Mr. Bureaucrat, Please Report to Room 101



As I’ve said before, all non-trivial privacy warnings are mocked and then come true.

Sixty years ago today, George Orwell published 1984. He unfortunately failed to include a note that the book was intended as a warning, not a manual.

Today, in England, there are an unknown number of surveillance cameras, including many around Orwell’s house, despite the fact that they don’t reduce crime. People can be detained for 28 days without charge, and there are “anti-social behaviour orders,” which allow a civil court to impose behavioral restrictions on children as young as 10 based on somewhat relaxed standards of evidence.

Being modern, the UK has outsourced most of its torture to other less reputable nations like Syria and the United States.

Photo: MI5

Would Anne Fadiman buy a Kindle?

Anne Fadiman

If you like books, if you like to read, you need a copy of Anne Fadiman’s “Ex Libris: Confessions of a Common Reader.” You especially need to read it if you care an iota about identity management, because the major themes in her essays are not only about books, but about identity. (In case you’re wondering, yes, she’s the daughter of Clifton and Annalee.)

The first major theme is about mixing books in a relationship. She opens Ex Libris with:

A few months ago, my husband and I decided to mix our books together. We had known each other for ten years, lived together for six, been married for five….

Sharing a bed and future was child’s play compared to sharing my copy of The Complete Poems of W. B. Yeats, from which I had once read “Under Ben Bulben” aloud while standing at Yeats’s grave in Drumcliff churchyard, or George’s copy of T. S. Eliot’s Selected Poems, given to him in the ninth grade by his best friend, Rob Farnsworth, who inscribed it “Best Wishes from Gerry Cheevers….”

George is a lumper. I am a splitter. His books commingled democratically, united under the all-inclusive flag of Literature…. Mine were balkanized by nationality and subject matter….

If you are charmed, you must buy this book. I’ve omitted some of the funniest lines. If you doubt me, check Amazon, as these pages are included in their peek inside.

The other important theme in her book is the difference between people who think that books are objects and people who think that books are information. People who think that books are objects shudder at the thought of writing in them, dogearing page corners, etc. I’m sure you can guess where George and Anne lie.

I am especially amused by this because I, too, have had the problem of commingling libraries. I’ve been divorced, and dividing the library was a horror. The horror; nothing else was that hard. It was such a horror that I flipped from being someone who views books as objects to one who views them as information.

Books can be replaced. Really. I’ve done it. The archaeologists of future civilizations will not sigh in a lament because they’re missing the one issue of National Geographic or Cook’s Illustrated that you threw out. Truly. Trust me on that.

My last spouse, however, is someone who firmly believes that books are objects. I understand some of this. She collects antique children’s books. I have a first edition of The Hunting of the Snark (a possession that I can blame Ms. Fadiman’s father for, with Martin Gardner as an accessory before, during, and after the fact). Yet that admission also proves that I’m not that sort of person. My present condition of loving information rather than objects is some sort of Laingian adaptation, I suppose. I understand books just the way that Thomas Mendip understands names.

She lusts after a Kindle. Not Ms. Fadiman, my spouse. It’s something I find amusing, because I’m inclined to get her one because the savings in floor space alone amortizes its value out in the first month. In California, floor space is a valuable asset if you’re a bibliophile. She is someone who screams, “Nooooooooooo!” if I suggest that we get rid of a crap novel we agree is crap and yet she is willing to convert from paper you own to bits on loan. Even if our house is Alexandria, future generations would thank their ancestors for the culling if they only knew, of course, which they couldn’t. Nonetheless, she desires a Kindle.

Worse, a friend brought one into work today, and I’d like one, too. I’ve downloaded the Kindle app to my iPod. The problem that remains is the problem I complained about in Identity Manglement last fall. What account should we buy the books under?

An elegant part of the Kindle is that if you have more than one, they sync their books, and even the bookmarks. If you have the iPod app, that syncs, too. It’s brilliant.

I have friends who are already a multi-Kindle household. The system works well, but you can’t have two accounts pointing to one Kindle if you want to share books. There are ways, I am told, to work around this limitation, but I don’t want to work around it. I don’t want to soak the books in a digital solvent that removes the stickiness. I just want to be able to read a book she bought, as if it were a — you know, book.

When it came to music, I had the foresight to create an account that we collectively buy music with: eMusic and iTunes, both under the one identity. The community property we own can distribute itself over our laptops and iPods.

But we’ve been buying books from Amazon for ages, each of us. There’s no real problem with taking that email address and giving it to the Kindles, but I don’t want to. I want Amazon to understand that there are households where, after a lot of thought, after years of agonizing, the books have been merged. They should do that for Kindles, too.

It’s easy enough to do. Please do it. I wonder what Anne Fadiman would do.

Applied Security Visualization

Our publisher sent me a copy of Raffael Marty‘s Applied Security Visualization. This book is absolutely worth getting if you’re designing information visualizations. The first and third chapters are a great short intro into how to construct information visualization, and by themselves are probably worth the price of the book. They’re useful far beyond security. The chapter I didn’t like was the one on insiders, which I’ll discuss in detail further in the review.

In the intro, the author accurately scopes the book to operational security visualization. The book is deeply applied: there’s a tremendous number of graphs and the data which underlies them. Marty also lays out the challenge that most people know about either visualization or security, and sets out to introduce each to the other. In the New School of Information Security, Andrew and I talk about these sorts of dichotomies and the need to overcome them, and so I really liked how Marty called it out explicitly. One of the challenges of the book is that the first few chapters flip between their audiences. As long as readers understand that they’re building foundations, it’s not bad. For example, security folks can skim chapter 2, visualization people chapter 3.

Chapter 1, Visualization, covers the whats and whys of visualization, and then delves into some of the theory underlying how to visualize. The only thing I’d change in chapter 1 is a more explicit mention of Tufte’s small multiples idea. Chapter 2, Data Sources, lays out many of the types of data you might visualize. There’s quite a bit of “run this command” and “this is what the output looks like,” which will be more useful to visualization people than to security people. Chapter 3, Visually Representing Data, covers the many types of graphs, their properties and when they’re appropriate. He goes from pie and bar charts to link graphs, maps and tree maps, and closes with a good section on choosing the right graph. I was a little surprised to see figure 3-12 be a little heavy on the data ink (a concept that Marty discusses in chapter 1) and I’m confused by the box for DNS traffic in figure 3-13. It seems that the median and average are both below the minimum size of the packets. These are really nits; it’s a very good chapter. I wish more of the people who designed the interfaces I use regularly had read it. Chapter 4, From Data to Graphs, covers exactly that: how to take data and get a graph from it. The chapter lays out six steps:

  1. Define the problem
  2. Assess Available Data (I’ll come back to this)
  3. Process Information
  4. Visual Transformation
  5. View Transformation
  6. Interpret and Decide

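To make the six steps concrete, here is an added example (my own code, not anything from Marty’s book, AfterGlow, or the Live CD) that walks a handful of constructed iptables-style firewall log lines through the pipeline: parse the raw lines into records (step 3), collapse them into weighted source-to-destination edges for a link graph (step 4), trim the graph to the heaviest edges so it stays readable (step 5), and emit Graphviz DOT for the analyst to look at and act on (step 6). The log format, the sample addresses, and the choice of DOT as the output are all assumptions for the sake of the example; a malformed line is included to show that the processing step has to cope with junk rather than crash on it.

```python
"""
Added example of the six-step data-to-graph pipeline (define problem,
assess data, process, visual transformation, view transformation,
interpret). Not code from Applied Security Visualization or AfterGlow.
Assumptions (hypothetical): iptables-style syslog lines carrying an
ACCEPT/DROP prefix, and a Graphviz DOT link graph as the output.
"""
import re
from collections import Counter

# Step 2 (assess available data): constructed sample lines, not real logs.
SAMPLE_LOG = """\
Jun  8 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Jun  8 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22
Jun  8 10:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=51236 DPT=22
Jun  8 10:01:05 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443
Jun  8 10:01:06 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443
Jun  8 10:01:07 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=53
Jun  8 10:01:08 fw kernel: this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP)\s+IN=\S*\s+SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r"\s+PROTO=(?P<proto>\w+)(?:\s+SPT=\d+)?\s+DPT=(?P<dport>\d+)"
)


def parse_lines(text):
    """Step 3 (process information): raw lines -> records; junk is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def aggregate_edges(records, action="DROP"):
    """Step 4 (visual transformation): collapse records into weighted
    src -> dst:port/proto edges, which is the data model of a link graph."""
    edges = Counter()
    for r in records:
        if r["action"] == action:
            edges[(r["src"], f'{r["dst"]}:{r["dport"]}/{r["proto"]}')] += 1
    return edges


def top_edges(edges, n):
    """Step 5 (view transformation): keep only the n heaviest edges so the
    picture stays readable; ties are broken by name so output is stable."""
    return sorted(edges.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def to_dot(edges):
    """Emit Graphviz DOT, with penwidth scaled by count so heavy edges stand out."""
    if not edges:
        return "digraph fw {\n}\n"
    heaviest = max(count for _, count in edges)
    lines = ["digraph fw {", "  rankdir=LR;"]
    for (src, dst), count in edges:
        width = 1 + 3 * count / heaviest
        lines.append(f'  "{src}" -> "{dst}" [label="{count}", penwidth={width:.1f}];')
    lines.append("}")
    return "\n".join(lines) + "\n"


def dropped_link_graph(text, n=10):
    """Steps 1 and 6 bracket the pipeline: the question is 'who is being
    blocked from what, and how hard are they trying?', and the returned DOT
    is what the analyst reads to decide whether that source needs attention."""
    return to_dot(top_edges(aggregate_edges(parse_lines(text)), n))


if __name__ == "__main__":
    print(dropped_link_graph(SAMPLE_LOG))
```

Piping the printed DOT into `dot -Tpng` gives the link graph; switching `action` to `"ACCEPT"` answers a different question from the same records, which is the point of keeping the problem definition (step 1) separate from the parsing.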
There’s also a list of tools for processing data, and some comparisons. Chapter 5, Visual Security Analysis, covers reporting, historical analysis and real time analysis. He explains the difference, when you use each, and what tools to use for each. Chapter 6, Perimeter Threat, covers visualization of traffic flows, firewalls, intrusion detection signature tuning, wireless, email and vulnerability data. Chapter 7, Compliance, covers auditing, business process management, and risk management. Marty makes the assumption that you have a mature risk management process which produces numbers he can graph. I don’t suppose that this book should go into a long digression on risk management, but I question the somewhat breezy assumption that you’ll have numbers for risks.

I had two major problems with chapter 8, Insider Threat. The first is claims like “fewer than half (according to various studies) of various studies involve sophisticated technical means” (pg 387) and “Studies have found that a majority of subjects who stole information…” (pg 390). None of these studies are referenced or footnoted, and this in a book that footnotes a URL for sendmail. I believe those claims are wrong. Similarly, there’s a bizarre assertion that insider threats are new (pg 373). I’ve been able to track down references to claims that 70% of security incidents come from insiders back to the early 1970s. My second problem is that, having mis-characterized the problem, Marty presents a set of approaches which will send IT security scurrying around chasing chimeras such as “printing files with resume in the name.” (This is because a study claims that many insiders who commit information theft are looking for a new job. At least that study is cited.) I think the book would have been much stronger without this chapter, and suggest that you skip it or use it with a strongly questioning bias.

Chapter 9, Data Visualization Tools, is a guided tour of file formats, free tools, open source libraries, and online and commercial tools. It’s a great overview of the strengths and weaknesses of tools out there, and will save anyone a lot of time in finding a tool to meet various needs. The Live CD, Data Analysis and Visualization Linux, can be booted on almost any computer and used to experiment with the tools described in chapter 9. I haven’t played with it yet, and so can’t review it.

I would have liked at least a nod to the value of comparative and baseline data from other organizations. I can see that that’s a little philosophical for this book, but the reality is that security won’t become a mature discipline until we share data. Some of the compliance and risk visualizations could be made much stronger by drawing on data from organizations like the Open Security Foundation’s DataLossDB or the Verizon Data Breach Investigations Report.

Even in light of the criticism I’ve laid out, I learned a lot reading this book. I even wish that Marty had taken the time to look at non-operational concerns, like software development. I can see myself pulling this off the shelf again and again for chapters 3 and 4. This is a worthwhile book for anyone involved in Applied Security Visualization, and perhaps even anyone involved in other forms of technical visualization.

Congratulations to Raffy!

His book, Applied Security Visualization, is now out:

Last Tuesday when I arrived at BlackHat, I walked straight up to the book store. And there it was! I held it in my hands for the first time. I have to say, it was a really emotional moment. Seeing the product of 1.5 years of work was just amazing. I am really happy with how the book turned out. The color insert in the middle is a real eye-catcher for people flipping through the book and it greatly helps make some of the graphs more interpretable.

I’m really excited, and look forward to reading it!

Solove’s Understanding Privacy

Dan Solove sent me a review copy of his new book, “Understanding Privacy.” If you work in privacy or data protection either from a technology or policy perspective, you need to read this book and understand Solove’s approach. That’s not to say it’s perfect or complete, but I think it’s an important intellectual step forward, and perhaps a practical one as well.

I’m going to walk through the chapters, and then bring up some of my responses and the reasons I’m being guarded.

Chapter 1 is “Privacy: A Concept in Disarray.” It lays out how broad and complex a topic privacy is, and some of the struggles that people have in defining and approaching it as a legal or social science concept. Chapter 2, “Theories of Privacy and Their Shortcomings,” lays out, as the title implies, prior theories of privacy. Having thus set the stage, chapter 3, “Reconstructing Privacy,” is where the book transitions from a review of what’s come before to new analysis. Solove uses Wittgenstein’s concept of ‘family resemblances’ as a way of approaching the ways people use the word. Privacy (as I’ve commented) has many meanings. You can’t simplify it into, say, identity theft. Solove uses family resemblances to say that they’re all related, even if they have very different personalities. Chapter 4, “The Value of Privacy,” points out that one of the reasons we’re losing privacy is that it’s often portrayed as an individual right, based on hiding something. In policy fights, society tends to trump individualism. (Which is one reason the Bill of Rights in the US protects the individual.) Rather than calling for better protection of the individual, this chapter explores the many social values which privacy supports, bringing it closer to equal footing, and providing a policy basis for the defense and enhancement of privacy because it makes us all better off.

Chapter 5, “A Taxonomy of Privacy” is the core of the book. The taxonomy is rich. Solove devotes seventy pages to expounding on the harms done in not respecting privacy, and discussing a balance between societal interests of privacy and the reason for the invasion. In brief, the taxonomy is currently:

  1. Information collection: Surveillance, Interrogation
  2. Information Processing: Aggregation, Identification, Insecurity, Secondary Use, Exclusion
  3. Information Dissemination: Breach of confidentiality, Disclosure, Exposure, Increased Accessibility, Blackmail, Appropriation, Distortion
  4. Invasion: Intrusion, Decisional Interference.

I’ve tried to apply this taxonomy to issues. For example, when I wrote “Call Centers Will Get More Annoying,” I used the taxonomy, although not the words. There’s surveillance, secondary use, increased accessibility and (what feels like a form of) intrusion. What the taxonomy doesn’t do is capture or predict my outrage. I think that that’s an important weakness, but it may well be asking too much. Solove’s goals of a societal balance don’t admit my outrage as a key factor. They can’t. Outrage is too individual.

I’m also concerned that perhaps this isn’t a taxonomy. If you read the old posts in my taxonomies category, you’ll see that I spent a bunch of time digging fairly deeply into what taxonomies are, how they come about, how they’re used and abused. I don’t think that Solove’s taxonomy really fits into the core of a taxonomy: a deterministic way to classify things which we find, which various practitioners can reliably use. As in my example of the call centers, the flaws are legion, and some of my classification may be wrong.

At Microsoft, we use STRIDE as a “taxonomy” of security issues (STRIDE is Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege). I think, as a taxonomy, STRIDE is lousy. If you know about an issue, it’s hard to classify using STRIDE. The categories overlap. On the other hand, it’s very useful as an evocation of issues that you might worry about, and the same may be said of Solove’s taxonomy. I also don’t have a superior replacement on hand, and so I use it and teach it. Taxonomy-ness is not next to godliness.

My other issue with Solove’s taxonomy is that it doesn’t recognize the issuance of identifiers, in and of itself, as a privacy issue. I believe that, even before the abuses start, there are foreseeable issues that arise from issuing identification numbers to people, like the Social Security Number. The act of enumeration was clearly seen as an invasion by the Englishmen who named the Domesday Book. The ability of the US government to even take a census is tied directly to the specified purpose of allocating legislative seats. I see it as self-evident, and haven’t been able to find the arguments to convince Solove. (Solove and I have discussed this in email now and then; I haven’t convinced him that identifiers are, per se, a privacy harm.)

Chapter 6, “Privacy: A New Understanding,” closes the book with a summation and a brief discussion of the future.

The book has a strong policy focus. I am very interested in understanding how this new understanding intersects both broad laws and legal principles (such as the Fair Information Practices) and specific law (for example, HIPAA). The FIPs, the OECD privacy guidelines, and Canada’s PIPEDA all show up in the discussion of secondary use. I’m also interested in knowing if an organization could practically adopt it as a basis for building products and services with good privacy. I think there’s very interesting follow-on work in both of these areas for someone to pick up.

I also worry that privacy as an individual right is important. Even though Solove makes a convincing case that that’s a weaker policy basis than the one he lays out, that doesn’t mean it’s not to be cherished as a social value, and I feel that the view of privacy which Solove presents is weaker to the extent that it fails to embrace this.

In closing, there are three major elements to the book: the first is to take us past the definitional games of “what is privacy.” The second is a serious attempt to address the “what do you have to hide” approach to privacy. The third is the taxonomy. Two of these would have been a pretty good book. Three are impressive, even as I disagree with parts of it. Again, this is an important book and worth reading if you work in or around privacy.

How much work is writing a book?

There’s a great (long) post, “What is it like to write a technical book?”, by Baron Schwartz, the lead author of “High Performance MySQL.” There’s a lot of great content about the process, but I wanted to respond to this one bit:

I can’t tell you how many times I asked people at O’Reilly to help me understand what would be involved in writing this book. (This is why I’m writing this for you now — in case no one will tell you, either). You would have thought these folks had never helped anyone write a book and had no idea themselves what it entailed. As a result, I had no way to know what was realistic, and of course the schedule was a death march. The deadlines slipped, and slipped and slipped. To November, then December, then February — and ultimately far beyond. Each time the editor told me he thought we were on track to make the schedule. Remember, I didn’t know whether to believe this or not. The amount of work involved shocked me time after time — I thought I saw the light at the end of the tunnel and then discovered it was much farther away than I thought.

I think this is somewhat unfair to the O’Reilly folks, and wanted to comment. Baron obviously put a huge amount of effort into the work, but O’Reilly has no way of knowing that will happen. They run a gamut in second editions from “update the references and commands to the latest revision of the software” to “complete re-write.” Both are legitimate ways to approach it. It could take three months, it could take a few years. O’Reilly can’t know in advance. (Our publisher has told me horror stories about books and what it’s taken to get them out.)

So O’Reilly probably figures that there’s a law of diminishing returns, and pushes an insane schedule as a way of forcing their authors to write what matters and ignore the rest.

So it’s not like a baby that’s gonna take 9 months.


Andrew and I opened the New School of Information Security with a quote from Mark Twain which I think is very relevant: “I didn’t have time to write you a short letter, so I wrote you a long one instead.”

We took our time to write a short book, and Jessica and Karen at Addison-Wesley were great. We went through 2 job changes, a cross-country move, and a whole lot of other stuff in the process. Because we were not technology specific, we had the luxury of time until about December 1st, when Jessica said “hey, if you guys want to be ready for RSA, we need to finish.” From there, it was a little crazy, although not so crazy that we couldn’t hit the deadlines. The biggest pain was our copy-edit. We’d taken the time to copy-edit, and there were too many changes to review them all. If we’d had more time, I would have pushed back and said “reject all, and do it again.”

So there’s no way a publisher can know how long a book will take a new set of authors, because a great deal of the work that Baron Schwartz and co-authors did was their choice.

Bush’s Law — Less Safe, Less Free

I’d like to review two recent books on the war on terror: “Bush’s Law: The Remaking of American Justice” by Eric Lichtblau, and “Less Safe, Less Free: Why America Is Losing the War on Terror” by David Cole and Jules Lobel. Both are well written assaults on the way in which the Bush administration is conducting itself, although each takes a tack aligned with the authors’ background and history. Lichtblau is a reporter, currently for the New York Times, and Cole and Lobel are law professors.

Bush’s Law is an extended view into some of the major stories that Lichtblau has covered. Included are the NSA’s warrantless wiretapping, the SWIFT following of the money, and the Comey/Ashcroft hospital story. Even as someone who follows these stories fairly closely, I still learned quite a bit: some new, some not previously reported, and all better organized and more readable than in the newspaper. The theme that emerges from Bush’s Law is one of secrecy, and the conflict which a free society faces when repeatedly begged to ‘trust us’ by an administration which seems to not understand how its actions undermine trust.

The undermining of trust is also a major theme of Less Safe, Less Free. Before getting into the meat of the book, let me say that this is law professor writing at its best. It’s clear and compelling, and the notes are at the end. They lay out a strong case that the Bush administration’s concept of how to engage with the world is, at its core, preventative rather than reactive. In theory, this seems like a great plan. In practice, Cole and Lobel show how it inevitably undermines the concepts of justice on which our society is founded, as well as our reputation with the rest of the world. That is, it is not merely a practical failure; it was inevitably going to be a practical failure. Predictions are hard, especially about the future. Reasonable people may disagree on the reasonableness of a preventative action. The difficulty of reaching proof “beyond a reasonable doubt” about what would have happened undermines the legitimacy of claims about the future.

The essence of their argument is that prevention, be it preventative war, such as in Iraq, or preventative law enforcement, such as with the justice, always requires the showing of evidence. You can’t simply detain someone because they might in the future commit a crime. In a court, no single body acts as judge, jury and executioner. Each party gets their day in court, with an opportunity to examine the evidence against them. These things are impossible in the preventative paradigm. Not only are sources and methods secret (sometimes with good reason), but the evidence is often lacking. In the case of war, the court is that of public opinion in many places. They also show a plethora of historical cases where preventative war went horribly wrong, and relate preventative war to a set of regimes with which no reasonable person wants to be associated.

The core reason which we demand that justice be reactive, or, at its fastest, at the instant of a crime, is that we rightfully fear the powers we invest in our government. It is a mighty and fearsome machine which can crush anything in its path. When it is allowed to do so, we are all less safe, and less free.

Two asides: I paid for both books, and I love the endnote styling of page number, excerpt, note used in Bush’s Law.

Good problems to have

You don’t have much credibility looking for a publisher for a book on rum when you’re sailing in the Caribbean drinking the best rums you can find in the name of research. Most people just didn’t take me seriously that there was even a need for a book on rum. It took quite a while to get things rolling.

See the Ministry of Rum FAQ.