Tweet, tweet

A few weeks back, Pistachio twittered about How to Present While People are Twittering. I picked it up, and with the help of Quine, was getting comments from Twitter as I spoke. It was a fun experiment, and it’s pretty cool to be able to go back and look at the back channel.

[Update: I think there was more positive than I really touched on, and have written a new post all atwitter about why it was useful and why I’ll do it again.]

I don’t think that it was hugely successful for this talk for two reasons. First, my talk, “The Crisis In Information Security” is a ‘big idea’ talk, based on my book “The New School of Information Security,” written with Andrew Stewart.
A big idea talk has to cover a lot of ground quickly, rather than dwell on a lot of specifics–you can see some of that feedback, Rich Mogull comments on “I said some of that a year ago,” and B.K. Delong says “can we have more details?” The other reason it didn’t work is because there was a lot of in-room interaction. Questions came out during the talk rather than being tweeted.


Still, it was pretty cool, and I’ll definitely try it again.

So, here are the #sourceadam comments in chronological order. My comments are in italic.

stormtrooperguy: All tweets from the current panel @sourceboston will be tagged with #sourceadam so that they can reference it later.

leune: getting ready for #sourceadam

quine: Actually, #SOURCEAdam or #AdamSOURCE.

bkdelong: At Adam Shostack’s talk #sourceadam

securitytwits: RT @quine — if you’re in @adamshostack’s presentation at #SOURCEBoston, please use #adamsource OR #sourceadam for feedback/questions.

quine: Admittedly, I am a buffoon. I chose “#adamsource”, then announced “#sourceadam” — hence the use of both 😉

Beaker: I believe I just saw a nerd version of Sisyphus — better than a LOLcat #sourceadam #sourceboston

Yes: http://flickr.com/photos/signifying/2073074572/


Beaker: Who was the last idiot infected with Blaster? We just saw the last guy who had Smallpox…. #sourceadam #sourceboston


mortman: @Beaker Well lolcats are beneath Adam #sourceadam #sourceboston

mortman: Millikan Oil Drop Experiment led to PowerPoint. #sourceadam #sourceboston

mortman: @alexsotirov @k8em0 has an apple and the rest of us don’t. #sourceadam #sourceboston

k8em0: @alexsotirov we lack cred in infosec because we lack data #sourceboston #sourceadam

hackertweets: k8em0: @alexsotirov we lack cred in infosec because we lack data #sourceboston #sourceadam


k8em0: @mortman @alexsotirov it’s a pear. Observation is not the best way to gather data. #sourceboston #sourceadam

mortman: @k8em0 @alexsotirov Proof that independent confirmation is a necessary part of the scientific method. #sourceboston #sourceadam

bkdelong: @k8em0 At least not VISUAL observation #sourceadam #sourceboston

mortman: #sourceadam #sourceboston Re: learning from experience. Is that another way of saying “the plural of anecdote is not data”?

stormtrooperguy: @sourceboston : the #sourceadam panel is packed, standing room only.

Beaker: Adam, you have a lot of “questions.” You have any answers? #sourceadam

I think I do. If not, you have a refund coming. (Hoff bought the book on his Kindle as we were setting up. I promised him a refund if he doesn’t like it.)

bkdelong: So @adamshostack what data is being collected that is good? What do we NEED to be collecting? #sourceadam #sourceboston

bkdelong: Specifically what KPIs and what metrics / risk calculations can we be doing to help us make the case to management #sourceadam @sourceboston

What does your management care about? You’re going to need rich sets of data to find the comparatives you need.

mortman: #sourceadam #sourceboston RE: What is the biggest pain point? We talk about professional hackers, users, random loss, why not vendors?

mortman: #sourceadam #sourceboston Why not more blame for the folks who produce crap?

k8em0: it’s hard to categorize what causes security customer pain (hax0rs, kiddiez, RBN, nation-states) #sourceboston #sourceadam

rybolov: #sourceadam can you use the phrase “self-licking ice cream cone” jus for me? k thnx.

Self-licking ice cream cone.

hallam: @SOURCEAdam have you heard of the GENI initiative, any thoughts?

mortman: @hallam geni.net? or something else #sourceadam #sourceboston

hallam: geni.net

I haven’t, thanks! Checking it out now.

bkdelong: The @datalossdb does not cover all breaches and too many reporters cite it as true total # of breaches – bad. Needs correction #sourceadam

BK: True, but as the Beatles said, it’s getting better all the time.

k8em0: #sourceboston #sourceadam Hype is too big for your breaches – they don’t cause all customers to flee & you to go bankrupt.

mortman: #sourceboston #sourceadam Mmmmm tylenol.

bkdelong: Tylenol Recall #sourceboston #sourceadam

bkdelong: The @datalossdb certainly best out there but there are lots of unreported/non-FOIA’d breaches not in there. Still a lot more. #sourceadam

bkdelong: More on Black Swan theory – http://tinyurl.com/2ngwkw (Yes, wikipedia for ease sake) #sourceadam #sourceboston

I was pretty dismissive of “Black Swan” hype. I stand by that, and don’t think we should allow fear of a black swan out there somewhere to prevent us from studying white ones and generalizing about what we can see.

rmogull: @bkdelong #sourceadam #sourceboston I wrote an article on that over a year ago (Tylenol/disclosure): http://bit.ly/Q5Ko8

Great stuff, Rich!

mortman: #sourceboston #sourceadam Check out “research revealed” track at RSA.

k8em0: #sourceboston #sourceadam wallow in the data, follow @datalossdb for example.

bsmithsweeney: #sourceadam reminded of “The Quixotic Quest for Invulnerability” http://tinyurl.com/5equfo, on protection vs. recovery #sourceboston

k8em0: #sourceboston #sourceadam you point out methodological flaws w/the passwords4chocolate experiment. 45% of women likely lied 4 choc.

It would be fun to find out how many lied, and how many didn’t care. I suspect we’d be depressed, but the truth is supposed to set you free, not make you happy.

bsmithsweeney: Really enjoyed #sourceadam talk @sourceboston. Definitely worth grabbing the slides/video.

Thanks bsmithsweeney, and thank you to everyone who participated in the talk and the backchannel!

What Was Wrong With the Old FISA?

The Get FISA Right group is publicizing our need to re-think the laws. They have discussion going on on their site, as well as on The Daily Kos. I recommend catching up there, or reading Adam’s recent post here.

I have to ask what was wrong with the old FISA? It wasn’t a bad system; it had a lot of tradeoffs as well as emergency provisions. The government could, for example, get a warrant after the fact in an emergency.

But the old FISA was very Cold War. It was also very much adapted to the previous century’s technology in which wired technologies were static and protected and wireless or mobile technologies were highly regulated.

So let’s look at some of the things that are indeed worth changing.

  • I think it is important to note upfront that getting a warrant trumps all this discussion. We are talking about Fourth Amendment considerations, and that means what can be done without a warrant. But it also concerns a certain amount of how the government can operate when it has one, when they’re operating completely above board.
  • In the past, FISA was overly concerned with devices rather than persons. Changing it so that it affects persons is a good idea. If there is permission to spy on a person, then it should be to spy on the person. Making it the person and device is awfully restrictive, especially when it’s hard to know what counts. Rather than debate about what happens when DHCP gives you a new address, it’s better to just make things apply to persons. That probably makes the law adapt better to changing technology.

    I would not want to end up having interesting new technologies like femtocells land in some odd legal limbo because of some peculiarity of the technology. It’s better for us all to just agree that when it is okay to spy on a person, it’s that person.

  • In the past, FISA worried a lot about where the pipes were. It also seems reasonable to have that abstracted away. This goes along with focusing on the persons. A phone call between non-US persons does not suddenly become a US thing just because some glass runs across the US.

    Now, this has consequences. I wouldn’t blame non-US telecom companies for proudly avoiding the US as a result of that. It’s from the viewpoint of a civil libertarian who is trying to make sense out of the rules of spying that I think that.

    It is also the converse of thinking that when I am in another country, they’ll spy on me or not according to their rules, not mine.

  • The flip side of this is that US persons are protected everywhere. It seems fair that if we’re going to tune the law to make it easier to spy on non-US persons no matter where they are, the US persons should get full protection. This strikes me as being the way that things ought to be. My government shouldn’t spy on me (without a warrant) just because I’m traveling outside the country. This may be as things ought to be, but it used to be at least de facto that if you were outside the country, your calls would be monitored.
  • It is a point of our common law that non-US persons are subject to US law when they are in the US. If a foreigner is arrested in the US, they get a jury trial, for example. In this particular case, however, non-US persons in the US should have some extra measure of protection; the question is what.

I can go on, particularly about the new features of the new FISA. However, that strays away from this discussion: what didn’t work well in the old one?

Would Anne Fadiman buy a Kindle?


If you like books, if you like to read, you need a copy of Anne Fadiman’s “Ex Libris: Confessions of a Common Reader.” You especially need to read it if you care an iota about identity management, because the major themes in her essays are not only about books, but about identity. (In case you’re wondering, yes, she’s the daughter of Clifton and Annalee.)

The first major theme is about mixing books in a relationship. She opens Ex Libris with:

A few months ago, my husband and I decided to mix our books together. We had known each other for ten years, lived together for six, been married for five….

Sharing a bed and future was child’s play compared to sharing my copy of The Complete Poems of W. B. Yeats, from which I had once read “Under Ben Bulben” aloud while standing at Yeats’s grave in Drumcliff churchyard, or George’s copy of T. S. Eliot’s Selected Poems, given to him in the ninth grade by his best friend, Rob Farnsworth, who inscribed it “Best Wishes from Gerry Cheevers….”

George is a lumper. I am a splitter. His books commingled democratically, united under the all-inclusive flag of Literature…. Mine were balkanized by nationality and subject matter….

If you are charmed, you must buy this book. I’ve omitted some of the funniest lines. If you doubt me, check Amazon, as these pages are included in their peek inside.

The other important theme in her book is the difference between people who think that books are objects and people who think that books are information. People who think that books are objects shudder at the thought of writing in them, dogearing page corners, etc. I’m sure you can guess where George and Anne lie.

I am especially amused by this because I, too, have had the problem of commingling libraries. I’ve been divorced, and dividing the library was a horror. The horror; nothing else was that hard. It was such a horror that I flipped from being someone who views books as objects to one who views them as information.

Books can be replaced. Really. I’ve done it. The archaeologists of future civilizations will not sigh in a lament because they’re missing the one issue of National Geographic or Cook’s Illustrated that you threw out. Truly. Trust me on that.

My last spouse, however, is someone who firmly believes that books are objects. I understand some of this. She collects antique children’s books. I have a first edition of The Hunting of the Snark (a possession that I can blame Ms. Fadiman’s father for, with Martin Gardner as an accessory before, during, and after the fact). Yet that admission also proves that I’m not that sort of person. My present condition of loving information rather than objects is some sort of Laingian adaptation, I suppose. I understand books just the way that Thomas Mendip understands names.

She lusts after a Kindle. Not Ms. Fadiman, my spouse. It’s something I find amusing, because I’m inclined to get her one because the savings in floor space alone amortizes its value out in the first month. In California, floor space is a valuable asset if you’re a bibliophile. She is someone who screams, “Nooooooooooo!” if I suggest that we get rid of a crap novel we agree is crap and yet she is willing to convert from paper you own to bits on loan. Even if our house is Alexandria, future generations would thank their ancestors for the culling if they only knew, of course, which they couldn’t. Nonetheless, she desires a Kindle.

Worse, a friend brought one into work today, and I’d like one, too. I’ve downloaded the Kindle app to my iPod. The problem that remains is the problem I complained about in Identity Manglement last fall. What account should we buy the books under?

An elegant part of the Kindle is that if you have more than one, they sync their books, and even the bookmarks. If you have the iPod app, that syncs, too. It’s brilliant.

I have friends who are already a multi-Kindle household. The system works well, but you can’t have two accounts pointing to one Kindle if you want to share books. There are ways, I am told, to work around this limitation, but I don’t want to work around it. I don’t want to soak the books in a digital solvent that removes the stickiness. I just want to be able to read a book she bought, as if it were a — you know, book.

When it came to music, I had the foresight to create an account that we collectively buy music with. Emusic and iTunes both under the one identity. The community property we own can distribute itself over our laptops and iPods.

But we’ve been buying books from Amazon for ages, each of us. There’s no real problem with taking that email address and giving it the Kindles, but I don’t want to. I want Amazon to understand that there are households where after a lot of thought, after years of agonizing, the books have been merged. They should do that for Kindles, too.

It’s easy enough to do. Please do it. I wonder what Anne Fadiman would do.

What Should FISA Look Like?

Jim Burrows is working to kick off a conversation about what good reform of US telecom law would be. He kicks it off with “What does it mean to “get FISA right”?” and also here.

To “get it right”, let me suggest that we need:

  1. One law that covers all spying
  2. Require warrants when the US spies on
    1. Anyone in the US
    2. US persons (citizens and resident aliens) anywhere
  3. Allow the intelligence agencies to spy freely on foreigners overseas, even if the taps are in the US
  4. Require Executive, Judicial and Congressional oversight when protected and unprotected communications are entangled.
  5. Criminalize violation of the Constitution.

I think we need a law which works cross-medium, and addresses both content and routing information. It should lay out broad principles of privacy protection for Americans and people in America, and the times when spying is acceptable, in ways that enable debate and discussion. We also need to address the very real abuses of past wiretapping statutes, perhaps with increasing oversight as time goes by.

This is a hard area, and I encourage you to join in the discussion here, on Jim’s blogs, or on your own.

I hit post too soon; I’d meant to explain the image. I picked the image because I believe that listening to phone calls is sometimes something we should allow a government to do. If we do it right, it’s a valuable tool. If we do it wrong, it becomes an intrusion and a betrayal of our values. To date, we are doing it wrong, with secret courts rubber-stamping requests under complex laws that few can understand. The result is that legitimate wiretapping is harder than it needs to be. Getting FISA right includes restoring public trust.

Image: Dr. Bulldog & Ronin.

The Latest Big Processor Breach

So it’s now roughly confirmed, except for a few denials from Visa. First there was CardSystems, then Heartland, and maybe there’s at least one more known-to-some criminal breach at a payments processor. A lot of security bloggers have been talking about this, but I figure another day, another breach. Can’t we just get some facts? Do we have to get all wrapped around the secrecy axle?

I wanted to talk a little about this release from the Pennsylvania Credit Union Association, which was the first confirmation of the new breach, and said in passing:

Visa began releasing affected accounts on Monday, February 9, 2009 under CAMS event series US- 2009-0088-IC. They expect to have all accounts released by Friday, February 13. MasterCard began releasing accounts on Wednesday, February 11, 2009 under MC Alert series MCA0150-US-09.

Now, what I found really interesting is the form of those numbers, which apply to “event series” and “alert series.” Visa’s is “US-2009-0088-IC.” If I were to break that down, I’d figure that the 0088 is an event number, and Mastercard’s on MC alert #150.

So before anyone jumps up and says “OMG! 150 breaches! pwn! doom!” let’s analyze. First, either Visa and Mastercard have very different rules about what gets an event or an alert, or very different detection speeds. I think the former is more likely. So given that the networks have different definitions of what an event is, there are at least two professionally defensible definitions, and likely many more.

I wonder what the definitions are, and if they tell us anything about public breach notification rates.

This Data Will Self-Destruct in 5 Seconds


CSO Online has a good article on data destruction, “Why Information Must Be Destroyed.” It’s mostly about physical documents, not data, but I can still make a few quibbles.

The author, Ben Rothke, gives an example of a financial institution that did not live up to its regulatory requirements for properly disposing documents, and was punished. Well, duh, financials are a regulated industry, and let’s face it, if you don’t live up to your regulatory obligations, you’re asking for trouble. In financials, especially given the economic situation, not living up to regulatory requirements is apt to get one slapped around. The governments are embarrassed at their part in the financial mess, so they’re as likely to overreact as anything.

However, there are other regulated industries that have a requirement to keep data (e.g. pharmaceuticals), and a parallel article could be written: “Why Information Must Not Be Destroyed.” Many IT companies have data retention requirements, as well. There are even kerfuffles about keeping router logs and so on that allegedly would affect anyone with a wireless router, all in the name of stopping kiddie porn.

I’m not going to say anything more about the obvious stupidity of this, as Gentle Readers of this blog can likely come up with as long a list as I can. I’m instead going to tell a pair of stories about destructing physical documents.

I once worked for a computer security startup that had a delightfully playful culture. We had a contract with a company that shredded documents, and they had a number of large shredding bins throughout the building. I don’t know how we got the bright idea, but one day we decided that at our next all-hands meeting, one of the architects — let’s call him Jack — would hide in one of the bins. A shill would call out, “Hey, where’s Jack?” and then Jack would flip open the top of the bin and pop up like a Jack-in-the-box and say, “Here I am!”

This, of course, meant that we had to get Jack into the box. The box had a three-digit combination lock, so that meant we just had to brute-force it surreptitiously. We co-conspirators set about to brute-force the lock. We started at some convenient spot (666, as I remember) and started counting down. Jack’s whiteboard had a small spot where we put the current position, and anyone with a moment or three to spare tried a few numbers.

After about a week, we had gone through the whole keyspace and — nothing. The lock wasn’t open. That meant that someone hadn’t tugged hard enough on the lock as they went through. Not only had we wasted a week and had to do it again, but we were likely to miss the all-hands meeting and would have to wait for the next one. As we were grumbling about it, one of the administrative assistants came by the shredding bin. We got quiet. She asked why we were over there, and said that she’d noticed people congregating around the bin of late.

We had the rule in the company that it was all right to do a hack, you just had to ‘fess up when asked about it. So we told her. She thought it was a hilarious idea, and said, “I think I can help.” She dropped some of her papers into the bin and said, “Oops, I dropped the wrong folder into the bin. I’ll go get Facilities.” We scattered.

The facilities manager came over, and rescued her folder. She ostentatiously tossed the right documents into the bin and thanked the facilities guy. After he left, we all assembled and asked her, “And? And?” She told us that she’d managed to shoulder-surf two digits from him. We cheered, clapped her on the back and then found the last digit. And indeed, you had to give the lock quite a tug to get it to open. This is the first lesson: don’t put graphite in a combo lock; stickiness is a security feature.

Our hack went off without a hitch. The all-hands meeting came, we asked, “Where’s Jack?” and out Jack popped from the box to stunned looks from everyone not in on the joke. Our CEO gave one of the long-suffering sighs he gave whenever we hacked something. (However, he was game on things — we taught him to pick locks. He knew it was his job to give long-suffering sighs whenever he wasn’t included in the hack.)

A few years later, in a different company, one day our office manager uttered an uncharacteristically emphatic stream of epithets. I asked what the problem was; she’d dropped the wrong folder into the shredding bin. She didn’t have good contact information for the company that handles the bin, and it was the previous office manager who had set up the service, too. She started wending her way through the twisty maze of non-English-speaking people at the shredding company.

I wandered over to the bin. It was from the same company as before. You don’t suppose, do you? I mean, you don’t suppose they’d have the same combination? I tried it. Nothing. I stared at it for a moment, and then pushed the middle wheel up one. The lock snapped open in my hand. Clearly, the sticky lock wasn’t an intentional security feature before. I managed to fish out the misplaced folder without falling in and brought it over to her.

She disengaged from the shredding company, who had not figured out which account it was yet, and asked, “How did you do that?” and then added sotto voce, “Or do I not want to know?” I told her the story of Jack in the Bin, as well as the combination that worked, and told her to write it down in her notebook of fun facts. I also opined that the other bins in the building probably differed by only the middle digit. Why? Human factors. The guys who come in to empty the bins can’t memorize lots of combinations, so probably only remember the two-digit outer number and brute-force the middle digit. (And, Gentle Reader, the outer pair was the same digit, too.)

A couple of days later, she told me that she’d checked the other bins, and yes, they only differed by the middle digit, and there were only two distinct codes in the building. I’m not sure this says anything about data destruction companies. Remember, they have to have a manageable business, and most locks merely keep honest people honest. The system that company was (is?) using is almost certainly better than the alternative — an easily pickable key lock.

Photo by Lady, That’s My Skull.

Welcome To The (New) Machine

If you can read this, you are now reading Emergent Chaos on its new server. We’ve also upgraded to the 4.x train of MovableType. Let us know what you think. We’re also considering a site redesign, so let us know any feature requests or design suggestions. Thanks!