Sunday, April 19, 2015

B-Sides SF Talk

Here is the demo spreadsheet I'll be using in today's B-Sides SF talk on the Thomas Scoring System (TSS):
Download the spreadsheet and open it in Microsoft Excel 2008 or later.  It uses conditional formatting and cell data validation, but no macros or other advanced features.  The sheets are protected to avoid data entry errors, but there is no password.

This is a realistic, fully functional implementation of the TSS applied to a general case: scoring the maturity of a company's information security capability.

Wednesday, April 15, 2015

Entry in Schneier's Eighth Movie-Plot Threat Contest

Every year, on April Fool's Day, Bruce Schneier hosts a "movie plot threat" contest on his blog.  This year's theme is "evils of encryption".  This is my third year submitting an entry (I won two years ago -- w00t!).  Here is my entry for the 8th contest (500 word limit):

Friday, October 31, 2014

Presentation: Topological View on Radical Innovation

I'm presenting today at the 6th Annual Complexity in Business Conference, sponsored by the University of Maryland Center for Complexity in Business.  Here are my slides.  (FYI: no information security content here, unless you are interested in institutional innovation.)

If you are really, really interested in this topic and want all the details and references, here is a paper I just completed for a Directed Reading class (89 pages, PDF).  It's a little rough around the edges due to time constraints.

Thursday, October 9, 2014

SIRAcon presentation

I'm presenting at SIRAcon today: "How to aggregate ground-truth metrics & indicators into a performance index".  It will be recorded and will be available to SIRA members on the SIRA web site.  Here are the slides.  Here is the blog post with background and tutorial.

Wednesday, June 25, 2014

My inputs to DHS on cyber economics & incentives

I'm at the 3rd day of Workshop on Economics of Information Security (WEIS) at Penn State.  The focus of this day is to provide input and ideas to the Science & Technology (S&T) Directorate in US Department of Homeland Security regarding R&D on cyber economics and incentives.

Here is the 2007 working paper I co-authored: "Incentive-based Cyber Trust -- A Call to Action".  I think many of the arguments and ideas are still relevant.  (It's long -- 27 pages -- but I think readers will be rewarded.)

Here are my slides.

Thursday, May 1, 2014

Splitting this blog and moving to Octopress

I've decided to split this blog to separate my academic posts from my industry posts.  I'm going to be blogging more about my dissertation and related works in progress, and I suspect that most of my industry readers won't be interested; I also don't want to dilute my posts on industry topics -- information security, risk, performance metrics, etc.

Google's Blogger has worked well for me, but I've decided to move to Octopress.  I'll spare you all the details of the decision process but here's a post that describes the process and benefits.  I'm also following in the footsteps of others in my community (e.g., Data Driven Security, and Adam Elkus).

The industry blog will be renamed "Meritology Blog" and will have a URL.  The academic blog will be "Exploring Possibility Space" and will have a URL.  I aim to move all the Blogger posts to these so that the archives are available under both.

I'll let you know when this goes live, and hopefully there will be redirection once the move is complete.

Thursday, April 17, 2014

"Creative Destruction": 500 word entry for Schneier's Movie Plot Contest

Since I won last year, I wasn't going to enter this year. But my imagination started turning and this came out.  Hope you enjoy it.

Bruce Schneier's 7th Annual Movie Plot Contest

Theme: NSA wins!  But how? (full description and all entries are here)

My entry:
Creative Destruction
June 2014 – March 2015: Stock market booms.

June 2014: Snowden revelations trigger international political scandals.

July: Feinstein-Rogers Intelligence Reform Bill passes, breaks up NSA. “Largest garage sale in history”.

Headline: “NSA Nuked”

August: 10,000 NSA workers are laid off.

September – December: Open Source projects, Working Groups see influx of volunteers.

September – November: “NSA garage sale” draws small contractors and public-private partnerships spread over 50 states. Private equity firms are buyers – Flatiron Partners, Narsil Capital, and Tech Disruptions.

September – November 2014: Flurry of privacy and security scandals hit big firms. Lawsuits, investigations, and criminal indictments follow.

November: “Alt Apps Group” formed: “Secure, private, and ad-free”. Most members are majority owned by Flatiron, Narsil Capital, or Tech Disruptions.

July – December: Symantec goes on buying spree: Webroot, Cloudflare, StackExchange, Disqus, Rapid7, and MaaS360 – all funded by Flatiron, Narsil Capital, or Tech Disruptions.

December: Puerto Rico Bridge Initiative announces completion of 50GB fiber optic cable.

January 2015: Private equity firms, led by Flatiron, make offer for Symantec.

February: Loren Reynolds, rookie Equity Analyst at JPMorgan Chase working on Symantec project, is accidentally copied on email from Flatiron:
“Confirming that Launch has been accelerated to March. Don’t use email anymore.”
Loren is puzzled by the distribution list:
  • Puerto Rico Bridge Initiative (PRBI) 
  • Economic Development Corporation Utah (EDCU)
  • Fatherly (formerly GoDaddy)
  • DuckDuckGo 
  • Safebook (startup)
March: Traffic and membership surges at Alt Apps Group members. Fatherly achieves 70% share in Certificate Authority market.

March: Loren receives email from friend Zoltin, networking expert:
“PRBI isn’t 50GB. It’s 75TB – the highest capacity in the world!!! WTF! There’s more. Same capacity cables to Bermuda and to Azores. Looks like they are bypassing US-Europe cables. Big news: Big data center on PR now complete.”
April: Google earnings due 4/15; then Facebook, Apple, Twitter, Microsoft, and Verizon on 4/22.

April: Over beers, Loren hears rumors of large short positions in technology stocks from a few “weird” hedge funds.

April 4: Loren receives email from Sarah:
“EDCU is gatekeeper on NSA Utah Data Center.”
April 15: Google disappoints. Earnings down 40% on flat revenue. Stock falls 30%, overall market falls 10%. 
April 20: Loren discovers link between former NSA executives and Flatiron, Narsil Capital, and Tech Disruptions. Finds NSA people behind tech firm scandals of the previous fall (2014). Tip of the iceberg, she suspects.

April 21: Loren sends IM to her husband, an Assistant DA in the Southern District of NY:

“Must see you ASAP. NSA & GCHQ live on. They’ve gone legit – running private businesses and funds. THEY ARE KILLING THE INTERNET AD BUSINESS.”
After clicking “send”, her computer freezes. She reaches for her smart phone to call her husband, but the directory is empty. She dials the number manually, but gets an “out of service” signal, followed by “low battery”. The phone dies.

Running down seven flights of stairs, Loren races to her car. She jumps in, starts the engine, and backs out with a screech. One turn from the exit the car engine suddenly cuts out and brakes lock. The car crashes into a cement pillar. The airbag fails to deploy. Loren is out cold.
[This has a few lines added, so it's beyond 500 word limit.  But the entry on Bruce's site is below the limit.]