Tea Risk

Posted on March 24, 2009 by dutcherstiles


At the Tea Risk conference today. Heard a woman keynote all over me, until my brain sploded. Her talk was divided into two part:
1. A retrospective of headlines indicate that there has been no progress in information security in the past twenty years. This trip down corrupted memory lane came with wistful recollections of the punch-card, suspender snapping variety. Vax is what we should nostagicate on now. And despite her involvement in security, and yelling the same thing over and over again, No Progress Has Been Made. I was waiting for her confession that she was part of the problem, doing the same thing over and over, expecting different results. Didn’t come. A slight whiff of the “stoopid luzers” but the topic was dropped without conclusion.
2. A detailed trip through her personal hell of IDENTITY THEFT! Here’s what happens: on some records somewhere, her Social Security number is associated with SOMEONE ELSE! Of course, no fraudulent loans were made, no bogus entries on her credit bureaus reports, and the person used a different name, different gender, different address, different date of birth, etc. And yet, she was upset that the police were somewhat reluctant to send out an APD and marshal all available resources to investigate her claim. She hinted that she used less than legal means to get the other individual’s address and driver’s license, and carried around a stack of papers with all her info into a Kafkaesque morass of bureaucracy. I’ve seen this sort of thing before in my previous life as an investigator. It’s not IDENTITY THEFT, it’s a typo. I’ve been brewing a rant in my head about the words “identity theft,” but it probably needs a while longer to attain the desired proof.
This woman’s bio lists her as a “risk consultant.” Maybe that’s why security sux.

Morning at Tea Plantation, by Docbudie via Flickr.

Posted in Uncategorized | Tagged , , | 1 Comment

Non Fiction: Risk

Posted on November 14, 2008 by dutcherstiles

From Alex Roy’s The Driver:

“Our second hour of 150 mph or more inspired a highly unscientific analysis of the actual danger we faced. I concocted what I called The Danger Coefficient (DC). I guessed the average NASCAR driver, in a thirty-six race season including practice, probably drove 15,000 miles — with a safety cage and onboard active fire suppression — on highly prepared tracks, with hospitals less than 14 minutes away by choppers on standby. Assuming this represented a DC of ten, Gumball’s 3,000 miles meant our DC was two…. until factoring our relative safety deficiencies. High speeds over potholes had to triple our DC to six. Civilian traffic doubled it again, to twelve. Time and distance to medical help? Double again, to twenty-four. Lack of roll cages, harnesses and HANS devices? My guesses ended when I realized Gumball — at least the way I did it — was at least five times more dangerous than NASCAR.”

From Wright and Decker’s Burglars on the Job:

They referred to this process as “burning bread on yourself.”

“Thieves got a thang they say [about getting caught,] “If you think about thangs like that, you burnin’ bread on yourself” So you don’t think about it… Just go for it. [No. 011]

Several of the subjects found it difficult to speak about the risk of apprehension, fearing that such talk would jinx their future illegal activities.

Some of the offenders also tried not to think about getting caught because such thought generated an uncomfortably high level of mental anguish. They believed that the best way to prevent this from happening was to forget about the risk and leave matters to fate.

Posted in Uncategorized | Tagged , , | Leave a comment

Fiction

Posted on November 13, 2008 by dutcherstiles

From Ed Park’s Personal Days:

“Every employee would soon be required to create a new log-on password consisting of a mix of nonsequential capital letters and a three-digit prime number and a punctuation mark, and then change it once a month by sending an Excel form to a secure website in Oakland. This was just standard operating procedure.

Each demand felt like the securing of a strap on a straitjacket.”

Posted in Uncategorized | Tagged , , , | Leave a comment

4th Quadrant

Posted on September 18, 2008 by dutcherstiles

My favorite ex-quant, N. N. Taleb, outlines the 4th Quadrant.
Thoroughly enjoyable, but I’m a fan.

This table made sense to me:

In information risk management, what sort of events are fat tailed with complex payoff? Or which are not?
I’ve suspected that there is a parallel between software and markets, as both proxy human behavior, yet are percieved as acting autonomously.

Posted in Uncategorized | Tagged | 1 Comment

The Wisdom of Mobs

Posted on August 27, 2008 by dutcherstiles

Alex mentions stock prices as a potential input into information risk assessment. I’m skeptical of the value of market driven metrics, and the collective wisdom of the market’s crowd in assessing value of an asset. The forces driving stock prices in the short term are not afraid to work with rumor, fact, unrelated fact, remotely disjointed misreported fact and insinduendo.* Corporate stock value can be maintained by close Internet monitoring of cowboy executives, especially if you are in the vicinity of 6th and Lamar in Austin, Texas (a couple of e-mail datapoints: GSD&M and Whole Foods ) Must be something in the bottled water. I’ve said it before (probably), bad stuff will happen long term if you are a third party managing privacy related data, and you blow it. Because your customers will likely have better information, and have the power to put a long term hurt on your bottom line. If you come clean.

And, of course, out asswards talking I am.

And why haven’t I written more in the last few months? I’ll let my son answer that:

http://www.flickr.com/apps/video/stewart.swf?v=59154

*not a word, but I like it anyway.

Posted in Uncategorized | 1 Comment

Visualize World Data Breach

Posted on June 17, 2008 by dutcherstiles


38.2% of the known universe has blogged about the Verizon data breach report and how it has changed their life, and opened their eyes, busted icons and confirmed suspicions. But I looked right at the facts there, but I might as well have been completely blind.

My thoughts are simply:

  • What? No scatterplots? Bar charts and pie charts combined with narrative paragraphs that don’t describe either are sort of lame. Give us an idea if there are two or three mammoth breaches that are skewing your stats. A little creativity would have helped. Don’t just think the data breach. Be the data breach.
  • It would have helped to have “data breach” defined. Sometimes, the stats are describing a leak of GLB-style NPI, other times credit card info, other times website defacements. What do you want to bet that the threats and controls for a theft of trade secrets is different than for a credit card data from a Bennigan’s POS terminal? Is it enlightening to lump this data together? I recall reading many years ago an essay in a scholarly computer science jounal on Computer Crime. They including the classic network hacking and phone phreaking in their analysis, as well as people hijacking trucks carrying motherboards. So, if I hit someone over the head with a laptop that stores unencrypted SSNs, is that a data breach?
  • I will give the Verizon guys extra bonus points for not using the report as a sales lead generation tool. I’ll rant more on that later.

Photo of Gene Clark courtesy of Find-A-Grave. Think Gene Clark, not Eagles.

Posted in Uncategorized | Tagged , , , | 1 Comment

Cruel But Fair: The IT Auditor’s Ball

Posted on April 29, 2008 by dutcherstiles

There is no need to remind me how I dislike Las Vegas. As the woman walking away from the conference this afternoon said, “casinos are full of weird people.” And she wasn’t talking about her fellow information systems governance professionals.

Well, I’m almost live blogging the event (no wireless connectivity? 20 lbs of printed procedings? CACS is old school, baby!) from the IT Audit bloggers meetup (the attendees so far: me & a bottle of cheap scotch).
So what did I learn on my first day at the North American Computer Audit Control and Security Conference?

1. Dumb user jokes still get a laugh. The dumb user jokes need to end now. Really. It adds nothing, and only confirms everyone’s opinion that security and audit people are arrogant and condescending. More on this later.

2. The “I am not a lawyer” defense to compliance. If something is too unpleasant, or unsavory, yet explicitly outlined in law and regulation, there is a tendency to punt the enforcement to legal. Cause, you don’t want to practice law without a license. You know, cops aren’t lawyers, either. Nonetheless they enforce the laws. This is an issue that can be solved, and likely has been, between auditors, security practitioners and lawyers.

3. The ice machine on the 13th floor of the Rio is broken. This is the thoughest lesson I’ve learned. But experience is a bitter and effective teacher.

4. Can gaussian distributions be helpful in analysis of breach disclosure? My butt was in the wrong seat to attend this talk, but the slides were curious (mostly because the color-coding in the pie charts didn’t work in the B&W procedings). I would have been interested in hearing how that would work. I don’t have the depth in stats to have flung anything at the presenter, but I may have had the guts to shout “HERETIC.”

Soundtrack for today: “Raving & Drooling”

Posted in Uncategorized | 2 Comments

Metrics Gone Wrong: Horsepower at 100% Throttle

Posted on April 17, 2008 by dutcherstiles


In the April issue of Bike magazine, Simon Hargreaves examines the myth of the dyno. The rise of the the Dynojet Dynamometer provided a cheap, standard way to measure motorcycle horsepower, allowing a common manner to rate the impact of your performance tweak. Roll your bike up to the rollers, and wind it up to full throttle. Moments later, the dyno spits out a pretty graph with torque and horsepower. (I recall a sweaty, restless July night at Texas World Speedway, the motorsport jewel of the Bryan/College Station where my buddy and I parked the VW camper van next to the dyno. Yosh pipes howling through 100% throttle get old after about the 15th carb rejetting, but the dyno truck’s jam box pumping out interstitial “Give It Away” got old after the 5th round. )

None the less, Hargreaves cites the problem with a standard measure:

First, higher horsepower figures than the manufacturer next door sells more bikes than him, though – second – higher horsepower figures bring anti-biking legislation closer and closer, despite the fact that – third – accident figures aren’t related to increased power, even though – fourth – the performance of your three 160hp models comfortably exceeds the ability of your customer to get anywhere near using it all without crashing.

The answer is measuring 40% and 20% throttle as well. The nebulous corner exit power that was measured only in sphincter tension or nebulous terms like “grunt” and “oomphus” is now a value that can be colored red, blue or green and plotted on a pretty graph. And a telling graph it is, as the GSX-R1000 appears to have dropped power at 20% throttle (to reduce highsideability) while maintaining the pornographic 160hp at top.

So, the top number, the easy number, the number of honorable tradition, means less and less once it is maxed. The tweaks underneath where there, and important. But you are stuck with your gut feeling until you plot it with a pretty blue line.

Posted in Uncategorized | Tagged , | Leave a comment

Metrics Gone Wrong: Body Count

Posted on April 14, 2008 by dutcherstiles

From the Washington Post, and which also I heard on the radio this morning, the Colombian army finds a twisted method to meet their performance metrics:

But under intense pressure from Colombian military commanders to register combat kills, the army has in recent years also increasingly been killing poor farmers and passing them off as rebels slain in combat, government officials and human rights groups say. The tactic has touched off a fierce debate in the Defense Ministry between tradition-bound generals who favor an aggressive campaign that centers on body counts and reformers who say the army needs to develop other yardsticks to measure battlefield success.

This is the most extreme example of how a metric intended to track progress toward a goal becomes a measure of performance for the implementers. Focussed on the finger pointing at the moon, rather than the moon itself, the implementers manage the metric but undermine the goal. I don’t believe this behavior is uncommon. I saw this sort of behavior in a past life as a fraud examiner. An individual forged a stack of documents, because he understood more documents were good for the company, their legitimacy only an inconvenience.

Posted in Uncategorized | Tagged , | 2 Comments

Releative Position and Privacy

Posted on March 17, 2008 by dutcherstiles


Ed Felton recently wrote two posts on the failure of the marketability of privacy, and how corporations and consumers should respond. According to Felton:

There’s an obvious market failure here. If we postulate that at least some customers want to use web services that come with strong privacy commitments (and are willing to pay the appropriate premium for them), it’s hard to see how the market can provide what they want.

In the follow-up, Felton describes a standard contract and a sort of privacy escrow protocol to protect individuals against the desperate actions of a cratering start-up.

The more I read and think about privacy, the theory that an individual’s privacy has a value that can be exchanged on the market becomes less and less compelling. Frank Pasquale wrote at Concurring Opinions that in the market model, you trade your privacy for efficiency and convenience, using Gmail as an example:

[C]onsider the type of suspicions that might result if you were applying to a new job and said “By the way, in addition to requiring 2 weeks of vacation a year, I need to keep my email confidential.” The bargaining model is utterly inapt there. . . . just as it would have been for women to “bargain” for nondiscrimination policies, or mineworkers to bargain, one by one, for safety equipment.

He concludes that people who trade their privacy will outcompete those who do not, and that
“[a] collective commitment to privacy may be far more valuable than a private, transactional approach that all but guarantees a ‘race to the bottom.’ ” The paper he cites on cost benefit analysis and relative position was interesting (to me at least) when read in terms of privacy. From the abstract:

When a regulation requires all workers to purchase additional safety, each worker gives up the same amount of other goods, so no worker experiences a decline in relative living standards. The upshot is that an individual will value an across-the-board increase in safety much more highly than an increase in safety that he alone purchases.

“Privacy” can be substituted for “safety.” Can “security” also be considered in this context? Is it already?

Posted in Uncategorized | Tagged , , , | Leave a comment