
Archive for January, 2008

The Security Catalyst Show | Plan - Do - Review your way to success

Into the Breach is really taking shape - but I have been eager to get back behind the microphone and share the ideas and concepts I have been working on. You witnessed my transition to The Security Catalyst last year, and with it, my focus on changing the way people protect information.

In this podcast, I share a simple and powerful concept that can be applied to anything you do: PLAN - DO - REVIEW

I first learned about PLAN - DO - REVIEW a few years back when it was time to learn about nursery schools, and one of the schools followed the HIGH/SCOPE method. Curious, I went to explore and learn more. Since then, I have tested and adapted the approach for my own use - with excellent results.

Now I share my experience with you.

Here are three links if you would like to learn more:

http://www.highscope.org/

http://en.wikipedia.org/wiki/High/Scope

http://www.perpetualpreschool.com/highscope/highscope_info.htm

Standard Podcast [13:04m]

Posted in Information Protection, netcast

rss feed problem solved, podcasts working again

With many thanks to dreamhost, the redirect was fixed and the podcasts are now working again!!

In case you run across a similar issue, here was the fix they helped with:

#redirect the ?feed=rss2 people, namely iTunes
RewriteEngine On
# test the query string (the part after "?") for feed=rss2; [NC] makes the match case-insensitive
RewriteCond %{QUERY_STRING} .*feed=rss2 [NC]
# any matching request (the .* path pattern matches every URL) is sent to the new feed with a permanent redirect; [L] stops rule processing
RewriteRule .* http://www.securitycatalyst.com/blog/feed/ [R=301,L]

And now, back to producing podcasts.

Posted in Information Protection

.htaccess redirect help for ‘?feed=rss2’

I recently moved my blog from the base of www.securitycatalyst.com to www.securitycatalyst.com/blog (and then filled in the balance of the site). I considered the need to redirect the feed, and established a .htaccess file in the root with one line:
‘redirect permanent /feed/ http://www.securitycatalyst.com/blog/feed/’

It works and feedburner works (for most it’s only 1, maybe 2 redirects). Turns out, however, that iTunes is looking for http://www.securitycatalyst.com/?feed=rss2

I have spent a few days and 2 hours this evening poring through the forums and trying every combination of code I can find to be able to redirect http://www.securitycatalyst.com/?feed=rss2 to http://www.securitycatalyst.com/blog/feed/

I’m finding no joy.

The current .htaccess includes:

Redirect permanent /feed/ http://www.securitycatalyst.com/blog/feed/
#redirect the ?feed=rss2 people, namely iTunes
RewriteEngine On
RewriteCond %{QUERY_STRING} ^rss=1$
RewriteRule ^(.*)$ http://www.securitycatalyst.com/blog/feed/ [R=301,L]

I would love some insights or guidance. Clearly, I’m doing something wrong and hopefully missing something that is obvious to those of you who understand code better than me.

Suggestions, insights?

Posted in Information Protection
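The two .htaccess posts above show a RewriteCond that failed (it tested the query string against ^rss=1$, but iTunes sends feed=rss2) and the one Dreamhost supplied that works. The short Python model below is an added example, not the blog's own code and not Apache itself: it emulates only the two directives in question (a RewriteCond against %{QUERY_STRING} followed by RewriteRule .* TARGET [R=301,L]) so the matching can be checked offline, and it shows one detail neither post mentions: when the substitution URL carries no query string of its own, mod_rewrite passes the original query string through, so the redirect lands on /blog/feed/?feed=rss2 unless the target ends in a trailing ? (or, on Apache 2.4, the QSD flag is set). The request URLs are constructed test inputs, and Python's re stands in for Apache's PCRE.

```python
import re
from urllib.parse import urlsplit

# Added example (not from the blog, not Apache): a minimal model of one
# RewriteCond on %{QUERY_STRING} followed by "RewriteRule .* TARGET [R=301,L]".

TARGET = "http://www.securitycatalyst.com/blog/feed/"


def rewrite_feed(request_url, cond_pattern, target, nocase=False):
    """Return (status, location) for one request.

    cond_pattern: the RewriteCond regex, tested against the query string
    target:       the RewriteRule substitution (the redirect destination)
    nocase:       True models the [NC] flag on the RewriteCond
    Returns (None, None) when the condition fails and nothing is rewritten.
    """
    qs = urlsplit(request_url).query
    flags = re.IGNORECASE if nocase else 0
    # RewriteCond is a search, not a full match: ".*feed=rss2" matches anywhere
    # in the query string, while "^rss=1$" requires the whole string to be "rss=1".
    if re.search(cond_pattern, qs, flags) is None:
        return None, None
    # "RewriteRule .* target": the path pattern matches every request, so the
    # condition alone decides. Query-string handling follows mod_rewrite:
    if target.endswith("?"):
        # a trailing "?" on the substitution discards the original query string
        return 301, target[:-1]
    if "?" in target:
        # a substitution with its own query string replaces the original one
        return 301, target
    if qs:
        # otherwise the original query string is appended to the new location
        return 301, f"{target}?{qs}"
    return 301, target


def compare_rules(request_url):
    """Run the failed attempt and the working fix against one request."""
    return {
        "failed_attempt": rewrite_feed(request_url, r"^rss=1$", TARGET),
        "working_fix": rewrite_feed(request_url, r".*feed=rss2", TARGET, nocase=True),
        "fix_dropping_query": rewrite_feed(request_url, r".*feed=rss2", TARGET + "?", nocase=True),
    }


if __name__ == "__main__":
    # Constructed sample requests: what iTunes asked for, a mixed-case variant,
    # a query string with extra parameters, and an unrelated page.
    for url in (
        "http://www.securitycatalyst.com/?feed=rss2",
        "http://www.securitycatalyst.com/?FEED=RSS2",
        "http://www.securitycatalyst.com/?p=12&feed=rss2",
        "http://www.securitycatalyst.com/about/",
    ):
        print(url)
        for name, result in compare_rules(url).items():
            print(f"  {name:20} -> {result}")
```

Two things worth checking in a rule like this before trusting it: the destination is a fixed string, so the pass-through query string cannot turn the redirect into an open redirect (the appended ?feed=rss2 is harmless here, since the destination serves the feed either way), and because the RewriteCond pattern is unanchored and the RewriteRule path pattern is .*, every URL on the site whose query string contains feed=rss2 is redirected to the feed, not only the front page that iTunes requests.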

I am holding the review draft in my hand!

I just received the updated draft of Into the Breach and printed it out. I’m going to read through it today and determine what I need to do before sharing it with my review team. I feel very excited and nervous right now…

In the book, we use breaches to examine the breakdown of information protection and outline a proven strategy to reverse the trend. This is a book focused on exploring, understanding and solving the problem at the core. As I lay out in the book, breach isn’t the problem, it’s the symptom. The problem is a human problem, but people are not the problem. The problem, quite simply, is that individuals have been disconnected from the process. It’s time to reverse the trend and make some real progress. I introduce a simple Strategy to Protect Information and a 5-step implementation of the strategy that anyone can apply and get results. I want to put forth a work that changes the way people protect information.

The review process begins next week. The focus of the review is to make sure the concepts are tight and illustrated with the right examples. The initial audience of the book is the business executive faced with the challenge of protecting information while running the business. I have an amazing team of reviewers, but as I come down to the wire, I welcome more critical review. If you have the passion and experience to read an unfinished work, you can help! If you have time in the next two weeks to explore my concepts and offer me constructive feedback before it gets published, send me an email. I’m going to work through a brief review period (2-3 weeks) and then the executive edition of the book will go to print.

Yes, you read that correctly. There are now two editions - the executive edition and an expanded (how-to) edition that will come out sometime after Ironman. Do not despair - I’ve been working on developing a guided implementation program, too, and will be announcing that in the next few weeks. 2008 is going to be a great year for us all!

Posted in Information Protection

Passwords Given 5th Amendment Protection

By Patrick Romero

A recent ruling has once again demonstrated how technology continues to challenge traditional legal frameworks. In a controversial case, a federal magistrate in Vermont held that the 5th Amendment’s right against self-incrimination protected a man charged with the transportation of child pornography.

Sebastian Boucher was arrested while crossing the border from Canada into the United States. Border agents stopped Boucher during a routine stop and began to look through his laptop, noticing several files on the Z: drive with names indicating acts of child pornography. When asked if there was any child pornography, Boucher claimed that he wasn’t sure, since he downloaded pornography from online newsgroups and then transferred it onto his computer.

Border agents continued to search the drive and eventually were able to locate actual videos and pictures containing child pornography. They then placed Boucher under arrest and subsequently shut down the laptop. One week later, the government tried accessing the files only to realize that the Z: drive was encrypted with PGP (Pretty Good Privacy); the drive had been unlocked while the agents browsed it, but once the laptop was powered off it could not be read again without knowing the password. So can the government compel Boucher to give up the password in order to view the files on his computer?

Boucher’s attorneys argued that forcing their client to reveal the password is a violation of the 5th Amendment. Judge Jerome Niedermeier agreed, writing that disclosing the password would provide evidence to the government that could be used to incriminate Boucher in violation of his 5th Amendment rights. The 5th Amendment protects individuals from being forced to testify against themselves where their response could be self-incriminating. Supreme Court precedent holds that the Fifth Amendment privilege against self-incrimination “protects a person…against being incriminated by his own compelled testimonial communications.” The issue ultimately came down to whether compelling Boucher to disclose the password is a testimonial communication and therefore privileged under the United States Constitution.

Different Tests to Use

Some acts of production, such as providing fingerprints, blood samples, or voice recordings, are considered unprivileged since such evidence gives no indication of a person’s thoughts or knowledge. A court can generally force a defendant to provide such information without implicating the 5th Amendment.

The government is arguing a distinction beyond whether the information is or is not known by the defendant. They contend that revealing the password is not testimonial communication because it will not reveal any new information of which the government is not already aware. The fact that the password is in the contents of Boucher’s mind should not preclude disclosure, since he would not be revealing any new evidence to the government; it would only reveal the files that the border agents had previously seen. There may or may not be other files on the Z: drive containing incriminating information. On this view, the government’s prior knowledge of the incriminating activity would bar Boucher from claiming the 5th Amendment privilege.

Judge Niedermeier took a broader view in his decision denying the government’s subpoena. He held that the password qualifies as testimonial communication because it is within the contents of Boucher’s mind. Niedermeier referenced a Supreme Court case that analogized such a password to the combination to a wall safe. He wrote that “a password, like a combination, is in the suspect’s mind, and is therefore testimonial and beyond the reach of the grand jury subpoena.” If Boucher had written the password down somewhere, it would likely be found to be unprivileged and the government could force him to disclose it.

The judge also ruled against the government’s offer to let Boucher enter the password without revealing it to the government. Judge Niedermeier wrote that even if the password itself were hidden from the government, the act of entering it would still implicitly indicate that Boucher knew the password and that he had access to the files. The contents of his mind would still be displayed, and the testimonial nature of the act would not change simply because the password was not disclosed to the government.

Future Rulings in a Digital Age

Each test is dispositive of a particular outcome in cases where technology makes it easier to hide information. The government is seeking the best possible strategy to convict criminals and would like the courts to use a narrow interpretation of what constitutes testimonial communication in a digital age. The dilemma in this case arises because the means of access to the evidence is located inside the defendant’s head. Even though the government would have sufficient probable cause to obtain a subpoena if Boucher had kept child pornography in his car or house, encryption technology has added another dimension for the government to overcome in order to convict.

Supporters of individual rights would prefer the test used by Judge Niedermeier, which creates a clear, black-and-white rule for electronic communications. Privacy advocates stand by the judge’s ruling and will seek to prevent the government from compelling disclosure of content protected by passwords. They see no need for an exception to the 5th Amendment and hope to convince the courts that passwords should always be treated as testimonial communications.

The case will likely be appealed by the government and should not be viewed as the last word on the topic. There are many variables in the facts of this particular case that could provide ample room for the court to side with either ruling. It does raise an interesting situation that U.S. courts will continue to face as technology becomes more pervasive in criminal investigations.

Posted in Information Protection

what could you accomplish in two weeks?

A habit, good or bad, can be formed in 21 days. Three full weeks is relatively short, given the average life span, and yet sometimes feels like an eternity, especially when it comes to changing behaviors. Three weeks is just long enough to be either a mental barrier to success or a pain to endure, fostering a resentment that leads to failure. Instead of trying to make changes for three weeks, there is an alternate approach I have developed: the “two week test.”

The Two Week Test
The two week test is simply trying a change for two weeks. While only a week shorter on the calendar, two weeks carries a completely different perspective and scale; two weeks is simply “this week and next week.” Asking someone to try something for “this week and next” is both less threatening and easily placed on the mental calendar most people keep. While a two-week change might not be enough to develop a habit, it is long enough to get results. If two weeks bring about positive results, the resulting boost to motivation carries the change through until it becomes a habit. If it turns out to be a dud, it can be stopped without a sense of dread or of time wasted.

Whether attempting a change in ourselves or working to change the way people protect information - what could you accomplish in two weeks?

Posted in Information Protection

a resolution for protecting information?

January brings a focus on resolutions and making changes. Most of us step on a scale, take a look in the mirror and vow to get in shape (lose weight). Recognizing this, we are inundated with information on dieting and losing weight. In seven months, I’ll be one of the 2000 people to race the Ironman triathlon in Lake Placid. My training includes nutrition. As I make changes to my own diet (but not dieting), the science is clear - sustained weight loss and health are more dependent on mindset and lifestyle, less on diet. Dieting, for the most part, doesn’t work.

Ironic, then, that we embrace the “security diet” approach to protecting information. Like dieters, people restrict activities and make wholesale changes that can be sustained only for brief periods. Once the audit (or event) has concluded, the restrictions and changes are lifted and it’s a happy return to business as usual; information is again left unprotected. The security diet, for the most part, fails.

What if instead of resolving to diet this year - for health or for protecting information - we resolved, instead, to change the way people protect information?

Posted in Information Protection