RSAC 2012: Interview with Bruce Schneier about his new book, Liars and Outliers

Come see me and Bruce Schneier at the RSA Conference in San Francisco discuss his new book, Liars and Outliers: Enabling the Trust that Society Needs to Thrive. He was kind enough to mention me by name on his blog:

At the end of February, I’ll be at the RSA Conference in San Francisco. In addition to my other speaking events, Davi Ottenheimer will interview me about the book at something called The Author’s Studio. I’ll be doing two one-hour book signings at the conference bookstore. And, and this is the best news of all, HP has bought 1,000 copies of the book and will be giving them away at their booth. I’ll be doing a couple of signings there as well.

We will be in the Crypto Commons, Wednesday, February 29th from 10:20 am – 10:50 am.

Crypto Commons will be the home for new events at RSA Conference 2012 this year. One of these new events will be the debut of the Security “Author’s Studio.” Come spend 30 minutes watching and participating in a live interview with a well-known author who is also speaking at the Conference. The interview will be done by a selected delegate and will include questions from the audience. A book signing will follow.

The book has just been published and already is getting many rave reviews for his treatment of game theory and his thorough study of trust. He is clearly one of the best writers alive and is known for an amazing ability to synthesise, distil and explain complex security theory in a very accessible and entertaining format.

Liars and Outliers

We don’t demand a background check on the plumber who shows up to fix the leaky sink. We don’t do a chemical analysis on food we eat.

Trust and cooperation are the first problems we had to solve before we could become a social species. In the 21st century, they have become the most important problems we need to solve—again. Our global society has become so large and complex that our traditional trust mechanisms no longer work.

I don’t know about you but I don’t background check the plumber because I use a different set of controls instead. It’s not like I actually trust the plumber. And I have been known to do chemical analysis of food. Perhaps you can imagine how this interview will go. :)

Below is a video on YouTube I found with Bruce introducing the core dilemma he addresses in the book (20 views so far).

After I watched it a few times (to help get the view numbers up) an alternative title came to mind: Life with Parasites.

Now just imagine my voice interrupting him to ask if we really should judge the outliers as a parasite absolutely or does the dichotomy break when we introduce a few degrees of relativism. Given one person’s parasite could be another person’s provider, does the dichotomy give way to a cycle of rewards?

To put it another way, why is it after a bombing that a bus driver is more likely to return to driving a bus than a passenger is likely to return to riding one? Is it trust? I say no but maybe Bruce can convince me otherwise.

Hope to see you there.

OC Healthcare Breach Response Example

The recent breach of “Jude Medical Center in Fullerton and Mission Hospital facilities in Laguna Beach and Mission Viejo” offers some examples of communication made after discovery.

First, the article gives a statement regarding obfuscation of the data:

But the data would have been difficult to access without using “a complex combination of terms” or by doing an “extensive search,” said Dr. Clyde Wesp, chief medical-information officer for the St. Joseph Health System.

Complex according to what? Compliance regulations tend not to use “complex” or “extensive” to describe controls required for privacy because computers are very good at turning both complex and extensive into easy and fast operations.

The University of Miami tried to make this argument when they lost their backup tapes. It did not fly then. It won’t fly now. Doctors, of all people, should know better than to say that complexity will be the main impediment to success.

So the question they really should answer is related to the “strength” of the control that protects data, not the complexity.

Second, the article says they are unaware of anyone obtaining the data improperly:

St. Joseph discovered the security breach within the past week after receiving a phone call from a patient’s attorney, said hospital officials, adding they do not know how the patient learned about the problem. Personnel at the two hospitals have not heard of any of the information being improperly obtained, Wesp said. The information could have been accessed from Google and Yahoo; the hospital worked with the search engines to delete the information from the Internet.

They may be trying to emphasise that it is hard to prove a negative. Yet the article also gives at least two positive examples of improper access.

The first is by the search engines. They have evidence that the data was accessed by Google, Yahoo!, and so forth. Did they authorise search engine access? No.

The second is by the patient’s attorney. Clearly the patient’s attorney obtained something akin to improper access, which is why they contacted the entity.

This also undermines their “difficult to access” communication in the first point. It is easy to use a search engine. It must have been easy enough for the patient and/or their attorney to find the data and access it, so how complex is it really?

Third, they try to give some of the usual disclaimers:

It would not have included Social Security numbers, addresses or financial data, the doctor said. “I think that the most important thing is that our response was rapid,” Wesp said. “As a health system, we have secured the sites, and this information is not available any longer.”

These no longer carry any weight. Regulators, as well as patients, have expanded the scope of concern beyond basic financial information. Email addresses, birth dates, intellectual property, even zip codes are increasingly considered privacy-related information. And if they want us to believe the data was not privacy-related, why would they report the breach at all?

It’s nice to see that they had a “rapid” response but I don’t know anyone who would characterise that as “the most important thing”. Everyone, I think, would agree it is more important to prevent a breach or to detect a breach internally than to respond rapidly. That certainly has been the perspective taken by regulators who have fined entities for failure to prevent breaches. Rapid response just lessens the penalties, it does not take them away.

SL33 Catamaran

Morrelli & Melvin’s new catamaran is a beautiful example of modern efficiency in sailing technology and design. The crew tells me that with just 17 knots of breeze on an easy-going day they were easily topping 24 knots of speed. During the Three Bridge Fiasco race in 8 knots of breeze the boat was sailing at 12 knots. They finished in second place and just 48 seconds behind last year’s winning time.

This will be a serious competitor to the eXtreme 40 design and may lead to the sort of transition of an entire fleet that we saw with the Melges 32 from the Farr 40.

One of the key differentiations between the two catamaran designs is that the X40 uses stiff hulls to offset the risk from huge loads on its lightweight frame. The SL33 design uses construction emphasizing strength in the skeleton; it adds weight in the beams, but has light hulls. Another major difference is that the SL33 was designed to easily come apart and fit in a 40 foot shipping container. It basically looks to be a more fun, less expensive and more convenient alternative to the popular X40s.

The design also is huge news in terms of the upcoming America’s Cup in San Francisco. While the premiere match races will be on Morrelli & Melvin designed catamarans (AC45 and AC72) the SL33 gives club racers and sponsors an option to invest in a similar design at a far more affordable and shippable format. That makes it not only a competitor to the X40 class but potentially a conversion machine to pull even die-hards of the mono hulls into the future of sailing, or at the very least force mono hull designs to adapt and improve.

See you on the Bay!

Updated to add Emirates Team NZ – TV News clips on the SL33 and the computers used to design them:

Nokia N9 Operator Logo Hack

I’ve been fiddling around in the file system of the Nokia N9 lately. It’s not hard to do and actually quite fun to have a shell on a Linux device that fits in the palm of your hand.

Nokia N9

First enable developer mode:

Settings > Security > Developer Mode

The phone will install an SSH server and also a Terminal to the home screen. Open the Terminal and you will be in BusyBox v1.19.0 shell.

Second, change the root password. Enter the following command to su to root:

devel-su

It will prompt for a password. The default is “rootme”. The prompt should change from “~ $” to “~ #”. Enter the following command to change the root password:

passwd

You will have to enter it twice. Then type “exit” to return to the user prompt.

If you type “gconftool-2 --help” at the prompt you should see a long list of options, including “-s” to set and sync a value and “-t” to give the value’s type (“int|bool|float|string|list|pair”).

For example, use the following to install an image to the screen_lock screen.

gconftool-2 -t string -s /desktop/meego/screen_lock/low_power_mode/operator_logo /home/user/MyDocs/Pictures/filename.png

The image (filename.png) should be no more than 120×120 pixels and 1-bit (black and white). Space invaders comes to mind…

Or a flyingpenguin:

Maybe white is a little bright. The screen lock color can be modified by editing the following file:

/usr/share/themes/base/meegotouch/libsysuid-screenlock-nokia/style/libsysuid-screenlock-nokia.css

Easiest way to modify it is remotely over ssh. Open the SDK Connection app on the home screen. Select WLAN from the two buttons. It will show you the IP of the N9 and the password.

Once you’ve made a backup of the file, change the hex setting just below the line that reads LockScreen MLabelStyle#LockScreenLowPowerModeClockLabel. Red is #FF0000.
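As an added example (my own script, not part of the original post or anything shipped on the N9), the whole procedure above can be wrapped so that the logo is checked against the stated limits (no more than 120×120, 1-bit) before the gconf key is set, and the CSS file is backed up before its colour is touched. The function names are hypothetical; the PNG check reads only the signature and IHDR header; the CSS layout it assumes is a six-digit hex colour on the line below the selector the post names; `write_png_header` writes a constructed header-only fixture so the checks can be exercised off the phone.

```shell
#!/bin/sh
# Added example, not from the original post. Validates an operator logo PNG
# against the post's constraints (<=120x120, 1-bit), installs it with the
# gconftool-2 call from the post, and recolours the lock-screen CSS only
# after taking a backup. Function names are hypothetical.

LOGO_KEY=/desktop/meego/screen_lock/low_power_mode/operator_logo
LOCK_CSS=/usr/share/themes/base/meegotouch/libsysuid-screenlock-nokia/style/libsysuid-screenlock-nokia.css
CLOCK_SELECTOR='LockScreen MLabelStyle#LockScreenLowPowerModeClockLabel'

# Return 0 if $1 is a PNG of at most 120x120 with 1-bit depth, else 1.
# Reads the 8-byte signature and the IHDR fields at bytes 16-25:
# width(4) height(4) bit depth(1) colour type(1).
check_logo_png() {
    file=$1
    set -- $(od -An -tu1 -v -N8 "$file")
    [ "$1 $2 $3 $4 $5 $6 $7 $8" = "137 80 78 71 13 10 26 10" ] ||
        { echo "$file: not a PNG" >&2; return 1; }
    set -- $(od -An -tu1 -v -j16 -N10 "$file")
    width=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    height=$(( ($5 << 24) | ($6 << 16) | ($7 << 8) | $8 ))
    depth=$9
    colour=${10}
    [ "$width" -le 120 ] && [ "$height" -le 120 ] ||
        { echo "$file: ${width}x${height} exceeds 120x120" >&2; return 1; }
    # 1-bit greyscale (type 0) or 1-bit palette (type 3): both are black and white
    [ "$depth" -eq 1 ] && { [ "$colour" -eq 0 ] || [ "$colour" -eq 3 ]; } ||
        { echo "$file: not 1-bit (depth $depth, colour type $colour)" >&2; return 1; }
    return 0
}

# Validate first, then set the key exactly as the post does.
set_operator_logo() {
    check_logo_png "$1" || return 1
    gconftool-2 -t string -s "$LOGO_KEY" "$1"
}

# Print CSS file $1 with the first 6-digit hex colour after CLOCK_SELECTOR
# replaced by $2; every other line passes through untouched.
recolour_clock_css() {
    awk -v sel="$CLOCK_SELECTOR" -v new="$2" '
        BEGIN { hex = "#"; for (i = 0; i < 6; i++) hex = hex "[0-9A-Fa-f]" }
        index($0, sel) { hit = 1; print; next }
        hit && sub(hex, new) { hit = 0 }
        { print }
    ' "$1"
}

# Keep a .bak copy, then rewrite the live file from that copy.
edit_clock_colour() {
    css=$1; new=$2
    case $new in
        '#'[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]) ;;
        *) echo "$new: expected a colour like #FF0000" >&2; return 1 ;;
    esac
    cp "$css" "$css.bak" || return 1
    recolour_clock_css "$css.bak" "$new" > "$css"
}

# Constructed fixture for testing off the phone: writes only the PNG signature
# and the leading IHDR fields, which is all check_logo_png reads.
# Arguments: path width height bit-depth colour-type (values below 256).
write_png_header() {
    {
        printf '\211PNG\r\n\032\n'
        printf '\0\0\0\015IHDR'
        for v in "$2" "$3"; do
            printf '\0\0\0'
            printf "\\$(printf '%03o' "$v")"
        done
        printf "\\$(printf '%03o' "$4")"
        printf "\\$(printf '%03o' "$5")"
    } > "$1"
}

# Usage on the phone, after devel-su:
#   sh n9logo.sh install /home/user/MyDocs/Pictures/filename.png '#FF0000'
if [ "${1:-}" = install ]; then
    set_operator_logo "$2" && edit_clock_colour "$LOCK_CSS" "$3"
fi
```

Running it with `install` does both steps in order and stops at the first failure, so a logo that is too large or not 1-bit never reaches gconf, and the CSS is never modified without a `.bak` beside it to restore from.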