Price is what you pay, value is what you get

Nice work by Francois Paget (hattip Andrew Jaquith) pulling together the underground economy's willingness to pay up for quality:

Last Friday morning in France, my investigations led me to visit a site proposing top-quality data for a higher price than usual. But when we look at this data we understand that, as everywhere, you have to pay for quality. The first offer concerned bank logons. As you can see in the following screenshot, pricing depends on available balance, bank organization and country. Additional information such as PIN and Transfer Passphrase are also given when necessary:
[Screenshot: price list for bank logons, by balance, bank and country]

Since financial services drive a lot of the information security industry, it is fair to ask: are they doing a good job of securing systems and data, or are they just moving more risk on to the consumer? In 2008, should we be telling people to type usernames and passwords into web forms and then use those "secrets" (cough, cough) to make business decisions?

Weak identity = weak claim = weak access control.

From Ross Anderson's book, Security Engineering (2nd edition):

Were I designing an online banking system now, I would invest most of the security budget in the back end.

Rote Based Access Control

I think RBAC is, next to firewalls and SSL, the biggest silver-bullet misconception in infosec. I cannot count how many times I have heard managers say that if we just had RBAC all our identity problems would be solved. These same managers work in companies that reorg every 6 months and outsource anything that moves. Not that RBAC is useless; it can solve some problems, but it introduces some too. Pamela Dingle:

Roles are indeed in the domain of the “identity weenie” — but alone, roles are nothing but a maintenance nightmare - they exist to be leveraged. Rules on the other hand, are the problem of the “authorization weenie” and are written (for example) as a WAM policy that says “All Production Accountant Level II resources can access the accounting SharePoint instance”. When you collect roles into a profile and collect rules into a policy and then evaluate for a given user, resource, and point in time, what you eventually get is an entitlement, i.e. “Jenny should get into the accounting SharePoint instance”. The goal is to have transitive logic between roles and rules, such that two different people can take on the two different statements being made. Jenny’s Manager can authoritatively state (through a workflow approval) that Jenny is indeed a production accountant. The owner of the Accounting SharePoint instance can authoritatively state (through an authorization policy) that all production accountants should have access to their site. ... What happens when the system detects the static presence of two conflicting roles? What happens if one role is “truer” than another at some point in time?

The other silver-bullet fallacy that RBAC introduces is the idea that objects, subjects and sessions can be bundled so nicely enterprise-wide. People look at their nice org charts and assume that you just plug that into your directory and go. It works great in a domain with hard edges, like a call center where discrete groups of people execute the same tasks the same way across many sessions. Not so good once you step above the rote-task level. Interestingly, "God level" access works well with roles too, but we are not supposed to be building systems with that stuff any more, right?
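Here is an added example, not from the original post or from Pamela Dingle's work, of what the roles-plus-rules evaluation above looks like in code: a role assignment carries the approver who asserted it and a validity window, a rule is the resource owner's policy statement, and the evaluator joins the two at a point in time to produce an entitlement, failing closed when two conflicting roles are both active because it cannot know which one is "truer". The role and resource names, the people, and the separation-of-duty table are hypothetical.

```python
# Added example (not from the original post or from any product): a minimal entitlement
# evaluator joining role assignments (asserted by an approver) with resource rules
# (asserted by the resource owner) at a point in time. All names below are hypothetical.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class RoleAssignment:
    """One role asserted for a person by an authoritative approver (e.g. a manager via workflow)."""
    role: str
    approved_by: str
    valid_from: date
    valid_to: Optional[date] = None  # None means open-ended

    def active_on(self, when: date) -> bool:
        return self.valid_from <= when and (self.valid_to is None or when <= self.valid_to)


@dataclass(frozen=True)
class Rule:
    """A resource owner's policy statement: holders of `role` may perform `action` on `resource`."""
    role: str
    resource: str
    action: str


# Hypothetical separation-of-duty table: role pairs that must never be active together.
SOD_CONFLICTS = [frozenset({"production_accountant_ii", "accounts_payable_approver"})]


def _as_date(when: Union[str, date]) -> date:
    return date.fromisoformat(when) if isinstance(when, str) else when


def active_roles(profile: List[RoleAssignment], when: Union[str, date]) -> Set[str]:
    """Roles in force on `when`. A reorg ends a role by setting valid_to, not by deleting history."""
    day = _as_date(when)
    return {a.role for a in profile if a.active_on(day)}


def sod_violations(roles: Set[str]) -> List[List[str]]:
    """Conflicting role pairs that are both present in `roles`."""
    return [sorted(pair) for pair in SOD_CONFLICTS if pair <= roles]


def evaluate(profile: List[RoleAssignment], policy: List[Rule],
             resource: str, action: str, when: Union[str, date]) -> Tuple[bool, str]:
    """Derive the entitlement for (resource, action) on `when`.

    Returns (allowed, reason). Fails closed when two conflicting roles are both active,
    because the evaluator has no way to know which role is the "truer" one.
    """
    roles = active_roles(profile, when)
    conflicts = sod_violations(roles)
    if conflicts:
        return False, f"conflicting roles active: {conflicts}"
    granting = sorted(r.role for r in policy
                      if r.resource == resource and r.action == action and r.role in roles)
    if granting:
        return True, f"granted via role(s) {granting}"
    return False, "no active role is granted access by policy"


# Constructed sample data.
ACCOUNTING_POLICY = [
    Rule("production_accountant_ii", "accounting_sharepoint", "read"),
    Rule("accounts_payable_approver", "ap_system", "approve"),
]
# Jenny's manager approved her PA II role at the start of 2008.
JENNY = [RoleAssignment("production_accountant_ii", "jenny.manager", date(2008, 1, 1))]
# After a mid-year reorg Jenny moves to AP; the old role is end-dated rather than deleted.
JENNY_AFTER_REORG = [
    RoleAssignment("production_accountant_ii", "jenny.manager", date(2008, 1, 1), date(2008, 6, 30)),
    RoleAssignment("accounts_payable_approver", "ap.owner", date(2008, 7, 1)),
]
# A sloppy reorg that forgot to end-date the old role: both roles active at once.
JENNY_OVERLAP = [
    RoleAssignment("production_accountant_ii", "jenny.manager", date(2008, 1, 1)),
    RoleAssignment("accounts_payable_approver", "ap.owner", date(2008, 7, 1)),
]

if __name__ == "__main__":
    for label, profile, day in [("before role", JENNY, "2007-12-31"),
                                ("in role", JENNY, "2008-05-01"),
                                ("after reorg", JENNY_AFTER_REORG, "2008-08-01"),
                                ("overlap", JENNY_OVERLAP, "2008-08-01")]:
        print(label, evaluate(profile, ACCOUNTING_POLICY, "accounting_sharepoint", "read", day))
```

The two authoritative statements stay separate: the approver only ever touches RoleAssignment records and the resource owner only ever touches Rule records, and neither side can mint an entitlement on its own. The reorg case is the one the managers in the paragraph above forget: if the old role is not end-dated, the evaluator sees both roles, and a fail-closed denial is the right answer until a human decides which assertion is current.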

Learning from Ghana

It's always interesting to see where the developed world can learn from emerging economies. A lot of the best engineering work comes from having to deal with harsh constraints (the opposite of architecture astronautics). I blogged a while ago about using smart cards for digital cash in Africa.



Looks like there is a new system in Ghana as well

E-zwich smartcard launched

E-ZWICH smartcard, a universal electronic system that facilitates easy access to and transfer of money, has now become part of financial transactions in Ghana.

The new system which is also designed to remove the cumbersome and insecure processes of using cash, was launched in Accra yesterday by President J.A. Kufuor, with a call on corporate bodies and government agencies to use it to ensure transparency and integrity on payrolls.

E-zwich is an electronic payment system that allows one to make payments for goods and services or transfer money to others without having to carry physical cash.

Available at all banks countrywide, the system involves the loading of money onto the smart card after registering with any bank, without necessarily having an account with that bank.

President Kufuor said the introduction of the system has the potential of transforming the payments landscape, the financial services industry and the general conduct of business in the country.

He said accessing the technology was an integral part of government’s overall vision of making Ghana the gateway to the West Africa sub-region and transforming her into a major financial hub.

The President said that globalisation has come with a major challenge of adopting best practices in all spheres of endeavour especially within the macro economy in order to survive in the market.

He said it was against that background that the government has pursued policies to develop and modernise the financial sector to enable it to play a key role in resource mobilisation for increased investment.

With the reforms and the stability of the macro-economy, President Kufuor said the nation was witnessing dramatic growth in the banking sector.

He pointed out, however, that in spite of the impressive growth of financial institutions, an estimated 80 per cent of the eligible population was still "un-banked" or "under-banked" and seemed not to have access to financial services.


I wonder when we will see US, UK and other first-world banks and brokerages catch up to Ghana and South Africa on these technologies. Is it really a good idea in 2008 to have everyone type their username and password into a web browser?

Sun in Microsoft's Rearview Mirror on Software Security

James McGovern muses:

Good to run across Sun employees such as Gerald at OWASP chapter meetings. Hopefully for the next event, he can figure out how to bring down a dozen or so folks from Sun labs. After all, they probably understand the need for writing secure code more than the Microsoft crowd. This makes me wonder if Pat Patterson has ever attended OWASP meetings on his side of town?

It would be great to see Sun get involved with OWASP, but I see no evidence that they understand the need for writing secure code more than Microsoft does. In fact I see every evidence that Sun is several years behind Microsoft on software security. Let's do the list: Howard and LeBlanc's work, threat modeling, the Patterns and Practices security guidance, the SDL, SecPal, BlueHat, the OWASP guidance work, and that is all before we get to identity. From what I see it's a yawning gap. It would be great if Sun would rediscover its engineering roots at some point, but right now I don't think they are even in the conversation.

Air travel revenue

I know the airlines are struggling with revenues, but instead of charging people for bringing 5 more pounds of luggage, why not consider the entertainment business? Bill Simmons:

Why is there no sports book in McCarran Airport in Vegas? The place is full of slot machines. Isn't a sports book the perfect gambling option for someone on a layover who doesn't want to play slots? -- Jeff, Valparaiso, Ind.

SG: You're making too much sense. McCarran needs a sports book, blackjack and craps, and it needs an area where you can walk around in a black leather jacket screaming "Serrano's got the disks! Serrano's got the disks!" without airport security tackling you.

There is no question you could charge people to reenact "Serrano's got the disks."

Omaha Trip Report

Last weekend I went to Omaha for the Berkshire Hathaway (A, B) annual meeting; there were many highlights.


Around 30,000 people showed up to hear Warren Buffett and Charlie Munger hold court. I had read the meeting notes from the previous few years and was excited to hear what they had to say. Buffett could not have been a more gracious, patient host (he revealed that he had been too shy to do public speaking when he was younger; he signed up for a Dale Carnegie speaking course, gave them a check for $100, went back to his apartment and then stopped payment on the check; the next time he signed up he paid the $100 in cash), and Munger was very witty and insightful. Oh, and Bill Gates was there, but I did not get a chance to ask him any WS-* questions.



I also got to briefly meet Bill Mann, one of my favorite analysts at the Motley Fool, where he runs the Global Gains service (I wanted to meet Alex Dumortier but missed him; still, running into one person in 30,000 was pretty good), and I got to thank Bill for picking a couple of nice stocks. If you like learning about Argentinian land companies one month, Macau casinos the next and Irish banks the following as much as I do, then this service is for you. Bill took notes of his favorite quotes:

Munger on investment banks

CM: It is crazy to allow things to get too big to fail, run with knavery. As an industry, there is a crazy culture of greed and overreaching and overconfidence trading algorithms. It is demented to allow derivative trading such that clearance risks are embedded in system. Assets are all “good until reached for” on balance sheets. We had $400m of that at General Re, “good until reached for”. In drug business you must prove it is good. It is a crazy culture, and to some extent an evil culture. Accounting people really failed us. Accounting standards ought to be dealt with like engineering standards.

Munger on risk(!): the double layering of risk protection. These guys view risk so differently from the herd that it is refreshing. It's about avoiding permanent capital loss. It's the assets, stupid.

CM: You can see how risk averse Berkshire is. We try to behave in a way so that no rational person will worry about our credit. We also try to behave in a way that if people don’t like our credit we wouldn’t notice for months. That double layering of protection against risk is like breathing. The alternative culture is you call a man a Chief Risk Officer, but often he is a man who makes you feel good while you do dumb things. Like the Delphic oracle, a dumb soothsayer, and how can he do dumb things if he has a PhD and can do all the advanced math! You crave a system such that you torture reality to fit a structure that doesn’t match with extreme situations in reality, you feel confident because you compute the risks, but you haven’t -- you have just clobbered up your own head.

Munger on nuclear war (heads up survivability people)

CM: Mexico had a 95% mortality rate from European settlers, the pathogens and such. So I think the species will survive. I hope that cheers you up.

On subprime

How do we better measure leverage and accounting of assets, integrity?

WB: It is a very tough thing. I still lean strongly towards fair value accounting – it is hard to use, but should we use cost? I think there are more troubles when you start openly valuing things at prices that don’t matter instead of best estimates even if inaccurate. I would stick with financials reporting assets at fair value. When you get into CDOsquared, the documentation is enormous. If you read a standard residential security – it consists of thousands of mortgages, then different tranches. Then take CDO and take junior tranches on a whole bunch of juniors – put them together and diversified in theory – a big error to start with. That was nuttiness squared. You had to read 15,000 pages to get a CDO, then 750k pages to evaluate one security in a CDOsquared. To let people use 100cents they paid vs. the 10cents it trades at in market is an abomination. Fair value discipline, mild as it may be, may keep managements from doing some stupid things. I lean toward the market value approach. When you get towards complex instruments, I don’t know how you value it. Charlie, back at Salomon I think you found one mismarked by $20m, right?

CM: A lot goes on in bowels of American industry which is not pretty. A lot of people got overdosed on Ayn Rand. They would hold that even if an axe murderer in a free market is a wise development. I think Alan Greenspan did a good job on average, but he overdosed on Ayn Rand that whatever happens in free market is going to be alright. We should prohibit some things. If we had banned the phrase, “this is a financial innovation which will diversify risk”, we would have been far better off.

They had all the Berkshire family companies represented and we walked the floor: Johns Manville, Shaw Carpet, DQ, the works. Even Mars was there, even though they had only joined the Berkshire family the week before.



John Steven demonstrated how a firewall works: crunchy on the outside, smooth and creamy on the inside, at least until the whole thing melts.



Finally, we went out to the airport to check out the NetJets planes.


Long drive back to MN; thanks to Ned's Treo-ing we found an outstanding German restaurant outside Ames, IA, just off the highway: The Old Hamburg. No Dunkels for me, because I was driving, but everything else was awesome. I worked off and on in Germany for a number of years and never had anything this good.


I have learned more about security from Buffett and Munger than reading anyone in information security, and it was a pleasure to see them hold court in person. I hope to attend many more.

Building a Security Architecture Blueprint at Secure 360

Next week I am talking on "Building a Security Architecture Blueprint - A Strategic Approach to Enterprise Security" at the Secure 360 conference in the great state of Minnesota.

Overview
Information is a strategic asset, yet the practice of information security in firms is a patchwork of one off tactical solutions that lack a cohesive, rational framework. The purpose of the security architecture blueprint is to bring focus to the key areas of concern for the enterprise, highlighting decision criteria and context for each domain. Since security is a system property it can be difficult for Enterprise Security groups to separate the disparate concerns that exist at different system layers and to understand their role in the system as a whole. This blueprint provides a framework for understanding disparate design and process considerations; to organize architecture and actions toward improving enterprise security.

The talk will survey the Security Architecture Blueprint I published last year. We will do an overview of the strategic framework and then drill down into how we practically apply it, looking at some of the most interesting domains in information security: static analysis, Web services security and federated identity. We will use these examples to illustrate how the framework helps ensure a comprehensive approach to making decisions and tradeoffs when building security into your systems.

Newspapers - Yesterday's News for Yesterday's People

You'd be hard pressed to find a large industry with worse economics than newspapers. From this week's Economist:

THE New York Times once epitomised all that was great about American newspapers; now it symbolises its industry's deep malaise. The Grey Lady's circulation is tumbling, down another 3.9% in the latest data from America's Audit Bureau of Circulations (ABC). Its advertising revenues are down, too (12.5% lower in March than a year earlier), as is the share price of its owner, the New York Times Company, up from its January low but still over 20% below what it was last July. On April 29th Standard & Poor's cut the firm's debt rating to one notch above junk. ... Pick almost any American newspaper company and you can tell a similar story. The ABC reported that for the 530 biggest dailies, average circulation in the past six months was 3.6% lower than in the same period a year earlier; for Sunday papers, it was 4.6% lower. Ad revenues are plunging across the board: by 22.3% at Media General, for example. In 2007 total newspaper revenues fell to $42.2 billion, not to be sniffed at, certainly, but a lot less than the peak of $48.7 billion in 2000.

Closer to home, Toby Dayton has the story on the epic flailing at the Star Tribune:

In yesterday’s post, I attempted to estimate the current valuation of the Star Tribune in the context of Blackstone’s negotiations with Avista and Credit Suisse. I surmised that the $100M Avista invested is worth nothing today, and that the remaining $430M in debt was worth no more than $215M, and probably quite a bit less given the fact that the guy on the other side of the table is Steven Schwarzman, a guy who can afford to pay Rod Stewart $1,000,000 just to sing at his 60th birthday party.

Interestingly enough, today’s Star Tribune details with surprising precision, the valuation of the Strib. Avista has, in fact, notified its limited partner investors that at the end of 2007 it had written off 75% of the $100M it invested in the paper, and that the value of the remaining $25M is ‘uncertain.’ Of the $430M in debt, $340M is trading at 56 cents on the dollar which equates to a value of $190M. (I didn’t take the time to look up the debt yesterday but I guess I could have or maybe should have. I suppose that’s why bloggers are bloggers and not professional journalists). Another $96M in subordinated debt is trading at 10 cents on the dollar, for a value of $9.6M. That all adds up to a value of $225M that Avista places on its own company. Keep in mind, this is just the starting point for what type of value ‘the market’ would place on the very same assets.

The Internets are to blame, they say, and I do understand you cannot easily change a hard-wired industrial-age distribution model overnight. But here is one thing I do not understand: the one thing newspapers have is reporters. Why doesn't the newspapers' content reflect the technology age? Why is all the interesting content on computing and the Internet on the web only? Where is the NYT interview with Werner Vogels, for example?

Marc Sewell wrote a great book on software architecture in which he foretold a day when software architecture would be discussed in the NYT as much as real-world, physical architecture. Why has this not happened? Where is the SOAP, REST, Web 2.0 debate in the NYT? Is IBM's three-ESB strategy a good one? Why doesn't Gary McGraw have a weekly editorial in the NYT?

There are very, very few newspapers that cover technology in a meaningful sense; Brian Krebs is a shining example, and, well, I cannot think of anyone else. Why not? These are big honking industries with major impact on our lives. You don't have to be a geek to get the story, you just have to use basic reporting skills.

Part of the newspapers' problem is that their distribution model is outmoded, but the other, more serious problem is that their content is not relevant: they are missing the story as the information age unfolds.

BRIC Boom

I guess this has been obvious for a while, but when you step back these are still seriously impressive numbers (ft.com):

This growth is being fuelled by both international and domestic demand. Bric economies helped to push up the share of global exports from emerging markets from 20 per cent in 1970 to 42 per cent in 2006, according to Professional Wealth Management. At the same time, capital flows into the Brics and emerging markets have reached record levels, with the Institute of International Finance reporting that foreign direct investment jumped by more than 50 per cent from $167.4bn in 2006 to $255.6bn in 2007.

In fact, since Brics first featured in the wealth management lexicon, investment inflows have been fuelling their equity markets. Between November 2001 and 2007, Brazil’s stock market rose 369 per cent, India’s by 499 per cent, Russia’s by 630 per cent and China’s by 201 per cent if you use the A-share market, or 817 per cent based on the Hang Seng China Enterprises Index.

Given these robust equity markets, it is not surprising that the Bric countries accounted for 39 per cent of global initial public offering volume last year, up from 32 per cent in 2006.


Stalking the right software security metric

Zach Gemignani from Juice Analytics posits the following rules for choosing the right metric:

[Figure: the four dimensions of a good metric: actionable; common interpretation; accessible, credible data; transparent, simple calculation]

One of the best tools for security metricians is static analysis; let's see how it compares on the four dimensions.

Actionable - Static analysis findings are actionable because the tools prescribe remediations for the security vulnerabilities they find.

Common interpretation - Generally this is the hardest thing to get "out of the box"; a common interpretation of security metrics usually requires mapping to policy, architecture and/or standards that are agreed on.

Accessible, credible data - Static analysis conducted against an objective set of rules that can be customized provides a good way both to see the rule and to verify its logic.

Transparent, simple calculation - At MetriCon 2.0, Fredrick DeQuan Lee from Fortify showed a nice, simple calculation for grading applications, based on the Morningstar model for grading mutual funds:

1 Star: Absence of Remote and/or Setuid Vulnerabilities

2 Stars: Absence of Obvious Reliability Issues

3 Stars: Follow Best Practices

4 Stars: Documented Secure Development Process

5 Stars: Passed Independent Security Review

I am a big fan of maturity continuums such as this (if you can't get one star there is not a lot we can do for you), because it gives you a fixed point and something to shoot for. This is just one example, but I think static analysis tools are the best security metrics tool we have in software security.
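As an added example (not Fortify's or Lee's code, and not from the original post), here is that five-level grade computed from a scan's findings plus process evidence; the finding categories, rule ids, file locations and evidence flags are hypothetical. The point it makes that the list alone does not is that the levels are gating: the grade is the count of consecutive levels cleared from the bottom up, and the output names exactly what blocks the next star.

```python
# Added example (not from the original post, Fortify or MetriCon): a gated star grade
# computed from static analysis findings plus process evidence, following the five
# levels listed above. Finding categories, rule ids and evidence flags are hypothetical.
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Finding:
    rule_id: str       # the analyzer rule that fired (hypothetical ids below)
    category: str      # "remote", "setuid", "reliability" or "best_practice"
    location: str      # file:line


@dataclass
class Evidence:
    findings: List[Finding] = field(default_factory=list)
    documented_sdl: bool = False             # level 4 evidence
    independent_review_passed: bool = False  # level 5 evidence


def _tags(evidence: Evidence, *categories: str) -> List[str]:
    """Human-readable tags for every finding in the given categories."""
    return [f"{f.rule_id}@{f.location}" for f in evidence.findings if f.category in categories]


# (stars, description, function returning the blockers for that level). Cleared in order.
LEVELS: List[Tuple[int, str, Callable[[Evidence], List[str]]]] = [
    (1, "absence of remote and/or setuid vulnerabilities", lambda e: _tags(e, "remote", "setuid")),
    (2, "absence of obvious reliability issues", lambda e: _tags(e, "reliability")),
    (3, "follows best practices", lambda e: _tags(e, "best_practice")),
    (4, "documented secure development process",
     lambda e: [] if e.documented_sdl else ["no documented SDL"]),
    (5, "passed independent security review",
     lambda e: [] if e.independent_review_passed else ["no independent review"]),
]


def grade(evidence: Evidence) -> Tuple[int, str, List[str]]:
    """Return (stars, next_level_description, blockers).

    stars is the number of consecutive levels cleared starting at level 1; a higher level
    never compensates for a lower one (a documented SDL is worth nothing while a remote
    vulnerability is open). blockers lists exactly what stands between you and the next
    star, which is what keeps the grade actionable.
    """
    stars = 0
    for level, description, blockers_for in LEVELS:
        blockers = blockers_for(evidence)
        if blockers:
            return stars, description, blockers
        stars = level
    return stars, "all levels met", []


# Constructed sample evidence.
CLEAN_NO_PROCESS = Evidence()  # clean scan, no process evidence: stops at 3 stars
SDL_BUT_REMOTE = Evidence(
    findings=[Finding("cmd-injection", "remote", "ship.py:42"),
              Finding("null-deref", "reliability", "parse.c:88")],
    documented_sdl=True,
)                              # the SDL does not help: 0 stars while the remote finding is open
FIVE_STAR = Evidence(documented_sdl=True, independent_review_passed=True)

if __name__ == "__main__":
    for name, ev in [("clean, no process", CLEAN_NO_PROCESS),
                     ("SDL but remote vuln", SDL_BUT_REMOTE),
                     ("everything", FIVE_STAR)]:
        print(name, grade(ev))
```

The mapping from a real analyzer's rule ids to the four categories is the part that needs agreement up front (the "common interpretation" dimension above); once it is written down, the calculation itself is small enough that anyone can recompute the grade from the raw findings.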

Got ideas for the "right" security metric? MetriCon 3.0 is coming up soon!
