I have been playing with Splunk, for about 45 minutes.
So far, I like it.
I’ve previously been exposed to Arcsight, but what I have more of an affinity for psychologically is not so much a correlation engine, but a great visualization tool that automagically can grok log formats without making me write a hairy regex. I have no idea whether I will use Splunk for anything real, but it made a good first impression. Since my budget is zero, the price of the non-enterprise version looks good, too. I am sure that for those of a less penurious station, there are many more fine contenders.

How Government Can Improve Cyber-Security

In “How Can Government Improve Cyber-Security?” Ed Felten says:

Wednesday was the kickoff meeting of the Commission on Cyber Security for the 44th Presidency, of which I am a member. The commissionhas thirty-four members and has four co-chairs: Congressmen Jim Langevin and Michael McCaul, Admiral Bobby Inman, and Scott Charney. It was organized by the Center for Strategic and International Studies, a national security think tank in Washington. Our goal is to provide advice about cyber-security policy to the next presidential administration.

First, congratulations on the appointment, Ed! Given that Scott Charney is a chair, I want to be clear that, as always, my comments here are my own.

There are some great comments about economics and motivations, and I’d like to offer up a different answer, which is that the government can improve cybersecurity by helping us gather more and better data.

This is a normal and regular role of government. For example, the US government runs and publishes a census, a statistical abstract of the United States, the CIA produces their World Factbook, and the FBI produces Uniform Crime Reports, and the Department of Justice does a National Crime Victimization Survey.

In information security, we have a paucity of good information to help us make good decisions. For example, are insiders really responsible for 70% of all attacks?

Many of the data gathering processes that the government runs are obsessed with secrecy. CERT, ISACs and others sometimes publish statistics, but they’re sparse. Over the last few years, laws relating to reporting data breaches have sprung up in 39 states. Hackers at Attrition.org have assembled a database of over 800 breaches, and Privacy Rights Clearinghouse maintains a similar list. These lists contain specific data on what’s gone wrong at a wide variety of companies and institutions. There are two key lessons we can get from this.

Many of our fears about what happens after a company is breached have turned out to be false. This is the first key lesson. We have feared that companies will go out of business, people will lose their jobs, and customers will flee. Generally, these things happen only in extreme outliers, if at all. (Two companies have gone out of business; average customer churn is about 2%.)

The second lesson comes from studying the data. The dataloss list contains less selection bias about a broader set of incidents than any other public data I’ve ever seen.

So my goal for the 44th Presidency would be to overcome the fear that has held us back from having national cybercrime statistics, in the form of good law requiring breach disclosure.

By good law, I mean breadth of what must be reported on, no expensive and anti-consumer ‘trigger provisions,’ central reporting of detail, and publication of those details and summaries by an agency tasked with data sharing and advancing knowledge.

That said, congratulations on the appointment, and I’d be happy to delve deeper.

Security is never static


There’s a story in the Wall St Journal, “London’s Congestion Fee
Begets Pinched Plates

This city’s congestion pricing for drivers is heralded around the world for reducing traffic and pollution. It’s also causing an unintended effect: a sharp jump in thieves stealing or counterfeiting license plates.

Thieves are pinching plates by the dozens every day to fool the city’s traffic cameras, which enforce the £8 ($16) daily charge to drive in central London as well as other traffic infractions … With someone else’s license plate on their car, scofflaws can drive around free, and any fines are billed to the plate’s rightful owners.

Before the congestion charge took effect in February 2003, police didn’t bother to track stolen number plates…because so few incidents were reported … Reports of stolen plates in the city spiked to 9,777 last year.

This is precisely the opposite of how we’d want such a system to work: it should catch criminals and ignore the rest of us. [Updated this for clarity.]

Unfortunately, most tracking systems are perverse, and do exactly what we don’t want: criminals learn to get around them, and the general public loses their privacy.

When looking at a system, ask yourself, “is this good enough to stop people motivated to get around it? If it’s not, then look at the costs.

We can do this with the new American approach to tourism:

“Since September 11, 2001, the United States has experienced a 17 percent decline in overseas travel, costing America 94 billion dollars in lost visitor spending, nearly 200,000 jobs and 16 billion dollars in lost tax revenue. (“‘Unwelcoming’ US sees sharp fall in visitors since 9/11,” Discover America travel advocacy group.)

Terrorists are going to enter the country illegally, using paths worn smooth by millions of illegal immigrants. Meanwhile, millions of people are deciding to take their business and leisure elsewhere, because of the harsh face we show the world at our borders.

License plate story via David Lesher in the Risks Digest, tourism story via BoingBoing. Photo by ChiquitaNerd.

Total Kabab Awareness

In a May, 2006 post entitled Codename: Miranda, I joked about having my grocery purchases linked to another Chicagoan due to poor schema design.
There, I joked about buying:

… granola, yogurt, hummus — the healthy stuff which probably alerts Admiral Poindexter’s Bayesian classifier to my fifth-column status.

Maybe this wasn’t jocular after all, as a Congressional Quarterly article (referred to by Ryan Singel) reports:

Like Hansel and Gretel hoping to follow their bread crumbs out of the forest, the FBI sifted through customer data collected by San Francisco-area grocery stores in 2005 and 2006, hoping that sales records of Middle Eastern food would lead to Iranian terrorists.
The idea was that a spike in, say, falafel sales, combined with other data, would lead to Iranian secret agents in the south San Francisco-San Jose area.

I hope Miranda is not in Gitmo as a result of my healthy eating habits.

Measuring the Wrong Stuff

There’s a great deal of discussion out there about security metrics. There’s a belief that better measurement will improve things. And while I don’t disagree, there are substantial risks from measuring the wrong things:

Because the grades are based largely on improvement, not simply meeting state standards, some high-performing schools received low grades. The Clove Valley School in Staten Island, for instance, received an F, although 86.5 percent of the students at the school met state standards in reading on the 2007 tests.

On the opposite end of the spectrum, some schools that had a small number of students reaching state standards on tests received grades that any child would be thrilled to take home. At the East Village Community School, for example, 60 percent of the students met state standards in reading, but the school received an A, largely because of the improvement it showed over 2006, when 46.3 percent of its students met state standards. (The New York Times, “50 Public Schools Fail Under New Rating System

Get that? The school that flunked has more students meeting state standards than the school that got an A.

There’s two important takeaways. First, if you’re reading “scorecards” from somewhere, make sure you understand the nitty gritty details. Second, if you’re designing metrics, consider what perverse incentives and results you may be getting. For example, if I were a school principal today, every other year I’d forbid teachers from mentioning the test. That year’s students would do awfully, and then I’d have an easy time improving next year.

“A duty of care” to notify?

Some people have objected to my repeated claims that a new normal is emerging. Those people don’t include Her Majesty’s Revenue and Customs, who, after losing a disk in the mail, said:

“There was a thorough search for the item, which went missing at the end of September, but it has not been found. We have a duty of care to let people know what has happened and so we are writing to tell them.”

HMRC loses personal details of thousands,” the Telegraph, who also had this to say on timeliness:

Mike Warburton, senior tax partner at accountants Grant Thornton, said: ” It does seem strange that it has taken a month for HMRC to start sending these letters out. That disc could be anywhere by now and large numbers of people may be at risk of fraud – if not through their pensions, then possibly through identity theft.”

All of this is happening without breach notice laws in the UK. They read the press in North America, we read the press there, and the new social norms get ahead of where the laws and regulations are. There’s a clear expectation of rapid disclosure.

If you’re covering up a breach, and it gets out, lawyers are going to have a field day with you. Try to avoid quibbling over what the meaning of “is” is, and own up to your mistakes, even if there’s no “controlling legal authority.”

Thanks to Ant for the story pointer!

[Update: in closely related news, Brian Krebs has “Salesforce.com acknowledges data loss” in the Washington Post. What we currently know about the Salesforce breach, doesn’t seem to reach the legal minimums for mandatory disclosure. Perhaps I should have been more clear in saying that “if you’re covering up a breach that the law requires be disclosed…” Then again, perhaps the lawyers will have a field day. Also, Rich Mogull has an article, “Learning From Tylenol” at DarkReading which beautifully compares the Tylenol response to the typical breach response.]

The Magic Phone

The “gPhone” was announced today. I put gPhone in quotes, because there was no actual phone announcement. What was announced was the “Open Handset Alliance” and their toolkit, Android. They are

“…committed to commercially deploy handsets and services using the Android Platform in the second half of 2008.”


“An early look at the Android Software Development Kit (SDK) will be available on November 12th.”

This makes the announcement the biggest marketing anticlimax since the Segway. They’re not announcing anything but a toolkit, and I don’t even get to see that for a week. That week only increases the “WTF?” I keep murmuring. Yes, yes, there was this huge buzz surrounding gPhone/Android, but why are you leaving people like me with nothing to do but be snarky for a week, without having the code there. If the code were there, any comment I could make could be pushed back with the reply of, “go look at the SDK.” Absent an SDK, I have to peer at what is on the web site, and what is there is anticlimactic, as there will be no phones for a year (or longer). It’s less of an anticlimax than cold fusion, but that’s not hard.

The parts of Android that aren’t an anticlimax are downright frightening.

Some of that is harmlessly frightening. There are two videos on the OHA web page. One is of children talking about, “if I had a magic phone” and it is treacly and content-free. I, too, would love to have a phone that made me an astronaut, take me to the moon, make cupcakes with sprinkles as well as pizza, cookies, and peanut butter sandwiches, and help animals feel better. I would pass on the phone that turns into underpants, and if the gPhone Android does this, I’ll stick to something else, thank you.

However, I believe we already have phones that take pictures, fit in my pocket, and have a keyboard. As a matter of fact, there is one of those in my pocket now. Those suggestions show the difference between being imaginative and innovative. Watch this video; I’ve inoculated you from needing a barf bag.

The other video is of a bunch of adults showing the same level of attachment to reality. The closing child remark is that a magic phone will do whatever you want it to and that is the theme of this second video.

The adults say some telling things. The video opens up with a sound check and a clapper, to let us know this is unfinished. Nick Sears and Andy Rubin’s dog tell us about how this comes from thinking from Danger (who made the Sidekick) and T-Mobile, not Google. Despite what the paper of record has said, Google is nowhere mentioned. People who have been following the gPhone rumors know that Google bought the company, Android, that is now giving us the phone software, Android. The message, therefore, is that this isn’t really Google, it’s Android. They tell us that there is no gPhone, “what we’re doing is enabling an entire industry to create thousands of gPhones.”

So this is a committee-based, excuse me alliance-based system. It’s Linux and all the stuff like GTK toolkits. The tech lead, Brian Swetland, tells that there will be “at least five people out there who read Slashdot, who will be all over that.” I blinked when I heard that. Go watch the video for yourself. I didn’t take that quote very much out of context. This is not a phone. It is an OS and toolkit. That’s it.

The vision behind this non-announcement? Well, the kids want cookies, pizza and trips to the moon. The adults want a shared family calendar (ummm, doesn’t the iPhone have that? Not having an iPhone, I don’t know, but I thought it does), “keep track of my kids,” “maybe some social thing,” “my taxes,” and “make me understand my wife better — it would translate her thoughts” (this latter one coming from German Bauer, Experience Designer). Oh, man, I’m sure Jonathan Ive is kicking himself now. (Or maybe not. If you’re an android, understanding humans you’ve married is hard. I think Mr Ive is sympatico with humans.) I finished watching that saying, “That’s it? That’s it? That’s all you can think of?” It is harmlessly frightening because I’m frightened that so many smart people can have so little there.

Missing from the vision of children and adults alike is my vision of a magic phone. I want a magic phone that doesn’t drop out every other word when someone calls me, and can display their name when they call, even if one of us is in a different country. My magic phone makes phone calls.

I loathe my present phone with a special white-hot passion because it has a GPS and can show me with Google Maps where I am to three meters, but it doesn’t do the things that I think a magic phone should.

The serious frightening parts are in the Android are in the text of the overview.

“All applications are created equal. Android does not differentiate between the phone’s core applications and third-party applications. They can all be built to have equal access to a phone’s capabilities providing users with a broad spectrum of applications and services.”


“For example, Android enables developers to obtain the location of the device, and allow devices to communicate with one another enabling rich peer-to-peer social applications.”

In other words — there’s no security. Nowhere on the Android web site does that word appear. But they do flat out have as their vision tracking people. The architecture proudly enables geo-targeted ads, malware, bots, spyware and so on. The designers tell us they don’t understand their spouses and want to track their kids before they tell us.

“Android breaks down the barriers to building new and innovative applications. For example, a developer can combine information from the web with data on an individual’s mobile phone — such as the user’s contacts, calendar, or geographic location — to provide a more relevant user experience. With Android, a developer could build an application that enables users to view the location of their friends and be alerted when they are in the vicinity giving them a chance to connect.”

Gosh, thanks. Eesh.

The clear winner in this announcement is the collection of Apple, Microsoft, Symbian, and RIM, who should see no threat in a committee whose vision is to deliver things that you can get from the iPhone, N95, or other present smartphones. The clear loser is OpenMoko. Sorry, guys. You’re dead. Someone else has Linux phone with no apps, and a bigger marketing budget. They’re also smart enough to flee from Copyleft and the GPL. They’re are using Apache licensing, so they are more open than you. I recommend switching to delivering Android on your hardware for those “five Slashdot readers.”

If the winners want to kill Android, they can, easily. Let’s suppose that Apple said that Android-compatible apps would work on iPhone 2, or Microsoft said the same thing about the next version of Windows Mobile. Much of the reason for considering Android to be separate would vanish.

Fortunately, we the humans who use phones do not appear to have any threat from the androids, because sometime next year they’re going to deliver this year’s smartphone.

Gordon Brown on liberty

While this great tradition can be traced back to the Magna Carta, it was the rise of the modern state with all the new powers at its disposal that made the 17th century the pivotal period in the struggle against arbitrary and unaccountable government —— as Britain led the way in the battle for freedom from hierarchical rule, for human rights and for the rule of law.

And tracing Coke’s defence of common law, the work of John Locke and the Bill of Rights of 1689 right through to the first of the Reform Acts, Macaulay concluded that ‘the authority of law and the security of property were found to be compatible with a liberty of discussion and of individual action never before known’. (“Speech on Liberty,” Gordon Brown)

It’s a fascinating speech for the depth of understanding it goes through before proposing national ID cards and a DNA database. In today’s United States, I can hardly imagine the President giving a speech this deep or nuanced.

Well worth the read on Guy Fawkes day.

Via the Privacy Commissioner of Canada.

[Update: As Nicko suggested in comments, I read too much into this, and in the Queen’s Speech, Brown made no clear mention of ID cards or DNA databases.]

Informed discussion? Cool!

David Litchfield examines some public breach data and concludes that

Word documents and spreadsheets mistakenly left on a web server or indexed by a search engine account for 20.6% of the 276 breaches, both physical and digital, recorded up to the 23rd of October.

He further surmises that the proportion may be even higher, since the bad guys don’t alert data custodians when Google serves up social security numbers.
I looked at this very question for the FIRST presentation referred to in my previous post. There, breach incidents affecting entities based in New York, and reported by at least one of several sources (including the state itself) were examined.

The upshot? As my notes for the presentation said:

[A]t least in terms of numbers of breach incidents, equipment or media loss and unintended online exposure (such as with a misconfigured web server) are the main sources of exposure. Indeed, results from the New York dataset and the New York cases from the University of Washington dataset are statistically indistinguishable, each showing 60-65% of breaches due to lost or stolen media and 15-25%
exposed online.
By way of comparison, Attrition.org’s DLDOS shows almost exactly 50% (180 of 362) of recorded 2006 incidents being due to lost or stolen equipment or media, and Hasan and Yurcik report 36% of incidents from the period 01-05-2005 through 06-05-2006. North Carolina’s breach notification log (obtained via an open records request) shows 53 incidents of 107 (50%) involved lost or stolen media/hardware.
New Hampshire records from December 2006 to June 2007 show 54% of incidents (N=51) due to lost or stolen equipment or media (67% of affected firms since one stolen laptop had 13 firms’ data!)
Since so many of the cases reported to NY involve small numbers of persons affected, one might think that the “small incidents” differ from the
rest. However, when small (defined as 99 persons affected or fewer) incidents are excluded, the breakdown of breach mechanisms is statistically indistinguishable from an examination with all cases included.

So far, Litchfield is right on the money, and as a database guru rather than a burglar alarm salesman he focuses on logical, not physical, security. However, at least for the breaches I looked at (which, for methodological reasons involved only entities in NY) about 99% of the exposed records were due to lost or stolen computers or media.
The folks in the whole disk encryption business probably are on the case, but I wanted to point out that accidental publishing is a minor exposure source, as measured by records exposed (IMO).
Two final observations:
1. Not all exposures are equal. Having your backup tape out on the sidewalk is bad. Having it indexed by Google is worse.
2. Litchfield’s contribution would not have been possible without data on breaches. I know that as an opinion leader, his words will resonate. That means that because of data availability, security just got better. Feels good, doesn’t it?

WEIS 2008 Call for papers

The call for papers for the 2008 Workshop on Economics and Information Security, to be held at Dartmouth’s Tuck School of Business in late June, has just been issued.

The 2008 Workshop on the Economics of Information Security invites original research papers focused on the economics of information security and the economics of privacy. We encourage economists, computer scientists, business school researchers, law scholars, security and privacy specialists, as well as industry experts to submit their research and attend the Workshop. Suggested topics include (but are not limited to) empirical and theoretical economic studies of:
– Optimal investment in information security
– Privacy, confidentiality and anonymity
– Cybertrust and reputation systems
– Intellectual property protection
– Information access and provisioning
– Risk management and cyberinsurance
– Security standards and regulation
– Behavioral security and privacy
– Cyberterrorism policy
– Organizational security and metrics
– Psychology of risk and security
– Phishing, spam, and cybercrime
– Vulnerability discovery, disclosure, and patching
Important dates
Submissions due: March 1, 2008
Notification of acceptance: April 10, 2008
Workshop: June 25-27, 2008
Papers should be submitted online by 11:59 EST on Saturday, March 1, 2008, preferably in PDF format.

This is a great event. Mark your calendars. And by the way, there are worse places to be than New Hampshire in June.