Author Archive for adam


Lies, Damned Lies and Inappropriate Baselines

Thomas Ricks wrote a blog on Foreign Policy titled “Another reason to support Obamacare.” In it, he cited a Stars & Stripes report that one out of five veterans under the age of 24 is out of work.

However, Stars and Stripes compares total unemployment to 18-24 male vet unemployment. It took me less than 5 minutes to find the Bureau of Labor Statistics “Employment Situation of Veterans Summary” which states that “Young male veterans (those ages 18 to 24) who served during Gulf War era II had an unemployment rate of 21.6 percent in 2009, not statistically different from the jobless rate of young male nonveterans (19.1 percent)” and “Male veterans age 18 to 24 were more likely to participate in the labor force in 2009 than were their nonveteran counterparts–79.1 percent versus 69.1 percent.” (Emphasis added.)

The only element where veteran unemployment seems statistically worse is recently separated veterans, at 14.7%. However, they’re entering the worst labor market in decades, and there’s fierce competition for every job.

I expect better of the mainstream media, which is evidence that I’m not a Bayesian.

Failure to Notify Leads to Liability in Germany

…a Bad Homburg business man won millions in damages in a suit against the [Liechtenstein] bank for failing to reveal that his information was stolen along with hundreds of other account holders and sold to German authorities for a criminal investigation. He argued that if the bank had informed those on the list that their data had been sold, they could have turned themselves in, receiving temporary amnesty and much lower fines. (“Taxman rakes in hundreds of millions thanks to stolen bank data“, TheLocal.de)

The decision was by the Liechtenstein high court. If anyone knows the details of the case (what duty was violated), I’d appreciate knowing more. Was it a violation of Liechtenstein bank secrecy law, or a general duty to disclose?


Via the web hacking incident database and “German Government Pays Hacker For Stolen Bank Account Data” at TacticalWebAppSec.

Source, Data or Methodology: Pick at least one

In the “things you don’t want said of your work” department, Ars Technica finds these gems in a GAO report:

This estimate was contained in a 2002 FBI press release, but FBI officials told us that it has no record of source data or methodology for generating the estimate and that it cannot be corroborated…when we contacted FTC officials to substantiate the estimate, they were unable to locate any record or source of this estimate within its reports or archives, and officials could not recall the agency ever developing or using this estimate.(“US government finally admits most piracy estimates are bogus,” Ars Technica)

Of course, no one in information security would ever do such a thing.

Going Dutch: Time for a Breach Notification Law

The European Digital Rights Initiative mentions that “Bits of Freedom starts campaign for data breach notification law:”

A data breach notification obligation on telecom providers is already to be implemented on the basis of the ePrivacy Directive, but Bits of Freedom insisted that this obligation should be extended also to other corporations and organisations. It drafted an extensive position paper, including a concrete proposal for amending the Dutch Data Protection Act. Simultaneously, it announced the launch of a “black paper” keeping track of all data breaches in The Netherlands.

If anyone has English translations or summaries, please let me know. I do hope that Bits of Freedom understands the broader context of how good data about breaches can help us overcome so many problems in information security.

The New School on Lady Ada Day

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science.

For Lady Ada Day, Andrew and I want to thank Jessica Goldstein, our editor at Addison Wesley. Without her encouragement, feedback and championing, we never would have published the New School.

The first proposal we did was for a book to be called “Security Decisions.” Jessica rejected it, and gave us clear reasons why. We pretended to pay attention and re-submitted the same proposal with a new title and a coat of paint. She bought it, and somewhere along the way, we realized she was right. We then wrote the book that inspired this blog.

Thank you, Jessica.

Counterpoint: There is demand for security innovation

Over in the Securosis blog, Rich Mogull wrote a post “There is No Market for Security Innovation.”

Rich is right that there’s currently no market, but that doesn’t mean there’s no demand. I think there are a couple of inhibitors to the market, but the key one is that transaction costs are kept high by a lack of data about outcomes. Every one of the startups selling you a product will claim that it blocks “APT” and “Data loss,” but none of them have compelling data about efficacy. None of us have great, broad data about what problems lead to breaches, and none of us have data about which products effectively prevent those problems. None of us have data about how often the products are deployed and managed effectively.

So when the salespeople come in with their “$204 per record” and compliance demands and all the rest, there’s no good way to distinguish between them, and as a result, the market is a slog for both real innovation and snake-oil.

If someone could innovate to address these problems, say by collecting and analyzing data about what really happens inside a company, they might have a business.

More broadly, for a market to function, there needs to be supply which exists in plenty, and demand, which exists, and a way to link them. And there’s the chasm.

I’ll also point out that we discussed innovation a bit on pages 126-127 of The New School, where we opine that much security needs to be integrated into your infrastructure and thus will be purchased from larger vendors.

I look forward to merging your unique visibility into my own

In “White House Cyber Czar: ‘There Is No Cyberwar’,” Ryan Singel writes:

As for his priorities, Schmidt says education, information sharing and better defense systems rank high.

That includes efforts to train more security professionals and have the government share more information with the private sector — including the NSA’s defensive side.

“One thing we are looking at is how do we make sure that the private sector has the information it needs from the government,” Schmidt said, referring to what he called “some of the unique visibility the government has from the attacks on our systems.”

An excellent idea, if I do say so myself.

Lessons from Robert Maley’s Dismissal

A bit over a week ago, it came out that “Pennsylvania fires CISO over RSA talk.” Yesterday Jaikumar Vijayan continued his coverage with an interview, “Fired CISO says his comments never put Penn.’s data at risk.”

Now, before I get into the lessons here, I want to point out that Maley is the sort of enthusiastic guy who used vacation time to speak at RSA. If you’re looking for a CSO or a leader, you should get in touch.


I think there are two important things to notice here. First, when you’re specifically asked not to speak, don’t speak: “I was specifically asked not to talk about anything in Pennsylvania without explicit permission and to have everything that I would say to be completely reviewed before I said it.” Regular readers know this pains me as an advocate of openness. However, it’s not your data, it’s your employer’s data. Treat it with discretion.

The second, and more interesting, thing is that the firing is news. Things that happen regularly are only news on the Weather Channel. So can we jump to “someone getting fired for speaking up is actually rare”? Job loss is one of the more challenging questions that I regularly hear. It’s scary, doubly so in today’s fiscal climate. Firing is personal. And we don’t really know how often it happens. A lot of the anecdotes are simply inaccurate. Getting data involves a lot of manual effort and the accuracy is low. I’ve done some of it, digging into web sites and archive.org, looking at profiles on LinkedIn, and seen very little evidence that breaches or breach disclosures lead to firings.

I can see three somewhat distinct hypotheses here:

  1. Firings are rare, and thus news
  2. Firings of executives are rare, and thus news
  3. Firings are usually covered up, and thus when they’re not, it’s news

Note that 2 (execs) is strictly a subset of 1 (all firings), and thus less likely as an overall explanation, but firing rates probably differ for execs and staff.


It would be great to have data to help us distinguish, but for now, I consider advocating for #1 a best practice.

National Broadband Plan & Data Sharing

I know that reading the new 376 page US “National Broadband Plan” is high on all your priority lists, but section 14 actually has some interesting New School bits. In particular:

Recommendation 14.9: The Executive Branch, in collaboration with relevant regulatory authorities, should develop machine-readable repositories of actionable real-time information concerning cybersecurity threats in a process led by the White House Cybersecurity Coordinator.

This is a pretty clear step forward. It will be a much bigger step forward if the data shared includes evidence of the effectiveness of defensive steps. Without such evidence, budget and authority are unlikely to flow; therefore, actionability requires such evidence.

Also interesting is section 14.10:

Due to the diffuse nature of cyberattacks, sharing of information is critical when responding to, mounting sufficient defenses against and remediating attacks. However, businesses are often reluctant to share information, either with other private sector entities or the government, due to worries about the potential disclosure of such an attack and related concerns about corporate liability, despite the fact that the resources necessary to successfully respond often exceed those of individual private sector organizations…To ensure that this occurs, protocols and incentives should be developed for the sharing of cybersecurity information, threats and incidents in a non-attributable manner. [Emphasis added]

I think this is a pretty big win in a couple of ways. 14.10 is most interesting because we’ve moved from need to share to discussions of what the blockers are. The use of the term “non-attributable” is a move forward from the typical “anonymous.” I’d prefer to see a strategy that called for protocols and incentives to overcome the problems and concerns, giving us more room for innovation and experimentation.

Is the strategy a silver bullet for information security? No, obviously not. On the other hand, these elements are (as far as I know) new in Federal strategies or plans.

Thanks to Brent Rowe for the pointer.

Elsewhere in the New School department

Dennis Fisher wrote “Why Bob Maley’s Firing is Bad for All of Us:”

The news that Pennsylvania CISO Bob Maley lost his job for publicly discussing a security incident at last week’s RSA Conference really shouldn’t come as a surprise, but it does. Even for a government agency, this kind of lack of understanding of what actually matters is appalling and it is a glaring example of the sickness of secrecy that’s infected far too much of the security community.

and Adrian Lane wrote “FireStarter: IP Breach Disclosure, No-Way, No-How:”

On Monday March 1st, the Experienced Security Professionals Program (ESPP) was held at the RSA conference, gathering 100+ practitioners to discuss and debate a few topics… As could be expected, the issue of breach disclosure came up, and of course several corporate representatives pulled out the tired argument of “protecting their company” as their reason to not disclose breaches. The FBI and US Department of Justice representatives on the panel referenced several examples where public firms have gone so far as to file an injunction against the FBI and other federal entities to stop investigating breaches. Yes, you read that correctly. Companies sued to stop the FBI from investigating.

If we had a stamp of approval, I’d be stamping both of these posts. But as is, I’ll just point at them and say “stop what you’re doin’, cause they’re about to ruin it.”