Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current.

Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned a great deal about what happens when you’re pitched while I was at a large company, and I can vouch for the realities he puts forth. The sooner you understand those realities and incorporate them into your thinking, the more successful we’ll all be.

After meeting with dozens of startups at Black Hat a few weeks ago, I’ve realized that the vast majority of the leaders of these new companies struggle to articulate the value their solutions bring to the enterprise.

Why does John’s advice make us all more successful? Because each organization that follows it moves towards a more efficient state, for themselves and for the folks who they’re pitching.

Getting more efficient means you waste less time per prospect. When you focus on qualified leads who care about the problem you’re working on, you get more sales per unit of time. What’s more, by not wasting the time of those who won’t buy, you free up their time for talking to those who might have something to provide them. (One banker I know said “I could hire someone full-time to reject startup pitches.” Think about what that means for your sales cycle for a moment.)

Go read “An Open Letter to Security Vendors” along with part 2 (why sales takes longer) and part 3 (the technology challenges most startups ignore).

What’s Copyright, Doc?

I blogged yesterday about all the new works that have entered the public domain as their copyright expired in the United States. If you missed it, that’s because exactly nothing entered the public domain yesterday.

Read more — but only commentary, because there’s no newly free work — at “What Could Have Entered the Public Domain on January 1, 2014?

It’s near-impossible to see how our insanely long copyright terms, or their never-ending extensions encourage Dr. Seuss, Ayn Rand, Jack Kerouac or Ian Fleming to keep producing new work. Those authors have been richly rewarded for their work. But it’s easy to see how keeping those works under copyright reduces creative re-use of our collective cultural heritage.

What Price Privacy, Paying For Apps edition

There’s a new study on what people would pay for privacy in apps. As reported by Techflash:

A study by two University of Colorado Boulder economists, Scott Savage and Donald Waldman, found the average user would pay varying amounts for different kinds of privacy: $4.05 to conceal contact lists, $2.28 to keep their browser history private, $2.12 to eliminate advertising on apps, $1.19 to conceal personal locations, $1.75 to conceal the phone’s ID number and $3.58 to conceal the contents of text messages.

Those numbers seem small, but they’re in the context of app pricing, which is generally a few bucks. If those numbers combine linearly, people being willing to pay up to $10 more for a private version is a very high valuation. (Of course, the numbers will combine in ways that are not strictly rational. Consumers satisfice.

A quick skim of the article leads me to think that they didn’t estimate app maker benefit from these privacy changes. How much does a consumer contact list go for? (And how does that compare to the fines for improperly revealing it?) How much does an app maker make per person whose eyeballs they sell to show ads?

Lunar Oribter Image Recovery Project

The Lunar Orbiter Image Recovery Project needs help to recover data from the Lunar Orbiter spacecraft.

Frankly, it’s a bit of a disgrace that Congress funds, well, all sorts of things, over this element of our history, but that’s besides the point. Do I want to get angry, or do I want to see this data preserved? Yes to both.

First View of Earth from Moon
That’s why I’ve given the project some money on Rockethub, and I urge you to do the same.

Should I advertise on Twitter?

Apparently Twitter sent me some credits to use in their advertising program. Now, I really don’t like Twitter’s promoted tweets — I’d prefer to be the customer rather than the product. (That is, I’d like to be able to give Twitter money for an ad-free experience.)

At the same time, I’m curious to see how the advertising system works. I’d like to understand it and blog about it, but Twitter would like to maintain confidentiality around the program. They’re engaged in white-hot competition with Facebook and Google to be the new advertising platform of the future. At the same time, it’s less transparency than the exceptionally high bar that Twitter has generally aspired to.

That said with the launch of Control-Alt-Hack, my collaborators have stuff to sell and give away. (Not to mention maybe a sales bump for The New School of Information Security?) Or maybe I could promote other books that I think people should read, like “Thinking, Fast and Slow“). Does the nature of what I’m advertising change the calculus? Would advertising the giveaway make it different?

Then again, I do lots of “advertising” on Twitter already–I advertise the book, the game, blog posts, ideas I like. Does paying to bring them to more people dramatically change the equation?

Interestingly (and I think this is something that can be discussed, because it’s visible), I’m offered the chance to promote both tweets and myself.

I’d be really interested in hearing from readers about how I should take advantage of this, and if I should take advantage of it at all.

Taxpayers Stuck With Tab, but not in Seattle

In an article with absolutely no relevance for Seattle, the New York Times reports “With No Vote, Taxpayers Stuck With Tab on Bonds.” In another story to which Seattle residents should pay not attention, the city of Stockton is voting to declare bankruptcy, after risking taxpayer money on things like a … sports arena.

Of course, in Seattle, blah blah it’ll be so profitable, that it’ll make us a world class city while unlocking a stream of buzzwords and nonsense.

No, really. That seems to be the level of public discourse right now. The taxpayers of the region are being asked to pony up as much as 400 million bucks to help a hedge fund manager offload risk. That strikes me as doubly unwise. First, there’s lots of better ways we could allocate a possible $400 million dollars of spending. Second, when making a deal with a hedge fund manager to take risk, you should look for the sucker in the deal. It’s unlikely to be the hedge fund.

Washington State Frees Liquor Sales: some quick thoughts

I hate to let an increase in liberty go by without a little celebration.

For the past 78 years, Washington State has had a set of (effectively) state-operated liquor stores, with identical pricing and inventory. Today, that system is gone, replaced by private liquor sales. The law was overturned by a ballot initiative, heavily backed by Costco.

This is an interesting experiment in letting a little chaos emerge. Unfortunately, it’s not really a transition to a free market, since there are all sorts of licensing restrictions on who may trade in the demon rum. However, there will initially be about 5 times as many legal retailers as were previously present.

The transition is going to be messy. There’s lots of licensed retailers who haven’t obtained inventory. There’s a thousand people who were voted out of their jobs. Change is often messy.

After the transition, I expect prices will be roughly the same because of taxes and fees. What I expect will be much better is the selection and variety, especially of locally produced products from folks like Oola and Pacific Distillery. Many of those businesses were seriously inhibited by the complex and chummy system that was present.

I also expect surprise and look forward to it.

So raise a toast to the slow unwinding of a very silly system of prohibition.

How to get my vote for the ACM Board

I’m concerned about issues of research being locked behind paywalls. The core of my reason is that research builds on other research, and wide availability helps science move forward. There’s also an issue that a great deal of science is funded by taxpayers, who are prevented from seeing their work. One of the organizations which locks science behind a paywall is the ACM. As it turns out, the ACM is having elections, and I’m a member, so I thought maybe I could usefully vote on this issue. So I went to the ACM website to see what’s being said on it. Here’s what I had to go through to find the answer:

  • Are the elections important enough to be listed on the home page? Apparently not.
  • Maybe it’s an issue of importance to the ACM Membership? Nah.
  • Maybe I can find something about it on ACM US? That’s actually the “public policy” arm.
  • So perhaps it’s a matter of who will be on Boards and Committess? No, that points to this page, which is highly informative.
  • Maybe it’s under MyACM? Nope
  • Ahhh! Finally, it’s under Membernet: here

And it turns out that there’s no one running for the board of the ACM who’s running on open access issues. That’s too bad.

So let me be very clear. I’m a one-issue voter for academic societies. I believe that open access to science is a key part of everything that these societies should be doing, and it’s the only part that involves change to the business, and thus controversey.

If you want my vote, run on an open access platform.

(If you’re not familiar with the arguments for open access, see The Open Access Pledge site, The Cost of Knowledge site, or this faculty memo from the library of a small college in Cambridge, Mass.)

[Update: Don’t miss the comment by Brighten Godfrey, who’s been reaching out to the candidates, and gathering their positions.]

It’s a Lie: Seattle Taxpayers Will Pay for a Staduim

The Seattle Times carries a press release: “Arena plan as solid as it looks?

The intricate plan offered for an NBA and NHL arena in Sodo hinges on the untested strategy of building a city-owned, self-supporting arena, without the aid of new taxes, and with team owners — not taxpayers — obligated to absorb any losses.

This not only a lie, it is a blatant lie, contradicted by statements later in the article:

…Seattle and King County would finance $200 million — likely in bonds — to cover construction costs. The city would recoup its money through lease payments and the taxes on everything from tickets to concessions from the arena.

Let me translate that into plain English. The taxpayers of Seattle and King County would sign a bond. We’d be obligated to pay it back if or when the Supersonics new team leaves town. Also, let me comment that the use of “would” is inaccurate. The word that the writers sought and were unable to come up with is “might”, as in: “the city might recoup its money…”

One more quote:

It’s hard to argue against the idea of an arena that pays for itself.

It’s even harder to guarantee it, though.

Actually, it’s easy to guarantee that the arena pays for itself, or at least that the taxpayers don’t pay for it. The builders finance the arena. See how easy that is? They issue the bonds, they reap the profits. Then the people of Seattle and King county are guaranteed to not be on the hook.

Pretty simple, if the Seattle Times would stop relaying lies about who’s on the hook for bonds issued by Seattle or King County.

Look, while I’m opposed to having to sit in traffic for yet more sporting events, I shouldn’t have a say in how these folks spend their money. The arena backers should feel free to spend their money, plus as much as anyone will loan them, to build a stadium, buy a team, or hold a parade. That’s what freedom is about. But the people of Seattle should not carry any of the risk. The money should be entirely private.

Maybe the plan can’t work without Seattle bearing some of the risk. If that’s the case, that’s because this isn’t the sure thing that its backers want us to think. It means that the bankers see this as a risky thing, and want to transfer that risk to some sucker. I don’t want to be the sucker who’s paying for a failed deal. Do you?

Threat Modeling and Risk Assessment

Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully.

So first, what was said:

(Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability too.
(me) Thanks! I’m not advocating against risk, but asking when. Do you evaluate bugs 2x? Once in threat model & once in bug triage?
(Wendy) Yes, because I see TM as being important in design, when the bugs haven’t been written in yet. 🙂

I think Wendy and I are in agreement that threat modeling should happen early, and that probability is important. My issue is that I think issues discovered by threat modeling are, in reality, dealt with by only a few of Gunnar’s top 5 influencers.

I think there are two good reasons to consider threat modeling as an activity that produces a bug list, rather than a prioritized list. First is that bugs are a great exit point for the activity, and second, bugs are going to get triaged again anyway.

First, bugs are a great end point. An important part of my perspective on threat modeling is that it works best when there’s a clear entry and exit point, that is, when developers know when the threat modeling activity is done. (Window Snyder, who knows a thing or two about threat modeling, raised this as the first thing that needed fixing when I took my job at Microsoft to improve threat modeling.) Developers are familiar with bugs. If you end a strange activity, such as threat modeling, with a familiar one, such as filing bugs, developers feel empowered to take a next step. They know what they need to do next.

And that’s my second point: developers and development organizations triage bugs. Any good development organization has a way to deal with bugs. The only two real outputs I’ve ever seen from threat modeling are bugs and threat model documents. I’ve seen bugs work far better than documents in almost every case.

So if you expect that bugs will work better then you’re left with the important question that Wendy is raising: when do you consider probability? That’s going to happen in bug triage anyway, so why bother including it in threat modeling? You might prune the list and avoid entering silly bugs. That’s a win. But if you capture your risk assessment process and expertise within threat modeling, then what happens in bug triage? Will the security expert be in the room? Do you have a process for comparing security priority to other priorities? (At Microsoft, we use security bug bars for this, and a sample is here.)

My concern, and the reason I got into a back and forth, is I suspect that putting risk assessment into threat modeling keeps organizations from ensuring that expertise is in bug triage, and that’s risky.

(As usual, these opinions are mine, and may differ from those of my employer.)

[Updated to correct editing issues.]

“Pirate my books, please”

Science fiction author Walter John Williams wants to get his out of print work online so you can read it:

To this end, I embarked upon a Cunning Plan. I discovered that my work had been pirated, and was available for free on BitTorrent sites located in the many outlaw server dens of former Marxist countries. So I downloaded my own work from thence with the intention of saving the work of scanning my books— I figured I’d let the pirates do the work, and steal from them. While this seemed karmically sound, there proved a couple problems.

Read more in “Crowdsource, Please.”

I’d like some of that advertising action

Several weeks back, I was listening to the Technometria podcast on “Personal Data Ecosystems,” and they talked a lot about putting the consumer in the center of various markets. I wrote this post then, and held off posting it in light of the tragic events in Japan.

One element of this is the “VRM” or “vendor relationship management” space, where we let people proxy for ads to us.

As I was listening, I realized, I’m in the market for another nice camera. And rather than doing more research, I would like to sell the right to advertise to me. There’s a huge ($59B?) advertising market. I am ready to buy, and if Fuji had shipped their #$^&%^ X100, I was about ready to buy it. But even before the earthquake, they were behind in production, and I’m ready to buy. So I could go do research, or the advertisers could advertise to me. But before they do, I want a piece of that $59B action.

I don’t want to start a blog. (Sorry, Nick!). I don’t want to sell personal information about me. I want another nice camera. How do I go about accepting ads into this market?

I’m willing, by the way, to share additional information about my criteria, but I figure that those have value to advertisers. Please send in your bids for the answers to specific questions. Please specify if your bids are for exclusive, private, or public answers. (Public answers prevent others from gathering exclusive market intelligence, and are thus a great strategic investment.)

So, dear readers, how do I get a piece of the action? How do I cash in on this micro-market?

If I get a highly actionable answer, I’ll share 25% of the proceeds of the advertising with whomever points me the right way.

Copyrighted Science

In “Shaking Down Science,” Matt Blaze takes issue with academic copyright policies. This is something I’ve been meaning to write about since Elsevier, a “reputable scientific publisher,” was caught publishing a full line of fake journals.

Matt concludes:

So from now on, I’m adopting my own copyright policies. In a perfect world, I’d simply refuse to publish in IEEE or ACM venues, but that stance is complicated by my obligations to my student co-authors, who need a wide range of publishing options if they are to succeed in their budding careers. So instead, I will no longer serve as a program chair, program committee member, editorial board member, referee or reviewer for any conference or journal that does not make its papers freely available on the web or at least allow authors to do so themselves.

Please join me. If enough scholars refuse their services as volunteer organizers and reviewers, the quality and prestige of these closed publications will diminish and with it their coercive copyright power over the authors of new and innovative research. Or, better yet, they will adapt and once again promote, rather than inhibit, progress.

I already consider copyright as a factor when selecting a venue for my (sparse) academic work. However, there’s always other factors involved in that choice, and I don’t expect them to go away. Like Matt, my world is not perfect, and in particular, I’m on the steering committee of the Privacy Enhancing Technologies Symposium, and we publish with Springer-Verlag. I regularly raise the copyright question with the board, which has decided to stay with Springer for now [and Springer does allow authors to post final papers].

There’s obviously a need for a business model for the folks who archive and make available the work, but when many webmail providers give away nearly infinite storage and support it with ads, $30 per 200K PDF is way too high for work that was most likely done on a government grant to improve public knowledge.

I’m not sure what the right balance will be for me, but I’d like to raise one issue which I don’t usually see raised. That is, what to do about citing to these journals? I sometimes do security research on my own, or with friends outside the academic establishment. As a non-academic, I don’t have easy access to ACM or IEEE papers. Sometimes, I’ll pick up copies at work, but that’s perhaps not an appropriate use of corporate resources. Other times, I’ll ask the authors or friends for copies. We need to understand what’s been done to avoid re-inventing the wheel.

If our goal is to ensure that scientific work paid for by the public is not handed over to someone who puts it behind a paywall, perhaps the next step is to apply pressure by only reviewing open access journals and conferences? When I first thought about that, I recoiled from the idea. But the process of looking for previous and related work is a process which must be bounded. There’s simply too many published papers out there for anyone to really be aware of all of it, and so everyone limits what they search. In fact, there are already computer security journals, including Phrack and Uninformed, which are high quality work but rarely cited by academics.

So I’m interested. Does being behind a paywall suffice as a reason to not cite work? If you answer, “no, it’s not sufficient,” how much time or money do you think you or I should reasonably spend investigating possibly related work?

Unmeddle Housing More

Last month, I wrote:

But after 50 years of meddling in the market, reducing the support for housing is going to be exceptionally complex and chaotic. And the chaos isn’t going to be evenly distributed. It’s going to be a matter of long, complex laws whose outcomes are carefully and secretly influenced. Groups who aren’t photogenic or sympathetic will lose out. (I’m thinking “DINKs” in gentrified urban areas.) Groups who aren’t already well-organized with good lobbyists will lose out. (See previous parenthetical.) Those who believed that the government housing subsidy would go on forever will lose. (“Unmeddling Housing,” January )

Now, the New York Times reports on the administration’s plan, calling it “audacious:”

The Obama administration’s much-anticipated report on redesigning the government’s role in housing finance, published Friday, is not solely a proposal to dissolve the unpopular finance companies Fannie Mae and Freddie Mac. It is also a more audacious call for the federal government to cut back its broadly popular, long-running campaign to help Americans own homes. The three ideas that the report outlines for replacing Fannie and Freddie all would raise the cost of mortgage loans and push homeownership beyond the reach of some families. (“Administration Calls for Cutting Aid to Home Buyers,” New York Times)

Audacious would be to put the mortgage interest deductions on the table. This is a move in the right direction, but it’s not going to let people express their real preferences in a market. It will continue to distort the market, reducing people’s flexibility to move, and encouraging them to make their major asset a non-liquid one which is likely to decrease in value as the US population ages.