Friday, April 17, 2009

Data Rustler

The best thing to come out of the Texas Lege since....ever.
A bill passed through the state senate increasing the penalty on hacking at the critical infrastructures we got down here Texas-way. (State jail penalty, no less.)

But I'm not talking about the law, but the language of the lawmaker. From the Austin American Statesman -

"[Sen. Kel S]eliger, R-Amarillo, who on Thursday passed through the Senate a bill that would increase penalties for cattle rustling, laughed at the suggestion that today’s bill was of the same genre.

“Yes, it’s going after data rustlers,” he said."

DATA RUSTLERS! YES! I now abandon "hacker," "cracker," "identity thief," and all other similarly situated nouns in favor of the term coined by the gentleman from Amarillo.

Wednesday, April 15, 2009

Cyber

After a once-over, I'm curious as to the value of the Verizon Business "Data Britches Report."
http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/

A couple questions/comments I had on the first read:
1. The document really needs a glossary. It's hard to parse the special meaning assigned to certain words and phrases as they recur throughout the document. For example: "data breach," "record," "incident," and "errors and omissions," the last of which didn't mean what I thought it would mean ("negligence" and "non-compliance" seem to convey more of what was intended. When I think E&O, I think "malpractice.")
2. Is the skew toward "outsider" threats due to the type of service that VB offers? Actually, is the skew of all the data because of the type and quality of service that VB offers? Hell, VB admits to whacked out skew. So give me some damages! Or, at least give me a standard deviation, if you are going to skew that way.
3. Where are my scatter plots? Someone get these guys some visualization skills.
4. Lumping intellectual property breaches with credit card and NPI in cumulative stats seems wrong to me. It reminds me of an article I read about computer crime that included statistics on hacking, toll fraud and the hijacking of trucks that carried computer chips. That was maybe 12 years ago, or more. This sort of loose affiliation of crimes, torts and misbehavior shovelled under a skirt called "cyber" makes less sense every time I read a "cyber" this or that. How about words like fraud, impersonation, crime, non-compliance?
5. About halfway through, I got the feeling that I was reading a DEA document about the War on Crime. A focus on the incident, without a look at what caused the incident. Who got the money? Why are they stealing data? Is this "cyber" or just fraud? Is it a war we can win? Have we just turned the corner?

Gimme something substantive for a conversation, not just re-hashed status reports that may be misleading.

(Just noticed that Brooke at New School wrote similar comments. I am not alone.)

Monday, March 23, 2009

Tea Risk

At the Tea Risk conference today. Heard a woman keynote all over me, until my brain sploded. Her talk was divided into two parts:
1. A retrospective of headlines indicates that there has been no progress in information security in the past twenty years. This trip down corrupted memory lane came with wistful recollections of the punch-card, suspender-snapping variety. VAX is what we should nostagicate on now. And despite her involvement in security, and yelling the same thing over and over again, No Progress Has Been Made. I was waiting for her confession that she was part of the problem, doing the same thing over and over, expecting different results. Didn't come. A slight whiff of the "stoopid luzers" but the topic was dropped without conclusion.
2. A detailed trip through her personal hell of IDENTITY THEFT! Here's what happens: on some records somewhere, her Social Security number is associated with SOMEONE ELSE! Of course, no fraudulent loans were made, no bogus entries on her credit bureaus reports, and the person used a different name, different gender, different address, different date of birth, etc. And yet, she was upset that the police were somewhat reluctant to send out an APD and marshal all available resources to investigate her claim. She hinted that she used less than legal means to get the other individual's address and driver's license, and carried around a stack of papers with all her info into a Kafkaesque morass of bureaucracy. I've seen this sort of thing before in my previous life as an investigator. It's not IDENTITY THEFT, it's a typo. I've been brewing a rant in my head about the words "identity theft," but it probably needs a while longer to attain the desired proof.
This woman's bio lists her as a "risk consultant." Maybe that's why security sux.

Morning at Tea Plantation, by Docbudie via Flickr.

Friday, November 14, 2008

Non Fiction: Risk

From Alex Roy's The Driver:

"Our second hour of 150 mph or more inspired a highly unscientific analysis of the actual danger we faced. I concocted what I called The Danger Coefficient (DC). I guessed the average NASCAR driver, in a thirty-six race season including practice, probably drove 15,000 miles -- with a safety cage and onboard active fire suppression -- on highly prepared tracks, with hospitals less than 14 minutes away by choppers on standby. Assuming this represented a DC of ten, Gumball's 3,000 miles meant our DC was two.... until factoring our relative safety deficiencies. High speeds over potholes had to triple our DC to six. Civilian traffic doubled it again, to twelve. Time and distance to medical help? Double again, to twenty-four. Lack of roll cages, harnesses and HANS devices? My guesses ended when I realized Gumball -- at least the way I did it -- was at least five times more dangerous than NASCAR."
From Wright and Decker's Burglars on the Job:
They referred to this process as "burning bread on yourself."

"Thieves got a thang they say [about getting caught,] "If you think about thangs like that, you burnin' bread on yourself" So you don't think about it... Just go for it. [No. 011]

Several of the subjects found it difficult to speak about the risk of apprehension, fearing that such talk would jinx their future illegal activities.
...
Some of the offenders also tried not to think about getting caught because such thought generated an uncomfortably high level of mental anguish. They believed that the best way to prevent this from happening was to forget about the risk and leave matters to fate.

Wednesday, November 12, 2008

Fiction

From Ed Park's Personal Days:

"Every employee would soon be required to create a new log-on password consisting of a mix of nonsequential capital letters and a three-digit prime number and a punctuation mark, and then change it once a month by sending an Excel form to a secure website in Oakland. This was just standard operating procedure.

Each demand felt like the securing of a strap on a straitjacket."

Wednesday, September 17, 2008

4th Quadrant

My favorite ex-quant, N. N. Taleb, outlines the 4th Quadrant.
Thoroughly enjoyable, but I'm a fan.

This table made sense to me:

In information risk management, what sort of events are fat tailed with complex payoff? Or which are not?
I've suspected that there is a parallel between software and markets, as both proxy human behavior, yet are perceived as acting autonomously.

Tuesday, August 26, 2008

The Wisdom of Mobs

Alex mentions stock prices as a potential input into information risk assessment. I'm skeptical of the value of market-driven metrics, and of the collective wisdom of the market's crowd in assessing the value of an asset. The forces driving stock prices in the short term are not afraid to work with rumor, fact, unrelated fact, remotely disjointed misreported fact and insinduendo.* Corporate stock value can be maintained by close Internet monitoring of cowboy executives, especially if you are in the vicinity of 6th and Lamar in Austin, Texas (a couple of e-mail datapoints: GSD&M and Whole Foods). Must be something in the bottled water. I've said it before (probably), bad stuff will happen long term if you are a third party managing privacy-related data, and you blow it. Because your customers will likely have better information, and have the power to put a long-term hurt on your bottom line. If you come clean.

And, of course, out asswards talking I am.

And why haven't I written more in the last few months? I'll let my son answer that:

*not a word, but I like it anyway.