Conference Etiquette: What’s New?

So Bill Brenner has a great article on “How to survive security conferences: 4 tips for the socially anxious
.” I’d like to stand by my 2010 guide to “Black Hat Best Practices,” and augment it with something new: a word on etiquette.

Etiquette is not about what fork you use (start from the outside, work in), or an excuse to make you uncomfortable because you forgot to call the Duke “Your Grace.” It’s a system of tools to help otherwise awkward social interactions go more smoothly.

We all meet a lot of people at these conferences, and there’s some truth behind the stereotype that people in technology are bad at “the people skills.” Sometimes, when we see someone, there will be recognition, but the name and full context doesn’t come rushing back. That’s an awkward moment, and it’s worth thinking about the etiquette involved.

When you know you’ve met someone and can’t recall the details, it’s rude to say “remind me who you are,” and so people will do a bunch of things to politely encourage reminders. For example, they’ll say “what’s new” or “what have you been working on lately?” Answers like “nothing new” or “same old stuff” are not helpful to the person who asked. This is an invitation to talk about your work. Even if you haven’t done anything new that’s ready to talk about, you can say something like “I’m still exploring the implications of the work I did on X” or “I’ve wrapped up my project on Y, and I’m looking for a new thing to go frozzle.” If all your work is secret, you can say “Oh, still at DoD, doing stuff for Uncle Sam.”

Whatever your answer will be, it should include something to help people remember who you are.

Why not give it a try this RSA?

BTW, you can get the best list of RSA parties where you can yell your answers to such questions at “RSA Parties Calendar.”

Boyd Video: Patterns of Conflict

John Boyd’s ideas have had a deep impact on the world. He created the concept of the OODA Loop, and talked about the importance of speed (“getting inside your opponent’s loop”) and orientation, and how we determine what’s important.

A lot of people who know about the work of John Boyd also know that he rarely took the time to write. His work was constantly evolving, and for many years, the work existed as scanned photocopies of acetate presentation slides.

In 2005, Robert Coram published a book (which I reviewed here and in that review, I said:

His writings are there to support a presentation; many of them don’t stand well on their own. Other writers present his ideas better than he did. But they don’t think with the intensity, creativity, or rigor that he brought to his work.

I wasn’t aware that there was video of him presenting, but Jasonmbro has uploaded approximately 5 hours of Boyd presenting his Patterns of Conflict briefing. The audio is not great, but it’s not unusable. There’s an easy to read version of that slide collection here. (Those slides are a little later than the video, and so may not line up perfectly.)

An Infosec lesson from the “Worst Play Call Ever”

It didn’t take long for the Seahawk’s game-losing pass to get a label.

But as Ed Felten explains, there’s actually some logic to it, and one of his commenters (Chris) points out that Marshawn Lynch scored in only one of his 5 runs from the one yard line this season. So, perhaps in a game in which the Patriots had no interceptions, it was worth the extra play before the clock ran out.

We can all see the outcome, and we judge, post-facto, the decision on that.

Worst play call ever

In security, we almost never see an outcome so closely tied to a decision. As Jay Jacobs has pointed out, we live in a wicked environment. Unfortunately, we’re quick to snap to judgement when we see a bad outcome. That makes learning harder. Also, we don’t usually get a chance to see the logic behind a play and assess it.

If only we had a way to shorten those feedback loops, then maybe we could assess what the worst play call in infosec might be.

And in fact, despite my use of snarky linkage, I don’t think we know enough to judge Sony or ChoicePoint. The decisions made by Spaltro at Sony are not unusual. We hear them all the time in security. The outcome at Sony is highly visible, but is it the norm, or is it an outlier? I don’t think we know enough to know the answer.

Hindsight is 20/20 in football. It’s easy to focus in on a single decision. But the lesson from Moneyball, and the lesson from Pete Carroll is Really, with no second thoughts or hesitation in that at all.” He has a system, and it got the Seahawks to the very final seconds of the game. And then.

One day, we’ll be able to tell management “our systems worked, and we hit really bad luck.”

[Please keep comments civil, like you always do here.]

The Unexpected Meanings of Facebook Privacy Disclaimers

Paul Gowder has an interesting post over at Prawfblog, “In Defense of Facebook Copyright Disclaimer Status Updates (!!!).” He presents the facts:

…People then decide that, hey, goose, gander, if Facebook can unilaterally change the terms of our agreement by presenting new ones where, theoretically, a user might see them, then a user can unilaterally change the terms of our agreement by presenting new ones where, theoretically, some responsible party in Facebook might see them. Accordingly, they post Facebook statuses declaring that they reserve all kinds of rights in the content they post to Facebook, and expressly denying that Facebook acquires any rights to that content by virtue of that posting.

Before commenting on his analysis, which is worth reading in full, there’s an important takeaway, which is that even on Facebook, and even with Facebook’s investment in making their privacy controls more usable, people want more privacy while they’re using Facebook. Is that everyone? No, but it’s enough for the phenomenon of people posting these notices to get noticed.

His analysis instead goes to what we can learn about how people see the law:

To the contrary, I think the Facebook status-updaters reflect both cause for hope and cause for worry about our legal system. The cause for worry is that the system does seem to present itself as magic words. The Facebook status updates, like the protests of the sovereign citizens (but much more mainstream), seem to me to reflect a serious alienation of the public from the law, in which the law isn’t rational, or a reflection of our collective values and ideas about how we ought to treat one another and organize our civic life. Instead, it’s weaponized ritual, a set of pieces of magic paper or bits on a computer screen, administered by a captured priesthood, which the powerful can use to exercise that power over others. With mere words, unhinged from any semblance of autonomy or agreement, Facebook can (the status-updaters perceive) whisk away your property and your private information. This is of a kind with the sort of alienation that I worried about over the last few posts, but in the civil rather than the criminal context: the perception that the law is something done to one, rather than something one does with others as an autonomous agent as well as a democratic citizen. Whether this appears in the form of one-sided boilerplate contracts or petty police harassment, it’s still potentially alienating, and, for that reason, troubling.

This is spot-on. Let me extend it. These “weaponized rituals” are not just at the level of the law. Our institutions are developing anti-bodies to unscripted or difficult to categorize human participation, because engaging with human participation is expensive to deliver and inconvenient to the organization. We see this in the increasingly ritualized engagement with the courts. Despite regular attempts to make courts operate in plain English, it becomes a headline when “Prisoner wins Supreme Court case after submitting handwritten petition.” (Yes, the guy’s apparently otherwise a jerk, serving a life sentence.) Comments to government agencies are now expected to follow a form (and regular commenters learn to follow it, lest their comments engage the organizational anti-bodies on procedural grounds). When John Oliver suggested writing to the FCC, its systems crashed and they had to extend the deadline. Submitting Freedom of Information requests to governments, originally meant to increase transparency and engagement, has become so scripted that there are web sites to track your requests and departmental failures to comply with the statuatory timelines. We have come to accept that our legislators and regulators are looking out for themselves, and no longer ask them to focus on societal good. We are pleasantly surprised when they pay more than lip service to anything beyond their agency’s remit. In such a world, is it any surprise that most people don’t bother to vote?

Such problems are not limited to the law. We no longer talk to the man in the gray flannel suit, we talk to someone reading from a script he wrote. Our interactions with organizations are fenceposted by vague references to “policy.” Telephone script-readers are so irksome to deal with that we all put off making calls, because we know that even asking for a supervisor barely helps. (This underlies why rage-tweeting can actually help cut red tape; it summons a different department to try to work your way through a problem created by intra-organizational shuffling of costs.) Sometimes the references to policy are not vague, but precise, and the precision itself is a cost-shifting ritual. By demanding a form that’s convenient to itself, an organization can simultaneously call for engagement while making that engagement expensive and frustrating. When engaging requires understanding the the system as well as those who are immersed in it, engagement is discouraged. We can see this at Wikipedia, for example, discussed in a blog post like “The Closed, Unfriendly World of Wikipedia.” Wikipedia has evolved a system for managing disputes, and that system is ritualized. Danny Sullivan doesn’t understand why they want him to jump through hoops and express himself in the way that makes it easy for them to process.

Such ritualized forms of engagement display commitment to the organization. This can inform our understanding of how social engineers work. Much of their success at impersonating employees comes from being fluid in the use of a victim’s jargon, and in the 90s, much of what was published in 2600 was lists of Ma Bell’s acronyms or descriptions of operating procedures. People believe that only an employee would bother to learn such things, and so learning such things acts as an authenticator in ways that infuriate technical system designers.

What Gowder calls rituals can also be viewed as protocols (or protocol messages). They are the formalized, algorithm friendly, state-machine altering messages, and thus we’ll see more of them.

Such growth makes systems brittle, as they focus on processing those messages and not others. Brittle systems break in chaotic and often ugly ways.

So let me leave this with a question: how can we design systems which scale without becoming brittle, and also allow for empathy?

IOS Subject Key Identifier?

I’m having a problem where the “key identifier” displayed on my ios device does not match the key fingerprint on my server. In particular, I run:

% openssl x509 -in keyfile.pem -fingerprint -sha1

and I get a 20 byte hash. I also have a 20 byte hash in my phone, but it is not that hash value. I am left wondering if this is a crypto usability fail, or an attack.

Should I expect the output of that openssl invocation to match certificate details on IOS, or is that a different hash? What options to openssl should produce the result I see on my phone?

[update: it also does not match the output or a trivial subset of the output of

% openssl x509 -in keyfile.pem -fingerprint -sha256

% openssl x509 -in keyfile.pem -fingerprint -sha512


[Update 2: iOS displays the “X509v3 Subject Key Identifier”, and you can ask openssl for that via -text, eg, openssl x509 -in pubkey.pem -text. Thanks to Ryan Sleevi for pointing me down that path.]

Color-Changing Cats

Looking for something festive, holiday-like and chaotic for the blog, I came across color-changing cats. The history of color-changing cats is a fascinating one, involving Carl Sagan and accurate predictions of unfathomable chaos over the next ten thousand years. Because while we don’t know what life will be like that far in the future, consider how much the world has changed in the last hundred, and square that.

Color changing cats

Of course, 10,000 years matters because it’s both substantially longer than meaningfully recorded history (or even a meaning for meaningful recording of history), and because it’s a good approximation for how long certain radioactive isotopes will remain dangerous.

So the US government, producer of said isotopes in its nuclear weapons programs, has convened panels of the great and clever to consider how to ensure that those isotopes are protected. Solutions were proposed including a skull and crossbones and giant spikes surrounding the site.

Read or listen to “Ten Thousand Years ” on 99% Invisible to see why those won’t work. One fascinating solution involves the creation of both color-changing cats and songs about them, such as:

One of the few things that’s for certain, over the next ten thousand years, assuming people are around, some will continue to ache for control they cannot achieve, and produce crap like a DRM-enabled litter box.

A few credits: The music is from 10,000 year earmworm. The photo: 12 bizarre examples of genetic engineering

The Future Is So Cool

When you were growing up, 2014 was the future. And it’s become cliche to bemoan that we don’t have the flying cars we were promised, but did get early delivery on a dystopian surveillance state.

So living here in the future, I just wanted to point out how cool it is that you can detect extrasolar planets with a home kit.

A camera mounted on a clever set of hinges to track the sky

Read the story at IEEE Spectrum: DIY Exoplanet Detector.

Hate-watching, breaking and building

Listening to the radio, there was a discussion of how the folks at NBC were worried that people were going to “hatewatch” their new version of Peter Pan.

Hatewatch. Like it’s a word.

It’s fascinating. They discussed how people wanted to watch it to tweet cynically at its expense. The builder/breaker split isn’t just present in systems engineering, it’s everywhere. It’s easier to snark than to contribute. Any idiot with a crowbar can break things. And maybe it feels good.

The PR folks were also talking about how people had trouble watching a non-ironic version of Peter Pan. That sincerely enjoying a lovely children’s story had become culturally unacceptable.

It’s hard to build. We don’t appreciate it enough. In fact, we don’t appreciate enough. It’s hard to be appreciative in 140 characters. It can be hard to take appreciation seriously. Too often, appreciation is the lead-in to harsh feedback, and the appreciation is perfunctorily delivered, gotten out of the way to get to the “important” part. So many people have been reasonably trained to be wary when the positive feedback shows up.

Let’s try to do better.

Chaos and Legitimacy

At BruCon 0x06, I was awoken from a nap to the sound of canons, and looked out my window to see soldiers marching through the streets. It turns out they were celebrating the 200th anniversary of the Treaty of Ghent. As I’m sure you’ll recall from history class Wikipedia, the Treaty of Ghent ended the war of 1812, and was the second war between Great Britain and the less Canadian parts of its North American colonies.

Treaty of Ghent Anniversary Celebration

Lately, I’ve been thinking a lot about that and what it tells us about Iraq, ISIS and more recently, Ferguson, and I want to write some of it down to see if it makes sense.

Much of our policy in Iraq and Afghanistan seems to operate on a model of history which goes something like this: after the revolutionary war, town meetings coalesced into the Constitution, and we all lived democratically ever after. It’s an ahistorical view that forgets the Articles of Confederation, the Whiskey Rebellion, Shays Rebellion, and what some in the American south still call “the War of Northern Aggression.” It takes time to develop the institutions of a functioning democratic society.

Is it any surprise that after years of dictatorships, torture of dissidents, children growing up under sanctions (in the case of Iraq), occupation, and civil war, the people of Iraq are not using democracy to solve their problems? That they fight over how to run their country?

While each has a unique history and set of circumstances, it appears to me that there is, across Afghanistan, Iraq, Syria, a crisis of legitimacy. The people who live in those areas have disagreements about not only who should lead them, or what policies should be in place, but about the process for selecting their leaders or governments, and the powers those governments should have.

Their disagreements are strong enough that many people are willing to take up arms rather than acquiesce to other visions. Our understanding of these disagreements is muddied by use of terms like “militia”, “the legitimate security forces” or “the so-called Islamic State.”

The Islamic State, with territory, an army, and a currency, is in many ways, no more or no less legitimate than the army and currency of Prince Assad of Syria. (He is a prince in all but name, having inherited power from his father, that literal inheritance of power being the defining feature of princes.) Assad has taken the step of staging a Potemkin village election, because he understands that legitimacy (rather than power) comes from the consent and agreement of the governed.

This is why Churchill said that democracy is the worst form of government, save all those others that have been tried. No one really thinks that asking a bunch of people who can’t be bothered to vote who should lead them is a great way to get the best people into government. But democracy is a unique way to give people a voice, and in that voice, get their consent. The form democracy, that everyone has a voice, is what gives it its legitimacy. Another way to say that is it’s the ballot or the bullet. (If you haven’t listened to Malcom X give that speech, it’s really an outstanding use of your time. Ballot or Bullet Part I, Ballot or Bullet Part II. In two parts from 100 American Speeches, not sure why it’s two-parted.)

Developing legitimacy requires both institutions and time. The institutions must show that they are reliably better than other choices, or people will pursue those other choices. When Federal grand juries return indictments in 162,000 out of 162,011 cases brought to them, it is reasonable to question if they are a worthwhile or trustworthy institution, or act simply as an instrument of power. From that same 538 Story, grand juries in Dallas reviewed 81 shootings by officers, and returns a single indictment. It is easy to think something is out of whack.

What I think I see in Ferguson is that the institutions of justice have failed, again and again. They didn’t just fail when Darren Wilson shot Michael Brown. Police officers can and will make bad decisions. But afterwards, they continued to fail. The medical examiner didn’t take photos because the battery in his camera died. The prosecutor led Darren Wilson’s testimony.
The institutions didn’t just failed in the moment, they couldn’t be made to work under an intense spotlight. The figures about grand jury indictments indicate that they system is failing victims of police violence. (Although Law Proffesor Paul Cassell makes a case that the grand jury did the right thing, and Wilson had a strong self-defense claim.) However, the institutions didn’t fail completely. A grand jury met, its activity was transcribed and the transcript was released. These elements of transparency allow us to judge the system, and find it wanting. But even while wanting, it’s better than judgement in the ‘court of public opinion,’ and its better than mob justice or lynchings.

These failures may lead reasonable people to ask what alternatives to violence exist? It may lead people to think that violence or destruction is their best option. Perhaps the democratic bargain as a whole is no longer sufficiently legitimate to the people protesting or even rioting in Ferguson. To be clear, I don’t think that the violence or property destruction will improve their lives. In fact I believe that violence and property destruction will make their lives worse. I also think that the people rioting, if they would sit down and talk it through might even agree that burning their own community won’t help. But they’re living in a system where things are more arrest warrants than people.

The chaos in Ferguson, like the chaos in Boston in 1776, like the chaos in Iraq, like the chaos in Syria, may be stopped, for a time, by more violence. But violence will not correct the underlying issues of legitimacy.

(There’s a whole related history of the use of offices to enrich office-holders, including the sale of military commissions, the sale of tax collection jobs, etc. I think that’s too complex for me to work into a single blog post. But briefly, the idea that positions were held as a public trust was an important development. We’ve lost it to the idea that because
officials will sometimes act in their own interest, we should only expect them to act that way. In no longer holding people to an ideal, we’re losing something.)