Dear TSA, How Do We Contact Thee?

Phil Schwan, who was able to read to the end of “Homeland Security tracks travelers’ meals” without blowing a gasket, noticed that they said they’d only gotten 15 comments:

I tried for 30 goddamn minutes to figure out how to comment. That’s
why there are only 15 comments. All I could find was a Privacy
Impact Assessment, authored by their “Chief Privacy Officer”, which
was a total whitewash.

If you can figure out where to send it, I’ll comment. Otherwise, the
terrorists win again.

Can someone help? Where do we send comments about this crap?

We’ll have more, and cheerier, from Phil over the weekend.

The New Transparency

xray.jpgSometimes, we Americans forget how lucky we are to live in a country with 51 legislative bodies, all of which can pass laws which affect all of us. By sheer luck, some of those laws will not stink, and a few actually turn out to be useful, not jarringly out-of-tune with the gestalt, and not trampling of civil liberties.

One such example is the rise of 1386 style laws. There are now 35 of them, of which some stink, and some are good. What interests me most is the commentary surrounding the NationWide laptop loss. NatWest is a `Building Society,’ in the UK, which roughly maps to a credit union in the US. [Natwest is not Nationwide. Thanks, Richard!]

Note both the expectations, and the explicit admission that problems are being swept under the rug, in this BBC story:

Diane Gaston, of the National Consumer Council, told the programme she is angry customers were not told sooner.

“A three-month delay is appalling. People should be able to trust that if a problem has happened they will be told about it straight away.”

And why is that? The UK has no breach notice law, as of yet. Neither does the EU. Ms. Gaston is speaking of an ethical expectation, based on seeing change in the US. It would be my guess that she’s not even aware of the shift. In saying that, I mean no disrespect, only that no one noticed the absence of these notices, but now that they’re here, we would certainly notice their disappearance.
More from the BBC:

But Nationwide said there is no indication that data had been stolen and nobody has lost any money.

Chief executive Philip Williamson told BBC Five Live that he was “genuinely sorry” for the theft and any concern it had caused customers.

But, Barry Stamp, former director of CIFAS, the fraud prevention service, said it was unusual for an entire customer database to be stored on a laptop.

Mr Stamp, who is now joint managing director of, told the BBC: “On the one hand we should say hats off to Nationwide for actually admitting that one of these laptops has been stolen.

“We’ve seen cases like this almost every week at the moment, but on the other hand you have to ask why that information was contained on a laptop and why the security was lax at Nationwide in such a way that you could download the entire database to a laptop.

This was linked by Slashdot, whose lead includes:

This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public?

Again, note the underlying assumption: breaches should be made public, and quickly. What a transformation 1386 has caused, around the world. From one little law in California.

Photo: Radiographica by B3ca.


How’d you like to be the person at British Airways who has to write the letter to 30,000 people explaining that they might have been exposed to a radioactive poison while traveling on BA flights?
Remarkably, authorities will not confirm that the substance detected was Polonium, yet passengers on the flights are being asked to talk to their doctors. About what? The general risks of ionizing radiation? No need for that, since BA helpfully has that information right on its web pages.
I know little about such things, since the only physics lab I studied in had a telescope as its main instrument, but if I am going to ask my doctor how much I need to worry, she’s going to want to know what kind of radiation I was exposed to, and for how long. I don’t see that information as being available, so it seems as though asking the passengers to speak to their doctors is really asking doctors to giver their patients a pat on the head.
Meanwhile, the contrast between the official reaction to this incident, which I would describe as quite measured, and the reaction to the “chemical explosive threat” could hardly be more stark.

More on Godin and Tufte

There’s another good article on Juice Analytics, “Godin, Tufte, and Types of Infographics:” (hey, guys, where are the author names? Author names only show in RSS, not the web page?)

Tufte frustrates on a number of levels. He is enormously influential in business. Businesses send people to his seminars and they come back energized with the essential truthfulness of his message. Yet weeks later those principles are abandoned by the lack of practicality of his message. No one in business is going to design a graph in Adobe Illustrator as he can. They use Excel. Seldom can we spend days or weeks refining and testing a graph. The work must be done and then we move on.

So I totally agree with this, and ask, why aren’t we asking more of Excel? Why can’t we get graphics that are of Tuftian quality from them? As I’ve said, I’m really fond of the ribbon design, and if enough customers were asking for great, and defined improvements in graphical excellence, I suspect Excel would ship it. (A personal example: I’d like to be able to lock a set of graphs to the same scales for the axes, so I can create small multiples more easily. I have some graphs today that slice one data set differently, and I have to work hard to make the scales the same.)

It would be really interesting to see if the community of excellence around Excel could come up with ideas.

(In another post, Zach points to Re-Visions of Minard.)

The Two Minute Rule for Email and Slides?

So I’ve been discomfited by the thoughts expressed by Tom Ptacek and the Juice Analytics guys over what presentations are for, and a post over at Eric Mack’s blog, “A New Two Minute Rule for Email.” The thing that annoys me is the implicit assumption that all issues should be broken down into two minute chunks. That we’re all dumb enough to require summaries like “It’s a slam dunk, Mr. President.” I find myself slipping into this belief. Annoyed that the authors of “A Report on the Surveillance Society” prepared for the UK Information Commissioner didn’t make it shorter. It’s already easy to read, but it’s 102 friggin’ pages. Who wants to read 102 pages? You’re probably already onto the next blog post already.

If you’re not, it may be because you recognize that there are arguments that take longer. There’s also arguments that don’t take so long, and I think I’ve made mine.

PS: I don’t think that Juice or Tom would ever argue for a hard-and-fast rule of this sort, but guidelines with subtlety become rules that people get tied up about.

Fanning the flames, security metrics style

Amidst the to and fro over insider v. outsider threats, whether security metrics can be “gamed”, and so on, and in recognition of the best buddies that security geeks and economists have now become, I offer the following. 

The saying often quoted from Lord Kelvin (though the substance, I believe, is
much older) that “where you cannot measure your knowledge is meagre and
unsatisfactory,” as applied in mental and social science, is misleading and pernicious.
This is another way of saying that these sciences are not sciences in the sense
of physical science, and cannot attempt to be such, without forfeiting their
proper nature and function. Insistence on a concretely quantitative economics
means the use of statistics of physical magnitudes, whose economic meaning and
significance is uncertain and dubious. (Even “wheat” is approximately
homogeneous only if measured in economic terms.) And a similar statement would
apply even more to other social sciences. In this field, the Kelvin dictum very largely means in practice, “if you cannot measure, measure anyhow!” That is,one either performs some other operation and calls it measurement or measures something else instead of what is ostensibly under discussion, and usually not a social phenomena. To call averaging estimates, or guesses, measurement seems to be merely embezzling a word for its prestige value.

Frank H. Knight, “‘What is Truth’ in Economics?”
The Journal of Political Economy
Vol. 48, No. 1, Feb. 1940, 1-32.

Halvar on Vulnerability Economics

Back in July, I wrote:

If fewer outbreaks are evidence that things are getting worse, are more outbreaks evidence things are getting better?

Now, I was actually tweaking F-Secure a little, in a post titled “It’s Getting Worse All The Time?” I didn’t expect Halvar Flake would demonstrate that the answer is yes. Attacks getting worse may well mean that things are getting better. Which is kind of counter-intuitive.

In Client Side Exploits, a lot of Office bugs and Vista, he writes about the other side of the Vista exploit coin, and how good security can drive bugs into widespread use:

ASLR is entering the mainstream with Vista, and while it won’t stop any moderately-skilled-but-determined attacker from compromising a server, it will make client side exploits of MSOffice file format parsing bugs a lot harder…As a result of this, client-side bugs in MSOffice are approaching their expiration date. Not quickly, as most customers will not switch to Vista immediately, but they are showing the first brown spots, and will at some point start to smell.

See also “Economics of vulnerabilities,” and “Vulnerability Game Theory.”

Small Bits of Chaos

Banksy Again

Or how museum security is like information security. Or as Sivacracy put it “Involuntary Art Acquisitions”. Call it what you will, but in all cases it highlights the fact that most security programs be they physical or information focused, tend to be unidirectionally focused. In the case of museums, it is to ensure that nothing illegitimately leaves the premises and in infosec, traditionally it is that no one breaks in.
In this case Banksy walked into several famous New York museums and hung up pieces of his own art.
One can argue that museums shouldn’t worry about people putting up art, but I have to say, I’m worried that it took 3 of the 4 museums multiple days to notice…..

Happy Geeky Thanksgiving

Hey everyone, it’s time to celebrate Thanksgiving here in the U.S. Or in the words of Anya, engage in “ritual sacrifice with pie.” If pie isn’t your thing, perhaps cookies are. kung-foodie points us to Joseph Hall’s Ubuntu and Tux cookie recipes. If they are as tasty as they look, you can always add decorations after the fact and make them into Christmas cookies. This of course makes me wonder how hard it would be to embed a pattern into a potato latke…..

England and Wales to fingerprint motorists at traffic stops

Via the Beeb:

Drivers who get stopped by the police could have their fingerprints taken at the roadside, under a new plan to help officers check people’s identities.
A hand-held device being tested by 10 forces in England and Wales is linked to a database of 6.5m prints.
Police say they will save time because people will no longer have to go to the station to prove their identity.
Officers promise prints will not be kept on file but concerns have been raised about civil liberties.
If the driver does not convince police he is giving them a correct name, they will fingerprint him and verify his identity on the spot, instead of taking him to the police station.

Assuming that 6.5m means 6,500,000, how is it that use of fingerprints can establish identity? The population of England and Wales is about 50,000,000. If 30% of this number are under the legal driving age (an overestimate, since 20% are 15 or younger), then 35,000,000 people are eligible to drive (I assume the number of those prohibited due to, for example, blindness or past offenses is not substantial). The Department for Transport says there are 31,000,000 registered vehicles in the U.K. Let’s be conservative and say that there are 20,000,000 licensed drivers in England and Wales.
If this is so, then a fingerprint obtained at random from a driver will match one the coppers have on file only a third of the time. How is it that this “verifies his identity on the spot”?
Rather than my back of the envelope stuff, I’d love to see some real numbers on the efficacy of this program. Unless there is a match in the database, how can this process do anything?

Selling Security?

Last week, Martin McKeay responded to RaviC’s thougthful discussion of security as a core competence by saying:

I don’t think any business is going to buy into security as a core competence unless you can demonstrate to management that they’ve lost business directly because of a lack of security. And even then, it’s an incident around lack of security that’s more likely to get action rather than the idea of being proactive about security.

I can’t speak to to the business world as a whole, but in my experience Martin is right. More specifically, it will take many many incidents for a company to understand that this is not just a point issue that can be addressed with one patch.
Martin also talks about using the sales team to your advantage:

If your company does operate in an environment where security can be used as a sales tool, think about incorporating your sales department in your efforts to push security up the ladder. If you have your VP of Sales talking about how how security will allow them to approach a market they haven’t been in before or get a sale they missed last year, management will see the dollar signs. It’s probably a lot healthier way to sell security in the organization too.

On a similar vein, use your customers to your advantage. Find out who the biggest customers are and contact the security organizations at those companies and ascertain what their specific concerns are and assist them in making their concerns known. Make yourself an evangelist for the customers. Undoubtedly, if you see issues with the product being sold so do your customers and they just don’t know who to talk to in order to make those concerns known.
Update: I closed a tag on behalf of Arthur. cw.

On Awareness

Last week, Rich Bejtlich posted his common security mistakes to TaoSecurity. His points are all excellent and well thought out, however, I would add one more item to his list: Awareness.
It is very in vogue to say that user education must be eradicated, will never work and is one of the dumbest ideas in computer security. However, all of the authors miss a vital point, and that is: If users don’t know what they are and are not supposed to do, it is no wonder that they break the rules and make mistakes.
It’s all well and good to believe that technology should protect the user and that argument works well for things like spam and spyware (even if the technology doesn’t), but that just doesn’t fly when it comes to policy based issues like sharing of confidential information or writing quality code. At some point, users need to understand why things need to be done a certain way whether for security, safety or just plain profit. How are they going to get that? Osmosis?

Carole King said it best

“It’s too late, baby”
Yeah, I’m dating myself, but Tapestry was huge, and she and Goffin had some serious songwriting chops.
Anyway, the “it” about which it’s too late is, yes, a relationship. An important relationship. A relationship which, while admittedly not exclusive, is “open” in a hopefully honest, fulfilling, respectful way. That relationship is the one you have with your personal information.
Well, bad news. That info is all over town, for anybody who can pay the bills, and you don’t know the half of it. That, at least, is the opinion of David Cowan, a VC at Bessemer Venture Partners, blogging about Lifelock:

It would be quite a stretch for you to imagine that somehow your data remain safely stored among all the vendors, doctors, banks, web sites, and government agenices[sic] whom you’ve engaged in your lifetime. More likely, your personal credentials are all for sale in black market exchanges like this one.
In other words, the horses are out of the barn. There’s little point trying to re-tool or regulate the world’s IT infrastructure to contain consumer data. Even if your concern is future generations whose identities are still safe from thieves, there are so many ways for data to leak that it’s futile to expect brittle secrets like our social security numbers to be both useful and sustainably confidential.

Here, Cowan echoes the response I got over a beer when I asked a knowledgeable observer of the financial industry how he’d estimate the number of compromised identities (I figured he’d know about fraud detection and so on). I knew I was in for some fun when his response began with “You’re not going to like the answer…”. It seems that in his opinion all our PII belongs to them. It’s merely a question of monetizing it. (Listen closely — that sound you hear is Lindstrom saying “Yessss!!!”)
I am not qualified to assess whether Lifelock or Debix, or any other player in this space is a sensible investment. I will say that, as I understand it, their value proposition could be obliterated with a stroke of the pen, which leads me to a conclusion, and to a question.
That smart people are willing to attach their names and wallets to these enterprises shows me that US consumers won’t have true control over access to their personal information for the foreseeable future because legislation providing it is seemingly not forthcoming.
To those who argue that the data are already all out there, my question is “Is that a falsifiable hypothesis?”