I was on the last flight back west on a Friday night, glad that it looked likely I was going to get home. Even better, I’d been upgraded. I flopped into my seat, pulling out the noise-canceling headphones, laptop power adapter, books, and all that other stuff that makes a long flight an oasis of irony.
The guy in the window seat was on the phone, saying the usual stuff you hear from people who are smart enough not to do business on the mobile. “Yeah, honey, I love you too.” “Good to be home this weekend.” That sort of washed over me as I thought, “Aww, that’s sweet.” (My SO and I text each other, and I was firing off a few equivalents, myself.) Then he said something that jolted me out of my hearing-yet-not-paying-attention.
The music of his voice shifted from rubato and legato to marcato and strict tempo. “You tell Connor,” he said, “that when I get home, I don’t want the first words out of his mouth to be, ‘Where’s my iPod?’” I suppressed staring, but my eyes bounced off of the end of their swivel pins.
I thought, “Dude, you stole your kid’s iPod!” There was silence on his end, and I have no idea what she said. I just thought again, loudly, hoping his conscience might hear, “Guy! You stole your kid’s iPod! I mean, jeez, I can see ‘borrowing’ it once to see if you like this whole digital music stuff, but DFW’s got a bleeding vending machine for the critters right at A19! Can’t you at least bury a Shuffle in your expenses?”
So Connor, if you read this because we’re 1337-ish, show this post to your dad. And if he’s still being cheap, install Limewire on his laptop and start sharing Sinatra or something. Maybe the RIAA will notice.
photo courtesy of Michael P. Whelan.
So there’s been a stack of news stories on TJX and the issues with their database. I want to comment on an aspect of the story not getting a lot of coverage. In the Cincinnati Enquirer story, “Fifth Third has role in TJX hole,” Mike Cook is quoted as saying, “If you are a consumer and you’re part of the TJX breach, you are hoping it’s 10 million people because the chance of your name being misused goes down considerably depending on the size of the data breach.”
I don’t buy it. What we’re doing is telling criminals they need to scale up their exploit techniques and networks. We did that with spamming and phishing. Bad idea.
Some other news tidbits I found interesting:
- Mass TV channel WHDH reports that Attorney General Coakley was a victim of identity theft
- In “TJX Data Theft Just Keeps Getting Worse,” Chris Wysopal points out what a bad idea it is to give your driver’s license to return something to a store. I wonder, are the people who operate the ‘return management networks’ liable?
- Dissent writes “On the alleged ‘costs’ of breaches”
- The Wall St Journal reports that a “Bill Would Punish Retailers For Leaks of Personal Data.” I think that this is a bad idea today. We don’t have honest advice about cost-effective ways to prevent these things [see update], so retailers aren’t the right place for liability. (Perhaps liability for storing old data, or collecting SSNs, driver’s licenses, etc. But not for holding current credit card information.)
- Risk Management insight: “Way Out of Perspective” compares the results of TJX suffering a breach, and ‘some kid who ran a warez ring.’
It’s my understanding that the shopping bags in the photo aren’t full of clothes. (Photo from here, original context unclear.)
[Update: by 'these things' I was intending to imply not only credit card issues, but the gamut of information security issues that might arise. If you think we do have economic advice to give, consider submitting a paper to the workshop on the economics of information security: they explicitly ask for papers on 'optimal security investment']
At Balkinization, Scott Horton discusses how “Two Hundred Years Ago Today, the Global Campaign for Human Rights Achieved Its First Victory:”
“As soon as ever I had arrived thus far in my investigation of the slave trade, I confess to you sir, so enormous, so dreadful, so irremediable did its wickedness appear that my own mind was completely made up for the abolition. A trade founded in iniquity, and carried on as this was, must be abolished, let the policy be what it might, – let the consequences be what they would, I from this time determined that I would never rest till I had effected its abolition.”
- William Wilberforce, speech before the House of Commons, May 12, 1789, Hansard vol. 28, col. 68
Today the cause of universal human rights celebrates an important anniversary. On this day two hundred years ago, the Parliament at Westminster voted an act for the abolition of the slave trade. A few decades later, Parliament also voted the manumission of slaves throughout the British Empire. By that time, in the 1830s, the trafficking in slaves was viewed as a jus cogens crime by legal scholars around the world and the global movement to abolish slavery altogether was well launched.
Scott says much and says it well. Go read his post for the history, the nature of the arguments put forth, their relationships to today, and the biographic information about Wilberforce.
I’m left, then, with few things to add, and so I’ll say them briefly.
Advances in human freedom are cause for celebration.
There were strong economic arguments for the institution of slavery, but sometimes you have to do the right thing, even if it costs.
Painting from American University Slave Trade case studies
Back in September, we covered how Pakistan and Waziristan had a peace deal, essentially, a deal with al Qaeda. In it, I commented on how people would get medals for “convincing al Qaeda to get a territorial base which we can bomb.” Now, in “Al Qaeda Chiefs are seen to regain power,” the Times reports: “One counterterrorism official said that some within the Pentagon were advocating American strikes against the camps…”
Even more disturbing, Global Guerrillas has analysis in “Al Qaeda Redux:”
With all indications that the US is in withdrawal, a new attack is likely needed to propel the US back into aggressive action (see “Al Qaeda’s Grand Strategy: Superpower Baiting” for more on why).
As promised last week, I have more to say on selling security. Well, sort of. Actually, I’m going to try a new approach. I’m increasingly convinced that to get real attention on security, we need to stop thinking about selling, awareness, or even training users. We need to be marketing security; more specifically, we need to be creating passionate users.
I’m hoping that I’m not going to get Mordaxus’s dander up too much with my semantics, but I think this is an important distinction that Kathy Sierra explains far better than I can in “Marketing should be education, education should be marketing”:
Do you want passionate users? Educate them. Do you want passionate learners? Sell them. If ever there were two groups who ought to trade places–and especially research — it’s teachers and marketers. Our mantra here is, “Where there is passion, there is a user kicking ass…” and by “kicking ass” we mean “being really good at something.” In the post-30-second-spot world, the marketing department should become the learning department. Meanwhile back in schools, teachers should become…marketers.
So my recommendation is to make friends with your marketing department. Find someone who is interested in security and get their assistance in putting together an effective program. In brief, the goal is to have a company full of people who care about security. This means not telling them what they can’t do, but telling them how they can help the company. Is this just spin? Yes. Am I talking about indoctrinating users? Yes. Will it be far more effective than telling users not to click on attachments in email? I think so…
[Edit: The Security Catalyst had a post yesterday talking about similar issues]
[Image is the cover of Citizen Marketers]
TJX appears to have suffered little financial fallout. Its stock fell just 2 percent yesterday after the company disclosed the new problems, along with its fourth-quarter earnings. For the three months ended Jan. 27, TJX said, profit fell to $205 million from $288 million in the same period a year earlier.
Store closings led TJX to take a $38 million charge, while the cost of investigating the breach and upgrading systems was $5 million through the end of the quarter.
On an earnings webcast with analysts yesterday, TJX executives said that store traffic through the end of January hasn’t suffered since its Jan. 17 announcement of the security breach. “I want to assure our shareholders that our operational management team isn’t being distracted from our core business or our opportunities to grow,” said chief executive Carol Meyrowitz on the webcast.
Mark Montagna, analyst at CL King in New York, said yesterday’s share decline had more to do with lower-than-expected earnings guidance TJX gave yesterday than the data problems.
“I don’t think that overall Wall Street is seeing it as that big an issue,” Montagna said.
He praised TJX’s management and noted that other retailers have faced similar security problems. “Once they get this resolved, it’s behind them,” he said.
“TJX says theft of data may go back to 2005”, Boston Globe, 2/22/2007
Where to start on this one?
Trust as we use it means so many things. Then there’s the word trusted. Beyond that, there is trustworthy. A bullet point on a slide I recently saw said, “Trusted computing is not trustworthy computing.” Oh, how nice. Even better, “Trusted Computing does not mean trustworthy or secure.” I must ask in what sense is trust anything but jargon (at best) or newspeak (at worst), with hyperbole being a middle interpretation?
Isaac Newton said that for every hyperbole, there’s an equal and opposite hyperbole. Confirming this law of nature, Richard Stallman has declared that trusted computing is actually treacherous computing. Thus we have Orwell satisfied. War is peace; freedom is slavery; trust is treachery.
A good deal of the problem is that trust is transitive. No, not that way. Not in the sense that if Alice trusts Bob and Bob trusts Carol, then Alice trusts Carol. Transitive as in a verb that takes a direct object. Of course we all trust our mothers. But if you “trust your mother with your life,” does that mean you trust your mother to change a firewall rule in your router? Trust is not only a transitive verb, but it is a situational transitive verb.
We in security use trust not as a transitive verb, but as a noun, and worse, an adjective. This leads to many strange things. Among them:
- “Trust is willingness to do something risky on behalf of another human.” I wish this were merely a typo because this is the opposite of trust. I might be willing to let you do something if I trust you, but your willingness is not trust, it is willingness. Trust may be a precondition for my willingness, but it may be that my willingness is thin because I have no choice. I trust Bill Gates, Steve Jobs, and Linus Torvalds, but it’s not like I have an alternative.
- “Trust is risk.” Not bad. But as we know from economics, risk is money. Therefore, through transitivity, trust is money.
- “A trusted system is one that can screw you.” Yup, and precisely my point. When I trust my OS, I trust it in the sense that I just have to take a deep breath and hope.
Let’s stop using the word trust. Don’t say trustworthy metadata if you mean believable metadata. Don’t say trust if you mean control, risk, willingness, confidence, or reliance. Use those words. Trust is stale and vague. It would be best if we stop using it.
That is easier said than done, given the way we habitually use it. Nonetheless, we should fight new uses of the word, if for no other reason than a smart consumer will run screaming if they hear you use it, because when trust is used with security, it means something bad is going to happen. It means exactly what “This won’t hurt a bit” does. The faster you flee it, the faster the irony becomes apparent to all.
In “Once a data loss report, always a data loss report?” Dissent asks about what we should be collecting and analyzing.
Scenario 1: “We thought we had lost a computer with sensitive customer records, but it turns out we didn’t lose it.”
Should that entry in a breach list be removed? I think that the answer depends, in part, on the stated inclusion criteria for the list, the stated or anticipated purpose/intended usage of the list, and on whether the list compiler has been provided with a statement by the agency or business to support the claim of no loss.
If the inclusion criteria are worded so as to only include agencies or businesses where records were actually compromised or might have been accessed, then one might see some merit in an argument to remove the entry in our hypothetical case. Common sense would dictate that if I say “I lost my wallet!” but then find it an hour later in another room in my house or under a pile of papers on my desk, it wasn’t really “lost” and no harm, no foul, right?
But what if one of the purposes of the list is to enable tracking and analysis of costs associated with notifications and our hypothetical company had already made a notification before discovering the hardware on their premises?
I just want to chime in and say that errors and recoveries are fascinating numbers to learn about as well. How many lost tapes are recovered in a week or a month? Is anyone wrapping their backups in tamper-evident tape? (What would that even do to a drive’s read mechanism?) Laptops are clearly not tamper-evident, and the Dataloss forensics page explains how a thief could silently pull data from a machine using well-known techniques.
Also, if some fraction of reports are erroneous, what’s the source of those errors? Seems like a useful question to ask, and we can’t do it if databases are redacted.
Finally, scientific reproducibility, that is, the ability for a researcher to look at data and see if the same results come out, requires that the data be made available.
The New York Times writes about “The Higher Power of Lucky”, a children’s book which recently won the Newbery Medal. As someone who has purchased his share of kids’ books, I assure you that the Newbery — and its companion the Caldecott Medal — signal quality to buyers.
In this case, though, some parents and librarians in the more benighted areas of our fine nation are staying away. The problem is that the book’s young protagonist overhears the word “scrotum” (as a boy relates a seemingly tragic story involving his dog and a rattlesnake [OUCH!]), and wonders what it means. This, it seems, is too much for some of the people we pay to help teach our children about books, learning, and the power of language:
“I don’t think our teachers, or myself, want to do that vocabulary lesson,” said one New York school librarian, and “If I were a third- or fourth-grade teacher, I wouldn’t want to have to explain that,” quoth a NJ colleague (both quoted in the Times).
The thing about great teachers — and I am lucky enough to have had my share — is that they don’t just “teach you stuff”. They teach you how to learn for yourself. So, an appropriate response to the awkward question these people fear is something as simple as “Why don’t you look it up in the dictionary?”
I bought my copy today. Ballsy writing should be rewarded.