For your holiday amusement:
For your holiday amusement:
Powered by Twitter Tools
There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I figured I’d share.
With minor formatting changes, the following is from my email of April, 2010.
Regulation E style accountholder liability limitation will be extended to commercial accountholders with assets below some reasonably large value by 12/31/2010. Why: ACH and wire fraud are an increasingly large, and increasingly public, problem. Financial institutions will accept regulation in order to preserve confidence in on-line channel.
An episode of "state-sponsored SSL certificate fraud/forgery" will make the public press. Why: There is insufficient audit of the root certs that browser vendors innately trust, making it sufficiently easy for a motivated attacker to "build insecurity in" by getting his untrustworthy root cert trusted by default. The recent Mozilla kerfuffle over CNNIC is an harbinger of this. Similarly, Chris Soghoian's recent work will increase awareness of this issue enough to result in a governmental actor who has done it being exposed.
But only because for this one I forgot to put in a date (I meant to also say “by 12/31/2010”, which makes this one
I was motivated to make this post because I once again came across Soghoian’s paper just the other day (I think he cited it in a blog post I was reading). He really nailed it. I predict he’ll do so again in 2012.
Not my headline, but the New York Times:
Beyond the effort was the challenge of getting different families to work together. When matters as personal as education, values and children are at stake, intense emotions are sure to follow, whether the issue is snacks (organic or not?), paint (machine washable?) or what religious holidays, if any, to acknowledge. Oh, and in many cases, forming a co-op school is illegal, because getting the required permits and passing background checks can be so prohibitively expensive and time-consuming that most co-ops simply don’t. (“The Pre-K Underground“, The New York Times, December 16)
Read the whole thing, and then give some thought to how effectively those policies, combined with the drug war, are de-legitimizing governments, and convincing people that to live their lives involves avoiding government rules. Eventually, even legitimate and necessary functions of government like courts will fall apart.
Think I’m exaggerating?
“There’s a fairly stringent code and byzantine process for getting certified and code-compliant,” said City Councilman Brad Lander, a Democrat from Brooklyn, whose office held a meeting over the summer for any co-ops interested in pooling their resources and securing permits. “Some are genuinely for the safety of kids, and some are more debatable.”
There’s a city councilman driving doubt over the system. What does that do to the legitimacy? What happens to the social contract?
Will the war on coop kindergardens join the war on drugs?
Powered by Twitter Tools
Imagine if the US government, with no notice or warning, raided a small but popular magazine’s offices over a Thanksgiving weekend, seized the company’s printing presses, and told the world that the magazine was a criminal enterprise with a giant banner on their building. Then imagine that it never arrested anyone, never let a trial happen, and filed everything about the case under seal, not even letting the magazine’s lawyers talk to the judge presiding over the case. And it continued to deny any due process at all for over a year, before finally just handing everything back to the magazine and pretending nothing happened. I expect most people would be outraged. I expect that nearly all of you would say that’s a classic case of prior restraint, a massive First Amendment violation, and exactly the kind of thing that does not, or should not, happen in the United States.
But, in a story that’s been in the making for over a year, and which we’re exposing to the public for the first time now, this is exactly the scenario that has played out over the past year — with the only difference being that, rather than “a printing press” and a “magazine,” the story involved “a domain” and a “blog.”
Read the whole thing at “Breaking News: Feds Falsely Censor Popular Blog For Over A Year, Deny All Due Process, Hide All Details…“
I think we agree on most things, but I sense a little semantic disconnect in some things that he says:
The only two real outputs I’ve ever seen from threat modeling are bugs and threat model documents. I’ve seen bugs work far better than documents in almost every case.
I consider the word “bug” to refer to an error or unintended functionality in the existing code, not a potential vulnerability in what is (hopefully) still a theoretical design. So if you’re doing whiteboard threat modeling, the output should be “things not to do going forward.”
As a result, you’re stuck with something to mitigate, probably by putting in extra security controls that you otherwise wouldn’t have needed. I consider this a to-do list, not a bug list.
(“That’s not a bug, it’s a creature. “, Wendy Nather)
I don’t disagree here, but want to take it one step further. I see a list of “things not to do going forward” and a “todo list” as an excellent start for a set of tests to confirm that those things happen or don’t. So you file bugs, and those bugs get tracked and triaged and ideally closed as resolved or fixed when you have a test that confirms that they ain’t happening. If you want to call this something else, that’s fine–tracking and managing bugs can be too much work. The key to me is that the “things not to do” sink in, and to to-do list gets managed in some good way.
And again, I agree with her points about probability, and her point that it’s lurking in people’s minds is an excellent one, worth repeating:
the conversation with the project manager, business executives, and developers is always, always going to be about probability, even as a subtext. Even if they don’t come out and say, “But who would want to do that?” or “Come on, we’re not a bank or anything,” they’ll be thinking it when they estimate the cost of fixing the bug or putting in the mitigations.
I simply think the more you focus threat modeling on the “what will go wrong” question, the better. Of course, there’s an element of balance: you don’t usually want to be movie plotting or worrying about Chinese spies replacing the hard drive before you worry about the lack of authentication in your network connections.
There are semi-regular suggestions to allow people to copyright facts about themselves as a way to fix privacy problems. At Prawfsblog, Brooklyn Law School Associate Professor Derek Bambauer responds in “Copyright and your face.”
One proposal raised was to provide people with copyright in their faceprints or facial features. This idea has two demerits: it is unconstitutional, and it is insane. Otherwise, it seems fine.
As an aside, Bambauer is incorrect. The idea has a third important problem, which he also points out in his post: “It’s also stupid.”
Read the whole thing here.
Powered by Twitter Tools
Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully.
So first, what was said:
(Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability too.
(me) Thanks! I’m not advocating against risk, but asking when. Do you evaluate bugs 2x? Once in threat model & once in bug triage?
(Wendy) Yes, because I see TM as being important in design, when the bugs haven’t been written in yet. 🙂
I think Wendy and I are in agreement that threat modeling should happen early, and that probability is important. My issue is that I think issues discovered by threat modeling are, in reality, dealt with by only a few of Gunnar’s top 5 influencers.
I think there are two good reasons to consider threat modeling as an activity that produces a bug list, rather than a prioritized list. First is that bugs are a great exit point for the activity, and second, bugs are going to get triaged again anyway.
First, bugs are a great end point. An important part of my perspective on threat modeling is that it works best when there’s a clear entry and exit point, that is, when developers know when the threat modeling activity is done. (Window Snyder, who knows a thing or two about threat modeling, raised this as the first thing that needed fixing when I took my job at Microsoft to improve threat modeling.) Developers are familiar with bugs. If you end a strange activity, such as threat modeling, with a familiar one, such as filing bugs, developers feel empowered to take a next step. They know what they need to do next.
And that’s my second point: developers and development organizations triage bugs. Any good development organization has a way to deal with bugs. The only two real outputs I’ve ever seen from threat modeling are bugs and threat model documents. I’ve seen bugs work far better than documents in almost every case.
So if you expect that bugs will work better then you’re left with the important question that Wendy is raising: when do you consider probability? That’s going to happen in bug triage anyway, so why bother including it in threat modeling? You might prune the list and avoid entering silly bugs. That’s a win. But if you capture your risk assessment process and expertise within threat modeling, then what happens in bug triage? Will the security expert be in the room? Do you have a process for comparing security priority to other priorities? (At Microsoft, we use security bug bars for this, and a sample is here.)
My concern, and the reason I got into a back and forth, is I suspect that putting risk assessment into threat modeling keeps organizations from ensuring that expertise is in bug triage, and that’s risky.
(As usual, these opinions are mine, and may differ from those of my employer.)
[Updated to correct editing issues.]
When the LAPD finally began arresting those of us interlocked around the symbolic tent, we were all ordered by the LAPD to unlink from each other (in order to facilitate the arrests). Each seated, nonviolent protester beside me who refused to cooperate by unlinking his arms had the following done to him: an LAPD officer would forcibly extend the protestor’s legs, grab his left foot, twist it all the way around and then stomp his boot on the insole, pinning the protestor’s left foot to the pavement, twisted backwards. Then the LAPD officer would grab the protestor’s right foot and twist it all the way the other direction until the non-violent protestor, in incredible agony, would shriek in pain and unlink from his neighbor.
It was horrible to watch, and apparently designed to terrorize the rest of us. At least I was sufficiently terrorized. I unlinked my arms voluntarily and informed the LAPD officers that I would go peacefully and cooperatively. I stood as instructed, and then I had my arms wrenched behind my back, and an officer hyperextended my wrists into my inner arms. It was super violent, it hurt really really bad, and he was doing it on purpose. When I involuntarily recoiled from the pain, the LAPD officer threw me face-first to the pavement. He had my hands behind my back, so I landed right on my face. The officer dropped with his knee on my back and ground my face into the pavement. It really, really hurt and my face started bleeding and I was very scared. I begged for mercy and I promised that I was honestly not resisting and would not resist.
It turns out that it’s very hard to subscribe to many podcasts without talking to Podtrac.com servers. (Technical details in the full post, below.) So I took a look at their privacy statement:
Podtrac provides free services to podcasters whereby Podtrac gathers data specific to individual podcasts (e.g. audience survey data, content ratings, measurement data, etc). This podcast data is not considered personally identifiable information and may be shared by Podtrac with member advertisers. (“Podtrac Client Privacy Statement,” undated, unversioned.)
It’s not clear to me who doesn’t consider what they collect to be personal data, because the passive voice is annoyingly used. So I’ll ask: precisely what data is collected? And under what set of laws or even perspectives is the data they’re collecting is not considered personally identifiable? For example, are they collecting IP addresses, which I understand are PII in the EU?
Enquiring minds with privacy officials might want to ask those officials.
Powered by Twitter Tools
It’s a bit of a Christmas tradition here at Emergent Chaos to keep you informed about the Gävle Goat. Ok, technically, our traditions seem hit and miss, but whaddaya want from a site with Chaos in the name? You want precision, read a project management blog. Project management blogs probably set calendar reminders to kick off a plan with defined stakeholders, success metrics and milestones to ensure high quality blog posts. Us, we sometimes randomly remember.
But, but! This year, we actually have a plan with 8×10 color gannt charts with circles and arrows explaining how to set up a market to predict when the goat would burn.
We even have prizes.
Unfortunately, chaos (and flames) emerged, and the goat was burned before we set up the market.
You can read the full story of “Sweden’s Christmas goat succumbs to flames.”