17 Security Related Phrases We Are Sick of Hearing

1. “What is the key to our wireless again?”


2. “I downloaded something and now my computer is acting all weird”


3. “Why do I need to use the VPN all the time?”


4. “How come I have to apply updates all the time?”


5. “At home I run macs because they don’t get viruses and malware”


6. “Hey, can you teach me how to hack?”


7. “Is there any way to get around me having to type my password over and over again?”


8. “I clicked on it because it totally looked like it was from my bank”


9. “I think my twitter account has been hacked, what do I do now?”


10. “Should I get my CISSP?”


11. “Is it safe to click on this self-signed cert?”


12. “I have no idea how that pornography got on my computer?”


13. “The webpage said that this cloud services was 100% secure?”


14. “I locked myself out of my account again, can you reset it?”


15. “I think I may have just lost a bunch of important files, what do I do?”


 16. “Can I get root access on this server?”


17. “We will get back to you on those security-related changes you recommend”


Accounting for the uncountable

Albert Einstein Gives a Lecture

Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted. —Albert Einstein

I know now more than ever why he made this point.  Back in 2009 I blogged on this topic and wanted to revisit it briefly before I start in a direction that will ultimately place me back in the industry where this research can be applied.

In my independent study of Gregory Bateson and Alfred Korzybski I truly understood for myself that the name is not the things named or as some would say the map is not the territory.  I call your attention to this manner of thinking because we have a problem with metrics in that the count is not the things counted.  Many metrics for risk and compliance describe beautiful mathematical formulas but only see a limited success because the classification of the things being counted is narrowly understood beyond a few individuals.  This blog posting makes the assertion that our problem with effective metrics is not one of numbers but one of semantics; not of the counts but of the things counted.  Since April of this year, I’ve been working on a few computational systems that side step the requirement put forth by number systems and I’m excited to test them out in the real world.

The things being counted must be named, defined, and ultimately understood by a community of practice.  The very act of naming is an act of mapping or classification; it comes with a certain level of precision and consequences. A useful classification standard for one community may be useless for another. To the degree that this mapping or classification is common with others in your community of practice, you achieve a mutual semantic coherence (some call this objectivity but I reject that term).  The durability of a set of metrics is challenged when multiple communities of practices are asked to engage in a common objective for the business.  Such is the case when one proposes a standard terminology and metrics that apply across a large enterprise consisting of multiple communities of practice and diverse personas.  To be useful one must know what these metrics mean and to be able to draw inferences from experience.  Needless to say, the process of stabilizing semantics across communities are extremely expensive and for those performing this in purely information spaces like information security, rapid change makes this practically impossible.

A measurement system must be judged on the notion of “usefulness to a community of practice” and this scoping must be made explicit.  The utility is a function of the audience’s ability to draw inference from the counts and things counted.  Let me share with you an example I experienced with a Canadian co-worker back in 2009.  I said “Dude, it was in the 90’s in San Francisco today”.  A blank face appeared as I saw him think and convert this implicit 90 degrees Fahrenheit to Celsius ((F – 32) x 5/9) because he could not draw an inference from Fahrenheit.  Inferences like it being weather for shorts, no jacket required, that it is odd for San Francisco to have a high of 32 Celsius, that homes in San Francisco don’t have AC because it is never that hot and so on and so on.

When you look at the notion of temperature, you can see that the different communities have chosen different standards because of the way they have come to know those units and it is more about the semantics than the mathematics.  This becomes exponentially more difficult when the syntax is the same but the semantics vary.  Take terms like ‘asset’ or ‘platform’ and you can fill a page with what it means in certain context with certain communities even within the same enterprise.  Each community of practice has come to know the term ‘asset’ in very different ways; this person has encoded work and meaning in ways that are different than others.  While mathematics remains important, we must turn our focus to formal ways to share semantics. Only then can we share both the numbers (the count) within their intended context (the things counted); semantics that can only be seen through a keen ethnographic eye that respects heterogeneous sense-making and the diverse viewpoints of an enterprise.

So while I am not going to spill the beans just yet, I will say that more important than numbers and counts, are the means to compute membership to classes.  You are probably saying to yourself, well, does that not require numbers?  I mean I need to score higher than 70 to pass this test, I need to score less than 40 to pass this audit, etc.  We got so hung up on number systems to help us compute membership to a set that everyone forgot to explore the other techniques.  Welcome to the wonderful world of semantic reasoning and in the coming months, I will have many stories to tell.  Thanks to the great works of Einstein, Bateson, and Korzybski, accounting for the uncountable will finally make sense.

The Spy Who Loved Me (be tracked and earn points!)


Almost every task you perform is online and almost every online service you subscribe to is tracking your behavior in detail.  And, the reality is that this is happening offline as well.  How many loyalty cards are you carrying around to get points?  Guess what all those businesses are doing with the data they gather from your loyalty cards? That’s right, they are tracking your every move.

Everyone is freaking out about the NSA tracking US citizens, but their local grocery store, Amazon, and their favorite search engines are likely to have a longer history of “spying” on their behavior.  Beyond these obvious data collection mechanisms, bike computers, fitness monitors, and mobile phones are all publishing location data to systems that are not very well protected.

As a consumer of online and offline services, do you have a choice about being tracked?  Not really.  I dare you to try and be proactively anonymous.  The effort alone, not to mention the discounts you will forfeit, will be significant.  On average, you save about 10% to 20% in loyalty programs and that can really add up. If you really want to be anonymous, you’ll need to pay in cash and that’s not very convenient. You’ll also need to enter all your personal accounting data manually and as Sweet Brown would say: “ain’t nobody got time for that!” Of course, cash will also limit your vendor selection.  Anonymity, or even it’s close approximation, will take practice and skill that you just don’t have and the people tracking you are banking on this fact.

Parents, employers, governments and online vendors all want to “spy” on you so they can “make” you a better son or daughter, student, employee, citizen, or customer.  No matter which role you fall into during a specific transaction, the “spying” is supposed to be for your benefit.

My point is that if you accept the fact that spying or tracking is a given, then instead of complaining about it you can get proactive. This makes it possible to make conscious decisions about who is allowed to “spy” on you. I think consumers should approach this decision by evaluating these criteria:

1) Make sure you are the one getting a tangible benefit. This doesn’t have to be a discount, it could be priority access to information or better status. Whatever it is, it should be meaningful to you – don’t give your data away for nothing.

2) Demand that the data being collected on you is protected in some way.  Some people tracking you are absolutely careless about how they store and protect the data and this is not going to change until consumers collectively demand a change.

One other issue that hasn’t been addressed by most vendors tracking your behavior is ‘identity noise’ or ‘profile pollution’ caused when multiple people using a single login. Most systems assume a one to one relationship between users and logins, or are based on an incorrect assumption that you only shop for yourself. When you start allowing others to make purchases using your login or buy things for your children or friends with very different tastes, stupid recommendations start to appear rendering recommendation engines annoying instead of helpful.

Netflix recently came to terms with the fact that multiple people were using the same Netflix account and instead of fighting it, they introduced the concept of multiple profiles associated with the same login/password.   Now a single account can have up to 5 profiles, so your kid’s unicorn or pony cartoons and your wife’s romance flicks don’t pollute your quality sci-fi recommendations.  Good job Netflix!

Believe it or not, it’s possible (and maybe even likely) for us to become even more traceable. Just wait until Tiles are available and used by the masses.  All I have to say about this is that the people behind Tiles better have badass security people working on the design and implementation or it has the potential to make really bad things happen.  Tiles could get very creepy very fast; for example, they could be hidden in gifts so subsequently something in your proximity can be tracked.  Give a gift that keeps on spying – ugly but extremely possible.

Are you paranoid yet?  I’m not sure you will ever be sufficiently paranoid because so many of these monitoring acts are being sold with major benefits. Deep discounts, rewards, recommendations that you would have not found on your own — all of these things are the positive side of vendors “spying” or tracking your actions.  Marketing and business intelligence systems require more precision about customer behavior so businesses have become very effective in their communications in order to remind you that every action they are taking is “for your own good”.

This battle is being won or lost in the hearts and minds of consumers, not in the bits and bytes of the data vendors are collecting. And all hope for privacy isn’t completely lost. Eventually, it will all works itself out but the issues are more social than technical.  Just remember this: You are a person of interest to someone and that someone will want to track you.  This has been true since the day you were born.