Archive for the 'Data Security' Category

Please Don’t FUD the Animals

I absolutely enjoyed the insight shown by Thomas Wailgum in his recent article “How TJX Avoided Wall Street’s Wrath“, mostly because I have long been in complete agreement with the premise.

With respect to security professionals, unfortunately, TJX now appears to be “the one that got away.” Let me explain, with tongue planted firmly in cheek.

If you’re in the business of providing discount items and the economy is a little weak, then business will be good. Apparently, it won’t matter that you’ve had a mishap or two with the data entrusted to you. It has always been my contention that only a small minority of people really understand the impact of stolen personal data and, even amongst most of the people who do “get it,” the theft of nearly 100 million records of personal data is almost meaningless in its enormity. The victims are worried only about one record — theirs. Either it got stolen or it didn’t. And, if it did, it’ll get abused or it won’t. And, if it does, there is an ingrained belief the credit card company will “take care of it.”

Besides, there’s a huge sale and my niece needs galoshes — the green ones that look like frogs.

Yes, I believe that, as a rule, people care about the persona of the organizations they patronize. On the other hand, I believe we are at a point where the idea that “Stuff happens” because “Hackers did it” has seeped into the public consciousness much more deeply than “It’s the big, bad conglomerate’s fault.”

Virtually everyone can feel outrage at accounting scandals and multi-million dollar salaries and insider trading and so on, especially when you’re clipping coupons to make ends meet. On the other hand, virtually everyone has been impacted by “hackers.” Phishing, spyware, malware, malicious web sites, Internet scams, spam, MySpace worms, fake wireless hotspots, lions, tigers, bears — everyone has felt the sting of “the bad guy.” I claim that for Mr. and Mrs. Average American, it’s almost natural to feel a little sorry for TJX, to feel a camaraderie even, like “Hey, welcome to the club.”

Sure, we all believe they should have done more. On the other hand, I shouldn’t have clicked on that email attachment last year. I’m quite happy with my physical attributes, but it really sounded like a good deal. And that Nigerian gentleman sounded so sincere. And who doesn’t want a few new MySpace friends. We all make mistakes, right?

But what about those of us in the consulting business who have to convince organizations to put their trust in us? They have to believe us when we say that not spending on {data|information|application|software|IT} security can have intolerable business consequences. TJX would’ve made such a great example of just what intolerable really means — a veritable poster child for “See! I wasn’t kidding!” And now it’s ruined.

Okay, I don’t really want their stock to tank and have thousands more people affected. On the other hand, the least TJX could’ve done was fire a wing of executives so they could serve the consulting industry as an example in endless PowerPoint presentations for decades to come. (I still occasionally see technology demos that claim things such as, “And this could’ve even stopped the Morris worm.”) Now, we’ll have to go out of our way to omit TJX. We can’t bring up an example where nothing that bad really happened — for the organization, not the people affected by the thieves, of course. Now, instead of answering the question “How do we prevent this happening to us?”, consultants will have to answer the question “How do they get out of it so easily?”

Yeah, I’m sure it was rough in their executive suites for a while, but I’ll bet everyone is breathing easier now, walking around saying, “Woo-Hoo, we didn’t pull a CardSystems!” TJX has a very respectable 5-year stock climb, including three splits, and the current trade price is solid. Would they prefer to have invested a little more in IT security? Of course. Would they prefer not to have unplanned millions in expenses? Of course. Do huge, unplanned expenses happen to large companies with some regularity? Of course. This one is special to us because we have some insight into how relatively easily it could have been avoided or detected, but for many, it really is business as usual.

DRM as an Entree to Questions on Data Security

Sammy aimed two recent entries at those attempting to govern security and expenditure in an organization. I’m using his posts as license to wax more philosophically. Specifically, I’m going to use Digital Rights Management (DRM) as a lightning rod for conversation about protecting data end-to-end in one’s system (the topic of my next–far more focused–post). I’ve been thinking about this ever since McGraw’s Dark Reading column on Vista, and it’s driven me mad.

In posting this message, I’ll skirt more topics than I cover; I apologize. In return, I’ve included a lot of links worth reading. I don’t presume to answer the question, “Is DRM ever a good idea?” I believe most computer security folk simply answer “no,” bemused because in the end they know consumers MUST use protected data and algorithms in their full quality, to be satisfied. Some gifted albeit misguided security folk attempt to trade data quality for what they perceive to be security. Peter Gutmann’s working paper covers Microsoft’s attempts through Vista.

When I replied to Gary’s Dark Reading article, defending Apple’s DRM, I had purchased about $350 worth of music from iTunes. The standard caveats applied:

  1. Apple could change their DRM scheme out from under consumers at any time
  2. DRM still provides no value from the consumer’s perspective
  3. DRM imposes limitations, potentially limiting competition between vendors

but I still found myself unable to come to any other conclusion but the mighty unpopular: Apple’s DRM seems a reasonable compromise between affording protection and remaining flexible to consumers. Remember, I said ‘unpopular’, so feel free to argue with me.

Now, $450 into the fray, something very interesting has happened: Apple and EMI have decided to sell some music electronically but DRM-free (see: http://news.bbc.co.uk/2/hi/technology/6516189.stm ). Unprotected music will be encoded at 256KBps (twice the bit rate of Apple’s protected files) and will cost $1.29, rather than $0.99.

Now, consumers have an interesting choice to make: “Do I want to pay an extra $0.30 for the ability to copy the music I purchased freely?” Some may be willing to pay extra for the quality–but that’s not what we’re interested in right now.

In asking local “kids,” I’ve gotten a consistent reply: “I’d only pay more if I liked the band.” Questioning them further immediately reveals they perceive the music to be free (and rightly so–it’s just too easy to pirate). They make their purchase/steal decision based on their feeling of loyalty towards the band. Can your business rely on such good will? I used to pay for single pieces of bulk candy at the grocery store–but I wouldn’t bet my business on others doing so. At the same age (prior to driving) I’d hack games’ copy protection, give copies to my friends and say, “Ok, but call me before you play it… to make sure only one of us is using it at a time.” Why am I only now explicitly aware they never called? Guess they never played it ;)

More fundamentally, will consumers perceive your product or service as being free? Think back to Windows ‘95… did anyone you know have a problem copying it?

An interesting question to ask oneself is this: At what increase of price can I afford to protect my data less for the sake of other business drivers? Presumably, EMI has come to the conclusion that the answer, in their case, is $0.30. Interesting. If protected music accounts for only 2% of sales (dubious estimation by extrapolation of iPod size + sales compared to iTunes sales), how much does EMI expect that number to jump if the price has moved to $1.29? If physical sales still occur at $1.99 per single, how much less piracy does EMI expect from electronic sources as compared to physical ones? What does this even mean–given that pirated physical wares will almost immediately take the electronic form for ease of distribution?

Finally, what numbers could Apple put on the cost of developing and maintaining their DRM scheme? What effect does that price have on their profits (if any) in the case of EMI’s unprotected content versus that which is protected?

Part of me wonders if any of this will have even the slightest effect, given the ubiquity of the protected content, unlocked and freely available from peer-to-peer sites. If all’s for naught, is EMI making a good decision, or a mistake? God, I hope there’s no analog for that in your data.

I have no idea how successful Apple’s iTunes model will be, or whether or not consumers will accept Vista’s DRM, but with EMI’s decision to distribute unprotected music alongside protected songs, those of us in security-land potentially gained data to look at. What will it tell us? And, while it’s very unlikely that you’re distributing electronic music, dear reader, or even passing content directly to end-consumers, EMI’s move should raise questions about how you’ve calculated the value of data, the protective mechanisms you’ve placed around it, and the impact on usability those protections imposed.


Unavoidable Inevitability

“We have long had death and taxes as the two standards of inevitability. But there are those who believe that death is the preferable of the two. ‘At least,’ as one man said, ‘there’s one advantage about death; it doesn’t get worse every time Congress meets.’”

~Erwin N. Griswold

Just look at them grow… they’re like weeds. Unfortunately, in this case it’s not a compliment for your sibling’s kids. This particular growth is in the data breach lists at Privacy Rights Clearinghouse, Attrition, PogoWasRight, and others. (And please accept my thanks for the time you all put into this public service; I apologize for not including you all by name.)

I have no doubt these disclosures represent the tip of the proverbial iceberg of data that has actually left the control of those to whom it has been entrusted. I also have no doubt that we’ve been given this glimpse into the shoddy treatment afforded many of our most intimate personal details solely through some forward-looking state legislation (thanks, California, for helping to start a good thing in the U.S.).

Let’s just jump ahead of all this piecemeal personal information loss for a minute. (Did the WABAC machine have a “forward” lever?) Let’s declare it not only inevitable, but also unavoidable, that, for each and every adult American, their name, social security number, top one or two credit card numbers, street address, date of birth, brief genealogy, and a few other interesting data items are known, collated, and cross-referenced.

But, not by legitimate companies like Experian, TRW, and Equifax. Let’s assume that individuals and groups who do not have our best interests at heart have all of these bits of information correctly assembled into mini-virtual-self-referentially-consistent identities, even if they have no “real life” information on the actual person (e.g., photo, current job, salary, type of vehicle, where your kids go to school, etc.). And, let’s assume they have the ability to keep this information current enough to meet their goals of acceptable cash flow for acceptable risk.

[Aside: Is this feasible? How many databases would I have to subvert in order to get most of this information? One at the IRS, one at a credit agency, one each at a few major banks, and maybe a few others? Remember, I don’t actually have to hack in, I can use social engineering, pay someone, coerce someone, steal the back-up tapes, and so on, and on, and on.]

What then? Is it the collapse of American civilization? I doubt it, but I think it would certainly accelerate some good things and some bad things.

The good things might include something like two-factor credit card use at all times (e.g., you have to show a [new government issue?] driver’s license for all card present credit/debit card transactions). But, what would have to change to allow card-not-present credit card transactions to continue to happen (e.g., most Internet orders, catalog phone orders, Chinese food orders, etc.)? What would it take for Americans to embrace single-use credit card numbers, for example? What parts of the infrastructure would have to change? How would we get and carry around these numbers? And so on.

The bad things might include a new state or national ID that would be required by the credit card companies in order to get a “secure” (whatever that would mean) credit card and a lot of high-end establishments that would start accepting only “VMCAMEXD Secure” for transactions over certain dollar limits or that meet certain risk profiles (e.g., buying for delivery to another country). A treaty with foreign countries could require that “secure” credit cards are the only ones accepted in some situations (e.g., buying a one-way plane ticket to the U.S.).

Beyond that, what would have to change at the IRS now that all SSNs are “public”? What about elsewhere in the Federal government? What would this mean to the Privacy Act? And so on. The mind reels, but it still feels like a good thought exercise.

For me, the question is not “What happens if someone else knows all the data associated with me?” The question is “What financially and socially acceptable capability will make it such that I can unequivocally prove that I’m the only me that goes along with my (now public) mini-identity data (e.g., credit card numbers, social security number, address, genealogy, etc.)?” And, in terms of requirements creep, I’d also like to be able to prove it without giving away my actual identity.

Thoughts? I hate to take you this far and not have something to offer, but I feel qualified only in asking the question, not in postulating an answer. And, of course, my follow-up question is “How are we going to make that software better than the software we have now?”
