The Words of our (Founding) Fathers

There’s an article in the Washington Post, “In the Course of Human Events, Still Unpublished.” It’s about how the papers of the founding fathers of the United States are still not available except in physical form, and the scholarly practice that keeps them there.

Many of the founding fathers’ letters have been transcribed and made available over the years, and the original documents can increasingly be found online. But it is the painstaking annotation of these thousands of documents — their detailed explanation — that takes so long. Scholars check and double-check each reference and then try to explain each one and put it in context. A page of the massive annotated tomes can contain a snippet of a document and then a long footnote of explanation.

It seems to me that, while useful, footnotes and explanations inevitably reflect the time in which they’re written. The writings of those brilliant men usually speak for themselves. There’s certainly context and explanation that adds to it, but for heaven’s sake, get the originals out there. They’re far more important than the footnotes.

Deloitte & Touche, Ponemon Study on Breaches

According to Dark Reading, “Study: Breaches of Personal Data Now Prevalent in Enterprises:”

According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executives surveyed — some 800 individuals — claimed at least one reportable security incident in the past 12 months.

Sixty-three percent said they have experienced between six and 20 breaches affecting personally identifiable information (PII) in the past year.

Most of the reporting is on that 85% number. I think the second number is far more interesting: 63% have experienced more than 5 breaches, and that shocks me. I’m way behind on Ponemon Institute research, and I hope to say more shortly.

[Update: see the comments for some excellent analysis.]

Clark Kent Ervin on TSA Security

Normally, it’s not news when someone takes aim at TSA policies like this:

If you are someone who suspects that what is billed as “aviation security” is often more show than substance, you are not alone. In fact, you are part of what Nixon aides used to call the “silent majority.” The security bureaucracy seems to think that as long as it is seen as doing something, and so long as another terror attack does not occur, the public will at least feel secure enough not to insist that it do whatever needs to be done actually to make us secure.

It’s a bit more unusual when that someone is the former inspector general of the Department of Homeland Security. Go read what Ervin has to say in “Screening Dreams.”

Ask.com is not asking “Will Privacy Sell”

There’s a bunch of press around Ask.com’s marketing of their new privacy service. I applaud them for thinking about this, and for drawing attention to the issue of search privacy. The New York Times had a story, “Ask.com Puts a Bet on Privacy,” and now Slashdot jumps in with “Will Privacy Sell?” This is the wrong question to ask, and it is going to lead to bad thinking for a long time, because what Ask.com is selling is not privacy, and it’s not a complete product. I’ll explain what it is, why it’s not privacy, and why it’s not going to sell.

The idea is that if you use AskEraser, Ask will not log what you’re doing. Sounds good, right? No AOL embarrassing disclosures! What could possibly go wrong?

The information typed by users of AskEraser into Ask.com will not disappear completely. Ask.com relies on Google to deliver many of the ads that appear next to its search results. Under an agreement between the two companies, Ask.com will continue to pass query information on to Google. Mr. Leeds acknowledged that AskEraser cannot promise complete anonymity, but said it would greatly increase privacy protections for users who want them, as Google is contractually constrained in what it can do with that information.

So the user doesn’t really get privacy. They get privacy with regard to Ask.com, but not with respect to Google. That’s not compelling. So I agree with Larry Ponemon that this isn’t going to be a competitive advantage, but he’s wrong when he says “Privacy only becomes important to the average consumer when something blows up.” Privacy is important to people, and they pay for it on a very regular basis, under two conditions:

  • First, they understand the threat.
  • Second, they understand the product being sold, and how it will protect them.

If you meet both of those conditions, and have an otherwise good product, you’re golden. Ask fails on both. Curtains, mailboxes, and single family detached houses are all sold on the basis of privacy. People understand others looking in their windows, and they understand curtains protect them. People don’t deeply get search engine record retention, and if they do, those who dig into AskEraser discover that Google can still keep its records.

So, what Ask.com is doing is offering a half-baked product. So if the question is “will half-baked products sell,” then I think we all know they won’t.

It’s too bad that this is going to be seen as a nail in privacy’s coffin. Nice move, Slashdot.

(This post draws heavily on my talk at the 2nd Annual Workshop on Economics and Information Security, where I presented on Paying for Privacy: Consumers and (or PDF or PPT), in which I look at consumers’ willingness to pay for privacy.)

Image: Google Street View looks through a window.

So when’s the Chicago gig, gents?

'Good Times Bad Times'
'Ramble On'
'Black Dog'
'In My Time Of Dying' (full version)
'For Your Life'
'Trampled Under Foot'
'Nobody's Fault But Mine'
'No Quarter'
'Since I've Been Loving You'
'Dazed And Confused'
'Stairway To Heaven'
'The Song Remains The Same'
'Misty Mountain Hop'
'Whole Lotta Love'
'Rock And Roll'

Playlist via:

Apparently, it was a righteous show…
Updated: Links to video added.

Data Thefts Triple This Year?

So says USA Today, in “Theft of personal data more than triples this year.” A few small quibbles:

  • I’d prefer if Byron Acohido had said “reported” thefts
  • It’s not clear if thefts or reports tripled. I suspect the reports, but proving that would be tough.

Both of those things said, it’s a good article, and helps get the word to a much wider audience.

Congratulations to the folks at attrition whose data is quoted. I think they do great work.

One other quick comment: I expect someone will do some simple math, note that 162 is more than half of 300, and jump to the conclusion that “more than half of all Americans had their data stolen.” This would ignore that 25mm of those records were in the UK. Even if that were not the case, odds are some people have had their data stolen repeatedly, and are thus multiply represented.

The Emergent Chaos of the US Presidential Campaign

This New York Times article really is interesting. It’s all about how candidates are losing control of their campaigns, and are in a new relationship with emergent phenomena on the internet.

Now, as we come to the end of a tumultuous political year, it seems clear that the candidates and their advisers absorbed the wrong lessons from Dean’s moment, or at least they failed to grasp an essential truth of it, which is that these things can’t really be orchestrated. Dean’s campaign didn’t explode online because he somehow figured out a way to channel online politics; he managed this feat because his campaign, almost by accident, became channeled by people he had never met.

Meanwhile, those candidates who have amassed roomfuls of well-paid online experts have frequently found themselves buffeted or embarrassed (or sometimes both at once) by mysterious forces outside their grasp. (“The Web Users’ Campaign,” The New York Times.)

Stupid Safety Feature Of The Week

I love my Prius. It’s fun to drive, eco-friendly, and even has lots of geek appeal. However, it has one incredibly moronic safety feature, which I was reminded of while driving through the snow the other day. Now, I have the base model, which means I don’t have fancy features like automatic skid prevention. Instead, what I have is a flashing light. When the wheels lose traction, a little icon starts flashing on the dashboard. Now that’s what’s useful: a distraction as the car starts to slide. More of a danger than anything else. Maybe next time they can add an audible alarm as well. Then the car will feel even more like an airplane cockpit….

CA1386 meet AB1298

Life is about to get a lot more complicated for companies that do business in California. I completely missed this getting signed back in October, but on 10/14 the Governator signed AB1298, which updates CA1386 to mandate that medical and health insurance policy information also be treated as PII. To say that this is a huge quantity of information that now needs to be encrypted is an understatement. To make things even more challenging for companies that handle this sort of data, AB1298 goes into effect on January 1, 2008, so lots of folks are going to be scrambling to implement encryption, or crossing a lot of fingers and hoping they don’t have a breach before they can come into compliance. It will definitely be interesting to see who publishes a breach first, and whether these new breaches follow the trends of the breaches we’ve already been seeing with financially oriented PII. It should also be interesting to see if any of the other 39 states (and Washington DC) follow suit and, if so, how long it takes them to do so.
[via the IAPP and Rebecca Herold]

Working on the Traveling Band

If you travel a lot, you’re used to dealing with many network difficulties. For a while now, I’ve been traveling with an Airport Express, which has made life a lot easier. I set it up to use DHCP, plug it into the hotel Ethernet, and go. At the very least, it means I can work from the bed, rather than from a desk that is inevitably at the wrong height.

Even more so, I now travel with at least three devices that have WiFi — my laptop, my phone, and my iPod. I travel about half the time with my SO, who also has a laptop and an iPod with a network. I said “at least” because I also have a Nokia slate, which is a specialized device (I lug it along when I don’t want to lug a laptop, for example).

Also, for some reason the better the hotel you stay in, the more they charge you for Internet access. Sleep in a cheap hotel, and the network is free. Stay in an expensive one, and they charge you $10 to $15 a night. Stay in the UK, and you can face £18 a day for your net.

This is changing. Ramada and Radisson are doing a lot of free Internet. Fairmont gives free Internet to their President’s Club members (no better reason to join, for me). However, this still means that you have to figure out how to share your one obscenely expensive net connection with the coalition of devices in your room.

However, another way that this is changing is that there’s more and more wireless going into hotel rooms, and less wired. For us, wired is good, because you just plug a basestation into the net and you go. But with wireless, you need a basestation that listens on a wireless connection while re-broadcasting another.

For quite some time, I’ve been complaining that the appropriate router doesn’t exist. A few weeks ago, however, a friend told me about the D-Link DWL-G730AP, which purports to do what I want. I also found in my own research the Linksys WTR54-GS. They appear on the surface to be mostly equivalent. The Linksys comes in a compact package that has an AC plug bundled into the unit. The D-Link has a separate transformer, but can also be powered from USB.

I ended up getting the Linksys. The deciding factor was that both units have manuals on the web, and the D-Link manual is a high-level installation guide that describes several possible configurations, but the one I want is missing. The Linksys has a detailed manual that tells how to set it up from its internal web server, do MAC address spoofing, port mapping and redirection, and so on. A manual that told how to set up what I want was the clincher. I bought it right before a trip to the UK, and wanted to avoid buying wireless access.

There are a couple of annoying things about the Linksys. It cannot be a client on a secured network, which meant that I didn’t set it up before I left. I would have needed time I didn’t have to pull the “security” off of my G network to experiment. (It’s just WEP, hence the quotes around “security.” I consider it a no-trespassing sign.) Once in a hotel, I have not yet figured out how to put a password on the network it broadcasts. Each of my attempts resulted in having to hard-reset the device. It has a nice, convenient hard-reset button. On the other hand, I’ve been busy and in various stages of sleep-deprived brain damage, so I don’t know that it’s their fault that I haven’t figured it out. I settled for hiding the SSID. I don’t actually care if someone mooches on my hotel wireless, if they leave enough bandwidth for me.

If the D-Link will work as a wireless-to-wireless router, it has an advantage over the Linksys in being USB-powered. That means you can easily plug it in to your laptop while using paid wireless, and rebroadcast for your phone or iPod or SO. I just don’t know that you can. If someone has a definitive answer, place a comment below. If you’re from D-Link and reading this, make a note that you lost a sale solely because your manual confused me.

Thoughts on “Internet Miscreants”

I’ve been thinking about Franklin, Perrig, Paxson, and Savage’s “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants” for about three weeks now.

This is a very good paper. For the infosec empiricist, the dataset itself is noteworthy. It consists of 13 million public IRC messages (that is, in-channel stuff, not PRIVMSGs) obtained from several networks and channels, collected over a 7 month period. These messages contain sensitive information (such as PII) and offers to sell various illicit goods. The authors provide no information concerning the process by which the IRC networks and channels were selected for monitoring, a matter which may be relevant for those seeking to replicate their findings. For the CS crowd, they use a nifty machine-learning technique to identify and categorize messages which are advertisements.

The authors are able to present a number of fascinating descriptive statistics about the market they study, including the number and activity level of market participants, price history, measures of flow of goods into the market, statistics on which goods are offered for sale most often, etc.

This paper has gotten some attention in the trade press because it discusses methods which could potentially be used to disrupt this IRC-based underground economy. In a nutshell, the key is to make it impossible to tell good sellers from bad, thereby deliberately creating a market for lemons and driving out customers.

Ultimately, there are way more questions than answers. This has nothing to do with the paper, which is excellent. It has to do with disciplinary maturity, which we in information security lack, and with quality data, which we lack even more.

But dwelling on the positive for a moment, it is interesting to consider what we might be able to investigate using a dataset like this. At a macro level, we might be able to observe the price reaction given a sudden increase in supply. For example, if we have independent confirmation that at a particular time 100 million credit card numbers became available for sale, it would be interesting to see if this was followed by a drop in the asking price, and if so, how large a drop.

Even more interesting: if we already have an idea about the elasticity of price with respect to supply, we can estimate the size of the market based on observed price movements given a supply shock of known size. If, similarly, we observe an unexplained drop in price, we may presume that an unreported supply shock has taken place. This is an indirect estimator of the amount of the personal information iceberg existing below the waterline. Cool!
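As an added worked example (mine, not from the paper or the post), here is the estimator the two paragraphs above describe, carried through under an assumed constant-elasticity price model. The elasticity value, the 400 million market size and the weekly price series are constructed inputs; the 100 million figure is the post’s own hypothetical.

```python
# Constant-elasticity price model, an assumption made for this example:
#     ln P = c + eta * ln Q
# Q is the quantity of a good (say, card numbers) on offer and eta is the
# elasticity of price with respect to supply. eta is negative: more supply,
# lower price. Between two observations the constant c cancels, so
#     P1 / P0 = (Q1 / Q0) ** eta


def estimate_market_size(p_before, p_after, supply_shock, elasticity):
    """Back out the pre-shock market size Q0 from the price move that followed
    a supply shock of independently known size dQ (the post's "100 million
    card numbers" case).

    With Q1 = Q0 + dQ:
        P1/P0 = (1 + dQ/Q0) ** eta   =>   Q0 = dQ / ((P1/P0) ** (1/eta) - 1)
    """
    if elasticity >= 0:
        raise ValueError("elasticity of price w.r.t. supply must be negative")
    if p_after >= p_before:
        raise ValueError("price did not fall; no positive supply shock implied")
    implied_growth = (p_after / p_before) ** (1.0 / elasticity) - 1.0  # dQ / Q0
    return supply_shock / implied_growth


def infer_supply_shock(p_before, p_after, market_size, elasticity):
    """The reverse inference: given a market-size estimate and an unexplained
    price drop, return the unreported supply shock dQ the model implies."""
    if elasticity >= 0:
        raise ValueError("elasticity of price w.r.t. supply must be negative")
    return market_size * ((p_after / p_before) ** (1.0 / elasticity) - 1.0)


def flag_unreported_shocks(prices, market_size, elasticity, threshold=0.10):
    """Scan a series of asking prices (one observation per period) and report
    every period-over-period drop larger than `threshold` as a candidate
    unreported supply shock, with the quantity the model implies.
    Returns a list of (period_index, implied_supply_shock)."""
    events = []
    for i in range(1, len(prices)):
        p0, p1 = prices[i - 1], prices[i]
        if p1 < p0 * (1.0 - threshold):
            events.append((i, infer_supply_shock(p0, p1, market_size, elasticity)))
    return events


if __name__ == "__main__":
    ETA = -0.5                   # assumed elasticity, not a measured value
    KNOWN_SHOCK = 100_000_000    # the post's hypothetical: 100M card numbers
    # Constructed prices: $10.00 per card before, $8.94 after the known shock.
    q0 = estimate_market_size(10.00, 8.94, KNOWN_SHOCK, ETA)
    print(f"implied pre-shock market size: {q0:,.0f} cards")
    # Constructed weekly asking-price series with one unexplained drop at week 3.
    weekly = [10.0, 10.1, 9.9, 8.0, 8.1, 8.0]
    for week, shock in flag_unreported_shocks(weekly, q0, ETA):
        print(f"week {week}: drop implies ~{shock:,.0f} records hit the market unreported")
```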
There’s also a certain practical value. Consider the recent UK data breach. Already, there are reports that personal information from this incident is appearing on the underground market. Franklin et al. have provided us with an estimate of how much traffic in UK PII existed prior to this breach. The same surveillance techniques which informed their analysis are undoubtedly still under way today. Perhaps three, six, or twelve months from now a second analysis will show a dramatic increase in the amount of UK PII flowing through the market. The policy ramifications of knowing how great the lag is between PII being pilfered and its appearance on the market are significant. What use is a twelve month credit freeze, for example, if the lag is 24 months?

A final question that data like this can help answer concerns the relationship between breaches and identity theft. Since British banks reportedly are balking at monitoring all the accounts involved for fraud, this opportunity may be squandered. I commented on the important role banks could play back in June:

One way to estimate the extent to which having your PII exposed in a breach increases the probability of your becoming an identity theft victim is to watch for the exposed data elements using a fraud detection network
Other than using banks as a focal point and having them report on fraud using these stolen elements, I cannot think of another way.
I suppose one could try to determine whether the stolen elements were in the inventory of any black-market sellers, but I do not see how one can gain access to their inventory information. It’s clear that the illicit trade in this stuff is non-trivial, but I honestly do not know that we have anything approaching a comprehensive picture of the landscape.

(emphasis added)
I now see that I was overly pessimistic in my last two sentences, and I am thankful for that.
Let me close with a quotation about price data which reflects my current mood:

Certainly they tell us a great deal, some but not all of which is reflected in policy debates. At the same time much remains unknown. Given the number of instances in which deductive arguments have been promulgated with great confidence only to be refuted by empirical evidence, it seems wise to be somewhat cautious in drawing conclusions that go beyond the scope of the data.

Although some of what is not known is probably unknowable–at least in the medium term–there are considerable opportunities for expanding the range of questions that have been addressed empirically. Price data are much more accessible than data pertaining to prevalence or quantity. A relatively modest investment of resources could substantially increase both the quantity and the quality of the price data available for analysis.

This observation is from “What price data tell us about drug markets”, a 1998 paper. I fervently hope its applicability to the information security world is demonstrated by a stream of papers stimulated by Franklin et al.

Toasting Repeal Day

Today marks the 64th 74th anniversary of the repeal of Prohibition in the United States.

For 14 years, Americans were unable to legally have a drink. This led to a dramatic growth in the acceptance of organized crime and violence. Al Capone made his money in the demon rum, and was willing to fight for income and market share. It led millions of otherwise law-abiding Americans to speakeasies. The imposition of controls made the problem worse.

Back then, Congress had the wisdom and backbone to recognize a broken policy when they saw it, and passed the 21st Amendment to repeal prohibition.

An awful lot of chaos emerged from that day. People can now buy a staggering variety of vodkas, all perfectly identical in taste. There are thousands of wineries, all around the country, some internationally famous, and others providing great value wines. There’s a movement for the quality brewing of beer, ranging from stores providing everything you need to brew at home to Michelob trying to redefine their industrial process as craft brewing.

So raise a toast to the fact that you can buy booze from a wide variety of producers, and forget, for a moment, the worries of the day.* Enjoy the blessings of liberty which the Constitution aspires to, and hope that they’ll be expanded one day to the entire United States, to our youth, and to a wider variety of intoxicants.

Image: Enoteca, by Conmani, via

* Void where prohibited by law. Advice not intended for people under 21. Emergent Chaos encourages you to enjoy our products responsibly.

[Update: I can’t subtract. Thanks, Puck!]

Gartner the omniscient

This is in reference to the recent HMRC breach…

However, [Gartner VP Avivah] Litan warned that the chance of identity theft was actually small, at just 1%.

The probability of this estimate being scientifically defensible is 0.00%.
I’ll have something to say about learning (for real) from the HMRC breach in a soon-to-come post.

Book on Boyd

Frans Osinga’s book on Boyd, “Science, Strategy and War: The Strategic Theory of John Boyd” has been issued in paperback. Previously, it was $90 for a copy. The new paperback edition is $35.95, and is easily worthwhile at that price.

Science, Strategy and War is an academic analysis of John Boyd’s thinking and its origin. It may not be as good an introduction as Coram’s book, but it goes into far more detail about the theories he put forth, challenges narrow views of them, and provides a degree of academic respectability the work hasn’t previously had.

Via Global Guerrillas.