The Week That Was - 4/15/2013

I've got one metric butt load of links for you this week.  There is a lot of good stuff but here are some of the highlights: Doctor Dan Colman, Winton Professor for the Public Understanding of Risk at Cambridge University, has shared a really interesting video on risk.  [1],[9]  His point is that sometimes it's riskier to avoid risk than to accept it.  He uses some good everyday examples to illustrate his point.  As an information security risk guy, it makes me reconsider if I consistently offer risk acceptance as a viable option when developing risk mitigation strategies.  How do you guys look at risk acceptance?

There is also an interesting article on the inner workings of Siri, Apple's natural language interface.  [26]  The interesting part is that most of the work is done server side.  Wouldn't it be interesting to compromise the server side and see what trends were in Siri voice commands?  What if you could compromise the server and modify the input it receives or the output it generates.  Lots of interesting implications with this model.  I suspect major governments have already thought about this.

The Harvard Business Review had an interesting article on data visualization.  [44]  I know we tend to mock the stereotypical executive that wants all of his updates in pictorial, dashboard form.  However, the stereotypes are there for a reason.  Execs like pictures and they like pictures because if done well the pictures communicate information in an extremely efficient manner.  As security professionals, we need to communicate our messages in the language of the target audience, which means we need to improve our data visualization skills.  Take a read of this article and then go break out your black beret and turtleneck and head to your local coffee shop to ponder the aesthetic beauty of security metric bar charts.

I have to admit that I've not been keeping up on the Bitcoin story, but I fixed that this week.  [4-6],[42]  If you find yourself in the position of explaining Bitcoin to someone, point them to the Bitcoin Explained video by Duncan Elms and Marc Fennell.  It's short, sweet, and to-the-point while communicating all the vital bits.  [4]


Here are a couple more highlights:

  • The Android OS space is *really* fragmented  [2]
  • Evidenced-based information security practice is good [8]
  • IO9, a SciFi site, suggests Bayes' Theorem can help you be a better thinker [22]
  • Windows XP is not dead yet [27]

As I said, there is a lot this week. Go poke around and see what I haven't mentioned.

Link Dump

[1]  D. Colman, “‘Professor Risk’ at Cambridge University Says ‘One of the Biggest Risks is Being Too Cautious’,” Open Culture. [Online]. Available: [Accessed: 08-Apr-2013].

[2]  “Android Fragmentation Visualized : 4000+ Devices, and 83.5% on Outdated OS!,”, 09-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[3]  R. Beckhusen, “As Colombian Drug Gangs Collapse, Mexican Cartels Get Tons of Cheap Coke,” Danger Room, 11-Apr-2013. [Online]. Available: [Accessed: 11-Apr-2013].

[4]  D. Elms and M. Fennell, “Bitcoin Explained,”, 10-Apr-2013. [Online]. Available: [Accessed: 11-Apr-2013].

[5]  B. Schneier, “Bitcoins in the Mainstream Media,” Schneier on Security, 09-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[6]  K. Denninger, “BitCon: Don’t,” The Market Ticker. [Online]. Available: [Accessed: 09-Apr-2013].

[7]  S. Ackerman, “Blood Money, Kill Lists, Favors for Favors: Deep Inside CIA’s Targeted Killings,” Danger Room, 09-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[8]  R. Thomas, “By looking for evidence first, the Brits do it right,” The New School of Information Security, 09-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[9]  Cambridge Ideas - Professor Risk. 2009.

[10]  C. Osborne, “CISPA voting session slated for this week,” ZDNet, 08-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[11]  J. Ullrich, “Cleaning Up After the Leak: Hiding exposed web content,” ISC Diary, 08-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[12]  B. Rogers, “Current State of Cyber Security: More Concern Over Facebook Than Credit Cards - Forbes,” Forbes, 08-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[13]  D. A. Purdy, “‘Developing a Framework to Improve Critical Infrastructure Cybersecurity’ Submission from Huawei Technologies - Response to Docket Number 130208119-3119-01,” National Institute of Standards and Technology. [Online]. Available: [Accessed: 10-Apr-2013].

[14]  R. Lemos, “‘Embassies’ Could Give Users Sanctuary From Threats,” Dark Reading, 11-Apr-2013. [Online]. Available: [Accessed: 12-Apr-2013].

[15]  M. Rothman, “Gaming the Narcissist (to get what you want),” Securosis, 10-Apr-2013. [Online]. Available: [Accessed: 12-Apr-2013].

[16]  S. Rogers, “GDELT: a big data history of life, the universe and everything,” The Guardian. [Online]. Available: [Accessed: 12-Apr-2013].

[17]  L. Clark, “Google launches global human trafficking helpline and data network,” Ars Technica, 10-Apr-2013. [Online]. Available: [Accessed: 10-Apr-2013].

[18]  F. Lardinois, “Google Wants To Operate .Search As A ‘Dotless’ Domain, Plans To Open .Cloud, .Blog And .App To Others,” TechCrunch, 10-Apr-2013. [Online]. Available: [Accessed: 11-Apr-2013].

[19]  B. Schneier, “Government Use of Hackers as an Object of Fear,” Schneier on Security, 08-Apr-2013. [Online]. Available: [Accessed: 08-Apr-2013].

[20]  P. M. Sandman, “H7N9: A Tale of Two CDCs,” The Peter Sandman Risk Communication Website, 08-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[21]  N. Anderson, “How a banner ad for H&R Block appeared on—without Apple’s OK,” Ars Technica, 07-Apr-2013. [Online]. Available: [Accessed: 08-Apr-2013].

[22]  G. Dvorsky, “How Bayes’ Rule Can Make You A Better Thinker,” io9, 08-Apr-2013. [Online]. Available: [Accessed: 11-Apr-2013].

[23]  D. Paliwoda and J. Williams, “How Far is it to Mars?,” How Far is it to Mars?, 08-Apr-2013. [Online]. Available: [Accessed: 08-Apr-2013].

[24]  M. Sauter, “If Hackers Didn’t Exist, Governments Would Have to Invent Them,” The Atlantic, 05-Jul-2012. [Online]. Available: [Accessed: 08-Apr-2013].

[25]  “Information technology amplifies irrational group behavior,”, 11-Apr-2013. [Online]. Available: [Accessed: 11-Apr-2013].

[26]  M. Tabini, “Inside Siri’s brain: The challenges of extending Apple’s virtual assistant | Macworld,” Macworld, 08-Apr-2013. [Online]. Available: [Accessed: 08-Apr-2013].

[27]  “Millions Still on 11-Year-Old XP in Asia,” 08-Apr-2013. [Online]. Available: [Accessed: 08-Apr-2013].

[28]  N. McAllister, “Mozilla’s Persona beta adds password-free Yahoo! logins,” The Register, 09-Apr-2013. [Online]. Available: [Accessed: 10-Apr-2013].

[29]  I. Thompson, “Researcher hacks aircraft controls with Android smartphone,” The Register, 11-Apr-2013. [Online]. Available: [Accessed: 11-Apr-2013].

[30]  “Rethinking Strategic Risk | Risk Management.” [Online]. Available: [Accessed: 11-Apr-2013].

[31]  M. Mimoso, “Rogue Twitter Account Used in Targeted Attacks Against Free Tibet Supporters | threatpost,” ThreatPost, 10-Apr-2013. [Online]. Available: [Accessed: 10-Apr-2013].

[32]  S. Nichols, “Russian police nab suspected Phoenix malware mastermind,”, 08-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[33]  R. Beckhusen, “‘Secretbook’ Lets You Encode Hidden Messages in Your Facebook Pics,” Danger Room, 10-Apr-2013. [Online]. Available: [Accessed: 10-Apr-2013].

[34]  K. Zetter, “Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight,” Threat Level, 09-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[35]  J. L. Bayuk, “Security as a Theoretical Attribute Construct,” Computers & Security, Apr-2013. [Online]. Available: [Accessed: 08-Apr-2013].

[36]  R. Lemos, “Security Job Market ‘Rocking,’ But Pressures Rise,” Dark Reading, 09-Apr-2013. [Online]. Available: [Accessed: 10-Apr-2013].

[37] “‘Spooky action at a distance’ aboard the ISS,”, 09-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[38]  R. Chirgwin, “SSH an ill-managed mess says SSH author Tatu Ylonen,” The Register, 11-Apr-2013. [Online]. Available: [Accessed: 11-Apr-2013].

[39]  R. Thomas, “Submission to NIST RFI for Critical Infrastructure Cyber Security Framework (CSF),” The New School of Information Security, 07-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[40]  S. Dougherty and A. Bochman, “Suggestions for Business-Oriented Security Metrics for Utilities,” National Institute of Standards and Technology, 19-Mar-2013. [Online]. Available: [Accessed: 10-Apr-2013].

[41]  R. Beckhusen, “The ATF Wants ‘Massive’ Online Database to Find Out Who Your Friends Are,” Danger Room, 05-Apr-2013. [Online]. Available: [Accessed: 08-Apr-2013].

[42]  M. Bustillos, “The Bitcoin Boom,” The New Yorker Blogs, 02-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[43]  A. Saita, “The Controversial CISPA Is Back in Congress,” ThreatPost, 08-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[44]  S. Berinato, “The Power of Visualization’s ‘Aha!’ Moments,” Harvard Business Review, 19-Mar-2013. [Online]. Available: [Accessed: 08-Apr-2013].

[45]  R. Tate, “The Software Revolution Behind LinkedIn’s Gushing Profits,” Wired Business, 10-Apr-2013. [Online]. Available: [Accessed: 11-Apr-2013].

[46]  “Top porn sites ‘pose malware risk’,” BBC, 10-Apr-2013. [Online]. Available: [Accessed: 11-Apr-2013].

[47]  J. H. Sawyer, “Trends In Mobile Device Threats,” Dark Reading, 10-Apr-2013. [Online]. Available: [Accessed: 10-Apr-2013].

[48]  D. Smith, “Visualize large data sets with the bigvis package,” Revolutions, 08-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[49]  “Wikileaks publishes 1.7m US records,” BBC, 08-Apr-2013. [Online]. Available: [Accessed: 09-Apr-2013].

[50]  M. O’Rourke, “Zombie Risk Management,” Risk Management, 10-Apr-2013. [Online]. Available: [Accessed: 11-Apr-2013].

[51]  J. Constine, “Zuckerberg And A Team Of Tech All-Stars Launch Political Advocacy Group,” TechCrunch, 11-Apr-2013. [Online]. Available: [Accessed: 11-Apr-2013].