Twitter Weekly Updates for 2011-12-25

Powered by Twitter Tools

Niels Bohr was right about predictions

There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I figured I’d share.

With minor formatting changes, the following is from my email of April, 2010.

Prediction 1

Regulation E style accountholder liability limitation will be extended
to commercial accountholders with assets below some reasonably large
value by 12/31/2010.

Why:  ACH and wire fraud are an increasingly large, and increasingly
public, problem.  Financial institutions will accept regulation in order
to preserve confidence in the on-line channel.

WRONG!

Prediction 2

An episode of "state-sponsored SSL certificate fraud/forgery" will make
the public press.

Why: There is insufficient audit of the root certs that browser vendors
innately trust, making it sufficiently easy for a motivated attacker to
"build insecurity in" by getting his untrustworthy root cert trusted by
default.  The recent Mozilla kerfuffle over CNNIC is a harbinger of
this[1].  Similarly, Chris Soghoian's recent work[2] will increase
awareness of this issue enough to result in a governmental actor who has
done it being exposed.

Right!

But only because for this one I forgot to put in a date (I meant to also say “by 12/31/2010”, which makes this one WRONG! too).

I was motivated to make this post because I once again came across Soghoian’s paper just the other day (I think he cited it in a blog post I was reading). He really nailed it. I predict he’ll do so again in 2012.

The Pre-K underground?

Not my headline, but the New York Times:

Beyond the effort was the challenge of getting different families to work together. When matters as personal as education, values and children are at stake, intense emotions are sure to follow, whether the issue is snacks (organic or not?), paint (machine washable?) or what religious holidays, if any, to acknowledge. Oh, and in many cases, forming a co-op school is illegal, because getting the required permits and passing background checks can be so prohibitively expensive and time-consuming that most co-ops simply don’t. (“The Pre-K Underground”, The New York Times, December 16)

Read the whole thing, and then give some thought to how effectively those policies, combined with the drug war, are de-legitimizing governments, and convincing people that to live their lives involves avoiding government rules. Eventually, even legitimate and necessary functions of government like courts will fall apart.

Think I’m exaggerating?

“There’s a fairly stringent code and byzantine process for getting certified and code-compliant,” said City Councilman Brad Lander, a Democrat from Brooklyn, whose office held a meeting over the summer for any co-ops interested in pooling their resources and securing permits. “Some are genuinely for the safety of kids, and some are more debatable.”

There’s a city councilman driving doubt over the system. What does that do to the legitimacy? What happens to the social contract?

Will the war on co-op kindergartens join the war on drugs?

Twitter Weekly Updates for 2011-12-18


Outrage of the Day: DHS Takes Blog Offline for a year

Imagine if the US government, with no notice or warning, raided a small but popular magazine’s offices over a Thanksgiving weekend, seized the company’s printing presses, and told the world that the magazine was a criminal enterprise with a giant banner on their building. Then imagine that it never arrested anyone, never let a trial happen, and filed everything about the case under seal, not even letting the magazine’s lawyers talk to the judge presiding over the case. And it continued to deny any due process at all for over a year, before finally just handing everything back to the magazine and pretending nothing happened. I expect most people would be outraged. I expect that nearly all of you would say that’s a classic case of prior restraint, a massive First Amendment violation, and exactly the kind of thing that does not, or should not, happen in the United States.

But, in a story that’s been in the making for over a year, and which we’re exposing to the public for the first time now, this is exactly the scenario that has played out over the past year — with the only difference being that, rather than “a printing press” and a “magazine,” the story involved “a domain” and a “blog.”

Read the whole thing at “Breaking News: Feds Falsely Censor Popular Blog For Over A Year, Deny All Due Process, Hide All Details…”

The output of a threat modeling session, or the creature from the bug lagoon

Wendy Nather has continued the twitter conversation which is now a set of blog posts. (My comments are threat modeling and risk assessment, and hers: “That’s not a bug, it’s a creature.”)

I think we agree on most things, but I sense a little semantic disconnect in some things that she says:

The only two real outputs I’ve ever seen from threat modeling are bugs and threat model documents. I’ve seen bugs work far better than documents in almost every case.

I consider the word “bug” to refer to an error or unintended functionality in the existing code, not a potential vulnerability in what is (hopefully) still a theoretical design. So if you’re doing whiteboard threat modeling, the output should be “things not to do going forward.”

As a result, you’re stuck with something to mitigate, probably by putting in extra security controls that you otherwise wouldn’t have needed. I consider this a to-do list, not a bug list.
(“That’s not a bug, it’s a creature.”, Wendy Nather)

I don’t disagree here, but want to take it one step further. I see a list of “things not to do going forward” and a “to-do list” as an excellent start for a set of tests to confirm that those things happen or don’t. So you file bugs, and those bugs get tracked and triaged and ideally closed as resolved or fixed when you have a test that confirms that they ain’t happening. If you want to call this something else, that’s fine: tracking and managing bugs can be too much work. The key to me is that the “things not to do” sink in, and the to-do list gets managed in some good way.

And again, I agree with her points about probability, and her point that it’s lurking in people’s minds is an excellent one, worth repeating:

the conversation with the project manager, business executives, and developers is always, always going to be about probability, even as a subtext. Even if they don’t come out and say, “But who would want to do that?” or “Come on, we’re not a bank or anything,” they’ll be thinking it when they estimate the cost of fixing the bug or putting in the mitigations.

I simply think the more you focus threat modeling on the “what will go wrong” question, the better. Of course, there’s an element of balance: you don’t usually want to be movie plotting or worrying about Chinese spies replacing the hard drive before you worry about the lack of authentication in your network connections.
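One way to make the “file a bug, close it when a test confirms it ain’t happening” loop concrete, as an added example that is not from the original post, Wendy’s post, or any project. The findings, the bug ids and the toy endpoint are constructed for illustration; the one finding given a real test is the “lack of authentication in your network connections” case mentioned above.

```python
"""Turn threat-model output (a "things not to do" / to-do list) into tracked
bugs whose state is driven by a test, not by a document. Constructed example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Finding:
    bug_id: str                      # id in the bug tracker (constructed)
    what_goes_wrong: str             # the "what will go wrong" answer
    mitigation: str                  # the to-do item that addresses it
    test: Optional[Callable[[], bool]] = None   # proves the mitigation holds


# Toy system under test (constructed): an internal endpoint that must
# reject any connection that does not present credentials.
def handle_request(headers: Dict[str, str], authenticated_only: bool = True) -> int:
    """Return an HTTP-style status code for one request to the endpoint."""
    if authenticated_only and headers.get("Authorization") is None:
        return 401
    return 200


def test_unauthenticated_connection_rejected() -> bool:
    """Mitigation check for 'network connections lack authentication'."""
    return (handle_request({}) == 401
            and handle_request({"Authorization": "Bearer token"}) == 200)


def triage(findings: List[Finding]) -> Dict[str, str]:
    """Map each bug id to a tracker state: 'resolved' only when a test exists
    and passes; an untested to-do stays 'open'; a failing test is 'reopened'
    so a regression becomes visible instead of being quietly forgotten."""
    states: Dict[str, str] = {}
    for f in findings:
        if f.test is None:
            states[f.bug_id] = "open"
        elif f.test():
            states[f.bug_id] = "resolved"
        else:
            states[f.bug_id] = "reopened"
    return states


FINDINGS = [
    Finding("TM-1", "Anyone on the network can call the admin endpoint",
            "Require authentication on every connection",
            test=test_unauthenticated_connection_rejected),
    Finding("TM-2", "Secrets end up in application logs",
            "Redact tokens before logging"),   # to-do with no test yet
]

if __name__ == "__main__":
    for bug_id, state in triage(FINDINGS).items():
        print(bug_id, state)
```

Running it reports TM-1 as resolved and TM-2 as open; flipping `authenticated_only` to False in the endpoint makes TM-1 reopen, which is the regression signal the to-do list alone never gives you.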

“Can copyright help privacy?”

There are semi-regular suggestions to allow people to copyright facts about themselves as a way to fix privacy problems. At Prawfsblog, Brooklyn Law School Associate Professor Derek Bambauer responds in “Copyright and your face.”

Key quote:

One proposal raised was to provide people with copyright in their faceprints or facial features. This idea has two demerits: it is unconstitutional, and it is insane. Otherwise, it seems fine.

As an aside, Bambauer is incorrect. The idea has a third important problem, which he also points out in his post: “It’s also stupid.”

Read the whole thing here.

Twitter Weekly Updates for 2011-12-11

  • RT @daveaitel Tests Show Most Store Honey Isn't Honey http://t.co/2oI3O6RK << Will anyone go to jail for fraud?
  • RT @jdp23 Look at the list of the FTC complaints — huge issues. And basically no consequences to FB. So why should they change? #privchat
  • RT @threatpost $56 Billion Later and Airport #Security Is Still Junk – http://t.co/mUtNiMc7 – via @wired << a touching story!
  • White House unveils cybersec strategy incl "Inducing Change", "Developing Science Foundations" http://t.co/UN1usMVf (Could be New School-y)
  • New White House cybersec strategy "Inducing Change", "Developing Science Foundations" seems fairly New School http://t.co/TIIYNVok
  • New blog "Podtrac.com and listener privacy" http://t.co/KAZTGtg7
  • "In Major Gaffe, Obama Forgets To Dumb It Down" http://t.co/bINRJom1
  • This shows the success of our current "information sharing" "infrastructures": Data gathering for ssh attacks: http://t.co/nHe0hICE
  • MT @alexhutton I'll be on a webinar w/ @joshcorman in a 1/2 hour. It will only be fun if you join us http://t.co/mGUFOvMN
  • RT @nickm_tor The key idea from our field that we need most to export to other system designers is not IMO anonymity but unlinkability.
  • RT @alexhutton Best security/risk job description I've ever seen: http://t.co/yfRg0UX1 << this link is dangerous! (Dangerously New School.)
  • RT @_nomap Proud to announce that I'm officially a PhD. Now looking forward to new challenges! << Congratulations!
  • RT @techdirt Breaking News: Feds Falsely Censor Popular Blog For Over A Year, Deny All Due Process, Hide All Details.. http://t.co/SCJvhGAT
  • RT @marciahofmann Join me in fighting for the users! Become an @EFF member today and your donation will get a 4x match http://t.co/ISaGGamW
  • New blog: Outrage of the Day: Police Violence http://t.co/KJPoubWA
  • MT @josephmenn Very good books from many perspectives: Important 2011 Tech Policy & Law Books http://t.co/u5g41hF8 < Nothing new in infosec?
  • For bloggers – "Conbis" is stealing New School & other blog content. Their "about us" is Lorem Ipsum. http://t.co/SvYlU5f4
  • RT @ehasbrouck I'd rather pay for Twitter than pay w/wasted time, distracting features that earn them $, & have them monetize info about me
  • New blog: "Threat Modeling & Risk Assessment" follows up on conversation with @451wendy http://t.co/iFCRCJW3
  • Wow. IEEE won't even give me a citation without an account. http://t.co/l8AKCBEx Why do people let IEEE lock up their work?
