Omaha Trip Report

Last weekend I went to Omaha for the Berkshire Hathaway (A, B) annual meeting; there were many highlights.

[Photo: Berkshire Hathaway annual meeting]

Around 30,000 people showed up to hear Warren Buffett and Charlie Munger hold court. I had read the meeting notes from the previous few years and was excited to hear what they had to say. Buffett could not have been a more gracious, patient host (he revealed that he had been too shy to do public speaking when he was younger; he signed up for a Dale Carnegie speaking course, gave them a check for $100, went back to his apartment and then stopped payment on the check; the next time he signed up he paid the $100 in cash) and Munger was very witty and insightful. Oh, and Bill Gates was there, but I did not get a chance to ask him any WS-* questions.

[Photo: the exhibit floor]

I also got to briefly meet Bill Mann, one of my favorite analysts at the Motley Fool, where he runs the Global Gains service (I wanted to meet Alex Dumortier but missed him; still, running into one person in 30,000 was pretty good). I got to thank Bill for picking a couple of nice stocks. If you like learning about Argentinian land companies one month, Macau casinos the next, and Irish banks the following as much as I do, then this service is for you. Bill took notes of his favorite quotes:

Munger on investment banks

CM: It is crazy to allow things to get too big to fail, run with knavery. As an industry, there is a crazy culture of greed and overreaching and overconfidence trading algorithms. It is demented to allow derivative trading such that clearance risks are embedded in system. Assets are all “good until reached for” on balance sheets. We had $400m of that at General Re, “good until reached for”. In drug business you must prove it is good. It is a crazy culture, and to some extent an evil culture. Accounting people really failed us. Accounting standards ought to be dealt with like engineering standards.

Munger on risk (!): double layering of risk protection. These guys view risk so much differently from the herd; it is refreshing. It's about avoiding permanent capital loss. It's the assets, stupid.

CM: You can see how risk averse Berkshire is. We try to behave in a way so that no rational person will worry about our credit. We also try to behave in a way that if people don’t like our credit we wouldn’t notice for months. That double layering of protection against risk is like breathing. The alternative culture is you call a man a Chief Risk Officer, but often he is a man who makes you feel good while you do dumb things. Like the Delphic oracle, a dumb soothsayer, and how can he do dumb things if he has a PhD and can do all the advanced math! You crave a system such that you torture reality to fit a structure that doesn’t match with extreme situations in reality, you feel confident because you compute the risks, but you haven’t -- you have just clobbered up your own head.

Munger on nuclear war (heads up survivability people)

CM: Mexico had a 95% mortality rate from European settlers, the pathogens and such. So I think the species will survive. I hope that cheers you up.

On subprime

How do we better measure leverage and accounting of assets, integrity?

WB: It is a very tough thing. I still lean strongly towards fair value accounting – it is hard to use, but should we use cost? I think there are more troubles when you start openly valuing things at prices that don’t matter instead of best estimates even if inaccurate. I would stick with financials reporting assets at fair value. When you get into CDO-squared, the documentation is enormous. If you read a standard residential security – it consists of thousands of mortgages, then different tranches. Then take CDO and take junior tranches on a whole bunch of juniors – put them together and diversified in theory – a big error to start with. That was nuttiness squared. You had to read 15,000 pages to get a CDO, then 750k pages to evaluate one security in a CDO-squared. To let people use 100 cents they paid vs. the 10 cents it trades at in market is an abomination. Fair value discipline, mild as it may be, may keep managements from doing some stupid things. I lean toward the market value approach. When you get towards complex instruments, I don’t know how you value it. Charlie, back at Salomon I think you found one mismarked by $20m, right?

CM: A lot goes on in bowels of American industry which is not pretty. A lot of people got overdosed on Ayn Rand. They would hold that even if an axe murderer in a free market is a wise development. I think Alan Greenspan did a good job on average, but he overdosed on Ayn Rand that whatever happens in free market is going to be alright. We should prohibit some things. If we had banned the phrase, “this is a financial innovation which will diversify risk”, we would have been far better off.

They had all the Berkshire family companies represented and we walked the floor: Johns Manville, Shaw Carpet, DQ, the works, and even Mars was there even though they had only joined the Berkshire family the week before.

[Photo: John Steven's firewall demonstration]

John Steven demonstrated how a firewall works: crunchy on the outside, smooth and creamy on the inside, at least until the whole thing melts.

[Photo: the firewall]

Finally, we went out to the airport to check out the NetJets planes.

[Photo: NetJets planes]

Long drive back to MN. Thanks to Ned's Treo-ing we found an outstanding German restaurant outside Ames, IA, just off the highway: The Old Hamburg. No Dunkels for me, because I was driving, but everything else was awesome. I worked off and on in Germany for a number of years and never had anything this good.

[Photo: The Old Hamburg]

I have learned more about security from Buffett and Munger than reading anyone in information security, and it was a pleasure to see them hold court in person. I hope to attend many more.

Risk Management != Uncertainty Management

Recall that in Authorization is a Puzzle, Authentication is a Mystery I made the case that logic should operate differently when you are working with good information (puzzles) than with uncertain information (mysteries). I think that decoupling risk and uncertainty leads to more effective security architectures, and in fact using a Dhandho Infosec approach we want to spend more time on risk and less on uncertainty. The former leads to more effective actions, whereas the latter often devolves into spin cycles and counting the number of SQL injection attacks that can fit on the head of a pin.

So this piece, which I found quoted on Mapping Strategy, makes a lot of sense to me:

Our global financial system has become so staggeringly complex and opaque that we’ve moved from a world of risk to a world of uncertainty. In a world of risk, we can judge dangers and opportunities by using the best evidence at hand to estimate the probability of a particular outcome. But in a world of uncertainty, we can’t estimate probabilities, because we don’t have any clear basis for making such a judgment. In fact, we might not even know what the possible outcomes are. Surprises keep coming out of the blue, because we’re fundamentally ignorant of our own ignorance. We’re surrounded by unknown unknowns.

Some smart risk people like Alex Hutton disagree with my suggested prioritization of highly effective/low risk instead of high risk/low effectiveness, but however you want to prioritize, I think we can all agree that it's important to understand which problem set you are dealing with and to know that you need to bring different tools to bear depending on the problem space context.

It's not like we are sitting on a pile of highly effective tools for high risk problems. We are sitting on:

1. Low effectiveness tools for high risk areas
2. Highly effective tools for low risk areas
3. And metric tons of low-effectiveness tools for low risk areas (see here)

So you really do have to choose. I have had this discussion in the context of static analysis tools with several consultants; the security consultants bashed static analysis tools as weak and demonstrated how they can find so many more bugs in a manual review. Now, these are excellent security consultants, and if you could afford to have them review every line of your code I would recommend it.

But here is the thing: you can't afford that, and even if you had the money it slows down the process if you are rolling lots of code. Static analysis tools don't find everything, and a lot of what they find may not be the highest risk, like say an architectural flaw (note: I am *not* saying that software security is a low risk area), but the point is they find it, it's automated, repeatable, the tools keep getting better and you can actually *solve* the problems they find. We would be in a lot better place as an industry if we used tools to find and solve as many puzzles as possible and spent less time in uncertainty spin cycles.

Dr. Geer goes to Washington

Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology
Hearing, Wednesday 25 April 07, entitled Addressing the Nation’s Cybersecurity Challenges: Reducing Vulnerabilities Requires Strategic Investment and Immediate Action

The purpose of risk management is to improve the future, not to explain the past. Security metrics are the servants of risk management, and risk management is about making decisions under uncertainty. Therefore, the only security metrics we are interested in are those that support decision making about risk for the purpose of managing that risk. I urge the Congress to put explaining the past, particularly for the purpose of assigning blame, behind itself. Demanding report cards, legislating under the influence of adrenaline, imagining that cybersecurity is an end rather than merely a means — all these and more inevitably prolong a world in which we are procedurally correct but factually stupid. A clearinghouse review of what we know how to measure and how good what we know is at predicting the future would be a good start as we do not even know what it is that we do not know. - Daniel E. Geer

Stockpickr Computer Security Index

Stockpickr has set up "a portfolio of stocks that I believe are both cheap and good for this security play, regardless of the economy." The Computer Security Index includes the usual suspects like Symantec, McAfee and such. Interestingly, the article notes:

Symantec is also among the holdings of deep-value investor Bruce Sherman of Private Capital. Sherman, as I've mentioned before, is particularly known for investing in the sorts of value companies that end up being bought by Warren Buffett's Berkshire Hathaway (BRK.A - Cramer's Take - Stockpickr - Rating).

It kind of makes sense that value-type investors, who ordinarily don't dip too much into the technology pool, would be interested in security, since security is an ongoing cash-generating business and (from the outside) relatively boring. Leave it to the contrarian value investors to invest in information risk management businesses, eh? The current list for new investing in the security space includes Cisco (CSCO) (see, even Wall Street analysts recognize the value of XML Security Gateways and the Reactivity acquisition), Microsoft (MSFT) (Wall Street loves Mike Howard's SDL), and Sourcefire (FIRE).
Interestingly enough, several large investors are heavily invested in physical security companies like Tyco as well.

Looks like the Stockpickr Computer Security index is lagging the Ping Identity Federation index, though.

[Chart: Stockpickr Computer Security index vs. Ping Identity Federation index]

**************************************************

Upcoming public SOA, Web Services, and XML Security training by Gunnar Peterson, Arctec Group: NYC (April 19), Unatek Web Services (May), OWASP App Sec Europe (May), Helsinki (June), DC/Baltimore (July 19).

Warren Buffett on Risk Management

From Berkshire Hathaway's (BRK.A)(BRK.B) annual letter from the chairman:

The big unknown is super-cat insurance. Were the terrible hurricane seasons of 2004-05 aberrations? Or were they our planet’s first warning that the climate of the 21st Century will differ materially from what we’ve seen in the past? If the answer to the second question is yes, 2006 will soon be perceived as a misleading period of calm preceding a series of devastating storms. These could rock the insurance industry. It’s naïve to think of Katrina as anything close to a worst-case event.


Neither Ajit Jain, who manages our super-cat operation, nor I know what lies ahead. We do know that it would be a huge mistake to bet that evolving atmospheric changes are benign in their implications for insurers.


Don’t think, however, that we have lost our taste for risk. We remain prepared to lose $6 billion in a single event, if we have been paid appropriately for assuming that risk. We are not willing, though, to take on even very small exposures at prices that don’t reflect our evaluation of loss probabilities. Appropriate prices don’t guarantee profits in any given year, but inappropriate prices most certainly guarantee eventual losses. Rates have recently fallen because a flood of capital has entered the super-cat field. We have therefore sharply reduced our wind exposures. Our behavior here parallels that which we employ in financial markets: Be fearful when others are greedy, and be greedy when others are fearful.

This describes some of the fundamental concepts in risk management that get missed in Information Security. It is OK to take risks; InfoSec's job is not to tell the business what risks to take, rather it is to highlight the risk and the risk management options. What countermeasures can we deploy to protect the assets in this transaction that would make the tradeoffs more palatable?

But of course, it is not just the big challenges and decisions, but the small ones too. Just as Buffett is averse to small exposures at bad prices, InfoSec should examine this balance as well. I remember a talk a few years ago by Jay Beale at Black Hat; he was speaking on IDS/IPS and other kinds of cutting edge stuff, and Beetle from the Shmoo Group stood up in the middle of the talk and said, basically, "this is ridiculous; instead of all this new technology, businesses need to focus on locking down their operating systems" and so on. The point is that the job of Information Security is not to avoid risk at all cost, or to deploy every security technology under the sun, but to find the right amount of countermeasures to deploy based on the assets in play in a given context.

A useful model for security architects is an investment counselor. If your investment adviser gave the exact same guidance to everyone would that be useful at all? Not so much, but this is more or less the equivalent to what you see in many information security policies.

Instead, do what investment advisers do: based on the relevant factors (age, time to retirement, risk tolerance, and so on), recommend a set of stocks, funds, and bonds that meet the client's needs. The Information Security architect should have a portfolio of security services that can offer the right mix of defense in depth services based on the business factors.

Vertex Pharma CEO on Biotech Nation

"David Ewing Duncan and Dr. Moira Gunn speak with Joshua Boger, the President and CEO of Vertex Pharmaceuticals (VRTX). They discuss rational drug design: how Vertex re-engineered their HIV/AIDS drug into one for Hepatitis C."

This 30 minute interview gives a good in-the-trenches view of what it takes for a biotech to bring a finished product to the market; Boger calls it the best video game around. He also talks about something that resonated with me, namely that as a company this is really about managing a portfolio more than any one single drug. To me, making a sustainable biotech by leveraging the knowledge in the database of all the successful and failed tests seems like it would create a lot of value. The basic science that was targeted at HIV could also be applied to HCV. In other words, iterating and updating what you do based on both successes and failures. Sounds like a rational approach to me. In software security, we often want to find security mechanisms that deal with a wide variety of threats. The biotechs are playing at risk management with billions of dollars and human lives at stake based on their risk management investment and direction decisions.

A couple of other interesting notes: Boger says they take the approach of putting their basic science out into the literature so everyone can learn from it, even if there is some competitive disadvantage. This seems to me to be analogous to companies like Red Hat that do open source software. I think the act of formalizing something to the degree that it is publishable probably helps with the rigor of the internal analysis.

In the discussion of HCV, he noted they are looking to have 1,000 patients in clinical trials by the end of 2007, and look to send it to the FDA in 2008. They estimate, based on what the CDC shows, that there are 3-4 million people chronically infected in America (4 times as many Americans dealing with these liver issues as there are with HIV). The company has had some success with their protease inhibitors, which execute a DoS-like effect on the virus.

Integrated Transaction Puzzle

Robert Morris, Sr. gave a very interesting problem at Defcon a few years back. It describes very well why security technologies like network firewalls and SSL are insufficient by themselves, and in my view why we need technologies like Federation, SAML, Cardspace, WS-Security, and other tools to help us build what is required to operate in an increasingly malicious system.

"This is a long term problem. If you work on it and make any progress against it, you'll find yourself much smarter at the far end, than you were at the near end.

When I was in Norway about 5 years ago, I was there very close to the summer solstice. I was wandering around town at 2 o'clock in the morning and there was plenty of light out. You come to a sign that says New Minsk about 60 km and it points south.

And I ask the lady "what country is this?"

She scratched her head for a bit, and said "well I think it's Norway"

I said "well who plows the roads?"

"well Norway does, but we have to pay them."

There is a triple boundary in this town that I was in between Norway, Finland and Russia.

But what I did there, was, I had a card about wallet size, I stuck it into a machine, I punched in four digits, and it gave me about 2,000 krone, whatever the hell that is.

Now there are a lot of participants in that transaction. When I put a card into that machine, punch in a pin, and it gurgles for awhile, and finally gives me, a fairly large amount of money. There are a lot of participants in that transaction. The bank that owned the machine that gave me the money, it gave some money away -- that bank wants it back. The pin is necessary to convince my own bank that I'm me. But I don't want my pin to be broadcast all over the world. My bank in the US, it hasn't really given out or taken in any money, really. But there is a lot of credits involved here. Somebody needs to charge somebody else for having more money available. Even though there was actually no cash transfer.

And the problem that I have in mind is

- who are all the participants in an ATM transaction?

- what do those participants need to satisfy their problems?

- how is that in fact done?

In a general way, does the ATM system actually work in some reasonable sense? To which the answer is by the way: yes. The ATM system damn well works. With extremely high reliability and accuracy. It surprises me. It's quite a bit different than voting machines.

One part of the issue is that the ATM network is more of a puzzle, while the web is a mystery. However, the real gap with firewalls and SSL is that they are all-or-nothing propositions. With network firewalls you are supposedly "inside" the firewall, in the DMZ, or "outside" the firewall. Yet we know that gajillions of transactions and attacks plow right through the firewall on a regular basis. With SSL, we are able to create a confidential channel, but once that channel terminates, say at your load balancer or firewall, you have no way to guarantee any integrity or confidentiality for the transaction beyond the termination point. And you have no way to provide a security model that satisfies multiple parties in the context of a given transaction; this is what I find so interesting about what the WS-Trust standard provides. WS-Trust assumes that different token types (SAML, X.509, Kerberos) are desired at different endpoints and that what we really need is a way to move them around in some standard way. It is partly an integration problem, and partly an interoperability problem. Call it SOA, call it REST, call it Web 2.0, call it eCommerce, call it whatever; this is a problem all technologies that engage in valuable transactions with multiple players need to solve. More thoughts on how are here.
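The "beyond the termination point" gap above is easiest to see in code. The following is an added example, not from the original post or from any WS-* specification: the client attaches a message-level integrity tag (an HMAC standing in for a WS-Security signature) to the transaction body, a simulated load balancer terminates the secure channel and re-serializes the plaintext, and the back end verifies the body it actually received. The key, field names, amounts and the `terminate_and_forward` hop are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key shared by the client and the back-end service only; the
# intermediary never holds it. Placeholder value for the example.
SHARED_KEY = b"constructed-example-key"


def canonical(body):
    """Deterministic serialization so sender and receiver sign identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(body, key=SHARED_KEY):
    """Client side: attach a message-level integrity tag that travels with the
    body, independent of whatever channel happens to carry it."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_message(msg, key=SHARED_KEY):
    """Back-end side: recompute the tag over the body actually received and
    compare in constant time."""
    expected = hmac.new(key, canonical(msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("tag", ""))


def terminate_and_forward(msg, altered_amount=None):
    """Simulates the hop after SSL/TLS termination: the intermediary sees the
    plaintext, re-serializes it, and (to model a fault or a compromised box)
    may change a field before forwarding it to the back end."""
    forwarded = json.loads(json.dumps(msg))  # fresh copy, as a proxy would make
    if altered_amount is not None:
        forwarded["body"]["amount"] = altered_amount
    return forwarded


def channel_only_accepts(msg):
    """With channel security alone, nothing arrives with the message that the
    back end can check, so it has to take the body at face value."""
    return "body" in msg


def run_transaction(altered_amount=None):
    """Returns (amount the back end sees, accepted under the channel-only
    model, accepted under the message-level model)."""
    request = sign_message({"account": "12345678", "amount": 2000, "currency": "NOK"})
    received = terminate_and_forward(request, altered_amount)
    return (received["body"]["amount"],
            channel_only_accepts(received),
            verify_message(received))


if __name__ == "__main__":
    print("intact   :", run_transaction())        # (2000, True, True)
    print("altered  :", run_transaction(20000))   # (20000, True, False)
```

The channel-only path accepts both messages because, past the termination point, the back end has nothing to verify; the message-level tag detects the altered amount without the intermediary needing to be trusted. A real deployment would use an asymmetric signature and a per-party token so that each participant in the transaction can verify the part it cares about, which is the multi-party property the post attributes to WS-Trust.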

Vulnerability Puzzles and Mysterious Threats

From Dan Geer, we know that digital security is fundamentally about risk management. We further know that risk is comprised of threats exercising vulnerabilities against some set of assets, which may or may not be defended by the countermeasures we deploy. This is all well and good; it looks great in the PowerPoint, but doesn't exactly help your average middle manager or pragmatic CSO fill in their project plans of what to do about security in an organization.

To help focus and find action steps, I advocate that my clients separate their activities into several categories; two important categories are threat management and vulnerability management. How to differentiate the two? Well, first off, it is helpful to understand where you can be proactive (most desirable) and where you must be reactive. I explored the difference between risk and uncertainty in a paper on Identity Management Risk Metrics:

Risk differs from uncertainty in that risk may be measured and managed whereas uncertainty may not. Risk management efforts hinge on this important distinction because it highlights differences where a team may be more proactive. For instance, many vulnerabilities are known, hence they may be measured and managed, whereas the threats to a system contain a greater degree of uncertainty in that the threat environment contains numerous elements, such as threat actors, that one’s organization cannot directly control.

Malcolm Gladwell explores a related concept - puzzles and mysteries:

"The national-security expert Gregory Treverton has famously made a distinction between puzzles and mysteries. Osama bin Laden’s whereabouts are a puzzle. We can’t find him because we don’t have enough information. The key to the puzzle will probably come from someone close to bin Laden, and until we can find that source bin Laden will remain at large.

The problem of what would happen in Iraq after the toppling of Saddam Hussein was, by contrast, a mystery. It wasn’t a question that had a simple, factual answer. Mysteries require judgments and the assessment of uncertainty, and the hard part is not that we have too little information but that we have too much. The C.I.A. had a position on what a post-invasion Iraq would look like, and so did the Pentagon and the State Department and Colin Powell and Dick Cheney and any number of political scientists and journalists and think-tank fellows. For that matter, so did every cabdriver in Baghdad.

The distinction is not trivial. If you consider the motivation and methods behind the attacks of September 11th to be mainly a puzzle, for instance, then the logical response is to increase the collection of intelligence, recruit more spies, add to the volume of information we have about Al Qaeda.

If you consider September 11th a mystery, though, you’d have to wonder whether adding to the volume of information will only make things worse. You’d want to improve the analysis within the intelligence community; you’d want more thoughtful and skeptical people with the skills to look more closely at what we already know about Al Qaeda. You’d want to send the counterterrorism team from the C.I.A. on a golfing trip twice a month with the counterterrorism teams from the F.B.I. and the N.S.A. and the Defense Department, so they could get to know one another and compare notes. If things go wrong with a puzzle, identifying the culprit is easy: it’s the person who withheld information. Mysteries, though, are a lot murkier: sometimes the information we’ve been given is inadequate, and sometimes we aren’t very smart about making sense of what we’ve been given, and sometimes the question itself cannot be answered. Puzzles come to satisfying conclusions. Mysteries often don’t."

What does this have to do with infosec? There is a lot of vulnerability data out there. Many known knowns. Excluding zero days (which are unknown to enterprise security managers), we have many vulnerability puzzles to deal with. These puzzles can be sized, remediated, measured (how many vulns? where? how long to patch?), managed, etc.
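The three questions in parentheses (how many, where, how long to patch) are exactly what makes the vulnerability side a puzzle: given the records, the answers are computable. The following is an added example, not from the original post: a handful of constructed findings with severity, discovery and fix dates, reduced to an open count, an open-per-host breakdown, mean time to patch, and the findings that have blown past a per-severity remediation deadline. The hostnames, finding ids, dates and the `SLA_DAYS` deadlines are all assumptions made for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample findings: hostnames, ids and dates are invented for the
# example. 'fixed' is None while a finding is still open.
FINDINGS = [
    {"host": "web-01", "id": "VULN-0001", "severity": "critical",
     "found": date(2007, 4, 1), "fixed": date(2007, 4, 3)},
    {"host": "web-01", "id": "VULN-0002", "severity": "high",
     "found": date(2007, 4, 1), "fixed": date(2007, 5, 12)},
    {"host": "web-02", "id": "VULN-0003", "severity": "medium",
     "found": date(2007, 4, 10), "fixed": None},
    {"host": "db-01", "id": "VULN-0004", "severity": "critical",
     "found": date(2007, 5, 20), "fixed": None},
    {"host": "db-01", "id": "VULN-0005", "severity": "low",
     "found": date(2007, 3, 1), "fixed": date(2007, 3, 30)},
    {"host": "web-02", "id": "VULN-0006", "severity": "high",
     "found": date(2007, 5, 25), "fixed": None},
]

# Assumed remediation deadline in days per severity; a policy choice for the
# example, not a figure from the post.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def is_open(finding, as_of):
    """A finding is open on the reporting date if it has no fix date yet or
    was fixed only after that date."""
    return finding["fixed"] is None or finding["fixed"] > as_of


def age_days(finding, as_of):
    """Days the finding has been (or was) open, measured up to its fix date
    or, if still open on the reporting date, up to that date."""
    end = as_of if is_open(finding, as_of) else finding["fixed"]
    return (end - finding["found"]).days


def open_findings(findings, as_of):
    """How many? The findings still open on the reporting date."""
    return [f for f in findings if is_open(f, as_of)]


def open_by_host(findings, as_of):
    """Where? Count of open findings per host."""
    return dict(Counter(f["host"] for f in open_findings(findings, as_of)))


def mean_days_to_patch(findings, severity=None):
    """How long to patch? Mean time-to-fix over closed findings, optionally
    restricted to one severity. None when nothing of that kind has closed."""
    closed = [f for f in findings
              if f["fixed"] is not None
              and (severity is None or f["severity"] == severity)]
    if not closed:
        return None
    return sum((f["fixed"] - f["found"]).days for f in closed) / len(closed)


def sla_breaches(findings, as_of):
    """Ids of findings whose age exceeds the deadline for their severity:
    either closed late, or still open and already past the deadline."""
    return sorted(f["id"] for f in findings
                  if age_days(f, as_of) > SLA_DAYS[f["severity"]])


def summarize(findings, as_of):
    """The puzzle answered in one place: count, location, duration, overdue."""
    return {
        "open": len(open_findings(findings, as_of)),
        "open_by_host": open_by_host(findings, as_of),
        "mean_days_to_patch": mean_days_to_patch(findings),
        "sla_breaches": sla_breaches(findings, as_of),
    }


if __name__ == "__main__":
    for key, value in summarize(FINDINGS, date(2007, 6, 1)).items():
        print(f"{key}: {value}")
```

Note what the summary cannot tell you: whether anyone is trying to exercise VULN-0004 on db-01 before it is fixed. That question belongs to the threat side, and no amount of vulnerability data answers it, which is the separation the post argues for.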

Threats and zero day vulns are mysteries; they require different tools and different techniques, like monitoring and detection processes and tools. Gladwell on the evolution from the Cold War to the present day:

Then the pressing questions that preoccupied intelligence were puzzles, ones that could, in principle, have been answered definitively if only the information had been available: How big was the Soviet economy? How many missiles did the Soviet Union have? Had it launched a “bolt from the blue” attack? These puzzles were intelligence’s stock-in-trade during the Cold War.

With the collapse of the Eastern bloc, Treverton and others have argued that the situation facing the intelligence community has turned upside down. Now most of the world is open, not closed. Intelligence officers aren’t dependent on scraps from spies. They are inundated with information. Solving puzzles remains critical: we still want to know precisely where Osama bin Laden is hiding, where North Korea’s nuclear-weapons facilities are situated. But mysteries increasingly take center stage. The stable and predictable divisions of East and West have been shattered. Now the task of the intelligence analyst is to help policymakers navigate the disorder.
...
Puzzles are “transmitter-dependent”; they turn on what we are told. Mysteries are “receiver-dependent”; they turn on the skills of the listener.

When an enterprise "Security" staffs for only one of these, the other is inevitably shortchanged. When security teams conflate threats and vulnerabilities, the result is confusion. Instead, efforts dealing with threats (tune the listener) and vulnerabilities (tune the transmitter) should be separately optimized; besides both being part of "security", they don't have that much in common.

Blaine Burnham on Election Risks

Everyone's favorite election judge Avi Rubin's work on crippling vulnerabilities in Diebold reminded me of Usenix Security 2000, and what Blaine Burnham said in his speech (he was talking about Internet voting, but the same concepts apply):

So we're putting money at risk. With ecommerce we're putting large money at risk, but if Coca-Cola lost its secret formula today, we'd be out Coca-Cola. It's not the end of the world, it's just Coca-Cola, for crying out loud. And on a given day taste tests can't tell 'em apart anyway. With remote surgery, with invasive medicine, we're putting people at risk. The game is changing. And with Internet voting we're putting the very fabric of the country at risk...because of this changing threat model and because of what we are putting at risk, the game is no longer a game. We have to get extraordinarily serious about what we are doing.

Blaine Burnham also said in his talk that "Las Vegas is the monument to the failure of high school mathematics teachers." Hopefully this election won't be the monument to the failure of computer security.

OWASP App Sec Trip Report - Security Metrics version

There was talk aplenty about metrics at the just completed OWASP App Sec conference.

Our friends at Microsoft, led by Mike Howard, repeatedly pointed out their usage of metrics in their SDL. For example, Mike Howard related that MS uses metrics to judge the quality of developers' threat models. We did not get to see examples of the metrics, but I have written to see if/when we could get more details.

OWASP has relaunched an App Security metrics project. It is led by Bob Austin from KoreLogic. I did not hear his talk (slides should be online real soon now), but in talking to Bob it is early days and they are seeking collaborators.

Lastly, my panel, which was at the end of the conference, was focused on the question "What's in your app security toolbox?" and featured Dave Wichers; Brian Chess from Fortify; Alan Murphy, Product Management Engineer, F5; Danny Allan, Director, Security Research, Watchfire; and James Whittaker, Security Engineer, Microsoft. We looked at app security from a number of perspectives (see below), and in order to align efforts across development time, deployment time and run time came to the consensus that a CISO with the prototypical 100 dollars to spend on app security should invest in education/training, metrics, and process.

[Image: app security layers]

I taught SOA Security on the training day and as per usual the training class worked through several examples for using security metrics in an SOA.
