Relentless Navel Gazing, Part 10

I’ve made explicit that email addresses are optional when commenting.

I’ve added easy links to Digg, Reddit, Furl, YahooMyWeb and NewsVine.

If you have a bookmark system you’d like me to add, let me know.

[Update: More navel gazing: added dates to post footers, and fixed underlining for links in the archives. As always, let me know what I broke.]

DHS says one thing, does another. Film at 11.

The Department of Homeland Security (DHS) Privacy Office conducted a review of the Transportation Security Administration’s (TSA) collection and use of commercial data during initial testing for the Secure Flight program that occurred in the fall 2004 through spring 2005. The Privacy Office review was undertaken following notice by the TSA Privacy Officer of preliminary concerns raised by the Government Accountability Office (GAO) that, contrary to published privacy notices and public statements, TSA may have accessed and stored personally identifying data from commercial sources as part of its efforts to fashion a passenger prescreening program.

Secure Flight Report (DHS)
Declan McCullagh broke the story which led me to this document. He notes that:

The report, and a second one critiquing a government database called Matrix, was released on the last business day before Christmas, a tactic that federal agencies and publicly traded companies sometimes use to avoid drawing attention to critical findings.

Perhaps one way to prevent things like this would be to curtail the ability of private companies (the providers of the Secure Flight information) to collect and resell it in the first place without the express permission of those to whom it pertained. Probably a quaint, pre-9/11 notion, but let a guy dream on Christmas Eve, will you?

Radical Transparency and Society

In “Radical Transparency to improve resilience,” John Robb posts about Chris Anderson’s ‘radical transparency:’

Think about how these tactics can be applied to societal resilience:

  • Show who we are.
  • Show what we are working on.
  • “Process as Content.”
  • Privilege the crowd.
  • Let readers decide what is best (aka: wisdom of the crowd)
  • Wikify (this another way of saying: open the storehouse of background information) everything.

I think it’s a fascinating perspective on what frustrates so many of us about the Bush Administration. In dragging us into torturing prisoners, jailing Americans without trial, secret laws and secret programs, they have implemented a program of radical transparency. What it shows about their souls is particularly unpleasant.

Related to ‘opening the storehouse,’ the New York Times reports that “U.S. to declassify secrets at age 25.” There’s fascinating commentary about how “The Bush administration could have said, ‘This is a Clinton thing,’ and abandoned it.” Nice way to look at laws. Process as content, indeed.

That wasn’t so bad after all…

There’s an article in Wall Street and Technology, “When Risk Managers Cry Wolf.” It opens:

Avoiding “reputation risk” is a common justification for increasing security measures, protecting customers’ financial information and reporting security breaches in a timely manner. But now more than 18 months after the big ChoicePoint incident when 163,000 bogus accounts were created by ID thieves, the doom and gloom that financial services risk professionals have predicted has failed to come true.

So this means that the “reputation risk” card carries much less punch, now that consumers are content to have 97 million personal data records exposed since February 2005. Going forward, risk managers will need to rely more on the actual costs associated with data breaches, rather than play the reputation risk card.

Yep. These things don’t hurt nearly as much as some people were predicting. Can we move along, and start learning from them?

Akaka-Sununu Bill Repeals Key Aspects Of The Real ID Act

Daniel Akaka and John Sununu have introduced a bill to repeal title II of the Real ID Act. From the press release:

The Identification Security Enhancement Act (S. 4117) replaces REAL ID with language from the Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458), which took a more measured approach in mandating tougher standards for drivers’ licenses and identification cards by requiring that the new guidelines be developed by a shared rulemaking process that would involve all key stakeholders, including state governments and privacy experts.

It’s really great to see some bipartisan support for our rights for a change. I particularly like the fact that both state governments and privacy experts will be involved. It gives me hope that should this bill pass we’ll actually end up with something sane.
[Via EFF: Deep Links]

I’ll See Your Randomness, And Raise You a Protocol

In “Stellar Lavarand,” Ben Laurie writes:

Some crazy people think they can make a business of this, only using the solar wind, the clouds of Venus, the Northern Lights, Jupiter’s shortwave emissions and other cosmic events as their random source.

Just like lavarand, this causes a moment of “oooo, shiny”, rapidly followed by “but why would I want someone else to see my randomness?”. So, kids, feel free to point and laugh at anyone foolish enough to use this service for anything real, but don’t try it at home.

I can imagine a number of protocols that rely on a source of random bits that both Alice and Bob get at the same time, and which can be independently verified to have been outside the control of a third party.

Is it a business? Seems doubtful, but it’s interesting that it’s being tried. Who knows what might emerge?
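One shape the protocol imagined above could take, as an added example that is not from the post or from Laurie: a commit-then-reveal exchange whose output mixes in a public beacon value, alongside the local-entropy mixing step that answers Laurie’s “why would I want someone else to see my randomness?” objection. The beacon here is a constructed hash stand-in for a stellar source, and every function name is an assumption.

```python
import hashlib
import hmac
import secrets

def beacon_sample(epoch: int) -> bytes:
    """Constructed stand-in for a public beacon like the stellar source in the
    post: the same bytes for everyone who asks about a given epoch. A real
    beacon samples the sky; this hash just lets the example run offline."""
    return hashlib.sha256(b"constructed-beacon|" + str(epoch).encode()).digest()

def commit(secret: bytes) -> bytes:
    """Hash commitment each party publishes before the epoch's beacon value exists."""
    return hashlib.sha256(b"commit|" + secret).digest()

def verify_reveal(secret: bytes, commitment: bytes) -> bool:
    """Check a revealed secret against the commitment published earlier."""
    return hmac.compare_digest(commit(secret), commitment)

def shared_coin(epoch: int, secret_a: bytes, commit_a: bytes,
                secret_b: bytes, commit_b: bytes) -> bytes:
    """Shared, third-party-verifiable randomness. Alice, Bob or an auditor can
    recompute it from the public beacon plus the two revealed secrets; because
    both secrets were committed before the beacon value was known, neither
    party could steer the result, and neither could the beacon operator alone."""
    if not verify_reveal(secret_a, commit_a):
        raise ValueError("Alice's reveal does not match her commitment")
    if not verify_reveal(secret_b, commit_b):
        raise ValueError("Bob's reveal does not match his commitment")
    h = hashlib.sha256()
    for part in (beacon_sample(epoch), secret_a, secret_b):
        h.update(len(part).to_bytes(2, "big") + part)  # length-prefix each field
    return h.digest()

def private_key_material(epoch: int, local_secret: bytes) -> bytes:
    """Laurie's caveat: beacon output alone is a key everyone else can read.
    Mixing it with local entropy (HKDF-extract shape: beacon as salt, local
    secret as keying material) keeps the result private to its owner."""
    return hmac.new(beacon_sample(epoch), local_secret, hashlib.sha256).digest()

def demo(epoch: int = 7) -> bytes:
    """One round: commit, wait for the epoch, reveal, derive the shared value."""
    secret_a, secret_b = secrets.token_bytes(32), secrets.token_bytes(32)
    commit_a, commit_b = commit(secret_a), commit(secret_b)  # exchanged first
    return shared_coin(epoch, secret_a, commit_a, secret_b, commit_b)
```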

Photo: “The Last One” by J.C. Freakshow.

Aspen Privacy Breach

The Wall Street Journal reported yesterday that “Stars Find Privacy Breached In Aspen by Phone Book” (behind paywall, sorry). According to the Journal:

When the Yellow Book directory for Aspen, Colo. came out recently, residents of this ultra-chic ski town found it contained more than the usual list of local bars, hair salons and ski shops.
It also included the previously unpublished addresses of actor Jack Nicholson, former Walt Disney Co. boss Michael Eisner and the deceased ex-chairman of Enron Corp. Kenneth Lay, among other celebrities and executives accustomed to keeping their contact information unpublished. The incident was first reported in the Aspen Daily News.

Yellow Book has stated that they used a third-party marketing service for the data for the phone book. I guess someone forgot to double-check that the requests for not having a number listed were being honored prior to publication. Oops….
[Edit: A commentator pointed me to the original article in the Aspen Daily News]
[Edit: America’s Finest News source covered this issue years ago. (Thanks Adam)]

Fines, Settlements in Privacy Invasions

Topping the list, Vodafone has been fined $100M (€76M) for failing to protect 106 mobile accounts. “Greek Scandal Sees Vodafone fined” at the BBC, via Flying Penguin.

On this side of the Atlantic, Choicepoint, Experian and Reed-Elsevier are looking to pay $25 million to settle claims that they invaded the privacy of 200 million drivers in the US. None of that money would go to those whose privacy was invaded. (“Driver Data Lawsuits Settlement Proposed.”)

Pop quiz: Which do you think will influence behavior more?

Photo: Peeping Dog, by ErinV.

My Advice for the Pragmatic CSO

Mike Rothman writes:

On the Wikid blog, they tackle the mess of incentive plans in this post (h/t to Emergent Chaos). I can see the underlying thought process, but I have a fundamental issue with the idea of capping information security expenses to about 1/3 of the expected loss. Now I haven’t read Gordon & Loeb’s book, so maybe there is a reason it’s 37% and not 50%. Obviously you need to show a “return” on the security investment, so it isn’t going to be 100% – but whatever.

“Whatever?” “Maybe there’s a reason?” It’s not like this is a $200 book. It’s $40 and 225 pages.

My advice for the pragmatic CSO is to read Gordon and Loeb instead.

PS: Now I know why it’s called the Security Incite, not the Security Insight.

Million Dollar Blog Post

My friend Austin Hill has put up the Million Dollar Blog Post. They, and their sponsors, will donate up to a million dollars to charity, at $1 per comment.

I think charity is tremendously important. I’ve been lucky enough to have a set of skills that are well rewarded in today’s world. (I’m reminded of a joke Warren Buffett tells, of what would have happened if he were a cave man: as he runs from a saber-toothed tiger, he yells, “But I can allocate capital efficiently!”) I’m lucky enough to have missed many of the horrors of the twentieth century.

Some of the organizations I give to include:

If you’re reading this blog, odds are good you’re employed in the sort of job that allows you to surf the Internet. Which puts you in an excellent position to spend a few more minutes surfing the web, and donating to worthy causes and those less fortunate than you.

Why not start with the Million Dollar Blog Post, and go on from there?

[Update: closed comments due to spam]

Read any good books lately?

Do share your opinions and suggestions.
Personally, I don’t read enough, and I stay within a too-narrow comfort zone of UNIX geek material. Help me, and other EC readers similarly situated. It’d be nice if the techie side of infosec was not the subject (Rich Bejtlich has that covered anyway).
I wrote up a review of Bryan Skyrms’ The Stag Hunt and the Evolution of Social Structure a while back, and I recommend it highly (the book, not the review).
I also liked Amartya Sen’s Rationality and Freedom.


Gifts for the Cryptological Mind

Cryptological in this case meaning those who like thinking about the hidden.

The Cryptex
Hakone Box
Authorized Da Vinci Code Cryptex from The Noble Collection. It’s very nice, made of good, solid brass. It avoids many combination lock issues. I tried some obvious ways you can cheat a letter from such a device and it was well-made enough that they didn’t work. It’s a nice bit of work.
Also, Japanese Hakone puzzle boxes from Pandora’s Puzzle Boxes. These are beautiful inlaid wooden boxes that you have to open up by sliding pieces of the box around. They’re rated by both size of the box and the number of moves needed to open it.

The puzzle box is both harder and easier than the Cryptex. You can brute-force the Cryptex in 26^5 moves, but you know what the moves are. It’s still a bit of a trick to know just how to slide the letters in place (that’s a good thing) as well. I found that pleasing in the Cryptex. The sliders for each ring are analog with no wussy little ratchets.

If you have a 27-move Hakone box, it’s only 27 moves, but you have to know what the moves are, and that’s a challenge in and of itself. The boxes go all the way up to 78 moves. New boxes are a bit stiff, and so there’s also a manual dexterity aspect to solving it, even if you know how to.

I recommend getting one of each. If the recipient has been naughty, put the solution for the Hakone box in the Cryptex and the Cryptex solution in the Hakone box. If the recipient has been very naughty, there are many opportunities for crypto-sadism. You can put a crib in the Cryptex’s setting of the initials of some significant person or place. You can put a clue to the Cryptex solution rather than the solution itself in the Hakone box. Add more boxes for more fun.

Breach Bills, and the Role of Encryption

In Grant Gross’s IDG article, “VA Security Breach Bill Criticized by Cybersecurity Group,” CyberSecurity Industry Alliance General Counsel Liz Gasster is quoted extensively:

The Veterans Benefits, Health Care, and Information Technology Act, largely focused on veterans’ health-care programs, includes a section on information security requiring the VA to report data breaches of any “sensitive” personal information, potentially including breaches where only veterans’ names were exposed, said Liz Gasster, general counsel for the Cyber Security Industry Alliance (CSIA), a trade group representing cybersecurity vendors.

The bill, passed by Congress late last week, requires the VA to report breaches of sensitive personal information to Congress and requires VA Secretary R. James Nicholson to create plans for notifying affected veterans, as well as offering credit monitoring and identity theft insurance to affected veterans.

Hey, another law! I’d missed it!

“Essentially, the loss of a list of names on a piece of paper constitutes a data breach under the law, which seems far too broad,” she said. “Clearly, your name is not sensitive personal information.”

Perhaps Congress has figured out that there are more reasons to know about breaches than identity theft risk. If the VA can’t control data entrusted to it, Congress wants to know, has a right to know, and has a responsibility to know. I’m glad they’re taking interest, and will be able to evaluate the effectiveness of FISMA.

In addition to its potentially broad definition of sensitive personal data, the bill does not exempt the VA from reporting data breaches if the information was encrypted, Gasster said. In supporting a national data breach notification bill, CSIA and other groups have called on Congress to exempt encrypted data from notification rules, saying the exemption would encourage companies and government agencies to encrypt more data.

The lack of an exemption “seems like it deprives the benefit of encryption from the VA,” Gasster said.

This is an odd perspective, perhaps an artifact of the way the conversation is reported. The benefit of encryption is that the data is protected, and the organization that’s encrypted it is protecting those that have entrusted it from privacy infringements. There’s a secondary benefit of not having to report about the breach, but it should be secondary in the minds of civil servants.

Although the bill’s language on personal sensitive information and encrypted data is too broad, in some ways the bill doesn’t do enough to protect consumers, Gasster added. The bill only addresses VA data breaches, not breaches at other government agencies or private companies.

And that really is a shame.

Have Some Soma, and Don’t Mind The Cameras

The BBC reports that “Prozac ‘found in drinking water’” in Britain, and that:

In the decade leading up to 2001, the number of prescriptions for antidepressants went up from nine million per year to 24 million per year, says the paper.

They point to a Observer story, “Stay calm everyone, there’s Prozac in the drinking water.”

So, 24 million people taking Prozac out of a population of 60 million. Now it’s clear to me how people cope with all those cameras.

Photo “It’s rude to stare” by Gilgono.

[Update: Thanks to Philll: prescriptions are a month at a time. So it’s “only” 3% of the population at any one time. Which begs the question of how people cope.

Incidentally, do you read comments? We have awesome commenters here, and an RSS feed for comments.]