Why can’t the CIA hire guys like this?

The Telegraph is concerned that

The most senior British intelligence official, appointed yesterday to oversee MI5, MI6 and GCHQ, has a website revealing his home address, phone numbers and private photographs of himself, family and friends.

The upshot seems to be that the gent in question, Alex Allan, lacks the circumspection one would demand of a high-level intelligence official.
While the Telegraph is loath to reveal at which personal web site Mr. Allan wrote of his personal history — including his love for the Grateful Dead — a simple Google search locates it trivially. From what I saw there, the guy seems intelligent and cool. Perhaps some of the juicier bits have been removed, but much of what the Telegraph goes on about was easy to find, so I don’t know.
Call me naive, but I think the value in seeing the head of a spy agency as a thoughtful human being outweighs the danger wrought by having his address known publicly.
[Photo credit, Ken Towner (via Alex Allan’s secure undisclosed web site)]

Controlling Water

In Controlling Water, Dana writes:

…Alex Stupak, […] dropped this bombshell in my ear with the casual effect of a little bird chirping their daily song.

With no prompt, he said simply, “You know, it’s really just about controlling water,” and walked away.

This simple phrase had the power of a plot-changing Hollywood one-liner, too few words with more effect than realistically possible, delivered at a turning point at which you can see the characters shift indelibly. These words have shifted me.

These “magic white powders” that are given to modern technique, xanthan gum, gellan gum, agar agar, and various modified starches, are simply put, controlling water. And by controlling water, we are controlling texture.

While this fact was a revelation to me, what was even more thought provoking, was how much of my pastry work up to this point was based off controlling water. And it’s not just me folks, it’s you too.

Making dessert. It’s all about controlling water. Cool.


Bye-Bye Pay By Touch!


I’ve always been concerned about biometric systems for payment. I don’t want my fingerprint to be able to access my bank account: I leave fingerprints all over the place. I’m glad to see that biometrics pioneer Pay-By-Touch is shifting focus:

Pay By Touch, which has made a major push in POS biometric payments, is backing off that business, according to a report in the current issue of The Nilson Report, a major payments newsletter.

Tip of the hat to StoreFrontBackTalk, “Pay By Touch Giving Up On Biometric POS?”

A quick clarification: “POS” is industry-speak for “Point of Sale,” not “Piece of Shit.” We apologize for any confusion.

[Update: Evan now relays the news that “Pay By Touch (is) In Bankruptcy Proceeding(s).”]

Photo: Escaped Monkey’s password, posted to Flickr.

How to Blog a Talk

Blogging about your own presentations is tough. Some people post their slides, but slides are not essays, and often make little sense without the speaker.

I really like what Chris Hoff did in his blog post, “Security and Disruptive Innovation Part I: The Setup.”


I did something similar after “Security Breaches Are Good for You: My Shmoocon talk.” I posted a PDF of the slides. I think the PDF is less effective, because you can’t skim it, search it, or excerpt it as easily as with Hoff’s HTML version.

Nice work, Chris!

Wednesday Privacy Roundup

Privacy in the EU has been hugely in the news in the last week. Check these out:
European Union justice ministers Friday agreed on a minimum set of rules protecting the cross-border exchange of personal data by law-enforcement agencies in the 27 member states. There were lots of other proposals discussed, including ones that mimic US-VISIT and data sharing of flight passenger information.
Data Protection Act doesn’t ban parents filming the school play.
Europe’s top privacy regulator has said that European privacy laws will need to be overhauled in just five years’ time.

“I would expect that some five years down the road, we need to see some changes in the existing framework,” said Hustinx, the European Data Protection Supervisor (EDPS). “Where? Not in the principles, although some parts perhaps need to be revisited, my emphasis would be we need more flexible arrangements to make it work better, to make it more effective.”

The European Commission has published a plan to compel EU members to gather more information on air passengers travelling in and out of the EU in what it says is an attempt to combat terrorism. Of course, it’s never that simple:

Statewatch editor Tony Bunyan said that the increased monitoring was unwarranted. “This is yet another measure that places everyone under surveillance and makes everyone a suspect without any meaningful right to know how the data is used, how it is further processed and by whom,” he said. “Moreover, the profiling of all airline passengers has no place in a democracy.”

Back on August 1st, the Office of the Privacy Commissioner of Canada released guidelines for handling breach disclosures. Key Steps for Organizations in Responding to Privacy Breaches lays out the definition of a breach and a high-level process for dealing with breaches, starting with containment, moving through assessment to notification and finally prevention of future breaches.
To assist with the process, the Commissioner also released the Privacy Breach Checklist, which takes the guidance from the first document and reproduces it in an easier-to-follow format for use while an incident is occurring. This checklist in particular would be a great starting point for any incident response team dealing with privacy breaches.


I have been playing with Splunk, for about 45 minutes.
So far, I like it.
I’ve previously been exposed to ArcSight, but what I have more of an affinity for psychologically is not so much a correlation engine, but a great visualization tool that automagically can grok log formats without making me write a hairy regex. I have no idea whether I will use Splunk for anything real, but it made a good first impression. Since my budget is zero, the price of the non-enterprise version looks good, too. I am sure that for those of a less penurious station, there are many more fine contenders.

How Government Can Improve Cyber-Security

In “How Can Government Improve Cyber-Security?” Ed Felten says:

Wednesday was the kickoff meeting of the Commission on Cyber Security for the 44th Presidency, of which I am a member. The commission has thirty-four members and has four co-chairs: Congressmen Jim Langevin and Michael McCaul, Admiral Bobby Inman, and Scott Charney. It was organized by the Center for Strategic and International Studies, a national security think tank in Washington. Our goal is to provide advice about cyber-security policy to the next presidential administration.

First, congratulations on the appointment, Ed! Given that Scott Charney is a chair, I want to be clear that, as always, my comments here are my own.

There are some great comments about economics and motivations, and I’d like to offer up a different answer, which is that the government can improve cybersecurity by helping us gather more and better data.

This is a normal and regular role of government. For example, the US government runs and publishes a census and a statistical abstract of the United States, the CIA produces its World Factbook, the FBI produces Uniform Crime Reports, and the Department of Justice does a National Crime Victimization Survey.

In information security, we have a paucity of good information to help us make good decisions. For example, are insiders really responsible for 70% of all attacks?

Many of the data gathering processes that the government runs are obsessed with secrecy. CERT, ISACs and others sometimes publish statistics, but they’re sparse. Over the last few years, laws relating to reporting data breaches have sprung up in 39 states. Hackers at Attrition.org have assembled a database of over 800 breaches, and Privacy Rights Clearinghouse maintains a similar list. These lists contain specific data on what’s gone wrong at a wide variety of companies and institutions. There are two key lessons we can get from this.

Many of our fears about what happens after a company is breached have turned out to be false. This is the first key lesson. We have feared that companies will go out of business, people will lose their jobs, and customers will flee. Generally, these things happen only in extreme outliers, if at all. (Two companies have gone out of business; average customer churn is about 2%.)

The second lesson comes from studying the data. The dataloss list contains less selection bias about a broader set of incidents than any other public data I’ve ever seen.

So my goal for the 44th Presidency would be to overcome the fear that has held us back from having national cybercrime statistics, in the form of good law requiring breach disclosure.

By good law, I mean breadth of what must be reported on, no expensive and anti-consumer ‘trigger provisions,’ central reporting of detail, and publication of those details and summaries by an agency tasked with data sharing and advancing knowledge.

That said, congratulations on the appointment, and I’d be happy to delve deeper.

Security is never static


There’s a story in the Wall St Journal, “London’s Congestion Fee Begets Pinched Plates”:

This city’s congestion pricing for drivers is heralded around the world for reducing traffic and pollution. It’s also causing an unintended effect: a sharp jump in thieves stealing or counterfeiting license plates.

Thieves are pinching plates by the dozens every day to fool the city’s traffic cameras, which enforce the £8 ($16) daily charge to drive in central London as well as other traffic infractions … With someone else’s license plate on their car, scofflaws can drive around free, and any fines are billed to the plate’s rightful owners.

Before the congestion charge took effect in February 2003, police didn’t bother to track stolen number plates…because so few incidents were reported … Reports of stolen plates in the city spiked to 9,777 last year.

This is precisely the opposite of how we’d want such a system to work: it should catch criminals and ignore the rest of us. [Updated this for clarity.]

Unfortunately, most tracking systems are perverse, and do exactly what we don’t want: criminals learn to get around them, and the general public loses their privacy.

When looking at a system, ask yourself, “Is this good enough to stop people motivated to get around it?” If it’s not, then look at the costs.

We can do this with the new American approach to tourism:

“Since September 11, 2001, the United States has experienced a 17 percent decline in overseas travel, costing America 94 billion dollars in lost visitor spending, nearly 200,000 jobs and 16 billion dollars in lost tax revenue.” (“‘Unwelcoming’ US sees sharp fall in visitors since 9/11,” Discover America travel advocacy group.)

Terrorists are going to enter the country illegally, using paths worn smooth by millions of illegal immigrants. Meanwhile, millions of people are deciding to take their business and leisure elsewhere, because of the harsh face we show the world at our borders.

License plate story via David Lesher in the Risks Digest, tourism story via BoingBoing. Photo by ChiquitaNerd.

Total Kabab Awareness

In a May 2006 post entitled “Codename: Miranda,” I joked about having my grocery purchases linked to another Chicagoan due to poor schema design.
There, I wrote about buying:

… granola, yogurt, hummus — the healthy stuff which probably alerts Admiral Poindexter’s Bayesian classifier to my fifth-column status.

Maybe this wasn’t jocular after all, as a Congressional Quarterly article (referred to by Ryan Singel) reports:

Like Hansel and Gretel hoping to follow their bread crumbs out of the forest, the FBI sifted through customer data collected by San Francisco-area grocery stores in 2005 and 2006, hoping that sales records of Middle Eastern food would lead to Iranian terrorists.
The idea was that a spike in, say, falafel sales, combined with other data, would lead to Iranian secret agents in the south San Francisco-San Jose area.

I hope Miranda is not in Gitmo as a result of my healthy eating habits.

Measuring the Wrong Stuff

There’s a great deal of discussion out there about security metrics. There’s a belief that better measurement will improve things. And while I don’t disagree, there are substantial risks from measuring the wrong things:

Because the grades are based largely on improvement, not simply meeting state standards, some high-performing schools received low grades. The Clove Valley School in Staten Island, for instance, received an F, although 86.5 percent of the students at the school met state standards in reading on the 2007 tests.

On the opposite end of the spectrum, some schools that had a small number of students reaching state standards on tests received grades that any child would be thrilled to take home. At the East Village Community School, for example, 60 percent of the students met state standards in reading, but the school received an A, largely because of the improvement it showed over 2006, when 46.3 percent of its students met state standards. (The New York Times, “50 Public Schools Fail Under New Rating System”)

Get that? The school that flunked has more students meeting state standards than the school that got an A.

There are two important takeaways. First, if you’re reading “scorecards” from somewhere, make sure you understand the nitty-gritty details. Second, if you’re designing metrics, consider what perverse incentives and results you may be getting. For example, if I were a school principal today, every other year I’d forbid teachers from mentioning the test. That year’s students would do awfully, and then I’d have an easy time improving next year.
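To make the metric-design point concrete, here is a small Python model, added as an example and not part of the original post or the Times article. It scores the two schools named in the quote under an absolute-attainment grade and under an improvement-weighted grade, then runs the “tank every other year” strategy from the last paragraph through both. The attainment figures for East Village (46.3% then 60%) and Clove Valley (86.5%) come from the quote; Clove Valley’s prior-year figure, the grade bands, the 80/20 weighting, the 15-point “full credit” gain and the sandbagging schedule are all assumptions chosen to illustrate the inversion, not New York City’s actual formula.

```python
"""Absolute versus improvement-weighted scoring, and how the latter can be gamed.

Added example. The grading formula and thresholds here are constructed for
illustration; they are not the real NYC school progress-report rules.
"""
from dataclasses import dataclass
from typing import Callable, List

# Grade bands on a 0..1 composite score (assumed).
BANDS = [(0.80, "A"), (0.65, "B"), (0.50, "C"), (0.35, "D"), (0.00, "F")]


@dataclass(frozen=True)
class YearResult:
    name: str
    prior_pct: float    # % of students meeting the standard last year
    current_pct: float  # % meeting the standard this year


def band(score: float) -> str:
    """Map a 0..1 composite score to a letter grade using BANDS."""
    for floor, letter in BANDS:
        if score >= floor:
            return letter
    return "F"


def absolute_grade(r: YearResult) -> str:
    """Grade purely on what fraction of students meet the standard this year."""
    return band(r.current_pct / 100.0)


def improvement_grade(r: YearResult, w_improve: float = 0.8,
                      max_gain: float = 15.0) -> str:
    """Grade that weights year-over-year gain heavily (assumed 80/20 split).

    The gain is normalised against an assumed 'full credit' gain of max_gain
    percentage points and clamped to 0..1, so a decline earns zero improvement
    credit rather than a negative score.
    """
    gain = max(0.0, min(1.0, (r.current_pct - r.prior_pct) / max_gain))
    score = (1.0 - w_improve) * (r.current_pct / 100.0) + w_improve * gain
    return band(score)


# Figures from the quoted article; Clove Valley's 2006 value (87.0) is assumed.
EAST_VILLAGE = YearResult("East Village Community School", 46.3, 60.0)
CLOVE_VALLEY = YearResult("Clove Valley School", 87.0, 86.5)


def grades_over_years(name: str, attainment_by_year: List[float],
                      grader: Callable[[YearResult], str]) -> List[str]:
    """Apply a grader year by year, each year's prior being the previous result."""
    return [grader(YearResult(name, prior, current))
            for prior, current in zip(attainment_by_year, attainment_by_year[1:])]


def sandbag_every_other_year(true_pct: float, drop: float, years: int) -> List[float]:
    """Constructed strategy from the post: suppress results every other year so
    the following year shows a large 'improvement'."""
    return [true_pct - drop if i % 2 else true_pct for i in range(years)]


# A steady school versus one gaming the improvement metric (constructed data).
HONEST = [80.0] * 6
SANDBAGGED = sandbag_every_other_year(80.0, 20.0, 6)


if __name__ == "__main__":
    for school in (CLOVE_VALLEY, EAST_VILLAGE):
        print(f"{school.name}: absolute={absolute_grade(school)} "
              f"improvement={improvement_grade(school)}")
    for label, series in (("honest", HONEST), ("sandbagged", SANDBAGGED)):
        print(f"{label}: absolute={grades_over_years(label, series, absolute_grade)} "
              f"improvement={grades_over_years(label, series, improvement_grade)}")
```

Under the absolute grade Clove Valley gets an A and East Village a C; under the improvement-weighted grade the ranking flips to F and A, reproducing the inversion in the quote. The sandbagging school collects an A in every recovery year under the improvement metric while the steady 80% school never rises above F, whereas the absolute grade gives the steady school an A every year. The design lesson for any scorecard, security metrics included, is that a measure rewarding change rather than state is only as good as your ability to detect deliberately manufactured baselines.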