Black Hat Speaker Selection

Black Hat USA News:
We’re very proud to announce a new feature for paid Black Hat attendees
starting with the USA show in August – delegate access to our CFP system!
Paid delegates can now log into our CFP database, read and review our
proposed presentations and share their ratings and comments with Black Hat.

Your ratings will help us create the show you want to attend, and even help
focus presentations as they’re being created. We are excited to see what
kind of information we learn about what interests our delegates and what
kind of talks meet their needs best. We’ve always said that our delegates
make Black Hat the experience it is, and we’re glad to have the opportunity
to extend their influence on the final product. To read more about this new
opportunity, go to:

I think this is tremendously cool for a couple of reasons.

  • First, attendees get to influence what Black Hat selects. Help build the conference of your dreams!
  • Second, I’ve heard griping over the years about BlackHat’s selection process being opaque. I’ve helped out occasionally with talk selection, and let me tell you, what’s also opaque are a lot of the submissions that come in. Sometimes, it’s really hard to decide if a given submission would be good or not.
  • Another complaint is “the same speakers speaking every year.” A lot of times, these are easy accepts. The submissions are clear, the value prop is there, and they pack rooms.

I’m a big fan of transparency and openness, and I think that BlackHat and its attendees will all benefit from this move.

Now please go vote for me as a speaker.

(Just kidding, I haven’t submitted. Yet.)

Wendy Richmond’s Surreptitious Cellphone


At the International Association of Privacy Professionals meeting last week, I had the pleasure of meeting Wendy Richmond.

“Richmond is intrigued with the ways in which we share our public space. Some of us create invisible buffer zones for quiet reverie; others enhance or negate reverie through portable technology like iPods, cell phones and laptops. These zones become the subject of her videos and stills. Satisfying in both form and content, they are psychologically riveting, intentionally beautiful, and surprisingly witty portraits of our private lives lived publicly.” (From “Public Privacy” site.)

I think it’s tremendously cool to add an artist and their art to a business conference. Too often, we find ourselves focused entirely on questions such as cost of compliance, or forthcoming regulation. Bringing in new and different perspectives may be uncomfortable or challenging, but it’s important to remember the people for whom we’re doing this work.

I’d encourage anyone running a conference to consider bringing in artists whose work touches, even tangentially, on the subject at hand.

Who knows, you might have some chaos in an otherwise too-well-oiled machine.

Photo: Wendy Richmond, photo with Adam’s cell phone and permission.

A Crime That Flourishes Because Victims Remain Silent

There’s a fascinating article in the New York Times, “Report Sketches Crime Costing Billions: Theft From Charities.”

“I gave a talk to a group of nonprofit executives a few weeks ago, and every single one of them had a fraud story to tell,” said one of the report’s authors, Janet S. Greenlee, an associate professor of accounting at the University of Dayton. “This has been going on for years, but there’s a feeling that it shouldn’t be discussed,” because of the effect it might have on donations.

But it will now be harder for charities to hide fraud, because beginning with tax forms they must file for 2008, the Internal Revenue Service has added a question requiring them to disclose whether they have experienced theft, embezzlement or other fraud during the year.

This resonated pretty strongly with points we make in the New School. It’s about how problems fester when we don’t talk about them. There’s a principal-agent problem here, where charities, acting as agents for their donors, are actively concealing problems. And it shows yet another example of diverse perspectives helping to solve problems.

The report is available at “An Investigation of Fraud in Nonprofit Organizations.”

Dan Solove’s books free and online

Dan Solove has put his two current books, “The Future of Reputation” and “The Digital Person” online for free.

I’ve felt bad in not reviewing The Future of Reputation, because I really enjoyed it, and have been trying to figure out what to say. Solove does a great job of surveying reputation in its many forms, and offering up an interesting framework for making tradeoffs about how to manage some of the costs and benefits of being able to speak freely about people online.

Check them out!

Saving the Taxpayers Money

The Washington Times reports, “Outsourced passports netting govt. profits, risking national security.” It is the first of a three-parter.

Interesting comments:

The United States has outsourced the manufacturing of its electronic passports to overseas companies — including one in Thailand that was victimized by Chinese espionage — raising concerns that cost savings are being put ahead of national security, an investigation by The Washington Times has found.

The Government Printing Office’s decision to export the work has proved lucrative, allowing the agency to book more than $100 million in recent profits by charging the State Department more money for blank passports than it actually costs to make them, according to interviews with federal officials and documents obtained by The Times.

The GPO tells us we don’t need to worry, because the blanks are moved by armored car. I feel better already, but can’t stop giggling.

Science in Action


The New Scientist reports in “Have peacock tails lost their sexual allure?”

A controversial study has found no evidence for the traditional view – practically enshrined in evolutionary lore – that peahens choose their partners depending on the quality of the peacocks’ tails.

Obviously, traditionalists have many things to say about the quality of the study. Because, of course, everyone knows it’s true.

New, Improved Indiana Breach Law

Thanks to infosec expert (and Indiana resident) Chris Soghoian, and a receptive state legislator who listened to an informed constituent, Indiana now has a much improved breach notification law, closing a loophole we discussed previously.
We’ve written about expert involvement in crafting improved state laws before, most recently here.
BTW, the loophole Indiana has fixed still has a tenacious grasp on the press. As folks on the Dataloss Mailing List know all too well, nary a week goes by without a reporter dutifully and unquestioningly stating that “risk is said to be small, since the stolen laptop was protected by a password”. More on this in a future post.

The Principal-Agent Problem in Security

There’s a fascinating article in the New York Times, “At Bear Stearns, Meet the New Boss.” What makes it fascinating is the human emotion displayed:

“In this room are people who have built this firm and lost a lot, our fortunes,” one Bear executive said to Mr. Dimon with anger in his voice. “What will you do to make us whole?”

The packed room of senior managing directors applauded.

Mr. Dimon responded gingerly. “You’re acting like it’s our fault, and it’s not. If you stay we will make you happy.”

But the Bear employee was not satisfied. “I think it’s galling you come into our house and you call this a ‘merger,’ ” the Bear executive went on.

Now, there’s an easy slam on that exec, but I’d like to do better than that. There’s a very real desire to not go from the mansion to the poorhouse overnight. Picking arbitrary numbers of shares, on Friday, this fellow might have held 10,000 shares, worth $300,000, representing a large fraction of his savings. Monday morning, it was worth $20,000. He’s worried about how he’s going to pay for his kid’s education or his next vacation. (There’s more excellent analysis in Jeffrey Lipshaw’s “Exuberant Bulls, Rueful Bears, and Rational Frogs.”)

People’s concerns, first and foremost, are for themselves.

People who work in security are often deeply concerned with security, because it’s the thing that makes or breaks their careers. They’re focused on the impact of security on them, as well as their business. So sometimes they make choices which aren’t perfect for the business, but take their perspectives into account. It’s only human.

Nick Owen talks a bit about the motives of security chiefs in “On the short tenure of CISOs and low-frequency, high-impact events.” (Damnit, Nick, I should have seen that. Now you’re banned from the prom.) ((Which is yet another instance of a principal-agent problem. I’d like to appear smarter and more insightful than Nick, so I have to ensure I don’t link to him.))

Economists call this set of issues principal-agent problems, with the classic example being Alice hiring Bob to sell a car that she doesn’t have time to sell. How does she know that he’s not selling it to a friend? Economists are generally worried about the CEO, but the thinking can and should be applied across a company. How do you ensure people’s motives are well aligned with those of the business and its shareholders?

Nick Szabo has some interesting points about “representation distances” in a political analysis of principal agent problems. I’m surprised that he talks about the distance from one agent to a group. I would think that the interesting questions involve average distances between various groups and agents, and the tensions between them.

On the Frequency of Fake bin Laden Messages

I’ve noticed that every time there’s a new message from Osama bin Laden, the press very carefully calls into question its authenticity. For example, CNN’s article “Purported bin Laden message: Iraq is ‘perfect base’” opens:

Al-Jazeera broadcast on Thursday an audiotape on which a voice identified as Osama bin Laden declares “Iraq is the perfect base to set up the jihad to liberate Palestine.”

The voice calls on “Muslims in neighboring countries” to “do their best in supporting their mujahedeen brothers in Iraq.”

So I’m wondering, have there been fake messages?

My understanding is that bin Laden’s manner of speaking, his words and phraseology, are quite unusual and hard to capture. What’s more, it doesn’t make sense for his followers to fake messages from him. As a leader who inspires through his words, the authenticity of those words is very important. It doesn’t jibe with my (admittedly limited) understanding to think that anyone would fake a message from him.

I understand that the intelligence community would like us to believe that they’re on the verge of catching him, that he might be dead, and that he can’t get messages out of his base in Pakistan’s Waziristan region.

But why does the media play along? Is there a problem with fake messages, or an expectation that there might be?

Ain’t Nobody’s Business But My Own


A year ago, I discussed stupid email disclaimers in, “If I Screw Up, It’s Your Fault!” This week, Brian Krebs of the Washington Post comes over the same issue, indirectly, in his “They Told You Not To Reply.”

Krebs tells the story of Chet Faliszek, who owns the domain, which he bought in 2000 as a lark. The interesting situation is that many otherwise sane people will send broadcast messages with a return address that has in it. And of course, people reply. When they reply, he gets the mail.

He gets customer service mail from Charbroil grills; financial service from Capital One and Merrill Lynch; network diagrams and vulnerability data from Yardville National Bank; faxes from Iraq contractor and former subsidiary of Halliburton, Kellogg Brown & Root; and of late very interesting mail from the Department of Homeland Security.

Krebs quotes Faliszek:

“I’ve had people yell at me, saying these e-mails are marked private and that I shouldn’t read them.”

“They get all frantic like I’ve done something to them, particularly when you talk to the non-technical people at these companies.”

The most delicious emails end up on his blog. He will remove them if you show proof of a donation to an animal protection league or humane society.

Note that if you send your email to Mr Faliszek, it becomes his email. No one suggests that there is anything untoward in owning No one suggests that the disclaimer has any standing. No one suggests that there is anything wrong with his letting you ransom those emails through good works.

Certainly, it’s stupid to use a domain like It’s a legal domain. There are some reserved domain names, and they are documented in RFC 2606. For Heaven’s sake, use donotreply@yourdomain! However, it’s worse to have the disclaimer. Non-expert, non-technical people might think that it has standing. Note what Mr Faliszek said, that people think that because they’re marked private, he shouldn’t read what’s delivered to his domain. I have every sympathy with these people. They think they’re protected, and they’re not. Fortunately for us all, Mr Faliszek is a nice guy who loves animals. Take it away, bandleader.
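The check that would have saved every one of those companies is a mechanical one: before a broadcast mailing goes out, confirm that the From and Reply-To addresses are either at a domain you actually control or at one of the names RFC 2606 reserves (`.test`, `.example`, `.invalid`, `.localhost`, and `example.com`/`.net`/`.org`), which are guaranteed never to belong to a stranger. The following is an added example, not code from the original post or from anyone mentioned in it; the set of “owned” domains and the sample addresses are constructed for illustration, and the reserved-name lists are the ones in RFC 2606 sections 2 and 3.

```python
"""Classify the sender address on an outbound broadcast mailing.

Added example. RFC 2606 reserved names are from the RFC itself; the
owned-domain set and sample addresses used in tests are constructed.
"""
from email.utils import parseaddr

# RFC 2606 section 2: TLDs reserved for testing/documentation; none will
# ever be delegated, so mail to them cannot reach a third party.
RFC2606_TLDS = {"test", "example", "invalid", "localhost"}
# RFC 2606 section 3: second-level names reserved for documentation.
RFC2606_SLDS = {"example.com", "example.net", "example.org"}


def domain_of(address):
    """Return the lower-cased domain part of an RFC 2822 address, or None."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    return domain or None


def is_rfc2606_reserved(domain):
    """True if the domain falls under an RFC 2606 reserved name."""
    labels = domain.split(".")
    return labels[-1] in RFC2606_TLDS or ".".join(labels[-2:]) in RFC2606_SLDS


def classify_sender(address, owned_domains):
    """Return one of 'owned', 'reserved', 'unowned' or 'invalid'.

    'unowned' is the dangerous case: replies (and bounces, and the
    confidential attachments people reply with) go to whoever registered
    that domain. 'reserved' never delivers anywhere, which is at least
    safe; 'owned' is the donotreply@yourdomain the post recommends.
    """
    domain = domain_of(address)
    if domain is None:
        return "invalid"
    owned = {d.lower().rstrip(".") for d in owned_domains}
    if domain in owned or any(domain.endswith("." + d) for d in owned):
        return "owned"
    if is_rfc2606_reserved(domain):
        return "reserved"
    return "unowned"


def unsafe_senders(addresses, owned_domains):
    """Filter a list of proposed sender addresses down to the ones to reject."""
    return [a for a in addresses
            if classify_sender(a, owned_domains) in ("unowned", "invalid")]
```

Wire `unsafe_senders` into whatever generates the mailing (a pre-send hook, a lint on the template repository) and fail the job on a non-empty result; a disclaimer in the footer does nothing, but a refused send does.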

Photo “its just sad” by Quiz….

Avoid ID theft: Don’t run for President

The Washington Post reports:

The State Department said last night that it had fired two contract employees and disciplined a third for accessing Sen. Barack Obama’s passport file.
Obama’s presidential campaign immediately called for a “complete investigation.”
State Department spokesman Tom Casey said the employees had individually looked into Obama’s passport file on Jan. 9, Feb. 21 and March 14. To access such a file, the employees must first acknowledge a pledge to keep the information private.
The employees were each caught because of a computer-monitoring system that is triggered when the passport accounts of a “high-profile person” are accessed, he said. The system was put in place after the State Department was embroiled in a scandal involving the access of the passport records of then-presidential candidate Bill Clinton in 1992.
“The State Department has strict policies and controls on access to passport records by government and contract employees,” Casey said.
The department uses contract employees to help with data entry, customer service and other administration tasks. The employee involved in the March 14 incident has only been disciplined so far, because the probe of that incident is continuing, an official said.

My translation is that the State Department, “in order to serve you better”, violates the principle of separation of privilege and allows individual contract call center people to access the passport data for everybody in the country. Then, after a high-profile person has his privacy grossly violated (they ran Clinton’s file because of malicious, false rumors he renounced his US citizenship during the Viet Nam era), they put in detective controls (not preventative — too obvious), but these only work for important people.
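To make the distinction concrete, here is what that style of detective control looks like over an access audit log, alongside two controls that work for everyone rather than only for names on a watchlist. This is an added example, not code from the original post and not a description of the State Department’s actual system: the log format, field names, watchlist and threshold are all assumptions, and the sample log lines are constructed (the dates echo the ones in the article, nothing more).

```python
"""Detective controls over a record-access audit log.

Added example. The log format (timestamp|employee|subject|justification),
the VIP watchlist and the per-day threshold are assumptions; the log
lines are constructed sample data.
"""
from collections import defaultdict

# Constructed sample audit log, one access per line.
SAMPLE_LOG = """\
2008-01-09T10:02:11|c1042|S-00112|CASE-7781
2008-01-09T10:04:53|c1042|S-90001|
2008-02-21T14:30:00|c2210|S-90001|
2008-03-14T09:15:42|c3377|S-90001|CASE-8102
2008-03-14T09:16:03|c3377|S-00340|
2008-03-14T09:16:20|c3377|S-00341|
2008-03-14T09:16:41|c3377|S-00342|
2008-03-14T09:17:05|c3377|S-00343|
"""

# Assumed "high-profile person" watchlist: the only thing the control
# described in the article looks at.
VIP_SUBJECTS = {"S-90001"}


def parse_log(text):
    """Parse pipe-separated access records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, subj, just = line.split("|")
        events.append({"ts": ts, "emp": emp, "subj": subj, "just": just})
    return events


def vip_alerts(events, vip_subjects):
    """The watchlist control: fires only when a listed subject is touched."""
    return [e for e in events if e["subj"] in vip_subjects]


def unjustified_alerts(events):
    """Subject-independent: any lookup with no recorded business reason."""
    return [e for e in events if not e["just"]]


def bulk_alerts(events, max_per_day=3):
    """Subject-independent: employees pulling more records per day than
    their job plausibly needs (threshold is an assumption)."""
    per_day = defaultdict(int)
    for e in events:
        per_day[(e["emp"], e["ts"][:10])] += 1
    return sorted(k for k, n in per_day.items() if n > max_per_day)


def run_controls(text, vip_subjects=VIP_SUBJECTS, max_per_day=3):
    """Run all three controls and summarise how many events each catches."""
    events = parse_log(text)
    return {
        "events": len(events),
        "vip": len(vip_alerts(events, vip_subjects)),
        "unjustified": len(unjustified_alerts(events)),
        "bulk": bulk_alerts(events, max_per_day),
    }
```

On the sample data the watchlist control sees the three VIP lookups and nothing else; the two generic controls catch the same three plus the ordinary citizens being pulled in bulk with no justification. None of this is preventative: the better fix is to require the justification (a case or call reference) before the record is returned, which is what separation of privilege asks for.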
Luckily, Bill Burton, spokesman for Senator Obama, has a keen grasp of the issues:

“This is a serious matter that merits a complete investigation, and we demand to know who looked at Senator Obama’s passport file, for what purpose, and why it took so long for them to reveal this security breach.”

One way to learn some of that, as I am sure Mr. Burton’s boss knows, is to get a decent national breach notification law.
While State may have been slow, they did the right thing, and canned the violators. Nothing reinforces a security policy better than a public execution, and nothing undermines one more effectively than blatant non-enforcement. With recent privacy breaches affecting not just semi-celebs like Presidential candidates, but also really important people, making sure that punishment is swift and sure seems like an obvious way to “incentivize good behavior”.

First in-depth review

Andre Gironda writes “Implications of The New School:”

Additionally, the authors immediately begin the book with how they are going to write it — how they don’t reference anything in great detail, but that the endnotes should suffice. This also put me off a bit… that is — until I got to the endnotes! Certainly from the beginning to the end of the book I was also kept in a state of constant interest thanks to the excellent writing. Even if you have read all of their past work, this book is certainly worth a read or two or three, maybe even quarterly.

He has a lot of detail in his review, while I’m just quoting the intro, blown away and grateful that someone would suggest reading it quarterly.

Thanks Andre!

Algorithms for the War on the Unexpected

Technology Review has an article, “The Technology That Toppled Eliot Spitzer.” What jumped out at me was the explicit statement that strange is bad, scary and in need of investigation. Bruce Schneier is talking a lot about the war on the unexpected, and this fits right into that.

Each category is analyzed to determine patterns of ordinary behavior. Every single transaction by customers in these groups, and even patterns of transactions stretching back as far as a year, are then scrutinized for evidence of deviation from this norm using measures such as the number, size, or frequency of transactions, among others.

When “not behaving normally” is considered grounds for investigation, there’s an inevitable chilling effect. The willingness of people to do new, exciting things is reduced by the risk that they’ll get on some financial blacklist, and be unable to buy a house or a car.

(Via Paul Kedrosky)

Context, please!

Chess masters will sometimes play chess against a dozen or more competitors at once, walking from board to board and making a move. The way they do this isn’t to remember the games, but to look at the board, and make a decent (to a master) move each time. They look at the board, get all the information they need, and act. Remember that as context as you read the rest of this post.

So over the past few months, I’ve been noticing more and more people cutting the context out of their email, and replying in a way which can be read on a single screen. This is nice. Concise replies are often good. But where’s the context? Why are you removing all the conversation which happened before? I get and send a lot of email. I send roughly 15-20 messages a day from my personal account, and probably 30-50 a day at work. How many I get is a little hard to count because of all the spam, but it’s probably around the same into my inboxes.

The context of a conversation helps me remember what’s being said, and why. (This, incidentally, is why top-posting is good for short conversations that stay short, and bad for long ones.)

For example, I’m trying to set up an appointment to talk to a former co-worker about some stuff. I haven’t added him to my IM address book, and in his response agreeing on a time, he cut that information. Not only that, there was effort involved in cutting it. Maybe it’s only 1 or 2 clicks, or 10-15 characters of typing to find the rest of the conversation, but that’s still more work than having it all right there.

So please, think about context when you send email. Just like chess masters can see the board, let your co-respondent see what you’re responding to.

If you do, you’ll get more complete and useful responses faster. It’s in your best interest. That’s not just with me. Think about the usability of what you send to people–it pays off.