Mr Laurie – Don’t do that

Ben Laurie has a nice little post up “More Banking Stupidity: Phished by Visa:”

Not content with destroying the world’s economies, the banking industry is also bent on ruining us individually, it seems. Take a look at Verified By Visa. Allegedly this protects cardholders – by training them to expect a process in which there’s absolutely no way to know whether you are being phished or not. Even more astonishing is that this is seen as a benefit!

Ben’s analysis seems pretty good, except for one thing–he doesn’t say anything about what to do. Right now, we can see that organizations are flailing around, trying to address the problem. While pointing out problems can be helpful, a bare “you’re wrong” is a pet peeve of mine. (Well, Michael Howard’s really, but I’ve adopted it.)

So Mr Laurie, don’t do that. Don’t just say what not to do. Say what to do.

The security engineering community needs to come together and speak out on what the right design is. I’m going to ask Ben, Gunnar Peterson, Rich Mogull and Mike Dahn to ask what should we do? Can the four of you come to agreement on what to recommend?

(My recommendation, incidentally, stands from August 2005, in the essay “Preserving the Internet Channel Against Phishers.” Short version: bookmarks, although I need to add, empower people to use the bookmarks by giving them a list of pending actions from the login landing page.)

Photo: “The Matt Malone experience”

[Update: edited title. Thanks, @mortman. Update 2: Fixed Mike Dahn’s URL; Firefox still not happy, I don’t think I can fix the post URL.]

Metricon 4.0 Call for Papers

I suspect at least some EC readers will be interested in the Call for Papers for Metricon 4.0, to be held in Montreal, August 11.

Metricon 4 – The Importance of Context

MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards practical, specific approaches that demonstrate the value of security metrics with respect to a security-related goal. Topics and presentations will be selected for their potential to stimulate discussion in the workshop.

MetriCon 4.0 will be a one-day event, Tuesday, August 11, 2009, co-located with the 18th USENIX Security Symposium in Montreal, Quebec, beginning first thing in the morning, with meals taken in the meeting room, and extending into the evening. Attendance will be by invitation and limited to 60 participants. All participants will be expected to “come with findings” and be willing to address the group in some fashion, formally or not. In keeping with the theme of The Importance of Context, preference will be given to the authors of position papers/presentations who have actual work in progress that demonstrates the value of security metrics with respect to a security-related goal.

Topics that demonstrate the importance of context include:

• Data and analyses emerging from ongoing metrics efforts
• Studies in specific subject matter areas
• Time and situation-dependent aspects of security metrics
• Long-term trend analysis and forecasts
• Measures of the depth and breadth of security defenses
• Metrics definitions that can be operationalized
• Incorporating unknown vulnerabilities into security metrics
• Security and risk modeling calibrations
• Security measures in system design
• Software assurance initiatives
• Security metrics relationship to security assessments

The program committee will also consider any innovative security metrics related work.

How to Participate

Submit a short position paper or description of work done or ongoing. Your submission must be brief — no longer than two pages including both text and graphical displays of quantitative information. Author names and affiliations should appear first in the submission. Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be submitted to These requests to participate are due no later than noon GMT, Monday, May 25, 2009 (a hard deadline). You should receive an email acknowledgment of your submission within a day or two of posting; take action if you do not.

The Program Committee will invite both attendees and presenters. Participants of either sort will be notified of acceptance quickly — by June 15, 2009. Presenters who want hardcopy materials to be distributed at the Workshop must provide originals of those materials to the Program Committee by July 27, 2009. All slides, position papers, and what-not will be made available to all participants at the Workshop. No formal academic proceedings are intended, but a digest of the meeting will be prepared and distributed to participants and the general public. (Digests for previous MetriCon meetings are on the past event pages mentioned above.) Plagiarism is dishonest, and the organizers of this Workshop will take appropriate action if dishonesty of this sort is found. Submission of recent, previously published work as well as simultaneous submissions to multiple venues is entirely acceptable, but only if you disclose this in your

Would I self-publish?

A few weeks back, Dave Birch asked me if I’d publish my next book myself. I don’t think I would. I’m really happy with Karen Gettman and Jessica Goldstein at Addison Wesley, and I’ve convinced my co-authors for my next book that we should have a discussion about publishers.

So why am I happy with them, and what can you learn from that?

First, let me scope this by saying the New School is what they call a “big idea” book. This is in contrast to a lot of books in technology, which are, well, technology specific. The New School is a tech book, but it’s not a tech book in the way that “Mastering Office 97” or “Teach Yourself Haskell in 28 Days” are tech books.

Books like that are usually on a hard schedule. You need to get them done as the software ships. No one wants a copy of “Mastering Office 97” anymore. If you get them done too soon, they don’t reflect the final program. Anyone writing such a book gets a lot more pressure than we did. (Jessica called me one day and said “you know, if you guys finally finish, we can release at RSA and your sales will be higher.”)

That advice “do this and your sales will be higher” is tremendously useful to any author not named “Rowling,” “King” or “Clancy.” However well an author may understand their audience, there are trends in publishing, and understanding those trends is far easier for a publisher who has people monitoring their sales and those of competitors.

When we were getting started, we wanted to write a book for executives, and call it “Security Decisions.” Several publishers rejected that proposal, because ‘executives don’t read,’ and if you look at Amazon SalesRank for a book on managing security that you like, you’ll see that that’s roughly borne out. (Yes, SalesRank is a bad indicator, but an easy one to use.) So we got effective market advice from our publisher.

The next thing authors get is financial support, either in the obvious form of an advance, or in that the publisher pays for printing, binding, warehousing and distribution in advance.

The final thing you get from a major publisher is channels, both domestic and international. I’ve seen the New School in Borders and Barnes and Noble. When there are trade events, my book tends to magically show up at the show bookstore, and I don’t have to do anything. Addison Wesley makes that happen without any effort from me. Cory Doctorow speaks out “In Praise of the Sales Force.”

Of course, for all of this, they extract a fee of about 80-90% of the sale price of the book. (See Mary Shaw and Tim O’Reilly for a breakdown.) That would make it hard to earn a living on the sales of technical books. If I were writing to earn a living, I might choose differently. Then again, I said “if I were writing,” not “if I were selling books for a living.”

As an aside, in “Why There’s no Tip Jar” Charlie Stross writes, “If I put a Paypal tipjar on this blog, to take conscience money from folks who’ve downloaded a (cough) unauthorized ebook or two, the money would come to me, not to the publisher. And without the publisher those books wouldn’t exist: wouldn’t have been commissioned, wouldn’t have been edited, wouldn’t have been corrected and marketed and sold in whatever form filtered onto the unauthorized ebook market.”

If you still want to self-publish, check out 6 Ways to Publish Your Own Book. Otherwise, any good publisher will have a set of resources up for authors. Pearson’s is here.

[Update: and they copyedit & proofread your words!]

Brad DeLong on the bailout

Brad DeLong has a FAQ up about Geithner’s plan to purchase toxic assets on the theory that the market has undervalued them, and will in time price them properly. Among the items:

Q: What if markets never recover, the assets are not fundamentally undervalued, and even when held to maturity the government doesn’t make back its money?
A: Then we have worse things to worry about than government losses on TARP-program money–for we are then in a world in which the only things that have value are bottled water, sewing needles, and ammunition.

This response reminded me of a conversation I had over a beer with a banking regulator back in August 2006 or thereabouts. He reported on an IM conversation he had had with a colleague whose expertise lay in the area which subsequently imploded. After jokingly asking “Time to buy gold, huh?”, there was a pregnant pause. Then came the response: “Buy ammunition”.
I ordered another beer.

Double-take Department, Madoff Division

The Daily Beast has a fascinating article that is a tell-all from a Madoff employee. I blinked as I read:

The employee learned the salaries of his colleagues when he secretly obtained a document listing them. “A senior computer programmer would make $350,000, where in most comparable firms they would be getting $200,000 to $250,000….”

Senior programmers getting a quarter-mil in “comparable firms”? Comparable in what way? Other multi-billion Ponzi schemes that stole from rich suckers and charities alike? Is this another thing to be angry at AIG for? (Cue rimshot.)

I know it’s a tell-all, but tell more, tell more. Another intriguing morsel can be found in:

The employee was part of a trading group, which was able to break a security code that he says led them to a site that was supposed to be seen only by the Madoff family. It showed the profits and losses of the legitimate businesses.

The group broke the code? The person broke the code? And do tell more. Perhaps the author, Lucinda Franks, has some more details for us. Or maybe she’s saving them for a second Pulitzer.

Identity is Mashed Up

I posted last month about Bob Blakely’s podcast with Phil Windley.

Now (by which I really mean last month, wow I’m running behind!) Bob posts that the “Relationship Paper Now Freely Available,” and I’m embarrassed to say I stole Bob’s opening sentence.

Now that I’ve actually read the paper, I’d like to remix the ideas with some web 2.0 Zero Knowledge Infomediation craziness and having thus altered it, send it back out, its identity changed.

One of the core ideas in the paper is that of intermediaries who will represent for you. These intermediaries, who Bob says have a ‘custodial relationship with your data,’ rather than a transactional one, will know lots about you, and gossip as you let them. It’s like letters of introduction or recommendation–you select who you think can represent you well, and if they have a relationship with the person you want to talk to, then things are great.

This is a useful model because a business can perform due diligence on a few of these infomediaries, rather than on each customer. I’m using the phrase infomediary, which some of you may remember from the book Net Worth. The idea was you’d have someone representing you to the net, who would help you get good deals. It was a very consumer-centric idea in some ways, advertising-centric in others.

The difference with the 1990s infomediary concept is that Bob has a great angle on why a business would want to engage with the infomediary, rather than engage in surveillance itself.

It’s a compelling vision, but I’m not sure I buy it as a complete view of identity. As a citizen, I don’t want to work with a single identity provider. The lock in risk seems very high.

But worse, I don’t have one identity. My identity is created through a set of relationships: with family and friends, with employers, but also with colleagues who I’ve never worked with directly (like Mordaxus and Chris) and with former co-workers who aren’t exactly friends. For example, I had a great three hour lunch and walk around Rock Ridge with a fellow who I’d worked with at Zero-Knowledge, and seen maybe once since. I feel a little like Comic Book Guy, caught in a new situation, and forced to say “There’s no emoticon for what I’m feeling!”

Some of our business relationships lead to personal ones, of friendship or romance. The bright lines which once existed are gone. A business which tries to help us with all of these may end up creepy like Facebook. One which only sees one aspect of our lives may well get and give a one dimensional view of us.

I’m thinking of two folks reading this. One is saying “what’s the point?” Another is identifying this as “Adam brain spew.” Which is another way of saying that this is all over the place.

And perhaps, in a world in which we present different selves at different times, that is exactly my response to Bob.

Happy Sunshine Week

March 15-21 is “Sunshine Week“, a government transparency initiative described by its main proponents as

a national initiative to open a dialogue about the importance of open government and freedom of information. Participants include print, broadcast and online news media, civic groups, libraries, non-profits, schools and others interested in the public’s right to know.

The arguments in favor of governmental transparency are numerous and well-known. On a purely pragmatic basis, it is harder to hide misdeeds, inefficiencies, and feather-bedding when anyone can ask you to show your work. Stated simply, quality evidence aids decision-making and reveals entrenched self-dealing, waste, and deception.
Information security folks, particularly New School adherents, should find much to like in this. I want to highlight once again the outstanding work of our friends at In addition to operating what was formerly’s DataLoss database, they have become a central repository for the actual source documents — notification letters, reporting forms, etc. — pertaining to breaches. The majority of these documents have been obtained via — you guessed it — Freedom of Information requests.
By highlighting DataLossDB, I do not mean to slight the actions of others. Since I have been fairly active as a researcher in querying government entities, I know there is a small community of like-minded folks, with DataLossDB having several (and certainly the fastest RonR coders!).
The fact that relatively obscure people — all of whom have day jobs, as far as I know — can assemble an archive of this caliber is a testament to the leverage Freedom of Information laws give to citizens. And we know the information in these materials is valuable when made available broadly because state legislatures have seen the results and are looking to emulate the leaders.
So, with Spring on its way — at least at my latitude — here’s to more sunshine.

Joseph Ratzinger and Information Security

Joseph Ratzinger (a/k/a Benedict XVI) recently made some comments that got some press. In particular, as Reuters reports: “Pope in Africa reaffirms ‘no condoms’ against AIDS.” Quoting the story, “The Church teaches that fidelity within heterosexual marriage, chastity and abstinence are the best ways to stop AIDS.”

Many of you are likely outraged. Saying, “sure, if only people would do that, then we wouldn’t need condoms. But people don’t behave that way.”

I’d like to explain what this has to do with information security. Some of you may be saying “sure, but we’re not that bad.”

In information security, we often keep saying the same thing over and over again, because we know it’s right. We tell people to never write down their passwords, to always validate their input, and to run IDS systems. Deep in our hearts, we know they don’t, and yet we keep saying those things. We tell them they “have to” fix all the security problems all the time.

It’s my hope that we in information security will be less religious than the Pope, but there’s plenty of evidence that, like him, we offer advice that makes people shake their heads in disgust.

Wherever you work, whatever you do, it’s worth asking yourself: am I being dogmatic in what I’m asking of people?

Me, I’m being dogmatic about asking you all to keep it civil in the comments.

“No Evidence” and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:”

Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those three-digit codes on the back of cards, Wikileaks told donors in an email.


We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

I wanted to bring this up, not to laugh at Coleman (that’s Franken’s job, after all), but because we frequently see assertions that “there’s no evidence that…”

As anyone trained in any science knows, absence of evidence is not evidence of absence. At the same time, sometimes there really is sufficient evidence, properly protected, that allows that claim to be made. We need public, documented and debated standards of how such decisions should be made. With such standards, organizations could better make decisions about risk. Additionally, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.

Twitter + Cats = Awesome

My smart friend James Thomson of TLA Systems has created a new benchmark in iPhone applications, Twitkitteh. Not only is it the first Twitter client for cats, but it might also be the first iPhone app for cats, as well.

I’ve always accused my cats of playing the stereo when I’m not there, and it would be good to know what they’re listening to. It would also be good to have, in V1.1, hairball alerts, bird-outside-the-window alerts, or “there are squirrels on the fence.”

It’s one of the better 99¢ applications, and better dinner-table conversation than many others.

Understanding Users

Paul Graham has a great article in “Startups in 13 Sentences:”

Having gotten it down to 13 sentences, I asked myself which I’d choose if I could only keep one.

Understand your users. That’s the key. The essential task in a startup is to create wealth; the dimension of wealth you have most control over is how much you improve users’ lives; and the hardest part of that is knowing what to make for them. Once you know what to make, it’s mere effort to make it, and most decent hackers are capable of that.

Then in “Geeks and Anti-Geeks,” Adam Barr writes:

You notice this if you listen to the chatter before a meeting. Half the time people are talking about World of Warcraft; those are the geeks. The other half they are talking about pinot noir; those are the anti-geeks. In either case, the group then proceeds to discuss a pattern-based approach to refactoring your C# class design in order to increase cohesion and leverage mock objects to achieve high code coverage while minimizing your unit test execution time.

The reason this matters is because Microsoft has recently been pushing engineers to realize that they are not the customer, the customers are not geeks, and therefore engineers can’t design properly for our customers. What I think happens, however, is that the anti-geeks hear this and think, “They’re not talking about me; I know that those beer-swilling geeks don’t understand the customer, but I’m a cultured sort, not a geek–I’m just like our customers!” And so they go out and design software for themselves…and of course they mess it up…because our customers may not spend their spare time playing Dungeons & Dragons, but neither do they spend it tramping across the Burgess Shale.

So I don’t disagree with Mr. Barr, but I do want to expand a little. The fundamental job of the program manager is to understand the market, come up with a solution that will delight the customer, sell that vision to the team, create and drive the product to shipping to those customers. The market only matters in understanding if a product is worth building, and in helping to shape our understanding of the customer by understanding their economic context.

I don’t think I’m anything like most of my customers. Those customers are first and foremost, 35,000 or so software engineers inside of Microsoft, second, security experts helping them or reviewing their work, and third, software engineers at other vendors who build on our platform. I’m most like the second set, but they’re a distant second, and (as several of them will tell you) I have a tendency to reject their first attempt at getting a feature out of hand, because our previous tools were so expert-centric.

More importantly, I don’t need to be like our customers to delight them. I am nothing like a professional chef, but I am frequently delighted by them. What I need to do is actively listen to those customers, and fairly and effectively advocate for their attitudes and words to my team.

As I was working on this Joel Spolsky posted “How to be a program manager,” which covers some similar ideas.

All atwitter

In re-reading my blog post on twittering during a conference I realized it sounded a lot more negative than I’d meant it to.

I’d like to talk about why I see it as a tremendous positive, and will be doing it again.

First, it engages the audience. There’s a motive to pay close attention and share what you hear. They’re using their laptops for good, not evil.

Second, it multiplies the attention to the talk. The talk was standing room only, but the room held fewer than 100 people. The people who tweeted had 5,300 followers. Now, that’s total followers, not unique (does anyone have an easy way to calculate that?). It’s also unlikely that many of them were reading Twitter or read backscroll, but it seems like an ok guess to say that 200-500 people saw some mention of the talk on Twitter.

Third, it promotes the audience from passive to engaged (although that wasn’t a problem for my audience, I’ve seen it in other talks). They’re no longer just listeners, they’re interpreting, quoting, and generating additional content as we engaged around the ideas in the talk.

What chaotically emerged is larger than my talk. It’s a conversation.

What you talkin’ ’bout?

What you talking about, Willis?

The 110-story Sears Tower, tallest office building in the Western Hemisphere, will be renamed the Willis Tower, global insurance broker Willis Group Holdings said on Thursday.
Willis said it was leasing multiple floors in the 1,451-foot (442-meter) structure in downtown Chicago to consolidate offices. As part of the deal, it will become the Willis Tower this summer when the move takes place, the company said.