Iowa breach law arrives a bit early

On May 10, Iowa became the 42nd U.S. state (counting D.C. as a state) with a breach notification law. The law itself is not remarkable. If anything, it is notably weaker than many other states’ laws.
When can we expect to see the last stragglers finally pass their laws? Here’s a plot of each state’s date of law passage, expressed in days since the Choicepoint episode became public. The x-axis is logarithmic.
Looks like a decent fit to me. In fact, a tad under 3% of the variance remains unexplained. Assuming that whatever accounts for this exponential decay remains for a while, the last state should have a law in place October 9, 2011 :^).

L’affaire Kozinski

Kim Zetter on Threat Level has written about Larry Lessig’s comments about Judge Alex Kozinski’s problems with having files on a personal server made public.

Zetter has asked to hear people’s opinions about the issue. I thought I’d just blog about mine.

Basically, I agree with Lessig. The major place that I disagree with Lessig is in his metaphor of someone jiggling open a lock. I think I would use the metaphor of someone pressing a camera to the judge’s window, and shooting pictures of the library through the gauze curtains. It was rude and inappropriate, whatever we might think of Kozinski as a judge. It was a privacy violation, and yes, a form of trespass. Perhaps somewhere in there it shows some hypocrisy, but privacy advocates who cheer showing someone’s hypocrisy by violating their privacy are hypocrites, too. (I am not accusing any specific people of this hypocrisy, I’m making a point.)

As Lessig and others have noted, nothing Kozinski did was illegal. Even in the case of his having MP3s, this was not illegal nor infringing, given what we know. It is completely legal in the US to make MP3s from your other media. It is not legal in the UK, nor in other countries, but he’s not a judge there. It’s also not infringing to set up a private server for family and friends.

RIAA, the MPAA, and other alleged defenders of intellectual property frequently deny that these things are legal, but if someone wants to show Kozinski’s hypocrisy by taking up those arguments, they’re essentially carrying RIAA’s and the MPAA’s water. This may be hypocrisy itself, if the people wanting to play gotcha consider themselves anti-RIAA/MPAA. It might also be simple stupidity. The media companies often and repeatedly advance opinions that, if there were any reasonable regulation of lawyers, would get the media lawyers disbarred. Bringing those cracked opinions to bear against Kozinski only gives them credibility they do not otherwise have.

The one place I do wish to take issue with Zetter’s article is this:

On a separate note, the ABA Journal, a publication of the American Bar Association, has a good story today that examines the MP3 issue, noting that Kozinski wrote the dissenting opinion in a copyright case last year in which he sided with the copyright holder in saying that credit card companies that process payment for material that violates copyright should be liable for facilitating illegal sales of copyrighted material. This would imply that if it turns out that Kozinski’s site was making MP3 files available for download, he would consider himself liable for facilitating the illegal trade of copyrighted material.

I’ll again note that I think I’m disagreeing with the ABA Journal, not with Zetter’s remarks on it.

No, this doesn’t imply that. The Audio Home Recording Act specifically allows one to time-shift content, media-shift content, and to share that content with family and friends. If Kozinski’s son implemented an el-cheapo equivalent of a Slingbox or iTunes Music Sharing and there were bugs in that implementation that let a clever person make unauthorized, infringing copies of the Kozinski Clan’s media, that’s an embarrassment. I am quite certain that Kozinski fils and père are quite properly embarrassed now. Unless we’re going to move from carrying the RIAA’s water to insisting on software liability for amateur programmers (won’t the FOSS crowd love that), then let’s let it drop.

Freedom isn’t doing what you want, freedom is defending people you disagree with. I actually don’t know if I disagree with Kozinski. I do know that I agree with Lessig. Privacy is an important right, and an intrinsic right. Everyone is deserving of privacy, even judges.

Woody Guthrie said that some will rob you with a six-gun and some with a fountain pen. It is not as euphonious to note that some will hack you with Metasploit and some will hack you with Google, but it’s no less true. I’m not going to stretch that metaphor much further, but I will note that the technological difficulty of an act doesn’t change its character. There’s good hacking and bad hacking. It isn’t good just because it was easy. Conjuring up dirt on a judge with an easy hack is conjuring up dirt on a judge. Here’s Lessig:

Now imagine … some disgruntled litigant … finds some stuff that he knows the local puritans won’t like. He takes it, and then starts shopping it around to newspapers and the like: “Hey look,” he says, “look at the sort of stuff the judge keeps in his house.”

I take it anyone would agree that it would be outrageous for someone to publish the stuff this disgruntled sort produced. Obviously, within limits: if there were illegal material (child porn, for example), we’d likely ignore the trespass and focus on the crime. But if it is not illegal material, we’d all, I take it, say that the outrage is the trespass, and the idea that anyone would be burdened to defend whatever someone found in one’s house.

Lessig spoke of illegal material. An infringing MP3 is not illegal material. Infringement is not theft, but even if it were, a stolen Rembrandt is not kiddie porn. Lessig understands that, and that’s why he picked the exception he did.

I’m one of Lessig’s anyones. It is outrageous to violate this person’s privacy and trump up their personal quirks (like thinking they can save a few bucks and write their own media server) into imagined crimes. If you believe in the right of privacy as a fundamental human right, then you should be outraged, too. We are all deserving of privacy. Even judges. Even judges who defend copyright. Even judges whose sons write buggy software.

Those of us who believe in the right to control the media we legally have in the way we see fit, not the way the media companies see fit, should be defending Kozinski. Those of us who believe that creating software should be an unencumbered right should be defending Kozinski. We need to remember which side we’re on. It’s the side of liberty, not control.

Quantum Pride

Sorry, it's a comic strip

One of the curious features of Quantum Cryptographers is the way they harumph at mathematics. “Don’t trust that math stuff, you should trust physics.”

It’s easy to sneer at this attitude because physics has traditionally gotten its cred because of its foundations in math. Physicists are just mathematicians who don’t squick at canceling dxes. Quantum people had a hard time for a while because some of their math ended up dividing by zero, which squicks many people even more than canceling differentials. Feynman got around that with some clever drumming and some pictures, but I sneer at the Quantum Crypto lack of respect towards mathematics every chance I get.

On the other hand, some of their attitude is justified. A few months ago, I shut up a cryptographer who was railing about the stupidity of religious people by saying, “Oh, yeah? Well, there’s no proof that factoring is hard. You’re taking that on faith. Intelligent Design, RSA, what’s the diff?” just because I hate all forms of certainty.

And so it is impossible to hide the smile on my face as I point you to the arXiv blog entry, “How to build a quantum eavesdropper” in which physicists Yuta Okubo, Francesco Buscemi, and Akihisa Tomita describe an experiment in how to create a quantum eavesdropper on quantum cryptography. The paper is here.

No word on when they’re going to propose to the ESA to do the experiment on the ISS.

The xkcd comic is “Purity” by the talented Randall Munroe.

Can You Hear Me Now?

Debix, Verizon, the ID Theft Research Center and the Department of Justice have all released really interesting reports in the last few days, and what makes them interesting is their data about what’s going wrong in security.

This is new. We don’t have equivalents of the National Crime Victimization Surveys for cyberspace. We don’t have FBI compiled crime statistics. What we have are lots of people with lots of opinions, making lots of noise. It can be hard to get your message heard over the noise.

Tufte talks about credibility as one important outcome of good visualization: showing your data effectively can make your case for you. In security, we haven’t shown our work very often. That’s why in the New School, Andrew and I made “gather good data” and “analyze good data” two of our key closing points. Some people have suggested they wanted more specifics, and I’m now glad that we didn’t. This outpouring of data makes this a tremendously exciting time to be in security.

Sharing data gets your voice out there. Verizon has just catapulted themselves into position as a player who can shape security.

That’s because of their willingness to provide data. I was going to say give away, but they’re really not giving the data away. They’re trading it for respect and credibility.

Verizon, we can hear you now. We can also hear Debix, the ITRC and the DoJ. Because they’re buying credibility with their data.

(Disclaimer: I’m a Debix shareholder, and I reviewed a draft of their report.)

[Update: Verizon’s report is getting lots of commentary. Interesting bits from Rich Bejtlich, Chris Wysopal, the Hoff or Slashdot.]

Department of Justice on breach notice

There’s an important new report out from the Department of Justice, “Data Breaches: What the Underground World of “Carding” Reveals.” It’s an analysis of several cases and the trends in carding and the markets which exist. I want to focus in on one area, which is recommendations around breach notification:

Several bills now before Congress include a national notification standard. In addition to merely requiring notice of a security breach to law enforcement, it is also helpful if such laws require victim companies to notify law enforcement prior to mandatory customer notification. This provides law enforcement with the opportunity to delay customer notification if there is an ongoing criminal investigation and such notification would impede the investigation. Finally, it is also helpful if such laws do not include thresholds for reporting to law enforcement even if certain thresholds – such as the number of customers affected or the likelihood of customer harm — are contained within customer notification requirements. Such thresholds are often premised on the large expense of notifications for the victim entity, the fear of desensitizing customers to breaches, and causing undue alarm in circumstances where customers are unlikely to suffer harm. These reasons have little applicability in the law enforcement setting, however, where notification (to law enforcement) is inexpensive, does not result in reporting fatigue, and allows for criminal investigations even where particular customers were not apparently harmed. (“Data Breaches: What the Underground World of “Carding” Reveals,” Kimberly Kiefer Peretti, U.S. Department of Justice, Forthcoming in Volume 25 of the Santa Clara Computer and High Technology Journal, page 28.)

I think such reports should go not only to law enforcement, but to consumer protection agencies. Of course, this sets aside the question of “are these arguments meaningful,” and potentially costs us an ally in the fight for more and better data, but I’m willing to take small steps forward.

Regardless, it’s great to see that the Department of Justice is looking at this as something more than a flash in the pan. They see it as an opportunity to learn.

Quanta In Space!


What’s the biggest problem with quantum cryptography? That it’s too expensive, of course. Quantum anything is inherently cool, just as certain things are inherently funny. Ducks, for example. However, it’s hard to justify a point-to-point quantum crypto link that starts at one-hundred grand just for the encryptors (fiber link not included, some assembly required), when you can get a couple of routers from CDW that do IPsec at a 99%+ discount.

What to do, then? Why not show the future and down-to-earth practicality of quantum cryptography by — I know! Let’s do it in space!

And so a proposal by thirty-nine co-authors for the Space-QUEST (Quantum Entanglement for Space Experiments) mission describes just that. The New Scientist also has an article, but the proposal is short and readable.

Space-QUEST proposes to the European Space Agency (ESA) that an experiment be taken to the International Space Station (ISS) that will do Quantum Key Distribution between the ISS and a ground station with an ultraviolet laser.

They would establish the one link, which shows “the generation of a provably unconditionally secure key at distance, which is not possible with classical cryptography.”

They would then establish two links with separate keys and XOR the two keys together. According to the proposal, this ensures that no one can intercept the communications of the two ground stations.

Out of that, one unconditionally secure key between the two ground stations can be computed. Using such a scheme would allow for the first demonstration of global quantum key distribution.

An important step towards the applicability of quantum communication on a global scale, is to extend single QKD links to a quantum network by key relaying along a chain of trusted nodes using satellites as well as fiber-based systems.

A security analysis of this XOR-and-trusted-relay system is left as an exercise for the reader.
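Here is the exercise worked through, as an added example written for this post rather than code from the Space-QUEST team. The link keys are constructed fixed bytes standing in for QKD output, and the node names (ground station A, one or more satellite relays, ground station B) are assumptions about the layout. The script generalizes from the proposal’s single ISS hop to a chain of trusted relays, as the trusted-node network the proposal describes would: every relay in the chain can compute the end-to-end key, while a passive listener on the public classical channel learns nothing from the XORed broadcasts.

```python
# Added example (not from the Space-QUEST proposal): trusted-node key relay by XOR.
# Each link key stands in for the output of one QKD link; here they are constructed
# fixed bytes so the script is deterministic and runs offline.


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("keys must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def relay_key(link_keys):
    """Node 0 (ground station A) keeps link_keys[0] as the end-to-end key.
    Every relay i (the satellite in the single-hop case) holds link_keys[i-1]
    toward node i-1 and link_keys[i] toward node i+1, and announces their XOR
    over the public classical channel.

    Returns (end_to_end_key, broadcasts)."""
    broadcasts = [xor_bytes(link_keys[i - 1], link_keys[i])
                  for i in range(1, len(link_keys))]
    return link_keys[0], broadcasts


def receive_key(last_link_key, broadcasts):
    """Last node (ground station B): XOR off one broadcast per hop, which
    lands on node 0's link key."""
    key = last_link_key
    for b in reversed(broadcasts):
        key = xor_bytes(key, b)
    return key


def relay_view(i, link_keys, broadcasts):
    """What trusted relay i can compute on its own: walking the broadcasts back
    from its own link key reaches the end-to-end key. This is the trust
    assumption: every relay in the chain knows the final key."""
    key = link_keys[i - 1]
    for b in reversed(broadcasts[: i - 1]):
        key = xor_bytes(key, b)
    return key


def link_keys_consistent_with(candidate, broadcasts):
    """What a passive eavesdropper on the classical channel can compute: nothing.
    For any candidate end-to-end key there is a set of link keys that yields
    exactly the observed broadcasts, so the broadcasts carry no information
    about the real key (the one-time-pad argument, given independent uniform
    link keys)."""
    keys = [candidate]
    for b in broadcasts:
        keys.append(xor_bytes(keys[-1], b))
    return keys


# Constructed stand-ins for three QKD link keys: A<->sat1, sat1<->sat2, sat2<->B.
SAMPLE_LINK_KEYS = [
    bytes.fromhex("00112233445566778899aabbccddeeff"),
    bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    bytes.fromhex("deadbeefcafebabe0123456789abcdef"),
]


def demo(link_keys=SAMPLE_LINK_KEYS):
    """Run the relay over a chain and report what each party ends up with."""
    end_key, broadcasts = relay_key(link_keys)
    return {
        "end_key": end_key,
        "broadcasts": broadcasts,
        "b_recovers": receive_key(link_keys[-1], broadcasts),
        "relays_know": [relay_view(i, link_keys, broadcasts)
                        for i in range(1, len(link_keys))],
    }


if __name__ == "__main__":
    r = demo()
    print("end-to-end key:", r["end_key"].hex())
    print("B recovered:   ", r["b_recovers"].hex())
    for n, k in enumerate(r["relays_know"], 1):
        print(f"relay {n} knows:", k.hex())
```

Run it and the relays print the same key as the two ground stations: the scheme protects the key from whoever is listening on the classical channel, not from the ISS. That is exactly the “trusted” in trusted node, and it is the property any deployment of satellite key relay has to be comfortable with.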

The experimental device will meet ESA standards for a module for the European Columbus laboratory, namely volume of 1.39 × 1.17 × 0.86 m³, mass < 100 kg, and a peak power consumption of < 250 W.

Photo extracted from the Space-QUEST proposal. I don’t know about you, but I love the little quantum beams joining the two data rings.

Paper Breach

The Missing Docs

The BBC reports in “Secret terror files left on train” that an

… unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train.

A fellow passenger spotted the envelope containing the files and gave it to the BBC, who handed them to the police.

We are also told:

Just seven pages long but classified as “UK Top Secret”, this latest intelligence assessment on al-Qaeda is so sensitive that every document is numbered and marked “for UK/US/Canadian and Australian eyes only”, according to our correspondent.

The person who lost them is

… described as a senior male civil servant, works in the Cabinet Office’s intelligence and security unit, which contributes to the work of the Joint Intelligence Committee.

His work reportedly involves writing and contributing to intelligence and security assessments, and that he has the authority to take secret documents out of the Cabinet Office – so long as strict procedures are observed.

Apparently the documents were not encrypted. Cue rimshot.

What’s up with the “New and Used” Pricing on Amazon?

So having a book out, you start to notice all sorts of stuff about how Amazon works. (I’ve confirmed this with other first time authors.) One of the things that I just can’t figure out is the pricing people have for The New School.

There’s a new copy for $46.43. A mere 54% premium over list, and a whopping 234% of Amazon’s discounted price. There’s a used copy for $58.56. What the hell?

This isn’t unique to us. It happens for every book I’ve looked at.

Is this some sort of scheme to hide money from the tax collectors? I mean, I liked Cohen’s book, (incidentally reviewed here) but not to the tune of 600 bucks.

What’s going on? Your thoughts are welcome.

Debix Publishes Data on Identity Theft

Finally, we have some real hard data on how often identity theft occurs. Today, Debix (full disclosure, I have a small financial interest) published the largest study ever on identity theft. Debix combed through the 2007 Q4 data on over 250 thousand of their subscribers and found that there was approximately a 1% attempted fraud rate (380 attempts out of 30,618 authorizations). This is well in line with the 1.05% fraud rate for new bank accounts. Now as I’ve mentioned in the past, one of the cool things about Debix is that if you are a subscriber, then all credit requests have to be authorized by you. As a result all 380 fraud attempts were correctly identified as such and were blocked. Pretty damn cool eh? I highly encourage you to read the report as it has lots of other interesting data in it, including some interesting ways in which your identity can be stolen even if you have a fraud report set on your accounts (hint: interesting things can happen if you have a spouse and they don’t have fraud reports set.)
[Image is Identity Theft!! by Else Madsen]

Hats Banned in Yorkshire to Aid CCTV Identification


The Telegraph reports in “Hats banned from Yorkshire pubs over CCTV fears” that

Pubs in Yorkshire have been ordered to ban people from wearing flat caps or other hats so troublemakers can be more easily recognised.

And in other news this weekend, MPs have stamped their little feet insisting that Britain is not a surveillance society.

Photo “flat cap Harry” by theolip.

Security Prediction Markets: theory & practice

There are a lot of great comments on the “Security Prediction Markets” post.

There’s a tremendous amount of theorizing going on here, and no one has any data. Why don’t we experiment and get some? What would it take to create a market in breach notification prediction?

Dan Guido said in a comment, “In security, SOMEONE knows the RIGHT answer. It is not indeterminate, the code is out there, your network is accessible to me and so on. There’s none of this wishy-washy risk stuff.”

I don’t think he’s actually right. Often times, no one knows the answer. Gathering it is expensive. Translating from “there’s a vuln” to “I can exploit it” isn’t always easy. For example, one of my co-workers tried to exploit a (known, reported, not yet fixed) issue in an internal site via Sharepoint. Something in Sharepoint keeps munging his exploit code. I’ve even set my browser homepage to a page under his control. Who cares what I think, when we can experiment?

What would be involved in setting up an experiment? We’d need, in no particular order:

  • A web site with some market software. Is there a market for such sites? (There is! Inkling will let you run a 45 day pilot with up to 400 traders. There’s likely others.)
  • Terms & conditions. Some issues to be determined:
    1. Can you bet on your employer? Clients? Customers?
    2. Are bets anonymous?
    3. What are the terms of the payoff? Are you betting company X has a breach of PII, or a vuln? Would Lazard count?
    4. What’s the term of a futures option? What’s the ideal for a quick experiment? What’s the ideal for an operational market?
    5. Are we taking singleton bets (Bank A will have a problem) or comparative ones (Bank A will have more problems than Bank B)?
  • Participants. I think that’s pretty easy.
  • Dispute arbitration. What if someone claims that Amazon’s issue on Friday the 6th was a break-in? Amazon hasn’t yet said what happened.

So, we could debate like mad, or we could experiment. Michael Cloppert asked a good question. Let’s experiment and see what emerges.

Photo: “Better living…” by GallixSee media.

Praises for the TSA

We join our glorious Soviet brothers of the TSA in rejoicing at the final overthrow of the bourgeoisie conception of “liberty” and “freedom of expression” at the Homeland’s airports.

The People’s Anonymous Commissar announced:

This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity.

This new procedure will not affect passengers that may have misplaced, lost or otherwise do not have ID but are cooperative with officers.

…Passengers that fail to comply with security procedures may be prohibited from entering the secure area of airports to catch their flight.

(“TSA Announces Enhancements to Airport ID Requirements to Increase Liberty“)

Commissar Hawley stated “with this advance, we overcome the latest tactic of the counter-revolutionary, and ensure that our internal passport system is fully functional.”

He went on to explain that this enhances our first amendment rights to free expression by ensuring that all free expression will be supportive of the new policy, and that under United States v. Biswell, 406 U.S. 311 (1972), a comrade’s entry into a perversely pervasively regulated area permits content-based speech restrictions.

We are also renaming this blog “Imposed Order.”

It is the policy of Imposed Order that all comments will be supportive of this policy and the new name for the blog.

News via Gary Leff. Image via Lenin Internet Archive.

Messing with the RIAA and MPAA

Some very smart people at the University of Washington figured out how to leverage the BitTorrent protocol to cause the RIAA and MPAA to generate takedown notices. From the website:

* Practically any Internet user can be framed for copyright infringement today. By profiling copyright enforcement in the popular BitTorrent file sharing system, we were able to generate hundreds of real DMCA takedown notices for computers at the University of Washington that never downloaded nor shared any content whatsoever.
Further, we were able to remotely generate complaints for nonsense devices including several printers and a (non-NAT) wireless access point. Our results demonstrate several simple techniques that a malicious user could use to frame arbitrary network endpoints.
* Even without being explicitly framed, innocent users may still receive complaints. Because of the inconclusive techniques used to identify infringing BitTorrent users, users may receive DMCA complaints even if they have not been explicitly framed by a malicious user and even if they have never used P2P software!
* Software packages designed to preserve the privacy of P2P users are not completely effective. To avoid DMCA complaints today, many privacy conscious users employ IP blacklisting software designed to avoid communication with monitoring and enforcement agencies. We find that this software often fails to identify many likely monitoring agents, but we also discover that these agents exhibit characteristics that make distinguishing them straightforward.

For more details check out the technical paper.

Security Prediction Markets?

In our first open thread, Michael Cloppert asked:

Considering the contributors to this blog often discuss security in
terms of economics, I’m curious what you (and any readers educated on
the topic) think about the utility of using prediction markets to forecast

So I’m generally a big fan of markets. I think markets are, as Hayek pointed out, a great way to extract information from systems. The prediction markets function by rewarding those who can make better predictions. So would this work for security, and predicting compromises?

I don’t think so, despite being a huge fan of the value of the chaos that emerges from markets.

Allow me to explain. There are two reasons why it won’t work. Let’s take Alice and Bob, market speculators. Both work in banks. Alice thinks her bank has great security (“oh, those password rules!”). So she bets that her bank has a low likelihood of breach. Bob, in contrast, thinks his bank has rotten security (“oh, those password rules!”). So he bets against it. Perhaps their models are more sophisticated, and I’ll return to that point.

As Alice buys, the price of breach futures in her bank rises. As Bob sells, the price of his futures falls. (Assuming fixed numbers of trades, and that they’re not working for the same bank.)

But what do Alice and Bob really know? How much experience does either have to make accurate assessments of their employers’ security? We don’t talk about security failures. We don’t learn from each other’s failures, and so failure strikes arbitrarily.

So I’m not sure who the skilled predictors would be who would make money by entering the market. Without such skilled predictors, or people with better information, the market can’t extract the information.

Now, there may be information which is purely negative which could be usefully extracted. I doubt it, absent baselines that Alice and Bob can use to objectively assess what they see.

There may well be more sophisticated models, where people with more or better information could bet. Setting aside ethical or professional standards, auditors of various sorts might be able to play the market.

I don’t know that there are enough of them to trade effectively. A thinly traded security doesn’t offer up as much information as one that’s being heavily traded.

So I’m skeptical.