Mr Laurie – Don’t do that

Ben Laurie has a nice little post up “More Banking Stupidity: Phished by Visa:”

Not content with destroying the world’s economies, the banking industry is also bent on ruining us individually, it seems. Take a look at Verified By Visa. Allegedly this protects cardholders – by training them to expect a process in which there’s absolutely no way to know whether you are being phished or not. Even more astonishing is that this is seen as a benefit!

Ben’s analysis seems pretty good, except for one thing: he doesn’t say anything about what to do. Right now, we can see that organizations are flailing around, trying to address the problem. While pointing out problems can be helpful, “you’re wrong” is a pet peeve of mine. (Well, Michael Howard’s really, but I’ve adopted it.)

So Mr Laurie, don’t do that. Don’t just say what not to do. Say what to do.

The security engineering community needs to come together and speak out on what the right design is. I’m going to ask Ben, Gunnar Peterson, Rich Mogull and Mike Dahn: what should we do? Can the four of you come to agreement on what to recommend?

(My recommendation, incidentally, stands from August 2005, in the essay “Preserving the Internet Channel Against Phishers.” Short version: bookmarks, although I need to add, empower people to use the bookmarks by giving them a list of pending actions from the login landing page.)

Photo: “The Matt Malone experience”

[Update: edited title. Thanks, @mortman. Update 2: Fixed Mike Dahn's URL; Firefox still not happy, I don't think I can fix the post URL.]

Metricon 4.0 Call for Papers

I suspect at least some EC readers will be interested in the Call for Papers for Metricon 4.0, to be held in Montreal, August 11.

Metricon 4 – The Importance of Context

MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards practical, specific approaches that demonstrate the value of security metrics with respect to a security-related goal. Topics and presentations will be selected for their potential to stimulate discussion in the workshop.

MetriCon 4.0 will be a one-day event, Tuesday, August 11, 2009, co-located with the 18th USENIX Security Symposium in Montreal, Quebec. It will begin first thing in the morning, with meals taken in the meeting room, and extend into the evening. Attendance will be by invitation and limited to 60 participants. All participants will be expected to “come with findings” and be willing to address the group in some fashion, formally or not. In keeping with the theme of The Importance of Context, preference will be given to the authors of position papers/presentations who have actual work in progress that demonstrates the value of security metrics with respect to a security-related goal.

Topics that demonstrate the importance of context include:

• Data and analyses emerging from ongoing metrics efforts
• Studies in specific subject matter areas
• Time and situation-dependent aspects of security metrics
• Long-term trend analysis and forecasts
• Measures of the depth and breadth of security defenses
• Metrics definitions that can be operationalized
• Incorporating unknown vulnerabilities into security metrics
• Security and risk modeling calibrations
• Security measures in system design
• Software assurance initiatives
• Security metrics relationship to security assessments

The program committee will also consider any innovative security metrics related work.

How to Participate

Submit a short position paper or description of work done or ongoing. Your submission must be brief — no longer than two pages including both text and graphical displays of quantitative information. Author names and affiliations should appear first in the submission. Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be submitted to metricon4@securitymetrics.org. These requests to participate are due no later than noon GMT, Monday, May 25, 2009 (a hard deadline). You should receive an email acknowledgment of your submission within a day or two of posting; take action if you do not.

The Program Committee will invite both attendees and presenters. Participants of either sort will be notified of acceptance quickly — by June 15, 2009. Presenters who want hardcopy materials to be distributed at the Workshop must provide originals of those materials to the Program Committee by July 27, 2009. All slides, position papers, and what-not will be made available to all participants at the Workshop. No formal academic proceedings are intended, but a digest of the meeting will be prepared and distributed to participants and the general public. (Digests for previous MetriCon meetings are on the past event pages mentioned above.) Plagiarism is dishonest, and the organizers of this Workshop will take appropriate action if dishonesty of this sort is found. Submission of recent, previously published work as well as simultaneous submissions to multiple venues is entirely acceptable, but only if you disclose this in your proposal.

Would I self-publish?

A few weeks back, Dave Birch asked me if I’d publish my next book myself. I don’t think I would. I’m really happy with Karen Gettman and Jessica Goldstein at Addison Wesley, and I’ve convinced my co-authors for my next book that we should have a discussion about publishers.

So why am I happy with them, and what can you learn from that?

First, let me scope this by saying the New School is what they call a “big idea” book. This is in contrast to a lot of books in technology, which are, well, technology specific. The New School is a tech book, but it’s not a tech book in the way that “Mastering Office 97” or “Teach Yourself Haskell in 28 Days” are tech books.

Books like that are usually on a hard schedule. You need to get them done as the software ships. No one wants a copy of “Mastering Office 97” anymore. If you get them done too soon, they don’t reflect the final program. Anyone writing such a book gets a lot more pressure than we did. (Jessica called me one day and said “you know, if you guys finally finish, we can release at RSA and your sales will be higher.”)

That advice “do this and your sales will be higher” is tremendously useful to any author not named “Rowling,” “King” or “Clancy.” However well an author may understand their audience, there are trends in publishing, and understanding those trends is far easier for a publisher who has people monitoring their sales and those of competitors.

When we were getting started, we wanted to write a book for executives, and call it “Security Decisions.” Several publishers rejected that proposal, because ‘executives don’t read,’ and if you look at Amazon SalesRank for a book on managing security that you like, you’ll see that that’s roughly borne out. (Yes, SalesRank is a bad indicator, but an easy one to use.) So we got effective market advice from our publisher.


The next thing authors get is financial support, either in the obvious form of an advance, or in that the publisher pays for printing, binding, warehousing and distribution in advance.

The final thing you get from a major publisher is channels, both domestic and international. I’ve seen the New School in Borders and Barnes and Noble. When there are trade events, my book tends to magically show up at the show bookstore, and I don’t have to do anything. Addison Wesley makes that happen without any effort from me. Cory Doctorow speaks out “In Praise of the Sales Force.”

Of course, for all of this, they extract a fee of about 80-90% of the sale price of the book. (See Mary Shaw and Tim O’Reilly for a breakdown.) That would make it hard to earn a living on the sales of technical books. If I were writing to earn a living, I might choose differently. Then again, I said “if I were writing,” not “if I were selling books for a living.”

As an aside, in “Why There’s no Tip Jar” Charlie Stross writes, “If I put a Paypal tipjar on this blog, to take conscience money from folks who’ve downloaded a (cough) unauthorized ebook or two, the money would come to me, not to the publisher. And without the publisher those books wouldn’t exist: wouldn’t have been commissioned, wouldn’t have been edited, wouldn’t have been corrected and marketed and sold in whatever form filtered onto the unauthorized ebook market.”


If you still want to self-publish, check out 6 Ways to Publish Your Own Book. Otherwise, any good publisher will have a set of resources up for authors. Pearson’s is here.

[Update: and they copyedit & proofread your words!]

Brad DeLong on the bailout

Brad DeLong has a FAQ up about Geithner’s plan to purchase toxic assets on the theory that the market has undervalued them, and will in time price them properly. Among the items:

Q: What if markets never recover, the assets are not fundamentally undervalued, and even when held to maturity the government doesn’t make back its money?
A: Then we have worse things to worry about than government losses on TARP-program money–for we are then in a world in which the only things that have value are bottled water, sewing needles, and ammunition.

This response reminded me of a conversation I had over a beer with a banking regulator back in August 2006 or thereabouts. He reported on an IM conversation he had had with a colleague whose expertise lay in the area which subsequently imploded. After jokingly asking “Time to buy gold, huh?”, there was a pregnant pause. Then came the response: “Buy ammunition”.
I ordered another beer.

Double-take Department, Madoff Division

The Daily Beast has a fascinating article that is a tell-all from a Madoff employee. I blinked as I read:

The employee learned the salaries of his colleagues when he secretly obtained a document listing them. “A senior computer programmer would make $350,000, where in most comparable firms they would be getting $200,000 to $250,000….”

Senior programmers getting a quarter-mil in “comparable firms”? Comparable in what way? Other multi-billion Ponzi schemes that stole from rich suckers and charities alike? Is this another thing to be angry at AIG for? (Cue rimshot.)

I know it’s a tell-all, but tell more, tell more. Another intriguing morsel can be found in:

The employee was part of a trading group, which was able to break a security code that he says led them to a site that was supposed to be seen only by the Madoff family. It showed the profits and losses of the legitimate businesses.

The group broke the code? The person broke the code? And do tell more. Perhaps the author, Lucinda Franks, has some more details for us. Or maybe she’s saving them for a second Pulitzer.

Identity is Mashed Up

I posted last month about Bob Blakely’s podcast with Phil Windley.

Now (by which I really mean last month, wow I’m running behind!) Bob posts that the “Relationship Paper Now Freely Available,” and I’m embarrassed to say I stole Bob’s opening sentence.

Now that I’ve actually read the paper, I’d like to remix the ideas with some web 2.0 Zero Knowledge Infomediation craziness and having thus altered it, send it back out, its identity changed.


One of the core ideas in the paper is that of intermediaries who will represent for you. These intermediaries, who Bob says have a ‘custodial relationship with your data,’ rather than a transactional one, will know lots about you, and gossip as you let them. It’s like letters of introduction or recommendation–you select who you think can represent you well, and if they have a relationship with the person you want to talk to, then things are great.

This is a useful model because a business can perform due diligence on a few of these infomediaries, rather than on each customer. I’m using the phrase infomediary, which some of you may remember from the book Net Worth. The idea was you’d have someone representing you to the net, who would help you get good deals. It was a very consumer-centric idea in some ways, advertising-centric in others.

The difference with the 1990s infomediary concept is that Bob has a great angle on why a business would want to engage with the infomediary, rather than engage in surveillance itself.

It’s a compelling vision, but I’m not sure I buy it as a complete view of identity. As a citizen, I don’t want to work with a single identity provider. The lock-in risk seems very high.


But worse, I don’t have one identity. My identity is created through a set of relationships: with family and friends, with employers, but also with colleagues who I’ve never worked with directly (like Mordaxus and Chris) and with former co-workers who aren’t exactly friends. For example, I had a great three hour lunch and walk around Rock Ridge with a fellow who I’d worked with at Zero-Knowledge, and seen maybe once since. I feel a little like Comic Book Guy, caught in a new situation, and forced to say “There’s no emoticon for what I’m feeling!”

Some of our business relationships lead to personal ones, of friendship or romance. The bright lines which once existed are gone. A business which tries to help us with all of these may end up creepy like Facebook. One which only sees one aspect of our lives may well get and give a one-dimensional view of us.

I’m thinking of two folks reading this. One is saying “what’s the point?” Another is identifying this as “Adam brain spew.” Which is another way of saying that this is all over the place.

And perhaps, in a world in which we present different selves at different times, that is exactly my response to Bob.

Happy Sunshine Week

March 15-21 is “Sunshine Week”, a government transparency initiative described by its main proponents as

a national initiative to open a dialogue about the importance of open government and freedom of information. Participants include print, broadcast and online news media, civic groups, libraries, non-profits, schools and others interested in the public’s right to know.

The arguments in favor of governmental transparency are numerous and well-known. On a purely pragmatic basis, it is harder to hide misdeeds, inefficiencies, and feather-bedding when anyone can ask you to show your work. Stated simply, quality evidence aids decision-making and reveals entrenched self-dealing, waste, and deception.

Information security folks, particularly New School adherents, should find much to like in this. I want to highlight once again the outstanding work of our friends at DataLossDB.org. In addition to operating what was formerly Attrition.org’s DataLoss database, they have become a central repository for the actual source documents — notification letters, reporting forms, etc. — pertaining to breaches. The majority of these documents have been obtained via — you guessed it — Freedom of Information requests.

By highlighting DataLossDB, I do not mean to slight the actions of others. Since I have been fairly active as a researcher in querying government entities, I know there is a small community of like-minded folks, with DataLossDB having several (and certainly the fastest RonR coders!).

The fact that relatively obscure people — all of whom have day jobs, as far as I know — can assemble an archive of this caliber is a testament to the leverage Freedom of Information laws give to citizens. And we know the information in these materials is valuable when made available broadly because state legislatures have seen the results and are looking to emulate the leaders.

So, with Spring on its way — at least at my latitude — here’s to more sunshine.

Joseph Ratzinger and Information Security

Joseph Ratzinger (a/k/a Benedict XVI) recently made some comments that got some press. In particular, as Reuters reports: “Pope in Africa reaffirms ‘no condoms’ against AIDS.” Quoting the story, “The Church teaches that fidelity within heterosexual marriage, chastity and abstinence are the best ways to stop AIDS.”

Many of you are likely outraged, saying “sure, if only people would do that, then we wouldn’t need condoms. But people don’t behave that way.”

I’d like to explain what this has to do with information security. Some of you may be saying “sure, but we’re not that bad.”

In information security, we often keep saying the same thing over and over again, because we know it’s right. We tell people to never write down their passwords, to always validate their input, and to run IDS systems. Deep in our hearts, we know they don’t, and yet we keep saying those things. We tell them they “have to” fix all the security problems all the time.

It’s my hope that we in information security will be less religious than the Pope, but there’s plenty of evidence that, like him, we offer advice that makes people shake their heads in disgust.


Wherever you work, whatever you do, it’s worth asking yourself: am I being dogmatic in what I’m asking of people?

Me, I’m being dogmatic about asking you all to keep it civil in the comments.