“No Evidence” and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:”

Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those three-digit codes on the back of cards, Wikileaks told donors in an email.

and

We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

I wanted to bring this up, not to laugh at Coleman (that’s Franken’s job, after all), but because we frequently see assertions that “there’s no evidence that…”

As anyone trained in any science knows, absence of evidence is not evidence of absence. At the same time, sometimes there really is sufficient evidence, properly protected, that allows that claim to be made. We need public, documented and debated standards of how such decisions should be made. With such standards, organizations could better make decisions about risk. Additionaly, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.

Twitter + Cats = Awesome

TwitkittehMy smart friend James Thomson of TLA Systems has created a new benchmark in iPhone applications, Twitkitteh. Not only is it the first Twitter client for cats, but it might also be the first iPhone app for cats, as well.

I’ve always accused my cats of playing the stereo when I’m not there, and it would be good to know what they’re listening to. It would also be good to have in V1.1 hairball alerts, bird-outside-the-window, or there are squirrels on the fence.

It’s one of the better 99¢ applications, and better dinner-table conversation than many others.

Understanding Users

Paul Graham has a great article in “Startups in 13 Sentences:”

Having gotten it down to 13 sentences, I asked myself which I’d choose if I could only keep one.

Understand your users. That’s the key. The essential task in a startup is to create wealth; the dimension of wealth you have most control over is how much you improve users’ lives; and the hardest part of that is knowing what to make for them. Once you know what to make, it’s mere effort to make it, and most decent hackers are capable of that.

Then in “Geeks and Anti-Geeks,” Adam Barr writes:

You notice this if you listen to the chatter before a meeting. Half the time people are talking about World of Warcraft; those are the geeks. The other half they are talking about pinot noir; those are the anti-geeks. In either case, the group then proceeds to discuss a pattern-based approach to refactoring your C# class design in order to increase cohesion and leverage mock objects to achieve high code coverage while minimizing your unit test execution time.

The reason this matters is because Microsoft has recently been pushing engineers to realize that they are not the customer, the customers are not geeks, and therefore engineers can’t design properly for our customers. What I think happens, however, is that the anti-geeks hear this and think, “They’re not talking about me; I know that those beer-swilling geeks don’t understand the customer, but I’m a cultured sort, not a geek–I’m just like our customers!” And so they go out and design software for themselves…and of course they mess it up…because our customers may not spend their spare time playing Dungeons & Dragons, but neither do they spend it tramping across the Burgess Shale.

So I don’t disagree with Mr. Barr, but I do want to expand a little. The fundamental job of the program manager is to understand the market, come up with a solution that will delight the customer, sell that vision to the team, create and drive the product to shipping to those customers. The market only matters in understanding if a product is worth building, and in helping to shape our understanding of the customer by understanding their economic context.

I don’t think I’m anything like most of my customers. Those customers are first and foremost, 35,000 or so software engineers inside of Microsoft, second, security experts helping them or reviewing their work, and third, software engineers at other vendors who build on our platform. I’m most like the second set, but they’re a distant second, and (as several of them will tell you) I have a tendency to reject their first attempt at getting a feature out of hand, because our previous tools were so expert-centric.

More importantly, I don’t need to be like our customers to delight them. I am nothing like a professional chef, but I am frequently delighted by them. What I need to do is actively listen to those customers, and fairly and effectively advocate for their attitudes and words to my team.

As I was working on this Joel Spolsky posted “How to be a program manager,” which covers some similar ideas.

All atwitter

In re-reading my blog post on twittering during a conference I realized it sounded a lot more negative than I’d meant it to.

I’d like to talk about why I see it as a tremendous positive, and will be doing it again.

First, it engages the audience. There’s a motive to pay close attention and share what you hear. They’re using their laptops for good, not evil.

Second, it multiplies the attention to the talk. The talk was standing room only, but the room held fewer than 100 people. The people who tweeted had 5,300 followers. Now, that’s total followers, not unique (does anyone have an easy way to calculate that?) It’s also unlikely that many of them were reading Twitter or read backscroll, but it seems like an ok guess to say that 200-500 people saw some mention of the talk on Twitter.

Third, it promotes the audience from passive to engaged (although that wasn’t a problem for my audience, I’ve seen it in other talks). They’re no longer just listeners, they’re interpreting, quoting, and generating additional content as we engaged around the ideas in the talk.

What chaotically emerged is larger than my talk. It’s a conversation.

What you talkin’ ’bout?

What you talking about, Willis?

The 110-story Sears Tower, tallest office building in the Western Hemisphere, will be renamed the Willis Tower, global insurance broker Willis Group Holdings said on Thursday.
Willis said it was leasing multiple floors in the 1,451-foot (442-meter) structure in downtown Chicago to consolidate offices. As part of the deal, it will become the Willis Tower this summer when the move takes place, the company said.

Reuters

Tweet, tweet

A few weeks back, Pistachio twittered about How to Present While People are Twittering. I picked it up, and with the help of Quine, was getting comments from Twitter as I spoke. It was a fun experiment, and it’s pretty cool to be able to go back and look at the back channel.

[Update: I think there was more positive than I really touched on, and have written a new post all atwitter about why it was useful and why I’ll do it again.]

I don’t think that it was hugely successful for this talk for two reasons. First, my talk, “The Crisis In Information Security” is a ‘big idea’ talk, based on my book “The New School of Information Security,” written with Andrew Stewart.
A big idea talk has to cover a lot of ground quickly, rather than dwell on a lot of specifics–you can see some of that feedback, Rich Mogull comments on “I said some of that a year ago,” and B.K. Delong says “can we have more details?” The other reason it didn’t work is because there was a lot of in-room interaction. Questions came out during the talk rather than being tweeted.


Still, it was pretty cool, and I’ll definitely try it again.

So, here are the #sourceadam comments in chronological order. My comments are in italic.

stormtrooperguy: All tweets from the current panel @sourceboston will be tagged with #sourceadam so that they can reference it later.

leune: getting ready for #sourceadam

quine: Actually, #SOURCEAdam or #AdamSOURCE.

bkdelong: At Adam Shostack’s talk #sourceadam

securitytwits: RT @quine — if you’re in @adamshostack’s presentation at #SOURCEBoston, please use #adamsource OR #sourceadam for feedback/questions.

quine: Admittedly, I am a buffoon. I chose “#adamsource”, then announced “#sourceadam” — hence the use of both ;)

Beaker: I believe I just saw a nerd version of Sysyphus — better than a LOLcat #sourceadam #sourceboston

Yes: http://flickr.com/photos/signifying/2073074572/


Beaker: Who was the last idiot infected with Blaster? We just saw the last guy who had Smallpox…. #sourceadam #sourceboston


mortman: @Beaker Well lolcats are beneath Adam #sourceadam #sourceboston

mortman: Milliken Oildrop Experiment lead to powerpoint. #sourceadam #sourceboston

mortman: @alexsotirov @k8em0 has an apple and the rest of us don’t. #sourceadam #sourceboston

k8em0: @alexsotirov we lack cred in infosec because we lack data #sourceboston #sourceadam

hackertweets: k8em0: @alexsotirov we lack cred in infosec because we lack data #sourceboston #sourceadam


k8em0: @mortman @alexsotirov it’s a pear. Observation is not the best way to gather data.#sourceboston #sourceadam

mortman: @k8em0 @alexsotirov Proof that independent confirmation is a necessary part of the scientific method. #sourceboston #sourceadam

bkdelong: @k8em0 At least not VISUAL observation #sourceadam #sourceboston

mortman: #sourceadam #sourceboston Re: learning from experience. Is that another way of saying “the plural of anecdote is not data”?

stormtrooperguy: @sourceboston : the #sourceadam panel is packed, standing room only.

Beaker: Adam, you have a lot of “questions.” You have any answers? #sourceadam

I think I do. If not, you have a refund coming. (Hoff bought the book on his Kindle as we were setting up. I promised him a refund if he doesn’t like it.)

bkdelong: So @adamshostack what data is being collected that is good? What do we NEED to be collecting? #sourceadam #sourceboston

bkdelong: Specifically what KPIs and what metrics / risk calculations can we be doing to help us make the case to management #sourceadam @sourceboston
What does your management care about? You’re going to need rich sets of data to find the comparatives you need
mortman: #sourceadam #sourceboston RE: What is the biggest pain point? We talk about professional hackers, users, random loss, why not vendors?

mortman: #sourceadam #sourceboston Why not more blame for the folks who produce crap?

k8em0: it’s hard to categorize what causes security customer pain (hax0rs, kiddiez, RBN, nation-states) #sourceboston #sourceadam

rybolov: #sourceadam can you use the phrase “self-licking ice cream cone” jus for me? k thnx.

Self licking ice cream cone
hallam: @SOURCEAdam have you heard of the GENI initiative, any thoughts?

mortman: @hallam geni.net? or something else #sourceadam #sourceboston

hallam: geni.net

I haven’t, thanks! Checking it out now.

bkdelong: The @datalossdb does not cover all breaches and too many reporters cite it as true total # of breaches – bad. Needs correction #sourceadam

BK: True, but as the Beatles said, it’s getting better all the time.

k8em0: #sourceboston #sourceadam Hype is too big for your breaches – they don’t cause all customers to flee & you to go bankrupt.

mortman: #sourceboston #sourceadam Mmmmm tylenol.

bkdelong: Tylenol Recall #sourceboston #sourceadam (expand)

bkdelong: The @datalossdb certainly best out there but there are lots of unreported/non-FOIA’d breaches not in there. Still a lot more. #sourceadam

bkdelong: More on Black Swan theory – http://tinyurl.com/2ngwkw (expand) (Yes, wikipedia for ease sake) #sourceadam #sourceboston

I was pretty dismissive of “Black Swan” hype. I stand by that, and don’t think we should allow fear of a black swan out there somewhere to prevent us from studying white ones and generalizing about what we can see.

rmogull: @bkdelong #sourceadam #sourceboston I wrote an article on that over a year ago (Tylenol/disclosure): http://bit.ly/Q5Ko8 (expand)
Great stuff, Rich!

mortman: #sourceboston #sourceadam Check out “research revealed” tracke at RSA.

k8em0: #sourceboston #sourceadam wallow in the data, follow @datalossdb for example.

bsmithsweeney: #sourceadam reminded of “The Quixotic Quest for Invulnerability” http://tinyurl.com/5equfo (expand), on protection vs. recovery #sourceboston

k8em0: #sourceboston #sourceadam you point out methodological flaws w/the passwords4chocolate experiment. 45% of women likely lied 4 choc.

It would be fun to find out how many lied, and how many didn’t care. I suspect we’d be depressed, but the truth is supposed to set you free, not make you happy.

bsmithsweeney: Really enjoyed #sourceadam talk @sourceboston. Definitely worth grabbing the slides/video.

Thanks bsmithsweeney, and thank you to everyone who participated in the talk and the backchannel!

What Was Wrong With the Old FISA?

The Get FISA Right group is publicizing our need to re-think the laws. They have discussion going on on their site, as well as on The Daily Kos. I recommend catching up there, or reading Adam’s recent post here.

I have to ask what was wrong with the old FISA? It wasn’t a bad system, had a lot tradeoffs as well as emergency provisions. The government could, for example, get a warrant after the fact in an emergency.

But the old FISA was very Cold War. It was also very much adapted to the previous century’s technology in which wired technologies were static and protected and wireless or mobile technologies were highly regulated.

So let’s look at some of the things that are indeed worth changing.

  • I think it is important to note upfront that getting a warrant trumps all this discussion. We are talking about Fourth Amendment considerations, and that means what can be done without a warrant. But it also concerns a certain amount of how the government can operate when it has one, when they’re operating completely above board.
  • In the past, FISA was overly concerned with devices rather than persons. Changing it so that it affects persons is a good idea. If there is permission to spy on a person, then it should be to spy on the person. Making it the person and device is awfully restrictive, especially when it’s hard to know what counts. Rather than debate about what happens when DHCP gives you a new address, it’s better to just make things apply to persons. That probably makes the law adapt better to changing technology.

    I would not want end up having interesting new technologies like femtocells end up in some odd legal limbo because of some peculiarity of the technology. It’s better for us all to just agree that when it is okay to spy on a person, it’s that person.

  • In the past, FISA worried a lot about about where the pipes were. It also seems reasonable to have that abstracted away. This goes along with focusing on the persons. A phone call between non-US persons does not suddenly become a US thing just because some glass runs across the US.

    Now, this has consequences. I wouldn’t blame non-US telecom companies to proudly avoid the US as a result of that. It’s from the viewpoint of a civil libertarian who is trying to make sense out of the rules of spying that I think that.

    It is also the converse of thinking that when I am in another country, they’ll spy on me or not according to their rules, not mine.

  • The flip side of this is that US persons are protected everywhere. It seems fair that if we’re going to tune the law to make it easier to spy on non-US persons no matter where they are, the US persons should get full protection. This strikes me as being the way that things ought to be. My government shouldn’t spy on me (without a warrant) just because I’m traveling outside the country. This may be as things ought to be, but it used to be at least de facto that if you were outside the country, your calls would be monitored.
  • It is a point of our common law that non-US persons are subject to US law when they are in the US. If a foreigner is arrested in the US, they get a jury trial, for example. In this particular case, however, non-US persons in the US should have some extra measure of protection, the question is what.

I can go on, particularly about the new features of the new FISA. However, that strays away from this discussion. What didn’t work well in the old one.

Would Anne Fadiman buy a Kindle?

Anne Fadiman

If you like books, if you like to read, you need a copy of Anne Fadiman’s “Ex Libris: Confessions of a Common Reader.” You especially need to read it if you care an iota about identity management, because the major themes in her essays are not only about books, but about identity. (In case you’re wondering, yes, she’s the daughter of Clifton and Annalee.)

The first major theme is about mixing books in a relationship. She opens Ex Libris with:

A few months ago, my husband and I decided to mix our books together. We had known each other for ten years, lived together for six, been married for five….

Sharing a bed and future was child’s play compared to sharing my copy of The Complete Poems of W. B. Yeats, from which I had once read “Under Ben Bulben” aloud while standing at Yeats’s grace in Drumcliff churchyard, or George’s copy of T. S. Eliot’s Selected Poems, given to him in the ninth grade by his best friend, Rob Farnsworth, who inscribed it “Best Wishes from Gerry Cheevers….”

George is a lumper. I am a splitter. His books commingled democratically, united under the all-inclusive flag of Literature…. Mine were balkanized by nationality and subject matter….

If you are charmed, you must by this book. I’ve omitted some of the funniest lines. If you doubt me, check Amazon as these pages are included in their peek inside.

The other important theme in her book is the difference between people who think that books are objects and people who think that books are information. People who think that books are objects shudder at the thought of writing in them, dogearing page corners, etc. I’m sure you can guess where George and Anne lie.

I am especially amused by this because I, too, have had the problem of co-mingling libraries. I’ve been divorced, and dividing the library was a horror. The horror; nothing else was that hard. It was such a horror that I flipped from being someone who views books as objects to one who views them as information.

Books can be replaced. Really. I’ve done it. The archaeologists of future civilizations will not sigh in a lament because they’re missing the one issue of National Geographic or Cook’s Illustrated that you threw out. Truly. Trust me on that.

My last spouse, however, is someone who firmly believes that books are objects. I understand some of this. She collects antique children’s books. I have a first edition of The Hunting of the Snark (a possession that I can blame Ms. Fadiman’s father for, with Martin Gardner as an accessory before, during, and after the fact). Yet that admission also proves that I’m not that sort of person. My present condition of loving information rather than objects is some sort of Laingian adaptation, I suppose. I understand books just the way that Thomas Mendip understands names.

She lusts after a Kindle. Not Ms. Fadiman, my spouse. It’s something I find amusing, because I’m inclined to get her one because the savings in floor space alone amortizes its value out in the first month. In California, floor space is a valuable asset if you’re a bibliophile. She is someone who screams, “Nooooooooooo!” if I suggest that we get rid of a crap novel we agree is crap and yet she is willing to convert from paper you own to bits on loan. Even if our house is Alexandria, future generations would thank their ancestors for the culling if they only knew, of course, which they couldn’t. Nonetheless, she desires a Kindle.

Worse, a friend brought one into work today, and I’d like one, too. I’ve downloaded the Kindle app to my iPod. The problem that remains is the problem I complained about in Identity Manglement last fall. What account should we buy the books under?

An elegant part of the Kindle is that if you have more than one, they sync their books, and even the bookmarks. If you have the iPod app, that syncs, too. It’s brilliant.

I have friends who are already a multi-Kindle household. The system works well, but you can’t have two accounts pointing to one Kindle if you want to share books. There are ways, I am told, to work around this limitation, but I don’t want to work around it. I don’t want to soak the books in a digital solvent that removes the stickiness. I just want to be able to read a book she bought, as if it were a — you know, book.

When it came to music, I had the foresight to create an account that we collectively buy music with. Emusic and iTunes both under the one identity. The community property we own can distribute itself over our laptops and iPods.

But we’ve been buying books from Amazon for ages, each of us. There’s no real problem with taking that email address and giving it the Kindles, but I don’t want to. I want Amazon to understand that there are households where after a lot of thought, after years of agonizing, the books have been merged. They should do that for Kindles, too.

It’s easy enough to do. Please do it. I wonder what Anne Fadiman would do.

What Should FISA Look Like?

wiretap america.jpg
Jim Burrows is working to kick off a conversation about what good reform of US telecom law would be. He kicks it off with “What does it mean to “get FISA right”?” and also here.

To “get it right”, let me suggest that we need:

  1. One law that covers all spying
  2. Require warrants when the US spies on
    1. Anyone in the US
    2. US persons (citizens and resident aliens) anywhere
  3. Allow the intelligence agencies to spy freely on foreigners oversees, even if the taps are in the US
  4. Require Executive, Judicial and Congressional oversight when protected and unprotected communications are entangled.
  5. Criminalize violation of the Constitution.

I think we need a law which works cross medium, and addresses both content and routing information. It should lay out broad principles of privacy protection for Americans and people in America, and the times when spying is acceptable in ways that enable debate and discussion. We also need to address the very real abuses of past wiretapping statues, perhaps with increasing oversight as time goes by.

This is a hard area, and I encourage you to join in the discussion here, on Jim’s blogs, or on your own.

I hit post to soon, I’d meant to explain the image. I picked the image because I believe that listening to phone calls is sometimes something we should allow a government to do. If we do it right, it’s a valuable tool. If we do it wrong, it becomes an intrusion and a betrayal of our values. To date, we are doing it wrong, with secret courts rubber stamping requests under complex laws that few can understand. The result is that legitimate wiretapping is harder than it needs to be. Getting FISA right includes restoring public trust.

Image: Dr. Bulldog & Ronin.