More thoughts on blogging

Thanks for the kind introduction Adam. This has been an interesting summer as I reach out to various security bloggers. I hope my “Meet The Bloggers” podcast series will help people to get to know the various “personalities” out there. We are an interesting bunch.
The one question I have for everyone, bloggers and blog readers alike, is what is the impact of blogging on the security space? Obviously bloggers are doing a better job in general than journalists in exposing what is happening in the security space. But it is still disjoint. You have to tune into at least four or five and maybe ten blogs on security just to stay in touch. In the mean time you have to check in on reddit, digg, techmeme, a couple of times a day and subscribe to a bunch of feeds from Haval Daar. Are bloggers adding to or helping reduce the chaos? I hope it is the latter.
As I see it security bloggers are accomplishing three things. First they are disseminating information. By sifting through all of those feeds and posting on the “important” stuff they help filter out the good bits from the bad for the security professional. Second, they take a stand. They are advocates for good security and typically defenders of digital rights. They do not let topics die. I for one will be blogging about the Sumitomo Bank Heist and asking my questions until I get answers. And finally, they sway decision making. Through the forum created between bloggers and their commenters, actionable advise is derived that I believe helps individuals and corporate IT departments ultimately improve their security posture.
Comments? Concerns? Are there three things that security bloggers don’t do but they should?

The Down Side of “Strong” Authentication

Brad Stone has a great article in Wired about his car being stolen and the insurance company insisting that he must be lying because he still had all of his fancy RFID enabled keys. This assumption that the security system is perfect is going to continue to bite consumers especially as banks move to two-factor authentication. I see scenarios where malicious parties will make use of trojans or man in the middle attacks to steal and banks and vendors, leaning on the use of products like SecurID, will shift the liability to the customer. Fortunately for Brad he got his car back in the end, read the full article, he has a great analysis of the moving target that is security.

Don’t Cross the Streams?

cross-the-streams.jpgSo this week I’m off to Metricon and Usenix Security. Many of my co-workers are off (to present an entire track) at Blackhat. What I find really interesting is that there are these two separate streams of security research, one academic and one hacker, in the most positive sense of the word. Both have produced excellent research. Both have their own forums, conferences, journals and jargon. Both have strong traditions of acknowledging the work you build on. “What’s new about this?” is a fair question in both communities. Sometimes, that question crosses the boundary.

See, for example, the 4th comment on “Ignoring the ‘Great Firewall of China’,” where Bill Xia complains that “I explained this mechanism in 5th HOPE conference” and then adds in a burst of honesty, “Sorry the slides are hard to read without the video presentation.”

These two streams of research are so separate that I’ve heard few complaints that the two conferences are overlapping. That’s a shame, because there’s good work being done in both of them. The highly practical orientation of the hackers finds real flaws. Ideally, that would dovetail with the theoretical underpinnings that the academic community has.

The picture, of course, is from Ghostbusters.

Drowing in Notices?

drowning-in-notices.jpg
In “Access controlled by a password,” Phillip Hallam-Baker writes:

It probably makes sense to have an exception of this type in the first instance when the law is enacted. Otherwise we may well drown in privacy disclosure notices.

I must say, I don’t get this objection. Does it apply to any other bit of information disclosure? Are we drowning in SEC regulatory filings? National Crime Victimization Surveys? Statistical Abstracts of the United States? (How ought one pluralize that, anyway?)

Sure, there may be lots of notices. Sure, those notices may, to a degree, be fiscally inefficient. However, the stock market doesn’t think they matter a great deal (see “Does Lost Data Matter?“) At the same time, as Phill points out:

In the longer term the problem with such exceptions is that lost laptops are a major cause of data loss and there is at least anecdotal evidence to suggest that stolen laptops do trade for the information on them. A few months ago I had lunch with Simson Garfinkel who remarked that there is a correlation between the price of used disk drives on EBay and the purposes that they appear to have been used for.

We should sweep any such evidence under the rug, before it becomes apparent that there are material weaknesses in all sorts of controls.

The reality is that while companies are actually working to improve the security of their data with things like drive encryption, consumers are not (near as I can tell) getting either bored or overwhelmed with notices. Seems like sunlight is a fine disinfectant.

Yet Another Coding Standard?

Over at Matasano, Tom Ptacek skewers the new CERT Secure Programming Standard by asking: Do We Need an ISO Secure Coding Standard?. The entire article is well worth reading, but it sums up nicely with this:

There are already a myriad of good sources of information about
secure programming, including books targeted specifically to
developers that don’t have experience with secure
programming. I don’t understand why a wiki or an ISO standard
would be more accessible to these developers, who write the
majority of all code.

Thanks Tom.

Indiana’s Breach Law

Indiana’s breach notification law went into effect on July 1, 2006. An excerpt relevant the “lost laptop” phenomenon:

Sec. 2. (a) As used in this chapter, "breach of the security of the system"
means unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of personal information maintained by a state or
local agency.
(b) The term does not include the following:
(1) Good faith acquisition of personal information by an agency or
employee of the agency for purposes of the agency, if the personal information
is not used or subject to further unauthorized disclosure.
(2) Unauthorized acquisition of a portable electronic device on
which personal information is stored if access to the device is protected
by a password that has not been disclosed.

DHS Has Nothing Better To Do, Apparently

peeping-cameraman.jpg

A federal Department of Homeland Security agent passed along information about student protests against military recruiters at UC Berkeley and UC Santa Cruz, landing the demonstrations on a database tracking foreign terrorism, according to government documents released Tuesday.

From San Francisco Chronicle, “Terror database tracks UC protests
U.S. agent reported on ’05 rallies against military recruitment
.”

Let me be clear. I’m fully in favor of saving American lives, and also the American way of life. When DHS is wasting its time on student protests, corn stands and flea markets, more and more people are going to decide that its a waste of money. So, DHS, stop thinking about this as a matter of civil rights.

This is going to be about your budget. If you’d like your budget to be there in five years, stop spying on Americans. Because if you don’t, Americans will decide you have more money and less sense than a drunken sailor.

Peeping Tom photo by WebLoes.

Return on (Other People’s) Investment

‘The Australian’ has a great story on “Focus key to crack money-laundering.” Its focused on the testimony of a British expert on “money laundering” and includes:

Last year, British banks, accountants and lawyers made some 200,000 reports to the authorities. But in the three years since Britain’s law was implemented, there had been only one successful prosecution in 2003.

“A common picture is emerging across the world that banks and accountants are complying with their obligations, but little seems to be done with the information.

It cost the British financial services sector pound stg. 60 million (AU$146 million) to just set up the compliance system.

I don’t know what else £60 million could buy, but one prosecution, and the privacy of 200,000 violated? Seems like a poor use, even if it’s other people’s money. Maybe they should have offered some huge rewards with it instead.

Previously on this topic, “FinCEN Effectiveness,” “The Cost of Following the Money” and
The Remittor and the Money Launderer.”

It’s Getting Worse All The Time?

So there’s a post over at F-Secure’s blog:

There’s a growing trend here. We’ve been saying for some time that the lack of large virus outbreaks is evidence that the malware environment could be getting worse, not better. The bad guys want to make money – not make attention. So as a malware author, if you want to target a few prominent companies for the purpose of industrial espionage, you design your exploit to attack them within and then lay low. Spoofed e-mails are sent to company insiders and they, thinking it’s just another document that they need to review, open it up and the backdoor gets installed.

So while I follow the logic, I have a question: If fewer outbreaks are evidence that things are getting worse, are more outbreaks evidence things are getting better? If not, is there any evidence possible of things getting better, or are they always getting worse?

[Update: Linked to the post. Sorry about that! F-Secure doesn't have per-post archive pages, but the post is titled "Exploit Wednesday."

Also, lacking deep insight, I don't dispute what they're seeing or saying. I'm simply asking if it were to be the case that things were getting better, what would the evidence look like?]