Twitter Weekly Updates for 2011-12-25

Powered by Twitter Tools

Niels Bohr was right about predictions

There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I figured I’d share.

With minor formatting changes, the following is from my email of April, 2010.

Prediction 1

Regulation E style accountholder liability limitation will be extended
to commercial accountholders with assets below some reasonably large
value by 12/31/2010.

Why:  ACH and wire fraud are an increasingly large, and increasingly
public, problem.  Financial institutions will accept regulation in order
to preserve confidence in on-line channel.


Prediction 2

An episode of "state-sponsored SSL certificate fraud/forgery" will make
the public press.

Why: There is insufficient audit of the root certs that browser vendors
innately trust, making it sufficiently easy for a motivated attacker to
"build insecurity in" by getting his untrustworthy root cert trusted by
default.  The recent Mozilla kerfuffle over CNNIC is an harbinger of
this[1].  Similarly, Chris Soghoian's recent work[2] will increase
awareness of this issue enough to result in a governmental actor who has
done it being exposed.


But only because for this one I forgot to put in a date (I meant to also say “by 12/31/2010”, which makes this one WRONG! too.

I was motivated to make this post because I once again came across Soghoian’s paper just the other day (I think he cited it in a blog post I was reading). He really nailed it. I predict he’ll do so again in 2012.

The Pre-K underground?

Not my headline, but the New York Times:

Beyond the effort was the challenge of getting different families to work together. When matters as personal as education, values and children are at stake, intense emotions are sure to follow, whether the issue is snacks (organic or not?), paint (machine washable?) or what religious holidays, if any, to acknowledge. Oh, and in many cases, forming a co-op school is illegal, because getting the required permits and passing background checks can be so prohibitively expensive and time-consuming that most co-ops simply don’t. (“The Pre-K Underground“, The New York Times, December 16)

Read the whole thing, and then give some thought to how effectively those policies, combined with the drug war, are de-legitimizing governments, and convincing people that to live their lives involves avoiding government rules. Eventually, even legitimate and necessary functions of government like courts will fall apart.

Think I’m exaggerating?

“There’s a fairly stringent code and byzantine process for getting certified and code-compliant,” said City Councilman Brad Lander, a Democrat from Brooklyn, whose office held a meeting over the summer for any co-ops interested in pooling their resources and securing permits. “Some are genuinely for the safety of kids, and some are more debatable.”

There’s a city councilman driving doubt over the system. What does that do to the legitimacy? What happens to the social contract?

Will the war on coop kindergardens join the war on drugs?

Twitter Weekly Updates for 2011-12-18

Powered by Twitter Tools

Outrage of the Day: DHS Takes Blog Offline for a year

Imagine if the US government, with no notice or warning, raided a small but popular magazine’s offices over a Thanksgiving weekend, seized the company’s printing presses, and told the world that the magazine was a criminal enterprise with a giant banner on their building. Then imagine that it never arrested anyone, never let a trial happen, and filed everything about the case under seal, not even letting the magazine’s lawyers talk to the judge presiding over the case. And it continued to deny any due process at all for over a year, before finally just handing everything back to the magazine and pretending nothing happened. I expect most people would be outraged. I expect that nearly all of you would say that’s a classic case of prior restraint, a massive First Amendment violation, and exactly the kind of thing that does not, or should not, happen in the United States.

But, in a story that’s been in the making for over a year, and which we’re exposing to the public for the first time now, this is exactly the scenario that has played out over the past year — with the only difference being that, rather than “a printing press” and a “magazine,” the story involved “a domain” and a “blog.”

Read the whole thing at “Breaking News: Feds Falsely Censor Popular Blog For Over A Year, Deny All Due Process, Hide All Details…

The output of a threat modeling session, or the creature from the bug lagoon

Wendy Nather has continued the twitter conversation which is now a set of blog posts. (My comments are threat modeling and risk assessment, and hers: “That’s not a bug, it’s a creature. “)

I think we agree on most things, but I sense a little semantic disconnect in some things that he says:

The only two real outputs I’ve ever seen from threat modeling are bugs and threat model documents. I’ve seen bugs work far better than documents in almost every case.

I consider the word “bug” to refer to an error or unintended functionality in the existing code, not a potential vulnerability in what is (hopefully) still a theoretical design. So if you’re doing whiteboard threat modeling, the output should be “things not to do going forward.”

As a result, you’re stuck with something to mitigate, probably by putting in extra security controls that you otherwise wouldn’t have needed. I consider this a to-do list, not a bug list.
(“That’s not a bug, it’s a creature. “, Wendy Nather)

I don’t disagree here, but want to take it one step further. I see a list of “things not to do going forward” and a “todo list” as an excellent start for a set of tests to confirm that those things happen or don’t. So you file bugs, and those bugs get tracked and triaged and ideally closed as resolved or fixed when you have a test that confirms that they ain’t happening. If you want to call this something else, that’s fine–tracking and managing bugs can be too much work. The key to me is that the “things not to do” sink in, and to to-do list gets managed in some good way.

And again, I agree with her points about probability, and her point that it’s lurking in people’s minds is an excellent one, worth repeating:

the conversation with the project manager, business executives, and developers is always, always going to be about probability, even as a subtext. Even if they don’t come out and say, “But who would want to do that?” or “Come on, we’re not a bank or anything,” they’ll be thinking it when they estimate the cost of fixing the bug or putting in the mitigations.

I simply think the more you focus threat modeling on the “what will go wrong” question, the better. Of course, there’s an element of balance: you don’t usually want to be movie plotting or worrying about Chinese spies replacing the hard drive before you worry about the lack of authentication in your network connections.

“Can copyright help privacy?”

There are semi-regular suggestions to allow people to copyright facts about themselves as a way to fix privacy problems. At Prawfsblog, Brooklyn Law School Associate Professor Derek Bambauer responds in “Copyright and your face.”

Key quote:

One proposal raised was to provide people with copyright in their faceprints or facial features. This idea has two demerits: it is unconstitutional, and it is insane. Otherwise, it seems fine.

As an aside, Bambauer is incorrect. The idea has a third important problem, which he also points out in his post: “It’s also stupid.”

Read the whole thing here.

Twitter Weekly Updates for 2011-12-11

  • RT @daveaitel Tests Show Most Store Honey Isn't Honey << Will anyone go to jail for fraud? #
  • RT @jdp23 Look at the list of the FTC complaints — huge issues. And basically no consequnces to FB. So why should they change? #privchat #
  • RT @threatpost $56 Billion Later and Airport #Security Is Still Junk – – via @wired << a touching story! #
  • White House unveils cybersec strategy incl "Inducing Change", "Developing Science Foundations" (Could be New School-y) #
  • New White House cybersec strategy "Inducing Change", "Developing Science Foundations" seems fairly New School #
  • New blog " and listener privacy" #
  • "In Major Gaffe, Obama Forgets To Dumb It Down" #
  • This shows the success of our current "information sharing" "infrastructures": Data gathering for ssh attacks: #
  • MT @alexhutton I'll be on a webinar w/ @joshcorman in an 1/2 hour. It will only be fun if you join us #
  • RT @nickm_tor The key idea from our field that we need most to export to other system designers is not IMO anonymity but unlinkability. #
  • RT @alexhutton Best security/risk job description I've ever seen: << this link is dangerous! (Dangerously New School.) #
  • RT @_nomap Proud to announce that I'm officially a PhD. Now looking forward to new challenges! << Congratulations! #
  • RT @techdirt Breaking News: Feds Falsely Censor Popular Blog For Over A Year, Deny All Due Process, Hide All Details.. #
  • RT @marciahofmann Join me in fighting for the users! Become an @EFF member today and your donation will get a 4x match #
  • New blog: Outrage of the Day: Police Violence #
  • MT @josephmenn Very good books from many perspectives: Important 2011 Tech Policy & Law Books < Nothing new in infosec? #
  • For bloggers – "Conbis" is stealing New School & other blog content. Their "about us" is Lorum Ipsum. #
  • RT @ehasbrouck I'd rather pay for Twitter than pay w/wasted time, distracting features that earn them $, & have them monetize info about me #
  • New blog: "Threat Modeling & Risk Assessment" follows up on conversation with @451wendy #
  • Wow. IEEE won't even give me a citation without an account. Why do people let IEEE lock up their work? #

Powered by Twitter Tools

Threat Modeling and Risk Assessment

Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully.

So first, what was said:

(Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability too.
(me) Thanks! I’m not advocating against risk, but asking when. Do you evaluate bugs 2x? Once in threat model & once in bug triage?
(Wendy) Yes, because I see TM as being important in design, when the bugs haven’t been written in yet. 🙂

I think Wendy and I are in agreement that threat modeling should happen early, and that probability is important. My issue is that I think issues discovered by threat modeling are, in reality, dealt with by only a few of Gunnar’s top 5 influencers.

I think there are two good reasons to consider threat modeling as an activity that produces a bug list, rather than a prioritized list. First is that bugs are a great exit point for the activity, and second, bugs are going to get triaged again anyway.

First, bugs are a great end point. An important part of my perspective on threat modeling is that it works best when there’s a clear entry and exit point, that is, when developers know when the threat modeling activity is done. (Window Snyder, who knows a thing or two about threat modeling, raised this as the first thing that needed fixing when I took my job at Microsoft to improve threat modeling.) Developers are familiar with bugs. If you end a strange activity, such as threat modeling, with a familiar one, such as filing bugs, developers feel empowered to take a next step. They know what they need to do next.

And that’s my second point: developers and development organizations triage bugs. Any good development organization has a way to deal with bugs. The only two real outputs I’ve ever seen from threat modeling are bugs and threat model documents. I’ve seen bugs work far better than documents in almost every case.

So if you expect that bugs will work better then you’re left with the important question that Wendy is raising: when do you consider probability? That’s going to happen in bug triage anyway, so why bother including it in threat modeling? You might prune the list and avoid entering silly bugs. That’s a win. But if you capture your risk assessment process and expertise within threat modeling, then what happens in bug triage? Will the security expert be in the room? Do you have a process for comparing security priority to other priorities? (At Microsoft, we use security bug bars for this, and a sample is here.)

My concern, and the reason I got into a back and forth, is I suspect that putting risk assessment into threat modeling keeps organizations from ensuring that expertise is in bug triage, and that’s risky.

(As usual, these opinions are mine, and may differ from those of my employer.)

[Updated to correct editing issues.]

Outrage of the Day: Police Violence

When the LAPD finally began arresting those of us interlocked around the symbolic tent, we were all ordered by the LAPD to unlink from each other (in order to facilitate the arrests). Each seated, nonviolent protester beside me who refused to cooperate by unlinking his arms had the following done to him: an LAPD officer would forcibly extend the protestor’s legs, grab his left foot, twist it all the way around and then stomp his boot on the insole, pinning the protestor’s left foot to the pavement, twisted backwards. Then the LAPD officer would grab the protestor’s right foot and twist it all the way the other direction until the non-violent protestor, in incredible agony, would shriek in pain and unlink from his neighbor.

It was horrible to watch, and apparently designed to terrorize the rest of us. At least I was sufficiently terrorized. I unlinked my arms voluntarily and informed the LAPD officers that I would go peacefully and cooperatively. I stood as instructed, and then I had my arms wrenched behind my back, and an officer hyperextended my wrists into my inner arms. It was super violent, it hurt really really bad, and he was doing it on purpose. When I involuntarily recoiled from the pain, the LAPD officer threw me face-first to the pavement. He had my hands behind my back, so I landed right on my face. The officer dropped with his knee on my back and ground my face into the pavement. It really, really hurt and my face started bleeding and I was very scared. I begged for mercy and I promised that I was honestly not resisting and would not resist.

Go read My Occupy LA Arrest, by Patrick Meighan and Listener Privacy

It turns out that it’s very hard to subscribe to many podcasts without talking to servers. (Technical details in the full post, below.) So I took a look at their privacy statement:

Podtrac provides free services to podcasters whereby Podtrac gathers data specific to individual podcasts (e.g. audience survey data, content ratings, measurement data, etc). This podcast data is not considered personally identifiable information and may be shared by Podtrac with member advertisers. (“Podtrac Client Privacy Statement,” undated, unversioned.)

It’s not clear to me who doesn’t consider what they collect to be personal data, because the passive voice is annoyingly used. So I’ll ask: precisely what data is collected? And under what set of laws or even perspectives is the data they’re collecting is not considered personally identifiable? For example, are they collecting IP addresses, which I understand are PII in the EU?

Enquiring minds with privacy officials might want to ask those officials.

Continue reading

Twitter Weekly Updates for 2011-12-04

  • New School blog "'Its Time to Learn Like Experts' by @jayjacobs" #
  • RT @dmolnar Help me shop for furniture #
  • RT @moxie__ WhisperSystems has been acquired! < Congratulations! I hope it leads to great things for Twitter privacy #
  • RT @tsastatus A few new features, and a bunch of status updates, at, more info on the blog #
  • New blog: "Telephones and Privacy" #
  • New blog: "We Robot: The Conference" #
  • New bloggage: "Telephones and Privacy" #
  • RT @securityninja @realex_tracy everyone that walks past my desk has to play with the elevation of privilege cards, eye catching! #
  • New blog: Big Brother Watch Report on Breaches (ht @PogoWasRight) #
  • NPR has a story on FAA/SSA violations of Privacy act going to Supreme Court #
  • RT @hvyboots: So apparently, Carrier IQ is on iPhones too #
  • RT @Jim_Harper Looking for Sen. Schumer's statement re: TSA tracking of cell phones. Anyone know where I can find it? #
  • New School blog post: "The Future of Work is Play" #
  • RT @srbaker Film producers: if your film isn't on Netflix, I'll find it on BitTorrent. You might as well make some money on it. #
  • RT @AdasBooks Today is such an exciting day! The first big news is that our webstore is now live! #
  • RT @ggreenwald Surreal: Sen Feinstein had an amendment to say: you can't imprison US citizens w/o charges – it failed: #
  • .@rmogull I don't think it's hypocrisy, I think people are tired of privacy disempowerment, confusion and the short end of the stick #
  • Oops, violated my own medical privacy, darnit! Can I be in datalossdb now? 🙂 #
  • RT @lorrietweet Speaking today at Silicon Flatirons Privacy Economics event – live stream available < Yay, looks great! #
  • RT @WeldPond It should be in the public's best interest to allow researchers to tell us what the software on our phones does. #carrieriq #
  • Julie Cohen's comments are frames embedded in information systems is really well stated. #flatirons privacy economics #
  • "Let's make sure the system is not set up to thwart consumer desire for privacy" Joseph Farrell @ silicon flatirons #
  • "What we call disclosures are often when someone wants to say they disclosed it but they don't want you to know it" Joseph Farrell #flatiron #
  • "We have effective disclosure, they're called ads" Joseph Farrell #flatiron discussing privacy "disclosure" #
  • RT @liorjs Here's the livestream for Economics of Privacy Conf. Catch @ericgoldman, @paulohm, @rcalo, @laguarda, etc. #
  • ~"Aleecia has a knack for stating the controversial in a non-controversial way" @rcalo #flatiron #privacy #
  • Great question from @rcalo to venture capitalist Seth Levine: Do you worry about privacy as a risk in investing? #
  • Did anyone mention the work on organ donation rates and defaults, tie it to privacy? #flatirons #
  • UStream is reaching out to 14 different websites as I listen to the Silicon #flatirons event on Privacy economics #
  • RT @kbcran #flatirons Thwarting facial recognition with Blade Runner makeup #
  • EyeLink has some really amazing & scary iris recognition tech. Way beyond what i thought was state of the art. Can't find link (@dmolnar?) #
  • Peter Swire has a depressing view of the impact of Sorrel vs IMS #flatirons #
  • Yay @hoofnagle for bringing up the compelled nature of speech in Sorrel. #flatirons #
  • Gävle Goat Gambit Goes Astray #
  • Did he just say "You won't have Herman Cain to kick around anymore"? #

Powered by Twitter Tools

Gävle Goat Gambit Goes Astray

Gavle Goat 2011
It’s a bit of a Christmas tradition here at Emergent Chaos to keep you informed about the Gävle Goat. Ok, technically, our traditions seem hit and miss, but whaddaya want from a site with Chaos in the name? You want precision, read a project management blog. Project management blogs probably set calendar reminders to kick off a plan with defined stakeholders, success metrics and milestones to ensure high quality blog posts. Us, we sometimes randomly remember.

But, but! This year, we actually have a plan with 8×10 color gannt charts with circles and arrows explaining how to set up a market to predict when the goat would burn.

We even have prizes.

Unfortunately, chaos (and flames) emerged, and the goat was burned before we set up the market.

You can read the full story of “Sweden’s Christmas goat succumbs to flames.”