“No Evidence” and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:”

Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those three-digit codes on the back of cards, Wikileaks told donors in an email.
We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

I wanted to bring this up, not to laugh at Coleman (that’s Franken’s job, after all), but because we frequently see assertions that “there’s no evidence that…”

As anyone trained in any science knows, absence of evidence is not evidence of absence. At the same time, sometimes there really is sufficient evidence, properly protected, that allows that claim to be made. We need public, documented and debated standards of how such decisions should be made. With such standards, organizations could better make decisions about risk. Additionally, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.

Security is about outcomes: RSA edition

So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at securosis and Stiennon’s network world blog, so I won’t try to do that.

But I did promise to tell you what I wanted to get out of it. My goals, ordered:

  1. A successful Research Revealed track. I think we had some great talks, a panel I’m not qualified to judge (since I was on it), and at least a couple of sell-out sessions. But you tell me. Did it work for you?
  2. See interesting new technology. I saw three things: Garner’s hard drive crusher (they have a “destroy” button!), Camouflage’s database masking and some very cool credit card form factor crypto devices from Emue. (I’d add Verizon’s DBIR, but I saw that before the show.) Four interesting bits? Counts as success. Ooh, plus saw the Aptera car.
  3. Announce our new blog at Newschoolsecurity.com. Done!
  4. See friends and make five new ones. It turns out that the most successful part of this was my Open Security Foundation t-shirt. I urge you all to donate and get this highly effective networking tool.
  5. Connect five pairs of people who previously didn’t know each other. I counted seven, which makes me really happy.

What I didn’t want: a hangover. Only had one, Friday morning.

Will The Real Adam Shostack Please Stand Up?

At one point during the RSA party hopping last week, Adam, Alex and I ended up at the Executive Women’s Forum event. I was feeling pretty punchy and decided that all three of us should have name tags that read “Adam Shostack”. If anyone asked, I just explained that we were promoting the new blog. Eventually I wandered off to another party and some other folks decided that this was a really good idea as well. By the time I got back to the W, there was a whole slew of Adams floating around. Those who subscribe to the “Pictures or It Didn’t Happen” school of thought can find all the evidence over on the flickr photostream.

Little Bobby Drop tables

In 1999 Syse Data was converted to a limited liability company, and has since been trading under the name Syse Data AS[1]. As the names are so similar, searches for our company in the official Norwegian registry of just-about-anything (Brønnøysundregistrene) often resulted in potential customers looking up the wrong company. To prevent this confusion we recently changed the name of the old (non-LLC) company, and figured we’d use the opportunity for some harmless – or so we thought – fun.

The old company was renamed to:


Apparently, the tax authorities noticed. You’ll need to read their page for more details. (Scroll down for English.)

As did Justin Mason.

Dept. of Pre-Blogging: Swine Flu edition

In no particular order, your friendly neighborhood Dept. of Pre-blogging hereby predictively reports on:

  • Increased speculation, coupled with a spike in Twitter activity.
  • Politicization of the event from the Right (blame Mexico and/or Big Government), the Left (if we spent money in the right places, this would not happen), and out in left field (this is actually the result of an experiment by the CIA/NSA/World Bank/Freemasons/etc).
  • Rapid adoption of irrational coping mechanisms, perhaps including a run on N95 respirators and surface disinfectants.
  • Reassuring releases from the Pork Council that in addition to being the Other White Meat(tm), yummy bacon cannot transmit influenza unless it has previously been used as a handkerchief.
  • An upcoming Schneier blog item on swine flu hysteria being related to confirmation bias.

Congratulations to the Social Security Blog award winners!

A huge congratulations to the winners of the Social Security Awards [on Wednesday] PaulDotCom won the Best Podcast Award, the crew at the SANS Internet Storm Center won the best Technical Blog award, the best Non-Technical Blog went to Richard Bejtlich of the TaoSecurity Blog, Sunbelt Security won the Best Corporate Blog and Mike Rothman from Security Incite won the Most Entertaining blog. Now we just need to get Mr. Rothman to start posting again.

See Martin McKeay’s post for more details of a great meetup.

Who should be punished for torture?

Normally, I try to post funny bits over the weekend, but I can’t let this week’s news slip by.

I have deeply mixed feelings about how to handle those who tortured. On the one hand, they were only following orders. On the other hand, they were following orders which clearly required contortions to see as legal. Soldiers also have a duty to disobey manifestly illegal orders.

  • “The OLC Memos” by Gerard Magliocca analyses the analysis, and finds it wanting. (Concurring Opinions)
  • “A History of Coercive Interrogation” is Will Levi’s summary of his forthcoming Yale Law Journal article on “Interrogation’s Law.” From the abstract: “Conventional wisdom [is] U.S. authorization of coercive interrogation techniques, and the legal decisions that sanctioned them, constitute a dramatic break with the past. This is false.”
  • At Obsidian Wings, Hilzoy makes “The Obvious Comparison” for one newly revealed technique.
  • “Torture and ‘laying blame for the past’” is Sonja Starr’s analysis of the Convention Against Torture, which seems to require prosecution. By this analysis Obama’s dichotomy of “reflection, not retribution” is the wrong one. The correct one is “do we start obeying the laws we passed, or not?” (Concurring Opinions)
  • “The Unreleased Torture Memo” by David Luban has a quite cutting response to the “second-guessing argument” at Balkinization.

As I said, I have mixed feelings about the perhaps legally required prosecution of those who tortured. My feelings about those who authorized it are more varied. They range from hanging to extraordinary rendition under the standards they claimed as legal.

Please keep comments as civil as is reasonable for the topic.

Off to the Moscone Center

Every year around this time, thousands of people converge on the Moscone Center in San Francisco for RSA. I had never given much thought to who Moscone was–some local politician I figured.

I first heard about Harvey Milk in the context of the Dead Kennedys cover of I Fought The Law:

The law don’t mean shit if you’ve got the right friends
That’s how this country’s run
Twinkies are the best friend I’ve ever had
I fought the law
And I won

I blew George and Harvey’s brains out with my six-gun
I fought the law and I won

I learned about Harvey Milk, but didn’t really remember George. I learned who he was from Milk, the movie.

When you hear someone talking about the absolute catastrophe that getting hacked might be, put it in context of human life. Most hacking incidents are annoying, some have real financial impact, and some few have the potential to do real and irreparable harm.

So as we go to the Moscone Center, remember the murders committed by an authorized entrant into city hall. When you hear someone talking about the absolute catastrophe that getting hacked might be, put it in context, and remember George Moscone and Harvey Milk.

The New School Blog

I’m really excited to announce NewSchoolSecurity.com, the blog inspired by the book. I’ll be blogging with Alex Hutton, Chandler Howell and Brooke Paul. And who knows, maybe we’ll even get a post or two from Andrew?

Emergent Chaos will continue. My posts here will be a little more on the privacy, liberty and economics end of things, with my technical and business security split between The New School.

All that said, I’ve posted the followup to “Security is about outcomes, not about process” on The New School, which you can read at “Events don’t happen in a Vacuum.”

Security is about outcomes, not about process

Nearly a decade ago Bruce Schneier wrote “Security is a process, not a product.” His statement helped us advance as a profession, but with the benefit of hindsight, we can see he’s only half right. Security isn’t about technology.

Security is about outcomes, and our perceptions, beliefs and assurance about those outcomes.

Here’s a quick gut check: which would you rather tell the board or your customers? (1) “We had no security incidents last year, and aren’t sure why,” or (2) “Our customer database was pillaged 9 times, despite a cross-organizational investment in ISO 27001 which was aligned with our balanced scorecard and measured to be in the top quartile of all infosec programs?”

However people orient themselves around security, what they worry about is not “does the organization follow COBIT or ITIL?” but, “will they protect the information I’m giving them?”

Across the variety of orientations which exist within security, outcomes are what counts. Some examples:

  • Compliance officers want to keep the CEO out of jail. All the process in the world is useful because when they’re not, they can talk about their plans for correcting that.
  • Applied Researchers ask “did you pwn it?” They’re concerned with testing a hypothesis, which is “this system resists this type of attack.”
  • Law enforcement wants to catch the bad guy (or gal). Much of the friction between civil libertarians and law enforcement comes from a conflict about prioritization of goals.

We’ve focused on process because we have so little data on outcomes. People will talk about their training processes. But when you ask them whether that process worked, no one wants to say.

For us to mature as a discipline and as part of the organizations we support, we must go from talking about what might happen to what does happen.