This is quite possibly the DEA’s greatest success in disrupting the supply of a major illicit substance. The focus on disrupting the supply of inputs rather than of the drug itself proved extremely successful. This success was the result of a highly concentrated input supply market and consequently may be difficult to replicate for drugs with less centralized sources of supply, such as cocaine and heroin. That this massive market disruption resulted in only a temporary reduction in adverse health events and drug arrests and did not reduce property and violent crimes, is disappointing. (italics added)
So reads the conclusion to “Methamphetamine, Public Health and Crime.”
Anyone watching our 40-year, futile war on drugs has to see this. But we’re locked into it for all sorts of reasons. What security measure is the best analog for this? Expensive, intrusive, and ultimately futile?
Via Marginal Revolution.
Thousands of dollars worth of hundred dollar bills brought rush hour to an abrupt halt on two San Diego freeways.
Drug suspects tossed the money from their car as they were chased by police. Other drivers saw the money and stopped their cars on the freeway to dash into traffic trying to get some of the cash.
For the past few months, I’ve been working with the folks at the RSA Conference to put together a track entitled “Research Revealed.” Our idea is that security needs to advance by getting empirical, and by bringing in a wide variety of analytic techniques. (Regular readers understand that Andrew Stewart and I brought these ideas together in a book, “The New School of Information Security.”)
The content is really exciting. From the opening with a top-rated speaker, Betsy Nichols, who’ll be talking about “Crunching Metrics from Public Security Data,” continuing to Gene Kim’s talk about applying real analysis of practice to virtualization and a great panel talking about lessons learned from Election 2008, this track is just packed with hard facts and practical analysis.
Because I’m so excited by this, I’ve put the data into a Research Revealed .ics file you can use to bring these into your calendar.
I also extracted this table from the RSA website (it was hard to link), so you can easily see the track:
| Session ID | Title | Classification | Session Type | Scheduled | Speaker affiliations (as listed; names not preserved) |
|---|---|---|---|---|---|
| RR-105 | Crunching Metrics from Public Security Data | Advanced | Track Session | Tuesday, April 21, 01:30 PM | |
| RR-106 | Controlling Virtualization Security Risks: Tips from the Experts | Intermediate | Track Session | Tuesday, April 21, 03:00 PM | |
| RR-107 | Technology Lessons Learned from Election 2008 | Advanced | Track Session | Tuesday, April 21, 04:10 PM | Senior Computer Scientist; Chief Technology Officer, Open Source Digital Voting Foundation; University of California, Berkeley; University of Iowa |
| RR-108 | Security Risk Metrics: The View from the Trenches | Intermediate | Track Session | Tuesday, April 21, 05:40 PM | |
| RR-201 | Fraud Management Strategies of North American Financial Institutions | Intermediate | Track Session | Wednesday, April 22, 08:00 AM | |
| RR-202 | Data Sources, Methods, and Challenges | Not Rated | Track Session | Wednesday, April 22, 09:10 AM | The Security Consortium, Inc.; Professor of Computer Science, University of Pennsylvania |
| RR-203 | Why Software is Still Insecure: Conclusions from a Ten-Year Study | Advanced | Track Session | Wednesday, April 22, 10:40 AM | Research Director, Secure Content and Threat Management Products |
| RR-301 | Into the Breach: An Analysis of Attack Data Trends | Intermediate | Track Session | Thursday, April 23, 08:00 AM | Information Security Manager |
| RR-302 | Best Practices for Mitigating Insider Threat: Lessons Learned from 250 Cases | Advanced | Track Session | Thursday, April 23, 09:10 AM | Senior Member of the Technical Staff, Carnegie Mellon Software Engineering Institute; Carnegie Mellon Software Engineering Institute |
| RR-303 | Using Science to Battle Data Loss: Analyzing Breaches by Type and Industry | Intermediate | Track Session | Thursday, April 23, 10:40 AM | |
| RR-304 | Cyber Warfare: Technology, Law and Ethics | Advanced | Track Session | Thursday, April 23, 02:10 PM | Professor and Program Coordinator, Sheridan Institute of Technology and Advanced Learning |
| RR-401 | The Data-Driven CSO: Steering Clear of Security Breaches | Intermediate | Track Session | Friday, April 24, 09:00 AM | Vice President of Technology & Innovation |
| RR-402 | Closed-Loop Information Assurance | Advanced | Track Session | Friday, April 24, 10:10 AM | |
| RR-403 | Applying Pattern Recognition in SOD, Fraud or GRC-Related Violations | Advanced | Track Session | Friday, April 24, 11:20 AM | Software Development Director |
While I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model.
Lots has been said, so I’d just like to quote one little bit:
One could build a maturity model for software security theoretically (by pondering what organizations should do) or one could build a maturity model by understanding what a set of distinct organizations have already done successfully. The latter approach is both scientific and grounded in the real world, and is the one we followed.
It’s long, but an easy and worthwhile read if you’re thinking of putting together or improving your software security practice.
Incidentally, my boss also commented on our work blog “Building Security In Maturity Model on the SDL Blog.”
This year’s Computers, Freedom and Privacy Conference will feature a research showcase in the form of a research poster session as well as a research panel that includes the authors of the best research posters. CFP is the leading policy conference exploring the impact of the Internet, computers, and communications technologies on society. For more than a decade, CFP has anticipated policy trends and issues, and has shaped the public debate on the future of privacy and freedom in an ever more technology-filled world. CFP focuses on topics such as freedom of speech, privacy, intellectual property, cybersecurity, telecommunications, electronic democracy, digital rights and responsibilities, and the future of technologies and their implications. Researchers who work in any of these areas are invited to submit research abstracts.
We seek research abstracts describing recent or ongoing research in all areas relevant to the conference themes. We are especially interested in research abstracts that present results with clearly articulated policy implications. Abstracts should be written for a general audience and should avoid using technical or legal jargon.
Submitted research abstracts can be either unpublished original research (including work in progress), or research that has been recently published (2008 or 2009).
This is a great opportunity to get interesting work in front of a diverse audience. I’m on the program committee, and we’ve extended the deadline — all you need to submit is an abstract — to Friday the 10th. Check it out.
and I’ll sing what he said. Ethan Zuckerman has two great posts lately: “From protest to collaboration: Paul Simon’s “Graceland” and lessons for xenophiles” and “Argentine economics and maker culture.” The Paul Simon post talks about the deep history of the Apartheid boycott and about Paul Simon’s approach to creating Graceland. Graceland was a collaboration of the hardest sort: not only across boundaries of culture, but of money, fame, power and an international boycott. It’s always been one of my favorite albums because:
At its best, Graceland sounds like Simon is encountering forces too large for him to understand or control. He’s riding on top of them, offering free-form reflections on a world that’s vastly more complicated and colorful than the narrow places he and Art Garfunkel explored in their close harmonies. In “Boy in the Bubble” (video above), the chorus, “These are the days of miracle and wonder, this is the long distance call” could serve as a tagline for anyone confronting our strange, connected world. Simon’s not cutting and pasting from a global palette of sounds the way McLaren is – he’s being swept forward by the brilliant musicians he’s playing with, trying frantically to tell us what he sees through the window as the train rushes forwards.
while just a few days before he had time for a long rumination about the impact of currency on culture in Argentina:
I started thinking things were a bit strange when I noticed an Italian restaurant advertising the fact that they used a particular dried pasta imported from Italy. The pasta in question – DeCecco – is fine stuff, but I buy it for $2 a box at my local supermarket. This restaurant was charging a steep premium for these noodles, roughly twice what they charged for handmade. In the US, where labor is at a premium, “handmade” almost always means “expensive” – in Argentina, handmade means local, which means cheap, while the imported noodles demand a premium.
The world is a weird and wonderful place, and Zuckerman is a fascinating linker, bringing together interesting and diverse threads to make a mosaic.
Ultimately, Simon emerged from Graceland as a bridge figure. Producing Ladysmith Black Mambazo albums, he found himself literally attempting to share what he saw as beautiful and transformative in Zulu choral music with an American audience…Xenophilia involves this sort of complex negotiation, finding a path that’s about collaboration, not appropriation. It finds ways to engage as well as to protest, to build joint projects that, in turn, build relationships and bridges. In rare cases, you might get something truly special, a record that’s very much worth a listen more than twenty years later.
I wanted to tie this a little (because it’s hard to tie it a lot to very much of anything, and that’s not only ok, but great) to some of what I’m learning lately, but I’m short on time.
So go read Ethan’s posts.
A Missouri state bill requiring notification of the state attorney general as well as of individuals whose records have been exposed just took a step closer to becoming law.
As reported in the St. Louis Business Journal on April 1:
Missouri businesses would be required to notify consumers when their personal or financial information is compromised in security breaches, under a bill that received initial approval Wednesday from the Missouri Senate.
If the personal information of more than 1,000 Missourians has been breached, companies would be required to notify the state attorney general’s office, which would have the authority to seek civil penalties up to $150,000 per security breach, under the bill.
The legislation needs a second vote of approval before moving to the House for similar consideration.
St. Louis Business Journal
Should the bill become law, Missouri would become one of several states requiring centralized notification to state authorities for at least some breaches.
I was going to title this “Painful Mistakes: Torture, Boyd and Lessons for Infosec,” but then decided that I wanted to talk about torture in a slightly different way.
The Washington Post reports that “Detainee’s Harsh Treatment Foiled No Plots” and [UK Foreign & Commonwealth Office] Finally Admits To Receiving Intelligence From Torture. From the Post story:
When CIA officials subjected their first high-value captive, Abu Zubaida, to waterboarding and other harsh interrogation methods, they were convinced that they had in their custody an al-Qaeda leader who knew details of operations yet to be unleashed, and they were facing increasing pressure from the White House to get those secrets out of him.
The methods succeeded in breaking him, and the stories he told of al-Qaeda terrorism plots sent CIA officers around the globe chasing leads.
In the end, though, not a single significant plot was foiled as a result of Abu Zubaida’s tortured confessions, according to former senior government officials who closely followed the interrogations.
The torture committed in our names undermines our claim to moral superiority. It doesn’t demolish it completely. Intentional mass murder of civilians is worse, but in war, you don’t want to have such arguments. You want to clearly have a right side and a wrong side, and torture usually sets you on the wrong side. Boyd laid out conflict as happening in a moral-mental-physical atmosphere, with moral being the most important. If you don’t have a moral claim to rightness, then your side’s mental willingness to fight for the cause is subject to alienation through propaganda. (This is why Al Qaeda shows so many videos of Guantanamo, Abu Ghraib, etc.) More on this in Chuck Spinney’s “When Strategic ‘Genius’ is Mortal Blunder.”
So why do people commit acts of torture? It’s because they believe that it works, and under the ticking time bomb theory, it’s the lesser evil. That what counts is “why the President thinks he needs to do that.”
There are two arguments against torture, the moral and the practical. Both are outlined in the articles cited at the top. I’d now like to turn back to the idea of best practices.
Best practices are ideas which make intuitive sense: don’t write down your passwords. Make backups. Educate your users. Shoot the guy in the kneecap and he’ll tell you what you need to know.
The trouble is that none of these are subjected to testing. No one bothers to design an experiment to see whether users who write down their passwords get broken into more often than those who don’t. No one tests whether user education works. (I did, once, and stopped advocating user education. Unfortunately, the tests were done under NDA.)
The other trouble is that once people get the idea that some idea is a best practice, they stop thinking about it critically. It might be because of the authority instinct that Milgram showed, or because they’ve invested effort and prestige in their solution, or because they believe the idea should work.
The next time someone suggests something because it’s a best practice, ask yourself: is this going to work? Will it be worth the cost?
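To make “is this going to work?” concrete, here is an added example (mine, not from the original post) of the two calculations such an experiment needs: a test of whether an observed difference in compromise rates between two groups is distinguishable from noise, and the group size required to detect a difference of a given size at all. The counts below are constructed for illustration, not measured data, and the z quantiles are hard-coded so the script runs with only the standard library.

```python
import math

# Standard-normal quantiles, hard-coded to avoid a scipy dependency.
Z_975 = 1.959964   # two-sided alpha = 0.05
Z_80 = 0.841621    # power = 0.80


def two_proportion_ztest(x1, n1, x2, n2):
    """Pooled two-proportion z-test.

    x1/n1: compromised / total in group 1 (e.g. users who write passwords down)
    x2/n2: compromised / total in group 2 (e.g. users who do not)
    Returns (rate1, rate2, z, two_sided_p).
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    # Two-sided p-value from the normal survival function.
    p_value = math.erfc(abs(z) / math.sqrt(2))
    return p1, p2, z, p_value


def required_group_size(p1, p2, z_alpha=Z_975, z_beta=Z_80):
    """Per-group sample size to detect rates p1 vs p2 with the given
    alpha (two-sided) and power, using the standard normal approximation.
    """
    pbar = (p1 + p2) / 2
    numerator = (z_alpha * math.sqrt(2 * pbar * (1 - pbar))
                 + z_beta * math.sqrt(p1 * (1 - p1) + p2 * (1 - p2))) ** 2
    return math.ceil(numerator / (p1 - p2) ** 2)


def evaluate_best_practice(x1, n1, x2, n2, alpha=0.05):
    """Summarise an experiment on a 'best practice': is the difference
    significant, and how many users would it have taken to find out?
    """
    p1, p2, z, p_value = two_proportion_ztest(x1, n1, x2, n2)
    return {
        "rate_writes_down": p1,
        "rate_does_not": p2,
        "z": z,
        "p_value": p_value,
        "significant": p_value < alpha,
        "needed_per_group": required_group_size(p1, p2),
    }


if __name__ == "__main__":
    # Constructed numbers: 1,000 users per group, 23 vs 18 compromises.
    result = evaluate_best_practice(23, 1000, 18, 1000)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With these constructed counts the difference (2.3% vs 1.8%) is not significant (p is about 0.43), and detecting a gap that small reliably would need over twelve thousand users per group. That is the point of the exercise: most “best practice” claims are defended with far less data than it would take to confirm them.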
British newspaper announces all-tweet format. Hilarity ensues.