Jonathan Ive’s Sharia Style

I was on a business commuter flight the other day, which was also the maiden voyage of my MacBook Air. I had it out before takeoff. This was an international flight and I was in bulkhead. On international flights, they’re not as strict about not having your laptop on your lap during takeoff. This flight was only an hour and ten, and if I had to wait ’til cruising altitude, I’d never get any work done.

I slid it into the middle of my Economist (manila envelopes are the only thing it fits in), but other guys had their mondo Dells out, so I stopped hiding it.

One of the flight attendants saw it and came over, pouncing on me. Drat. Nabbed.

I blinked when she cooed, “Ooooooo, is that the new MacBook? Can I touch it?”, because this wasn’t what I would think of as a nerd-bird. It was Etihad from DMM to AUH, and after a few days in Al Khobar, I found the fact that the flight attendants had neither an abaya nor hijab to be a pleasant surprise.

I handed it to her. She called over another flight attendant, who also cooed over it. They passed it back and forth extolling, “It’s so light! It’s so smooth! It feels sooooo good!”

They called over a third young woman who turned up her nose and sniffed, unimpressed, “My brother has one of those.” She thus put the others in their place for being so unsophisticated as to not be totally bored by it yet. It’s a good thing that SAFEE isn’t implemented, yet, or we’d never have gotten off the ground. If looks could kill….

Pointedly ignoring her, my pair of flight attendants marveled over the Air for a bit longer and then handed it off to me so they could play with seatbelts and oxygen masks.

After they left, the guy across the aisle turned to me and said, “My god, I never thought I’d see the day when a laptop was better at picking up girls than a Ferrari. That’s it, I’m ditching Windows.”

CSO’s FUD Watch

Introducing FUD Watch:

Most mornings, I start the work day with an inbox full of emails from security vendors or their PR reps about some new malware attack, software flaw or data breach. After some digging, about half turn out to be legitimate issues while the rest – usually the most alarming in tone – turn out to be threats that have little or no impact on the average enterprise.

The big challenge for security writers is to separate the hot air from the legitimate threats. This column aims to do just that.

But for this to work, audience participation is a must.

I’m highly in favor of reducing the FUD. I hope that Bill Brenner’s efforts will help constrain and shame some of the worst of the FUD. However, it won’t go all the way. Bill admits that he’s working from opinion, not data. In The New School, we talk about how we need data on how often various problems actually manifest. When we get that data, we won’t need as much audience participation. In the meantime, go mock the FUDsters.

RIM speaks out on BB security


El Reg writes that the India Times writes that RIM has “blackballed” (El Reg’s words) the Indian Government’s requests to get BB keys, saying what we suspected, that there are no keys to give.

The India Times says:

BlackBerry vendor Research-In-Motion (RIM) said it cannot hand over the message encryption key to the government as its security structure does not allow any ‘third party’ or even the company to read the information transferred over its network.

The full RIM letter to its customers says:

Dear Valued BlackBerry Customer:

Research In Motion (RIM) is more excited than ever to be doing business in India and is extremely pleased by the enthusiasm of Indian customers toward the BlackBerry platform.

RIM recognizes that some customers are curious about the discussions that occurred between RIM and the Indian government regarding the use of encryption in BlackBerry products and understands that the confidential nature of these discussions has consequently enabled an opportunity for a variety of speculation and misinterpretation to arise.

RIM regrets any concern prompted by incorrect speculation or rumors and wishes to assure customers that RIM is committed to continue serving security-conscious businesses in the Indian market with highly secure and innovative products that satisfy the needs of both business and government.

RIM respects the needs of governments to balance regulatory requirements alongside the corporate security and individual privacy needs of its citizens and RIM will not disclose confidential discussions that take place with any government. However, many public facts about the BlackBerry security architecture have been well established over the years and remain unchanged. A recap of these facts, along with other general industry facts, can help customers easily debunk incorrect rumors and speculation and maintain confidence about the security of their information.

  • RIM understands and respects the concerns of governments. RIM operates in over 135 countries today and provides a security architecture that has been widely scrutinized over the last nine years and has been accepted and embraced by security-conscious corporations and governments around the world.
  • Governments have a wide range of resources and methodologies to satisfy national security and law enforcement needs without compromising commercial security requirements.
  • The use of strong encryption in wireless technology is not unique to the BlackBerry platform. Strong encryption is a mandatory requirement for all enterprise-class wireless email services.
  • The use of strong encryption in information technology is not limited to the wireless industry. Strong encryption is used pervasively on the Internet to protect the confidentiality of personal and corporate information.
  • Strong encryption is a fundamental requirement for a wide variety of technology products that enable businesses to operate and compete, both domestically and internationally.
  • The BlackBerry security architecture was specifically designed to provide corporate customers with the ability to transmit information wirelessly while also providing them with the necessary confidence that no one, including RIM, could access their data.
  • The BlackBerry security architecture for enterprise customers is based on a symmetric key system whereby the customer creates their own key and only the customer ever possesses a copy of their encryption key. RIM does not possess a “master key”, nor does any “back door” exist in the system that would allow RIM or any third party to gain unauthorized access to the key or corporate data.
  • The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key.
  • The BlackBerry security architecture was also purposefully designed to perform as a global system independent of geography. The location of data centers and the customer’s choice of wireless network are irrelevant factors from a security perspective since end-to-end encryption is utilized and transmissions are no more decipherable or less secure based on the selection of a wireless network or the location of a data center. All data remains encrypted through all points of transfer between the customer’s BlackBerry Enterprise Server and the customer’s device (at no point in the transfer is data decrypted and re-encrypted).
  • The same BlackBerry security architecture is maintained in all 135+ countries where the BlackBerry solution is commercially available and it continues to be validated through various formal and independent security certifications, including FIPS-140-2 (USA), @Stake security assessment, Common Criteria EAL 2+ (International) and CAPS (United Kingdom), as well as several other independent government approvals and customer assessments.

Once again, RIM is extremely pleased by the reaction of the Indian market to the BlackBerry platform and excited about the future in India. RIM also remains positive about the ongoing use of strong encryption in enterprise-class information technologies and believes that governmental security requirements in countries around the world, including India, will continue to be achieved in tandem with the domestic and international security needs of corporate customers.

My major grumble remaining is that while RIM has been very good at some assessments (FIPS 140 and CAPS are worth something, CC is not), those of us in the real world haven’t seen the BlackBerry architecture.

I still hear people say, “Oh, you can’t trust that because the French government banned them,” which is also FUD, but absent an open attitude toward public review, it is going to keep happening. My response to that FUD is to counter-FUD by pointing out that there’s no better way to spy on someone than to FUD their existing security system.

It’s worth something to know that Charlie Miller hasn’t broken the BlackBerry, but it would be better to have more to go on. Thank you for discussing this rather than ignoring it, RIM. Please, may we have another?

Photo “Indian BB” by Edlimagno.

Does the UK need a breach notice law?

Chris Pounder has an article on the subject:

In summary, most of the important features of USA-style, security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly lose personal data or fail to encrypt personal data when they should have done. Individuals are protected because they have simple and free access to the Information Commissioner, who has powers to investigate any complaint and fine. Compensation for aggrieved individuals could arise from any significant security lapse.

In other words, all the features of a security breach notification law are now found in existing data protection legislation. (“Why we don’t need a security breach notification law in the UK.”)

It’s an interesting analysis that breaches are already covered, and I think he’s probably right. However, he’s not certainly right. Attorneys are paid (in part) to argue, and I think most decent attorneys could construct an argument that the law is unclear.

I think there are two strong reasons to support a breach disclosure law: clarity and learning.

The argument for clarity is just that: the law may not be clear, and it will save U.K. organizations money to have a simple, clear law on the subject. (It can’t cost more for notifications, because that cost, according to Pounder, is already present. Similarly, there’s no increase in liability; that cost is already present.) But with a clear law, attorneys can’t charge as much for analysis.

The second reason for a law is to charge a public agency with collecting and sharing information about what happened and why.

As organizations go through this pain, we should learn from it. Not learning from it entails going through it again and again.

There’s a third reason, which is that even in the case of clear law, which exists in the US, only 3 of 21 retailers breached had told their customers. (Based on a Gartner survey, n=50.)

[Gartner analyst Avivah] Litan didn’t know whether the retailers had broken state laws by not informing their customers of the breaches, but she said it was a possibility. Some of the breaches may have happened before applicable state laws were in effect. (“Most Retailer Breaches Are Not Disclosed, Gartner Says.”)

Update: A friend in the UK pointed out privately that I could have been clearer about the evolution of common law, and how decisions establish law. The UK has not yet had many official rulings, and so both the law and practice are evolving rapidly. Their courts and regulators may look to other countries for guidance, and find that prompt notification is essential, both under many US laws and under evolving Canadian jurisprudence. For example, the “[British Columbia Office of Information Privacy Commissioner] says 41 days too long for breach notification.”

Visualizing Risk

I really like this picture from Jack Jones, “Communicating about risk – part 2:”


Using frequency, we can account for events that occur many times within the defined timeframe as well as those that occur fewer than once in the timeframe (e.g., .01 times per year, or once in one hundred years). Of course, this raises the question of how we determine frequency, particularly for infrequent events. In the interest of keeping this post to a reasonable length, I’ll cover that another time (soon).

And I’m looking forward to hearing how Jack says we should determine those frequencies.

One suggestion for improvement: state the timeframe on the chart label: “Loss Event Frequency (per year).”

Please read more carefully.

A paper by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti to be presented at the upcoming WEIS workshop examines the impact of breach disclosure laws on identity theft. The authors

find no statistically [significant] evidence that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce

The folks at Bank Technology News pick up this ball and run with it, proclaiming in a headline:

Study: Data Breach Laws Don’t Reduce ID Theft

This is, quite simply, wrong. Absence of evidence is not evidence of absence. Maybe the data just aren’t good enough (something we at EC have been complaining about — and even trying to fix — for some time).
Since the Bank Technology News article is behind a pay wall, I can’t read it. I hope it is more accurate in conveying Romanosky et al.’s recommendations than it is regarding their conclusions.
Those recommendations will be familiar to EC readers, and are worth quoting at length:

Proper research on the effectiveness of data breach disclosure laws is hampered by the lack of sufficient, high quality data. Hoofnagle argues that the current collection of identity theft records come from surveys and anecdotal accounts (Hoofnagle, 2007). He claims that current information is not sufficient and that banks and other organizations should be required to release identity theft data to the public for proper research. We certainly agree with this view. To the extent that reporting and other biases can be reduced, it will allow researchers to more accurately measure the impact of disclosure laws. Moreover, we believe that the proper collection of identity theft victimization, and consumer and firm loss data will be a valuable tool for researchers, policy makers and consumers. We therefore join others (Samuelson, 2007) in supporting the following recommendations to policy makers:

• Create a single, federal data breach disclosure law that covers all persons, private organizations, data brokers and state and federal agencies. This single law should reduce conflict between states laws and lower the barrier for compliance.
• Standardize the content of notifications to include only pertinent information (no marketing brochures) that includes actionable information for the consumer (e.g. date of breach, type of personal information lost, and customer support contact information).
• Define an oversight committee to be notified of all breaches. This will create an authoritative source of breach data that can be made available to policy makers, researchers and consumers.

I haven’t given this paper the time it deserves, so I’ll reserve comment. I’ve read it attentively enough to know that contrary to what some in the trade press may think, the jury is definitely still out on whether identity theft is decreased by breach laws.

Sing it shrdlu

Over at Layer8, shrdlu lays it out there and tells us what it takes to appear to be effective:

In all the initiatives I’ve rolled out in my (checkered) career, the ones that have gotten the most acclaim from my management have always been the ones that were most visible to the users. They turned out to be popular if they:
– were used directly by the users
– allowed the users to do something better, or faster, or better AND more securely
– helped reduce the risk of a legal problem


In the eyes of the business—the ultimate risk decision maker—the more it affects/helps the users, the bigger the win. So from a practical point of view, they’re using a very different set of risk factors than we are from behind our consoles and our dashboards.

These are both huge points that highlight the difference between what we as practitioners often think is important and what the business thinks is important. The trick, of course, is balancing the two correctly. My recommendation is, whenever possible, to add security by packaging it with a new offering that users want. For instance, at one employer there was a big push from users to be allowed to move from dial-up to VPN over their home broadband connections. We gave it to them, but took the opportunity to move from passwords to tokens for authentication. We got almost no complaints from users about it being harder or more complicated, because it was bundled with something they really wanted. This had the added bonus that, down the road, when we later required tokens for accessing certain critical systems, it was a well-understood technology that people were used to, so we got very little push-back, and we got compliments from our auditors for being so conscientious.

This May Be FUD


You may have seen this article from the India Times, “Govt may get keys to your BlackBerry mailbox soon.” Many people have been commenting on it, and the hand-wringing should build up to a good storm in a few days.

The gist of the article is that the Indian Government has told RIM that if they can’t read BlackBerry email, they might just ban all BlackBerries from India, and that RIM is caving.

Being the sort of person I am, I called someone who actually knows something. I can’t tell you anything more, precisely because they actually know something.

What I was told is that this is complete FUD and false. The BlackBerry crypto is real crypto, just like SSL, PGP, S/MIME or anything else. The keys are generated on the handsets and on the BES server. There is end-to-end crypto, using real protocols like SPEKE. RIM doesn’t have the keys to give. RIM cannot give the keys over because only the devices have them.
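As an added example that is not RIM’s code and does not model the real BlackBerry protocol (SPEKE key agreement is left out), here is a toy of the key-possession property that both the RIM letter above and this post describe: a customer-generated symmetric key held only by the BES and the handset, a relay in the middle that forwards opaque bytes, and the consequence that a request to the relay for “the key” has nothing to return. The cipher is a stdlib-only HMAC-based stand-in for AES; the message and the `Relay` class are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def _subkeys(master_key):
    """Derive separate encryption and MAC keys from the customer's master key."""
    return (hashlib.sha256(b"enc|" + master_key).digest(),
            hashlib.sha256(b"mac|" + master_key).digest())


def _keystream(enc_key, nonce, length):
    """Toy PRF keystream (HMAC-SHA256 in counter mode), a stand-in for AES-CTR."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master_key, plaintext):
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(master_key, blob):
    """Verify the tag before decrypting; return None (never partial plaintext) on mismatch."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class Relay:
    """Constructed stand-in for the carrier / vendor infrastructure between BES and handset."""

    def __init__(self):
        self.key = None   # never populated: the relay is not in the key's distribution path
        self.seen = []    # every blob that crossed this hop, as an observer would log it

    def forward(self, blob):
        self.seen.append(blob)
        return blob       # no decrypt-and-re-encrypt at this hop, as the letter states

    def answer_key_request(self):
        return self.key   # the only honest answer is "nothing"


def run_scenario(message=b"Q2 numbers attached - do not forward"):
    """BES -> relay -> handset with a customer-generated key the relay never sees."""
    customer_key = os.urandom(32)      # generated by the customer, copied only to the handset
    bes_key, handset_key = customer_key, customer_key
    relay = Relay()

    blob = relay.forward(seal(bes_key, message))
    delivered = unseal(handset_key, blob)

    # Anyone holding only what the relay saw has ciphertext, not the message.
    relay_sees_plaintext = message in b"".join(relay.seen)

    # A blob modified in transit (one ciphertext byte flipped) must be rejected, not decrypted.
    tampered = bytearray(blob)
    tampered[20] ^= 0x01
    tamper_rejected = unseal(handset_key, bytes(tampered)) is None

    return {
        "delivered": delivered,
        "relay_has_key": relay.answer_key_request() is not None,
        "relay_sees_plaintext": relay_sees_plaintext,
        "tamper_rejected": tamper_rejected,
    }
```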

Of course, as is true in all hatchet jobs, the lead is with weasel-words:

In a major change of stance, Canada-based Research In Motion (RIM) may allow the Indian government to intercept non-corporate emails sent over BlackBerrys.

See that? It’s the word may.

Here’s my own text, which I know may be true because I just may have made it up:

In a major cryptographic breakthrough, Canada-based Research In Motion (RIM) may soon put quantum cryptography in all new handsets, preventing any interceptions, because it’s well, you know, quantum, and quantum is cool.

Or this:

In a major scientific advancement, Canada-based Research In Motion (RIM) may have accepted an order for 10 million BlackBerrys from space aliens living on Epsilon Eridani. A faster-than-light (FTL) email relay server may be installed at Barnard’s Star as part of this groundbreaking, er, space-breaking agreement.

And even:

In a major economic development, Canada-based Research In Motion (RIM) may have purchased the Large Hadron Collider from CERN. According to officials close to the development, Canadian High Commissioner David Malone may have approved the deal not merely despite, but actually because of the chance that the LHC could create a small black hole that would devour all of France. “Canada is just fed up with the pointy-lips in France making fun of their accents and may have decided to take proactive action. Details on this one will be provided in two or three weeks,” sources close to the deal may have told Emergent Chaos. No comment was available from the United Nations at posting time.

May, while a merry month, may also be the tool of liars.

RIM, I know you’re reading this, not only because we are one of the top 25 blogs, and not at all because we speak for the President of the United States, but because Adam used to live in Montréal and is no pointy-lips. Please, please give us a definitive statement. You have to call bullshit on this sort of thing before it becomes destructive.

I know and you know that there would be no better publicity for you than to call their bluff and say, “D’accord, pas des mûres pour vous.” (“Agreed, no blackberries for you.”) We would all cheer. BlackBerry sales will soar.

Photo “Indian BB” by Edlimagno.

The Costs of Security and Algorithms

I was struck by this quote in the Economist special report on international banking:

There were navigational aids to help investors but they often gave false comfort. FICO scores, the most widely used credit score in America, were designed to assess the creditworthiness of individual borrowers, not the quality of pools of mortgages. “’Know your customer’ is a staple of banking that has largely been forgotten because of the disaggregation of the supply chain,” says Mark Greene, the chief executive of Fair Isaac, the company behind FICO scores. (“Ruptured credit”)

“Know your customer” actually hasn’t been forgotten; it’s been co-opted. It’s been co-opted by the “AML” (Anti-Money Laundering) crowd. (The Google search is also fascinating. Look at all those ads!) But more than that, “know your customer” has been co-opted by the surveillance state: the people who want to know where your money is going in case they need to investigate you.

Bruce Schneier has a 5 step process for evaluating security:

  1. What problem does it solve?
  2. How well does it solve the problem?
  3. What new problems does it add?
  4. What are the economic and social costs?
  5. Given the above, is it worth the costs?

To be clear, the whole idea of AML doesn’t pass this test. But let’s set that aside, and test the re-definition of knowing your customer. We can then look at steps 2 and 3, and ask “is re-defining a known element of good advice worthwhile?” I don’t think it is. I think it’s an example of how we let process and algorithms replace clear thinking.

It used to be that part of getting a mortgage was talking to a banker. You talked to an officer of the bank who was going to be collecting money from you for twenty years, and he made a call. That’s been replaced by the FICO algorithms and checking your ID. There’s now a process and an audit trail, and there’s no common sense. There’s no senior person who can see trends. To be fair, with common sense out of the loop, it’s become harder to impose racist lending standards. That senior person can’t imagine trends.

Back to the topic at hand, we’ve moved from “know your customer” as sage advice to trite bits of checklist faux diligence. We’ve lost something important.

Really, what we’ve done is substituted knowing a person with knowing their data shadow. That’s not the only problem, but it’s one of a set of synergistic changes that will cost us hundreds of billions to clean up.

(Data shadows is a great term, defined by Alan Westin. Bruce Schneier used it recently in his excellent essay “Our Data, Ourselves,” which I hope to shadow shortly.)

Image: “Sinister,” by Adactio.

New School Reviews

Don Morrill, IT Toolbox:

If you want to read a book that will have an influence on your information security career, or if you just want to read something that points out that we do need to do information security differently, then you need to go pick up a copy of “The new school of information security” by Adam Shostack and Andrew Stewart.

Amateurs Study Cryptography; Professionals Study Economics:

Adam and his co-author have produced a readable, compact tour of the information security field as it stands today – or perhaps as it lies in its crib. What we know intuitively the authors bring forward thoughtfully in their analysis of the information security industry: it is struggling to keep up with the defects in online communication, data storage, and business processes.

La industria de la seguridad: Vende desde la inseguridad (The security industry: selling from insecurity):

Reviewing chapter 2, titled “The security industry”, of the book by SHOSTACK and STEWART published by Addison Wesley in 2008 and called The New School of Information Security, it lays out clearly and openly the way the industry sets about selling the distinction of information security, both in the area of products and services and in good practices, checklists and standards.

It makes me strangely happy to have our first non-English review.

Finally, Keith Shaw at Network World interviewed me; the podcast is “Why security is failing.”

“The Black Hat Tax?” Show me the money

A number of people have sent me links to “Black Hat Tariffs – The Black Hat Taxes on consumer Internet companies are on the rise:”

In May 2006, I made mention of the Black Hat Tax, in which most consumer Internet sites have an inherent time, resource, and mindshare tax of roughly 25% due to scamming, phishing, hacking, and government requests. And this drainage has gotten worse two years later which is extremely troubling.

All these little, annoying things consume time … and not just the time of customer service people, but time of the company’s executives and engineers as well. The Black Hat Tax exceeds 25% for most consumer Internet companies right now, with some approaching 40%. That means that 25% of your engineering and management time is about preventing fraud or dealing with these annoyances. That is one onerous tax!

So I’m curious: what’s the sample size? How does that 40% break out? Who’s spending all that time, and what are they doing? Are there things that could be outsourced? (Seems like a possibly huge business opportunity.) Are there design flaws that are being paid for? What size companies are in the set?

I don’t know Auren. Reading his blog, he seems like a smart guy. I’m just looking for more on where the 40% number comes from, where it’s happening, and where it goes.

Apparently The State Department Didn’t Learn From Regular Passports

The Washington Times reports that the State Department is going to be producing “passport cards” for people who regularly travel by car or boat to and from Canada, Mexico and the Caribbean.

About the size of a credit card, the electronic-passport card displays a photo of the user and a radio frequency identification (RFID) chip containing data about the user. The State Department announced recently that it will begin producing the cards next month and issue the first ones in July.

That’s right, RFID, just like booklet-style passports. Only it won’t be encrypted and it won’t be shielded. It will even be “vicinity”, a.k.a. long-range, RFID, so the very intent is to read it from a distance. While the card isn’t supposed to have any personal information on it, it will link back to a database that does contain personal information. I, for one, don’t have a lot of confidence that that database can be kept properly secure.

Security specialists told The Washington Times that the electronic-passport card can be copied or altered easily by removing the photograph with solvent and replacing it with one from an unauthorized user.

And if that wasn’t bad enough, only about 10% of border sites will actually have readers:

Kelly Klundt, a spokeswoman for U.S. Customs and Border Protection, said the deployment of passport card readers to the largest and busiest 39 border-entry points was intended to expedite travel. The more than 300 remaining points of entry without passport card scanners are in remote locations, and officials will visually inspect passport cards at those entry points, she said.

Joel Lisker, a former FBI agent who spent 18 years countering credit-card fraud at MasterCard, said the new cards pose a serious threat to U.S. security. “There really is no security with these cards,” he said.

So there you have it. Once again the government is engaging in security theater rather than actual security.