Secrets, Wikileaks, and Hacktivism

Current events have put into keen focus the balancing act between privacy, data controls, the reason secrets are kept, and ethics.

So if you haven’t had an interest in Wikileaks, related individuals, the classified information that was leaked to them, and the people that did it, let’s get you caught up.

First, I would suggest the long New Yorker piece on Julian Paul Assange, the ambassador and frontman of sorts for Wikileaks.

Then perhaps you can review the breaking news thread in Wired here, here, here, and here.

The 2600 Magazine synopsis here.

The Wikileaks video from 26c3. My commentary about those conference talks is here.

Really what’s happening here is a conflict of principles. Lamo informing on Manning to the feds is an interesting character distinction in a difficult situation.

Last weekend this moved from an example of the tipping of a balancing act between two separate philosophical ideals, do no harm and information should be free, to one of polarizing schools of thought. When Manning told Lamo that he was hoovering up compartmentalized information in bulk and throwing it to Wikileaks (I paraphrase), Lamo seemed to reach his tipping point and turned him in.

While I have respect for both ideals at play in the 101 write-ups already up about this, a lot of the reaction to it smacks of confirmation bias and radical honesty, which prevents me from taking some of its points very seriously. Taken to an extreme, my view is that these notions undermine diplomacy, privacy, free enterprise, and the rule of law.

Risky Business made an interesting characterization on their podcast that Wikileaks is not a journalistic organization. “You can be an activist or a journalist, but you can’t be both.” The concept of a shield for whistleblowers and journalists is an interesting one and one that I find appealing about Wikileaks. Being a hacktivist is also interesting but is rarely legal. Based on Manning’s chat logs, it’s clear that he went out of his way to gather sensitive data stored places where he did not have ready access and send it to unknown persons overseas.

The uncertainty of who processes that data at Wikileaks is part of what raises concern about the organization for Lamo and for United States agencies, if I read the tea leaves correctly.

Interestingly enough, people like Assange feel entitled to picking and choosing what rule of law they follow. I would like to hear which set of laws that he and his organization feel are applicable to them.

The hacker culture ideal of “no more secrets” is great until you realize that it’s hard to have a meritocracy. Maybe it’s impossible.

Will Gragido and I are going to give a talk sometime about our vision of the ideal natures of our industry: he speaking about his ideal of a sort of modern bushi, and I taking the other side of the coin, the measured agitator. Samurai vs. ninja; mod and troll.

These two archetypes, the one of honor and responsibility and the one of instigator and agitator for change, are what I see as the key roles for success: the philosopher warrior and the maker of effective change; innovator and practitioner.

The individuals with our skillset in our industry are usually tasked with safeguarding data that people think is important.

Because of who we are and what we do on a daily basis, most people in this industry develop a highly refined sense of risk and of others’ maturity for dealing with risks and secrets. Would you ever want to employ someone to keep your secrets who wears one of these t-shirts?

I’ve only read my clients’ email when they have specifically requested that I do so. Why? Because I’m not a prick who betrays the responsibility that has been entrusted to me. It is my job to secure and safeguard data, not be entertained by it or share it irresponsibly or indiscriminately.

In the end, Manning betrayed the trust and oaths that he took to his employer and nation, the United States. Did he do this to serve what he perceived as a greater purpose? I guess I’ll look forward to learning his answer in court documents and in his lecture series and book on the subject when he pulls a Mitnick later on when he gets out of prison.

Meanwhile, Lamo continues to entertain the whirlwind. It should be an interesting HOPE and Defcon this year.


Threats, Threat Modeling and Analysis

This is a super high level presentation about basic threat modeling, SDL, and why a proactive stance is better than a reactive one. I thought that it was fun.

I’ve had even less time to myself than usual lately so let me apologize in advance for not separating and expanding on my speaking notes from the deck like I have in the past. To make up for it, please feel free to use this deck if you are introducing SDL to your team(s).

Download file formats:
pdf
keynote


The Art of Keeping Things Done

The current field of information security is largely one of arcana, vagueness, arbitrary views, philosophy, mountaintop sages, a general lack of reliable data, and legions of vendors selling “best practices.”

It was my hope that I could help out a little by giving a talk on my take of how our industry can best navigate during these turbulent and weird times and come toward relevance and transparency.

That’s enough of a preface. Here’s the talk I gave at the Seattle NAISG meeting this month.



Public and Private

In this brave new internet world (as of about 1995), I’ve been thinking of my personal information sharing generally as public and private.

Information Classification

Because of my work, classifying information comes as second nature. I have two separate and non-intersecting information streams. You are reading part of one of them.

100% of the talk about people on social networks and things going horribly wrong is about people who don’t make clear distinctions between the public, professional, personal, and social aspects of their lives. Getting into etiquette with social networks can be tricky. I find it best to, as a rule, separate business and pleasure.

Partial Disclosure

Public information is available for anyone in the world to read. I put it out there so that people can learn a bit about me.

The reason I started writing things in the public eye is because I realized that if I didn’t define myself and give people something to read who didn’t know me, someone else would. This is the same reason that I don’t publish raw slide decks of my presentations, but I put my speaking points intermixed with the slides in a blog posting. Text based communication loses a lot of intent and inflection, so I try to make up for it in this way.

I didn’t want to have a blog. Once upon a time, when I was younger (and even more naive), I thought that I could get by on merit alone; I believed that if I did good work, my work would be recognized for and stand on its merits. I read things like The Fountainhead (watch the movie) and took from it “Oh! If I do good work and work toward my own sense of excellence, I will triumph in the end!”

I don’t think so anymore. I think success takes more than merit.

Not only do you have to do good work, but people need to know about it. You need to help people directly, impart lessons you’ve learned without being an arrogant jerk, and sell them on why a good solution is better than a thought-to-be-sufficient solution.

Blogging

When Livejournal came out, I thought it was lame in the same way Jennicam was lame. My conclusion was that blogging was about media and attention seeking. I didn’t have a need for a public blog so that people who didn’t know me could learn tons about me without my knowing them.

More importantly, it wasn’t interesting.

I found it massively egotistical that anyone would want to know what I bought at the grocery store or ate for lunch. I didn’t understand sharing of the mundane. Clearly many people do not share this opinion today.

The things I put on my blog are my presentations, the way I manipulate data for my own uses when I haven’t seen it represented my way previously, or my attempts to explain the poorly explained. The ideal that I aspire to is “If I wouldn’t find it interesting to read, I don’t write it.” I imagine that might come off as rampagingly egotistical at times, but I really make an effort not to be. I laugh at myself and at life as much as possible. It’s pretty ridiculous a lot of the time. My work tends to be very serious and can affect, in a real, appreciable way, the lives of others. I take it very seriously. When people do important work badly, I can take it as a personal affront.

I would like to post more, but too much of it is sensitive, under contractual obligations, or in personal confidence. Unlike many people that do not share my views, I can’t disclose in good faith.

Social networks

What I find interesting about social networks, and by that I mean mostly Twitter and Facebook, is that they can introduce a gray area between public and private information: a social periphery of information that busy people share in order to keep in touch with people they think are cool.

That’s pretty much how I view a friends list: “These are people I think are cool.” Whether I would invite you to an informal party is my general baseline for inclusion in my social network.

Twitter: Low attention span blogging and random link sharing.

Bad Penny: Informal writings, past sharable presentations, and general information sharing of things I find interesting.

Facebook: Fun people that I associate with socially.

LinkedIn: People I have done business with or know professionally that I would vouch for. Yes. I really do know all of those people and have had dealings in the past.

Be Cool

Like any good rule, it is proven by its exceptions. Excessively cool people are allowed to break most rules.

My advice to everyone: be excessively cool and don’t take things seriously that do not merit being taken seriously.

Life is too short to be taken seriously. — Oscar Wilde

Work and play are words used to describe the same thing under differing conditions. –Mark Twain

In every real man a child is hidden that wants to play. –Friedrich Nietzsche

Humanity has advanced, when it has advanced, not because it has been sober, responsible, and cautious, but because it has been playful, rebellious, and immature. –Tom Robbins

Necessity may be the mother of invention, but play is certainly the father. –Roger von Oech


Monopoly Customer Service

After a few years of avoiding the cable industry, I went ahead and signed up for Comcast Highspeed2Go, a new bundled service where they resell Clearwire and combine it with conventional broadband home internet service.

As is usual with large non-technical business operations, and I feel that I must classify Comcast as such, they launched a product that they could not support. I spent a few hours on the phone with them attempting to figure out why they disabled the wireless cards they sent me. They sent me a total of three cards and then disabled each of them after about a week.

This last week I didn’t feel like giving Comcast another two-hour free tech support call, and sent all of their wireless gear back to them. Previously I had spent a few hours talking to people in attempts to navigate their broken process in order to get home service installed and activated.

The time of a consumer seems to be a free resource according to Comcast. They have a robodialer calling me now asking me to call some number. No thanks. I’m already at my quota for time wasted talking to you guys this month. I’ll be happy to pay you when you send me a bill consistent with our agreements.

This is nothing new. Back when I managed leased lines from telcos, I eventually found a backchannel into their top tier of support to get recurring and completely preventable problems resolved. I monitored their uptime. I reported their outages. I gave them their remediation process. If I didn’t, the business that I worked for would suffer.

Usually I assume good will, but my experiences as a consumer and as a professional with Comcast in particular point in another direction.

My point here is that branding is considered more substantial than service. I’m sure this is a business decision that was made when they worked the numbers and determined that giving five 9s of uptime and quick problem resolution was more expensive than just running more commercials, forcing out competition, suing municipal projects designed to give an alternative, and having the illusion of support on Twitter.

In an upcoming white paper, some associates and I will be discussing some aspects of this issue. Sometimes quality of service and streamlined operations matter. Occasionally a company makes a business case for giving good service and honest commitments. Invariably, they are purchased and wrapped under one of the huge brands to be forgotten after their customers are re-absorbed into the amoeba of near-monopoly mediocrity.

This seems to be the new model for innovators and people who are good at their jobs:

  • Find an unmet market need to improve
  • Do it better, faster, more reliably, or with pretty colors
  • Get bought out and paid (mostly) in stock
  • See your business die at the hands of the insiders that can’t improve themselves
  • Move on to something else

Where does this leave the market? Large non-agile organizations who are prone to mismanagement buy all of the intellectual property and use political influence and bare-knuckle market pressures to keep themselves on top of the heap.

Result: the market and consumers suffer.

See also the current state of patents, software and otherwise.

Some services and systems should not be held to the minimum standard of MBA business sufficiency where any excess money spent past the point where the customer will not fire the vendor is waste. My experience tells me that the standard of five 9s is generally becoming a thing of the past. Huge websites turn themselves off for multi-hour maintenance routinely with no notice. Cell phone providers incur day-long nationwide outages. Cable companies turn down a variety of services without warning or notification for undetermined amounts of time.

No standard of service seems to be the preeminent emerging standard of service. The myth of the disposable worker is in full effect here.

I’m seeing this as a market opportunity for service providers. I would wager that consumers who can pay will pay to not talk to these people. That was the Speakeasy sales model when I was their consumer in the past:

We’ll provide you with DSL service and you won’t have to talk to any incompetent jerks. Pay a little more a month and it’s completely worth it.

Speakeasy could compete with Covad and Qwest offerings (even though they resell both of them) because the big guys do such a bad job of taking care of their customers. Qwest and Covad are on board with this Comcast consumer model.

These MITMing businesses should increase as this continues, since real competition is not currently allowed to occur, simply because consumer time does have a value that is not being addressed.

The cable and other telcos had better watch out that they don’t kill their own markets. As soon as a fast data alternative comes along, be it from Google, a national broadband plan, or fast unlimited wireless, all of their business models are toast.

Keep it up, guys. We’ll see you in the technology deadpool soon enough.
