Friday, November 14, 2008

Non Fiction: Risk

From Alex Roy's The Driver:

"Our second hour of 150 mph or more inspired a highly unscientific analysis of the actual danger we faced. I concocted what I called The Danger Coefficient (DC). I guessed the average NASCAR driver, in a thirty-six race season including practice, probably drove 15,000 miles -- with a safety cage and onboard active fire suppression -- on highly prepared tracks, with hospitals less than 14 minutes away by choppers on standby. Assuming this represented a DC of ten, Gumball's 3,000 miles meant our DC was two.... until factoring our relative safety deficiencies. High speeds over potholes had to triple our DC to six. Civilian traffic doubled it again, to twelve. Time and distance to medical help? Double again, to twenty-four. Lack of roll cages, harnesses and HANS devices? My guesses ended when I realized Gumball -- at least the way I did it -- was at least five times more dangerous than NASCAR."
From Wright and Decker's Burglars on the Job:
They referred to this process as "burning bread on yourself."

"Thieves got a thang they say [about getting caught,] "If you think about thangs like that, you burnin' bread on yourself" So you don't think about it... Just go for it. [No. 011]

Several of the subjects found it difficult to speak about the risk of apprehension, fearing that such talk would jinx their future illegal activities.
Some of the offenders also tried not to think about getting caught because such thought generated an uncomfortably high level of mental anguish. They believed that the best way to prevent this from happening was to forget about the risk and leave matters to fate.

Wednesday, November 12, 2008


From Ed Park's Personal Days:

"Every employee would soon be required to create a new log-on password consisting of a mix of nonsequential capital letters and a three-digit prime number and a punctuation mark, and then change it once a month by sending an Excel form to a secure website in Oakland. This was just standard operating procedure.

Each demand felt like the securing of a strap on a straitjacket."

Wednesday, September 17, 2008

4th Quadrant

My favorite ex-quant, N. N. Taleb, outlines the 4th Quadrant.
Thoroughly enjoyable, but I'm a fan.

This table made sense to me:

In information risk management, what sort of events are fat tailed with complex payoff? Or which are not?
I've suspected that there is a parallel between software and markets, as both proxy human behavior, yet are percieved as acting autonomously.

Tuesday, August 26, 2008

The Wisdom of Mobs

Alex mentions stock prices as a potential input into information risk assessment. I'm skeptical of the value of market driven metrics, and the collective wisdom of the market's crowd in assessing value of an asset. The forces driving stock prices in the short term are not afraid to work with rumor, fact, unrelated fact, remotely disjointed misreported fact and insinduendo.* Corporate stock value can be maintained by close Internet monitoring of cowboy executives, especially if you are in the vicinity of 6th and Lamar in Austin, Texas (a couple of e-mail datapoints: GSD&M and Whole Foods ) Must be something in the bottled water. I've said it before (probably), bad stuff will happen long term if you are a third party managing privacy related data, and you blow it. Because your customers will likely have better information, and have the power to put a long term hurt on your bottom line. If you come clean.

And, of course, out asswards talking I am.

And why haven't I written more in the last few months? I'll let my son answer that:

*not a word, but I like it anyway.

Monday, June 16, 2008

Visualize World Data Breach

38.2% of the known universe has blogged about the Verizon data breach report and how it has changed their life, and opened their eyes, busted icons and confirmed suspicions. But I looked right at the facts there, but I might as well have been completely blind.

My thoughts are simply:

  • What? No scatterplots? Bar charts and pie charts combined with narrative paragraphs that don't describe either are sort of lame. Give us an idea if there are two or three mammoth breaches that are skewing your stats. A little creativity would have helped. Don't just think the data breach. Be the data breach.
  • It would have helped to have "data breach" defined. Sometimes, the stats are describing a leak of GLB-style NPI, other times credit card info, other times website defacements. What do you want to bet that the threats and controls for a theft of trade secrets is different than for a credit card data from a Bennigan's POS terminal? Is it enlightening to lump this data together? I recall reading many years ago an essay in a scholarly computer science jounal on Computer Crime. They including the classic network hacking and phone phreaking in their analysis, as well as people hijacking trucks carrying motherboards. So, if I hit someone over the head with a laptop that stores unencrypted SSNs, is that a data breach?
  • I will give the Verizon guys extra bonus points for not using the report as a sales lead generation tool. I'll rant more on that later.

Photo of Gene Clark courtesy of Find-A-Grave. Think Gene Clark, not Eagles.

Monday, April 28, 2008

Cruel But Fair: The IT Auditor's Ball

There is no need to remind me how I dislike Las Vegas. As the woman walking away from the conference this afternoon said, "casinos are full of weird people." And she wasn't talking about her fellow information systems governance professionals.

Well, I'm almost live blogging the event (no wireless connectivity? 20 lbs of printed procedings? CACS is old school, baby!) from the IT Audit bloggers meetup (the attendees so far: me & a bottle of cheap scotch).
So what did I learn on my first day at the North American Computer Audit Control and Security Conference?

1. Dumb user jokes still get a laugh. The dumb user jokes need to end now. Really. It adds nothing, and only confirms everyone's opinion that security and audit people are arrogant and condescending. More on this later.

2. The "I am not a lawyer" defense to compliance. If something is too unpleasant, or unsavory, yet explicitly outlined in law and regulation, there is a tendency to punt the enforcement to legal. Cause, you don't want to practice law without a license. You know, cops aren't lawyers, either. Nonetheless they enforce the laws. This is an issue that can be solved, and likely has been, between auditors, security practitioners and lawyers.

3. The ice machine on the 13th floor of the Rio is broken. This is the thoughest lesson I've learned. But experience is a bitter and effective teacher.

4. Can gaussian distributions be helpful in analysis of breach disclosure? My butt was in the wrong seat to attend this talk, but the slides were curious (mostly because the color-coding in the pie charts didn't work in the B&W procedings). I would have been interested in hearing how that would work. I don't have the depth in stats to have flung anything at the presenter, but I may have had the guts to shout "HERETIC."

Soundtrack for today: "Raving & Drooling"

Wednesday, April 16, 2008

Metrics Gone Wrong: Horsepower at 100% Throttle

In the April issue of Bike magazine, Simon Hargreaves examines the myth of the dyno. The rise of the the Dynojet Dynamometer provided a cheap, standard way to measure motorcycle horsepower, allowing a common manner to rate the impact of your performance tweak. Roll your bike up to the rollers, and wind it up to full throttle. Moments later, the dyno spits out a pretty graph with torque and horsepower. (I recall a sweaty, restless July night at Texas World Speedway, the motorsport jewel of the Bryan/College Station where my buddy and I parked the VW camper van next to the dyno. Yosh pipes howling through 100% throttle get old after about the 15th carb rejetting, but the dyno truck's jam box pumping out interstitial "Give It Away" got old after the 5th round. )

None the less, Hargreaves cites the problem with a standard measure:

First, higher horsepower figures than the manufacturer next door sells more bikes than him, though - second - higher horsepower figures bring anti-biking legislation closer and closer, despite the fact that - third - accident figures aren't related to increased power, even though - fourth - the performance of your three 160hp models comfortably exceeds the ability of your customer to get anywhere near using it all without crashing.
The answer is measuring 40% and 20% throttle as well. The nebulous corner exit power that was measured only in sphincter tension or nebulous terms like "grunt" and "oomphus" is now a value that can be colored red, blue or green and plotted on a pretty graph. And a telling graph it is, as the GSX-R1000 appears to have dropped power at 20% throttle (to reduce highsideability) while maintaining the pornographic 160hp at top.

So, the top number, the easy number, the number of honorable tradition, means less and less once it is maxed. The tweaks underneath where there, and important. But you are stuck with your gut feeling until you plot it with a pretty blue line.

Monday, April 14, 2008

Metrics Gone Wrong: Body Count

From the Washington Post, and which also I heard on the radio this morning, the Colombian army finds a twisted method to meet their performance metrics:

But under intense pressure from Colombian military commanders to register combat kills, the army has in recent years also increasingly been killing poor farmers and passing them off as rebels slain in combat, government officials and human rights groups say. The tactic has touched off a fierce debate in the Defense Ministry between tradition-bound generals who favor an aggressive campaign that centers on body counts and reformers who say the army needs to develop other yardsticks to measure battlefield success.
This is the most extreme example of how a metric intended to track progress toward a goal becomes a measure of performance for the implementers. Focussed on the finger pointing at the moon, rather than the moon itself, the implementers manage the metric but undermine the goal. I don't believe this behavior is uncommon. I saw this sort of behavior in a past life as a fraud examiner. An individual forged a stack of documents, because he understood more documents were good for the company, their legitimacy only an inconvenience.

Monday, March 17, 2008

Releative Position and Privacy

Ed Felton recently wrote two posts on the failure of the marketability of privacy, and how corporations and consumers should respond. According to Felton:

There’s an obvious market failure here. If we postulate that at least some customers want to use web services that come with strong privacy commitments (and are willing to pay the appropriate premium for them), it’s hard to see how the market can provide what they want.
In the follow-up, Felton describes a standard contract and a sort of privacy escrow protocol to protect individuals against the desperate actions of a cratering start-up.

The more I read and think about privacy, the theory that an individual's privacy has a value that can be exchanged on the market becomes less and less compelling. Frank Pasquale wrote at Concurring Opinions that in the market model, you trade your privacy for efficiency and convenience, using Gmail as an example:
[C]onsider the type of suspicions that might result if you were applying to a new job and said "By the way, in addition to requiring 2 weeks of vacation a year, I need to keep my email confidential." The bargaining model is utterly inapt there. . . . just as it would have been for women to "bargain" for nondiscrimination policies, or mineworkers to bargain, one by one, for safety equipment.
He concludes that people who trade their privacy will outcompete those who do not, and that
"[a] collective commitment to privacy may be far more valuable than a private, transactional approach that all but guarantees a 'race to the bottom.' " The paper he cites on cost benefit analysis and relative position was interesting (to me at least) when read in terms of privacy. From the abstract:
When a regulation requires all workers to purchase additional safety, each worker gives up the same amount of other goods, so no worker experiences a decline in relative living standards. The upshot is that an individual will value an across-the-board increase in safety much more highly than an increase in safety that he alone purchases.
"Privacy" can be substituted for "safety." Can "security" also be considered in this context? Is it already?

Monday, March 3, 2008

From Rothman, an article at CSOnline discusses Moody's infosec risk rating service.

I personally dig this quote:

The idea for such an at-a-glance rating is appealing to risk executives such as Andre Gold, head of security and risk management for ING’s U.S. Financial Services business... Last year Gold oversaw reviews of 176 new technology vendors; his team visited sites as far away as South Africa to conduct security assessments. “It’s a service that we must do, but I think it’s a non-value-add service,” he says.
A non-value-add service? To quote Michael Scott, that's what she said.

photo from Dwight K. Schrute.

Wednesday, February 27, 2008

Now That's a Complaint.....

From Concurring Opinions (and elsewhere), a paper by Chris Hoofnagle "Measuring Identity Theft at Top Banks." Hoofnagle is asking the question: How does a consumer or regulator measure the incidence of identity theft from a financial institution? In an attempt to answer, Hoofnagle took the number of identity theft complaints collected by the FTC and matched them up with institutions listed on the complaint, with the intent of coming up with a score that could be used by consumers to judge how well the institution protects identity.

Call me crazy if I'm wrong, but Mr. Hofnagle seems to be pushing the data way beyond its utility.
Is a complaint to the FTC via a web form a reliable indicator of fraud controls at an institution? In my past experience as an investigator, I handled many cases of identity theft. I'd estimate that at least half, if not two thirds of the allegations of "identity theft" were not, in fact, identity theft. A suspicious charge on a bill, a bad skiptrace, or even a breach disclosure notice could result in complaint of "identity theft." Crime statistics that involve prosecutions of actual criminals may provide an underreported, but more reliable measure.

Hoofnagle mentions that he believes the number of FTC complaints may be low, due to historic underreporting of identity theft to criminal authorities. Again, according to my experience, which may be non-representative, I'd say that people will fill out a web form that belongs to the FTC sooner than they'd call the police. The FTC is more analogous to the Better Business Bureau than law enforcement.

I was going to write something about my frustration with the publicity that the FTC complaint statistics were receiving. Complaints are easy to count and a handy metric. But I don't think that they mean much without some evaluation of the validity of the complaint. That is, what is interesting is hard to find out.

Right before I read Hoofnagle's paper, I read this post from the Microsoft Security Development Lifecycle blog. The author makes the following statement regarding using vulnerability counts as a measure of software security:

"Measuring security is a real challenge, and while we may debate the
merits of vulnerability counts, right now it's the only concrete metric
we have."
I guess I'm saying that the only concrete metric one may have may be misleading, inaccurate, or irrelevant. Concrete isn't synonymous with valid. I may have issues with "metrics" but I love Metric. Need less, use less, we're asking for too much I guess, cause all we get is...

Wednesday, February 6, 2008


Dental countdown:

4. Juicy stuff from re: The Auditors on SocGen.

Latest news out of France has Finance Minister Christine's Lagarde's report saying that in addition to controls being lax, (duh!), someone who understand the controls should have never been able to be a trader.
With all due respect to Ms. Lagarde, this is ridiculous. Just look at their annual report. They've got "controls" up the wazoo...This is a lame, puppy-dog, excuse.
It's the management, stupid!

3. On the local front, an unhappy IT laborer hacks into bosses e-mail, sends naughty messages.
The affidavit says that Das told Southerland he was holding the Web site hostage until he received his paycheck. Though Southerland said that checks weren’t being dispersed until the following week, Das hacked into Southerland’s e-mail account and sent e-mails to Southerland’s clients and family defaming the company, according to the affidavit.
One of the hostage servers was a database for a site called Rotten Neighbors, where you can be a neighborhood fussbudget without putting on your slippers and yelling at passing cars in your driveway. Such an operation may not provide a gruntle-rich environment that would provide the last paycheck patience that is in such short supply nowadays.

2. And if we learned anything from SocGen, we learned that misbehaving employees are not always motivated by greed, as local community radio KOOP learned recently as they were arsonized. Like French bankers, they were SHOCKED that a buzz kill playlist would lead to wanton destruction of assets.

1. From toohotfortnr, this article identifies scooters as weapons of insurgency. Have we learned nothing?

Friday, February 1, 2008

He begged me to follow but legions of sorrow defied me

I may not be sure what my point is. Black Swans with trading accounts? The letter U and the numeral Two? Or that it actually does take two ringy-dingys. I only know that the following illustrates it in the most vivid fashion possible.

Sunday, January 27, 2008

Data Privacy Day

To appropriately observe Data Privacy Day, I will not ask you how it is hanging.
That is strictly a matter between you and whatever hangs off you.

Photo of sloth having its privacy violated from sfPhotocraft.

Thursday, January 24, 2008

Segregation of Obscurity

From Forbes account of the Societe Generale billion dollar fraud:

"It's Nick Leeson, the story is exactly the same," said Celent's Pierron. "We have a trader who trades futures, or derivatives, who hides his losses by using weaknesses in the risk-management system." He said that as long as traders had knowledge of back-office operations, the risks of
abuse would always be there.

A spokesperson for Societe Generale said that there would be thorough reviews of internal controls, but noted that this particular case of fraud was "very, very sophisticated."
So, segregate controls, but keep them obscure.

I got some groceries, some peanut butter

From the maddingly brilliant book of the Naples System, Gomorrah, a description of security during the Secondigliano War between the Spanish and DiLauro clans:

I would ride my Vespa through this pall of tension. In Secondigliano I'd be frisked at least ten times a day. If I'd had so much as a Swiss Army knife on me, they would have made me swallow it. First the police would stop me, then the cararbinnieri, sometimes the financial police as well, and then the Di Lauro and Spanish sentinels. All with the same simple authority, the same mechanical gestures and identical phrases. The law enforcement officers would look at my driver's license, then search me, while the sentinels would search me first, then ask lots of questions, listening for the slightest accent, scanning for lies. During the heat of the conflict the sentinels searched everyone, poked their heads into every car, cataloging your face, checking if you were armed. To motorini would arrive first, piercing your very soul, then the motorcycles, and finally the cars on your tail.
I was struck by the difference in approaches to the basic "airport security problem" between those who were obliged to obey the rule of law, and those who knew an error in their judgment would likely mean their own death.

Foto of the arrest of Cosimo Di Lauro from La Repubblica.

Monday, January 14, 2008

White Knuckles

This looks interesting, in the context of cultural cognition of risk. Entertaining legal wonking on the issue at Concurring Opinions and Volokh.

Amazing the lack of agreement as to when "Yee haw!" becomes "Holy Crap!" while behind the wheel.

Photo courtesy Marie Rose Ferron / Flickr

Sunday, January 6, 2008

Die Doing Something You Love

"To die doing something you love."
I encountered variations of this phrase three times Saturday.

1. In Chris Jonnum's biography of the Haydens, the on track death of flat-tracker Will Davis. Davis was a hero of Nick Hayden's. Mourning his death, Nick said that there is no tragedy if you die doing something you love. Nick did run his next road racing victory lap backwards in Davis' honor.

2. On the DVD of The Race to Dakar, Andy Caldicott died doing the thing he loved, as described by Charlie Boorman. No one will be permitted to die this way this year, since ASO has cancelled the Dakar race due to threats for terrorism. (You can die doing what you love, not what Al Qaeda loves.)

3. Andy Olmstead states in his posthumous blog post that he died doing the job he loved.

If you love your job, you can accept any level of risk.