The New School of Air Travel Security?

As I simmer with anger over how TSA is subpoenaing bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways:

  • Failures are rare
  • Partial failures are generally secret
  • Actual failures are analyzed in secret
  • Procedures are secret
  • Procedures seem bizarre and arbitrary
  • External analysis seems to show that the procedures are fundamentally flawed
  • Those charged with doing the work appear to develop a bunker mentality

In this situation, anyone can offer up their opinions, and most of us do.

It’s hard to figure out which analyses are better than others, because the data about partial failures is harder to get than opinions. And so most opinions are created equal and appear equal. Recommendations in airline security are all ‘best practices’ which are hard to evaluate.

Now, as Peter Swire has pointed out, the disclosure debate pivots on whether an attacker needs to expose themselves in order to test a hypothesis. If the attacker needs to show up and risk arrest or being shot to learn whether a device will make it through a magnetometer, that’s very different than if an attacker only needs to send packets over the internet.

I believe much of this swivels on the fact that most of the security layers have been innocently exposed in many ways. The outline of how the intelligence agencies and their databases work is public. The identity checking is similarly public. It’s easy to discover at home or at the airport that you’re on a list. The primary and secondary physical screening layers are well and publicly described. The limits of tertiary screening are easily discovered, as an unlucky friend found out when he threw a Nazi salute at a particularly nosy screener in Amsterdam’s Schiphol airport. And then some of it comes out when government agencies accidentally expose it. All of this boils down to partial and unstructured disclosure in three ways:

  1. Laws or public inquiries require it
  2. The public is exposed to it or can “innocently” test it
  3. Accidents

In light of all of this, the job of a terrorist mastermind is straightforward: figure out a plan that bypasses the known defenses, then find someone to carry it out. Defending the confidentiality of approaches is hard. Randomization is an effort to change attackers’ risk profiles.

But here’s the thing: between appropriate and important legal controls and the fact that the public goes through the system, there are large parts of it which cannot be kept secret for any length of time. We need to acknowledge that and design for it.

So here’s my simple proposal:

  1. Publish as much of the process as can be published, in accordance with the intent of the Executive Order on Classified National Security Information:

    “Agency heads shall complete on a periodic basis a comprehensive review of the agency’s classification guidance, particularly classification guides, to ensure the guidance reflects current circumstances and to identify classified information that no longer requires protection and can be declassified,”

    That order lays out a new balance between openness and national security, including terrorism. TSA’s current approach does not meet that new balance.

  2. Publish information about failed attempts and the costs of the system
  3. Stop harassing and intimidating those like Chris Soghoian, Steven Frischling or Christopher Elliott who discuss details of the system.
  4. Encourage and engage in a fuller debate with facts, rather than speculation.

There you have it. We will get better security through a broad set of approaches being brought to the problems. We will get easier travel because we will understand what we’re being asked to do and why. Everyone understands that we need some level of security for air travel. Without an acrimonious, ill-informed firestorm, we’ll get more security with less pain and distraction.

What should the new czar do? (Tanji’s Security Survey)

Over at Haft of the Spear, Michael Tanji asks:

You are the nation’s new cyber czar/shogun/guru. You know you can’t _force_ anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will?

I think it’s a fascinating question, and posted my answer over at the New School blog.

“No Evidence” and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:”

Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those three-digit codes on the back of cards, Wikileaks told donors in an email.

and

We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

I wanted to bring this up, not to laugh at Coleman (that’s Franken’s job, after all), but because we frequently see assertions that “there’s no evidence that…”

As anyone trained in any science knows, absence of evidence is not evidence of absence. At the same time, sometimes there really is sufficient evidence, properly protected, that allows that claim to be made. We need public, documented and debated standards for how such decisions should be made. With such standards, organizations could make better decisions about risk. Additionally, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.

Security is about outcomes: RSA edition

So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at securosis and Stiennon’s Network World blog, so I won’t try to do that.

But I did promise to tell you what I wanted to get out of it. My goals, ordered:

  1. A successful Research Revealed track. I think we had some great talks, a panel I’m not qualified to judge (since I was on it), and at least a couple of sell-out sessions. But you tell me. Did it work for you?
  2. See interesting new technology. I saw three things: Garner’s hard drive crusher (they have a “destroy” button!), Camouflage’s database masking and some very cool credit card form factor crypto devices from Emue. (I’d add Verizon’s DBIR, but I saw that before the show.) Four interesting bits? Counts as success. Ooh, plus I saw the Aptera car.
  3. Announce our new blog at Newschoolsecurity.com. Done!
  4. See friends and make five new ones. It turns out that the most successful part of this was my Open Security Foundation t-shirt. I urge you all to donate and get this highly effective networking tool.
  5. Connect five pairs of people who previously didn’t know each other. I counted seven, which makes me really happy.

What I didn’t want: a hangover. Only had one, Friday morning.

Will The Real Adam Shostack Please Stand Up?

At one point during the RSA party hopping last week, Adam, Alex and I ended up at the Executive Women’s Forum event. I was feeling pretty punchy and decided that all three of us should have name tags that read “Adam Shostack”. If anyone asked, I just explained that we were promoting the new blog. Eventually I wandered off to another party and some other folks decided that this was a really good idea as well. By the time I got back to the W, there was a whole slew of Adams floating around. Those who subscribe to the “Pictures or It Didn’t Happen” school of thought can find all the evidence over on the Flickr photostream.

The New School Blog

I’m really excited to announce NewSchoolSecurity.com, the blog inspired by the book. I’ll be blogging with Alex Hutton, Chandler Howell and Brooke Paul. And who knows, maybe we’ll even get a post or two from Andrew?

Emergent Chaos will continue. My posts here will be a little more on the privacy, liberty and economics end of things, with my technical and business security posts split between here and The New School.

All that said, I’ve posted the followup to “Security is about outcomes, not about process” on The New School, which you can read at “Events don’t happen in a Vacuum.”

Building Security In, Maturely

While I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model.

Lots has been said, so I’d just like to quote one little bit:

One could build a maturity model for software security theoretically (by pondering what organizations should do) or one could build a maturity model by understanding what a set of distinct organizations have already done successfully. The latter approach is both scientific and grounded in the real world, and is the one we followed.

It’s long, but an easy and worthwhile read if you’re thinking of putting together or improving your software security practice.

Incidentally, my boss also commented on our work blog “Building Security In Maturity Model on the SDL Blog.”

Would I self-publish?

A few weeks back, Dave Birch asked me if I’d publish my next book myself. I don’t think I would. I’m really happy with Karen Gettman and Jessica Goldstein at Addison Wesley, and I’ve convinced my co-authors for my next book that we should have a discussion about publishers.

So why am I happy with them, and what can you learn from that?

First, let me scope this by saying the New School is what they call a “big idea” book. This is in contrast to a lot of books in technology, which are, well, technology specific. The New School is a tech book, but it’s not a tech book in the way that “Mastering Office 97” or “Teach Yourself Haskell in 28 Days” are tech books.

Books like that are usually on a hard schedule. You need to get them done as the software ships. No one wants a copy of “Mastering Office 97” anymore. If you get them done too soon, they don’t reflect the final program. Anyone writing such a book gets a lot more pressure than we did. (Jessica called me one day and said “you know, if you guys finally finish, we can release at RSA and your sales will be higher.”)

That advice “do this and your sales will be higher” is tremendously useful to any author not named “Rowling,” “King” or “Clancy.” However well an author may understand their audience, there are trends in publishing, and understanding those trends is far easier for a publisher who has people monitoring their sales and those of competitors.

When we were getting started, we wanted to write a book for executives, and call it “Security Decisions.” Several publishers rejected that proposal, because ‘executives don’t read,’ and if you look at Amazon SalesRank for a book on managing security that you like, you’ll see that that’s roughly borne out. (Yes, SalesRank is a bad indicator, but an easy one to use.) So we got effective market advice from our publisher.

The next thing authors get is financial support, either in the obvious form of an advance, or in that the publisher pays for printing, binding, warehousing and distribution in advance.

The final thing you get from a major publisher is channels, both domestic and international. I’ve seen the New School in Borders and Barnes and Noble. When there are trade events, my book tends to magically show up at the show bookstore, and I don’t have to do anything. Addison Wesley makes that happen without any effort from me. Cory Doctorow speaks out “In Praise of the Sales Force.”

Of course, for all of this, they extract a fee of about 80-90% of the sale price of the book. (See Mary Shaw and Tim O’Reilly for a breakdown.) That would make it hard to earn a living on the sales of technical books. If I were writing to earn a living, I might choose differently. Then again, I said “if I were writing,” not “if I were selling books for a living.”

As an aside, in “Why There’s no Tip Jar” Charlie Stross writes, “If I put a Paypal tipjar on this blog, to take conscience money from folks who’ve downloaded a (cough) unauthorized ebook or two, the money would come to me, not to the publisher. And without the publisher those books wouldn’t exist: wouldn’t have been commissioned, wouldn’t have been edited, wouldn’t have been corrected and marketed and sold in whatever form filtered onto the unauthorized ebook market.”

If you still want to self-publish, check out 6 Ways to Publish Your Own Book. Otherwise, any good publisher will have a set of resources up for authors. Pearson’s is here.

[Update: and they copyedit & proofread your words!]

Happy Sunshine Week

March 15-21 is “Sunshine Week”, a government transparency initiative described by its main proponents as

a national initiative to open a dialogue about the importance of open government and freedom of information. Participants include print, broadcast and online news media, civic groups, libraries, non-profits, schools and others interested in the public’s right to know.

The arguments in favor of governmental transparency are numerous and well-known. On a purely pragmatic basis, it is harder to hide misdeeds, inefficiencies, and feather-bedding when anyone can ask you to show your work. Stated simply, quality evidence aids decision-making and reveals entrenched self-dealing, waste, and deception.

Information security folks, particularly New School adherents, should find much to like in this. I want to highlight once again the outstanding work of our friends at DataLossDB.org. In addition to operating what was formerly Attrition.org’s DataLoss database, they have become a central repository for the actual source documents — notification letters, reporting forms, etc. — pertaining to breaches. The majority of these documents have been obtained via — you guessed it — Freedom of Information requests.

By highlighting DataLossDB, I do not mean to slight the actions of others. Since I have been fairly active as a researcher in querying government entities, I know there is a small community of like-minded folks, with DataLossDB having several (and certainly the fastest RonR coders!).

The fact that relatively obscure people — all of whom have day jobs, as far as I know — can assemble an archive of this caliber is a testament to the leverage Freedom of Information laws give to citizens. And we know the information in these materials is valuable when made available broadly because state legislatures have seen the results and are looking to emulate the leaders.

So, with Spring on its way — at least at my latitude — here’s to more sunshine.

Tweet, tweet

A few weeks back, Pistachio twittered about How to Present While People are Twittering. I picked it up, and with the help of Quine, was getting comments from Twitter as I spoke. It was a fun experiment, and it’s pretty cool to be able to go back and look at the back channel.

[Update: I think there was more positive than I really touched on, and have written a new post all atwitter about why it was useful and why I’ll do it again.]

I don’t think that it was hugely successful for this talk, for two reasons. First, my talk, “The Crisis In Information Security,” is a ‘big idea’ talk, based on my book “The New School of Information Security,” written with Andrew Stewart. A big idea talk has to cover a lot of ground quickly, rather than dwell on a lot of specifics. You can see some of that in the feedback: Rich Mogull comments “I said some of that a year ago,” and B.K. Delong asks “can we have more details?” The other reason it didn’t work is that there was a lot of in-room interaction. Questions came out during the talk rather than being tweeted.

Still, it was pretty cool, and I’ll definitely try it again.

So, here are the #sourceadam comments in chronological order. My comments are in italic.

stormtrooperguy: All tweets from the current panel @sourceboston will be tagged with #sourceadam so that they can reference it later.

leune: getting ready for #sourceadam

quine: Actually, #SOURCEAdam or #AdamSOURCE.

bkdelong: At Adam Shostack’s talk #sourceadam

securitytwits: RT @quine — if you’re in @adamshostack’s presentation at #SOURCEBoston, please use #adamsource OR #sourceadam for feedback/questions.

quine: Admittedly, I am a buffoon. I chose “#adamsource”, then announced “#sourceadam” — hence the use of both 😉

Beaker: I believe I just saw a nerd version of Sysyphus — better than a LOLcat #sourceadam #sourceboston

Yes: http://flickr.com/photos/signifying/2073074572/

Beaker: Who was the last idiot infected with Blaster? We just saw the last guy who had Smallpox…. #sourceadam #sourceboston

mortman: @Beaker Well lolcats are beneath Adam #sourceadam #sourceboston

mortman: Milliken Oildrop Experiment lead to powerpoint. #sourceadam #sourceboston

mortman: @alexsotirov @k8em0 has an apple and the rest of us don’t. #sourceadam #sourceboston

k8em0: @alexsotirov we lack cred in infosec because we lack data #sourceboston #sourceadam

hackertweets: k8em0: @alexsotirov we lack cred in infosec because we lack data #sourceboston #sourceadam

k8em0: @mortman @alexsotirov it’s a pear. Observation is not the best way to gather data.#sourceboston #sourceadam

mortman: @k8em0 @alexsotirov Proof that independent confirmation is a necessary part of the scientific method. #sourceboston #sourceadam

bkdelong: @k8em0 At least not VISUAL observation #sourceadam #sourceboston

mortman: #sourceadam #sourceboston Re: learning from experience. Is that another way of saying “the plural of anecdote is not data”?

stormtrooperguy: @sourceboston : the #sourceadam panel is packed, standing room only.

Beaker: Adam, you have a lot of “questions.” You have any answers? #sourceadam

I think I do. If not, you have a refund coming. (Hoff bought the book on his Kindle as we were setting up. I promised him a refund if he doesn’t like it.)

bkdelong: So @adamshostack what data is being collected that is good? What do we NEED to be collecting? #sourceadam #sourceboston

bkdelong: Specifically what KPIs and what metrics / risk calculations can we be doing to help us make the case to management #sourceadam @sourceboston

What does your management care about? You’re going to need rich sets of data to find the comparatives you need.

mortman: #sourceadam #sourceboston RE: What is the biggest pain point? We talk about professional hackers, users, random loss, why not vendors?

mortman: #sourceadam #sourceboston Why not more blame for the folks who produce crap?

k8em0: it’s hard to categorize what causes security customer pain (hax0rs, kiddiez, RBN, nation-states) #sourceboston #sourceadam

rybolov: #sourceadam can you use the phrase “self-licking ice cream cone” jus for me? k thnx.

Self-licking ice cream cone.

hallam: @SOURCEAdam have you heard of the GENI initiative, any thoughts?

mortman: @hallam geni.net? or something else #sourceadam #sourceboston

hallam: geni.net

I haven’t, thanks! Checking it out now.

bkdelong: The @datalossdb does not cover all breaches and too many reporters cite it as true total # of breaches – bad. Needs correction #sourceadam

BK: True, but as the Beatles said, it’s getting better all the time.

k8em0: #sourceboston #sourceadam Hype is too big for your breaches – they don’t cause all customers to flee & you to go bankrupt.

mortman: #sourceboston #sourceadam Mmmmm tylenol.

bkdelong: Tylenol Recall #sourceboston #sourceadam

bkdelong: The @datalossdb certainly best out there but there are lots of unreported/non-FOIA’d breaches not in there. Still a lot more. #sourceadam

bkdelong: More on Black Swan theory – http://tinyurl.com/2ngwkw (Yes, wikipedia for ease sake) #sourceadam #sourceboston

I was pretty dismissive of “Black Swan” hype. I stand by that, and don’t think we should allow fear of a black swan out there somewhere to prevent us from studying white ones and generalizing about what we can see.

rmogull: @bkdelong #sourceadam #sourceboston I wrote an article on that over a year ago (Tylenol/disclosure): http://bit.ly/Q5Ko8

Great stuff, Rich!

mortman: #sourceboston #sourceadam Check out “research revealed” track at RSA.

k8em0: #sourceboston #sourceadam wallow in the data, follow @datalossdb for example.

bsmithsweeney: #sourceadam reminded of “The Quixotic Quest for Invulnerability” http://tinyurl.com/5equfo, on protection vs. recovery #sourceboston

k8em0: #sourceboston #sourceadam you point out methodological flaws w/the passwords4chocolate experiment. 45% of women likely lied 4 choc.

It would be fun to find out how many lied, and how many didn’t care. I suspect we’d be depressed, but the truth is supposed to set you free, not make you happy.

bsmithsweeney: Really enjoyed #sourceadam talk @sourceboston. Definitely worth grabbing the slides/video.

Thanks bsmithsweeney, and thank you to everyone who participated in the talk and the backchannel!

“A Scientific R&D Approach to Cyber Security”

Charlie Catlett, CIO of Argonne National Labs has released a report on “A Scientific R&D Approach to Cyber Security” (Powerpoint summary, community wiki).

It’s a very interesting report. There’s a lot to agree with in terms of a research agenda. They’re looking to compose trustworthy systems from untrusted components, to create self-protective data and software, and to use mathematics for predictive awareness for secure systems.

I have two issues with it, one small and one large. The small issue is that the report places mathematics on a pedestal, and goes so far as to refer to economic analysis as a ‘metaphor.’ Mathematics is clearly quite useful, but the problems we experience are often no longer mathematical; they are about the meaning of things, and that is a human problem.

Much bigger is that in all the discussions of bringing to bear the power of science, there’s no mention of the data acquisition problem. That is, you can do all the modeling you want, but if you’re not gathering rich data sets about what goes wrong, you can’t test those models or craft informed hypotheses.

I applaud Catlett for seeing the need for real science, and hope that the future research agenda will involve partnerships with those who handle the human side of computer security, as well as joining the New School call for more and more data.

Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder:

Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction.

“We couldn’t believe what we found,” said Paula, who purchased the cabinets and asked that her last name not be published. “We thought of calling the American consulate right away, and then we thought, you know they’ll just hide it and say, ‘Oh, we made a mistake.’” (“U.S. Consulate Mistakenly sells secret files in Jerusalem,” Fox News)

Transparency is a powerful idea. There’s little risk in disclosing this incident, except to the career of the person who sold the cabinet. Security professionals on both sides know that these things happen. If we talked about the incidents, we could assess their frequency and see if there are cost-effective ways to prevent these things. I expect that there are, but no one wants to add a layer of bureaucracy for a threat that they can’t really assess. There are too many threats and too many ways to address them.

The New Administration and Security

Quoting first from Obama’s inaugural address:

The question we ask today is not whether our government is too big or too small, but whether it works — whether it helps families find jobs at a decent wage, care they can afford, a retirement that is dignified. Where the answer is yes, we intend to move forward. Where the answer is no, programs will end. Those of us who manage the public’s dollars will be held to account — to spend wisely, reform bad habits, and do our business in the light of day — because only then can we restore the vital trust between a people and their government.

and then from the new Director of National Intelligence:

In an unusual comment from a man who will head the most secret agencies of government, [Dennis Blair] said, “There is a need for transparency and accountability in a mission where most work necessarily remains hidden from public view.” He said that if confirmed, he would “communicate frequently and candidly with the oversight committees, and as much as possible with the American people.” (“Blair Pledges New Approach to Counterterrorism,” NYTimes)

I was struck by Obama’s focus on transparency in his address, and I was struck by how easily we can substitute in ‘information security,’ “those of us who manage information security dollars will be held to account — to spend wisely, reform bad habits, and do our business in the light of day — because only then can we restore the vital trust…”

From the perspective of executives, information security spending is often wasteful. If you can see security problems, the money wasn’t spent well. We have a tendency to move with fads, and we certainly cover up our problems. For these reasons, we’re too often not trusted advisors to our businesses, but rather, we’re seen as obstacles.

The advice of Obama and Blair is something that we can all heed. Everyone knows there are security problems. It’s time, or even past time, to stop with the secrecy around most problems. We can communicate more freely. That’s change you should believe in.