The New School of Information Security

A few days ago, we turned in the very last edits to The New School of Information Security to Addison-Wesley.

My co-author, Andrew Stewart, and I are both really excited. The New School is a systemic look at dysfunction within information security, and a look at some of the ways people are looking to make things better. We think there’s an emerging way of approaching the world, which we call the New School.

We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn’t just fixed them, and some of the data sources which we rely on and how poor they are. We then look at some new sources of data, and new ways of interpreting them, and close with some very practical steps that any individual or organization can take to make things better.

Incidentally, this isn’t an official project for either of us. (We wouldn’t want anyone to get confused about who gets the credit or blame.)

Are We Measuring the Right Things?

One of the reasons that airline passengers sit on the tarmac for hours before takeoff is how the FAA Department of Transportation measures “on time departures.” The on time departure is measured by push-back from the gate, not wheels leaving the tarmac. (Airlines argue that the former is in their control.) If you measure the wrong things, you create incentives for bizarre behavior.

Which is why I was fascinated to read the new GAO report, “Information Security: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies.”

While progress may be reported, PogoWasRight calls out:

The number of security breaches on government computers has quadrupled in the last 2 years – from just over 3,500 in fiscal 2005 to just over 13,000 in fiscal 2007.

If that’s progress, maybe we need some regression?

More seriously, I think it’s great progress that we are talking about the failure rates. Now we need to start to question the things being measured that allow the GAO to summarize that state of affairs as progress.

I wonder, where else are we measuring the wrong things?

[Update: I was measuring the wrong agency.]

WOOT08 Call for Papers

Progress in the field of computer security is driven by a symbiotic relationship between our understandings of attack and of defense. The USENIX Workshop on Offensive Technologies aims to bring together researchers and practitioners in system security to present research advancing the understanding of attacks on operating systems, networks, and applications.

2nd USENIX Workshop on Offensive Technologies (WOOT ’08)
July 28, 2008
San Jose, CA

Sponsored by USENIX, the Advanced Computing Systems Association

WOOT ’08 will be co-located with the 17th USENIX Security Symposium (USENIX Security ’08), which will take place July 28–August 1, 2008.

Important Date: Submissions due: June 1, 2008

WOOT ’08 Call for Papers.

(I’m on the program committee.)

You Can’t Say That: Blogging Your Failures

I forgot exactly where I saw the link to Ben Neumann’s Views from the Trenches, but the opening lines of his post “Network Outage” are great, doubly for what he’s just gone through:

Today was a NIGHTMARE-DAY! just emerged from a major outage – the worst in company history and everybody – customers and staff alike – still feel extremely beaten up. Here’s what happened:

At approximately 5:00am Pacific Time on Thursday, February 21, 2008 we suffered a major network outage, which affected nearly all customers, our own Web sites and service infrastructure as well as our phone systems.

He goes on to explain what went wrong, and what he’s doing to prevent it from happening again.

This sort of thing is fairly common in computer operations. People talk about what’s gone wrong. And their customers, while annoyed, prefer this to the bravado and bull they get about security incidents.

In fact, it’s common in a lot of industries to have failures discussed. And while it leads to some Monday-morning quarterbacking, it also leads to operational improvement.

There’s Going to Be a Paper-Scorching Ka-Booom!

The New York Times has a great story about Cai Guo-Qiang, an artist who works in gunpowder: “The Pyrotechnic Imagination.” It’s pretty cool stuff for a lazy weekend afternoon read.

[I forgot to mention, he has a show at the Guggenheim, and their press release states, “For publicity images go to User ID = photoservice Password = presspass”. There’s some high quality art there.]


Friday Pogues Blogging

I saw the Pogues’ show at Chicago’s Riviera Theatre last night, exactly 22 years minus one day since the last time I saw them.

Spider Stacy seems to have fared a tad better than Shane :^). The show was good, but of course nothing can compare to nostalgia. A particularly enjoyable feature for me was the ecstatic reaction of a nearby woman who was a devoted fan — she was loving every millisecond. I was bemused thinking that last time I stood 15 feet from Shane and company she was probably not even toilet-trained.

There were plenty of grey hairs in the audience, even up front. I was polite and let a shorter person in front of me, and as the band got into things I wound up a few feet back from the stage, where the crowd was younger and ethanol-fueled. Luckily my quads are as strong, and my elbows as sharp, as they were back in the day.

Photo courtesy of, who have many more great shots

Microsoft Acquires Credentica’s U-Prove

I am tremendously pleased to say that Microsoft has closed an acquisition of Credentica’s U-Prove technology. This technology adds a new and important set of choices in how we as a society deal with identity and properties of people. Kim Cameron has the official announcement, “Microsoft to adopt Stefan Brands’ Technology,” and Stefan Brands has blogged at “Microsoft acquires Credentica’s U-prove technology.”

Kim writes:

I personally think we are just beginning to understand what it would mean if everything we do is both remembered and automatically related to everything else we do. No evil “Dr. No” is necessary to bring this about, although evil actors might accelerate and take advantage of the outcome. Linkage is just a natural tendency of digital reality, similar to entropy in the physical world. When designing physical systems a big part of our job is countering entropy. And in the digital sphere, our designs need to counter linkage.

This has led me to the idea of the “Need-to-Know Internet”.

Our goal is that Minimal Disclosure Tokens will become base features of identity platforms and products, leading to the safest possible internet. I don’t think the point here is ultimately to make a dollar. It’s about building a system of identity that can withstand the ravages that the Internet will unleash. That will be worth billions.

On a personal level, I’m happy to be working with Stefan again, and look forward to what Microsoft and our customers will be able to achieve with this technology.

[Updated with some quotes from Kim.]

Analyzing the Analysts

In “Things Are Looking Up For TJX, or, Javelin Research – Credibility Issues?,” Alex takes a look at research released by Javelin, and compares it to some SEC filings. Javelin is making the argument that companies that suffer massive breaches will lose market share. As do these folks at Response Source: “LATEST NATIONAL RESEARCH REVEALS LACK OF CONSUMER TRUST IN THE SECURITY OF PERSONAL DATA IN THE UK.”

The trouble is, consumer behavior seems unaffected.

Also in the looking at Javelin department, Chris Hoofnagle writes about “Making the Known Unknowns Known,” which gets some additional thoughts from Dan Solove, in “Requiring Banks to Disclose Identity Theft Statistics.” It’s a very good and reasonably short article that makes the argument that the fraudsters have figured out weaknesses in the US banking system that aren’t getting analyzed in a systemic way.

If this data thing were organized, it would be like a movement.

Credit Ratings for Governments?

Last week, I talked about consumer credit in “The real problem in ID theft.”

Yesterday, the New York Times had a story, “States and Cities Start Rebelling on Bond Ratings:”

A complex system of credit ratings and insurance policies that Wall Street uses to set prices for municipal bonds makes borrowing needlessly expensive for many localities, some officials say. States and cities have begun to fight back, saying they can no longer afford the status quo given the slackening economy and recent market turmoil.

At every rating, municipal bonds default less often than similarly rated corporate bonds, according to Moody’s… Colleen Woodell, chief quality officer for public finance, acknowledged that municipal debt had defaulted at lower rates than corporate issues, but she noted that the data covered a relatively benign 20-year period…Ms. Woodell said the disparity was “within a tolerable band” and would diminish over time.

Tolerable to whom, Ms. Woodell?

The article goes on to explain that the financiers are taking enormous sums of money from taxpayers on what is really very safe debt.

Since most government bonds are repaid, there would be a very large chunk of identically rated bonds.

“If you rate 95 percent of the issues the same, the ratings cease to be useful, and investors need and utilize these ratings to differentiate credits,” said John Miller, chief investment officer at Nuveen Asset Management in Chicago, which manages about $65 billion in mostly tax-exempt bonds.

Really? If the bonds are safe, and 95% of them would get a AAA rating, maybe we could save a lot of money by removing a low-value information source.

It makes sense to look at the organizations who control credit data, and ask the age-old question: who benefits? These organizations aren’t in it for their health.

I’ve Made Up My Mind, Don’t Bother Me With the Facts

The report, Educational Security Incidents (ESI) Year in Review, spotlights institutions worldwide, and Penn State was included in the report with one data breach last year.

“My goal with ESI is to, hopefully, increase awareness within higher education that not only is information security a concern, but that the threats to college and university information is not as simple as network and/or computer attacks,” Adam Dodge, ESI creator, wrote in an e-mail.

The report also shows the majority of information breaches at colleges came from unintentional leaks, rather than hackers. But Penn State Information Technology Vice Provost Kevin Morooney said he isn’t sure how deeply anyone should read into the report.

“I’m ignoring the report,” he said. “Hackers are a constant and daily threat at the university, and we have many things put in place to mitigate the risk.” (Emphasis added.)

“Security of data analyzed in study,” The Daily Collegian at Penn State.

Adam Dodge runs the “Educational Security Incidents” blog, and his “Year In Review” is worth a look.

I hope that Vice Provost Morooney had other things to say about a comprehensive approach to security. Because otherwise, he’s made up his mind, and don’t wanna be bothered with no facts. A sad position for anyone at a University to take.