On Provable Security

Eric Rescorla writes:

Koblitz and Menezes are at it again. Back in 2004, they published
Another Look at “Provable
arguing that the reduction proofs that are de rigeur
for new cryptosystems don’t add much security value. (See
for a summary.) Last week, K&M returned to the topic with
Another Look at “Provable
which is about the difficulty of interpreting
the reduction results. They take on the proofs for a number
of well-known systems and argue that they don’t show what you
would like.

See “Provable Security (II)” if you want the rest of the details.

Sky Marshalls Have Suspicious Behavior Quotas?

The air marshals, whose identities are being concealed, told 7NEWS that they’re required to submit at least one report a month. If they don’t, there’s no raise, no bonus, no awards and no special assignments.

Even better, the people who are “suspicious” are put into secret databases with no way to find out why their travel life suddenly became hell.

When you have nothing to measure, and the threat you’re coping with is very rare, sometimes you invent things. I like Schneier’s comment, “I have been stunned before by the stupidity of the Department of Homeland Security.” (Story is at “Marshals: Innocent People Placed On ‘Watch List’ To Meet Quota” at the Denver ABC affiliate.

[Update: See Brock Meeks' comments on the issue, at Dave Farber's Interesting People List.]

“Privacy” International

As mentioned by Ben Laurie; Simon Davies, the Director of Privacy International, was quoted in IT Weeks’s Will industry rescue the identity card? as saying:

“I’ve believed for some months that a ‘white knight’ consortium from industry is needed,” Davies said. “Companies that can see the benefits of the ID card idea should approach the government about effectively taking over the project.”

I find this particularly galling from a group dedicated to privacy. They are in their own words: “a human rights group formed in 1990 as a watchdog on surveillance and privacy invasions by governments and corporations.”
Like Ben, I am speechless.

Fu-Sec, Dunbar Numbers, and Success Catastrophes

In “I Smell a Movement,” Chris talks about the City-sec movement, of security people getting together for beer, and about groups like ISSA.

So the question I’d like to ask is why do these groups keep emerging so chaotically? Why can’t the extant groups, usually formed for the same reasons, succeed?

I think there are two main reasons, the first involving group dynamics, and the second involving group dynamics success catastrophes.

As a group grows, there are lots of dynamics. One of those is that functional groups can get more done than individuals. There are also communication and alignment costs, which is why adding more programmers to a late project makes it later. Christopher Allen has written extensively about this in his posts on Dunbar numbers, such as “The Dunbar Number as a Limit to Group Sizes.”

As a professional networking group hits some critical mass of interested early adopters, those early adopters put in work and get lots of value. Since a goal of the group is networking, they excitedly invite more people, telling them how great it is. The group grows. Newcomers may not invest the same level of energy (after all, things are working great, let’s drink more!) As that happens, the selection functions that controlled early membership: Did you find out about it because you read the right blogs? Did you make time to attend?

As the group grows, the activities and energy that made it work may no longer suit what the group has become. This is why lots of startup founders leave: They’re great in the early stages, but as they build the company, the very skills that made the early days work become dysfunctional. Startups often do this, at great cost, because there’s a board of directors who are focused on a financial outcome. Professional societies, who take their boards from the enthusiastic membership, may not have that same focus. These groups want more of what made them valuable early on.

Thus, the habits and skills that make a group successful can end up holding it back. It’s the catastrophe that follows success, and its why we have a growing list of professional organizations that don’t do quite what some people want. When the groups don’t serve the purpose, some enthusiastic people will set out to fill that gap, either in a market or in a social setting.

So what can you do about it? Me, I plan to drink lots of beer at the next SeaSec.

Photo: Zombarmy06 by Father.Jack.

Usable Security: SOUPS Blog posts

There are about twenty good posts talking about the Symposium on Usable Security and Privacy (SOUPS) over at Ka-Ping Yee’s Usable Security blog.

If you’re reading this in the archives, start here and go forward, or here and go back.

Some favorites:

Security, Privacy and A Digression into Copyrights


(Via Caspar and Nicko.)

I hesitated before posting this. I’m pretty sure it’s a Dr. Fun cartoon, but the jerks in “my confined space” have obscured the signature.

I try hard to attribute all the images I use here. I’ve given credit to Galerie which we use to produce the frames. (They even added a feature to make that easier. I’d say buy it, but, umm, it’s free.) I digress. I may not always manage to attribute the photos, but I certainly don’t take others work and intentionally obscure its origins for my own aggrandizement.

If anyone knows of the proper author, I’d love to provide credit where it’s due. In the meanwhile, enjoy the cartoon. [Update: Saar Drimer ran this a few days ago, and found an un-edited version which includes the credit to Clay Bennett, and the publisher, the Christian Science Monitor.

I find myself really irked at the jerks who covered up credit for the work. They're not only taking the work without paying, they're preventing readers from finding more great work like Clay's. It's enough to almost make me think about the possibility of maybe one day reconsidering my hatred of the RIAA.]

[Update 2: I thought about replacing the picture with a properly signed one, but then readers wouldn't understand what I'm ranting about.]

Are You Human or Not?

three-hot-women.jpgAn reader who wants to remain anonymous points us to “Another CAPTCHA — But I failed (partly)” and “http://hotcaptcha.com/:”

I cracked up when I saw this. It uses “the hotornot API” (Web 2.0 is getting out of hand!) to offer up pictures of nine women (or men) and asks you to prove you’re human by selecting the three “hot” ones. Politically incorrect, funny and thought-provoking, and potentially flawed by sexual bias to boot.

Incidentally, this is proof that Google is not human, because Master Cheng Yen is their #1 hit for “three hot women” (with Safesearch on.)

Meet the Bugles

Check out Bugle, a collection of google searches that look for known general classes of vulnerabilities in source code such as buffer overflows and format string issues. The list is far from complete and is no replacement for real static analysis but will should get you a lot of low hanging fruit.
[Via FIRST News.]

I smell a movement

No, not that kind, silly.
I just read over at Bejtlich’s blog, that he has decided to start NoVA Sec, having been inspired by Chisec, which was begun by Matasano honcho Thomas Ptacek.
ChiSec is fun, and has been rapidly imitated by other Matasano folks, yielding Seasec and NYsec (I’m hoping it will go next to Paris, just so there can be a Parsec).
My sense is that many in the security biz are disappointed with some of the “establishment” groups, such as ISSA. I let my ISSA membership lapse because it had no payoff for me. I can network with people on-line and at conferences more tailored to my interests, anyway. The “local connection” was missing, however. Chisec has eliminated that problem handily. I wonder if the success of these other regional {foo}secs is due to a similar disatisfaction or sense that something is missing? If I had to guess, I’d say yes.
I’m glad to see Rich taking this step, which I am certain will be popular.