Happy Geeky Thanksgiving

Hey everyone, it’s time to celebrate Thanksgiving here in the U.S. Or in the words of Anya, engage in “ritual sacrifice with pie.” If pie isn’t your thing, perhaps cookies are. kung-foodie points us to Joseph Hall’s Ubuntu and Tux cookie recipes. If they are as tasty as they look, you can always add decorations after the fact and make them into Christmas cookies. This of course makes me wonder how hard it would be to embed a pattern into a potato latke…

England and Wales to fingerprint motorists at traffic stops

Via the Beeb:

Drivers who get stopped by the police could have their fingerprints taken at the roadside, under a new plan to help officers check people’s identities.
A hand-held device being tested by 10 forces in England and Wales is linked to a database of 6.5m prints.
Police say they will save time because people will no longer have to go to the station to prove their identity.
Officers promise prints will not be kept on file but concerns have been raised about civil liberties.
[…]
If the driver does not convince police he is giving them a correct name, they will fingerprint him and verify his identity on the spot, instead of taking him to the police station.

Assuming that 6.5m means 6,500,000, how is it that use of fingerprints can establish identity? The population of England and Wales is about 50,000,000. If 30% of this number are under the legal driving age (an overestimate, since 20% are 15 or younger), then 35,000,000 people are eligible to drive (I assume the number of those prohibited due to, for example, blindness or past offenses is not substantial). The Department for Transport says there are 31,000,000 registered vehicles in the U.K. Let’s be conservative and say that there are 20,000,000 licensed drivers in England and Wales.
If this is so, then a fingerprint obtained at random from a driver will match one the coppers have on file only a third of the time. How is it that this “verifies his identity on the spot”?
Rather than my back of the envelope stuff, I’d love to see some real numbers on the efficacy of this program. Unless there is a match in the database, how can this process do anything?

Selling Security?

Last week, Martin McKeay responded to RaviC’s thoughtful discussion of security as a core competence by saying:

I don’t think any business is going to buy into security as a core competence unless you can demonstrate to management that they’ve lost business directly because of a lack of security. And even then, it’s an incident around lack of security that’s more likely to get action rather than the idea of being proactive about security.

I can’t speak to the business world as a whole, but in my experience Martin is right. More specifically, it will take many, many incidents for a company to understand that this is not just a point issue that can be addressed with one patch.
Martin also talks about using the sales team to your advantage:

If your company does operate in an environment where security can be used as a sales tool, think about incorporating your sales department in your efforts to push security up the ladder. If you have your VP of Sales talking about how security will allow them to approach a market they haven’t been in before or get a sale they missed last year, management will see the dollar signs. It’s probably a lot healthier way to sell security in the organization too.

In a similar vein, use your customers to your advantage. Find out who the biggest customers are, contact the security organizations at those companies, ascertain what their specific concerns are, and assist them in making those concerns known. Make yourself an evangelist for the customers. Undoubtedly, if you see issues with the product being sold, so do your customers; they just don’t know who to talk to in order to make those concerns known.
Update: I closed a tag on behalf of Arthur. cw.

On Awareness

Last week, Rich Bejtlich posted his common security mistakes to TaoSecurity. His points are all excellent and well thought out, however, I would add one more item to his list: Awareness.
It is very in vogue to say that user education must be eradicated, will never work and is one of the dumbest ideas in computer security. However, all of these authors miss a vital point, and that is: if users don’t know what they are and are not supposed to do, it is no wonder that they break the rules and make mistakes.
It’s all well and good to believe that technology should protect the user and that argument works well for things like spam and spyware (even if the technology doesn’t), but that just doesn’t fly when it comes to policy based issues like sharing of confidential information or writing quality code. At some point, users need to understand why things need to be done a certain way whether for security, safety or just plain profit. How are they going to get that? Osmosis?

Carole King said it best

“It’s too late, baby”
Yeah, I’m dating myself, but Tapestry was huge, and she and Goffin had some serious songwriting chops.
Anyway, the “it” about which it’s too late is, yes, a relationship. An important relationship. A relationship which, while admittedly not exclusive, is “open” in a hopefully honest, fulfilling, respectful way. That relationship is the one you have with your personal information.
Well, bad news. That info is all over town, for anybody who can pay the bills, and you don’t know the half of it. That, at least, is the opinion of David Cowan, a VC at Bessemer Venture Partners, blogging about Lifelock:

It would be quite a stretch for you to imagine that somehow your data remain safely stored among all the vendors, doctors, banks, web sites, and government agenices[sic] whom you’ve engaged in your lifetime. More likely, your personal credentials are all for sale in black market exchanges like this one.
In other words, the horses are out of the barn. There’s little point trying to re-tool or regulate the world’s IT infrastructure to contain consumer data. Even if your concern is future generations whose identities are still safe from thieves, there are so many ways for data to leak that it’s futile to expect brittle secrets like our social security numbers to be both useful and sustainably confidential.

Here, Cowan echoes the response I got over a beer when I asked a knowledgeable observer of the financial industry how he’d estimate the number of compromised identities (I figured he’d know about fraud detection and so on). I knew I was in for some fun when his response began with “You’re not going to like the answer…”. It seems that in his opinion all our PII belongs to them. It’s merely a question of monetizing it. (Listen closely — that sound you hear is Lindstrom saying “Yessss!!!”)
I am not qualified to assess whether Lifelock or Debix, or any other player in this space is a sensible investment. I will say that, as I understand it, their value proposition could be obliterated with a stroke of the pen, which leads me to a conclusion, and to a question.
That smart people are willing to attach their names and wallets to these enterprises shows me that US consumers won’t have true control over access to their personal information for the foreseeable future because legislation providing it is seemingly not forthcoming.
To those who argue that the data are already all out there, my question is “Is that a falsifiable hypothesis?”

The Kristian Von Hornsleth of the Blogosphere?

Apparently, artist Kristian Von Hornsleth has been paying Ugandans to rename themselves Hornsleth, as a way of drawing attention to aid failures. His exhibit is sub-titled “We want to help you, but we want to own you.”

I think it’s brilliant. Regular readers know that we talk a lot about identity, id cards, and economics. So this is an art project that really touches me, and I’d like to participate. Mr. Hornsleth, will you donate one extra animal if I rename this blog the Kristian Von Hornsleth of the blogosphere for a week?

Via the BBC, “Storm over ‘pig-for-name’ artist.” To the racism question that leads the beeb story, I think that the racial overtones are cleverly used by the artist to draw attention to a very real problem of ineffective aid.

Frito-Lay’s New Snack Line


Frito-Lay spokeswoman Lisa Greeley, who said that the company made a commitment in 2004 to develop a healthier line of snacks but “never thought it would actually come to this,” described the Flat Earth brand as “tailor-made for the small, vocal minority of health-conscious consumers who apparently can’t just be content with salads, bananas, apples, or any of the literally thousands of fruits and vegetables already widely available.”

“Frito-Lay Angrily Introduces Line of Healthy Snacks,” in America’s Finest News Source.

Guidance Software, Evidence and Software Provenance

So Chris beat me to the mocking of Guidance Software. I was going to do that, and then ask about the software that they produce, and its heavy use in legal proceedings. If your corporate network is full of hackers, what does that say about the admissibility of the output of your software?

There’s also a concept floating around out there in executive suites of “software provenance.” The idea is that you should be able to track and understand who’s checked software in. I don’t know of any software that would really do that effectively.

Let’s assume that there’s some awesome, hard to hack, SDL’d version control software out there with integrated three-factor authentication that logs every check-in to paper and cryptographizes it out the wazoo. It hash-trees, it signs, it timestamps and publishes the good news in the newspaper. Let’s even say that it was installed at Guidance. I should mention that I have no knowledge of what’s happened at Guidance and this is all hypothetical.

Alice the hacker wants to install a backdoor in EnCase that will cause it to not see any file starting with the string “$sys$”, and Alice can write code to do that. Let’s next say that Alice pwns Bob the developer’s workstation. She waits until he’s checking in a large set of files, and adds her backdoor. Bob does the chicken dance with his smartcard, swipes his fingerprint, and types his 19 character password. And checks in Alice’s code.
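To make the argument concrete, here is an added example (not code from the post or from any real version control product) that simulates the hypothetical hash-tree-and-signature check-in above: the signature is computed over whatever is in the working tree, so an extra file added on a compromised workstation still verifies as “Bob’s” commit. The only check that catches it is one that compares the signed commit against a record of what Bob intended to change, kept somewhere the workstation cannot alter (the file names, the HMAC stand-in for the smartcard signature, and the key are all constructed for the demonstration).

```python
import hashlib
import hmac

# Constructed sample: the change set Bob actually wrote (path -> bytes).
BOB_FILES = {
    "src/scanner.c": b"int scan(void) { return 0; }\n",
    "src/report.c": b"void report(void) {}\n",
}
# Constructed stand-in for the file Alice slips into the working tree.
# The content is an inert marker, not functional code of any kind.
INJECTED = {"src/compat.c": b"/* constructed marker for an injected file */\n"}
# HMAC with a shared key stands in for Bob's smartcard signature (hypothetical).
BOB_KEY = b"constructed-demo-key-not-a-real-secret"


def merkle_root(files):
    """Hash tree over the sorted (path, content) leaves, as the page's ideal VCS would."""
    leaves = [hashlib.sha256(p.encode() + b"\0" + c).digest()
              for p, c in sorted(files.items())]
    while len(leaves) > 1:
        if len(leaves) % 2:            # duplicate the last leaf on odd levels
            leaves.append(leaves[-1])
        leaves = [hashlib.sha256(leaves[i] + leaves[i + 1]).digest()
                  for i in range(0, len(leaves), 2)]
    return leaves[0]


def sign_checkin(files, key):
    """Workstation-side signing: it vouches for whatever is in the tree, not for intent."""
    root = merkle_root(files)
    return root, hmac.new(key, root, hashlib.sha256).digest()


def server_verify(root, sig, key):
    """Server-side check of the signed root; this is all the 'provenance' log sees."""
    return hmac.compare_digest(hmac.new(key, root, hashlib.sha256).digest(), sig)


def compromised_checkin():
    """Alice adds her file to Bob's working tree before Bob signs and checks in."""
    tree = {**BOB_FILES, **INJECTED}
    root, sig = sign_checkin(tree, BOB_KEY)
    return tree, root, sig


def review_against_intent(tree, intended_paths):
    """Independent review: paths in the signed commit that the developer never meant to touch.

    intended_paths must come from outside the workstation (ticket, review request).
    """
    return sorted(set(tree) - set(intended_paths))
```

The signature check passes and attributes the commit to Bob; only the intent comparison reports `src/compat.c` as unexplained.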

I don’t know what it will cost Guidance to ensure its software makes it through the next court case.

SANS Top 20 has competition!

SANS has just released their annual Top 20. I won’t bother linking to it — Google knows where to find it, and if you’re reading this blog, you probably do too.
Anyway, it seems like the SANS people have a bit of competition.
Check out this list:


  1. Failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable Web-based attacks, such as structured query language injection attacks;

  2. Failing to implement simple, low-cost, and readily available defenses to such attacks;

  3. Storing in clear, readable text network administrator credentials, such as user name and password, that facilitated access to credit card information stored on the network;

  4. Failing to use readily available security measures to monitor and limit access from the corporate network to the Internet; and

  5. Failing to employ measures to detect unauthorized access to consumers’ credit card information.


Ooops! My bad.
This isn’t a list of the top five security bonehead moves. This is a list of the things the Federal Trade Commission says Guidance Software did, resulting in the loss of thousands of customers’ credit card information, in violation of federal law.
Guidance, of course, are the makers of EnCase, the market-leading computer forensics tool. The company admits no wrongdoing, and has entered a consent decree with the FTC.

Tufte, Godin, Juice Analytics

Juice Analytics comments on “Godin’s take on Tufte”:

(Godin) I think this is one of the worst graphs ever made.

He’s very happy because it shows five different pieces of information on three axes and if you study it for 15 minutes it really is worth 1000 words.

I don’t think that is what graphs are for. I think you are trying to make a point in two seconds for people who are too lazy to read the forty words underneath.

I think Seth has it just right. Personally, I can hardly resist a well-constructed infographic, but I have an unnatural interest in data. For the many business users, better to construct information displays that are simple and to the point.

So, Seth’s points are good. They’re made in this video presentation at GEL 2006 (Google video, worth watching).

I’m really irritated by Juice’s words. It is never better to construct information displays that are simple and to the point, absent an understanding of why you’re constructing a display. If your point is “Napoleon lost a lot of lives attacking Russia” maybe a bar graph would do. Sometimes complex reasoning requires complex data. The question is not “Should your graphics be simple and to the point,” but rather “do my graphics help present the data and help people reason about it?”

To put it another way, start from the user story, use case, or scenario, and construct your information presentations to help that story along. Then, and only then, should you make it as simple and to the point as possible, but no simpler.