Medeco Embraces The Locksport Community

Two days ago, Marc Weber Tobias pointed out that Medeco, the 800 pound gorilla in the high-security lock market, recently published an open letter to the locksport community, welcoming it to the physical security industry:

While we have worked with many locksmiths and security specialists in the past to improve our
cylinders, this is the first time that we have worked with people in the sport-lock picking community.
I am pleased to know that you have as much concern for the security of the public as those of us in
the lock industry. Again, I welcome you as representatives of the sport-lock picking community, to
the lock industry, and hope that together we can continue to improve the security and safety that
locks provide to the world.

This is really exciting. For the past few years, I’ve watched as Matt Blaze and others applied information security principles to physical security and the resulting kerfuffles that so closely resembled the disclosure debates in our own space over the last ten years. As a result, it’s particularly exciting to see stuff like this coming from the physical security space.
Marc Weber Tobias has a great analysis of this letter as well as a very worthwhile discussion of ethics. Do go read it. The parallels between this and our own industry are very revealing…

R-E-S-E-P-C-T! Find out what it means to me

TSA-authority.jpg

The TSA apparently is issuing itself badges in its continuing search for authority.

The attire aims to convey an image of authority to passengers, who have harassed, pushed and in a few instances punched screeners. “Some of our officers aren’t respected,” TSA spokeswoman Ellen Howe said.

A.J. Castilla, a screener at Boston’s Logan Airport and a spokesman for a screeners union, is eager to get a badge. “It’ll go a long way to enhance the respect of this workforce,” he said. (“TSA’s Badges Are a Sore Spot With Cops,” USA Today)

See, the problem isn’t that the American people are unwilling to respect to support you, it’s that you don’t respect us. And respect is a two way street. TSA humiliates people. They intrude. They touch people’s privates. They want you to pack your toiletries in a baggie, take off your shoes, and submit to millimeter wave scanning. All the while, they’re no more effective than their predecessors.

You want respect? Earn it. Respect those around you, and those you’re supposed to serve. Tin-plate badges make you look like you’re desperate.

I suppose there’s a reason for that.

Intelligence maven Haft of the Spear has “How you dress has nothing to do with your effectiveness:”

I think this is a bad idea not because I think Screeners don’t deserve respect; I’m against it because its “cop-creep.”

Identity Theft is more than Fraud By Impersonation

gossip.jpgIn “The Pros and Cons of LifeLock,” Bruce Schneier writes:

In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn’t work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry’s lobbyists would never allow that.

There’s a type of security expert who likes to sigh and assert that ID theft is simply a clever name for impersonation. I used to be one of them. More recently, I’ve found that it often leads to incorrect or incomplete thinking like the above.

The real problem of ID theft is not the impersonation: the bank eats that, although we pay eventually. The real problem is that one’s “good name” is now controlled by the credit bureaus. The pain of ID theft is not that you have to deal with one bad loan, it’s how the claims about that bad loan haunt you through a shadowy network of unaccountable bureaucracies who libel you for years, and treat you like a liar when you try to clear up the problem.

So there’s a third way to deal with identity theft: make the various reporting agencies responsible for their words and the impact of those words. Align the law and their responsibilities with the reality of how their services are used.

I’ve talked about this before, in “The real problem in ID theft,” and Mordaxus has talked about “What Congress Can Do To Prevent Identity Theft.”

How much work is writing a book?

There’s a great (long) post by Baron Schwartz, “What is it like to write a technical book?” by the lead author of “High Performance MySQL.” There’s a lot of great content about the process and all the but I wanted to respond to this one bit:

I can’t tell you how many times I asked people at O’Reilly to help me understand what would be involved in writing this book. (This is why I’m writing this for you now — in case no one will tell you, either). You would have thought these folks had never helped anyone write a book and had no idea themselves what it entailed. As a result, I had no way to know what was realistic, and of course the schedule was a death march. The deadlines slipped, and slipped and slipped. To November, then December, then February — and ultimately far beyond. Each time the editor told me he thought we were on track to make the schedule. Remember, I didn’t know whether to believe this or not. The amount of work involved shocked me time after time — I thought I saw the light at the end of the tunnel and then discovered it was much farther away than I thought.

I think this is somewhat unfair to the O’Reilly folks, and wanted to comment. Baron obviously put a huge amount of effort into the work, but O’Reilly has no way of knowing that will happen. They run a gamut in second editions from “update the references and commands to the latest revision of the software” to “complete re-write.” Both are legitimate ways to approach it. It could take three months, it could take a few years. O’Reilly can’t know in advance. (Our publisher has told me horror stories about books and what it’s taken to get them out.)

So O’Reilly probably figures that there’s a law of diminishing returns, and pushes an insane schedule as a way of forcing their authors to write what matters and ignore the rest.

So it’s not like a baby that’s gonna take 9 months.


Andrew and I opened the New School of Information Security with a quote from Mark Twain which I think is very relevant: “I didn’t have time to write you a short letter, so I wrote you a long one instead.”

We took our time to write a short book, and Jessica and Karen at Addison-Wesley were great. We went through 2 job changes, a cross-country move, and a whole lot of other stuff in the process. Because we were not technology specific, we had the luxury of time until about December 1st, when Jessica said “hey, if you guys want to be ready for RSA, we need to finish.” From there, it was a little crazy, although not so crazy that we couldn’t hit the deadlines. The biggest pain was our copy-edit. We’d taken the time to copy-edit, and there were too many changes to review them all. If we’d had more time, I would have pushed back and said “reject all, and do it again.”

So there’s no way a publisher can know how long a book will take a new set of authors, because a great deal of the work that Baron Schwartz and co-authors did was their choice.

Iowa breach law arrives a bit early

On May 10, Iowa became the 42nd U.S. state (counting D.C. as a state) with a breach notification law. The law itself is not remarkable. If anything, it is notably weaker than many other states’ laws.
When can we expect to see the last stragglers finally pass their laws? Here’s a plot of each state’s date of law passage, expressed in days since the Choicepoint episode became public. The x-axis is logarithmic.
breachlaws.png
Looks like a decent fit to me. In fact, a tad over under 3% of the variance remains unexplained. Assuming that whatever accounts for this exponential decay remains for a while, the last state should have a law in place October 9, 2011 :^).

L’affaire Kozinski

Kim Zetter on Threat Level has written about Larry Lessig’s comments about Judge Alex Kozinski’s problems with having files on a personal server made public.

Zetter has asked to hear people’s opinions about the issue. I thought I’d just blog about mine.

Basically, I agree with Lessig. The major place that I disagree with Lessig is in his metaphor of someone jiggling open a lock. I think I would use the metaphor of someone pressing a camera to the judge’s window, and shooting pictures of the library through the gauze curtains. It was rude and inappropriate, whatever we might think of Kozinski as a judge. It was a privacy violation, and yes, a form of trespass. Perhaps somewhere in there it shows some hypocrisy, but privacy advocates who cheer showing someone’s hypocrisy by violating their privacy are hypocrites, too. (I am not accusing any specific people of this hypocrisy, I’m making a point.)

As Lessig and others have noted, nothing Kozinski did was illegal. Even in the case of his having MP3s, this was not illegal nor infringing, given what we know. It is completely legal in the US to make MP3s from your other media. It is not legal in the UK, nor in other countries, but he’s not a judge there. It’s also not infringing to set up a private server for family and friends.

RIAA, the MPAA, and other alleged defenders of intellectual property frequently deny that these things are legal, but if someone wants to show Kozinski’s hypocrisy by taking up those arguments, they’re essentially carrying RIAA’s and the MPAA’s water. This may be hypocrisy itself, if the people wanting to play gotcha consider themselves anti-RIAA/MPAA. It might also be simple stupidity, too. The media companies often and repeatedly advance opinions that if there were any reasonable regulation of the lawyers would get the media lawyers disbarred. Bringing those cracked opinions to bear against Kozinski only gives them credibility they do not otherwise have.

The one place I do wish to take issue with Zetter’s article is this:

On a separate note, the ABA Journal, a publication of the American Bar Association, has a good story today that examines the MP3 issue, noting that Kozinski wrote the dissenting opinion in a copyright case last year in which he sided with the copyright holder in saying that credit card companies that process payment for material that violates copyright should be liable for facilitating illegal sales of copyrighted material. This would imply that if it turns out that Kozinski’s site was making MP3 files available for download, he would consider himself liable for facilitating the illegal trade of copyrighted material.

I’ll again note that I think I’m disagreeing with the ABA Journal, not with Zetter’s remarks on it.

No, this doesn’t imply that. The Home Recording Act specifically allows one to time-shift content, media-shift content, and to share that content with family and friends. If Kozinski’s son implemented an el-cheapo equivalent of a Slingbox or iTunes Music Sharing and there were bugs in that implementation that let a clever person make unauthorized, infringing copies of the Kozinski Clan’s media, that’s an embarrassment. I am quite certain that Kozinski fils and père are quite properly embarrassed now. Unless we’re going to move from carrying the RIAA’s water to insisting on software liability for amateur programmers (won’t the FOSS crowd love that), then let’s let it drop.

Freedom isn’t doing what you want, freedom is defending people you disagree with. I actually don’t know if I disagree with Kozinski. I do know that I agree with Lessig. Privacy is an important right, and an intrinsic right. Everyone is deserving of privacy, even judges.

Woodie Guthrie said that some will rob you with a six-gun and some with a fountain pen. It is not as euphonious to note that some will hack you with Metasploit and some will hack you with Google, but it’s no less true. I’m not going to stretch that metaphor much further, but I will note that the technological difficulty of an act doesn’t change its character. There’s good hacking and bad hacking. It isn’t good just because it was easy. Conjuring up dirt on a judge with an easy hack is conjuring up dirt a judge. Here’s Lessig:

Now imagine … some disgruntled litigant … finds some stuff that he knows the local puritans won’t like. He takes it, and then starts shopping it around to newspapers and the like: “Hey look,” he says, “look at the sort of stuff the judge keeps in his house.”

I take it anyone would agree that it would outrageous for someone to publish the stuff this disgruntled sort produced. Obviously, within limits: if there were illegal material (child porn, for example), we’d likely ignore the trespass and focus on the crime. But if it is not illegal material, we’d all, I take it, say that the outrage is the trespass, and the idea that anyone would be burdened to defend whatever someone found in one’s house.

Lessing spoke of illegal material. An infringing MP3 is not illegal material. Infringement is not theft, but even if it were, a stolen Rembrandt is not kiddie porn. Lessig understand that and that’s why he picked the exception he did.

I’m one of Lessig’s anyones. It is outrageous to violate this person’s privacy and trump up their personal quirks (like thinking they can save a few bucks and write their own media server) into imagined crimes. If you believe in the right of privacy as a fundamental human right, then you should be outraged, too. We are all deserving of privacy. Even judges. Even judges who defend copyright. Even judges whose sons write buggy software.

Those of us who believe in the right to control the media we legally have in the way we see fit, not the way the media companies see fit should be defending Kozinski. Those of us who believe that creating software should be an unencumbered right should be defending Kozinski. We need to remember which side we’re on. It’s the side of liberty, not control.

Quantum Pride

Sorry, it's a comic strip

One of the curious features of Quantum Cryptographers is the way they harumph at mathematics. “Don’t trust that math stuff, you should trust physics.”

It’s easy to sneer at this attitude because physics has traditionally gotten its cred because of its foundations in math. Physicists are just mathematicians who don’t squick at canceling dxes. Quantum people had a hard time for a while because some of their math ended up dividing by zero, which squicks many people even more than canceling differentials. Feynman got around that with some clever drumming and some pictures, but I sneer at the Quantum Crypto lack of respect towards mathematics every chance I get.

On the other hand, some of their attitude is justified. A few months ago, I shut up a cryptographer who was railing about the stupidity of religious people by saying, “Oh, yeah? Well, there’s no proof that factoring is hard. You’re taking that on faith. Intelligent Design, RSA, what’s the diff?” just because I hate all forms of certainty.

And so it is impossible to hide the smile on my face as I point you to the arXiv blog entry, “How to build a quantum eavesdropper” in which physicists Yuta Okubo, Francesco Buscemi, and Akihisa Tomita describe an experiment in how to create a quantum eavesdropper on quantum cryptography. The paper is here.

No word on when they’re going to propose to the ESA to do the experiment on the ISS.

The xkcd comic is “Purity” by the talented Randall Munroe.

Can You Hear Me Now?

Debix, Verizon, the ID Theft Research Center and the Department of Justice have all released really interesting reports in the last few days, and what makes them interesting is their data about what’s going wrong in security.

This is new. We don’t have equivalents of the National Crime Victimization Surveys for cyberspace. We don’t have FBI compiled crime statistics. What we have are lost of people with lots of opinions, making lots of noise. It can be hard to get your message heard over the noise.

Tufte talks about credibility as one important outcome of good visualization. How showing your data effectively can make your case for you. In security, we haven’t shown our work very often. That’s why in the New School, Andrew and I made gather and analyze good data two of our key closing points. Some people have suggested they wanted more specifics, and I’m now glad that we didn’t. This outpouring of data makes this a tremendously exciting time to be in security.

Sharing data gets your voice out there. Verizon has just catapulted themselves into position as a player who can shape security.

That’s because of their willingness to provide data. I was going to say give away, but they’re really not giving the data away. They’re trading it for respect and credibility.

Verizon, we can hear you now. We can also hear Debix, the ITRC and the DoJ. Because they’re buying credibility with their data.


(Disclaimer: I’m a Debix shareholder, and I reviewed a draft of their report.)


[Update: Verizon’s report is getting lots of commentary. Interesting bits from Rich Bejtlich, Chris Wysopal, the Hoff or Slashdot.]

Department of Justice on breach notice

data-breaches-carding-justice.jpg
There’s an important new report out from the Department of Justice, “Data Breaches: What the Underground World of “Carding” Reveals.” It’s an analysis of several cases and the trends in carding and the markets which exist. I want to focus in on one area, which is recommendations around breach notification:

Several bills now before Congress include a national notification standard. In addition to merely requiring notice of a security breach to law enforcement,200 it is also helpful if such laws require victim companies to notify law enforcement prior to mandatory customer notification. This provides law enforcement with the opportunity to delay customer notification if there is an ongoing criminal investigation and such
notification would impede the investigation. Finally, it is also helpful if such laws do not include thresholds for reporting to law enforcement even if certain thresholds – such as the number of customers affected or the likelihood of customer harm — are contained within customer notification requirements. Such thresholds are often premised on the large expense of notifications for the victim entity, the fear of desensitizing customers to breaches, and causing undue alarm in circumstances where customers are unlikely to suffer harm. These reasons have little applicability in the law enforcement setting, however, where notification (to law enforcement) is inexpensive, does not result in reporting fatigue, and allows for criminal investigations even where particular customers were not apparently harmed. (“Data Breaches: What the Underground World of “Carding” Reveals,” Kimberly Kiefer Peretti U.S. Department of Justice, Forthcoming in Volume 25 of the Santa Clara Computer and High Technology Journal, page 28.)

I think such reports should go not only to law enforcement, but to consumer protection agencies. Of course, this sets aside the question of “are these arguments meaningful,” and potentially costs us an ally in the fight for more and better data, but I’m willing to take small steps forward.

Regardless, it’s great to see that the Department of Justice is looking at this as something more than a flash in the pan. They see it as an opportunity to learn.