Jonathan Ive’s Sharia Style

I was on a business commuter flight the other day, which was also the maiden voyage of my MacBook Air. I had it out before takeoff. This was an international flight and I was in bulkhead. On international flights, they’re not as strict about not having your laptop on your lap during takeoff. This flight was only an hour and ten, and if I had to wait ’til cruising altitude, I’d never get any work done.

I slid it into the middle of my Economist (manila envelopes are the only thing it fits in), but other guys had their mondo Dells out, so I stopped hiding it.

One of the flight attendants saw it and came over, pouncing on me. Drat. Nabbed.

I blinked when she cooed, “Ooooooo, is that the new MacBook? Can I touch it?”, because this wasn’t what I would think of as a nerd-bird. It was Etihad from DMM to AUH, and after a few days in Al Khobar, I found the fact that the flight attendants had neither an abaya nor hijab to be a pleasant surprise.

I handed it to her. She called over another flight attendant, who also cooed over it. They passed it back and forth extolling, “It’s so light! It’s so smooth! It feels sooooo good!”

They called over a third young woman who turned up her nose and sniffed, unimpressed, “My brother has one of those.” She thus put the others in their place for being so unsophisticated as to not be totally bored by it yet. It’s a good thing that SAFEE isn’t implemented, yet, or we’d never have gotten off the ground. If looks could kill….

Pointedly ignoring her, my pair of flight attendants marveled over the Air for a bit longer and then handed it off to me so they could play with seatbelts and oxygen masks.

After they left, the guy across the aisle turned to me and said, “My god, I never thought I’d see the day when a laptop was better at picking up girls than a Ferrari. That’s it, I’m ditching Windows.”

CSO’s FUD Watch

Introducing FUD Watch:

Most mornings, I start the work day with an inbox full of emails from security vendors or their PR reps about some new malware attack, software flaw or data breach. After some digging, about half turn out to be legitimate issues while the rest – usually the most alarming in tone – turn out to be threats that have little or no impact on the average enterprise.

The big challenge for security writers is to separate the hot air from the legitimate threats. This column aims to do just that.

But for this to work, audience participation is a must.

I’m highly in favor of reducing the FUD. I hope that Bill Brenner’s efforts will help constrain and shame some of the worst of the FUD. However, it won’t go all the way. Bill admits that he’s working from opinion not data. In The New School, we talk about how we need data on how often various problems actually manifest. When we get that data, we won’t need as much audience participation. In the meantime, go mock the FUDsters.

RIM speaks out on BB security

[Photo: “Indian BB”]

El Reg writes that the India Times writes that RIM has “blackballed” (El Reg’s words) the Indian Government’s requests to get BB keys, saying what we suspected, that there are no keys to give.

The India Times says:

BlackBerry vendor Research-In-Motion (RIM) said it cannot hand over the message encryption key to the government as its security structure does not allow any ‘third party’ or even the company to read the information transferred over its network.

The full RIM letter to its customers says:

Dear Valued BlackBerry Customer:

Research In Motion (RIM) is more excited than ever to be doing business in India and is extremely pleased by the enthusiasm of Indian customers toward the BlackBerry platform.

RIM recognizes that some customers are curious about the discussions that occurred between RIM and the Indian government regarding the use of encryption in BlackBerry products and understands that the confidential nature of these discussions has consequently enabled an opportunity for a variety of speculation and misinterpretation to arise.

RIM regrets any concern prompted by incorrect speculation or rumors and wishes to assure customers that RIM is committed to continue serving security-conscious businesses in the Indian market with highly secure and innovative products that satisfy the needs of both business and government.

RIM respects the needs of governments to balance regulatory requirements alongside the corporate security and individual privacy needs of its citizens and RIM will not disclose confidential discussions that take place with any government. However, many public facts about the BlackBerry security architecture have been well established over the years and remain unchanged. A recap of these facts, along with other general industry facts, can help customers easily debunk incorrect rumors and speculation and maintain confidence about the security of their information.

  • RIM understands and respects the concerns of governments. RIM operates in over 135 countries today and provides a security architecture that has been widely scrutinized over the last nine years and has been accepted and embraced by security-conscious corporations and governments around the world.
  • Governments have a wide range of resources and methodologies to satisfy national security and law enforcement needs without compromising commercial security requirements.
  • The use of strong encryption in wireless technology is not unique to the BlackBerry platform. Strong encryption is a mandatory requirement for all enterprise-class wireless email services.
  • The use of strong encryption in information technology is not limited to the wireless industry. Strong encryption is used pervasively on the Internet to protect the confidentiality of personal and corporate information.
  • Strong encryption is a fundamental requirement for a wide variety of technology products that enable businesses to operate and compete, both domestically and internationally.
  • The BlackBerry security architecture was specifically designed to provide corporate customers with the ability to transmit information wirelessly while also providing them with the necessary confidence that no one, including RIM, could access their data.
  • The BlackBerry security architecture for enterprise customers is based on a symmetric key system whereby the customer creates their own key and only the customer ever possesses a copy of their encryption key. RIM does not possess a “master key”, nor does any “back door” exist in the system that would allow RIM or any third party to gain unauthorized access to the key or corporate data.
  • The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key.
  • The BlackBerry security architecture was also purposefully designed to perform as a global system independent of geography. The location of data centers and the customer’s choice of wireless network are irrelevant factors from a security perspective since end-to-end encryption is utilized and transmissions are no more decipherable or less secure based on the selection of a wireless network or the location of a data center. All data remains encrypted through all points of transfer between the customer’s BlackBerry Enterprise Server and the customer’s device (at no point in the transfer is data decrypted and re-encrypted).
  • The same BlackBerry security architecture is maintained in all 135+ countries where the BlackBerry solution is commercially available and it continues to be validated through various formal and independent security certifications, including FIPS-140-2 (USA), @Stake security assessment, Common Criteria EAL 2+ (International) and CAPS (United Kingdom), as well as several other independent government approvals and customer assessments.

Once again, RIM is extremely pleased by the reaction of the Indian market to the BlackBerry platform and excited about the future in India. RIM also remains positive about the ongoing use of strong encryption in enterprise-class information technologies and believes that governmental security requirements in countries around the world, including India, will continue to be achieved in tandem with the domestic and international security needs of corporate customers.

My remaining major grumble is that while RIM has been very good about some assessments (FIPS 140 and CAPS are worth something; CC is not), those of us in the real world still haven’t seen the BlackBerry architecture.

I still hear people say, “Oh, you can’t trust that because the French government banned them,” which is also FUD but, absent an open attitude toward public review, is going to keep happening. My response to that FUD is counter-FUD: I point out that there’s no better way to spy on someone than to FUD their existing security system.

It’s worth something to know that Charlie Miller hasn’t broken the BlackBerry, but it would be better to have more to go on. Thank you for discussing this rather than ignoring it, RIM. Please, may we have another?

Photo “Indian BB” by Edlimagno.

Does the UK need a breach notice law?

Chris Pounder has an article on the subject:

In summary, most of the important features of USA-style, security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly lose personal data or fail to encrypt personal data when they should have done. Individuals are protected because they have simple and free access to the Information Commissioner, who has powers to investigate any complaint and fine. Compensation for aggrieved individuals could arise from any significant security lapse.

In other words, all the features of a security breach notification law are now found in existing data protection legislation. (“Why we don’t need a security breach notification law in the UK.”)

It’s an interesting analysis that breaches are already covered, and I think he’s probably right. However, he’s not certainly right. Attorneys are paid (in part) to argue, and I think most decent attorneys could construct an argument that the law is unclear.

I think there are two strong reasons to support a breach disclosure law: clarity and learning.

The argument for clarity is just that: the law may not be clear, and it will save U.K. organizations money to have a simple, clear law on the subject. (It can’t cost more for notifications, because that cost, according to Pounder, is already present. Similarly, there’s no increase in liability; that cost is already present too.) But with a clear law, attorneys can’t charge as much for analysis.

The second reason for a law is to charge a public agency with collecting and sharing information about what happened and why.

As organizations go through this pain, we should learn from it. Not learning from it entails going through it again and again.

There’s a third reason, which is that even in the case of clear law, which exists in the US, only 3 of 21 retailers breached had told their customers. (Based on a Gartner survey, n=50.)

[Gartner analyst Avivah] Litan didn’t know whether the retailers had broken state laws by not informing their customers of the breaches, but she said it was a possibility. Some of the breaches may have happened before applicable state laws were in effect. (“Most Retailer Breaches Are Not Disclosed, Gartner Says.”)

Update: A friend in the UK pointed out privately that I could have been clearer about the evolution of common law, and how decisions establish law. The UK has not yet had many official rulings, and so both the law and practice are evolving rapidly. Their courts and regulators may look to other countries for guidance, and find that prompt notification is essential, both under many US laws and under evolving Canadian jurisprudence. For example, the “[British Columbia Office of Information Privacy Commissioner] says 41 days too long for breach notification.”

Visualizing Risk

I really like this picture from Jack Jones, “Communicating about risk – part 2:”

risk-images.jpg

Using frequency, we can account for events that occur many times within the defined timeframe as well as those that occur fewer than once in the timeframe (e.g., .01 times per year, or once in one hundred years). Of course, this raises the question of how we determine frequency, particularly for infrequent events. In the interest of keeping this post to a reasonable length, I’ll cover that another time (soon).

And I’m looking forward to how Jack says we should determine those frequencies.

One suggestion for improvement: state the timeframe on the chart label: “Loss Event Frequency (per year).”

Please read more carefully.

A paper by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti to be presented at the upcoming WEIS workshop examines the impact of breach disclosure laws on identity theft. The authors

find no statistically [significant] evidence that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce

The folks at Bank Technology News pick up this ball and run with it, proclaiming in a headline:

Study: Data Breach Laws Don’t Reduce ID Theft

This is, quite simply, wrong. Absence of evidence is not evidence of absence. Maybe the data just aren’t good enough (something we at EC have been complaining about — and even trying to fix — for some time).
Since the Bank Technology News article is behind a paywall, I can’t read it. I hope it is more accurate in conveying Romanosky et al.’s recommendations than it is regarding their conclusions.
Those recommendations will be familiar to EC readers, and are worth quoting at length:

Proper research on the effectiveness of data breach disclosure laws is hampered by the lack of sufficient, high quality data. Hoofnagle argues that the current collection of identity theft records come from surveys and anecdotal accounts (Hoofnagle, 2007). He claims that current information is not sufficient and that banks and other organizations should be required to release identity theft data to the public for proper research. We certainly agree with this view. To the extent that reporting and other biases can be reduced, it will allow researchers to more accurately measure the impact of disclosure laws. Moreover, we believe that the proper collection of identity theft victimization, and consumer and firm loss data will be a valuable tool for researchers, policy makers and consumers. We therefore join others (Samuelson, 2007) in supporting the following recommendations to policy makers:
• Create a single, federal data breach disclosure law that covers all persons, private organizations, data brokers and state and federal agencies. This single law should reduce conflict between states laws and lower the barrier for compliance.
• Standardize the content of notifications to include only pertinent information (no marketing brochures) that includes actionable information for the consumer (e.g. date of breach, type of personal information lost, and customer support contact information).
• Define an oversight committee to be notified of all breaches. This will create an authoritative source of breach data that can be made available to policy makers, researchers and consumers.

I haven’t given this paper the time it deserves, so I’ll reserve comment. I’ve read it attentively enough to know that contrary to what some in the trade press may think, the jury is definitely still out on whether identity theft is decreased by breach laws.

Sing it shrdlu

Over at Layer8, shrdlu lays it out there and tells us what it takes to appear to be effective:

In all the initiatives I’ve rolled out in my (checkered) career, the ones that have gotten the most acclaim from my management have always been the ones that were most visible to the users. They turned out to be popular if they:
– were used directly by the users
– allowed the users to do something better, or faster, or better AND more securely
– helped reduce the risk of a legal problem

and

In the eyes of the business—the ultimate risk decision maker—the more it affects/helps the users, the bigger the win. So from a practical point of view, they’re using a very different set of risk factors than we are from behind our consoles and our dashboards.

These are both huge points, which highlight the difference between what we as practitioners often think is important and what the business thinks is important. The trick, of course, is balancing the two correctly. My recommendation is, whenever possible, to add security by packaging it with a new offering that users want. For instance, at one employer, there was a big push from users to be allowed to move from dial-up to VPN over their home broadband connections. We gave it to them, but took the opportunity to move from passwords to tokens for authentication. We got almost no complaints from users about it being harder or more complicated, because it was bundled with something they really wanted. This had the added bonus that, down the road, when we later required it for accessing certain critical systems, it was a well-understood technology that people were used to using, so we got very little push-back and got compliments from our auditors for being so conscientious.

This May Be FUD

[Photo: “Indian BB”]

You may have seen this article from the India Times, “Govt may get keys to your BlackBerry mailbox soon.” Many people have been commenting on it, and the hand-wringing should build up to a good storm in a few days.

The gist of the article is that the Indian Government has told RIM that if they can’t read BlackBerry email, they might just ban all BlackBerries from India, and that RIM is caving.

Being the sort of person I am, I called someone who actually knows something. I can’t tell you anything more, precisely because they actually know something.

What I was told is that this is complete FUD and false. The BlackBerry crypto is real crypto, just like SSL, PGP, S/MIME or anything else. The keys are generated on the handsets and on the BES server. There is end-to-end crypto, using real protocols like SPEKE. RIM doesn’t have the keys to give. RIM cannot give the keys over because only the devices have them.
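
The following Python is an added illustration, not RIM’s or BlackBerry’s code and not from either post. It models the shape that this paragraph and the RIM letter above describe: a SPEKE-style password-authenticated Diffie-Hellman exchange between the BES and the handset, a session key that only those two endpoints ever hold, and message traffic that the relay in the middle forwards without being able to read. It also shows why a password-authenticated exchange matters here: a relay that tries to insert itself without the activation password derives a different generator, so the keys disagree and the authentication tag fails. The 64-bit group, the HMAC-based stream cipher (chosen so the script needs only the standard library), the “activation password” and every name are assumptions.

```python
"""End-to-end key agreement through a relay that holds no key.

Added illustration, not RIM's or BlackBerry's code. The 64-bit group, the
stdlib-only cipher and the "activation password" are assumptions.
"""
import hashlib
import hmac
import itertools
import secrets


def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are exact for 37 < n < 3.3e24."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits: int) -> int:
    """First safe prime p = 2q + 1 (q prime) above 2**(bits - 1); deterministic."""
    q = (1 << (bits - 2)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = _safe_prime(64)  # toy size; real deployments use 2048-bit or larger groups
Q = (P - 1) // 2


def speke_generator(password: bytes) -> int:
    """SPEKE: the DH generator is derived from the shared password. Squaring lands
    it in the order-q subgroup; the counter skips the degenerate outputs 0 and 1."""
    for counter in itertools.count():
        h = int.from_bytes(hashlib.sha256(password + counter.to_bytes(4, "big")).digest(), "big")
        g = pow(h % P, 2, P)
        if g > 1:
            return g


def speke_keypair(password: bytes):
    """One side's ephemeral private exponent and the public value it sends."""
    priv = secrets.randbelow(Q - 1) + 1  # in 1 .. q-1
    return priv, pow(speke_generator(password), priv, P)


def speke_key(priv: int, peer_public: int) -> bytes:
    """Finish the exchange; refuse small-subgroup values before exponentiating."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer value")
    shared = pow(peer_public, priv, P)
    return hashlib.sha256(b"speke-session" + shared.to_bytes(8, "big")).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in itertools.count())
    return b"".join(itertools.islice(blocks, (n + 31) // 32))[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC-SHA256 keystream in counter mode, HMAC-SHA256 tag."""
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; raise on any mismatch."""
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


def end_to_end(message: bytes, password: bytes) -> dict:
    """The letter's design: only two public values and one sealed blob cross the relay."""
    a, bes_pub = speke_keypair(password)
    b, handset_pub = speke_keypair(password)
    k_bes, k_handset = speke_key(a, handset_pub), speke_key(b, bes_pub)
    blob = seal(k_bes, message)  # this is all the relay (and RIM) ever sees
    return {"keys_match": k_bes == k_handset, "delivered": unseal(k_handset, blob),
            "relay_saw_plaintext": message in blob}


def mitm_with_guess(message: bytes, password: bytes, guess: bytes) -> bool:
    """A relay that inserts itself with a guessed password derives a different
    generator, so its key and the BES's key disagree and the tag check fails.
    Returns True only if the interception worked (it does when the guess is right)."""
    a, bes_pub = speke_keypair(password)
    m, mitm_pub = speke_keypair(guess)
    try:
        unseal(speke_key(m, bes_pub), seal(speke_key(a, mitm_pub), message))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(end_to_end(b"quarterly numbers attached", b"activation-pw"))  # constructed sample
    print("MITM with wrong guess succeeded:", mitm_with_guess(b"hi", b"activation-pw", b"letmein"))
```

In the end-to-end case the relay forwards `bes_pub`, `handset_pub` and `blob`, none of which contains the key or the password, which is the concrete form of the letter’s claim that RIM holds nothing it could hand over. The MITM case is the caveat a plain Diffie-Hellman relay would not give you: because the generator itself depends on the password, an interceptor who does not know it cannot complete the exchange, and an eavesdropper has nothing to test an offline guess against short of solving the discrete logarithm. None of this says anything about RIM’s actual implementation, which is exactly the public-review gap the earlier post grumbles about.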

Of course, as is true in all hatchet jobs, the lead is with weasel-words:

In a major change of stance, Canada-based Research In Motion (RIM) may allow the Indian government to intercept non-corporate emails sent over BlackBerrys.

See that? It’s the word may.

Here’s my own text, which I know may be true because I just may have made it up:

In a major cryptographic breakthrough, Canada-based Research In Motion (RIM) may soon put quantum cryptography in all new handsets, preventing any interceptions, because it’s well, you know, quantum, and quantum is cool.

Or this:

In a major scientific advancement, Canada-based Research In Motion (RIM) may have accepted an order for 10 million BlackBerrys from space aliens living on Epsilon Eridani. A faster-than-light (FTL) email relay server may be installed at Barnard’s Star as part of this groundbreaking, er, space-breaking agreement.

And even:

In a major economic development, Canada-based Research In Motion (RIM) may have purchased the Large Hadron Collider from CERN. According to officials close to the development, Canadian High Commissioner David Malone may have approved the deal not merely despite, but actually because of the chance that the LHC could create a small black hole that would devour all of France. “Canada is just fed up with the pointy-lips in France making fun of their accents and may have decided to take proactive action. Details on this one will be provided in two or three weeks,” sources close to the deal may have told Emergent Chaos. No comment was available from the United Nations at posting time.

May, while a merry month, may also be the tool of liars.

RIM, I know you’re reading this, not only because we are one of the top 25 blogs, and not at all because we speak for the President of the United States, but because Adam used to live in Montréal and is no pointy-lips. Please, please give us a definitive statement. You have to call bullshit on this sort of thing before it becomes destructive.

I know and you know that there would be no better publicity for you than to call their bluff and say, “D’accord, pas de mûres pour vous.” (“Fine, no blackberries for you.”) We would all cheer. BlackBerry sales will soar.

Photo “Indian BB” by Edlimagno.