last week, K&M returned to the topic with Another Look at “Provable which is about the difficulty of interpreting the reduction results. They take on the proofs for a number of well-known systems and argue that they don’t show what you would like.

See “Provable Security (II)” if you want the rest of the details.

Sky Marshals Have Suspicious Behavior Quotas?

The air marshals, whose identities are being concealed, told 7NEWS that they’re required to submit at least one report a month. If they don’t, there’s no raise, no bonus, no awards and no special assignments.

Even better, the people who are “suspicious” are put into secret databases with no way to find out why their travel life suddenly became hell.

When you have nothing to measure, and the threat you’re coping with is very rare, sometimes you invent things. I like Schneier’s comment, “I have been stunned before by the stupidity of the Department of Homeland Security.” (The story is at “Marshals: Innocent People Placed On ‘Watch List’ To Meet Quota” at the Denver ABC affiliate.)

[Update: See Brock Meeks’ comments on the issue, at Dave Farber’s Interesting People List.]

“Privacy” International

As mentioned by Ben Laurie, Simon Davies, the Director of Privacy International, was quoted in IT Week’s “Will industry rescue the identity card?” as saying:

“I’ve believed for some months that a ‘white knight’ consortium from industry is needed,” Davies said. “Companies that can see the benefits of the ID card idea should approach the government about effectively taking over the project.”

I find this particularly galling from a group dedicated to privacy. They are, in their own words, “a human rights group formed in 1990 as a watchdog on surveillance and privacy invasions by governments and corporations.”

Like Ben, I am speechless.

Fu-Sec, Dunbar Numbers, and Success Catastrophes

In “I Smell a Movement,” Chris talks about the City-sec movement, of security people getting together for beer, and about groups like ISSA.

So the question I’d like to ask is why do these groups keep emerging so chaotically? Why can’t the extant groups, usually formed for the same reasons, succeed?

I think there are two main reasons, the first involving group dynamics, and the second involving success catastrophes.

As a group grows, there are lots of dynamics. One of those is that functional groups can get more done than individuals. There are also communication and alignment costs, which is why adding more programmers to a late project makes it later. Christopher Allen has written extensively about this in his posts on Dunbar numbers, such as “The Dunbar Number as a Limit to Group Sizes.”

As a professional networking group hits some critical mass of interested early adopters, those early adopters put in work and get lots of value. Since a goal of the group is networking, they excitedly invite more people, telling them how great it is. The group grows. Newcomers may not invest the same level of energy (after all, things are working great, let’s drink more!). As that happens, the selection functions that controlled early membership: Did you find out about it because you read the right blogs? Did you make time to attend?

As the group grows, the activities and energy that made it work may no longer suit what the group has become. This is why lots of startup founders leave: They’re great in the early stages, but as they build the company, the very skills that made the early days work become dysfunctional. Startups often do this, at great cost, because there’s a board of directors who are focused on a financial outcome. Professional societies, who take their boards from the enthusiastic membership, may not have that same focus. These groups want more of what made them valuable early on.

Thus, the habits and skills that make a group successful can end up holding it back. It’s the catastrophe that follows success, and it’s why we have a growing list of professional organizations that don’t do quite what some people want. When the groups don’t serve the purpose, some enthusiastic people will set out to fill that gap, either in a market or in a social setting.

So what can you do about it? Me, I plan to drink lots of beer at the next SeaSec.

Photo: Zombarmy06 by Father.Jack.