Risk of Death

At the Indy GP last weekend, the laconic Texan from Longview, Ben Spies, got pole and a podium at Indianapolis. Which is a good thing. I saw him race in AMA in 2007. Tough, matter-of-fact, smart racer – more of a chess player than a brawler on the track.

The odd story came from the wild redneck Texan, Colin Edwards. Edwards, Spies’ teammate, has been having a rough season, and it might be his last in the premier class. He conducted a profanity-laced pre-race press conference, saying he was going fucking fishing and asking the moderator to shut the fuck up about his results this year because he knew they sucked, and bringing it up again wasn’t helping.

I watched the race, and saw Edwards drop back in the order, then pull off into the pits after missing a corner. His crew was changing his rear tire, and Edwards got a SPEED TV microphone shoved in his face. He made some vague comment about the rear tire, and added “What’s the point?” He went back out for a lap or so, then he was back in the pits. There wasn’t anything wrong with his bike. And he wasn’t sounding like a Texas Tornado should.

Turns out he was a mentor to a wicked fast 13 year old from Oregon, Peter Lenz. I’d heard a couple of interviews with Peter over the past couple of years, which demonstrated that he had some adult promotional organization and that he was, in fact, a level-headed 13 year old, tough and focused. Peter was racing in a support class at Indy, riding a USGPRU 250 Moriwaki, the formula that will replace the 125s. It was a big chance to race before an international crowd. Pulling into the pits during practice, he was hit by another rider and died.

Edwards offered this after the race: “This is the life we choose as racers.  I’ve had teammates die, seen friends die and honestly this one hurts the most but … this is the reality of the situation. If they offered a class for 13 year olds to go roadracing when I was 13, I’d have done it in a heartbeat.”

Later, the mainstream media takes notice, with the levelheadedness it usually applies to the death of children and motorcycling in general. And motorcyclists get defensive (it’s in our nature – it’s how you stay alive on the roads). The incident, according to those who observed it, was unavoidable. It was not the result of speed, or lack of skill. It was dumb, horrible, heart-destroying luck. The random noise of physics countering all human intentions.

Meanwhile, at the Isle of Man, two riders die at the Manx GP. Another rider died at the TT earlier this year. This is predictable. The Isle of Man is notorious for killing racers, young and old, year in and year out. It’s a holdover from when motorcycle racing was new, and didn’t give a damn. According to Mat Oxley in his excellent book Stealing Speed, the risk of death was an attraction to the English racers who saw their older brothers and uncles go up and possibly come back in Spitfires. Man, motor and death. Motorcycle roadracing took a life a month for many years.

Now, protection is better, tracks are safer, medical staff is present, and death is rare. The tolerance for death is calculated the same way, and the random will now and then collect a soul.

Peter Lenz Fund

Stealing Speed

J. Ulrich on Lenz

D. Emmett on Lenz


DBR600RR – The Verizoning

I admit I genuinely enjoyed the latest Data Breach Report courtesy of the stalwart boffins at Verizon Business. My personal benchmark of genuineness is derived from my ability to almost immediately put it to use in my job. Nonetheless, I’d like to see the data hashed up one more way.

The following quotes are from page 14:

“Though we do not assert that the full impact of a breach is limited to the number of records compromised, it is a measurable indicator of it.”
and

“There is not a linear relationship between frequency and impact; harm done by external agents far outweighs that done by insiders and partners. This is true for Verizon and for the USSS and true for this year and in years past  … We could provide commentary to Figure 9, but what could it possibly add? If a chart in this report speaks with more clarity and finality we aren’t sure what it is.”
I’ll tell you what you can add, ’cause I’m that way. And the suggestion comes from the assumption that records=impact. I’m groovy with the assumption that number of records compromised is a measurable indicator for the top three categories of records listed on Fig. 31 on page 41 (regulated data that requires breach disclosure). However, it seems that an incident that involves the theft of proprietary source code, non-public financial statements, trade secrets, or whatever else comes under the umbrella of “data breach,” is counted as a single record, just as one credit card transaction record counts as one record.

I’d like to see the PCI DSS and PII/PHI database breaches broken out from the other (information property, trade secret, national security) breaches.  Looking at the data where they are detailed (p 41), there are not a whole lot of them.  Based on the statement on page 18, viz:

“It is worth noting that while executives and upper management were not responsible for many breaches, IP and other sensitive corporate information was usually the intended target when they were.”

NPI/PII/PHI mandatory disclosure type breaches may be characterized by a different set of threats, impacts, and frequencies, and require a different set of corresponding controls than the breaches associated with occupational fraud. Yeah, I said “fraud,” not “insider.” And I’d like to keep on saying “fraud” until I’m comfortable that the internal controls over non-regulated data are targeted at management override rather than external organized crime. Is organized crime recruiting from the sysadmins and call centers? Or is the insider a fraud (corruption/breach of fiduciary duty) issue? A little help and we’ll all be safer.

(I personally believe in Solove’s assertion that management should have a fiduciary duty to the privacy of data, but from what I’ve seen, we ain’t there yet, and it is still all about compliance.)

On a side note, the other category of data – authentication credentials – interests me.  Do bad guys just stop at root?  Or do they start at root?  Do the executives/upper management types rely on their organizational credentials, or do they use their authority to con an underling to hand them over?  I’ve got the anecdotes, but I’d like the data.

Some other comments:

Figure 27 (p38) – People? A person is a compromised asset and contains records? I’m not sure I follow the taxonomy (or is it taxidermy?) here.

P 40 and 41 – Thanks! These charts help quite a bit in understanding the data.

Fig. 35 (p46) is not only hard on my eyes, but on my brain. Why is the scale broken into non-proportional time units? Does the data naturally break down this way? A continuous timeline would give me more confidence in how stuff happens. It tapers off dramatically since each “timespan” is considerably bigger than the previous. My brain could handle a logarithmic scale, but 60 / 12 / 7 / 4 / 12 / (sideways eight) is kinda hard. I’m a simple country auditor, dadgummit. The accompanying text

“In over 60% of breaches investigated in 2009, it took days or longer for the attacker to successfully compromise data.”  

is not fully illustrated in the graph (to my humble eyes). Also, it could be more informative. (e. to the extreme g., my kitchen remodel is taking “days or longer” and yet, three months later, the fridge is in the living room. But my bourbon is appropriately iced! (This is a footnote, really, rather than a parenthetical, so there you go.))

Good thing the follow-up on page 50 struck me like a diamond, a diamond bullet right through my forehead:

Internal audit methods—both financial and technical—are the bright spot in all of this.

Yeah! Give the auditor some!

(Image of Roger Lee Hayden’s Moto2 Moriwaki Amerigasm courtesy of Motorcycle News, American Honda and USA! USA! USA! because a) it is not wholly unlike a CBR600RR and CBR sounds like DBR, b) all information security can be seen as a metaphor for motorcycle roadracing (technology, engineering, empiricism, piloted by moody irrational egomaniacs who are only in it for the birds & booze) and c) it looks totally awesome! Porkchop better clean the clock of some euro trash come Indy what with big ol’ #34 plastered on the fairing)


Live Twice

Chandler at the New School made me collect, collate and sort my thoughts on the whole recall issue.  Although what follows is more like bend, fold and mutilate.

The greatest risk Toyotas pose to me is that I get drowsy rolling down the highway with nothing more interesting to divert me than a continual rivulet of pale metallic four-door boredom.

Not incongruent with their exterior aesthetics, my personal reaction to the Toyotathon of Death falls into two barrels.

  1. Risk of correctly engineered and manufactured product v. risk of incorrectly engineered and faulty product. A base assumption in driving a recently produced auto is that, not only will it advance the spark automatically and not require a crank to start, but also that the accelerator will not get stuck open. If Toyota had labeled one of their transportation appliances with the label “May very rarely yet randomly accelerate,” prudent drivers would familiarize themselves with the emergency stopping procedures. However, Toyota did not disclose this information until much later, so the information was not available for calculation into a driving risk scenario. Drivers were operating under a “Toyota quality” assumption. Would the driver of a Trabant exercise the same risk equation as a Prius or Highlander driver?
  2. The Mediation of the Road. The current Toyota passenger car philosophy appears to be a closer cousin to KitchenAid than TF109. This transportation appliance paradigm isolates the user (no longer a driver) from the grit, grime and smells of the road, substituting an ego-coddling display of eco-righteousness and pretty maps. How could the impolite fangs of risk-driven adrenaline ever intrude into the quiet gentle rocking motions of hybrid power in a sarcophagus of LED-illuminated soft plastics? The white-knuckling pilot of the beater Pinto or the hyper-vigilant motorcyclist know no such peace. They know the road is a dangerous place, and that they are engaged in high-risk behavior. Unintended acceleration is one of myriad annihilation scenarios coursing ten thousand times a second through their oxygen-deprived neurons. Driving for them is like conducting transactions on the internet.

Tangentially, yet incongruously, I once had a notion (but with a bit of backing…) that the ultimate design for a website used to conduct high-dollar Internet transactions would be modeled after a mid-90s “adult” entertainment website – HTTP Auth pop-up, sloppy HotDog-generated HTML, broken icon indicating missing plug-ins, probably registered at .biz, .info, .ru or .cx. The customers would perceive the risk and exercise due caution, such as verifying the SSL certificate, maybe an out-of-band telephone call to the institution, and routine changes of password for every session. The site could be state-of-the-art secure (y’know, SSL + firewall), but the appearance of danger and perception of risk would make it Yet Still Even More So. Of course, the crappiness would have to have a periodic refresh just to keep the users’ adrenaline up.
Toyota photo courtesy Wikimedia Commons.


Posing

Read this bit of oddness from the Statesman this morning – “Pflugerville man posed as model online to elicit cash.” A young man with “very effeminate voice” managed to spend four years shaking down lonely men for cash while posing as model Bree Condon, who (according to a quick Google image search) poses mostly whilst bikini’d.

I appreciate the opportunity seized by the falsettoed Pflugervillian. And, of course, Ms. Condon should have checked her credit reports and shredded her bank statements to prevent this identity theft.

Wait, that wouldn’t have worked. More from the article:

Her reputation also has taken an online beating.

A commenter — the person used the name Justin Brown — on the Web site whosdatedwho.com said Condon was “really sweet at first, then it’s $5,000 a month just to be one of her boyfriends.”

Another wrote, “She scams men for money and she is extremely psychotic.”

Gracious. It’s reputation theft. But only among a slightly deluded public who can “date” a 24 year old man in Pflugerville and think he’s a female model.


Sociables

When I read this commentary on privacy from Andrea Dimaio from Gartner, I was mildly surprised that people still thought like this, that privacy is tied to secrecy.

Bob Blakley responds at the Burton Group. I agree with his analysis, so it must be brilliant. The back and forth in the comments is worth reading.


Fingertips

From today’s Austin American Statesman, this article discusses the fraud deterrent effect of fingerprinting applicants for food stamps, and whether it is worth the delay it may be causing in processing (the Department of Agriculture says it isn’t).

There are lessons to be learned at Texas HHSC. Starting here:

The electronic fingerprinting program costs $3 million a year: $1.6 million for a contract with Cogent Systems for the imaging and $1.4 million for state workers’ time. The state and federal governments split the cost.

Last year, the fingerprint program led to the state investigating just four applicants for fraud.

But state officials say it’s impossible to know how many people are deterred from applying multiple times because of the fingerprinting.

But later in the article:

The state estimates that the deterrent effect of fingerprinting saves $6 million to $11 million a year.

I imagine the latter figure could have been pulled from cost justification of the project, or from the vendor’s response to the RFP, or even the LBB when the law was passed. (Does the cost include the initial implementation of the system?) But measuring the actual decrease in applicant fraud is a solvable problem. To say that there is “no way of knowing” the deterrent effect is not defensible. If they never measured a baseline of applicant fraud to begin with, how would they have known how much to spend on an anti-fraud measure? If they don’t try to measure the change post implementation, how do they know it’s working?

On the other, more cynical, hand, why should they care? They are in compliance with the state law, and the system was implemented. The only people who suffer are the citizens who need help to buy food. Folks who may not be able to take off from their minimum wage job, or don’t have the transportation, to go be fingerprinted. Measuring the dignity of your customers is harder than measuring your fraud deterrence cost.

You tell ’em Stevie.


Intent

There’s a whole bunch of the IDC/RSA white paper on insider risk management that puzzles me on one level or another.

“Whether the threats are accidental or deliberate, the costs are still the same.”

I didn’t see much data in the report regarding costs. I’m not sure if they are talking about dollars. Regardless, the controls to prevent either accidental or deliberate data loss probably overlap in most scenarios, so that cost may be similar. It’s the cost of response and recovery that could be wildly different. I would rather pay to have a document restored from backup than pay the costs of data falling into the hands of someone who would steal it. Intent is material in incident response cost. (I’m not married to this idea yet, but I’ve taken it out to dinner a couple of times.)

“Malware and spyware attacks are another example of the risk of good employees doing bad things.”

I don’t think good employees are doing the bad things in malware and spyware attacks. I think it’s bad people doing bad things. I’d categorize the real threat as the operator of the malware or spyware. The employee’s behavior is a control, but given the sophistication of much of the malware around, it is not surprising that this control occasionally fails. (Is visiting NYTimes.com a “bad thing”?) If the security of data is breached due to malware on a desktop, it has gone to bad people. I think this sort of incident belongs in a different category from an error, omission or mistake. There is an intelligent actor intending harm behind the action. Not so with a lost laptop.

Under “Key Findings”:

“14.4 incidents of unintentional data loss through employee negligence in the past 12 months”

So, what does “unintentional data loss” mean? Dropping the wrong table? Hitting “Save” rather than “Save As”? Losing a laptop? That number is not as exciting to me as the 11 incidents of internal fraud a year cited a couple of rows down. Response to “unintentional data loss” could be as simple as pulling a back-up, but fraud incidents are going to burn more organizational cycles and have a demonstrated loss.


Policy and Ethics

The excellent Grits for Breakfast posted several stories of alleged misbehavior at the Bexar County probation office, including a link to the following story from the San Antonio Current. The following passage caught my attention:

According to former Bexar County probation IT Director Natalie Bynum, [Director of Operations] Cline kept a list of known and suspected union members she wanted out of the department. To weed them out and quash the union, she had Bynum meet her repeatedly during and after work to comb through employee email accounts.
“She wanted their computers monitored in order to find out if they were doing any union activities while on the job, also to see what was going on with the union,” said Bynum, who now lives in Arizona and spoke with the Current by phone. “We’d go to the bar and then we’d go back to work afterwards. It would be just us in the office, often-time.”
Bynum, a close confidant of Cline’s during her tenure, says she was motivated by curiosity since she was “not allowed” to speak with known members of the Central Texas Association of Public Employees, a division of the United Steelworkers. Cline and Bynum’s alleged searches weren’t limited to the “five to 10” employees targeted by Cline, either. Bynum told the Current this week that Cline also regularly tapped into her boss’s account to see if Fitzgerald was talking about her.

In most workplaces, this sort of activity may not be illegal, and is probably not even against policy. Still, I sense some ethical boundary is crossed when you start reading your boss’ e-mail. Am I alone? On what grounds could the e-mail administrator deny an “authorized” request for reading e-mail, other than his/her own sense of ethical obligation?


Data Rustler

The best thing to come out of the Texas Lege since… ever.

A bill passed through the state senate increasing the penalty on hacking at the critical infrastructures we got down here Texas-way. (State jail penalty, no less.)

But I’m not talking about the law, but the language of the lawmaker. From the Austin American Statesman:

“[Sen. Kel S]eliger, R-Amarillo, who on Thursday passed through the Senate a bill that would increase penalties for cattle rustling, laughed at the suggestion that today’s bill was of the same genre.

“Yes, it’s going after data rustlers,” he said.

DATA RUSTLERS! YES! I now abandon “hacker,” “cracker,” “identity thief,” and all other similarly situated nouns in favor of the term coined by the gentleman from Amarillo.


Cyber

After a once-over, I’m curious as to the value of the Verizon Business “Data Britches Report.”
http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/

A couple of questions/comments I had on the first read:

1. The document really needs a glossary. It’s hard to parse the special meaning assigned to certain words and phrases as they recur throughout the document. For example: “data breach,” “record,” “incident” and “errors and omissions,” the last of which didn’t mean what I thought it would mean (“negligence” and “non-compliance” seem to convey more of what was intended. When I think E&O, I think “malpractice.”)
2. Is the skew toward “outsider” threats due to the type of service that VB offers? Actually, is the skew of all the data because of the type and quality of service that VB offers? Hell, VB admits to whacked-out skew. So give me some damages! Or, at least give me a standard deviation, if you are going to skew that way.
3. Where are my scatter plots? Someone get these guys some visualization skills.
4. Lumping intellectual property breaches with credit card and NPI in cumulative stats seems wrong to me. It reminds me of an article I read about computer crime that included statistics on hacking, toll fraud and the hijacking of trucks that carried computer chips. That was maybe 12 years ago, or more. This sort of loose affiliation of crimes, torts and misbehavior shoveled under a skirt called “cyber” makes less sense every time I read a “cyber” this or that. How about words like fraud, impersonation, crime, non-compliance?
5. About halfway through, I got the feeling that I was reading a DEA document about the War on Crime. A focus on the incident, without a look at what caused the incident. Who got the money? Why are they stealing data? Is this “cyber” or just fraud? Is it a war we can win? Have we just turned the corner?

Gimme something substantive for a conversation, not just re-hashed status reports that may be misleading.

(Just noticed that Brooke at New School wrote similar comments. I am not alone.)
