Not Selling But Marketing

As promised last week, I have more to say on selling security. Well, sort of. Actually, I’m going to try a new approach. I’m increasingly convinced that to get real attention on security, we need to stop thinking about selling, awareness or even training users. We need to be marketing security; more specifically, we need to be creating passionate users.
I’m hoping that I’m not going to get Mordaxus’s dander up too much with my semantics, but I think this is an important distinction that Kathy Sierra explains far better than I can in “Marketing should be education, education should be marketing”.

Do you want passionate users? Educate them. Do you want passionate learners? Sell them. If ever there were two groups who ought to trade places–and especially research — it’s teachers and marketers. Our mantra here is, “Where there is passion, there is a user kicking ass…” and by “kicking ass” we mean “being really good at something.” In the post-30-second-spot world, the marketing department should become the learning department. Meanwhile back in schools, teachers should become…marketers.

So my recommendation is: make friends with your marketing department. Find someone who is interested in security and get their assistance in putting together an effective program. In brief, the goal is to have a company full of people who care about security. This means not telling them what they can’t do, but telling them how they can help the company. Is this just spin? Yes. Am I talking about indoctrinating users? Yes. Will it be far more effective than telling users not to click on attachments in email? I think so…
[Edit: The Security Catalyst had a post yesterday talking about similar issues]
[Image is the cover of Citizen Marketers]

Why We Fight

TJX appears to have suffered little financial fallout. Its stock fell just 2 percent yesterday after the company disclosed the new problems, along with its fourth-quarter earnings. For the three months ended Jan. 27, TJX said, profit fell to $205 million from $288 million in the same period a year earlier.
Store closings led TJX to take a $38 million charge, while the cost of investigating the breach and upgrading systems was $5 million through the end of the quarter.
On an earnings webcast with analysts yesterday, TJX executives said that store traffic through the end of January hasn’t suffered since its Jan. 17 announcement of the security breach. “I want to assure our shareholders that our operational management team isn’t being distracted from our core business or our opportunities to grow,” said chief executive Carol Meyrowitz on the webcast.
Mark Montagna, analyst at CL King in New York, said yesterday’s share decline had more to do with lower-than-expected earnings guidance TJX gave yesterday than the data problems.
“I don’t think that overall Wall Street is seeing it as that big an issue,” Montagna said.
He praised TJX’s management and noted that other retailers have faced similar security problems. “Once they get this resolved, it’s behind them,” he said.

“TJX says theft of data may go back to 2005”, Boston Globe, 2/22/2007

Wretched Word of the Week: Trust

Where to start on this one?

Trust as we use it means so many things. Then there’s the word trusted. Beyond that, there is trustworthy. A bullet point on a slide I recently saw said, “Trusted computing is not trustworthy computing.” Oh, how nice. Even better, “Trusted Computing does not mean trustworthy or secure.” I must ask in what sense is trust anything but jargon (at best) or newspeak (at worst), with hyperbole being a middle interpretation?

Isaac Newton said that for every hyperbole, there’s an equal and opposite hyperbole. Confirming this law of nature, Richard Stallman has declared that trusted computing is actually treacherous computing. Thus we have Orwell satisfied. War is peace; freedom is slavery; trust is treachery.

A good deal of the problem is that trust is transitive. No, not that way. Not in the sense that if Alice trusts Bob and Bob trusts Carol, then Alice trusts Carol. Transitive as in a verb that takes a direct object. Of course we all trust our mothers. But if you “trust your mother with your life,” does that mean you trust your mother to change a firewall rule in your router? Trust is not only a transitive verb, but it is a situational transitive verb.

We in security use trust not as a transitive verb, but as a noun, and worse, an adjective. This leads to many strange things. Among them:

  • “Trust is willingness to do something risky on behalf of another human.” I wish this were merely a typo because this is the opposite of trust. I might be willing to let you do something if I trust you, but your willingness is not trust, it is willingness. Trust may be a precondition for my willingness, but it may be that my willingness is thin because I have no choice. I trust Bill Gates, Steve Jobs, and Linus Torvalds, but it’s not like I have an alternative.
  • “Trust is risk.” Not bad. But as we know from economics, risk is money. Therefore, through transitivity, trust is money.
  • “A trusted system is one that can screw you.” Yup, and precisely my point. When I trust my OS, I trust it in the sense that I just have to take a deep breath and hope.

Let’s stop using the word trust. Don’t say trustworthy metadata if you mean believable metadata. Don’t say trust if you mean control, risk, willingness, confidence, or reliance. Use those words. Trust is stale and vague. It would be best if we stop using it.

That is easier said than done, given the way we habitually use it. Nonetheless, we should fight new uses of the word, if for no other reason than a smart consumer will run screaming if they hear you use it, because when trust is used with security, it means something bad is going to happen. It means exactly what “This won’t hurt a bit” does. The faster you flee it, the faster the irony becomes apparent to all.

Photo “Trust” courtesy of

Data Collection about Breaches

In “Once a data loss report, always a data loss report?” Dissent asks about what we should be collecting and analyzing.

Scenario 1: “We thought we had lost a computer with sensitive customer records, but it turns out we didn’t lose it.”

Should that entry in a breach list be removed? I think that the answer depends, in part, on the stated inclusion criteria for the list, the stated or anticipated purpose/intended usage of the list, and on whether the list compiler has been provided with a statement by the agency or business to support the claim of no loss.

If the inclusion criteria are worded so as to only include agencies or businesses where records were actually compromised or might have been accessed, then one might see some merit in an argument to remove the entry in our hypothetical case. Common sense would dictate that if I say “I lost my wallet!” but then find it an hour later in another room in my house or under a pile of papers on my desk, it wasn’t really “lost” and no harm, no foul, right?

But what if one of the purposes of the list is to enable tracking and analysis of costs associated with notifications and our hypothetical company had already made a notification before discovering the hardware on their premises?

I just want to chime in and say that errors and recoveries are fascinating numbers to learn about as well. How many lost tapes are recovered in a week or a month? Is anyone wrapping their backups in tamper-evident tape? (What would that even do to a drive’s read mechanism?) Laptops are clearly not tamper evident, and the Dataloss forensics page explains how a thief could silently pull data from a machine using well known techniques.

Also, if some fraction of reports are erroneous, what’s the source of those errors? That seems like a useful question to ask, and we can’t ask it if databases are redacted.

Finally, scientific reproducibility, that is, the ability for a researcher to look at the data and see if the same results come out, requires that the data be made available.

Award-winning scrotum

The New York Times writes about “The Higher Power of Lucky“, a children’s book which recently won the Newbery Medal. As someone who has purchased his share of kids’ books, I assure you that the Newbery — and its companion the Caldecott Medal — signal quality to buyers.
In this case, though, some parents and librarians in the more benighted areas of our fine nation are staying away. The problem is that the book’s young protagonist overhears the word “scrotum” (as a boy relates a seemingly tragic story involving his dog and a rattlesnake [OUCH!]), and wonders what it means. This, it seems, is too much for some of the people we pay to help teach our children about books, learning, and the power of language:

I don’t think our teachers, or myself, want to do that vocabulary lesson

said one New York school librarian,

If I were a third- or fourth-grade teacher, I wouldn’t want to have to explain that.

quoth a NJ colleague (both quoted in the Times).
The thing about great teachers — and I am lucky enough to have had my share — is that they don’t just “teach you stuff”. They teach you how to learn for yourself. So, an appropriate response to the awkward question these people fear is something as simple as “Why don’t you look it up in the dictionary?”
I bought my copy today. Ballsy writing should be rewarded.


There’s A List?

I received the following in the mail the other week and while I was initially amused that I was getting this without asking for it, it took my wife pointing out the irony of there being an actual directory at all:

More On Selling Security

Chandler says that he “would rather be understood than perfect” in response to Mordaxus’s call to stop cutesy names for attacks. In doing so, he says:

Second (and I know this has been mentioned elsewhere in the world), instead of talking about vulnerabilities within the Software Development Lifecycle, I just talk generically about them as a post-release defect which contributes to the Cost Of Poor Quality. That’s something which is meaningful and whose costs can be inferred back onto the organization that produced them. And since Qwality is important around here, it gets traction with the developers in a way that “security matters…really” never quite did.
So when thinking about how to explain risk issues to The Business, ask yourself: Would I rather be perfect or understood?

This is an extremely important point that gets bandied about by CSOs but is rarely expounded upon in detail. When trying to sell security, don’t talk in terms of security; talk in terms of the value to the business. What this means is that you need to change your communications strategy. In the example above, note how Chandler doesn’t talk about vulnerabilities but about quality. So what you need to do is talk about the cost of delays in production cycles brought on by the need to produce patches, and the time spent by the support organization helping customers deal with those patches. Being on the IT side of security is 90% about marketing and sales and 10% about technology. If you really want to improve security at your company, go to the business units, ask them what their concerns are, and demonstrate in their terms how you can help them achieve their goals safely. More on this next week…

Advances in Conference Usability

A little bird reports that at the Usable Security Conference they handed out conference proceedings in PDF form on a flash drive. I’m told that the flash drive was cheaper than printing on paper. I hope this trend spreads, as I’m always lugging back paper from conferences along with the inevitable bag or t-shirt. Flash drives are easier to carry, and if I get too many of them, I can always put them together into a RAID drive.
Those clever usability experts. What will they think of next?
Photo “Gersterbrot” courtesy of hannesstruss

DVD Player Advice?

I’d like to buy a cheap DVD player, and bet someone reading can tell me: Who’s the Apex of 2007? That is, who’s making cheap, consumer-friendly DVD players? I’d like one that’s:

  • region-free
  • fully controllable (none of that “we’re sorry, you have to watch the ads” crap)
  • good at error-correcting for scratched up DVDs.

Let’s Stop Cutesy Names for Attacks

Orwell said it best in “Politics and the English Language,” and if you haven’t read him recently, you should. Abuse of the language has adverse effects on thought, and it’s true in security as well as politics. He gives some wretched examples and says of them:

Each of these passages has faults of its own, but, quite apart from avoidable ugliness, two qualities are common to all of them. The first is staleness of imagery; the other is lack of precision.

There are many examples of this in security terminology, but I’ll give a few.

Pharming
This is the term that has set me off on the present rant. The person who just used it in a meeting I’m in said “pharming” and then screwed up his face when he perceived a blank look or three and said, “Well, pharming is a name for a number of attacks, which are all DNS spoofing attacks.” I bit my tongue and did not say, “Then why didn’t you say ‘DNS attacks’?” and then sat down to this rant.

Pharming has both of the faults Orwell mentions. It’s stale (being a back-formation from phishing) and imprecise. It’s so imprecise that one can’t imagine what it is just from the name. I could complain about phishing itself, but it is at least poetic and suggestive of the actual criminal activity, and that particular spelling appeared as early as 1996 in an AOL password-stealing scam. However, the word forgery was created for this very case.

Anything else that uses a ph instead of an f
When Jon Fishman started a band with his college chums, it was cute. It is merely cutesy now. Please stop, unless it adds so much precision that the staleness is overcome.

Social Engineering
It’s a con job. One of its most notorious users at least had the grace to call it deception.

Deception. Impersonation. Fraud.

Using cutesy terms is jargon at its worst. It creates a group of insiders and outsiders, where the insiders can wrap their minds around the problem and the outsiders can’t. We need to have security understood by non-experts. We need less jargon, not more.

This lack of clarity hurts people. The State of California recently defeated a proposed anti-pretexting law because the MPAA argued that there were legitimate uses for it. It’s harder to defend impersonation and fraud when it is called impersonation and fraud. Cutesiness is euphemism.

Don’t be a cutesy monkey. Use precise language. Use powerful language. Don’t let the bad guys get away with defending the indefensible, as Orwell put it, with euphemism. While you’re at it, read or re-read Orwell’s essay.

Photo “Emily and me kiss kiss da cutesy monkey” courtesy of Nanikas.

Professional Ethics

Cutaway’s post about ethics at RSA reminded me that I wanted to post about this as well. Like Cutaway, I attended “Professional Ethics in the Security Disciplines”, which was chaired by Howard Schmidt; the panelists were representatives of SANS, (ISC)², ASIS and ISACA. All in all, despite Howard’s expert moderation, I remain underwhelmed by the idea of certification authorities enforcing ethical standards. All of the panelists avoided answering questions related to the number of complaints they had received and the number of members actually disciplined.
I’m going to limit my comments for the most part to (ISC)², since I haven’t had any interactions with, nor am I a member of, the other organizations. My first issue is the lack of transparency in the process by which investigations are done and the apparent lack of any appeals process. After talking privately with Cutaway, I found out that at least in the case of SANS, the ethics committee is not part of the GIAC certification team, which is an excellent start to improving things.
My next issue is that (ISC)² requires that potential CISSPs read and sign a statement of ethics. That’s all well and good, except at no point is there any reminder of what you signed or any requirement to reaffirm that such a code exists. Even my employer requires that I sign a document like that each year.
Finally, at least one speaker (unfortunately I don’t remember which one) made the statement which the rest of the panel agreed with: “We certify knowledge, not qualifications for employment”. I’m curious how they are certifying my knowledge of ethics when:

  • There is no discussion of ethics in any of the training.
  • There are no questions about ethics on the CISSP exam.
  • Ethics is not part of the CBK.

So what it sounds like to me is that (ISC)² is really using the ethics requirement as a reason to protect the name of the certification and not to advance either the individual or the profession. (ISC)² and other groups like to equate security professionals to lawyers and doctors; if they are really interested in doing so, they should be providing actual training and discussion about ethics and not just use it as a hammer when convenient.
Update: Since some folks have asked me, the California State Bar publishes the Ethics Hotliner, which covers news and developments on ethics issues. Bar rules are handled on a state-by-state basis; presumably other states have similar offerings. Also, I’m told that chiropractors are required to take safety and/or ethics classes as part of maintaining their certification, which is good for four years. Several states, including Texas and Nevada, specifically require ethics training as part of the mandatory continuing education needed to maintain medical licenses, while other states such as Massachusetts require both a course of study on current regulations and a course on risk management.
[Image is Ethic&Disciplin from NathanaelArcher]

Credentica Launches U-Prove

Montreal, QC (PRWEB) February 13, 2007 — Credentica, a Montreal-based provider of innovative security software for identity and access management, today announced the immediate availability of its U-Prove product for user-centric identity management. The U-Prove product enables organizations to protect identity-related information with unprecedented security throughout its lifecycle, wherever it may travel. It is tailor-made for online user authentication that must withstand phishing attacks, for sharing identity information across disparate domains, and for creating the digital equivalent of the cards in one’s wallet.

Credentica will demonstrate the U-Prove product and its application to Government Online on February 15 and 16 in industry booth #15 at the 8th Annual Privacy and Security Conference and Exposition in Victoria, British Columbia (see Demonstrations will be given every hour on both days, on the hour. In addition, Dr. Brands will give a keynote presentation in the morning of February 15 and will participate later that same day in two panels on identity and authentication.

Sorry to be quoting the press release, but Stefan Brands’ work is really important. It offers a set of new and more flexible choices along the identity slider. I’m glad they’re launching.

Go check this out.

[Edit: Corrected spelling of Credentica in the title. Thanks Gunnar!]

Ignite Seattle

I attended Ignite Seattle last night. It was awful. Don’t attend next time. No, just kidding. It was great, and very crowded. There were some really awesome talks. I’m inspired to put a talk together for next time. My favorites from last night were:

Elisabeth Freeman gave a great talk on how the Head First folks use Csikszentmihalyi’s flow theory to write books that teach you stuff, rather than poking you in the eye. I’m all in favor of not being poked in the eye.

Hillel from talked about how to enjoy food.

Finally, even if the fellow hadn’t been a jolt of extropian goodness, how could I not love a blog called Embracing Chaos?

When they get the videos up, I’ll link to these.

[updating regularly with more URLy goodness. Early goodness? Late goodness?]

Identity theft numbers: Javelin vs. FTC

So there was a bunch of press last week from a company (Javelin) claiming that ID theft was falling. Consumer Affairs has a long article contrasting Javelin and FTC numbers, well summarized by the claim that “FTC Findings Undercut Industry Claims that Identity Theft Is Declining.”

I think that there’s an interesting possibility which isn’t getting enough analysis, and that is that the probability of knowing how you were impersonated is conditional on knowing the impersonator.

Let’s start with some numbers:

  • 26% of victims can name the perpetrator
  • Of those 26%, 40% know the perpetrator (that is, just over 10% of id theft is known to have been performed by someone who the victim knows)

There are a number of statements that are consistent with the data:

  1. The 26% of victims who can name the perpetrator are randomly selected from the set of all ID theft victims (or)
  2. There is a correlation between “knowing the perpetrator” and “being able to name them.”

Intuitively, there’s some logic to the latter. If cousin Alice goes to jail, she’s going to be the subject of family gossip. Now, if (1) is true, then for all ID theft victims, 40% should know the perpetrator. If (2) is true, then perhaps 11% of ID theft is committed by someone the victim knows, and 90% of that is detected. Or perhaps 90% of ID theft is committed by someone the victim knows, and that’s only detected 27% of the time. Intuitively, I find the first possibility easier to accept: that in most local ID fraud, the victim discovers that it was locally done, either because the police make an effort to tell the victim about it, or because someone goes to jail, or because bill collectors end up providing information (such as an address or phone #) that helps the victim identify the perpetrator.

It might well be possible to test these hypotheses.
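A small check of the arithmetic behind the two hypotheses, added here as an example and not part of the original post: treating the two figures above as a joint probability shows that the data pin down only P(knows the perpetrator and can name them), so every hypothesised base rate of theft by a known party implies a detection rate, and the numbers alone cannot reject either hypothesis. The base rates passed in below are hypothetical inputs, not page figures.

```python
"""Consistency check on the identity-theft figures quoted in the post.

Constructed example. The only inputs taken from the post are:
  - 26% of victims can name the perpetrator
  - of those, 40% know the perpetrator
Every base rate fed to implied_detection_rate() is a hypothetical value.
"""

CAN_NAME = 0.26           # post figure: victims who can name the perpetrator
KNOWN_GIVEN_NAMED = 0.40  # post figure: of those, share who know the perpetrator


def joint_known_and_named(can_name=CAN_NAME, known_given_named=KNOWN_GIVEN_NAMED):
    """P(victim knows the perpetrator AND can name them).

    This is the only quantity the two figures fix (the 'just over 10%' in the
    post). Any hypothesis has to reproduce it."""
    return can_name * known_given_named


def hypothesis_random_sample(can_name=CAN_NAME, known_given_named=KNOWN_GIVEN_NAMED):
    """Hypothesis (1): the 26% who can name the perpetrator are a random sample
    of all victims, so naming is independent of knowing. Then the overall share
    of theft by a known party equals the share seen in the sample (40%), and the
    rate at which known-perpetrator cases get named is just 26%."""
    base_rate = known_given_named
    detection = can_name
    return base_rate, detection


def implied_detection_rate(base_rate, can_name=CAN_NAME, known_given_named=KNOWN_GIVEN_NAMED):
    """Hypothesis (2): naming and knowing are correlated. For a hypothesised
    base rate p of theft by a known party, the data force the detection rate
    d = P(known and named) / p. Returns None when p is too small to explain
    the data (d would exceed 1)."""
    if not 0.0 < base_rate <= 1.0:
        raise ValueError("base rate must be a probability in (0, 1]")
    d = joint_known_and_named(can_name, known_given_named) / base_rate
    return d if d <= 1.0 else None


def is_consistent(base_rate, detection, tol=1e-9):
    """True if a (base rate, detection rate) pair reproduces the observed joint
    probability, i.e. the two published figures cannot reject it."""
    return abs(base_rate * detection - joint_known_and_named()) < tol


if __name__ == "__main__":
    print(f"P(known and named) = {joint_known_and_named():.3f}")
    p1, d1 = hypothesis_random_sample()
    print(f"(1) base rate {p1:.2f}, detection {d1:.2f}, consistent: {is_consistent(p1, d1)}")
    for p in (0.11, 0.40, 0.52):  # hypothetical base rates
        d = implied_detection_rate(p)
        print(f"(2) base rate {p:.2f} -> detection {d:.3f}, consistent: {is_consistent(p, d)}")
```

The practical upshot is that discriminating between (1) and (2) needs a third number the post does not have, the share of all victims who know the perpetrator, regardless of whether they could name them.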

(Consumer affairs link via Pogo Was Right. Photo by DJ Wudi)