Cyberdeterrence Papers

This just came past my inbox:

The National Research Council (NRC) is undertaking a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The project is aimed at fostering a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and the possible utility of these strategies for the U.S. government.

To stimulate work in this area, the NRC is offering one or more monetary prizes for excellent contributed papers that address one or more of the questions of interest found in its call for papers, which can be found at
http://sites.nationalacademies.org/CSTB/CSTB_056215

Abstracts of less than 500 words are due April 1, 2010. First drafts are due May 21, 2010, final drafts July 9, 2010. For more information, see the call for papers.

The broad themes of interest include

  1. Theoretical Models for Cyberdeterrence
  2. Cyberdeterrence and Declaratory Policy
  3. Operational Considerations in Cyberdeterrence
  4. Regimes of Reciprocal/Consensual Limitations Regarding Cyberattack
  5. Cyberdeterrence in a Larger Context
  6. The Dynamics of Action/Reaction in Cyber Conflict
  7. Escalation Dynamics of Cyber Conflict

Readers with questions can contact Herb Lin, 202-334-3191, hlin at nas … edu

Me, I’m glad to see the administration moving towards more contests and open solicitations as a way of tapping into different ideas from a broader set of contributors.

I saw something that an abstract is not required to submit a fill paper, but would encourage checking in on the rules for yourself.

Dear SSN-publishing crowd

There’s a bunch of folks out there who are advocating for publishing all SSNs, and so wanted to point out (courtesy of Michael Froomkin’s new article on Government Data Breaches ) that it would be illegal to do so.

42 USC § 405(c)(2)(C)(viii) reads:

(viii)(I) Social security account numbers and related records that are obtained or maintained by authorized persons pursuant to any provision of law enacted on or after October 1, 1990, shall be confidential, and no authorized person shall disclose any such social security account number or related record.

Which doesn’t impact on your policy analysis, but since you need to advocate for a law being changed, we might as well advocate for the right law, rather than a change you hope will have certain effects.

In my view, the right law is one that says that reliance on the SSN for authentication or authorization purposes shall be presumed negligent.

Oh, and Froomkin’s article is delightful too. Take a look.

Women In Security

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science.

For Lady Ada Day, I wanted to call out the inspiring work of Aleecia McDonald. In a privacy world full of platonic talk of the value of notice and consent, Aleecia did something very simple: she figured out how long it would take for consumers to do what the Direct Marketing Association recommends: read privacy policies.

She then multiplied that by an estimate of how much it would cost, and demonstrated pretty conclusively what we all intuitively knew: the current scheme is a massive wealth transfer because of transaction costs. (I’m interpreting her results here; I believe she would be more conservative in the interpretation.)

Her work also prefigures Cormac Herley‘s recent work “So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users.”

So Aleecia McDonald is my choice for a woman in science and technology who’s inspiring me to think about the economics of security and privacy in new ways.

PS: I have an another choice over at The New School blog. Hey, two blogs, two choices.

Some Chaotic Thoughts on Healthcare

Passage of this bill is too big for my little brain, and therefore I’ll share some small comments. I’m going to leave out the many anecdotes which orient me around stupid red tape conflicts in the US, how much better my health care was in Canada (and how some Canadian friends flew to the US for optional procedures), etc.

I am glad that some of the worst elements of the American health care system are getting reined in. I can think of few worse ways to accomplish that goal, and many better ones. People thinking as I do are why the system perpetuated in the form that it did.

I am pessimistic that the system proposed will achieve its broader goals. The Massachusetts model is cumbersome and ineffective. Optimistic ideas about how prices would fall in a regulated market did not come to pass. The likely next step is a government run health system with supplemental insurance available. I expect this will come to pass in 10-20 years. Medicare seems reasonably well run for an American government program.

The Republican failure to push a coherent and principled alternative will haunt them. Going into the next election cycles, 32 million people will have some idea that the Democrats gave them bread and circuses health care. David Frum describes it as a Waterloo. I’m hopeful but not optimistic that the Tea Bagger Party will follow in the tradition of the Know Nothings and just fade away. I used to be hopeful that the Libertarians would split from the Republicans, but they’ve failed to. I would not be surprised to see the Republican minority shrink in 2010 and 2012, and I think some (but not all) of the shrillness I hear is people who fear that outcome is now inevitable.

I do expect that removing the health care impediment to entrepreneurship will be very positive for smaller companies. I wish we’d apply that same thinking to health care, enable people to make choices for themselves, and let the government own the residual risks, as it does today. But no one offered a credible way to un-couple employment and insurance that would let people keep their doctors, short of nationalization.

Anyway, there’s my negative 8 cents on the bill.

Please keep comments civil.

Kids today

A burglar who spent about five hours on a store’s computer after breaking into the business gave police all the clues they needed to track him down. Investigators said the 17-year-old logged into his MySpace account while at Bella Office Furniture and that made it easy for them to find him. He also spent time looking at pornography and trying to sell stolen items, all while using the business’ computer.

From “Cops: Burglar logs into MySpace on store computer.”

The real tragedy? He’s still on MySpace.

Which reminds me of “Viewing American class divisions through Facebook and MySpace .”
I was going to include one of the many Myspace mugshot photos from Flickr where people are trying to get back into their accounts, but decided against it.

Your credit worthiness in 140 Characters or Less

In “Social networking: Your key to easy credit?,” Eric Sandberg writes:

In their quest to identify creditworthy customers, some are tapping into the information you and your friends reveal in the virtual stratosphere. Before calling the privacy police, though, understand how it’s really being used.


To be clear, creditors aren’t accessing the credit reports or scores of those in your social network, nor do those friends affect your personal credit rating. Jewitt asserts that the graphs aren’t being used to penalize borrowers or to find reasons to reject customers, but quite the opposite: “There is an immediate concern that it’s going to affect the ability to get a financial product. But it makes it more likely” that it will work in their favor,” says Jewitt. [vice president of business development of Rapleaf, a San Francisco, Calif., company specializing in social media monitoring.]

I’ll give Jewitt the benefit of the doubt here, and assume he’s sincere. But the issue isn’t will it make it more or less likely to get a loan. The issue is the rate that people will pay. If you think about it from the perspective of a smart banker, they want to segment their loans into slices of more and less likely to pay. The most profitable loans are the ones where people who are really likely to pay them back, but can be convinced that they must pay a higher rate.

The way the banking industry works this is through the emergent phenomenon of credit scores. If banks colluded to ensure you paid a higher rate, it would raise regulatory eyebrows. But since Fair Issac does that, all the bankers know that as your credit score falls, they can charge you more without violating rules against collusion.

Secretive and obscure criteria for differentiating people are a godsend, because most people don’t believe that it matters even when there’s evidence that it does.

Another way to ask this is, “if it’s really likely it will work in my favor, why is it so hard to find details about how it works? Wouldn’t RapLeaf’s customers be telling people about all the extra loans they’re handing out at great rates?”

I look forward to that story emerging.

Head of O’Hare Security says it sucks

In the eight months that I was the head of security under the Andolino administration, the commissioner of the busiest airport of the world, depending on who’s taking the survey, the busiest airport in the world, never once had a meeting with the head of security for the busiest airport in the world. Never once.

Mayor Richard Daley, who appointed the former security boss, says the man is just “disgruntled.”

Daley’s comment is a fascinating confirmation. Maurer, the head of security, ought to be disgruntled if he was completely blocked from getting anything done.

And good for him for speaking out.

Audio at WBEZ and comments (quoted) from Consumerist.

In related news, “TSA told airport to issue badge to convicted robber.”

Free speech for police

david-bratzer.jpgDavid Bratzer is a police officer in Victoria, British Columbia. He’s a member of “Law Enforcement Against Prohibition,” and was going to address a conference this week. There’s a news video at “VicPD Officer Ordered to Stay Quiet.”

In an article in the Huffington Post, “The Muzzling of a Cop” former Seattle Police Chief Norm Stamper writes:

Officer Bratzer was scheduled to address, on his own time, an important “harm reduction” conference in the city this week. His chief stepped in, said no. Why? He didn’t like the message Bratzer was set to deliver. Of course, this decision by the brass has had the effect of shining an even brighter light on the horrific effects of the U.S.-led drug war. That’s good.

A free society requires that all points of view be voiced. Debate requires facts. If the department wants to ban all speech about the laws it enforces, that would be one thing. But I don’t think that’s their position, nor would such a ban be compatible with the Canadian Charter of Rights and Freedoms. But as you can see in the video, Sgt Grant Hamilton is portraying the official position of the Victoria police: that the people it protects are incapable of making distinctions between those in uniform and those in civilian dress. That position isn’t compatible with democratic decision making. What other distinctions do the police worry people can’t make? Isn’t making those choices the job of the legislature?

Please sign the petition to let David Bratzer speak at http://www.leap.cc/freespeech, and consider making a donation in support of their work.

Logging practices

Via a tweet from @WeldPond, I was led to a Daily Mail article which discusses allegations that Facebook founder Mark Zuckerberg “hacked into the accounts of [Harvard] Crimson staff”. Now, I have no idea what happened or didn’t, and I will never have a FB account thanks to my concerns about their approach to privacy, but I was curious about the form of this alleged hacking.

My curiosity was rewarded:

“he allegedly examined a report of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com.

In the instances where they had, Business Insider claimed that Zuckerberg said he tried using those incorrect passwords to access the Crimson members’ Harvard email accounts.”

dailymail.co.uk, 2010-03-06

So, it looks like the allegation is that actual passwords entered for failed logins were routinely logged.

Yuck.