Off to Belgium

belgian beer.jpg

I’m getting ready to leave for the 2008 Privacy Enhancing Technologies Symposium. I love this event, and I’m proud to have been involved since Hannes Federrath kicked it off as a workshop on design issues anonymity and unobservability.

I’m also happy that Microsoft has continued to sponsor an award for outstanding research in Privacy Enhancing Technologies. I used to participate in paper selection, before I took a job at Microsoft, but we are hands off as to the recipient. The award goes where the research community thinks it should go.

Finally, I’m happily reminiscing because on my last trip to Belgium, I met Andrew Stewart, leading, along a very chaotic road, to us writing The New School of Information Security.

I’ll be taking a couple of days off to get over jet lag and enjoy some fine beer and frites, and [my] blogging will be light.

Photo: some delicious beer, Awynhaus.

Putting the fun back in threat modeling

I have an article in the latest MSDN magazine, “Reinvigorate your threat modeling process:”

My colleague Ellen likes to say that everyone threat models all the time. We all threat model airport security. We all threat model our homes. We think about threats against our assets: our families, our jewelry, and our sentimental and irreplaceable photographs (well, those of us old enough to have photos that never existed in digital form do). We model threats based on architecture: there’s a wall here, a picture window there, and an easily climbed tree that we can use when we forget our keys. And we model threats based on attackers. We worry about burglars and kids falling into pools. We also worry about the weather, be it earthquakes, snow, or tornadoes.

If I wanted to sound like a management consultant, I’d say you employ a mature, multi-dimensional assessment process, with a heavy reliance on heuristics and low reproducibility across instances. At the same time, it’s likely you won’t have thought of everything or implemented defenses against every possible attack. It’s very unlikely you have a home defense management plan or have ever run a penetration test against your home.

There’s a lot in there talking about how and why some threat modeling methods became “heavy” and what to do about it. Underlying that is the start of a way of thinking about threat modeling as a family of related activities, and some ways of breaking that down. In particular, there’s a breakdown into asset-centric, architecture-centric, and attacker-centric threat modeling, which I think is a useful step forward.

What works for you in threat modeling? What hasn’t worked that you needed to replace?

Writing a book: The Proposal

To start from the obvious, book publishers are companies, hoping to make money from the books they publish. If you’d like your book to be on this illustrious list, you need an idea for a book that will sell. This post isn’t about how to come up with the idea, it’s about how to sell it.

In a mature market, like the book market, you need some way to convince the publisher that thousands of people will buy your book. Some common ways to do this are to be the first or most comprehensive book on some new technology. You can be the easiest to understand. You can try to become the standard textbook. The big problem with our first proposal was that we wanted to write a book on how managers should make security decisions.

That book didn’t get sold. We might rail against the injustice, or we might accept that publishers know their business better than we do.
Problems with the idea include that there aren’t a whole lot of people who manage security, and managers don’t read a lot of books. (Or so we were told by several publishers.) We didn’t identify a large enough market.

So a proposal for a new book has to do two main things: first identify a market niche that your idea will sell, and second, convince the publisher that you can write. You do that with an outline and a sample chapter. Those are the core bits of a proposal. There are other things, and most publishers have web sites like Addison Wesley’s Write for us or Writing For O’Reilly. Think of each of these as a reason for some mean editor who doesn’t understand you to disqualify your book, and make sure you don’t give them that reason.

With our first proposal, we gave them that reason. Fortunately, both Jessica Goldstein (Addison Wesley) and Carol Long (Wiley) gave us really clear reasons for not wanting our book. We listened, and put some lipstick on our pig of a proposal.

Funny thing is, that lipstick changed our thinking about the book and how we wrote it. For the better.

Breach notice primary sources

Today on the Dataloss mailing list, a contributor asked whether states in addition to New Hampshire and Maryland make breach notification letters available on-line.
I responded thusly (links added for this blog post):

I know only of NH and MD. NY and NC have been asked to do it, but have no plans to. NJ won’t do it because the reports are held by the state police and not considered public. IN had that provision stripped from their revised law. I saw no evidence that ME has them on-line at the AG’s site. Unless I missed any, those are all the states with central reporting.
I personally have several hundred notices to NY and NC that I am slowly scanning and making available. Unfortunately, my site is off the net for probably a couple weeks.

A later response pointed out that Wisconsin publishes some data as well. Actually, so does New York, but it’s pretty measly.
I forgot to mention in my email that California also considered central reporting — including a web site — as part of an update to its breach law. We blogged about this at the time. I understand these features were cut because of lack of resources.
EC reader Iang made a perspicacious comment at the time:

At some stage we have to think about open governance being run by the people. That is, expect to see some quality control from open institutions, ones that arise for a need. E.g., blogs like this and other aggregators of info.

I am very happy to report that the Open Security Foundation yesterday announced just such a resource. The press release tells the story, but basically it’s crowd-sourcing information on breaches. I am very enthusiastic about getting my primary sources archive back on-line so that I can link with, and otherwise contribute to, this new DataLossDB.

Laptops and border crossings

The New York Times has in an editorial, “The Government and Your Laptop” a plea for Congress to pass a law to ensure that laptops (along with phones, etc.) are not seized at borders without reasonable suspicion.

The have the interesting statistic that in a survey by the Association of Corporate Travel Executives, 7 of 100 respondents reported a laptop or other electronic device seized. Of course, this indicates a problem with metrics. It almost certainly does not mean a 7% seizure rate, as I’ve seen this inflated to. These seizures are such an outrageous thing that the people who have been subjected to them are properly and justifiably outraged. They’re not going to toss the survey in the trash.

I’m not sure how much I like the idea that Congress should pass a law to ensure that the fourth amendment is met. Part of me grits my teeth, as I think it should happen on its own. But if the courts aren’t going to agree, that probably has to happen.

Leveraging Public Data For Competitive Purposes

The Freakonomics blog pretty much says it all:

The latest:, the brainchild of brothers Ryan and David Petersen, with Michael Kanko. They exploit customs reporting obligations and Freedom of Information requests to organize and publish — in real-time — the contents of every shipping container entering the United States.
There’s a neat ticker on the bottom of their page showing a trickle of these data. Watch it for a few minutes: it’s mesmerizing and provides a sometimes beautiful window into the wonders of international trade.

Talk about a not-so-covert channel leaking what your business is up to on a daily basis. What the Petersens and Kanko are onto is yet another unintended consequence of globalization. It makes me wonder what other sources like this are out there and accessible via the Freedom of Information Act. Similarly, as one commenter on the above article asked, how soon before people try to game the system:

I wonder if something like this will lead to a rise in ‘creative’ customs declarations. Say a proxy company to take that new shipment of 22,000 digital thingies that are then immediately sold to Apple and thus mitigating the chances of someone predicting the street date of their latest offering

The Recent History of the Future of Cash

Dave Birch has a really interesting post about The future of the future of cash:

The report also identifies three key attributes of cash that make it — still — the dominant payment system. Universality, trust and anonymity. I’m curious about the location of anonymity in the customer mindset and I’m going to post some more about this shortly, so I’m only looking at the first two here.

I want to extend Dave’s assessment of what makes “trust” interesting:

Trust, on the other hand, may not be such a big barrier. It’s not clear to me how to disentangle trust in the medium of exchange from trust in the store of value, since people clearly use cash for both, but it is clear that a great many other tradable items can easily usurp cash once technology has acted to shift them from being a store of value into a viable medium of exchange (remember the tally sticks!) for their age. A couple of months ago we were discussing Nick Szabo’s classification of commodity derivatives as a kind of near-money, but there are plenty of exant near-monies already in use around the world, including mobile phone minutes in a great many developing countries. If I lived in Zimbabwe, it would take me years to learn to trust cash more than Vodafone minutes.

I think there’s an important element of trust missing, which is finality. With almost all computer-based systems, payments are conditional on some complex bureaucracy deciding to credit them. For example, see Gary Leff on some deal for frequent flyer miles:

Second, print everything and I mean everything. I printed the offer itself. I printed the page where I enter all the information about the rental (including my Skymiles number, etc). I printed the confirmation page. I’m saving all of those, and will save my rental receipt as well.

Why does he do this? Because he doesn’t trust the system. He’s prepping himself to go fight its decisions. In contrast, if they handed him a bearer certificate for 9,999 miles, or $200 cash (the rough value of the miles at $.02 per) he’d be done. He’d trust those things.

People used to sell things for cash on the barrelhead. When that cash was cold, hard cash, rather than fiat, print-it-yourself money, the deal was done when the money changed hands. You can’t lose any more than you have in your pocket (or under your mattress). Electronic systems don’t have that property, and that makes them harder to trust. You don’t just have to disentangle value-store from medium of exchange. You have to estimate the value of finality.