Breach Misdirection

While we were all paying attention to the Inauguration and having merry debates about how many Justices can deliver the Oath of Office on a pin, what may be the biggest breach ever tried to tiptoe past.

Heartland Payment Systems may have lost 100 million credit card details, surpassing the 94 million that was lost in the TJX breach.

There aren’t many details, yet. Apparently the hackers were on the network for months, having gotten in through malware.

We will of course hear many more details on this. The USA Today article has some news. AP has the best reporting I’ve read, but they are ambivalent about pixels, so you’ll have to find it on your own.

Rethinking Risk

Now it’s no secret to those of you who know me that I’m a big believer in using risk management in the security space. Iang over at Financial Cryptography thinks it is “a dead duck”:

The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable these days). For all others, risk management is just an ancillary aspect, a nice-to-have, something that others say is critical to you, but you ignore because you’ve got too much to do. So we have a choice: is security like finance, or is it like “the rest of business?”

I disagree. While it’s true that financials and insurance have done a much better job than anyone else of formalizing their risk management practices, every business does risk management to some degree; it’s part of the job of the C-Suite. Arguing that we don’t have data, so trying to do it in security is pointless, is taking the lazy way out. It’s true we don’t have as much data as we’d like, but as Hubbard said (more or less), “You don’t need as much data as you think, and you have more data than you think.” In other words, we have to start somewhere.

On a related note, The Economist ran an article at the beginning of this year, from which I took the title of this post, “Rethinking Risk.”

What makes the current situation so dire is the way in which so many major risks are converging all at once: a credit crisis, volatile commodity prices, soaring government debt, rising unemployment and its attendant impact on consumer spending — the list goes on.

None of those risks are lost on CFOs, of course, who now have an additional impetus to address them: more pressure from boards. Corporate directors in most industries have gotten risk religion, says Henry Ristuccia, U.S. leader of Deloitte’s governance and risk-management practice in the Northeast. “More external directors are asking senior management: What are the company’s major risk issues? What are the dimensions of governance and risk management? What levers and tools does the company have in place for risk management?”

Now, The Economist doesn’t explicitly talk about security but as several companies including Hannaford and TJ Maxx learned, just because you’re not in the finance industry doesn’t mean you don’t face significant financial or security risk. A shame neither of them had real risk management in place.

President for Ten Minutes

During a chat I had this afternoon, someone brought up an interesting situation to contemplate. The Presidency of George Bush fils ended today at noon EST, but Mr. Obama wasn’t sworn in until 12:10. Who then, the question was, was President during those ten minutes?

One mildly unsatisfactory answer is Ms. Pelosi. If there is neither a President nor Vice President, then the duty falls to the Speaker of the House.

An even less satisfactory answer is Mr. Biden. The way that was explained, he was sworn in at 11:58. I find it unsatisfactory for two reasons. The most important to me is that after conjuring up this inter-administration gap, this closes it before it started. The second reason follows from what I think the best answer is.

The best answer to my mind is the simplest: no one. The office doesn’t magically fall to the next person in line, they actually have to be sworn in. When Mr. Kennedy was murdered, there was a short gap between his death and Mr. Johnson being sworn in and during that gap, there was no President. It’s the swearing in that makes the President. Similarly, in the event that an election gets thrown into the House and they didn’t decide until the 21st, there’d be no President for that day.

If there was indeed a gap (I could argue there was none), the person to whom the office fell was unequivocally Mr. Obama. He was at the time President-Elect. Even if Mr. Biden were somehow actually Veep, the obvious President-to-be is the President-Elect. Of course, this is also why the answer of Ms. Pelosi is unsatisfying. Even if we’re running the Executive like a Swiss railway, we know who the incumbent executives are.

Nonetheless, it’s fun to muse over. Feel free to spin your own argument for whomever.

The clever reader may also note that I said “today” despite it being past midnight server time. I have a personal rule that it’s still today until one goes to bed; it’s still night until one has breakfast; it’s still morning until one has lunch. And besides, it’s still the 20th in Hawaii, the President’s home state.

Change I Can Believe In

From (the new)

Except where otherwise noted, third-party content on this site is licensed under a Creative Commons Attribution 3.0 License. Visitors to this website agree to grant a non-exclusive, irrevocable, royalty-free license to the rest of the world for their submissions to under the Creative Commons Attribution 3.0 License.

Three short comments on the Inauguration

The reality that a black man is about to become President of the United States is both momentous and moving. It’s hard to say anything further on the subject that hasn’t been said and re-said, but I am simply proud that the pendulum has swung to someone like Obama.

I’m excited to have an educated, articulate, urban President. When I say urban I mean he lives in a city, not on a ranch, a farm, or in a vacation town. I don’t know what fraction of Americans are urban, but I do feel that we are under-represented by our Presidents.

It’s a sad reality that threats against him are higher than against other Presidents because of his race. Some black friends of mine are stunned that he made it through the campaign, and don’t expect him to make it through his first term. Despite crap like this, I don’t think anyone in the protection business wants to be the one who fails this President. Professional pride. At the same time, I’m with Mark Thompson, who, in Time, wrote “Is a Police State Necessary?” I believe that the answer is no. We don’t need to restrict strollers or thermoses from the broad inauguration zone. If we wish to keep those things from the innermost zones, that might make sense. We can’t allow our institutions and traditions to continue to be driven by fear. It’s a matter of hope.

Children, Online Risks and Facts

There’s an interesting (and long!) “Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States.” Michael Froomkin summarizes the summary. Adam Thierer was a member of the task force, and has extensive commentary on “the primary online safety issue today is peer-on-peer cyber-harassment, not adult [sexual] predation,” along with a great link roundup. Kim Zetter at Wired gives unfortunate credence to hyperbolic claims by some attorneys general that “harsh reality defies the statistical academic research underlying the report.” Uh huh. I’m glad Richard Blumenthal knows the truthy, and isn’t going to let facts stand in his way. I’m less glad that Wired chose to portray that as a ‘controversy.’ I’d call it an embarrassment to the state of Connecticut.

Emergent Forest

Moving Forest is a park on wheels. The park is made of trees in shopping carts that allow the public to rearrange their own little park.

The forest is created by Dutch architect firm NL architects in response to the lack of green nature in contemporary urban environments – which, in the case of the Netherlands, more or less amounts to the whole country.

Via Guerrilla Innovation. The show has a photostream on Flickr. I liked this one, but the contrast wasn’t quite right for here.

Umami, or why MSG tastes so good

It’s appetizing news for anyone who’s ever wanted the savory taste of meats and cheeses without actually having to eat them: chemists have identified molecular mechanisms underlying the sensation of umami, also known as the fifth taste.

The umami receptor’s shape is similar to that of sweetness receptors, he said, and his team’s research could eventually suggest alternatives to sugar. But more work is needed to determine exactly what happens when signals are sent from tongue to brain.

“Molecular mechanism for the umami taste synergism,” By Feng Zhang, Boris Klebansky, Richard M. Fine, Hong Xu, Alexey Pronin, Haitian Liu, Catherine Tachdjian and Xiaodong Li. Proceedings of the National Academy of Sciences, Vol. 106 No. 52, Dec. 30, 2008.

Via Wired, who didn’t link to the article, and so we won’t link to them.
“Science Behind Mysterious ‘Fifth Taste’ Revealed,” By Brandon Kim, Wired Science Blog, December 22, 2008.

Privacy & Healthcare

One of the dirty little secrets of bad privacy law is that it kills. People who are not comfortable with the privacy of their medical care may avoid getting needed care. That’s why privacy features in the Hippocratic oath. But few people want to study this issue, and studying it is hard: people are likely to lie about their behavior. So when I find examples, I want to post them. This one is an incidental mention from the Economist a year or so back, which I pulled from the magazine and lost on my desk until now:

In the short term, the case for strong privacy laws seems clear. Francis Collins, an official at America’s National Institutes of Health who led the American arm of the Human Genome Project, argues strongly for GINA. He claims that many people with genes worth studying are avoiding research projects for fear of facing genetic discrimination later in life. Never mind altruism, says Dr Cook-Deegan, many people are even avoiding genetic screening that could save their own lives.

The problem arises when one looks to the medium term. If genetic information is kept secret from insurers, but individuals have the freedom to add or drop insurance coverage, then problems of adverse selection may arise. People will be tempted to “game” the system. Those who test negative for a serious and costly disease may drop coverage, while those who test positive may add or increase coverage. Insurers worry this will lead to a collapse of their risk pools, and ultimately to financial ruin.

(“Do Not Ask or Do Not Answer?,” Economist print edition. Oddly, the printed page, which I saved, has this as August 25, 2007, under a different title than the Economist’s web archive.)

“Get FISA Right” Pointer

[Update: This got to #5 on’s list, and they’re now working to draw attention to the issue on]

Jon Pincus has asked me for help in drawing attention to his “Get FISA Right” campaign to get votes on When I’ve tried to look at this, it’s crashed my browser. YMMV; I use a number of security plugins which may be at fault. The crash happens when the browser reports getting data from (I think), so if you can watch YouTube video, you’re likely ok. I think that getting the rule of law restored in the intelligence community is incredibly important. At the same time, we face a large number of crises right now, and which to address first is a hard problem. I don’t want to endorse this over other things which I can’t see, but Jon asked for help drawing attention to it. So go take a look.

Note is not the same as, the new President’s transition team’s site, operated and surveilled by Google.

In closely related news, the NYTimes reports that “Intelligence Court Rules Wiretapping Program Legal:”

A federal intelligence court, in a rare public opinion, is expected to issue a major ruling validating the power of the president and Congress to wiretap international phone calls and intercept e-mail messages without a court order, even when Americans’ private communications may be involved, according to a person with knowledge of the opinion.

The court ruling grew out of a previously undisclosed challenge from a telecommunications provider, which questioned the constitutional authority of the executive branch in ordering it to capture and turn over international communications without court authority, according to the person with knowledge of the opinion.

It’s clear that we cannot operate a system of secret courts issuing secret rulings, and then critique the same behavior by despotic regimes. We need to sharply curtail the system of secret laws and secret lawsuits in secret courts which issue secret opinions, and have a real debate about the limits of power.

Back in 1996, the National Research Council had a set of retired generals, admirals and heads of intelligence agencies study the cryptography question. In their “Cryptography’s Role in Securing the Information Society,” they clearly state that we can have this debate in public. The shape of the facts is all known. The details which must be kept secret are not needed for the full debate that a democratic society must engage in. Their wisdom is applicable here.

Massachusetts Analyzes its Breach Reports

In “Report On The M.G.L. Chapter 93H Notifications,” the Office of Consumer Affairs analyzes the breach notices which have come in. The report is a lot shorter than the “Maine Breach Study,” coming in at a mere four pages.

There are many interesting bits in those four pages, but the two that really jumped out at me are:

  • The Hannaford incident suggests that the Payment Card Industry Data Security Standards are not an effective standard in light of the need for encryption.

  • The Hannaford breach (as understood in light of the HSBC notification) illustrates that data breaches not amounting to the breach of “personal information” have the potential to be as damaging as those that do involve such information.

What’s exciting about this is that we’re seeing the PCI standard being tested against empirical data about its effectiveness. Admittedly, the report jumps to conclusions from a single data point, but this is new for security. The idea that we can take a set of “best practices” and subject them to a real test is new. It might, if you’ll forgive me, even be New School.

Protection Poker

Listening to Gary McGraw’s Silver Bullet #33, Laurie Williams mentioned protection poker.

Protection poker, like planning poker, isn’t really poker. Planning poker is a planning exercise, designed to avoid certain common pitfalls of other approaches to planning. The idea behind protection poker is to be an “informal form of misuse case development and threat modeling that plays off the diversity of knowledge and perspectives of the participants.”

I really like informal approaches to threat modeling, especially where there’s a somewhat knowledgeable group of players. (The draft title of this was “putting the fun back in threat modeling.”) Most people have some informal thoughts about what might go wrong with a system they’re building. This sense is probably strongest with those with the right orientation (“security mindedness”) but it can be enhanced with either training or a methodology. Yoshi Kohno is working on teaching the orientation. To the extent that we can better extract implicit knowledge, or make the training or process more fun, we’ll get more secure systems.

There’s a tutorial, and a paper: Williams, L., Gegick, M., and Meneely, A., “Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer,” International Symposium on Engineering Secure Software and Systems (ESSoS) 2009, Leuven, Belgium.