It’s not all about “identity theft”

There’s a fascinating conversation going on between Chris and Andy Steingruebl in the comments to Data on Data Breaches. In it, Chris writes:

If what we care about is reducing ID theft, then maybe all this effort about analyzing breach reports is a sideshow, since for all we know 80% of the revealed PII never gets detected as having been revealed.

Data breaches are not meaningful because of identity theft.

They are about honesty: an organization made a commitment when it collected the data, and then failed to meet that commitment. They’re about people’s privacy, as the Astroglide and Victoria’s Secret cases make clear.

We shouldn’t allow the discussion to center on ID theft. It should center around the meeting of the minds, and the exchange of value.

That was the point of my Privacy Enhancing Technologies talk: we’ve got to look at these things as privacy issues, not just security issues.

Photo: “Handshake through TFT screen,” by Henkster on

Data on Data Breaches

At the FIRST conference in Seville, Spain, I delivered a presentation about “Data on Data Breaches” that Adam and I put together. The slides, with the notes I made to act as “cue cards” for me, are available as a large PDF file on a slow web server.
The main points I tried to make are:
That with the availability of breach reports direct from states with central reporting, such as New York, it is possible to measure part of our ignorance when we rely solely on published breach reports — even the best available sources (such as Attrition’s DLDOS) undercount breaches dramatically, and are biased toward larger incidents.
That we are still at the leading edge of an explosion of information, and that we should not draw hasty conclusions until more facts are in.
That, as Emil Faber might put it, “Knowledge is Good” and is not that painful to provide.
And finally, primary materials such as breach reports are useful artifacts not only because they tell us dry facts in a standardized format (but that IS nice), but also because the notices themselves are interesting evidence of how firms talk to their customers about a difficult topic.
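The first point above is a measurement: given a central registry of breach notices (the state as ground truth) and a media-sourced public list, one can count how many registry incidents the public list missed, and check whether the ones it caught skew large. The following script is an added illustration of that comparison and is not code from the talk or from Attrition; both datasets are constructed, and the incident ids, the `records_affected` field and the size buckets are assumptions.

```python
"""Estimate how much a published breach list undercounts, using a state
registry as the reference set. Added example with constructed data; the
incident ids, record counts and bucket boundaries are assumptions."""
from statistics import median

# Constructed: notices a state with mandatory central reporting received.
# Each entry is (incident_id, records_affected).
STATE_REGISTRY = [
    ("S-01", 120), ("S-02", 450), ("S-03", 2_300), ("S-04", 80),
    ("S-05", 15_000), ("S-06", 600), ("S-07", 1_200_000), ("S-08", 40),
    ("S-09", 9_800), ("S-10", 310), ("S-11", 75_000), ("S-12", 55),
]

# Constructed: the subset that a media-sourced public list picked up.
PUBLISHED = {"S-03", "S-05", "S-07", "S-09", "S-11"}

# (lower bound inclusive, upper bound exclusive or None, label)
SIZE_BUCKETS = [
    (0, 1_000, "<1k"),
    (1_000, 100_000, "1k-100k"),
    (100_000, None, ">=100k"),
]


def bucket(records_affected):
    """Map a record count to its size bucket label."""
    for lo, hi, label in SIZE_BUCKETS:
        if records_affected >= lo and (hi is None or records_affected < hi):
            return label
    raise ValueError(f"no bucket for {records_affected}")


def coverage(registry, published):
    """Fraction of registry incidents that appear in the published list."""
    seen = sum(1 for incident_id, _ in registry if incident_id in published)
    return seen / len(registry)


def undercount_factor(registry, published):
    """How many registry incidents exist per incident the public list caught."""
    return 1 / coverage(registry, published)


def coverage_by_size(registry, published):
    """Per size bucket: (incidents the public list caught, incidents in registry)."""
    tally = {label: [0, 0] for _, _, label in SIZE_BUCKETS}
    for incident_id, n in registry:
        label = bucket(n)
        tally[label][1] += 1
        if incident_id in published:
            tally[label][0] += 1
    return {label: tuple(v) for label, v in tally.items()}


def size_bias(registry, published):
    """Median records_affected for caught vs. missed incidents.

    A large gap between the two medians is the size bias the talk warns
    about: the public list is not a random sample of what happened."""
    caught = [n for i, n in registry if i in published]
    missed = [n for i, n in registry if i not in published]
    return median(caught), median(missed)


if __name__ == "__main__":
    print(f"coverage: {coverage(STATE_REGISTRY, PUBLISHED):.2%}")
    print(f"registry incidents per published one: "
          f"{undercount_factor(STATE_REGISTRY, PUBLISHED):.1f}")
    for label, (seen, total) in coverage_by_size(STATE_REGISTRY, PUBLISHED).items():
        print(f"  {label:>8}: {seen}/{total} caught")
    caught_med, missed_med = size_bias(STATE_REGISTRY, PUBLISHED)
    print(f"median size, caught: {caught_med}; missed: {missed_med}")
```

On this constructed data the public list catches fewer than half of the registry's incidents and none of the ones under 1,000 records, so any per-incident statistic derived from the public list alone would describe only the large, newsworthy tail. Anyone with access to a real state registry can drop it in place of `STATE_REGISTRY` and get the same three numbers for actual data.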
I’ll be writing more on this subject now that I have received the fourth batch of breach reports from my pals in New York, and my other pals in New Hampshire have made such materials available on-line.

Doctors want more study on overuse of books

(Adds psychiatrist interview, industry comment, paragraphs 4, 7-17)

CHICAGO, June 27 (EmergentChaos)- The American Medical Association called for more research into the public health risks of books and reading on Wednesday but stopped short of declaring them addictive.

The AMA, which recommended a review of the current publishing system, also said it would leave it up to the American Psychiatric Association and other experts to decide whether reading addiction should be designated a mental illness.

“While more study is needed on the addictive potential of books, the AMA remains concerned about the behavioral, health and societal effects of book and library overuse,” said AMA president Dr. Ronald Davis. Davis said research has linked exposure to media violence with increased aggressive behavior.

The AMA’s debate over reading addiction at the group’s annual meeting touched a nerve among doctors, who are not sure what to tell patients and worried parents.

“To the extent that a book is controlling someone’s behaviors and taking over their daily life, then you are talking about a compulsive use, whether you categorize it in a psychiatric manual or not,” Davis told reporters at a news briefing.

Dr. Timothy Fong, a psychiatrist at the University of California at Los Angeles who specializes in addiction, said books could be a problem for some.

“Anything in the world can be addictive if you have that biological vulnerability to develop an addiction,” he said in a telephone interview.

“This is a brain disease for a very small percentage of kids, but not all kids can become addicted to books.”

Fong said there needs to be more empirical research into the effects of books, especially on children.

“Otherwise, we are just spouting out myths and stereotypes,” he said.
Addiction experts strongly opposed a push earlier this week at the AMA’s annual meeting to declare video game addiction a mental illness and recommend its inclusion in the American Psychiatric Association’s Diagnostic and Statistical Manual of Mental Disorders.

Fong said parents should be involved in what their children are playing, because different children experience games differently.

He compared two adolescents he recently saw, one with a games problem. “His grades are suffering. He is trying to hide his game play from his parents,” Fong said.

The other boy plays sports as well as reads and has “a wonderful home life.” “He has other interests,” Fong said. “That is someone who does not have an addiction.”

Ray Bradbury, president of the National Publishers Forum, which represents the $30 billion global publishing industry, said the group understands parents’ concerns.

“Our industry encourages consumers to enjoy books just as they do any other leisure activity: responsibly and in moderation as part of a well-rounded, well-adjusted lifestyle,” he said. “As a science fiction author, I predicted medicalizing childish behaviors decades ago, so it’s not like this is a surprise to us.”

Update (27 June): During the transcription of this article, a number of errors were inadvertently introduced. Among them, the words “video game” were accidentally rendered as “book.” Also, the second part of Mr. Bradbury’s quote does not appear in the original article, nor was it Mr. Bradbury who made the comment. Emergent Chaos regrets the error.

My Privacy Enhancing Technologies talk

At the Privacy Enhancing Technologies workshop, there is a ‘rump’ session, designed for work that’s not of sufficient quality to make it into the workshop. (And given that the workshop now has a 20% acceptance rate, there’s some pretty interesting stuff that doesn’t make it in.)

I didn’t use it for that; I used it to share an idea with the attendees. The idea is that losses of control over personal information are being reported on not as privacy stories, but as security stories. I’m hoping that we’ll see more on privacy in these stories, and I exhorted people to pay attention to that aspect in “Privacy Enhancing Technologies and Breach Disclosures.”

Maybe things are different (maybe they’re the same)

The article to which Adam linked in his post about Dark Side of the Moon mentioned derivative versions of the album as performed by other artists. That got me thinking of memorable covers, such as Senor Coconut’s classic renditions of Kraftwerk tunes (like The Robots and Autobahn).
Ultimately, I just gotta throw in a quick mention of an awesome remake of Brian Eno’s Taking Tiger Mountain by Strategy.
If you like Eno’s album, you’ll like the CD by Doug Hilsinger with Caroleen Beatty.
(Picture via

All That You Buy, Beg, Borrow or Steal

Let’s face it. There hasn’t been a better pressing of Dark Side (with the possible exception of the original vinyl, which I haven’t heard) than the Mobile Fidelity gold disk. Which doesn’t prevent EMI from releasing it over and over again. That makes perfect sense, it keeps selling like mad. As bbum points out in “Dark Side of the Moon: The Porn of Audio Media:”

Back when CDs were launched in the early ’80s, Dark Side of the Moon dominated the CD sales charts for years and years. Similarly, it had been one of the hottest selling LPs back in the days when vinyl was king. As of today (6/07), the album has been in the top 100 — typically in the top 5 — for 1,558 weeks. Almost 30 years!!

So, I watched with quite a bit of amusement to see Dark Side of the Moon quickly take and hold the #1 (now #2) position in iTunes Plus. A 350% increase in sales was reached in the week after the launch of iTunes Plus. Thus, iTunes is following the same pattern as other audio oriented media; DSotM dominates sales as soon as a high quality recording is available in that format.

I wonder if DSotM on iTunes Plus will create or destroy physical media sales?

(Via Josh Gruber’s link blog.)

Last Friday, Amrit again said that no wars are won through awareness, and although he repeatedly claims that he’s not against user awareness training, he doesn’t really tell us where he thinks it should fit in. Instead he shows his bias as a former product manager and Gartner analyst and focuses purely on tools, providing a truly massive list of differing technologies that he feels shouldn’t be “de-prioritized”. Tools don’t mean jack if users don’t understand why they are there and how to use them appropriately. The appropriate time to begin user awareness training is not after everything else is in place, or even after “bare bones security measures,” but right away.
The time (as Amrit puts it) to “skip barefoot and joyfully through the glass shards that are human behavior” is day one. That’s why at most large companies new employee orientation includes a copy of the employee handbook and a review of its contents. How hard would it really be to add in a bit about appropriate use? For that matter, companies that fall under SOX already have employees annually signing that they understand the corporate ethics rules, again a prime time to also remind them of information security. Sure, it’s only once a year, but combine that with monthly postings to an intranet site or an email newsletter and suddenly, with a minimum of effort, you can make a huge difference. Will users occasionally still click on a virus-infected email? Sure. Are they less likely to leave their laptops in the back seat of their cars if you give them an occasional reminder not to? You betcha, and if I can reduce laptop loss by even a couple of percent, or don’t have to fire an employee for misconduct, then it’s more than worth that minimum effort.

Defending Metrics

Yesterday, I attacked metrics, claiming that the way they are being used today, they are useless to upper management and don’t relate the value of the InfoSec team to the business. While I stand behind that claim, I also believe that a lot of the metrics being gathered today are very useful to technical management, especially those with operational responsibilities. With that in mind, I’d like to point our readers to a newish blog, Security Retentive by Andy Steingruebl. Andy and I worked together way back when and I can’t say enough nice things about him. On Sunday, Andy talked about building effective metrics. In this case, he talked about vulnerability management, though he promises to cover anti-virus software and software security in later posts. I for one will be on the lookout for the follow-ups. Andy covers a good strategy for launching and measuring a vulnerability management program. I don’t want to steal his thunder, so go read what he has to say.

Attacking Metrics

Last week I had the pleasure of having lunch with Alex Hutton from RMI, and we got to talking about metrics. Specifically, we talked about how most metrics that we security folks come up with are, well, boring, and effectively useless to upper management. At best they are focused on technical management such as the CIO and CSO. Like much of the rest of our industry, we metrics folks have again failed to relate our services to the business at large. Yesterday, Alex posted a great article on the sad state of metrics in our industry. I claim no credit whatsoever for any of Alex’s content (his thoughts there go far deeper than anything we covered over bowls of Pho). I heartily encourage you all to read what he has to say, as he covers far more ground than what I’ve hinted at above.

One Company Gets The Privacy Thing

I currently love my mortgage company. Those that know me in real life know that I recently bought a house. Yesterday, I received a privacy notice in the mail from them. I figured it was the standard template that everyone uses, saying that if I didn’t want my information shared, I should call them up, email them, or fill out the stupid little form and mail it to them. I was pleasantly surprised, however, to discover that they were in fact doing the exact opposite. The letter was actually an opt-in for data sharing. I really love it when companies make things easier for me. Interestingly, their posted privacy policy claims that the opt-in is only for residents of California and Vermont, and I’m not living in either of those states. So I guess they’ve expanded their process beyond those states. Regardless of the reason, I appreciate the way these folks have done things.

The ‘Gay Marriage’ of Computer Security?

Reading Dale Carpenter’s post on Volokh, “Big win for SSM in Massachusetts,” I was struck by how similar his narrative is to my thinking around breach notice. He writes (and I emphasize):

What’s so striking about the vote today is how dramatically support for SSM has grown in the legislature (and in state public opinion polls) since the state supreme court ordered the recognition of gay marriages in 2004. Back then, before the state had any experience with such marriages, there was overwhelming opposition to the idea. Only about a third of the state’s 200 legislators fully supported gay marriage. The only real disagreement was whether the state should constitutionally ban both civil unions and gay marriages or just ban gay marriages. Opponents of gay marriage back then gambled that they could hold out for a broad ban — a tactical decision that cost them.

The delay … let the initial anxiety subside. More than 8,500 same-sex couples got married in the state with no obvious or immediate effect on Massachusetts families or existing marriages.

I think we’re seeing something very similar around broad breach disclosure. There was overwhelming opposition to the idea, but as it’s happening, and the initial anxiety is subsiding, we can have a much more rational discussion.