Another Set of Teeth

Bingo

2011-04-28T20:19:00.000-07:00

Best Practice

The details are too boring to recount. Impossibly large amount of records “exposed” due to human error. Nothing new, same old.

The only reason to watch is to see how the impact plays out. It is Texas Politics, after all, and the Lege is in session, and this could prove to be a mild distraction from birthers and budgeteers.

The data loser in this instance is an elected official, with aspirations to higher office. Ms. Combs was angling to grab one of the vacant seats when Lite Gov Dewherst runs for US Senate. So, there’s that. I doubt many folks enter politics hedging against the risk of career flameout by batch job misconfiguration. Time to update some campaign risk models.

The lawsuit loser in this instance has tapped into the type of outrage commonly expressed in writers of comments in newspaper websites - the "SOMEONEOTTAPAY tiny fist shaking, foot stamping" yadayada. Sure, they wanna get to the bottom of this for the dignity of the victims. With no damage, the victims will have a tough road to hoe. Maybe they are discovering for attack ad quotes.

At about six minutes in to her interview, we get the biggest loser. Comptroller Combs says Gartner and Deloitte are on the case to advise on "best practices." (It looks like Deloitte may be getting a small return on their campaign investment. ) This sort of reaction chafes me to no end, and is an assault on my dignity. I might be wrong on this, but the evolving SOP for privacy incident response appears to be to spend money willy-nilly on whatever threat is foremost in the populace's mind regardless of the proximal cause of the incident. One company's reaction to some speed freaks carrying away a safe with a couple of DVDs of data was to air gap their production environment and embark on a FISMA compliance project. This firehose approach appears to be designed to make the potential victims feel better, I guess, but only enriches the best practitioners and "safe bet" consultants. To me, it just seems a waste, and decreases my confidence in the competence of the organization.

And, to quote the Comptroller, "oh my gosh, think of Sony... and think of you grocery store loyalty card."

Well, at least country music is alive and kicking every night south of Round Rock, Texas. (The sight of a youthful Dale Watson and the State Capitol restores a measure of my Texan dignity. That, and Chicken Shit Bingo.)

Best Practices in Risk Management Image courtesy of KoryeLogan.

Up Yours

2011-04-25T18:58:00.000-07:00

Nice metric courtesy of Grits - the costs of false alarms. And the casualties found at the intersection of reliable metrics and public policy. To quote Grits:

But as [Former Dallas Police Chief] Kunkle says, this is an instance where tuff-on-crime politics interferes with good public policy and common sense. The small minority being subsidized by police responses to alarms are extremely vocal and well-organized by alarm companies, who have lists with contact info of concerned customers that would be the envy of any political consultant. Plus, those with alarms almost by definition are relatively wealthier - after all, they got an alarm because they have stuff to steal - and therefore also more politically influential. By contrast, the 86% of Dallasites without burglar alarms who're footing most of the bill are unorganized, unaware of the subsidy, and may not even perceive they have a dog in the fight.

This balance of this conflict is similar to those that are duked out in meeting rooms, with varied stakes and different arguments.
Maybe a similar "verified response" should be assessed consultants or auditors who elevate low impact / low frequency risks up to the Board.

Or for the one who turned the risk management dashboard day glo.

Or fought the crisis you can't see.

(So RIP Poly Styrene, unless this is a false alarm.)

Audit Drips

2011-04-19T19:43:00.000-07:00

I was catching up on the podcast backlog today. I listened for the first time to the Risk Hose, which had a meaty midsection on the internal auditing profession, and whether and how internal auditors assess, analyze and otherwise manage and misconstrue risk.
(A couple caveats. I speak as an internal auditor, with a background in food service and deckhanding. I'm ISACA Platinum, which is more like Centruum Silver than American Express Gold, i.e., it is bestowed upon age. I'm an autodidact when it comes to information risk analysis, but I'm trying to learn.)

Firstly, the standards. The Red Book, or more correctly, the International Professional Practices Framework, includes the following standard (2010 A1)

The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

So, every internal audit shop has to perform a risk assessment annually, and use it to plan which audits will be performed in the next year.
This type of risk assessment evaluates "audit risk," defined in Sawyer's Internal Auditing (from my raggedy 4th edition, Part 3 Scientific Methods* Chapter 8 "Risk Assessment") as the following:

Audit Risk = Inherent Risk x Control Risk x Detection Risk

A heavy dose of "professional judgment" (also known as "the gut") is used in this method. The output of this assessment prioritizes the auditable units (chunks of business functions which make up the audit universe), and crank them through the cycle to maintain "coverage." Purchasing on even years, Accounts Payable on odd, et cetera. Area with weak controls and lots of potential loss should probably float to the top. This method is old fashioned even for the conservative internal audit profession, but has the backing of some of the AICPA's more ancient Statements of Auditing Standards. The resulting assessment is used internally for audit's planning purposes, and, from talking to my peers in industries without a regulatory mandate to perform risk assessment, it may be the only organization-wide assessment that gets performed. The methods vary, as do the results.

The recent revisions to the Red Book standards state that internal auditors "must evaluate the effectiveness and contribute to the improvement of risk management processes." So a shop that follows standards will be in the business of whoever is performing the "risk management" function, including "information systems." Internal auditors can't manage risk, but can help assess.

From my perspective, a lot of internal auditors have a lot of experience in an old fashioned style of risk assessment, and end up with a gut quantification exercise. There may be some bet hedging, vindictiveness and four tons of politics involved in the process (see above as to who must have input into it), and, in the end, the board will get what it wants. Quality and sophistication of boards will vary widely, and if they want red, yellow, and green heat maps, by gum they are going to get it. If they want quant analysis, they'll get that too, especially if there is overlap between the Audit Committee and the Risk Committee.

Personally, it is approaching risk assessment season for my shop, and, with Hubbard and FAIR in hand, I'm working with our CAE to get together at least some quantitative analysis. Gotta start somewhere. I'll get the blame regardless.

*I think I hear a head exploding somewhere.

The Professional

2010-10-06T20:12:00.000-07:00

An interesting narrative, trapped unfortunately behind a pay wall, comes from the Chronicle of Higher Education - "Chapel Hill Researcher Fights Demotion After Security Breach"

A cancer researcher's database of gets potentially pwnd (two years from incident to discovery), spurring the usual breach notification process. Her bosses cut the researcher's pay and reduced her status to associate from full professor. The justification was that she, as principal investigator, was responsible for the security of the personal data entrusted her by the subjects of the study.

The meat from the article (emphasis added):

The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas countered that the staff member, who has since left, had worked for the university's technology office and that the employee never submitted a formal request for additional training.

"I had an employee who I trusted who told me things were OK," she added. "I would have no way to get on the computer and tell if it was secure. Unless I assumed my employee was lying to me, I don't know what I could have done."

Working in the Public Interest

I believe that there is a another option. Some folks are in charge of security but are not liars, but are incompetent. And, yes, it is hard to tell them apart.

If it was money that was stolen, and someone said "I have no way of telling if the books were correct. I trusted the accountant. He was an experienced bank teller" what would be the response. Why didn't you hire a forkin' CPA? CPAs have professional knowledge, and ethical obligations, and if they fail to meet them, you can have their license pulled.

No so with security folks. Why is it acceptable to treat for others to manhandle your personal, private data more cavalierly then your accounting records?

I'm tempted to start my rant on certification, psuedo-science and "computer forensic professionals" but I'll save it for the next post.

Risk a Harm?

2010-09-22T19:54:00.000-07:00

Interesting post and comments on privacy risk from Solove at Concurring Opinions. Despite being raised by a pack of feral solicitors, I can't claim to understand all the legal theories involved. I'm attracted to the liquidated damages idea for a number of reasons, including the ability to build a reserve or get underwriting to mitigate potential incidents.

Harms at Risk

On the other hand, this is where the disclosure rules suck. For example, an organization loses track of a hunk of physical media that contains a couple hundred thousand records that contain personally identifiable information (but not financial information - no bank or credit card account number). In this example, there is a very high probability that the media was subsequently destroyed. Are the individuals identified on the media well served by being notified?

Imagine there was a method to calculate the likelihood of financial damage to the individual due to the loss of the media. Lets imagine that there is less than 1% chance that the information will be used in a crime in the next 2 years, and it decreases by half every year that follows. However, if it is used in a crime, it is likely that the crime will be of a significant impact - a genuine fraud involving a false credentials that would take more than $100,000 for the victim to unravel. Is notifying the victim of the risk, and making him feel uneasy (since humans perceive risk differently than equations) responsible?

Or is this just an excuse for me to illustrate a post with a picture of Harms at risk?

DBR600RR - The Verizoning

2010-08-06T22:12:00.000-07:00

I admit I genuinely enjoyed the latest Data Breach Report courtesy the stalwart boffins at Verizon Business. My personal benchmark of genuineness is derived from my ability to almost immediately put it to use in my job. Nonetheless, I'd like to see the data hashed up one more way.

The following quotes from page 14 -

"Though we do not assert that the full impact of a breach is limited to the number of records compromised, it is a measurable indicator of it."

and

“There is not a linear relationship between frequency and impact; harm done by external agents far outweighs that done by insiders and partners. This is true for Verizon and for the USSS and true for this year and in years past … We could provide commentary to Figure 9, but what could it possibly add? If a chart in this report speaks with more clarity and finality we aren’t sure what it is.”

I’ll tell you what you can add, cause I’m that way. And the suggestion comes from the assumption that records=impact. I'm groovy with the assumption that number of records compromised is a measurable indicator for the top three categories of records listed on Fig. 31 on page 41 (regulated data that requires breach disclosure). However, it seems that an incident that involves the theft of proprietary source code, non-public financial statements, or trade secrets, or whatever else comes under the umbrella of "data breach," is it counted as a single record just as one credit card transaction record counts as one record.

I'd like to see the PCI DSS and PII/PHI database breaches broken out from the other (information property, trade secret, national security) breaches. Looking at the data where they are detailed (p 41), there are not a whole lot of them. Based on the statement on page 18, viz:

”It is worth noting that while executives and upper management were not responsible for many breaches, IP and other sensitive corporate information was usually the intended target when they were.”

NPI/PII/PHI mandatory disclosure type breaches may be characterized by a different set of threats, impacts, frequencies, and require a differing set corresponding controls than the breaches associated with occupational fraud. Yeah, I said "fraud" not "insider." And I'd like to keep on saying "fraud" until I'm comfortable that the internal controls over non-regulated data are targeted at management override rather than external organized crime. Is organized crime recruiting from the sysadmins and call centers? Or is the insider a fraud (corruption/breach of fiduciary duty) issue? Little help and we'll all be safer.

(I personally believe in Solove's assertion that management should have a fiduciary duty to the privacy of data, but from what I've seen, we ain't there yet, and it is still all about compliance.)

On a side note, the other category of data - authentication credentials - interests me. Do bad guys just stop at root? Or do they start at root? Do the executives/upper management types rely on their organizational credentials, or do they use their authority to con an underling to hand them over? I've got the anecdotes, but I'd like the data.

Some other comments:

Figure 27 (p38) – People? A person is a compromised asset and contains records? I’m not sure I follow the taxonomy (or is it taxidermy?) here.

P 40 and 41 – Thanks! These charts help quite a bit in understanding the data.

Fig. 35 (p46) Is not only hard on my eyes, but my brain. Why is the scale broken into non-proportional time units? Does the data naturally break down this way? A continuous timeline would give me more confidence how stuff happens. It tapers off dramatically since each “timespan” is considerably bigger than the previous. My brain could handle a logarithmic scale, but 60 / 12 / 7 / 4 / 12 / (sideways eight) is kinda hard. I’m a simple country auditor, dadgummit. The accompanying text

“In over 60% of breaches investigated in 2009, it took days or longer for the attacker to successfully compromise data.”

is not fully illustrated in the graph (to my humble eyes). Also, it could be more informative. (e. to the extreme g., my kitchen remodel is taking "days or longer" and yet, three months later, the fridge is in living room. But my bourbon is appropriately iced! (This is a footnote, really, rather than a parenthetical, so there you go.))

Good thing it the follow up on page 50 struck me like a diamond, a diamond bullet right through my forehead:

Internal audit methods—both financial and technical—are the bright spot in all of this.

Yeah! Give the auditor some!

(Image of Roger Lee Hayden's Moto2 Moriwaki Amerigasm courtesy Motorcycle News, American Honda and USA! USA! USA! because a) it is not wholly unlike a CRB600RR and CBR sounds like DBR, b) all information security can be seen as a metaphor for motorcycle roadracing (technology, engineering, empiricism, piloted by moody irrational egomaniacs who are only in it for the birds & booze) and c) it looks totally awesome! Porkchop better clean the clock of some euro trash come Indy what with big ol' #34 plastered on the faring)

Live Twice

2010-02-24T18:45:00.000-08:00

Chandler at the New School made me collect, collate and sort my thoughts on the whole recall issue. Although what follows is more like bend, fold and mutilate.

The greatest risk Toyotas pose to me is that I get drowsy rolling down the highway with nothing more interesting to divert me than continual rivulet of pale metallic four door boredom.

Not incongruent to their exterior aesthetics, my personal reaction to the Toyotathon of Death falls in two barrels.

Risk of correctly engineered and manufactured product v. risk of incorrectly engineered and faulty product. A base assumption in driving a recently produced auto is that, not only will it advance the spark automatically and not require a crank to start, but also that the accelerator will not get stuck open. If Toyota had labeled one of their transportation appliances with the label “May very rarely yet randomly accelerate,” prudent drivers would familiarize themselves with the emergency stopping procedures. However, Toyota did not disclose this information until much later, so the information was not available for calculation into a driving risk scenario. Drivers were operating under a “Toyota quality” assumption. Would the driver of a Trabant exercise the same risk equation as a Prius or Highlander driver?

The Mediation of the Road. The current Toyota passenger car philosophy appears to be a closer cousin to Kitchen Aid than TF109. This transportation appliance paradigm isolates the user (no longer a driver) from the grit, grime and smells of the road, substituting an ego coddling display of eco-righteousness and pretty maps. How could the impolite fangs of risk driven adrenaline ever intrude into the quiet gentle rocking motions of hybrid power in a sarcophagus of LED illuminated soft plastics? The white knuckling pilot of the beater Pinto or the hyper vigilant motorcyclist know no such peace. They know the road is a dangerous place, and that they are engaged in high risk behavior. Unintended acceleration is one of myriad annihilation scenarios coursing ten thousand times a second through their oxygen deprived neurons. Driving for them is like conducting transactions of the internet.

Tangentially, yet incongruously, I once had a notion (but with a bit of backing...) that the ultimate design for a website used to conduct high dollar Internet transactions would be modeled after a mid-90s "adult" entertainment website – HTTP Auth pop-up, sloppy HotDog generated HTML, broken icon indicating missing plug-ins, probably registered at .biz, .info, .ru or .cx. The customers would perceive the risk and exercise due caution, such as verifying the SSL certificate, maybe out-of-band telephone call to the institution, and routine changes of password for every session. The site could be state of the art secure (y’know, SSL + firewall ), but the appearance of danger and perception of risk would make it Yet Still Even More So. Of course, the crappiness would have to have a periodic refresh just to keep the users’ adrenaline up.

Toyota photo courtesy Wikimedia Commons.

Posing

2010-01-21T18:30:00.000-08:00

Read this bit of oddness from the Statesman this morning - "Pflugerville man posed as model online to elicit cash." A young man with "very effeminate voice" managed to spend four years shaking down lonely men for cash while posing as model Bree Condon, who (according to a quick Google image search) poses mostly whilst bikini'd.

I appreciate the opportunity seized by the falsettoed Pfugervillian. And, of course, Ms. Condon should have checked her credit reports and shredded her bank statements to prevent this identity theft.

Wait, that wouldn't have worked. More from the article:

Her reputation also has taken an online beating.
A commenter — the person used the name Justin Brown — on the Web site whosdatedwho.com said Condon was "really sweet at first, then it's $5,000 a month just to be one of her boyfriends."
Another wrote, "She scams men for money and she is extremely psychotic."

Gracious. It's reputation theft. But only among a slightly deluded public who can "date" a 24 year old man in Pflugerville and think he's a female model.

Sociables

2009-10-06T18:52:00.000-07:00

When I read this commentary on privacy from Andrea Dimaio from Gartner, I was mildly surprised that people still thought like this, that privacy is tied to secrecy.

Bob Blakley responds at the Burton Group. I agree with his analysis, so it must be brilliant. The back and forth in the comments is worth reading.

Fingertips

2009-10-02T18:31:00.000-07:00

From today's Austin American Statesman, this article discusses the fraud deterrent effect of fingerprinting applicants for food stamps, and if it is worth the delay it may be causing in processing (Department of Agriculture says it isn't).
There are lessons to be learned at Texas HHSC.
Starting here:

The electronic fingerprinting program costs $3 million a year: $1.6 million for a contract with Cogent Systems for the imaging and $1.4 million for state workers' time. The state and federal governments split the cost.

Last year, the fingerprint program led to the state investigating just four applicants for fraud.

But state officials say it's impossible to know how many people are deterred from applying multiple times because of the fingerprinting.

But later in the article:

The state estimates that the deterrent effect of fingerprinting saves $6 million to $11 million a year.

I imagine the latter figure could have been pulled from cost justification of the project, or from the vendor's response to the RFP, or even the LBB when the law was passed. (Does the cost include the initial implementation of the system?) But measuring the actual decrease in applicant fraud is a solvable problem. To say that there is "no way of knowing" the deterrent effect is not defensible. If they never measured a baseline of applicant fraud to begin with, how would they have known how much to spend on an anti-fraud measure? If they don't try to measure the change post implementation, how do they know it's working?

On the other, more cynical, hand, why should they care? They are in compliance with the state law, and the system was implemented. The only people who suffer are the citizens who need help to buy food. Folks who may not be able to take off from their minimum wage job, or don't have the transportation, to go be fingerprinted. Measuring the dignity of your customers is harder than measuring your fraud deterrence cost.

You tell 'em Stevie.

Intent

2009-09-14T18:36:00.000-07:00

There’s a whole bunch of the IDC/RSA white paper on insider risk management that puzzles me on one level or another.

“Whether the threats are accidental or deliberate, the costs are still the same.”

I didn’t see much data in the report regarding costs. I'm not sure if they are talking about dollars. Regardless, the controls to prevent either accidental or deliberate data loss probably overlap in most scenarios, so that cost may be similar. It’s the cost of response and recovery could be wildly different. I would rather pay to have a document restored from backup than pay for the costs of a data falling into the hands of someone who would steal it. Intent is material in incident response cost. ( I'm not married to this idea yet, but I've taken it out to dinner a couple times.)

“Malware and spyware attacks are another example of the risk of good employees doing bad things.”

I don’t think good employees are doing the bad things in malware and spyware attacks. I think it's bad people doing bad things. I’d categorize the real threat as the operator of the malware or spyware. The employee's behavior is a control, but given the sophistication of much of the malware around, it is not surprising that this control occasionally fails (Is visiting NYTimes.com a “bad thing”?) If the security of data is breached due to malware on a desktop, it has gone to bad people. I think this sort of incident belongs in a different category from an error, omission or mistake. There is an intelligent actor intending harm behind the action. Not so with a lost laptop.

Under “Key Findings”

"14.4 incidents of unintentional data loss through employee negligence in the past 12 months'

So, what does this mean “unintentional data loss”? Dropping the wrong table? Hitting “Save” rather than “Save As” ? Losing a laptop? That number is not as exciting to me as the 11 incidents of internal fraud a year cited a couple rows down. Response to "unintentional data loss” could be as simple as pulling a back-up, but fraud incidents are going to burn more organizational cycles and have a demonstrated loss.

Policy and Ethics

2009-09-10T18:40:00.000-07:00

The excellent Grits for Breakfast posted several stories of alleged misbehavior at the Bexar County probation office, including a link to the following story from the San Antonio Current. The following passage caught my attention:

According to former Bexar County probation IT Director Natalie Bynum, [Director of Operations] Cline kept a list of known and suspected union members she wanted out of the department. To weed them out and quash the union, she had Bynum meet her repeatedly during and after work to comb through employee email accounts.

“She wanted their computers monitored in order to find out if they were doing any union activities while on the job, also to see what was going on with the union,” said Bynum, who now lives in Arizona and spoke with the Current by phone. “We’d go to the bar and then we’d go back to work afterwards. It would be just us in the office, often-time.”

Bynum, a close confidant of Cline’s during her tenure, says she was motivated by curiosity since she was “not allowed” to speak with known members of the Central Texas Association of Public Employees, a division of the United Steelworkers. Cline and Bynum’s alleged searches weren’t limited to the “five to 10” employees targeted by Cline, either. Bynum told the Current this week that Cline also regularly tapped into her boss’s account to see if Fitzgerald was talking about her.

In most workplaces, this sort of activity may not be illegal, and is probably not even against policy. Still, I sense some ethical boundary is crossed when you start reading your boss' e-mail. Am I alone? On what grounds could the e-mail administrator deny an "authorized" request for reading e-mail, other than his/her own sense of ethical obligation?

Data Rustler

2009-04-17T18:23:00.000-07:00

The best thing to come out of the Texas Lege since....ever.
A bill passed through the state senate increasing the penalty on hacking at the critical infrastructures we got down here Texas-way. (State jail penalty, no less.)

But I'm not talking about the law, but the language of the lawmaker. From the Austin American Statesman -

"[Sen. Kel S]eliger, R-Amarillo, who on Thursday passed through the Senate a bill that would increase penalties for cattle rustling, laughed at the suggestion that today’s bill was of the same genre.

“Yes, it’s going after data rustlers,” he said."

DATA RUSTLERS! YES! I now abandon "hacker," "cracker," "identity thief," and all other similarly situated nouns in favor of the term coined by the gentleman from Amarillo.

Cyber

2009-04-15T17:03:00.000-07:00

After a once over, I'm curious as to the value of the Verizon Business "Data Britches Report."
http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/

A couple questions/comments I had on the first read:
1. The document really needs a glossary. It's hard to parse the special meaning assigned to certain words and phrases as they recur throughout the document. For example: "data breach" "record" "incident" and "errors and omissions," the last of which didn't mean what I thought it would mean ("negligence and "non-compliance" seem to convey more of what was intended. When I think E&O, I think "malpractice.")
2. Is the skew toward "outsider" threats due to the type of service that VB offers? Actually, is the skew of all the data because of the type and quality of service that VB offers? Hell, VB admits to whacked out skew. So give me some damages! Or, at least give me a standard deviation, if you are going to skew that way.
3. Where are my scatter plots? Some get these guys some visualization skills.
4. Lumping intellectual property breaches with credit card and NPI in cumulative stats seems wrong to me. I reminds me of an article I read about computer crime that included statistics on hacking, toll fraud and the hijacking of trucks that carried computer chips. That was maybe 12 years ago, or more. This sort of loose affiliation of crimes, torts and misbehavior shovelled under a skirt called "cyber" makes less sense everytime I read a "cyber" this or that. How about words like fraud, impersonation, crime, non-compliance?
5. About half way through, I got the feeling that I was reading a DEA document about the War on Crime. A focus on the incident, without a look at what caused the incident. Who got the money? Why are they stealing data? Is this "cyber" or just fraud? Is it a war we can win? Have we just turned the corner?

Gimme something substantive for a conversation, not just re-hashed status reports that may be misleading.

(Just noticed that Brooke at New School wrote similar comments. I am not alone.

Tea Risk

2009-03-23T18:03:00.001-07:00

At the Tea Risk conference today. Heard a woman keynote all over me, until my brain sploded. Her talk was divided into two part:
1. A retrospective of headlines indicate that there has been no progress in information security in the past twenty years. This trip down corrupted memory lane came with wistful recollections of the punch-card, suspender snapping variety. Vax is what we should nostagicate on now. And despite her involvement in security, and yelling the same thing over and over again, No Progress Has Been Made. I was waiting for her confession that she was part of the problem, doing the same thing over and over, expecting different results. Didn't come. A slight whiff of the "stoopid luzers" but the topic was dropped without conclusion.
2. A detailed trip through her personal hell of IDENTITY THEFT! Here's what happens: on some records somewhere, her Social Security number is associated with SOMEONE ELSE! Of course, no fraudulent loans were made, no bogus entries on her credit bureaus reports, and the person used a different name, different gender, different address, different date of birth, etc. And yet, she was upset that the police were somewhat reluctant to send out an APD and marshal all available resources to investigate her claim. She hinted that she used less than legal means to get the other individual's address and driver's license, and carried around a stack of papers with all her info into a Kafkaesque morass of bureaucracy. I've seen this sort of thing before in my previous life as an investigator. It's not IDENTITY THEFT, it's a typo. I've been brewing a rant in my head about the words "identity theft," but it probably needs a while longer to attain the desired proof.
This woman's bio lists her as a "risk consultant." Maybe that's why security sux.

Morning at Tea Plantation, by Docbudie via Flickr.

Non Fiction: Risk

2008-11-14T08:00:00.000-08:00

From Alex Roy's The Driver:

"Our second hour of 150 mph or more inspired a highly unscientific analysis of the actual danger we faced. I concocted what I called The Danger Coefficient (DC). I guessed the average NASCAR driver, in a thirty-six race season including practice, probably drove 15,000 miles -- with a safety cage and onboard active fire suppression -- on highly prepared tracks, with hospitals less than 14 minutes away by choppers on standby. Assuming this represented a DC of ten, Gumball's 3,000 miles meant our DC was two.... until factoring our relative safety deficiencies. High speeds over potholes had to triple our DC to six. Civilian traffic doubled it again, to twelve. Time and distance to medical help? Double again, to twenty-four. Lack of roll cages, harnesses and HANS devices? My guesses ended when I realized Gumball -- at least the way I did it -- was at least five times more dangerous than NASCAR."

From Wright and Decker's Burglars on the Job:

They referred to this process as "burning bread on yourself."

"Thieves got a thang they say [about getting caught,] "If you think about thangs like that, you burnin' bread on yourself" So you don't think about it... Just go for it. [No. 011]

Several of the subjects found it difficult to speak about the risk of apprehension, fearing that such talk would jinx their future illegal activities.
...
Some of the offenders also tried not to think about getting caught because such thought generated an uncomfortably high level of mental anguish. They believed that the best way to prevent this from happening was to forget about the risk and leave matters to fate.

Fiction

2008-11-12T19:57:00.000-08:00

From Ed Park's Personal Days:

"Every employee would soon be required to create a new log-on password consisting of a mix of nonsequential capital letters and a three-digit prime number and a punctuation mark, and then change it once a month by sending an Excel form to a secure website in Oakland. This was just standard operating procedure.

Each demand felt like the securing of a strap on a straitjacket."

4th Quadrant

2008-09-17T19:49:00.000-07:00

My favorite ex-quant, N. N. Taleb, outlines the 4th Quadrant.
Thoroughly enjoyable, but I'm a fan.

This table made sense to me:

In information risk management, what sort of events are fat tailed with complex payoff? Or which are not?
I've suspected that there is a parallel between software and markets, as both proxy human behavior, yet are percieved as acting autonomously.

The Wisdom of Mobs

2008-08-26T18:34:00.000-07:00

Alex mentions stock prices as a potential input into information risk assessment. I'm skeptical of the value of market driven metrics, and the collective wisdom of the market's crowd in assessing value of an asset. The forces driving stock prices in the short term are not afraid to work with rumor, fact, unrelated fact, remotely disjointed misreported fact and insinduendo.* Corporate stock value can be maintained by close Internet monitoring of cowboy executives, especially if you are in the vicinity of 6th and Lamar in Austin, Texas (a couple of e-mail datapoints: GSD&M and Whole Foods ) Must be something in the bottled water. I've said it before (probably), bad stuff will happen long term if you are a third party managing privacy related data, and you blow it. Because your customers will likely have better information, and have the power to put a long term hurt on your bottom line. If you come clean.

And, of course, out asswards talking I am.

And why haven't I written more in the last few months? I'll let my son answer that:

*not a word, but I like it anyway.

Visualize World Data Breach

2008-06-16T22:11:00.000-07:00

38.2% of the known universe has blogged about the Verizon data breach report and how it has changed their life, and opened their eyes, busted icons and confirmed suspicions. But I looked right at the facts there, but I might as well have been completely blind.

My thoughts are simply:

What? No scatterplots? Bar charts and pie charts combined with narrative paragraphs that don't describe either are sort of lame. Give us an idea if there are two or three mammoth breaches that are skewing your stats. A little creativity would have helped. Don't just think the data breach. Be the data breach.
It would have helped to have "data breach" defined. Sometimes, the stats are describing a leak of GLB-style NPI, other times credit card info, other times website defacements. What do you want to bet that the threats and controls for a theft of trade secrets is different than for a credit card data from a Bennigan's POS terminal? Is it enlightening to lump this data together? I recall reading many years ago an essay in a scholarly computer science jounal on Computer Crime. They including the classic network hacking and phone phreaking in their analysis, as well as people hijacking trucks carrying motherboards. So, if I hit someone over the head with a laptop that stores unencrypted SSNs, is that a data breach?
I will give the Verizon guys extra bonus points for not using the report as a sales lead generation tool. I'll rant more on that later.

Photo of Gene Clark courtesy of Find-A-Grave. Think Gene Clark, not Eagles.

Cruel But Fair: The IT Auditor's Ball

2008-04-28T20:13:00.000-07:00

There is no need to remind me how I dislike Las Vegas. As the woman walking away from the conference this afternoon said, "casinos are full of weird people." And she wasn't talking about her fellow information systems governance professionals.

Well, I'm almost live blogging the event (no wireless connectivity? 20 lbs of printed procedings? CACS is old school, baby!) from the IT Audit bloggers meetup (the attendees so far: me & a bottle of cheap scotch).
So what did I learn on my first day at the North American Computer Audit Control and Security Conference?

1. Dumb user jokes still get a laugh. The dumb user jokes need to end now. Really. It adds nothing, and only confirms everyone's opinion that security and audit people are arrogant and condescending. More on this later.

2. The "I am not a lawyer" defense to compliance. If something is too unpleasant, or unsavory, yet explicitly outlined in law and regulation, there is a tendency to punt the enforcement to legal. Cause, you don't want to practice law without a license. You know, cops aren't lawyers, either. Nonetheless they enforce the laws. This is an issue that can be solved, and likely has been, between auditors, security practitioners and lawyers.

3. The ice machine on the 13th floor of the Rio is broken. This is the thoughest lesson I've learned. But experience is a bitter and effective teacher.

4. Can gaussian distributions be helpful in analysis of breach disclosure? My butt was in the wrong seat to attend this talk, but the slides were curious (mostly because the color-coding in the pie charts didn't work in the B&W procedings). I would have been interested in hearing how that would work. I don't have the depth in stats to have flung anything at the presenter, but I may have had the guts to shout "HERETIC."

Soundtrack for today: "Raving & Drooling"

Metrics Gone Wrong: Horsepower at 100% Throttle

2008-04-16T19:12:00.000-07:00

In the April issue of Bike magazine, Simon Hargreaves examines the myth of the dyno. The rise of the the Dynojet Dynamometer provided a cheap, standard way to measure motorcycle horsepower, allowing a common manner to rate the impact of your performance tweak. Roll your bike up to the rollers, and wind it up to full throttle. Moments later, the dyno spits out a pretty graph with torque and horsepower. (I recall a sweaty, restless July night at Texas World Speedway, the motorsport jewel of the Bryan/College Station where my buddy and I parked the VW camper van next to the dyno. Yosh pipes howling through 100% throttle get old after about the 15th carb rejetting, but the dyno truck's jam box pumping out interstitial "Give It Away" got old after the 5th round. )

None the less, Hargreaves cites the problem with a standard measure:

First, higher horsepower figures than the manufacturer next door sells more bikes than him, though - second - higher horsepower figures bring anti-biking legislation closer and closer, despite the fact that - third - accident figures aren't related to increased power, even though - fourth - the performance of your three 160hp models comfortably exceeds the ability of your customer to get anywhere near using it all without crashing.

The answer is measuring 40% and 20% throttle as well. The nebulous corner exit power that was measured only in sphincter tension or nebulous terms like "grunt" and "oomphus" is now a value that can be colored red, blue or green and plotted on a pretty graph. And a telling graph it is, as the GSX-R1000 appears to have dropped power at 20% throttle (to reduce highsideability) while maintaining the pornographic 160hp at top.

So, the top number, the easy number, the number of honorable tradition, means less and less once it is maxed. The tweaks underneath where there, and important. But you are stuck with your gut feeling until you plot it with a pretty blue line.

Metrics Gone Wrong: Body Count

2008-04-14T16:34:00.000-07:00

From the Washington Post, and which also I heard on the radio this morning, the Colombian army finds a twisted method to meet their performance metrics:

But under intense pressure from Colombian military commanders to register combat kills, the army has in recent years also increasingly been killing poor farmers and passing them off as rebels slain in combat, government officials and human rights groups say. The tactic has touched off a fierce debate in the Defense Ministry between tradition-bound generals who favor an aggressive campaign that centers on body counts and reformers who say the army needs to develop other yardsticks to measure battlefield success.

This is the most extreme example of how a metric intended to track progress toward a goal becomes a measure of performance for the implementers. Focussed on the finger pointing at the moon, rather than the moon itself, the implementers manage the metric but undermine the goal. I don't believe this behavior is uncommon. I saw this sort of behavior in a past life as a fraud examiner. An individual forged a stack of documents, because he understood more documents were good for the company, their legitimacy only an inconvenience.

Releative Position and Privacy

2008-03-17T08:05:00.000-07:00

Ed Felton recently wrote two posts on the failure of the marketability of privacy, and how corporations and consumers should respond. According to Felton:

There’s an obvious market failure here. If we postulate that at least some customers want to use web services that come with strong privacy commitments (and are willing to pay the appropriate premium for them), it’s hard to see how the market can provide what they want.

In the follow-up, Felton describes a standard contract and a sort of privacy escrow protocol to protect individuals against the desperate actions of a cratering start-up.

The more I read and think about privacy, the theory that an individual's privacy has a value that can be exchanged on the market becomes less and less compelling. Frank Pasquale wrote at Concurring Opinions that in the market model, you trade your privacy for efficiency and convenience, using Gmail as an example:

[C]onsider the type of suspicions that might result if you were applying to a new job and said "By the way, in addition to requiring 2 weeks of vacation a year, I need to keep my email confidential." The bargaining model is utterly inapt there. . . . just as it would have been for women to "bargain" for nondiscrimination policies, or mineworkers to bargain, one by one, for safety equipment.

He concludes that people who trade their privacy will outcompete those who do not, and that
"[a] collective commitment to privacy may be far more valuable than a private, transactional approach that all but guarantees a 'race to the bottom.' " The paper he cites on cost benefit analysis and relative position was interesting (to me at least) when read in terms of privacy. From the abstract:

When a regulation requires all workers to purchase additional safety, each worker gives up the same amount of other goods, so no worker experiences a decline in relative living standards. The upshot is that an individual will value an across-the-board increase in safety much more highly than an increase in safety that he alone purchases.

"Privacy" can be substituted for "safety." Can "security" also be considered in this context? Is it already?

2008-03-03T18:14:00.000-08:00

From Rothman, an article at CSOnline discusses Moody's infosec risk rating service.

I personally dig this quote:

The idea for such an at-a-glance rating is appealing to risk executives such as Andre Gold, head of security and risk management for ING’s U.S. Financial Services business... Last year Gold oversaw reviews of 176 new technology vendors; his team visited sites as far away as South Africa to conduct security assessments. “It’s a service that we must do, but I think it’s a non-value-add service,” he says.

A non-value-add service? To quote Michael Scott, that's what she said.

photo from Dwight K. Schrute.

Now That's a Complaint.....

2008-02-27T17:07:00.000-08:00

From Concurring Opinions (and elsewhere), a paper by Chris Hoofnagle "Measuring Identity Theft at Top Banks." Hoofnagle is asking the question: How does a consumer or regulator measure the incidence of identity theft from a financial institution? In an attempt to answer, Hoofnagle took the number of identity theft complaints collected by the FTC and matched them up with institutions listed on the complaint, with the intent of coming up with a score that could be used by consumers to judge how well the institution protects identity.

Call me crazy if I'm wrong, but Mr. Hofnagle seems to be pushing the data way beyond its utility.
Is a complaint to the FTC via a web form a reliable indicator of fraud controls at an institution? In my past experience as an investigator, I handled many cases of identity theft. I'd estimate that at least half, if not two thirds of the allegations of "identity theft" were not, in fact, identity theft. A suspicious charge on a bill, a bad skiptrace, or even a breach disclosure notice could result in complaint of "identity theft." Crime statistics that involve prosecutions of actual criminals may provide an underreported, but more reliable measure.

Hoofnagle mentions that he believes the number of FTC complaints may be low, due to historic underreporting of identity theft to criminal authorities. Again, according to my experience, which may be non-representative, I'd say that people will fill out a web form that belongs to the FTC sooner than they'd call the police. The FTC is more analogous to the Better Business Bureau than law enforcement.

I was going to write something about my frustration with the publicity that the FTC complaint statistics were receiving. Complaints are easy to count and a handy metric. But I don't think that they mean much without some evaluation of the validity of the complaint. That is, what is interesting is hard to find out.

Right before I read Hoofnagle's paper, I read this post from the Microsoft Security Development Lifecycle blog. The author makes the following statement regarding using vulnerability counts as a measure of software security:

"Measuring security is a real challenge, and while we may debate the
merits of vulnerability counts, right now it's the only concrete metric
we have."

I guess I'm saying that the only concrete metric one may have may be misleading, inaccurate, or irrelevant. Concrete isn't synonymous with valid. I may have issues with "metrics" but I love Metric. Need less, use less, we're asking for too much I guess, cause all we get is...

Fillings

2008-02-06T17:03:00.000-08:00

Dental countdown:

4. Juicy stuff from re: The Auditors on SocGen.

Latest news out of France has Finance Minister Christine's Lagarde's report saying that in addition to controls being lax, (duh!), someone who understand the controls should have never been able to be a trader.
With all due respect to Ms. Lagarde, this is ridiculous. Just look at their annual report. They've got "controls" up the wazoo...This is a lame, puppy-dog, excuse.
It's the management, stupid!

Schweet.

3. On the local front, an unhappy IT laborer hacks into bosses e-mail, sends naughty messages.

The affidavit says that Das told Southerland he was holding the Web site hostage until he received his paycheck. Though Southerland said that checks weren’t being dispersed until the following week, Das hacked into Southerland’s e-mail account and sent e-mails to Southerland’s clients and family defaming the company, according to the affidavit.

One of the hostage servers was a database for a site called Rotten Neighbors, where you can be a neighborhood fussbudget without putting on your slippers and yelling at passing cars in your driveway. Such an operation may not provide a gruntle-rich environment that would provide the last paycheck patience that is in such short supply nowadays.

2. And if we learned anything from SocGen, we learned that misbehaving employees are not always motivated by greed, as local community radio KOOP learned recently as they were arsonized. Like French bankers, they were SHOCKED that a buzz kill playlist would lead to wanton destruction of assets.

1. From toohotfortnr, this article identifies scooters as weapons of insurgency. Have we learned nothing?

He begged me to follow but legions of sorrow defied me

2008-02-01T19:11:00.000-08:00

I may not be sure what my point is. Black Swans with trading accounts? The letter U and the numeral Two? Or that it actually does take two ringy-dingys. I only know that the following illustrates it in the most vivid fashion possible.

Data Privacy Day

2008-01-27T20:18:00.001-08:00

To appropriately observe Data Privacy Day, I will not ask you how it is hanging.
That is strictly a matter between you and whatever hangs off you.

Photo of sloth having its privacy violated from sfPhotocraft.

Segregation of Obscurity

2008-01-24T19:49:00.000-08:00

From Forbes account of the Societe Generale billion dollar fraud:

"It's Nick Leeson, the story is exactly the same," said Celent's Pierron. "We have a trader who trades futures, or derivatives, who hides his losses by using weaknesses in the risk-management system." He said that as long as traders had knowledge of back-office operations, the risks of
abuse would always be there.

A spokesperson for Societe Generale said that there would be thorough reviews of internal controls, but noted that this particular case of fraud was "very, very sophisticated."

So, segregate controls, but keep them obscure.

I got some groceries, some peanut butter

2008-01-24T19:14:00.000-08:00

From the maddingly brilliant book of the Naples System, Gomorrah, a description of security during the Secondigliano War between the Spanish and DiLauro clans:

I would ride my Vespa through this pall of tension. In Secondigliano I'd be frisked at least ten times a day. If I'd had so much as a Swiss Army knife on me, they would have made me swallow it. First the police would stop me, then the cararbinnieri, sometimes the financial police as well, and then the Di Lauro and Spanish sentinels. All with the same simple authority, the same mechanical gestures and identical phrases. The law enforcement officers would look at my driver's license, then search me, while the sentinels would search me first, then ask lots of questions, listening for the slightest accent, scanning for lies. During the heat of the conflict the sentinels searched everyone, poked their heads into every car, cataloging your face, checking if you were armed. To motorini would arrive first, piercing your very soul, then the motorcycles, and finally the cars on your tail.

I was struck by the difference in approaches to the basic "airport security problem" between those who were obliged to obey the rule of law, and those who knew an error in their judgment would likely mean their own death.

Foto of the arrest of Cosimo Di Lauro from La Repubblica.

White Knuckles

2008-01-14T17:33:00.000-08:00

This looks interesting, in the context of cultural cognition of risk. Entertaining legal wonking on the issue at Concurring Opinions and Volokh.

Amazing the lack of agreement as to when "Yee haw!" becomes "Holy Crap!" while behind the wheel.

Photo courtesy Marie Rose Ferron / Flickr

Die Doing Something You Love

2008-01-06T19:47:00.000-08:00

"To die doing something you love."
I encountered variations of this phrase three times Saturday.

1. In Chris Jonnum's biography of the Haydens, the on track death of flat-tracker Will Davis. Davis was a hero of Nick Hayden's. Mourning his death, Nick said that there is no tragedy if you die doing something you love. Nick did run his next road racing victory lap backwards in Davis' honor.

2. On the DVD of The Race to Dakar, Andy Caldicott died doing the thing he loved, as described by Charlie Boorman. No one will be permitted to die this way this year, since ASO has cancelled the Dakar race due to threats for terrorism. (You can die doing what you love, not what Al Qaeda loves.)

3. Andy Olmstead states in his posthumous blog post that he died doing the job he loved.

If you love your job, you can accept any level of risk.

Confusion In My Eyes That Says It All

2007-11-27T13:56:00.000-08:00

I figured I'd wait until after my paternity leave was over before I started thinking seriously about words like "control" and "compliance," but I felt the need to say something after reading Bejtlich's post "Controls are Not the Solution to Our Problem."

He illustrates through citing an example of a control, and identifying ways that it fails to achieve total effectiveness. The control may not work and could be superfluous. His alternate approach is a system of assessments, tests and monitoring coupled with a rigorous set of metrics.

If someone describes an asset as "secure," "safe" or "reliable," my job as an auditor is to ask the question "How do you know?" The answer is a control. Bejtlich's "field-assessed" approach is another set of controls, mostly detective rather than preventative. What happens when his approach is codified into a government procedure or a vendor contract? A security practitioner with a preventative approach could grouse about how these pen tests and honeynets don't address the security needs in his shop (due to scale of operations or type and level of risk).

Tossing out controls is also just not an option. Effective or not, compliance keeps you out of jail. I don't always feel that on some roads a 55 mph limit is a necessary control to prevent accidents, but that will mean I am not breaking the law when I speed.

I'm not as big a proponent of metrics as a control solution, but I'll leave that to another post.

Tonight, We Dine in Utica!

2007-10-23T19:27:00.000-07:00

So, despite a workload that would stun an ox, I still manage to read my Internet privacy stories. Like this one from Ars Technica about the University of Utica and their Secret Service data wrangling on identity theft.

I click over to the .edu to read what they had to say in the original text. But, curiously enough, they asked me for my contact information. Well, o.k. - but what is your privacy policy? I hit the link to their privacy policy. This is madness!. No. This Is Utica!

Island of Lost Laptops

2007-10-03T15:53:00.000-07:00

Why are people still all wound up about losing laptops? For crying out loud, there's a reason why the press doesn't report about it anymore. Because it is Bo-Ring. I mean, I'm putting myself to sleep just typing this.

What I want, nay, what I demand is in-depth reporting on what happens to the laptops after they are lost. Gimme some intrigue, some action, and a taste of science gone horribly wrong. I'm guessing there's some island somewhere, a man with a whip and a SOX auditor's idea of discipline, and a crew of sad... well they're not Dells and they're not Compaqs, they're things. Toss in the seductive animal lure of the Apple OSX 10.3-woman, maybe a house of pain or two. Now we're talking.

Auditor: What is the law?
Regulator: Not to spill data. That is the law. Are we not men?

But, as you can see below, strict compliance to standards does not alway result in a social benefit.

Howls of Derisive Laughter, Bruce!

2007-09-07T16:16:00.000-07:00

By now, we all know that the concentric perimeter devised by the kangaroo jockeys assigned to protect the best and brightest of Asia and the Pacific were ineffective against comedian pranksters. (Perilocity has the lowdown.)

But what if they had been REAL pranksters? The NYC could teach those koala huggers a lesson in deterring those cats. They successfully defended the Republican National Convention against a variety of threats ranging from partial nudity, Johnny Cash impersonators, poetry, wet T-shirts and rock 'n roll. I'm confident that a couple of pranksters with a Canadian flag and a limo would not have escaped the attention of The Finest, and would have at least one entry in a database. And, oh, yes, their data would be aggregated, sooner or later. Yes.

I guess my point is two-folded:

1. A system meant to trap terrorists may not trap your prototypical Prankster 2.0, just as a system designed to trap thieves may not trap auditors. (I believe I have railed on this before.)

2. A system meant to trap terrorists may also trap Johnny Cash impersonators.

Compliance for Road and Track

2007-08-29T16:38:00.000-07:00

My Alfa, a 72 GTV coupe, like all GTVs of its approximate vintage, has a recessed panel in the headliner over the back seats. It has proven to be a mystery to passengers in the car, looking like the cruelest joke of a sun roof for the rear passengers who are otherwise treated poorly by the car's design. So cruel, in fact, that a sticker was placed on the rear windows by Alfa. When viewed from the outside, it read:

ALFA ROMEO "2000" GT VELOCE
GROUP 2 TOURING CHAMPION 1971
EUROPEAN MANUFACTURES SERIES

This side of the sticker explains in part the pseudo-sun roof. The GTV raced in the sedan class. To comply with sedan class regulation, there had to be a specific number of inches of headroom for the two passengers in the back seat. Hence the "cheat" of recessing a spot in the headliner, because the seats were as low as they could go. So you can race, and sometimes beat, Minis, BMW 2002s and Datsun 510s.

From the inside, the other story of compliance was visible. From a knees-to-chin head-ducked position, the contorted rear seat passenger could read the obverse:

REAR SEATS ARE NOT DESIGNATED
TO BE OCCUPIED BY PASSENGERS
WHILE VEHICLE IS IN MOTION

The other set of regulations the GTV had to comply with were written by the US Department of Transportation, that defined of sports cars and sedans. Being classified by the DOT as a two-seater would require less modification of Alfa's aging (yet still stylish) design - less in the way of bumper protection for the would be passengers. Actually taking the seats out and putting in a package shelf (a la 911) would make it race in an uncompetitive class. Hence the sticker forbidding rear seat passenger, which attempts to serve both masters. (I'm guessing the seat belts back there are for securing cases of Chianti and bundles of pastrami.)

The different approaches in compliance reflect the different levels of enforcement. Perhaps Alfa felt it could convince the DOT that, really, who would ever be so silly as to sit back there? This is a sporting coupe, not a sedan. However, Alfa knew that the sanctioning bodies for the racing series they participated in would be out there with tape measures and calipers before every single race for tech inspection. Alfa's compliance would be challenged by every other team on the track.

I don't believe it would be too far off the mark to say that an implementation of a control, especially a compliance control that may not have a palpable financial return, will be as effective as the perceived enforcement.

(Read the story of the 2.5 liter Trans-Am at 1971 Laguna Seca for more sad stories of compliance. The Datsun version, the Alfa version. "Oversize fuel lines" vs "expanding gas tanks." )

(sticker image courtesy Papajam at the AlfaBB)

Market Fresh

2007-08-21T17:17:00.001-07:00

A curious discussion of terror risk, and a terror prediction futures market by some GMU economist types and at the Chronicle's Footnoted blog.

I don't know enough to about econ to assess the value of such a market, but I do wish that some one would set up a Privacy Breach Futures Market so we could make the security analystas put their magic quadrants where their mouths are. (Or vice versa: whichever would be more unpleasant.) Viz, the TJX OMG!!1! MILLIONS IN PWNAGE!! NO!!BILLIONS! analysis found on Computerworld. Maybe something more along the lines of buying squares in a football pool would offer as much predictive value as the collective voices of these cats.

Photo courtesy The Prodigal Son.

And yes, this is the second consecutive post with a Broken Social Scene related title. Because Broken Social Scene are one of my top five most favorite things that are Canadian.

I Feel That It's Almost Crime

2007-08-20T16:14:00.000-07:00

Imagine Monster put a click-through license on the malware, adjusted the privacy policy a tad (include an opt-out for additional "services"), and voila! It's not a privacy breach, it's an additional revenue stream! The 1.6M bits of Monster job hunter data is at least as hot as the Glengarry leads.

Imagine that Certegy/Fidelity records were not sent in wild cascading romp through the land of data brokery by the actions of a rogue database administrator, but through a perfectly legal contract. (As Mr. Certegy assures us, the data was sold to legitimate data brokers.) So the whole thing is a just a crossed "T" or dotted "I" away from being 110% on the up and up. Instead of class action, we'd be talking steak knives and Eldorados!

It's just semantics. "Data broker" = "Identity Thief." "Lead Generation" with "Privacy Breach."
It's all the same. But the Yukon keeps me up all night, and it feels like it's almost crime.

Everyday Privacy and Security: Buying Age Restricted Products

2007-08-15T16:03:00.000-07:00

So, I go into an Exxon, looking to buy a pack of butts. (An evil, nasty habit I am trying to quit, but the demon weed still has its claws in me.) I ask for a pack of what they had that was closest to my brand, and it was slapped on the counter. Then the clerk asked for my ID.

O.k. Tobacco, along with pornography, beer, and sometimes phen-phen, is an age restricted product available at some convenience stores/gas stations. Despite my advanced grizzledness and paunchitude, and my sincere doubt that the woman behind the counter was trying to flatter me by insinuating I could be mistaken for a teenager, I complied.

And I was ready. I had recently traveled by air to San Francisco, renewed my license, but still had the printed paper companion from the DPS to accompany my laminated driver's license with an older, but still somewhat grizzled image of my mug on it.

No dice. My license was expired, therefore I was probably under 18. The fact I had renewed my license was no good. "Policy," the woman said. "But....But..." I objected. "Policy."

In my nicotine deprived state, muttered my way back to my car, curses ranging from Kip Hawley to Captain Hazelwood. And of course, the X-Ray Spex wormed into my brain:

IDENTITY IS THE CRISIS YOU CAN'T SEE
IDENTITY IDENTITY IDENTITY

Impacted Molars: Pay Hell Gettin' It Done Edition

2007-08-02T17:05:00.000-07:00

Random Eye-tooth:
I've been reading the Counterinsurgency Manual, and I'm figuring there is some analogue to a corporate approach to minimize the "insider threat."

Extraction:
Mr. Loblaw describes a grisly example of privacy abuse in a recent decision du jour, selecting the choicest text of a 6th Circuit decision so I don't have to. But I will.

As the plaintiffs’ complaint explains, prisoners have threatened and taunted the officers, often incorporating the plaintiffs’ social security numbers (which they have committed to memory) into the taunts. Some prisoners wrote the social security numbers of some of the plaintiffs on slips of paper that they threw out of their cells.

Now that's what I call abuse of NPI, a sort of SSN gassing. But do the plaintiffs get relief? No.

[T]he guards’ social securities numbers are not sensitive enough and the threat of retaliation from prisoners was not substantial enough to warrant constitutional protection.

Ride the NPI Country:
Courtesy the continual compendium of outrages privacy related, i.e, Pogo, come this story hashes ID crime stats. The conclusion it appears to draw is that Big Sky Country is a den of ID thieves. All the big increases in identity crime occur in North Dakota and Montana, with the notable exception of Springfield, IL, which can be attributed to Groundskeeper Willie and Apu. Considering that there are more people in my MSA than all of Montana or North Dakota, I wish I could get a thorough look at the stats. Not so bad that I'm going to request data from a "marketing@" e-mail address, which ID Analytics requires.

Computer Security for Trainables:
From the Chronicle tech blog, the winners of Educause's security awareness video contest. I dunno. These videos will not be a part of my infosec counterinsurgency program. No beat, can't dance to 'em.

Bonus:
"Sweet fancy moses": the whole shocking story. Discuss.

Describing Difficult Procedures

2007-08-01T09:53:00.000-07:00

Lately, I've been working on my 1972 Alfa Romeo GTV. What I've learned about project management seems to evaporate into red mist in my garage. Currently, as part of changing my fuel system from the wonderful yet arcane SPICA mechanical fuel injection to the elegant and infinitely adjustable Weber carburetor, I am pulling the head off the twin overhead cam beast.

The head pulling process is described in the Alfa Romeo Giulia Owners Workshop Manual thusly:

"Remove the head nuts and the two screws fixing the front cover to the head, then lift off the head."

As it represents the official, legally vetted process described by the vendor, the above advice can be called "the standard."

Pat Braden's definitive "Alfa Romeo's Owner's Bible" describes the procedure thusly:

"The head bolts should be loosened incrementally following a spiral from the center out. Work slowly around the engine double-checking that everything is removed before trying to lift the head free. Typically, the head won't come free."

This passage is followed by several paragraphs of recommended procedures for freeing the stuck head, including "factory tool" and "rope trick." Having been codified in book, written by an expert, these are clearly "best practices."

On the Alfa Bulletin Board, a search on "head removal" will generate a multiple page jeremiad of head pulling frustration and anxiety. Tools as diverse as crow bars, bottle jacks, concrete rust remover and improvised pullers are deployed to extract head from block. Results vary. I'll call this "how things happen in real life."

Half Baked

2007-07-18T18:36:00.000-07:00

What follows are annoying thoughts that have been ground to meaningless gravel in my head for the past month or so. As soon as I think them through, and dismiss them, my brain belches them back up. Committing them to the ether seems the only way to purge them, but I've been wrong before:

Proximity and Privacy: Privacy breaches due to negligence occur when there is a distant relationship between the identity custodian and the individual. Malicious breaches occur when there is a close relationship between the two. (Half baked corollary: Web applications proxy a close relationship with distant actors.)

Metrics Will Be Juked: The compiling of stats is the prelude to the inevitable juking of stats. Observing, recording and reporting the data underlying a performance metric corrodes its value. The reason data that is difficult to access and compile is compelling is because it is difficult to access and compile. Once people realize that their behavior, or the results of their behavior are being observed and measured, their behavior will change, not necessarily to impact the desired results, but to change the metric. This change will be multiplied if the measure is tied to compensation or perceived to be tied to compensation.

Lone Gunmen Theory of Privacy Risk: Measuring a corporation's loss due of breach of privacy is futile and meaningless. This loss is not related to the harm to individuals whose privacy was violated. It makes no difference if the data is lost, stolen, or sold, or if it occurred within or without the bounds of the law. I don't see any equation that will match corporate postage, legal fees, data broker accounts receivables, or public relations consulting with personal financial trials, embarrassment, loss of employment, prohibition of travel, or physical detention. Privacy risk is borne by individuals, not corporations. Which is why I was a bit distressed when I read this:

If you are not suffering any damage due to these breaches, then why are you even trying to deter, detect, and respond to them in the first place?

In privacy, it's always the other guy that suffers the real damage.

Now I can concentrate on the important things: sorting out my emotions regarding the preemption of TV coverage of the German GP by live broadcast of Lady Bird's burial and Laguna Seca.

Privacy is a Technological Imperative

2007-07-16T14:58:00.000-07:00

My seasonal July funk has been working on me and my attitude, but not so much that I can't find some perverse humor in the slashdot discussion on privacy as a biological imperative.

Ms. Sweeney's correlation of privacy to the stealth required by the predator stalk and consume prey was latched on to by the /.ers like an antelope at a watering hole. I don't see it myself. There is a fundamental difference between the biological need to eat and personal need for privacy. The development of information technologies creates the need for personal identity, and creates the tools to destroy it. Examples include the portable camera (which drove Warren & Brandeis to define the right to privacy in the context of the US Constitution), the telephone, punch-cards and TCP/IP.

These aren't new or original thoughts, but just how I see it.

Lion enjoying a private moment courtesy hannes.steyn.

The Easy No

2007-07-04T10:09:00.000-07:00

From Concurring Opinions, this commentary on a recent New York Times article on Hypercompliance on the HIPAA front. Health care folks have been intimidated into denying access to PHI to people who have legitimate inquiries and a legal right to it.

This type of behavior is born out of fear and poor understanding of rules filtered through complicated reports written by obfuscating contractors. It seems reactionary, and unreasonable, but a means to the safety only an ass well-covered provides. As Mr. McGeveran points out, "it is always easier to say 'no' than to figure out how to say 'yes.'" I believe mistaken "safe" attitudes like this is often how security policies end up being implemented, and are difficult to purge once they become corporate folklore.

The "easy no" is not uncommon in security management, and enables ten thousand wannabe Kip Hawleys to exercise passive aggressive nonsense in its name.

Beats thinking.

Dog of War or McGriff the Crime Dog?

2007-06-27T15:49:00.000-07:00

So, solider or cop? War or Crime? Or both?

I ask this question of my own self after reading (and enjoying) Michael C. W. Research's recent posts on security framed in the context of Clauswitz. Thinking it through, though, I began to wonder if war is the context information security should frame itself. After all, as an info security practitioner, you are denied both first strike and retaliation with like force. Hampered by a bureaucracy, limited by budget and laden with metrics of questionable value, you perform awareness and outreach to a resistant, often resentful community that harbors potential adversaries. When the adversary attacks, your response is defensive, forensic, and heavily regulated. In the initial analysis, it sounds more like a cop than a soldier.

Like Mr. Peterson, I recently finished reading Robb's Brave New War. Robb describes the decline of wars between states or their proxies and the rise of the global guerrilla. The global guerrilla uses system disruption and open source warfare to break down the brittle security systems of organized and highly interdependent states. Mobile and rapidly adapting to changing tactics, this adversary is usually hidden in the state it is trying to hollow it out, cooperating with or participating in transnational organized crime. Now that threat sounds more familiar; Robb describes the phishing marketplace as a example of open source warfare.

Is War now Crime? Is the infosec defense model Clear Hold Build or Broken Windows?

New Concepts in Data, Compliance and Marketing or The Overly Dramatic Truth

2007-06-19T16:22:00.000-07:00

Like the rest of the world, I read J. Cline's article on the upcoming data eclipse while listening to El P's I'll Sleep When You're Dead, which is the best way to read it.

J. Cline is prophesyin' the impending darkness where all corporations will crumble 'neath the cleated boot of data governance.

Mr. Cline identifies the signs of the data eclipse endtimes: Ford has abandoned autos to focus on quality improvement. Wal Mart has unburdened themselves of the lucrative Chinese tube sock trade for supply chain management. In the post-eclipse world, we must surrender control of our enterprises to the wanton desires of regulators, lawyers and audit chimps such as myself. We no longer make the decisions, but wait for them to be passed down from these distant parties who ponder our fate far from the red meat and hot breath of corporate operations. It's not the moon, after all, but the pointing finger of compliance and legality we should focus on.

I may have been born yesterday, sir, but I've been up all night. Like a diamond bullet between the eyes, I was struck with an aces-on Notion (with a little backing I think I could turn it into an Idea) which will make me the fortune I frankly deserve. A methodology that will empower the document generating wherewithal of ten thousand legions of certified information control professionals.

I will call it the Compliance Legal Object Audit Client Architecture: CLOACA. Look for my booth at a tradeshow near you.

CLOACA: You'll Be Surprised What Can Come Out Of It!

Vulnerabilty v. Threat

2007-06-12T05:09:00.000-07:00

Jeremiah Grossman's analysis of the MSNBC stock contest cheat.

It seems to me that this sort of flaw would rise to the surface quickly from a threat perspective, but slower from a vulnerability perspective. I'm not sure why though.

The Italian Job

2007-06-11T18:16:00.000-07:00

Odd ball kidnapping heist documented at MCN and Roadracing World illustrates the danger of the insider beyond the pilfered laptop or unexpired system credentials.

Apparently the Alto Evolution World Superbike team "reduced the responsibilities" of Sergio Bertocchi, their erstwhile manager, after the race at Monza a while back.

On the way back to Italy from the most recent race at Silverstone, UK, the Alto truck gets hijacked at a border crossing. According to the Alto Evolution press release:

The driver was kidnapped for more than six hours and the truck diverted. The driver was able to escape in Bruxelles - Belgium, where he alerted the police and confirmed the names of the people of the gang which had kidnapped him and stolen the truck. Amongst the members of the gang have been recognised four people: one of them was Mr. Sergio Bertocchi.

Policemen from Belgium have immediately started investigations and, at the same time, Carabinieri in Italy have been alerted. Investigations have gone on strenuously and with outmost secrecy. On the 6th a van of ours was sent to Trieste to recover other spare parts and accessories still in Trieste's warehouse. On the way back, in the first rest/service area out of Trieste, the same criminals have stolen the van and its content. Unluckily for them, following a great effort of electronic interception and lots of their's tailing, law-enforcement personnel has had the opportunity to see the criminals in action in first person. Carabinieri have been on the van's tail for a couple of hours and at last they have recovered the vehicle and its content and put them under sequestration.

Meanwhile the subject liable for theft have been blocked. On Friday the 8th Carabinieri have given us communication that the truck has been found and is now in a safe place in Trieste, again judges have disposed sequestration of the goods.

Although it reads as if they got Alto's rider Muggas to do the translating directly from Italian to Tweed Headsian blindfolded, at first blush appears to be a story of justice served. The former manager plays the archetypical role of the disgruntled employee who turns against his employer by hacking, vandalizing, stealing office supplies, truck hijacking and/or kidnapping. His fiendish plot is foiled due to surveillance and electronic tracking. Chalk one up to the gallant carabinieri and their high tech tracking equipment!

And interesting question regarding identity, though. Did former manager Sergio use his identity to gain confidence and access to the truck? Seems that would be an enormously boneheaded maneuver for a hijacker. I've got issues trying to correlate the motivation of the attacker with his techniques.

Maybe it was just a denial of service attack. Check that word "sequestration" in the above quote, on which the Alto Evolution team elaborates:

This, and only this, is the reason for which we will not be able to partecipate to the race in Misano on the 17th of June.

Not too difficult to imagine Sergio in his Italian jail cell rubbing his hands together, mumbling about how they'll never race in Misano...never in Misano..

Sufficiency, Competence, Relevance

2007-06-07T19:55:00.000-07:00

I returned to work after a refreshing and invigorating vacation in Wisconsin and greater Chicagoland. After marking random e-mails as "Read," I look over some notes I took in a prefreshed state, most particularly this line:

"Reality vs. ????"

I figure I was on track to bust my epistemological crisis wide open, and instead I caved into some ontological audit chasm. Not quite a zombie, but brains are starting to smell real good.

"Reality vs. ????" I think I was getting into a Rashomon fugue state, with folks skating around conflicting stories, but nodding in agreement. I wanted to know: When evaluating perception, what evidence is more reliable than testimonial evidence? Is the written as as important as the thought which drives the action? Can or should the common testimony of a dozen individuals be sufficient to assert a common perception, and be used to predict a likely action?

I searched the Red Book and Yellow Book for the answer. To make sure I didn't miss anything, I checked the Blue Book, too. (Man, that Mazdaspeed3 looks SWEET!) Their answers rang as hollow as a Sturtevant kringle, just not as tasty. "Sufficient and appropriate," "competent and relevant," "better if supported by documentary evidence," "yada yada yada." Not helping me out.

I was looking in the wrong places, of course. In my backpack was the unfinished beach reading: King of the Jews by Nick Tosches. I dig Tosches in a serious way; he is a relentless researcher with a full appreciation of the negative case. From the Book of Esther to Abe Lincoln to Mayor Bloomberg, Tosches makes clear that evidence - competent, appropriate, sufficient or otherwise - winds up as whatever is said most often, and what is said most often is often enough wrong. Still not much of an answer. Really sort of grim.

Nonetheless, with that cryptic fugue out of my system, I'll go back to work. Less episteme, more hax0rme.

The Red Duck

2007-05-29T16:58:00.000-07:00

Yesterday was a tough one at work, made especially tougher by the fact that the House of Tooth is flying out on vacation tomorrow, earlier than I feel comfortable contemplating.
But if Mr. Howell is going to write about motor vehicular risk, so will I.

When I got home last night, I watched Race 1 of the WSBK at Silverstone. Nasty conditions: standing water on the track, filthy visor-coating mist flung up from rear tires, cold rain, poor visibility, and very heavy very aggressive traffic. So nasty that the second race was red flagged. Sounds like Chandler's Chicago commute, with the following exceptions:

Everyone is on two wheels (except for the Alfa 159, which follows only on the warm up lap, and at a discrete distance).
The cycles have been freshly massaged by well paid mechanics, sparing no expense in picking the fly poop from the pepper in handling, power delivery and suspension according to the desires of the rider. When the track is hot, statuesque women in high heels hold umbrellas over the motorcycles to keep them cool.
Everyone on the track is wearing leathers, gloves, boots, back protector and a full-face helmet.
No one is chatting on a cell phone or drinking coffee whilst riding round the track. The only communication is through flags waved by officials and corner workers, and the pit board with a couple of numbers hung out for the rider to read as he speeds past. None of this NASCAR-style chit chat and sippy cups.

All the WSBK machines are produced to a regulation, a formula that is more rigorously enforced than PCI, Basel II or the FFIEC guidelines. Sunday's race at Silverstone revealed the difference of how a regulation is interpreted, viz., traction control. Despite the best efforts of a well funded Ten Kate team, with full support of the mammoth Honda Racing Corporation, and a skilled and extra-dreamy rider at a home course, Mr. Toseland's CBR1000RR ended up like this after only a few laps. Nonetheless, water spewing from his radiator, and mud in the engine, he picked it up and rode on, finishing 8th. He was lapped by the pack who had figured out traction control: Xerox Ducati and Yamaha. And the Ducati bike is a year old.

Are strictly enforced regulations and technical innovation what makes for great racing? Is it all physics, themodynamics, fluid mechanics, geometry and friction?

No. What makes for great racing is the fact that these machines are piloted by the world's finest chaos generating engines, i.e., motorcycle road racers. Otherwise, why does nutso "Nori" get wear a rainbow wig on the podium, while his stoic Wollongongian team mate does not? What is to prevent a twitchy Frenchman on an equally twitchy Kawasaki from having a fleeting existential moment, resulting in a high velocity green missile smashing into a focused Texan's perfect line round Ascari? Nothing. The black swan rides the track along with the red Ducks.

Like any enterprise, you can comply with the regulations. You can follow the rules. You can become technically innovative. But the enterprise is run by chaos driven humans. All you can do is strap them in leathers and hope they don't lose any more fingers than is absolutely necessary.

Signals, Calls and Marches

2007-05-22T17:38:00.000-07:00

Two stories stuck in my craw this past week. Now, I'm spitting them out, for your pre-masticated pleasure.

Firstly:
Tim Wilson's post at Dark Reading figures we shouldn't buy IBM security services because one of their contractors lost a storage tape with NPI on it. And that a public wireless company should not be patronized because they had a crooked options administrator. The TSA loses some employee data, so what..? We find some off-brand liquid & gel manhandler? The causality between the security products and services offered and the lapses in security and anti-fraud controls seems spurious. Does TJ Maxx not still shop continuously so I can find fabulous fashion bargains? That I'll pay cash for?

Segundo:
I can't believe the guy playing Punk'd with Google AdWords got so much press. The SANS dudes creamed themselves into a fit self-righeous suspender-snapping ecstacy in their newsletter over this DARING SOCIAL EXPERIMENT! The story was lame, proved nothing, but did allow the SANSabelters a chance to feel so superior to the l00zerz that would click on a link that says "Infect your computer." All that energy parsing stats THAT MEANT NOTHING! Dismissing your customers as ignoramuses, and pointing to practical jokes as proof is no way to run a "profession." If you must, at least do it behind closed doors.

Cause in the words of Mission of Burma:
So make sure that you are sure of everything I do
'Cause I'm not, not, not, not, not, not, not, not your academy.

Motoprox

2007-05-17T16:54:00.000-07:00

Yesterday I was barreling down the concrete slab choked with tractor-trailers and nitro-burnining funny trucks laden with oily 2x4s and spent joint compound jugs, I was engaging my left brain in random problem solving ("Resolved: The world is as random as it is not.") and engaging my right wrist in focussed throttle control on my Triumph Bonneville. I hate the road - a stretch of oversubscribed interstate that at an unfamiliar time (around 3:00 pm) and was unfamiliar with how the traffic would be flowing. The part of the brain that controls motorcycle function became increasingly engaged.

Fortunately, it didn't come out of nowhere: some set of clues were processed so I was pretty sure the black sedan was going to dart into the part of highway I was occupying. I braked as much as I could, as the pickup behind was riding my exhaust, and I moved as far to the left of the lane as I could. Just as his door was nearing my knee, the driver of the sedan spotted me, and made a panic swerve back to his lane. No harm, no foul, just a cortex soaked in adrenaline. People pay good money for that.

Which led me to my thought. Do near misses count?

UK Civilian Aviation Authority Airprox Board thinks so. They are dealing with potential accidents, however, with an not unreasonable assumption that neither party wishes a collision. There is no attacker, so it is easier to get both sides of the story, and a clearer, truer account of the incident, and quality information to improve the process. In a security incident, you will rarely get the other side of the story, so the account is skewed to what the defender has observed, and the attacker has failed to hide.

The Risk Management and Decision Process Center at the Wharton School has this brief description of its Near Miss Management study.

It may be nothing useful, but I'm wondering how "near miss" security incidents are handled. How are the elements of "luck" and "skill" (i.e, controls, response,etc.) allocated? Since the bullet was dodged, is there a increase in comfort in the level of security, even though it may have just been luck, or the actions of the attacker, that made it a "miss"?

I don't know, but I've been hyperaware of traffic lately, and my head is encased in Shoei and my body in Tourmaster. (And for more on motorisks, see Chandler's post from last September.)

Hot Honda on Duck action courtesy PhillC.

Everyday Privacy & Security Part 2: Fear Factor Authentication, or I Won't Forget You Baby, Even Though I Should

2007-05-14T15:48:00.000-07:00

If you are like me, or, if in fact, you are me, your online financial transacting experience has gone all Security 2.0 by the factor of WOW!

Over the weekend, I had an unpleasant experience. The clerk at our local What-Nots 'N Such franchise denied me use of my cash card. I figured my financial institution was trying to protect me whilst humiliating me, so I scurried home and logged into my financial institution's websperience.

But! Wait! My financial institution has gone all Fort Knoxy on my ass since the last time I websperienced them. They want to really get to know me before I can check out my balance. It went like this:

Dude! We're all secure and stuff now. It may be a pain in the back-end, but you will thank us because we will know you better. It's all legal. As a matter of fact, we wouldn't even be doing this unless we had to, but banking is mostly about money, and partly about pretending. So let's pretend.
Please enter your account number.

O.k.. But, no, that was your SSN.

Wait. Ooops. O.k. Let's call it an account number for now and move on.

Here are some fun disclosures for you to read. I'll wait here whilst you peruse them. Our attorneys wrote them to be concise but with a hint of whimsy, sort of P.G. Wodehouse meets Sartre.

Done already? Man, took our lawyers a bit longer, but whatever. Let us begin.

Type in some random characters.

More... More.... TOO MANY.
Did you include some numbers? Try that.
And some non-alphanumerics.

O.k. Hope you remembered that. It could be your new password, or your new account number or what the tellers will whisper under their breaths when you come in to get a loan.

Now comes the fun part. To your right you will see pictures of six different semi tractor trailers. We're going to use these pictures to identify you in the future.

Please pick the truck that most resembles your maternal grandmother.

Interesting choice.

Now some questions. Answer using your gut, and pretend that this is just between you and us. We'll use these questions for something in the future, probably resetting your password when you realize that your keyboard doesn't have a cent symbol on it. But pretend it's a legit reason.

Answer the following to the best of your knowledge:

Your favorite color.

The brand undergarment you are wearing right now.

Your favorite place for making whoopee (City and State only, please!)

Your favorite Poison lyric.

Interesting. You know you just qualified for a boat loan the way you answered that last one.

Now just press enter. (I hope you have Javascript, ActiveX and are typing this from a Internet Explorer 6 on Windows XP cause else I don't know what's going to happen.)

Sorry! You chose the wrong truck. Let's start again. Hit the back button. NO, NOT THAT BACK BUTTON!

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

SSNS ON THE LOOSE! (Legacy Edition)

2007-05-08T16:04:00.000-07:00

I'm trying to understand the newsworthiness of the latest episode of "SSNS On The L0OzE. OMG!!1!!"

Some dude in the mail room puts a bunch of computer tapes in the wrong slot, according to the AP report in the Houston Chronicle. State agency looks for 'em. Contractor looks for 'em. Then they find 'em, in the wrong slot. A problem as old as the mainframe.

My guess: the missing tape was a quarterly report (WITH SSNS!!), there was some turnover in the computer room, and the folkloric control vanished with the last operator who performed it. The article doesn't state the format of the tapes, but I'm guessing it's EBCDIC flavored, with a chewy center of either DB2, Adabas or Model204. (The New Russian mob has standardized on Unicode, leaving behind Blofeld and his "legacy" villainy.)

Solution? Document the process, develop a tracking spreadsheet. People have been exchanging tapes for decades, and there are simple ways to track it. You could even buy some bar code software, or something. (As it says on the wall in the illustration: If In Doubt ASK".)

What is the solution proposed by the contractor?

The company is now exploring transferring the data electronically to improve security, [contractor spokesman] Lightfoot said.

I think my way is cheaper. And safer. And easier to track. I only know what I read in the papers, though.

Diamonds Are Forever image courtesy Xeni.

Throwing Scorpion Out With the Frog Water

2007-05-07T15:49:00.000-07:00

Declan McCullagh says that the federal government is unlikely to implement the National Research Council's privacy recommendations, in particular, a privacy commissioner, because it isn't in the federal government's scorpion-like nature. Ars Technica also has coverage. (And why must it always be a czar?)

The US is having the same issue with privacy legislation that it had with television resolution. We adopted early, because we needed to see our Felix the Cat on the airwaves, and 441 lines of resolution are all that NBC in 1941 could muster. Likewise, the privacy principles developed by the US government in the 1970s were developed too soon, when databases were just creeping out of the punch card era. US privacy law ends up like broadcast TV sets - an archaic lo-res standard, while other parts of the world lagged behind, but adapted a more advanced standard. Think of Europe's Privacy Directive as PAL.

From what I've read of the NRC's paper (the Executive Summary), it seems they are going for a full blown HiDef 1080p Dolby Surround sort of privacy regime. Just as the networks dragged their feet on the 441 lines of resolution until they were forced to move ahead with HD by the FCC, so will industry drag their feet on privacy until a privacy czar, prince or archbishop cajoles them into the 21st century. I'm being optimistic, but at least the frog was committed.

Lo-Res Felix from FelixtheCat.com

Waffle are Just Pancakes with Little Squares On 'Em

2007-05-04T22:52:00.000-07:00

I've been working on something, but I don't know if it will make by race time in Shanghai.

In the meantime, the most important part of internal auditing is "production value." And we know what that means.

So, is it on spec?

Impacted Molars

2007-05-01T15:34:00.000-07:00

Brighter Teeth

From Educational Security Incidents via Pogo comes this terrifying story of privacy laden scratch paper from the land of the gigantic stone Texan. Apparently Sam Houston State U. uses a student ID number that is not their SSN. Hooray! But they do sometimes print out sheets that correlate the student ID with the SSN for the math lab to use as scratch paper. Boo! But this was strictly against policy, and was surely attributable to the Soviets since:

"After a security briefing last summer, we no longer use SSN's, we only use Sam ID numbers to keep Identity Fraud down," Harris said. "It is against the University's procedures to use SSN, so if it prints off, we automatically white the information out." [emphasis all mine]

Teacher's high indeed!

Fresher Breath
From Dark Reading, a grim story of my home town, in which it is portrayed as a the hipsterest most l337 joint for the securi-hacker community. The worst part is that it mentions my coffee shop. I'll never feel safe using wi-fi again. (Actually, I usually limit myself to consumption of paper based information at coffee shops. But that's just me.) (And the coffee shop is not the one that is fully populated with jaded 21 year old grad students.) (It's the other one.)

Extra tooth
I agree with this comment to this Dark Reading article on the e-Gold dust-up. However, I believe that the phrase "going for the juggler" was an error. I've generally expressed the sentiment as "going for the juggalo." The powers that be are generally in a state of going for the juggalo.

Romanian toothpaste from Jessamyn

Go Ask Alec Baldwin

2007-04-26T18:35:00.000-07:00

SSL apostate Ian G. refers to an article on estimation of loss due to a privacy breach.

I think we are measuring the wrong thing, and operating on these assumptions is dangerous.

From the article, a Forrester analyst says:

"After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number."

The $90 - $305 range smacks of too much precision and not enough accuracy. Only software project managers can get away with ranges like that. These numbers are more harmful that worthwhile. Most of these factors are not driven by record count (legal fees, stock plummets or lost productivity). Record specific costs are generally lower (call center and postage - and if you lose enough records, you don't even have to mail notices). So let's just call it BTUs per furlong and call it a day. And I don't think "customer losses" is as important in assessing the risk as "losses to customer."

The next Forrester quote underlines the problem I have with the general corporate thinking about privacy breaches:

"Previously, when a company had a data breach, a response team would fix the problem and test the mitigation, then the company would resume normal activities. Now we have to spend time on public relations efforts, as well as assuring both customers and auditors that new processes are in place to guard against such breaches in the future."

The reason you could get away with just fixing it and moving on was because the company did lose anything it owned. What it lost was owned by its customers. Losing one bit of highly sensitive data about one litigious customer could cause more damage that a dozen laptops filled with the SSNs of 10 million people.

It's the "loss to the customer" that will drive your high dollar PR and legal efforts, which have scale, and can dwarf your call center and postage costs in an afternoon.

I'd like to take the data, rehash it according to type of breach, sensitivity of data and litigiousness of customer. Then I think you'd start on the road to a meaningful metric.

The Red, Yellow and Green Legos of Judgment

2007-04-24T18:17:00.000-07:00

I'm out here in Coyote and Roadrunner land, knee deep in internal auditing. I co-presented yesterday on privacy, as a co-author of an Institute of Internal Auditing publication.

It's been a interesting couple of days, driven in part by the isolation of the location. As attractive as a golf/casino resort may sound, it's not so groovy if you don't golf, don't gamble and didn't have the foresight to rent a car. I can meditate on the cacti, and read. I packed a couple of books to get me in and out of the Internal Auditing mindset: The Digital Person by Daniel Solove (highly recommended), a Kierkegaard anthology (because what is auditing but fear, trembling, and sickness unto death?) and Nassim Nicholas Taleb's The Black Swan (I've been alternately writing "YES!" and "BULLSH*T!" in the margins. (It's my policy to keep the margins safe for work.))

But this morning I had my own inverse Damascus moment, as Bill Power (if that is his real name) of the PCAOB was giving the assembled throng his information technology application auditing method, as demonstrated through a manufacturing case study. It was interesting enough as analysis of manufacturing financial systems go (yes, exactly that interesting), but at the end of his case study it seemed to me that he just plopped Red, Yellow and Green Legos into the risk spaces in his spreadsheet, and chalked it up to judgment. In fact, one of the slides read something like "RISK ASSESSMENT IS ALL JUDGEMENT" (I'd quote directly, but his presentation is not on the conference CD-ROM. I do remember he spelled "Judgment" with two "E"s.)

O.k. Sure. Risk assessment without judgment is pretty worthless. And auditors have an obligation to use their judgment to assess risk. Nonetheless, it doesn't seem worthwhile to go through all this spreadsheetin' and flowchartin' just to get to the point where you pull red, yellow and green Legos out of your velvety Audit Sack of Judgment and snick-snack them on financial information systems and processes master control grid. How about the stuff you don't understand well enough to apply judgment? I'm getting the idea that it's called "Out of Scope."

At what point does "judgment" intersect with "caprice"?

Go ahead, call me naive (if you haven't already). But it's getting dark, and I'm going to see if the cows come back to the hotel parking lot again tonight. This time I'll be ready.

Photo courtesy of The Bill.

Apocalypse Pooh

2007-04-17T17:45:00.000-07:00

It's a grim world around us. A mass murder turns into a cynical ploy to promote and condemn any issue you care to name, or exploit the grief for naked profit.

How can I deal, in the short term, except for a brief absurd laugh?

Adblock

Thanks to the Moonshine Mountaineer for the Youtoobage.

Sweet Fancy Moses

2007-04-11T19:28:00.000-07:00

Lots of odd stuff (mostly from Pogo & Fergie):

Why Justice Went Blind The courthouse security folks in El Paso County can see you nekkid.
"The new machine will not replace the metal detectors already in use at the judicial complex. Instead, it will replace two of the security guards who use wands to screen entrants that set-off the metal detectors. The board of commissioners estimates by replacing the guards with the body scanner the county will save $64,704 a year."
Outstanding! You can see my ass, and fire two guards!

Consumers Are JUMPY! "77 percent of Javelin's respondents said they intend to stop shopping at sites that have experienced data breaches." Well, I'm firing Trans Union, the IRS & Travis County!

ID Theft-O-Meter! - Hold on, where do I put the cost of monitoring my own credit, talking to the police, time spent in jail on false arrest, higher interest rates after a company is careless with my own date? Oh... It for the corporations that lost it. The REAL victims!

NETCOSM! - Just plain cool. I remember something similar years ago, where you used DOOM maps to kill processes on FreeBSD. Yes! PSDOOM.

In defense of controls

2007-04-11T15:34:00.000-07:00

Alex is pretty down on ISO 17799.

I think the reasons are that he sees organizations substituting ISO 17799 for risk management FAIR style. Instead of calculating a realistic, customized risk profile, an organization pulls ISO 17799 (or COBIT, though COBIT is less specific to security) off the shelf. The specific controls in the 10 areas are implemented, and therefore they are secure, and risk-free. However, a focus on these areas may not appropriately address the real risk to the organization, and may result in inefficient and ineffective use of resources. (I hope he'll correct me if I'm wrong.)

I think he's right if that is how the standards are implemented, but it is not necessarily the only way they can be used. I'm thinking that if used properly, ISO 17799 could help in implementing controls to reduce the risk identified. He cites an example of using metrics to manage patches. I see it this way:

Risk analysis identifies areas for control.
High value assets on exposed servers are vulnerable to complete compromise from any weak-ass hax0r wannabe, because of well known problems in the OS. The vendor has issued patches, and continues to issue patches on a routine basis.

The control is implemented.
Defining the control is where ISO and Cobit would come in. Once you have decided that it should be done, it can answer the question of how. If others have discovered a way to control the situation that works reliably, I don't see why you wouldn't want to use it. Engineers and accountants do it all the time. At the same time, it must be optimized to meet not only your specific risks, but also your environment and culture. Striking the balance between the universal and specific is the challenge that standards face.

The effectiveness of the control is measured.
A metric could be used to determine the effectiveness of the control, as well as the appropriateness. If you are unable to tell if a control is functioning, it is hard to tell if it is effective. If the server team does not adequately test the patches, or places lower risk items higher in the work queue, your risk is not being mitigated when you think it should be. An armed guard isn't an effective control if he's asleep all the time.

The way I see it, risk assessment is necessary to prioritize controls. Controls are used to manage risk. And metrics are used measure the effectiveness of controls. There are multiple ways any of these can go wrong, but it's a beautiful evening and my motorcycle needs exercise.

Invincible

2007-04-05T15:58:00.000-07:00

New York Magazine article "The Young Invincibles: A Generation Uninsured" discusses the way uninsured 20-30 year olds in New York deal with health risks (link and commentary from Concurring Opinions.)

The article is interesting study of people who do not participate in the most common health risk management strategy: insurance. Unable to afford it, or "rationally" choosing to be uninsured, they have created their own strategies to minimize exposure. Curtailing snowboarding activities (only the half pipe), daily brushing, and yoga are balanced with careers as bike messengers and retailers. There is a wide range of risk appetites: the bike messenger who feels that "helmets are cumbersome," and artist who eschews bicycling completely. Maintenance and prevention are expensive or inconvenient, so the Invincible's focus is on the severe or catastrophic cases.

Are there corporations out there that believe themselves to be "invincible"? Is this the sort of attitude that prevents real security from becoming embedded into a corporate culture? No doubt possible. Also likely is the false sense of security associated with "compliance" as a risk mitigation technique. SOX is like a bicyclist's helmet ("too cumbersome"). PCI is like brushing your teeth every day. No one condemns daily brushing, but it won't help when you get a kick in the teeth.

(I recall my own period of "invincibility." Working without insurance as a deckhand on a towboat on the Ohio, Tennessee and Cumberland Rivers, I didn't see the dangers of hopping from barge to coal soot covered barge, lugging 90-lb ratchets and wire, all risk mitigated by my Redwings and a bump hat. Not until a near death experience while epoxying the inside of a fresh water tank did I think "Hey, what if I get crushed? What if my brain is actually damaged, and no one will ever get my jokes?" Then I sought less perilous employment. With a health and dental plan. So I found my way to the Guild of the Green Eyeshade.)

Men's 8-inch work boot with metatarsal guard courtesy Redwing.

One Man's Trash

2007-04-04T17:00:00.000-07:00

The righteous fury of Texas Attorney Abbott was last month stymied by an elite cadre of county clerk ninjas who conjured a shambling legislative behemoth to crush his valiant effort to protect the privacy of Texans.
Abbott screwed his courage to the sticking place, and was not to be denied.

Laying down the latex gauntlet, and taking a dog-eared chapter from a 1987 hacker's playbook, he strikes a meaty vein of SSN laden paydirt in the dumpsters of Radio Shack, a beauty school and a talent agency.

Having done of bit of professional dumpster diving myself, I laud the AG's efforts. Nothing increases a man's disposal awareness more than seeing a dude in a suit digging through garbage.

No doubt the most disturbing part of the story is the sample recovered receipt displayed on the AG's website. I mean, $99.97 for a 2 GB portable drive? With $17.99 for a 12 month warranty? Now that's obscene.

Illustration courtesy Speas.

Auditing Privacy Part 2 - Risk Assessment of Data Loss

2007-03-30T15:55:00.000-07:00

The easy way to assess privacy risks is to focus on the impact of data theft to the organization by including the private data as a corporate asset. There are well documented methods to identify the vulnerabilities in means of collecting, storing and sharing the data. Similarly, there are methods to identify and list the data's threats (hackers, "insiders," and negligent loss). The impacts will likely shake out along the lines of direct costs (postage, call center, other incident response costs), potential legal and regulatory actions and reputation damage. (For an example, Protegrity assessed the TJX data breach at $1.7 billion, though TJX was not strictly a privacy issues, it has parallels*).

This would be the easy way, but may not result in the most accurate results. The problem lies in identifying the impacts of a privacy breach. The attribute of “privacy” assigned to the data is what makes the data valuable, and worthy of protection. However, "privacy" is not an attributed that belongs to the corporation, but to the individual the data describes. So an assessment of risk to the corporation of privacy loss should start at looking at the impact of the loss to the individual.

Why do many corporations, when disclosing losses of tremendous amounts of data, appear to suffer only short term damage to their reputation. I posit that the potential damage to a corporation is proportional to the actual real damage to privacy of the individuals described in the lost damage. (See Guin v Brazos)

The real impact of a privacy incident on individuals has been hidden behind a cloud of security vendor fear mongering and media induced panic. The common problems with the data is equating data loss with a privacy breach. Identity theft properly defined is likely a higher impact, lower frequency event than is commonly reported.

The SB1386-style disclosure laws have been a boon to identifying the frequency of data loss, but the information that has to be disclosed does little to help identify the impact. An auditor concerned strictly with compliance would have to place equal risk to any loss of private data. But the auditor should take the risk assessment to the next step and focus on the individuals, identifying the risks that lead to actual harm to the privacy of individuals. Compliance risk is equivalent for the loss of a laptop carrying an encrypted database of private data and the same databases being heisted off a web server unencrypted by a criminal with the intent to exploit the identities. The real risk to the privacy of the individuals described in the database is clearly different.

Beyond the risk of a data loss, the auditor should also consider the equally important risks of the collection of private data and the dossier-ification of data. More on that later.

*Why the high risk to TJX? Though not strictly a privacy issue, the damages related are an issue of a loss to a third party - the banks - rather than TJX itself.

"Some would call this good fortune" from s2art

Impacted Molars II

2007-03-27T19:30:00.000-07:00

Occlusal
Panopticonistas Cyveillance say ID theft is so bad, we are all going to die. Seems like shutting down copyright scofflaws got a little too Web 1.0 for them, so they've unleashed their vicious crawling spiders on a search for contraband identities. And guess what they found out? EVERYBODY'S IDENTITY IS ALREADY PWN'D! Now that they've collected this data, I'm curious as to what are they going to do with all those credit card numbers, SSNs and mothers' maiden names. Did they help shut down the sites hosting the illicit data? Did they notify the victims? This sort of research is on an odd ethical footing. I hope they get it all sorted before they do their research on other forms of digital contraband.

Distal
California Secretary of State Debra Bowen kicks ass in the name of privacy for Californians. She gets privacy, and maybe even cares about the citizens of California. I wish she could impart some of her knowledge to the Texas county clerks.

Mandibular
CDT publishes their draft Privacy Principles for Identification. Seem pretty much like Fair Information Practices to me, which is not necessarily a bad thing.

Fake Teeth Resting on Image of Monk courtesy jsdart

Insider Threat Assessment

2007-03-26T18:36:00.000-07:00

Step one: Play a crappy new-agey cover of "All Along the Watchtower."

Panopticon Enabled Desktops Increase Productivity!

2007-03-22T15:51:00.000-07:00

From Dark Reading, the joys of workforce monitoring software with Ascentive!:

"We call it 'workforce activity management,'" says Schran. "Our latest edition provides all the insight necessary to eliminate time-wasting, increase productivity, and protect private company data."

Or, in the words of Ascentive's VP of Customer Relations Jeremy Bentham,

Morals reformed - health preserved - industry invigorated - instruction diffused - public burthens lightened - Economy seated, as it were, upon a rock - the gordian knot of Gramm Leach Bliley and Sarbanes-Oxley are not cut, but untied - all by a simple idea in Software Architecture!

Auditing Privacy Part 1 - Ethics and the Canon

2007-03-20T15:26:00.000-07:00

It would comfort many compliance auditors to discover the ultimate checklist and tear after their organization's privacy program, collecting tick marks and developing the dreaded deficiency finding. I say to them, "Google is your friend." For the more enlightened internal auditor, the first step in evaluating their organizations privacy practices should be a step back.

The Canon
There are best practices, and there are benchmarks. There are torts, laws, and rational fear of the irrational regulator. However, for most every auditable area there is also The Canon. Take a file to the gilded crust of Sarbanes-Oxley and the PCOAB (and all their works and all their ways), you eventually uncover the Generally Accepted Accounting Principles. Take a snowblower to the myriad layers of dust and ash of the Code of Federal Regulations. If you squint and hold your head just right, you'll see a vague outline of the Decalogue. And somewhere below ornate filigree and baroque ornamentation of HIPAA, Gramm Leach Bliley and SB1386 is the shape of the Fair Information Practices of the US Department of Health, Education and Welfare, 1973.

From the link above, here are the five practices of the modern privacy canon:

Collection limitation
Disclosure
Secondary usage
Record correction
Security

These five principles will be your mantra for your audit. They will guide your question and inform your issues. Advanced practitioners may chose from the following according to their path:

The 10 AICPA's Generally Accepted Privacy Principles

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

The Ethos
Like the Torah, the Sermons of Buddha, the Qur'an, the Gospels, or Fermat's Principle, a canon is only meaningful if applied. You must ask the CEO, the CIO, the Chief Marketeer, the General Counsel, and listen, and interpret their answers accordingly. Are the principles used as values to guide their decisions, obstacles to be worked around, or are they simply unknown? Read your corporate policies regarding privacy. Do you see in them evidence of the Fair Information Practices, or do they appear to be more oriented to a specific set of industry specific regulations? Interview the folks who handle the data. Do they treat the data with the care they would treat their own? The answers to these questions will begin to lead you to determining if your organization has the ethical basis for a privacy program.

What Does This Mean?
A compliance oriented organization may maintain reasonable concordance with Fair Information Practices without even knowing what they are. However, the organization may be reactive, and inefficient. The organization's privacy direction will be dictated by outside entities, rather than developed within.
A organization with a firm foundation in privacy practices, coupled with an ethic duty to privacy, will be more efficient, more effective, and retain a better reputation in the face of an incident.

I Am Not A Cop

2007-03-19T18:27:00.000-07:00

A couple posts on the role of internal audit in the information security controls of a company got me thinking.
First, Anton describes an auditor as "policing agent" model:

InfoSec develops controls.
Operations operationalizes them.
Audit goes around with a checklist to make sure they got done

Farnum at Computerworld comments, as does Rothman.

The issue I have with this model is that if what InfoSec develops are inadequate, they could still be well implemented. InfoSec should take ownership in the controls, and insure they are implemented and monitor their performance after they are implemented. When the auditor comes along, he or she should be looking not only at the implementation, but if the system as designed by InfoSec achieves the requisite goals of risk reduction acceptable to the board. Unlike the crime, systems development or drug prescription analogies, information security is an ongoing management process.

So I'm looking through rose colored glasses rather than my usual green eyeshade, but I'm not going to play Kavenaugh to bunch of Mackeys.

Repost Redux: Special SXSW Edition

2007-03-14T15:28:00.000-07:00

Having read a few additional commentaries, I began to think some more on two issues I posted about earlier.

Greg Abbott vs. The County Clerks
Mordaxus at Emergent Chaos says we need to chill, which made me wonder if there was less to this issue than I previously thought. The more I think of it, thought, the less appealing the whole mess appears. The clerks routinely sell the data in their charge to data brokers. The Open Records Act (Texas' FOIA) allows the clerks to charge for the records. By redacting the confidential parts, the data would be less attractive to the brokers, and the clerks revenue stream might dry up.
The clerks are digitizing and distributing information on the Internet beyond the scope of its original purpose, and counter to Texas law. I don't have a problem holding these folks accountable to the law and their duty as custodians of the data. I will be having a beer or three at SXSW, though, probably at the Yard Dog and at Woody's.

The Hacker vs. The Corporation
Both Emergent Chaos and ArsTechnica have things to say about the study I posted about yesterday. EC posted a link to the study, but after reading it, I don't think I've changed my mind. I am, in fact, more confused about the purpose of the study than before. The distinction between "hacker" and "corporate malfeasance" does not strike me as interesting as the distinction between "stolen" and "lost." The question for me as a consumer remains a question of risk. Am I more likely to suffer damage to my reputation or finances if my personal data is "lost" or if it is "hacked"? No doubt frequency is part of the equation, but so are the capabilities and intention of the threat.

Photo of the Casting Couch in action by me.

Charts 'n Graphs

2007-03-13T15:54:00.000-07:00

From Pogo, this article from Physorg on the classic Evil Hacker v. Evil Suit dilemma. From the article:

If Phil Howard’s calculations prove true, by year’s end the 2 billionth personal record – some American’s social-security or credit-card number, academic grades or medical history – will become compromised, and it’s corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year.

Goodness. This article seems to do more damage than good in increasing awareness of the privacy issue. The key bit of data that seems to be missing is the damage. More from the article:

Malicious intrusions by hackers make up a minority (31 percent) of 550 confirmed incidents between 1980 and 2006; 60 percent were attributable to organizational mismanagement such as missing or stolen hardware; the balance of 9 percent was due to unspecified breaches

So, how many fraudulent charges were made, fake IDs manufactured or reputations horribly disfigured by each category? The author of the study adds:

"And the surprising part is how much of those violations are organizationally prompted – they’re not about lone wolf hackers doing their thing with malicious intent."

So, would you rather Big Nameless Credit Card Company notify you:

A. that your name/credit card/SSN/date of birth were lost at an airport while stored on an encrypted laptop hard drive

OR

B. that Lone Wolf Hacker sniped your digits of their server (running unpatched IIS 2.0 on unpatched Win98)

Of course I can't prove that either scenario is inherently more dangerous for the consumer. I can just shake my angry fist at the data.

SSN Panic, Texas Style

2007-03-08T15:43:00.000-08:00

Here's the Computerworld run-down. And here's the Attorney General's letter (worth reading) and the proposed bill to change the law Texas HB 2061 so as all the county clerks don't get thrown in jail.

The AG letter says it in fourteen different ways NO, YOU CANNOT RELEASE SSNs, quoting an imperial raftload of laws, state and federal, why, and why you should even be asking the question. The clerks need to grab a big ol Sharpie and start their redactin'. Shut down your infonet tube, and stop selling your goods to some skanky information brokers from the desolate wasteland known as "Not Texas." Good on the OAG. Shame on collective elected doofi that are trying to find them an out.
I can only take solace in knowing the traditional efficiency and effectiveness of Our Lege.

This fiasco is an example of why privacy principles rather than mere compliance is important to an organization. Even if the Ft. Bend clerks were ignorant of the law, they reflected a disregard for the citizens they are charged to serve.

Learn to Play Sonic Reducer

2007-03-07T16:39:00.000-08:00

I was going to write about this article on Dark Reading, that includes this power-quote of insight and mind-blowitude:

"A lot of blogs now have become very big on the Internet," noted OSC Director Douglas Naquin in an interview with The Washington Times.

...but I figured my time (and yours) would be better spent learning to play "Sonic Reducer" with Cheetah Chrome.

E flat, C sharp, and lots of feedback.

Photo of Mr. Chrome from John Santanello

It's the Crime, Not the Tool

2007-03-06T14:51:00.000-08:00

Tim Wilson at Dark Reading on IT Security: The New Big Brother:

"To identify potential insider threats, IT must monitor end users' behavior by scanning email, tracking network activity, and even watching employees for "trigger" events that might cause disgruntlement. Right now, I'm working on a story about ways corporations might monitor their employees outside the workplace to determine whether their out-of-office conduct might cause data leaks."

This is how the TSA dealt with the "insider threat" (i.e., passengers) on airplanes. Like the TSA, Mr. Wilson's focus appears to be on the tools that commit the crime (box cutters, e-mail, 3 oz. containers of fluid, USB drives) rather than the crime itself. Schneier has harped on this non-stop since 9/11. The proposed regime of surveillance will result in myriad false positives and employees as happy as your average passenger who has to remove his shoes and toss his shampoo and nail clippers into the trash at the security checkpoint.

In addition, what qualifies your IT Security department to be skilled in identifying what is legitimate and what is suspicious? How many eyes does the CEO want looking at legitimate confidential traffic? This filtering and monitoring scheme seems to be increasing risk of exposure rather than decreasing it.

Part of the solution does not involve any IT at all. Supervisors supervise. Their job is to monitor the employee activities. Managers should insure this happens.

Another part is development of an ethical culture within the corporation, where people have a channel to report if someone is acting "hinky." Internal and external auditors and ethics officers play an important role in an ethical environment. All the monitoring software in the world couldn't have prevented Enron, but an internal auditor put a stop to it.

Privacy and Security Lessons from Criminal Enterprises: The Corner & PCI

2007-03-05T16:33:00.000-08:00

Either you have heard the stories, or encountered first hand the difficulty in convincing an organization's leaders to take adequate precautions to insure the privacy of identity related data, and maintain the integrity, confidentiality and availability of their information assets. Privacy and security have to be marketed to management since privacy and security are "non-functional" without a "ROI." As a last ditch effort, privacy and security can be pitched as a compliance effort; these activities must be performed to satisfy the requirements of an
independent, potentially hostile third party.

Nonetheless, criminal organizations, which by definition care not one whit about compliance, and have a vigorous appreciation of the bottom line, focus significant efforts on the privacy of personal data and the security of transactions and communications. For example the following story of touts, runners, ground stashes* and the electronic processing of credit cards.

The typical drug transaction occurs thusly:

Junkie finds slinger. Junkie's selection may be based on the Slinger's reputation, effectiveness of the Touts, past business practices or location.
Slinger takes order, collects cash from Junkie.
Slinger signals the order to a Runner.
Runner distributes product to Junkie, either from minimum amount on person, or collected from ground stash.
Junkie moves on to consume product.

So the slinger is the payment processor, and the merchant is the runner. Both will be held accountable for inventory, and separation of duties not only minimizes the compliance risk (i.e., being observed by law enforcement), but also provides an accounting control. The corner boy who put out the package knows that even if the slinger and the runner collude, the collusion will result in a wrong count at the end of the day.

So what part of this transaction is so hard for folks like TJX to understand? A couple items to consider:

Although the merchant may mitigate risk by gaining distance from the transaction (Verified by Visa, PayPal), the merchant is more interested in the customers than the Slinger is in the Junkies. The merchant and the processor want to keep all that secondary data and compile it, and convert it into cash. The Slinger wants only not to get burned by a counterfeit bill.

No one is responsible for the "count" on credit card transactions. Unlike the corner, the matching of goods, customer and payment is out of order in electronic commerce, with each party shirking responsibility for the transaction.

Each has to deal with impostors, though. The seller of baking soda is the "phisher" of the drug trade.

Next, yelling "5-0" as an intrusion detection mechanism.

*taken largely from Simon & Burns terrific book The Corner
or on most episodes of Simon's The Wire.

Impacted Molars: Insurance, Banks and Godzilla

2007-03-02T16:03:00.000-08:00

A Risk Management & Assessment Deathmatch

Gunnar Peterson's interpretation of Warren Buffet's risk management .

vs.

The Bank Lawyer's outstanding post on bank risk managers and regulators

vs.

Alex's Godzilla pandemic risk deflation.

One, but he gets 3 hours credit.

2007-03-01T16:59:00.000-08:00

The official TAMU account of a hack into their authentication system.

The Eagle has the most entertaining coverage of Aggie Hack 07.

"We learn from our mistakes," said Pierce Cantrell, vice president and
associate provost for information technology. "These are complicated
systems, and there is a huge learning curve. It's a computer
cat-and-mouse game in this business, and I think we do a really good
job handling account security."

Provost Cantrell is a member of Tom & Jerry school of threat assessment.
It's all about cheese and butcher knives and tails in light sockets. You get some soot on your face after the mouse hands you dynamite, sure, but what can you do? Despite what Tom may say, Jerry is really doing a heckuva job.

From the trenches comes another approach:

[Executive director of computing and information services] Putnam said
he's unsure why anyone would want to break into the university computer
system, but hackers try to test their limits and see how far they can
get into a secure system.

"You can speculate, but that's all you can do," he said. "It's like why
do you climb a mountain? Because it's there."

Director Putnam is more of the Edmund Hilary school of threat assessment. It's so effing ineffable why these meddling kids would want to monkey with the authentication mechanism of Aggie U, you are just spinning your wheels looking into it. To paraphrase Nigel Tufnel, some mysteries are better left unsolved.

The appropriate aggie joke is left as an exercise for the reader.

Privacy & Security Sing-a-long: Monster Hospital

2007-02-28T13:52:00.000-08:00

(Medical privacy sing-a-long with Metric)

Monster hospital, can you please release me?
You hold my hands down, I've been bad.
You hold my arms down, I've been bad.
I've been bad, I've been bad.
I fought the war but the war won't stop for the love of god.
I fought the war but the war won

(Watch the video)

Impacted Molars: Misguided Ninja Dudes and PCI Awareness

2007-02-26T15:54:00.000-08:00

MESIAL
Dark Reading continues its obsession with physical security:
Network dude rassels potential bad guy, followed by a stern warning on what a scary world it is out there, cause physical attacks hurt.
Forgive me if I'm out of line, but why would I hire a network security guy to dress up as a maintenance dude to steal a laptop out from under an executive? Especially since there are skilled investigators who could get a signed confession and all his passwords from just talking to the accused. I wouldn't going to hire an investigator to secure my network, and I shouldn't ask a network security guy to conduct fraud investigations. I'm not going to hire the network guy to run my HR department either.

LINGUAL
The Bank Lawyer celebrates PCI Awareness Month early, with his take on the TJX Incident. Nice run down of all the parties involved. His characterization of the consumer is incomplete:

The consumers' concern for nuance extends only to the following extent: "I see a sturdy live oak right over yonder. Let's get us a rope and hang him."

The consumer is likely to be distracted by a shiny object on the way to the noose dealership, since he or she has no loss. Credit card numbers are becoming more a disposable commodity, unlike SSNs, HDL levels or Sudafed consumption. Coming this summer: Retailers v. Credit Cards v. Banks Smackdown at the Legislative Arenadome.

Photo from Henrier.

Everyday Privacy and Security: The Drug Store

2007-02-25T17:25:00.000-08:00

After a conversation with a friend, I thought I'd cite some examples of how privacy and security impact day-to-day life. Here's the first in the series; though I admit, dissecting the CMEA would take more effort than I have time to fully understand. My ear is still ringing and Battlestar is on in 20 minutes.

The scenario:
Last week I went to see the doctor about my tendinitis and a persistent ringing in my right ear. I rarely go to the doctor, so you must take my word that these were annoying, persistent and painful condititions, resulting in grouchiness, restlessness, nonsensicalitude and Irritable Spouse Syndrome (ISS). I was processed through the HMO machine like a burger at Jack in the Box, with a shot of cortisone in my arm and an Rx for some OTC pseudo-ephedrine.

At Walgreens, I scan the aisles for Sudafed, a rare purchase since I'm not normally an allergy sufferer. I pick up a card for the store-branded Wal-Phed and head over to the pharmacy. The pharmacist asked for my drivers license. I show it to her, figuring it was an age requirement. She asks me to take it out of my wallet. I hand it to her, and she types my information into the cash register. She asks me to sign what looks like a receipt. What for? I'm paying cash. It's the law. It's for the Wal-Phed. So I pay her the $3.50 or so, grab the receipt, my license and leave.

What Just Happened Here:
An ingredient in the Wal-Phed is used to manufacture bathtub methamphetamines (speed/crank). To stem this scourge, the Combat Methamphetamine Epidemic Act (CMEA: part of the USA PATRIOT Act Reauthorization of 2005) placed additional controls on retail sale of ephedrine, pseudoephedrine, and phenylpropanolamine.
Consumers have to show ID and be tracked by retailers so they get just enough to take care of their stuffy nose, but not enough to start up a meth lab. The retailers have to protect the privacy of their congested customers according to the law, thusly:

C) PRIVACY PROTECTIONS.—In order to protect the privacy of individuals who purchase scheduled listed chemical products, the Attorney General shall by regulation establish restrictions on disclosure of information in logbooks under subparagraph (A)(iii). Such regulations shall— ‘‘(i) provide for the disclosure of the information as appropriate to the Attorney General and to State and local law enforcement agencies; and ‘‘(ii) prohibit accessing, using, or sharing information in the logbooks for any purpose other than to ensure compliance with this title or to facilitate a product recall to protect public health and safety.

The Data the Walgreens Now Has On Me:
Well, my name and my Texas Drivers License information (DOB, address, glasses wearer, motorcycle rider). According to the DEA website, I could also show my passport, or, if I were under 18, my report card. They also know that I bought Wal-Phed and paid cash.

What About the Data Now?
Good question. The CMEA states that the retailer has to keep it for 2 years. There is also a raft of conflicting state laws, some requiring the logbooks to be kept electronically. The retailers' association raises concerns regarding HIPAA, tracking consumer behavior (e.g., can Walgreens send me a coupon for Wal-Phed now?) and real-time tracking versus logbook maintenance. Ever since it went behind the counter, pseudoephedrine sales have decreased, so does it really matter anymore?

Everyday Privacy For Me?
Walgreens knows I ride a motorcycle because my ear rings.
This data for a cash transaction will be maintained for two years.
It may or may not be subject to any privacy rules, depending on when/if the DEA writes the regulation.
I may have no recourse if Walgreens decides to use the information in a way to which I haven't consented.
I may have no recourse if Walgreens loses, misplaces, or sells the information to unsavory third parties.

Infosecalypse Now

2007-02-22T15:54:00.000-08:00

A number of links in the chain:
Mr. Walsh asks Why We Fight?
Which spurs Mr. Hoffman's Nam flashback.
Bloginfosec says it's safe to surf this beach, so its safe to surf this beach.
Meanwhile, Charlie squats in the bush, everyday getting stronger, and the BS piles up so fast, you need wings to stay above it.

Me? I'm an errand boy sent by grocery clerks to collect the bill.

With The AM Radio On

2007-02-20T15:49:00.000-08:00

The imperial raftload of opinions on who really is the victim of credit card fraud, stemming from the Boston Globe article on the legislative reactions to the Stop and Shop Skimming Shenanigans, is centered around this quote as much as any:

"If this legislation passes, all retailers, all companies, and all
banks will know they'll be responsible for absorbing every cost
associated with a data breach."

Of course that quote doesn't make a whole lot of sense once you parse it, it just seems to be pluralizing the victims in a bizarre twist on bystanderism, i.e., if were just going to sit around and watch the crime happen, let's all be victims!

Most puzzling to me are the voices of the outraged merchants on the Slashdot thread, sounding too much like a hoodlum's fence pleading ignorance to the cops on the legal state of goods in his possession. The merchants are no doubt getting the shaft in the current credit card fraud scheme. They may not have the financial resources and high powered lobby as the banks and credit card outfits, but the merchants do have the capacity to do more to validate a transaction that to make sure the magnetic strip is functional. Are credit card transactions getting to the point were they need to be validated as vigorously as a personal check. Remember those?

I see a business opportunity here. Heck, I'm in love with the modern world and I'll be out all night.

No Ethics, No Guild, No Credibility

2007-02-18T13:17:00.000-08:00

An article in the hometown press on our great state's efforts to protect its citizens from crooked locksmiths and security guards with misdemeanors.

Like many state licensing agencies, such as those watching over doctors, electricians and architects, the Private Security Bureau checks the criminal backgrounds of applicants. But unlike virtually every other such agency, the bureau doesn't then evaluate whether applicants' past behavior has any relevance to their current work, how long ago the crime occurred or whether they have tried to rehabilitate themselves. Instead, applicants with a record sullied by most crimes above a traffic ticket are automatically rejected.

The result: Locksmiths and other professions regulated by the Private Security Bureau must have cleaner legal backgrounds than child care workers.

I also thought about the numerous unlicensed, unmonitored quasi-professionals that serve the security of consumers, businesses and government in the electronic rather than physical realm. Configuring a server, or setting up a home PC may grant access as lucrative as whatever a locksmith or security guard may obtain. Who configured the server for the accounting firm who does your taxes? Is the guy from Geek Squad who just serviced your computer a part-time carder? (I tried to see if there are any ethical or background requirements to become a member of the Geek Squad, but my mind boggled at their Ranks and Titles page. It's the Masons meets Homeland Security. I'd wager their pee is clear of non-approved substances, though.)

I'm not calling on the State of Texas to regulate this issue, but ethics and compliance with ethics doesn't seem a priority for the ISC2 and the CISSP designation, a point made eloquently elsewhere. I have more thoughts on how the CISSP could be salvaged, but I'll make them later.

photo by Monceau

Too important to be left to the generals

2007-02-16T15:43:00.000-08:00

Interesting discussion on the secret language of security.

Which shovetails nicely into a panel discussion I saw yesterday. An assortment of CSOs and a Forrester analyst discussed the future of security. Essentially all the tech stuff is being outsourced, and the head of security is being molded into a Risk Officer. I can infer from this that the tech stuff (firewalls, antivirus, and the three letter acronyms) can scale. But the risk cannot. Risk is corporation's own, to be honed, polished and cherished like a treasured logo that no can quite figure out what it means. Risk is the new black, a point made elsewhere, and with more vigor.

One of the CSOs also mentioned that privacy will be shoved aside as a compliance thing, over with the lawyers. I stifled my desire to spring up and shout "HERESY!" for fear that it would awake my CEU seeking comrades from their deep and well deserved slumber.

The Plural of Anecdote is Boring

2007-02-15T16:05:00.000-08:00

Dark Reading has an article on identifying the insider threat, although it seems to be more focused on how to spot a bad employee. The article, which seems to be anecdote-based information from Rob Enderle and RSnake, lists the top ten warning signs that you may have a bad employee, or, as they term it, an "insider."

Sure, the insider threat may be a subset of the bad employee, but these ten warning signs don't seem to indicate anything else. The IP thief is not the same as the disgruntled vandal is not the same as the black market carder. The article conflates all these threats, and winds up with recommendations so broad as to be meaningless. For example:

Excessive absences

Well, this is bad employee behavior. But an employee who is about to leave is no less damaging a threat than an employee who has an ongoing scheme that requires constant maintenance. The classic anti-fraud control of requiring an employee to take vacation seems to run counter to the cited behavior. Is the dude taking extra sick days as dangerous as the dude who routinely funnels dozens of credit card numbers or SSNs to his buddy on CarderPlanet but keeps a low profile?

Unusual behavior / Office romance gone bad

Bad stuff, but is there really a high enough incident rate to justify it as a "red flag" for a potential bad guy? If not, this advice seems to confuse as much as clarify.

Employee is terminated / Employee resigns

I believe the employee would be participating in the "outsider threat" at that point.

The real meaty threats and red flags associated with them are a bit more nuanced, and have been hashed out in the fraud investigation field for years. Computer crime is just crime. Vandals are vandals. The computer security industry seems to be genuinely befuddled when encountering a threat that doesn't have a 8P8C modular connector jack.

Image from oronzo.

Bystanders and Heroes

2007-02-13T15:43:00.000-08:00

From the Chronicle of Higher Ed comes this link to The Banality of Heroism. It's worth reading, as are a couple other articles that are part of the Greater Good, which I was heretofore unaware.

Some basic questions in the article (co-authored by one of the researchers behind the Stanford Prison Experiment) can be applied to the corporate realm.

This article on the bystander syndrome is also worth reading. If resistance to the bystander syndrome can be learned, it should be part of training for every auditor.

Privacy raised to level of Terrorism, Drugs

2007-02-12T15:57:00.000-08:00

This bit from my hometown paper, written by ace real estate appraiser David Lewis, uses privacy, identity theft and terrorism to support his objection to a law requiring disclosure of the amount of real estate transactions. In some ways,

The proposed law is also dangerous. This is the era of terrorism and identity theft. Even the individual investors who make a $1 million or less on a property sale can become targets.

When these sales prices are reported, the information won't become dusty trivia hidden away in the basement of a rural courthouse. The prices will be on the Internet, easily accessible from anywhere in the world. Texans will be exposed. Should the elderly widow have her real estate wealth advertised to crooks and con artists? If we lift the veil on real estate sales prices, we will open the door of opportunity to the criminal element who will misuse this information. These incidences may be rare, but even one tragic case is too many.

According to Mr. Lewis' byline, he was a founding board member of the Harris County Appraisal District. Check out the website. I remember when they used to have sketches of the houses, they aren't there anymore. According to the website disclaimer:

Texas law prevents us from displaying residential sketches on our website. You can see the sketch or get a copy at HCAD's information center at 13013 NW Freeway.

Although hoisting his argument on the image of an elderly Texas widow being robbed of her ranch then being bombed by terrorists is naked fear mongering, there is some point to be made here. As Texas law has acknowledged, there is different level of privacy between public records available on the Internet, and public records you can only get by waltzing into an office and get face to face with a human, J. J. Gittes style.

I don't give a damn about my bad reputation

2007-02-09T15:36:00.000-08:00

No. No. Not me.

I was meditating on reputation risk the other day, and behold, the Daily Dave belches forth the documents I sought. (I remembered something on Emergent Chaos on this topic, but hadn't dug deep enough into their archives.)
The study I remembered and cited by Adam Shostack was "Is There a Cost to Privacy Breachs? An Event Study."

The salient quote:

"[Privacy breach] impact is statistically significant and negative, although it is
short-lived."

Which is supported by anecdote (check out the TJX stock price).

So how do you convince your management to follow privacy principles? Appeal to the better angels of their nature? Start eavesdropping and pretexting them and see how they like it? (HP probably did as much good as the CDT, EFF or ACLU as far as advancing the privacy agenda in Congress).

I'm guessing the shift, as a result of the "privacy fatigue" and the "identity theft fatigue" should be to the high risk transactions, that expose the data's subject to verifiable risks, not just the lost computer tape or missing laptop. But I need data to support that, dagnabit. Else:

An' everyone can say what they wanna say, it never gets better anyway.

Stupid, powerless, uneducated.

2007-02-08T15:43:00.000-08:00

Infoworld on a session at RSA: The Cybercrime Blame Game.
Although a conference center ballroom may not be conducive to rational discourse (see: US Political Party Conventions), this discussion appears a bit over the top:

More people complaining about identity theft does not necessarily mean there is more identity theft. I'm sure there was a dramatic increase in complaints about anthrax without a corresponding increase in anthrax attacks. (See the corresponding stat later in the article citing an 11.5% decrease in dollar losses due to identity theft.)

FTC Gorman is right: Calling people stupid doesn't solve anything. I've never been a fan of Winkler's ideas nor his rhetorical method.

The job of an ISP is to move packets, not to sit in loco parentis for everyone with a broadband connection. (Why was this applauded? Were all the NANOG guys still in Toronto?)

What makes an empowered consumer is not education, but power. Give the consumer the right and responsibility to take care of their own data. Not the credit bureau, federal law enforcement, the ISPs or Wal-Mart. The consumer. Build an infrastructure around that idea. The consumer isn't stupid, he just doesn't care and when he does care, he has no standing. Maybe the empowered consumer idea is just too European.

Safe Internet Day

2007-02-06T15:42:00.000-08:00

I find few concepts as boring as "Safe Internet Day." Except maybe "Is Open Source as Secure as Closed Source?" I mean good grief. If it weren't for my incredibly uncomfortable shoes digging trenches into my Achilles tendon, I would have fallen asleep just thinking about writing the above sentence.

How about a pretty chart and a map with like scans and stuff on it?

Still pretty boring.

To hold off the stultification, I've decided to rename the blog. Also, there are other blogs out there about being alone, or cheese, or being alone with cheese, that I feel would dilute my burgeoning brand. And maybe not everyone gets the Omar reference.

So the new name will be:

"Another Set of Teeth" - from "Teeth" by the Mekons

What, no, not another set of teeth
each crisis bites, but not so deep.
What, no, not another set of teeth
And through the shadows we always creep.

I think "through the shadows we always creep" is part of the CISSP Code of Ethics, but I'd have to look it up.

Testing the User or Phunk'd

2007-02-05T15:43:00.000-08:00

The Harvard/MIT study of Bank of America's web site security, including SiteKey system and SSL certificate verification (see New York Times and Slashdot), tackles the problem of real users using real websites to see how they respond to the authentication protocols. The security, for the most part, failed the users, with the researchers citing difficulties in testing the usability of these controls.

Slashdot comments, as expected, complain about the intractability of the Trainables in their charge, diminishing the argument to "Users == Lusers."

I couldn't find a fleshy threat model in the study's methodology. The subjects (recruited from Harvard Yard) were asked to log on to the bank's legitimate website on a university computer under the guise of testing usability. Meanwhile, the researchers played pranks on their browsers, causing it to display incorrect information regarding SiteKey and SSL certificates. It seems to me that the researchers were solving for a very narrow set of threats, primarily a man-in-the-middle or a DNS spoofing attack. My understanding of published incidents is that phishing generally originates with a convincingly deceptive e-mail containing a link to a phony banking site, or through a keystroke logger. A more interesting question for me would be "Would the users pay more attention to the security clues if they were following an e-mail link?" The common credential collection trojan appears to be outside the scope of the research.

Since Harvard students should probably pride themselves on not being representative of the populace as a whole, I can't see that there's a tremendous amount that can be taken from this research. The approach seems more like an episode of "Punk'd" (even though I've never watched it) or "Candid Camera" (which I have) or the Jim Coyle/Mel Sharpe stuff (which I love, but no link! I'm shocked!). Is there a difference between a drawing a valid audit (or research) conclusion and just giving a Muntz-esque "Ha Ha" followed by a "Stop hitting yourself"?

Harry Potter and the Hacking the 1098

2007-01-31T16:05:00.000-08:00

A couple brief notes.
From Pogo Was Right, a link to the Boston Globe op-ed on privacy, security and Harry Potter hackers. The nut of the argument of Mr. Peters, CISSP:

People take to the streets to protest the Patriot Act or the search of phone records even though the payoff may be stopping a terrorist. But the same people freely give their phone number or address to a checkout clerk when the only payoff is an abundance of junk marketing.

I remember hearing a guy named Maple quote an IBM study stating the Americans love their privacy, but will trade it away for a fifty cent off coupon. That was 1998, and I don't think much has changed.

I'm not quite ready to give up on the power of consumer, but this chart is the most distressing for me. The consumer doesn't matter if the shareholder get his bit.

And I was flattered that the Periodical of Record for Road Racing in North America picked up my post on the Ducati laptop lost and found. I should let Ducati know that I'd be happy to test the security of the USB Ducati Data Analysis on the 1098S just to make it is, you know, compliant with EU Privacy Directive. Maybe hook it up with some 802.11n and turn the 1098 into the only Desmo driven war driving device.

Kim Possible vs. The TSA

2007-01-30T15:33:00.000-08:00

or the Mysterious Case of Kim and the Rights of Parking.
Briefly put, a City Council member wants to meet and greet visiting dignitaries at the airport gate, not at baggage claim. The memo that came with her special airport free parking badge (sweet!) appears to confer this privilege. Councilwoman Kim figured (not unreasonably, looking at the memo linked on the Statesman site), that the parking badge was like a home generated Northwest Airlines boarding pass.

But the memo was outdated, and caprice of the TSA being as it is, the offer of gateside greetings had expired. Kerfluffle (or a dust-up, maybe) ensues. City Manager sorts things out.

Personally, I think free airport parking is a pretty good perk in itself, especially if it's in the covered garage rather than in lot F (also known as Rosanky). And Austin Bergstrom beyond the security checkpoint is a not a bad destination with live music and good bar-b-q. (I've had friends who've had gigs there, but none of the regulars showed up. Go figure.) All reasonable folks know that security should be checked at the gate, so you don't have a race condition between check-in and boarding. Unfortunately, the set of TSA policy makers is not a subset of reasonable folks.

Not All Lost Laptop Stories Are Bad

2007-01-29T15:49:00.000-08:00

The lost laptop story has become tiresome. Some individual, proving themselves to be careless, or even just human, loses a laptop with some sort of confidential information. SB1386 has made this the most banal folk tale of the 2000s.

Fortunately, after perusing the results of the MotoGP tests in Jerez, I read the Roadracing World's version of the lost laptop story. Four cats from DC head out early to the Laguna Seca track on the Wednesday before the big MotoGP race. They find a carry-on piece of luggage, which contained a passport, tickets, MotoGP credentials and (yes) a laptop containing precious Ducati Corse data. So, instead of heading over to Repsol Honda, or eBay, these gentlemen returned the baggage to the Corse engineer it belonged. In return, the Ducati folks treat them like royalty throughout that weekend, and invite them to the season closer at Valencia. Hanging out with umbrella girls, scooter rides with Randy Mamola, asking Garry McCoy where it hurts, watching Nicky Hayden win the championship, all worthy activities paid in gratitude from Ducati.

Admittedly, Ducati Corse is cooler than the Department of Veterans Affairs or Wells Fargo will ever be. But if people knew that they could go on a scooter ride with Randy Mamola if they returned laptops loaded with trade secrets or personally identifiably information, our privacy problems here would soon be over.

Steve McQueen's Credit Card

2007-01-26T15:30:00.000-08:00

The Bonham & Butterfield auction of Steve McQueen's motor related ephemera included his credit card. According to February's Sports Car Market, the unsigned Wells Fargo MasterCharge (exp 07/80) was purchased for $9,945. (some coverage here of the auction).

According to this Tao Security link, you can get a better deal on credit cards on IRC.

Shake Hands With Danger

2007-01-25T15:30:00.000-08:00

or the Mysterious Case of the Substitute Teacher and the Depraved Pop Ups. Krebs has the details, more or less. And some comments. Lotsa comments.
I am of several minds on this incident.

The Forensics
Network Performance Daily has a couple of CSI:Connecticut posts the about the forensic evidence from folks who have seen it.
The Defense - The few details included don't support forensic discipline. The statement "[d]uring the copy process we received several "Security Alerts!" from our antivirus program" appears to indicate that the forensic data was being copied (not imaged) over to a general purpose computer (that runs antivirus). Generally, forensics is done off an image mounted as read-only. Copied files don't have much in the way of chain of custody, and copying data can change some of its properties.
The Prosecution - This post is just unreadable. I can't tell what's going on, but that the cop may have used a forensic program to examine the data.

Whatever
I mean, whatever. The forensic evidence doesn't really establish who was at the keyboard when the nasty images came up. Could have been seventh graders, could have been the teacher. The teacher didn't shut off the computer (or even turn off the monitor) when she left the room, though. I mean, in the words of G.O.B. "COME ON!"

So Shake Hands With Danger
When you log on to the Internet, you shake hands with danger. Computers are dangerous. If you aren't checked out on the equipment, you shouldn't operate it! You could be a danger to yourself and those around you. Don't end up like Three Fingered Joe!