AOL Search Documentary

Lernert Engelberts and Sander Plug have taken the AOL search data which AOL released “anonymously,” and made a movie with the searches of user #711391.

i love alaska.jpg

I Love Alaska, via Guerrilla Innovation.

Worth checking out, but be warned: it’s a little on the languid side, using pacing and voice to build the story.

Also, note that the movie says the release was accidental. Engelberts and Plug regret the error.

Previously: “AOL search records ‘research’,” “AOL data release fallout,” “Researchers Two-Faced over Facebook Data Release,” and “Wendy Richmond’s Surreptitious Cellphone.”

Let’s Fix Paste!

copy-paste.jpg

Okay, this is a rant.

Cut and paste is broken in most apps today. More specifically, it is paste that is broken. There are two choices in just about every application: “Paste” and “Paste correctly.” Sometimes the latter one is labeled “Paste and Match Style” (Apple) and sometimes “Paste Special” (Microsoft).

However, they have it backwards. Usually, what you want to do is the latter one, which is why I called it “paste correctly.” It is the exception that you want to preserve the fonts, formatting etc. Usually, you want to just paste the damned text in.

I mean, Jesus Hussein Christ, how hard is it to understand that when I go to a web page and copy something and then paste it into my document that I want to use MY fonts, formatting, color, and so on? Even if I do want to preserve those, I ESPECIALLY do not want you to leave my cursor sitting at the end of the paste, switched out of whatever setting I’m using. On the rare occasion that I want paste as it is done today, the keys I type are:

modifier-V              ! Paste (modifier is either (ironically) command or control)
start typing            ! Continue on my merry way
modifier-Z              ! Oh, crap, I'm no longer in my font,
modifier-Z              ! I'm in Web2.0Nerd Grotesque 10 light-grey
! undo the typing and the paste
space, back-arrow       ! Get some room
modifier-V              ! Paste
forward-arrow           ! Get back to my formatting
(delete)                ! Optionally delete the space
start typing again      ! Now where was I? Oh, yeah....

Note the extra flourish at the end because pasting is so helpful.

The usual sequence I type is:

modifier-V              ! Paste
modifier-Z              ! %$#@*!
search Edit menu        ! Gawd, where is it, what do they call it?
select Paste Correctly  ! Oh, there
start typing again      ! Now where was I? Oh, yeah....

This is much simpler, but has its own headaches. First of all, Microsoft binds their “Paste Special” to control-alt-V and brings up a modal dialog because there are lots of options you could conceivably want, and just wanting to paste the %$#@&* text is so, so special. Apple (whose devs must long for the Knight keyboard) binds it to command-option-shift-V, but at least doesn’t make me deal with Clippy’s dumber cousin. They put “Paste Style” on command-option-V, which pastes into place only the formatting. Oh, yeah, like I do that so often I need a keyboard shortcut.

The upshot is that the user experience here is so bad that the stupid blog editor I’m using here that actually makes me type in my own <p> tags is a more predictable editing experience. I can actually achieve flow while I’m writing.

Most tellingly, the most even, consistent, out-of-my way editing experience is getting to be LaTeX! Yeah, I have to type accents by hand, but at least I don’t lose my train of thought every time I paste.

The solution is simple. Make modifier-V be paste. Just plain old paste. Put paste-with-frosting on control-meta-cokebottle-V and give it a helpful dialog box. Please?
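What “just paste the damned text” amounts to is discarding the markup before insertion and keeping only the characters. A minimal sketch of that idea in Python, using only the standard library (the example input is illustrative, not any real clipboard API):

```python
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Collects only the text nodes, discarding tags and styling."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def paste_plain(rich_html: str) -> str:
    """'Paste correctly': keep the characters, drop the formatting."""
    parser = _TextOnly()
    parser.feed(rich_html)
    return "".join(parser.chunks)


# Copying from a web page hands you styled markup; this keeps just the text.
print(paste_plain('<span style="font: 10pt Grotesque">hello</span> world'))
```

Any editor could run its clipboard contents through something like this on plain modifier-V, and reserve the styled version for the chorded shortcut.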

Photo by adam.coulombe.

Daily Show on Privacy

(h/t to Concurring Opinions)

Why Didn’t SOX Catch The Bank Failures?

Iang recently indicted the entire audit industry with “Two Scary Words: Sarbanes-Oxley”. I’ve excerpted several chunks below:

Let’s check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?
No. Not one, not even a single one!
Yet, the basic failures in the financial crisis are so blatant that surely, even by accident at least one audit should have picked up at least one pending failure, and fixed it? No, not one, known to date. At least, as far as I know, and we should probably wait a few years before writing the final judgment.

and

Can we pronounce the financial audit as bankrupt by its own measures? In theory, the audit should have picked up these failures, all of them. Consider this case-in-point, to prove that the theory works: the enhanced audit required on public listing did in fact pick up the Refco fraud that led quickly to its failure, and the near-failure of Bawag, a big bank in Austria that participated in the fraud. (The sorry fool who found the fraud was fired for his troubles, and only later did his reports filter out and cause questions that ultimately forced the fatal result.)
The audit theory works, then, in some sense or other. Manifestly, audits didn’t work for the financial crisis. And, they so didn’t work after that so-huge rewrite called Sarbanes-Oxley, that we can conclude that mere improvement is completely off the agenda.

The thing about SOX is that while it is hugely in-depth as audit requirements go, it is also incredibly narrow in its breadth, in terms of how it is implemented by companies and how it is audited. Auditors are so busy ensuring that someone isn’t cooking the books that they don’t look for people deluding themselves, people who don’t understand their own inputs, or whether the source data for the models was reasonable. This is why Refco was identified and the bank failures were not. And if there is an actual failure of SOX, this is it: not that it didn’t catch the bank failures, but that it was never designed to do so in the first place. If all you are worried about is nails, all you look for is hammers.

$450 per account? No.

So there’s a claim going around, which is that I believe that a breach costs $450 per account. That claim is not accurate. What was said (and the interview was in email, so I can quote exactly):

(Interviewer) The Hannaford breach resulted in more than $318,000 in gross fraud
losses, according to data reported by 22 financial institutions. More
than 700 accounts were used fraudulently. That’s out of millions that
were breached. Do you find that $318K figure high or about right.

(me) That’s about $450 per account, which is inline with the reports of how
the crooks were monetizing their data.

This was reported as:

Adam Shostack, blogger and author of The New School of Information Security, said the expenses turn out to be about $450 for each breached account, which is inline with the estimated figures on for sales of pilfered account data on the black market.

I’m not naming the interviewer, because I don’t want to imply that the fault is his. I answered the question, he quoted me.

What I meant, which I think is clear from context is: “That’s about $450 per abused account, which is inline with the reports of how the crooks were monetizing their data.”
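For the record, the arithmetic is just the reported gross losses divided by the abused accounts, not by the millions of breached ones:

```python
# Numbers from the interview quoted above.
gross_fraud_losses = 318_000   # dollars, reported by 22 financial institutions
abused_accounts = 700          # accounts actually used fraudulently

per_account = gross_fraud_losses / abused_accounts
print(round(per_account))  # → 454, i.e. "about $450 per abused account"
```

Dividing by the millions of breached accounts instead would give a figure of pennies, which is the whole point of the correction.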

Emergent Chaos regrets … any confusion which may have resulted, and I’d like to thank Patrick Florer for drawing my attention to this.

[Update: Robert Westervelt has updated the original story. Thanks, Robert! I hadn’t contacted him because I felt the reporting was not inaccurate.]

“A Scientific R&D Approach to Cyber Security”

Charlie Catlett, CIO of Argonne National Labs has released a report on “A Scientific R&D Approach to Cyber Security” (Powerpoint summary, community wiki).

It’s a very interesting report. There’s a lot to agree with in terms of a research agenda. They’re looking to compose trustworthy systems from untrusted components, to create self-protective data and software, and to use mathematics for predictive awareness for secure systems.

I have two issues with it, one small and one large. The small issue is that the report places mathematics on a pedestal, and goes so far as to refer to economic analysis as a ‘metaphor.’ Mathematics is clearly quite useful, but the problems we experience are often no longer mathematical, but about the meaning of things, and that is a human problem.

Much bigger is that in all the discussions of bringing to bear the power of science, there’s no mention of the data acquisition problem. That is, you can do all the modeling you want, but if you’re not gathering rich data sets about what goes wrong, you can’t test those models or craft informed hypotheses.

I applaud Catlett for seeing the need for real science, and hope that the future research agenda will involve partnerships with those who handle the human side of computer security, as well as joining the New School call for more and more data.

Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder:

Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction.

“We couldn’t believe what we found,” said Paula, who purchased the cabinets and asked that her last name not be published. “We thought of calling the American consulate right away, and then we thought, you know they’ll just hide it and say, ‘Oh, we made a mistake.'” (“U.S. Consulate Mistakenly sells secret files in Jerusalem,” Fox News)

Transparency is a powerful idea. There’s little risk in disclosing this incident, except to the career of the person who sold the cabinet. Security professionals on both sides know that these things happen. If we talked about the incidents we could assess their frequency and see if there are cost-effective ways to prevent these things. I expect that there are, but no one wants to add a layer of bureaucracy for a threat that they can’t really assess. There are too many threats and too many ways to address them.

First Impressions of the 2008 Ponemon Report

So the 2008 Ponemon breach survey is out and I’m reading through it, but I wanted to expand on the headline: “Ponemon Study Shows Data Breach Costs Continue to Rise.”

This is the report’s figure 3:

Ponemon Study Breaches.jpg

Left to right, those are “detection and escalation,” notification, “ex-post response” and “lost business.” I note that 2 fell, one is flat, and one rose. The lost business number is a survey estimate, an extrapolation.

I am, to be frank, somewhat skeptical of these lost business numbers. I think that the estimates are now at risk of being “self-feeding,” where people take one of the estimates they’ve seen from prior reports, and build an estimate on that, adding a little “because this is a bad one.”

I’m also pretty surprised to see that 5 industries reported churn rates above 5%. They are healthcare, financial, energy, communications, and ‘services.’ I’m not as skeptical here–these are easier to measure for both the reporter and the surveyor. I am surprised because at least health and financial can have pretty good lock in. I tend to agree with the analysis that “[The] growth in lost business costs demonstrates consumers do not take a breach of their trust and privacy lightly and have not become desensitized to the issue.”

So I’m pretty sure I have readers who have been involved in a breach response process. Can you comment (anonymously if you’d like) about how accurate you think these calculations are? What margin of error would you assign to your own organization’s estimates of lost business?

[Update: Black Fist has interesting and similar analysis in “ Risk analysis: Cost of breaches and rolling your own numbers,” which I just saw.]

Boundary Objects and Threat Modeling

threat model dfd.jpg
Ethnomethodologists talk a lot about communities of practice: groups of people who share some set of work that they do similarly, and who co-evolve ways of working and communicating.


When everyone is part of a given community, this works really well. When we talk about “think like an attacker” within a community of security practice, it works well. When we tell developers to do that, they look like a deer in the headlights. (Sorry, couldn’t resist.)

One of the tools which different communities of practice can use to communicate is a boundary object. Boundary objects include things like ISBNs. Books have ISBNs in large part to track payments. They differ from Library of Congress catalog numbers. 0321502787, HD30.2.S563 and “The New School of Information Security” all refer to the same book in different contexts.

In STRIDE/Element threat modeling, there are two accidental boundary objects. (I learned about the theory after developing the approach.) They are data flow diagrams (DFDs) and bugs. The picture is a DFD, showing the process of threat modeling, along with boundaries. The boundaries are doing double duty as trust boundaries, and bisecting the boundary objects.

The DFD acts as a boundary object because it’s simple. It takes about 30 seconds to learn (except for trust boundaries). It looks a lot like most whiteboard diagrams. Developers can draw the diagram, and security experts can analyze it.

The second boundary object is the bug database. Everyone in software development understands bug databases. And though the practices which surround them differ pretty markedly, almost no one would ship a product without reviewing their bugs, which is why security people like putting the output of a threat modeling session into the database.
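The two boundary objects can even be wired together mechanically: walk the DFD’s elements, apply a STRIDE-per-element mapping, and file each candidate threat into the bug database. A minimal sketch, where the element names and the exact mapping shown are illustrative rather than a complete methodology:

```python
# STRIDE-per-element: which threat categories apply to which DFD element type.
# (Illustrative mapping; real guidance is more nuanced.)
STRIDE_PER_ELEMENT = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"],
    "data_flow": ["Tampering", "Information disclosure", "Denial of service"],
    "data_store": ["Tampering", "Repudiation",
                   "Information disclosure", "Denial of service"],
}


def threats_for(dfd_elements):
    """Turn (name, element_type) pairs from a DFD into candidate bug titles."""
    bugs = []
    for name, kind in dfd_elements:
        for threat in STRIDE_PER_ELEMENT[kind]:
            bugs.append(f"{threat} against {name}")
    return bugs


# A developer draws the diagram; this enumeration seeds the bug database.
for bug in threats_for([("browser", "external_entity"),
                        ("web server", "process")]):
    print(bug)
```

The output is deliberately boring: a list of titles that land in the tool every developer already understands, rather than in a security-specific artifact.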

There are other possible boundaries, such as the interface between the business and the software. This is where assets come into some threat modeling approaches.

So what’s the takeaway here? If you’re watching groups of people frustratedly talk past each other — or wishing they’d be that communicative — look to see if you can find boundary objects which they can use to help organize conversation.

Identities are Created Through Relationships

identity.jpg
I’m listening to this really interesting podcast by Bob Blakley and Phil Windley. What really struck me was where Bob said “thinking of identity as an artifact all by itself is unsatisfactory because we can talk about an identity and the attributes of an identity leaves out important details about how identities are created and how they evolve…relationships are the landscapes in which identities exist.” I think this is interesting, but I’m reading a paper about ethnomethodology and information security. One of the claims it makes is that meaning is created through conversation, and that a history of conversation and shared reference points gives us an ability to converse in meaningful ways. When someone says we’re talking past each other, what they may mean is that the conversation lacks sufficient shared context to be meaning-full.

So I’d like to fuse these ideas, and propose that identity is created through relationships. That without relationships, identities actually don’t exist. In the pathological cases of solitary confinement or hermitage, identity is severely stressed or destroyed.

I think people understand this instinctively, although perhaps not formulated as I’ve said it. Who a child spends time with shapes them, for good or ill. What parent doesn’t ask to meet their children’s new friends? The relationships create identity. As people age, and intimate relationships end either by breakup or death, people say they feel like they’ve lost a part of themselves.

As regular readers know, I’m concerned about the impact of replacing personal relationships with dossiers, algorithms and their implementations, like background checks, the use of credit scores everywhere, etc. Dossiers and databases are fed by organizations with whom we have a relationship. But the relying parties often have no relationship with us. They start their relationship defining us by the contents of dossiers, and it impinges on our sense of self. Our identities are set aside. There’s no relationship, there’s no conversation, and we feel either elated — “they like my file me!” or dejected “what’s wrong with me?” This displacement also drives the emotional response to identity theft. We’re upset that the person or organization we’re talking to is confused about who we are. They’re confused because the dossier is confused, and the dossier is confused because of a web of relationships which are hard to see or understand. The relationship re-creates our identity.

The third place I’d like to look is the rise of new forms of ‘loosely coupled’ technological relationships, perhaps first created by usenet, and now visible in places like Tribe, Facebook or MySpace. Here, we see people presenting their identity — in part — by how many ‘friends’ they have. There’s also an element of restoration of older identities — reconnecting with a boy scout troop, high school friends — all relationships that contribute to identity.

In “The Presentation of Self in Everyday Life,” the idea is that we create personas to control relationships. From lawyers to doctors to waitstaff or auto mechanics, people present a view into their identity that makes sense. I would question if I want to give business to an auto mechanic who was reading the Harvard Law Review when I came in, or a lawyer who was reading a Chilton’s repair manual. People present themselves in certain ways to control the perception of ‘who they are,’ and so a professional relationship develops in the right way.

I also want to look at privacy in the sense of Schoeman’s “Privacy and Social Freedom.” Schoeman looks at privacy as essential to freedom because it allows us to explore ideas without having to ‘answer’ for them. If we have a conversation with a friend, we need to worry less about saying dumb things, because the conversation is private. We explore and shape our identity within relationships and through those we’ve chosen to trust.

So next time someone talks about identity or identity management, ask yourself, what are the assumptions about the relationship? And when you hear someone talking about ‘customer relationship management,’ ask yourself what identity they seem to want to manage.

Photo: Which one, by BeViewed.

[Update: Corrected spelling errors, including someone’s name. I am the king of spelling errors today!]