Happy Sunshine Week

March 15-21 is “Sunshine Week”, a government transparency initiative described by its main proponents as

a national initiative to open a dialogue about the importance of open government and freedom of information. Participants include print, broadcast and online news media, civic groups, libraries, non-profits, schools and others interested in the public’s right to know.

The arguments in favor of governmental transparency are numerous and well-known. On a purely pragmatic basis, it is harder to hide misdeeds, inefficiencies, and feather-bedding when anyone can ask you to show your work. Stated simply, quality evidence aids decision-making and reveals entrenched self-dealing, waste, and deception.
Information security folks, particularly New School adherents, should find much to like in this. I want to highlight once again the outstanding work of our friends at DataLossDB.org. In addition to operating what was formerly Attrition.org’s DataLoss database, they have become a central repository for the actual source documents — notification letters, reporting forms, etc. — pertaining to breaches. The majority of these documents have been obtained via — you guessed it — Freedom of Information requests.
By highlighting DataLossDB, I do not mean to slight the actions of others. Since I have been fairly active as a researcher in querying government entities, I know there is a small community of like-minded folks, with DataLossDB having several (and certainly the fastest RoR coders!).
The fact that relatively obscure people — all of whom have day jobs, as far as I know — can assemble an archive of this caliber is a testament to the leverage Freedom of Information laws give to citizens. And we know the information in these materials is valuable when made available broadly because state legislatures have seen the results and are looking to emulate the leaders.
So, with Spring on its way — at least at my latitude — here’s to more sunshine.

Tweet, tweet

A few weeks back, Pistachio twittered about How to Present While People are Twittering. I picked it up, and with the help of Quine, was getting comments from Twitter as I spoke. It was a fun experiment, and it’s pretty cool to be able to go back and look at the back channel.

[Update: I think there was more positive than I really touched on, and have written a new post all atwitter about why it was useful and why I'll do it again.]

I don’t think that it was hugely successful for this talk, for two reasons. First, my talk, “The Crisis In Information Security,” is a ‘big idea’ talk, based on my book “The New School of Information Security,” written with Andrew Stewart.
A big idea talk has to cover a lot of ground quickly, rather than dwell on a lot of specifics. You can see some of that in the feedback: Rich Mogull comments “I said some of that a year ago,” and B.K. Delong asks “can we have more details?” The other reason it didn’t work is that there was a lot of in-room interaction. Questions came out during the talk rather than being tweeted.

Still, it was pretty cool, and I’ll definitely try it again.

So, here are the #sourceadam comments in chronological order. My comments are in italic.

stormtrooperguy: All tweets from the current panel @sourceboston will be tagged with #sourceadam so that they can reference it later.

leune: getting ready for #sourceadam

quine: Actually, #SOURCEAdam or #AdamSOURCE.

bkdelong: At Adam Shostack’s talk #sourceadam

securitytwits: RT @quine — if you’re in @adamshostack’s presentation at #SOURCEBoston, please use #adamsource OR #sourceadam for feedback/questions.

quine: Admittedly, I am a buffoon. I chose “#adamsource”, then announced “#sourceadam” — hence the use of both ;)

Beaker: I believe I just saw a nerd version of Sisyphus — better than a LOLcat #sourceadam #sourceboston

Yes: http://flickr.com/photos/signifying/2073074572/

Beaker: Who was the last idiot infected with Blaster? We just saw the last guy who had Smallpox…. #sourceadam #sourceboston

mortman: @Beaker Well lolcats are beneath Adam #sourceadam #sourceboston

mortman: Millikan Oildrop Experiment led to powerpoint. #sourceadam #sourceboston

mortman: @alexsotirov @k8em0 has an apple and the rest of us don’t. #sourceadam #sourceboston

k8em0: @alexsotirov we lack cred in infosec because we lack data #sourceboston #sourceadam

hackertweets: k8em0: @alexsotirov we lack cred in infosec because we lack data #sourceboston #sourceadam

k8em0: @mortman @alexsotirov it’s a pear. Observation is not the best way to gather data.#sourceboston #sourceadam

mortman: @k8em0 @alexsotirov Proof that independent confirmation is a necessary part of the scientific method. #sourceboston #sourceadam

bkdelong: @k8em0 At least not VISUAL observation #sourceadam #sourceboston

mortman: #sourceadam #sourceboston Re: learning from experience. Is that another way of saying “the plural of anecdote is not data”?

stormtrooperguy: @sourceboston : the #sourceadam panel is packed, standing room only.

Beaker: Adam, you have a lot of “questions.” You have any answers? #sourceadam

I think I do. If not, you have a refund coming. (Hoff bought the book on his Kindle as we were setting up. I promised him a refund if he doesn’t like it.)

bkdelong: So @adamshostack what data is being collected that is good? What do we NEED to be collecting? #sourceadam #sourceboston

bkdelong: Specifically what KPIs and what metrics / risk calculations can we be doing to help us make the case to management #sourceadam @sourceboston

What does your management care about? You’re going to need rich sets of data to find the comparatives you need.

mortman: #sourceadam #sourceboston RE: What is the biggest pain point? We talk about professional hackers, users, random loss, why not vendors?

mortman: #sourceadam #sourceboston Why not more blame for the folks who produce crap?

k8em0: it’s hard to categorize what causes security customer pain (hax0rs, kiddiez, RBN, nation-states) #sourceboston #sourceadam

rybolov: #sourceadam can you use the phrase “self-licking ice cream cone” jus for me? k thnx.

Self-licking ice cream cone.

hallam: @SOURCEAdam have you heard of the GENI initiative, any thoughts?

mortman: @hallam geni.net? or something else #sourceadam #sourceboston

hallam: geni.net

I haven’t, thanks! Checking it out now.

bkdelong: The @datalossdb does not cover all breaches and too many reporters cite it as true total # of breaches – bad. Needs correction #sourceadam

BK: True, but as the Beatles said, it’s getting better all the time.

k8em0: #sourceboston #sourceadam Hype is too big for your breaches – they don’t cause all customers to flee & you to go bankrupt.

mortman: #sourceboston #sourceadam Mmmmm tylenol.

bkdelong: Tylenol Recall #sourceboston #sourceadam

bkdelong: The @datalossdb certainly best out there but there are lots of unreported/non-FOIA’d breaches not in there. Still a lot more. #sourceadam

bkdelong: More on Black Swan theory – http://tinyurl.com/2ngwkw (Yes, wikipedia for ease sake) #sourceadam #sourceboston

I was pretty dismissive of “Black Swan” hype. I stand by that, and don’t think we should allow fear of a black swan out there somewhere to prevent us from studying white ones and generalizing about what we can see.

rmogull: @bkdelong #sourceadam #sourceboston I wrote an article on that over a year ago (Tylenol/disclosure): http://bit.ly/Q5Ko8

Great stuff, Rich!

mortman: #sourceboston #sourceadam Check out “research revealed” track at RSA.

k8em0: #sourceboston #sourceadam wallow in the data, follow @datalossdb for example.

bsmithsweeney: #sourceadam reminded of “The Quixotic Quest for Invulnerability” http://tinyurl.com/5equfo, on protection vs. recovery #sourceboston

k8em0: #sourceboston #sourceadam you point out methodological flaws w/the passwords4chocolate experiment. 45% of women likely lied 4 choc.

It would be fun to find out how many lied, and how many didn’t care. I suspect we’d be depressed, but the truth is supposed to set you free, not make you happy.

bsmithsweeney: Really enjoyed #sourceadam talk @sourceboston. Definitely worth grabbing the slides/video.

Thanks bsmithsweeney, and thank you to everyone who participated in the talk and the backchannel!

“A Scientific R&D Approach to Cyber Security”

Charlie Catlett, CIO of Argonne National Labs has released a report on “A Scientific R&D Approach to Cyber Security” (Powerpoint summary, community wiki).

It’s a very interesting report. There’s a lot to agree with in terms of a research agenda. They’re looking to compose trustworthy systems from untrusted components, to create self-protective data and software, and to use mathematics for predictive awareness for secure systems.

I have two issues with it, one small and one large. The small issue is that the report places mathematics on a pedestal, and goes so far as to refer to economic analysis as a ‘metaphor.’ Mathematics is clearly quite useful, but the problems we experience are often no longer mathematical, but about the meaning of things, and that is a human problem.

Much bigger is that in all the discussions of bringing to bear the power of science, there’s no mention of the data acquisition problem. That is, you can do all the modeling you want, but if you’re not gathering rich data sets about what goes wrong, you can’t test those models or craft informed hypotheses.

I applaud Catlett for seeing the need for real science, and hope that the future research agenda will involve partnerships with those who handle the human side of computer security, as well as joining the New School call for more and more data.

Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder:

Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction.

“We couldn’t believe what we found,” said Paula, who purchased the cabinets and asked that her last name not be published. “We thought of calling the American consulate right away, and then we thought, you know they’ll just hide it and say, ‘Oh, we made a mistake.’” (“U.S. Consulate Mistakenly Sells Secret Files in Jerusalem,” Fox News)

Transparency is a powerful idea. There’s little risk in disclosing this incident, except to the career of the person who sold the cabinet. Security professionals on both sides know that these things happen. If we talked about the incidents, we could assess their frequency and see if there are cost-effective ways to prevent them. I expect that there are, but no one wants to add a layer of bureaucracy for a threat that they can’t really assess. There are too many threats and too many ways to address them.

The New Administration and Security

Quoting first from Obama’s inaugural address:

The question we ask today is not whether our government is too big or too small, but whether it works — whether it helps families find jobs at a decent wage, care they can afford, a retirement that is dignified. Where the answer is yes, we intend to move forward. Where the answer is no, programs will end. Those of us who manage the public’s dollars will be held to account — to spend wisely, reform bad habits, and do our business in the light of day — because only then can we restore the vital trust between a people and their government.

and then from the new Director of National Intelligence:

In an unusual comment from a man who will head the most secret agencies of government, [Dennis Blair] said, “There is a need for transparency and accountability in a mission where most work necessarily remains hidden from public view.” He said that if confirmed, he would “communicate frequently and candidly with the oversight committees, and as much as possible with the American people.” (“Blair Pledges New Approach to Counterterrorism,” NYTimes)

I was struck by Obama’s focus on transparency in his address, and I was struck by how easily we can substitute in ‘information security,’ “those of us who manage information security dollars will be held to account — to spend wisely, reform bad habits, and do our business in the light of day — because only then can we restore the vital trust…”

From the perspective of executives, information security spending is often wasteful. If you can see security problems, the money wasn’t spent well. We have a tendency to move with fads, and we certainly cover up our problems. For these reasons, we’re too often not trusted advisors to our businesses, but rather, we’re seen as obstacles.

The advice of Obama and Blair is something that we can all heed. Everyone knows there are security problems. It’s time, or even past time, to stop with the secrecy around most problems. We can communicate more freely. That’s change you should believe in.

Designing Cars

I was struck by this quote in “Edgy, Yet Still Aerodynamic” an article in the New York Times about how new cars are being designed and tested:

To his surprise, in hundreds of tests at Ford’s Wind Tunnel 8 southwest of Detroit the original edges produced less drag than curved substitutes, Mr. Koester said. In the bumper, headlights and hood, in fact, aerodynamics were improved by carefully designed edges.

Usually, aerodynamic shapes are rounded forms that slip through the air. But the wind tunnel is proving that counterintuitive, edgy shapes can reduce the drag coefficient and save fuel or battery power.

Even in fields where repeatable tests seem relatively easy, the expectation and intuition of professionals can be wrong. In information security, it’s far worse.

What are you doing to test your long-standing assumptions?

Public Policy and InfoSec

…Armed with my favorite govie (who is actually the lead on this, I’m just a straphanger), The New School of Information Security (Hi Adam and Andrew), some government policy directives, and the National Strategy to Secure Cyberspace, I am teaching an Information Security Management and Public Policy class for Carnegie Mellon’s Heinz School.

The more I work with the Masters of Science in Public Policy Management program, the more I’m sold on it. Basically the students do a year on-campus in Pittsburgh, then they have the option of staying there or coming to DC. The students who come to DC work a 32-hour week (some do more), 2 night classes, and class for most of Friday. Our information security class fits in as a sector-specific deep-dive, the other one being healthcare (which needs smart public policy people, too).

Which is where we need some help. It’s a little behind the game, but we’re constantly looking for Government agencies, NGOs/NPOs, and contractors who are interested in taking on interns. Even better if you have jobs that don’t have a US citizenship requirement. If you want to be linked up, just drop me a line.

First, thank you! Andrew and I are both tremendously excited to see the New School being used at CMU. If anyone knows of internships that would help their students find jobs, please visit “The Guerilla CISO” and help them out.

The Costs of Secrecy

Security continues to be crippled by a conspiracy of silence. The ongoing costs of not talking about what’s going wrong are absolutely huge, and today, we got insight into just how huge.

Richard Clayton and Tyler Moore of Cambridge University have a new paper on phishing, “The consequence of non-cooperation in the fight against phishing.” In it, they look at how phishing sites are taken down, and estimate how much faster it would be if there were better sharing of data. From their blogpost:

Since extended lifetimes equate to more unsuspecting visitors handing over their credentials and having their bank accounts cleaned out, these delays can also be expressed in monetary terms. Using the rough and ready model we developed last year, we estimate that an extra $326 million per annum is currently being put at risk by the lack of data sharing. This figure is from our analysis of just two companies’ feeds, and there are several more such companies in this business.

I haven’t had time to read the paper in depth, but I have a lot of respect for both Richard and Tyler. Have you read the paper? Impressions? (Here or on their blog.)

What’s in a name(less)?

I had a great time in a conversation with Dennis Fisher which is now up on his nameless security podcast: Adam Shostack on privacy, data breaches and “The New School of Information Security”

Check it out.

Update: Amazon seems to be having trouble keeping The New School in stock. (Thank you!!!) Addison Wesley has the New School in stock, if you’d like to buy it now.

And really, thank you! You don’t know how happy it makes me that the emergent behavior of readers (and listeners) has wreaked chaos on Amazon’s prediction algorithms.

Adam on CS TechCast

I did a podcast with Eric and Josh at CS Techcast. It was lots of fun, and is available now:
link to the show

Welcome to another CSTechcast.com podcast for IT professionals. This week we interview Adam Shostack, author of The New School of Information Security about the essentials IT organizations need to establish to really do security right.

The Podcast Awards nomination period closes soon, so get your votes in for CS Techcast at podcastawards.com. If you want to follow us on the social web check out friendfeed.com/cstechcast or twitter.com/cstechcast. Otherwise, give us a ring or type up some feedback, all available at CSTechcast.com.