<div><b>Another Set of Teeth</b>: Privacy, Security, Ethics, Fraud. By Dutcher Stiles.</div>
<div><b>Bingo</b> (2011-04-28)</div><br />
<div><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMoLpfTVkmfAP1aMtkOekq-DVsLzhij06Q3vkvHtjEb3YdTHycZJEUVycQSoycqGKsC6rQU5nFYUcTBvVvB8z2Z3TVQgH5AaJaDR3jifaeWyeCIazTHR16uMhLkBECWcnry4zfjWMeCNw/s1600/csbingo.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMoLpfTVkmfAP1aMtkOekq-DVsLzhij06Q3vkvHtjEb3YdTHycZJEUVycQSoycqGKsC6rQU5nFYUcTBvVvB8z2Z3TVQgH5AaJaDR3jifaeWyeCIazTHR16uMhLkBECWcnry4zfjWMeCNw/s1600/csbingo.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Best Practice</td></tr>
</tbody></table><span class="Apple-style-span" style="font-family: inherit;"><a href="http://www.texastribune.org/texas-taxes/comptroller-of-public-accounts/texas-comptroller-takes-responsibility-for-breach/">The details are too boring to recount.</a> Impossibly large amount of records “exposed” due to human error. Nothing new, same old. </span></div><div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: inherit;">The only reason to watch is to see how the impact plays out. It is Texas Politics, after all, and the Lege is in session, and this could prove to be a mild distraction from birthers and budgeteers. </span></div><div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: inherit;">The data loser in this instance is an elected official, with aspirations to higher office. <a href="http://www.window.state.tx.us/about/">Ms. Combs</a> was angling to grab one of the vacant seats when Lite Gov Dewhurst runs for US Senate. So, there’s that. I doubt many folks enter politics hedging against the risk of career flameout by batch job misconfiguration. Time to update some campaign risk models. </span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: inherit;">The <a href="http://www.texastribune.org/texas-state-agencies/teacher-retirement-system/group-wants-investigation-into-texas-data-exposure/">lawsuit loser</a> in this instance has tapped into the type of outrage commonly expressed by writers of comments on newspaper websites - the "SOMEONEOTTAPAY tiny fist shaking, foot stamping" yadayada. Sure, they wanna get to the bottom of this for the dignity of the victims. With no damage, the victims will have a tough row to hoe. Maybe they are running discovery for attack ad quotes. </span></div><div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: inherit;">At about six minutes in to her interview, we get the biggest loser. Comptroller Combs says Gartner and Deloitte are on the case to advise on "best practices." (It looks like Deloitte may be <a href="http://www.statesman.com/news/texas/firms-tied-to-texas-comptroller-hired-after-breach-1437282.html">getting a small return on their campaign investment</a>.) This sort of reaction chafes me to no end, and is an assault on <i>my</i> dignity. I might be wrong on this, but the evolving SOP for privacy incident response appears to be to spend money willy-nilly on whatever threat is foremost in the populace's mind, regardless of the proximal cause of the incident. One company's reaction to some speed freaks carrying away a safe with a couple of DVDs of data was to air gap their production environment and embark on a FISMA compliance project. This firehose approach appears to be designed to make the potential victims feel better, I guess, but only enriches the best practitioners and "safe bet" consultants. To me, it just seems a waste, and decreases my confidence in the competence of the organization. </span></div><div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: inherit;">And, to quote the Comptroller, "oh my gosh, think of Sony... and think of your grocery store loyalty card." </span></div><br />
Well, at least country music is alive and kicking every night south of Round Rock, Texas. (The sight of a youthful Dale Watson and the State Capitol restores a measure of my Texan dignity. That, and <a href="http://thehighhat.com/Detritus/003/bingo.html">Chicken Shit Bingo</a>.)<br />
<iframe allowfullscreen="" frameborder="0" height="390" src="http://www.youtube.com/embed/17uBi8wOVsU" width="480"></iframe><br />
<br />
Best Practices in Risk Management image courtesy of <a href="http://www.flickr.com/photos/30499760@N00/">KoryeLogan</a>.<br />
<div><b>Up Yours</b> (2011-04-25)</div>Nice metric courtesy of Grits - the <a href="http://gritsforbreakfast.blogspot.com/2011/04/false-alarms-are-single-greatest-waste.html">costs of false alarms</a>. And the casualties found at the intersection of reliable metrics and public policy. To quote Grits:<br />
<blockquote><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVrSlGdOd-W1ZI_rEkoDUmxOYUmd0kjLU3XXUgufnq-4oO2WBfhKdxzjkIKniRm6cAQDFOLcjKVfAzDFuJ6HlEHHQJuLZUhXZ3K8SJhQyk-u0SlISggwJPdDDMinHcpTsv0yIFZcVtI9Q/s1600/poly-styrene.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVrSlGdOd-W1ZI_rEkoDUmxOYUmd0kjLU3XXUgufnq-4oO2WBfhKdxzjkIKniRm6cAQDFOLcjKVfAzDFuJ6HlEHHQJuLZUhXZ3K8SJhQyk-u0SlISggwJPdDDMinHcpTsv0yIFZcVtI9Q/s320/poly-styrene.jpg" width="160" /></a><span class="Apple-style-span" style="color: #333333; font-family: Georgia, Times, serif; font-size: 14px; line-height: 22px;">But as [Former Dallas Police Chief] Kunkle says, this is an instance where tuff-on-crime politics interferes with good public policy and common sense. The small minority being subsidized by police responses to alarms are extremely vocal and well-organized by alarm companies, who have lists with contact info of concerned customers that would be the envy of any political consultant. Plus, those with alarms almost by definition are relatively wealthier - after all, they got an alarm because they have stuff to steal - and therefore also more politically influential. By contrast, the 86% of Dallasites without burglar alarms who're footing most of the bill are unorganized, unaware of the subsidy, and may not even perceive they have a dog in the fight.</span></blockquote>The balance of this conflict is similar to those duked out in meeting rooms, with varied stakes and different arguments. <br />
Maybe a similar "verified response" fee should be assessed against consultants or auditors who elevate low impact / low frequency risks up to the Board. <br />
<br />
Or for the one who turned the risk management dashboard day glo. <br />
<iframe allowfullscreen="" frameborder="0" height="390" src="http://www.youtube.com/embed/rSrOJ1ig6tI" title="YouTube video player" width="480"></iframe><br />
<br />
Or fought the crisis you can't see. <br />
<br />
<iframe allowfullscreen="" frameborder="0" height="390" src="http://www.youtube.com/embed/Ue5jyj_nosc" title="YouTube video player" width="480"></iframe><br />
<br />
(So RIP Poly Styrene, unless this is a false alarm.)
<div><b>Audit Drips</b> (2011-04-19)</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyySBPgsm1O13Y3cO22MW_DJTDxonjV27R2lj1FPj27dtdG7MceTJkIHkuO9qFIkeBF9ar-fh2bsEpN-rri_zdE85yC36s3g1Zkbednt2yLVLjUV_IIDihHGvKZ8FB0HcSBCe42lGauAc/s1600/Street+Wars.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyySBPgsm1O13Y3cO22MW_DJTDxonjV27R2lj1FPj27dtdG7MceTJkIHkuO9qFIkeBF9ar-fh2bsEpN-rri_zdE85yC36s3g1Zkbednt2yLVLjUV_IIDihHGvKZ8FB0HcSBCe42lGauAc/s320/Street+Wars.jpg" width="320" /></a></div>I was catching up on the podcast backlog today. I listened for the first time to the <a href="http://riskhose.com/">Risk Hose</a>, which had a meaty midsection on the internal auditing profession, and whether and how internal auditors assess, analyze and otherwise manage and misconstrue risk. <br />
(A couple of caveats. I speak as an internal auditor, with a background in food service and deckhanding. I'm ISACA Platinum, which is more like Centrum Silver than American Express Gold, i.e., it is bestowed upon age. I'm an autodidact when it comes to information risk analysis, but I'm trying to learn.)<br />
<br />
Firstly, the standards. The Red Book, or more correctly, the <a href="http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/full-standards/">International Professional Practices Framework</a>, includes the following standard (2010.A1): <br />
<br />
<blockquote>The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.</blockquote>So, every internal audit shop has to perform a risk assessment annually, and use it to plan which audits will be performed in the next year.<br />
This type of risk assessment evaluates "audit risk," defined in Sawyer's Internal Auditing (from my raggedy 4th edition, Part 3 Scientific Methods* Chapter 8 "Risk Assessment") as the following:<br />
<br />
<blockquote><span class="Apple-style-span" style="border-collapse: collapse; font-size: x-small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Audit Risk = Inherent Risk x Control Risk x Detection Risk</span></span></blockquote>A heavy dose of "professional judgment" (also known as "the gut") is used in this method. The output of this assessment prioritizes the auditable units (chunks of business functions which make up the audit universe), and cranks them through the cycle to maintain "coverage." Purchasing on even years, Accounts Payable on odd, et cetera. Areas with weak controls and lots of potential loss should probably float to the top. This method is old fashioned even for the conservative internal audit profession, but has the backing of some of the AICPA's more ancient Statements on Auditing Standards. The resulting assessment is used internally for audit's planning purposes, and, from talking to my peers in industries without a regulatory mandate to perform risk assessment, it may be the only organization-wide assessment that gets performed. The methods vary, as do the results.<br />
<br />
The recent revisions to the Red Book standards state that internal auditors "<b>must</b> evaluate the effectiveness and contribute to the improvement of risk management processes." So a shop that follows standards will be in the business of whoever is performing the "risk management" function, including "information systems." Internal auditors can't manage risk, but can help assess. <br />
<br />
From my perspective, a lot of internal auditors have a lot of experience in an old fashioned style of risk assessment, and end up with a gut quantification exercise. There may be some bet hedging, vindictiveness and four tons of politics involved in the process (see above as to who must have input into it), and, in the end, the board will get what it wants. Quality and sophistication of boards will vary widely, and if they want red, yellow, and green heat maps, by gum they are going to get it. If they want quant analysis, they'll get that too, especially if there is overlap between the Audit Committee and the Risk Committee. <br />
<br />
Risk assessment season is approaching for my shop, and, with Hubbard and FAIR in hand, I'm working with our CAE to get together at least some quantitative analysis. Gotta start somewhere. I'll get the blame regardless.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="390" src="http://www.youtube.com/embed/32xWaD6dhEU" title="YouTube video player" width="640"></iframe><br />
<br />
*I think I hear a head exploding somewhere.
<div><b>The Professional</b> (2010-10-06)</div>An interesting narrative, trapped unfortunately behind a pay wall, comes from the Chronicle of Higher Education - "<a href="http://chronicle.com/article/Chapel-Hill-Researcher-Fights/124821/">Chapel Hill Researcher Fights Demotion After Security Breach</a>"<br />
<br />
A cancer researcher's database gets potentially pwnd (two years from incident to discovery), spurring the usual breach notification process. Her bosses cut the researcher's pay and reduced her status from full professor to associate. The justification was that she, as principal investigator, was responsible for the security of the personal data entrusted to her by the subjects of the study. <br />
<br />
The meat from the article (emphasis added):<br />
<blockquote><span class="Apple-style-span" style="font-size: medium;">The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas countered that the staff member, who has since left, had worked for the university's technology office and that the employee never submitted a formal request for additional training.</span></blockquote><blockquote><span class="Apple-style-span" style="font-size: medium;"><b>"I had an employee who I trusted who told me things were OK</b>," she added. <b>"I would have no way to get on the computer and tell if it was secure. Unless I assumed my employee was lying to me, I don't know what I could have done</b>."</span></blockquote><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2JPG1-1CoCYUvzhMEDHKkFtlGjOvGKZXlyJhstFDAvTU451Su94NOJMdDVYwxPP1bZuXYJCWpri5r_ayFavTi8Qqeo7oI5Gx58KrWC796CLaA-kypwnMthRf2bUns4E2FrNfCss_J0JQ/s1600/leon-the-professional-black-and-white.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2JPG1-1CoCYUvzhMEDHKkFtlGjOvGKZXlyJhstFDAvTU451Su94NOJMdDVYwxPP1bZuXYJCWpri5r_ayFavTi8Qqeo7oI5Gx58KrWC796CLaA-kypwnMthRf2bUns4E2FrNfCss_J0JQ/s400/leon-the-professional-black-and-white.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Working in the Public Interest</td></tr>
</tbody></table><div><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="font-family: inherit;">I believe that there is another option. Some folks who are in charge of security are not liars, but are incompetent. And, yes, it is hard to tell them apart.</span></span></div><div><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></span></div><div><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="font-family: inherit;">If it was money that was stolen, and someone said "I have no way of telling if the books were correct. I trusted the accountant. He was an experienced bank teller," what would the response be? Why didn't you hire a forkin' CPA? CPAs have professional knowledge, and ethical obligations, and if they fail to meet them, you can have their license pulled. </span></span></div><div><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></span></div><div><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="font-family: inherit;">Not so with security folks. Why is it acceptable for others to manhandle your personal, private data more cavalierly than your accounting records? </span></span></div><div><span class="Apple-style-span" style="font-size: medium;"><br />
</span></div><div><span class="Apple-style-span" style="font-size: medium;">I'm tempted to start my rant on certification, pseudo-science and "computer forensic professionals" but I'll save it for the next post. </span></div><div><span class="Apple-style-span" style="font-size: medium;"><br />
</span></div><div><span class="Apple-style-span" style="font-size: medium;"><br />
</span></div><div><b>Risk a Harm?</b> (2010-09-22)</div><span class="Apple-style-span" style="font-family: 'Lucida Grande';"><a href="http://www.concurringopinions.com/archives/2010/09/are-people-really-harmed-by-a-data-security-breach.html">Interesting post</a> and comments on privacy risk from Solove at Concurring Opinions. Despite being raised by a pack of feral solicitors, I can't claim to understand all the legal theories involved. I'm attracted to the liquidated damages idea for a number of reasons, including the ability to build a reserve or get underwriting to mitigate potential incidents. </span><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikHxxYHtZ1Afvo_5KDoGEpb_2ZrXWGgE-He2opuqY-w5HhwmirMsVtlMuLDfa7V-NAFMx6F-Mihc0r-1cAncSuwkhla4QeBVwI79bzo0-a8AKQCzhUu_sUuL1iw8HyeLhv-cH1PMBzn8g/s1600/05-09_Monza_Robin-Harms-styrtet_01-%5BRacingNews-Danmark%5D.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikHxxYHtZ1Afvo_5KDoGEpb_2ZrXWGgE-He2opuqY-w5HhwmirMsVtlMuLDfa7V-NAFMx6F-Mihc0r-1cAncSuwkhla4QeBVwI79bzo0-a8AKQCzhUu_sUuL1iw8HyeLhv-cH1PMBzn8g/s320/05-09_Monza_Robin-Harms-styrtet_01-%5BRacingNews-Danmark%5D.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span class="Apple-style-span" style="font-size: medium;">Harms at Risk</span></td></tr>
</tbody></table><div><span class="Apple-style-span" style="font-family: 'Lucida Grande';"><br />
</span></div><div><span class="Apple-style-span" style="font-family: 'Lucida Grande';">On the other hand, this is where the disclosure rules suck. For example, an organization loses track of a hunk of physical media that contains a couple hundred thousand records that contain personally identifiable information (but not financial information - no bank or credit card account number). In this example, there is a very high probability that the media was subsequently destroyed. Are the individuals identified on the media well served by being notified? </span></div><div><span class="Apple-style-span" style="font-family: 'Lucida Grande';"><br />
</span></div><div><span class="Apple-style-span" style="font-family: 'Lucida Grande';">Imagine there was a method to calculate the likelihood of financial damage to the individual due to the loss of the media. Let's imagine that there is less than a 1% chance that the information will be used in a crime in the next 2 years, and that the chance decreases by half every year that follows. However, if it is used in a crime, it is likely that the crime will be of a significant impact - a genuine fraud involving false credentials that would take more than $100,000 for the victim to unravel. Is notifying the victim of the risk, and making him feel uneasy (since humans perceive risk differently than equations do), responsible? </span></div><div><span class="Apple-style-span" style="font-family: 'Lucida Grande';"><br />
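</span></div>
<div>To put numbers on the hypothetical above, here is an added example (not from the original post) that computes the cumulative misuse probability and the expected loss per affected individual. It assumes the 1% figure covers the first two years as a single window, that each later year carries half the previous year's probability (0.5% in year 3), and that the $100,000 loss applies whenever the data is misused.</div>

```python
"""Expected-loss sketch for the lost-media scenario in the post above.

Added example, not part of the original post. Assumptions the post does
not state: the 1% figure covers years 1-2 as one window; from year 3 on
each year's probability is half the previous year's (0.5% in year 3);
the $100,000 loss applies whenever the data is misused.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LostMediaScenario:
    p_first_window: float = 0.01      # P(misuse within the first two years)
    annual_decay: float = 0.5         # each later year is this fraction of the prior year
    loss_if_misused: float = 100_000  # dollars it takes the victim to unravel the fraud


def misuse_probabilities(scenario: LostMediaScenario,
                         horizon_years: int) -> list[tuple[str, float]]:
    """P(misuse first occurs in each window), out to horizon_years (>= 2)."""
    if horizon_years < 2:
        raise ValueError("the post's first probability covers a two-year window")
    windows = [("years 1-2", scenario.p_first_window)]
    p = scenario.p_first_window
    for year in range(3, horizon_years + 1):
        p *= scenario.annual_decay          # halves each year after the window
        windows.append((f"year {year}", p))
    return windows


def cumulative_probability(scenario: LostMediaScenario, horizon_years: int) -> float:
    """P(the data is misused at least once within the horizon)."""
    return sum(p for _, p in misuse_probabilities(scenario, horizon_years))


def expected_loss(scenario: LostMediaScenario, horizon_years: int) -> float:
    """Expected dollar loss per individual over the horizon; this is the
    quantity a reserve or an underwriter would price."""
    return cumulative_probability(scenario, horizon_years) * scenario.loss_if_misused


def limit_probability(scenario: LostMediaScenario) -> float:
    """Cumulative probability as the horizon goes to infinity.

    Years 3, 4, ... form a geometric series starting at p*d with ratio d,
    so their sum is p*d/(1-d); with d = 0.5 that equals the first window's p.
    """
    d = scenario.annual_decay
    return scenario.p_first_window * (1 + d / (1 - d))


if __name__ == "__main__":
    s = LostMediaScenario()
    for label, p in misuse_probabilities(s, 6):
        print(f"{label:>9}: {p:.4%}")
    print(f"cumulative over 10 years: {cumulative_probability(s, 10):.4%}")
    print(f"expected loss over 10 years: ${expected_loss(s, 10):,.2f}")
    lim = limit_probability(s)
    print(f"limit as horizon grows: {lim:.4%} -> ${lim * s.loss_if_misused:,.2f}")
```

Under these assumptions the lifetime misuse probability tops out at 2% and the expected loss per person at $2,000, which is the kind of figure the post's "reserve or underwriting" idea would have to price.
<div><span class="Apple-style-span" style="font-family: 'Lucida Grande';">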
</span></div><div><span class="Apple-style-span" style="font-family: 'Lucida Grande';">Or is this just an excuse for me to illustrate a post with a picture of <a href="http://www.robbinharms.dk/">Harms at risk</a>? </span></div><div><span class="Apple-style-span" style="font-family: 'Lucida Grande'; font-size: small;"><span class="Apple-style-span" style="font-size: 11px;"><br />
</span></span></div><div><b>DBR600RR - The Verizoning</b> (2010-08-06)</div><div style="font-family: inherit;"><span style="font-size: small;">I admit I genuinely enjoyed the latest Data Breach Report courtesy of the stalwart boffins at Verizon Business. My personal benchmark of genuineness is derived from my ability to almost immediately put it to use in my job. Nonetheless, I'd like to see the data hashed up one more way. </span><br />
<span style="font-size: small;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://www.motorcyclenews.com/upload/269672/images/American-Honda-Moto2-Moriwaki-MD600-Drudi-Performance.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="212" src="http://www.motorcyclenews.com/upload/269672/images/American-Honda-Moto2-Moriwaki-MD600-Drudi-Performance.jpg" width="320" /></a></div><span style="font-size: small;">The following quotes are from page 14: </span><br />
<span style="font-size: small;"> </span></div><div style="font-family: inherit;"><span style="font-size: small;"><br />
</span></div><blockquote style="font-family: inherit;"><div><span style="font-size: small;">"Though we do not assert that the full impact of a breach is limited to the number of records compromised, it is a measurable indicator of it."</span></div></blockquote><div style="font-family: inherit;"><span style="font-size: small;">and </span><br />
<span style="font-size: small;"><br />
</span></div><blockquote style="font-family: inherit;"><div><span style="font-size: small;">“There is not a linear relationship between frequency and impact; harm done by external agents far outweighs that done by insiders and partners. This is true for Verizon and for the USSS and true for this year and in years past … We could provide commentary to Figure 9, but what could it possibly add? If a chart in this report speaks with more clarity and finality we aren’t sure what it is.”</span></div></blockquote><div style="font-family: inherit;"><span style="font-size: small;">I’ll tell you what you can add, cause I’m that way. And the suggestion comes from the assumption that records=impact. I'm groovy with the assumption that number of records compromised is a measurable indicator for the top three categories of records listed on Fig. 31 on page 41 (regulated data that requires breach disclosure). However, it seems that an incident that involves the theft of proprietary source code, non-public financial statements, trade secrets, or whatever else comes under the umbrella of "data breach," is counted as a single record, just as one credit card transaction record counts as one record. </span><br />
<span style="font-size: small;"><br />
</span><br />
<span style="font-size: small;">I'd like to see the PCI DSS and PII/PHI database breaches broken out from the other (information property, trade secret, national security) breaches. Looking at the data where they are detailed (p 41), there are not a whole lot of them. Based on the statement on page 18, viz:</span><br />
<blockquote><span style="font-size: small;">”It is worth noting that while executives and upper management were not responsible for many breaches, IP and other sensitive corporate information was usually the intended target when they were.” </span></blockquote><span style="font-size: small;">NPI/PII/PHI mandatory disclosure type breaches may be characterized by a different set of threats, impacts, and frequencies, and require a different set of corresponding controls than the breaches associated with occupational fraud. Yeah, I said "fraud" not "insider." And I'd like to keep on saying "fraud" until I'm comfortable that the internal controls over non-regulated data are targeted at management override rather than external organized crime. Is organized crime recruiting from the sysadmins and call centers? Or is the insider a fraud (corruption/breach of fiduciary duty) issue? A little help and we'll all be safer. </span><br />
<span style="font-size: small;"><br />
</span><br />
<span style="font-size: small;">(I personally believe in Solove's assertion that management should have a fiduciary duty to the privacy of data, but from what I've seen, we ain't there yet, and it is still all about compliance.)<br />
</span><br />
<span style="font-size: small;"><br />
</span></div><div style="font-family: inherit;"><span style="font-size: small;">On a side note, the other category of data - authentication credentials - interests me. Do bad guys just stop at root? Or do they start at root? Do the executives/upper management types rely on their organizational credentials, or do they use their authority to con an underling to hand them over? I've got the anecdotes, but I'd like the data. </span></div><div style="font-family: inherit;"><span style="font-size: small;"><br />
</span></div><div style="font-family: inherit;"><span style="font-size: small;">Some other comments: </span></div><div style="font-family: inherit;"><span style="font-size: small;">Figure 27 (p38) – People? A person is a compromised asset and contains records? I’m not sure I follow the taxonomy (or is it taxidermy?) here. </span></div><div style="font-family: inherit;"><span style="font-size: small;">P 40 and 41 – Thanks! These charts help quite a bit in understanding the data. </span></div><div style="font-family: inherit;"><span style="font-size: small;">Fig. 35 (p46) is not only hard on my eyes, but on my brain. Why is the scale broken into non-proportional time units? Does the data naturally break down this way? A continuous timeline would give me more confidence in how stuff happens. It tapers off dramatically since each “timespan” is considerably bigger than the previous. My brain could handle a logarithmic scale, but 60 / 12 / 7 / 4 / 12 / (sideways eight) is kinda hard. I’m a simple country auditor, dadgummit. The accompanying text </span><br />
<blockquote><span style="font-size: small;">“In over 60% of breaches investigated in 2009, it took days or longer for the attacker to successfully compromise data.” </span></blockquote></div><div style="font-family: inherit;"><span style="font-size: small;">is not fully illustrated in the graph (to my humble eyes). Also, it could be more informative. (e. to the extreme g., my kitchen remodel is taking "days or longer" and yet, three months later, the fridge is in the living room. But my bourbon is appropriately iced! (This is a footnote, really, rather than a parenthetical, so there you go.))</span><br />
<span style="font-size: small;"><br />
</span><br />
<span style="font-size: small;">Good thing the follow-up on page 50 struck me like a diamond, <a href="http://www.imdb.com/title/tt0078788/quotes">a diamond bullet right through my forehead</a>:</span></div><blockquote style="font-family: inherit;"><span style="font-size: small;">Internal audit methods—both financial and technical—are the bright spot in all of this.</span></blockquote><div style="font-family: inherit;"><span style="font-size: small;">Yeah! Give the auditor some! </span><br />
<span style="font-size: small;"><object height="385" width="480"><param name="movie" value="http://www.youtube.com/v/t_vSGkS3tCQ&hl=en_US&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/t_vSGkS3tCQ&hl=en_US&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object></span><br />
<br />
<span style="font-size: small;"><span style="font-size: x-small;"> (Image of Roger Lee Hayden's Moto2 Moriwaki Amerigasm courtesy Motorcycle News, American Honda and USA! USA! USA! because a) it is not wholly unlike a CBR600RR and CBR sounds like DBR, b) all information security can be seen as a metaphor for motorcycle roadracing (technology, engineering, empiricism, piloted by moody irrational egomaniacs who are only in it for the birds & booze) and c) it looks totally awesome! Porkchop better clean the clock of some euro trash come Indy what with big ol' #34 plastered on the fairing)</span></span><br />
</div><div><b>Live Twice</b> (2010-02-24)</div><br />
<div style="font-family: Georgia,'Times New Roman',serif;"><div class="separator" style="clear: both; text-align: right;"><a href="http://upload.wikimedia.org/wikipedia/commons/f/fb/Toyota_F1_Canada_2006_%28crop%29.PNG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="166" src="http://upload.wikimedia.org/wikipedia/commons/f/fb/Toyota_F1_Canada_2006_%28crop%29.PNG" width="200" /></a></div><span style="font-size: small;">Chandler at the <a href="http://newschoolsecurity.com/2010/02/human-error-and-incremental-risk/">New School</a> made me collect, collate and sort my thoughts on the whole recall issue. Although what follows is more like bend, fold and mutilate.</span><br />
<br />
<span style="font-size: small;"> </span></div><div style="font-family: Georgia,"Times New Roman",serif;"><span style="font-size: small;">The greatest risk Toyotas pose to me is that I get drowsy rolling down the highway with nothing more interesting to divert me than continual rivulet of pale metallic four door boredom. </span></div><div style="font-family: Georgia,"Times New Roman",serif;"><span style="font-size: small;">Not incongruent to their exterior aesthetics, my personal reaction to the <a href="http://www.thedailyshow.com/watch/tue-february-23-2010/toyotathon-of-death---unintended-acceleration-problem">Toyotathon of Death</a> falls in two barrels.</span></div><ol style="font-family: Georgia,"Times New Roman",serif; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span style="font-size: small;">
<li><i>Risk of correctly engineered and manufactured product v. risk of incorrectly engineered and faulty product.</i> A base assumption in driving a recently produced auto is that, not only will it advance the spark automatically and not require a crank to start, but also that the accelerator will not get stuck open. If Toyota had labeled one of their transportation appliances with the label “May very rarely yet randomly accelerate,” prudent drivers would familiarize themselves with the emergency stopping procedures. However, Toyota did not disclose this information until much later, so the information was not available for calculation into a driving risk scenario. Drivers were operating under a “Toyota quality” assumption. Would the driver of a Trabant exercise the same risk equation as a Prius or Highlander driver? </li>
<li><i>The Mediation of the Road.</i> The current Toyota passenger car philosophy appears to be a closer cousin to Kitchen Aid than <a href="http://en.wikipedia.org/wiki/Toyota_TF109">TF109</a>. This transportation appliance paradigm isolates the user (no longer a driver) from the grit, grime and smells of the road, substituting an ego-coddling display of eco-righteousness and pretty maps. How could the impolite fangs of risk-driven adrenaline ever intrude into the quiet gentle rocking motions of hybrid power in a sarcophagus of LED-illuminated soft plastics? The white-knuckling pilot of the beater Pinto or the hypervigilant motorcyclist know no such peace. They know the road is a dangerous place, and that they are engaged in high-risk behavior. Unintended acceleration is one of myriad annihilation scenarios coursing ten thousand times a second through their oxygen-deprived neurons. Driving for them is like conducting transactions on the internet. </li>
</span></ol><div style="font-family: Georgia,'Times New Roman',serif; padding-left: 18pt;"></div><div style="font-family: Georgia,'Times New Roman',serif; padding-left: 18pt;"><span style="font-size: small;">Tangentially, yet incongruously, I once had a <a href="http://torp.priv.no/woody/films/annie.html">notion</a> (but with a bit of backing...) that the ultimate design for a website used to conduct high-dollar Internet transactions would be modeled after a mid-90s "adult" entertainment website – HTTP Auth pop-up, sloppy HotDog-generated HTML, broken icon indicating missing plug-ins, probably registered at .biz, .info, .ru or .cx. The customers would perceive the risk and exercise due caution, such as verifying the SSL certificate, maybe an out-of-band telephone call to the institution, and routine changes of password for every session. The site could be state-of-the-art secure (y’know, <a href="http://1raindrop.typepad.com/">SSL + firewall</a>), but the appearance of danger and perception of risk would make it Yet Still Even More So. Of course, the crappiness would have to have a periodic refresh just to keep the users’ adrenaline up. </span></div><span style="font-family: Calibri,sans-serif; font-size: x-small;"><br />
<object height="340" width="560"><param name="movie" value="http://www.youtube.com/v/K6xy50n99FQ&hl=en_US&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/K6xy50n99FQ&hl=en_US&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"></embed></object></span><br />
<span style="font-family: Calibri,sans-serif; font-size: x-small;"><br />
</span><br />
<span style="font-family: Calibri,sans-serif; font-size: x-small;">Toyota photo courtesy <a href="http://commons.wikimedia.org/wiki/File:Toyota_F1_Canada_2006_%28crop%29.PNG#file">Wikimedia Commons</a>.<br />
</span><br />
<div style="padding-left: 18pt;"></div><div style="padding-left: 18pt;"></div><span style="font-family: Calibri,sans-serif; font-size: x-small;"></span>Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com0tag:blogger.com,1999:blog-730140416271272636.post-44496174094519892492010-01-21T18:30:00.000-08:002010-01-21T18:55:31.229-08:00PosingRead this bit of oddness from the Statesman this morning - "<a href="http://www.statesman.com/news/local/pflugerville-man-posed-as-model-online-to-elicit-188174.html">Pflugerville man posed as model online to elicit cash</a>." A young man with a "very effeminate voice" managed to spend four years shaking down lonely men for cash while posing as model Bree Condon, who (according to a quick Google image search) poses mostly whilst bikini'd. <br /><br />I appreciate the opportunity seized by the falsettoed Pflugervillian. And, of course, Ms. Condon should have checked her credit reports and shredded her bank statements to prevent this identity theft. <br /><br />Wait, that wouldn't have worked. More from the article:<br /><br /><p></p><blockquote><p>Her reputation also has taken an online beating.</p><p>A commenter — the person used the name Justin Brown — on the Web site whosdatedwho.com said Condon was "really sweet at first, then it's $5,000 a month just to be one of her boyfriends."</p><p>Another wrote, "She scams men for money and she is extremely psychotic."</p></blockquote><p></p><br />Gracious. It's reputation theft. 
But only among a slightly deluded public who can "date" a 24 year old man in Pflugerville and think he's a female model.Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com0tag:blogger.com,1999:blog-730140416271272636.post-82861111654348375182009-10-06T18:52:00.000-07:002009-10-06T19:08:02.250-07:00Sociables<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYZ-r8GZB1rapYY0LQk3HI_fLfgnYFJtPifcKqE9kOH6zTadSS7kN70ysJPFPDsruoMyS7OAw8xXHvaQWBTwXCZnx2vTB_6VAAzwjKu8ZI4bRvu1zt6jWySPw0KNbPXBW6KfzqijPPSZk/s1600-h/snacks4.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 171px; height: 200px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYZ-r8GZB1rapYY0LQk3HI_fLfgnYFJtPifcKqE9kOH6zTadSS7kN70ysJPFPDsruoMyS7OAw8xXHvaQWBTwXCZnx2vTB_6VAAzwjKu8ZI4bRvu1zt6jWySPw0KNbPXBW6KfzqijPPSZk/s320/snacks4.jpg" alt="" id="BLOGGER_PHOTO_ID_5389673794639092562" border="0" /></a><br />When I read this<a href="http://blogs.gartner.com/andrea_dimaio/2009/09/28/forget-privacy-it-is-just-an-illusion/"> commentary on privacy</a> from Andrea Dimaio from Gartner, I was mildly surprised that people still thought like this, that privacy is tied to secrecy.<br /><br />Bob Blakley <a href="http://identityblog.burtongroup.com/bgidps/2009/10/gartner-gets-privacy-dead-wrong.html">responds</a> at the Burton Group. I agree with his analysis, so it must be brilliant. 
The back and forth in the comments is worth reading.Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com0tag:blogger.com,1999:blog-730140416271272636.post-11602753436685784252009-10-02T18:31:00.000-07:002009-10-02T19:24:19.802-07:00FingertipsFrom today's Austin American Statesman, <a href="http://www.statesman.com/news/content/region/legislature/stories/2009/10/02/1002foodstamps.html">this article </a>discusses the fraud deterrent effect of fingerprinting applicants for food stamps, and if it is worth the delay it may be causing in processing (Department of Agriculture says it isn't).<br />There are lessons to be learned at Texas HHSC.<br />Starting here:<br /><span class="cxnshared"><p></p><blockquote><p>The electronic fingerprinting program costs $3 million a year: $1.6 million for a contract with Cogent Systems for the imaging and $1.4 million for state workers' time. The state and federal governments split the cost.</p> <p>Last year, the fingerprint program led to the state investigating just four applicants for fraud.</p> <p>But state officials say it's impossible to know how many people are deterred from applying multiple times because of the fingerprinting.</p></blockquote><p></p><p>But later in the article:</p><p><span class="cxnshared"><blockquote>The state estimates that the deterrent effect of fingerprinting saves $6 million to $11 million a year.</blockquote></span></p><p>I imagine the latter figure could have been pulled from cost justification of the project, or from the vendor's response to the RFP, or even the LBB when the law was passed. (Does the cost include the initial implementation of the system?) But measuring the actual decrease in applicant fraud is a solvable problem. To say that there is "no way of knowing" the deterrent effect is not defensible. If they never measured a baseline of applicant fraud to begin with, how would they have known how much to spend on an anti-fraud measure? 
If they don't try to measure the change post implementation, how do they know it's working?<br /></p><p>On the other, more cynical, hand, why should they care? They are in compliance with the state law, and the system was implemented. The only people who suffer are the citizens who need help to buy food. Folks who may not be able to take off from their minimum wage job, or don't have the transportation, to go be fingerprinted. Measuring the dignity of your customers is harder than measuring your fraud deterrence cost. <br /></p><p><br /></p><p>You tell 'em Stevie. <br /><object height="344" width="425"><param name="movie" value="http://www.youtube.com/v/lnoSAIVpb8c&hl=en&fs=1&"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><embed src="http://www.youtube.com/v/lnoSAIVpb8c&hl=en&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="344" width="425"></embed></object><br /></p><p><span class="cxnshared"><br /></span></p><p><br /></p></span>Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com0tag:blogger.com,1999:blog-730140416271272636.post-21788513861048765772009-09-14T18:36:00.000-07:002009-09-14T19:11:51.823-07:00Intent<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4SgUp5kMP-8_GPIeccEEutTfCV-8MzbwSDdoWR88jqq1z1WdBJPGEL4Z_Va755eEtjJcR3qSqdeQcoMud4fXnpVa47z7VfEyL4wl0VNzrMiSvujGFp9uT8gLhHVa8IZo9JHHkaWNZiuc/s1600-h/909RZA_.jpg"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px; height: 202px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4SgUp5kMP-8_GPIeccEEutTfCV-8MzbwSDdoWR88jqq1z1WdBJPGEL4Z_Va755eEtjJcR3qSqdeQcoMud4fXnpVa47z7VfEyL4wl0VNzrMiSvujGFp9uT8gLhHVa8IZo9JHHkaWNZiuc/s320/909RZA_.jpg" alt="" id="BLOGGER_PHOTO_ID_5381508251042042610" border="0" /></a><span style="font-family: times new roman; color: 
rgb(0, 0, 0);font-family:Calibri, sans-serif;font-size:100%;" ><div>There’s a whole bunch of the IDC/RSA white paper on <a href="http://www.rsa.com/solutions/business/insider_risk/wp/10388_219105.pdf">insider risk management</a> that puzzles me on one level or another. </div> <div><a href="http://www.rsa.com/solutions/business/insider_risk/wp/10388_219105.pdf" target="_blank"><u></u></a></div> <div style="font-style: italic;"><blockquote> “Whether the threats are accidental or deliberate, the costs are still the same.” </blockquote></div> <div>I didn’t see much data in the report regarding costs. I'm not sure if they are talking about dollars. Regardless, the controls to prevent either accidental or deliberate data loss probably overlap in most scenarios, so that cost may be similar. It’s the cost of response and recovery that could be wildly different. I would rather pay to have a document restored from backup than pay the costs of data falling into the hands of someone who would steal it. Intent is material in incident response cost. (I'm not married to this idea yet, but I've taken it out to dinner a couple times.)</div> <div style="font-style: italic;"><blockquote>“Malware and spyware attacks are another example of the risk of good employees doing bad things.”<br /></blockquote></div> <div>I don’t think good employees are doing the bad things in malware and spyware attacks. I think it's bad people doing bad things. I’d categorize the real threat as the operator of the malware or spyware. The employee's behavior is a control, but given the sophistication of much of the malware around, it is not surprising that this control occasionally fails (Is visiting <a href="http://bits.blogs.nytimes.com/2009/09/14/times-site-was-victim-of-a-malicious-ad-swap/?hpw">NYTimes.com</a> a “bad thing”?). If the security of data is breached due to malware on a desktop, it has gone to bad people. 
I think this sort of incident belongs in a different category from an error, omission or mistake. There is an intelligent actor intending harm behind the action. Not so with a lost laptop.<br /></div> <div></div><blockquote style="font-style: italic;"><div>Under “Key Findings” </div> <div>"14.4 incidents of unintentional data loss through employee negligence in the past 12 months"</div></blockquote><div></div> <div>So, what does “unintentional data loss” mean? Dropping the wrong table? Hitting “Save” rather than “Save As”? Losing a laptop? That number is not as exciting to me as the 11 incidents of internal fraud a year cited a couple rows down. Response to "unintentional data loss” could be as simple as pulling a back-up, but fraud incidents are going to burn more organizational cycles and have a demonstrated loss.<br /><br /></div> <div> </div><br /><div> </div></span>Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com0tag:blogger.com,1999:blog-730140416271272636.post-78238652794634279772009-09-10T18:40:00.000-07:002009-09-13T08:45:56.346-07:00Policy and Ethics<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.arago.si.edu/media/000/016/446/16446_lg.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 251px; height: 300px;" src="http://www.arago.si.edu/media/000/016/446/16446_lg.jpg" alt="" border="0" /></a><br />The excellent <a href="http://gritsforbreakfast.blogspot.com/">Grits for Breakfast</a> posted several stories of alleged misbehavior at the Bexar County probation office, including a link to the <a href="http://www.sacurrent.com/news/story.asp?id=70396">following story from the San Antonio Current</a>. 
The following passage caught my attention:<br /><br /><div><span style="font-family:Calibri, sans-serif;"><a href="http://www.sacurrent.com/news/story.asp?id=70396" target="_blank"><span style="color:#0000ff;"><u></u></span></a></span></div><blockquote><div><span style="font-family:Calibri, sans-serif;"><a href="http://www.sacurrent.com/news/story.asp?id=70396" target="_blank"><span style="color:#0000ff;"><u><br /></u></span></a></span></div> <div style="margin-bottom: 7pt;"><span style="font-family:Verdana, sans-serif;font-size:85%;color:#666666;">According to former Bexar County probation IT Director Natalie Bynum, [Director of Operations] Cline kept a list of known and suspected union members she wanted out of the department. To weed them out and quash the union, she had Bynum meet her repeatedly during and after work to comb through employee email accounts.</span></div> <div style="margin-top: 7pt; margin-bottom: 7pt;"><span style="font-family:Verdana, sans-serif;font-size:85%;color:#666666;">“She wanted their computers monitored in order to find out if they were doing any union activities while on the job, also to see what was going on with the union,” said Bynum, who now lives in Arizona and spoke with the <i>Current</i> by phone. “We’d go to the bar and then we’d go back to work afterwards. It would be just us in the office, often-time.”</span></div> <div style="margin-top: 7pt; margin-bottom: 7pt;"><span style="font-family:Verdana, sans-serif;font-size:85%;color:#666666;">Bynum, a close confidant of Cline’s during her tenure, says she was motivated by curiosity since she was “not allowed” to speak with known members of the Central Texas Association of Public Employees, a division of the United Steelworkers. Cline and Bynum’s alleged searches weren’t limited to the “five to 10” employees targeted by Cline, either. 
Bynum told the <i>Current</i> this week that Cline also regularly tapped into her boss’s account to see if Fitzgerald was talking about her.</span></div></blockquote><div style="margin-top: 7pt; margin-bottom: 7pt;"><span style="font-family:Verdana, sans-serif;font-size:85%;color:#666666;"></span></div> <div><span style="font-family:Calibri, sans-serif;"> </span></div><br />In most workplaces, this sort of activity may not be illegal, and is probably not even against policy. Still, I sense some ethical boundary is crossed when you start reading your boss' e-mail. Am I alone? On what grounds could the e-mail administrator deny an "authorized" request for reading e-mail, other than his/her own sense of ethical obligation?Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com0tag:blogger.com,1999:blog-730140416271272636.post-6548220663801996032009-04-17T18:23:00.000-07:002009-04-17T18:43:48.268-07:00Data Rustler<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://ecx.images-amazon.com/images/I/615SVV6TE2L.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 310px; height: 475px;" src="http://ecx.images-amazon.com/images/I/615SVV6TE2L.jpg" alt="" border="0" /></a><br /><br />The best thing to come out of the Texas Lege since....ever.<br />A bill passed through the state senate increasing the penalty on hacking at the critical infrastructures we got down here Texas-way. (State jail penalty, no less.)<br /><br />But I'm not talking about the law, but the language of the lawmaker. From the <a href="http://www.statesman.com/blogs/content/shared-gen/blogs/austin/politics/entries/2009/04/17/hacking_to_become_a_felony.html">Austin American Statesman</a> -<br /><blockquote style="font-style: italic;"><br />"[Sen. 
Kel S]eliger, R-Amarillo, who on Thursday passed through the Senate a bill that would increase penalties for cattle rustling, laughed at the suggestion that today’s bill was of the same genre.<br /><br />“Yes, it’s going after <span style="font-weight: bold;">data rustlers</span>,” he said.<span style=";font-family:Arial,sans-serif;font-size:85%;" ></span>"</blockquote><br />DATA RUSTLERS! YES! I now abandon "hacker," "cracker," "identity thief," and all other similarly situated nouns in favor of the term coined by the gentleman from Amarillo.Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com0tag:blogger.com,1999:blog-730140416271272636.post-63299242773853750272009-04-15T17:03:00.000-07:002009-04-15T19:20:26.195-07:00CyberAfter a once over, I'm curious as to the value of the Verizon Business "Data Britches Report." <br />http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/<br /><br />A couple questions/comments I had on the first read:<br />1. The document really needs a glossary. It's hard to parse the special meaning assigned to certain words and phrases as they recur throughout the document. For example: "data breach," "record," "incident" and "errors and omissions," the last of which didn't mean what I thought it would mean ("negligence" and "non-compliance" seem to convey more of what was intended. When I think E&O, I think "malpractice.")<br />2. Is the skew toward "outsider" threats due to the type of service that VB offers? Actually, is the skew of all the data because of the type and quality of service that VB offers? Hell, VB admits to whacked out skew. So give me some damages! Or, at least give me a standard deviation, if you are going to skew that way. <br />3. Where are my scatter plots? Someone get these guys some visualization skills. <br />4. Lumping intellectual property breaches with credit card and NPI in cumulative stats seems wrong to me. 
It reminds me of an article I read about computer crime that included statistics on hacking, toll fraud and the hijacking of trucks that carried computer chips. That was maybe 12 years ago, or more. This sort of loose affiliation of crimes, torts and misbehavior shovelled under a skirt called "cyber" makes less sense every time I read a "cyber" this or that. How about words like fraud, impersonation, crime, non-compliance? <br />5. About half way through, I got the feeling that I was reading a DEA document about the War on Crime. A focus on the incident, without a look at what caused the incident. Who got the money? Why are they stealing data? Is this "cyber" or just fraud? Is it a war we can win? Have we just turned the corner? <br /><br />Gimme something substantive for a conversation, not just re-hashed status reports that may be misleading.<br /><br />(Just noticed that <a href="http://newschoolsecurity.com/2009/04/a-curmudgeon-is-a-little-confused-by-the-2009-dbir/">Brooke at New School</a> wrote similar comments. I am not alone.)Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com2tag:blogger.com,1999:blog-730140416271272636.post-3562434551400120232009-03-23T18:03:00.001-07:002009-03-23T18:39:56.147-07:00Tea Risk<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3266/2812781281_1ee46e7881_m.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 240px; height: 160px;" src="http://farm4.static.flickr.com/3266/2812781281_1ee46e7881_m.jpg" alt="" border="0" /></a><br />At the <a href="http://trisc.org/">Tea Risk</a> conference today. Heard a woman keynote all over me, until my brain sploded. Her talk was divided into two parts:<br />1. A retrospective of headlines indicates that there has been no progress in information security in the past twenty years. 
This trip down corrupted memory lane came with wistful recollections of the punch-card, suspender-snapping variety. Vax is what we should nostalgicate on now. And despite her involvement in security, and yelling the same thing over and over again, No Progress Has Been Made. I was waiting for her confession that she was part of the problem, doing the same thing over and over, expecting different results. Didn't come. A slight whiff of the "stoopid luzers," but the topic was dropped without conclusion.<br />2. A detailed trip through her personal hell of IDENTITY THEFT! Here's what happens: on some records somewhere, her Social Security number is associated with SOMEONE ELSE! Of course, no fraudulent loans were made, no bogus entries on her credit bureau reports, and the person used a different name, different gender, different address, different date of birth, etc. And yet, she was upset that the police were somewhat reluctant to send out an APB and marshal all available resources to investigate her claim. She hinted that she used less than legal means to get the other individual's address and driver's license, and carried around a stack of papers with all her info into a Kafkaesque morass of bureaucracy. I've seen this sort of thing before in my previous life as an investigator. It's not IDENTITY THEFT, it's a typo. I've been brewing a rant in my head about the words "identity theft," but it probably needs a while longer to attain the desired proof.<br />This woman's bio lists her as a "risk consultant." 
Maybe that's why security sux.<br /><br /><br /><a href="http://www.flickr.com/photos/docbudie/2812781281/">Morning at Tea Plantation, by Docbudie via Flickr.</a>Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com1tag:blogger.com,1999:blog-730140416271272636.post-60368025546443446402008-11-14T08:00:00.000-08:002008-11-14T08:00:00.545-08:00Non Fiction: RiskFrom Alex Roy's <a href="http://www.teampolizeihq.com/the-driver/">The Driver</a>:<br /><blockquote style="font-family:georgia;">"Our second hour of 150 mph or more inspired a highly unscientific analysis of the actual danger we faced. I concocted what I called The Danger Coefficient (DC). I guessed the average NASCAR driver, in a thirty-six race season including practice, probably drove 15,000 miles -- with a safety cage and onboard active fire suppression -- on highly prepared tracks, with hospitals less than 14 minutes away by choppers on standby. Assuming this represented a DC of ten, Gumball's 3,000 miles meant our DC was two.... until factoring our relative safety deficiencies. High speeds over potholes <span style="font-style: italic;">had</span> to triple our DC to six. Civilian traffic doubled it again, to twelve. Time and distance to medical help? Double again, to twenty-four. Lack of roll cages, harnesses and HANS devices? My guesses ended when I realized Gumball -- at least the way I did it -- was at least five times more dangerous than NASCAR."</blockquote>From Wright and Decker's <a href="http://www.amazon.com/Burglars-Job-Streetlife-Residential-Break-ins/">Burglars on the Job</a>:<br /><blockquote>They referred to this process as "burning bread on yourself."<br /><br /><span style="font-style: italic;">"Thieves got a thang they say [about getting caught,] "If you think about thangs like that, you burnin' bread on yourself" So you don't think about it... Just go for it. [No. 
011]<br /><br /></span>Several of the subjects found it difficult to speak about the risk of apprehension, fearing that such talk would jinx their future illegal activities.<br />...<br />Some of the offenders also tried not to think about getting caught because such thought generated an uncomfortably high level of mental anguish. They believed that the best way to prevent this from happening was to forget about the risk and leave matters to fate.</blockquote>Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com0tag:blogger.com,1999:blog-730140416271272636.post-49726437848051550562008-11-12T19:57:00.000-08:002008-11-12T20:06:35.847-08:00FictionFrom Ed Park's <a href="http://www.ed-park.com/">Personal Days</a>:<br /><blockquote><br />"Every employee would soon be required to create a new log-on password consisting of a mix of nonsequential capital letters and a three-digit prime number and a punctuation mark, and then change it once a month by sending an Excel form to a secure website in Oakland. This was just <span style="font-style: italic;">standard operating procedure</span>.<br /><br />Each demand felt like the securing of a strap on a straitjacket."</blockquote>Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com0tag:blogger.com,1999:blog-730140416271272636.post-87119331056024309322008-09-17T19:49:00.000-07:002008-09-17T20:01:55.086-07:004th QuadrantMy favorite ex-quant, N. N. Taleb, outlines the<a href="http://www.edge.org/3rd_culture/taleb08/taleb08_index.html"> 4th Quadrant</a>. <br />Thoroughly enjoyable, but I'm a fan. 
<br /><br />This table made sense to me:<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.edge.org/3rd_culture/taleb08/images/1.jpg"><img style="cursor: pointer; width: 320px;" src="http://www.edge.org/3rd_culture/taleb08/images/1.jpg" alt="" border="0" /></a><br />In information risk management, what sort of events are fat-tailed with complex payoff? Or which are not?<br />I've suspected that there is a parallel between software and markets, as both proxy human behavior, yet are perceived as acting autonomously.Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com1tag:blogger.com,1999:blog-730140416271272636.post-4640612286968819492008-08-26T18:34:00.000-07:002008-08-26T18:53:56.994-07:00The Wisdom of Mobs<p style="font-family: arial;"><span style=";font-size:100%;" ><a href="http://riskmanagementinsight.com/riskanalysis/?p=387">Alex mentions</a> stock prices as a potential input into information risk assessment. I'm skeptical of the value of market-driven metrics, and of the collective wisdom of the market's crowd in assessing the value of an asset. The forces driving stock prices in the short term are not afraid to work with rumor, fact, unrelated fact, remotely disjointed misreported fact and insinduendo.* Corporate stock value can be maintained by close Internet monitoring of cowboy executives, especially if you are in the vicinity of 6th and Lamar in Austin, Texas (a couple of e-mail datapoints: <a href="http://www.mediabistro.com/agencyspy/gsdm/agencyspy_exclusive_gsdms_fires_cd_over_email_scandal_internal_paranoia_skyrockets_92281.asp">GSD&M</a> and <a href="http://online.wsj.com/article/SB118418782959963745.html">Whole Foods</a>). Must be something in the bottled water. I've said it before (probably), bad stuff will happen long term if you are a third party managing privacy-related data, and you blow it. 
Because your customers will likely have better information, and have the power to put a long term hurt on your bottom line. If you come clean.<br /></span></p><p style="font-family: arial;"><span style="font-size:100%;">And, of course, out asswards talking I am.<br /></span></p><p style="font-family: arial;"><span style="font-size:100%;">And why haven't I written more in the last few months? I'll let my son answer that:</span></p><p><br /><object type="application/x-shockwave-flash" data="http://www.flickr.com/apps/video/stewart.swf?v=59154" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" height="327" width="400"> <param name="flashvars" value="intl_lang=en-us&photo_secret=d710c30f9b&photo_id=2749138787"> <param name="movie" value="http://www.flickr.com/apps/video/stewart.swf?v=59154"> <param name="bgcolor" value="#000000"> <param name="allowFullScreen" value="true"><embed type="application/x-shockwave-flash" src="http://www.flickr.com/apps/video/stewart.swf?v=59154" bgcolor="#000000" allowfullscreen="true" flashvars="intl_lang=en-us&photo_secret=d710c30f9b&photo_id=2749138787" height="327" width="400"></embed></object><br /><br /><br /></p><p><br /></p><p><br /></p><p><span style=";font-family:Arial;font-size:85%;" >*not a word, but I like it anyway.<br /></span></p>Dutcher 
Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com1tag:blogger.com,1999:blog-730140416271272636.post-90561332452525064542008-06-16T22:11:00.000-07:002008-06-17T20:00:59.617-07:00Visualize World Data Breach<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://s3.amazonaws.com/findagrave/photos/2001/222/clarkgenebio.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px;" src="http://s3.amazonaws.com/findagrave/photos/2001/222/clarkgenebio.jpg" alt="" border="0" /></a><br />38.2% of the known universe has blogged about the <a href="http://www.verizonbusiness.com/resources/security/databreachreport.pdf">Verizon data breach report</a> and how it has changed their life, and opened their eyes, busted icons and confirmed suspicions. But I looked right at the facts there, and <a href="http://www.geneclark.com/songarchive/trainleaves.html">I might as well have been completely blind.<br /></a><br /><br /><br />My thoughts are simply:<br /><br /><br /><ul><li>What? No scatterplots? Bar charts and pie charts combined with narrative paragraphs that don't describe either are sort of lame. Give us an idea if there are two or three mammoth breaches that are skewing your stats. A little creativity would have helped. Don't just <span style="font-weight: bold;">think</span> the data breach. <span style="font-weight: bold;">Be</span> the data breach. </li><li>It would have helped to have "data breach" defined. Sometimes, the stats are describing a leak of GLB-style NPI, other times credit card info, other times website defacements. What do you want to bet that the threats and controls for a theft of trade secrets are different than for credit card data from a Bennigan's POS terminal? Is it enlightening to lump this data together? I recall reading many years ago an essay in a scholarly computer science journal on Computer Crime. 
They included the classic network hacking and phone phreaking in their analysis, as well as people hijacking trucks carrying motherboards. So, if I hit someone over the head with a laptop that stores unencrypted SSNs, is that a data breach? </li><li>I will give the Verizon guys extra bonus points for not using the report as a sales lead generation tool. I'll rant more on that later. </li></ul><br />Photo of Gene Clark courtesy of <a href="http://www.findagrave.com/cgi-bin/fg.cgi?page=gr&GRid=10074">Find-A-Grave.</a> Think <a href="http://youtube.com/watch?v=UFPnO__XfY0">Gene Clark</a>, not Eagles.Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com1tag:blogger.com,1999:blog-730140416271272636.post-30061390914592618472008-04-28T20:13:00.000-07:002008-04-28T21:02:25.385-07:00Cruel But Fair: The IT Auditor's BallThere is no need to remind me how I dislike Las Vegas. As the woman walking away from the conference this afternoon said, "casinos are full of weird people." And she wasn't talking about her fellow information systems governance professionals. <br /><br />Well, I'm almost live blogging the event (no wireless connectivity? 20 lbs of printed proceedings? CACS is old school, baby!) from the IT Audit bloggers meetup (the attendees so far: me & a bottle of cheap scotch). <br />So what did I learn on my first day at the North American Computer Audit Control and Security Conference? <br /><br />1. Dumb user jokes still get a laugh. The dumb user jokes need to end now. Really. They add nothing, and only confirm everyone's opinion that security and audit people are arrogant and condescending. More on this later. <br /><br />2. The "I am not a lawyer" defense to compliance. If something is too unpleasant, or unsavory, yet explicitly outlined in law and regulation, there is a tendency to punt the enforcement to legal. 'Cause you don't want to practice law without a license. You know, cops aren't lawyers, either. 
Nonetheless they enforce the laws. This is an issue that can be solved, and likely has been, between auditors, security practitioners and lawyers. <br /><br />3. The ice machine on the 13th floor of the Rio is broken. This is the toughest lesson I've learned. But experience is a bitter and effective teacher.<br /><br />4. Can Gaussian distributions be helpful in analysis of breach disclosure? My butt was in the wrong seat to attend this talk, but the slides were curious (mostly because the color-coding in the pie charts didn't work in the B&W proceedings). I would have been interested in hearing how that would work. I don't have the depth in stats to have flung anything at the presenter, but I may have had the guts to shout "HERETIC." <br /><br />Soundtrack for today: "Raving & Drooling"<br /><br /><object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/VJu7irOlNZo&hl=en"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/VJu7irOlNZo&hl=en" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></embed></object>Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com2tag:blogger.com,1999:blog-730140416271272636.post-14746213332432913802008-04-16T19:12:00.000-07:002008-04-16T20:40:33.247-07:00Metrics Gone Wrong: Horsepower at 100% Throttle<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.ferracci.com/shopservices/images/eraldo-on-dyno.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px;" src="http://www.ferracci.com/shopservices/images/eraldo-on-dyno.jpg" alt="" border="0" /></a><br />In the April issue of <a href="http://www.bikemagazine.co.uk/">Bike</a> magazine, Simon Hargreaves examines the myth of the dyno. 
The rise of the <a href="http://www.dynojet.com/motorcycle_dyno/">Dynojet Dynamometer</a> provided a cheap, standard way to measure motorcycle horsepower, and with it a common way to rate the impact of your performance tweak. Roll your bike up to the rollers, and wind it up to full throttle. Moments later, the dyno spits out a pretty graph with torque and horsepower. (I recall a sweaty, restless July night at Texas World Speedway, the motorsport jewel of Bryan/College Station, where my buddy and I parked the VW camper van next to the dyno. Yosh pipes howling through 100% throttle get old after about the 15th carb rejetting, but the dyno truck's jam box pumping out interstitial "<a href="http://youtube.com/watch?v=WESs2U_avdU">Give It Away</a>" got old after the 5th round. )<br /><br />Nonetheless, Hargreaves cites the problem with a standard measure:<br /><br /><blockquote><span style="font-style: italic;">First, higher horsepower figures than the manufacturer next door sells more bikes than him, though - second - higher horsepower figures bring anti-biking legislation closer and closer, despite the fact that - third - accident figures aren't related to increased power, even though - fourth - the performance of your three 160hp</span><span style="font-style: italic;"> models comfortably exceeds the ability of your customer to get anywhere near using it all without crashing. </span> </blockquote>The answer is measuring 40% and 20% throttle as well. The corner exit power that was once measured only in sphincter tension or nebulous terms like "grunt" and "oomphus" is now a value that can be colored red, blue or green and plotted on a pretty graph. And a telling graph it is, as the GSX-R1000 appears to have dropped power at 20% throttle (to reduce highsideability) while maintaining the pornographic 160hp at top.<br /><br />So, the top number, the easy number, the number of honorable tradition, means less and less once it is maxed. 
The tweaks underneath were there, and important. But you are stuck with your gut feeling until you plot it with a pretty blue line.<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.motorapido.co.uk/bikes/1098/images/power_gsxr_1098.jpg"><img style="cursor: pointer; width: 320px;" src="http://www.motorapido.co.uk/bikes/1098/images/power_gsxr_1098.jpg" alt="" border="0" /></a>Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com0tag:blogger.com,1999:blog-730140416271272636.post-41099691925543401572008-04-14T16:34:00.000-07:002008-04-14T17:03:08.178-07:00Metrics Gone Wrong: Body CountFrom the <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/03/29/AR2008032901118.html">Washington Post</a>, and which I also heard on the <a href="http://www.npr.org/templates/story/story.php?storyId=89612959">radio</a> this morning, the Colombian army finds a twisted method to meet its performance metrics:<br /><br /><blockquote><span style="font-style: italic;">But under intense pressure from Colombian military commanders to register combat kills, the army has in recent years also increasingly been killing poor farmers and passing them off as rebels slain in combat, government officials and human rights groups say. The tactic has touched off a fierce debate in the Defense Ministry between tradition-bound generals who favor an aggressive campaign that centers on body counts and reformers who say the army needs to develop other yardsticks to measure battlefield success.</span><br /></blockquote>This is the most extreme example of how a metric intended to track progress toward a goal becomes a measure of performance for the implementers. Focused on the finger pointing at the moon, rather than the moon itself, the implementers manage the metric but undermine the goal. I don't believe this behavior is uncommon. I saw the same thing in a past life as a fraud examiner. 
An individual forged a stack of documents, because he understood more documents were good for the company, their legitimacy being only an inconvenience.Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com2tag:blogger.com,1999:blog-730140416271272636.post-78940401434445720062008-03-17T08:05:00.000-07:002008-03-17T09:35:33.479-07:00Relative Position and Privacy<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.gov.mb.ca/labour/safety/images/safework.gif"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px;" src="http://www.gov.mb.ca/labour/safety/images/safework.gif" alt="" border="0" /></a><br />Ed Felten recently wrote <a href="http://www.freedom-to-tinker.com/?p=1264">two</a> <a href="http://www.freedom-to-tinker.com/?p=1263">posts</a> on the failure of the market to deliver privacy, and how corporations and consumers should respond. According to Felten:<br /><blockquote>There’s an obvious market failure here. If we postulate that at least some customers want to use web services that come with strong privacy commitments (and are willing to pay the appropriate premium for them), it’s hard to see how the market can provide what they want.<br /></blockquote>In the follow-up, Felten describes a standard contract and a sort of privacy escrow protocol to protect individuals against the desperate actions of a cratering start-up. <br /><br />The more I read and think about privacy, the less compelling I find the theory that an individual's privacy has a value that can be exchanged on the market. 
<a href="http://www.concurringopinions.com/archives/2008/02/siva_vaidhyanat.html">Frank Pasquale wrote at Concurring Opinions</a> that in the market model, you trade your privacy for efficiency and convenience, using Gmail as an example:<br /><blockquote>[C]onsider the type of suspicions that might result if you were applying to a new job and said "By the way, in addition to requiring 2 weeks of vacation a year, I need to keep my email confidential." The bargaining model is utterly inapt there. . . . just as it would have been for women to "bargain" for nondiscrimination policies, or mineworkers to bargain, one by one, for safety equipment.</blockquote>He concludes that people who trade their privacy will outcompete those who do not, and that<br />"[a] collective commitment to privacy may be far more valuable than a private, transactional approach that all but guarantees a 'race to the bottom.' " The paper he cites on<a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=237665"> cost benefit analysis and relative position</a> was interesting (to me at least) when read in terms of privacy. From the abstract:<br /><span style="font-family:ARIAL, HELVETICA;"><blockquote>When a regulation requires all workers to purchase additional safety, each worker gives up the same amount of other goods, so no worker experiences a decline in relative living standards. The upshot is that an individual will value an across-the-board increase in safety much more highly than an increase in safety that he alone purchases. </blockquote></span>"Privacy" can be substituted for "safety." Can "security" also be considered in this context? 
Is it already?Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com0tag:blogger.com,1999:blog-730140416271272636.post-5445682296181813982008-03-03T18:14:00.000-08:002008-03-03T18:33:54.482-08:00<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm1.static.flickr.com/20/73840290_15afd1dd3a.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px;" src="http://farm1.static.flickr.com/20/73840290_15afd1dd3a.jpg" alt="" border="0" /></a><br />From <a href="http://securityincite.com/blog/mike-rothman/the-daily-incite-march-3-2008Infosec">Rothman</a>, an article at CSOnline discusses Moody's<a href="http://www2.csoonline.com/exclusives/column.html?CID=33575"> infosec risk rating service</a>.<br /><br />I personally dig this quote:<br /><blockquote><br /><span><span class="body">The idea for such an at-a-glance rating is appealing to risk executives such as Andre Gold, head of security and risk management for ING’s U.S. Financial Services business... </span></span><span><span class="body">Last year Gold oversaw reviews of 176 new technology vendors; his team visited sites as far away as South Africa to conduct security assessments. “It’s a service that we must do, but <span style="font-weight: bold; font-style: italic;">I think it’s a non-value-add service,</span>” he says.</span></span></blockquote> A non-value-add service? To quote Michael Scott, <a href="http://www.youtube.com/watch?v=pwyznJ4U-pA">that's what she said</a>. <br /><br /><br />photo from <a href="http://www.flickr.com/photos/51942241@N00/73840290/">Dwight K. Schrute</a>.Dutcher Stileshttp://www.blogger.com/profile/04402646159787710342noreply@blogger.com0