Shostack + Friends Blog Archive



To the amazing chaos of the 2010s

I expect that there will be senseless acts of violence, planes destroyed and perhaps a city attacked with effective biological weapons. There will be crazy people with more power than we want to comprehend. There will be a billion malnourished, undereducated folks whose lives don’t improve. The first world will continue to be saddled with […]


Airplane Terrorism, Data-Driven Edition

I’m just off a flight from London back to the United States and I’m hesitant to attempt to think while jet-lagged. I’ll have some more thoughts and first-hand observations once my head clears, however. In the meantime, Nate Silver has broken down the risk of terror attacks on airplanes so I don’t have to. Summarizing […]


The New School of Air Travel Security?

As I simmer with anger over how TSA is subpoenaing bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways: failures are rare; partial failures are generally secret; actual failures are analyzed in secret; procedures are secret; procedures seem bizarre and arbitrary […]


What the FBI Was Doing on Beethoven's Birthday

This is unfair, but I can’t resist. Nine days before we found out again that PETN is hard to detonate, the FBI was keeping us safe: FBI FINALLY MAKES AN ARREST OVER ‘WOLVERINE’ LEAK The FBI has announced the capture of an individual connected with the leak of 20th Century Fox’s “X-Men Origins: Wolverine.” … […]


Abdulmutallab/Flight 253 Airline Terror links

Air Canada is canceling US flights because of security. (Thanks, @nselby!) The New York Times reports that “Britain Rejected Visa Renewal for Suspect.” NPR reported that the State Department may have raised some sort of flag, but I don’t have a link. ABC is reporting that two of the “al Qaeda Leaders Behind Northwest Flight […]


Observations on the Christmas Bomber

Since there’s been so much discussion about the Christmas Bomber, I want to avoid going over the same ground everyone else is. So as much as I can, I’m going to try to stick to lightly-treaded ground. This is a failure for the terrorists. A big one. Think about it; put yourself on the other […]


Abdulmutallab/Flight 253 Airline Terror links

The Economist “The latest on Northwest flight 253:” “the people who run America’s airport security apparatus appear to have gone insane” and “This is the absolute worst sort of security theatre: inconvenient, absurd, and, crucially, ineffective.” Business Travel Coalition, via Dave Farber and Esther Dyson, “Aviation Security After Detroit:” “It is welcome news that President […]


76% Organic

The back does explain that it’s 76% organic petite sirah, and 24% non-organic grapes. I just thought it was a pretty funny thing to put on the front label, and wonder which consumers are going to be more likely to buy it, knowing that it’s 76% organic.


New Restrictions: No Using Electronic Devices for the Last Hour

Apparently, in the wake of thousands of deaths from idiots paying more attention to GPS, cell phones, GameBoys, iPods and other such electronic devices, TSA has announced a ban on all use of such devices for the last hour of your commute. No, just kidding. Apparently, they may be imposing new secret restrictions on use […]


Brian W Kernighan & Dennis M Ritchie & HP Lovecraft

I never heard of C Recursion till the day before I saw it for the first and– so far– last time. They told me the steam train was the thing to take to Arkham; and it was only at the station ticket-office, when I demurred at the high fare, that I learned about C Recursion. […]


Burning News: Gavle Goat

USA Today informs us that: Despite surveillance cameras and heavy security, vandals in a small Swedish town have burned down a giant Yuletide straw goat for the 24th time since 1966, the Associated Press reports. Here at Emergent Chaos, we’re deeply concerned that the goat ended up with neither privacy nor even temporary safety. Photo: […]


An Open Letter to the New Cyber-Security Czar

Dear Howard, Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but […]


Biggest Breach Ever

Precision blogging gets the scoop: You’re probably talking about this terrible security disaster already: the largest database leak ever. Arweena, a spokes-elf for Santa Claus, admitted a few hours ago that the database posted at WikiLeaks yesterday is indeed the comprehensive 2009 list of which kids have been naughty, and which were nice. The source […]


NotObvious On Heartland

I posted this also to the mailing list. Sorry if discussing in multiple venues ticks you off. The Not Obvious blog has an interesting write up on the Heartland Breach and impact. From the blog post: “Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they […]


Open Thread

I’ll give you a topic, eh, no I won’t. Have at it, but not at each other.


For Blog/Twitter Conversation: Can You Defend "GRC"?

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today. I believe G & C are subservient to risk management. So let me offer you this statement to chew on: “A metric for Governance is only useful inasmuch as it describes an ability to manage risk” True or False, […]


St. Cajetan's Revenge

For some time, I’ve watched the War on Bottled Water with amusement. I don’t disagree with figuring out how to reduce waste, and so on and so forth, but the railing against bottled water per se struck me as not thought out very well. The major reason for my thinking is that I never heard […]


Top Security Stories of the Year?

On Wednesday, I’ll be joining a podcast to discuss “top security stories of the year.” I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year? (I posted this on Emergent Chaos, but forgot to post it […]


We Take Your Privacy Seriously

So after BNY Mellon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login. Boy, am I glad […]


Data Not Assertions

There have already been a ton of posts out there about the Verizon DBIR Supplement that came out yesterday, so I’m not going to dive into the details, but I wanted to highlight this quick discussion from twitter yesterday that really sums up the value of the supplement and similar reports: georgevhulme: I’m glad we […]


Huh, who knew?

We have a comments feed. I suppose we should add that to somewhere sane. In the meanwhile, you should click here. We have smart commenters, and what they say is usually worthwhile.


Emerging threat: Social Botnets

We think of botnets as networks of computing devices slaved to some command & control system. But what about human-in-the-loop botnets, where humans are either participants or prime actors? I’m coining this label: “social botnets”. Recent example: “Health Insurers Caught Paying Facebook Gamers To Oppose Reform Bill”.


Top Security Stories of the Year?

Next week, I’ll be joining a podcast to discuss “top security stories of the year.” I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year?


NEW: Verizon 2009 DBIR Supplement

The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.


Monkeys krak-oo krak-oo

According to “Campbell’s Monkeys Use Affixation to Alter Call Meaning:” We found that male alarm calls are composed of an acoustically variable stem, which can be followed by an acoustically invariable suffix. Using long-term observations and predator simulation experiments, we show that suffixation in this species functions to broaden the calls’ meaning by transforming a […]


Sweden: An Interesting Demographic Case Study In Internet Fraud

(quietly, wistfully singing “Yesterday” by the Beatles) From my favorite Swedish Infosec Blog, I don’t speak Swedish, so I couldn’t really read the fine article they linked to. Do go read their blog post, I’ll wait here. Back? Great. Here are my thoughts on those numbers: SWEDISH FRAUD STATISTICS RELEASED The World Bank estimates […]


Mandatory web client scripts analogous to CDOs

The widespread and often mandatory use of client scripts in websites (e.g., JavaScript) is like CDOs [Collateralized Debt Obligations]. They both are designed by others with little interest in your security, they leverage your resources for their benefit, they are opaque, complex, nearly impossible to audit, and therefore untrustworthy.


Time to update your threat model to include "friendly fire"

If you work in InfoSec outside of the military, you may be thinking that “offensive cyber capability” doesn’t apply to you. Don’t be so sure. I think it’s worth adding to the threat model for every organization. New “hacking gadgets” could be put in the hands of ordinary soldiers, turning them into the equivalent of “script kiddies”. But what if the potential target knows that such attacks may be coming? They could set up a deceptive defense and redirect the attack to another network.


TSA Security Operating Procedures

Via Gary Leff, we learn that “The TSA Puts Their Sensitive Security Screening Procedures Online For All To See (oops).” It’s another “we blacked out the doc without blacking out the data” story. The doc is 93 pages, and I don’t have time to more than skim it right now. I think that the redactions […]
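The failure mode that post names (a black box painted over the page while the text underneath stays in the file) is easy to check for before publishing. The Python below is an added example, not code from the original post or from the TSA document. It constructs a toy PDF page content stream (the drawing operators inside a page object; shown uncompressed here, whereas real files usually Flate-compress streams and you would run a proper extractor such as pdftotext first), pulls out every Tj string the way any text extractor does, and contrasts overlay redaction with actually deleting the text operators. The sample strings, the box coordinates and the helper names are all constructed for the example.

```python
import re

# Constructed sample, not from the TSA document: a page content stream that
# draws two lines of text and then paints a black box over the first one.
# This is "overlay" redaction: the page renders as blacked out, but the text
# operator that carries the sensitive string is still in the file.
OVERLAY_REDACTED_STREAM = b"""
BT /F1 12 Tf 72 700 Td (Constructed sensitive line A) Tj ET
BT /F1 12 Tf 72 680 Td (Constructed public line B) Tj ET
0 g
70 695 260 16 re f
"""

# A text object is everything between BT and ET; a Tj operator shows the
# string operand that precedes it. (Real files also use TJ with arrays and
# hex strings; those are left out here to keep the mechanism visible.)
TEXT_OBJECT = re.compile(rb"BT.*?ET", re.DOTALL)
TEXT_SHOW = re.compile(rb"\((?P<s>(?:\\.|[^\\)])*)\)\s*Tj")


def extract_shown_text(stream: bytes) -> list[str]:
    """Return every Tj string in the stream, i.e. what a text extractor or a
    copy-and-paste from the viewer recovers, regardless of what is painted
    on top of it later in the stream."""
    found = []
    for m in TEXT_SHOW.finditer(stream):
        raw = m.group("s")
        # Undo the PDF string escapes for parentheses and backslash.
        found.append(re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1"))
    return found


def redaction_is_effective(stream: bytes, secrets: list[bytes]) -> bool:
    """The check to run before release: does any secret still come back out
    of the text layer?"""
    shown = "\n".join(extract_shown_text(stream))
    return not any(s.decode("latin-1") in shown for s in secrets)


def redact_text(stream: bytes, secrets: list[bytes], box: tuple) -> bytes:
    """Real redaction: delete every text object that carries a secret, then
    paint the box for the reader's benefit. The box is cosmetic; the deletion
    is what makes the content unrecoverable."""
    def keep_or_drop(m: re.Match) -> bytes:
        return b"" if any(s in m.group(0) for s in secrets) else m.group(0)

    cleaned = TEXT_OBJECT.sub(keep_or_drop, stream)
    x, y, w, h = box
    return cleaned + b"0 g\n%d %d %d %d re f\n" % (x, y, w, h)


if __name__ == "__main__":
    secrets = [b"sensitive line A"]
    print("overlay only, text extracted:", extract_shown_text(OVERLAY_REDACTED_STREAM))
    print("overlay effective?", redaction_is_effective(OVERLAY_REDACTED_STREAM, secrets))
    fixed = redact_text(OVERLAY_REDACTED_STREAM, secrets, (70, 695, 260, 16))
    print("after removal, text extracted:", extract_shown_text(fixed))
    print("removal effective?", redaction_is_effective(fixed, secrets))
```

The point of the check is that it ignores appearance entirely: it reads the same text layer a search engine, a screen reader or a copy-and-paste would, so a document that passes it has had the content removed rather than hidden. Metadata, embedded fonts with subset glyphs, annotations and the original document's revision history are further places a secret can survive, and a release review should look at those too.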


All in the Presentation

America’s Finest News Source teaches an excellent lesson on how to spin data: Labor Dept: Available Labor Rate Increases To 10.2% WASHINGTON—In what is being touted by the Labor Department as extremely positive news, the nation’s available labor rate has reached double digits for the first time in 26 years, bringing the total number of […]


Engineers vs. Scammers

Adam recently sent me a link to a paper titled, “Understanding scam victims: seven principles for systems security.” The paper examines a number of real-world (i.e. face-to-face) frauds and then extrapolates security principles which can be applied generically to both face-to-face and information or IT security problems. By illustrating these principles with examples taken from […]


A sociologist reads a Twitter feed

So, Adam retweets a hysterical reference to a viral email about an absolute genius of a Xmas light display made to look like an accident with a ladder, and the hapless homeowner left hanging from the gutter of his house. The email explains that the display was taken down after two days in large part […]


Fingerprinted and Facebooked at the Border

According to the Wall St Journal, “Iranian Crackdown Goes Global,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online. That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they […]


Dilbert On Reusable Code

A while back I wrote an article on reusable code for ThreatPost. Today’s Dilbert has an alternate, equally useful take on reusable code.


The stupidest post of the year?

George Hulme nominates this as the stupidest blog post of the year. I’m tempted to vote, although we have 30 more days. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period). My take? Anytime someone says that […]


Miscommunicating risks to teenagers

A lesson in miscommunication of risk from “abstinence only” sex education aimed at teenagers. The educators emphasize the failure rate of condoms, but never mention the failure rate of abstinence-only policies when implemented by teenagers.


We've made piracy a community activity.

From BoingBoing: Somali nautical pirates have established a stock-market where guns and cash are invested in upcoming hijackings, with shares of the proceeds returned to investors Emergent Chaos strikes again…


The Market for Fake Police Badges

But in New York, a city that has become almost synonymous with high security, where office employees wear picture IDs and surveillance cameras are on the rise, some officers don’t wear their badges on patrol. Instead, they wear fakes. Called “dupes,” these phony badges are often just a trifle smaller than real ones but otherwise […]


Awesome Vendor-Speak

I received an unsolicited ( I’ve tried to unsubscribe several times there, techtarget ) email today, that I actually happened to open because it advertised an “integrated maturity model for governance and security”. Yeah, I’m a sucker like that. This is what I read: …a practical maturity model with illustrative use cases that can be […]


Chris Soghoian’s Surveillance Metrics

I also posted about this on Emergent Chaos, but since our readership doesn’t fully overlap, I’m commenting on it here as well. Chris Soghoian has just posted some of his new research into government electronic surveillance here in the US. The numbers are truly astounding (Sprint for instance provided geo-location data on customers eight million […]


Eight Million? Eight Million?!?!

Chris Soghoian, who we’ve mentioned here extensively in the past, has posted some new research around just how much electronic surveillance is really going on here in the US. Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of […]


Visualization Monday: Storage

This is cool. Visualization of relative storage capacities in terms of media and format. Notice that it goes all the way back into pre-digital forms, a subtle tweak that I’ll bet a lot of people miss on first inspection. Too bad, too, since the ability to seamlessly compare seemingly-different things is a valuable skill when […]


2010 Security Prognosticators – Put Your Money Where Your Mouth Is!!!

Just saw where Symantec has released their 2010 Security Trends to watch. Now not to pick on Symantec (I’m guilty of the same mess in the past myself over on my old blog) but usually these sorts of prognostication lists are full of the same horse@!@#$. For example: 8. Mac and Mobile Malware Will Increase […]


FBI Gets all New School

“Of the thousands of cases that we’ve investigated, the public knows about a handful,” said Shawn Henry, assistant director for the Federal Bureau of Investigation’s Cyber Division. “There are million-dollar cases that nobody knows about.” … “Keeping your head in the sand on filing a report means that the bad guys are out there hitting […]


Tifatul Sembiring Causes Disasters

The BBC reports that “Indonesia minister says immorality causes disasters:” A government minister has blamed Indonesia’s recent string of natural disasters on people’s immorality. Communication and Information Minister Tifatul Sembiring said that there were many television programmes that destroyed morals. Therefore, the minister said, natural disasters would continue to occur. His comments came as he […]


For Those Not In The US (or even if you are)

I’d like to wish US readers a happy Thanksgiving. For those outside of the US, I thought this would be a nice little post for today: A pointer to an article in the Financial Times, “Baseball’s love of statistics is taking over football“ Those who indulge my passion for analysis and for sport know that […]


An advance in the "balance" between security and privacy

Today on Thanksgiving, I’m thankful that the European Parliament has adopted what may be the first useful statement about the balance between security and privacy since Franklin: “… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to […]


Less Is More

Great post today over on SecureThinking about a customer who used a very limited signature set for their IDS. Truth of the matter was that our customer knew exactly what he was doing. He only wanted to see a handful of signatures that were generic and could indicate that “something” was amiss that REALLY needed […]


Deny thy father and refuse thy gene sequence?

There’s a fascinating article in the NYTimes magazine, “Who Knew I Was Not the Father?” It’s all about the impact of cheap paternity testing on conceptions of fatherhood. Men now have a cheap and easy way of discovering that children they thought were theirs really carry someone else’s genes. This raises the question, what is fatherhood? […]


Jail Time For ID Fraud

This past Friday, Baltimore resident, Michelle Courtney Johnson, was sentenced to 18 months in jail and a $200K fine for theft and use of PHI. According to her plea agreement and court documents, from August 2005 to April 2007, Johnson provided a conspirator with names, Social Security numbers and other identifying information of more than […]


Connecticut Attorney General On The March

It’s been a bad couple of weeks for residents of Connecticut and their personal health information. First Blue Cross Blue Shield had a laptop stolen with enough PHI that over 800K doctors were notified that their patients were at risk, including almost 19K in Connecticut. Connecticut’s attorney general said Monday that he’s investigating insurer Blue […]


Hackers treated as credible sources of information (D'oh!)

Contrary to popular belief, hackers are not credible sources of information that they themselves have stolen and leaked. Maybe they weren’t “hackers” at all. News organizations and bloggers should think more critically and do more investigation before they add to the “echo chamber effect” for such reports.


Poker Faced?

In “An Unstoppable Force Meets…” Haseeb writes about “we have just witnessed a monumental event in the history of online poker – the entrance of Isildur into our world of online poker.” Huh? Really? The post is jargon packed, and I’m not a poker player, but apparently this Isildur character has slaughtered all the best […]


Rational Ignorance: The Users' view of security

Cormac Herley at Microsoft Research has done us all a favor and released a paper So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users which opens its abstract with: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore […]


UK Confused About Piracy

According to BoingBoing, “Leaked UK government plan to create “Pirate Finder General” with power to appoint militias, create laws:” What that means is that an unelected official would have the power to do anything without Parliamentary oversight or debate, provided it was done in the name of protecting copyright. Mandelson elaborates on this, giving three […]


"80 Percent of Cyber Attacks Preventable"

Threatlevel (aka 27B/6) reported yesterday that Richard Schaeffer, the NSA’s information assurance director, testified to the Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security on the issue of computer based attacks. If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could […]


Questions about Schaeffer's 80% improvement

According to Kim Zetter at Wired, in Senate testimony, Richard Schaeffer, the information assurance director at NSA, claimed that “If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented.” I’m trying to find if that’s the FDCC (Federal Desktop Core Configuration), […]


FTC Delays Red Flags Enforcement Yet Again

I missed this when it hit the newswires two weeks ago, but the FTC has delayed enforcement of the Red Flags Rule. This change was in response to the American Bar Association successfully suing the FTC and being granted an injunction to prevent the Red Flags Rule being applied to lawyers. Similarly, the American Institute […]


ICSA Labs report

In the book, Andrew and I wrote about trading data for credibility. If Verizon’s enthusiasm for sharing their learning is any indication, the approach seems to be paying off in spades. At the Verizon Business blog, Wade Baker writes: Today ICSA Labs (an independent division of Verizon Business) released a report based on testing results […]


Can't tell the players without a program

You can’t tell the good guys from the bad guys without knowing the color of their hat. I wish there were some sort of map of the Black Hat ecosystem because it’s hard for non-specialists to tell. Case in point: Looks like a nice, simple service that scans uploaded files using multiple AV software with the latest signatures. But it seems *much* more useful to bad guys (malware writers and distributors) than for good guys. Who does it serve?


In the Proudest Traditions of the Royal Navy

The Royal Fleet Auxiliary ship Wave Knight watched a yacht be hijacked for fear of harming its passengers. All stand for a rousing round of “Ain’t gonna study war no more.”


Rich Mogull's Divine Assumptions

Our friend Rich Mogull has an interesting post up on his blog called “Always Assume“. In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions. And he offers a simple, pragmatic process for assumptions which is mainly scenario development, justification, and action. […]


Best Practices in Tax Management

Someone sent me a link to “How to Audit-Proof Your Tax Return: Don’t e-File,” by Paul Caron. In it he quotes a plausible theory that “you are giving the IRS easy electronic access to information it would otherwise have to enter, enabling the agency to examine your return and mine the data more easily than […]


CFP: 9th Workshop on the Economics of Information Security (WEIS)

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science.


Practices: Proven vs. Standard?

In comments yesterday, both Kyle Maxwell and Nicko suggested that “standard” is a better adjective than “proven:” I like Kyle’s “standard” practice, since it makes it clear that you are just following the flock for safety by sticking to them. Perhaps we should call them “flocking standard practice” I do think there’s an important difference, […]


How to Use the "Think" Best Practice

After I posted the new Best Practice: Think, Dennis Fisher tweeted “Never catch on. Nothing for vendors (or Gartner) to sell.” Which is true, but that’s not the point. The point is to be able to ju-jitsu your best-practice cargo-culter into submission. For example: Cargo-culter: We don’t need a review, this project complied with all […]


Quick Thought: Scenario Planning

I spent yesterday in a workshop learning about and practicing scenario planning. It’s a really great tool for planning for (as opposed to predicting) the future. It feels like it’s a great addition to the risk assessment/management process. Check it out.


Visual Notetaking

I’m a big fan of the book “Back of the Napkin” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept “visual notetaking” where you use images to support other notes you are taking during a meeting. I’m at a two day workshop and we have […]


"As far as I know, effective immediately"

Asked about the timing, the unbriefed propaganda minister mumbled: “As far as I know, effective immediately.” When that was reported on television, the Berliners were off. Baffled border guards who would have shot their “comrades” a week earlier let the crowd through—and a barrier that had divided the world was soon being gleefully dismantled. West […]


Mini Metricon 4.5 Call for Participation

[Posting this here to help get the word out – Chris ] Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the […]


2 Proposed Breach Laws move forward

See George Hulme, “National Data Breach Law Steps Closer To Reality ” and Dennis Fisher “” Dennis flags this awe-inspiring exception language: “rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.” […]


On smelly goats, unicorns, and FUD

Unicorns (of some sort) are not impossible in principle, only non-existent in recent times. As evidence, I offer Tsintaosaurus spinorhinus, a real dinosaur found in China. Though we may be comfortable with our current “smelly, ugly goat” practices, including the ethically questionable FUD tactic, they only perpetuate the problems and, at worst, are like peeing in the swimming pool.


Apologies to Richard Bejtlich

The previous blog post, “Just say ‘no’ to FUD”, described Richard Bejtlich’s post at Tao of Security as “FUD in other clothing”. That was over-reaching. I apologize. There was an element of FUD, but my main objection to Richard’s post was due to other reasons.


Mini Metricon 4.5 Call For Participation

Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the RSA Conference, to be held during the same week. Mini MetriCon attendees […]


"A Call for Evidence-Based Security Tools"

Via Schneier: From the Open Access Journal of Forensic Psychology, by a large group of authors: “A Call for Evidence-Based Security Tools“: Abstract: Since the 2001 attacks on the twin towers, policies on security have changed drastically, bringing about an increased need for tools that allow for the detection of deception. Many of the solutions […]


Pay for your own dog food

At Microsoft, there’s a very long history of ‘eating your own dogfood’ or using the latest and greatest daily builds. Although today, people seem to use the term “self-host,” which seems evidence that they don’t do either. Eating your own dogfood gives you a decent idea of when it starts to taste ok, which is […]


Thank you!

For the opportunity to do this:


Detecting Malice

I just finished reading RSnake’s new book Detecting Malice and I can say without a doubt that it is one of the best technical books I have ever read. Furthermore, I can tell you that it is, without a doubt, the best web security book I have ever had the pleasure to read. Imagine a […]


Tabletop Science

Mordaxus emailed some of us and said “I hope this doesn’t mean MG has jumped the shark.” What was he talking about? Apparently, ThinkGeek now has a “Molecular Gastronomy Starter Kit.” For those of you who’ve been hiding in a Cheesecake Factory for the past few years, molecular gastronomy is the art of using science […]


Seattle: Pete Holmes for City Attorney

I don’t usually say a lot about local issues, but as readers know, I’m concerned about how arbitrary ID checking is seeping into our society. It turns out my friend Eric Rachner is also concerned about this, and was excited when a Washington “Judge said showing ID to cops not required.” So when Eric was […]


Just say 'no' to FUD

“Fear, uncertainty, and doubt” (FUD) is a distortion tactic to manipulate decision-makers. You may think it’s good because it can be successful in getting the outcomes you desire. But it’s unethical. FUD is also anti-data and anti-analysis. Don’t do it. It’s the opposite of what we need.


Ooops! and Ooops again!

Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe: Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an orrery, not an astrolabe?” It appears that I’m going to have to update my commentary. […]


Ross Anderson's Psychology & Security page

Ross Anderson has a new Psychology and Security Resource Page. His abstract: A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as […]


Fordham report on Children's Privacy

Following the No Child Left Behind mandate to improve school quality, there has been a growing trend among state departments of education to establish statewide longitudinal databases of personally identifiable information for all K-12 children within a state in order to track progress and change over time. This trend is accompanied by a movement to […]


Bob Blakley Gets Future Shock Dead Wrong

Bob Blakley has a very thought provoking piece, “Gartner Gets Privacy Dead Wrong.” I really, really like a lot of what he has to say about the technical frame versus the social frame. It’s a very useful perspective, and I went back and forth for a while with titles for my post (The runner up […]


Is responsible disclosure dead?

Jeremiah Grossman has an article in SC Magazine, “Businesses must realize that full disclosure is dead.” On Twitter, I asked for evidence, and Jeremiah responded “Evidence of what exactly?” I think the key assertion that I take issue with is bolded in the context below: Unquestionably, zero-day vulnerabilities have an increasing real-world value to many […]


The Conch Republic

Apparently, in a sovereign-in-cheek move, the Florida Keys have withdrawn from the United States, and declared themselves to be “The Conch Republic.” Their motto is “We seceded where others failed.” Perhaps you haven’t heard of them because they make all the good jokes, making writing about them hard. I heard about them because of […]


On the value of 'digital asset value' for security decisions

What good is it to know the economic value of a digital asset for the purposes of making information security decisions? If you can’t make better decisions with this information, then the metric doesn’t have any value. This post discusses alternative uses, especially threshold or sanity checks on security spending. For these purposes, it functions better as a “spotlight” than as a “razor”. Digital Asset Value has other uses, not the least to get InfoSec people to understand Business people and their priorities and vice versa.


Something For Soscia, Girardi, & Charlie Manuel

It’s the probabilistic decision making tool for baseball managers.  On the iPhone. It’s like a business intelligence application in the palm of your hand 🙂 Basically, it takes the probabilistic models of either Win Expectancy or Run Expectancy (any given action has some probability of contributing a run or a win) and given a situation, […]


Prisoners in Iran

There are apparently many people being held without charges by the Iranian government. But as far as I know, I’ve only ever met one of them, and so wanted to draw attention to his case: During this entire time, our son has had just two short meetings with us for only a few minutes. Please imagine […]


Vista Didn't Fail Because of Security

Bruce Schneier points in his blog to an article in The Telegraph in which Steve Ballmer blames the failure of Vista on security. Every security person around should clear their throat loudly. Security is not what made Vista unpalatable. Many people liked Vista. My tech reporter friends not only adored it, but flat couldn’t understand […]


Dear ChoicePoint: Lying like a cheap rug undercuts all that

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized […]


How to Value Digital Assets (Web Sites, etc.)

If you need to do financial justification or economic analysis for information security, especially risk analysis, then you need to value digital assets to some degree of precision and accuracy. There is no universally applicable and acceptable method. This article presents a method that will assist line-of-business managers to make economically rational decisions consistent with overall enterprise goals and values.


RSnakes On A Plane

or why RSnake will never be allowed to play video blackjack or poker at Blackhat ever again. RSnake’s exploits with the game system on a recent flight are a fabulous read. Makes me wonder just how integrated these systems are with the regular flight systems though. Btw, RSnake, I expect a demo as part of […]


You've Got To Move It Move It

Josh Corman had an awesome post over on Fudsec on Friday. It’s so awesomely appropriate to this blog, that I’m sharing it with you. My only complaint is that I wish that I had written it instead. Go read it right now.


Toyota Stalks Woman, Claims She Consented

In a lawsuit filed Sept. 28 in Los Angeles Superior Court, Amber Duick claims she had difficulty eating, sleeping and going to work during March and April of last year after she received e-mails for five days from a fictitious man called Sebastian Bowler, from England, who said he was on the run from the […]


Another good metaphor, killed by science

Wired has a First Look: Dyson’s Blade-Free Wonder Fan Blows Our Minds: Future generations will have no idea why the shit hitting the fan is any worse than it hitting anything else.


Speaking in Michigan on Tuesday

Andrew Stewart and I will be speaking at the University of Michigan SUMIT_09 on Tuesday. We’re on 10:30-11:25. If you’re in the area, please come by.


Are Security "Best Practices" Unethical?

Anton Chuvakin’s been going old school. Raising the specter of “risk-less” security via best practices and haunting me like the ghost of blog posts past. Now my position around best practices in the past has been that they are, to use Jack Jones’ phrase, Infosec “shamanism”. We do these things because our forefathers do them, […]


SECTOR Sniffing: It Smells, as does the Response

Apparently, at the SecTor security conference, someone tapped into the network and posted passwords to a Wall of Sheep. At the SecTor speakers dinner, several attendees were approached by colleagues and informed that their credentials appeared on the “Wall of Shame” for all to see. When questioned about how the encrypted and unencrypted traffic was […]


New Best Practice: Think

Since anyone can declare anything a best practice in information security, I’d like to add my favorite to your list. Think. Thank you.


Another Long Time Fugitive Arrested

Yesterday, Luis Armando Peña Soltren was arrested after forty years on the run for hijacking a plane to Cuba. Soltren “will finally face the American justice system that he has been evading for more than four decades,” said U.S. Attorney Preet Bharara. I understand that Woody Allen, Martin Scorsese and David Lynch are already circulating a […]


The Presentation of Self and Everyday Photographs

With the kind help of our awesome readership, Amazon and Glazer’s, I’ve acquired a camera, some books, a tripod, a prime 50mm, a flash diffuser, a polarizing filter, a graduated neutral filter, and some other random photography toys tools. You might question this, but I can quit anytime. Really! I even offered to loan my […]


Visual Complexity Web Site intends to be a unified resource space for anyone interested in the visualization of complex networks. While it may not contain any examples specific to information security, there may be some methods and ideas that can be adapted to InfoSec.


LCROSS Lunar Impact Friday, 4:30 AM Pacific

So the Lunar Crater Observation and Sensing Satellite has one last sensing task which it will carry out tomorrow morning at 4:30 AM Pacific. That is to dig a big hole in Cabeus (proper) and see if there’s water there. Unfortunately for LCROSS, it doesn’t really have landing jets, which means it will dig a […]


Hal Finney's news

Hal Finney has posted some news to LessWrong: A man goes in to see his doctor, and after some tests, the doctor says, “I’m sorry, but you have a fatal disease.” Man: “That’s terrible! How long have I got?” Doctor: “Ten.” Man: “Ten? What kind of answer is that? Ten months? Ten years? Ten what?” […]


Tetraktys is the Best Cryptographic Novel Ever

I’ve been remiss in not posting a review of Tetraktys, by Ari Juels. Short review: It’s better written and has better cryptographers than the ones in any Dan Brown novel, but that’s really damning it with faint praise, which it doesn’t deserve. It’s a highly readable first novel by Ari Juels, who is Chief Scientist […]


Quick Thoughts on the New Blogging Regulations

I want to congratulate the folks at the FTC, who’ve decided we all need to follow some rules about what bloggers can say. See for example, “FTC Tells Amateur Bloggers to Disclose Freebies or Be Fined” at Wired. These new rules are documented in an easy to read 81 […]


The Cost of a Near-Miss Data Breach

Near misses are very valuable signals regarding future losses. If we ignore them in our cost metrics, we might make some very poor decisions. This example shows that there is a qualitative difference between “ground truth data” (in this case, historical cash flow for data breach events) and overall security metrics, which need to reflect our estimates about the future, a.k.a. risk.


Botnet Research

Rob Lemos has a new article up on the MIT Technology Review, about some researchers from UC Santa Barbara who spent several months studying the Mebroot Botnet. They found some fascinating stuff and I’m looking forward to reading the paper when it’s finally published. While the vast majority of infected machines were Windows based (64% […]


Punditry: Better Security Through Diversity Of Thinking

I am honored that the kind folks at Threatpost have asked me to write for them occasionally. My first post is about better security through diversity of thinking which was inspired by pastry chef Shuna Fish Lydon. From her post (which I quoted in mine as well) It is my experience that unless you push […]


Changing Expectations around Breach Notice

Earlier this month, the Department of Health and Human Services imposed a “risk of harm” standard on health care providers who lose control of your medical records. See, for example, “Health IT Data Breaches: No Harm, No Foul:” According to HHS’ harm standard, the question is whether access, use or disclosure of the data poses […]


MA/NY: Using GPS To Track Cars Requires A Warrant

Jennifer Granick reports that in Massachusetts, Cops Can’t Convert Car Into Tracking Device Without Court’s OK. Connolly decided that the installation of the GPS device was a seizure of the suspect’s vehicle. “When an electronic surveillance device is installed in a motor vehicle, be it a beeper, radio transmitter, or GPS device, the government’s control […]


Some thoughts on the Olympics, Chicago and Obama

So the 2016 Olympics will be in Rio de Janeiro. Some people think this was a loss for Obama, but Obama was in a no-win situation. His ability to devote time to trying to influence the Olympics is strongly curtailed by other, more appropriate priorities. If he hadn’t gone to Copenhagen, he would have been […]


Models are Distracting

So Dave Mortman wrote: I don’t disagree with Adam that we need raw data. He’s absolutely right that without it, you can’t test models. What I was trying to get at was that, even though I would absolutely love to have access to more raw data to test my own theories, it just isn’t realistic […]


Security is About Outcomes, FISMA edition

Over at the US Government IT Dashboard blog, Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO) write: the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ […]



So awhile back, I posted the following to twitter: Thought of the Day: We don’t need to share raw data if we can share meta-data generated using uniform analytical methodologies. Adam, disagreed: @mortman You can’t test & refine models without raw data, & you can’t ask people with the same orientation to bring diverse perspectives. […]


Gates Was Hardly An Exception

There was a lot of news when Henry Lewis Gates was arrested back in July, essentially for mouthing off to a cop. What happened was a shame, but what is more of a shame is that this sort of thing isn’t that rare. Time magazine had a recent article about this, Do You Have the […]


Happy Banned Books Week!

Quoting Michael Zimmer: [Yesterday was] the start of Banned Books Week 2009, the 28th annual celebration of the freedom to choose what we read, as well as the freedom to select from a full array of possibilities. Hundreds of books are challenged in schools and libraries in the United States each year. Here’s a great […]


Podcasts with Amrit

I had fun recording Beyond the Perimeter Episodes 48 and 49 with Amrit. I think Amrit asked some of the broadest, most complex questions I’ve been asked, and it was hard to keep the episodes short. Go have a listen!


A Little Temporary Safety

So I saw this ad on the back of the Economist. (Click for a larger PDF). In reading it, I noticed this exhortation to “support the STANDUP act of 2009:” The STANDUP Act* (H.R. 1895) creates a National Graduated Driver Licensing (GDL) law that [limits nighttime driving, reduces in-car distractions, puts a cap on the […]


Metrics Abused

Statistically speaking, 6 out of 7 dwarves are not happy. [via zem42]


National Cyber Leap Year Summit reports now available

I believe these are the final deliverables: National Cyber Leap Year Summit 2009 Co-Chairs Report — main discussion of metrics is p 26-28 National Cyber Leap Year Summit 2009 Participants’ Ideas Report – main discussion of metrics is p 44-46, p 50-51, and p 106; with related discussion on p 53-54. Also worth noting is […]


Happy Emancipation Proclamation Day!

That on the first day of January in the year of our Lord, one thousand eight hundred and sixty-three, all persons held as slaves within any state, or designated part of a state, the people whereof thenceforward, and forever free; and the executive government of the United States [including the military and naval authority thereof] […]


Making Sense of the SANS "Top Cyber Security Risks" Report

The SANS Top Cyber Security Risks report has received a lot of positive publicity. I applaud the effort and goals of the study and it may have some useful conclusions. We should have more of this. Unfortunately, the report has some major problems. The main conclusions may be valid but the supporting analysis is either confusing or weak. It would also be good if this study could be extended by adding data from other vendors and service providers.


Private Thoughts on Race

So I’m sitting on the plane home from* Seattle, and I had a really interesting conversation on race with the woman next to me. We were talking, and she asked me, why is it so hard to have conversations like this. I thought that the answer we came to was interesting, and insofar as it […]


Visualization Friday – Improving a Bad Graphic

We can learn from bad visualization examples by correcting them. This example is from the newly released SANS “Top Cyber Security Risks” report. Their first graphic has a simple message, but due to various misleading visual cues, it’s confusing. A simplified graphic works much better, but they probably don’t need a graphic at all — a bulleted list works just as well. Moral of this story: don’t simply hand your graphics to a designer with the instructions to “make this pretty”. Yes, the resulting graphic may be pretty, but it may lose its essential meaning or it might just be more confusing than enlightening. Someone has to take responsibility for picking the right visualization metaphor and structures.


Secret Photo Apps for the iPhone

If you try searching the App store for photo apps, you find all sorts of things to make your photos sepia. Or blurry. Or to draw on them. Which is great, but if you want apps to help you take photographs, they’re sorta hard to find. So here are some links: First up, a reference […]


Proskauer Rose Crows "Rows of Fallen Foes!"

Over on their blog, the law firm announces yet another class action suit over a breach letter has been dismissed. Unfortunately, that firm is doing a fine business in getting rid of such suits. I say it’s unfortunate for two reasons: first, the sued business has to lay out a lot of money (not as […]


Notes to the Data People

Over on his Guerilla CISO blog, Rybolov suggests that we ask the folks for infosec data using their Suggest a data set page. It sounds like a good idea to me! I took his request and built on it. Rather than breaking the flow with quotes and edit marks, I’ll simply say the requests […]


Atoms, Photographed

The pictures, soon to be published in the journal Physical Review B, show the detailed images of a single carbon atom’s electron cloud, taken by Ukrainian researchers at the Kharkov Institute for Physics and Technology in Kharkov, Ukraine….To create these images, the researchers used a field-emission electron microscope, or FEEM. They placed a rigid chain […]


12 Tips for Designing an InfoSec Risk Scorecard (its harder than it looks)

An “InfoSec risk scorecard” attempts to include all the factors that drive information security risk – threats, vulnerabilities, controls, mitigations, assets, etc. But for the sake of simplicity, InfoSec risk scorecards don’t include any probabilistic models, causal models, or the like. Such a scorecard can only roughly approximate risk under simplifying assumptions. This leaves the designer open to all sorts of problems. Here are 12 tips that can help you navigate these difficulties. It’s harder than it looks.


BBC Video of Liquid Explosives

The BBC has some really scary video “Detonation of Liquid Explosives.” However, as I thought about it, I grow increasingly confused by what it purports to show, and the implications. At the end of the day, I think there are two possibilities: It’s a fair representation, or it’s not. I’m leaning slightly towards the second. […]


This Friday is “Take an Academic Friend to Work Day”

We need more cross-disciplinary research and collaboration in InfoSec. We start on a small scale, starting with people in our professional network. One fertile area of research and collaboration is to apply the latest research in non-standard logic and formal reasoning (a.k.a. AI) to InfoSec risk management problems. The problem is that most of that research reads like Sanskrit unless you are a specialist. Rather than simply post links to academic papers and ask you to read them, let’s use these papers as a vehicle to start a dialog with an academic friend, or a friend-of-friends. Maybe there are some breakthrough ideas in here. Maybe not. Either way, you will have an interesting experience in cross-discipline collaboration on a small scale.


Is risk management too complicated and subtle for InfoSec?

Luther Martin, blogger with Voltage Security, has advised caution about using risk management methods for information security, saying it’s “too complicated and subtle” and may lead decision-makers astray. To back up his point, he uses the example of the Two Envelopes Problem in Bayesian (subjectivist) probability, which can lead to paradoxes. Then he posed an analogous problem in information security, with the claim that probabilistic analysis would show that new security investments are unjustified. However, Luther made some mistakes in formulating the InfoSec problem and thus the lessons from the Two Envelopes Problem don’t apply. Either way, a reframing into a “possible worlds” analysis resolves the paradoxes and accurately evaluates the decision alternatives for both problems. Conclusion: risk management for InfoSec is complicated and subtle, but that only means it should be done with care and with the appropriate tools, methods, and frameworks. Unsolved research problems remain, but the Two Envelopes Problem and similar are not among them.
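The “possible worlds” reframing, as an added example that is not part of the original post or of Luther Martin’s argument. It enumerates every world the problem allows under a constructed, finite prior over the smaller amount (an assumption for the example; any proper prior gives the same result), and computes what switching is actually worth. The naive argument (“the other envelope holds 2A or A/2, each with probability 1/2, so switching is worth 1.25A”) only matches the real conditional expectation in the interior of the prior; at its edges the conditional probabilities are not one half, and the unconditional expectations of “stay” and “switch” come out identical.

```python
from fractions import Fraction

# Constructed prior over the smaller amount x in the pair (x, 2x).
# Assumption for the example: four equally likely values, summing to 1.
PRIOR = {1: Fraction(1, 4), 2: Fraction(1, 4), 4: Fraction(1, 4), 8: Fraction(1, 4)}


def possible_worlds(prior):
    """Enumerate (probability, amount_held, amount_in_other) for every world.

    For each smaller amount x the pair is (x, 2x) and you were handed either
    envelope with probability 1/2, so each x contributes two worlds.
    """
    for x, p in prior.items():
        yield p / 2, x, 2 * x
        yield p / 2, 2 * x, x


def expected_values(prior):
    """Unconditional expected payoff of 'stay' and of 'switch' over all worlds."""
    stay = sum(p * held for p, held, _ in possible_worlds(prior))
    switch = sum(p * other for p, _, other in possible_worlds(prior))
    return stay, switch


def naive_switch_value(held):
    """The paradox's reasoning: other envelope is 2A or A/2 with probability
    1/2 each, regardless of A, so switching is 'worth' 1.25A."""
    return Fraction(1, 2) * 2 * held + Fraction(1, 2) * Fraction(held, 2)


def conditional_switch_value(prior, held):
    """E[other | you hold `held`], computed from the worlds that actually
    exist under the prior: the number the naive argument should have used."""
    worlds = [(p, other) for p, h, other in possible_worlds(prior) if h == held]
    total = sum(p for p, _ in worlds)
    if total == 0:
        raise ValueError(f"holding {held} is impossible under this prior")
    return sum(p * other for p, other in worlds) / total


if __name__ == "__main__":
    stay, switch = expected_values(PRIOR)
    print(f"E[stay] = {stay}, E[switch] = {switch}")
    for held in (1, 2, 16):
        print(f"hold {held:>2}: naive switch value {naive_switch_value(held)}, "
              f"actual E[other | held] {conditional_switch_value(PRIOR, held)}")
```

Holding 2 or 8 gives exactly the naive 1.25A, because both neighbouring worlds exist with equal weight. Holding 1 (the smallest possible amount) makes switching certain to double; holding 16 (the largest) makes it certain to halve; and those edge cases cancel the apparent advantage, so E[stay] = E[switch]. The paradox needs an improper prior under which no such edges exist, which is exactly the modelling mistake the post describes.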


Caster Semenya, Alan Turing and "ID Management" products

South African runner Caster Semenya won the women’s 800 meters, and the attention raised questions about her gender. Most of us tend to think of gender as pretty simple. You’re male or you’re female, and that’s all there is to it. The issue is black and white, if you’ll excuse the irony. There are reports that: […]


National Cyber Leap Year: Without a Good Running Start, There Might Be No Leap

The National Cyber Leap Year (NCLY) report coming out in a few weeks might lead to more US government research funding for security metrics in coming years. But that depends on whether the report is compelling to the Feds and Congress. Given the flawed process leading up to the Summit, I have my doubts. Clearly, this NCLY process is not a good model for public-private collaboration going forward.


Rebuilding the internet?

Once upon a time, I was uunet!harvard!bwnmr4!adam. Oh, harvard was probably enough, it was a pretty well known host in the uucp network which carried our email before smtp. I was also harvard!bwnmr4!postmaster which meant that at the end of an era, I moved the lab from copied hosts files to dns, when I became […]


Metrics: 50% Chance of Injury by Biscuit

The Telegraph reports: More than half of all Britons have been injured by biscuits ranging from scalding from hot tea or coffee while dunking or breaking a tooth eating during a morning tea break, a survey has revealed. Who knew that cookies could be so dangerous? So forget worrying about AV or even seat belts, […]


Some Stuff You Might Find Interesting 9-8-2009

IT’S A TAB DUMP Hey, because of the holiday, I missed posting some stuff for you all about security & visualization last week. So I thought I’d make it up to you today (plus, I’m about to declare Firefox tab bankruptcy, as I tend to find things to mention on the blog here and then […]


Make the Smart Choice: Ignore This Label

He said the criteria used by the Smart Choices™ Program™ were seriously flawed, allowing less healthy products, like sweet cereals and heavily salted packaged meals, to win its seal of approval. “It’s a blatant failure of this system and it makes it, I’m afraid, not credible,” Mr. Willett said. […] Eileen T. Kennedy, president of […]


Only an idea after a bunch of calculating

Andrew Koppelman has a post on lawprof blog Balkinization, titled “You have no idea:” This data sits uneasily beside a recent study in the American Journal of Medicine of personal bankruptcies in the United States. In 2007, 62% of all personal bankruptcies were driven by medical costs. “Nationally, a quarter of firms cancel coverage immediately […]


Non Commercial

If you haven’t listened to Larry Lessig’s 23C3 talk, it’s worthwhile to listen to the argument he makes. As I was listening to it, I was struck by the term non-commercial, and, having given it some thought, think that we need a better word to describe the goals Creative Commons is pursuing. The term non-commercial […]


We're all reputable on this bus

There’s an interesting story at Computerworld, “Court allows suit against bank for lax security.” What jumped out at me was Citizens also had claimed that its online banking services were being provided and protected by a highly reputable company. In addition to the third-party security services, Citizens said it had its own measures for protecting […]


Ten Years Ago: Reminiscing about Zero-Knowledge

Ten years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who […]


Sunday Linkage Security/Privacy In The UK

Quarter of a million Welsh profiles added to DNA database since 2000. [I forget who linked to this one.] CCTV in the spotlight: one crime solved for every 1,000 cameras [Via the security metrics mailing list.]


Cures versus Treatment

A relevant tale of medical survival over at The Reality-Based Community: Three years ago a 39-year-old American man arrived at the haematology clinic of Berlin’s sprawling Charité hospital. (The venerable Charité, one of the great names in the history of medicine, used to be in East Berlin, but it’s now the brand for the merged […]


I'm OK When The System Works – Even If It Is A False Alarm

——————————— UPDATE: @lbhuston gives us the dirty low down here: ——————————— This was a test of the emergency broadcast system.  This was only a test, had this been a real change in the Threat Landscape….. You may have read in various media outlets about a little incident that happened yesterday concerning the mailing of […]


Visualization Friday – Back From Hiatus

Hey all, sorry it’s been so long since I put up some eye candy. Today’s posts come from the usual sources (flowing data and other various information design blogs) but I also wanted to point you to a new source of cool: So without further ado, your Visualization Friday Posts (some pertinent to the […]


We Live in Public

It’s opening in New York this weekend, and the New York Times has a review.


Perfecter than Perfect

So I’m having a conversation with a friend about caller ID blocking. And it occurs to me that my old phone with AT&T, before Cingular bought them, had this nifty feature, “show my caller-ID to people in my phone book.” Unfortunately, my current phone doesn’t have that, because Steve Jobs has declared that “Apple’s goal […]


What Are People Willing to Pay for Privacy?

So I was thinking about the question of the value of privacy, and it occurred to me that there may be an interesting natural experiment we can observe, and that is national security clearances in the US. For this post, I’ll assume that security clearances work for their primary purpose, which is to keep foreign […]


Mike Dahn Wants to NewSchool PCI

And I couldn’t agree more. Capability and Maturity Model Creation in Information Security — PS – sorry for using “NewSchool” as a verb.


Social network privacy study finds identity link to cookies

Quick follow up to Adam’s Monday post New on SSRN. Rob Westervelt over at tells us about a social network privacy study finds identity link to cookies. Turns out that passing unique identifiers in referring URLs isn’t such a smart idea after all. Color me shocked. The full paper is linked to from Rob’s […]


Moore's Law is a Factor in This

I remember when Derek Atkins was sending mail to the cypherpunks list, looking for hosts to dedicate to cracking RSA-129. I remember when they announced that “The Magic Words are Squeamish Ossifrage.” How it took 600 people with 1,600 machines months of work and then a Bell Labs supercomputer to work through the data. I […]


Renaming the Blog to Emergent Chaos (II)

A little more seriously, the identity of a blog is constructed between the authors, commenters and readers, and I’m continually amazed by what emerges here. At the same time, what’s emerging is currently not very chaotic, and I’m wondering if it’s time for some mixing it up. Suggestions welcome.


Renaming the blog to Emergent Chaos (I)

In 2007, Artist Kristin Sue Lucas went before a judge to get a name change to…Kristin Sue Lucas. She’s put together a show called “Refresh” and one called “Before and After.” My favorite part is where the judge wrestles with the question “what happens when you change a thing to itself:” JR: And I don’t […]


New on SSRN

There’s new papers by two law professors whose work I enjoy. I haven’t finished the first or started the second, but I figured I’d post pointers, so you’ll have something to read as we here at the Combo improvise around Cage’s 2:33. Paul Ohm has written “Broken Promises of Privacy: Responding to the Surprising Failure […]


Suing Into the Box

Today’s New York Times has an interesting article “A Lawsuit Tries to Get at Hackers Through the Banks They Attack” about the folks over at Unspam who are suing under the Can-Spam Act in an attempt to get the names of miscreants who have been attacking banks. More interestingly, they are hoping to force the […]


Entering Our Prime

Today is amazingly enough the fifth anniversary of Adam starting this blog. It’s amazing how fast time flies when things are chaotic. Seems like just yesterday Adam was doing the initial Star Wars posts. Appropriately enough the most recent in the category was just this past Saturday. Thank you to all of our readers for […]


What should the new czar do? (Tanji's Security Survey)

Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? I think it’s a fascinating question, and posted my answer over […]


What should the new czar do? (Tanji's Security Survey)

Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? My three: De-stigmatize failure. Today, we see the same failures we […]


Heartland/TJX/Hannaford hacker caught

I’ve been busy and haven’t had a lot of time to dig in, but Rich Mogull has some really good articles, “Heartland Hackers Caught; Answers and Questions,” and “Recent Breaches- We May Have All the Answers.” I have two questions: Were these custom attacks, or a failure to patch? Reading what’s not in the USSS/FBI […]


Mortman/Hutton Security-BSides & Black Hat Presentation Available

Hey y’all, happy Monday morning. I’ve put Dave & my presentation for Security BSides up on slideshare: Mortman/Hutton Security B-Sides Presentation View more presentations from alexhutton. Also note that this includes the Black Hat presentation we gave on the Mortman/Hutton Vulnerability/Exploit model. I hope you will enjoy! PS – There’s probably audio available for […]


We Live In Public, The Movie

One of the best ways to upset someone who cares about privacy is to trot out the “nothing to hide, nothing to worry about” line. It upsets me on two levels. First because it’s so very wrong, and second, because it’s hard to refute in a short quip. I think what I like most about […]


Spinal Tap, Copyright

There’s a cute little story in the NYTimes, “Lego Rejects a Bit Part in a Spinal Tap DVD.” I read it as I was listening to a podcast on Shepard Fairey vs The Associated Press that Dan Solove pointed out. In that podcast, Dale Cendali (the attorney representing the AP) asserts that licensing is easy, […]


Hearsay podcast: Shostack on Privacy

Dennis Fisher talks with Microsoft’s Adam Shostack about the Privacy Enhancing Technologies Symposium, the definition of privacy in today’s world and the role of technology in helping to enhance and protect that privacy. As always, a fun conversation with Dennis Fisher. Ran longer than I think either of us expected at 41:15. And speaking of […]


Heartland CEO and Outrage

Bill Brenner has an interview with Robert Carr, the CEO of Heartland. It’s headlined “Heartland CEO on Data Breach: QSAs Let Us Down.” Some smart security folks are outraged, asserting that Carr should know the difference between compliance and security, and audit and assessment. Examples include Rich Mogull’s “Open Letter to Robert Carr” and Alan […]


New Breach Laws

Missouri adds a law with a “risk of harm trigger” aka the full-employment provision for lawyers and consultants. Texas adds health data to their notification list. Most importantly, North Carolina requires notice to their attorney general for breaches smaller than 1,000 people. I think Proskauer here is being a little inaccurate when they characterize this […]


Information Security-Don't sweat it

So-called clinical-strength antiperspirants …come with instructions that they be applied before bed for “maximum” protection from wetness and odor. … Even regular-strength antiperspirants work best when applied to underarms at night, experts told us. Bedtime application “really is the best way to use an antiperspirant,” says David Pariser, M.D., president of the American Academy of […]


What's in a name?

Brian Jones Tamanaha has an interesting post about our database-driven society. The core of it is that English is bad at recording some names. The solution? Force people to change their official names for the convenience of the database: During public hearings on the voter identification legislation in the House, state Rep. Betty Brown, R-Terrell, […]


Dear $LOCALBANK That I Use

Keeping a database of all of your ATM PINs in a clear (or possibly encrypted but easily reversible) text database is not a good idea. I honestly can’t see any use value for this, especially when they won’t tell you what your PIN is even if you have multiple forms of government issued identification. No […]
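Why “possibly encrypted but easily reversible” is the right worry for a four-digit PIN, as an added example that is not part of the original post and does not describe the bank’s actual system. The first half shows that even a salted hash of a PIN is, for practical purposes, plaintext: the whole PIN space is 10,000 values, so a copy of the table recovers every PIN offline. The second half shows the shape of a check that does not have that property: a keyed MAC whose key is not in the database. In real payment systems that key lives in an HSM; here it is an in-process assumption so the example runs stand-alone.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PIN_LENGTH = 4


def hash_pin(salt: bytes, pin: str) -> bytes:
    """A plausible 'we don't store it in the clear' scheme: SHA-256(salt || PIN).
    Hypothetical, and used here only as the target of the brute force below."""
    return hashlib.sha256(salt + pin.encode()).digest()


def recover_pin(salt: bytes, digest: bytes, length: int = PIN_LENGTH) -> Optional[str]:
    """Offline brute force over the entire PIN space. With four digits that is
    10,000 hashes per row; a dumped table with its salts gives up every PIN."""
    for n in range(10 ** length):
        candidate = f"{n:0{length}d}"
        if hash_pin(salt, candidate) == digest:
            return candidate
    return None


def make_pin_tag(key: bytes, account: str, pin: str) -> bytes:
    """Keyed alternative: HMAC-SHA256 over (account, PIN) under a secret key.
    Binding the account stops one recovered tag from matching other rows,
    and without the key the stored tag cannot be brute-forced offline.
    The key is assumed to be held outside the database (an HSM in practice)."""
    message = account.encode() + b"\x00" + pin.encode()
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_pin(key: bytes, account: str, pin: str, tag: bytes) -> bool:
    """Verify a presented PIN in constant time. The PIN is checked, never
    read back, which is all an authentication system needs."""
    return hmac.compare_digest(make_pin_tag(key, account, pin), tag)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    stored = hash_pin(salt, "7391")
    print("PIN recovered from salted hash:", recover_pin(salt, stored))

    key = secrets.token_bytes(32)  # assumption: would be HSM-resident
    tag = make_pin_tag(key, "acct-001", "7391")
    print("keyed verify, correct PIN:", verify_pin(key, "acct-001", "7391", tag))
    print("keyed verify, wrong PIN:  ", verify_pin(key, "acct-001", "0000", tag))
```

The keyed scheme only closes the offline exposure of a dumped table. Online guessing is still bounded by 10,000 attempts, so attempt counters and lockout on the verifying side remain necessary; and, as the post notes, none of this requires the bank to be able to tell a customer their PIN, because verification never needs the value itself.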


Quantitative Analysis of Web Application Usefulness (Or Why Your ROSI is wRONG)

The amazing (in both quality and quantity of blog post production) Lori MacVittie of f5 has a blog post up on their corporate blog called,  “A Formula for Quantifying Productivity of Web Applications.” Basically, Lori proposes that we study web server processes and the time to complete them over a period of time rather than […]


Television, Explained

So I’m not sure if Michael Pollan’s “Out of the Kitchen, Onto the Couch” is supposed to be a movie review, but it’s definitely worth reading if you think about what you eat. I really like this line: The historical drift of cooking programs — from a genuine interest in producing food yourself to the […]


Is Barack Obama an American Citizen?

It might seem, to the average person, that the “Birthers” must have a tough time proving their case. After all, Barack Obama has released his Certification of Live Birth (pictured above), which meets all the requirements for proving one’s citizenship to the State Department. The authenticity of the certificate has been verified by Hawaii state […]


Hot Singles Are Waiting for You!

Information anyone gives to Facebook can be used by Facebook to do things Facebook wants to do. Like use your face in a personals ad. Even if Facebook knows you’re married. Facebook used Cheryl Smith’s face this way in an ad that it showed her husband. (“oops”) So go read more in Wife’s face used […]


ID Theft Risk Scores?

A bunch of widely read people are blogging about “ Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.” First, there’s little explanation of how it’s working. I got a 240 when I didn’t give them my SSN, and my score dropped to 40 […]


To The Moon

One of the really fascinating things about listening to the streaming audio of the first moon landing is how much time was spent debugging the spacecraft, resetting this and that. As the memory fades away, Charlie Stross wrote about the difficulties in going back to the moon: Not only does the cost of putting a […]


Identity Theft

Remember, identity theft isn’t getting your credit card stolen; that’s fraud. Having the records that define who you are to an entire country, and that determine whether you can get a relatively high-paying job, get stolen. That’s identity theft…


Penetration testing your products

It was built to be impenetrable, from its “super rugged transparent polycarbonate housing” to its intricate double-tabbed lid… Just go read the story. Anything else I say will spoil the punchline.


Chris, I'm sorry

I hate the overuse of URL shorteners like tinyurl. I like to be able to see what a link is before I click on it. I don’t like that these companies get to be yet another point of surveillance. (To be fair, tinyurl doesn’t seem to be taking advantage of that. I have cookies from […]


The Arrest of Gates

A couple of good articles are John McWhorter’s “Gates is Right–and We’re Not Post-Racial Until He’s Wrong,” and Lowry Heussler’s “Nightmare on Ware Street.” The full police report is at “Gates police report.” I think PHB’s comment on Michael Froomkin’s post is quite interesting: You are all missing a rather significant fact, this is the […]


Today's Privacy Loss – English Soldiers' Details Published

Demonstrating that no one’s data is safe, the names, pay records, and other personal information of 90,000 English soldiers were placed on the Internet. These soldiers, who served with King Henry V at Agincourt, now have their information listed at, exposing them to the chance of identity theft after nearly 500 years. These soldiers […]


For epistemological anarchism

So Dave Mortman and Alex Hutton have a talk submitted to Security BSides entitled “Challenging the Epistemological Anarchist to Escape our Dark Age.” Now, it would certainly be nice if we could all use the same words to mean the same things. It would make communication so much easier! It would let us build the […]


July 20, 1969

The Apollo program took place at just about the right time for me. I was six (or, as I would quickly have pointed out at the time, six *and a half*) when the first lunar landing occurred, and barely ten when Apollo 17 splashed down. This was old enough to be fascinated by the technology […]


Color on Chrome OS

New things resemble old things at first. Moreover, people interpret new things in terms of old things. Such it is with the new Google Chrome OS. Very little I’ve seen on it seems to understand it. The main stream of commentary is comparisons to Windows and how this means that Google is in the OS […]


We Regret The New York Times’ Error

In “Kindling a Consumer Revolt,” I quoted the New York Times: But no, apparently the publisher changed its mind about offering an electronic edition, and apparently Amazon, whose business lives and dies by publisher happiness, caved. It electronically deleted all books by this author from people’s Kindles and credited their accounts for the price.” What […]


Kindle Brouhaha Isn't About DRM

In case you haven’t heard about it, there is a brouhaha about Amazon un-selling copies of two Orwell books, 1984 and Animal Farm. There has been much hand-wringing, particularly since it’s deliciously amusing that it’s Orwell. The root cause of the issue is that the version of the Orwell novels available on the Kindle […]


Kindling a Consumer Revolt

Well, by now it’s all over the blogo/twitter spheres, and everything that might be said has already been said about Eric Blair, a publisher and Amazon: This morning, hundreds of Amazon Kindle owners awoke to discover that books by a certain famous author had mysteriously disappeared from their e-book readers. These were books that they […]


Up Again

We had some expected downtime this morning. Thanks for your notes and IMs. If you’re reading this, things are now working again.


A Black Hat Sneak Preview (Part 2 of ?)

Following up on my previous post, here’s Part 2, “The Factors that Drive Probable Use”. This is the meat of our model. Follow up posts will dig deeper into Parts 1 and 2. At Black Hat we’ll be applying this model to the vulnerabilities that are going to be released at the show. But before […]


Not because it is easy, but because it is hard

Forty years ago today, Apollo 11 lifted off for the moon, carrying Buzz Aldrin, Neil Armstrong and Michael Collins. The Boston Globe has a great selection of photos, “Remembering Apollo 11.” (Thanks to Deb for the link.)


Happy Bastille Day!

It’s hard not to like a holiday which celebrates the storming of a prison and the end of a monarchy. Photo: Vytenis Benetis .


An Example of Our Previous Graph In Action

I wanted to throw it out here as an example of how you would use the model from my earlier post in real life. So let’s take the recently released Internet Explorer security vulnerability and see how it fits. Now this is a pretty brain-dead example and hardly requires a special tool, but I think it […]


Do Audit Failures Mean That Audit Fails In General?

Iang’s posts are, as a rule, really thought provoking, and his latest series is no exception. In his most recent post, How many rotten apples will spoil the barrel, he asks: So we are somewhere in-between the extremes. Some good, some bad. The question then further develops into whether the ones that are good are […]


Wells Fargo vs Wells Fargo

You can’t expect a bank that is dumb enough to sue itself to know why it is suing itself. Yet I could not resist asking Wells Fargo Bank NA why it filed a civil complaint against itself in a mortgage foreclosure case in Hillsborough County, Fla. “Due to state foreclosure laws, lenders are obligated to […]


Running from the truth

Robin Hanson has an interesting article, “Desert Errors:” His findings stayed secret until 1947, when he was allowed to publish his pioneering Physiology of Man in the Desert. It went almost entirely unnoticed. In the late 1960s, marathon runners were still advised not to drink during races and until 1977, runners in international competitions were […]


Business Week on Heartland

Not much to add, but a good article in Business Week on Lessons from the Data Breach at Heartland. Well worth reading…


Origins of time-sync passwords

In “Who Watches the Watchman” there’s an interesting history of watchclocks: An elegant solution, designed and patented in 1901 by the German engineer A.A. Newman, is called the “watchclock”. It’s an ingenious mechanical device, slung over the shoulder like a canteen and powered by a simple wind-up spring mechanism. It precisely tracks and records a […]


Social Security Numbers are Worthless as Authenticators

The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The findings, published Monday in The Proceedings of the National […]


A Black Hat Sneak Preview (Part 1 of ?)

Alex and I will be on a panel, A Black Hat Vulnerability Risk Assessment, at this year’s Black Hat. We’ll be discussing the need to perform a risk assessment of vulnerabilities as you become aware of them in a deeper context then just looking at the CVSS scores. Things to consider are what compensating controls […]


Bob Blakely on the Cybersecurity Conversation

Bob Blakely has a thought-provoking blog post which starts: The Cyberspace Policy Review says “The national dialog on cyber-security must begin today.” I agree. Let’s start the dialog with a conversation about what sacrifices we’re willing to make to get to an acceptable worst-case performance. Here are four questions to get the ball rolling: Question […]


Va Pbaterff Nffrzoyrq, Whyl 4 1776

My usual celebration of Independence day is to post, in its entirety, the Declaration of Independence. It’s very much worth reading, but this year, there’s a little twist, from a delightful story starring Lawren Smithline and Robert Patterson, with a cameo by Thomas Jefferson. Patterson sent Jefferson a letter which read, in part: “I shall […]


Thoughts on Iran

Our love affair with the Iranian Tweetolution has worn off. The thugs declared their election valid, told their armed representatives to Sorry, next tweet: go impose some law or order or something, and it was done. Well, as it often turns out, there was more to it than fits in 140 characters, and the real […]


The Punch Line Goes at the End

The Black Hat conference in Las Vegas always has its share of drama. This year, it’s happened a month before the conference opens. The researcher Barnaby Jack had to cancel his talk. gives an account of this; his talk was to make an Automated Teller Machine spit out a “jackpot” of cash, in the […]


Rebellion over an ID plan

What they were emphatically not doing, said Jay Platt, the third-generation proprietor of the ranch, was abiding by a federally recommended livestock identification plan, intended to speed the tracing of animal diseases, that has caused an uproar among ranchers. They were not attaching the recommended tags with microchips that would allow the computerized recording of […]


Unthinkable Foolishness from TSA

“Flying from Los Angeles to New York for a signing at Jim Hanley’s Universe Wednesday (May 13th), I was flagged at the gate for ‘extra screening’. I was subjected to not one, but two invasive searches of my person and belongings. TSA agents then ‘discovered’ the script for Unthinkable #3. They sat and read the […]


Voltage Predicts the Future

It’s easy to critique the recent Voltage report on breaches. (For example, “2009 started out to be a good year for hackers; in the first three months alone, there were already 132 data breaches reported.” That there were 132 breaches does not mean that hackers are having a good year; most breaches are not caused […]


On the Assimilation Process

Three years and three days ago I announced that “I’m Joining Microsoft.” While I was interviewing, my final interviewer asked me “how long do you plan to stay?” I told him that I’d make a three year commitment, but I really didn’t know. We both knew that a lot of senior industry people have trouble […]


Thanks, Jeffrey Bennett

In “Books that should be in a security manager’s library,” Jeffrey Bennett says nice things about The New School (the book) and suggests that it’s one of eight that “no professional library is complete without.” Thanks!


Emergent Traffic Chaos

Paul Kedrosky has an amazing video: As described in the New Scientist: Researchers from several Japanese universities managed the feat by putting 22 vehicles on a 230-metre single-lane circuit (see video). They asked drivers to cruise steadily at 30 kilometres per hour, and at first the traffic moved freely. But small fluctuations soon appeared in […]


More Friday Skepticism

Since Adam started it, I’ll add a link to a nice YouTube video about how to be a good skeptic h/t BoingBoing


Death-related items

I’m cleaning out my pending link list with a couple of morbidly-themed links. Old-but-interesting (2007 vintage) list of relative likelihoods of death compared to dying in a terrorist attack. For example… You are 1048 times more likely to die from a car accident than from a terrorist attack You are 12 times more likely to die from […]


Visualization Friday & More!

OK, so this week for Visualization Friday, I’m going to point you to just one thing: At Last, a Scientific Approach to Infographics A blog post by the awesome visualization expert Stephen Few that praises: Visual Language for Designers: Principles for Creating Graphics that People Understand by Connie Malamed OK, I’ll also mention that I […]


Science, Skepticism and Security

Rich Mogull has a great post on “Science, Skepticism and Security” In the security industry we never lack for theories or statistics, but very few of them are based on sound scientific principles, and often they cannot withstand scientific scrutiny. For example, the historic claim that 70% of security attacks were from the “insider threat” […]


The Cost of Anything is the Foregone Alternative

The New York Times reports: At least six men suspected or convicted of crimes that threaten national security retained their federal aviation licenses, despite antiterrorism laws written after the attacks of Sept. 11, 2001, that required license revocation. Among them was a Libyan sentenced to 27 years in prison by a Scottish court for the […]


Economics of Information Security

Ross Anderson is liveblogging the 2009 Workshop on Economics of Information Security. I’m in Seattle, and thus following eagerly. It seems Bruce isn’t liveblogging this time. I know I found it challenging to be a stenographer and a participant at SHB.


The emergent chaos of fingerprinting at airports

HONG KONG (Reuters) – A Singapore cancer patient was held for four hours by immigration officials in the United States when they could not detect his fingerprints — which had apparently disappeared because of a drug he was taking. The incident, highlighted in the Annals of Oncology, was reported by the patient’s doctor, Tan Eng […]


UnClear where the data will go

So Clear’s Verified Line Jumper service has shut down. Aviation Week has a blog post, “Clear Shuts Down Registered Traveler Lanes.” Clear collected a lot of data: The information that TSA requires us to request is full legal name, other names used, Social Security number (optional), citizenship, Alien Registration Number (if applicable), current home […]


Iran Links

The Economist’s Bagehot writes about his idea of “The chemistry of revolution,” while admitting he’s generalizing from two. Ethan Zuckerman on “Iran, citizen media and media attention.” “Unfortunately, unlike positive online gestures of solidarity (retweeting reports from Iran, turning Twitter or Facebook pictures green), this one does little more than piss off sysadmins, helps Iranian […]


Ron Paul supporter inadvertently gets iPhones banned from U.S. aircraft

Via CNN: Steve Bierfeldt says the Transportation Security Administration pulled him aside for extra questioning in March. He was carrying a pocket edition of the U.S. Constitution and an iPhone capable of making audio recordings. And he used them. On a recording a TSA agent can be heard berating Bierfeldt. One sample: “You want to […]


Suffering for Art

Joseph Carnevale, 21, was nabbed Wednesday after a Raleigh Police Department investigation determined that he was responsible for the work (seen below) constructed May 31 on a roadway adjacent to North Carolina State University. Carnevale, pictured in the mug shot at right, was charged with misdemeanor larceny for allegedly building his orange monster from materials […]


Visualization Friday!

Yesterday I got to see what might have been one of the most amazing(ly bad) security dashboards I’ve ever seen. And those who have read my posts on visualization know that I find the visualization of risk & security to be a pretty fascinating field of study. So given the quality of the GRC apps […]


Happy Juneteenth!

Celebrate Juneteenth, but remember that we have not eliminated the scourge of slavery.


The Trouble With Metrics

Is that they can be gamed. See “Terror law used to stop thousands ‘just to balance racial statistics’” in the Guardian: Thousands of people are being stopped and searched by the police under their counter-terrorism powers – simply to provide a racial balance in official statistics, the government’s official anti-terror law watchdog has revealed. […]


Privacy Enhancing Technologies 2009

The organizers of the 9th Privacy Enhancing Technologies Symposium invite you to participate in PETS 2009, to be held at the University of Washington, Seattle, WA, USA, on Aug 5-7, 2009. PETS features leading research in a broad array of topics, with sessions on network privacy, database privacy, anonymous communication, privacy policies, and privacy offline. […]


Chaos in Iran

Millions of people in Iran are in the streets, protesting a stolen election. Nate Silver, who did a great job on US election statistics has this: However, given the absolutely bizarre figures that have been given for several provinces, given qualitative knowledge – for example, that Mahdi Karroubi earned almost negligible vote totals in his […]


The Art of Mathematics

Paul Nylander has some amazingly beautiful mathematical constructs which he’s ray-tracing. Via Aleks Jakulin.


Green Dam

Update 26 June 2009: The status of Green Dam’s optionality is still up in the air. See, for example, this news story on PC makers’ efforts to comply, which points out that Under the order, which was given to manufacturers in May and publicly released in early June, producers are required to pre-install Green Dam […]


SHB Session 8: How do we fix the world?

(Bruce Schneier has been running a successful prediction attack on my URLs, but the final session breaks his algorithm. More content to follow.) So as it turns out, I was in the last session, and didn’t blog it. Bruce Schneier and Ross Anderson did. Matt Blaze has the audio. I’ll turn my comments into an […]


SHB Session 7: Privacy

Tyler Moore chaired the privacy session. Alessandro Acquisti, CMU. (Suggested reading: What Can Behavioral Economics Teach Us About Privacy?; Privacy in Electronic Commerce and the Economics of Immediate Gratification.) It’s not that people act irrationally, it’s that we need deeper models of their privacy choices. Illusion of control, over-confidence, in privacy people seek ambiguity, people […]


SHB Session 6: Terror

Bill Burns (Suggested reading Decision Research: The Diffusion of Fear: Modeling Community Response to a Terrorist Strike) Response to Crisis: Perceptions, Emotions and Behaviors. Examining a set of scenarios of threats in downtown LA. Earthquake, chlorine release, dirty bomb. Earthquake: likely 100-200 casualties. Dirty bomb, expected casualties: 100 at most. Chlorine may be thousands to […]


SHB Session 5: Foundations

Rachel Greenstadt chaired. I’m going to try to be a little less literal in my capture, and a little more interpretive. My comments in italic. Terence Taylor, ICLS (Suggested reading: Darwinian Security; Natural Security (A Darwinian Approach to a Dangerous World)). Thinks about living with risks, rather than managing them. There are lessons from biology, […]


SHB Session 4: Methodology

David Livingstone Smith chaired. Angela Sasse “If you only remember one thing: write down everything the user needs to do and then write down everything the user needs to know to make the system work. Results of failure are large, hard to measure. (Errors, frustration, annoyance, impact on processes and performance, coloring user perception of […]


SHB Session 3: Usability

Caspar Bowden chaired session 3, on usability. Andrew Patrick NRC Canada (until Tuesday), spoke about there being two users of biometric systems: the purchaser or system operator and the subject. Argues that biometrics are being rolled out without a lot of thought for why they’re being used, when they make sense and when not. Canada […]


Publius Outed

The pseudonymous blogger, Publius, has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Ed Volokh, and Publius commented on Volokh’s criticism of Whelan, so Whelan lashed out at Publius. Or so it seems from the nosebleed bleachers […]


SHB Session 2: Fraud

Julie Downs studied users who were going through an email inbox full of phishing emails, while doing a talk-aloud. They also did interviews afterwards. People with incidents get very sensitive to risks, but don’t get any better at identifying phishing emails. What really helps is contextualized understanding. Do they know what a URL is? Do […]


SHB Session 1: Deception

Frank Stajano Understanding Victims Six principles for systems security Real systems don’t follow logic that we think about. Fraudsters understand victims really well. Working with UK TV show, “the real hustle.” Draft paper on SHB site. Principles: Distraction, social compliance, herd principle, deception, greed, dishonesty David Livingstone Smith What are we talking about? Theoretical definitions: […]


Security & Human Behavior

I’m at the Security & Human Behavior workshop, and will be trying to blog notes as we go. I should be clear: these notes aren’t intended to be perfect or complete. Update: Bruce Schneier is also liveblogging (intro). Ross Anderson is blogging in comments to this post.


Security & Human Behavior

I’m blogging the Security & Human Behavior Workshop at the New School blog. Bruce Schneier is also blogging it, as is Ross Anderson.


A Farewell to Bernstein

From Chandler, who is in China: Adam sent along to the authors of this blog a link to the New York Times obituary for Peter Bernstein yesterday Peter L. Bernstein, an economic historian and a widely read popularizer of the efficient market theory, which changed trading behavior on Wall Street, died Friday at NewYork-Presbyterian/Weill […]


Pirate Party Victory in Sweden

“Together, we have today changed the landscape of European politics. No matter how this night ends, we have changed it,” Falkvinge said. “This feels wonderful. The citizens have understood it’s time to make a difference. The older politicians have taken apart young peoples’ lifestyle, bit by bit. We do not accept that the authorities’ mass-surveillance,” […]


Links To Interesting Stuff

I have a ton of tabs open in Firefox about stuff I thought would be some sweet newschool-esque reading for everybody out there. 1.) Threat and Risk Mapping Analysis in Sudan Not really about measurement and progress, but a fascinating look at “physical risk management” nonetheless: 2.) I thought Gunnar did a great job […]


Mr. Bureaucrat, Please Report to Room 101

As I’ve said before, all non-trivial privacy warnings are mocked and then come true. Sixty years ago today, George Orwell published 1984. He unfortunately failed to include a note that the book was intended as a warning, not a manual. Today, in England, there are an unknown number of surveillance cameras, including many around Orwell’s […]


Bialystock Triumphs in Berlin

The crowd for the premiere seemed pleased. It wasn’t your typical Broadway musical audience, to judge from the number of smart-looking young people with interesting haircuts. A “lively counterpoint to Hollywood productions like ‘Valkyrie’ and ‘Defiance,’ with their impeccable Resistance heroes and clichés,” decided the reviewer for Spiegel Online. “The New York triumph was repeated […]


S&P Risk Models

There was an interesting segment on NPR this morning, “Economy Got You Down? Many Blame Rating Firms” that covered, amongst other things, the risk model that Standard and Poor’s used to rate bonds, and in particular mortgage-backed ones. There are a few choice quotes in the story about how the organizations approached the models […]


The Art of Living Dangerously

I haven’t had a chance to read it, but I’ll probably pick up “Absinthe and Flamethrowers: Projects and Ruminations on the Art of Living Dangerously” at some point, if only because of the author’s writing on the relationship between risk and happiness says something I’ve always suspected, that risk takers are happier than risk avoiders […]


Pirates, Inc.

I found this short documentary about piracy around the Straits of Malacca, a view of the reality of pirate life as a last refuge of the unemployed fisherman, to be an interesting counterpoint to the NPR Story, “Behind the Business Plan of Pirates, Inc.” which provides an altogether different view of the […]


Statistics Police?!

From Gelman’s blog: U.K. Sheriff Cites Officials for Serious Statistical Violations I don’t know if we need an “office” of information assurance in the government sector, but it would be nice to have some penalty on the books for folks who abuse basic common sense statistical principles. Of course, the *real* answer lies in education […]



Hey everyone. I wanted to let you know that Rich, Adrian & Co. at Securosis are spearheading a research project called “Quant”. They currently have a survey up on survey monkey about Patch Management that they’d like participation in. If you can, please give thoughtful contribution to the survey. There’s something about a registration […]


Amusements with Alpha

I just saw a link to someone who had broken Wolfram Alpha. Their breaking question was, “when is 5 trillion days from now?” The broken result is: […]


New Means of Pie Chart Abuse

Just for Adam, because I know he’ll *love* this. Was reading the “How to transform your ETL tool into a data quality toolkit” post on the data quality blog when I noticed something. In the graphic they’re presenting there: The.Pie.Chart.Spins. Which could be one of the most awesome data visualization abuses. ever.


Voltage Security's Breach Map

The folks over at Voltage have released a really cool interactive map of breaches from around the world. Tools like this show how important having data is, just imagine how much more impressive and useful something like this could be if more people were willing to share data about breaches or other information security issues […]


Open Thread

What’s on your mind? Extra points for mocking other members of the combo for not posting. Me? I’m wondering why the opening of the Parliament of South Africa involves so many bagpipes.


Thoughts on Bejtlich's Information Security Incident Ratings

Check out Richard Bejtlich’s Information Security Incident Rating post. In it, he establishes qualitative, color-based scales for various asset-states in relation to the aggregate threat community. As Richard states, he’s not modeling risk, but rather he’s somewhat modeling half of risk (in FAIR terms, an attempt at TEF/LEF/TCap information, just not the loss magnitude side). […]


Democracy, Gunpowder, Literacy and Privacy

In an important sense, privacy is a modern invention. Medieval people had no concept of privacy. They also had no actual privacy. Nobody was ever alone. No ordinary person had private space. Houses were tiny and crowded. Everyone was embedded in a face-to-face community. Privacy, as idea and reality, is the creation of a modern […]


It’s a warning, not a manual, part MCMLXXXIV

“He had set his features into the expression of quiet optimism which it was advisable to wear when facing the telescreen…” Photo: “Under surveillance,” Toban Black, in the 1984 Flickr pool.


How to Present

As I get ready to go to South Africa, I’m thinking a lot about presentations. I’ll be delivering a keynote and a technical/managerial talk at the ITWeb Security Summit. The keynote will be on ‘The Crisis in Information Security’ and the technical talk on Microsoft’s Security Development Lifecycle. As I think about how to deliver […]


TSA Kills Bad Program!

The government is scrapping a post-Sept. 11, 2001, airport screening program because the machines did not operate as intended and cost too much to maintain. The so-called puffer machines were deployed to airports in 2004 to screen randomly selected passengers for bombs after they cleared the standard metal detectors. The machines take 17 seconds to […]


Web 2.0 and the Federal Government

This looks interesting, especially in light of the launch of The Obama campaign—and now the Obama administration—blazed new trail in the use of Web 2.0 technology, featuring videos, social networking tools, and new forms of participatory and interactive technology. This event will feature government, technology, and new media leaders in addressing the special challenges […]


Giving Circles and de Tocqueville

There was an interesting story on NPR the other day about “giving circles.” It’s about groups of people getting together, pooling their money, investigating charities together, and then giving money. The story mentions how the increasing bureaucratization* of fund-raising leads to groups whose involvement is “I write them a cheque each year.” It also mentions […]


Secret Questions

Congratulations to Stuart Schechter, A. J. Bernheim Brush (Microsoft Research), Serge Egelman (Carnegie Mellon University). Their paper, “It’s No Secret. Measuring the Security and Reliability of Authentication via ‘Secret’ Questions” has been Slashdotted. It’s really good research, which Rob Lemos covered in “Are Your “Secret Questions” Too Easily Answered?”


Can't Win? Re-define losing the TSA Way!

We were surprised last week to see that the GAO has issued a report certifying that, “As of April 2009, TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program and had conditionally achieved 1 condition (TSA had defined plans, but had not completed all activities […]


Just Landed in…

Just Landed: Processing, Twitter, MetaCarta & Hidden Data: This got me thinking about the data that is hidden in various social network information streams – Facebook & Twitter updates in particular. People share a lot of information in their tweets – some of it shared intentionally, and some of it which could be uncovered with […]


Need ID to see Joke ID card

A bunch of folks sent me links to this Photography License, which also found its way to BoingBoing: Now, bizarrely, if you visit that page, Yahoo wants you to show your (Yahoo-issued) ID to see (Matt’s self-issued) ID. It’s probably a bad idea to present a novelty version of a DHS document to law enforcement. […]


Definitions: cloudenfreude

cloudenfreude — Feeling of happiness at watching the discomfort of others, especially senior management, as they accept in aggregate for *aaS the same risks which were easily accepted piecemeal over time for the analogous service internally.


First International Alternative Workshop on Aggressive Computing and Security

Thinking security can not be done without adopting a preferential mode of thought of the attacker. A system cannot be defended if we do not know how to attack it. If the theory is still an interesting approach to formalize things, the operational approach must be the ultimate goal: to talk about security is meaningless […]


PCI Data Available

Interesting information was made available today from VISA about PCI Compliance status for Level 1, 2, and 3 merchants. Find it as a .pdf >>here<< (thanks to Mike Dahn for bringing it to our notice). **UPDATE** You may want to check out what Pete Lindstrom has done with that data, in his Blog Post, “Is […]


Richard Bejtlich's Quantum State

Is Statistically Mixed? Richard Bejtlich (whom I do admire greatly in most all of his work) just dug up a dead horse and started beating it with the shovel, and I just happen to have this baseball bat in my hands, and we seem to be entangled together on this subject, so here goes: I […]


Twitter Bankruptcy and Twitterfail

If you’re not familiar with the term email bankruptcy, it’s admitting publicly that you can’t handle your email, and people should just send it to you again. A few weeks ago, I had to declare twitter bankruptcy. It just became too, too much. I’ve been meaning to blog about it since, but things have just […]


European View on Breaches

I hadn’t seen this article by Peter Hustinix when it came out, but it’s important. He says that “All data breaches must be made public:” The good news is that Europe’s lawmakers want to make it obligatory to disclose data breaches. The bad news is that the law will not apply to everyone. Those exemptions […]


Camera thanks!

An enormous thank you to everyone who offered advice on what camera to get. I ended up with a Canon Rebel after heading to a local camera store and having a chance to play with the stabilization features. It may end up on ebay, but I’m confident I’ll get high quality pictures. If they’re great, […]


I wrote code for a botnet today

There’s a piece of software out there trying to cut down on blog spam, and it behaves annoyingly badly. It’s bad in a particular way that drives me up the wall. It prevents reasonable behavior, and barely blocks bad behavior of spammers. In particular, it stops all requests that lack an HTTP Referer: header. All […]


My Wolfram Alpha Demo

I got the opportunity a couple days ago to get a demo of Wolfram Alpha from Stephen Wolfram himself. It’s an impressive thing, and I can sympathize a bit with them on the overblown publicity. Wolfram said that they didn’t expect the press reaction, which I both empathize with and cast a raised eyebrow at. […]


Camera advice bleg

I’m thinking about maybe getting a new camera. Before I say anything else let me say that I understand that sensor size and lens rule all else, and that size does matter, except when it’s megapixel count, which is a glamour for the foolish. That said, I’m off to South Africa in a few weeks, […]


The Eyes of Texas Are on Baseboard Management Controllers? WHAT??!!!

OR TEXAS HB1830S IS SWINEFLU LEGISLATION, IT’S BEEN INFECTED BY PORK! **UPDATE: It looks like the “vendor language” around Section Six has been struck! Given Bejtlich’s recent promises, I thought we’d take a quick but pragmatic look at why risk assessments, even dumb, back-of-the-envelope assessments, might just be a beneficial thing. As you probably know, […]


Ban Whole Body Imaging

Congressman Jason Chaffetz has introduced legislation seeking a ban on Whole-Body Imaging machines installed by the Transportation Security Administration in various airports across America. Describing the method as unnecessary to securing an airplane, Congressman Chaffetz stated that the new law was to “balance the dual virtues of safety and privacy.” The TSA recently announced plans […]


Seattle Parking Monitoring

Seattle’s King5 TV reports on “Parking enforcement’s powerful new weapon:” An unassuming white sedan is the Seattle Police Department’s new weapon against parking violators. Just by driving down the street, George Murray, supervisor of SPD’s parking enforcement unit, can make a record of every parked car he passes. “What we’re doing here is we’re actually […]


Time To Patch, Patch Significance, & Types of Cloud Computing

Recently, a quote from Qualys CTO Wolfgang Kandek struck me kind of weird when I was reading Chris Hoff yet again push our hot buttons on cloud definitions and the concepts of information security survivability. Wolfgang says (and IIRC, this was presented at Jericho in SF a couple of weeks ago, too): In five years, […]


Covering the Verizon Breach Report

As you probably know by now, the pattern of 1s and 0s on the cover of the 2009 Verizon Data Breach Investigations Report contains a hidden message. I decided to give it a whirl and eventually figured it out. No doubt plenty of people managed to beat me to it, as evidenced by the fact […]


Cybersecurity Review Turf Battle

Many at RSA commented on the lack of content in Melissa Hathaway’s RSA keynote. The Wall St Journal has an interesting article which may explain why, “Cybersecurity Review Sets Turf Battle:” President Barack Obama’s cybersecurity review has ignited turf battles inside the White House, with economic adviser Lawrence Summers weighing in to prevent what he […]


Scalia: Just Because You Can Doesn't Mean You Should

aka it’s not nearly as funny when you are the subject of the probe. At a recent conference Justice Scalia said “Every single datum about my life is private? That’s silly.” Well, a professor at Fordham University decided to take Mr Scalia at his word, and had one of his classes collect a dossier on […]


"No Evidence" and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those […]


@Mortman MP3d on Threat Post

I’ll go ahead and promote David. He’s interviewed over at Threat Post. Pod/Talk cast it up! In this episode of the Digital Underground podcast, Dennis Fisher talks with David Mortman, CSO-in-residence at Echelon One and longtime security executive, about whether we’ve become too reliant on compliance, the changing nature of the CSO’s job and how […]


Security is about outcomes: RSA edition

So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at securosis and Stiennon’s network world blog, so I won’t try to do that. But I did promise to tell you what I wanted to get […]


More breach visualization

I received some excellent comments on my previous breach visualization post, which I wanted to highlight for EC readers and take a stab at addressing.


Breach Visualization

I took the latest breach database and extracted all breaches involving a third party, omitting all columns other than the reporting entity and the third party. I then ran the resulting two-column CSV file through afterglow, and finally made pretty (3MB) picture with graphviz. This was done more for fun than for insight, but […]


Little Bobby Drop tables

In 1999 Syse Data was converted to a limited liability company, and has since been trading under the name Syse Data AS[1]. As the names are so similar, searches for our company in the official Norwegian registry of just-about-anything (Brønnøysundregistrene) often resulted in potential customers looking up the wrong company. To prevent this confusion we […]


Dept. of Pre-Blogging: Swine Flu edition

In no particular order, your friendly neighborhood Dept. of Pre-blogging hereby predictively reports on: Increased speculation, coupled with a spike in Twitter activity. Politicization of the event from the Right (blame Mexico and/or Big Government), the Left (if we spent money in the right places, this would not happen), and out in left field (this […]


Congratulations, Open Security Foundation

The Open Security Foundation, creators of OSVDB and DataLossDB, have won SC Magazine’s Editor’s Choice award for 2009. It’s well deserved. In other Open Security Foundation news, about a dozen people asked me how to get a stylin’ DataLossDB t-shirt. It’s pretty easy: donate. I think you get one at the $100 level.


Congratulations to the Social Security Blog award winners!

A huge congratulations to the winners of the Social Security Awards [on Wednesday] PaulDotCom won the Best Podcast Award, the crew at the SANS Internet Storm Center won the best Technical Blog award, the best Non-Technical Blog went to Richard Bejtlich of the TaoSecurity Blog, Sunbelt Security won the Best Corporate Blog and Mike Rothman […]


Registration now open for WEIS 2009

Registration for The Eighth Workshop on the Economics of Information Security (WEIS 2009) is now open. The deadline for the Early Bird registration is 1 June 2009. We’ve written here often (and favorably) about WEIS, and about papers delivered there.


Standing Still

Following up on Ben’s comment to s/green/secure/g, infosec generally makes life /harder/ for people (at least in the short-term), all to keep bad things from happening. I’ll argue it’s even worse than that. Since “secure” is neither achievable nor a static state, it can never be done and standing still means falling behind. One of […]


Security is about outcomes, not process (RSA edition)

So I’m getting ready to head over to RSA, and I’m curious. If you believe that “security is about outcomes, not about process,” what outcomes do you want from RSA? How will you judge if the conference was worthwhile?



Don’t miss this fascinating article in the New York Times, “Why Isn’t the Brain Green?” You can read it for itself, but then you hit paragraphs like this: It isn’t immediately obvious why such studies are necessary or even valuable. Indeed, in the United States scientific community, where nearly all dollars for climate investigation are […]


Breach Notification Law Across the World

“Data Breach Notification Law Across the World from California to Australia” by Alana Maurushat. From the abstract: The following article and table examine the specifics of data breach notification frameworks in multiple jurisdictions. Over the year of 2008, Alana Maurushat of the Cyberspace Law and Policy Centre, with research assistance from David Vaile and student […]


Who should be punished for torture?

Normally, I try to post funny bits over the weekend, but I can’t let this week’s news slip by. I have deeply mixed feelings about how to handle those who tortured. On the one hand, they were only following orders. On the other hand, they were following orders which clearly required contortions to see as […]


Project Quant: Patch Management Metrics

Rich Mogull, Adrian Lane, (of Securosis) and Jeff Jones (of Microsoft) have started a “transparent” metrics project “to help build an independent model to measure the costs and effectiveness of patch management.” They’re calling it (for now) Project Quant. As you can probably guess, I’m all for transparent metrics projects, and I hope you’ll at […]


Off to the Moscone Center

Every year around this time, thousands of people converge on the Moscone Center in San Francisco for RSA. I had never given much thought to who Moscone was–some local politician I figured. I first heard about Harvey Milk in the context of the Dead Kennedys cover of I Fought The Law: The law don’t mean […]


Evolution of Information Analysis

Real briefly, something that came to me reading Marcus Ranum over at Tenable’s Blog. Marcus writes: Usually, when I attack pseudo-science in computer security, someone replies, “Yes, but some data is better than none at all!” Absolutely not true! Deceptive, inaccurate, and misleading data is worse than none at all, because it can encourage you […]


Black Swan-Proof InfoSec?

I came across an interesting take on Nassim Taleb’s “Black Swan” article for the Financial Times via JP Rangaswami‘s blog “Confused in Calcutta“. Friends and folks who know me are probably tired of my rants about what I think of Taleb’s work and what I think he’s gotten wrong. But really, I find his FT […]


A Curmudgeon is a Little Confused by the 2009 DBIR

I’ve given Vz’s DBIR a quick perusal. The data are interesting indeed and the recommendations are obvious. There is little new here in the way of recommendations – I guess nobody is listening or the controls are ineffective (or a bit of both). Regardless, I have a few items that confuse and irritate me a […]


Breaches Conference audio online

Back in March, the Berkeley Center for Law and Technology put on a great conference, the “Security Breach Notification Symposium.” It was a fascinating day, and the audio is now online.


Initial Thoughts on the 2009 Verizon DBIR

Last night, the fine folks at Verizon posted the 2009 version of the DBIR. I haven’t had time to do a full deep dive yet, but I thought I’d share my initial notes in the meantime. Stuff in italics is from the DBIR, regular text is me: 81 percent of organizations subject to PCI DSS […]


How to be Cyberscary

The intersection of crime and technology is a fascinating place. Innovation of fraud, theft, and industrial espionage is occurring at a phenomenal pace and is producing no shortage of real problems that Information Risk and Security professionals need to be learning about and addressing. Unfortunately, the noise coming from journalists in this space is so […]


Events don't happen in a Vacuum

Several commenters on yesterday’s post brought up the excellent point that it’s hard to talk about outcomes when you think you haven’t had any incidents. (“Consider the bank that had no attempted robberies this year.”) Are you right? With a bank, it’s pretty easy to see most robberies. What’s more, we have the FBI showing […]


The New School Blog

I’m really excited to announce, the blog inspired by the book. I’ll be blogging with Alex Hutton, Chandler Howell and Brooke Paul. And who knows, maybe we’ll even get a post or two from Andrew? Emergent Chaos will continue. My posts here will be a little more on the privacy, liberty and economics end […]


Security is about outcomes, not about process

In some migration or another, this post was duplicated; the real post is at Editing to avoid linkrot


Security is about outcomes, not about process

Nearly a decade ago Bruce Schneier wrote “Security is a process, not a product.” His statement helped us advance as a profession, but with the benefit of hindsight, we can see he’s only half right. Security isn’t about technology. Security is about outcomes, and our perceptions, beliefs and assurance about those outcomes. Here’s a quick […]


Statebook and Database State

So while Statebook is a pretty entertaining demo, “Database State” is a disturbing look at how real the underlying data collection is in the U.K. Via Boingboing.


It’s hard to change a market

This is quite possibly the DEA’s greatest success in disrupting the supply of a major illicit substance. The focus on disrupting the supply of inputs rather than of the drug itself proved extremely successful. This success was the result of a highly concentrated input supply market and consequently may be difficult to replicate for drugs […]


New Billboards for the UK

Make your own at I was gonna wait for the weekend, but…via @alecmuffet


Microsoft Security Intelligence Report

The Microsoft SIR was released 4/8 and is available for download here. Some of the interesting stuff they put in graphs is from the Open Security Foundation’s OSF Data Loss Database. Among the interesting things in the Microsoft SIR: Good old theft and losing equipment, when combined, still beats the sexier categories hands down. […]


Flinging Money Around Never Works

“Freeway Drivers Grab Money as Suspects Toss Thousands During Police Chase:” Thousands of dollars worth of hundred dollar bills brought rush hour to an abrupt halt on two San Diego freeways. Drug suspects tossed the money from their car as they were chased by police. Other drivers saw the money and stopped their cars on […]


New School Bloggers Speaking Today

So I apologize for short notice. Hopefully the webmaster will get in gear and put up an event calendar or something, but here are a couple of events you might want to attend today that New School Bloggers are speaking at. First, David Mortman is giving “The Mortman Briefing: Metrics for the Real World”over at […]



The WSJ has an article up today about how the Russians and Chinese are mapping the US electrical grid. What I thought was more interesting was the graph they used (which is only mildly related to the article itself). If I’m reading this correctly, the DHS is claiming that there were just under 70,000 breaches […]


Hello World?

Thanks for stopping by The New School of Information Security Blog. We’re very “beta” right now, and anticipate having everything ready by the RSA conference (the week of the 17th). If you’d like to see some recent content by our authors, I had a recent post on the Verizon/Cybertrust blog about the PCI DSS and […]


Research Revealed Track at RSA

For the past few months, I’ve been working with the folks at the RSA Conference to put together a track entitled “Research Revealed.” Our idea is that security needs to advance by getting empirical, and bringing in a wide variety of analytic techniques. (Regular readers understand that Andrew Stewart and I brought these ideas together […]


Building Security In, Maturely

While I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model. Lots has been said, so I’d just like to quote one little bit: One could build a maturity model for software security theoretically (by pondering what organizations should […]


Deadline extended: Computers, Freedom & Privacy Research Showcase

This year’s Computers, Freedom and Privacy Conference will feature a research showcase in the form of a research poster session as well as a research panel that includes the authors of the best research posters. CFP is the leading policy conference exploring the impact of the Internet, computers, and communications technologies on society. For more […]



Effects shop fulfills amputee’s mermaid dream:


I Know What I Know

and I’ll sing what he said. Ethan Zuckerman has two great posts lately: “From protest to collaboration: Paul Simon’s “Graceland” and lessons for xenophiles” and “Argentine economics and maker culture.” The Paul Simon post talks about the deep history of the Apartheid boycott, Paul Simon’s approach to creating Graceland. Graceland was a collaboration of the […]


Mo-mentum on centralized breach reporting?

A Missouri state bill requiring notification of the state attorney general as well as of individuals whose records have been exposed just took a step closer to becoming law. As reported in the St. Louis Business Journal on April 1: Missouri businesses would be required to notify consumers when their personal or financial information is […]


Torture is a Best Practice

I was going to title this “Painful Mistakes: Torture, Boyd and Lessons for Infosec,” but then decided that I wanted to talk about torture in a slightly different way. The Washington Post reports that “Detainee’s Harsh Treatment Foiled No Plots” and [UK Foreign & Commonwealth Office] Finally Admits To Receiving Intelligence From Torture. From the […]


Mr Laurie – Don’t do that

Ben Laurie has a nice little post up “More Banking Stupidity: Phished by Visa:” Not content with destroying the world’s economies, the banking industry is also bent on ruining us individually, it seems. Take a look at Verified By Visa. Allegedly this protects cardholders – by training them to expect a process in which there’s […]


Suspect and Unusual Photographs

This picture was taken by 4 high school kids with no budget: The Telegraph has the story at Teens capture images of space with £56 camera and balloon. You can click the photo for their amazing Flickr page. It’s a good thing they were in Spain. In the UK, they’d probably have been arrested for […]


Metricon 4.0 Call for Papers

I suspect at least some EC readers will be interested in the Call for Papers for Metricon 4.0, to be held in Montreal, August 11. Metricon 4 – The Importance of Context MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable […]


Would I self-publish?

A few weeks back, Dave Birch asked me if I’d publish my next book myself. I don’t think I would. I’m really happy with Karen Gettman and Jessica Goldstein at Addison Wesley, and I’ve convinced my co-authors for my next book that we should have a discussion about publishers. So why am I happy with […]


Brad DeLong on the bailout

Brad DeLong has a FAQ up about Geithner’s plan to purchase toxic assets on the theory that the market has undervalued them, and will in time price them properly. Among the items: Q: What if markets never recover, the assets are not fundamentally undervalued, and even when held to maturity the government doesn’t make back […]


Best Practices?

The BBC reports that the UK Local Government Association has a new banned words list, including our favorite, “best practices.” Andrew asked me in email if this was a best practice, and I wrote back: Does it pass the seven whys test? Why did they ban the phrase? Because it’s meaningless business speak Why is […]


Double-take Department, Madoff Division

The Daily Beast has a fascinating article that is a tell-all from a Madoff employee. I blinked as I read: The employee learned the salaries of his colleagues when he secretly obtained a document listing them. “A senior computer programmer would make $350,000, where in most comparable firms they would be getting $200,000 to $250,000….” […]


The Emergent Chaos of Kutiman

So when someone sent me a link to “The Mother of all Funk Chords,” they didn’t explain it, and I didn’t quite get what I was watching. What I was watching: …is a mash up of videos found on YouTube, turned into an entire album by an Israeli artist, Kutiman.


Identity is Mashed Up

I posted last month about Bob Blakely’s podcast with Phil Windley. Now (by which I really mean last month, wow I’m running behind!) Bob posts that the “Relationship Paper Now Freely Available,” and I’m embarrassed to say I stole Bob’s opening sentence. Now that I’ve actually read the paper, I’d like to remix the ideas […]


Happy Sunshine Week

March 15-21 is “Sunshine Week“, a government transparency initiative described by its main proponents as a national initiative to open a dialogue about the importance of open government and freedom of information. Participants include print, broadcast and online news media, civic groups, libraries, non-profits, schools and others interested in the public’s right to know. The […]


Joseph Ratzinger and Information Security

Joseph Ratzinger (a/k/a Benedict XVI) made some comments recently that got some press. In particular, as Reuters reports: “Pope in Africa reaffirms ‘no condoms’ against AIDS.” Quoting the story, “The Church teaches that fidelity within heterosexual marriage, chastity and abstinence are the best ways to stop AIDS.” Many of you are likely […]


Twitter + Cats = Awesome

My smart friend James Thomson of TLA Systems has created a new benchmark in iPhone applications, Twitkitteh. Not only is it the first Twitter client for cats, but it might also be the first iPhone app for cats, as well. I’ve always accused my cats of playing the stereo when I’m not there, and it […]


Understanding Users

Paul Graham has a great article in “Startups in 13 Sentences:” Having gotten it down to 13 sentences, I asked myself which I’d choose if I could only keep one. Understand your users. That’s the key. The essential task in a startup is to create wealth; the dimension of wealth you have most control over […]


All atwitter

In re-reading my blog post on twittering during a conference I realized it sounded a lot more negative than I’d meant it to. I’d like to talk about why I see it as a tremendous positive, and will be doing it again. First, it engages the audience. There’s a motive to pay close attention and […]


What you talkin' 'bout?

The 110-story Sears Tower, tallest office building in the Western Hemisphere, will be renamed the Willis Tower, global insurance broker Willis Group Holdings said on Thursday. Willis said it was leasing multiple floors in the 1,451-foot (442-meter) structure in downtown Chicago to consolidate offices. As part of the deal, it will become the Willis Tower […]


Tweet, tweet

A few weeks back, Pistachio twittered about How to Present While People are Twittering. I picked it up, and with the help of Quine, was getting comments from Twitter as I spoke. It was a fun experiment, and it’s pretty cool to be able to go back and look at the back channel. [Update: I […]


What Was Wrong With the Old FISA?

The Get FISA Right group is publicizing our need to re-think the laws. They have discussion going on on their site, as well as on The Daily Kos. I recommend catching up there, or reading Adam’s recent post here. I have to ask what was wrong with the old FISA? It wasn’t a bad system, […]


Would Anne Fadiman buy a Kindle?

If you like books, if you like to read, you need a copy of Anne Fadiman’s “Ex Libris: Confessions of a Common Reader.” You especially need to read it if you care an iota about identity management, because the major themes in her essays are not only about books, but about identity. (In case you’re […]


Open Thread

I’d give you a topic, but I’m taking Hilzoy’s advice and going Galt. I’ve taken ads off the blog, given up my lucrative contract for Harry Potter and the Half-Baked Firewall, and so turn this thread over to you with but a single request: civility. So what’s on your mind?


What Should FISA Look Like?

Jim Burrows is working to kick off a conversation about what good reform of US telecom law would be. He kicks it off with “What does it mean to “get FISA right”?” and also here. To “get it right”, let me suggest that we need: One law that covers all spying Require warrants when the […]


The Latest Big Processor Breach

So it’s now roughly confirmed, except for a few denials from Visa. First there was CardSystems, then Heartland, and maybe there’s at least one more known-to-some criminal breach at a payments processor. A lot of security bloggers have been talking about this, but I figure another day, another breach. Can’t we just get some facts? […]


This Data Will Self-Destruct in 5 Seconds

CSO Online has a good article on data destruction, “Why Information Must Be Destroyed.” It’s mostly about physical documents, not data, but I can still make a few quibbles. The author, Ben Rothke, gives an example of a financial institution that did not live up to its regulatory requirements for properly disposing documents, and was […]


Welcome To The (New) Machine

If you can read this, you are now reading Emergent Chaos on its new server. We’ve also upgraded to the 4.x train of MovableType. Let us know what you think. We’re also considering a site redesign, so let us know any feature requests or design suggestions. Thanks!


Leia With a Pearl Earring

This and other less subtle Star Wars/classical art mashups are at Star Wars as Classic Art. (Originally.) Thanks, Stepto!


Will People Ever Pay for Privacy, Redux

A few years back, I gave a talk titled “Will People Ever Pay for Privacy.” As they say, a picture is worth a thousand words: Tiger Woods’s Boat, Privacy, Attracts Plenty of Onlookers. Photo: Tiger Woods’ Yacht, TheLastMinute.


Facebook: Conform or else

Robert Scoble, discussing Facebook founder Mark Zuckerberg: He also said that his system looks for “outlying” behavior. He said if you behave like an average user you should never trigger the algorithms that will get you kicked off. Let’s be specific here: if you behave like the system’s Harvard undergraduate founders and primarily-male engineering staff […]


SDL Threat Modeling Tool 3.1.4 ships!

On my work blog, I wrote: We’re pleased to announce version 3.1.4 of the SDL Threat Modeling Tool. A big thanks to all our beta testers who reported issues in the forum! In this release, we fixed many bugs, learned that we needed a little more flexibility in how we handled bug tracking systems (we’ve […]


Security Breach Notification Symposium

Next Friday (March 6th) I’ll be speaking at the “Security Breach Notification Symposium:” A one-day symposium on identity theft and security breaches. Experts from law, government, computer science, and economics will discuss laws that protect personal information and suggest reforms to strengthen them. Although most agree that reforms are needed, leading thinkers clash on what […]


More on Privacy Contracts

Law Prof Dan Solove took the A-Rod question I posted, and blogged much more in depth in A-Rod, Rihanna, and Confidentiality: Shostack suggests that A-Rod might have an action for breach of contract. He might also have an action for the breach of confidentiality tort. Professor Neil Richards and I have written extensively about breach […]


Congratulations, Justin!

Justin Mason has won the 2009 Irish Blog Award for Best Technology Blog/Blogger. I don’t know how Justin manages to stay engaged with his blog and others while getting so much work done. When I say others, I mean this blog. Justin found Emergent Chaos back when it was a solo gig and I was […]


Don't put Peter Fleischer on Ice

Peter Fleischer is Google’s chief privacy counsel. I met Peter once at an IAPP event, and spoke pretty briefly. We have a lot of friends and colleagues in common. He’s now threatened with three years of jail in Italy. Google took under 24 hours to remove a video which invaded the privacy of someone with […]


Who Watches the FUD Watcher?

In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column. Brenner watched the FUD as he spreads it. He moans histrionically, When security is your company’s business, […]


Synthetic Identity "Theft" – The Mysterious Case of Prawo Jazdy

The BBC tells the tale of a Polish immigrant flouting traffic regulations across the emerald isle: He had been wanted from counties Cork to Cavan after racking up scores of speeding tickets and parking fines. However, each time the serial offender was stopped he managed to evade justice by giving a different address. As it […]


A-Rod had a privacy contract, and so did you

In 2003 the deal was simple: The players would submit to anonymous steroid testing, and if more than 5 percent tested positive, real testing with real penalties would begin in 2004. But in 2003, the tests were going to be (A) anonymous and then (B) destroyed. Those were the rules of engagement, and in any […]


Three on the Value of Privacy

First, the Economist, “Everybody Does It:” WHY is a beer better than a woman? Because a beer won’t complain if you buy a second beer. Oops. There go your correspondent’s chances of working for Barack Obama, America’s president-elect. (Ironically, the Economist’s articles are all anonymous.) Second, Fraser Speirs, “On the Flickr support in iPhoto ‘09:” […]


MI5 Head Critiques Government on Liberties

The BBC reports: A former head of MI5 has accused the government of exploiting the fear of terrorism to restrict civil liberties. Dame Stella Rimington, 73, stood down as the director general of the security service in 1996…”Furthermore it has achieved the opposite effect – there are more and more suicide terrorists finding a greater […]


Javelin ID theft survey

Salon reports “Identity theft up, but costs fall sharply:” In 2008, the number of identity theft cases jumped 22 percent to 9.9 million, according to a study released Monday by Javelin Strategy & Research. The good news is that the cost per incident — including unrecovered losses and legal fees — fell 31 percent to […]


Closing the Collapse Gap

There’s a very interesting annotated presentation at “Closing the ‘Collapse Gap’: the USSR was better prepared for collapse than the US.” In it, Dmitry Orlov lays out his comparison between the USSR and the USA of 2006. Posting this now because a talk he gave at Long Now is getting lots of attention. In closely […]


AOL Search Documentary

Lernert Engelberts and Sander Plug have taken the AOL search data which AOL released “anonymously,” and made a movie with the searches of user #711391. I Love Alaska, via Guerrilla Innovation. Worth checking out, but be warned, it’s a little on the languid side, using pacing and the voice to build the story. Also, note […]


Let’s Fix Paste!

Okay, this is a rant. Cut and paste is broken in most apps today. More specifically, it is paste that is broken. There are two choices in just about every application: “Paste” and “Paste correctly.” Sometimes the latter one is labeled “Paste and Match Style” (Apple) and sometimes “Paste Special” (Microsoft). However, they have it […]


Daily Show on Privacy

(h/t to Concurring Opinions) The Daily Show With Jon Stewart: Bill O’Reilly’s Right to Privacy


Why Didn't SOX Catch The Bank Failures?

Iang recently indicted the entire audit industry with “Two Scary Words: Sarbanes-Oxley”. I’ve excerpted several chunks below: Let’s check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis? No. Not one, not even a single one! Yet, the basic […]


$450 per account? No.

So there’s a claim going around, which is that I believe that a breach costs $450 per account. That claim is not accurate. What was said (and the interview was in email, so I can quote exactly): (Interviewer) The Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by […]


"A Scientific R&D Approach to Cyber Security"

Charlie Catlett, CIO of Argonne National Labs has released a report on “A Scientific R&D Approach to Cyber Security” (Powerpoint summary, community wiki). It’s a very interesting report. There’s a lot to agree with in terms of a research agenda. They’re looking to compose trustworthy systems from untrusted components, to create self-protective data and software, […]


Seattle Tech Universe

The Washington Technology Industry Association has released a very cool map of the Puget Sound Tech Universe. Here’s an excerpt:


Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder: Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. […]


First Impressions of the 2008 Ponemon Report

So the 2008 Ponemon breach survey is out and I’m reading through it, but I wanted to expand on the headline: “Ponemon Study Shows Data Breach Costs Continue to Rise.” This is the report’s figure 3: Left to right, those are “detection and escalation,” notification, “ex-post response” and “lost business.” I note that 2 fell, […]


Boundary Objects and Threat Modeling

Ethnomethodologists talk a lot about communities of practice: groups of people who share some set of work that they do similarly, and who co-evolve ways of working and communicating. When everyone is part of a given community, this works really well. When we talk about “think like an attacker” within a community of security […]


Identities are Created Through Relationships

I’m listening to this really interesting podcast by Bob Blakley and Phil Windley. What really struck me was where Bob said “thinking of identity as an artifact all by itself is unsatisfactory because we can talk about an identity and the attributes of an identity leaves out important details about how identities are created and […]


But is it art?

Jackson [Update: Click the picture. It’s only funny if you click the picture with Flash enabled. The site requires Flash.]


That's some fine discourse, Professor Froomkin

I just wanted to draw attention to the comments in Michael Froomkin’s blog post on “Cabinet Confirmation Mechanics.” I am delighted to have had ‘Jim’ concur with my Constitutional analysis by quoting the closing lines of Ulysses. I’m in awe of your commenters, Michael.


Politics and Money: Transparency and Privacy

(Or, the presentation of self in everyday donations) So I’ve had a series of fairly political posts about election finance, and in one of them, I said “I’d prefer that the rules avoidance be minimized, and I think transparency is the most promising approach there.” Well, in the interests of transparency, I need to comment […]


Will Proof-of-Work Die a Green Death?

In the Cryptography mailing list, John Gilmore recently brought up an interesting point. One of the oft-debated ways to fight spam is to put a form of proof-of-work postage on it. Spam is an emergent property of the very low cost of email combined with the effect that most of the cost is pushed to […]


"EPC RFID Tags in Security Applications"

I just finished an interesting paper, K. Koscher, A. Juels, T. Kohno, and V. Brajkovic. “EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond.” In the paper, they analyze issues of cloning (easy), read ranges (longer than the government would have you believe) and ‘design drift’ (a nice way of saying […]


News and a Request from the DataLossDB folks

They’ve added a blotter to add news that isn’t quite breaches, and they’re looking for funds to help with their FOIA requests. Please join me in donating.


Request your travel records

Speaking of how you’re presented and perceived…”How to request your travel records,” by Ed Hasbrouck. By popular demand, I’m posting updated forms to request your PNR’s and other records of your international travel that are being kept by the U.S. Customs and Border Protection (CBP) division of the Department of Homeland Security (DHS)… If you […]


The Presentation of Self in Everyday Tweeting

Chris Hoff pointed to an interesting blog post from Peter Shankman. Someone* tweeted “True confession but I’m in one of those towns where I scratch my head and say ‘I would die if I had to live here!’” Well it turns out that… Not only did an employee find it, they were totally offended by […]


Photosynth and the inauguration

So what do you do with the million photos everyone took of the inauguration? Here at Emergent Chaos, we believe that we should throw them all in a massive blender, and see what emerges. A massive blender isn’t a very technical description of Photosynth, but it’s not a bad analogy. The project cleverly figures out […]


A nudge in the right direction?

I am surprised I hadn’t heard about the book Nudge, by Cass Sunstein and Richard Thaler. I haven’t read it yet, but from the web page it seems to be about how policymakers can take into account the heuristics and biases characteristic of human decision-makers and create a choice architecture which yields “proper” decision-making. I […]


Abuse of the Canadian Do Not Call List

The Globe and Mail and the CBC each report that Canada’s Do Not Call list is being used by telemarketers both good and bad (where each term is relative). This is a bit sad for Canada. The US’s DNC list has been very successful, and one of the very few places where the US has […]


The New Openness?

This photograph was taken at 11:19 AM on January 20th. It’s very cool that we can get 1 meter resolution photographs from space. What really struck me about this photo was... well, take a look as you scroll down… What really struck me about this is the open space. What’s up with that? Reports were […]


The New Administration and Security

Quoting first from Obama’s inaugural address: The question we ask today is not whether our government is too big or too small, but whether it works — whether it helps families find jobs at a decent wage, care they can afford, a retirement that is dignified. Where the answer is yes, we intend to move […]


Pinch me…

The Freedom of Information Act should be administered with a clear presumption: In the face of doubt, openness prevails. The Government should not keep information confidential merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears. Nondisclosure should never be based on […]


A few Heartland links

Well, Mordaxus got the story, but I’ll add some links I found interesting or relevant. StoreFront BackTalk has From The Heartland Breach To Second Guessing Service Providers. Dave G at Matasano added “Heartland’s PCI certification.” The Emergent Chaos time travel team already covered that angle in “Massachusetts Analyzes its Breach Reports:” What’s exciting about this […]


Breach Misdirection

While we were all paying attention to the Inauguration and having merry debates about how many Justices can deliver the Oath of Office on a pin, what may be the biggest breach ever tried to tiptoe past. Heartland Payment Systems may have lost 100 million credit card details, surpassing the 94 million that was lost […]


Rethinking Risk

Now it’s no secret to those of you who know me that I’m a big believer in using risk management in the security space. Iang over at Financial Cryptography thinks it is “a dead duck”: The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable […]


President for Ten Minutes

During a chat I had this afternoon, someone brought up an interesting situation to contemplate. The Presidency of George Bush fils ended today at noon EST, but Mr. Obama wasn’t sworn in until 12:10. Who then, the question was, was President during those ten minutes? One mildly unsatisfactory answer is Ms. Pelosi. If there is neither […]


Change I Can Believe In

From (the new) Except where otherwise noted, third-party content on this site is licensed under a Creative Commons Attribution 3.0 License. Visitors to this website agree to grant a non-exclusive, irrevocable, royalty-free license to the rest of the world for their submissions to under the Creative Commons Attribution 3.0 License.


Three short comments on the Inauguration

The reality that a black man is about to become President of the United States is both momentous and moving. It’s hard to say anything further on the subject that hasn’t been said and re-said, but I am simply proud that the pendulum has swung to someone like Obama. I’m excited to have an educated, […]


Children, Online Risks and Facts

There’s an interesting (and long!) “Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States.” Michael Froomkin summarizes the summary. Adam Thierer was a member of the task force, and has extensive commentary on the primary online safety issue today […]


Emergent Forest

Moving Forest is a park on wheels. The park is made of trees in shopping carts that allow the public to rearrange their own little park. The forest is created by Dutch architect firm NL architects in response to the lack of green nature in contemporary urban environments – which in the case of the […]


Umami, or why MSG tastes so good

It’s appetizing news for anyone who’s ever wanted the savory taste of meats and cheeses without actually having to eat them: chemists have identified molecular mechanisms underlying the sensation of umami, also known as the fifth taste. … The umami receptor’s shape is similar to that of sweetness receptors, he said, and his team’s research […]


Privacy & Healthcare

One of the dirty little secrets of bad privacy law is that it kills. People who are not comfortable with the privacy of their medical care may avoid getting needed care. That’s why privacy features in the Hippocratic oath. But few people want to study this issue, and studying it is hard–people are likely to […]


"Get FISA Right" Pointer

[Update: This got to #5 on’s list, and they’re now working to draw attention to the issue on] Jon Pincus has asked me for help in drawing attention to his “Get FISA Right” campaign to get votes on When I’ve tried to look at this, it’s crashed my browser. YMMV–I use a […]


Massachusetts Analyzes its Breach Reports

In “Report On The M.G.L. Chapter 93H Notifications,” the Office of Consumer Affairs analyzes the breach notices which have come in. The report is a lot shorter than the “Maine Breach Study,” coming in at a mere four pages. There are many interesting bits in those four pages, but the two that really jumped out […]


Security Blog Awards

In “The Social Security Blogger Awards,” Alan Shimel asks for nominations for blogs. Ironically, to even see the site at, you need to accept Javascript. I think we should have an award for “best vuln in the voting system.” But anyway, please take a minute to go vote. I’ll ask for your vote for […]


Patch and Pray…

…or, Spaf’s DVD players get bricked. In which lies a tale…


Protection Poker

Listening to Gary McGraw’s Silver Bullet #33, Laurie Williams mentioned protection poker. Protection poker, like planning poker, isn’t really poker. Planning poker is a planning exercise, designed to avoid certain common pitfalls of other approaches to planning. The idea behind protection poker is to be an “informal form of misuse case development and threat modeling […]


Look how hip I am…

Normally, this would be something for Twitter, but…well…. Officiating at the NY v. Philadelphia game has been poor. Not biased, I don’t think, but poor.


Strange Maps

All from the Strange Maps blog. You could click on the pictures, but this blog is perfect Saturday afternoon “hey look at this” material.


Gary McGraw and Steve Lipner

Gary McGraw has a new podcast, “Reality Check” about software security practitioners. The first episode features Steve Lipner. It’s some good insight into how Microsoft is approaching software security. I’d say more, but as Steve says two or three good things about my threat modeling tool, you might think it some form of conspiracy. You […]


Reboot the FCC? No, debug the problem

Larry Lessig has a very interesting article in Newsweek, “Reboot the FCC.” The essence is that the FCC is inevitably bound by regulatory capture. He proposes a new agency with three tasks: “The iEPA’s first task would thus be to reverse the unrestrained growth of these monopolies.” “The iEPA’s second task should be to assure […]


No Fun

Stooges guitarist Ron Asheton, dead at 60.


ITRC Year End Report for 2008

The Identity Theft Resource Center (ITRC) released their year-end breach report: Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. Dissent of PogoWasRight has some analysis. I’ll take […]


Cryptol Language for Cryptography

Galois has announced “” Cryptol is a domain specific language for the design, implementation and verification of cryptographic algorithms, developed over the past decade by Galois for the United States National Security Agency. It has been used successfully in a number of projects, and is also in use at Rockwell Collins, Inc. … Cryptol allows […]


The Identity Divide and the Identity Archipelago

(I’d meant to post this in June. Oops! Chaos reigns!) Peter Swire and Cassandra Butts have a fascinating new article, “The ID Divide.” It contains a tremendous amount of interesting information that I wasn’t aware of, about how infused with non-driving purposes the drivers license is. I mean, I know that the ID infrastructure, is, […]


Choose your own prescription (glasses)

Silver has devised a pair of glasses which rely on the principle that the fatter a lens the more powerful it becomes. Inside the device’s tough plastic lenses are two clear circular sacs filled with fluid, each of which is connected to a small syringe attached to either arm of the spectacles. The wearer adjusts […]


Security through obscurity

…or, antique car collectors are an honest lot. According to the Times (of London, dear chap), a recently-deceased British surgeon has left his heirs a rather significant bequest: a super-rare, super-fast, antique Bugatti which hasn’t been driven since 1960 and is expected to fetch several million at auction. This is the fabled “Imagine their surprise, […]


Biometric Fail reported

A South Korean woman entered Japan on a fake passport in April 2008 by slipping through a state-of-the-art biometric immigration control system using special tape on her fingers to alter her fingerprints, it was learned Wednesday… During questioning, the woman allegedly told the immigration bureau that she had bought a forged passport from a South […]

