Disaster Recovery Drills Aren’t Just For IT

The Economist has a short but great overview on crisis management. The article is well worth reading completely, but there is one section that bears highlighting:

Be well prepared in advance. Potential members of a crisis management “team” should rehearse how they would manage the impact of an incident. It is a bit like learning the safety instructions on a plane before take-off: you hope you will never need them, but you know it would be unwise to miss the lesson. The team should include the chief executive and a representative of the press office. Thereafter, all external enquiries relating to a crisis should be answered by the team.

It’s amazing how often this step gets left out of business continuity plans and it is probably the most important. I heartily encourage all executives to not just plan but practice practice practice. This is the sort of thing that can really bite you hard at just the wrong time.

King Log or King Brutalist

brutalist third church of christ.jpg

A Christian Science church near the White House filed suit against the city on Thursday, accusing it of trammeling religious freedom by declaring the church a historic landmark and refusing to allow church leaders to tear it down.

The building, a stark structure with walls that soar toward the sky, is an eyesore or a work of genius, depending on who is discussing it. The 37-year-old church was designed by Araldo A. Cossutta, who had been an architect in I. M. Pei’s firm, and declared a landmark in December.

Supporters of preserving the church, the Third Church of Christ, Scientist, say it is a sterling example of a style of architecture called brutalism, which is identified by repetitive geometric design and raw concrete. (“Church Sues over Landmark Status”=

Me, I just think there’s something between irony and schadenfreude in there not only being a “brutalist” style of architecture, but that Washington DC wants to preserve it, over the objections of those subjected to it.

(Not to mention the questionable justification for the government creating and keeping a list of historic landmarks which their owners then must maintain.)

Photo: Washington DC 3rd Church of Christ Scientist, Amy.Arch

We’re all in it together

Ryan Singel reports at 27B/6:

The TSA was keeping the names of people who lost their wallets and needed to fly — even after ascertaining their identity and determining they were not a threat and could board a plane. It stored these names in a shared threat database. Then it decided that it won’t store the names of people who it was able to identify as not a threat.

The entire article is a must read.

I’m Certifiably Wrong

So there’s some great discussion going on in the comments to “Certifiably Silly,” and I’d urge you to read them all. I wanted to respond to several, and I’ll start with Frank Hecker:

Could we take the cost issue out of this equation please … [Adam: I'm willing to set it aside, because the conversation has spiraled.]

The real questions as I see it are

1) Leaving aside the issue of cost, what are the pros and cons of introducing self-signed certificates into the current browser model of SSL?

2) If the advantages of introducing self-signed certificates into this model outweigh the disadvantages, what is the best approach (from a technical and user experience perspective) to introduce self-signed certificates into the current SSL model?

3) If there is a good technical/UX approach to introduce self-signed certificates into the current SSL model, what is the likelihood of such an approach being adopted on a universal basis (i.e., by all browser vendors), and how might this be made more likely?

I’d argue that these are the wrong questions: the real questions underlying our disagreement are probably “do certification authorities do what they’re purported to do, and (if we agree they don’t), what do we do about it?”

I think we do two things: One, we stop investing so much in them, and second, we investigate the heck out of the alternatives, including persistence and organizational CAs, including CAs run by groups like the American Bankers Association. These are both in direct contradiction of the CA business model, and so they’ve been stillborn.

I’m not going to claim that either will have better user experience than the current SSL model, and that’s a low bar.

So I’m wrong, the issue isn’t really self-signed certs, it’s the CA model.

There were another points raised, by both Frank and Andy Steingruebl about my bookmark model, which is that it breaks PayPal. There are two ways to read this model: One is “always use bookmarks.” the other is “never click on a link in email.” I intended the first, the second is unclear, given the prevalence of webmail. Perhaps we could address this by having merchants send transactions to PayPal, and then if I choose to login via a bookmark, I get a list of pending activity.

The final point that Andy raised is organizations with lots of web sites. A reasonable point, and one I’m not sure how to address. Part of how I’d address it is that most of us don’t see all of those brands. I would be happy to see some of the brand profusion go away, which of course, doesn’t mean it would happen. (I consulted for a bank for several years, I can’t keep track of all the brands that they present around my retirement accounts.) If I can’t keep track of them when they’re ‘not’ security critical, I surely can’t keep track when they are, and it is unreasonable to expect me to.

Certifiably Silly

Over at “The Security Practice,” Michael Barrett writes about “Firefox 3.0 and self-signed certificates.” Neither he or I are representing our respective employers.

…almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only be described as nominal.

There are all sorts of use cases where $29 is not chump change. For example, I own about 8 domains, that’s $240 in “security taxes.” People in the third world would like to communicate securely. But most importantly, the idea assumes that it’s ok to have an infrastructure which is mostly unencrypted, and we may only trust encryption only after the certificate priests bless it. When I wrote about turning on “opportunistic encryption for PostFix,” my goal was encrypting all email. There’s no need for a CA. The threat model is passive adversaries, and there are lots of those.

My company is a major target of phishing, and as such we’ve spent quite a bit of time researching what anti-phishing approaches work We published a whitepaper on this topic (which can be found on the company blog at www.thepaypalblog.com), which explains this in detail. However, a couple of relevant conclusions are that: 1) the vast majority of users simply want to be protected, 2) there’s no single “silver bullet”, and 3) that what we describe as “safer browsers” such as IE 7, and Firefox 3.0 are a significant part of the solution based on their improvements in user visible security indicators and secure-by-default behaviors.

You can’t always get what you want. Really, most people have little understanding of the issues. I think this is in large part because we’ve been talking down to them, in some part because the issues are complex, and in some part because it’s not important enough for them to want to become educated. It’s especially not important enough in light of debates like this one. We should try (sometime) to give people what they need.

I think we’d agree that the vast majority of users want, need and deserve protection that’s as simple and effective as we can make it. I don’t think blocking self-signed certs is a large part of that goal.

I conflated two or three separate ideas in that last sentence, and I should explain them. The general logic is that most users should never be presented with a security dialog that gives them a choice – if they are, there’s typically at least a 50:50 chance that the wrong decision will be made. Instead, the browser should make the decision for them. However, in the case of self-signed certificates it’s almost impossible to see how any technology can disambiguate between legitimate uses and criminal ones.

When viewed through this lens, the changes to the Firefox user experience for self-signed certificates makes perfect sense.

Even viewed through the lens presented, the self-signed experience doesn’t make perfect sense, unless you start with the assumption that a $29 SSL cert has some useful security value. I don’t believe it does. What it does is get rid of the ‘self-signed’ warnings. There are cheaper and easier ways to do that. Most of the certificates out there are signed by a company that the relying consumers have never heard of. There’s just not that much verification that can be done for $29. Today, anyone who’s broken into a company’s mail server can buy a fake cert with a stolen credit card.

Now, Michael’s employer is under massive attack. I am sympathetic to their desire to improve things, and I applaud a lot of things that they do. For example, their use of one time password tokens is great. I also think there’s great value to pushing people to recent browsers.

At the same time, it’s sensible for them to want to shift risk-part of me even welcomes the risks and attacks hitting the CAs. But I think that imposing yet another security tax, based on a static analysis of attackers, and some certificate authority pixie dust isn’t going to help things for very long.

And given the very real costs and the very fuzzy benefits, I think that breaking self-signed certificates is the wrong approach. What’s the right approach? I wrote “Preserving the Internet Channel Against Phishers” three years ago. I think that the advice isn’t silly at all.

Congratulations to Raffy!

security visualization.jpg
His book, Applied Security Visualization, is now out:

Last Tuesday when I arrived at BlackHat, I walked straight up to the book store. And there it was! I held it in my hands for the first time. I have to say, it was a really emotional moment. Seeing the product of 1.5 years of work was just amazing. I am really happy with how the book turned out. The color insert in the middle is a real eye-catcher for people flipping through the book and it greatly helps making some of the graphs better interpretable.

I’m really excited, and look forward to reading it!

That’s an address I haven’t used in a very long time.

Well, I got a letter from BNY Mellon, explaining that they lost my data. The most interesting thing about it, I think, is where it was sent, which is to my mom. (Hi Mom!) I had thought that I’d moved all of my financial statements to an address of my own more than a decade ago. I’ve been meaning to call BNY and ask questions, but haven’t had time.

The letter is dated June 9, regarding a February 27th loss by Archive Systems, Inc. The three-plus month delay annoys me. Archive Systems isn’t named in the letter. I had to look at Data breach at New York bank possibly affecting hundreds of thousands of CT consumers to discover that.

The signup experience for the “Triple Alert Monitoring” from Experian was not awful, but it was pretty poor. It demanded lots of personal information, wasn’t clear how it was going to be used. Experian stuffed a long terms and conditions into a three line at a time scroll box, clearly indicating that they don’t expect anyone to read it. Their web site silently relied on Javascript, and it wasn’t at all clear how long I’m enrolled for. I have little doubt I’ll start getting renewal notices in three months.

Incidentally, I’ve Been Mugged has a review of Triple Alert.

Watchlist Cleaning Law

Former South African President Nelson Mandela is to be removed from U.S. terrorism watch lists under a bill President Bush signed Tuesday…
The bill gives the State Department and the Homeland Security Department the authority to waive restrictions against ANC members.

This demonstrates that greater scrutiny must be placed on the decisions about who gets placed on terrorist watch lists and other government blacklists. It took a long time for Nelson Mandela to get off the list, and I wonder whether anybody who isn’t of Mandela’s stature stands a chance getting off the list. The story also raises questions about just who is designated a terrorist. There must be greater accountability in creating these lists.

(Dan Solove, “U.S. Government Finally Recognizes that Nelson Mandela Isn’t a Terrorist.”)
I fully agree with what Dan says, and would extend it to creating, maintaining and using such lists. But I wanted to comment on something which struck me. The story says (accurately) that the law “gives the State Department and the Homeland Security Department the authority to waive restrictions,” and also states the sense of Congress. Why doesn’t the bill simply order the removal of all such people, and give them actionable rights if they aren’t removed?

The bill is HR 5690.

This Is Not Writing; You Are Not Reading

The Paper of Record has a hilarious article, “Literacy Debate: Online, R U Really Reading?” which asks important questions about what Those Darn Kids are doing — spending their time using a mixture of hot media and cold media delivered to them over the internets.

I’ll get right to the point before I start ridiculing the ridiculous, and answer the question. No. Of course not. It’s not really reading. This is not text. It is not the product of hot lead type lovingly smearing a mix of kerosene and soot over wood pulp. It’s a bunch of pixels, and those pixels are whispering directly into your brain. You are not reading, you’re hearing my snarky voice directly massaging your neurons. That doesn’t happen when you read. People don’t see things or hear things when they read. Ask Anne Fadiman if you don’t believe me. She knows.

Let’s look at some of the statements in the article:

Few who believe in the potential of the Web deny the value of books. But they argue that it is unrealistic to expect all children to read “To Kill a Mockingbird??? or “Pride and Prejudice??? for fun.

It is unrealistic to expect any children to read Austen. Austen is arguably the second best writer in all of English, but she requires emotional experiences that children do not have. Pride and Prejudice is no more children’s reading than 1984 is. Trust me on this, I know. I read 1984 when I was ten, and when I re-read it in college, I was gobsmacked to learn that there is sex in it.

Some traditionalists warn that digital reading is the intellectual equivalent of empty calories. Often, they argue, writers on the Internet employ a cryptic argot that vexes teachers and parents. Zigzagging through a cornucopia of words, pictures, video and sounds, they say, distracts more than strengthens readers.

They said pretty much the same about Dickens. Until relatively recently, no serious scholar of literature (read college professor) would admit to reading Dickens. Personally, I agree. These days he’s considered a classic, and the non-serious scholars won’t admit to reading him.

Last fall the National Endowment for the Arts issued a sobering report linking flat or declining national reading test scores among teenagers with the slump in the proportion of adolescents who said they read for fun.

And of course we can fix this by denigrating what they do read, as opposed to finding things for them worth reading.

“Whatever the benefits of newer electronic media,??? Dana Gioia, the chairman of the N.E.A., wrote in the report’s introduction, “they provide no measurable substitute for the intellectual and personal development initiated and sustained by frequent reading.???

I’ll do my part. I resolve to start writing my blog posts, okay? Do you want them in printing or copperplate?

[Synopsis: Nadia's mother tries to instill a love of books in Nadia. Nadia does not respond until they get a computer, when Nadia gives up TV for fanfic.]

Now [Nadia] regularly reads stories that run as long as 45 Web pages. Many of them have elliptical plots and are sprinkled with spelling and grammatical errors.

Which the masters of modern literature such as Pynchon and Joyce would never do. Austen never had elliptical plots, they were circular, and she was merely eccentric.

Nadia said she wanted to major in English at college and someday hopes to be published. She does not see a problem with reading few books. “No one’s ever said you should read more books to get into college,??? she said.

And this is a problem?

Reading skills are also valued by employers. A 2006 survey by the Conference Board, which conducts research for business leaders, found that nearly 90 percent of employers rated “reading comprehension??? as “very important??? for workers with bachelor’s degrees.

I don’t know about you, but I wonder what sort of people the 10+% of employers are who think that reading comprehension is not very important. What sort of Dilbert-refugees are they? I find that “nearly 90%” to be disturbing.

Some literacy experts say that reading itself should be redefined. Interpreting videos or pictures, they say, may be as important a skill as analyzing a novel or a poem.

Ah, the word “may.” I’ve ranted about it before. It is true that interpreting pictures may be as important as analyzing a novel. It certainly is if you want to appreciate El Greco. But that’s not the point. As much as I like sneering at moderns who think Dickens is literature, times change. It may, indeed. Joyce may have written grammatically. Austen may be suitable for children. Reading comprehension may be important for workers with bachelor’s degrees. And Shakespeare’s works may have been written by another man of the same name.

I am disdainful of hot media, but the Web is the rennaissance of cold media. It’s an aberration in a slide to hotter and hotter media. Also realize that cold media is relatively recent. Most of human history had its literature in songs and pantomime.

Lastly, remember that kids have been no damned good for as long as we’ve been writing at all. The pinnacle of civilization was when we were in the caves, and it’s been a long slow slide into perdition ever since. Every generation is worse than the previous one. It will continue to be that way. These kids are going to sigh with exasperation and not understand why their kids roll their eyes at Sailor Moon. And they just not going to understand the true art form of fanfic and slashfic. Tsk.