Ain’t Nobody’s Business But My Own


A year ago, I discussed stupid email disclaimers in, “If I Screw Up, It’s Your Fault!” This week, Brian Krebs of the Washington Post comes over the same issue, indirectly, in his “They Told You Not To Reply.”

Krebs tells the story of Chet Faliszek, who owns the domain, which he bought in 2000 as a lark. The interesting situation is that many otherwise sane people will send broadcast messages with a return address that has in it. And of course, people reply. When they reply, he gets the mail.

He gets customer service mail from Charbroil grills; financial service from Capital One and Merrill Lynch; network diagrams and vulnerability data from Yardville National Bank; faxes from Iraq contractor and former subsidiary of Halliburton, Kellogg Brown & Root; and of late very interesting mail from the Department of Homeland Security.

Krebs quotes Faliszek:

“I’ve had people yell at me, saying these e-mails are marked private and that I shouldn’t read them.”

“They get all frantic like I’ve done something to them, particularly when you talk to the non-technical people at these companies.”

The most delicious emails end up on his blog. He will remove them if you show proof of a donation to an animal protection league or humane society.

Note that if you send your email to Mr Faliszek, it becomes his email. No one suggests that there is anything untoward in owning No one suggests that the disclaimer has any standing. No one suggests that there is anything wrong with his letting you ransom those emails through good works.

Certainly, it’s stupid to use a domain like It’s a legal domain. There are some reserved domain names, and they are documented in RFC 2606. For Heaven’s sake, use donotreply@yourdomain! However, it’s worse to have the disclaimer. Non-expert, non-technical people might think that it has standing. Note what Mr Faliszek said, that people think that because they’re marked private, he shouldn’t read what’s delivered to his domain. I have every sympathy with these people. They think they’re protected, and they’re not. Fortunately for us all, Mr Faliszek is a nice guy who loves animals. Take it away, bandleader.
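A check of the kind this post argues for, written here as an added example (not the post's or Mr Faliszek's code): it classifies the domain of each outgoing sender header as one the organisation owns, one reserved by RFC 2606 (which can never be registered, so replies cannot reach a third party), or a foreign domain whose owner would receive the replies. The owned domain and the sample headers are constructed placeholders.

```python
"""Classify sender/reply domains so replies cannot be routed to a mailbox the
organisation does not control.  Added example; owned domain is a placeholder."""
import re
from typing import Dict, List, Optional

# RFC 2606 reserved names: .test, .example, .invalid, .localhost and the
# example.com/.net/.org second-level domains are never delegated to anyone.
RFC2606_TLDS = {"test", "example", "invalid", "localhost"}
RFC2606_DOMAINS = {"example.com", "example.net", "example.org"}

# Domains the organisation actually controls (constructed placeholder).
OWNED_DOMAINS = {"acme-grills.com"}

ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")


def sender_domain(addr: str) -> Optional[str]:
    """Return the lower-cased domain part of a bare address, or None."""
    m = ADDR_RE.match(addr.strip())
    return m.group(1).lower().rstrip(".") if m else None


def classify_sender(addr: str) -> str:
    """'owned', 'reserved', 'foreign' or 'malformed'."""
    domain = sender_domain(addr)
    if domain is None:
        return "malformed"
    if domain in OWNED_DOMAINS or any(domain.endswith("." + d) for d in OWNED_DOMAINS):
        return "owned"
    tld = domain.rsplit(".", 1)[-1]
    if domain in RFC2606_DOMAINS or tld in RFC2606_TLDS:
        return "reserved"
    return "foreign"


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Names of the sender-side headers whose replies would go to a third party."""
    return [h for h in ("From", "Reply-To", "Return-Path")
            if h in headers and classify_sender(headers[h]) == "foreign"]


# Constructed outgoing message headers: the Reply-To is the mistake.
SAMPLE_HEADERS = {
    "From": "alerts@acme-grills.com",
    "Reply-To": "donotreply@not-our-domain.net",
    "Return-Path": "bounces@acme-grills.com",
}

if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS))
```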

Photo “its just sad” by Quiz….

Avoid ID theft: Don’t run for President

The Washington Post reports:

The State Department said last night that it had fired two contract employees and disciplined a third for accessing Sen. Barack Obama’s passport file.
Obama’s presidential campaign immediately called for a “complete investigation.”
State Department spokesman Tom Casey said the employees had individually looked into Obama’s passport file on Jan. 9, Feb. 21 and March 14. To access such a file, the employees must first acknowledge a pledge to keep the information private.
The employees were each caught because of a computer-monitoring system that is triggered when the passport accounts of a “high-profile person” are accessed, he said. The system was put in place after the State Department was embroiled in a scandal involving the access of the passport records of then-presidential candidate Bill Clinton in 1992.
“The State Department has strict policies and controls on access to passport records by government and contract employees,” Casey said.
The department uses contract employees to help with data entry, customer service and other administration tasks. The employee involved in the March 14 incident has only been disciplined so far, because the probe of that incident is continuing, an official said.

My translation is that the State Department, “in order to serve you better”, violates the principle of separation of privilege and allows individual contract call center people to access the passport data for everybody in the country. Then, after a high-profile person has his privacy grossly violated (they ran Clinton’s file because of malicious, false rumors he renounced his US citizenship during the Viet Nam era), they put in detective controls (not preventative — too obvious), but these only work for important people.
Luckily, Bill Burton, spokesman for Senator Obama, has a keen grasp of the issues:

“This is a serious matter that merits a complete investigation, and we demand to know who looked at Senator Obama’s passport file, for what purpose, and why it took so long for them to reveal this security breach.”

One way to learn some of that, as I am sure Mr. Burton’s boss knows, is to get a decent national breach notification law.
While State may have been slow, they did the right thing, and canned the violators. Nothing reinforces a security policy better than a public execution, and nothing undermines one more effectively than blatant non-enforcement. With recent privacy breaches affecting not just semi-celebs like Presidential candidates, but also really important people, making sure that punishment is swift and sure seems like an obvious way to “incentivize good behavior”.
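The difference between the control the State Department describes and the one this post argues for, as an added example over a constructed access log (not the department's system or the post's own code): the watch-list rule fires only when a designated high-profile record is opened, while the ticket rule fires for any contractor lookup that cites no service ticket, whoever the record belongs to. Record ids, user names and the watch list are all constructed.

```python
"""Two detective controls over a constructed passport-record access log.
watch_list_alerts() mirrors the control described in the post: it fires only
for 'high-profile' records.  ticketless_alerts() covers every record holder
by requiring each lookup to cite a customer-service ticket."""
import csv
import io
from typing import Dict, List

VIP_RECORDS = {"P-0001"}  # constructed watch list of high-profile record ids

# Constructed sample log: who opened which record, and under what ticket.
ACCESS_LOG = """\
ts,user,role,record,ticket
2008-01-09T10:02:00,ctr_a,contractor,P-0001,
2008-01-09T10:05:00,ctr_b,contractor,P-4412,T-8813
2008-02-21T14:11:00,ctr_c,contractor,P-0001,
2008-02-21T14:30:00,ctr_b,contractor,P-7720,
2008-03-14T09:47:00,emp_d,employee,P-0001,T-9901
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def watch_list_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Control as described: alert on any access to a watch-listed record."""
    return [e for e in events if e["record"] in VIP_RECORDS]


def ticketless_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Broader control: alert on any contractor lookup that cites no ticket."""
    return [e for e in events if e["role"] == "contractor" and not e["ticket"]]


def summarize(text: str) -> Dict[str, list]:
    """Compare the two rules and list what the watch list alone would miss."""
    events = parse_log(text)
    vip = {(e["user"], e["record"]) for e in watch_list_alerts(events)}
    nt = {(e["user"], e["record"]) for e in ticketless_alerts(events)}
    return {"watch_list": sorted(vip), "ticketless": sorted(nt),
            "missed_by_watch_list": sorted(nt - vip)}


if __name__ == "__main__":
    for rule, hits in summarize(ACCESS_LOG).items():
        print(rule, hits)
```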

First in-depth review

Andre Gironda writes “Implications of The New School:”

Additionally, the authors immediately begin the book with how they are going to write it — how they don’t reference anything in great detail, but that the endnotes should suffice. This also put me off a bit… that is — until I got to the endnotes! Certainly from the beginning to the end of the book I was also kept in a state of constant interest thanks to the excellent writing. Even if you have read all of their past work, this book is certainly worth a read or two or three, maybe even quarterly.

He has a lot of detail in his review, while I’m just quoting the intro, blown away and grateful that someone would suggest reading it quarterly.

Thanks Andre!

Algorithms for the War on the Unexpected

Technology Review has an article, “The Technology That Toppled Eliot Spitzer.” What jumped out at me was the explicit statement that strange is bad, scary and in need of investigation. Bruce Schneier is talking a lot about the war on the unexpected, and this fits right into that.

Each category is analyzed to determine patterns of ordinary behavior. Every single transaction by customers in these groups, and even patterns of transactions stretching back as far as a year, are then scrutinized for evidence of deviation from this norm using measures such as the number, size, or frequency of transactions, among others.

When “not behaving normally” is considered grounds for investigation, there’s an inevitable chilling effect. The willingness of people to do new, exciting things is reduced by the risk that they’ll get on some financial blacklist, and be unable to buy a house or a car.
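To make the quoted mechanism concrete, an added example (not the article's or any vendor's code) scores each customer's latest month against a peer group's norm on transaction count and size, the measures the article names. The peer-group history is constructed; cust_d's change of habits is ordinary for that customer but lands well outside the group's norm, which is the effect the post describes.

```python
"""Peer-group deviation scoring of the kind the quoted article describes,
run over constructed data.  Added example; all figures are invented."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed monthly history for one peer group: each entry is
# (number of transactions, mean transaction size in dollars).
PEER_HISTORY: Dict[str, List[Tuple[int, float]]] = {
    "cust_a": [(22, 85.0), (24, 90.0), (21, 88.0)],
    "cust_b": [(19, 70.0), (20, 72.0), (18, 75.0)],
    "cust_c": [(25, 95.0), (23, 92.0), (26, 97.0)],
    # cust_d changed habits this quarter: fewer, much larger payments.
    "cust_d": [(21, 80.0), (6, 2400.0), (5, 2600.0)],
}
Z_THRESHOLD = 3.0


def group_baseline(history: Dict[str, List[Tuple[int, float]]]):
    """Mean and population std-dev of count and size over all peer months."""
    counts = [c for months in history.values() for c, _ in months]
    sizes = [s for months in history.values() for _, s in months]
    return (mean(counts), pstdev(counts)), (mean(sizes), pstdev(sizes))


def deviation_scores(history, customer: str) -> Tuple[float, float]:
    """z-scores of the customer's latest month against the other members."""
    others = {k: v for k, v in history.items() if k != customer}
    (mc, sc), (ms, ss) = group_baseline(others)
    latest_c, latest_s = history[customer][-1]
    zc = abs(latest_c - mc) / sc if sc else 0.0
    zs = abs(latest_s - ms) / ss if ss else 0.0
    return zc, zs


def flagged(history, threshold: float = Z_THRESHOLD) -> List[str]:
    """Customers whose latest month deviates beyond the threshold on any measure."""
    return sorted(k for k in history if max(deviation_scores(history, k)) > threshold)


if __name__ == "__main__":
    for name in PEER_HISTORY:
        print(name, deviation_scores(PEER_HISTORY, name))
    print("flagged:", flagged(PEER_HISTORY))
```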

(Via Paul Kedrosky)

Context, please!

Chess masters will sometimes play chess against a dozen or more competitors at once, walking from board to board and making a move. The way they do this isn’t to remember the games, but to look at the board, and make a decent (to a master) move each time. They look at the board, get all the information they need, and act. Remember that as context as you read the rest of this post.

So over the past few months, I’ve been noticing more and more people cutting the context out of their email, and replying in a way which can be read on a single screen. This is nice. Concise replies are often good. But where’s the context? Why are you removing all the conversation which happened before? I get and send a lot of email. I send roughly 15-20 messages a day from my personal account, and probably 30-50 a day at work. How many I get is a little hard to count because of all the spam, but it’s probably around the same into my inboxes.

The context of a conversation helps me remember what’s being said, and why. (This, incidentally, is why top-posting is good for short conversations that stay short, and bad for long ones.)

For example, I’m trying to set up an appointment to talk to a former co-worker about some stuff. I haven’t added him to my IM address book, and in his response agreeing on a time, he cut that information. Not only that, there was effort involved in cutting it. Maybe it’s only 1 or 2 clicks, or 10-15 characters of typing to find the rest of the conversation, but that’s still more work than having it all right there.

So please, think about context when you send email. Just like chess masters can see the board, let your co-respondent see what you’re responding to.

If you do, you’ll get more complete and useful responses faster. It’s in your best interest. That’s not just with me. Think about the usability of what you send to people–it pays off.

Hannaford: 4.2 million card #s potentially exposed

Hannaford says the security breach affects all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. The company puts the number of unique credit and debit card numbers that were potentially exposed to fraud at 4.2 million.

The company is currently aware of about 1,800 cases of reported fraud related to the security breach.

The Massachusetts Bankers Association said one-third of its 200 member banks have been contacted by Visa and MasterCard about the problem.

via Dataloss
If I am an independent grocer who sells Hannaford products, how does a Hannaford breach expose my customers’ card numbers? Do independent grocers report purchases to their suppliers, including the card numbers used to make those purchases? Do these smaller groceries outsource their POS activities to a large supplier (i.e., Hannaford)?
Update: I read at that the card numbers were revealed during the authorization process. This jibes with the “outsourced POS” (as I sloppily use the term) theory. I need to review the details of “card present” authorization to understand this better, but my immediate thought was man-in-the-middle.

More New School feedback


Our editor says that the Safari e-book edition of The New School is now available. Hardcopies should be out in a week or so.

Jon Pincus gives us a mention in his long article “Indeed! The Economist on “computer science as a social science”” and comments that we “explicitly include discussions of diversity in the social science sense.” (As he discusses, Jon has long been focused on computer science as a social science, and he gave us some great help in improving the diversity section.)

Nick Owen thinks he won’t be invited to the prom in the New School, but he’s wrong. He turned me on to Bennett Stewart’s work, which influenced how we talk about ROI.

KJW/Code likes the first chapter. Decius on Memstreams says that our editorial blurb “makes a lot of bold claims without explaining how those claims are met. I eagerly await further reviews and shorter articles written by the authors to promote their book…”

Also, a couple of people emailed me asking for a table of contents and more sample content. Here’s the table of contents, and yes, Decius, there will be more that we’ll release over the next little while. We have a first couple of interviews lined up, and are eager to get the ideas out there in forms which are easy to digest.

Table of Contents


Spam, and Other Problems with Email 4
Hostile Code 7
Security Breaches 9
Identity and the Theft of Identity 11
Should We Just Start Over? 14
The Need for a New School 15

Where the Security Industry Comes From 19
Orientations and Framing 25
What Does the Security Industry Sell? 27
How Security Is Sold 33

The Trouble with Surveys 46
The Trade Press 50
Vulnerabilities 52
Instrumentation on the Internet 54
Organizations and Companies with Data 55

How Do Companies Lose Data? 64
Disclose Breaches 68
Possible Criticisms of Breach Data 70
Moving from Art to Science 74
Get Involved 76

The Economics of Information Security 82
Psychology 95
Sociology 99

Reasons to Spend on Security Today 106
Non-Reasons to Spend on Security 110
Emerging Reasons to Spend 112
How Much Should a Business Spend on Security? 116
The Psychology of Spending 122
On What to Spend 126

People Are People 132
Breach Data Is Not Actuarial Data 136
Powerful Externalities 137
The Human Computer Interface and Risk Compensation 139
The Use and Abuse of Language 142
Skills Shortages, Organizational Structure, and Collaboration 144

Join the New School 149
Embrace the New School 153
Make Money from the New School 157
Final Words 159

Bear Stearns

Dan Geer is fond of saying that financial risk management works because everyone knows who owns what risks.

Reports are that JPMorgan just bought Bear Stearns for $236MM, a 93% discount to Friday’s closing price, with $30BB of US taxpayer money thrown in (as guarantees) for good measure. Bloomberg also reports that the Bear Stearns headquarters are valued at $1.2 BB, which means that the firm’s net market positions are a liability of about ($31BB).

Apparently, Bear Stearns owned less of the risk than the Fed. I wonder when the Fed knew that? According to the same New York Times story, Bear Stearns has known it all along:

Even up until last week, Alan “Ace” Greenberg, Bear Stearn’s chairman for more than 20 years and a champion bridge player, still regaled its partners over lengthy lunches about gambling with the firm’s money in its wood-paneled dining room.

The firm’s money, indeed.

Reporting on Data Breaches: US and Great Britain

Is the recent wave of reporting on British data breaches similar to what we’ve been seeing in the US? A couple of things seem true: the US has way more reported breaches per capita, but both locations have seen greatly accelerated reporting.
Here’s a plot of all US (Country = ‘US’) and British (Country = ‘GB’) breaches in Attrition’s DLDOS, as of March 13, 2008.
The incident count has been normalized by dividing each series by the total number of incidents in that series. The US had 840 reported incidents, Great Britain had 33.


What does this mean? I’m not sure…
Update: Added vertical lines to graphic, in response to Lyger’s comment. Left one is Choicepoint 2/15/05. Right is HMRC 11/20/2007.